AppSec Testing Beyond Pen Test
Bhushan Gupta, Gupta Consulting, LLC. www.bgupta.com
10/3/2018
Copyright Gupta Consulting, LLC.

Pen Testing – Some Observations
- An art of finding known vulnerabilities and exploiting them
- Well suited to networks and operating systems
- Tools have limited effectiveness
- Happens late in the SDLC
Gary McGraw: "If you fail a penetration test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don't have a very bad problem."

Security control life cycle
1. Categorize / determine data sensitivity
2. Select baseline controls
3. Implement security controls
4. Assess security controls
5. Determine risk to the organization
6. Monitor / track internal and external changes

Data Security Principles
- Confidentiality: keeping data private (access control)
- Integrity: only authorized modification of data and of the system environment
- Availability: usable during the desired hours of service
Not all data is worth protecting! Protect data at rest (stationary) and in transit (in motion)!

NIST (National Institute of Standards and Technology) SP 800-53 – Access Control
- Identification and Authentication (IA family)
- Least Privilege (AC-6)
- Separation of Duties (AC-5)
- Session Lock (AC-11)
- Session Termination (AC-12)
- Unsuccessful Logon Attempts (AC-7)
- Access Enforcement (AC-3)
- Account Management (AC-2)
- System Use Notification (AC-8) – especially for Govt. applications
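Three of the controls above (AC-7, AC-11 and AC-12) have to be enforced in application code rather than in the network, and that code is where pen tests routinely find gaps (no lockout, sessions that never expire). The following is an added example written for this page, not code from the slides or from Gupta Consulting: a lockout tracker for AC-7 with a sliding failure window, and a session manager that applies an idle lock (AC-11) and an absolute lifetime (AC-12). The thresholds, the `credentials` dictionary, and all class and function names are illustrative assumptions; time is passed in as seconds so the behaviour can be checked offline.

```python
"""Added example (not from the slides): enforcing NIST SP 800-53 AC-7, AC-11 and
AC-12 in application code. Thresholds and timeouts are illustrative assumptions,
not values the standard prescribes. Time is a number of seconds passed by the
caller so the behaviour is deterministic and testable offline."""
from collections import deque
from dataclasses import dataclass, field
import hmac


@dataclass
class LogonPolicy:                 # AC-7 parameters (assumed values)
    max_failures: int = 5
    window_seconds: int = 15 * 60
    lockout_seconds: int = 15 * 60


@dataclass
class SessionPolicy:               # AC-11 / AC-12 parameters (assumed values)
    idle_lock_seconds: int = 10 * 60
    max_lifetime_seconds: int = 8 * 60 * 60


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0


class LogonGuard:
    """Tracks failed logons per account and enforces the AC-7 lockout."""

    def __init__(self, policy: LogonPolicy = LogonPolicy()):
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; return True if it triggered a lockout."""
        st = self._state(user)
        st.failures.append(now)
        cutoff = now - self.policy.window_seconds
        while st.failures and st.failures[0] < cutoff:   # drop failures outside the window
            st.failures.popleft()
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self._state(user).failures.clear()


def attempt_login(guard: LogonGuard, credentials: dict, user: str,
                  password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'bad'. The lock is checked before the password so a
    locked account answers the same way whether or not the password is right.
    `credentials` (user -> password) is a constructed stand-in for a hashed store."""
    if guard.is_locked(user, now):
        return "locked"
    expected = credentials.get(user, "").encode()
    if hmac.compare_digest(expected, password.encode()):   # constant-time comparison
        guard.record_success(user)
        return "ok"
    guard.record_failure(user, now)
    return "bad"


@dataclass
class Session:
    user: str
    created: float
    last_active: float
    locked: bool = False


class SessionManager:
    """Applies AC-12 (absolute lifetime) and AC-11 (idle lock) on every request."""

    def __init__(self, policy: SessionPolicy = SessionPolicy()):
        self.policy = policy

    def touch(self, s: Session, now: float) -> str:
        """Return 'terminated', 'locked' or 'active' for a request at time `now`."""
        if now - s.created >= self.policy.max_lifetime_seconds:
            return "terminated"                      # AC-12: lifetime exceeded
        if s.locked or now - s.last_active >= self.policy.idle_lock_seconds:
            s.locked = True                          # AC-11: locked until re-authentication
            return "locked"
        s.last_active = now
        return "active"

    def unlock(self, s: Session, reauthenticated: bool, now: float) -> str:
        """Clear the idle lock only after a fresh authentication; the lifetime still applies."""
        if not reauthenticated:
            return "locked"
        if now - s.created >= self.policy.max_lifetime_seconds:
            return "terminated"
        s.locked = False
        s.last_active = now
        return "active"
```

Two details matter in a review of code like this: the lock is checked before the credential is verified, so a locked account cannot be used as a password oracle, and the idle lock is never cleared by ordinary activity, only by `unlock` after re-authentication, while the absolute lifetime in `touch` wins over everything else.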

STRIDE Approach to Vulnerability
- Spoofing: gaining access to the system using a false identity
- Tampering: unauthorized modification of data
- Repudiation: the ability to successfully deny that an activity took place
- Information Disclosure: unwanted exposure of private data
- Denial of Service: making the system unavailable for use
- Elevation of Privilege: gaining the rights of a privileged user from a limited-privilege position

STRIDE Map – Epic: Sign Up
Columns: Story ID / Spoofing / Tampering / Repudiation / Information Disclosure / Denial of Service / Elevation of Privilege / STRIDE score
1. Browse to Web Site: No; YES – score 1
2. Create user Profile: Yes; No (data stationary); Yes – social engineering – score 2
3. Create Login Id & Password
6. Login: Yes (MitM) – score 5

Quantifying and Comparing Risk – DREAD Method
DREAD Index = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5

Quantifying and Comparing Risk – DREAD rating scale (each category rated 0, 5 or 10)
- Damage (data impact): 0 = none; 5 = few users only; 10 = entire system
- Reproducibility: 0 = very hard; 5 = a few steps required; 10 = reproducible with a web browser
- Exploitability: 0 = advanced knowledge required; 5 = use of kits; 10 = just a web browser
- Affected users: 5 = some but not all; 10 = all users
- Discoverability (of the weakness in the application): 0 = very hard (needs special effort); 5 = guessing; 10 = easy and apparent, in the public domain or visible from a web browser
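To make the STRIDE map and the DREAD scale above repeatable rather than a hand-filled spreadsheet, the following added example (written for this page, not code from the slides or from Gupta Consulting) records each identified threat against a user story with its STRIDE category and its five DREAD ratings, rebuilds the STRIDE map, and ranks threats by DREAD index. The stories, threat notes and ratings are constructed for illustration and are not the numbers on the slides; the STRIDE score is taken here as the number of categories marked Yes for a story, which is an assumption about the slide's last column.

```python
"""Added example (not from the slides): STRIDE map plus DREAD ranking.
Sample threats and ratings are constructed for illustration."""
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")
RATINGS = (0, 5, 10)   # the three-point scale from the DREAD table


@dataclass(frozen=True)
class Threat:
    story: str
    category: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int
    note: str = ""

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {self.category}")
        for value in (self.damage, self.reproducibility, self.exploitability,
                      self.affected_users, self.discoverability):
            if value not in RATINGS:
                raise ValueError(f"DREAD ratings must be one of {RATINGS}, got {value}")

    def dread_index(self) -> float:
        """(D + R + E + A + Di) / 5, as defined on the DREAD slide."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5


def stride_map(threats):
    """Story -> {category: bool}; True when at least one threat of that kind exists."""
    stories = {}
    for t in threats:
        row = stories.setdefault(t.story, {c: False for c in STRIDE})
        row[t.category] = True
    return stories


def stride_score(threats, story) -> int:
    """Number of STRIDE categories marked Yes for a story (assumed meaning of the score)."""
    return sum(stride_map(threats).get(story, {}).values())


def rank_by_dread(threats):
    """Highest DREAD index first; ties broken by story then category for stable output."""
    return sorted(threats, key=lambda t: (-t.dread_index(), t.story, t.category))


def render_map(threats) -> str:
    """Plain-text STRIDE map in the layout of the slide (abbreviated column headers)."""
    rows = stride_map(threats)
    lines = ["Story".ljust(26) + "".join(c[:4].ljust(6) for c in STRIDE) + "Score"]
    for story, flags in rows.items():
        cells = "".join(("Yes" if flags[c] else "No").ljust(6) for c in STRIDE)
        lines.append(story.ljust(26) + cells + str(sum(flags.values())))
    return "\n".join(lines)


# Constructed sample threat register for the Sign Up epic (not the slide's data).
SAMPLE = [
    Threat("1. Browse to Web Site", "Denial of Service", 5, 10, 10, 10, 10,
           "unauthenticated landing page, floodable from any browser"),
    Threat("2. Create user Profile", "Information Disclosure", 5, 10, 10, 5, 10,
           "profile fields shown to other users by default"),
    Threat("2. Create user Profile", "Tampering", 5, 5, 5, 5, 0,
           "profile fields validated only on the client"),
    Threat("6. Login", "Spoofing", 10, 5, 5, 10, 5,
           "credentials replayable if captured on the wire (MitM)"),
    Threat("6. Login", "Elevation of Privilege", 10, 0, 0, 10, 0,
           "role claim read from a client-supplied field"),
]

if __name__ == "__main__":
    print(render_map(SAMPLE))
    for t in rank_by_dread(SAMPLE):
        print(f"{t.dread_index():4.1f}  {t.story:<24} {t.category:<24} {t.note}")
```

Ranking by the index alone hides ties (two sample threats score 4.0), so in practice the output is read together with the STRIDE map: a story that lights up several categories, such as the login story here, usually deserves test effort before a single high-index item elsewhere.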

References
- OWASP Testing Guide v4 (security testing best practices): https://www.owasp.org/index.php/OWASP_Testing_Project
- Attack surface analysis: Thomas Heumann, Jörg Keller, Sven Türpe, "Quantifying the Attack Surface of a Web Application" (2010)