Security Principles Ian Kayne
Security Principles
Ian Kayne, for the School of Computer Science, University of Birmingham, 17th November 2008

Welcome
Introductions
Aim and subject matter
Real world, industry examples
What you would like to gain
Q&A at the end
NB: Some slides have been deleted from this version of the presentation.
4/7/2019

The Basics
What is security?

The Basics
What is not security?
A little hint: why are firewalls, IDS, content scanners etc. not security?

The Basics
The Sony PSP: ultimate security?
Closed platform
Proprietary hardware
Proprietary media (UMD), "almost"
Code signing
Tight controls on devkits

The Basics
Insecure! Not just once, repeatedly over years
LibTIFF
  Widely distributed library
  Cross-platform security flaw
GTA: missing a culture of security
  3rd party company: "It's only a game"

Culture
QA can't find flaws that aren't part of the normal user experience
One mistake cost £millions?
  Broke Sony's business model
  Required a new release of the game and the firmware
  Enabled piracy
End-user desire (homebrew) won

The Basics
What is security?
Process
Mindset
Buy-in from day one
Culture
Firewalls, IDS etc. are tech enablers; without a secure approach they're useless

The Basics
UK Government comparison: number of laptop and USB stick losses –v– "proper hacks"
Encryption is available but not used
Strong, clear guidelines ignored
Security is "someone else's problem"; putting CDs in the post is fine
Missing a culture of security

In The Real World
It's not that easy. Security is a balancing act:
  Security –v– cost
  Security –v– delivery
  Security –v– functionality
  Security –v– corporate politics
  Security –v– …
Day 1 buy-in helps to mitigate

In The Real World
Security demands:
  Communication
  Early involvement
  Empathy
  Pragmatism
  (Don't forget the technical skills!)
Most security teams/professionals don't sit in ivory towers

Penetration Testing (finding holes in the security culture)

Pen Testing
Penetration testing is very different to consultancy
Not like the movies! Boring work and documentation
Requires:
  Wide knowledge and skill set
  Experience
  Ability to make logic leaps
  Diligence, resolve, patience, lots of coffee
Pen-tester quality varies wildly
Not a pen-tester? Understand the approach so you can evaluate one.

Simple Design (tiered network, outside to inside)
Internet
  -> External firewall
  -> Proxy appliance
  -> Web tier firewall
  -> Proxy appliance
  -> Web server
  -> App tier firewall
  -> Database server

SQL Injection
Occurs when unchecked input builds SQL queries
Search box input: pizza
Code builds SQL query: SELECT * FROM food WHERE type='pizza';
Search box input: pizza'; DROP DATABASE cafe;SELECT * FROM food WHERE type='pizza
Code builds SQL query: SELECT * FROM food WHERE type='pizza'; DROP DATABASE cafe;SELECT * FROM food WHERE type='pizza';
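As an added example that is not part of the original slides, the cafe search above in Python against an in-memory SQLite database: the concatenated query exactly as the slide builds it, a tautology payload that leaks the whole table through a single statement, the slide's stacked payload run through a driver path that permits several statements per call (SQLite has no DROP DATABASE, so the payload is adapted to DROP TABLE), and the parameterised query that treats both payloads as plain data. The menu rows, the table layout and the helper names are assumptions made for this example.

```python
import sqlite3

# Constructed sample rows for the cafe database on the slide; not from the
# original presentation.
MENU = [("pizza", "margherita"), ("pizza", "pepperoni"), ("salad", "caesar")]

# The slide's payload adapted to SQLite, which has tables rather than a
# droppable database: the quote closes the literal, ';' ends the statement,
# and the trailing fragment re-opens a literal so the final query parses.
DROP_PAYLOAD = "pizza'; DROP TABLE food; SELECT * FROM food WHERE type='pizza"

# A tautology payload that needs no stacked statements at all.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"


def fresh_db():
    """In-memory cafe database with a single populated food table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE food (type TEXT, name TEXT)")
    conn.executemany("INSERT INTO food VALUES (?, ?)", MENU)
    conn.commit()
    return conn


def table_exists(conn, name="food"):
    """True if the named table is still present in the schema."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?",
        (name,),
    ).fetchone()
    return row[0] == 1


def build_query_vulnerable(user_input):
    """The pattern on the slide: unchecked input is concatenated into the SQL
    text, so a quote in the input changes the structure of the query."""
    return "SELECT * FROM food WHERE type='" + user_input + "';"


def search_vulnerable(conn, user_input):
    """Single-statement injection: with the tautology payload the WHERE
    clause is always true and every row comes back. (Python's sqlite3
    refuses stacked statements in execute(), so the DROP payload raises
    here; search_vulnerable_stacked shows that path.)"""
    return conn.execute(build_query_vulnerable(user_input)).fetchall()


def search_vulnerable_stacked(conn, user_input):
    """What a driver that allows several statements per call does:
    executescript runs every statement in the concatenated string, so the
    injected DROP TABLE executes. The trailing SELECT then fails because the
    table is gone, which is the 'site shut down' outcome. Returns whether
    the table survived."""
    try:
        conn.executescript(build_query_vulnerable(user_input))
    except sqlite3.OperationalError:
        pass  # "no such table: food": the damage is already done
    return table_exists(conn)


def search_safe(conn, user_input):
    """Parameterised query: the input travels to the engine as a bound value,
    never as SQL text, so both payloads simply match no food type."""
    return conn.execute(
        "SELECT * FROM food WHERE type=?", (user_input,)
    ).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, pizza:", search_vulnerable(db, "pizza"))
    print("vulnerable, tautology:", search_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("vulnerable stacked, table survived:",
          search_vulnerable_stacked(db, DROP_PAYLOAD))
    db = fresh_db()
    print("safe, tautology:", search_safe(db, TAUTOLOGY_PAYLOAD))
    print("safe, drop payload:", search_safe(db, DROP_PAYLOAD))
    print("safe, table survived:", table_exists(db))
```

The point the slide makes is visible in the two query builders: the vulnerable one lets the user's text become part of the program, the safe one keeps it as a value. Parameterisation is the fix that removes the injection; allow-listing the expected food types on the server would be a second layer, and client-side checks on the search box count for nothing because the attacker controls the client.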

Pentesting Impact
Site shut down
Reputation damage
Lost revenue
Lost customers / goodwill
Cost to resolve
In the USA? Full disclosure may be required.

Pentesting Review
If the end user has control, there is no security
  There is no security in client-side validation
  All input must be validated
  Don't allow data uploads without validation
Implement security controls correctly
  IDS and content filtering
  Firewall rules: no connect out from web servers
A culture of security is most important
  Not just "do it" but "do it properly and securely"

Doing the Job
Career path: use it to learn the principles
Why are the principles so important?
  Expect unique systems and software
  No courses on "Widgets v1.0 security"
  Expect unusual problems
  Expect unusual solutions
  Expect issues outside your comfort zone

Doing the Job
Your mission, should you choose to accept it…
95% of the time it's (relatively) easy: most attackers go for the easy score
The other 5% is hard: directed, technical attacks
Non-technical: empathy and pragmatism
Jack of all trades and master of some
Learn the principles, investigate the rest

Review
Thank you!
Questions
Comments
Items to review
Further study