SO YOU WANT TO BE A HACKER? Maybe not yet, but you will at the end of the hour!

Agenda
 Introductions
 Why you should listen to me
 Day in the life of Joe
 What makes a security tester different?
 DEMOS!
 Cross Site Scripting
 SQL injection
 Java Decompiler

Introduction
 Joe Basirico – Dev Manager and Security Consultant for Security Innovation
 Worked in security for about 6 years now
 Worked for Microsoft before SI
 Security Trainer, Engineer, Consultant, etc.

Day in the life
 Work with software, financial and insurance companies to help them produce more secure software
 Find vulnerabilities in software before hackers do
 Help our customers fix them before they release

The Work
 One week to a couple of months per engagement
 Quickly learn the system
 Find theoretical flaws through threat modeling and intuition
 Verify flaws through testing
 Help the client remediate the flaw directly or through recommendations

What makes a great hacker?
 Complete knowledge of the system
 Great security testers know everything about every layer of the system, from browser to hardware
 A great imagination
 What's really going on back there?
 An evil streak
 What's the worst thing I could do?
 Steal passwords or credit card numbers, take the system down?

Example

Demos!
 Cross Site Scripting
 SQL Injection
 Forceful Browsing
 Decompilation

Remediation
 Be very careful with your input! Treat every value that crosses a trust boundary (form fields, URL parameters, cookies, headers) as untrusted: validate it on the server and encode it for the context where it is used (HTML, SQL, etc.)
 Assume the world is malicious
 Think like an attacker
 Protect yourself

Questions?