Web Application Security Implementation - © 2007 GIAC Web Application Security Implementation SANS MSISE GDWP Kevin Bong John Brozycki July 26, 2007.


Introduction
– A website vulnerability was used to copy customer data to a foreign host.
– Senior management wants to acquire the services of a penetration team, but none is available for immediate needs.
– Post incident, we are tasked with creating a web application security assessment program to implement within a few days.

Web Assessment Process
– Inventory
– Automated Vulnerability Scan
– Manual Web Server Audit
– Manual Web Application Audit
– Conduct Interviews
– Report Findings

Web Service Inventory
– Need to know what is legitimate and necessary (programs, services, ports).
– Need to know where the data lives and how it is accessed.
– Rate assets (web servers/services) to focus resources and set priorities.

Performing Automated Scans
– Verify the inventory by confirming the existence of services.
– Identify additional, unneeded processes, and check for common vulnerabilities and misconfigurations in both the necessary and unnecessary processes and services.
– Quickly identify the low-hanging fruit.
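The two slides above (inventory, then automated scans that verify it) describe a reconciliation step: compare what the organisation believes is running against what the scanner actually observed, then prioritise by asset rating. The following is an added example of that step, not code from the presentation; the inventory, the scan output, the asset ratings and the field names are all constructed assumptions.

```python
"""Reconcile a web service inventory against automated scan results.

Added example (not from the original presentation). The inventory and
scan output below are constructed sample data; the asset ratings and
field names are assumptions, not part of the slides.
"""
from dataclasses import dataclass, field


@dataclass
class InventoryEntry:
    host: str
    port: int
    service: str
    rating: str          # assumed asset rating: "high", "medium" or "low"


@dataclass
class ScanResult:
    host: str
    port: int
    service: str
    findings: list = field(default_factory=list)  # e.g. ["outdated version"]


# Constructed inventory: what the organisation says should be running.
INVENTORY = [
    InventoryEntry("web1.example.test", 443, "https", "high"),
    InventoryEntry("web1.example.test", 80, "http", "high"),
    InventoryEntry("web2.example.test", 443, "https", "medium"),
]

# Constructed scan output: what an automated scanner actually observed.
SCAN = [
    ScanResult("web1.example.test", 443, "https", ["TLS configuration weak"]),
    ScanResult("web1.example.test", 80, "http"),
    ScanResult("web1.example.test", 8080, "http-alt", ["default admin page exposed"]),  # not in inventory
    ScanResult("web2.example.test", 22, "ssh"),
    # web2:443 was not observed: the inventory claims a service that is not there
]

RATING_ORDER = {"high": 0, "medium": 1, "low": 2}


def reconcile(inventory, scan):
    """Return (confirmed, unneeded, missing), with rated lists sorted so
    that high-rated assets come first.

    confirmed: (inventory entry, scan result) pairs that match
    unneeded:  observed services not in the inventory (review for removal)
    missing:   inventory entries the scan did not find
    """
    expected = {(e.host, e.port): e for e in inventory}
    observed = {(r.host, r.port): r for r in scan}

    confirmed, unneeded = [], []
    for key, result in observed.items():
        entry = expected.get(key)
        if entry is None:
            unneeded.append(result)
        else:
            confirmed.append((entry, result))
    missing = [e for k, e in expected.items() if k not in observed]

    confirmed.sort(key=lambda pair: RATING_ORDER[pair[0].rating])
    missing.sort(key=lambda e: RATING_ORDER[e.rating])
    return confirmed, unneeded, missing


def action_items(inventory, scan):
    """Turn the reconciliation into a prioritised list of action strings."""
    confirmed, unneeded, missing = reconcile(inventory, scan)
    items = []
    for entry, result in confirmed:
        for finding in result.findings:
            items.append(f"[{entry.rating}] {entry.host}:{entry.port} {finding}")
    for result in unneeded:
        items.append(f"[review] {result.host}:{result.port} {result.service} not in inventory")
    for entry in missing:
        items.append(f"[{entry.rating}] {entry.host}:{entry.port} expected but not observed")
    return items


if __name__ == "__main__":
    for line in action_items(INVENTORY, SCAN):
        print(line)
```

The three buckets map directly onto the slide: confirmed services carry the scanner's findings, unneeded services are the "additional processes" to question in the change-process interviews, and missing services are inventory errors to correct before the manual audits start.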

Manual Audit of Web Server Security
– Review whether best practices are followed:
  – Is defense in depth employed?
  – Configuration of web server and web development frameworks
  – User and service accounts and rights
  – Error messages and other information leakage
  – Do log files store appropriate information?
– Review change processes for ports and services through interviews.
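The "error messages, other information leakage" item is one of the few checks on this slide that can be partly mechanised: capture the server's responses (especially error pages) and look for version banners, framework headers, filesystem paths and stack traces. The following is an added example of such a review, not code from the presentation; both HTTP responses are constructed samples, and the particular set of checks is an assumption rather than a list from the slides.

```python
"""Review captured HTTP responses for information leakage.

Added example (not from the presentation). The responses are constructed
samples; the header names checked are common ones, but the set of checks
is an assumption, not a list from the slides.
"""
import re

# Constructed sample: a response that leaks server and framework versions
# and returns a stack trace with filesystem paths in the error page.
LEAKY_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.2.4 (Unix) PHP/5.2.1\r\n"
    "X-Powered-By: PHP/5.2.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Fatal error: Uncaught exception in "
    "/var/www/app/checkout.php on line 42\r\n"
    "Stack trace:\r\n#0 /var/www/app/index.php(10)</body></html>"
)

# Constructed sample: the same failure served with a generic error page
# and a banner stripped of version detail.
HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>An error occurred. Reference: 7f3a</body></html>"
)

VERSION_RE = re.compile(r"/\d+(\.\d+)+")          # e.g. Apache/2.2.4
PATH_RE = re.compile(r"(/[\w.-]+){2,}\.\w+")      # e.g. /var/www/app/x.php
TRACE_RE = re.compile(r"stack trace|traceback|exception", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers dict, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def leakage_findings(raw):
    """Return a list of leakage findings for one response (empty = clean)."""
    status, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"Server header discloses version: {server}")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By discloses framework: {headers['x-powered-by']}")
    if PATH_RE.search(body):
        findings.append("error body discloses filesystem path")
    if TRACE_RE.search(body):
        findings.append("error body contains stack trace / exception detail")
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, leakage_findings(raw) or ["no leakage found"])
```

Run against real captures, each finding becomes a configuration action item for the web server or framework (suppress version banners, disable verbose error output, return a generic error page with an internal reference that can be matched to the server log). The reference code in the hardened sample is the point where the "do log files store appropriate information?" question comes in: the detail removed from the response still needs to be recorded server-side.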

Manual Audit of Web Applications
– Based on the inventory, focus on potentially vulnerable code.
– Specific tests to be performed against each dynamic page.
– Interview developers to determine whether their processes prevent new vulnerabilities.

Deliverables for the Senior Management Team
– Reports and recommendations delivered within days.
– Results of the inventory, scans, and manual audits are used to provide action items that can be given to the implementation team.
– Additional recommendations from the tiger team to management to minimize recurrences.