Strategic Security, Inc. © Application Security is Easy Right?

Slides:



Advertisements
Similar presentations
PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.
Advertisements

Hands on Demonstration for Testing Security in Web Applications
Web Vulnerability Assessments
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Getting Started with XPages Presented by Jeff Byrd.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or UCSF Campus VPN.
Donna Thompsson For Tech Tips - Facebook: Debbie Jarrett – Ed Tech PD
Hacking outside the box Mike Aiello. Objectives Describe jobs in “Infosec" Discuss why communication is critically important to Infosec professionals.
IS Today (Valacich & Schneider) 5/e Copyright © 2012 Pearson Education, Inc. Published as Prentice Hall 7/2/ Facebook is the most popular social.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Extend Your UFT for Mobile Testing & Monitoring Mobile Add-on For UFT Nov 2014.
OWASP Bricks. Web application security learning platform. Built with PHP and MySQL. Open source and free. ‘Break the Bricks’ and learn.
Data Analyst Making HMIS Work for You HMI S. What I will cover today  Part I: Getting big data … fast!  Part II: Making customized forms and reports.
How to turn on the robot How to start Bluetooth How to connect to robot How to initialize the robot How to not break the robot Sec Getting Started.
Security Scanning OWASP Education Nishi Kumar Computer based training
Introduction to Application Penetration Testing
Alfresco – An Open Source Content Management System - Bindu Nayar, Bhavana Mohanraj.
Introdution to Computer Science ICS3U/4U.  New room!!!  Respect it  Wooden tables  No food/drink  Bathroom – one at a time  Course outline – coming.
Command School On Task In Touch Online Software for Schools Developed by Schools.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
WorkPlace Pro Utilities.
Susanna Jordan Period 4.  What do they do?  How much do they make (range)?  What kind of education or training do they need?  What kind of company.
2010 Technology Decision Making Roundtable: Cloud Computing Google Apps vs. Daryl Tilley Director of Technology Services Ingham Intermediate School.
 Internet Regulation  Some people think that Internet Regulations and Business exchange are the same. That is why many consider this a controversial.
DUE Introduction to the Android Platform Working Connections 2011.
Selenium Web Test Tool Training Using Ruby Language Discover the automating power of Selenium Kavin School Kavin School Presents: Presented by: Kangeyan.
INTEGRATING SOCIAL MEDIA & WORDPRESS Akilah Thompkins- CTWordCamp 2014 © Copyright 2014 AKZMe Designs.
Here is an activity that you can use to review or reinforce a lesson or concept.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
ISquad Customer Service Working with the DOE Help Desk.
Tech Tools Focus QR Codes. Agenda What is a QR code? What do they do? How can I use them in the classroom? How do I create them? How do I scan them?
DUE Starting AppInventor Working Connections 2012.
Strategic Security, Inc. © Introduction To SQL Injection Presented By: Joe McCray
QR CODES What are they? A Quick Response code… something like a bar code you would see in the grocery store. QR’s were first created and used in Japan.
Evaluating Websites: A Paul Cuffee Guide A URL is a Uniform Resource Locator, or the ADDRESS or the website. Each file on the Internet has a unique address.
Automated Security Testing Using The ZAP API. About Me My name is Michael Haselhurst. I work for Sage as a Test Analyst. This is the first OWASP meeting.
By Jordan SEKE MBOUNGOU MOUYABI Senior LAN Administrator & E-learning Site Administrator Oliver Schreiner building, School of law.
Asynchronous Module on Zotero Titilola Obilade Instructional Design for Distance Learning November 19, 2011.
Technology Education THE PERSONAL COMPUTER (PC) SOFTWARE PART 1.
THE PAPERLESS CLASSROOM: USING GOOGLE DRIVE TO CONDUCT A PAPERLESS RESEARCH PAPER: BENEFITS OF USING GOOGLE DRIVE TO CONDUCT A PAPERLESS RESEARCH PAPER,
OWASP Secure Configuration Guide Alexander Antukh 25/11/2014.
ISquad Customer Service Working with the DOE Help Desk.
What is ? ●It is a Halton District School Board term ●It is HDSB use of Google Apps for education. It includes: ■ Google Docs ■ Google Drive ■ Google Applications.
Communicating and Sharing with our 21 st Century Students.
Wharton Computer Consulting, Inc. PowerShell Basics for SQL Server One Tool to Manage All SQL Servers Michael Wharton
Page 1 This is page one. I’m talking about it now….
Cloud-Computing Cloud Web-Blog Software Application Download Software.
Google Apps For Education (And why you might want to use them)
Set up your own Cloud The search for a secure and acceptable means of gaining access to your files stored at the office from a remote location.
Cloud Computing Cloud computing: (the Internet represents the Cloud).
P.6 Impacts of Technology on society.
Computer Security Fundamentals
Foundations of Programming: Introduction to Programming
NEED OF JAILBREAKING IN IOS PENETRATION TESTING
Enterprise Application Architecture
HTML Level II (CyberAdvantage)
Fix Bitdefender Internet Security Error 217 Bitdefender Support Number Give a Ring on:
Fix Bitdefender Error Code 2202 Give a Ring on: Bitdefender Support Number.
HP Printer Technical Support Number
Principles of report writing
Provide Real-Time Appointment Status & Improve Patient Satisfaction
Validating Your Information Security Program (ISP 3 of 3)
Topics we will cover followed by Q&A session at end
How to Break Web Application Security
Back to the Future with Information Security How Embedded Devices Have Turned Back the Security Clock James Edge Information Security Specialist.
Making Your Website Work NJAET October 13, 2009
Hacking web applications
The Hacking Suite For Governmental Interception
Presentation transcript:

Strategic Security, Inc. © Application Security is Easy Right?

Strategic Security, Inc. © Trying to learn App Sec I came up the old fashioned way: Help Desk PC Tech Systems Administrator Network Administrator Moved into IT Security Intrusion Analyst Penetration Tester The way nature intended….

Strategic Security, Inc. © Pentesting Starting Moving Away From The Network Pentesting started shifting away from the network…. Network and Systems Web App Mobile App Cloud Mashups Source Code Easy right? Houston….

Strategic Security, Inc. © I Felt Lost In The App Sec

Strategic Security, Inc. © I DON’T KNOW HOW TO PROGRAM A lot of computer scientists will be familiar with programming concepts such as: Turing’s Primitives Programming Logic Data Structures and Algorithms Object Oriented Programming If you are like me then none of this stuff makes any sense to you I don’t understand any of this stuff, and don’t plan on trying I’m regular working stiff – so that means that I like: Alcohol Sports Barbequing

Strategic Security, Inc. © OWASP Confused Me More OWASP Testing Guide

Strategic Security, Inc. © I Needed Something Simple I Could Do A process to follow A methodology to use It has to be simple

Strategic Security, Inc. © 3 Simple Questions 1.Is it talking to a DB? Is there parameter passing – if yes… Insert a single quote 2.Can I or someone else see what I type? Is there a forum, blog, guestbook, contact us page, feedback form, instant messenger/chat – if yes... Insert alert(‘xss’) 3.Does it reference a file? Is it talking about a file on the local file system – if yes… Insert../../../../../../etc/passwd,../../../../../../etc/passwd%00../../../../../../windows/win.ini,../../../../../../windows/win.ini%00

Strategic Security, Inc. © Let’s drive Everything I’m doing today can be found at: I use pastebin to allow you to follow me and just copy/paste the commands I type So you can just just open up Firefox and follow along

Strategic Security, Inc. © What About Tools Once you have a methodology then you can start with simple firefox addons: ShowIP Server Spy FoxyProxy Tamper Data Firebug A good list of web app testing add ons for Firefox:

Strategic Security, Inc. © What About Free/Low Cost Tools Once you are comfortable with the firefox addons, then I think you can move on to the proxies: Burp Suite Zap Fiddler Charles Proxy

Strategic Security, Inc. © What About Commercial Tools Once you are comfortable with the firefox addons, then I think you can move on to the proxies: IBM AppScan HP WebInspect Acunetix Comparison of the scanners

Strategic Security, Inc. © I built one (shameless plug) Web Scanner Pro (YES IT IS FREE and cheap): You don’t need to be a Web App expert to use the product You don’t need to be a programmer to understand the reports You don’t need to be a compliance expert to demonstrate your due diligence

Strategic Security, Inc. © Contact Me.... Toll Free: Twitter: LinkedIn:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.