Application Security on a Dime
Open Technologies, Tools, and Techniques for Running a Blossoming InfoSec Program
POSSCON – Columbia, SC April 2015
Anyone run Wordpress?
WordPress hacks are bountiful. Secure them using the latest hardening guidelines:
http://codex.wordpress.org/Hardening_WordPress

Test #WordPress using WPScan (http://wpscan.org/), a blackbox vuln scanner. #posscon #appsec
Open Source Security Facilitated By…
And especially…..
A hacker's gateway drug to online perdition... or just a really helpful search engine.
Who am I? Why should you listen | care?
•  20 years of IT / InfoSec experience
•  Utility | Fed | Banking | Retail | Healthcare | Information Services | Hosting | Financial Services | Manufacturing | Insurance | Real Estate
•  Former developer | sysadmin | network engineer | ISO | security engineer | security architect | security assessor | security director | CISO
•  Author, 'Risk Centric Threat Modeling', Wiley Life Sciences 2015 – comprehensive walk-through of security principles
•  Started security consulting firm in 2007 – www.versprite.com
•  Presentation based upon hands-on work and global travels working with both large enterprises and SMBs
SECURITY CULTURE BEGINS W/ GOVERNANCE
Establish a framework and ecosystem of security processes and tools.

•  Establish Governance
•  Security Requirements & Resources
•  Implementation of S-SDLC
•  Use Security Frameworks
•  Test and Test Early
•  Track Defects
Before you begin, know inherent challenges
Challenges in AppSec
•  Isolated SDLC efforts
•  Anti-security culture
•  Expanding heterogeneous tech stack
•  Decentralizing management
•  Security is not built into IT functions early on
•  Targeted attacks
•  Open intel on application components
Sound Solutions
A BIT ABOUT OWASP
Open Web Application Security Project
Intro to OWASP
•  Open Web Application Security Project
•  Community driven; 11 years old
•  Dedicated to openness of all content & materials
•  International community focused on AppSec
•  Cross-cultural, cross-industry challenges exposed and addressed
•  Massively supportive and responsive
•  Follow @OWASP
GOVERNANCE
Without governance, your
security program will sink.
Unless you have this appear on all your servers…
…governance is the better starting point
Security: Governance | Operations | Risk Management | Compliance

Governance: provides structure to a security program.
Operations: makes security actionable, but can be known to be a black hole for security $$$.
Risk Management: everyone's security threat is not yours. Don't believe the FUD; make risk-based security decisions.
Compliance: although a key business driver, don't let Compliance eclipse Security. #POSSCON
Policies, Standards, Guidelines
•  Policies provide accountability
•  Standards govern technology
•  Guidelines provide "best practices"
•  Framework for enterprise operations
•  Creates baseline of what is 'secure' and 'acceptable' in terms of risk
Each Security Component Can Warrant Governance
{Program} Governance: NIST 800-100, NIST 800-39, OpenSAMM
Incident Response: NIST 800-53r4, NIST 800-61r2, NIST CSF
Secure Development: NIST 800-100, NIST 800-39, OpenSAMM
Security Testing: OWASP ASVS, OWASP Testing Guide v4, PTES
Security Awareness: Mostly tool based
OWASP Open SAMM
•  The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
•  Benefits
   –  Evaluate your organization's existing software security practices
   –  Build a balanced software security program in well-defined iterations
   –  Demonstrate concrete improvements
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
Wide Scope Covered by OpenSAMM
•  Supports a security plan or roadmap
•  Establishes governance
•  Performs assessments against that roadmap
•  Test and report
•  Enhances security operations
•  Builds an S-SDLC initiative
•  Measures successes / shortcomings
•  Provides metrics for reporting
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
OpenSAMM Key Links
•  Main link to the OpenSAMM gateway of resources:
   https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
•  Latest on the global initiative:
   https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
SECURE CODING & SECURITY ARCHITECTURE
Simple considerations of secure coding &
security architecture can lay a foundation of
security for your development efforts.
OWASP Developer Guide
https://github.com/OWASP/DevGuide
OWASP Developer Cheat Sheets
•  Clickjacking Defense Cheat Sheet
•  C-Based Toolchain Hardening Cheat Sheet
•  Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
•  Cryptographic Storage Cheat Sheet
•  DOM based XSS Prevention Cheat Sheet
•  Forgot Password Cheat Sheet
•  HTML5 Security Cheat Sheet
•  Input Validation Cheat Sheet
•  JAAS Cheat Sheet
•  Logging Cheat Sheet
•  .NET Security Cheat Sheet
•  OWASP Top Ten Cheat Sheet
•  Password Storage Cheat Sheet
•  Pinning Cheat Sheet
•  Query Parameterization Cheat Sheet
•  Ruby on Rails Cheat Sheet
•  REST Security Cheat Sheet
•  Session Management Cheat Sheet
•  SQL Injection Prevention Cheat Sheet
•  Transport Layer Protection Cheat Sheet
•  Unvalidated Redirects and Forwards Cheat Sheet
•  User Privacy Protection Cheat Sheet
•  Web Service Security Cheat Sheet
•  XSS (Cross Site Scripting) Prevention Cheat Sheet
•  Attack Surface Analysis Cheat Sheet
•  XSS Filter Evasion Cheat Sheet
•  REST Assessment Cheat Sheet
•  iOS Developer Cheat Sheet
•  Mobile Jailbreaking Cheat Sheet
OpSec Cheat Sheets (Defender)
•  Virtual Patching Cheat Sheet
S-SDLC/ Building Security-In
OWASP Developer References
Educate
•  OWASP WebGoat – exercise successful implementation of OWASP countermeasures
•  OWASP Top Ten – ranks top web app related risks; serves as a good scope for initial testing
Develop
•  OWASP Code Review – methodology for source code reviews
•  OWASP Development Guide – establishes a process for secure development efforts across various SDLCs
•  OWASP Cheat Sheet Series
•  OWASP Countermeasures – OWASP CSRFGuard, OWASP AntiSamy
Test
•  OWASP Zed Attack Proxy – test against the OWASP Top Ten; use in conformance to the Testing Guide
•  OWASP YASCA – leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan
OWASP Cheat Sheet Snippet
Insecure Direct Object References
It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys:
https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376
In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe.
https://example.com/invoice/2362365
In this case, it would be possible to get a copy of all invoices.
Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010.
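The two URLs above fail for the same reason: the record key in the path is attacker-controlled, and the handler trusts it. The following is an added example (not OWASP's or the cheat sheet's code) showing a transfer handler that looks records up by key alone next to one that scopes every lookup by the authenticated user. The in-memory tables, user names, and the account and invoice numbers are constructed sample data; `Forbidden`, `is_forbidden` and the function names are this example's own.

```python
"""Insecure direct object reference (IDOR): vulnerable vs. hardened handlers.

Added example for the cheat-sheet snippet above; it is not OWASP's code.
The in-memory tables, user names and account/invoice numbers are
constructed sample data. The point: the object key in the URL is
attacker-controlled, so every lookup must be scoped by the authenticated
principal, never by the key alone (a random key would not fix this either).
"""
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    owner: str          # user id of the account holder
    balance: float


@dataclass
class Invoice:
    number: str
    customer: str       # user id the invoice belongs to
    total: float


# Constructed sample data, not real accounts or customers.
ACCOUNTS = {
    "325365436": Account("325365436", owner="alice", balance=500.0),
    "473846376": Account("473846376", owner="mallory", balance=10.0),
}
INVOICES = {
    "2362365": Invoice("2362365", customer="alice", total=99.0),
    "2362366": Invoice("2362366", customer="bob", total=42.0),
}


class Forbidden(Exception):
    """The caller is not authorised for the referenced object."""


def transfer_vulnerable(current_user, from_account, to_account, amount):
    """Looks up both accounts purely by the client-supplied keys.

    current_user is ignored, so any authenticated user can debit any
    account whose number they can guess or enumerate: the bug described
    on the slide.
    """
    src = ACCOUNTS[from_account]
    dst = ACCOUNTS[to_account]
    src.balance -= amount
    dst.balance += amount
    return src.balance


def transfer_hardened(current_user, from_account, to_account, amount):
    """Same operation, but the debited account must belong to the caller.

    Unknown and foreign source keys both raise Forbidden, so the response
    does not reveal whether an account number exists. The destination may
    be any account, since paying a third party is the intended feature.
    """
    src = ACCOUNTS.get(from_account)
    if src is None or src.owner != current_user:
        raise Forbidden("source account is not owned by the caller")
    if amount <= 0 or amount > src.balance:
        raise ValueError("invalid amount")
    dst = ACCOUNTS.get(to_account)
    if dst is None:
        raise ValueError("unknown destination account")
    src.balance -= amount
    dst.balance += amount
    return src.balance


def get_invoice_hardened(current_user, invoice_number):
    """Read access needs the same scoping: key plus owner, not key alone."""
    inv = INVOICES.get(invoice_number)
    if inv is None or inv.customer != current_user:
        raise Forbidden("invoice is not visible to the caller")
    return inv


def is_forbidden(fn, *args):
    """True if calling fn(*args) is refused with Forbidden (used by the demo)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # mallory cannot debit alice's account through the hardened handler...
    print(is_forbidden(transfer_hardened, "mallory", "325365436", "473846376", 100.0))
    # ...but the vulnerable handler lets her drain it.
    print(transfer_vulnerable("mallory", "325365436", "473846376", 400.0))
```

The hardened handler deliberately returns the same `Forbidden` for "no such account" and "not your account", so an attacker iterating over account numbers learns nothing from the response.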
Java Regex Usage Example
Example validating the parameter “zip” using a regular expression.
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Anchored pattern: exactly 5 digits, optionally a hyphen and 4 more (ZIP+4).
private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
    try {
        String zipCode = request.getParameter("zip");
        // getParameter() returns null when the parameter is absent; reject that too
        if (zipCode == null || !zipPattern.matcher(zipCode).matches()) {
            throw new YourValidationException("Improper zipcode format.");
        }
        // .. do what you want here, after it has been validated ..
    } catch (YourValidationException e) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
    }
}
OWASP XSS Cheat Sheet
OWASP AntiSamy
•  OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant with the application's rules.
   –  API plus implementations
   –  Java, .NET, ColdFusion, PHP (HTMLPurifier)
•  Benefits
   –  It helps you ensure that clients don't supply malicious code into your application
   –  A safer way to allow rich content from an application's users
http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
OWASP CSRFGuard
•  OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated.
   –  Java, .NET and PHP implementations
   –  CSRF is considered the app sec sleeping giant
•  Benefits
   –  Provides code to generate unique request tokens to mitigate CSRF risks
http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
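The mechanism behind the slide's "request tokens", as an added example: this is not CSRFGuard's code, just the synchronizer-token pattern it implements, written out so the check is visible. The session store, the request dicts, and the field name `OWASP_CSRFTOKEN` are assumptions made for the demo. The defence rests on one fact: the browser attaches the session cookie to a cross-site POST automatically, but the attacker's page cannot read a token that only appears in pages rendered for the victim's session.

```python
"""Synchronizer (anti-CSRF) request tokens, in the style CSRFGuard applies.

Added example for the CSRFGuard slide; it is not the project's code. The
session store, the request dicts and the field name OWASP_CSRFTOKEN are
assumptions made for the demo.
"""
import hmac
import secrets

TOKEN_FIELD = "OWASP_CSRFTOKEN"   # assumed form-field / header name
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


class SessionStore:
    """Minimal server-side session store keyed by an opaque session id."""

    def __init__(self):
        self._sessions = {}

    def new_session(self, user):
        sid = secrets.token_urlsafe(32)
        # Token from a CSPRNG, held server-side and bound to this session only.
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def render_form(store, sid):
    """Embed the session's token as a hidden field in a state-changing form."""
    sess = store.get(sid)
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{sess["csrf"]}">'
            '</form>')


def verify_request(store, request):
    """Allow the request only if it carries the token of its own session.

    request: dict with 'method', 'cookies' (session id under 'session') and
    optionally 'form' and 'headers'. Safe methods are exempt; anything else
    must present the token by form field or header. Comparison is
    constant-time so the token cannot be recovered byte by byte.
    """
    if request["method"] in SAFE_METHODS:
        return True
    sess = store.get(request.get("cookies", {}).get("session", ""))
    if sess is None:
        return False
    supplied = (request.get("form", {}).get(TOKEN_FIELD)
                or request.get("headers", {}).get(TOKEN_FIELD))
    if not supplied:
        return False
    return hmac.compare_digest(sess["csrf"], supplied)
```

A token from a different session is rejected just like a missing one; that is what makes the token a proof of "this request was built from a page I rendered for you", not merely "a token exists".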
SECURITY TESTING
Testing insecurities before your adversaries do
Threat Modeling provides targeted scope
•  Purpose: identify possible threat agents, threat motives, vulnerabilities in infrastructure, attack patterns, and possible countermeasures
•  Risk Centric (PASTA: Process for Attack Simulation & Threat Analysis) – http://versprite.com/docs/PASTA_Abstract.pdf
•  Security Centric (e.g. STRIDE threat categorization)
•  Software Centric – Microsoft Threat Modeling Tool: http://www.microsoft.com/en-us/download/details.aspx?id=42518
•  Some free solutions
   –  Seasponge – http://mozilla.github.io/seasponge/#/draw
   –  Octotrike – http://octotrike.org/
OWASP ASVS - Security Assurance Methodology
•  The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications.
   –  Covers automated and manual approaches for external testing and code review techniques
   –  Recently created and already adopted by several companies and government agencies
•  Benefits
   –  Standardizes the coverage and level of rigor used to perform app sec assessments
   –  Allows for better comparisons
http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
OWASP Top Ten
•  The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are.
   –  Adopted by the Payment Card Industry (PCI)
   –  Recommended as a best practice by many government and industry entities
•  Benefits
   –  Powerful awareness document for web application security
   –  Great starting point and reference for developers
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Prescriptive Advice for Testing
•  Simplify!!!
•  Create a roadmap
•  Standardize testing
•  Follow a methodology!!!
•  Metrics are actually important. Really.
•  Tools.
Sqlmap.py – Test for the dreaded SQLi
•  Use in conjunction with Burp or Zed Attack Proxy.
•  Capture the POST request to the web site via the proxy.
•  Copy the POST request to a text file (sqlmap reads it with -r <file>).
•  http://sqlmap.org/
Static Analysis Options for Source Code Reviews
Product | License | Type | Languages | Features
FxCop [4] | Open Source, MS-PL | VS plugin | .NET | Security-specific static analysis; UI built into Visual Studio
RIPS [7] | Open Source, GPL | Standalone | PHP | Professional user interface; security-specific analysis
FlawFinder [19] | Open Source, GPL | Standalone, text-based | C/C++ | Security-specific analysis (injections, overflows, etc.); dangerous function analysis
PreFast [20] | Open Source, MS-PL | VS plugin | C++ | General static analysis; UI built into Visual Studio
BrakeMan [21] | Open Source, MIT | Standalone, text-based | Ruby | Security-specific analysis; strong following
FlawFinder
•  Works on C/C++ source code.
•  Console-based and specifically targets security vulnerabilities.
•  Uses a built-in database of C/C++ functions with well-known problems, such as "buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random())". [19]
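To make concrete what "a built-in database of dangerous functions" means in practice, here is an added example of a lexical scan of the kind FlawFinder performs. It is not FlawFinder's own code: the real tool's rule set is far larger and ranks each hit by risk level, while this one only reports the call, its category and a safer alternative. The C snippet, the `DANGEROUS` table and the function names are constructed for the demo.

```python
"""A FlawFinder-style lexical scan of C source for dangerous calls.

Added example to show how a dangerous-function database is applied; this is
not FlawFinder's code (its rule set is far larger and assigns risk levels).
The DANGEROUS table and the C snippet are constructed for the demo.
"""
import re

# function name -> (category, safer alternative or note)
DANGEROUS = {
    "strcpy": ("buffer overflow", "strlcpy/strncpy with explicit size, or snprintf"),
    "strcat": ("buffer overflow", "strlcat or snprintf"),
    "gets": ("buffer overflow", "fgets with a bounded length"),
    "sprintf": ("buffer overflow", "snprintf"),
    "scanf": ("buffer overflow", "width-limited format, or fgets then parse"),
    "printf": ("format string", "pass user data as an argument, never as the format"),
    "syslog": ("format string", "syslog(LOG_x, \"%s\", msg)"),
    "access": ("race condition (TOCTOU)", "open, then check the descriptor with fstat"),
    "tmpnam": ("race condition", "mkstemp"),
    "mktemp": ("race condition", "mkstemp"),
    "system": ("shell metacharacters", "execve with an argv, no shell"),
    "popen": ("shell metacharacters", "fork/exec or posix_spawn"),
    "random": ("weak randomness", "getrandom/arc4random for security use"),
}

# A call is one of the names followed by '('. The lookbehind keeps
# my_strcpy( or srandom( from matching the shorter name inside them.
_CALL = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, DANGEROUS)) + r")\s*\(")
_LINE_COMMENT = re.compile(r"//.*$")
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')


def scan(source):
    """Return (line_no, function, category, advice) for each suspicious call.

    Comments and string literals are blanked first so a name mentioned in
    prose is not reported. This is lexical, not a parse: a '//' inside a
    string literal, for instance, would still be treated as a comment.
    """
    hits = []
    in_block_comment = False
    for no, raw in enumerate(source.splitlines(), start=1):
        line = raw
        if in_block_comment:
            if "*/" not in line:
                continue
            line = line.split("*/", 1)[1]
            in_block_comment = False
        if "/*" in line:
            head, tail = line.split("/*", 1)
            if "*/" in tail:
                line = head + tail.split("*/", 1)[1]
            else:
                line = head
                in_block_comment = True
        line = _LINE_COMMENT.sub("", line)
        line = _STRING.sub('""', line)
        for m in _CALL.finditer(line):
            name = m.group(1)
            category, advice = DANGEROUS[name]
            hits.append((no, name, category, advice))
    return hits


# Constructed C snippet exercising hits, a near-miss and names inside text.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
/* copy the user name into a fixed buffer */
void greet(const char *user) {
    char buf[32];
    strcpy(buf, user);            // unbounded copy: overflow if user > 31 bytes
    printf(user);                 // user data used as the format string
    my_strcpy(buf, user);         // not in the database, must not be flagged
    puts("strcpy(in a string literal) is not a call");
    system("ls");  /* shell */
}
'''

if __name__ == "__main__":
    for line_no, fn, category, advice in scan(SAMPLE_C):
        print(f"line {line_no}: {fn}() [{category}] -> {advice}")
```

Every `printf` call is reported, including ones with a constant format, which is the trade-off of a purely lexical scanner; FlawFinder lowers the risk level in that case rather than staying silent.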
RIPS
•  Written in PHP, and for PHP specifically, to find vulnerabilities.
•  Can create a program model of the source code.
•  Detects vulnerable functions (sinks) that can be reached by malicious user input.
•  An audit framework is provided for further analysis, IDE-style.
•  Detects XSS, SQL Injection, LFI/RFI, and RCE vulnerabilities.
Real Time Code Coverage during Black Box Testing
Follow your #blackbox web testing efforts with source code weakness #visualization:
https://www.owasp.org/index.php/OWASP_Code_Pulse_Project #POSSCON #OWASP
SPARTA v1.0.2 Network Infra Testing
•  Run nmap from SPARTA or import nmap XML output.
•  Transparent staged nmap: get results quickly and achieve thorough coverage.
•  Configurable context menu for each service. You can configure what to run on discovered services. Any tool that can be run from a terminal can be run from SPARTA.
•  You can run any script or tool on a service across all the hosts in scope, just with a click of the mouse.
•  Define automated tasks for services (i.e. run nikto on every HTTP service, or sslscan on every SSL service).
•  Default credentials check for most common services. Of course, this can also be configured to run automatically.
•  Identify password reuse on the tested infrastructure. If any usernames/passwords are found by Hydra they are stored in internal wordlists which can then be used on other targets in the same network (breaking news: sysadmins reuse passwords).
•  Ability to mark hosts that you have already worked on so that you don't waste time looking at them again.
•  Website screenshot taker so that you don't waste time on less interesting web servers.
Weeding out Bad Hash
•  Bad hashes have plagued news in recent #breaches. Validate your #hash: http://code.google.com/p/hash-identifier/ #appsec
•  Hash ID: Python-based hash validator (identifies the likely algorithm from the digest's format and length)
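The "bad hash" in those breach stories is almost always a raw, unsalted MD5 or SHA-1 of the password, and the fastest way to spot it in a dump or your own user table is the shape of the stored string. The following is an added example of that identification, written here to illustrate the slide; it is not hash-identifier's code, and its tables are a small subset of what that tool knows. The sample rows are constructed (hashlib over the string `password` plus a made-up bcrypt-shaped string), not data from any breach.

```python
"""Identify a stored password-hash format and flag the ones unfit for passwords.

Added example for the 'Weeding out Bad Hash' slide; it is not
hash-identifier's own code, and its tables are a small subset of what that
tool knows. Sample rows are constructed, not data from any breach.
"""
import hashlib
import re

# Modular-crypt / PHC prefixes -> (algorithm, acceptable for password storage?)
PREFIXED = {
    "$argon2id$": ("Argon2id", True),
    "$argon2i$": ("Argon2i", True),
    "$2a$": ("bcrypt", True),
    "$2b$": ("bcrypt", True),
    "$2y$": ("bcrypt", True),
    "$6$": ("sha512crypt", True),
    "$5$": ("sha256crypt", True),
    "$1$": ("md5crypt", False),   # salted, but fast and MD5-based
}

# Raw hex digest length -> candidate algorithms. Ambiguity is inherent (the
# real tool lists candidates too). None of these is acceptable for passwords:
# they are unsalted and fast, so offline cracking is cheap.
HEX_CANDIDATES = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256", "SHA3-256"],
    96: ["SHA-384"],
    128: ["SHA-512", "SHA3-512"],
}

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def identify(stored):
    """Return (candidate algorithms, safe_for_passwords) for one stored hash."""
    for prefix, (name, safe) in PREFIXED.items():
        if stored.startswith(prefix):
            return [name], safe
    if _HEX.match(stored) and len(stored) in HEX_CANDIDATES:
        return list(HEX_CANDIDATES[len(stored)]), False
    return ["unknown"], False


def audit(rows):
    """From (username, stored_hash) rows, return (username, best guess) for unsafe ones."""
    bad = []
    for user, stored in rows:
        candidates, safe = identify(stored)
        if not safe:
            bad.append((user, candidates[0]))
    return bad


# Constructed sample user table.
SAMPLE_ROWS = [
    ("alice", hashlib.md5(b"password").hexdigest()),
    ("bob", hashlib.sha1(b"password").hexdigest()),
    ("carol", "$2b$12$" + "a" * 53),       # bcrypt-shaped placeholder, not a real hash
    ("dave", hashlib.sha256(b"password").hexdigest()),
]

if __name__ == "__main__":
    for user, guess in audit(SAMPLE_ROWS):
        print(f"{user}: {guess} is not a password hash; migrate on next login")
```

A 64-character hex string is "SHA-256" as far as the format tells you, but for password storage the exact algorithm is beside the point: anything in `HEX_CANDIDATES` is a fast unsalted digest and belongs on the migration list.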
The Zed Attack Proxy
•  Released September 2010
•  Ease of use a priority
•  Comprehensive help pages
•  Free, Open source
•  Cross platform
•  A fork of the well regarded Paros Proxy
•  Involvement actively encouraged
•  Adopted by OWASP October 2010
ZAP Overview
•  ZAP is:
   –  Easy to use (for a web app pentest tool ;)
   –  Ideal for appsec newcomers
   –  Ideal for training courses
   –  Being used by professional pen testers
   –  Easy to contribute to (and please do!)
   –  Improving rapidly
The Main Features
•  All the essentials for web application testing:
   –  Intercepting Proxy
   –  Active and Passive Scanners
   –  Spider
   –  Report Generation
   –  Brute Force (using OWASP DirBuster code)
   –  Fuzzing (using OWASP JBroFuzz code)
The Additional Features
•  Auto tagging
•  Port scanner
•  Smart card support
•  Session comparison
•  Invoke external apps
•  BeanShell integration
•  API + headless mode
•  Dynamic SSL certificates
•  Anti-CSRF token handling
ZAP Test Drive (Demo)
ZAP Summary
•  ZAP has:
   –  An active development community
   –  An international user base
   –  The potential to reach people new to OWASP and appsec, especially developers and functional testers
•  ZAP is a key OWASP project
•  Security Tool of the Year 2013
BurpSuite
•  Enhance scanners to detect more vulnerabilities
•  Extend API, better integration
•  Fuzzing analysis
•  Easier to use, better help
•  More localization
(all offers gratefully received!)
•  Parameter analysis?
•  Technology detection?
INCIDENT RESPONSE
Knowing what to do during a fire is more
important than the right tool(s)
Adopt a Robust Incident Response Framework
•  NIST SP 800-61r2, Computer Security Incident Handling Guide
   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
•  Check your firewall vendors' security pages for default-DENY configuration guidance
•  NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response
   http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
•  NIST SP 800-94 rev1 (draft), Guide to Intrusion Detection and Prevention Systems (IDPS)
   http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
Autopsy & The Sleuth Kit
OSSEC – Host IDS (HIDS)
•  Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
TAKE-AWAYS
Only cost of security implementation is time and resources.
A Word on OpenSource Adoption
1.  Define scope of adoption
    a.  Driven by _ _ _ _ _ _ _ (impact, criticality, etc.)
    b.  Use cases / abuse cases
    c.  Architecture
2.  Set up controlled adoption
3.  Test, decompile, review
4.  Become involved in dev forums
More Tools
•  SET – Social Engineering Toolkit
   http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)
•  BeEF – Browser Exploitation Framework
   http://www.bindshell.net/tools/beef.html
•  Metasploit – http://www.metasploit.com/
•  Kali – http://www.kali.org/
•  Burp – http://portswigger.net/burp/
•  Recon-ng – full-featured web recon framework that is text-based and written in Python
   https://bitbucket.org/LaNMaSteR53/recon-ng
•  Twitter? Yes, Twitter, second to Google, is a hacker's paradise
Closing Thoughts
•  Leverage open source resources to INFLUENCE your security program development / management
•  Do NOT make your security program free and open; keep it close to the vest
•  Keeping abreast of security news is a must – ever-changing threat landscape
•  Tell management that security is a process, not a one-time mountain climb. Keeping executive support for security is the most important thing for the longevity of your security program.
•  Learn how to measure and improve your security program using metrics over time.
Thanks!
Follow us/me on Twitter: @versprite @t0nyuv
Blog: www.versprite.com/og

Owasp top 10 2013 - rc1
Owasp top 10   2013 - rc1Owasp top 10   2013 - rc1
Owasp top 10 2013 - rc1
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
Owasp o
Owasp oOwasp o
Owasp o
 
Null singapore - Mobile Security Essentials
Null singapore - Mobile Security EssentialsNull singapore - Mobile Security Essentials
Null singapore - Mobile Security Essentials
 
Owasp top 10
Owasp top 10  Owasp top 10
Owasp top 10
 
Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 

Mehr von POSSCON

Why Meteor.JS?
Why Meteor.JS?Why Meteor.JS?
Why Meteor.JS?POSSCON
 
Vagrant 101
Vagrant 101Vagrant 101
Vagrant 101POSSCON
 
Tools for Open Source Systems Administration
Tools for Open Source Systems AdministrationTools for Open Source Systems Administration
Tools for Open Source Systems AdministrationPOSSCON
 
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...POSSCON
 
Accelerating Application Delivery with OpenShift
Accelerating Application Delivery with OpenShiftAccelerating Application Delivery with OpenShift
Accelerating Application Delivery with OpenShiftPOSSCON
 
Openstack 101
Openstack 101Openstack 101
Openstack 101POSSCON
 
Community Building: The Open Source Way
Community Building: The Open Source WayCommunity Building: The Open Source Way
Community Building: The Open Source WayPOSSCON
 
I Know It Was MEAN, But I Cut the Cord to LAMP Anyway
I Know It Was MEAN, But I Cut the Cord to LAMP AnywayI Know It Was MEAN, But I Cut the Cord to LAMP Anyway
I Know It Was MEAN, But I Cut the Cord to LAMP AnywayPOSSCON
 
Software Defined Networking (SDN) for the Datacenter
Software Defined Networking (SDN) for the DatacenterSoftware Defined Networking (SDN) for the Datacenter
Software Defined Networking (SDN) for the DatacenterPOSSCON
 
Why Your Open Source Story Matters
Why Your Open Source Story MattersWhy Your Open Source Story Matters
Why Your Open Source Story MattersPOSSCON
 
How YARN Enables Multiple Data Processing Engines in Hadoop
How YARN Enables Multiple Data Processing Engines in HadoopHow YARN Enables Multiple Data Processing Engines in Hadoop
How YARN Enables Multiple Data Processing Engines in HadoopPOSSCON
 
Google Summer of Code
Google Summer of CodeGoogle Summer of Code
Google Summer of CodePOSSCON
 
Introduction to Hadoop
Introduction to HadoopIntroduction to Hadoop
Introduction to HadoopPOSSCON
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...POSSCON
 
Cyber Security and Open Source
Cyber Security and Open SourceCyber Security and Open Source
Cyber Security and Open SourcePOSSCON
 
Intro to AngularJS
Intro to AngularJSIntro to AngularJS
Intro to AngularJSPOSSCON
 
Docker 101: An Introduction
Docker 101: An IntroductionDocker 101: An Introduction
Docker 101: An IntroductionPOSSCON
 
Graph the Planet!
Graph the Planet!Graph the Planet!
Graph the Planet!POSSCON
 
Software Freedom Licensing: What You Must Know
Software Freedom Licensing: What You Must KnowSoftware Freedom Licensing: What You Must Know
Software Freedom Licensing: What You Must KnowPOSSCON
 
Contributing to an Open Source Project 101
Contributing to an Open Source Project 101Contributing to an Open Source Project 101
Contributing to an Open Source Project 101POSSCON
 

Mehr von POSSCON (20)

Why Meteor.JS?
Why Meteor.JS?Why Meteor.JS?
Why Meteor.JS?
 
Vagrant 101
Vagrant 101Vagrant 101
Vagrant 101
 
Tools for Open Source Systems Administration
Tools for Open Source Systems AdministrationTools for Open Source Systems Administration
Tools for Open Source Systems Administration
 
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou...
 
Accelerating Application Delivery with OpenShift
Accelerating Application Delivery with OpenShiftAccelerating Application Delivery with OpenShift
Accelerating Application Delivery with OpenShift
 
Openstack 101
Openstack 101Openstack 101
Openstack 101
 
Community Building: The Open Source Way
Community Building: The Open Source WayCommunity Building: The Open Source Way
Community Building: The Open Source Way
 
I Know It Was MEAN, But I Cut the Cord to LAMP Anyway
I Know It Was MEAN, But I Cut the Cord to LAMP AnywayI Know It Was MEAN, But I Cut the Cord to LAMP Anyway
I Know It Was MEAN, But I Cut the Cord to LAMP Anyway
 
Software Defined Networking (SDN) for the Datacenter
Software Defined Networking (SDN) for the DatacenterSoftware Defined Networking (SDN) for the Datacenter
Software Defined Networking (SDN) for the Datacenter
 
Why Your Open Source Story Matters
Why Your Open Source Story MattersWhy Your Open Source Story Matters
Why Your Open Source Story Matters
 
How YARN Enables Multiple Data Processing Engines in Hadoop
How YARN Enables Multiple Data Processing Engines in HadoopHow YARN Enables Multiple Data Processing Engines in Hadoop
How YARN Enables Multiple Data Processing Engines in Hadoop
 
Google Summer of Code
Google Summer of CodeGoogle Summer of Code
Google Summer of Code
 
Introduction to Hadoop
Introduction to HadoopIntroduction to Hadoop
Introduction to Hadoop
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
 
Cyber Security and Open Source
Cyber Security and Open SourceCyber Security and Open Source
Cyber Security and Open Source
 
Intro to AngularJS
Intro to AngularJSIntro to AngularJS
Intro to AngularJS
 
Docker 101: An Introduction
Docker 101: An IntroductionDocker 101: An Introduction
Docker 101: An Introduction
 
Graph the Planet!
Graph the Planet!Graph the Planet!
Graph the Planet!
 
Software Freedom Licensing: What You Must Know
Software Freedom Licensing: What You Must KnowSoftware Freedom Licensing: What You Must Know
Software Freedom Licensing: What You Must Know
 
Contributing to an Open Source Project 101
Contributing to an Open Source Project 101Contributing to an Open Source Project 101
Contributing to an Open Source Project 101
 

Kürzlich hochgeladen

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 

Kürzlich hochgeladen (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Application Security on a Dime: A Practical Guide to Using Functional Open Source Tools to Test, Validate, Harden Code, Systems, and Even People

  • 10. A BIT ABOUT OWASP: Open Web Application Security Project
  • 13. Intro to OWASP: Open Web Application Security Project. Community driven; 11 years old. Dedicated to openness of all content & materials. International community focused on AppSec. Cross-cultural, cross-industry challenges exposed and addressed. Massively supportive and responsive. Follow @OWASP
  • 16. Unless you have this appear on all your servers…
  • 17. …governance is the better starting point. Security Governance: provides structure to a security program. Operations: makes security actionable, but can be a known black hole for security $$$. Risk Management: everyone's security threat is not yours; don't believe the FUD, make risk-based security decisions. Compliance: although a key business driver, don't let Compliance eclipse Security. #POSSCON
  • 18. Policies, Standards, Guidelines: Policies provide accountability. Standards govern technology. Guidelines provide "best practices". Together they form a framework for enterprise operations and create a baseline of what is 'secure' and 'acceptable' in terms of risk.
  • 19. Each Security Component Can Warrant Governance {Program}
      Governance: NIST 800-100, NIST 800-39, OpenSAMM
      Incident Response: NIST 800-53r4, NIST 800-61r2, NIST CSF
      Secure Development: NIST 800-100, NIST 800-39, OpenSAMM
      Security Testing: OWASP ASVS, OWASP Testing Guide v4, PTES
      Security Awareness: mostly tool based
  • 20. OWASP Open SAMM: The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. Benefits: evaluate your organization's existing software security practices; build a balanced software security program in well-defined iterations; demonstrate concrete improvements. http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
  • 22. Wide Scope Covered by OpenSAMM: supports a security plan or roadmap; establish governance; perform assessments; test and report; enhance security operations; build an S-SDLC initiative; measures success and shortcomings; provides metrics for reporting. http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
  • 24. OpenSAMM Key Links. Main link to the OpenSAMM gateway of resources: https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model. Latest on the global initiative: https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
  • 25. SECURE CODING & SECURITY ARCHITECTURE Simple considerations of secure coding & security architecture can lay a foundation of security for your development efforts.
  • 27. OWASP Developer Cheat Sheets: Clickjacking Defense; C-Based Toolchain Hardening; Cross-Site Request Forgery (CSRF) Prevention; Cryptographic Storage; DOM based XSS Prevention; Forgot Password; HTML5 Security; Input Validation; JAAS; Logging; .NET Security; OWASP Top Ten; Password Storage; Pinning; Query Parameterization; Ruby on Rails; REST Security; Session Management; SQL Injection Prevention; Transport Layer Protection; Unvalidated Redirects and Forwards; User Privacy Protection; Web Service Security; XSS (Cross Site Scripting) Prevention; Attack Surface Analysis; XSS Filter Evasion; REST Assessment; iOS Developer; Mobile Jailbreaking. OpSec Cheat Sheets (Defender): Virtual Patching.
  • 29. OWASP Developer References
      Educate: OWASP WebGoat (exercise successful implementation of OWASP countermeasures); OWASP Top Ten (ranks top web app related risks; serves as a good scope for initial testing)
      Develop: OWASP Code Review Guide (methodology for source code reviews); OWASP Development Guide (establishes a process for secure development efforts across various SDLCs); OWASP Cheat Sheet Series; OWASP countermeasures (OWASP CSRFGuard, OWASP AntiSamy)
      Test: OWASP Zed Attack Proxy (test against the OWASP Top Ten; use in conformance to the Testing Guide); OWASP YASCA (leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan)
  • 31. OWASP Cheat Sheet Snippet
      Insecure Direct Object References: It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys: https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376 In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe. https://example.com/invoice/2362365 In this case, it would be possible to get a copy of all invoices. Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010.
      Java Regex Usage Example: validating the parameter "zip" using a regular expression.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ZipServlet extends HttpServlet {
    // Five-digit US ZIP with an optional "-NNNN" extension; anchored so the whole value must match.
    private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        try {
            String zipCode = request.getParameter("zip");
            // getParameter() returns null when the parameter is absent; treat that as invalid too.
            if (zipCode == null || !zipPattern.matcher(zipCode).matches()) {
                throw new YourValidationException("Improper zipcode format.");
            }
            // .. do what you want here, after it has been validated ..
        } catch (YourValidationException e) {
            // YourValidationException is the application's own checked exception type.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
        }
    }
}
```
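The transfer URL quoted in the cheat sheet snippet, as an added example that is not part of the slide deck or the OWASP cheat sheet: the handler first with the insecure direct object reference and then with the ownership check that closes it. The account numbers, user names and balances are constructed sample data; the dict-based ledger stands in for whatever data store the real service uses.

```python
# Added example (not from the slide or the OWASP cheat sheet): the transfer
# endpoint quoted above, first with the insecure direct object reference and
# then with the ownership check that closes it. Account numbers, user names
# and balances are constructed sample data.
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    owner: str      # user id of the account holder
    balance: int    # whole currency units


class AuthorizationError(Exception):
    pass


def make_accounts():
    """Fresh copy of the sample ledger so each scenario starts from the same state."""
    return {
        "325365436": Account("325365436", "alice", 500),
        "473846376": Account("473846376", "bob", 100),
        "111111111": Account("111111111", "alice", 50),
    }


def transfer_insecure(accounts, current_user, from_acct, to_acct, amount):
    """Vulnerable: the account id comes straight from the URL and nobody checks
    that current_user owns it, so any logged-in user can drain any account."""
    src, dst = accounts[from_acct], accounts[to_acct]
    if amount <= 0 or src.balance < amount:
        raise ValueError("insufficient funds")
    src.balance -= amount
    dst.balance += amount
    return src.balance


def transfer_secure(accounts, current_user, from_acct, to_acct, amount):
    """Hardened: the source account must belong to the authenticated user.
    A missing account and a foreign account produce the same error so the
    endpoint does not confirm which account numbers exist."""
    src = accounts.get(from_acct)
    if src is None or src.owner != current_user:
        raise AuthorizationError("account not found")
    dst = accounts.get(to_acct)
    if dst is None:
        raise ValueError("destination not found")
    if amount <= 0 or src.balance < amount:
        raise ValueError("insufficient funds")
    src.balance -= amount
    dst.balance += amount
    return src.balance


def demo():
    """Bob, logged in as himself, sends the quoted URL with Alice's account as the source."""
    insecure, secure = make_accounts(), make_accounts()
    alice_after_attack = transfer_insecure(insecure, "bob", "325365436", "473846376", 100)
    try:
        transfer_secure(secure, "bob", "325365436", "473846376", 100)
        blocked = False
    except AuthorizationError:
        blocked = True
    return {
        "insecure_alice_balance": alice_after_attack,          # 400: Bob moved Alice's money
        "secure_blocked": blocked,                             # True
        "secure_alice_balance": secure["325365436"].balance,   # 500: untouched
    }


if __name__ == "__main__":
    print(demo())
```

The point of the snippet's "not even a random token makes this safe" is visible here: the fix is not a harder-to-guess account number but a check that ties the object to the caller's identity on every request.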
  • 33. OWASP AntiSamy: OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant within the application's rules. API plus implementations: Java, .NET, ColdFusion, PHP (HTMLPurifier). Benefits: it helps you ensure that clients don't supply malicious code into your application; a safer way to allow rich content from an application's users. http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
  • 34. OWASP CSRFGuard: OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated. Java, .NET and PHP implementations. CSRF is considered the app sec sleeping giant. Benefits: provides code to generate unique request tokens to mitigate CSRF risks. http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
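The synchronizer-token pattern that CSRFGuard implements, as an added example that is not CSRFGuard's code or any code from the slides: one unguessable token per session, embedded in the application's own forms and checked on every state-changing request. The field name "csrf_token" and the dict standing in for the session store are assumptions.

```python
# Added example (not CSRFGuard's code): the synchronizer-token pattern that
# CSRFGuard implements for Java, written out in Python so the check is visible.
# The field name "csrf_token" and the dict-based session are assumptions.
import hmac
import secrets

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN_FIELD = "csrf_token"


def issue_token(session):
    """One unguessable token per session, stored server-side and embedded in
    every form (hidden field) or sent back in a header by the app's own JS."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def verify_request(session, method, form):
    """True if the request may proceed. Safe methods pass; state-changing
    methods must carry the session's token. compare_digest keeps the
    comparison constant-time so timing does not leak the token."""
    if method.upper() not in STATE_CHANGING:
        return True
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo():
    """A forged cross-site request rides on the victim's cookies (so `session`
    is the victim's) but the attacking page cannot read her token."""
    victim = {"user": "alice"}
    token = issue_token(victim)
    return {
        "legit": verify_request(victim, "POST", {"amount": "100", TOKEN_FIELD: token}),
        "forged_no_token": verify_request(victim, "POST", {"amount": "100"}),
        "forged_guess": verify_request(victim, "POST",
                                       {"amount": "100", TOKEN_FIELD: secrets.token_urlsafe(32)}),
        "safe_get": verify_request(victim, "GET", {}),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the pattern depends on: GET handlers must never change state (the check lets them through untokened), and the token must be bound to the session rather than being an application-wide constant, otherwise the attacker's own session hands them a valid value.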
  • 35. SECURITY TESTING Testing insecurities before your adversaries do
  • 36. Threat Modeling provides targeted scope. Purpose: identify possible threat agents, threat motives, vulnerabilities in infrastructure, attack patterns, and possible countermeasures. Some free solutions: Risk Centric (Process for Attack Simulation & Threat Analysis, PASTA) http://versprite.com/docs/PASTA_Abstract.pdf; Security Centric (e.g. STRIDE threat categorization); Software Centric (Microsoft Threat Modeling Tool) http://www.microsoft.com/en-us/download/details.aspx?id=42518
  • 39. OWASP ASVS - Security Assurance Methodology: The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications. Covers automated and manual approaches for external testing and code review techniques. Recently created and already adopted by several companies and government agencies. Benefits: standardizes the coverage and level of rigor used to perform app sec assessments; allows for better comparisons. http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
  • 40. OWASP Top Ten: The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are. Adopted by the Payment Card Industry (PCI). Recommended as a best practice by many government and industry entities. Benefits: powerful awareness document for web application security; great starting point and reference for developers. http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • 41. Prescriptive Advice for Testing: Simplify!!! Create a roadmap. Standardize testing. Follow a methodology!!! Metrics are actually important. Really. Tools.
  • 44. sqlmap.py – Test for the dreaded SQLi. Use in conjunction with Burp or Zed Attack Proxy: capture the POST request to the web site via the proxy, copy the POST request to a text file, and hand that file to sqlmap. http://sqlmap.org/
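What sqlmap is probing for when it replays that captured POST, as an added example that is not sqlmap's code or anything from the slides: a string-built query beside its parameterized replacement, run against a constructed in-memory SQLite table. The user rows and the payload are made up; the tautology payload is the kind of boolean test a manual tester or sqlmap tries first.

```python
# Added example (not sqlmap's code): the defect sqlmap probes for, shown as a
# string-built query beside its parameterized replacement, against a
# constructed in-memory SQLite table. The users and the payload are made up.
import sqlite3

# Close the quote, add a tautology: the classic boolean-based probe.
PAYLOAD = "' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2"), ("carol", "h3")])
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the value is spliced into the SQL text, so quotes in it change the query."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, username):
    """Fixed: a bound parameter travels outside the SQL text and is only ever data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo():
    conn = make_db()
    return {
        "vuln_normal": find_user_vulnerable(conn, "alice"),    # ['alice']
        "vuln_payload": find_user_vulnerable(conn, PAYLOAD),   # every row comes back
        "safe_normal": find_user_safe(conn, "alice"),          # ['alice']
        "safe_payload": find_user_safe(conn, PAYLOAD),         # [] : no user has that literal name
    }


if __name__ == "__main__":
    print(demo())
```

On the tooling side of the slide: sqlmap reads a request saved from the proxy with its -r option (sqlmap -r request.txt), so the captured POST, cookies and all, is replayed exactly as the browser sent it; the vulnerable function above is the shape of handler that makes that replay succeed.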
  • 47. Static Analysis Options for Source Code Reviews
      Product | License | Type | Languages | Features
      FxCop [4] | Open Source, MS-PL | VS plugin | .NET | Security-specific static analysis; UI built into Visual Studio
      RIPS [7] | Open Source, GPL | Standalone | PHP | Professional user interface; security-specific analysis
      FlawFinder [19] | Open Source, GPL | Standalone, text-based | C/C++ | Security-specific analysis (injections, overflows, etc.); dangerous-function analysis
      PreFast [20] | Open Source, MS-PL | VS plugin | C++ | General static analysis; UI built into Visual Studio
      BrakeMan [21] | Open Source, MIT | Standalone, text-based | Ruby | Security-specific analysis; strong following
  • 48. FlawFinder: works on C/C++ source code. Console-based and specifically targets security vulnerabilities. Uses a built-in database of C/C++ functions "(e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random())" [19].
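The lexical technique behind that function database, as an added example that is not FlawFinder's code: a rule table of risky C calls matched against the source text, run over a constructed C snippet. The rules are a subset of the functions the slide quotes and the reasons are the editor's one-line summaries; the sample shows both the hits a practitioner wants and the false positive a purely lexical scanner cannot avoid.

```python
# Added example (not FlawFinder's code): the lexical technique FlawFinder uses,
# a database of risky C/C++ calls matched against the source text, run over a
# constructed C snippet. The rule list is a subset of the functions the slide
# quotes; the reasons are the editor's summaries.
import re

RULES = {
    "strcpy":  "no bounds check on destination (overflow)",
    "strcat":  "no bounds check on destination (overflow)",
    "gets":    "cannot limit input length; always unsafe",
    "sprintf": "no bounds check on destination (overflow)",
    "scanf":   "%s without a width overflows the buffer",
    "printf":  "format-string risk if the format is attacker-controlled",
    "system":  "shell metacharacters in the argument",
    "popen":   "shell metacharacters in the argument",
    "access":  "check/use race (TOCTOU)",
    "tmpnam":  "predictable temp file name; race",
    "random":  "not a cryptographic random source",
}

# \b stops strncpy/snprintf matching the strcpy/sprintf/printf rules; the
# trailing "(" requires an actual call, not a mention inside another identifier.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")


def strip_comments(src):
    """Blank out /* */ and // comments while preserving line numbers, so a
    commented-out call is not reported. String literals are left in place,
    which is one source of false positives in purely lexical scanners."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def scan(src):
    """Return [(line_number, function, reason)] for every risky call in C source text."""
    hits = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            hits.append((lineno, m.group(1), RULES[m.group(1)]))
    return hits


# Constructed sample input; line 1 is the blank line after the opening quotes.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(int argc, char **argv) {
    char buf[16];
    strcpy(buf, argv[1]);          /* line 7: classic overflow */
    strncpy(buf, argv[1], 15);     /* bounded copy: not flagged */
    // gets(buf);                   commented out: not flagged
    printf(argv[1]);               /* line 10: format string */
    printf("%s\n", buf);           /* line 11: safe use, still flagged: lexical tools cannot tell */
    system(argv[2]);               /* line 12 */
    return 0;
}
'''


if __name__ == "__main__":
    for lineno, func, reason in scan(SAMPLE_C):
        print(f"{lineno}: {func}() - {reason}")
```

Line 11 is the caveat to keep in mind when reading FlawFinder output: the tool sees the call, not the data flow, so a printf with a constant format string is reported with the same confidence as one whose format comes from argv. The value of the lexical approach is speed and zero build requirements, and the price is that every hit still needs a human to confirm it.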
  • 49.
  • 50. RIPS   Written in PHP and for PHP specifically to find vulnerabilities..   Can create a program model of the source code.   Detects vulnerable functions (sinks) that can be utilized by malicious user-input.  Audit framework is provided for further analysis in an IDE-style.   Detects XSS, SQL Injection, LFI/RFI, and RCE vulnerabilities.
  • 51.
  • 52. Real Time Code Coverage during Black Box Testing Follow  your  #blackbox  web  tes0ng  efforts  with  source  code  weakness  #visualiza0on   h9ps://www.owasp.org/index.php/OWASP_Code_Pulse_Project  #POSSCON  #OWASP  
• 53. SPARTA v1.0.2 Network Infra Testing
  • Run nmap from SPARTA or import nmap XML output.
  • Transparent staged nmap: get results quickly and achieve thorough coverage.
  • Configurable context menu for each service. You can configure what to run on discovered services. Any tool that can be run from a terminal can be run from SPARTA.
  • You can run any script or tool on a service across all the hosts in scope, just with a click of the mouse.
  • Define automated tasks for services (i.e. run nikto on every HTTP service, or sslscan on every SSL service).
  • Default credentials check for most common services. Of course, this can also be configured to run automatically.
  • Identify password reuse on the tested infrastructure. If any usernames/passwords are found by Hydra they are stored in internal wordlists which can then be used on other targets in the same network (breaking news: sysadmins reuse passwords).
  • Ability to mark hosts that you have already worked on so that you don't waste time looking at them again.
  • Website screenshot taker so that you don't waste time on less interesting web servers.
• 54. Weeding out Bad Hash
  Bad hashes have plagued news in recent #breaches. Validate your #hash http://code.google.com/p/hash-identifier/ #appsec
  Hash ID: Python-based hash validator
• 55. The Zed Attack Proxy
  • Released September 2010
  • Ease of use a priority
  • Comprehensive help pages
  • Free, open source
  • Cross platform
  • A fork of the well regarded Paros Proxy
  • Involvement actively encouraged
  • Adopted by OWASP October 2010
• 56. ZAP Overview
  • ZAP is:
    • Easy to use (for a web app pentest tool ;)
    • Ideal for appsec newcomers
    • Ideal for training courses
    • Being used by professional pen testers
    • Easy to contribute to (and please do!)
    • Improving rapidly
• 57. The Main Features
  • All the essentials for web application testing
    • Intercepting Proxy
    • Active and Passive Scanners
    • Spider
    • Report Generation
    • Brute Force (using OWASP DirBuster code)
    • Fuzzing (using OWASP JBroFuzz code)
• 58. The Additional Features
  • Auto tagging
  • Port scanner
  • Smart card support
  • Session comparison
  • Invoke external apps
  • BeanShell integration
  • API + Headless mode
  • Dynamic SSL Certificates
  • Anti CSRF token handling
  • 59. ZAP Test Drive (Demo)
• 60. ZAP Summary
  • ZAP has:
    • An active development community
    • An international user base
    • The potential to reach people new to OWASP and appsec, especially developers and functional testers
  • ZAP is a key OWASP project
  • Security Tool of the Year 2013
• 61. BurpSuite
  • Enhance scanners to detect more vulnerabilities
  • Extend API, better integration
  • Fuzzing analysis
  • Easier to use, better help
  • More localization (all offers gratefully received!)
  • Parameter analysis?
  • Technology detection?
  • 62. INCIDENT RESPONSE Knowing what to do during a fire is more important than the right tool(s)
• 63. Adopt a Robust Incident Response Framework
  • Computer Security Incident Handling Guide: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
  • Check the security pages of the respective firewall vendors on default DENY security configuration
  • Integrating Forensic Analysis into Incident Handling: http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
  • Guide to IDS Management: http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
• 68. OSSEC – Host IDS (HIDS)
  • performs log analysis
  • file integrity checking
  • policy monitoring
  • rootkit detection
  • real-time alerting
  • active response
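As an added example (not OSSEC's own code or rule syntax), the logic behind a threshold-based failed-login rule of the kind OSSEC's log analysis and active response build on; the sshd log lines are constructed, and the source-table size and threshold are assumptions:

```c
/* Added example, not OSSEC's own code: a threshold rule of the kind OSSEC's
 * log analysis uses, counting sshd "Failed password" lines per source address
 * and firing one alert when a source reaches the (assumed) threshold. */
#include <stddef.h>
#include <string.h>
#define MAX_SRC 16          /* sources tracked per run (assumed limit) */
#define ALERT_THRESHOLD 3   /* failures that trigger an alert (assumed) */
struct src_count { char ip[46]; int failures; };
/* Copy the address after " from " in a "Failed password" line into ip;
 * returns 1 for a failed login, 0 for any other line. */
int parse_failed_login(const char *line, char *ip, size_t ip_len)
{
    const char *p = strstr(line, "Failed password");
    if (p == NULL || (p = strstr(p, " from ")) == NULL) return 0;
    p += 6;                               /* skip " from " */
    size_t n = strcspn(p, " \n");         /* address ends at next space */
    if (n == 0 || n >= ip_len) return 0;
    memcpy(ip, p, n);
    ip[n] = '\0';
    return 1;
}

/* Run the rule over a batch of lines; returns how many source addresses
 * reached ALERT_THRESHOLD, i.e. how many alerts/active responses would fire. */
int count_bruteforce_sources(const char *const *lines, int nlines)
{
    struct src_count table[MAX_SRC];
    int used = 0, alerts = 0, i, j;
    char ip[46];
    for (i = 0; i < nlines; i++) {
        if (!parse_failed_login(lines[i], ip, sizeof ip)) continue;
        j = 0;
        while (j < used && strcmp(table[j].ip, ip) != 0) j++;  /* known? */
        if (j == used) {                      /* new source: add it */
            if (used == MAX_SRC) continue;    /* table full: drop silently */
            strncpy(table[j].ip, ip, sizeof table[j].ip);
            table[j].failures = 0;
            used++;
        }
        if (++table[j].failures == ALERT_THRESHOLD) alerts++;
    }
    return alerts;
}
/* Constructed sample log: 203.0.113.5 fails three times, the rest is noise. */
const char *const SAMPLE_LOG[] = {
    "sshd[101]: Failed password for root from 203.0.113.5 port 4120 ssh2",
    "sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 4121 ssh2",
    "sshd[103]: Accepted password for alice from 198.51.100.7 port 5000 ssh2",
    "sshd[104]: Failed password for root from 203.0.113.5 port 4122 ssh2",
    "sshd[105]: Failed password for root from 198.51.100.9 port 5001 ssh2",
};
```

Over SAMPLE_LOG the rule fires once (for 203.0.113.5); the single failure from 198.51.100.9 stays below the threshold, which is the trade-off OSSEC's frequency and timeframe settings tune.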
• 69. TAKE-AWAYS
  The only cost of security implementation is time and resources.
• 70. A Word on OpenSource Adoption
  1. Define scope of adoption
    1. Driven by _ _ _ _ _ _ _ (impact, criticality, etc.)
    2. Use cases / abuse cases
    3. Architecture
  2. Set up controlled adoption
  3. Test, decompile, review
  4. Become involved in dev forums
• 71. More Tools
  • SET – Social Engineering Toolkit (http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET))
  • BeEF – Browser Exploitation Framework (http://www.bindshell.net/tools/beef.html)
  • Metasploit – http://www.metasploit.com/
  • Kali – http://www.kali.org/
  • Burp – http://portswigger.net/burp/
  • Recon-ng – full-featured web recon framework tool, text-based and written in Python: https://bitbucket.org/LaNMaSteR53/recon-ng
  • Twitter? Yes, Twitter, 2nd to Google, is a hacker's paradise
• 72. Closing Thoughts
  • Leverage open source resources to INFLUENCE your security program development and management
  • Do NOT make your security program free and open; keep it close to the vest
  • Keeping abreast of security news is a must: the threat landscape is ever changing
  • Tell management that security is a process, not a one-time mountain climb. Keeping executive support for security is the most important thing for the longevity of your security program.
  • Learn how to measure and improve your security program using metrics over time.
• 73. Thanks!
  Follow us/me on Twitter: @versprite @t0nyuv
  Blog: www.versprite.com/og