IBM Security Systems
OWASP Top Ten 2013 Update

Diana Kelley
Application Security Strategist

Presented: February 2014

© 2013 IBM Corporation

Agenda

- X-Force Latest Findings
- OWASP and Top Ten Defined
- OWASP Top Ten Web – 2013 Update
  • Changes
  • Impacts
- OWASP Top Ten Mobile
- Making the Most of the OWASP Top Tens
- How IBM Security AppScan can Help
  • Web
  • Mobile


X-Force Latest Findings

X-Force 2013 Findings

XSS and SQLi Still Lead in Web Attacks

OWASP and Top Ten Defined

OWASP Defined

- OWASP – Open Web Application Security Project
  • Our mission is to make software security visible, so that individuals and organizations
    worldwide can make informed decisions about true software security risks.
- Facts
  • Came online December 1, 2001
  • Established as a Not-for-Profit April 21, 2004
  • International organization, over 36,000 global participants
  • Free to participate
  • All materials are available under a free and open software license
  • Vendor neutral
  • Does not endorse or recommend commercial products or services


OWASP Projects

- OWASP runs three types of projects
  • Incubator – experimental projects, ideas are being proven
    (Code, Tools, Documentation)
  • Labs – have produced a deliverable of value
    (Tools, Documentation)
  • Flagship – superior maturity, established quality, and strategic value
    (Code, Tools, Documentation)
- Top 10 is a Flagship, Documentation Project at OWASP

Who Uses the OWASP Top Ten?

- Standards and Practices
  • U.S. Federal Trade Commission recommends that companies use the OWASP Top Ten
    to help prioritize efforts when addressing software risks
    http://www.business.ftc.gov/documents/bus58-security-check-reducing-risks-your-computer-systems
  • PCI DSS 3.0 Requirement 6.5 – for industry best practices and common coding
    vulnerabilities
    https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
- End User Companies Including
  • A.G. Edwards, CitiBank, IBM Global Services, Price Waterhouse Coopers, Samsung,
    The Hartford
    https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=How_Are_Companies-ProjectsVendors_Using_the_OWASP_Top_10
- Application Security Testing Vendors
  • Ex: for compliance reporting in testing tools (spoiler alert: IBM!)

OWASP Top Ten Web

How the Ranking is Done

- The OWASP Top 10 focuses on identifying the most serious risks for a
  broad array of organizations. OWASP provides generic information about
  likelihood and technical impact using this ratings scheme, which is based
  on the OWASP Risk Rating Methodology.*
- Based on 8 datasets from 7 firms that specialize in application security,
  including 4 consulting companies and 3 tool/SaaS vendors

*Image Source and Text: https://www.owasp.org/index.php/Top_10_2013-Risk

Comparison of 2010 and 2013 OWASP Top 10 Lists

Rank | 2010 | 2013 | What Changed
A1  | Injection | Injection | N/A
A2  | Cross-Site Scripting (XSS) | Broken Authentication and Session Management | Was 2010-A3
A3  | Broken Authentication and Session Management | Cross-Site Scripting (XSS) | Was 2010-A2
A4  | Insecure Direct Object References | Insecure Direct Object References | N/A
A5  | Cross-Site Request Forgery (CSRF) | Security Misconfiguration | Was 2010-A6
A6  | Security Misconfiguration | Sensitive Data Exposure | Merges 2010-A7 and 2010-A9
A7  | Insecure Cryptographic Storage | Missing Function Level Access Control | Expanded from 2010-A8
A8  | Failure to Restrict URL Access | Cross-Site Request Forgery (CSRF) | Was 2010-A5
A9  | Insufficient Transport Layer Protection | Using Known Vulnerable Components | Expansion from 2010-A6
A10 | Unvalidated Redirects and Forwards | Unvalidated Redirects and Forwards | N/A

Other Changes of Note

- Sensitive Data Exposure
  • Covers data in use (in browser), in transit and at rest
  • Combined into a single vulnerability to encompass the data protection lifecycle in an
    application environment
- Assess the entire cycle for data exposure
  • Classify data to understand what’s sensitive
  • Scope data protection to that data
    Ex: passwords, EHR, PII
- Don’t Forget!
  • For transport protection, SSL and TLS should be defined in requirements
  • Techniques like preventing auto-complete and disabling caching can help protect data in
    use in the browser


How Apps are Developed is Changing – and so are the Attacks

- Missing Function Level Access Control
  • Functions can be accessed in ways not limited to the URL – ex: the UI may show links or buttons that
    require login privileges
  • Or the UI hides them, but the access is still available through the server if the attacker can craft the
    correct request
- Don’t Forget!
  • Test all methods of access
  • Augment tools with manual pen testing for better coverage
  • Expanding this vulnerability highlights the importance of doing thorough testing on all methods
    of access
- Using Known Vulnerable Components
  • Previously part of “Security Misconfigurations”
  • Component based development is on the rise
  • Requires closer attention to security and testing of those components and open source modules
- Don’t Forget!
  • Forbidding use of external components may slow down development
  • Consider an approved component library
  • Re-test components, frameworks and plug-ins when new revs are released before approving them for
    use
  • Create guidance with recommended usage and configurations to prevent unintentional mis-use
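To make the Missing Function Level Access Control point concrete, here is an added example (not from the IBM slides or from AppScan) of the vulnerable pattern beside the hardened one: a minimal Python dispatcher in which the admin function is hidden from the menu for ordinary users, a hardened version that re-checks role and HTTP method on the server for every call, and a helper that walks every registered function via every method as a given role, which is the "test all methods of access" check the slide asks for. The function and role names (view_profile, admin_delete_user, user, admin) are assumed for illustration.

```python
"""Function-level access control: the server must authorize every function on
every call, whatever the UI showed or hid.  Added example, not from the slides.
Function and role names ('view_profile', 'admin_delete_user', 'user', 'admin')
are assumed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    role: str        # assumed to come from the server-side session, never from the client
    method: str      # "GET" or "POST"
    function: str    # function the request is trying to reach
    params: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


# --- Vulnerable pattern: authorization lives only in the menu rendering -------
def render_menu_vulnerable(role):
    """The UI hides the admin link from ordinary users ..."""
    items = ["view_profile"]
    if role == "admin":
        items.append("admin_delete_user")
    return items


def admin_delete_user_vulnerable(req, users):
    """... but the function itself never checks, so a crafted request reaches it."""
    users.discard(req.params["target"])
    return "deleted"


# --- Hardened pattern: a registry that records what each function requires ---
REGISTRY = {}   # function name -> (callable, allowed roles, allowed HTTP methods)


def requires_role(*roles, methods=("GET", "POST")):
    def wrap(fn):
        REGISTRY[fn.__name__] = (fn, set(roles), set(methods))
        return fn
    return wrap


@requires_role("user", "admin")
def view_profile(req, users):
    return f"profile of {req.user}"


@requires_role("admin", methods=("POST",))
def admin_delete_user(req, users):
    users.discard(req.params["target"])
    return "deleted"


def dispatch(req, users):
    """Single choke point: deny by default, check method and role on every call."""
    entry = REGISTRY.get(req.function)
    if entry is None:
        raise Forbidden(f"unknown function {req.function}")
    fn, roles, methods = entry
    if req.method not in methods or req.role not in roles:
        raise Forbidden(f"{req.role} may not call {req.function} via {req.method}")
    return fn(req, users)


def coverage_check(role, methods=("GET", "POST")):
    """Test helper for 'test all methods of access': try every registered
    function via every method as the given role and return what was reachable."""
    reachable = set()
    for name in REGISTRY:
        for method in methods:
            try:
                dispatch(Request("tester", role, method, name, {"target": "nobody"}), set())
                reachable.add(name)
            except Forbidden:
                pass
    return reachable


if __name__ == "__main__":
    users = {"alice", "bob"}
    print(render_menu_vulnerable("user"))                      # no admin link shown ...
    req = Request("mallory", "user", "POST", "admin_delete_user", {"target": "alice"})
    print(admin_delete_user_vulnerable(req, users), users)    # ... yet the delete succeeds
    try:
        dispatch(req, users)
    except Forbidden as e:
        print("hardened:", e)
    print("reachable as user:", coverage_check("user"))
```

Running coverage_check for each role against the registry is the automated half of the slide's advice; manual testing still has to cover functions that were never registered at all.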

OWASP Top Ten Mobile

OWASP Top 10 Mobile, Release Candidate v1.0

Image Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks

Example: M4 Client Side Injection

- Checking the code is a fast and accurate way to see if the application is
  handling data correctly. Code analysis tools can help a security
  analyst find the use of interpreters and trace the data flow through
  the application. Manual penetration testers can confirm these issues by
  crafting exploits that confirm the vulnerability.*

*Image Source and Text: https://www.owasp.org/index.php/Mobile_Top_10_2012-M4

Making the Most of the OWASP Top Tens

OWASP is a Great Starting Point

- But it’s not the final destination!
- Software security testing is part of a broader application security program

[Figure: application security maturity model for the Applications domain, with levels Basic, Proficient and
Optimized. Items shown: Security Intelligence (information and event management, advanced correlation and
deep analytics, external threat research), secure app engineering processes, fraud detection, glass box
scanning, static analysis, dynamic analysis]

What Works for You

“Leverage your organization’s existing strengths to do and measure what
works for you”*

- In Practice Examples
  • Companies that outsource development
    - Use the OWASP Top Ten to evaluate code before acceptance/deployment
  • Companies that develop and test in-house
    - Use OWASP for training developers
    - Or as one of the baselines during security testing
  • Education for Executives
    - To help them understand the risks and problems associated with insecure/untested software

*https://www.owasp.org/index.php/Top_10_2013

Create Your Own Top Ten Ranking the OWASP Way

- Start with the standard risk model: RISK = Likelihood × Impact
- Customize for application security and your organizational needs
  • Step 1: Identifying a Risk
  • Step 2: Factors for Estimating Likelihood
  • Step 3: Factors for Estimating Impact
  • Step 4: Determining Severity of the Risk
  • Step 5: Deciding What to Fix
  • Step 6: Customizing Your Risk Rating Model

Learn More:
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#The_OWASP_Risk_Rating_Methodology
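As an added worked example (not from the slides), the six steps coded in Python against one constructed finding: the factor names, 0-9 scales, LOW/MEDIUM/HIGH thresholds and the severity matrix follow the OWASP Risk Rating Methodology linked above, while the sample scores and the Step 6 weighting are made up for illustration.

```python
"""OWASP Risk Rating Methodology, Steps 1-6, as runnable code.
Added example, not from the slides.  Factor names, the 0-9 scales, the
LOW/MEDIUM/HIGH thresholds and the severity matrix follow the OWASP
methodology; the sample scores below are constructed for illustration."""

# Step 2 factors (threat agent, then vulnerability), each scored 0-9
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Step 3 factors, each scored 0-9
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")

# Step 4: overall severity from (impact level, likelihood level)
SEVERITY = {
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
}


def level(score):
    """Map a 0-9 average onto the methodology's bands: <3 LOW, <6 MEDIUM, else HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside the 0-9 scale")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def average(factors, names, weights=None):
    """Average the named factor scores.  `weights` is the Step 6 customization:
    an organization that cares more about, say, privacy can weight that factor."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise KeyError(f"missing factor scores: {missing}")
    for n in names:
        if not 0 <= factors[n] <= 9:
            raise ValueError(f"{n}={factors[n]} outside the 0-9 scale")
    w = {n: (weights or {}).get(n, 1) for n in names}
    return sum(w[n] * factors[n] for n in names) / sum(w.values())


def rate_risk(likelihood_factors, impact_factors, use_business_impact=True, weights=None):
    """Steps 2-4 for one risk.  The methodology prefers business impact when the
    business factors have been scored; otherwise technical impact is used."""
    likelihood = average(likelihood_factors, LIKELIHOOD_FACTORS, weights)
    if use_business_impact and all(n in impact_factors for n in BUSINESS_IMPACT):
        impact, basis = average(impact_factors, BUSINESS_IMPACT, weights), "business"
    else:
        impact, basis = average(impact_factors, TECHNICAL_IMPACT, weights), "technical"
    return {
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "impact": impact, "impact_level": level(impact), "impact_basis": basis,
        "severity": SEVERITY[(level(impact), level(likelihood))],
    }


def rank_findings(findings, weights=None):
    """Step 5: order (name, likelihood_factors, impact_factors) triples so the
    most severe findings are fixed first; ties broken by raw likelihood, then impact."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Note": 4}
    rated = [(name, rate_risk(lf, imf, weights=weights)) for name, lf, imf in findings]
    return sorted(rated, key=lambda r: (order[r[1]["severity"]],
                                        -r[1]["likelihood"], -r[1]["impact"]))


# Step 1: a constructed finding to rate (scores are made up)
SAMPLE_LIKELIHOOD = {
    "skill_level": 6, "motive": 9, "opportunity": 7, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9, "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 3, "reputation_damage": 4,
    "non_compliance": 5, "privacy_violation": 7,
}

if __name__ == "__main__":
    print(rate_risk(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))                             # High
    print(rate_risk(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT, use_business_impact=False))  # Critical
```

The same finding rates High on business impact and Critical on technical impact, which is why the methodology asks you to decide up front which impact basis your program ranks by.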

How IBM Security AppScan can Help

Application Security: The Source of Security Protection

1. Web application vulnerabilities dominate the enterprise threat landscape
2. Mobile Application Attacks are Increasing Rapidly
3. Vulnerabilities spread through a wide variety of applications
   (internal development / external in use without code)
4. Common questions: where are your vulnerabilities and how to validate the risk?
5. Many clients still do not understand the need for Application Security in their environment

Gartner has recognized IBM as a leader in the Magic Quadrant for
Application Security Testing (AST)

Magic Quadrant for Application Security Testing
Neil MacDonald, Joseph Feiman
July 2, 2013

“The market for application security testing is changing rapidly. Technology
trends, such as mobile applications, advanced Web applications and
dynamic languages, are forcing the need to combine dynamic and static
testing capabilities, which is reshaping the overall market.”

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research
note and should be evaluated in the context of the entire report. The link to the Gartner report
is available upon request from IBM.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the
highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all
warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Adopt a Secure by Design approach to enable you to design, deliver
and manage smarter software and services

- Build security into your application development process
- Efficiently and effectively address security defects before deployment
- Collaborate effectively between Security and Development
- Provide Management visibility

Deliver New Services Faster – Innovate Securely – Reduce Costs

Proactively address vulnerabilities early in the development process

Finding more vulnerabilities using advanced techniques

Static Analysis
- Analyze Source Code
- Use during development
- Uses Taint Analysis / Pattern Matching

Dynamic Analysis
- Analyze Live Web Application
- Use during testing
- Uses HTTP tampering

Hybrid Analysis
- Correlate Dynamic and Static results
- Assists remediation by identification of line of code

Run-Time Analysis
- Combines Dynamic Analysis with run-time agent
- More results, better accuracy

Client-Side Analysis
- Analyze downloaded JavaScript code which runs in client
- Unique in the industry

[Figure: the techniques above shown as overlapping portions of the Total Potential Security Issues]

The IBM Security AppScan Solution

AppScan Enterprise Server
- Governance -- Collaboration -- Security Intelligence -- Correlation

Source for Analysis
- Configure Software
- Scan
- Triage Results
- Manage Security Policies

Source for Automation
- Build integration
- Automate Scans
- ANT, Make, Maven integration
- Data Access API

Source for Development
- Investigate Flaws
- Remediate with Guidance
- IDE Scan
- Confirm Fix

Source for Remediation
- Non-scanning IDE plugin

AppScan Standard (Penetration Testing)
- Desktop solution for security consultants and in-house security testers
- Combines advanced security testing with ease of use
- DAST with advanced hybrid technology included (JavaScript Analyzer & new Glass box)

Remediation Assistance
- Vulnerability Found Details
- Explanation of Vulnerability
- Fix Recommendation

Enterprise Dashboards – Measure Progress
- Compare the number of issues across teams and applications
- Identify top security issues and risks
- View trending of the number of issues by severity over time
- Monitor the progress of issue resolution

Bridging the Security/Development Gap

Break down organizational silos
- Security experts establish security testing policies
- Development teams test early in the cycle

Provide Management Visibility
- Dashboard of application risk
- Enable compliance with regulation-specific reporting
- Treat vulnerabilities as development defects

“… we wanted to go to a multiuser web-based solution
that enabled us to do concurrent scans and provide our
customers with a web-based portal for accessing and
sharing information on identified issues.”
Alex Jalso, Asst Dir, Office of InfoSecurity, WVU

[Figure: “Enables Collaboration” between the Developer, Architect, Quality Professional and Security Auditor roles]

AppScan Enterprise – OWASP Top Ten 2013 Reporting

Under NDA until date of announce

AppScan Source – 100% coverage of OWASP Mobile Top Ten

OWASP TOP 10 | IBM Security AppScan Coverage
1. Insecure Data Storage | Trace routes of sensitive data
2. Weak Server Side Controls | Security scanning of server side code
3. Insufficient Transport Layer Protection | Check for use of SSL/TLS
4. Client Side Injection | Checks for common injection flaws including SQLi, HTMLi, and XSS
5. Poor Authentication and Authorization | Track where IDs and Passwords enter/exit the system
6. Improper Session Handling | Verify UUID is not used for session management
7. Security Decisions via Untrusted Inputs | Track where data originates and how it is used
8. Side Channel Data Leakage | Test for data leakage to log files, pasteboard, property lists, etc.
9. Broken Cryptography | Identify proper usage of cryptography
10. Sensitive Information Disclosure | Test for data leakage to peripherals, network, sockets, etc.

Wrap-Up!

- X-Force is IBM’s leading research and attack insights from today’s
  security threat landscape
  • Stay ahead of the threat, know what attackers are doing
- OWASP and the OWASP Top Ten
  • Industry accepted rankings of the most critical web and mobile software vulnerabilities
  • Use these to help inform and mature your software security programs
- IBM Security AppScan can be a critical part of that program
  • Test for the high severity vulnerabilities
  • Prioritize fixes
  • Help developers remediate existing problems and learn how to code to prevent new
    ones
  • Run reports for auditors and assessors


ibm.com/security

White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docx
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Key Strategies to Address Rising Application Risk in Your Enterprise
Key Strategies to Address Rising Application Risk in Your EnterpriseKey Strategies to Address Rising Application Risk in Your Enterprise
Key Strategies to Address Rising Application Risk in Your Enterprise
 
OWASP Top Ten 2013
OWASP Top Ten 2013OWASP Top Ten 2013
OWASP Top Ten 2013
 
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should Know
 
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITWHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
 
Mojave Networks Webinar: A Three-Pronged Approach to Mobile Security
Mojave Networks Webinar: A Three-Pronged Approach to Mobile SecurityMojave Networks Webinar: A Three-Pronged Approach to Mobile Security
Mojave Networks Webinar: A Three-Pronged Approach to Mobile Security
 

Plus de IBM Security

Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsIBM Security
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...IBM Security
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...IBM Security
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIBM Security
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...IBM Security
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...IBM Security
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackIBM Security
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationIBM Security
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?IBM Security
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceIBM Security
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...IBM Security
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...IBM Security
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...IBM Security
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowIBM Security
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsIBM Security
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020IBM Security
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityIBM Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident ResponseIBM Security
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats IBM Security
 

Plus de IBM Security (20)

Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM Resilient
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon Black
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security Operations
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident Response
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
 

Dernier

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Dernier (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec

9. Who Uses the OWASP Top Ten?

• Standards and Practices
  • U.S. Federal Trade Commission recommends that companies use the OWASP Top Ten to help prioritize efforts when addressing software risks
    http://www.business.ftc.gov/documents/bus58-security-check-reducing-risks-your-computer-systems
  • PCI DSS 3.0 Requirement 6.5 references it for industry best practices and common coding vulnerabilities
    https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
• End User Companies Including
  • A.G. Edwards, CitiBank, IBM Global Services, Price Waterhouse Coopers, Samsung, The Hartford
    https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=How_Are_Companies-ProjectsVendors_Using_the_OWASP_Top_10
• Application Security Testing Vendors
  • Ex: for compliance reporting in testing tools (spoiler alert: IBM!)
10. OWASP Top Ten Web
11. How the Ranking is Done

• "The OWASP Top 10 focuses on identifying the most serious risks for a broad array of organizations. OWASP provides generic information about likelihood and technical impact using this ratings scheme, which is based on the OWASP Risk Rating Methodology."*
• Based on 8 datasets from 7 firms that specialize in application security, including 4 consulting companies and 3 tool/SaaS vendors

*Image Source and Text: https://www.owasp.org/index.php/Top_10_2013-Risk
12. Comparison of 2010 and 2013 OWASP Top 10 Lists

       2010                                          2013                                          What Changed
  A1   Injection                                     Injection                                     N/A
  A2   Cross-Site Scripting (XSS)                    Broken Authentication and Session Management  Was 2010-A3
  A3   Broken Authentication and Session Management  Cross-Site Scripting (XSS)                    Was 2010-A2
  A4   Insecure Direct Object References             Insecure Direct Object References             N/A
  A5   Cross-Site Request Forgery (CSRF)             Security Misconfiguration                     Was 2010-A6
  A6   Security Misconfiguration                     Sensitive Data Exposure                       Merges 2010-A7 and 2010-A9
  A7   Insecure Cryptographic Storage                Missing Function Level Access Control         Expanded from 2010-A8
  A8   Failure to Restrict URL Access                Cross-Site Request Forgery (CSRF)             Was 2010-A5
  A9   Insufficient Transport Layer Protection       Using Known Vulnerable Components             Expansion from 2010-A6
  A10  Unvalidated Redirects and Forwards            Unvalidated Redirects and Forwards            N/A
13. Other Changes of Note

• Sensitive Data Exposure
  • Covers data in use (in the browser), in transit and at rest
  • Combined into a single risk to encompass the data protection lifecycle in an application environment
• Assess the entire cycle for data exposure
  • Classify data to understand what's sensitive
  • Scope data protection to that data
    • Ex: passwords, EHR (electronic health records), PII
• Don't Forget!
  • For transport protection, the required protocol and versions (TLS; SSL is legacy) should be defined in requirements, not left to whatever the server happens to negotiate
  • Techniques like preventing auto-complete and disabling caching can help protect data in use in the browser
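The two browser-side controls named above (disable caching, opt password fields out of auto-complete) are easy to state and easy to forget on one of a hundred responses, so they are worth enforcing and auditing in code. The following is an added example, not code from the IBM deck or from AppScan: `sensitive_response_headers` applies the standard HTTP no-caching headers to a response, and `audit_response` flags a response that is cacheable, served in cleartext, or carries a password field without `autocomplete="off"`. The header values follow the HTTP Cache-Control semantics; the audit rules and the sample login page are this example's own constructions.

```python
import re

# Added example (not from the IBM deck): controls for sensitive data
# "in use" in the browser. Header values are standard HTTP; the audit
# rules and sample page below are constructed for this example.

NO_STORE_HEADERS = {
    # no-store stops browsers and shared caches from persisting the body;
    # Pragma/Expires cover HTTP/1.0 caches and older proxies.
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}

PASSWORD_INPUT = re.compile(r"<input\b[^>]*\btype=[\"']password[\"'][^>]*>", re.I)


def sensitive_response_headers(headers=None):
    """Return a copy of the response headers with caching disabled.

    Call this for any response that carries classified data (passwords,
    health records, PII) so the page is not left in the browser cache.
    """
    out = dict(headers or {})
    out.update(NO_STORE_HEADERS)
    return out


def audit_response(headers, body, over_tls):
    """Flag data-exposure weaknesses in one HTTP response.

    Returns a list of finding strings; an empty list means no finding.
    """
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    cache_control = lowered.get("cache-control", "").lower()
    if "no-store" not in cache_control:
        findings.append("response is cacheable (Cache-Control lacks no-store)")
    if not over_tls:
        findings.append("sensitive data sent in cleartext (no TLS)")
    for tag in PASSWORD_INPUT.findall(body):
        if re.search(r"\bautocomplete=[\"']off[\"']", tag, re.I) is None:
            findings.append("password field does not set autocomplete=off")
    return findings


if __name__ == "__main__":
    # Constructed sample: a login page served without any cache controls.
    login_page = '<form><input type="password" name="pw"></form>'
    print(audit_response({"Content-Type": "text/html"}, login_page, over_tls=False))
    hardened = login_page.replace('name="pw"', 'name="pw" autocomplete="off"')
    print(audit_response(sensitive_response_headers(), hardened, over_tls=True))
```

One caveat: current browsers ignore `autocomplete="off"` for their built-in password managers, so treat that control as defense in depth; the controls that actually decide whether the data is exposed are the classification step, TLS on the wire and `no-store` on the response.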
14. How Apps are Developed is Changing, and So are the Attacks

• Missing Function Level Access Control
  • Functions can be accessed in ways not limited to the URL; ex: the UI shows links or buttons only to users with the required login privileges, or hides them entirely, but the function is still reachable on the server if the attacker crafts the correct request
  • Expanding this risk highlights the importance of thorough testing of all methods of access
  • Don't Forget!
    • Test all methods of access
    • Augment tools with manual pen testing for better coverage
• Using Known Vulnerable Components
  • Previously part of "Security Misconfiguration"
  • Component-based development is on the rise
  • Requires closer attention to security and testing of those components and open source modules
  • Don't Forget!
    • Forbidding use of external components may slow down development
    • Consider an approved component library
    • Re-test components, frameworks and plug-ins when new revs are released, before approving them for use
    • Create guidance with recommended usage and configurations to prevent unintentional misuse
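The Missing Function Level Access Control point above is best seen side by side: a handler that trusts the UI to hide the button, next to a router that re-checks the caller's role for every function. This is an added example, not code from the IBM deck; the routes, session store and role names are hypothetical. `delete_user_vulnerable` is the "before" (any logged-in user who crafts the request succeeds); `dispatch` is the "after", a deny-by-default router where each function declares the role it needs, so the check runs whether the call comes from a visible link, a hidden button, a hand-crafted request or an API client.

```python
# Added example (not from the IBM deck): missing function level access
# control. All routes, sessions and role names are hypothetical.


class Forbidden(Exception):
    """Raised when a caller is not allowed to invoke a function."""


ADMIN = "admin"

# Constructed session store: bearer token -> authenticated user.
SESSIONS = {
    "tok-alice": {"user": "alice", "roles": {"user"}},
    "tok-bob": {"user": "bob", "roles": {"user", ADMIN}},
}


def delete_user_vulnerable(token, target):
    """Before: the UI hides the 'Delete user' button from non-admins, but
    the server only checks that *some* session exists. Anyone who crafts
    the request (e.g. POST /admin/deleteUser) can call it."""
    if token not in SESSIONS:
        raise Forbidden("not authenticated")
    return f"deleted {target}"


def delete_user(session, target):
    """After: handler receives a session the router has already authorized."""
    return f"{session['user']} deleted {target}"


def list_notes(session):
    return f"notes for {session['user']}"


# Every function declares the role it requires; None means any logged-in user.
ROUTES = {
    "/notes": (None, list_notes),
    "/admin/deleteUser": (ADMIN, delete_user),
}


def dispatch(path, token, **params):
    """Central, deny-by-default function level access check.

    The check lives in the router, so a new handler cannot be exposed
    without stating who may call it, and it runs for every access path.
    """
    if path not in ROUTES:
        raise Forbidden("unknown function")
    required_role, handler = ROUTES[path]
    session = SESSIONS.get(token)
    if session is None:
        raise Forbidden("not authenticated")
    if required_role is not None and required_role not in session["roles"]:
        raise Forbidden(f"{session['user']} lacks role {required_role}")
    return handler(session, **params)


def forbidden(path, token, **params):
    """Test helper: True if dispatch denies the call."""
    try:
        dispatch(path, token, **params)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # alice is not an admin; the hidden-button "control" does not stop her.
    print(delete_user_vulnerable("tok-alice", "carol"))
    print(forbidden("/admin/deleteUser", "tok-alice", target="carol"))
```

The test the slide asks for ("test all methods of access") is the same call made with a low-privilege session against every route the UI does not show that user; if the router pattern is used, that test is one loop over `ROUTES`.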
15. OWASP Top Ten Mobile
16. OWASP Top 10 Mobile, Release Candidate v1.0

Image Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
17. Example: M4 Client Side Injection

• "Checking the code is a fast and accurate way to see if the application is handling data correctly. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Manual penetration testers can confirm these issues by crafting exploits that confirm the vulnerability."*

*Image Source and Text: https://www.owasp.org/index.php/Mobile_Top_10_2012-M4
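The OWASP text above talks about finding the interpreter and tracing data to it; the most common interpreter on a phone is the app's own SQLite store. The following is an added example, not code from the OWASP page or the IBM deck: an in-memory stand-in for an on-device notes database, a search function that concatenates the UI's search term into SQL, and the parameterized version. The schema, rows and the injected term are constructed for this example. The same separation of code from data applies to the other client-side interpreters (WebView JavaScript, intents, local file paths) that a code analysis tool would flag.

```python
import sqlite3

# Added example (not from the OWASP page or the IBM deck): M4 client side
# injection against a mobile app's local SQLite store. Schema, rows and
# the search functions are constructed for this example.


def open_notes_db():
    """In-memory stand-in for the app's on-device SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO notes (owner, body, private) VALUES (?, ?, ?)",
        [
            ("alice", "grocery list", 0),
            ("alice", "bank PIN 4321", 1),   # private: must never reach the search UI
            ("bob", "shared meeting notes", 0),
        ],
    )
    return conn


def search_vulnerable(conn, owner, term):
    """Before: the search term typed in the UI is concatenated into SQL.

    Intended query: the caller's own, non-private notes containing term.
    """
    sql = (
        f"SELECT body FROM notes WHERE owner = '{owner}' "
        f"AND private = 0 AND body LIKE '%{term}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, owner, term):
    """After: the interpreter receives the statement and the data separately."""
    sql = "SELECT body FROM notes WHERE owner = ? AND private = 0 AND body LIKE ?"
    return [row[0] for row in conn.execute(sql, (owner, "%" + term + "%"))]


# A term that closes the LIKE literal and comments out the rest of the WHERE,
# turning the query into: ... AND body LIKE '%' OR 1=1 --%'
INJECTED_TERM = "' OR 1=1 --"

if __name__ == "__main__":
    db = open_notes_db()
    print(search_vulnerable(db, "alice", INJECTED_TERM))   # every row, including the private one
    print(search_fixed(db, "alice", INJECTED_TERM))        # no rows: the term is just data
```

This is the "crafting exploits that confirm the vulnerability" step from the quoted text: the injected term returns another user's notes and the private row, which the parameterized version cannot be made to do.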
18. Making the Most of the OWASP Top Tens
19. OWASP is a Great Starting Point

• But it's not the final destination!
• Software security testing is part of a broader application security program

[Figure: application security maturity levels, from the bottom up]
  Basic: Applications
  Proficient: Glass box scanning, Static analysis, Dynamic analysis
  Optimized: Secure app engineering processes, Fraud detection
  Security Intelligence: Information and event management, Advanced correlation and deep analytics, External threat research
20. What Works for You

"Leverage your organization's existing strengths to do and measure what works for you"*

• In Practice Examples
  • Companies that outsource development
    • Use the OWASP Top Ten to evaluate code before acceptance/deployment
  • Companies that develop and test in-house
    • Use OWASP for training developers
    • Or as one of the baselines during security testing
  • Education for Executives
    • To help them understand the risks and problems associated with insecure/untested software

*https://www.owasp.org/index.php/Top_10_2013
21. Create Your Own Top Ten: Ranking the OWASP Way

• Start with the standard risk model: Risk = Likelihood x Impact
• Customize for application security and your organizational needs
  • Step 1: Identifying a Risk
  • Step 2: Factors for Estimating Likelihood
  • Step 3: Factors for Estimating Impact
  • Step 4: Determining Severity of the Risk
  • Step 5: Deciding What to Fix
  • Step 6: Customizing Your Risk Rating Model
• Learn More: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#The_OWASP_Risk_Rating_Methodology
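The six steps above, and the rating scheme the Top Ten itself is built on (slide 11), come down to a small calculation that is worth seeing once end to end. The following is an added example, not code from the IBM deck or the OWASP page: each of the eight likelihood factors and eight impact factors is scored 0 to 9, the two averages are banded LOW (below 3), MEDIUM (3 to below 6) and HIGH (6 and up), and the OWASP severity matrix turns the two bands into Note / Low / Medium / High / Critical. The factor names, bands and matrix follow the OWASP Risk Rating Methodology; the three sample findings and their scores are constructed, the optional per-factor weights are one way to do Step 6, and ordering findings within the same severity band by likelihood x impact is this example's own tie-break, not part of the methodology.

```python
# Added example (not from the IBM deck or the OWASP page): a worked OWASP
# Risk Rating. Factor names, 0-9 scale, bands and severity matrix follow
# the OWASP Risk Rating Methodology; the findings below are constructed,
# and the tie-break inside a band is this example's own choice.

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity: SEVERITY[impact_band][likelihood_band]
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Note": 0}


def level(score):
    """Map a 0-9 average to the OWASP band."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def weighted_average(scores, factors, weights=None):
    """Average the factor scores; per-factor weights support Step 6."""
    weights = weights or {}
    total = sum(weights.get(f, 1.0) * scores[f] for f in factors)
    return total / sum(weights.get(f, 1.0) for f in factors)


def rate(finding, weights=None):
    """Steps 2-4: estimate likelihood, impact and overall severity."""
    likelihood = weighted_average(finding["likelihood"], LIKELIHOOD_FACTORS, weights)
    impact = weighted_average(finding["impact"], IMPACT_FACTORS, weights)
    return {
        "name": finding["name"],
        "likelihood": likelihood,
        "impact": impact,
        "severity": SEVERITY[level(impact)][level(likelihood)],
    }


def rank(findings, weights=None):
    """Step 5: order by severity band, then by likelihood x impact (own tie-break)."""
    rated = [rate(f, weights) for f in findings]
    key = lambda r: (SEVERITY_ORDER[r["severity"]], r["likelihood"] * r["impact"])
    return sorted(rated, key=key, reverse=True)


def _scores(factors, values):
    return dict(zip(factors, values))


# Constructed sample findings for one hypothetical application.
FINDINGS = [
    {"name": "SQL injection in login form",
     "likelihood": _scores(LIKELIHOOD_FACTORS, (5, 9, 9, 9, 7, 9, 9, 8)),
     "impact": _scores(IMPACT_FACTORS, (9, 7, 5, 7, 7, 9, 7, 7))},
    {"name": "Stack trace in error page",
     "likelihood": _scores(LIKELIHOOD_FACTORS, (3, 4, 7, 9, 7, 9, 9, 3)),
     "impact": _scores(IMPACT_FACTORS, (2, 1, 1, 1, 1, 2, 2, 3))},
    {"name": "Weak password policy on internal tool",
     "likelihood": _scores(LIKELIHOOD_FACTORS, (3, 4, 4, 2, 3, 5, 6, 3)),
     "impact": _scores(IMPACT_FACTORS, (6, 3, 1, 5, 3, 4, 2, 5))},
]

if __name__ == "__main__":
    for r in rank(FINDINGS):
        print(f"{r['severity']:8} L={r['likelihood']:.2f} I={r['impact']:.2f}  {r['name']}")
```

Two things the numbers show that the slide's step list does not: a finding with HIGH likelihood but LOW impact (the stack trace) lands at Medium, below a MEDIUM/MEDIUM finding once the tie-break is applied, and raising the weight of a single factor such as confidentiality (Step 6) changes the impact average without touching the matrix, which is how an organization makes "its own" Top Ten while keeping the OWASP scale.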
22. How IBM Security AppScan can Help
• 23. Application Security: The Source of Security Protection
1. Web application vulnerabilities dominate the enterprise threat landscape
2. Many clients still do not understand the need for Application Security in their environment
3. Mobile Application Attacks are Increasing Rapidly
4. Vulnerabilities spread through a wide variety of applications (internal development / external in use without code)
5. Common questions: where are your vulnerabilities and how to validate the risk?
• 24. Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)
Magic Quadrant for Application Security Testing, Neil MacDonald, Joseph Feiman, July 2, 2013
“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
• 25. Adopt a Secure by Design approach to enable you to design, deliver and manage smarter software and services
 Build security into your application development process
 Efficiently and effectively address security defects before deployment
 Collaborate effectively between Security and Development
 Provide Management visibility
 Proactively address vulnerabilities early in the development process
[Diagram: Deliver New Services Faster; Innovate Securely; Reduce Costs]
• 26. Finding more vulnerabilities using advanced techniques
Static Analysis
- Analyze Source Code
- Use during development
- Uses Taint Analysis / Pattern Matching
Dynamic Analysis
- Analyze Live Web Application
- Use during testing
- Uses HTTP tampering
Hybrid Analysis
- Correlate Dynamic and Static results
- Assists remediation by identification of line of code
Run-Time Analysis
- Combines Dynamic Analysis with run-time agent
- More results, better accuracy
Client-Side Analysis
- Analyze downloaded JavaScript code which runs in the client
- Unique in the industry
[Diagram: the techniques shown as overlapping coverage of the Total Potential Security Issues in Applications]
• 27. The IBM Security AppScan Solution
AppScan Enterprise Server: Governance -- Collaboration -- Security Intelligence -- Correlation
Source for Analysis
• Configure Software
• Scan
• Triage Results
• Manage Security Policies
Source for Automation
• Build integration
• Automate Scans
• ANT, Make, Maven integration
• Data Access API
Source for Development
• Investigate Flaws
• Remediate with Guidance
• IDE Scan
• Confirm Fix
Source for Remediation
• Non-scanning IDE plugin
Penetration Testing: AppScan Standard
 Desktop solution for security consultants and in-house security testers
 Combines advanced security testing with ease of use
 DAST with advanced hybrid technology included (JavaScript Analyzer & new Glass box)
• 28. Remediation Assistance
 Vulnerability Found Details
 Explanation of Vulnerability
 Fix Recommendation
• 29. Enterprise Dashboards – Measure Progress
 Compare the number of issues across teams and applications
 Identify top security issues and risks
 View trending of the number of issues by severity over time
 Monitor the progress of issue resolution
• 30. Bridging the Security/Development gap
Break down organizational silos
 Security experts establish security testing policies
 Development teams test early in the cycle
Provide Management Visibility
 Dashboard of application risk
 Enable compliance with regulation-specific reporting
 Treat vulnerabilities as development defects
“… we wanted to go to a multiuser web-based solution that enabled us to do concurrent scans and provide our customers with a web-based portal for accessing and sharing information on identified issues.” Alex Jalso, Asst Dir, Office of InfoSecurity, WVU
[Diagram: Enables Collaboration among Developer, Architect, Quality Professional and Security Auditor]
• 31. AppScan Enterprise – OWASP Top Ten 2013 Reporting
• 32. (Under NDA until date of announce) AppScan Source - 100% coverage of OWASP Mobile Top Ten
OWASP Mobile Top 10 and the corresponding IBM Security AppScan coverage:
 1. Insecure Data Storage: Trace routes of sensitive data
 2. Weak Server Side Controls: Security scanning of server side code
 3. Insufficient Transport Layer Protection: Check for use of SSL/TLS
 4. Client Side Injection: Checks for common injection flaws including SQLi, HTMLi, and XSS
 5. Poor Authentication and Authorization: Track where IDs and Passwords enter/exit the system
 6. Improper Session Handling: Verify UUID is not used for session management
 7. Security Decisions via Untrusted Inputs: Track where data originates and how it is used
 8. Side Channel Data Leakage: Test for data leakage to log files, pasteboard, property lists, etc.
 9. Broken Cryptography: Identify proper cryptographic usage
 10. Sensitive Information Disclosure: Test for data leakage to peripherals, network, sockets, etc.
• 33. Wrap-Up!
 X-Force: IBM’s leading research and attack insights from today’s security threat landscape
 Stay ahead of the threat, know what attackers are doing
 OWASP and the OWASP Top Ten
 Industry accepted rankings of the most critical web and mobile software vulnerabilities
 Use these to help inform and mature your software security programs
 IBM Security AppScan can be a critical part of that program
 Test for the high severity vulnerabilities
 Prioritize fixes
 Help developers remediate existing problems and learn how to code to prevent new ones
 Run reports for auditors and assessors