Improving Web Application Security, Part-II –
Threat Modeling
KANGKAN GOSWAMI
Agenda
Steps to decompose an application architecture to discover vulnerabilities
How to identify and document threats that are relevant to the application
CORPORATE PRESENTATION
Slide 2
Threat Modeling Principles
The Process
•Identify assets.
•Create an architecture overview.
•Decompose the application.
•Identify the threats.
•Document the threats.
•Rate the threats.
The Output
Threat Modeling Process
Step 1. Identify Assets
Identify the assets that we need to protect.
These could range from confidential data, such as a customer or orders database, to the Web pages or Web site availability.
Threat Modeling Process
Step 2. Create an Architecture Overview
Identify what the application does.
Create an architecture diagram.
Identify the technologies.
Threat Modeling Process
Step 3. Decompose the Application
Identify trust boundaries.
Identify data flow.
Identify entry points.
Identify privileged code.
Document the security profile.
Threat Modeling Process
Step 4. Identify the Threats
Identify network threats.
Identify host threats.
Identify application threats.
Threat Modeling Process
Step 5. Document the Threats
Documenting the threats
Document target
Document Risk
Document Attack Technique
Document Countermeasure
Threat Modeling Process
Step 6. Rate the Threats
Estimate the probability.
Estimate the damage potential.
Estimate the risk (Risk = Probability * Damage Potential).
Scale them: HIGH, MEDIUM, LOW.
Prioritize using the DREAD model.
Recalculate the risk rating.
Creating Architecture Overview
Identify what the application does.
Create an architecture diagram.
Identify the technologies.
Creating Architecture Overview
Identify what the application does.
Identify what the application does and how it uses and accesses assets.
Document use cases to help the team understand how the application is supposed to be used.
This also helps to work out how it can be misused.
Creating Architecture Overview
Create an architecture diagram.
Create a high-level architecture diagram.
It should describe the composition and structure of the application.
It should include its subsystems as well as its physical deployment characteristics.
Creating architecture diagram
Create an architecture diagram.
Start with a rough diagram that conveys the composition and structure of the application and its subsystems together with its deployment characteristics.
Evolve the diagram by adding details about the trust boundaries, authentication, and authorization mechanisms.
Creating Architecture Overview
Identify the technologies.
Identify the distinct technologies that are used to implement the solution.
This helps to focus on technology-specific threats later in the process.
It also helps to determine the correct and most appropriate mitigation techniques.
Identify the technologies
Document the technologies using a table:
Technology/Platform: Implementation Details
Microsoft SQL Server on Microsoft Windows Advanced Server 2000: Includes logins, database users, user-defined database roles, tables, stored procedures, views, constraints, and triggers.
Microsoft .NET Framework: Used for Forms authentication.
Secure Sockets Layer (SSL): Used to encrypt HTTP traffic.
Decomposing the Application
Identify trust boundaries.
Identify data flow.
Identify entry points.
Identify privileged code.
Document the security profile.
Identify trust boundaries
Identify the trust boundaries that surround each of the tangible assets of the application.
For each subsystem, consider how the data flows and input can be authenticated and authorized.
Also consider how the calling code can be authenticated and authorized.
Start by analyzing trust boundaries from a code perspective.
Also consider server trust relationships.
Identify data flow
Start at the highest level and then iteratively decompose the application by analyzing the data flow between individual subsystems.
Data flow across trust boundaries is particularly important.
Data from outside a subsystem's own trust boundary should be assumed to be malicious, and the receiving code should perform thorough validation of that data.
Data flow diagrams (DFDs) and sequence diagrams can help with the formal decomposition of a system.
Identify entry points
The entry points of the application also serve as entry points for attacks.
Determine the types of gatekeepers that provide authorization and the degree of validation.
Logical entry points include UI (Web pages), service interfaces (Web services), serviced components, .NET Remoting components, and message queues (asynchronous entry points).
Physical or platform entry points include ports and sockets.
Identify privileged code
Privileged code accesses specific types of secure resources (DNS servers, directory services) and performs other privileged operations.
Privileged code must be granted the appropriate code access security permissions.
Document the security profile
Identify the approaches used for input validation, authentication, authorization, configuration management, and the remaining areas where applications are most susceptible.
Consider the next table as a sample.
Document the security profile
Category: Considerations
Input validation:
  Is all input data validated?
  Could an attacker inject commands or malicious data into the application?
  Is data validated as it is passed between separate trust boundaries (by the recipient entry point)?
  Can data in the database be trusted?
Authentication:
  Are credentials secured if they are passed over the network?
  Are strong account policies used?
  Are strong passwords enforced?
  Are you using certificates?
  Are password verifiers (using one-way hashes) used for user passwords?
Refer to the book for the remaining categories.
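The decomposition steps above (trust boundaries, data flow, entry points, security profile) as a small runnable model. This is an added example, not code from the deck or the Microsoft guide; the elements, trust zones and flows in build_sample are constructed for illustration.

```python
"""Decompose an application into trust zones, data flows and entry points,
then list the flows that cross a trust boundary: the ones the slides say the
recipient must treat as untrusted and validate. The element names, zones and
flows below are constructed for this example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone the element lives in, e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    channel: str     # transport, e.g. "https", "http", "tds"
    encrypted: bool  # whether the channel protects the data in transit


@dataclass
class Model:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, *elems):
        for e in elems:
            self.elements[e.name] = e

    def flow(self, src, dst, data, channel, encrypted):
        # Refuse flows to or from elements that were never declared: a DFD
        # with dangling endpoints hides a trust boundary instead of showing it.
        for name in (src, dst):
            if name not in self.elements:
                raise KeyError(f"undeclared element in flow: {name}")
        self.flows.append(Flow(src, dst, data, channel, encrypted))

    def zone(self, name):
        return self.elements[name].zone

    def crosses_boundary(self, f):
        return self.zone(f.src) != self.zone(f.dst)


def boundary_crossings(m):
    """Flows whose source and destination sit in different trust zones."""
    return [f for f in m.flows if m.crosses_boundary(f)]


def entry_points(m):
    """Elements that receive data across a trust boundary. Each one needs a
    gatekeeper (authentication, authorization) and input validation."""
    return sorted({f.dst for f in boundary_crossings(m)})


def security_profile(m):
    """One row per boundary crossing, in the shape of the security profile
    table: who must validate, and whether the channel is encrypted."""
    rows = []
    for f in boundary_crossings(m):
        rows.append({
            "flow": f"{f.src} -> {f.dst}",
            "data": f.data,
            "boundary": f"{m.zone(f.src)} -> {m.zone(f.dst)}",
            "validated_by": f.dst,   # the recipient entry point validates
            "channel": f.channel,
            "encrypted": f.encrypted,
        })
    return rows


def clear_text_crossings(m):
    """Boundary crossings over an unencrypted channel: candidates for the
    eavesdropping and session-hijacking network threats."""
    return [r["flow"] for r in security_profile(m) if not r["encrypted"]]


def build_sample():
    # Constructed sample: a three-tier Web application plus an admin console.
    m = Model()
    m.add(Element("Browser", "external", "internet"),
          Element("Web App", "process", "dmz"),
          Element("Page Cache", "store", "dmz"),
          Element("SQL Server", "store", "internal"),
          Element("Admin Console", "external", "corp"))
    m.flow("Browser", "Web App", "login form", "https", True)
    m.flow("Web App", "Page Cache", "rendered pages", "in-process", True)
    m.flow("Web App", "SQL Server", "parameterized query", "tds", True)
    m.flow("SQL Server", "Web App", "query results", "tds", True)
    m.flow("Admin Console", "Web App", "configuration changes", "http", False)
    return m


if __name__ == "__main__":
    model = build_sample()
    for row in security_profile(model):
        print(row)
    print("entry points:", entry_points(model))
    print("clear-text crossings:", clear_text_crossings(model))
```

Note that the query results flowing back from SQL Server also cross a boundary, which is why the profile lists the Web App as having to validate database data ("Can data in the database be trusted?").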
Identify the Threats
Use STRIDE to identify threats.
◦ Refer to the STRIDE model.
Use categorized threat lists.
◦ Start with a laundry list of common threats grouped by network, host, and application categories.
◦ Apply the threat list to the application architecture and any vulnerabilities it exposes.
Identify Network Threats
Look for security mechanisms that rely on the IP address of the sender (IP spoofing is easy).
Look for the possibility of passing session identifiers or cookies over unencrypted network channels (session hijacking).
Look for the possibility of passing clear text credentials or other sensitive data over unencrypted communication channels (eavesdropping).
You must also ensure that your network is not vulnerable to threats arising from insecure device and server configuration.
Identify Host Threats
Unpatched servers can be exploited by viruses, Trojan horses, worms, and IIS attacks.
Using nonessential ports, protocols, and services increases the attack profile and enables attackers to gather information about and exploit the environment.
Unauthenticated anonymous access.
Weak passwords and account policies that lead to password cracking, identity spoofing, and denial of service attacks if accounts can be locked out deliberately.
Identify Application Threats
Poor input validation leads to cross-site scripting (XSS), SQL injection, and buffer overflow attacks.
Passing credentials or authentication cookies over unencrypted network links can lead to credential capture or session hijacking.
Weak password and account policies can lead to unauthorized access.
Failing to secure the configuration management aspects of your application, including administration interfaces.
Identify Application Threats
Storing configuration secrets, such as connection strings and service account credentials, in clear text.
Using over-privileged process and service accounts.
Using insecure data access coding techniques, which can increase the threat posed by SQL injection.
Using weak or custom encryption and failing to adequately secure encryption keys.
Identify Application Threats
Relying on the integrity of parameters that are passed from the Web browser, for example, form fields, query strings, cookie data, and HTTP headers.
Using insecure exception handling, which can lead to denial of service attacks and the disclosure of system-level details that are useful to an attacker.
Doing inadequate auditing and logging, which can lead to repudiation threats.
Identify the Threats
Using Attack Trees and Attack Patterns
◦ An attack tree is a way of collecting and documenting the potential attacks on the system in a structured and hierarchical manner.
◦ By creating attack trees, we create a reusable representation of security issues that helps focus efforts.
◦ Create test plans to validate the security design.
◦ Attack patterns are a formalized approach to capturing attack information in the enterprise.
Identify the Threats
Document the Threats
◦ Use a template that shows several threat attributes, similar to the one below.
◦ The threat description and threat target are essential attributes.
◦ The risk rating is used in the final stage of the threat modeling process, when prioritizing the identified threat list.
Threat description: Attacker obtains authentication credentials by monitoring the network
Threat target: Web application user authentication process
Risk:
Attack techniques: Use of network monitoring software
Countermeasures: Use SSL to provide an encrypted channel
Rate the Threats
Risk = Probability * Damage Potential
◦ For example, if Probability=10 and Damage Potential=1, then Risk = 10 * 1 = 10.
◦ If Probability=1 and Damage Potential=10, then Risk = 1 * 10 = 10.
Use simple HIGH, MEDIUM and LOW ratings to prioritize risk.
Rate the Threats - DREAD Rating
At Microsoft, the DREAD model is used to help calculate risk.
Damage potential: How great is the damage if the vulnerability is exploited?
Reproducibility: How easy is it to reproduce the attack?
Exploitability: How easy is it to launch an attack?
Affected users: What percentage of users are affected?
Discoverability: How easy is it to find the vulnerability?
Rate the Threats - DREAD
Rate the Threats
Update the documented threat list with the risk rating.
What is next?
The threat model can be used by the following groups of people:
Designers can use it to make secure design choices about technologies and functionality.
Developers who write code can use it to mitigate risks.
Testers can write test cases to test whether the application is vulnerable to the threats identified by the analysis.
Generating Work Item Report
Create a formalized work item report that can include additional attributes, such as a Bug ID.
Tie the threat in with the bug tracking system.
Use its reporting facilities to generate the report.
Make sure to include the original threat number to tie it back to the threat model document.
Organize the threats by network, host, and application categories.
Within each category, present the threats in prioritized order.
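The rating step (Risk = Probability * Damage Potential, the DREAD categories, HIGH/MEDIUM/LOW scaling) and the work item report above, as one added example that is not code from the deck or the Microsoft guide. The DREAD scale it uses (each category scored 1 to 3, summed, with 12-15 = HIGH, 8-11 = MEDIUM, 5-7 = LOW) is this example's own assumption, since the slides state no scale, and the threats in sample_threats are constructed from the threat types the slides list.

```python
"""Rate documented threats and generate the prioritized work item report.
Implements both the simple Risk = Probability * Damage Potential score from
the slides and a DREAD score. The DREAD scale here (five categories, each
1..3, summed; 12-15 HIGH, 8-11 MEDIUM, 5-7 LOW) is an assumption of this
example, not something the slides specify. Sample threats are constructed."""
from collections import defaultdict
from dataclasses import dataclass

DREAD_KEYS = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")
CATEGORY_ORDER = ("network", "host", "application")


@dataclass
class Threat:
    number: int            # original threat number in the threat model document
    category: str          # "network", "host" or "application"
    description: str
    target: str
    attack_technique: str
    countermeasure: str
    dread: dict            # DREAD_KEYS -> score 1..3
    bug_id: str = ""       # filled in once tied to the bug tracking system


def simple_risk(probability, damage_potential):
    """Risk = Probability * Damage Potential, both on a 1..10 scale."""
    for v in (probability, damage_potential):
        if not 1 <= v <= 10:
            raise ValueError("probability and damage potential must be 1..10")
    return probability * damage_potential


def dread_score(dread):
    """Sum of the five DREAD categories, each scored 1 (low) to 3 (high)."""
    missing = set(DREAD_KEYS) - set(dread)
    if missing:
        raise ValueError(f"missing DREAD categories: {sorted(missing)}")
    for k in DREAD_KEYS:
        if dread[k] not in (1, 2, 3):
            raise ValueError(f"{k} must be 1, 2 or 3")
    return sum(dread[k] for k in DREAD_KEYS)


def rating(score):
    """Map a DREAD score (5..15) to the HIGH / MEDIUM / LOW scale."""
    if score >= 12:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


def work_item_report(threats):
    """Group threats by network/host/application, order each group by
    descending score, and keep the original threat number on every row so
    the work item can be traced back to the threat model document."""
    groups = defaultdict(list)
    for t in threats:
        if t.category not in CATEGORY_ORDER:
            raise ValueError(f"unknown category: {t.category}")
        score = dread_score(t.dread)
        groups[t.category].append({
            "threat_number": t.number,
            "bug_id": t.bug_id,
            "description": t.description,
            "target": t.target,
            "attack_technique": t.attack_technique,
            "countermeasure": t.countermeasure,
            "score": score,
            "rating": rating(score),
        })
    for rows in groups.values():
        rows.sort(key=lambda r: (-r["score"], r["threat_number"]))
    return {c: groups[c] for c in CATEGORY_ORDER if c in groups}


def sample_threats():
    # Constructed from the threat types the slides list; scores are illustrative.
    return [
        Threat(1, "network", "Attacker obtains authentication credentials by monitoring the network",
               "Web application user authentication process", "Network monitoring software",
               "Use SSL to provide an encrypted channel",
               dict(zip(DREAD_KEYS, (3, 3, 2, 3, 2))), bug_id="BUG-101"),
        Threat(2, "application", "SQL injection through unvalidated login form input",
               "Data access code", "Crafted form field values",
               "Validate input; use parameterized queries",
               dict(zip(DREAD_KEYS, (3, 3, 3, 3, 3))), bug_id="BUG-102"),
        Threat(3, "host", "Nonessential services left enabled on the Web server",
               "Web server host", "Service enumeration",
               "Disable unused ports, protocols and services",
               dict(zip(DREAD_KEYS, (1, 2, 1, 2, 1)))),
        Threat(4, "application", "Exception details disclosed to the browser",
               "Error handling", "Triggering unhandled exceptions",
               "Return generic error pages; log details server-side",
               dict(zip(DREAD_KEYS, (1, 3, 1, 1, 3)))),
    ]


if __name__ == "__main__":
    for category, rows in work_item_report(sample_threats()).items():
        print(category.upper())
        for r in rows:
            print(f"  #{r['threat_number']:<3} {r['rating']:<6} {r['score']:>2}  {r['description']}")
```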
Summary
While we can mitigate the risk of an attack, we do not mitigate or eliminate the actual threat.
Threats still exist regardless of the security actions and the countermeasures we take/apply.
The reality is that we acknowledge the presence of threats and manage the risks.
Threat modeling can help us manage and communicate security risks across the team.
Summary
Threat modeling is an iterative process.
The threat model should be a dynamic item that changes over time to cater to new types of threats and attacks as they are discovered.
It should also be capable of adapting to follow the natural evolution of the application as it is enhanced and modified to accommodate changing business requirements.
Request
Please read the book:
https://msdn.microsoft.com/en-us/library/ff649874.aspx
Open House
Questions and possible answers
Thanks a lot…
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 

Recently uploaded (20)

A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 

Improving web application security, part ii

  • 1. Improving Web Application Security, Part-II – Threat Modeling (KANGKAN GOSWAMI)
  • 2. Agenda
    ◦ Steps to decompose an application architecture to discover vulnerabilities
    ◦ How to identify and document threats that are relevant to the application
    CORPORATE PRESENTATION Slide 2
  • 3. Threat Modeling Principles: The Process
    ◦ Identify assets.
    ◦ Create an architecture overview.
    ◦ Decompose the application.
    ◦ Identify the threats.
    ◦ Document the threats.
    ◦ Rate the threats.
  • 4. The Process
    ◦ Identify assets.
    ◦ Create an architecture overview.
    ◦ Decompose the application.
    ◦ Identify the threats.
    ◦ Document the threats.
    ◦ Rate the threats.
  • 6. Threat Modeling Process, Step 1. Identify Assets
    ◦ Identify the assets that we need to protect.
    ◦ These range from confidential data, such as a customer or orders database, to the Web pages themselves or the availability of the Web site.
  • 7. Threat Modeling Process, Step 2. Create an Architecture Overview
    ◦ Identify what the application does.
    ◦ Create an architecture diagram.
    ◦ Identify the technologies.
  • 8. Threat Modeling Process, Step 3. Decompose the Application
    ◦ Identify trust boundaries.
    ◦ Identify data flow.
    ◦ Identify entry points.
    ◦ Identify privileged code.
    ◦ Document the security profile.
  • 9. Threat Modeling Process, Step 4. Identify the Threats
    ◦ Identify network threats.
    ◦ Identify host threats.
    ◦ Identify application threats.
  • 10. Threat Modeling Process, Step 5. Document the Threats
    ◦ Document the target.
    ◦ Document the risk.
    ◦ Document the attack technique.
    ◦ Document the countermeasure.
  • 11. Threat Modeling Process, Step 6. Rate the Threats
    ◦ Estimate the probability.
    ◦ Estimate the damage potential.
    ◦ Estimate Risk ()
    ◦ Scale them: HIGH, MEDIUM, LOW.
    ◦ Prioritize using the DREAD model.
    ◦ Recalculate the risk rating.
  • 12. Creating Architecture Overview
    ◦ Identify what the application does.
    ◦ Create an architecture diagram.
    ◦ Identify the technologies.
  • 13. Creating Architecture Overview: Identify what the application does.
    ◦ Identify what the application does and how it uses and accesses assets.
    ◦ Document use cases to help the team understand how the application is supposed to be used. This also helps to work out how it can be misused.
  • 14. Creating Architecture Overview: Create an architecture diagram.
    ◦ Create a high-level architecture diagram.
    ◦ It should describe the composition and structure of the application.
    ◦ It should include its subsystems as well as its physical deployment characteristics.
  • 15. Creating architecture diagram
    ◦ Start with a rough diagram that conveys the composition and structure of the application and its subsystems together with its deployment characteristics.
    ◦ Evolve the diagram by adding details about the trust boundaries, authentication, and authorization mechanisms.
  • 16. Creating Architecture Overview: Identify the technologies.
    ◦ Identify the distinct technologies that are used to implement the solution.
    ◦ This helps to focus on technology-specific threats later in the process.
    ◦ It also helps to determine the correct and most appropriate mitigation techniques.
  • 17. Identify the technologies
    ◦ Document the technologies using a table with two columns, Technology/Platform and Implementation Details:
    ◦ Microsoft SQL Server on Microsoft Windows Advanced Server 2000: includes logins, database users, user defined database roles, tables, stored procedures, views, constraints, and triggers.
    ◦ Microsoft .NET Framework: used for Forms authentication.
    ◦ Secure Sockets Layer (SSL): used to encrypt HTTP traffic.
  • 18. Decomposing the Application
    ◦ Identify trust boundaries.
    ◦ Identify data flow.
    ◦ Identify entry points.
    ◦ Identify privileged code.
    ◦ Document the security profile.
  • 19. Identify trust boundaries
    ◦ Identify the trust boundaries that surround each of the tangible assets of the application.
    ◦ For each subsystem, consider how the data flows and how input can be authenticated and authorized. Also consider how the calling code can be authenticated and authorized.
    ◦ Start by analyzing trust boundaries from a code perspective. Also consider server trust relationships.
  • 20. Identify data flow
    ◦ Start at the highest level and then iteratively decompose the application by analyzing the data flow between individual subsystems.
    ◦ Data flow across trust boundaries is particularly important. Data that comes from outside a component's own trust boundary should be assumed to be malicious, and the component should validate it thoroughly.
    ◦ Data flow diagrams (DFDs) and sequence diagrams can help with the formal decomposition of a system.
  • 21. Identify entry points
    ◦ The entry points of the application also serve as entry points for attacks.
    ◦ Determine the types of gatekeepers that provide authorization and the degree of validation.
    ◦ Logical entry points include the UI (Web pages), service interfaces (Web services), serviced components, .NET Remoting components, and message queues (asynchronous entry points).
    ◦ Physical or platform entry points include ports and sockets.
  • 22. Identify privileged code
    ◦ Privileged code accesses specific types of secure resources (DNS servers, directory services) and performs other privileged operations.
    ◦ Privileged code must be granted the appropriate code access security permissions.
  • 23. Document the security profile
    ◦ Identify the approaches used for input validation, authentication, authorization, configuration management, and the remaining areas where applications are most susceptible.
    ◦ Consider the next table as a sample.
  • 24. Document the security profile (Category: Considerations)
    ◦ Input validation: Is all input data validated? Could an attacker inject commands or malicious data into the application? Is data validated as it is passed between separate trust boundaries (by the recipient entry point)? Can data in the database be trusted?
    ◦ Authentication: Are credentials secured if they are passed over the network? Are strong account policies used? Are strong passwords enforced? Are you using certificates? Are password verifiers (using one-way hashes) used for user passwords?
    ◦ Refer to the book for the rest.
  • 25. Identify the Threats
    ◦ Use STRIDE to identify threats. Refer to the STRIDE model.
    ◦ Use categorized threat lists. Start with a laundry list of common threats grouped by network, host, and application categories.
    ◦ Apply the threat list to the application architecture and any vulnerabilities.
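Slides 19 to 21 describe decomposing the application into trust boundaries, data flows and entry points, and slide 25 applies STRIDE to the result. The following is an added example that is not part of the deck: a small data-flow model for a constructed three-tier web application (browser, web application in a DMZ, orders database on the internal network, all hypothetical) that lists which flows cross a trust boundary, which of our own components are entry points that must validate incoming data, and which STRIDE categories conventionally apply to each element type (the STRIDE-per-element convention from Microsoft's SDL: external entities get S and R, processes all six, data stores T/R/I/D, data flows T/I/D).

```python
"""Added example: DFD decomposition with trust boundaries plus
STRIDE-per-element threat enumeration. Architecture is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# STRIDE categories that conventionally apply to each DFD element type.
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",
    "dataflow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Element:
    name: str
    kind: str   # external | process | datastore
    zone: str   # trust zone; a boundary lies between any two different zones


@dataclass
class Flow:
    name: str
    src: str
    dst: str
    data: str   # what travels over the flow


@dataclass
class Model:
    elements: Dict[str, Element] = field(default_factory=dict)
    flows: List[Flow] = field(default_factory=list)

    def add(self, element: Element) -> None:
        self.elements[element.name] = element

    def connect(self, name: str, src: str, dst: str, data: str) -> None:
        for n in (src, dst):
            if n not in self.elements:
                raise KeyError(f"unknown element {n!r}")
        self.flows.append(Flow(name, src, dst, data))

    def boundary_crossings(self) -> List[Flow]:
        """Flows whose endpoints lie in different trust zones (slide 20):
        the recipient must treat this data as untrusted and validate it."""
        return [f for f in self.flows
                if self.elements[f.src].zone != self.elements[f.dst].zone]

    def entry_points(self) -> Set[str]:
        """Our own components that receive data across a boundary (slide 21);
        each needs a gatekeeper for authorization and input validation."""
        return {f.dst for f in self.boundary_crossings()
                if self.elements[f.dst].kind != "external"}

    def stride_threats(self) -> List[Tuple[str, str]]:
        """Candidate (element or flow, STRIDE category) pairs to walk through
        in step 4. Only boundary-crossing flows are enumerated."""
        threats = []
        for e in self.elements.values():
            for code in STRIDE_PER_ELEMENT[e.kind]:
                threats.append((e.name, STRIDE_NAMES[code]))
        for f in self.boundary_crossings():
            for code in STRIDE_PER_ELEMENT["dataflow"]:
                threats.append((f.name, STRIDE_NAMES[code]))
        return threats


def sample_model() -> Model:
    """Constructed sample: browser on the internet, web application and its
    session cache in a DMZ, orders database on the internal network."""
    m = Model()
    m.add(Element("Browser", "external", "internet"))
    m.add(Element("WebApp", "process", "dmz"))
    m.add(Element("SessionCache", "datastore", "dmz"))
    m.add(Element("OrdersDB", "datastore", "internal"))
    m.connect("login", "Browser", "WebApp", "credentials")
    m.connect("page", "WebApp", "Browser", "HTML")
    m.connect("session", "WebApp", "SessionCache", "session state")
    m.connect("query", "WebApp", "OrdersDB", "SQL")
    m.connect("results", "OrdersDB", "WebApp", "order rows")
    return m


if __name__ == "__main__":
    model = sample_model()
    for f in model.boundary_crossings():
        print(f"{f.name}: {f.src} -> {f.dst} crosses a trust boundary ({f.data})")
    print("entry points:", sorted(model.entry_points()))
    for target, category in model.stride_threats():
        print(f"{target}: {category}")
```

The session flow stays inside the DMZ and so is not listed as a crossing, while the results flow from the database back into the web application is: slide 24's question "Can data in the database be trusted?" is exactly this case. The enumerated pairs are candidates to be confirmed or discarded against the architecture, not a finished threat list.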
  • 26. Identify Network Threats
    ◦ Look for security mechanisms that rely on the IP address of the sender (IP spoofing is easy).
    ◦ Look for session identifiers or cookies passed over unencrypted network channels (session hijacking).
    ◦ Look for clear text credentials or other sensitive data passed over unencrypted communication channels (eavesdropping).
    ◦ You must also ensure that your network is not vulnerable to threats arising from insecure device and server configuration.
  • 27. Identify Host Threats
    ◦ Unpatched servers can be exploited by viruses, Trojan horses, worms, and IIS attacks.
    ◦ Using nonessential ports, protocols, and services increases the attack profile and enables attackers to gather information about and exploit the environment.
    ◦ Unauthenticated anonymous access.
    ◦ Weak passwords and account policies that lead to password cracking, identity spoofing, and denial of service attacks if accounts can be locked out deliberately.
  • 28. Identify Application Threats
    ◦ Poor input validation leads to cross-site scripting (XSS), SQL injection, and buffer overflow attacks.
    ◦ Passing credentials or authentication cookies over unencrypted network links can lead to credential capture or session hijacking.
    ◦ Weak password and account policies can lead to unauthorized access.
    ◦ Failing to secure the configuration management aspects of your application, including administration interfaces.
  • 29. Identify Application Threats
    ◦ Storing configuration secrets, such as connection strings and service account credentials, in clear text.
    ◦ Using over-privileged process and service accounts.
    ◦ Using insecure data access coding techniques, which can increase the threat posed by SQL injection.
    ◦ Using weak or custom encryption and failing to adequately secure encryption keys.
  • 30. Identify Application Threats
    ◦ Relying on the integrity of parameters that are passed from the Web browser, for example, form fields, query strings, cookie data, and HTTP headers.
    ◦ Using insecure exception handling, which can lead to denial of service attacks and the disclosure of system-level details that are useful to an attacker.
    ◦ Doing inadequate auditing and logging, which can lead to repudiation threats.
  • 31. Identify the Threats: Using Attack Trees and Attack Patterns
    ◦ An attack tree is a way of collecting and documenting the potential attacks on the system in a structured and hierarchical manner.
    ◦ By creating attack trees, we create a reusable representation of security issues that helps focus efforts.
    ◦ Create test plans to validate the security design.
    ◦ Attack patterns are a formalized approach to capturing attack information in the enterprise.
  • 32. Identify the Threats: Document the Threats
    ◦ Use a template that shows several threat attributes, similar to the one below.
    ◦ The threat description and threat target are essential attributes.
    ◦ The risk rating is used in the final stage of the threat modeling process, when prioritizing the identified threat list.
    ◦ Threat Description: Attacker obtains authentication credentials by monitoring the network
    ◦ Threat target: Web application user authentication process
    ◦ Risk: (left blank until the threat is rated)
    ◦ Attack techniques: Use of network monitoring software
    ◦ Countermeasures: Use SSL to provide encrypted channel
  • 33. Rate the Threats
    ◦ Risk = Probability * Damage Potential
    ◦ For example, if Probability=10 and Damage Potential=1, then Risk = 10 * 1 = 10.
    ◦ If Probability=1 and Damage Potential=10, then Risk = 1 * 10 = 10.
    ◦ Use simple HIGH, MEDIUM and LOW ratings to prioritize risk.
  • 34. Rate the Threats - DREAD Rating
    ◦ At Microsoft, the DREAD model is used to help calculate risk.
    ◦ Damage potential: How great is the damage if the vulnerability is exploited?
    ◦ Reproducibility: How easy is it to reproduce the attack?
    ◦ Exploitability: How easy is it to launch an attack?
    ◦ Affected users: What percentage of users is affected?
    ◦ Discoverability: How easy is it to find the vulnerability?
  • 35. Rate the Threats - DREAD
  • 36. Rate the Threats
    ◦ Update the documented Threat List with the RISK RATING.
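Slides 32 to 36 document each threat in a template, compute Risk = Probability * Damage Potential, rate with DREAD, scale to HIGH/MEDIUM/LOW and write the rating back to the threat list; slide 38 then turns the list into a work item report grouped by network, host and application and ordered by priority. The following is an added example that is not from the deck: it carries the deck's own template row (network monitoring of credentials, countered with SSL) and three constructed threats through that whole pipeline. The DREAD score as the mean of five 1..10 scores, the HIGH/MEDIUM/LOW thresholds of 7 and 4, and the BUG-xxx identifiers are this example's assumptions, not values from the deck.

```python
"""Added example: threat template rows, Risk = Probability * Damage Potential,
DREAD rating, HIGH/MEDIUM/LOW scaling and a prioritized work item report.
Sample threats, thresholds and bug IDs are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DREAD_KEYS = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")
CATEGORY_ORDER = ("network", "host", "application")   # slide 38 grouping


@dataclass
class Threat:
    """One row of the threat-documentation template (slide 32),
    plus the fields filled in during the rating step."""
    number: int                   # original threat number, for tie-back to the model
    category: str                 # network | host | application
    description: str
    target: str
    attack_techniques: str
    countermeasures: str
    dread: Dict[str, int] = field(default_factory=dict)   # five 1..10 scores
    risk: Optional[float] = None
    rating: Optional[str] = None
    bug_id: Optional[str] = None  # assigned once tied into the bug tracker


def simple_risk(probability: int, damage_potential: int) -> int:
    """Risk = Probability * Damage Potential, both on a 1..10 scale (slide 33)."""
    for v in (probability, damage_potential):
        if not 1 <= v <= 10:
            raise ValueError("scores must be between 1 and 10")
    return probability * damage_potential


def dread_score(scores: Dict[str, int]) -> float:
    """DREAD risk as the mean of the five 1..10 scores (slide 34).
    The averaging and the 1..10 range are assumptions of this example."""
    missing = [k for k in DREAD_KEYS if k not in scores]
    if missing:
        raise ValueError(f"missing DREAD scores: {missing}")
    for k in DREAD_KEYS:
        if not 1 <= scores[k] <= 10:
            raise ValueError(f"{k} must be between 1 and 10")
    return sum(scores[k] for k in DREAD_KEYS) / len(DREAD_KEYS)


def scale(score: float, high: float = 7.0, medium: float = 4.0) -> str:
    """Collapse a 1..10 score into HIGH / MEDIUM / LOW (thresholds assumed)."""
    if score >= high:
        return "HIGH"
    if score >= medium:
        return "MEDIUM"
    return "LOW"


def rate_threats(threats: List[Threat]) -> List[Threat]:
    """Step 6: rate every documented threat and record the rating on the list."""
    for t in threats:
        t.risk = dread_score(t.dread)
        t.rating = scale(t.risk)
    return threats


def work_item_report(threats: List[Threat]) -> List[dict]:
    """Slide 38: group by network/host/application, highest risk first
    within each group, keeping the original threat number and bug ID."""
    rows = []
    for cat in CATEGORY_ORDER:
        group = [t for t in threats if t.category == cat]
        group.sort(key=lambda t: (-(t.risk or 0), t.number))
        for t in group:
            rows.append({"category": cat, "threat": t.number, "bug_id": t.bug_id,
                         "rating": t.rating, "risk": t.risk,
                         "description": t.description,
                         "countermeasures": t.countermeasures})
    return rows


def sample_threats() -> List[Threat]:
    """Constructed list; entry 1 is the deck's own template row."""
    d = lambda *v: dict(zip(DREAD_KEYS, v))
    return [
        Threat(1, "network", "Attacker obtains authentication credentials by monitoring the network",
               "Web application user authentication process", "Use of network monitoring software",
               "Use SSL to provide encrypted channel", d(8, 10, 7, 10, 10), bug_id="BUG-101"),
        Threat(2, "application", "Unhandled exception details are returned to the browser",
               "Order search page", "Malformed request produces a stack trace in the response",
               "Generic error page; log details server side", d(3, 10, 8, 4, 6), bug_id="BUG-102"),
        Threat(3, "application", "SQL injection through the order search field",
               "Orders database", "Crafted input in an unvalidated form field",
               "Parameterized queries; validate all input at the entry point",
               d(10, 10, 8, 10, 8), bug_id="BUG-103"),
        Threat(4, "host", "Server banner reveals the web server version",
               "Web server host", "Reading response headers", "Suppress version banner; keep patched",
               d(2, 10, 2, 1, 4)),
    ]


if __name__ == "__main__":
    for row in work_item_report(rate_threats(sample_threats())):
        print(f"[{row['category']}] #{row['threat']} {row['rating']:6} {row['risk']:.1f} "
              f"{row['bug_id'] or '-'}: {row['description']}")
```

Two points the arithmetic illustrates: the deck's Probability * Damage Potential formula gives the same score of 10 to a likely-but-harmless threat and an unlikely-but-severe one, which is why the HIGH/MEDIUM/LOW scale and then DREAD are layered on top; and the work item report keeps the original threat number so a bug can always be traced back to the threat model document.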
  • 37. What is next?
    ◦ The threat model can be used by the following groups of people:
    ◦ Designers can use it to make secure design choices about technologies and functionality.
    ◦ Developers who write code can use it to mitigate risks.
    ◦ Testers can write test cases to test whether the application is vulnerable to the threats identified by the analysis.
  • 38. Generating Work Item Report
    ◦ Create a formalized work item report that can include additional attributes, such as a Bug ID.
    ◦ Tie the threat in with the bug tracking system. Use its reporting facilities to generate the report.
    ◦ Make sure to include the original threat number to tie it back to the threat model document.
    ◦ Organize the threats by network, host, and application categories. Within each category, present the threats in prioritized order.
  • 39. Summary
    ◦ While we can mitigate the risk of an attack, we do not mitigate or eliminate the actual threat.
    ◦ Threats still exist regardless of the security actions and countermeasures we take.
    ◦ The reality is that we acknowledge the presence of threats and manage the risks.
    ◦ Threat modeling can help us manage and communicate security risks across the team.
  • 40. Summary
    ◦ Threat modeling is an iterative process.
    ◦ The threat model should be a dynamic item that changes over time to cater to new types of threats and attacks as they are discovered.
    ◦ It should also be capable of adapting to follow the natural evolution of the application as it is enhanced and modified to accommodate changing business requirements.
  • 41. Request
    ◦ Please read the book: https://msdn.microsoft.com/en-us/library/ff649874.aspx
  • 42. Open House
    ◦ Questions and possible answers
  • 43. Thanks a lot…