SlideShare uma empresa Scribd logo
1 de 42
Baixar para ler offline
1!
Con$nuous'Monitoring'for'
Web'App'Security'Dave%Shackleford,%IANS%
2%
The'Web'App'Security'Landscape'
!  Many'organiza$ons'are'not'addressing'Web'app'security'as'
they'should'
!  More'are'asking'“How'likely'are'we'to'be'hacked?”'and'
“What'should'we'do'about'it?”'
!  What'kinds'of'aCacks'are'federal'agencies'experiencing?'
And'what'should'they'do'about'it?'
!  We’ll'cover:'
!  Some%a5acks%and%research%trends%
!  Compliance%and%federal%regula>ons%to%focus%on%
!  Some%ideas%on%“what%do%about%it”.%
3%
Some'of'the'Top'Web'App'Issues'Today'
!  “Clickjacking”'and'embedded/hidden'code'aCacks'
!  “Slowloris”Lstyle'applica$on'vulnerabili$es'leading'to'DoS'
condi$ons'
!  The'BEAST'and'CRIME'aCacks'against'SSL/TLS'
!  CSRF'condi$ons'
!  SQL'worms'and'injec$on'vulnerabili$es'
!  ServerLside'Includes'(SSI)'with'development'plaUorms'
4%
Breaches'Are'Happening'Too…'
5%
What'about'compliance?'
!  FISMA'requires'a'number'of'specific'elements'in'its'
framework:'
!  Inventory%of%informa>on%systems%
!  Categorize%informa>on%and%informa>on%systems%according%to%risk%
level%
!  Security%controls%
!  Risk%assessment%
!  System%security%plan%
!  Cer>fica>on%and%accredita>on%
!  Con>nuous%monitoring%
6%
What is Continuous
Monitoring?
!  One'step'in'the'NIST'6Lstep'risk'management'approach'in'
800L37'
!  Important%step%for%assessing%security%impacts%over%>me%
!  Required%by%FISMA%and%OMB%
7%
Risk Management &
Continuous Monitoring
!  Continuous Monitoring only follows sound
risk management practices & control
selection as outlined in NIST 800-53 and
800-37
!  Not replacing traditional risk assessment
and security authorization
!  The final step in the RMF (a key component
in back-end security, as defined by NIST)
8%
So…the RMF?
!  Jointly'developed'by'NIST,'DoD,'intelligence'agencies,'and'
the'CommiCee'on'Na$onal'Security'Systems'
!  Implemented'across'three'$ers:'
!  Governance%
!  Mission/business%process%
!  Informa>on%system%
!  A'lifecycle'approach'that'updates'the'C&A'process'
!  Helps%Authorizing%Officials%assess%Authority%to%Operate%(ATO)%%
9%
Automating Continuous
Monitoring
!  Automa$on?'You'bet.'
!  SCAP%is%a%good%start.%
!  Many%800]53%areas%are%good%candidates:%
!  Access%Control%
!  Iden>fica>on%&%Authen>ca>on%
!  Audi>ng%&%Accountability%
!  Systems%&%Communica>on%Protec>on%
!  Real]>me%monitoring%of%these%is%key%
10%
Involving'Stakeholders'
!  Who'should'be'involved'in'planning'con$nuous'
monitoring?'
!  System%and%control%owners%
!  Business%unit%management%
!  CISO%and%CIO%
!  Authorizing%officials%
11%
Lots of Changes to Federal IT
Security and Compliance
!  Before: Go through C&A, get an ATO
!  Acronyms: Certification & Accreditation (C&A),
Authority to Operate (ATO)
!  FISMA specifies:
!  Periodic Risk Assessments
!  Periodic Testing & Evaluation
!  Annual Security Review
!  Annual Reporting
12%
And Now…?
!  800L53,'updated'in'2009L2010:'
!  Mandates%the%use%of%con>nuous%monitoring%
!  Mandates%the%implementa>on%of%a%strong%Risk%Management%
Framework%(RMF)%
!  Specific%guidance%on%event%triggers%and%responses%
Conducting a thorough point-in-time assessment of the
security controls in an organizational information system is a
necessary but not sufficient condition to demonstrate security
due diligence…The ultimate objective of the continuous
monitoring program is to determine if the security controls in
an information system continue to be effective over time in light
of the inevitable changes that occur in the system as well as the
environment in which the system operates.
13%
In other words…
!  Moving from:
!  To:
Those security controls that are volatile or critical to
protecting the information system are assessed at
least annually. All other controls are assessed at
least once during the information system s three-
year accreditation cycle.
A continuous monitoring program allows an organization to
maintain the security authorization of an information system
over time in a highly dynamic environment of operation with
changing threats, technologies and missions/business
processes. Continuous monitoring of security controls
using automated support tools facilitates near real-time risk
management and promotes organizational situational
awareness with regard to the security state of the
information system.
14%
The Federal InfoSec
Compliance Spectrum
!  FISMA'changes'and'bills'
!  “The%Federal%Informa>on%Security%Management%Act%of%
2010”%(06/2010)%
!  “Revamps%FISMA%repor>ng%requirements,%requiring%agencies%to%u>lize%
new%and%automated%monitoring%and%measuring%capabili>es%to%assess%
their%vulnerabili>es%to%cyber%threats”%
!  SCAP'
!  Measuring%&%repor>ng%on%vulnerabili>es%and%configura>on%issues%
(risk%measurement)%
!  CAG'
!  Consensus%controls%with%SANS,%Public%and%Private%organiza>ons,%and%
infosec%experts%%
15%
More on SCAP
!  Multiple standards for assessing configuration
and vulnerabilities, and reporting them
!  CVE (Vulns)
!  CVSS (Vuln scoring or rating)
!  CCE and CPE (Enumeration)
!  XCCDF and OVAL (Configs and Reporting)
!  Intended to provide standards for scanners,
local system assessment, and reporting
!  Cross-tool correlation and monitoring/alerting is a
critical function, too
16%
More on CAG
!  10'of'the'15'can'be'addressed'with'log'and'event'
management'
!  Tied%to%con>nuous%monitoring%
Can'be'facilitated'with''
con$nuous,'thorough'
Web'applica$on'assessment'
17%
Tying Web assessment to
event monitoring
!  Specific Web app scanning details to correlate:
!  Vulnerability details
!  Open ports and running/listening services
!  Risk ratings for vulnerabilities
!  System/application details
!  Correlation Examples:
!  System/application details: Correlate with current
inventory
!  Open ports: Correlate with configuration details to
determine whether unauthorized changes were made or
services are vulnerable
!  Vulnerability details: Correlate with configuration
details to determine whether unauthorized changes
were made or services are vulnerable
18%
Continuous Monitoring + CAG:
Assets/Inventory
Name Purpose IP address MAC address Purchase Date OS License Good Through Applications
CPCDSM01 File Server 1.2.3.4 AA:BB:CC:DD:EE:FF 1/2/10 Win2k8 Server SP2 1/2/14 XYZ
CPCDSM02 File Server 1.2.3.5 AA:BB:CC:DD:EE:AA 1/3/10 Win2k8 Server SP2 1/3/14 XYZ
CPCDSM03 File Server 1.2.3.6 AA:BB:CC:DD:EE:BB 1/4/10 Win2k8 Server SP2 1/4/14 XYZ
CPCDSM04 File Server 1.2.3.7 AA:BB:CC:DD:EE:CC 1/5/10 Win2k8 Server SP2 1/5/14 XYZ
CPCDSM05 File Server 1.2.3.8 AA:BB:CC:DD:EE:DD 1/6/10 Win2k8 Server SP2 1/6/14 XYZ
CPCDSM06 File Server 1.2.3.9 AA:BB:CC:DD:EE:EE 1/7/10 Win2k8 Server SP2 1/7/14 XYZ
•  System and application inventories can be
leveraged for a number of reasons
–  Determine whether systems or applications are
approved
–  Enforce license compliance
–  Determine whether systems or applications need
upgrades
19%
Continuous Monitoring + CAG:
Assets/Inventory
!  Specific elements we want to learn with scanning:
!  System and asset names
!  Platform and application details (what is installed,
versions, patches applied, etc.)
!  Asset IP/MAC addresses
!  License status and details (maybe)
20%
Continuous Monitoring + CAG:
Assets/Inventory
!  Correlation Examples:
!  System/application details: Correlate with
configuration details and remediation plans to ensure
consistency
!  Asset IP/MAC addresses: Ensure system addresses
have not changed
!  License status/details: Correlate with system
configuration to ensure applications are authorized and
licensed
21%
So…How s all this work?
!  A huge amount of application and
vulnerability detail needs to be collected in
today s Federal IT environments
!  All public-facing and critical apps need to be monitored
continually
!  These data sets should be aggregated, correlated and
used to create meaningful alerts
!  Assessment and reporting should follow
consistent formatting
!  SCAP is the emerging standard
22%
FedRAMP'mandates'web'applica$on'
scanning'controls'
!  The'GSA'guide'to'
implemen$ng'con$nuous'
monitoring'for'FedRAMP'
requires'Web'app'scanning'
!  Agencies'should'adhere'to'
the'same'controls,'but'even'
more'regularly'
!  This'is'becoming'best'prac$ce'
for'everyone!'
23%
Alan'Paller’s'Federal'Tes$mony'
!  Alan'Paller'tes$fied'before'a'House'subcommiCee'in'March'
of'2010:'
One$of$the$most$important$goals$of$any$federal$cyber$security$legisla6on$
must$be$to$enable$the$defenders$to$act$as$quickly$to$protect$their$systems$as$
the$a9ackers$can$act.$We#call#this#con-nuous#monitoring#and#it#is#single#
handedly#the#most#important#element#you#will#write#into#the#new#law.$
Con6nuous$monitoring$enables$government$agencies$to$respond$quickly$
and$effec6vely$to$common$and$new$a9ack$vectors.$The$Department$of$
State$has$demonstrated$the$effec6veness$of$this$security$innova6on.$Most$
major$corpora6ons$use$it.$This$model$is$the$future$of$federal$cybersecurity.$
As$our$response$to$a9acks$becomes$faster$and$more$automated,$we$will$
take$the$first$steps$toward$turning$the$6de$in$cyberspace,$and$protec6ng$
our$sensi6ve$informa6on.'
hCp://oversight.house.gov/wpLcontent/uploads/2012/01/20100324Paller.pdf'
24%
Mee$ng'Requirements'
!  FISMA'provisions'fall'into'three'major'categories:''
!  Assessment:%Determining%the%adequacy%of%the%security%of%federal%
assets%
!  Enforcement:%Requires%that%key%informa>on%security%provisions%be%
implemented%and%managed%
!  Compliance:%Establishes%provisions%for%management%of%each%agency's%
informa>on%security%program%and%accountability%for%compliance%and%
repor>ng%
!  How'can'regular'Web'app'scanning'help'agencies'improve'
security'and'meet'federal'guidelines'and'regula$ons?'
25%
Mee$ng'Requirements'&'Improving'
Security'
!  Specific'accountability%of%agencies%and%officials%
!  Regular%Web%app%scan%reports%show%security%status%of%applica>ons%
owned%by%each%organiza>on%and%manager%
!  Summary%reports%show%enterprise%view%of%applica>on%security%for%
formal%FISMA%repor>ng%
!  Assess'risk%by%seeking%to%meet%defined%security%objec>ves'
!  Reports%provide%iden>fica>on%of%levels%of%risk%
!  Data%can%be%used%in%risk%assessments%to%support%Cer>fica>on%and%
Accredita>on%ac>vity%
!  Management%can%make%risk]based%decisions%about%applica>on%
management%and%security%
26%
Mee$ng'Requirements'&'Improving'
Security'
!  Maintain'an'inventory%of%major%systems%and%applica>ons%
!  Regular'security'assessments%and%reviews%
!  Vulnerabili>es%are%iden>fied%by%applica>on,%allowing%audits%to%be%
targeted%and%more%focused%
!  Scans%can%be%run%and%used%as%input%to%broader%assessments%
!  Assessments%can%be%automated%and%include%iden>fica>on%of%
likelihood%and%impact,%which%assist%with%Cer>fica>on%and%
Accredita>on%efforts%
!  Changes%can%be%mapped%over%>me%to%audit%compliance%with%
recommenda>ons%in%earlier%assessments%(con>nuous%monitoring!)%
27%
Mee$ng'Requirements'&'Improving'
Security'
!  Tracking'of'deficiencies'and'remedia$on'ac$ons%taken'
!  Administrators%and%developers%can%filter%reports%to%show%specific%
vulnerabili>es%and%recommended%remedia>on%sugges>ons%
!  Tickets%can%be%assigned%to%appropriate%staff%to%enforce%remedia>on%
!  Reports%show%status%of%mi>ga>on%ac>vity%]%corrected%vs.%s>ll%ac>ve%
vulnerabili>es%
28%
Mee$ng'Requirements'&'Improving'
Security'
!  Incident'response%and%preven>on%processes%and%capability%
!  Scans%give%early%warning%of%organiza>onal%exposure%to%vulnerabili>es%
!  Specific%vulnerabili>es%are%>ed%to%apps%for%more%rapid%assessments%
and%response%
!  Reports%can%be%shared%with%internal%and%external%incident%response%
teams%
29%
Web'App'Scanning'+'SIEM'
!  Tying'scan'results'into'event'
monitoring'can'add'powerful'
context'to'correla$on'rules'
!  Metrics'can'include:'
!  Web%and%database%applica>on%
vulnerabili>es%or%config%issues%
!  Web%and%database%plaiorm%
configura>on%changes%%
!  Web%applica>on%errors%by%web%
applica>on%by%type%
30%
Web'App'Scanning'+'WAF'
!  Web'Applica$on'Firewalls'(WAFs)'can'be'tested'with'web'
applica$on'scanning'tools'
!  Several'key'areas'to'focus'on:'
!  WAF%bypass%with%specific%scanning%types%
!  WAF%effec>veness%at%aler>ng%
!  Tuning%the%WAF%for%streamlined%detec>on%and%response%efforts%
31%
Web'App'Scanning'+'GRC'
!  Web'app'scanning'can'provide'valuable'input'to'GRC'tools'
and'metrics:'
!  Top%vulnerabili>es%see%and%remediated%
!  Changes%to%compliance%status%
!  Changes%to%overall%risk%status,%or%cri>cal%app%status%
32%
Web'App'Scanning'for'Mobile'
!  Many'mobileLoriented'Web'apps'provide'different'or'
varied'content'based'on'endpoint'device'and'browser'
!  Web'app'scanners'need'to'adapt'to'this'by'allowing'for:'
!  Various%HTTP%headers%to%be%modified%when%scanning%
!  User]Agent%values%to%be%changed%quickly%and%simply%for%different%scan%
results%
!  Varied%scrip>ng%and%data%presenta>on%op>ons%
33%
What’s'to'come?'
!  In'2013'and'beyond,'many'Federal'IT'organiza$ons'will'look'
to'implement'con$nuous'monitoring'
!  There'are'more'and'more'Web'app'vulnerabili$es'
!  Injec>on%flaws%
!  XSS%and%CSRF%issues%
!  Config/Inventory%data%
!  Web%server%vulnerabili>es%
!  Centralized'monitoring'and'management'will'be'key''
1 Cenzic, Inc. - Confidential, All Rights Reserved.
Cenzic!
•  Leading Security Intelligence Platform
•  Headquarters in California, Offices in Singapore &
London, 10 years in business
•  Secures >1,000,000 online applications, $Trillions of
commerce
•  Protects F1000 companies, government agencies,
universities, SMBs & all major security vendors
•  Easy to use enterprise, mobile, and SaaS solutions
•  Delivers best continuous real-world Risk Management
-
Cenzic – Continuous Security Intelligence
GRC
WAF
 SIEM
MOBILE
 STATIC TESTING
Cenzic, Inc. - Confidential, All Rights Reserved.2
3 Cenzic, Inc. - Confidential, All Rights Reserved.
Cenzic Enterprise Application Security
Production 
Partner / 
Supply Chain Networks
Mitigate vulnerabilities
before apps move to
production
Protect against ongoing
threats and manage risks
Certify partners - Ensure
interconnecting partner
and supply chain apps are
protected
Enterprise | Cloud
Hybrid
Mobile | Managed
Enterprise
Cloud 
Cloud
Managed
Enterprise Application Security
Pre-production &
App Development
Unique capabilities Cenzic solutions offer:
–  Detect vulnerabilities in web applications in terms of applicable
compliance standards
!  FISMA 3544
!  NIST 800-53
!  ASD STIG APP
–  Prioritize remediation quickly based on seriousness of compliance
issue
–  Instantaneously connect reports to specific vulnerabilities affected by
regulation
–  Correlate final results in terms of specific subsections to demonstrate
compliance
Mapping to Federal Needs
4
5 Cenzic, Inc. - Confidential, All Rights Reserved.
Sample FISMA Compliance Findings Report
6 Cenzic, Inc. - Confidential, All Rights Reserved.
Sample NIST Compliance Findings Report
7 Cenzic, Inc. - Confidential, All Rights Reserved.
Sample STIG Compliance Findings Report
8 Cenzic, Inc. - Confidential, All Rights Reserved.
Thanks
For more details, contact:
Bala Venkat
bala@cenzic.com
34%
Ques$ons?'

Mais conteúdo relacionado

Mais procurados

edgescan vulnerability stats report (2018)
 edgescan vulnerability stats report (2018)  edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) Eoin Keary
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkAndrew Gerber
 
Device discovery for vulnerability assessment: Automating the Handoff
Device discovery for vulnerability assessment: Automating the HandoffDevice discovery for vulnerability assessment: Automating the Handoff
Device discovery for vulnerability assessment: Automating the Handoffnathan-axonius
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinSplunk
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemLancope, Inc.
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunk
 
Webinar: Neues zur Splunk App for Enterprise Security
Webinar: Neues zur Splunk App for Enterprise SecurityWebinar: Neues zur Splunk App for Enterprise Security
Webinar: Neues zur Splunk App for Enterprise SecurityGeorg Knon
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Frameworkjpubal
 
Gov Day Sacramento 2015 - User Behavior Analytics
Gov Day Sacramento 2015 - User Behavior AnalyticsGov Day Sacramento 2015 - User Behavior Analytics
Gov Day Sacramento 2015 - User Behavior AnalyticsSplunk
 
Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4Imperva
 
Dhishant -Latest Resume
Dhishant -Latest ResumeDhishant -Latest Resume
Dhishant -Latest ResumeDhishant Abrol
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report exampleIhor Uzhvenko
 
Veterans Administration Hacked by foreign orgs, security needs standardization
Veterans Administration Hacked by foreign orgs, security needs standardizationVeterans Administration Hacked by foreign orgs, security needs standardization
Veterans Administration Hacked by foreign orgs, security needs standardizationMichael Holt
 
Consensus Audit Guidelines 2008
Consensus Audit Guidelines 2008Consensus Audit Guidelines 2008
Consensus Audit Guidelines 2008John Gilligan
 
PHP SuperGlobals - Supersized Trouble
PHP SuperGlobals - Supersized TroublePHP SuperGlobals - Supersized Trouble
PHP SuperGlobals - Supersized TroubleImperva
 

Mais procurados (20)

2016 Trends in Security
2016 Trends in Security 2016 Trends in Security
2016 Trends in Security
 
edgescan vulnerability stats report (2018)
 edgescan vulnerability stats report (2018)  edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
 
B&W Netsparker overview
B&W Netsparker overviewB&W Netsparker overview
B&W Netsparker overview
 
Device discovery for vulnerability assessment: Automating the Handoff
Device discovery for vulnerability assessment: Automating the HandoffDevice discovery for vulnerability assessment: Automating the Handoff
Device discovery for vulnerability assessment: Automating the Handoff
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch System
 
Ransomware attacks
Ransomware attacksRansomware attacks
Ransomware attacks
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based security
 
Webinar: Neues zur Splunk App for Enterprise Security
Webinar: Neues zur Splunk App for Enterprise SecurityWebinar: Neues zur Splunk App for Enterprise Security
Webinar: Neues zur Splunk App for Enterprise Security
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
Vulnerability Management V0.1
Vulnerability Management V0.1Vulnerability Management V0.1
Vulnerability Management V0.1
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Framework
 
Gov Day Sacramento 2015 - User Behavior Analytics
Gov Day Sacramento 2015 - User Behavior AnalyticsGov Day Sacramento 2015 - User Behavior Analytics
Gov Day Sacramento 2015 - User Behavior Analytics
 
Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4
 
Dhishant -Latest Resume
Dhishant -Latest ResumeDhishant -Latest Resume
Dhishant -Latest Resume
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report example
 
Veterans Administration Hacked by foreign orgs, security needs standardization
Veterans Administration Hacked by foreign orgs, security needs standardizationVeterans Administration Hacked by foreign orgs, security needs standardization
Veterans Administration Hacked by foreign orgs, security needs standardization
 
Consensus Audit Guidelines 2008
Consensus Audit Guidelines 2008Consensus Audit Guidelines 2008
Consensus Audit Guidelines 2008
 
PHP SuperGlobals - Supersized Trouble
PHP SuperGlobals - Supersized TroublePHP SuperGlobals - Supersized Trouble
PHP SuperGlobals - Supersized Trouble
 

Semelhante a Continuous Monitoring for Web Application Security

Csec 610 Motivated Minds/newtonhelp.com
Csec 610 Motivated Minds/newtonhelp.comCsec 610 Motivated Minds/newtonhelp.com
Csec 610 Motivated Minds/newtonhelp.comamaranthbeg52
 
Csec 610 Your world/newtonhelp.com
Csec 610 Your world/newtonhelp.comCsec 610 Your world/newtonhelp.com
Csec 610 Your world/newtonhelp.comamaranthbeg92
 
Csec 610 Extraordinary Success/newtonhelp.com
Csec 610 Extraordinary Success/newtonhelp.comCsec 610 Extraordinary Success/newtonhelp.com
Csec 610 Extraordinary Success/newtonhelp.comamaranthbeg112
 
Csec 610 Education is Power/newtonhelp.com
Csec 610 Education is Power/newtonhelp.comCsec 610 Education is Power/newtonhelp.com
Csec 610 Education is Power/newtonhelp.comamaranthbeg72
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comPrescottLunt384
 
2014-12-16 defense news - shutdown the hackers
2014-12-16  defense news - shutdown the hackers2014-12-16  defense news - shutdown the hackers
2014-12-16 defense news - shutdown the hackersShawn Wells
 
Splunk conf2014 - Operationalizing Advanced Threat Defense
Splunk conf2014 - Operationalizing Advanced Threat DefenseSplunk conf2014 - Operationalizing Advanced Threat Defense
Splunk conf2014 - Operationalizing Advanced Threat DefenseSplunk
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 
Application security Best Practices Framework
Application security   Best Practices FrameworkApplication security   Best Practices Framework
Application security Best Practices FrameworkSujata Raskar
 
NetWatcher Customer Overview
NetWatcher Customer OverviewNetWatcher Customer Overview
NetWatcher Customer OverviewScott Suhy
 
DEVNET-1180 Security from the Cloud
DEVNET-1180	Security from the CloudDEVNET-1180	Security from the Cloud
DEVNET-1180 Security from the CloudCisco DevNet
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment Mykhailo Antonishyn
 
Cst 610 Your world/newtonhelp.com
Cst 610 Your world/newtonhelp.comCst 610 Your world/newtonhelp.com
Cst 610 Your world/newtonhelp.comamaranthbeg93
 
Cst 610 Education is Power/newtonhelp.com
Cst 610 Education is Power/newtonhelp.comCst 610 Education is Power/newtonhelp.com
Cst 610 Education is Power/newtonhelp.comamaranthbeg73
 
Cst 610 Motivated Minds/newtonhelp.com
Cst 610 Motivated Minds/newtonhelp.comCst 610 Motivated Minds/newtonhelp.com
Cst 610 Motivated Minds/newtonhelp.comamaranthbeg53
 
What Are The Advantages And Disadvantages Of The Global...
What Are The Advantages And Disadvantages Of The Global...What Are The Advantages And Disadvantages Of The Global...
What Are The Advantages And Disadvantages Of The Global...Beth Salazar
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsCognizant
 
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsEbook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsDominique Dessy
 

Semelhante a Continuous Monitoring for Web Application Security (20)

Csec 610 Motivated Minds/newtonhelp.com
Csec 610 Motivated Minds/newtonhelp.comCsec 610 Motivated Minds/newtonhelp.com
Csec 610 Motivated Minds/newtonhelp.com
 
Csec 610 Your world/newtonhelp.com
Csec 610 Your world/newtonhelp.comCsec 610 Your world/newtonhelp.com
Csec 610 Your world/newtonhelp.com
 
Csec 610 Extraordinary Success/newtonhelp.com
Csec 610 Extraordinary Success/newtonhelp.comCsec 610 Extraordinary Success/newtonhelp.com
Csec 610 Extraordinary Success/newtonhelp.com
 
Csec 610 Education is Power/newtonhelp.com
Csec 610 Education is Power/newtonhelp.comCsec 610 Education is Power/newtonhelp.com
Csec 610 Education is Power/newtonhelp.com
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.com
 
2014-12-16 defense news - shutdown the hackers
2014-12-16  defense news - shutdown the hackers2014-12-16  defense news - shutdown the hackers
2014-12-16 defense news - shutdown the hackers
 
Splunk conf2014 - Operationalizing Advanced Threat Defense
Splunk conf2014 - Operationalizing Advanced Threat DefenseSplunk conf2014 - Operationalizing Advanced Threat Defense
Splunk conf2014 - Operationalizing Advanced Threat Defense
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Application security Best Practices Framework
Application security   Best Practices FrameworkApplication security   Best Practices Framework
Application security Best Practices Framework
 
NetWatcher Customer Overview
NetWatcher Customer OverviewNetWatcher Customer Overview
NetWatcher Customer Overview
 
DEVNET-1180 Security from the Cloud
DEVNET-1180	Security from the CloudDEVNET-1180	Security from the Cloud
DEVNET-1180 Security from the Cloud
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment
 
Cst 610 Your world/newtonhelp.com
Cst 610 Your world/newtonhelp.comCst 610 Your world/newtonhelp.com
Cst 610 Your world/newtonhelp.com
 
Cst 610 Education is Power/newtonhelp.com
Cst 610 Education is Power/newtonhelp.comCst 610 Education is Power/newtonhelp.com
Cst 610 Education is Power/newtonhelp.com
 
Cst 610 Motivated Minds/newtonhelp.com
Cst 610 Motivated Minds/newtonhelp.comCst 610 Motivated Minds/newtonhelp.com
Cst 610 Motivated Minds/newtonhelp.com
 
What Are The Advantages And Disadvantages Of The Global...
What Are The Advantages And Disadvantages Of The Global...What Are The Advantages And Disadvantages Of The Global...
What Are The Advantages And Disadvantages Of The Global...
 
Cisa ransomware guide
Cisa ransomware guideCisa ransomware guide
Cisa ransomware guide
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, Solutions
 
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsEbook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
 

Mais de Cenzic

How to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security TestingHow to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security TestingCenzic
 
Ians cenzic webinar
Ians cenzic webinarIans cenzic webinar
Ians cenzic webinarCenzic
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Cenzic
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Cenzic
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
HARM Score: Approaches to Quantitative Risk Analysis for Web Applications
HARM Score:  Approaches to Quantitative Risk Analysis for Web ApplicationsHARM Score:  Approaches to Quantitative Risk Analysis for Web Applications
HARM Score: Approaches to Quantitative Risk Analysis for Web ApplicationsCenzic
 
AJAX: How to Divert Threats
AJAX:  How to Divert ThreatsAJAX:  How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 

Mais de Cenzic (7)

How to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security TestingHow to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security Testing
 
Ians cenzic webinar
Ians cenzic webinarIans cenzic webinar
Ians cenzic webinar
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
 
HARM Score: Approaches to Quantitative Risk Analysis for Web Applications
HARM Score:  Approaches to Quantitative Risk Analysis for Web ApplicationsHARM Score:  Approaches to Quantitative Risk Analysis for Web Applications
HARM Score: Approaches to Quantitative Risk Analysis for Web Applications
 
AJAX: How to Divert Threats
AJAX:  How to Divert ThreatsAJAX:  How to Divert Threats
AJAX: How to Divert Threats
 

Último

UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 

Último (20)

UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 

Continuous Monitoring for Web Application Security