sumnevaSERT
AGENDA
•   Overview
•   Demonstration
•   Summary




Copyright © 2010 Sumneva - All Rights Reserved - http://sumneva.com - info@sumneva.com
Overview



INSECURITIES
•   We live in a time where the security
    of data is the most emphasized
    yet least practiced thing
    •   WikiLeaks
    •   HBGary
    •   Epsilon

•   Unfortunately, adding security to our
    applications is almost always event
    driven or reactive


CUSTOMER DEMAND
•   Despite this, we’re all tasked with quickly
    developing applications for our customers/
    clients
    •   Often times, we take
        shortcuts and leave
        out things, like security
    •   Not because we want to,
        because we have to




EXCUSES, EXCUSES...
•   We make many, many excuses to ourselves as to
    why we didn’t adequately secure our applications:
    •   Not enough time
    •   No one cares about the
        data/application
    •   It’s “internal only”
    •   Our users are not smart
        enough to do anything
        malicious
    •   False sense of security


RECIPE FOR DISASTER
•   Given:
    •   The stresses of getting our applications released quickly
    •   The lack of time we have to do so

•   Our applications - APEX & otherwise - are likely to
    have potential security vulnerabilities that
    we could easily fix
    •   If we only knew what they were and had the time...




SUMNEVASERT

•   sumnevaSERT: Security Evaluation & Review Tool
•   APEX application designed to evaluate and
    identify potential security issues in other
    APEX applications
    •   Supports APEX 4.0+
    •   Runs on any edition of the
        database
    •   Can be easily customized to
        meet your specific security and/or
        QA requirements


HOW IT WORKS
•   sumnevaSERT uses a simple scoring & red light/green light
    approach to evaluate your application based on a number
    of pre-defined criteria
    •   Each application gets a score based on the result of
        evaluating an attribute
        •   Percentage as well as X of Y points

    •   Each attribute evaluated either passes or fails
        •   Pass yields a point; failure yields none




HOW IT WORKS
    [Screenshot callout] An authorization scheme was expected, but not found.
    Thus, this attribute failed.

    [Screenshot callout] The developer can click on Fix and see step-by-step
    instructions.




WHAT IT LOOKS FOR
•    sumnevaSERT ships with a set of attributes that
     inspect APEX applications for the following:

     •   Application Settings
     •   Session Timeout
     •   Security Attributes
     •   Schema Properties
     •   SQL Injection
     •   Cross Site Scripting
     •   Session State Protection
     •   Unrestricted Items
     •   Encrypted Items
     •   Page Access
     •   Form Autocomplete
     •   Authorization Schemes



ONE SIZE DOESN’T FIT ALL
•    If you need additional attributes inspected,
     you can customize sumnevaSERT as much as you like
•    sumnevaSERT supports a number of rule types:
     •   NULL/NOT NULL
     •   List of Valid Values
     •   Less Than/Greater Than
     •   PL/SQL
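The scoring model from the "How it works" slide and the four rule types listed above, as an added example that is not sumnevaSERT's own code. Each rule passes or fails, a pass is worth one point, and the application gets an X-of-Y score and a percentage; a minimum-score threshold covers the "minimal score must be achieved" case from the next slide. The application metadata is a constructed dict, and its keys (authorization_scheme, max_session_idle_seconds, items, ...) and the scheme name MUST_BE_ADMIN are assumptions standing in for what a real evaluator would read from the APEX dictionary views; the "PL/SQL" rule type is modelled as a free-form predicate over the whole application.

```python
"""Pass/fail attribute scoring in the style described on the slides.

Added example, not sumnevaSERT's own code.  The application metadata
below is constructed; its keys are assumptions standing in for what a
real evaluator would read from the APEX dictionary views.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable, Iterable

Check = Callable[[dict], bool]


@dataclass(frozen=True)
class Rule:
    """One attribute to evaluate: a pass yields one point, a failure none."""
    name: str
    check: Check


# Rule-type constructors mirroring the slide: NULL / NOT NULL, list of
# valid values, less than / greater than, and a free-form predicate that
# plays the role of the PL/SQL rule type.
def not_null(attr: str) -> Check:
    return lambda app: app.get(attr) not in (None, "")


def is_null(attr: str) -> Check:
    return lambda app: app.get(attr) in (None, "")


def in_values(attr: str, valid: Iterable[Any]) -> Check:
    allowed = set(valid)
    return lambda app: app.get(attr) in allowed


def less_than(attr: str, limit: float) -> Check:
    return lambda app: app.get(attr) is not None and app[attr] < limit


def greater_than(attr: str, limit: float) -> Check:
    return lambda app: app.get(attr) is not None and app[attr] > limit


def predicate(fn: Callable[[dict], bool]) -> Check:
    """Arbitrary logic over the whole application (the 'PL/SQL' slot)."""
    return fn


def evaluate(app: dict, rules: list[Rule], minimum_percent: float = 100.0) -> dict:
    """Red light/green light per attribute, plus X of Y points and a percentage."""
    lights = {r.name: ("green" if r.check(app) else "red") for r in rules}
    earned = sum(1 for light in lights.values() if light == "green")
    total = len(rules)
    percent = round(100.0 * earned / total, 1) if total else 0.0
    return {"lights": lights, "earned": earned, "total": total,
            "percent": percent, "meets_minimum": percent >= minimum_percent}


# Constructed sample: an app as an auditor might find it, and the same
# app after the findings are fixed (MUST_BE_ADMIN is a made-up scheme name).
SAMPLE_APP = {
    "authorization_scheme": None,          # expected, not found (as on the slide)
    "max_session_idle_seconds": 7200,
    "session_state_protection": "Enabled",
    "authentication_scheme": "LDAP",
    "items": [
        {"name": "P1_USERNAME", "protection": "Unrestricted", "encrypted": False},
        {"name": "P1_SSN", "protection": "Checksum Required - Session Level", "encrypted": True},
    ],
}

HARDENED_APP = {
    **SAMPLE_APP,
    "authorization_scheme": "MUST_BE_ADMIN",
    "max_session_idle_seconds": 1800,
    "items": [dict(i, protection="Checksum Required - Session Level") for i in SAMPLE_APP["items"]],
}

# One attribute set; others (sensitive-data, configuration signature) would be further lists.
GENERAL_SECURITY_RULES = [
    Rule("Authorization scheme defined", not_null("authorization_scheme")),
    Rule("Session idle timeout under 1 hour", less_than("max_session_idle_seconds", 3600)),
    Rule("Session state protection enabled", in_values("session_state_protection", {"Enabled"})),
    Rule("Approved authentication scheme", in_values("authentication_scheme", {"LDAP", "SSO"})),
    Rule("No unrestricted items", predicate(
        lambda app: all(i["protection"] != "Unrestricted" for i in app["items"]))),
    Rule("Sensitive items encrypted", predicate(
        lambda app: all(i["encrypted"] for i in app["items"] if "SSN" in i["name"]))),
]


def report(app: dict, rules: list[Rule]) -> str:
    """Human-readable red/green listing with the X of Y score."""
    r = evaluate(app, rules)
    lines = [f"{light.upper():5}  {name}" for name, light in r["lights"].items()]
    lines.append(f"Score: {r['earned']} of {r['total']} ({r['percent']}%)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_APP, GENERAL_SECURITY_RULES))
    print()
    print(report(HARDENED_APP, GENERAL_SECURITY_RULES))
```

Running the block prints the sample application at 3 of 6 (50.0%) with the authorization scheme, session timeout and unrestricted-item rules red, and the hardened copy at 6 of 6. Adding a further attribute set is just another list of Rule objects passed to evaluate.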




MULTI-PURPOSE
•    Thus, you can create your own attribute set(s) for
     specific purposes, for example:
     •   General Security Attributes
         •   General set of attributes that must be met
             and a minimal score must be achieved

     •   Application with Sensitive Data
         •   Look for specific columns in reports and
             flag for follow-up

     •   Minimal Configuration Signature
         •   Applications must use a specific
             authentication scheme, etc.


sumnevaSERT
     DEMONSTRATION




Summary



THE REALITY
•    sumnevaSERT will identify most security exploits that
     hackers and malicious users alike look for in APEX applications
     and provide step-by-step solutions to fix them
     •   But it will not secure everything
         •   There’s no such thing as a silver bullet of any sort...

•    You still need a strong overall security policy
     •   Strong Passwords
     •   Physical access control
     •   Code Audits
     •   Best Practices



AVAILABILITY
•    Initial release in Beta now
     •   Still accepting beta customers - contact us for details

•    Targeted release of June 2011
     •   Will support APEX 4.0+




LICENSING
•    Per instance of APEX
     •   Can run on as many applications as you like in as many
         workspaces as you like in a single instance of APEX

•    Contact us for details & pricing
     •   sales@sumneva.com
     •   +1 (703) 879-4615
     •   http://www.sumneva.com/sert




http://sumneva.com

