
Advancements in Vulnerability Management

Date: Thursday, Jan 24th, 2013, 2:00 – 5:00 pm
Venue: Protiviti – 1290 Avenue of the Americas, 5th Floor, New York, NY 10104
Details:

Most organizations today are constantly exposed to threats they have never anticipated before. Today’s attacker community is constantly maturing and refining its approach and capabilities. Over the past decade, traditional single-style attacks such as cross-site scripting, SQL injection and service abuse were the most ubiquitous vulnerabilities contributing to security incidents. However, they have evolved to become more targeted and multifaceted.

Additionally, the attack surface is constantly changing. Advancements in web technology, virtualization, mobility and cloud all introduce new dynamics into a comprehensive vulnerability management program.

This program will focus on those new dynamics.


January 2012 – ISSA PROGRAM – Sponsored by Core Security

Core Security is the leading provider of predictive security intelligence solutions for enterprises and government organizations. We help more than 1,400 customers worldwide preempt critical security threats throughout their IT environments, and communicate the risk the threats pose to the business. Our patented, proven, award-winning enterprise solutions are backed by more than 15 years of applied expertise from CoreLabs, the company’s innovative security research center. For more information, visit www.coresecurity.com.

Date: Thursday, January 24th, 2012
Event Start Time – End Time: 2:00 – 5:00 pm
Overall Event Title: January: Advancements in Vulnerability Management
Event abstract: as given above.


Venue: Protiviti – 1290 Avenue of the Americas, 5th Floor, New York, NY 10104

Dress Code: Business casual
Event kickoff / opening remarks: 2:00 – 2:10
Speaker: NY ISSA Board Member
Session description: Welcome attendees

Session Title: Advancing Vulnerability Management with Intelligence
Start Time – End Time: 2:10 – 2:55
Session Description: Traditional network, web and end-user assessment initiatives create overwhelming amounts of data – data that is difficult to process effectively or with any consistency. This data does not equal intelligence. Nor do pages and pages of CVEs – even those matched against known exploits. Intelligence is realized only when context is applied to information, giving it meaning and operational significance. Core Security will review how its customers are advancing and scaling vulnerability management with an integrated solution that consolidates, analyzes and prioritizes operational risk in business terms, not network bits and bytes.
Speakers: Tim Byrne, Sr. Mgr. – Technical Pre-Sales and Services for Core Security
Bio(s): Tim Byrne is the Sr. Manager of Technical Pre-Sales and Services for Core Security, whose team provides pre-sales and training for all of Core Security’s enterprise products, which include Core IMPACT and Core INSIGHT. Mr. Byrne has been with Core Security for over 6 years and has over 20 years’ experience in networks, computer security products and secure collaboration platforms. He was a Solution Architect for Hewlett Packard and Groove Networks and a Sales Engineer for Primus Telecommunications.

Session Title: Hacking The Big Four Databases: Exploiting Top Vulnerabilities & Mis-Configurations
Start Time – End Time: 2:55 – 3:30
Session Description:

According to the Identity Theft Resource Center, in the past year and a half, there have been close to 900 breaches and over 28,000,000 records compromised. With groups like Anonymous and LulzSec continuously hacking into major corporations and government agencies, do you wonder if you’re next?


No organization, industry, or government agency is immune to the proliferation of complex attacks and malicious behavior. Ensuring database security is a priority for organizations interested in protecting sensitive data and passing audits.


Over the course of this presentation, some of the sophisticated methods used to break into enterprise databases will be described, and the evolution of the security issues and features of each database will be discussed. A demonstration of popular attacks will also be presented.


The presentation will conclude by proposing essential steps IT managers can take to securely configure and maintain databases and defend against malicious breaches. Attendees will leave with a basic understanding of the most effective methods for protecting their data, an enterprise’s most prized asset, from attackers today and in the future.


Attendees will:


  • Understand the common vulnerabilities and misconfigurations used to attack databases
  • Learn how organizations, through an integrated defense strategy, can effectively manage their database risks across large, heterogeneous database environments with automated controls
  • Come away with methodologies and best practices on how to implement actionable plans to protect enterprise database assets

Speakers: Frank Grottola – Vice President of Sales, North America at Application Security, Inc.

Bio(s): As the Vice President of Sales with Application Security, Inc. (AppSecInc), Frank is responsible for the overall direction of the Commercial organization’s sales strategy for North America, which includes planning for the product portfolio – AppDetectivePro for auditors and IT advisors, and its flagship solution, DbProtect, for the enterprise.


Frank has 26 years of experience, which started with electronics engineering and then led to designing, implementing and supporting information technology solutions for Fortune 500 businesses. In the last 12 years, he has focused on networking, data center / cloud service providers, information security and compliance solutions, as well as leading technical and sales teams.


Networking Break: 3:30 – 3:50 pm

Session Title: Advanced XSS Defenses
Start Time – End Time: 3:50 – 4:30 PM
Session Description:

This talk will discuss the past methods used for cross-site scripting (XSS) defense that were only partially effective. Learning from these lessons, we will also discuss present-day defensive methodologies that are effective but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google Caja project and JSReg.

Speakers: Jerry Hoff – VP of the Static Code Analysis Division at WhiteHat Security
Bio(s): Jerry is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of Fortune ten financial firms, along with years of hands-on security consulting, where he specialized in manual code review, web application penetration testing, and architecture reviews. Jerry also has years of development and teaching experience. He taught for over seven years at Washington University’s CAIT program, and the microcomputer program at the University of Missouri in St. Louis.


Jerry is the writer/producer of the popular OWASP AppSec Tutorial Series and the lead developer for the WebGoat.NET project.

Session Title: Beyond Automated Tools: Finding Zero-Day / Custom Vulnerabilities in Open Source Web Apps
Start Time – End Time: 4:30 – 5:00 PM
Session Description: This presentation will show how to combine blackbox and whitebox testing to discover zero-day vulnerabilities. While most current webapp testing focuses on purely blackbox testing methodologies, we will examine the art of integrating manual static code reviews that go beyond the standard source code analysis tools. As a hands-on example we will examine the presenter’s recent zero-day discoveries in the open source webapp OpenDocMan. For completeness, the presentation will cover the various avenues that are tested within an assessment and show how they may or may not lead to vulnerabilities that are exploitable. Some of the methodologies presented may be generalized from web applications to non-web apps.
Speakers: Kenneth F. Belva
Bio(s): Kenneth F. Belva is the Publisher and Editor-in-Chief of bloginfosec.com. He currently manages an Information Technology Risk Management Program for a bank whose assets are billions of dollars. He reports directly to the Senior Vice President and Deputy General Manager (CFO).

ITsecurity.com recognized him as one of the top information security influencers in 2007.

In 2009, he was published in the Information Security Management Handbook, Sixth Edition, edited by Hal Tipton and Micki Krause. He also co-authored one of the central chapters in Enterprise Information Security and Privacy, edited by Warren Axelrod, Jennifer L. Bayuk and Daniel Schutzer.

In addition to his daily corporate responsibilities, he is currently on the board of the New York Metro Chapter of the Information Systems Security Association (ISSA).

He recently co-authored a paper entitled “Creating Business Through Virtual Trust: How to Gain and Sustain a Competitive Advantage Using Information Security” with Sam Dekay of The Bank of New York. of security breaches on stock prices.

Mr. Belva frequently presents at information security conferences around the US as well as globally. He writes on day-to-day information security experiences in a non-essay format at SecurityMaverick.com when time permits and can be followed on Twitter at @infosecmaverick.

Who should attend this session:

ISSA Members, ISACA Members and FS/ISAC Members (and members of other ISACs)

This program has been created for information security practitioners, but may also be of interest to the following:

Mobile Application Developers – Seeking to understand the latest assessment trends and methodologies leveraged to reduce the number of security-related flaws

Security Assessors – Striving not only to identify the next vulnerability and recommendation, but also to understand the context in which it should be presented, so that the vulnerability can be socialized to the appropriate stakeholders and technical and procedural remedies recommended to minimize repeat occurrences and reduce risk.

Security Management & Executives – With a goal of understanding industry practices and trends, and seeking perspective on implementing technical assessment activities in the context of a broader application security program.


Presentations:

  • NYC ISSA presentation FNL 1
  • Hacking the Big 4 – Jan 2013 FG (2)
  • 0d-opendocman