Optimizing Internet Application Vulnerability Discovery– A Hybrid Approach Works

Jonathan Davis, Security Consultant, AsTech Consulting
External penetration testing of Internet facing applications provides a valuable but limited perspective. Source code assessment, either manual or automated, delivers a more comprehensive understanding of vulnerabilities. The most efficient discovery methodology will combine the best of both these approaches. We discuss a method for performing hybrid assessments in which the results of some level of source code analysis drives the penetration testing process. This will maximize Return on Security Investment.
Mar 8 2012
49 mins
Optimizing Internet Application Vulnerability Discovery– A Hybrid Approach Works
Join us for this summit:
More from this community:

Cloud Computing

Webinars and videos

  • Live and recorded (3233)
  • Upcoming (109)
  • Date
  • Rating
  • Views
  • Channel
  • Channel profile
Up Down
  • Introducing a New Level of on Demand Application Security Recorded: Mar 27 2014 58 mins
    According to Gartner, by 2015, ninety-nine percent of mission -critical applications in Global 2000 companies will contain open source. The ease of using open source components speeds development and creates competitive advantage but can introduce security risk into your organization. Do you know what open source components are used in your application landscape?

    Sonatype and HP Fortify are the first to deliver a new level of application security that includes static and dynamic testing coupled with open source component analysis. Join this session to learn how your organization can use Fortify on Demand to gain complete visibility into what components you are using and if there are known vulnerabilities or license obligation that bring risk to your organization and your customers.
  • The Application Blind-spot Recorded: Feb 18 2014 28 mins
    In many organizations, Security Operation Center teams have little to no visibility into application security events. This is a significant challenge because security teams can’t protect the organization If they can't identify threats. With the evolution of threats targeting applications as the weakest link in the security ecosystem, security teams need help closing the security gap that results from improper user access as well as an improper usage of applications. For many organizations it takes up to 270 days to recognize that they have been breached and it’s often a 3rd party such as customer that highlights the issue. Can your organization wait for a breach to happen to react? Attend this webcast to hear from HP security experts, as they articulate specific use case examples.
  • The 6 Deadly Mistakes of Mobile Application Development Recorded: Dec 13 2013 39 mins
    Everyone's heading to mobile and attackers are following. To stay ahead of the curve you need to think like the enemy. In this talk Fortify on Demand Principal Security Architect, Daniel Miessler, talks about what makes mobile security different, the OWASP (mobile) top ten and deadly mistakes NOT to make during mobile app development.
  • HP Fortify Secure Agile SDLC Recorded: Nov 22 2013 28 mins
    As the number of web application intrusions rise, the need for application software developers to identify and remediate vulnerabilities is more apparent than ever. This webinar will cover tools, education, and techniques that help security teams partner with development to maintain a secure application posture without slowing the pace of development or hindering the rapid delivery of business value in an agile development framework.
  • 2013 4th Annual Cost of Cyber Crime Study Results: Asia Recorded: Oct 31 2013 60 mins
    2013 Cost of Cyber Crime Study: Australia & Japan

    Join us for the 2013 results presentation of the second annual Cost of Cyber Crime study for Australia and Japan. Conducted by Ponemon Institute and sponsored by HP Enterprise Security, a total of 64 Australian and Japanese organizations participated. According to the findings, cyber attacks increased 12 percent in Australia and 32 percent in Japan. The costs associated with this increase in Australia were $772,903 and ¥265 million in Japan. “Findings from the report also show that each week Australian and Japanese organizations experienced on average 1.4 successful attacks per company”
  • 2013 4th Annual Cost of Cyber Crime Study Results: Europe Recorded: Oct 30 2013 62 mins
    2013 Cost of Cyber Crime Study: UK, Germany & France

    Join us for the 2013 results presentation of the second annual Cost of Cyber Crime study for the United Kingdom and Germany. For the first time, the research was conducted in France. Conducted by Ponemon Institute and sponsored by HP Enterprise Security, a total of 110 UK, German and French organizations participated. According to the findings, cyber attacks increased 16 percent in the UK and 21 percent in Germany. The costs associated with this increase in the UK and Germany were £904,886 and €830,169, respectively. For the first time, it was determined that the average cost of a cyber attack in France was €3.89 million. Findings from the report also show that each week UK and German organizations experienced on average 1.3 successful attacks per company. French organizations experienced an average of 1 cyber attack per company.
  • 2013 4th Annual Cost of Cyber Crime Study Results: Americas Recorded: Oct 29 2013 61 mins
    Join us for the 2013 results presentation of the 4th Annual Cost of Cyber Crime Study, conducted by Ponemon Institute and sponsored by HP Enterprise Security. This study, based on a benchmark sample of U.S. organizations, shows that cyber attacks not only increased 12 percent last year, the costs associated with those attacks increased by an average of 26 percent or $2.6 million per organization. Findings from the report also show that each week, an organization can expect two of the many cyber attacks launched against it to succeed.

    Join us for this important webinar and learn how:
    • All industries and all sizes of organizations fall victim to cyber crime, but to different degrees.
    • Denial of service, malicious insiders and web-based attacks comprise the most costly crimes.
    • Attacks can be mitigated by SIEM, enterprise governance, application security testing and other prevention-focused strategies and technologies.
  • Real-world cross-site request forgery and scripting Recorded: Oct 10 2013 40 mins
    Cross-site request forgery (CSRF) and cross-site scripting (XSS) are two of the most serious web vulnerabilities today, but few know about them in detail. In this session, we'll show you real-world attacks that may be using CSRF and XSS, tell you what they can do to you if you're vulnerable, and explain how to find and validate these threats.
  • Threat Central – Cloud based Threat Intelligence Sharing Recorded: Oct 9 2013 24 mins
    In the new generation of cyber defense, security intelligence becomes a key element. Recent technology advances provide the foundation for a new type of threat intelligence sharing platform to organize, collaborate, and manage risk more effectively. This sharing platform makes your security program more effective with actionable protection.
  • HTML5 Security Threats Recorded: Aug 14 2013 34 mins
    HTML5: A Beautiful Disaster

    HTML5 enables web developers to create rich user experiences with application features like cross-origin communication, local storage, sandboxed iframe, and web sockets. However, the features that make HTML5 powerful can also leave your applications ripe for exploitation. Join us as we scrutinize the top five threats to HTML5. We’ll demonstrate specific features that not only introduce new attack vectors, but also undo critical protection mechanisms in legacy web applications. You’ll hear how attackers can use HTML5 features to bypass clickjacking protections, render anti-CSRF protections useless, and open new avenues for data thieves. You’ll also learn ways to protect your applications. The session will include demonstrations and real-world examples highlighting incorrect usage of HTML5 features, tips for secure HTML5 development, and ways to fortify legacy applications impacted by HTML5-related browser enhancements.
  • 6 Ways to Build an Insecure Mobile Application Recorded: Aug 1 2013 38 mins
    Companies continue to move more and more of their infrastructure to the cloud, and while many focus well on infrastructure security they forget that most compromises occur at the application layer. This talk will walk through the most dangerous and commonly seen application vulnerabilities in the Fortify on Demand testing practice. It will include discussion of the various risks, the mistakes that lead to their introduction, and how to avoid them.
  • How PCI has changed application security Recorded: Jul 24 2013 45 mins
    If your organization deals with credit card information, then you’re familiar with PCI compliance standards. And if you’re like most IT security professionals, you’re still perfecting your methods of achieving PCI compliance and application security in general. If you’re wrestling with decisions such as whether to outsource security testing, to implement a firewall, or to build security into your development processes, then attend this session. Presenters will discuss the ways in which PCI has changed application security (not always for the better), and explain how your organization can best approach this complicated issue. You’ll learn what the roadblocks to PCI compliance are, how your organization can best achieve it, and where your application security should go next.
  • Mobile Malfeasance - Exploring Trends in Dangerous Mobile Code Recorded: Jun 18 2013 61 mins
    Please join us as we explore the OWASP Mobile Top 10 classification system and metrics from a large case study of a real enterprise facing the deployment and assessment of a large number of mobile applications. Developers, Managers, and team leads will leave with resources and guidelines to start mobile security both at the process level and code level, including how to handle external mobile development teams they might contract.
  • Gaining Threat Intelligence and Combating the Four Most Common Attack Vectors Recorded: Jun 12 2013 36 mins
    The HP Security Research team (HPSR) is hard at work monitoring the threat landscape for new campaigns, profiling actors to understand their motivations, identifying the tools they use and determining how credible certain threats might be. It’s part of a long-term strategy for developing a new threat intelligence-sharing model. Why is that important? It will provide real-time info from the larger security community-- enterprises like yours, industry security organizations and security vendors-- that can be used to automate and catch these breaches immediately.

    Learn about HP’s findings, including these culprits: injection flaws, DDoS, various phishing techniques and zero day vulnerabilities. How can you address the inevitable breaches that will occur?
  • Why Your Cloud Provider Security Logo Doesn’t Mean a Thing Recorded: May 16 2013 49 mins
    As more applications have moved to the cloud, the industry has seen a proliferation of application security issues. In 2012, several cloud service providers were breached as a direct result of application security vulnerabilities. Before you choose a cloud service provider, make sure that it answers the series of security questions created by the Cloud Security Alliance (CSA). CSA has created a checklist of industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings – creating more transparency for enterprises. The speakers will walk attendees through this blueprint, helping them to become more adept at identifying service provider security readiness. They'll also discuss some of the most common application vulnerabilities, including unencrypted passwords, SQL Injection, and those that impact poorly architected mobile apps.
  • What is Application Security? Recorded: Apr 9 2013 30 mins
    A primer on application security and why governments and modern enterprises need it. What is application security? Simply put, it is about ensuring that every single line of code is secure and every single software application– whether it is built for the desktop, cloud or mobile device— is safe from cyber attackers and hackers. The thesis is about eliminating exploitable security risk in software at the application code level, making it immune to attack even if intruders get past perimeter defenses and identifying the preventable costs associated with application layer attacks.
  • Mobile Application Integrity: Being Good When No One is Watching (Your Security) Recorded: Feb 14 2013 49 mins
    Mobile devices are a hot trend amongst security topics this year. While most cover the angle of the device management, only few go into testing the applications. Since the mobile application vulnerability landscape is still young, there is a need to classify these vulnerabilities so that development teams can focus and root them out of their codebases. Join us as we explore the OWASP Mobile Top 10 classification system and metrics from a large case study of a real enterprise facing the deployment and assessment of a large number of mobile applications. Developers, Managers, and team leads will leave with resources and guidelines to start mobile security both at the process level and code level, including how to handle external mobile development teams they might contract. Get ahead of upcoming PCI compliance by addressing your mobile software early!
  • Mobile Apps under Attack – How to Secure and Protect Your Apps Recorded: Dec 12 2012 48 mins
    Join us to explore the mobile application threat landscape and identify ways to prepare for reverse engineering and tampering attacks.

    The mobile App Economy is growing explosively as businesses are seeking to embrace innovation to provide new products and services to consumers, partners, and employees. However, malicious hackers and criminal organizations are now targeting these applications with a growing number of sophisticated attacks. Security of mobile apps, rather than devices, has become the new focal point as well as a top level concern for all stakeholders.

    In this webinar, mobile security experts, James Lynn, Practice Principal of HP Fortify and Vince Arneja, VP of Product Management of Arxan Technologies will explore the mobile application threat landscape to identify a wide range of threats from vulnerability based attacks to reverse engineering and tampering attacks. The presenters will also address how to achieve comprehensive mobile application security within the SDLC to manage risk and exposure for B2C, B2E and B2B applications and protect today’s App Economy from theft, fraud, malware invasion, and tampering. You will gain insights how to develop and launch vulnerability-free, self-defending, and tamper-proofed applications that can withstand the new attacks.

    HP Fortify is the leader in Software Security Assurance with solutions that contain, remove, and prevent software vulnerabilities. Arxan Technologies is the leader in protecting the App Economy with application protection solutions that are deployed on over one hundred million devices by Fortune 500 and global financial services.
  • Don’t be a Wiki Leak! Preventing Insider Threat Breaches Recorded: Oct 3 2012 39 mins
    In the wake of Wikileaks breaches in recent years, resulting from insider threat breaches, organizations began looking not only at perimeter defense but also at solutions that serve as a “Single Pane of Glass” in order to monitor and thwart insider threat and data loss activities. Specifically, organizations want to incorporate disparate applications, processes and mobile devices into the Single Pane of Glass view. In this webinar, you will learn how HP Enterprise Security solved these types of customer challenges to ensure that their “Wiki doesn’t leak.”

    Speaker: Ray Patterson, Vice President of Global Services, HP Enterprise Security Products

    About Ray Patterson
    Ray is a veteran information security executive, having held leadership roles at VeriSign, Oracle, ArcSight, and currently at HP Enterprise Security Products (ESP). In his present role, Ray leads the Global Government Services business where his organization solves critical cyber security challenges for customers through the ESP portfolio of security solutions such as ArcSight, Fortify and Tipping Point. He also frequently presents and speaks on emerging cyber security issues impacting business and government. Ray is a retired Lieutenant Colonel, U.S Army, and is a graduate of George Washington University (MBA), George Mason University (BS), Virginia Tech (BA), and is a Certified Public Accountant.
  • Social Networking: Risky for the Enterprise? Recorded: Sep 6 2012 49 mins
    Social networking for most of us is becoming wrapped into our DNA. This is especially important for the next generation workforce. Additionally, the employees today and those of tomorrow will expect the capability to blog and social network with corporate assets and corporate bandwidth. Additionally, these technologies are being widely used for corporate marketing and communication. That is why it's important to look at all aspects of securing your infrastructure and more importantly, the people that drive your organization today. This involves educating people, corporate process and the right security technologies. The following session will cover the benefits and the security risks inherit with social networking across all business verticals. Additionally, the author will provide a use case analysis of information that is gathered via web beacons that harvest information unknowing to the user.
Proactively Securing Software for the Enterprise.
Listen to experts from HP, partners and customers discuss pressuring issues across application security.
Try a powerful marketing platform for your videos and webinars. Learn more  >

Embed in website or blog

Successfully added emails: 0
Remove all
  • Title: Optimizing Internet Application Vulnerability Discovery– A Hybrid Approach Works
  • Live at: Mar 8 2012 7:00 pm
  • Presented by: Jonathan Davis, Security Consultant, AsTech Consulting
  • From:
Your email has been sent.
or close
You must be logged in to email this