Your Application Security Initiative – Beyond Finding Vulnerabilities
Jeff Williams, CEO, Aspect Security; Chair, OWASP
[email protected]
4th Annual NTC ISSA InfoSec Nashville Conference, August 24, 2005
The OWASP Foundation
http://www.owasp.org
Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
Slide 2
Remember the Corvair?
Slide 3
The Automobile Market
25 Years Ago: most cars were built without safety features. No seatbelts, airbags, crumple zones, side impact protection, etc.
Many different forces affected the market: Pinto, Nader, Oil Crisis, Regulation, lots more.
Automakers include more safety features. Becomes a critical buying factor. Competitors must improve to compete.
Today: can’t sell a car without safety.
Slide 4
Economics
“The Market for Lemons” by George Akerlof in 1970 (Nobel Prize for Economics in 2001)
Buyers can’t tell cherries from lemons (asymmetric information)
Market price decreases to compensate for the risk
Cherry owners are less inclined to sell
Therefore, even a competitive market is filled with lemons
Slide 5
The Software Market
Worse than the automobile market
Asymmetric information is carefully protected
Extremely difficult to analyze software (even with source)
Restrictive license agreements
Legal and regulatory restrictions on security analysts
Virtually guarantees insecure software
If you can’t tell the difference, why pay more?
No way to establish the benefit of secure software
Until recently, making secure software didn’t make sense
Slide 6
The Market is Changing!
Microsoft: Trustworthy Computing Initiative
Oracle: “Unbreakable. Can’t break it, can’t break in.”
VISA: CISP and PCI Standards include OWASP Top Ten
General Electric: application security built into contract language; mandatory code reviews
Constellation Energy: “Convergence” – physical, infrastructure, and application layers
Slide 7
Disclosure Laws Work
Recent Events
Over 50 million SSNs (1 in 6 Americans), credit card numbers, account numbers, and driver’s license numbers stolen in the last 6 months.
ChoicePoint legal and notification costs: $11.4m for 145,000 individuals
2005 FBI Survey shows 588% increase in costs associated with unauthorized access and an 80% increase in Web site incidents
Government Action
Federal government and over half the states have “breach, notify, and freeze” legislation pending.
FTC leading lawsuits against companies that fail to protect consumer data in their applications
NIST and DISA standards now include stringent application security requirements
[Chart: 2005 Privacy Incidents, Feb through Jul; y-axis from 0 to 60,000,000]
Slide 8
The Future
Software Facts
Ingredients: Sun Java 1.5 runtime, Sun J2EE 1.2.2, Jakarta log4j 1.5, Jakarta Commons 2.1, Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOMv1
Expected Number of Users 15
Typical Roles per Instance 4
Modules 155
Modules from Libraries 120
                              % Vulnerability*
Cross Site Scripting 22       65%
  Reflected 12
  Stored 10
SQL Injection 2
Buffer Overflow 5
Total Security Mechanisms 3
  Encryption 3
  Authentication 15
  Access Control 3
  Input Validation 233
  Logging 33
95%
Modularity .035
Cyclomatic Complexity 323
* % Vulnerability values are based on typical use scenarios for this product. Your Vulnerability Values may be higher or lower depending on your software security needs:
                        Usage: Intranet     Internet
Cross Site Scripting    Less Than 10        5
  Reflected             Less Than 10        5
  Stored                Less Than 10        5
SQL Injection           Less Than 20        2
Buffer Overflow         Less Than 20        2
Security Mechanisms     10                  14
Encryption              3                   15
Slide 9
Software Security Is A Different World
Network Security            Software Security
Part of IT                  Part of Business Units
Networking Experts          Software Experts
Product Focused             Custom Code Focused
1000’s of Copies            1 Copy of Software
Signature Based             No Signatures
Patch Management            Prevent Vulnerabilities
Don’t let anyone rely on network security techniques to gain software security.
Slide 10
Root Causes of Application Insecurity
People and Organization Examples: lack of training; responsibilities not clear; no budget allocated
Process Examples: underestimated risks; missed requirements; inadequate testing and reviews; lack of metrics; no detection of attacks
Technology Examples: lack of appropriate tools; lack of common infrastructure; configuration errors
[Diagram: Custom Code supporting the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, and E-Commerce, resting on three root causes: Untrained People and Organizational Structure Issues; Missing or Inadequate Processes; Missing or Inadequate Tools, Libraries, or Infrastructure]
Slide 11
Targeting the Root Causes
Process Goals
Risk Understood: security activities driven by application security risk
Security Considered: integrated into all the activities in the SDLC
Security Open: information about security is available and verifiable
Flaws Identified: as quickly as possible after they are introduced
Technology Goals
Security Tracked: within projects and across the entire organization
Best Tools: for developing and testing the security of applications
Standard Technology: common approach to the typical security areas
Attacks Monitored: attacks on applications are identified and handled appropriately
People Goals
Shared Understanding: everyone in the organization shares an understanding of app security risk levels
Responsibility Assigned: security assigned for each project and the organization as a whole
Support Available: for developers who need help with application security
Developers Trained: in application security and the organization’s approach
Slide 12
Getting Started
Check out some applications: find out whether you’re vulnerable or not; build a case for management
Evaluate your capability: assess your organization and processes; how will security best fit into your culture?
Slide 13
Key Enhancements
Establish requirements and testing processes: tailor standard requirements for each project; use OWASP Testing Guide
Start up an application security team: a centralized team is key to building a capability
Developer security training: check out OWASP WebGoat
Slide 14
Advanced Enhancements
Establish a global application risk register: track issues, create insight
Negotiate security in contracts: use OWASP secure software contract annex
Build Application Security “Brand”: easy to understand labels for risk and security levels
Slide 15
Application Security Capacity Scorecard
Maturity levels (scored across Process, Technology, and People):
Level 0: Ad Hoc
Level 1: Demonstrate Need
Level 2: Fundamentals
Level 3: Institutionalize
Level 4: Metrics
Level 5: Continuous Improvement
Scorecard activities shown on the slide: AppSec Rqmts Process; Coding Best Practices; Global Risk Register; Std. AppSec Mechanisms; AppSec Testing Process; Developer Training; Assign Responsibility; Secure Deployment; AppSec Dev. Env.; Security Architecture; Risk Dashboard; Contracting Process; Form AppSec Group; Analyze Critical Apps; Evaluate Capabilities; Certification Program; Rely on Developers/Users; Establish AppSec Brands; AppSec Vuln. Analysis
Slide 16
OWASP Can Help
Open Web Application Security Project
Nonprofit Foundation
All materials available under approved open source licenses
Dozens of projects, over 50 chapters worldwide, thousands of participants, and millions of hits a month
OWASP is dedicated to finding and fighting the causes of insecure software
Slide 17
OWASP Supports Your Initiative
OWASP Top Ten: set priorities, get management buy-in
OWASP Guide: 300 page book for application security
OWASP Secure Software Contract Annex: achieve meeting of the minds on application security
OWASP Testing Guide & OWASP WebScarab: test/analysis methods for application security; web application & web service penetration tool
Slide 18
Some of What You’ll Find at OWASP
Community: Local Chapters, Translations, Conferences, Mailing Lists, Papers and more…
Documentation: Guide, Top Ten, Testing, Legal, AppSec FAQ and more…
Tools: WebGoat, WebScarab, Stinger, DotNet and more…
All free and open source. We encourage your company to support us by becoming a member.
Slide 19
Questions & Answers