sumnevaSERT
AGENDA
•   Overview
•   Demonstration
•   Summary




2              Copyright © 2010 Sumneva - All Rights Reserved - http://sumneva.com - info@sumneva.com
Overview



INSECURITIES
•   We live in a time where the security
    of data is the most emphasized
    yet least practiced thing
    •   WikiLeaks
    •   HBGary
    •   Epsilon

•   Unfortunately, adding security to our
    applications is almost always event
    driven or reactive


CUSTOMER DEMAND
•   Despite this, we’re all tasked with quickly
    developing applications for our customers/clients
    •   Often times, we take
        shortcuts and leave
        out things, like security
    •   Not because we want to,
        because we have to




EXCUSES, EXCUSES...
•   We make many, many excuses to ourselves as to
    why we didn’t adequately secure our applications:
    •   Not enough time
    •   No one cares about the
        data/application
    •   It’s “internal only”
    •   Our users are not smart
        enough to do anything
        malicious
    •   False sense of security


RECIPE FOR DISASTER
•   Given:
    •   The stresses of getting our applications released quickly
    •   The lack of time we have to do so

•   Our applications - APEX & otherwise - are likely to
    have potential security vulnerabilities that
    we could easily fix
    •   If we only knew what they were and had the time...




SUMNEVASERT

•   sumnevaSERT: Security Evaluation & Review Tool
•   APEX application designed to evaluate and
    identify potential security issues in other
    APEX applications
    •   Supports APEX 4.0+
    •   Runs on any edition of the
        database
    •   Can be easily customized to
        meet your specific security and/or
        QA requirements


HOW IT WORKS
•   sumnevaSERT uses a simple scoring & red light/green light
    approach to evaluate your application
    based on a number of pre-defined criteria
    •   Each application gets a score based on the results of
        evaluating its attributes
        •   Expressed as a percentage as well as X of Y points

    •   Each attribute evaluated either passes or fails
        •   Pass yields a point; failure yields none




HOW IT WORKS
(Screenshot callout) An authorization scheme was expected, but not found. Thus, this attribute failed.
(Screenshot callout) The developer can click on Fix and see step-by-step instructions.
WHAT IT LOOKS FOR
•    sumnevaSERT ships with a set of attributes that
     inspect APEX applications for the following:
     •   Application Settings
     •   Session Timeout
     •   Security Attributes
     •   Schema Properties
     •   SQL Injection
     •   Cross Site Scripting
     •   Session State Protection
     •   Unrestricted Items
     •   Encrypted Items
     •   Page Access
     •   Form Autocomplete
     •   Authorization Schemes
ONE SIZE DOESN’T FIT ALL
•    If you need additional attributes inspected,
     you can customize sumnevaSERT as much as you like
•    sumnevaSERT supports a number of rule types:
     •   NULL/NOT NULL
     •   List of Valid Values
     •   Less Than/Greater Than
     •   PL/SQL
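The pass/fail scoring described under HOW IT WORKS, combined with the four rule types listed above, as an added toy implementation in Python. This is not Sumneva's code (sumnevaSERT itself is an APEX/PL/SQL application): the application settings, attribute names and fix text are constructed for the example, and the PL/SQL rule type is stood in for by a Python predicate.

```python
from dataclasses import dataclass
from typing import Any

# Constructed sample of one APEX application's settings: the kind of values a
# tool like this reads from the APEX dictionary views. Keys are illustrative.
SAMPLE_APP = {
    "authentication_scheme": "Custom Login",
    "authorization_scheme": None,          # missing: the failing case on slide 10
    "session_state_protection": "Disabled",
    "max_session_idle_seconds": 1800,
    "unrestricted_items": ["P1_SSN", "P2_ACCOUNT_NO"],  # items with no protection
}

@dataclass
class Attribute:
    """One evaluated attribute: a named check of one setting with a rule type."""
    name: str
    rule_type: str      # NOT NULL, NULL, VALID VALUES, LESS THAN, GREATER THAN, PLSQL
    key: str            # which application setting the rule inspects
    param: Any = None   # rule parameter: allowed values, a bound, or a predicate
    fix: str = ""       # step-by-step guidance offered when the attribute fails

def evaluate(attr: Attribute, app: dict) -> bool:
    """Return True when the attribute passes for this application."""
    value = app.get(attr.key)
    if attr.rule_type == "NOT NULL":
        return value is not None
    if attr.rule_type == "NULL":
        return value is None
    if attr.rule_type == "VALID VALUES":
        return value in attr.param
    if attr.rule_type == "LESS THAN":
        return value is not None and value < attr.param
    if attr.rule_type == "GREATER THAN":
        return value is not None and value > attr.param
    if attr.rule_type == "PLSQL":
        # Stand-in for a PL/SQL function returning TRUE/FALSE: a Python predicate.
        return bool(attr.param(app))
    raise ValueError(f"unknown rule type {attr.rule_type!r}")

def score(attributes: list, app: dict) -> dict:
    """Red light/green light scoring: a pass earns one point, a fail earns none."""
    failures = [(a.name, a.fix) for a in attributes if not evaluate(a, app)]
    total = len(attributes)
    points = total - len(failures)
    percent = round(100.0 * points / total, 1) if total else 0.0
    return {"points": points, "total": total, "percent": percent, "failures": failures}

# A constructed "General Security" attribute set; the fix text is illustrative.
GENERAL_SECURITY = [
    Attribute("Application authorization scheme", "NOT NULL", "authorization_scheme",
              fix="Create an authorization scheme and set it as the application default."),
    Attribute("Session State Protection", "VALID VALUES", "session_state_protection",
              ["Enabled"], fix="Enable Session State Protection under Security Attributes."),
    Attribute("Idle session timeout under 1 hour", "LESS THAN", "max_session_idle_seconds",
              3600, fix="Set Maximum Session Idle Time to 3600 seconds or less."),
    Attribute("Approved authentication scheme", "VALID VALUES", "authentication_scheme",
              ["Custom Login", "LDAP"], fix="Switch to one of the approved schemes."),
    Attribute("No unrestricted items", "PLSQL", "unrestricted_items",
              lambda app: not app.get("unrestricted_items"),
              fix="Set each item's Session State Protection to a restricted level."),
]

def report(attributes: list, app: dict) -> list:
    """Lines a developer would see: a colour per attribute, then the X of Y score."""
    lines = [f"{'GREEN' if evaluate(a, app) else 'RED  '} {a.name}" for a in attributes]
    result = score(attributes, app)
    lines.append(f"{result['points']} of {result['total']} points ({result['percent']}%)")
    return lines

if __name__ == "__main__":
    for line in report(GENERAL_SECURITY, SAMPLE_APP):
        print(line)
```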




MULTI-PURPOSE
•    Thus, you can create your own attribute set(s) for
     specific purposes, for example:
     •   General Security Attributes
         •   General set of attributes that must be met
             and a minimal score must be achieved

     •   Application with Sensitive Data
         •   Look for specific columns in reports and
             flag for follow-up

     •   Minimal Configuration Signature
         •   Applications must use a specific
             authentication scheme, etc.


sumnevaSERT
DEMONSTRATION
Summary



THE REALITY
•    sumnevaSERT will identify most of the security weaknesses that
     hackers and malicious users alike look for in APEX applications
     and provide step-by-step solutions to fix them
     •   But it will not secure everything
         •   There’s no such thing as a silver bullet of any sort...

•    You still need a strong overall security policy
     •   Strong Passwords
     •   Physical access control
     •   Code Audits
     •   Best Practices



AVAILABILITY
•    Initial release in Beta now
     •   Still accepting beta customers - contact us for details

•    Targeted release of June 2011
     •   Will support APEX 4.0+




LICENSING
•    Per instance of APEX
     •   Can run on as many applications as you like in as many
         workspaces as you like in a single instance of APEX

•    Contact us for details & pricing
     •   sales@sumneva.com
     •   +1 (703) 879-4615
     •   http://www.sumneva.com/sert




http://sumneva.com
