Today, creating a truly secure IT infrastructure requires access to highly specialized knowledge, intelligence, and expertise in order to stay at least one step ahead of the evolving risks. Because Praetorian is an authority on information security, your business can leverage our subject matter expertise to solve these challenging business problems. To that end, we invite you to enjoy the following information security resources.
Information Security Resources
We trust you will benefit from the following information security resources.
Highly specialized knowledge, intelligence, and expertise
Mobile Applications - What's Under the Hood?
OWASP's recent release of the "Top 10 Mobile Risks" has spurred much discussion in enterprises regarding how they may begin to protect against mobile vulnerabilities and prepare for the next wave of threats on the horizon. At this point little has been done to clearly identify the risk of downloading applications from both official and unofficial application marketplaces. Join researchers from Praetorian and Veracode as they look under the hood of a huge selection of Android applications and provide a quantitative examination of the application security posture of today's mobile application space.
Discussion will include:
- The most common mobile security risks
- Unintentional threats in the mobile landscape
- Overly permissive and malicious mobile applications
- Fake / malicious applications from application marketplaces
- Insecure mobile applications / security vulnerabilities
STAAF - OWASP AppSecUSA 2011
There has been no shortage of Android malware analysis reports recently, but thus far that trend has not been accompanied with an equivalent scale of released public Android application tools or frameworks. To address this issue, we are presenting the Scalable Tailored Application Analysis Framework (STAAF), released as a new OWASP project for public use under Apache License 2.0. The goal of this framework is to allow a team of one or more analysts to efficiently analyze a large number of Android applications. In addition to large scale analysis, the framework aims to promote collaborative analysis through shared processing and results.
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
As a consulting company, Praetorian has a unique ability to observe security programs across a wide range of companies. Based on the vulnerability patterns seen across organizations, a top ten list of common critical findings was created. The purpose of this presentation is to examine each of those critical findings and provide recommendations for mitigation. Examples from actual engagements are used to emphasize risk through real world scenarios. Some information from the screenshots provided has been redacted to protect confidentiality.
Threat Modeling - Improve Security, Drive Testing, & Reduce Costs
Over the last few years, significant progress has been made in back-end SDLC security controls. Vendors have developed sophisticated analysis tools focusing on code inspection and application testing, and organizations are incorporating both automated and manual assessment methods into the latter half of their development process. However, adoption of architectural risk analysis has not been as widespread. Although threat modeling is not a new concept and approaches such as Microsoft's STRIDE are well known, companies have not internalized and adopted design-related security controls with the same vigor. The purpose of this presentation is to provide an understanding of what threat modeling is and why it is important, and to champion its benefits.
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
The concept of web services has become ubiquitous over the last few years. Frameworks are now available across many platforms and languages to greatly ease and expedite the development of web services, often with a vast amount of existing code reuse. Software companies are taking advantage of this by integrating this technology into their products, giving increased power and interoperability to their customers. However, the power web services enable also introduces new risks to an environment. As with web applications, development has outpaced the understanding and mitigation of vulnerabilities that arise from this emerging technology. This presentation will first aim to identify the risks associated with web services. We will describe the existing security standards and technologies which target web services (i.e., WS-Security), including their history, pros and cons, and current status. Finally, we will attempt to extrapolate the future of this space to determine what changes must be made going forward.
Social Engineering - Strategy, Tactics, & Case Studies
For many organizations, the human element is often the most overlooked attack vector. Ironically, people are typically one of the easiest vulnerabilities to exploit and an attacker needs little more than a smile or email to completely compromise a company. With targeted attacks on the rise, organizations must understand the risk of social engineering based attacks. The purpose of this presentation is to examine common physical, phone, and Internet based attacks. Real world case studies are included and recommendations are provided that will help mitigate this growing threat.