For IT Support Staff
For IT Support Staff
Tools
- Vulnerability Scanning Tool - Automated vulnerability scanning software for identifying devices on your network that are open to known vulnerabilities
- CIS Benchmarks and Scoring Tools - Security configuration benchmarks that detail how to secure an array of workstations, servers, network devices and software applications in terms of technology-specific controls; scoring tools that analyze and report system compliance with the technical control settings in the benchmarks
- Web Application Security Assessment Tool - Automated security and compliance assessment software for checking web applications for common vulnerabilities. It can be used in test, development and production instances to find all linked pages and to check sites for such vulnerabilities as SQL injection, cross-site scripting and buffer overflows.
- DHCP Information
- Check Current List of Blocked Hosts
- Net Manager Database - Owner Information and IP Ranges
Training Materials
Firewalls at UA (Requires UA NetID and Apple QuickTime Player)
|
Part 1 (Modules 1-4): Basic network and firewall terminology and concepts; UA network architecture. Recommended for anyone wanting to gain or refresh a basic understanding of networking and firewalls. |
||||
|
|
|
|||
|
Part 2 (Module 5): How to create rule sets and request a new firewall implementation, with interactive examples. Recommended for all who complete the first session and others with a basic understanding of networking and firewalls. |
|
|||
|
|
|
|
|
UA Presentations
- The Man With the Active Directory: Using AD for Improved Security (Video presentation) (PowerPoint presentation)
- Octopolicy: Security Through Group Policy (Video presentation) (PowerPoint presentation)
- Logs Never Die: Log Management/Reporting and Incident Handling (Video presentation) (PowerPoint presentation)
- Web-Raker: Web Application Security (Video presentation) (PowerPoint presentation)
- Live and Let Comply: Tools for Complying With UA Standards (Video presentation) (PowerPoint presentation)
- Goldentools: Centralized Tools on a Decentralized Campus (Video presentation) (PowerPoint presentation)
Other Helpful Resources & Information
- Developments of the Honeyd Virtual Honeypot
- Ethereal: A Network Protocol Analyzer
- F. I. R. E.
- Forensic Acquisition Utilities
- Nessus Vulnerability Scanner
- Packet Storm
- SANS Information and Computer Security Resources
- Security Focus
- Security Tools Distribution
- Stumbler Dot Net
- The Helix Live CD Page
- Top 75 Security Tools by Insecure.org
For Application Developers
Tools
- Web Application Security Assessment Tool - Automated security and compliance assessment software for checking web applications for common vulnerabilities. It can be used in test, development and production instances to find all linked pages and to check sites for such vulnerabilities as SQL injection, cross-site scripting and buffer overflows.
-
Vulnerability Scanning Tool - Automated vulnerability scanning software for identifying known vulnerabilities on your web server
Training Materials
The biggest threat to UA's network security comes from its public websites and the web-based applications found there. A public website is generally accessible to anyone who wants to view it, making application security an issue. Vulnerabilities in web applications have inevitably attracted the attention of recreational and criminal attackers, who have devised techniques to exploit the vulnerabilities. Attacks on the web application layer now exceed attacks on the network.
Developers can mitigate these risks by becoming educated on the threats to application security and designing applications with security in mind. The following free resources provide both general and platform-specific information.
- AzIT Security Training - Language-agnostic security training developed by senior IBM software engineers
- Microsoft Security Guidance Training for Developers - This clinic presents topics related to the essentials of application security (the importance of application security, security development practices, security technologies and secure development guidelines), threat defense (the need for secure code; defending against memory issues, arithmetic errors, cross-site scripting, SQL injection, canonicalization issues, cryptography weaknesses, Unicode issues, and denial of services attacks) and best practices for writing secure code (secure development process, threat modeling, risk mitigation and security best practices). The emphasis is on generally applicable material, but includes some demonstrations for Microsoft Visual Basic, Microsoft Visual C++, C#. Requires online registration.
- Dept. of Home Security Approved Secure Software Course - This course covers secure programming practices necessary to secure applications against attacks and exploits. Topics covered include fundamental concepts of secure software development, defensive programming techniques, secure design and testing, and secure development methodologies. Requires online registration.
UA Presentations
- Web Application Security - Presentation by Ed Murphy, UITS, for AzFUSE (PDF)
- Web-Raker: Web Application Security (Video presentation) (PowerPoint presentation)
CWE/SANS
- Top 25 Most Dangerous Programming Errors - CWE - Broader than OWASP Top Ten, covering more general concepts
- Web Application Security Assessments - SANS
- Web Application Auditing Over Lunch - SANS
- SANS Top 20 Internet Security Attack Targets - SANS
- Application/Database Security - SANS
OWASP
- Open Web Application Security Project
- OWASP Top Ten - Critical web application security flaws
- Guide to Building Secure Web Applications
- Web Application Testing (pdf)
- Web Application Penetration Test Checklist (pdf)
- Application Security Testing Procedures and Checklists
- OWASP Video Collection
MSDN Library
- Resource for developers using Microsoft tools, products, and technologies - Information found here will help developers and administrators design and deploy secure .NET Framework applications.
- Improving Web Application Security: Threats and Countermeasures - Guide for designing, building, and configuring secure ASP.NET Web applications
Other Resources
- Web Application Best Practices – UA Confluence
- Secure Coding - CERT
- Application Security Configuration Guides – National Security Agency
- List of common security concerns for web applications, with a focus on PHP solutions
