Assessment 4


Submitted By pbraza
Assessment Worksheet
Applying OWASP to a Web Security Assessment
Course Name and Number: Web Security Management COM-545
Student Name: Plinio Alves
Instructor Name: Manh Nguyen
Lab Due Date: ________________________________________________________________

In this lab, you explored the Open Web Application Security Project (OWASP) Web site and reviewed its Web application test methodology. You studied the standards and guides published by this project and summarized your findings. Finally, you drafted a Web Application Test Plan based on the information you gained in your OWASP research.

Lab Assessment Questions & Answers
1. Identify the four recognized business functions and each security practice of
The four business functions are governance, construction, verification and deployment.

2. Identify and describe the four maturity levels for security practices in SAMM.
Phase I: Awareness & Planning
Phase II: Education & Testing
Phase III: Architecture & Infrastructure
Phase IV: Governance & Operational Security

3. What are some activities an organization could perform for the security practice of Threat
Starting with simple threat models and building to more detailed methods of threat analysis and weighting, an organization improves over time. Ultimately, a sophisticated organization would maintain this information in a way that is tightly coupled to the compensating factors and pass-through risks from external entities.

4. What are the two recommended assessment styles for SAMM, and how are they used?
Business functions to ensure that business functionality is working and continuous. Security Practices
