Static Analysis for Web Service Security – Techniques and Tools for a Secure Development @ IEEE HST

Presented at IEEE HST 2015


Static Analysis for Web Service Security – Techniques and Tools for a Secure Development Life Cycle

Adnan Masood, Nova Southeastern University; Jim Java, Nova Southeastern University



State of the IoT Security

In a recent podcast by Scott Hanselman and Erica Stanley, an Internet of Things (IoT) primer, the guest mentioned how security is being treated as an afterthought for most things IoT. This is unfortunately true in many areas of software development; but especially with the unprecedented growth of IoT, this laxity in security standards will quickly become a safety and security dilemma.

To borrow the variety, velocity and volume analogy of Big Data, IoT is also subject to a very large variety of devices, supporting different velocities (performance capacities) and volumes (large numbers of devices, meshes, etc.). Protecting the data on these devices and providing privacy are definitely the key challenges in IoT. It is also bad for business, since lax security measures will decrease adoption, impacting the success of IoT and hindering overall development.

Following are some of the relevant links and papers which provide an overview, analysis and taxonomy of security and privacy challenges in IoT.


References and Further Reading


Norse - IPViking Live - honeypots for visualization

Systems and methods for dynamic protection from electronic attacks - US Patent 8726379 B1

Systems and methods for gathering, classifying, and evaluating real time security intelligence data concerning security threats presented by an IP address, and reporting in real time the degree and character of such security threats.



Penetration Testing techniques in Web Applications - Infographic

Penetration Testing techniques in web applications by Dimitris Mandilaras and Nikolaos Tsalis is a succinct infographic review of different security frameworks / methodologies including OWASP, PTES, ISSAF, NIST, OSSTM and PTF.

A short poster can be downloaded from here.



Selection of 2014 F# / Functional Programming Resources


Excellent list of Cyber Security Resources

Top 100+ Cyber Security Blogs & Infosec Resources - Excellent List by DDOS Protection




Resolution for the group's SID could not be resolved Error

I have recently encountered the following error when enumerating through the UserPrincipal.GetAuthorizationGroups collection.

System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1301) occurred while enumerating the groups.  The group's SID could not be resolved.

The problem was the introduction of a domain controller running Server 2012 while the machine running my application was a Windows 7 VM (this applies to Win2K8 as well).


With a little googling, it appears that this SID error on a Windows 7 VM after the introduction of a 2012 domain controller is a known issue. When a 2012 domain controller is involved, the GetAuthorizationGroups() function fails on groups (SIDs) that are added to a user by default.

Installing KB2830145 fixed my problem.
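As an added illustration (not code from the post above), the following C# snippet shows where error 1301 actually surfaces when using GetAuthorizationGroups(): the method returns a lazy PrincipalSearchResult, so the PrincipalOperationException is thrown while iterating, not when the method is called. The snippet wraps the loop, keeps whatever groups were resolved before the failure, and reports the error code so the condition shows up in logs instead of crashing the caller. The domain name and user name are placeholders; the hotfix mentioned in the post remains the actual fix.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Added example: enumerate a domain user's authorization groups and surface the
// "group's SID could not be resolved" failure (error 1301) instead of letting it
// abort the caller. Domain and user names below are assumptions for illustration.
public static class AuthorizationGroupAudit
{
    // Returns the groups that could be resolved; failureCode is set to the
    // PrincipalOperationException.ErrorCode if enumeration was cut short.
    public static List<string> ListGroups(string domain, string samAccountName, out int? failureCode)
    {
        failureCode = null;
        var resolved = new List<string>();

        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new ArgumentException("User not found: " + samAccountName);

            // GetAuthorizationGroups() is lazy: the exception described in the post is
            // raised during iteration, so the try/catch has to wrap the foreach loop.
            try
            {
                foreach (Principal group in user.GetAuthorizationGroups())
                {
                    // Well-known SIDs may carry no SamAccountName; fall back to the SID string.
                    string label = group.SamAccountName ?? (group.Sid != null ? group.Sid.Value : "<unnamed>");
                    resolved.Add(label);
                }
            }
            catch (PrincipalOperationException ex)
            {
                // ErrorCode 1301 = ERROR_NONE_MAPPED: a SID in the token could not be mapped to a name.
                failureCode = ex.ErrorCode;
                Console.Error.WriteLine(
                    "Group enumeration for {0} stopped with error {1}: {2}",
                    samAccountName, ex.ErrorCode, ex.Message);
            }
        }
        return resolved;
    }

    public static void Main(string[] args)
    {
        int? error;
        // Placeholder domain and account; replace with real values when running.
        var groups = ListGroups("EXAMPLE.LOCAL", "jdoe", out error);
        foreach (var g in groups)
            Console.WriteLine(g);
        if (error == 1301)
            Console.WriteLine("Hit error 1301: check whether KB2830145 is installed on this client.");
    }
}
```

Note that the partial list returned after the exception is exactly that, partial: anything that relies on the group list for an authorization decision should treat a non-null failureCode as "unknown", not as "member of these groups only".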




Poodle & Sandworm

In light of the recently passed National Cyber Security Awareness Month, a shout out to CVE-2014-4114 (addressed by MS14-060), a vulnerability in the OLE package manager that can be exploited to remotely execute arbitrary code on Microsoft Windows versions Vista SP2 to Windows 8.1 and on Server 2008 and 2012. Yeah, 2012 too.

And here's to POODLE.

POODLE: This dog bites – An infographic by the team at Pluralsight


Hacktivity - Software Threat Modeling by Shakeel Tufail

Threat modeling and diversion tactics; a good high level overview on software security.

There are only a handful of threat modeling approaches in the industry, and they are difficult to implement due to their subjective guidelines. Our training session will focus on best practices and a hands-on approach that will give attendees a better understanding of how to conduct threat modeling in their organization. Most threat models focus on attackers; we will look at the threat model using trust zones, identifying assets, indirect threats, and ambiguity analysis. We will also speak about secure design concepts and best practices for securing software architecture.

Learning Objectives: At the end of this workshop, participants will be able to:

  • Understand the basics of threat modeling software applications
  • Understand the meaning of threats, attack vectors, and trust zones
  • Learn about ambiguity analysis
  • Learn about secure design concepts
  • Learn best practices for securing software architecture

Notes from my LA C# User Group Talk

I spoke to the LA C# User Group last night in Pasadena on the topic of Web Application Security with OWASP.

The slide deck of my talk can be downloaded from here. LA C# OWASP Presentation

Links from the talk follow.
