Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries
Transcript of Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries
8/12/2019 Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries
http://slidepdf.com/reader/full/application-vulnerability-trend-analysis-and-correlation-of-coding-patterns 1/10
Application Vulnerability: Trend Analysisand Correlation of Coding Patterns
Across IndustriesUsing our latest assessment, security architects and developers candetermine which industries — as well as areas of source code andapplications — are most vulnerable to attack, and mitigate the impact.
Executive SummaryAttacks on Web applications threaten nearlyevery organization with an online presence.Based on our experience, these unwelcomeassaults cost companies millions of dollars and
can cause serious damage in terms of brandintegrity and customer turnover. Our EnterpriseRisk and Security Solutions (ERSS) assessmentteam recently evaluated the state of Web appli-cation vulnerability using automated vulnerabilityscanners and manual tests to analyze the state ofsecurity across nine industries.
This white paper presents results identiedduring 2012 and 2013. It focuses on the generalapplication functionalities and the correspond-ing parameters that were developed, but failed,to secure code across verticals. The paper also
details suitable recommendations for mitigatingsecurity vulnerabilities that arise within thesescenarios.
Vulnerability AnalysisThe security posture of each vertical analyzedduring our 2013 assessment can be bestunderstood by examining the concentration ofvulnerability across these industries (see Figure 1,
page 2). Vulnerabilities pertain to severity levels— high, medium and low. Applications withinthe insurance vertical comprise the highestpercentage in total vulnerabilities across theverticals. These applications also contain thehighest number of security coding aws or staticapplication vulnerabilities. Banking and FinancialServices (BFS) and Information, Media and Enter-tainment (IME) applications have nearly thesame vulnerability levels, with IME applicationsbeing the most susceptible — showing the highestnumber of dynamic application vulnerabilitiescompared with other verticals.
Vulnerability Trends in 2012 and 2013The security posture of Web-based applications iscontinuously changing, primarily due to the riseof new hacking methods, the spreading awareness
among developers and regulatory compliance, forexample. 1 Figure 2 compares application vulner-ability distribution across various verticals, basedon the ndings of SAST and DAST assessmentsconducted in 2012 and 2013. The number of appli-cations tested is also shown.
In 2012, nearly 76% of the vulnerabilities weidentied were found in healthcare applications,
• Cognizant 20-20 Insights
cognizant 20-20 insights | april 2014
8/12/2019 Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries
http://slidepdf.com/reader/full/application-vulnerability-trend-analysis-and-correlation-of-coding-patterns 2/10
2
14% were discovered in insurance industry appli-cations, and about 3% were identied in BFS
applications. Fewer vulnerabilities were seen inretail, IME and other domains such as travel andhospitality and consumer goods. In 2013, nearly37% of the vulnerabilities were detected ininsurance industry applications, 27% were foundin BFS, 26% in IME and 8% in retail.
The following sections describe our industry-based vulnerability analysis. The study usedautomated vulnerability scanners and manualtests, and employed SAST- and DAST-specicinterpretation of industry trends to zero in on theexact application threats and their causes.
Static Application Security TestingIn static application security testing (SAST), theapplication code is examined for aws that canlead to security threats. SAST uses tool-basedscanning, as well as manual reviews. Tool-basedscanning involves tests generated by pre-denedsecurity rules. Manual review entails validatingthe tool output and identifying additional securityaws using manual expertise.
Automated Tool for Vulnerability Detection
Tools for automated security testing produceresults with false-positives (identied as applica-tion vulnerabilities by the tool, but not actually
cognizant 20-20 insights
0
1000
2000
3000
4000
5000
0 2000 4000 000 000 10000 2000 4000 6000 8000
A
T V u
l n e r a
b i l i t y
o u n
t
SAST Vulnerability Count
BFSInsuranceIMEOthers
Vulnerability Concentration Across Verticals
Figure 1
20,772
12,293
10,204
16,947
618
11,774
1400 3831
55,493
2612519
7370
10,000
20,000
30,000
40,000
50,000
60,000
0
50
100
150
200
BFS Insurance IME Retail OthersHealthcare
V u
l n e r a
b i l i t y C o u n
tA
p p l i c
a t i o n
C o u n
t
2012 Vulnerablility Count
2013 Vulnerablility Count
2012 Application Count
2013 Vulnerablility Count
Vulnerability Concentration Across Verticals
Figure 2
8/12/2019 Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries
http://slidepdf.com/reader/full/application-vulnerability-trend-analysis-and-correlation-of-coding-patterns 3/10
cognizant 20-20 insights 3
vulnerabilities) and false negatives (existing vul-nerabilities that were missed by the tool).
Manual analysis techniques are employed toeliminate false-positives and identify false-neg-atives. Figure 3 above illustrates the summaryof the number of coding aws identied by theautomated security code scanning tools, false-positives identied by manual analysis and theactual vulnerabilities reported to the client’spoint of contact for the applications of different
verticals. The major verticals assessed here wereBFS, Insurance and IME. Other verticals, includingretail, healthcare, T&H and mobility, were groupedinto one category.
For this analysis, we employed a number ofcommercial scanners, open source tools andfreeware. As shown by the data, automatedsecurity scanners have huge false-positive rates.For example, in the insurance and IME verticals,more than 90% of reported issues are false-posi-tives. In general, applications in IME verticals relymore on Web 2.0 components, Flash and Action
scripts, which can increase their complexity.Automated tools are very limited when it comes tounderstanding the business logic and functionalow of the applications, due to the high false-positive counts found in this vertical. This makesthe intervention of manual security expertiseessential — not only for removing false-positives,but also for uncovering vulnerabilities in theapplication that automated tools fail to capture.
Vulnerability Trends in VerticalsStatistical information about the vulnerabili-ties pertaining to SAST with respect to differentverticals and vulnerability categories is depictedin Figure 4 (next page). Security standards suchas OWASP 2, WASC3 and CWE 4/SANS 5 were used toclassify these vulnerabilities.
The various categories of secure coding awsfor different verticals are listed in Figure 5 (nextpage). The most prevalent of these falls under the“Best Practices Violation” category, due to thelack of awareness among developers concerningadherence to secure coding standards. Commonpoor coding practices include null pointer deref-erence, missing checks against null, using weakXML schema, data in hidden elds and failureto remove debug code, comments and othersensitive leftover code. “Information Leakage,Error Handling and Input Validation” aws arealso rampant due to improper handling of applica-tion input and output, which form the major entrypoints for application attacks. Of the total issuesidentied, insurance industry applications werefound to contain the highest number of securitycoding aws. In fact, 91% of coding aws werefound in “Best Practices Violation,” followed by5% in “Input Validation” and 3% in “InformationLeakage and Error Handling” categories.
Dynamic Application Security TestingDynamic application security testing (DAST)or “black-box” testing evaluates applications
15
10791
181176
225
1811 15 7 4
0
20
40
60
80
100
120
140
160
180
200
BFS Insurance IME Others
V u
l n e r a
b i l i t y C
o u n
t
Vulnerabilities
detected by tool.False positives identiedby manual analysis.Vulnerabilities reportedto the client.
Vertical vulnerabilitycounts are represented asmultiples of 100.
Automatic SAST Tool for Vulnerability Detection
Figure 3
8/12/2019 Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries
http://slidepdf.com/reader/full/application-vulnerability-trend-analysis-and-correlation-of-coding-patterns 4/10
cognizant 20-20 insights 4
during their execution at runtime. This is usefulin determining the risks the application facesin a production environment. Our ERSS teamemploys automated scanning tools and manualtesting techniques to dynamically test an appli-cation. The following sections of this white paperelucidate DAST vulnerability detection usingautomated tools and industry-based DAST vulner-ability trends.
Automated Tool Vulnerability Detection
Dynamic testing is performed using industry-standard automated scanners. The performanceof each scanner typically depends on the security
rule sets dened for these tools. Cognizant’s ERSSgroup performs intensive manual testing, whichhelps assure comprehensive coverage. Some ofthe manual tests include detecting business logicbypass issues and session-related problems, suchas session hijacking, session xation and sessionreplay, as well as authentication issues likeinsufcient logout mechanism, improper cachemanagement, and security miscongurationissues such as SSL renegotiation, click jackingand other such vulnerabilities. Figure 6 (nextpage) summarizes the number of applicationvulnerabilities identied by various automateddynamic security testing tools (commercial, open
V u
l n e r a
b i l i t y C o u n
t
0 1 2 3 4 5
Verticals
BFS
Insurance
IME
Others
11225
15410
7262
4019
0
2000
4000
6000
800010000
12000
14000
16000
18000
SAST Vulnerability Distribution
Figure 4
BFS
Insurance
IME
Others
02000400060008000
10000120001400016000
V u
l n e r a
b i l i t y C o u n
t
Vulnerability Category
InputValidation
SourceCodeDesign
InformationLeakageand Error-Handling
DirectObject
Reference
ResourceUsage
APIUsage
BestPracticesViolation
WeakSession
UsingHTTP GET
Query
Others
Vulnerability Count Based on SAST
Figure 5
8/12/2019 Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries
http://slidepdf.com/reader/full/application-vulnerability-trend-analysis-and-correlation-of-coding-patterns 5/10
source and freeware), false-positives identied bymanual analysis, and the actual vulnerabilities ofdifferent verticals reported to the client.
Vertical Vulnerabilities
The number of dynamic application vulnerabilitiesis showcased across verticals (see Figure 7). Mostvulnerabilities were found in the IME vertical,with the highest count being in the “InsecureDirect Object Reference” category, followed by“Injection.” Next in line was the insurance vertical,with the highest count in “Security Miscongura-tion,” followed by “Insufcient Transport LayerProtection.”
As Figure 8 (next page) shows, the most dominantvulnerability was in the “Insecure Direct Object
Reference” category. When a developer exposesa reference to an internal object to the user, thistype of vulnerability occurs. A large number ofvulnerabilities were also found in “Injection” and“Cross-Site Scripting,” denoting that developersstill show their trust in user input by failing toperform sufcient input validation and outputencoding, and using secure defaults. “SecurityMisconguration” and “Insufcient TransportLayer Protection” were also very prevalent. Thiscould result from testing environments that donot mirror the actual production environment,have weak server congurations, or have no orpoor SSL congurations. Robust congurationsare essential for maintaining high security for alive site compared with a test site.
5cognizant 20-20 insights
BFS Insurance IME Others
V u
l n e r a
b i l i t y
C o u n
t
19 30
598
2711 16
554
2211 15 458
0
100
200
300
400
500
600
700
Vulnerabilitiesdetected by tool.
False positives identiedby manual analysis.Vulnerabilities reportedto the client.
Vertical vulnerability counts are represented asmultiples of 100.
Automatic DAST Tool Vulnerability Detection
Figure 6
V u
l n e r a
b i l i t y C o u n
t
27 2245
8
1068
1537
4482
810
0 1 2 3 4 5
0
1000
2000
3000
4000
5000
Verticals
BFS
Insurance
IME
Others
DAST Vulnerability Distribution
Figure 7
8/12/2019 Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries
http://slidepdf.com/reader/full/application-vulnerability-trend-analysis-and-correlation-of-coding-patterns 6/10
cognizant 20-20 insights 6
The overall vulnerability count in the DAST andSAST ndings was highest in IME applications. Thetotal count is comparable to those of insuranceand BFS. In fact, nearly 60% of the applicationstested belong to BFS, but only about 25% ofthe total vulnerabilities reported are present inthose applications. Furthermore, these applica-tions have fewer critical vulnerabilities related toissues such as injection. Hence, it can be inferredfrom the statistics that BFS applications arerelatively more secure. This can be attributed tothe fact that the banking and nance sector dealswith highly sensitive data, for which security isparamount. While condentiality and integrityof nancial data are critical, the third parameterof the security triad — availability — is equallyessential for this growing industry. Securityawareness is progressively increasing within thedeveloper community in BFS because of theserequirements, thereby leading developers toemphasize application security. And becauseBFS applications are also subject to compliancemandates, security requirements are taken care
of during development. This helps to keep theseapplications even more secure.
Security Trends in ApplicationDevelopmentSecurity threats in an application can be drilleddown to the particular functionality that isaffected by the security aw and the parameterthat provides an entry point to the attack vector.
Typical application functionality could beanything from a login/logout function to apayment function. It can further be zeroed downon the query parameters, form parameters,cookies and page parameters that are createdby the developers to accomplish the respectivefunctionality. Figure 9 (next page) shows the dis-tribution of vulnerable parameters and functionsacross verticals.
The most commonly affected parameters are theconguration parameters, which impact the con-guration function and make the application sus-ceptible to security misconguration issues. Thisis due to failure to employ platform-specic securecongurations. Developers should also focus onadd/modify/submit functions, which are largelyvulnerable; submit parameters, for instance, areoften targeted by attackers. As a result, applica-tions become prone to cross-site request forgery,clickjacking and malicious content uploads.
These parameters can be safeguarded duringdevelopment by setting secure attributes andperforming safety checks to ensure that the dataor le that is submitted conforms to the acceptedtype, range and business logic. Other parametersthat require attention include URL/links, proleparameters and IDs such as user IDs, sessionIDs and viewstate parameters. Failure to securethese can result in unsafe redirects and forwards,phishing, session hijacking and user imperson-ation.
BFS
Insurance
IME
Others
V u
l n e r a
b i l i t y C o u n
t
Vulnerability Category
0
500
1000
1500
2000
2500
Injection Cross-SiteScripting
(XSS)
BrokenAuthentication
InsecureDirect ObjectReferences
Cross-SiteRequestForgery
SecurityMisconguration
InsecureCryptographic
Storage
Failureto Restrict
URL Access
InsufficientTransport
Layer
UnvalidatedRedirects
and Forwards
OtherSecurityIssues
Vulnerability Count Based on DAST Category
Figure 8
8/12/2019 Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries
http://slidepdf.com/reader/full/application-vulnerability-trend-analysis-and-correlation-of-coding-patterns 7/10
cognizant 20-20 insights 7
It is the responsibility of the developer to ensurethat URL redirects are examined for authorization.Developers should also ensure that ID parametersare generated based on stringent industry-stan-dard protocols, and that session IDs are correctlyinvalidated — not resused — and regenerated atfrequent intervals. These session tokens andother sensitive data must be protected duringtransit by using proper SSL conguration, andalso in cookies in order to prevent cookie theft.Payment parameters are often targeted too, asthey can be exploited to execute payment fraudsand cybercrimes. Therefore, the duty lies withdevelopers to ascertain that these parametersare handled in a highly secure manner. The focus
areas for the developer community should be toincorporate strong validation for input and outputparameters, follow secure congurations, set safeattributes for the parameters in general, andpreserve the condentiality of the sensitive datacarried by the parameters.
Looking AheadThis white paper has presented statistics onapplication vulnerability trends across severalverticals with respect to dynamic and staticapplication security testing. The following recom-mendations will help developers improve securityacross numerous parameters:
0
200
400
600
800
1000
1200
Viewstate User Name Submit Session ID Search Profile Product Password Link ID Dropdown Date Credit Card &Bank Account
Cookie Configuration Cache Control
OthersIMEInsuranceBFS
0
200
400
600
800
1000
1200
OthersIMEInsuranceBFS
User Roles/PrivilegeEscalation
Search Redirect
Payment
Password
Logout
Login File Upload/Download
Configuration
Add/Modify/Submit
Vulnerable Parameters and Functions
Figure 9
Parameters Type BFS Insurance IME Others
Cache Control 5 0 0 2
Con guration 103 227 787 6
Cookie 34 0 0 10Credit Card &Bank Account 0 8 0 0
Date 2 0 0 7
Dropdown 28 0 0 1
ID 218 22 7 50
Link 204 9 16 33
Password 2 16 6 6
Product 25 0 2 9
Pro le 158 0 0 43
Search 29 8 0 3
Session ID 0 14 0 6
Submit 275 11 31 16
User Name 0 3 0 2
Viewstate 30 1 0 0
Functionality Type BFS Insurance IME Others
Add/Modify/Submit
736 18 27 122
Con guration 147 239 787 18
File Upload/Download
13 1 23 17
Login 0 39 8 9
Logout 0 0 0 3
Password 0 0 0 2
Payment 170 12 2 5
Redirect 0 0 0 4Search 0 8 0 14
User Roles/PrivilegeEscalation
47 2 2 0
8/12/2019 Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries
http://slidepdf.com/reader/full/application-vulnerability-trend-analysis-and-correlation-of-coding-patterns 8/10
cognizant 20-20 insights 8
• Ascertain the validity of input supplied by theuser with respect to the data type, range, sizeand business logic allowed.
• Ensure that session management is robust byusing industry-standard session-managementand handling mechanisms.
• Protect sensitive data such as IDs, session
tokens, user personal data, payment informa-tion and the like in transmission and storage.
• Employ secure congurations for all applica-tion components.
The developer community in general shouldclosely adhere to security standards andimplement secure practices throughout thesoftware development lifecycle to create highlysecure applications.
Analysis MethodologyFigure 10 describes the applications that were
studied using dynamic (DAST) and static appli-cation security testing (SAST) methodologies.It illustrates a statistical representation of thevarious applications for which security testingwas conducted based on their type, the verticalsto which they belong and the technology used.
SAST was performed on 214 applications andDAST on 105 applications. Of the total applica-
tions tested, 79% were Web applications, 5% weremobile applications and 16% were other types ofapplications such as IVR, mainframe, native appli-cations, Web services and CS, for example.
Approximately 60% of Web application assess-ments were carried out in the BFS vertical,followed by 14% in IME and 10% in the insurance
vertical. Mobile application security assess-ments were performed for the insurance, retail,healthcare, travel and hospitality, IME and manu-facturing/logistics verticals.
SAST was carried out on applications that werebuilt using technologies such as Java, Android,.Net, COBOL, Objective C and PHP. Nearly 63%of the applications were developed in Java,Java-based frameworks and Android. .Netprojects made up 13% of the applications andCOBOL comprised 21%.
SAST was performed on the codebase of Web,native and mobile applications and Web services,for example. Cognizant, as well as third party-developed code, was taken into account for thisanalysis. SAST for code developed over severalframeworks — including mobile/Web frameworkssuch as Titanium Appecelerator and e-commerceframeworks such as ATG — were also considered.
Application Count Based on Application Type Application Count Based on Verticals
SAST Application Count Based on Technology SAST/ DAST Application Count
0
30
60
90
Java .Net .COBOL O bjective C PHP
120
150
252
Web Mobile Others
BFS Insurance IME Others
5116
187
55
43
34
SAST Application Count DAST Application Count
214
105135
2946
1 3
Application Distribution by Type, Vertical and Technology
Figure 10
8/12/2019 Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries
http://slidepdf.com/reader/full/application-vulnerability-trend-analysis-and-correlation-of-coding-patterns 9/10
cognizant 20-20 insights 9
Application code within the BFS domain consti-tutes the largest portion of applications undersecurity testing — nearly 72%. The applicationpool comprises 13% of IME applications and
6% insurance, with the remaining being retail,healthcare, travel and hospitality, consumergoods, and manufacturing and logistics applica-tions.
AcknowledgmentsThe author would like to recognize the contribu-tions of the following Cognizant associates to thiswhite paper:
Vimalaasree Anandhan, Security ArchitectMahalakshmi Ravi, Security AnalystKavitha Karunakaran, Security SpecialistSandhana Joldrine Xavier, Security AnalystSaravanan Sankaran, Security SpecialistA, Rajakumari, Security AnalystK, Ratnadeepika, Security Analyst
The author would also like to thank the followingexperts and analysts in application securityassessment:
A AjanthaAnjum AfrinArul SumithraBalasunder RakeshBalu ChitraCeline George
TK ChendhilkumarDurga Surya Kumar SimmaU GopinathS GowripriyaJothi Prakash, Grace CatherineK SubhashiniDeivendran KarthigaMurugan VigneshMuthuramalingam Jose Arokia MaryMuthuveeran SubashNarayanan Droupathy SubhashK Padma PrasoonaJayaprakash PavithraRadhakrishnan AgashnarayaniRamdass KarthikeyanKaruppiah NagamarimuthuKuruvilla MathewM Balaji SwaminathanMantraratnam SwetaMarreddi Venkatesh
Footnotes1 Regulatory Compliance: Regulations a company must follow to meet specic requirements.2 OWASP: Open Web Applications Security Project. A worldwide, not-for-prot charitable organization
focused on improving the security of software.3 SANS: The SANS Institute was established in 1989 as a cooperative research and education organization.4 WASC: The Web Application Security Consortium (WASC) is a 501c3 nonprot comprising an international
group of experts, industry practitioners and organizational representatives who produce open source andwidely agreed upon best-practice security standards for the World Wide Web.
5 CWE: Common Weakness Enumeration provides a unied, measurable set of software weaknesses that isenabling more effective discussion, description, selection and use of software security tools and servicesthat can nd these weaknesses in source code and operational systems, and better understand andmanage software weaknesses related to architecture and design.
GlossaryBFS: Banking and Financial Services
CWE: Common Weakness EnumerationDAST: Dynamic Application Security TestingERSS: Enterprise Risk and Security SolutionsHIPAA: Health Insurance Portability and Account-ability Act
IME: Information, Media and EntertainmentPractice
OWASP: Open Web Application Security ProjectPCI: Payment Card IndustrySANS: SysAdmin, Audit, Networking, and SecuritySAST: Static Application Security TestingT&H: Travel and HospitalityWASC: Web Application Security Consortium
8/12/2019 Application Vulnerability: Trend Analysis and Correlation of Coding Patterns Across Industries
http://slidepdf.com/reader/full/application-vulnerability-trend-analysis-and-correlation-of-coding-patterns 10/10
About CognizantCognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process out-sourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered inTeaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry
and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50delivery centers worldwide and approximately 171,400 employees as of December 31, 2013, Cognizant is a member ofthe NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performingand fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.
About Cognizant Enterprise Risk and Security SolutionsThe Cognizant Enterprise Risk and Security Solutions (ERSS) group specializes in providing end-to-end information-security solutions for various industry verticals, including retail, banking and nancial services, logistics, telecom,healthcare, manufacturing and travel and hospitality – having serviced over 400 customers across various geogra-phies. Our team of experts provides information-security solutions and services based on best-of-breed products ineach category of enterprise security. Our services encompass:
• 600-plus security consultants specializing in Identify and Access Management (IAM), Governance, Risk andCompliance (GRC), Data Security, Application Security Assessment (Secure SDLC) and Integrated ThreatManagement.
• 300+ CISA, CISM, CISSP, CEH and vendor-certied associates.
• 250+ Infrastructure Security trained associates.
• Over 7000 combined years of information-security experience.
• A proven track record and experience in 400-plus client engagements for security services.
• Partnership with leading vendors such as IBM, CA, Oracle, SailPoint, Novell, Dell, RSA, HP, Symantec and McAfee.
World Headquarters500 Frank W. Burr Blvd.Teaneck, NJ 07666 USAPhone: +1 201 801 0233Fax: +1 201 801 0243Toll Free: +1 888 937 3277Email: [email protected]
European Headquarters1 Kingdom StreetPaddington CentralLondon W2 6BDPhone: +44 (0) 20 7297 7600Fax: +44 (0) 20 7121 0102Email: [email protected]
India Operations Headquarters#5/535, Old Mahabalipuram RoadOkkiyam Pettai, ThoraipakkamChennai, 600 096 IndiaPhone: +91 (0) 44 4209 6000Fax: +91 (0) 44 4209 6060Email: [email protected]
© Copyright 2014, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by anymeans, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is
subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.
About the AuthorDr. Sivakumar Kathiresan, M.E., PhD., is a Principal Architect, Technology, within Cognizant’s EnterpriseRisk and Security Solutions group. In this role, he leads the Application Security Assessment team, andhas managed 120-plus security assessment projects across different verticals over the last three years.Sivakumar has 20 years of experience, including in industry, research and academia, and has deliveredmore than 100 knowledge-sharing sessions on various elds of enterprise security at different forums.His current areas of interest are advanced log analysis, vulnerability management, advanced persistentthreats and management, and security analytics. Sivakumar received his PhD from the Indian Institute
of Technology, Roorkee. He continues to research the area of Web security. His certicates include CEH,Sourcere, Qualysguard, Envision, LanDesk and Big Data Associate. He can be reached at [email protected] .
K RegaS NishaSambasivam SuganiyaSelvaraj NithyaS SivapradhaSrinivasan AmithSundaram Kalicharan
Sundaramurthy Subhashini
Thomas, LijoV Satheesh KumarVaradarajan PradeepVedeshwar RaghavendraGK YashwanthHaja Mohideen T Mohaideen Natchiya SharmeelaJain Dinesh
Jemmi Angelin