Certified Secure Software Lifecycle Professional (CSSLP)
Master Degree in Management Information Systems (MSMIS)
Faculty of Commerce and Accountancy, Thammasat University
05-April-2010

Surachai Chatchalermpun
Speaker Profile

, CSSLP, ECSA, LPT
Agenda

• Challenges Today…
• What is CSSLP?
• What is OWASP?
• What is WebGoat?
• WebGoat Lesson!
Challenges Today…
• Over 70% of breaches of security vulnerabilities exist at
  the application level. (Gartner Group, 2005)
• Software is often not developed with security in mind
• Targeted, financially motivated attacks continue to rise
• Attacks are moving up the application stack
• New technology waves keep on coming -- there are still
  numerous emerging threat vectors which require
  increased spending in certain security sub-segments.
  Source: Global Information Security & IT Security Personnel Development in USA –
  trend and hurdles, Prof. Howard A. Schmidt
Source: Issue number 9, Info Security Professional Magazine
W. Hord Tipton, CISSP-ISSEP, CAP, CISA
(ISC)² Executive Director
What is the CSSLP?

• Certified Secure Software Lifecycle Professional (CSSLP)
• Base credential
• Professional certification program
• Takes a holistic approach to security in the software lifecycle
• Tests candidates' competency (knowledge, skills and abilities, KSAs) to
  significantly mitigate the security concerns
• Global leaders in certifying and educating information security
  professionals with the CISSP® and related concentrations, CAP® and SSCP®.
• Established in 1989 – not-for-profit consortium of industry leaders.
• More than 60,000 certified professionals in over 135 countries.
• Board of Directors – top information security professionals worldwide.
• All of our information security credentials are accredited under
  ANSI/ISO/IEC Standard 17024 and were the first technology-related
  credentials to receive this accreditation.
Over 70% of breaches of security vulnerabilities exist
at the application level.*

* Gartner Group, 2005
Purpose
• Provide a credential that speaks to the individual’s
  understanding of and ability to deliver secure
  software through the use of best practices.

• The target professionals for this Certification would be anyone who is
  directly, and in some cases indirectly, involved in the Software Lifecycle.
Software Lifecycle Stakeholder Chart

[Diagram: "Software Lifecycle Stakeholders" at the centre, surrounded by
Top Management, Auditors, Business Unit Heads, Client Side PM, IT Manager,
Industry Group, Delivery Heads, Security Specialists, Business Analysts,
Application Owners, Quality Assurance Managers, Developers/Coders,
Technical Architects, Project Managers/Team Leads. Legend: Influencers,
Primary Target, Secondary Target.]
Market Drivers

• Security is everyone’s responsibility
• Software vulnerabilities have emerged
  as a major concern
• Off shoring of software development
• Software is often not developed with
  security in mind
• Desire to meet growing industry needs
Certified Secure Software Lifecycle Professional

(ISC)² CSSLP CBK 7 Domains:
• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Coding
• Secure Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance, and Disposal
CSSLP Certification Requirements

By Experience Assessment:
• Experience Assessment will be open until March 31, 2009
• Candidate will be required to submit:
  – Experience Assessment Application
  – Signed candidate agreement and adherence to (ISC)² Code of Ethics
  – Detailed resume of experience
  – Four essay responses (between 250-500 words) detailing
    experience in four of the following knowledge areas
    • Applying Security concepts to Software Development
    • Software Design
    • Software Implementation/Coding
    • Software Testing
    • Software Acceptance
    • Software Deployment, Operations, Maintenance, and Disposal
  – Fee of $650
CSSLP Certification Requirements

By Examination:
• The first public exam will be held at the end of June 2009
• Candidate will be required to submit:
  – Completed examination registration form
  – Signed candidate agreement and adherence to the (ISC)² Code of Ethics
  – Proof of 4 years of FTE experience in the Software Development
    Lifecycle (SDLC) Process, or 3 years plus a 1 year waiver of
    experience for a degree in an IT related field
  – Fee of $549 early-bird and $599 standard
• Candidate will be required to
  – Pass the official (ISC)² CSSLP certification examination
  – Complete the endorsement process
• The Associate of (ISC)² Program will apply to those who have
  passed the exam but still need to acquire the necessary
  minimum experience requirements
CSSLP CBK Overlap between other Certifications/Programs

[Diagram placing CSSLP, the (ISC)² Professional Certification Program, in relation to:]
• GSSP-C and GSSP-J (SANS) – Software Coder Certification Programs
• CSSE (ISSECO) – Entry-level Education Program, Certificate of Completion
• Software Assurance Initiative (DHS) – Awareness Effort
• CSDA (IEEE) – Associate Level Status
• CSDP (IEEE) – Professional Certification Program
• Vendor-Specific Credentials
Future of CSSLP

• International Marketing Efforts

• ANSI/ISO/IEC17024 accreditation

• Maintenance activities

• Cert Education Program
Hear what Anthony Lim, from IBM,
has to say about CSSLP
CSSLP Certification
My CSSLP Certification
Why is Web Application Security Important?

• Easiest way to compromise hosts, networks and users.
• Widely deployed.
• No Logs! (POST Request payload)
• Incredibly hard to defend against or detect.
• Most don’t think of locking down web applications.
• Intrusion detection is a joke.
• Firewall? What firewall? I don’t see no firewall…
• SSL Encrypted transport layer does nothing.

Source: White Hat Security
Web Application Hacking

[Diagram: Outer (DMZ Zone) and Inner (Server farm Zone).]
Source: White Hat Security
Your “Code” is Part of Your Security Perimeter

[Diagram: an APPLICATION ATTACK passing through the Network Layer (Outer
Firewall, Inner Firewall) into the Application Layer: Hardened OS, Web Server,
App Server, Custom Developed Application Code, and the back-end systems it
reaches (Legacy Systems, Web Services, Databases, Directories, Human Resource,
Billing).]

Your security “perimeter” has huge holes at the “Application layer”

You can’t use network layer protection (Firewall, SSL, IDS, hardening)
to stop or detect application layer attacks
Source: White Hat Security
The Web Application Security Risk
• Web Applications are vulnerable:
  – Each exposes its own vulnerabilities.
  – They change frequently, requiring constant tuning of application
    security.
  – They are complex and feature rich with the advent of AJAX, Web
    Services and Web 2.0 (and Social Networks).
• Web Applications are threatened:
  – New business models drive “for profit” hacking.
  – Attacks are performed by black hat professionals, enabling complex
    attacks.
• Potential impact may be severe:
  – Web applications are used for sensitive information and
    important transactions.
Source: White Hat Security
Threat is Difficult to Assess
• Web Attacks are stealthy:
  – Victims hide breaches.
  – Incidents are not detected.

• Statistics are Skewed:
  – The number of incidents reported is statistically insignificant.

Source: Breach Security
Source: Web Hacking Incidents Database
Available Sources of Attack Data
• Zone-H (The Hacker Community)
  – http://www.zone-h.org
  – The most comprehensive attack repository, very
    important for public awareness.
  – Reported by hackers and focused on defacements.

• WASC Statistics Project
  – http://www.webappsec.org

• OWASP top 10
  – http://www.owasp.org
Hacking Incidents (Defacement)
Key Principle

3 Pillars of ICT (PPT): People, Process, Technology (Tool)
3 Pillars of Security (CIA): Confidentiality, Integrity, Availability
(paired in the diagram with the threats Disclosure, Alteration and Disruption respectively)
Root Causes of Application Insecurity: PPT

[Diagram: an application (Knowledge Mgmt, Communication, Administration,
Bus. Functions, Transactions, E-Commerce, Accounts, Finance, Custom Code)
surrounded by three root causes: Missing or Inadequate Processes; Missing or
Inadequate Tools, Libraries, or Infrastructure; Untrained People and
Organizational Structure Issues.]

• People and Organization Examples
  – Lack of Application Security training
  – Roles & Responsibilities not clear
  – No budget allocated
• Process Examples
  – Underestimated risks
  – Missed requirements
  – Inadequate testing and reviews
  – Lack of metrics
  – Lack of implementing Best Practices or Standards
  – No detection of attacks
• Technology Examples
  – Lack of appropriate tools
  – Lack of common infrastructure
  – Configuration errors
Source: OWASP
People / Processes / Technology

[Diagram of controls: Training, Awareness, Guidelines, Automated Testing,
Secure Development, Application Firewalls, Secure Code Review, Secure
Configuration, Security Testing.]
SDLC & OWASP Guidelines

Source: OWASP
Source: Microsoft
What is OWASP?
The Open Web Application Security Project (OWASP) is:

A not-for-profit worldwide charitable organization focused on
improving the security of application software.

Our mission is to make application security visible, so that
people and organizations can make informed decisions about true
application security risks.

Everyone is free to participate in OWASP and all of our
materials are available under a free and open software license.

Source: http://www.owasp.org
OWASP Foundation has over 130 Local Chapters
What is WebGoat?

WebGoat is a deliberately insecure J2EE web application maintained by OWASP,
designed to teach web application security lessons.

In each lesson, users must demonstrate their understanding of a security
issue by exploiting a real vulnerability in the WebGoat application.
WebGoat Installation
Windows - (Download, Extract, Double Click Release)

1. To start Tomcat, browse to the WebGoat directory unzipped above and
   double click "webgoat.bat"
2. Start your browser and browse to... (Notice the capital 'W' and 'G')
   http://localhost/WebGoat/attack
3. Log in as: user = guest, password = guest
4. To stop WebGoat, simply close the window you launched it from.
WebGoat Lesson 1
WebGoat Lesson 2
WebGoat Lesson 3
Solution: WebGoat Lesson 3

True OR ? = True
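The hint above is the shape of a tautology injection: input that closes the string literal and appends an always-true OR clause. As an added example (not from the slides or from WebGoat's own J2EE code; Python with sqlite3 and a constructed table), here is the concatenated lookup beside its parameterised fix:

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the lesson's employee
    # data; this is not WebGoat's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Smith", "employee"), ("Jones", "employee"), ("admin", "admin")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Defect: the parameter is concatenated into the statement, so a quote
    # character in it changes the SQL grammar instead of staying data.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Fix: bind the parameter. The driver passes it as a value, so it can
    # never terminate the string literal or add an OR clause.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


NORMAL = "Smith"
# Constructed payload in the "True OR ? = True" shape from the slide.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, NORMAL))     # ['Smith']
    print(lookup_vulnerable(db, TAUTOLOGY))  # every row: the WHERE clause is always true
    print(lookup_safe(db, TAUTOLOGY))        # []: nobody is literally named x' OR '1'='1
```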
WebGoat Lesson 4
Solution: WebGoat Lesson 4
WebGoat Lesson 5
Solution: WebGoat Lesson 5
Use Tamper Data (Firefox plug-in) to edit the variable value:
AccessControlMatrix.help" | net user"
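The value above shows why the help-file parameter is a command injection: the quote closes the argument and the pipe starts a second program. As an added example (not from the slides or from WebGoat; Python, with a constructed HELP_DIR path), it tokenises the vulnerable command line the way a POSIX shell would and shows the allow-list plus argv-list fix:

```python
import re
import shlex

# Constructed directory; the lesson's real path is not shown on the slide.
HELP_DIR = "/opt/app/help"
# Allow-list: a bare file name ending in .help, no separators or metacharacters.
HELP_NAME = re.compile(r"[A-Za-z0-9_]+\.help")


def build_shell_command(help_file):
    # The vulnerable pattern: the request parameter is spliced into a command
    # line that is later handed to a shell, so a quote and a pipe inside it
    # close the argument and start a second command.
    return f'cat "{HELP_DIR}/{help_file}"'


def shell_tokens(command):
    # Tokenise as a POSIX shell would, keeping "|" as its own token.
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def pipeline_stages(command):
    # Split the token stream at "|" into the separate programs that would run.
    stages = [[]]
    for tok in shell_tokens(command):
        if tok == "|":
            stages.append([])
        else:
            stages[-1].append(tok)
    return stages


def is_allowed_help_name(help_file):
    return HELP_NAME.fullmatch(help_file) is not None


def safe_argv(help_file):
    # The fix: validate against the allow-list, then build an argv list for
    # subprocess.run(argv) with shell=False. The name is one argument to cat
    # and can never become a second program, whatever characters it holds.
    if not is_allowed_help_name(help_file):
        raise ValueError(f"rejected help file name: {help_file!r}")
    return ["cat", f"{HELP_DIR}/{help_file}"]


NORMAL = "AccessControlMatrix.help"
INJECTED = 'AccessControlMatrix.help" | net user"'  # the value from the slide

if __name__ == "__main__":
    print(pipeline_stages(build_shell_command(NORMAL)))    # one stage: cat <file>
    print(pipeline_stages(build_shell_command(INJECTED)))  # two stages; second is ['net', 'user']
    print(safe_argv(NORMAL))
    try:
        safe_argv(INJECTED)
    except ValueError as exc:
        print(exc)
```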
Question & Answer
   Thank You
   Surachai Chatchalermpun
    surachai.c@pttict.com

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Último (20)

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

CSSLP & OWASP & WebGoat

  • 1. Certified Secure Software Lifecycle Professional (CSSLP) Master Degree in Management Information Systems (MSMIS) Faculty of Commerce and Accountancy, Thammasat University 05-April-2010 Surachai Chatchalermpun
  • 2. Speaker Profile: Surachai Chatchalermpun, CSSLP, ECSA, LPT
  • 3. Agenda Challenges Today… What is CSSLP? What is OWASP? What is WebGoat? WebGoat Lesson!
  • 4. Challenges Today… • Over 70% of breaches of security vulnerabilities exist at the application level. (Gartner Group, 2005) • Software is often not developed with security in mind • Targeted, financially motivated attacks continue to rise • Attacks are moving up the application stack • New technology waves keep on coming: there are still numerous emerging threat vectors which require increased spending in certain security sub-segments. Source: Global Information Security & IT Security Personnel Development in USA – trend and hurdles, Prof. Howard A. Schmidt
  • 5. Source: Issue number 9 Info Security Professional Magazine
  • 6. W. Hord Tipton, CISSP-ISSEP, CAP, CISA, (ISC)² Executive Director
  • 7. What is the CSSLP? • Certified Secure Software Lifecycle Professional (CSSLP) • Base credential • Professional certification program • Takes a holistic approach to security in the software lifecycle • Tests candidates' competency (knowledge, skills and abilities, KSAs) to significantly mitigate security concerns
  • 8. (ISC)² • Global leaders in certifying and educating information security professionals with the CISSP® and related concentrations, CAP® and SSCP®. • Established in 1989 – not-for-profit consortium of industry leaders. • More than 60,000 certified professionals in over 135 countries. • Board of Directors – top information security professionals worldwide. • All of our information security credentials are accredited under ANSI/ISO/IEC Standard 17024 and were the first technology-related credentials to receive this accreditation.
  • 9. Over 70% of breaches of security vulnerabilities exist at the application level.* * Gartner Group, 2005
  • 10. Purpose • Provide a credential that speaks to the individual’s understanding of and ability to deliver secure software through the use of best practices. • The target professionals for this certification are anyone who is directly, and in some cases indirectly, involved in the software lifecycle.
  • 11. Software Lifecycle Stakeholder Chart (figure): roles around the software lifecycle, split into primary and secondary targets for the credential: Top Management, Auditors, Business Unit Heads, Client-Side PM, IT Manager, Industry Group, Delivery Heads, Security Specialists, Business Stakeholders, Application Owners, Analysts, Developers/Coders, Quality Assurance, Influencers, Managers, Project Managers/Team Leads, Technical Architects
  • 12. Market Drivers • Security is everyone’s responsibility • Software vulnerabilities have emerged as a major concern • Off shoring of software development • Software is often not developed with security in mind • Desire to meet growing industry needs
  • 13. Certified Secure Software Lifecycle Professional (ISC)² CSSLP CBK 7 Domains: • Secure Software Concepts • Secure Software Requirements • Secure Software Design • Secure Software Implementation/Coding • Secure Software Testing • Software Acceptance • Software Deployment, Operations, Maintenance, and Disposal
  • 14. CSSLP Certification Requirements By Experience Assessment: • Experience Assessment will be open until March 31, 2009 • Candidate will be required to submit: – Experience Assessment Application – Signed candidate agreement and adherence to (ISC)² Code of Ethics – Detailed resume of experience – Four essay responses (Between 250-500 words) detailing experience in four of the following knowledge areas • Applying Security concepts to Software Development • Software Design • Software Implementation/Coding • Software Testing • Software Acceptance • Software Deployment, Operations, Maintenance, and Disposal – Fee of $650
  • 15. CSSLP Certification Requirements By Examination: • The first public exam will be held at the end of June 2009 • Candidate will be required to submit: – Completed examination registration form – Signed candidate agreement and adherence to the (ISC)² Code of Ethics – Proof of 4 years of FTE experience in the Software Development Lifecycle (SDLC) process, or 3 years plus a 1-year experience waiver for a degree in an IT-related field – Fee of $549 early-bird and $599 standard • Candidate will be required to – Pass the official (ISC)² CSSLP certification examination – Complete the endorsement process • The Associate of (ISC)² Program will apply to those who have passed the exam but still need to acquire the necessary minimum experience requirements
  • 16. CSSLP CBK Overlap between other Certifications/Programs (figure): GSSP-C and GSSP-J (SANS), software coder certification programs; CSSE (ISSECO), entry-level education program with certificate of completion; Software Assurance Initiative (DHS), awareness effort; CSDA (IEEE), associate-level certification program; CSDP (IEEE), professional-status certification program; vendor-specific credentials; CSSLP ((ISC)²), professional certification program
  • 17. Future of CSSLP • International Marketing Efforts • ANSI/ISO/IEC17024 accreditation • Maintenance activities • Cert Education Program
  • 18. Hear what Anthony Lim, from IBM, has to say about CSSLP
  • 20. Why is Web Application Security Important? • Easiest way to compromise hosts, networks and users. • Widely deployed. • No Logs! (POST Request payload) • Incredibly hard to defend against or detect. • Most don’t think of locking down web applications. • Intrusion detection is a joke. • Firewall? What firewall? I don’t see no firewall… • SSL Encrypted transport layer does nothing. Source: White Hat Security
  • 21. Web Application Hacking (figure: attack path through the Outer DMZ Zone into the Inner Server Farm Zone) Source: White Hat Security
  • 22. Your “Code” is Part of Your Security Perimeter (figure): your security “perimeter” has huge holes at the application layer. Application layer: legacy systems, web services, human resources, directories, databases, billing, custom developed application code. Network layer: app server, web server, hardened OS, inner firewall, outer firewall. You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks. Source: White Hat Security
  • 23. The Web Application Security Risk • Web applications are vulnerable: – Each exposes its own vulnerabilities. – They change frequently, requiring constant tuning of application security. – They are complex and feature rich with the advent of AJAX, Web Services and Web 2.0 (and social networks). • Web applications are threatened: – New business models drive “for profit” hacking. – Attacks are performed by black hat professionals, enabling complex attacks. • Potential impact may be severe: – Web applications are used for sensitive information and important transactions. Source: White Hat Security
  • 24. Threat is Difficult to Assess • Web attacks are stealthy: – Victims hide breaches. – Incidents are not detected. • Statistics are skewed: – The number of incidents reported is statistically insignificant. Source: Breach Security
  • 25. Source: Web Hacking Incidents Database
  • 26. Source: Web Hacking Incidents Database
  • 27. Available Sources of Attack Data • Zone-H (the hacker community) – http://www.zone-h.org – The most comprehensive attack repository, very important for public awareness. – Reported by hackers and focused on defacements. • WASC Statistics Project – http://www.webappsec.org • OWASP Top 10 – http://www.owasp.org
  • 31. Key Principle: 3 Pillars of ICT, PPT (People, Process, Technology/Tool); 3 Pillars of Security, CIA (Confidentiality, Integrity, Availability), each paired with the threat to it: Disclosure, Alteration, Disruption
  • 32. Root Causes of Application Insecurity: PPT • People and Organization examples – Lack of application security training – Roles & responsibilities not clear – No budget allocated • Process examples – Underestimated risks – Missed requirements – Inadequate testing and reviews – Lack of metrics – Lack of implementing best practices or standards – No detection of attacks • Technology examples – Lack of appropriate tools – Lack of common infrastructure – Configuration errors (figure: untrained people and organizational structure issues, missing or inadequate processes, and missing or inadequate tools, libraries or infrastructure surrounding the application stack of custom code and business functions: knowledge management, communication, administration, transactions, e-commerce, accounts, finance) Source: OWASP
  • 33. People / Processes / Technology: Training, Awareness, Guidelines, Secure Development, Secure Code Review, Security Testing, Automated Testing, Application Firewalls, Secure Configuration
  • 34. SDLC & OWASP Guidelines (figure) Source: OWASP
  • 39. What is OWASP? The Open Web Application Security Project (OWASP) is a not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. Source: http://www.owasp.org
  • 40. OWASP Foundation has over 130 Local Chapters
  • 46. What is WebGoat? WebGoat is a deliberately insecure J2EE web application maintained by OWASP, designed to teach web application security lessons, including the OWASP Top 10. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
  • 47. What is WebGoat? (figure)
  • 48. WebGoat Installation, Windows (Download, Extract, Double Click Release) 1. To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat" 2. Start your browser and browse to http://localhost/WebGoat/attack (notice the capital 'W' and 'G') 3. Log in as user = guest, password = guest 4. To stop WebGoat, simply close the window you launched it from.
  • 53. Solution: WebGoat Lesson 3: True OR ? = True (a tautology in the condition makes it true for every row)
  • 57. Solution: WebGoat Lesson 5: Use Tamper Data (Firefox plug-in) to edit the variable value: AccessControlMatrix.help" | net user"
  • 58. Question & Answer Thank You Surachai Chatchalermpun surachai.c@pttict.com
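The tautology behind the Lesson 3 solution above (“True OR ? = True”), as an added example that is not part of the original slides or of WebGoat's own code: the slides do not name the lesson, so this assumes it is a tautology-based SQL injection against a lookup by account name. The table, its rows and column names are constructed for the example. The vulnerable function concatenates the request parameter into the WHERE clause; the safe one binds it as a query parameter, so the same input matches nothing.

```python
import sqlite3

# Constructed sample data standing in for the lesson's lookup table (not from WebGoat).
SAMPLE_ROWS = [
    ("101", "Joe Snow", "987654321"),
    ("102", "Jane Doe", "123456789"),
    ("103", "John Smith", "555555555"),
]

# The classic tautology: closes the string literal, then appends a condition
# that is true for every row ("True OR ? = True" on the slide).
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Fresh in-memory database holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid TEXT, name TEXT, cc_number TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_sql(account_name):
    """String concatenation: the parameter becomes part of the SQL grammar."""
    return ("SELECT userid, name, cc_number FROM user_data WHERE name = '"
            + account_name + "'")


def run_vulnerable(account_name):
    """Runs the concatenated query. With TAUTOLOGY the predicate reads
    name = '' OR '1'='1', which holds for every row, so the whole table leaks."""
    conn = make_db()
    try:
        return conn.execute(build_vulnerable_sql(account_name)).fetchall()
    finally:
        conn.close()


def run_safe(account_name):
    """Parameterised query: the driver binds the value as data, never as SQL,
    so the tautology is just an unusual name that matches no row."""
    conn = make_db()
    try:
        return conn.execute(
            "SELECT userid, name, cc_number FROM user_data WHERE name = ?",
            (account_name,),
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_vulnerable_sql(TAUTOLOGY))
    print("vulnerable:", run_vulnerable(TAUTOLOGY))  # every row
    print("safe:      ", run_safe(TAUTOLOGY))        # no rows
```

The fix is the parameter binding, not input filtering: escaping quotes by hand is what the lesson is built to defeat, while a bound parameter can never change the shape of the statement.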
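The Lesson 5 payload above (AccessControlMatrix.help" | net user"), as an added example that is not from the original slides or from WebGoat's own source: it assumes, from the payload's quoting, that the server interpolates the edited parameter into a quoted command line handed to a shell. The help directory, the help-file contents and the allowlist are constructed. The vulnerable builder only returns the resulting command string for inspection and never executes it; the hardened reader validates the name against a strict pattern and allowlist and reads the file with no shell involved, and a small detector flags shell metacharacters for WAF rules or log review.

```python
import re

# The payload from the slide: closes the quoted file name, pipes into "net user",
# and opens a new quote to swallow the closing quote the server appends.
PAYLOAD = 'AccessControlMatrix.help" | net user"'

HELP_DIR = r"C:\webgoat\help"  # assumed location; constructed for the example

# Constructed help-file contents, standing in for files on disk.
HELP_FILES = {
    "AccessControlMatrix.help": "Access control matrix lesson help (constructed).",
    "CommandInjection.help": "Command injection lesson help (constructed).",
}

# Shell metacharacters that have no business in a file-name parameter.
SHELL_META = re.compile(r"[|&;`$<>\"'\\\n\r]")
# Strict shape for a legitimate help-file name: no separators, no quotes.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.help$")


class RejectedInput(ValueError):
    """Raised when a request parameter fails validation."""


def build_command_vulnerable(help_file):
    """The pattern the payload targets: the parameter is glued into a quoted
    command line meant for a shell. Returned as a string for inspection, never run."""
    return 'cmd.exe /c type "' + HELP_DIR + "\\" + help_file + '"'


def looks_injected(value):
    """Cheap detector: any shell metacharacter in a value that should be a bare
    file name is suspicious and worth alerting on."""
    return SHELL_META.search(value) is not None


def read_help_safe(help_file):
    """Hardened handler: strict pattern plus allowlist on the name, then the
    content is read directly, so no shell ever sees the parameter."""
    if not SAFE_NAME.match(help_file) or help_file not in HELP_FILES:
        raise RejectedInput("help file not permitted: %r" % help_file)
    return HELP_FILES[help_file]


def is_rejected(help_file):
    """True when read_help_safe refuses the input."""
    try:
        read_help_safe(help_file)
    except RejectedInput:
        return True
    return False


if __name__ == "__main__":
    print(build_command_vulnerable(PAYLOAD))  # shows the injected pipe
    print("flagged:", looks_injected(PAYLOAD))
    print(read_help_safe("AccessControlMatrix.help"))
    print("payload rejected:", is_rejected(PAYLOAD))
```

Tamper Data only matters because the parameter was a hidden form field the browser would not let the user edit; server-side validation has to treat hidden fields exactly like any other input.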