OWASP Top 10 Web Vulnerabilities
Desert Code Camp - April 2014
About Me
Chris Holwerda
Architect and developer for 15+ years in the financial, money codes, and credit card processing industry.
MasterCard
Enforcing PCI Compliance (Payment Card Industry)
blog: chrisholwerda.com
twitter: @cholwerda
email: therealchrisholwerda@gmail.com
SpeakerRate: http://speakerrate.com/chrisholwerda
Security In General
• Security is HARD
• There is no silver bullet
• Hackers will always have the upper hand
• Have an “everyone is a hacker” mentality
• The objective is to minimize risk and losses if breached
What is OWASP?
• Open Web Application Security Project
• Mission: To make software security visible so that organizations worldwide can make informed decisions about true software security risks
• Open to anyone
• You can sign up to receive OWASP information updates
• You can attend meetings. They have chapters in most of the major cities, including Phoenix.
• The website has a lot of resources, with examples in multiple programming languages
Show OWASP website
OWASP Top 10 for 2013
• A1 – Injection
• A2 – Broken Authentication & Session Management
• A3 – Cross-Site Scripting (XSS)
• A4 – Insecure Direct Object References
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 – Cross-Site Request Forgery (CSRF)
• A9 – Using Components with Known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards
A1 - Injection
• Validate all input.
• Use whitelisting (valid chars) over blacklisting (invalid chars)
• Be careful with string concatenation that includes any externally supplied value
• For SQL, use parameterized SQL queries
• Remember, it’s not just SQL
  • Command line switch concatenations
  • Other objects/apps that take parameters
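The A1 advice in working form, as an added example that is not from the slides: a whitelist check on the input plus a parameterized query, shown next to the concatenation pattern the slide warns against. The table and rows are constructed in-memory data for the demo.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a real user database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "user")])

# Whitelist: a username is 1-32 characters drawn from an explicit allowed set.
# Anything that does not match is rejected; we never try to enumerate "bad" chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None


def find_user_concat(name):
    """The pattern the slide warns about: input concatenated into the statement.
    A quote character in `name` changes the meaning of the query."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(name):
    """Hardened version: whitelist the value, then bind it as a parameter.
    The driver sends the value separately from the SQL text, so it is only
    ever treated as data, never parsed as part of the statement."""
    if not is_valid_username(name):
        raise ValueError("username contains characters outside the whitelist")
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()
```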
A2 - Broken Authentication and Session Management
• Make sure encryption of users’ passwords is “solid”
• Make sure the change/recover password process is “solid”
  • Never email a password – only allow a reset
  • Reset only using the email address – do not confirm the validity of the address!
  • One-way hash preferred
• Don’t expose session IDs in the URL
• Security questions – don’t let users create their own
• Make sure authentication cookies are created/expired/timed out as expected
• Use HTTPS
• XSS vulnerabilities can lead to sessions being stolen
A3 - Cross Site Scripting (XSS)
• Escape all untrusted data
• Validate all input.
• Use whitelisting (valid chars) over blacklisting (invalid chars)
• Mark all cookies as HttpOnly and Secure
• Use trusted sanitization libraries
A4 - Insecure Direct Object References
• Authorize the user for every request; verify access to the item requested
• Use per-user or per-session indirect object references
  • e.g.: map each grid row to a row ID that maps back to the actual key stored in the session
A5 - Security Misconfiguration
• Repeatable deployment process – preferably automated – that is locked down
• Process for updating software and patches
• Run scans and audits to detect misconfiguration
A6 - Sensitive Data Exposure
• Encrypt/hash all sensitive data at rest and in transit
• Use standard algorithms and strong key/salt
• Ensure passwords are stored with an algorithm specifically designed for password protection
• Disable autocomplete on forms and disable caching for pages that contain sensitive data
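The password-storage points from A2 (one-way hash, never email a password, do not confirm whether an address exists) and A6 (a password-specific algorithm with a random salt) in one added example; this is not code from the slides. It uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count and the user store are assumed values for the demo.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000   # assumed work factor; raise it as hardware allows
SALT_BYTES = 16


def hash_password(password):
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per user means two equal passwords give different records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """One-way check: recompute with the stored salt and iterations and compare in
    constant time. Nothing in the record lets anyone recover the password itself."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed user store: email -> password record. Reset tokens live separately.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}
RESET_TOKENS = {}


def request_reset(email):
    """Never email the password: issue a single-use random token instead, and
    return the same message whether or not the address is registered, so the
    response does not confirm which addresses exist."""
    if email in USERS:
        RESET_TOKENS[email] = secrets.token_urlsafe(32)
    return "If that address is registered, a reset link has been sent."
```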
A7 - Missing Function Level Access Control
• Have an easy-to-use, common, consistent authorization module
• Deny all access by default
• Implement checks in the business layer
  • e.g.: a link is hidden on the website, but the user could still enter it in the URL and gain access = BAD
• Back to -> authorize every request
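The A4 and A7 slides both come down to the same control: a central, deny-by-default authorization check on every request, plus per-session indirect references so the real keys never appear in the page. This added example (not from the slides) shows both together; the accounts, roles and permission table are constructed for the demo.

```python
import secrets

# Constructed data: real primary keys of records and who owns them.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 250},
    1002: {"owner": "bob", "balance": 90},
}

# Deny-by-default permission table: only listed (role, action) pairs are allowed.
# Hiding a link in the UI changes nothing here; the check runs on the request.
ALLOWED = {
    ("user", "view_account"),
    ("admin", "view_account"),
    ("admin", "close_account"),
}


def authorize(user, action):
    """The one common authorization function every handler calls."""
    return (user["role"], action) in ALLOWED


class Session:
    """Per-session indirect references: the page shows an opaque row ID and the
    session keeps the mapping back to the real key (the grid-row idea on A4)."""

    def __init__(self, user):
        self.user = user
        self.ref_to_key = {}

    def reference_for(self, real_key):
        ref = secrets.token_urlsafe(8)   # unpredictable, valid only in this session
        self.ref_to_key[ref] = real_key
        return ref

    def handle_request(self, action, ref):
        # 1. Function-level check, before any data is touched.
        if not authorize(self.user, action):
            raise PermissionError("action not permitted for this role")
        # 2. Resolve the indirect reference; a guessed real key is meaningless here.
        real_key = self.ref_to_key.get(ref)
        if real_key is None:
            raise PermissionError("unknown reference for this session")
        record = ACCOUNTS[real_key]
        # 3. Object-level check: the caller must be allowed to see this item.
        if self.user["role"] != "admin" and record["owner"] != self.user["name"]:
            raise PermissionError("not the owner of the requested item")
        return record
```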
A8 - Cross Site Request Forgery (CSRF)
• Include an unpredictable token in each request – at a minimum, unique per user session
• Prefer putting the token in a hidden field rather than adding it to the URL
• There are some tools in .NET to use
• Re-authenticate the user or prove they are a user (e.g.: use a captcha)
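The A8 token scheme as an added example (not from the slides and not the .NET helpers it mentions): one unpredictable token per session, emitted as a hidden field rather than a URL parameter, and checked in constant time before a state-changing handler does any work. The session and form are plain dicts standing in for a real framework's objects.

```python
import hmac
import secrets
from html import escape


def issue_csrf_token(session):
    """One unpredictable token per session, the minimum the slide asks for."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def hidden_field(session):
    """Emit the token as a hidden form field. Keeping it out of the URL means it
    does not leak through Referer headers, proxy logs or browser history."""
    return '<input type="hidden" name="csrf_token" value="{}">'.format(
        escape(issue_csrf_token(session), quote=True))


def is_valid_csrf(session, form):
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)   # constant-time compare


def handle_transfer(session, form):
    """State-changing handler: refuse unless the submitted token matches the
    session's token. A forged cross-site form cannot read the token, so it fails."""
    if not is_valid_csrf(session, form):
        return 403, "CSRF token missing or invalid"
    return 200, "transfer of {} accepted".format(form["amount"])
```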
A9 - Using Components with Known Vulnerabilities
• Have a process in place to update components
• Monitor the security of the components
• Govern component use
• Add security wrappers around components
A10 - Unvalidated Redirects and Forwards
• Avoid using redirects and forwards
• Don’t involve user parameters in calculating the destination
• If destination parameters cannot be avoided:
  • Validate the value and that the user is authorized
  • Use mapping values instead of the actual value
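The A10 fallback rules as an added example (not from the slides): a mapping key in the request instead of a URL, and, where a destination path cannot be avoided, strict validation that it is a same-site relative path the current user may reach. The destination table, the external help host and the /admin/ convention are assumptions for the demo.

```python
from urllib.parse import urlsplit

# Mapping values: the request carries a short key, never the destination itself.
DESTINATIONS = {
    "home": "/",
    "orders": "/account/orders",
    "help": "https://help.example.com/",   # assumed external host, fixed server-side
}


def redirect_target(key):
    """Resolve a mapping key; anything unknown falls back to a fixed safe page."""
    return DESTINATIONS.get(key, "/")


def validate_return_path(candidate):
    """Accept only same-site relative paths: no scheme, no host, no
    protocol-relative '//', no backslashes (some browsers treat '\\' as '/')."""
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return None
    if not candidate.startswith("/") or candidate.startswith("//"):
        return None
    if "\\" in candidate:
        return None
    return candidate


def safe_redirect(form, user):
    """Prefer the mapping key; otherwise use a validated path the user is
    authorized for (assumed: admin pages live under /admin/)."""
    if "dest" in form:
        return redirect_target(form["dest"])
    path = validate_return_path(form.get("return_to", ""))
    if path is None:
        return "/"
    if path.startswith("/admin/") and user.get("role") != "admin":
        return "/"
    return path
```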
Questions?
Resources
OWASP: owasp.org
Pluralsight: OWASP Top 10 course
Troy Hunt Blog: troyhunt.com
