3/24/2011




                      OWASP Top Ten
                        in Practice

                      Jason Taylor, CTO, Security Innovation
                      Dinis Cruz, Security Consultant, OWASP Leader




Agenda


• Intro to the OWASP Top Ten
• How to Integrate the OWASP Top Ten into your SDLC
• How the OWASP Top Ten maps to compliance, standards and other drivers
• Conclusion








About Security Innovation

• Application & Crypto Security Experts
   – 10+ years research on vulnerabilities and cryptography
   – Hundreds of assessments on the world’s most dominant
     software applications

• Products, Services and Training
   – Application & Process Assessments
   – Training. Industry’s largest eLearning library
   – Encryption. Fastest, most secure available

• Helping organizations:
   – Ensure applications are secure and in compliance
   – Build internal software security competency
   – Roll out a secure, repeatable SDLC




Agenda

• Intro to the OWASP Top Ten (this section)
• How to Integrate the OWASP Top Ten into your SDLC
• How the OWASP Top Ten maps to compliance, standards and other drivers
• Conclusion








What is the OWASP Top 10

• Consensus of most critical web application security flaws
• Aim:
    – Educate all security stakeholders: developers,
      designers, architects and organizations
    – Reinforce that a secure software initiative must address
      security at each phase of the development lifecycle
    – Educate, not standardize

• Used by many companies, referenced in standards and
  regulations such as PCI-DSS
       – A.G. Edwards
       – British Telecom
       – Bureau of Alcohol, Tobacco, and Firearms
       – Citibank
       – HP
       – IBM Global Services
       – Price Waterhouse Coopers
       – Recreational Equipment, Inc. (REI)
       – Samsung SDS (Korea)
       – Sprint
       – Sun Microsystems
       – Symantec
       – The Hartford
       – ...many others




OWASP Top Ten: Summary


A1 – Injection

A2 – Cross Site Scripting (XSS)

A3 – Broken Authentication and Session Management

A4 – Insecure Direct Object References

A5 – Cross Site Request Forgery (CSRF)

A6 – Security Misconfiguration (NEW)

A7 – Failure to Restrict URL Access

A8 – Unvalidated Redirects and Forwards (NEW)

A9 – Insecure Cryptographic Storage

A10 – Insufficient Transport Layer Protection








A1 – Injection


• Injection means…
   – Tricking an application into including unintended
     commands in the data sent to an interpreter

• Interpreters…
   – Take strings and interpret them as commands
   – SQL, OS Shell, LDAP, XPath, Hibernate, etc…

• SQL injection is still quite common
   – Many applications still susceptible (really don’t know why)
   – Even though it’s usually very simple to avoid

• Typical Impact
   – Usually severe. Entire database can usually be read or modified
   – May also allow full database schema, or account access, or even OS level
     access




A2 – Cross-Site Scripting (XSS)

• Occurs any time…
   – Raw data from attacker is sent to an innocent user’s browser

• Raw data…
   – Stored in database
   – Reflected from web input (form field, hidden field, URL, etc…)
   – Sent directly into rich JavaScript client

• Virtually every web app has this problem
   – Try this in your browser:
       • javascript:alert(document.cookie)
       • <script>alert(document.cookie)</script>

• Typical Impact
   – Steal user’s session, steal sensitive data, rewrite web page, redirect user to
     phishing or malware site
   – Most Severe: Install XSS proxy which allows attacker to observe and direct
     all user’s behavior on vulnerable site and force user to other sites








A3 – Broken Authentication and Session Management


• HTTP is a “stateless” protocol
   – Means credentials have to go with every request
   – Should use SSL for everything requiring
     authentication

• Session management flaws
   – SESSION ID used to track state since HTTP doesn’t
       • and it is just as good as credentials to an attacker
   – SESSION ID is typically exposed on the network, in browser, in logs, …

• Beware the side-doors
   – Change my password, remember my password, forgot my password,
     secret question, logout, email address, etc…

• Typical Impact
   – User accounts compromised or user sessions hijacked




A4 – Insecure Direct Object References


• How do you protect access to your data?
   – This is part of enforcing proper “Authorization”,
     along with A7 – Failure to Restrict URL Access

• A common mistake …
   – Only listing the ‘authorized’ objects for the current user; or
   – Hiding the object references in hidden fields
     … and then not enforcing these restrictions on the server side
   – This is called presentation layer access control, and doesn’t work
   – Attacker simply tampers with parameter value

• Typical Impact
   – Users are able to access unauthorized files or data








A5 – Cross Site Request Forgery (CSRF)


• Cross Site Request Forgery
   – An attack where the victim’s browser is tricked into issuing a command to a
     vulnerable web application
   – Vulnerability is caused by browsers automatically including user
     authentication data (session ID, IP address, Windows domain credentials, …)
     with each request

• Imagine…
   – What if a hacker could steer your mouse and get you to click on links in your
     online banking application?
   – What could they make you do?

• Typical Impact
   – Initiate transactions (transfer funds, logout user, close account)
   – Access sensitive data
   – Change account details




A6 – Security Misconfiguration


• Web applications rely on a secure foundation
   – All through the network and platform
   – Don’t forget the development environment

• Is your source code a secret?
   – Think of all the places your source code goes
   – Security should not require secret source code

• CM must extend to all parts of the application
   – All credentials should change in production

• Typical Impact
   – Install backdoor through missing network or server patch
   – XSS flaw exploits due to missing application framework patches
   – Unauthorized access to default accounts, application functionality or data, or
     unused but accessible functionality due to poor server configuration








A7 – Failure to Restrict URL Access


• How do you protect access to URLs (pages)?
   – This is part of enforcing proper “authorization”, along with
     A4 – Insecure Direct Object References

• A common mistake …
   – Displaying only authorized links and menu choices
   – This is called presentation layer access control, and doesn’t work
   – Attacker simply forges direct access to ‘unauthorized’ pages

• Typical Impact
   – Attackers invoke functions and services they’re not authorized for
   – Access other users’ accounts and data
   – Perform privileged actions
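The A4 and A7 slides make the same point: hiding links or object ids in the presentation layer is not a control, the server has to check every request. As an added example (not from the slides), the code below contrasts menu filtering with server-side checks for both a URL (A7) and a direct object reference (A4); users, roles, documents and the URL policy are constructed sample data.

```python
# Constructed sample data: document ownership and each user's role.
DOCUMENTS = {101: {"owner": "alice", "body": "alice's invoice"},
             102: {"owner": "bob", "body": "bob's invoice"}}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

# Server-side policy: the role each URL prefix requires.
URL_POLICY = {"/admin/": "admin", "/account/": "user"}


def _permits(role, need) -> bool:
    return role == "admin" or role == need


def visible_links(user: str) -> list:
    """Presentation-layer filtering: fine for usability, useless as a
    security control, because a client can request any URL regardless
    of whether a link to it was rendered."""
    role = ROLES.get(user)
    return [p for p, need in URL_POLICY.items() if _permits(role, need)]


def authorize_url(user: str, path: str) -> int:
    """A7 check: every request is matched against the policy on the
    server. Returns an HTTP status code."""
    role = ROLES.get(user)
    if role is None:
        return 401
    for prefix, need in URL_POLICY.items():
        if path.startswith(prefix):
            return 200 if _permits(role, need) else 403
    return 404  # no policy entry: not routable, rather than falling open


def get_document(user: str, doc_id: int) -> tuple:
    """A4 check: the id came from the client, so ownership is re-checked
    on the server before anything is returned. A tampered id yields 403,
    not another user's data."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, None
    if doc["owner"] != user and ROLES.get(user) != "admin":
        return 403, None
    return 200, doc["body"]


if __name__ == "__main__":
    print("alice sees:", visible_links("alice"))
    print("alice -> /admin/users:", authorize_url("alice", "/admin/users"))
    print("alice -> doc 102:", get_document("alice", 102))
```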




A8 – Unvalidated Redirects and Forwards

• Web application redirects are very common
   – And frequently include user supplied parameters in the destination URL
   – If they aren’t validated, attacker can send victim to a site of their choice

• Forwards (aka Transfer in .NET) are common too
   – They internally send the request to a new page in the same application
   – Sometimes parameters define the target page
   – If not validated, attacker may be able to use unvalidated forward to bypass
     authentication or authorization checks

• Typical Impact
   – Redirect victim to phishing or malware site
   – Attacker’s request is forwarded past security checks, allowing unauthorized
     function or data access

• Live Example
   –   http://www.youtube.com/redirect?username=digitalhook&
       q=http%3A%2F%2Fsecuritytube.net%2FSocial-Engineering-Attacks-using-Simple-Redirections-video.aspx
       &video_id=Vgc3NVVpb8c&event=url_redirect&url_redirect=True&usg=UE0DOmwjBRK-mgheFtW1hMTEvh4=
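As an added example (not from the slides), an allow-list check a redirect endpoint can apply to its user-supplied destination before issuing the redirect, covering the shapes that commonly slip past a naive "starts with /" test: protocol-relative URLs, backslash variants, credentials before the host, non-http schemes and look-alike hosts. The host names and inputs are constructed; an internal forward target can be checked against an allow-list of page names in the same way.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts this application may redirect to.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` only if it is a same-site absolute path or an
    http(s) URL to an allow-listed host; otherwise return `default`."""
    if not target or any(ord(c) < 33 for c in target):
        return default      # empty, or contains whitespace/control chars
    if "\\" in target:
        return default      # browsers treat '/\' like '//' (host change)
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: require one leading slash; '//host' has a netloc
        # and is handled below, but be explicit anyway.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    if parts.scheme not in ("http", "https"):
        return default      # javascript:, data:, protocol-relative, ...
    # .hostname drops userinfo and port, so 'good@evil' resolves to 'evil'.
    host = (parts.hostname or "").lower()
    if host in ALLOWED_HOSTS:   # exact match, no suffix/prefix matching
        return target
    return default


if __name__ == "__main__":
    for t in ["/account/home", "//evil.example/x",
              "https://www.example.com@evil.example/", "javascript:alert(1)"]:
        print(repr(t), "->", safe_redirect_target(t))
```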








A9 – Insecure Cryptographic Storage


• Storing sensitive data insecurely
   – Failure to identify all sensitive data
   – Failure to identify all the places that this sensitive
     data gets stored
        • Databases, files, directories, log files, backups, etc.
   – Failure to properly protect this data in every location

• Typical Impact
   – Attackers access or modify confidential or private information
         • e.g., credit cards, health care records, financial data (yours or your customers’)
   – Attackers extract secrets to use in additional attacks
   – Company embarrassment, customer dissatisfaction, and loss of trust
   – Expense of clean up: forensics, apology letters, reissuing credit cards, etc.
   – Business gets sued and/or fined




A10 – Insufficient Transport Layer Protection


• Transmitting sensitive data insecurely
   – Failure to identify all sensitive data
   – Failure to identify all the places that this sensitive data is sent
        • On the web, to backend databases, to business partners, internal
          communications
   – Failure to properly protect this data in every location


• Typical Impact
   – Attackers access or modify confidential or private information
         • e.g., credit cards, health care records, financial data (yours or your customers’)
   – Attackers extract secrets to use in additional attacks
   – Company embarrassment, customer dissatisfaction, and loss of trust
   – Expense of cleaning up the incident
   – Business gets sued and/or fined








Agenda

• Intro to the OWASP Top Ten
• How to Integrate the OWASP Top Ten into your SDLC (this section)
• How the OWASP Top Ten maps to compliance, standards and other drivers
• Conclusion




Integrating OWASP Top Ten into your SDLC


• Requirements
 How to determine your security objectives
• Design
 How to design mitigations with OWASP threats in mind
• Implementation
 How to code defensively and implement mitigations for key threats
• Test
 How to devise test plans and attacks against OWASP threats
• Deploy
 How to deploy and configure your application with OWASP in mind
• Maintenance
 How to scan for the OWASP threats in production








 Integrating OWASP Top Ten into your SDLC
 Determining Security Requirements & Objectives

 • Identify goals and constraints that affect the confidentiality,
    integrity, and availability of your data and application
 • Are used to:
       –   Filter the Design Guidelines that are applicable
       –   Scope and guide Architecture and Design reviews
       –   Help set Code Review objectives
       –   Guide Threat Modeling, Security Test Planning, Deployment Reviews
Objective categories and the questions to ask for each:

• Tangible assets to protect
   – Are there user accounts, passwords, confidential information, intellectual
     property, etc. to protect?
   – Can this system be used as a conduit to access other corporate assets?
• Intangible assets to protect
   – Is there potential for an attack that may be embarrassing, although not
     otherwise damaging?
• Compliance requirements
   – Are there corporate security policies or standards that must be adhered to?
   – Are there security or privacy legislations you must comply with?
• Quality of service requirements
   – Are there specific availability or performance requirements you must meet?




 Integrating OWASP Top Ten into your SDLC
 Threat Modeling with Top Ten threats in mind

  • Identify threats and vulnerabilities relevant for your application
        – What are the potential threats that could impact each asset?
        – For each threat, what attacks could realize the threat?
        – Use the OWASP Top 10 as a guide to potential attacks.
        – Determine countermeasures to mitigate vulnerabilities

  • Perform in the architecture and design phase, as soon as:
        – You understand your security objectives and application architecture

  • Update and improve iteratively:
        – When your security objectives and design changes
        – During implementation, testing and deployment

  • Some specific considerations
        – Legal, safety or contractual/customer requirements








Integrating OWASP Top Ten into your SDLC
Threat Modeling with OWASP threats in mind

• Secure software starts with understanding the threats
   – Threats are not vulnerabilities

• Threats live forever; they are the attacker's goal


[Diagram: Attacker, Threat, Vulnerability, Mitigation]




Integrating OWASP Top Ten into your SDLC
How to design mitigations with OWASP threats in mind


• Adopt a set of design guidelines that are:
    – Actionable.
      A vulnerability that can be mitigated through the guideline
    – Relevant.
      Associated with a vulnerability that could impact your application
    – Impactful.
      Represents a key engineering decision that will have wide-ranging impact


• Categorize your guidelines based on areas of highest risk
    – Describes the areas in which poor design can lead to security vulnerabilities
    – Allows the inclusion of additional guidelines or the refinement of existing
      guidelines based on newly discovered vulnerabilities








 Integrating OWASP Top Ten into your SDLC
 Best Practices for Secure Design

Guidelines by category:

• Input / Data Validation
   – Do not trust input; consider centralized input validation. Do not rely on
     client-side validation. Be careful with canonicalization issues.
• Authentication
   – Use strong passwords. Support password expiration periods and account
     disablement. Do not store credentials (use one-way hashes with salt).
• Authorization
   – Use least privileged accounts. Consider authorization granularity. Enforce
     separation of privileges. Restrict user access to system-level resources.
• Configuration Management
   – Use least privileged process and service accounts. Don’t store credentials in
     clear text. Don’t use Local Security Authority (LSA).
• Sensitive Data
   – Avoid storing secrets. Secure the communication channel. Provide strong access
     controls for sensitive data stores.
• Cryptography
   – Do not develop your own. Use proven and tested platform features. Keep
     unencrypted data close to the algorithm. Cycle your keys periodically. Avoid key
     management (use DPAPI).
• Exception Management
   – Use structured exception handling. Do not reveal sensitive application
     implementation details. Consider a centralized exception management framework.
• Auditing and Logging
   – Identify malicious behavior. Know what good traffic looks like. Audit and log
     activity through all application tiers. Secure access to log files.




 Integrating OWASP Top Ten into your SDLC
 How to code defensively and implement mitigations for key threats


 • Goal:
    Reduce your risk by addressing OWASP Top 10
    vulnerabilities in your implementation…
      – by using a set of implementation best-practices
        organized directly around the OWASP Top 10



 • Now let’s see what this looks like for a few of the Top 10








A1 – Avoid Injection Flaws


• Recommendations
  1. Use an interface that supports bind variables (e.g., prepared statements
     or stored procedures)
     •   Bind variables allow the interpreter to distinguish between code and data
  2. Encode all user input before passing it to an interpreter
  – Always perform ‘white list’ input validation on all user supplied input
  – Always minimize database privileges to reduce the impact of a flaw
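The three recommendations above, worked through as an added example (not code from the slides): a concatenated query beside its bind-variable form, a white-list validator that runs before the interpreter is reached, and a least-privilege database session. It uses Python's standard-library sqlite3 with an in-memory database and constructed sample rows; the probe input is a constructed value that shows why binding matters.

```python
import re
import sqlite3

# Constructed sample data: two accounts in an in-memory database.
SAMPLE_ROWS = [("alice", "s3cret-a"), ("bob", "s3cret-b")]


def make_db() -> sqlite3.Connection:
    # isolation_level=None: autocommit, so no implicit BEGIN precedes writes.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so the
    interpreter cannot tell where the data ends and the command begins."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: a bind variable carries the input as data, whatever it holds."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(name: str) -> str:
    """'White list' validation: only the expected character set passes,
    and it runs before the value reaches any interpreter."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(f"invalid username: {name!r}")
    return name


def restrict_to_reads(conn: sqlite3.Connection) -> None:
    """Least privilege for the database session: with query_only set,
    SQLite refuses INSERT/UPDATE/DELETE/DROP, so an injection that slips
    through a read path cannot modify or destroy data."""
    conn.execute("PRAGMA query_only = 1")


def write_is_blocked(conn: sqlite3.Connection) -> bool:
    """True if the session rejects a data-changing statement."""
    try:
        conn.execute("DELETE FROM users")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Constructed probe: turns the WHERE clause into a tautology when
    # concatenated; with a bind variable it is just an unmatched name.
    probe = "' OR '1'='1"
    print("concatenated:", lookup_concat(db, probe))
    print("bound:       ", lookup_bound(db, probe))
    restrict_to_reads(db)
    print("writes blocked:", write_is_blocked(db))
```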




A2 – Avoiding XSS Flaws


• Recommendations
  – Eliminate Flaw
     •   Don’t include user supplied input in the output page
  – Defend Against the Flaw
     •   Primary Recommendation: Output encode all user supplied input
         (Use OWASP’s ESAPI to output encode:
                  http://www.owasp.org/index.php/ESAPI)
     •   Perform ‘white list’ input validation on all user input to be included in
         page
     •   For large chunks of user supplied HTML, use OWASP’s AntiSamy to
         sanitize this HTML to make it safe
             See: http://www.owasp.org/index.php/AntiSamy
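Output encoding only works when it matches the context the value lands in. As an added example (not from the slides, and using the Python standard library rather than ESAPI), the code below renders one user-supplied value into an HTML body, an HTML attribute and a JavaScript string, encoding each for its own context, and uses the payload from the XSS slide to show the difference from raw insertion. The page template is constructed.

```python
import html
import json


def encode_html(s: str) -> str:
    """For HTML element content and for quoted attribute values:
    escapes & < > " and ' so the browser renders text, not markup."""
    return html.escape(s, quote=True)


def encode_js_string(s: str) -> str:
    """For a value inside a <script> block: JSON-quote it, then also
    escape the characters that could close the script element or open
    a tag, which json.dumps alone leaves intact."""
    return (json.dumps(s)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_unsafe(name: str) -> str:
    """Before: the raw value is dropped into three contexts (the flaw)."""
    return (f'<p title="{name}">Hello, {name}</p>'
            f'<script>var n = "{name}";</script>')


def render_safe(name: str) -> str:
    """After: each insertion point is encoded for its context."""
    return (f'<p title="{encode_html(name)}">Hello, {encode_html(name)}</p>'
            f'<script>var n = {encode_js_string(name)};</script>')


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"  # from the XSS slide
    print(render_unsafe(payload))
    print(render_safe(payload))
```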








Integrating OWASP Top Ten into your SDLC
Performing Security Code Reviews


• Code Review
   – Critical leverage point to reduce the number of implementation errors
   – Can be performed on every check-in, every build, or some other interval
     that works for your development process
   – One of the most impactful steps you can take toward more secure code
   – While design bugs are the most expensive to fix, implementation bugs
     are the most common

• OWASP Code Review Guide
   – http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents




Integrating OWASP Top Ten into your SDLC
Static analysis tools for a code review

• Should be used throughout the product cycle
   – DEVELOPERS
     use light weight version to check for simple bugs missed during development
   – BUILD MANAGERS or LAB TECHNICIANS
     use to discover more sophisticated bugs at code integration time
   – TESTERS
     use to ensure code coverage and discover complex sections of the
     product that should be tested more thoroughly
   – Example: IBM Rational Appscan Source Edition

• Find a lot of the common coding errors, faster than humans
   – Can drastically reduce the number of bugs which may be difficult to find in
     black box testing
   – But the same applies to attackers, who often use static analysis tools to
     find exploitable bugs

• Beware of False Positives and Negatives
   – False positives can result in wasted effort and drain on security resources








Integrating OWASP Top Ten into your SDLC
How to devise test plans and attacks to test against OWASP threats


• Leverage your Threat Model for more
 focused and effective testing
• Security Testing
   – Functional test techniques cannot uncover security bugs
   – Designed to understand what the application is NOT supposed to do
   – Specific attacks should be applied to uncover vulnerabilities

• Many flaws are caused by environment interaction
   – what if a resource is not available?
   – will we page that to disk? If so, when?

• Many flaws are only discoverable after analyzing application’s
 environment
   – discover sensitive information by sniffing the network
   – uncover temporary files




Integrating OWASP Top Ten into your SDLC
Web scanners

• PROS. Automates testing; Finds common vulnerabilities
   – Rely on a constantly growing database of known vulnerabilities
   – Identify common vulnerabilities faster than manual efforts
   – Can discover a large amount of information about a device
       • Misconfigurations, exposed usernames/passwords, vulnerable scripts
       • Directory/file structure, helper files, Java applets, Flash/ActiveX controls
       • Forms, query strings, hidden fields, input validation, header information

   – Example: IBM Rational AppScan Enterprise Edition

• CONS. Scanners are just that – scanners
   – Limited to known vulnerabilities
       • Can’t detect business logic attacks
       • Difficult to find flaws caused by environment interaction
   – No prioritization of vulnerabilities
   – False positives are time consuming to validate








Integrating OWASP Top Ten into your SDLC
Best practices for using tools

• Sequencing of tool introduction is critical.
  “When?” is just as important as “Which?”
• Adopt when you have the ability to:
   – Interpret false positives
   – Fix the problems you are finding
   – Complement with manual test efforts

• Complement with sound process
   – What good are tools if not required and/or used at critical security gates?

• Complement with Training
   – Tools don’t make your organization more mature
   – Tools are more productive when you know what you are looking for and can
     use them to prevent problems down the road




Integrating OWASP Top Ten into your SDLC
Deployment Reviews

• Ensures application security is not compromised by poor
 configuration of NETWORK and/or HOST
   – even the most securely designed and implemented application can be
     compromised by an error during deployment

• Use server security categories
    – Patches & Updates
    – Accounts
    – Auditing and logging
    – Files/Directories
    – Ports
    – Protocols
    – Registry
    – Services
    – Shares

• Break down your deployment review
   – use categories to break down your application deployment for further
     analysis and to help identify vulnerabilities

• Review systematically
   – you can go through the deployment review process from start to finish or
     pick a particular category for further analysis








Agenda

• Intro to the OWASP Top Ten
• How to Integrate the OWASP Top Ten into your SDLC
• How the OWASP Top Ten maps to compliance, standards and other drivers (this section)
• Conclusion




The Corporate Application Compliance Framework
aligning development with management policies








OWASP Adopters & Users


• OWASP Top 10 in standards and frameworks
   – U.S. Federal Trade Commission (FTC)
   – U.S. Defense Information Systems Agency (DISA)
   – PCI-DSS

• How organizations use the OWASP Top 10
   – Microsoft: Top 10 threats are handled
     by security design and test procedures
   – NSA: in their developer guidance on
     web application security
   – Oracle: for developer awareness
   – IBM AppScan: maps source code
     findings to OWASP Top 10




Mapping OWASP Top Ten to PCI DSS v2.0


• OWASP and PCI
• Previous version of PCI had explicit mapping
 to OWASP Top 10
• Current version has direct references to
 OWASP and mappings to OWASP Top 10
 entries








Mapping OWASP Top Ten to PCI DSS v2.0




Mapping OWASP Top Ten to PA DSS








HIPAA - Health Insurance Portability and
Accountability Act

• Addresses the security and privacy of health data ...
• But web application security and OWASP are not specifically
 called out in the HIPAA Security Rule

• That said, HIPAA requires:
   – A risk analysis and risk assessment
   – Depending on the risk rating, entities may need to ensure proper
     security controls are in place for web applications associated with
     electronic protected health information (ePHI)

• Which means that compliant apps must not have security
 vulnerabilities like the ones in the OWASP Top 10




Other standards are also vague on Application
Security

• But an application can’t be compliant if vulnerable to an
 OWASP Top 10 risk:
   – SOX (US): seeks to protect investors by improving the accuracy and reliability of
     corporate disclosure.
   – GLBA (US): seeks to protect the personal information of consumers stored in
     financial institutions.
   – PIPEDA (Canada): The Personal Information Protection and Electronic Documents
     Act mandates that appropriate security measures be applied to personal data
     obtained in the course of commercial transactions.
   – 95/46/EC (Europe): European Union Directive 95/46/EC is a sweeping European
     Parliament directive designed to protect individuals from unregulated personal
     data access or transfer.
   – DPA (UK): The Data Protection Act mandates that the processing of sensitive
     personal data should be carried out with appropriate security in the interests of
     protecting the individual rights and privacy.
   – .... and there are many more....








ISO 27000 Series


• New ISO Standards (most are under development)
   – ISO 27000 : Information Security techniques, fundamentals and vocabulary
   – ISO 27001 : Information Security Management System Requirements (the
     standard to which an organization can certify)
   – ISO 27002 : Code of Practice (ISO 17799:2005, guidance for interpretation
     and implementation of controls)
   – ISO 27003 : ISMS Implementation (proposed)
   – ISO 27004 : Guide for Information Security Metrics and Measures (proposed)
   – ISO 27005 : Guide for Risk Management (currently BS 7799-3:2006)
   – ISO 27006 : International Accreditation Guidelines

• With one key standard still in its early stages
   – ISO 27034 : Guidelines for application security




PCI DSS mapped to ISO 27001 (and OWASP)








OWASP Top 10(s) vs WASC vs CWE vs CAPEC vs
SANS

• Another big mapping can be found at:
 http://projects.webappsec.org/w/page/13246975/Threat-Classification-Taxonomy-Cross-Reference-View




Open SAMM


• New SDL from OWASP
• OWASP Top 10 is relevant in all 12 Security Practices








OWASP ESAPI


• The OWASP Enterprise Security API:
   – “....is a free, open source, web application security control library that
     makes it easier for programmers to write lower-risk applications.”
     http://www.owasp.org/index.php/ESAPI




ESAPI and OWASP Top 10








ESAPI and OWASP Top 10


• For an in depth coverage see John Melton’s blog post at:
 http://www.jtmelton.com/2009/01/03/the-owasp-top-ten-and-esapi/




Agenda

• Intro to the OWASP Top Ten
• How to Integrate the OWASP Top Ten into your SDLC
• How the OWASP Top 10 maps to compliance, standards and other drivers
• Conclusion (this section)








Conclusion


• The OWASP Top 10 was designed as a
  way to publicize the top threats on the web

• You can use it for:
   – Education
   – Organization of best practices and SDLC initiatives
   – As a call to action for your development organization


• The Top 10 maps well to a variety of industry and regulatory
  compliance standards
   – Protection against the Top 10 will help you fulfill your application
     security compliance requirements




How Security Innovation can Help


• TeamProfessor eLearning
   – OWASP Courses:
      • OWASP Top Ten: Threats & Mitigations
      • How to Test for the OWASP Top Ten
   – Many popular technologies
      • ASP.Net, Java, C/C++, .Net, Windows, C#, JRE

• TeamMentor: Secure Development Knowledgebase
   – Free OWASP Version: http://owasp.teammentor.com

• Secure SDLC Consulting
   – SDLC Assessment & Optimization
   – Code Review
   – Security Testing








      Free OWASP eLearning Course
      http://www.teamprofessor.com

         Free OWASP TeamMentor
   http://owasp.securityinnovation.com

              Copy of Presentation
         getsecure@securityinnovation.com

             Upcoming/Past Webinars
www.securityinnovation.com/securitylab/elearning.shtml

                 Technical Contacts
        Jason Taylor                  Dinis Cruz
jtaylor@securityinnovation.com     dcruz@owasp.org





 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
 
Soc
SocSoc
Soc
 
Application Security
Application SecurityApplication Security
Application Security
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn WilsonOWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
 

Viewers also liked

Hacking Portugal , C-days 2016 , v1.0
Hacking Portugal ,  C-days 2016 , v1.0Hacking Portugal ,  C-days 2016 , v1.0
Hacking Portugal , C-days 2016 , v1.0Dinis Cruz
 
Security in a Continuous Delivery World
Security in a Continuous Delivery WorldSecurity in a Continuous Delivery World
Security in a Continuous Delivery WorldDinis Cruz
 
Making threat modeling so easy
Making threat modeling so easyMaking threat modeling so easy
Making threat modeling so easyDinis Cruz
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0Dinis Cruz
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Dinis Cruz
 
GPG Signing Git Commits
GPG Signing Git CommitsGPG Signing Git Commits
GPG Signing Git CommitsDinis Cruz
 
Introduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityIntroduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityOWASPKerala
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017 Dinis Cruz
 
SC conference - Building AppSec Teams
SC conference  - Building AppSec TeamsSC conference  - Building AppSec Teams
SC conference - Building AppSec TeamsDinis Cruz
 
Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)Dinis Cruz
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0Dinis Cruz
 
Web Application Security | A developer's perspective - Insecure Direct Object...
Web Application Security | A developer's perspective - Insecure Direct Object...Web Application Security | A developer's perspective - Insecure Direct Object...
Web Application Security | A developer's perspective - Insecure Direct Object...n|u - The Open Security Community
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcKaty Anton
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 
State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015tmd800
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoEoin Keary
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 

Viewers also liked (20)

Hacking Portugal , C-days 2016 , v1.0
Hacking Portugal ,  C-days 2016 , v1.0Hacking Portugal ,  C-days 2016 , v1.0
Hacking Portugal , C-days 2016 , v1.0
 
Security in a Continuous Delivery World
Security in a Continuous Delivery WorldSecurity in a Continuous Delivery World
Security in a Continuous Delivery World
 
Making threat modeling so easy
Making threat modeling so easyMaking threat modeling so easy
Making threat modeling so easy
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)
 
GPG Signing Git Commits
GPG Signing Git CommitsGPG Signing Git Commits
GPG Signing Git Commits
 
Introduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityIntroduction to OWASP & Web Application Security
Introduction to OWASP & Web Application Security
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017
 
SC conference - Building AppSec Teams
SC conference  - Building AppSec TeamsSC conference  - Building AppSec Teams
SC conference - Building AppSec Teams
 
Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0
 
Web Application Security | A developer's perspective - Insecure Direct Object...
Web Application Security | A developer's perspective - Insecure Direct Object...Web Application Security | A developer's perspective - Insecure Direct Object...
Web Application Security | A developer's perspective - Insecure Direct Object...
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA
 
Owasp Au Rev4
Owasp Au Rev4Owasp Au Rev4
Owasp Au Rev4
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwc
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and Manico
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 

Similar to OWASP Top Ten in Practice

OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEArun Voleti
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20Tabăra de Testare
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security OverviewNoah Jaehnert
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks   akash mahajanTop 10 web application security risks   akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security Dilip Sharma
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsAlert Logic
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 

Similar to OWASP Top Ten in Practice (20)

Web Security
Web SecurityWeb Security
Web Security
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 seba
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security Overview
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks   akash mahajanTop 10 web application security risks   akash mahajan
Top 10 web application security risks akash mahajan
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
How to produce more secure web apps
How to produce more secure web appsHow to produce more secure web apps
How to produce more secure web apps
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security
 
Webdays blida mobile top 10 risks
Webdays blida   mobile top 10 risksWebdays blida   mobile top 10 risks
Webdays blida mobile top 10 risks
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 

OWASP Top Ten in Practice

What is the OWASP Top 10

• Consensus of most critical web application security flaws
• Aim:
   – Educate all security stakeholders: developers, designers, architects and organizations
   – Reinforce that a secure software initiative must address security at each phase of the development lifecycle
   – Educate, not standardize
• Used by many companies, referenced in standards and regulations such as PCI-DSS
      o A.G. Edwards
      o Recreational Equipment, Inc. (REI)
      o British Telecom
      o Samsung SDS (Korea)
      o Bureau of Alcohol, Tobacco, and Firearms
      o Sprint
      o Citibank
      o Sun Microsystems
      o HP
      o Symantec
      o IBM Global Services
      o The Hartford
      o Price Waterhouse Coopers
      o ...many others


OWASP Top Ten: Summary

A1 – Injection
A2 – Cross Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Failure to Restrict URL Access
A8 – Unvalidated Redirects and Forwards (NEW)
A9 – Insecure Cryptographic Storage
A10 – Insufficient Transport Layer Protection
A1 – Injection

• Injection means…
   – Tricking an application into including unintended commands in the data sent to an interpreter
• Interpreters…
   – Take strings and interpret them as commands
   – SQL, OS Shell, LDAP, XPath, Hibernate, etc…
• SQL injection is still quite common
   – Many applications still susceptible (really don't know why)
   – Even though it's usually very simple to avoid
• Typical Impact
   – Usually severe. Entire database can usually be read or modified
   – May also allow full database schema, or account access, or even OS level access


A2 – Cross-Site Scripting (XSS)

• Occurs any time…
   – Raw data from attacker is sent to an innocent user's browser
• Raw data…
   – Stored in database
   – Reflected from web input (form field, hidden field, URL, etc…)
   – Sent directly into rich JavaScript client
• Virtually every web app has this problem
   – Try this in your browser:
      • javascript:alert(document.cookie)
      • <script>alert(document.cookie)</script>
• Typical Impact
   – Steal user's session, steal sensitive data, rewrite web page, redirect user to phishing or malware site
   – Most Severe: Install XSS proxy which allows attacker to observe and direct all user's behavior on vulnerable site and force user to other sites
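The two slides above describe the mechanism of A1 and A2 but show no code. The following is an added example, not part of the original deck, that puts the vulnerable pattern beside its fix for both: a login query built by string concatenation versus a parameterised one (A1), and a greeting that writes attacker data raw into HTML versus one that encodes it for the HTML context (A2). It uses only the Python standard library; the users table and its rows are constructed demo data, and `sqlite3` stands in for whatever SQL interpreter the application really talks to.

```python
"""Added example (not from the slides): A1 SQL injection and A2 XSS, each
vulnerable pattern beside the fix, using Python's sqlite3 and html modules.
The users table and its rows are constructed demo data."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory SQLite database with two users.
    # (Real applications store password hashes, not passwords; see A9.)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    # A1: user input is concatenated into the command string, so the SQL
    # interpreter cannot tell data from code. A quote in the input ends
    # the string literal and the rest is parsed as SQL.
    query = (
        "SELECT name, role FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, password: str):
    # Fix: parameterised query. The values travel separately from the SQL
    # text and are never parsed as SQL, whatever characters they contain.
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


def render_greeting_vulnerable(display_name: str) -> str:
    # A2: attacker-controlled data is written raw into the HTML sent to a
    # victim's browser, so a <script> in the name executes there.
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_safe(display_name: str) -> str:
    # Fix: encode for the HTML context at output time. & < > " ' become
    # entities, so the browser renders the payload as text, not markup.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"          # turns the WHERE clause always-true
    comment = "alice' --"              # comments out the password check
    print(login_vulnerable(conn, "anyone", tautology))   # every row
    print(login_vulnerable(conn, comment, "wrong"))      # alice, no password
    print(login_safe(conn, "anyone", tautology))         # []
    print(login_safe(conn, comment, "wrong"))            # []
    xss = "<script>alert(document.cookie)</script>"
    print(render_greeting_vulnerable(xss))               # script runs
    print(render_greeting_safe(xss))                     # rendered as text
```

The two payloads are the classic ones: the tautology makes the `WHERE` clause true for every row, and the `--` comment discards the password condition entirely. Neither has any effect on `login_safe`, because the driver never parses the values as SQL. The same rule (keep data out of the command string) is what the slide means for the OS shell, LDAP and XPath interpreters too, and `html.escape` is the output-encoding half of that rule for the browser's HTML interpreter.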
A3 – Broken Authentication and Session Management

• HTTP is a "stateless" protocol
   – Means credentials have to go with every request
   – Should use SSL for everything requiring authentication
• Session management flaws
   – SESSION ID used to track state since HTTP doesn't
      • and it is just as good as credentials to an attacker
   – SESSION ID is typically exposed on the network, in browser, in logs, …
• Beware the side-doors
   – Change my password, remember my password, forgot my password, secret question, logout, email address, etc…
• Typical Impact
   – User accounts compromised or user sessions hijacked


A4 – Insecure Direct Object References

• How do you protect access to your data?
   – This is part of enforcing proper "Authorization", along with A7 – Failure to Restrict URL Access
• A common mistake …
   – Only listing the 'authorized' objects for the current user; or
   – Hiding the object references in hidden fields
   … and then not enforcing these restrictions on the server side
   – This is called presentation layer access control, and doesn't work
   – Attacker simply tampers with parameter value
• Typical Impact
   – Users are able to access unauthorized files or data
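A3 and A4 meet in one request path: the session ID tells the server who is asking, and the object ID tells it what they want. The following is an added example, not code from the deck, showing the two together: a login that issues an unguessable server-side session ID, rotation after a privilege change and real invalidation on logout (A3), and an invoice lookup that resolves the session to a user and checks ownership instead of trusting the ID in the request (A4), beside the vulnerable lookup that simply returns whatever ID it was given. Users, passwords and invoices are constructed demo data; a real application would store password hashes and keep the session table in a store shared across servers.

```python
"""Added example (not from the slides): A3 session management and A4 direct
object references in one small flow. Users, passwords and invoices are
constructed demo data."""
import secrets
from typing import Dict, Optional

# Constructed demo data. Real code stores password hashes, not passwords.
USERS = {"alice": "s3cret", "bob": "hunter2"}
INVOICES = {
    1001: {"owner": "alice", "amount": 120},
    1002: {"owner": "bob", "amount": 75},
}

# Server-side session store: opaque session ID -> username.
SESSIONS: Dict[str, str] = {}


def login(username: str, password: str) -> Optional[str]:
    """Return a fresh session ID on success, None on failure."""
    if USERS.get(username) != password:
        return None
    # 256 bits from the OS CSPRNG; never derive it from user ID or time.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def rotate_session(old_sid: str) -> Optional[str]:
    """Issue a new ID after a privilege change (login, password change) so
    an ID fixed or captured before the change is worthless afterwards."""
    user = SESSIONS.pop(old_sid, None)
    if user is None:
        return None
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = user
    return new_sid


def logout(sid: str) -> None:
    # Logout must invalidate server side, not just delete the cookie.
    SESSIONS.pop(sid, None)


def session_cookie(sid: str) -> str:
    # Cookie attributes limit exposure: no JavaScript access, HTTPS only.
    return f"SESSIONID={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def get_invoice_insecure(invoice_id: int) -> Optional[dict]:
    # A4: the ID from the request is used directly. Whoever changes 1001
    # to 1002 in the URL reads bob's invoice.
    return INVOICES.get(invoice_id)


def get_invoice(sid: str, invoice_id: int) -> Optional[dict]:
    # Fix: authenticate via the session, then authorize against ownership
    # on the server, whatever the page did or did not show the user.
    user = SESSIONS.get(sid)
    if user is None:
        return None  # not logged in
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return None  # deny; do not reveal whether the object exists
    return inv


if __name__ == "__main__":
    sid = login("alice", "s3cret")
    print(session_cookie(sid))
    print(get_invoice(sid, 1001))          # alice's own invoice
    print(get_invoice(sid, 1002))          # None: tampered ID, not hers
    print(get_invoice_insecure(1002))      # the vulnerable version leaks it
    logout(sid)
    print(get_invoice(sid, 1001))          # None: session invalidated
```

The authorization decision lives entirely in `get_invoice`: it never looks at anything the client asserts about itself beyond the session cookie, and it returns the same result for "does not exist" and "not yours", so the object space cannot be enumerated. The "side-doors" the A3 slide lists (password change, remember me, forgot password) are exactly the places where `rotate_session` and `logout` tend to be forgotten.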
A5 – Cross Site Request Forgery (CSRF)

• Cross Site Request Forgery
   – An attack where the victim's browser is tricked into issuing a command to a vulnerable web application
   – Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request
• Imagine…
   – What if a hacker could steer your mouse and get you to click on links in your online banking application?
   – What could they make you do?
• Typical Impact
   – Initiate transactions (transfer funds, logout user, close account)
   – Access sensitive data
   – Change account details


A6 – Security Misconfiguration

• Web applications rely on a secure foundation
   – All through the network and platform
   – Don't forget the development environment
• Is your source code a secret?
   – Think of all the places your source code goes
   – Security should not require secret source code
• Configuration management (CM) must extend to all parts of the application
   – All credentials should change in production
• Typical Impact
   – Install backdoor through missing network or server patch
   – XSS flaw exploits due to missing application framework patches
   – Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration
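The A5 slide explains why CSRF works: the browser attaches the session cookie to every request, including ones another site caused. The defence follows from that: require something the browser does not attach automatically. The following is an added example, not code from the deck, of the synchronizer token pattern: a random per-session token stored on the server, embedded in the form, and compared in constant time on every state-changing request, with an Origin header check as a second layer. The session, form and origin values are constructed stand-ins for what a real framework would hand the handler; `bank.example` and `evil.example` are assumed host names.

```python
"""Added example (not from the slides): A5 CSRF defence with the
synchronizer token pattern plus an Origin check. Session and request
objects are constructed stand-ins for a real framework."""
import hmac
import secrets
from typing import Dict, Optional

# Constructed demo state: which session IDs are logged in, and the
# per-session anti-CSRF token (in a real app both live in the session store).
LOGGED_IN = {"victim-session"}
CSRF_TOKENS: Dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Create (or reuse) the per-session anti-CSRF token."""
    token = CSRF_TOKENS.get(session_id)
    if token is None:
        token = secrets.token_urlsafe(32)
        CSRF_TOKENS[session_id] = token
    return token


def render_transfer_form(session_id: str) -> str:
    # The token goes in a hidden field (or a custom header for XHR), never
    # only in a cookie: cookies are exactly what the browser auto-attaches.
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def transfer_vulnerable(cookie_session: Optional[str], form: Dict[str, str]) -> str:
    # A5: only the auto-sent session cookie is checked, so any page that can
    # make the victim's browser POST here succeeds.
    if cookie_session not in LOGGED_IN:
        return "401 not logged in"
    return f"200 sent {form['amount']} to {form['to']}"


def transfer_protected(cookie_session: Optional[str], form: Dict[str, str],
                       origin: Optional[str], site_origin: str) -> str:
    if cookie_session not in LOGGED_IN:
        return "401 not logged in"
    # Defence in depth: when the browser sends Origin, it must be our site.
    if origin is not None and origin != site_origin:
        return "403 bad origin"
    expected = CSRF_TOKENS.get(cookie_session)
    supplied = form.get("csrf_token", "")
    # Constant-time compare so the token cannot be recovered byte by byte
    # through response timing.
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), supplied.encode("utf-8")
    ):
        return "403 missing or wrong csrf token"
    return f"200 sent {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = "victim-session"            # constructed: the victim is logged in
    page = render_transfer_form(sid)  # the legitimate page carries the token
    forged = {"to": "attacker", "amount": "1000"}   # POSTed from evil.example
    print(transfer_vulnerable(sid, forged))
    print(transfer_protected(sid, forged, "https://evil.example", "https://bank.example"))
    legit = dict(forged, to="bob", amount="10", csrf_token=CSRF_TOKENS[sid])
    print(transfer_protected(sid, legit, "https://bank.example", "https://bank.example"))
```

The forged request carries the victim's cookie, so `transfer_vulnerable` accepts it. `transfer_protected` rejects it twice over: the Origin header names the attacker's site, and even with Origin absent (some clients and older browsers omit it) the request lacks a token the attacker has no way to read, because the same-origin policy keeps the bank's page contents away from evil.example.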
A7 – Failure to Restrict URL Access

• How do you protect access to URLs (pages)?
   – This is part of enforcing proper “authorization”, along with A4 – Insecure Direct Object References
• A common mistake …
   – Displaying only authorized links and menu choices
   – This is called presentation layer access control, and doesn’t work
   – Attacker simply forges direct access to ‘unauthorized’ pages
• Typical Impact
   – Attackers invoke functions and services they’re not authorized for
   – Access other users’ accounts and data
   – Perform privileged actions


A8 – Unvalidated Redirects and Forwards

• Web application redirects are very common
   – And frequently include user supplied parameters in the destination URL
   – If they aren’t validated, attacker can send victim to a site of their choice
• Forwards (aka Transfer in .NET) are common too
   – They internally send the request to a new page in the same application
   – Sometimes parameters define the target page
   – If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks
• Typical Impact
   – Redirect victim to phishing or malware site
   – Attacker’s request is forwarded past security checks, allowing unauthorized function or data access
• Live Example
   – http://www.youtube.com/redirect?username=digitalhook&q=http%3A%2F%2Fsecuritytube.net%2FSocial-Engineering-Attacks-using-Simple-Redirections-video.aspx&video_id=Vgc3NVVpb8c&event=url_redirect&url_redirect=True&usg=UE0DOmwjBRK-mgheFtW1hMTEvh4=
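Validating the destination parameter before issuing the redirect is the A8 mitigation the slide implies. The validator below is an added example, not from the slides; the allowed host list and the sample inputs are constructed, and it goes a little beyond the slide by covering the URL forms that commonly slip past naive “starts with /” checks (scheme-relative `//host`, backslashes, userinfo `@`, non-http schemes, control characters).

```python
"""Added example (not from the slides): accept a redirect target only if it is a
site-relative path or points at an allow-listed host; otherwise use a fixed page.
ALLOWED_HOSTS is a constructed allowlist."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "help.example.com"}  # constructed
SAFE_DEFAULT = "/"


def safe_redirect_target(target: str) -> str:
    """Return target if it is an acceptable destination, else SAFE_DEFAULT."""
    if not target or any(ord(c) < 0x21 for c in target):
        # Empty, whitespace or control characters: header injection and parser
        # disagreements between server and browser; refuse outright.
        return SAFE_DEFAULT
    if "\\" in target:
        # Browsers normalise "/\evil.example" to "//evil.example" (a new host).
        return SAFE_DEFAULT
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: only a single-slash, site-relative path is allowed.
        # "//host" is caught above (netloc set); "////host" and "evil.example" land here.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return SAFE_DEFAULT
    if parts.scheme.lower() not in ("http", "https"):
        return SAFE_DEFAULT  # javascript:, data:, and also "http:evil.example" (no netloc)
    host = parts.hostname    # lowercased; userinfo ("www.example.com@evil.example") and port removed
    if host is None or host not in ALLOWED_HOSTS:
        return SAFE_DEFAULT  # includes look-alikes such as www.example.com.evil.example
    return target


def redirect_response(requested_target: str) -> tuple:
    """What the handler would emit: status and Location header for the vetted target."""
    return "302 Found", {"Location": safe_redirect_target(requested_target)}


if __name__ == "__main__":
    # Constructed inputs a redirect parameter might carry.
    for candidate in ["/account/settings", "https://help.example.com/faq",
                      "//evil.example/", "/\\evil.example",
                      "https://www.example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:45s} -> {safe_redirect_target(candidate)}")
```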
A9 – Insecure Cryptographic Storage

• Storing sensitive data insecurely
   – Failure to identify all sensitive data
   – Failure to identify all the places that this sensitive data gets stored
      • Databases, files, directories, log files, backups, etc.
   – Failure to properly protect this data in every location
• Typical Impact
   – Attackers access or modify confidential or private information
      • e.g., credit cards, health care records, financial data (yours or your customers’)
   – Attackers extract secrets to use in additional attacks
   – Company embarrassment, customer dissatisfaction, and loss of trust
   – Expense of clean up: forensics, apology letters, reissuing credit cards, etc.
   – Business gets sued and/or fined


A10 – Insufficient Transport Layer Protection

• Transmitting sensitive data insecurely
   – Failure to identify all sensitive data
   – Failure to identify all the places that this sensitive data is sent
      • On the web, to backend databases, to business partners, internal communications
   – Failure to properly protect this data in every location
• Typical Impact
   – Attackers access or modify confidential or private information
      • e.g., credit cards, health care records, financial data (yours or your customers’)
   – Attackers extract secrets to use in additional attacks
   – Company embarrassment, customer dissatisfaction, and loss of trust
   – Expense of cleaning up the incident
   – Business gets sued and/or fined
Agenda

• Intro to the OWASP Top Ten
• How to Integrate the OWASP Top Ten into your SDLC
• How the OWASP Top Ten maps to compliance, standards and other drivers
• Conclusion


Integrating OWASP Top Ten into your SDLC

• Requirements: How to determine your security objectives
• Design: How to design mitigations with OWASP threats in mind
• Implementation: How to code defensively and implement mitigations for key threats
• Test: How to devise test plans and attacks against OWASP threats
• Deploy: How to deploy and configure your application with OWASP in mind
• Maintenance: How to scan for the OWASP threats in production
Integrating OWASP Top Ten into your SDLC
Determining Security Requirements & Objectives

• Identify goals and constraints that affect the confidentiality, integrity, and availability of your data and application
• Are used to:
   – Filter the Design Guidelines that are applicable
   – Scope and guide Architecture and Design reviews
   – Help set Code Review objectives
   – Guide Threat Modeling, Security Test Planning, Deployment Reviews

Objective Category – Questions to ask
• Tangible assets to protect
   – Are there user accounts, passwords, confidential information, intellectual property, etc. to protect?
   – Can this system be used as a conduit to access other corporate assets?
• Intangible assets to protect
   – Is there potential for an attack that may be embarrassing, although not otherwise damaging?
• Compliance requirements
   – Are there corporate security policies or standards that must be adhered to?
   – Are there security or privacy legislations you must comply with?
• Quality of service requirements
   – Are there specific availability or performance requirements you must meet?


Integrating OWASP Top Ten into your SDLC
Threat Modeling with Top Ten threats in mind

• Identify threats and vulnerabilities relevant for your application
   – What are the potential threats that could impact each asset?
   – For each threat, what attacks could realize the threat?
   – Use the OWASP Top 10 as a guide to potential attacks.
   – Determine countermeasures to mitigate vulnerabilities
• Perform in the architecture and design phase, as soon as:
   – You understand your security objectives and application architecture
• Update and improve iteratively:
   – When your security objectives and design change
   – During implementation, testing and deployment
• Some specific considerations
   – Legal, safety or contractual/customer requirements
Integrating OWASP Top Ten into your SDLC
Threat Modeling with OWASP threats in mind

• Secure software starts with understanding the threats
   – Threats are not vulnerabilities
      • Threats live forever; they are the attacker's goal

(Diagram relating Attacker, Threat, Vulnerability and Mitigation)


Integrating OWASP Top Ten into your SDLC
How to design mitigations with OWASP threats in mind

• Adopt a set of design guidelines that are:
   – Actionable. A vulnerability that can be mitigated through the guideline
   – Relevant. Associated with a vulnerability that could impact your application
   – Impactful. Represents a key engineering decision that will have wide-ranging impact
• Categorize your guidelines based on areas of highest risk
   – Describes the areas in which poor design can lead to security vulnerabilities
   – Allows the inclusion of additional guidelines or the refinement of existing guidelines based on newly discovered vulnerabilities
Integrating OWASP Top Ten into your SDLC
Best Practices for Secure Design

Category – Guidelines
• Input / Data Validation – Do not trust input; consider centralized input validation. Do not rely on client-side validation. Be careful with canonicalization issues.
• Authentication – Use strong passwords. Support password expiration periods and account disablement. Do not store credentials (use one-way hashes with salt).
• Authorization – Use least privileged accounts. Consider authorization granularity. Enforce separation of privileges. Restrict user access to system-level resources.
• Configuration Management – Use least privileged process and service accounts. Don’t store credentials in clear text. Don’t use Local Security Authority (LSA).
• Sensitive Data – Avoid storing secrets. Secure the communication channel. Provide strong access controls for sensitive data stores.
• Cryptography – Do not develop your own. Use proven and tested platform features. Keep unencrypted data close to the algorithm. Cycle your keys periodically. Avoid key management (use DPAPI).
• Exception Management – Use structured exception handling. Do not reveal sensitive application implementation details. Consider a centralized exception management framework.
• Auditing and Logging – Identify malicious behavior. Know what good traffic looks like. Audit and log activity through all application tiers. Secure access to log files.


Integrating OWASP Top Ten into your SDLC
How to code defensively and implement mitigations for key threats

• Goal: Reduce your risk by addressing OWASP Top 10 vulnerabilities in your implementation…
   – by using a set of implementation best-practices organized directly around the OWASP Top 10
• Now let’s see what this looks like for a few of the Top 10
A1 – Avoid Injection Flaws

• Recommendations
   1. Use an interface that supports bind variables (e.g., prepared statements, or stored procedures)
      • Bind variables allow the interpreter to distinguish between code and data
   2. Encode all user input before passing it to an interpreter
   – Always perform ‘white list’ input validation on all user supplied input
   – Always minimize database privileges to reduce the impact of a flaw


A2 – Avoiding XSS Flaws

• Recommendations
   – Eliminate Flaw
      • Don’t include user supplied input in the output page
   – Defend Against the Flaw
      • Primary Recommendation: Output encode all user supplied input (Use OWASP’s ESAPI to output encode: http://www.owasp.org/index.php/ESAPI)
      • Perform ‘white list’ input validation on all user input to be included in page
      • For large chunks of user supplied HTML, use OWASP’s AntiSamy to sanitize this HTML to make it safe. See: http://www.owasp.org/index.php/AntiSamy
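The A1 and A2 recommendations above carried through in code, as an added example that is not part of the slides and does not use ESAPI: a bind variable keeps the value out of the SQL parser, a white-list pattern bounds what a username may look like, and output encoding keeps stored values out of the HTML parser. The table, rows, username pattern and page markup are constructed for the demo; sqlite3 and `html.escape` from the standard library stand in for the application's own database driver and encoder.

```python
"""Added example (not from the slides): A1 bind variables and white-list validation,
A2 output encoding, shown on an in-memory sqlite3 table of constructed rows."""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", 0),
        ("bob", "bob@example.test", 0),
        ("root", "root@example.test", 1),
    ])
    return conn


def find_user_insecure(conn, name: str) -> list:
    """Vulnerable: concatenation lets the SQL interpreter parse the value as code."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user(conn, name: str) -> list:
    """Bind variable: the driver passes the value as data, whatever characters it holds."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")  # constructed white list for this app


def validate_username(name: str) -> str:
    """White-list validation: accept only the shape the application expects, reject the rest."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def render_profile_row(name: str, email: str) -> str:
    """Output encoding for both an attribute value and element text; quote=True
    makes html.escape cover & < > " and ', so a stored value cannot break out."""
    safe_name = html.escape(name, quote=True)
    safe_email = html.escape(email, quote=True)
    return f'<li data-user="{safe_name}">{safe_name} &lt;{safe_email}&gt;</li>'


def profile_page(conn, requested_name: str) -> str:
    """Validate on input, bind on query, encode on output."""
    name = validate_username(requested_name)
    rows = find_user(conn, name)
    return "<ul>" + "".join(render_profile_row(n, e) for n, e in rows) + "</ul>"


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"                       # constructed tampered parameter
    print(len(find_user_insecure(db, hostile)))    # 3: every row comes back
    print(find_user(db, hostile))                  # []: treated as a literal name
    print(profile_page(db, "alice"))
```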
Integrating OWASP Top Ten into your SDLC
Performing Security Code Reviews

• Code Review
   – Critical leverage point to reduce the number of implementation errors
   – Can be performed on every check-in, every build, or some other interval that works for your development process
   – One of the most impactful steps you can take toward more secure code
   – While design bugs are the most expensive to fix, implementation bugs are the most common
• OWASP Code Review Guide
   – http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents


Integrating OWASP Top Ten into your SDLC
Static analysis tools for a code review

• Should be used throughout the product cycle
   – DEVELOPERS use a lightweight version to check for simple bugs missed during development
   – BUILD MANAGERS or LAB TECHNICIANS use it to discover more sophisticated bugs at code integration time
   – TESTERS use it to ensure code coverage and discover complex sections of the product that should be tested more thoroughly
   – Example: IBM Rational AppScan Source Edition
• Find a lot of the common coding errors, faster than humans
   – Can drastically reduce the number of bugs which may be difficult to find in black box testing
   – But the same applies to hackers, who often use static analysis tools to find exploits
• Beware of False Positives and Negatives
   – False positives can result in wasted effort and a drain on security resources
Integrating OWASP Top Ten into your SDLC
How to devise test plans and attacks to test against OWASP threats

• Leverage your Threat Model for more focused and effective testing
• Security Testing
   – Functional test techniques cannot uncover security bugs
   – Designed to understand what the application is NOT supposed to do
   – Specific attacks should be applied to uncover vulnerabilities
• Many flaws are caused by environment interaction
   – what if a resource is not available?
   – will we page that to disk? If so, when?
• Many flaws are only discoverable after analyzing the application’s environment
   – discover sensitive information by sniffing the network
   – uncover temporary files


Integrating OWASP Top Ten into your SDLC
Web scanners

• PROS. Automates testing; finds common vulnerabilities
   – Rely on a constantly growing database of known vulnerabilities
   – Identify common vulnerabilities faster than manual efforts
   – Can discover a large amount of information about a device
      • Misconfigurations, exposed usernames/passwords, vulnerable scripts
      • Directory/file structure, helper files, Java applets, Flash/ActiveX controls
      • Forms, query strings, hidden fields, input validation, header information
   – Example: IBM Rational AppScan Enterprise Edition
• CONS. Scanners are just that – scanners
   – Limited to known vulnerabilities
      • Can’t detect business logic attacks
      • Difficult to find flaws caused by environment interaction
   – No prioritization of vulnerabilities
   – False positives are time consuming to validate
Integrating OWASP Top Ten into your SDLC
Best practices for using tools

• Sequencing of tool introduction is critical: “When?” is just as important as “Which?”
• Adopt when you have the ability to:
   – Interpret false positives
   – Fix the problems you are finding
   – Complement with manual test efforts
• Complement with sound process
   – What good are tools if not required and/or used at critical security gates?
• Complement with Training
   – Tools don’t make your organization more mature
   – Tools are more productive when you know what you are looking for and can use them to prevent problems down the road


Integrating OWASP Top Ten into your SDLC
Deployment Reviews

• Ensures application security is not compromised by poor configuration of NETWORK and/or HOST
   – even the most securely designed and implemented application can be compromised by an error during deployment
• Use server security categories
   – Patches & Updates, Files/Directories, Registry, Accounts, Ports, Services, Auditing and logging, Protocols, Shares
• Break down your deployment review
   – use categories to break down your application deployment for further analysis and to help identify vulnerabilities
• Review systematically
   – you can go through the deployment review process from start to finish or pick a particular category for further analysis
Agenda

• Intro to the OWASP Top Ten
• How to Integrate the OWASP Top Ten into your SDLC
• How the OWASP Top Ten maps to compliance, standards and other drivers
• Conclusion


The Corporate Application Compliance Framework
aligning development with management policies
OWASP Adopters & Users

• OWASP Top 10 in standards and frameworks
   – U.S. Federal Trade Commission (FTC)
   – U.S. Defense Information Systems Agency (DISA)
   – PCI-DSS
• How organizations use the OWASP Top 10
   – Microsoft: Top 10 threats are handled by security design and test procedures
   – NSA: in their developer guidance on web application security
   – Oracle: for developer awareness
   – IBM AppScan: maps source code findings to OWASP Top 10


Mapping OWASP Top Ten to PCI DSS v2.0

• OWASP and PCI
   • Previous version of PCI had explicit mapping to OWASP Top 10
   • Current version has direct references to OWASP and mappings to OWASP Top 10 entries
Mapping OWASP Top Ten to PCI DSS v2.0


Mapping OWASP Top Ten to PA DSS
HIPAA – Health Insurance Portability and Accountability Act

• Addresses the security and privacy of health data ...
• But Web application security or OWASP are not specifically called out in the HIPAA Security Rule
• That said, HIPAA requires:
   – A risk analysis and risk assessment
   – Depending on the risk rating, entities may need to ensure proper security controls are in place for web applications associated with electronic protected health information (ePHI)
• Which means that compliant apps must not have security vulnerabilities like the ones in the OWASP Top 10


Other standards are also vague on Application Security

• But an application can’t be compliant if vulnerable to an OWASP Top 10 risk:
   – SOX (US): seeks to protect investors by improving the accuracy and reliability of corporate disclosure.
   – GLBA (US): seeks to protect the personal information of consumers stored in financial institutions.
   – PIPEDA (Canada): The Personal Information Protection and Electronic Documents Act mandates that appropriate security measures be applied to personal data obtained in the course of commercial transactions.
   – 95/46/EC (Europe): European Union Directive 95/46/EC is a sweeping European Parliament directive designed to protect individuals from unregulated personal data access or transfer.
   – DPA (UK): The Data Protection Act mandates that the processing of sensitive personal data should be carried out with appropriate security in the interests of protecting the individual rights and privacy.
   – .... and there are many more....
ISO 27000 Series

• New ISO Standards (most are under development)
   – ISO 27000 : Information Security techniques, fundamentals and vocabulary
   – ISO 27001 : Information Security Management System Requirements (the standard to which an organization can certify)
   – ISO 27002 : Code of Practice (ISO 17799:2005, guidance for interpretation and implementation of controls)
   – ISO 27003 : ISMS Implementation (proposed)
   – ISO 27004 : Guide for Information Security Metrics and Measures (proposed)
   – ISO 27005 : Guide for Risk Management (currently BS 7799-3:2006)
   – ISO 27006 : International Accreditation Guidelines
• With one key standard still in its early stages
   – ISO 27034 : Guidelines for application security


PCI DSS mapped to ISO 27001 (and OWASP)
OWASP Top 10(s) vs WASC vs CWE vs CAPEC vs SANS

• Another big mapping can be found at: http://projects.webappsec.org/w/page/13246975/Threat-Classification-Taxonomy-Cross-Reference-View


Open SAMM

• New SDL from OWASP
• OWASP Top 10 is relevant in all 12 Security Practices
OWASP ESAPI

• The OWASP Enterprise Security API:
   – “....is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.”
   – http://www.owasp.org/index.php/ESAPI


ESAPI and OWASP Top 10
ESAPI and OWASP Top 10

• For in-depth coverage see John Melton’s blog post at: http://www.jtmelton.com/2009/01/03/the-owasp-top-ten-and-esapi/


Agenda

• Intro to the OWASP Top Ten
• How to Integrate the OWASP Top Ten into your SDLC
• How the OWASP Top 10 maps to compliance, standards and other drivers
• Conclusion
Conclusion

• The OWASP Top 10 was designed as a way to publicize the top threats on the web
• You can use it for:
   – Education
   – Organization of best practices and SDLC initiatives
   – As a call to action for your development organization
• The Top 10 maps well to a variety of industry and regulatory compliance standards
   – Protection against the Top 10 will help you fulfill your application security compliance requirements


How Security Innovation can Help

• TeamProfessor eLearning
   – OWASP Courses:
      • OWASP Top Ten: Threats & Mitigations
      • How to Test for the OWASP Top Ten
   – Many popular technologies
      • ASP.Net, Java, C/C++, .Net, Windows, C#, JRE
• TeamMentor: Secure Development Knowledgebase
   – Free OWASP Version: http://owasp.teammentor.com
• Secure SDLC Consulting
   – SDLC Assessment & Optimization
   – Code Review
   – Security Testing
Free OWASP eLearning Course
   http://www.teamprofessor.com

Free OWASP TeamMentor
   http://owasp.securityinnovation.com

Copy of Presentation
   getsecure@securityinnovation.com

Upcoming/Past Webinars
   www.securityinnovation.com/securitylab/elearning.shtml

Technical Contacts
   Jason Taylor – jtaylor@securityinnovation.com
   Dinis Cruz – dcruz@owasp.org