Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Transcription

1 Defend Your Web Applications Against the OWASP Top 10 Security Risks Speaker Name, Job Title

2 Application Security Is Business Continuity Maintain and grow revenue Identify industry threats Protect assets and customers

3 GOAL Threat Intel DDoS Mitigation Defense in Depth Anti-Fraud L7 WAF / Signatures / Zero day Bot Defense Identity / Access SSL Offload

4 Web app attacks are the #1 single source entry point of successful data breaches Web App Attacks User / Identity Physical 11% 33% 53% Other (VPN, PoS, infra.) 3%

5 But we still have a lot of other exposure Web App Attacks User / Identity 33% 53% Physical 11% Other (VPN, PoS, infra.) 3%

6 Secure Expedient Effective

7 Traditional WAF: Advanced WAF: OWASP Top 10 OWASP Top 10 Malicious Bots SSL/TLS Inspection SSL/TLS Inspection Credential Attacks Scripting Scripting API Attacks

8 Open Web Application Security Project

9 A broad consensus on the most critical web application security flaws

10 What do all of these attack vectors have in common? These are difficult and complex problems despite being well known, remain pervasive Building coverage into apps again and again is expensive if you can find the expertise Common vulnerabilities remain difficult to defend against in any case

11 A1:2017 Injection UserX OR 1=1; /* Web Application Successful Auth SQL DB

12 Decrypt and inspect parameter values

13 A2:2017 Broken Authentication

14 risk-based workflows Monitor requests

15 A3:2017 Sensitive Data Exposure

16 Sanitise output back-end software versions Enforce usage of SSL

17 A4:2017 XML External Entities (XXE) Attacker Host Malicious XML Request //etc/passwd XML Parser Web Application

18 Enforce HTTP JSON, XML, and SOAP API attack signatures

19 A5:2017 Broken Access Control

20 accessed by users with proper credentials

21 A6:2017 Security Misconfiguration

22 central point of control whitelisting

23 A7:2017 Cross-Site Scripting (XSS) Attackers coerce web apps to store and serve, or reflect malicious code back to a victim to be executed within a site they re visiting

24 Detect and filter URI metacharacters pre-defined parameter values

25 A8:2017 Insecure Deserialisation

26 Enforce HTTP JSON, XML, and SOAP JSON parser output

27 A8: Cross-Site Request Forgery (from previous Top 10) Phishing <malicious link> Fraudulent Transaction Bank Site

28 random nonce Limit application entry points

29 A9:2017 Using Components with Known Vulnerabilities

30 detect server software stacks advanced programmability

31 A10:2017 Insufficient Logging and Monitoring

32 to protect web apps at all layers threat visibility

33 What do all of these items have in common? These are difficult and complex problems despite being well known, remain pervasive Building coverage into apps again and again is expensive if you can find the expertise Common vulnerabilities remain difficult to defend against in any case

34 Effective protection against threats beyond the Top 10 Advanced WAF is more accessible and affordable than ever Here s the good news Comprehensive OWASP Top 10 support Dedicated team of researchers and engineers going the heavy lifting Advanced WAF Technology Policies are reusable and portable Flexible and expedient deployment options Defends apps of any size and variety

35 Beyond the Top 10 The OWASP Top 10 is just one piece of the app security puzzle Applications and vulnerabilities constantly change Good security tools can help reduce costs and give better business intel Go beyond vulnerabilities, and pursue a proactive security posture Push to make security part of the organisational culture where you work

36 Security programs are journeys of evolution Ongoing diligence and constant refinement

37 Key Takeaways These are complex concepts Difficult to defend against Costly Security programs are journeys of evolution WAF is accessible and affordable Protect against more than just the OWASP Top 10

38