OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Similar documents
OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Copyright

Applications Security

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

OWASP Top 10 The Ten Most Critical Web Application Security Risks

C1: Define Security Requirements

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Aguascalientes Local Chapter. Kickoff

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Web Application Vulnerabilities: OWASP Top 10 Revisited

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

OWASP TOP OWASP TOP

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Managed Application Security trends and best practices in application security

SECURITY TESTING. Towards a safer web world

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Your Turn to Hack the OWASP Top 10!

RiskSense Attack Surface Validation for Web Applications


Web Application Security. Philippe Bogaerts

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

Application Security Approach

Application Layer Security

Solutions Business Manager Web Application Security Assessment

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

CSWAE Certified Secure Web Application Engineer

Development*Process*for*Secure* So2ware

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Bank Infrastructure - Video - 1

Certified Secure Web Application Engineer

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

Hacking Web Sites OWASP Top 10

Secure Development Guide

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Using and Customizing Microsoft Threat Modeling Tool 2016

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

1 About Web Security. What is application security? So what can happen? see [?]

PRESENTED BY:

Security Communications and Awareness

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Presentation Overview

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

Mitigating Security Breaches in Retail Applications WHITE PAPER

Web Application Whitepaper

Welcome to the OWASP TOP 10

Web Applications Penetration Testing

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Security Communications and Awareness

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

V Conference on Application Security and Modern Technologies

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

WEB APPLICATION VULNERABILITIES

Certified Secure Web Application Security Test Checklist

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Exploiting and Defending: Common Web Application Vulnerabilities

Vulnerabilities in online banking applications

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Web Application Penetration Testing

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

6-Points Strategy to Get Your Application in Security Shape

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Top 10 Web Application Vulnerabilities

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Web Application Threats and Remediation. Terry Labach, IST Security Team

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Application security : going quicker

Security Best Practices. For DNN Websites

Secure Coding, some simple steps help. OWASP EU Tour 2013

OWASP TOP 10. By: Ilia

Integrity attacks (from data to code): Cross-site Scripting - XSS

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Introductions. Jack Katie

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

Continuously Discover and Eliminate Security Risk in Production Apps

Cybersecurity Education Catalog

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Web Application Security GVSAGE Theater

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Copyright

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Large Scale Generation of Complex and Faulty PHP Test Cases

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

IBM Future of Work Forum

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Evaluating the Security Risks of Static vs. Dynamic Websites

ShiftLeft. Real-World Runtime Protection Benchmarking

MBFuzzer - MITM Fuzzing for Mobile Applications

90% of data breaches are caused by software vulnerabilities.

GOING WHERE NO WAFS HAVE GONE BEFORE

Transcription:

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

What is the OWASP Top 10? A list of the top ten web application vulnerabilities Determined by OWASP and the security community at large Released every few years Most recently released in 2017 First release in 2003

What are the OWASP Top 10 Vulnerabilities for 2017? A1: Injection A2: Broken Authentication A3: Sensitive Data Exposure A4: XML External Entities (XEE) A5: Broken Access Control A6: Security Misconfiguration A7: Cross-Site Scripting A8: Insecure Deserialization A9: Using Components with Known Vulnerabilities A10: Insufficient Logging and Monitoring

OWASP Top 10 Breakdown Part 1 A1: Injection First placed at A1 in 2010 Best known for SQL Injection Occurs anytime untrusted input is used as an execution command.

OWASP Top 10 Breakdown Part 2 A2: Broken Authentication Broad category Covers issues such as Credential Stuffing, Insecure Password Reset, Session Management Issues, and Insufficient Password Complexity A3: Sensitive Data Exposure Covers the display of data, data at rest, and data in transit Sensitive data that does not need to be kept, should not be Sensitivity of data should be categorized Data should be protected in accordance with how sensitive it is

OWASP Top 10 Breakdown Part 3 A4: XML External Entities (XEE) Occurs when XML parsers allow loading of external entities Commonly occurs in older XML processors, as they are configured to allow loading of external entities by default Can be used to steal data, perform denial of service attacks, or map out the application and its environment A5: Broken Access Control The other auth and just as broad Centered around vulnerabilities that allow a user to have access to data and application functionality that the developers did not intend

OWASP Top 10 Breakdown Part 4 A6: Security Misconfiguration Occurs anytime an insecure default setting goes ignored or a server or application is configured without security in mind Examples include the application returning stack traces or other default messages to the client and vulnerabilities such as Web Cache Deception A7: Cross-Site Scripting Also known as XSS Occurs in applications that do not properly handle untrusted input Two most common flavors are Persisted and Reflected

OWASP Top 10 Breakdown Part 5 A8: Insecure Deserialization Deserialization is a process where structured data is taken and turned into an object Applications that use weak deserialization methods are vulnerable to Insecure Deserialization Native language serialization formats are often weak Makes it possible for data to be interpreted as code, or in a way that an attacker can take advantage of Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. OWASP Top 10-2017

OWASP Top 10 Breakdown Part 6 A9: Using Components with Known Vulnerabilities Just like in in-house code, vulnerabilities can pop up in 3rd party code and tools If the code is still supported, generally a patch can be applied If it s no longer supported, a replacement or workaround may be required A10: Insufficient Monitoring and Logging Logging and monitoring is often overlooked Proper logging provides valuable information to developers and security teams that can be used to improve weak points In the event of a breach, logging and monitoring data can be used to assist with quicker response times, reducing impact

Changes in the OWASP Top 10

Notable Changes the OWASP Top 10 from 2013 to 2017 Early versions of the 2017 list were intensely discussed. Over the course of 2017, the list was refined until it became what we have today.

Breakdown of Changes Between 2013 and 2017 Part 1 A1: Unchanged, Injection remains at the top spot A2: Broken Authentication and Session Management remains in the second spot Name has been shorted to simply Broken Authentication A3: Previously occupied by Cross-Site Scripting (XSS) Now Sensitive Data Exposure A4: The previous A4 category was Insecure Direct Object References A new category, XML External Entities (XEE) was placed here in 2017

Breakdown of Changes Between 2013 and 2017 Part 2 A5: In 2013, A5 went to Security Misconfiguration 2013 s A4 (Insecure Direct Object Reference) and A7 (Missing Function Level Access Control) categories have combined to become Broken Access Control A6: 2013 s A5, Security Misconfiguration has been placed at A6 in 2017 A7: Previously, this spot went to Missing Function Level Access Control Now occupied by Cross-Site Scripting (XSS)

Breakdown of Changes Between 2013 and 2017 Part 3 A8: The now removed category, Cross-Site Request Forgery, sat here in 2013 Insecure Deserialization (a new category) has been placed at A8 A9: Unchanged, remains as Using Components with Known Vulnerabilities A10: 2013 s A10, Unvalidated Redirects and Forwards, was removed from the Top 10 Now occupied by the new category, Insufficient Logging and Monitoring

Summary The OWASP Top 10 does not cover every web application security vulnerability The Top 10 is a fantastic foundation on which to build an application security plan that also considers the needs of the application and organization OWASP is a non-profit and is always looking for volunteer assistance for its projects, you can find their website here if you want to learn more

About Cypress Data Defense: Our goal is to help organizations secure their IT development and operations using a pragmatic, risk-based approach. The diverse background of our founders allows us to apply security controls to governance, networks, and applications across the enterprise. Contact us to learn more! https://www.cypressdatadefense.com/contact/ Email: info@cypressdatadefense.com Phone Number: 720.588.8133 REFERENCES: XKCD Exploits of a Mom https://xkcd.com/327/ OWASP Top 10-2017 https://www.owasp.org/images/7/72/owasp_top_10-2017_%28en%29.pdf.pdf

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback