Applications Security

Similar documents
OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Copyright

Web Application Vulnerabilities: OWASP Top 10 Revisited

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Application Layer Security

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

OWASP Top 10 The Ten Most Critical Web Application Security Risks

C1: Define Security Requirements

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Bank Infrastructure - Video - 1

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

1 About Web Security. What is application security? So what can happen? see [?]


PRESENTED BY:

Certified Secure Web Application Security Test Checklist

Hacking Web Sites OWASP Top 10

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Your Turn to Hack the OWASP Top 10!

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

OWASP TOP OWASP TOP

Sichere Software vom Java-Entwickler

GOING WHERE NO WAFS HAVE GONE BEFORE

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Top 10 Web Application Vulnerabilities

Welcome to the OWASP TOP 10

Certified Secure Web Application Engineer

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Web Application Whitepaper

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

CSWAE Certified Secure Web Application Engineer

Web Application Security. Philippe Bogaerts

EasyCrypt passes an independent security audit

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Solutions Business Manager Web Application Security Assessment

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Secure Development Guide

Web Application Threats and Remediation. Terry Labach, IST Security Team

Web Application Penetration Testing

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Security. Web Programming.

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Security Best Practices. For DNN Websites

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Aguascalientes Local Chapter. Kickoff

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

SECURITY TESTING. Towards a safer web world

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

eb Security Software Studio

TIBCO Cloud Integration Security Overview

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Engineering Your Software For Attack

Web Vulnerabilities. And The People Who Love Them

Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA

6-Points Strategy to Get Your Application in Security Shape

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Application. Security. on line training. Academy. by Appsec Labs

Managed Application Security trends and best practices in application security

F5 Big-IP Application Security Manager v11

About the OWASP Top 10

COMP9321 Web Application Engineering

F5 Application Security. Radovan Gibala Field Systems Engineer

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Web Application Security GVSAGE Theater

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Bugcrowd v1.6 - Nov. 2, 2018

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University

Exploiting and Defending: Common Web Application Vulnerabilities

Integrity attacks (from data to code): Cross-site Scripting - XSS

Secure Coding, some simple steps help. OWASP EU Tour 2013

Secure Programming Techniques

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018]

Development Security Guide Oracle Banking Virtual Account Management Release July 2018

COMP9321 Web Application Engineering

How to read security test report?

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

16th Annual Karnataka Conference

RiskSense Attack Surface Validation for Web Applications

Copyright

Information Security. Gabriel Lawrence Director, IT Security UCSD

Web Applications Penetration Testing

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Development*Process*for*Secure* So2ware

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

Vulnerabilities in online banking applications

Application Security Approach

Providing Secure, Fast and Available

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Transcription:

Applications Security OWASP Top 10 PyCon Argentina 2018

Objectives Generate awareness and visibility on web-apps security Set a baseline of shared knowledge across the company Why are we here / Trigger security-improving tasks in the projects

OWASP / www.owasp.org Open Web Application Security Project NPO focused on improving the security of software make software security visible individuals and organizations are able to make informed decisions PyCon Argentina 2018 A community that issues software tools and knowledge-based documentation.

OWASP Top 10 PDFs cheatsheets translations tools etc Los más buscados Broad consensus about the most critical security risks to web applications.

1 - Injection A1:2017-Injection Browser: http://example.com/app/accountview?id=xxx Some data... Backend: String query = " SELECT * FROM accounts WHERE custid='xxx' custid=' " "; + request.getparameter("id") + "'"; SQL DB

1 - Injection A1:2017-Injection Browser: http://example.com/app/accountview?id=' or '1'='1 ALL data... Backend: String String query query = = " " SELECT * SELECT * FROM accounts FROM accounts WHERE custid=' WHERE True " + request.getparameter("id") "; + "'"; SQL DB

1 - Injection A1:2017-Injection

2 - Broken Authentication A2:2017-Broken Authentication Weak passwords allowed? (such as "Password1" or "123456 ) Multi-factor authentication? Session data in the URL? https:// Web-app Backend AUTH Ineffective session/token management? (rotation, invalidation) Automated attacks allowed? (brute force, credential stuffing) Weak password recovery process? (such as "knowledge-based answers") Weakly encrypted/hashed passwords? (see A3:2017-Sensitive Data Exposure).

3 - Sensitive Data Exposure A3:2017-Sensitive Data Exposure Is encryption not enforced? (browser security directives or headers missing) data transmitted in clear text? (Verify internal & external Is proper key management traffic) or rotation missing? https:// Web-app Backend Does the app not verify if the received server certificate is valid? Are there default or weak cryptographic algorithms used? (by default or in older code) Is sensitive data stored in clear text? (including backups and logs)

4 - XML External Entities Extract data from the server: <?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo> Probe the server's private network: <!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]> Attempt a denial-of-service attack: <!ENTITY xxe SYSTEM "file:///dev/random" >]> A4:2017-XXE

5 - Broken Access Control A5:2017-Broken Access Control import django.contrib.auth The main threat to a Django application is between the monitor and keyword (it s you, the developer)

6 - Security Misconfiguration A6:2017-Security Misconf. Cloud or HW SO Clients KVS MQ API Services Services Services DB

6 - Security Misconfiguration A6:2017-Security Misconf. Cloud or HW SO Clients KVS MQ DEBUG =APITrue Services Services Services DB

7 - Cross-Site Scripting (XSS) A7:2017-XSS

8 - Insecure Deserialization A8:2017-Insecure Deserialization import pickle serialization Insecure Deserialization

8 - Insecure Deserialization A8:2017-Insecure Deserialization import # don'tpickle import pickle serialization Insecure Deserialization

9 - Using Components With Known Vulnerabilities A9:2017-Using Components with Known Vulnerabilities Cloud or HW SO Clients KVS MQ API Services Services Services DB

10 - Insufficient Logging & Monitoring A10:2017-Insufficient Logging & Monitoring

Risk Factor based on statistics and experience

Other not in the top-10 Cross-Site Request Forgery Uncontrolled Resource Consumption (CSRF) ('Resource Exhaustion', 'AppDoS') Unrestricted Upload of File with Dangerous Type User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others) Abducción Julio 2018 Unvalidated Forward and Redirects Improper Control of Interaction Frequency (Anti-Automation) Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content) Server-Side Request Forgery (SSRF)

And more https://imgs.xkcd.com/comics/2018_cve_list.png

Preguntas? Francisco Capdevila francisco.capdevila@mercadolibre.com @pancho_jay Carlos Matías de la Torre carlos.delatorre@mercadolibre.com @py_litox

Muchas Gracias

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback