Introductions. Jack Katie

Similar documents
Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

OWASP TOP 10. By: Ilia

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Web Application Security. Philippe Bogaerts

Your Turn to Hack the OWASP Top 10!

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Web Applications Penetration Testing

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS


Web Application Vulnerabilities: OWASP Top 10 Revisited

Large Scale Generation of Complex and Faulty PHP Test Cases

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Development*Process*for*Secure* So2ware

Online Intensive Ethical Hacking Training

Web Application Threats and Remediation. Terry Labach, IST Security Team

Certified Secure Web Application Engineer

Secure Programming Techniques

SECURITY TESTING. Towards a safer web world

6-Points Strategy to Get Your Application in Security Shape

OWASP Broken Web Application Project. When Bad Web Apps are Good

Aguascalientes Local Chapter. Kickoff

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Application Layer Security

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.


Managed Application Security trends and best practices in application security

CSWAE Certified Secure Web Application Engineer

371 International Journal of Scientific & Engineering Research, Volume 9, Issue 11, November

Using and Customizing Microsoft Threat Modeling Tool 2016

Applications Security

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University

David Rook. Agnitio Security code review swiss army knife. Hack in Paris, Paris

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Sichere Software vom Java-Entwickler

GOING WHERE NO WAFS HAVE GONE BEFORE

WebStore9 Services. Web Development Services

Protect your apps and your customers against application layer attacks

Application Security Approach

Website Design and Development CSCI 311

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

Introduction to PHP. Handling Html Form With Php. Decisions and loop. Function. String. Array

TIBCO Cloud Integration Security Overview

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Atlassian Crowdsourced Penetration Test Results: January 2018

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Web Application Whitepaper

Application. Security. on line training. Academy. by Appsec Labs

CIS 086 : Week 1. Web Development with PHP and MySQL

Ruby on Rails Secure Coding Recommendations

WEB HOSTING SERVICE OPERATING PROCEDURES AND PROCESSES UNIVERSITY COMPUTER CENTER UNIVERSITY OF THE PHILIPPINES DILIMAN

V Conference on Application Security and Modern Technologies

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Seth & Ken s Excellent Adventures in Secure Code Review. Training Course 17th & 18th of October. Table of Contents

Sichere Webanwendungen mit Java

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Backend Web Frameworks

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Solutions Business Manager Web Application Security Assessment

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

Welcome to the OWASP TOP 10

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Information Security. Gabriel Lawrence Director, IT Security UCSD

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications

Web Security: Web Application Security [continued]

Q Web Attack Analysis Report

CRAXweb: Web Testing and Attacks through QEMU in S2E. Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Domino Web Server Security

Business Logic Security

Web Security. Luke Anderson. 26 th May University Of Sydney.

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Upload to your web space (e.g., UCSC) Due this Thursday 4/8 in class Deliverable: Send me an with the URL Grading:

Continuously Discover and Eliminate Security Risk in Production Apps

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

1 About Web Security. What is application security? So what can happen? see [?]

PRESENTED BY:

C ISPA. Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification. Ben Stock 29th Annual FIRST Conference

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Exploiting and Defending: Common Web Application Vulnerabilities

Get in Touch Module 1 - Core PHP XHTML

Secure Development Guide

Presentation Overview

An analysis of security in a web application development process

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Sleeping Easy Secure development in the real world. Mark Young

Security Communications and Awareness

Transcription:

Main Screen Turn On

Hands On Workshop

Introductions Jack Skinner @developerjack Katie McLaughlin @glasnt

And what about you? (not your employer)

What s your flavour? PHP, Ruby, Python? Wordpress, Drupal, Magento?

What the CVE?

CVE Common Vulnerabilities and Exposures - Unique database of vulnerabilities - Identified by ID CVE-YYYY-NNNNNN - https://cve.mitre.org

OWASP Open Web Application Security Project - https://www.owasp.org OWASP Top 10 - Most common attack vectors for Web

OWASP Top 10 Injection Broken Authentication and Session Management Cross-Site Scripting (XSS) Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards

OWASP Top 10 Injection Broken Authentication and Session Management Cross-Site Scripting (XSS) Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards The Big Three Covered in Hands On

OWASP Top 10 Poor Authentication Injection Broken Authentication and Session Management Cross-Site Scripting (XSS) Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards

OWASP Top 10 Poor Authorisation Injection Broken Authentication and Session Management Cross-Site Scripting (XSS) Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards

OWASP Top 10 Injection Broken Authentication and Session Management Cross-Site Scripting (XSS) Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards The cause of much sadness

With CVEs come patches Free fixes!

How long has it been since you patched?

In the last 6 months Multiple Content Management System* CVEs - Wordpress 64 - Drupal 63 - Magento 7 - Joomla 1 *includes plugins cve.mitre.com

In the last 6 months Multiple Framework CVEs - Django 9 - Ruby on Rails 4 - Symfony 1 cve.mitre.com

In the last 6 months Multiple Language CVEs - PHP 41 - Perl 6 - Python 4 - Ruby 2 cve.mitre.com

It s not just your framework

In the last 12 months Multiple Major Operating System CVEs CVE-2014-6271 CVE-2015-0204 CVE-2015-3456

In the last 12 months also known as

Logos bring recognition

Don t forget your web servers!

Web Servers CVEs recorded against: - Nginx - Apache - IIS cve.mitre.com

It s not just your external stack

CRMs and Ticket Systems CVEs recorded against: - SugarCRM - JIRA - Confluence - Request Tracker and many more... cve.mitre.com

But... There s probably even more issues Responsible Disclosure is optional

Deprecated CMS Versions Are you running unpatched applications?

Example: Wordpress

Wordpress 2.x?

Wordpress 2.x? wat? Upgrade!!

Wordpress 3.x?

Wordpress 3.x? Upgrade!

Wordpress 4.0? Upgrade

Wordpress 4.1.1? Upgrade

Wordpress 4.2? Upgrade

Wordpress 4.2.2? Keep patches up to date

Deprecated Language Versions Are you running unpatched languages?

PHP What version are you running?

PHP 5.0, 5.1, 5.2?

PHP 5.0, 5.1, 5.2? Upgrade Unmaintained php.net/eol.php

PHP 5.3?

PHP 5.3? Upgrade Unmaintained php.net/eol.php

PHP 5.4, 5.5, 5.6?

PHP 5.4, 5.5, 5.6? Keep patches up to date

Ruby What version are you running?

Ruby 1.8?

Ruby 1.8? Upgrade Unmaintained

Ruby 1.9.3?

Ruby 1.9.3? Upgrade Unmaintained

Ruby 2.x?

Ruby 2.x? Keep patches up to date gem install bundle-audit

So just how much DON T we patch? Surely it s not *that* bad... right?

Estimated Insecure Installations PHP Python Perl % % % Drupal % Wordpress % Take a wild guess.

Estimated Insecure Installations PHP 74% Python 22% Perl 18% Drupal 55% Wordpress 40% Data from W3Techs, correlated by known linux distribution supposed numbers blog.ircmaxell.com/2014/12/php-install-statistics.html

But but but...

It s too hard! Upgrades are hard! Patching is boring!

No it s not. It s easier than losing your business

That won t happen to me

In the last 18 months

I m not big enough to be a target

Security through Obscurity in the real world of professional IT is over Eben Moglen, January 13, 2015 youtube.com/watch?v=oakrdzlu7au

So what can you do?

Patch your shit.

and...

Know the enemy

Let s do some hacking!

Repeat after me I do solemnly and sincerely and truly declare and affirm...

Repeat after me to use the following knowledge for good and not evil

Repeat after me for learning and not profit. And agree that if I break my oath I will

Repeat after me rebuild wordpress.com using nothing but Fortran, HTML tables and transparent GIFs.

Let s do some hacking!

joesbaconemporium.com canhazwifi yesyoucan

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback