OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Similar documents
OWASP Top 10 The Ten Most Critical Web Application Security Risks

SECURITY TESTING. Towards a safer web world

Lessons Learned from a Web Application Penetration Tester. David Caissy ISSA Los Angeles July 2017

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Development*Process*for*Secure* So2ware

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Applications Security

GOING WHERE NO WAFS HAVE GONE BEFORE

Web Application Penetration Testing

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Certified Secure Web Application Engineer

Web Application Security. Philippe Bogaerts

Web Application Vulnerabilities: OWASP Top 10 Revisited

C1: Define Security Requirements

Solutions Business Manager Web Application Security Assessment

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

OWASP TOP 10. By: Ilia

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Application Security Approach

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Application. Security. on line training. Academy. by Appsec Labs

Copyright

Web Applications Penetration Testing

Managed Application Security trends and best practices in application security

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University

V Conference on Application Security and Modern Technologies

CSWAE Certified Secure Web Application Engineer

Your Turn to Hack the OWASP Top 10!

Aguascalientes Local Chapter. Kickoff

Web Application Threats and Remediation. Terry Labach, IST Security Team

6-Points Strategy to Get Your Application in Security Shape

Application Layer Security

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

eb Security Software Studio

Welcome to the OWASP TOP 10

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Using and Customizing Microsoft Threat Modeling Tool 2016

OWASP TOP OWASP TOP

Web Security. Web Programming.

RiskSense Attack Surface Validation for Web Applications

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

Security Communications and Awareness

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Large Scale Generation of Complex and Faulty PHP Test Cases

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

PRESENTED BY:

Security Communications and Awareness

Continuously Discover and Eliminate Security Risk in Production Apps


Introductions. Jack Katie

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Domino Web Server Security

Developing Secure Systems. Associate Professor

Presentation Overview

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Application vulnerabilities and defences

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

1 About Web Security. What is application security? So what can happen? see [?]

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

Sichere Software vom Java-Entwickler

COMP9321 Web Application Engineering

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Notes From The field

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Application security : going quicker

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Web Application Whitepaper

OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST

OWASP Top Dave Wichers OWASP Top 10 Project Lead OWASP Board Member COO/Cofounder, Aspect Security

OWASP Application Security Building and Breaking Applications

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

Integrity attacks (from data to code): Cross-site Scripting - XSS

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

OWASP Top The Top 10 Most Critical Web Application Security Risks. The OWASP Foundation

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Information Security. Gabriel Lawrence Director, IT Security UCSD

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

How to read security test report?

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Sichere Webanwendungen mit Java

Transcription:

OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017

About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers 2

Agenda OWASP Top 10 2013 Overview Critics OWASP Top 10 2017 Changes Critics 3

OWASP Top 10 OWASP flagship project Started by Jeff Williams Project Leader: Dave Wichers Major Releases in 2004, 2007, 2010 and 2013 4

OWASP Top 10 The ten most critical web application security risks **NOT** The ten most critical web application X security vulnerabilities 5

OWASP Top 10 2013 Overview A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards 6

OWASP Top 10 2013 Critics A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards XSS and CSRF are injection vulnerabilities! Javascript (client side) different than SQL (server side)? 7

OWASP Top 10 2013 Critics A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards Should XSS and CSRF be merge together? 8

OWASP Top 10 2013 Critics A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards Reflected XSS Stored XSS DOM-based XSS 9

OWASP Top 10 2013 Critics A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards Same thing!!! 10

OWASP Top 10 2013 Critics A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards Should it be ranked higher? How are they ranked anyways? 11

OWASP Top 10 2013 Critics A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards Don t see much of these anymore 12

OWASP Top 10 2013 Critics A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards Better wording please? unvalidated is not even in the dictionary!!! 13

Did the Top 10-2013 catch everything? 14 Copyright 2016 Albero Solutions Inc. All rights reserved.

OWASP Top 10 2013 Critics Missing: Server-Side Request Forgery (SSRF) Lack of security logging Missing detection mechanisms Least privilege Probability vs impacts 15

OWASP Top 10 2017 March 2017: Release Candidate 1 Public comment period ended June 30 th, 2017 Oups, just got extended to August 25 th, 2017 Was August 2017, now late November 2017 16

Changes 2013 2017 17

A7 - Insufficient Attack Protection Detecting, responding to and blocking attacks Makes applications dramatically harder to exploit Missing in many systems Patching librairies takes weeks/months/years 18

A7 - Insufficient Attack Protection Attack Scenarios: 1. Scanned by an automated tool Should be detected quickly 2. Manual probing by a skilled attacker Tracking malicious intent 3. Attacker starts exploiting a new vulnerability How quickly can you release a patch? 19

A7 - Insufficient Attack Protection How to prevent this? 1. Early attack detection 2. Effective response 3. Quick patch release 20

A10 Underprotected APIs Rich clients (browser, mobile, servers) that connect to backend APIs Web Services (SOAP/XML, REST/JSON), GWT, AJAX, WebSockets, RPC, Designed to be used by programs (not humans) Vulnerable to common attacks Limited support from scanners 21

A10 Underprotected APIs How to prevent this? 1. Secured communication channel 2. Strong authentication scheme 3. Proper access control 4. Validate data format 5. Protect against injection attacks 22

Other Additions Server-Side Request Forgery (SSRF) under A8 23

OWASP Top 10 2017 Critics/Comments A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Broken Access Control A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Insufficient Attack Protection A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Underprotected APIs People seem happy about merging A4 and A7 back together 24

OWASP Top 10 2017 Critics/Comments A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Broken Access Control A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Insufficient Attack Protection A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Underprotected APIs Explicit reference to WAFs 25

OWASP Top 10 2017 Critics/Comments A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Broken Access Control A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Insufficient Attack Protection A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Underprotected APIs Added to help organizations focus on this major emerging exposure Already covered by the other 9 26

OWASP Top 10 2017 Critics/Comments Who s choosing what makes it to the Top 10? Based on 8 datasets from 7 firms? Focus on risks or awareness? Needs more emphasis on security logs (personal opinion) 27

Conclusion Personally: Happy with the new Top 10 Better than the previous version Reflects what I see in my penetration tests 28

Thank you! Don t hesitate if you have any question! dave@notools.net

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback