OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Similar documents
Copyright

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

OWASP Top 10 The Ten Most Critical Web Application Security Risks

C1: Define Security Requirements

OWASP TOP OWASP TOP

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

Aguascalientes Local Chapter. Kickoff

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Web Application Security. Philippe Bogaerts

Web Application Vulnerabilities: OWASP Top 10 Revisited

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Managed Application Security trends and best practices in application security

SECURITY TESTING. Towards a safer web world

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Solutions Business Manager Web Application Security Assessment

Bank Infrastructure - Video - 1

F5 Application Security. Radovan Gibala Field Systems Engineer

1 About Web Security. What is application security? So what can happen? see [?]

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Application vulnerabilities and defences

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Mitigating Security Breaches in Retail Applications WHITE PAPER

Security Testing White Paper

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Top 10 Web Application Vulnerabilities


Simplifying Application Security and Compliance with the OWASP Top 10

GOING WHERE NO WAFS HAVE GONE BEFORE

Applications Security

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Presentation Overview

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Application Layer Security

Hacking Web Sites OWASP Top 10

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Certified Secure Web Application Engineer

Exploiting and Defending: Common Web Application Vulnerabilities

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

COMP9321 Web Application Engineering

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Hacking Oracle APEX. Welcome. About

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Your Turn to Hack the OWASP Top 10!

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

CSWAE Certified Secure Web Application Engineer

Vulnerabilities in online banking applications

Web Application Penetration Testing

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Application security : going quicker

The Top 6 WAF Essentials to Achieve Application Security Efficacy

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

TIBCO Cloud Integration Security Overview

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Security Solutions. Overview. Business Needs

Web Application Whitepaper

IBM Future of Work Forum

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

RiskSense Attack Surface Validation for Web Applications

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

OWASP TOP 10. By: Ilia

Welcome to the OWASP TOP 10

INNOV-09 How to Keep Hackers Out of your Web Application

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Web Application Security GVSAGE Theater

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Secure Development Guide

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Development*Process*for*Secure* So2ware

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

The requirements were developed with the following objectives in mind:

Curso: Ethical Hacking and Countermeasures

Advanced Web Technology 10) XSS, CSRF and SQL Injection

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University

Evaluating the Security Risks of Static vs. Dynamic Websites

Loadbalancer.org WAF Gateway with Metaswitch EAS DSS/SSS

Securing Your Company s Web Presence

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

90% of data breaches are caused by software vulnerabilities.

CIT 380: Securing Computer Systems. Web Security II

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Transcription:

OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati

Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls

Why have a Top 10? Software runs the world (infrastructure, cars, voting, toaster) Developers are not perfect Developers are not security experts Software is complex and has to interact with other systems, apps, and business processes Open Source Software is not a panacea Software wants to be free (reuse) Software is a way in to other systems

Why Software Security Matters Cost The cost to fix a found, unexploited security vulnerability far outweighs the cost to prevent it. The cost of a successful exploit of the vulnerability increases by orders of magnitude The cost of lost time that could be spent writing new code over rewriting old code Brand and Reputational cost can decrease marketshare. Increases Time to Market when done right Not for initial roll out but for new versions Quicker testing Testing smaller chunks of code more often and more throughly Quicker fixes Mitigates vulnerabilities faster (think of how long it used to take from discovery to release fix) Quicker fixes improves brand image (responsiveness, takes security seriously, cares about ME)

By The Numbers Time and Cost to Fix www.securityinnovationeurope.com/the-business-case-for-security-in-the-software-development-lifecycle-sdlc

Getting it fixed before it breaks Vulnerabilities are introduced in code for a myriad of reasons Rush to market (which can/do lead to below being more common) Code Reuse (typically OSS) One study found that 77% of scanned IOT apps contained OSS and had an ave of 677 vulns per app Many vulns are years old and are high risk Those responsible for remediation are taking longer to fix, if at all Lack of developer secure coding training Lack of QA (testing, peer review) You MUST start early Requirements/Design/Architecture You MUST verify often QA/Security Testing/Peer Review You MUST invest in your teams by providing access to training

OWASP Top 10(s) OWASP Top 10 Web Risks OWASP Top 10 Privacy Risks OWASP Top 10 Mobile Risks OWASP Top 10 Proactive Controls

Top 10 Web Risks 2004 A1: Unvalidated Input A2: Broken Access Control A3: Broken Authentication and Session Management A4: Cross-Site Scripting (XSS) Flaws A5: Buffer Overflows A6: Injection Flaws A7: Improper Error Handling A8: Insecure Storage A9: Denial of Service A10: Insecure Configuration Management

Top 10 Web Risks 2017 A1: Injection A2: Broken Authentication A3: Sensitive Data Exposure A4: XML External Entities A5: Broken Access Control A6: Security Misconfiguration A7: Cross-Site Scripting (XSS) A8: Insecure Deserialization A9: Using Components with Known Vulnerabilities A10: Insufficient Logging and Monitoring

What s Old is New A1: Unvalidated Input A2: Broken Access Control A3: Broken Authentication & Session Management A4: Cross-Site Scripting (XSS) A6: Injection Flaws A10: Insecure Configuration Management A1: Injection A2: Broken Authentication A5: Broken Access Controls A6: Security Misconfiguration A7: Cross-Site Scripting (XSS) A8: Insecure Deserialization

Changes to 2017

2013 vs 2017

Top 10: A1 A5 A1: Injection Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. A2: Broken Authentication Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users identities temporarily or permanently. A3: Sensitive Data Exposure Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. A4: XML External Entities (XEE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. A5: Broken Access Control Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users data, change access rights, etc.

Top 10: A6 A10 A6: Security Misconfiguration Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion. A7: Cross-Site Scripting XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. A8: Insecure Deserialization Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. A9: Using Components Known Vulns Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. A10: Insufficient Logging and Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

Top 10 Proactive Controls (2018) 1. Define Security Requirements ( 1?, New) 2. Leverage Security Frameworks and Libraries (9) 3. Secure Database Access (6?, New) 4. Encode and Escape Data (3, partially) 5. Validate All Inputs (4) 6. Implement Digital Identity (5, sort of) 7. Enforce Access Controls (6?) 8. Protect Data Everywhere (7, expanded) 9. Implement Security Logging and Monitoring (8) 10.Handle All Errors and Exceptions (10)

Top 10 Proactive Controls (2016) 1. Verify for Security Early and Often 2. Parameterize Queries 3. Encode Data 4. Validate All Inputs 5. Implement Identity and Authentication Controls 6. Implement Appropriate Access Controls 7. Protect Data 8. Implement Logging and Intrusion Detection 9. Leverage Security Frameworks and Libraries 10.Error and Exception Handling

Top 10 Mobile Risks (2016) Improper Platform Usage Insecure Data Storage Insecure Communication Insecure Authentication Insufficient Cryptography Insecure Authorization Client Code Quality Code Tampering Reverse Engineering Extraneous Functionality

Top 10 Privacy Risks (2014) Web App Vulnerabilities Operator sided Data Leakage Insufficient Data Breach Response Insufficient Deletion of Personal Data Non-Transparent Policy, Terms & Conditions Collection of data not required for the primary purpose Sharing of data with third party Outdated personal data Missing or Insufficient Session Expiration Insecure Data Transfer

Questions

Apendix https://www.owasp.org/images/7/72/owasp_top_10-2017_%28en%29.pdf.pdf https://www.owasp.org/index.php/mobile_top_10_2016-top_10 https://www.owasp.org/index.php/owasp_top_10_privacy_risks_ Project#tab=Top_10_Privacy_Risks_2 https://www.owasp.org/index.php/owasp_proactive_controls https://www.slideshare.net/mobile/hacker0x01/owasp-top-10-2017-84029876?from_action=save www.securityinnovationeurope.com/the-business-case-for-securityin-the-software-development-lifecycle-sdlc https://www.synopsys.com/content/dam/synopsys/sigassets/reports/2018-ossra.pdf

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback