
//ALPHA.1 OWASP Knoxville Application Security Then and Now. Make a Difference Now 2015 June 11 Phil Agcaoili.

Presentation transcript:

1 //ALPHA.1 OWASP Knoxville Application Security Then and Now. Make a Difference Now 2015 June 11 Phil Agcaoili

2 A Career Path… printf("hello, world\n");

3 Why OWASP is VERY Important! source: Checkmarx

4 OWASP 10 – Then and Now: Not Substantially Different

    OWASP Top 10 – 2001-2004 Edition            OWASP Top 10 – 2013 Edition
    ---------------------------------------------------------------------------------------
    A1  Unvalidated Input                       A1  Injection
    A2  Broken Access Control                   A2  Broken Authentication and Session Management
    A3  Broken Authentication and Session Mgmt  A3  Cross-Site Scripting (XSS)
    A4  Cross Site Scripting                    A4  Insecure Direct Object References
    A5  Buffer Overflow                         A5  Security Misconfiguration
    A6  Injection Flaws                         A6  Sensitive Data Exposure
    A7  Improper Error Handling                 A7  Missing Function Level Access Control
    A8  Insecure Storage                        A8  Cross-Site Request Forgery (CSRF)
    A9  Application Denial of Service           A9  Using Components with Known Vulnerabilities
    A10 Insecure Configuration Management       A10 Unvalidated Redirects and Forwards

*Challenging for automation tools

5 The Intent of OWASP
– The Top 10 is about managing risk, not just avoiding vulnerabilities.
– Take a big picture approach to application security.
– Being in the OWASP Top 10 doesn't mean it's the most important problem facing your organization.

6 Keep it simple…It’s not as difficult as you think it is.


8 START SMALL
BUILD THE MOMENTUM OF SUCCESS

9 HOPE FOR SERENDIPITY
The occurrence and development of events by chance in a happy or beneficial way.

10 ACHIEVE BUY-IN FROM MANAGEMENT AND EMPLOYEES
Provide opportunities for teams and clear advantages for the company.


12 TAKE APPLICATION SECURITY ONE STEP AT A TIME
Allow the organization to grow into the process rather than dropping it on the teams all at once.

13 EDUCATE YOUR DEVELOPERS AND GET THEM WRITING SECURE CODE

14 RECRUIT THE SMART PEOPLE IN THE DEV TEAMS TO ACT AS CHAMPIONS
Senior developers with a need to learn something new, or junior developers with the motivation to move ahead within the organization.

15 GET THE RIGHT PARTNERS TO HELP YOU

16 NETWORK SECURITY CANNOT PREVENT APPLICATION BREACHES ON ITS OWN
STATIC ANALYSIS SHOULD BE PERFORMED AT EARLIER DEVELOPMENT STAGES
Web Application Firewalls (WAF) and/or RASP should be used as temporary band-aids for non-remediated vulnerabilities.

17 CAUTION WITH AUTOMATION
Tools make educated guesses that require validation by trained humans. Peer code reviews with trained peers are still the best option.

18 Phil Agcaoili
– Distinguished Fellow and Fellows Chairman, Ponemon Institute
– Board of Advisors, PCI Security Standards Council (SSC)
– Contributor, NIST Cybersecurity Framework version 1
– Co-Founder & Board Member, Southern CISO Security Council
– Founding Member, Cloud Security Alliance (CSA)
– Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF) – AICPA SOC
@hacksec
https://www.linkedin.com/in/philA

