Presentation transcript:

Slide 1: The Owasp Source code flaws Top 10 Project
OWASP EU09 Poland
Paolo Perego, Owasp SCf_Top10 Project leader, Spike Reply
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Slide 2: Agenda
OWASP AppSecEU09 Poland
- Why do we need another Top 10
- The source code flaws top 10

Slide 3: $ whoami
- Senior, Spike Reply srl
- Offense: application penetration test
- Defense: application security, code review, SSDLC design
- Owasp project leader: Owasp Orizon, Owasp Source code flaws Top 10
- Owasp Italy board member

Slide 4: Do we need another Top 10?

Slide 5: Why do we need another Top 10
- The Owasp Top 10 is great at describing what is wrong with a web application when it is dynamically tested
- Schemes like CWE are great at categorising vulnerabilities
- The Source code flaws Top 10 was born to:
  - pair with the classic Owasp Top 10 document
  - give the Owasp Code review guide, Owasp Orizon and Owasp Code Crawler a way to summarize the flaws found when a web application is statically analyzed
- Categories != Vulnerabilities

Slide 6: The Source code flaws top 10
- C1 - Design Weakness
- C2 - Architectural Weakness
- C3 - Missing input validation
- C4 - Insecure communications
- C5 - Information leakage and improper error handling
- C6 - Direct object reference
- C7 - Misuse of local resources
- C8 - Usage of potentially dangerous APIs
- C9 - Documentation weakness
- C10 - Best practices violation

Slide 7: The SCF Top 10: C1 - Design Weakness
- Safe coding starts from designing an application with security in mind
- Safe design starts with a threat modeling activity and continues with designing the classes and the database schema
- Can reveal an SDLC workflow weakness
- A design weakness can be detected at an early stage of the SDLC, before development starts
- It addresses how the application is designed

Slide 8: The SCF Top 10: C1 - Design Weakness
Can be a design weakness:
- missing threat modeling
- no questionnaire is submitted to the customer
- no extra care is taken for sensitive data stored in a database
- a class field scope is public
- two or more main methods are present in different application classes
- duplicated functionalities are present in the application design
- ...

Slide 9: The SCF Top 10: C2 - Architectural Weakness
- With the word architecture we mean:
  - the underlying application server / operating system
  - auxiliary systems such as the mail server, DNS server, ...
  - the overall application subsystems and how they are connected
- Can reveal an SDLC workflow weakness
- An architectural weakness can be detected at an early stage of the SDLC, before development starts
- It addresses how the architecture is built

Slide 10: The SCF Top 10: C2 - Architectural Weakness
Can be an architectural weakness:
- no hardening guidelines are expected to be applied to the operating system, DBMS, mail server, ...
- the architecture is designed by the developers themselves
- ...

Slide 11: The SCF Top 10: C3 - Missing input validation
- The category that gathers together the first two points of the Owasp Top 10 (Cross site scripting, Injection flaws)
- There is an input validation vs output validation debate
- Can be a missing input validation when:
  - there is no data filtering policy applied when managing user supplied data
  - input filtering is not centralized
- The most risky vulnerabilities are here

Slide 12: The SCF Top 10: C4 - Insecure communications
- Matches the corresponding classic Top 10 entry on the source code side
- We don't care about invalid certificates here; we care about how the communication APIs are used
- Easy to spot with code crawling
- Can be an insecure communication vulnerability:
  - missing cryptography usage
  - usage of weak functions such as MD5 or SHA1
  - missing secure attribute for cookies
  - ...

Slide 13: The SCF Top 10: C5 - Information leakage and improper error handling
- Matches the corresponding classic Top 10 entry on the source code side
- To avoid false positives, a manual code review is better at spotting these vulnerabilities
- It evaluates how the code manages:
  - error conditions
  - exceptions
  - log / debug messages
  - database data

Slide 14: The SCF Top 10: C5 - Information leakage and improper error handling
Can be an info leakage and improper error handling:
- using System.out or System.err in a J2EE application
- empty catch block
- not all exceptions are caught
- method return value is ignored
- no checks performed on method parameters (to spot null values)
- ...

Slide 15: The SCF Top 10: C6 - Direct object reference
- Matches the corresponding classic Top 10 entry on the source code side
- No magic here
- Easy to spot with a manual review

Slide 16: The SCF Top 10: C7 - Misuse of local resources
- Often code doesn't handle OS resources fairly
- Resources that can be misused: disk space, memory, CPU time
- Can be a misuse of local resources:
  - not checking for available disk space prior to I/O
  - not freeing your malloc()'ed memory
  - spawning too many processes
  - double free()
  - ...

Slide 17: The SCF Top 10: C8 - Usage of potentially dangerous APIs
- Ideal for matching source code crawling findings
- Known frameworks and languages have potentially dangerous keywords that should not be used
- Can be detected with:
  - a blind code crawl (potentially with some false positives)
  - a code crawl adding inference on the arguments passed to the keyword
- Should be marked as a low criticality vulnerability unless manually reviewed
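As an added illustration of the code-crawl approach described for C8, together with the C4 weak-hash and C5 console-output / empty-catch patterns from the earlier slides, the Python below is not from the talk nor from Owasp Orizon or Code Crawler. It runs a few regex rules over a constructed Java snippet and shows how inference on the argument of MessageDigest.getInstance avoids flagging the SHA-256 call; the rule set and the low/medium severity labels are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed Java input (not from the talk); each commented line carries one flaw.
SAMPLE_JAVA = """\
public class Account {
    void audit(String user) {
        System.out.println("audit " + user);
    }
    String digest(byte[] data) throws Exception {
        MessageDigest weak = MessageDigest.getInstance("MD5");
        MessageDigest fine = MessageDigest.getInstance("SHA-256");
        return new String(weak.digest(data));
    }
    void run(String cmd) throws Exception {
        Runtime.getRuntime().exec(cmd);
        try { cmd.length(); } catch (Exception e) { }
    }
}
"""

@dataclass
class Finding:
    line: int
    category: str   # SCF Top 10 category id, e.g. "C8"
    severity: str   # "low" for blind keyword hits, "medium" when argument inference confirms
    message: str

# Blind keyword rules: a hit is reported as low severity pending manual review.
BLIND_RULES = [
    ("C5", re.compile(r"\bSystem\.(out|err)\."), "console output instead of a logging framework"),
    ("C5", re.compile(r"\bcatch\s*\([^)]*\)\s*\{\s*\}"), "empty catch block swallows the exception"),
    ("C8", re.compile(r"\bRuntime\.getRuntime\(\)\.exec\("), "process spawn; review the command origin manually"),
]
WEAK_HASHES = {"MD5", "SHA1", "SHA-1"}
HASH_CALL = re.compile(r'MessageDigest\.getInstance\(\s*"([^"]+)"\s*\)')

def crawl(source: str) -> List[Finding]:
    """Line-based crawl: blind keyword rules first, then argument inference for hash calls."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for cat, pattern, msg in BLIND_RULES:
            if pattern.search(text):
                findings.append(Finding(lineno, cat, "low", msg))
        # Inference: flag the digest call only when the algorithm literal is weak,
        # so the SHA-256 call on the next line is not a false positive.
        m = HASH_CALL.search(text)
        if m and m.group(1).upper() in WEAK_HASHES:
            findings.append(Finding(lineno, "C4", "medium", f"weak hash function {m.group(1)}"))
    return findings

if __name__ == "__main__":
    for f in crawl(SAMPLE_JAVA):
        print(f"line {f.line:2d} {f.category} {f.severity:6s} {f.message}")
```

The empty-catch rule only sees a catch that opens and closes on one line; a multi-line empty catch needs a parser rather than a line regex, which is the kind of false negative the slide's "unless manually reviewed" caveat covers.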

Slide 18: The SCF Top 10: C9 - Documentation weakness
- Yes... we're lazy and we love coding instead of writing documentation
- Look at the Orizon code... I know what I'm saying (is it correct Dinis? :-))
- A documentation weakness can be:
  - missing documentation in the code; it is easy to spot automatically
  - poor documentation in the code; it is easy to spot with a manual review of the code together with the developer that wrote it
  - missing or unsuitable documentation used in the SDLC
  - ...

Slide 19: The SCF Top 10: C10 - Best practices violation
- The garbage collector vulnerability category
- All the issues not included in the other 9 categories fall here
- It addresses missing or violated best practices normally applied to source code or to the SDLC process

Slide 20: Some key values before we leave...
- The venerable Owasp Top 10 doesn't fit code review findings very well
- This Top 10 can be the glue between the Code Review and Testing guides
- We don't want to enumerate checks to be done or keywords to avoid: these are already there in the Testing and Code review guides
- Just flaw categories

Slide 21: Before we leave
Thanks to:
- OWASP
- the Italian chapter and its board
- the mailing list gang
- my Mom
- my Wife

Slide 22: Some links
- Owasp Source Code Flaws Top 10 link
- Homepage: de_Flaws_Top_10_Project_Index