Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Presentation transcript:

OWASP 1 Why WebAppsec Matters
Module (to be combined), OWASP Education Project
Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP 2 What goes Wrong?

OWASP 3 Public Health Warning
• XSS and CSRF have evolved
• Any website you visit could infect your browser
• An infected browser can do anything you can do
• An infected browser can scan, infect, spread
• 70-90% of web applications are ‘carriers’

OWASP 4 Key Application Security Vulnerabilities

OWASP 5 Tools – At Best 45%
• MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE)
• They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)

OWASP 6 Myth
Myth: we are secure because we have a firewall
75% of Internet vulnerabilities are at the web application layer *
* Gartner Group (2002 report)

OWASP 7 Myth
Source: Jeremiah Grossman, BlackHat 2001

OWASP 8 Myth
• Myth 2: we are secure because we use SSL
  • only secures data in transit
  • does not solve vulnerabilities on:
    • web server
    • browser

OWASP 9 Myth
Source: Jeremiah Grossman, BlackHat 2001

OWASP 10 Myth
[Diagram: an application attack passing through the network layer (firewall, hardened OS, web server, app server, firewall) into the application layer (custom developed application code, databases, legacy systems, web services, directories, human resources, billing).]
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
Your security “perimeter” has huge holes at the application layer.

OWASP 11 What is Web Application Security?

OWASP 12 Web Application Security
• Combination of
  • people,
  • processes,
  • and technology
• to identify, measure, and manage risk
• presented by COTS (*), open source, and custom web applications.
(*) Commercial Off The Shelf

OWASP 13 People, Processes, Technology
[Diagram: the three areas People, Processes and Technology, with the items Awareness, Training, Guidelines, Secure Development, Secure Configuration, Security Testing, Secure Code Review, Automated Testing and Application Firewalls.]

OWASP 14 Web Application (in)Security Trends

OWASP 15 Trends
• Business demands more bells and whistles
• Internal applications get ‘web-enabled’ and are exposed to the intranet or Internet
• Increasing complexity of software
• Rush software out without adequate testing
• Poor security training and awareness

OWASP 16 Vulnerabilities: OWASP Top 10 (v 2007)
• A1: Cross site scripting (XSS)
• A2: Injection flaws
• A3: Malicious file execution
• A4: Insecure direct object reference
• A5: Cross site request forgery (CSRF)
• A6: Information leakage and improper error handling
• A7: Broken authentication and session management
• A8: Insecure cryptographic storage
• A9: Insecure communications
• A10: Failure to restrict URL access
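The deck names cross-site scripting twice, on the Public Health Warning slide and as A1 in the 2007 Top 10, and the SSL myth slide says transport encryption does nothing for flaws in the server or browser, but none of the slides shows what the flaw looks like in code. The following is an added example in Python, not code from the OWASP slides: a page fragment that interpolates untrusted input raw, the same fragment with context-appropriate output encoding, and a check built on the standard-library HTML parser that reports what a browser would treat as active content in each. Note that nothing here touches the network: the encoding step is part of the application, and an unencoded payload would travel over SSL just as happily as over plain HTTP. The two sample inputs, the function names and the check are constructed for this illustration.

```python
"""Added example, not from the OWASP slides: OWASP 2007 A1, cross-site
scripting. Renders untrusted input into two HTML contexts (element body and
attribute value), once raw and once with output encoding, and uses the
standard-library HTML parser to check what a browser would treat as active
content. All inputs and helper names are constructed for this illustration."""
import html
from html.parser import HTMLParser

# Constructed sample inputs, as they might arrive in a form field.
UNTRUSTED_NAME = "<script>alert(1)</script>"
UNTRUSTED_ATTR = '" autofocus onfocus="alert(1)'


def render_vulnerable(name: str, value: str) -> str:
    """Before: untrusted data is interpolated straight into the markup."""
    return (f"<p>Welcome, {name}!</p>\n"
            f'<input name="display" value="{value}">')


def render_hardened(name: str, value: str) -> str:
    """After: encode for the context being written into. html.escape with
    quote=True covers both the element body and a double-quoted attribute."""
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=True)
    return (f"<p>Welcome, {safe_name}!</p>\n"
            f'<input name="display" value="{safe_value}">')


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes as the parser sees them
    (attribute values are entity-decoded, as a browser would do)."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup: str) -> list[tuple[str, dict]]:
    """Parse a fragment and return [(tag_name, {attr: value}), ...]."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def active_content(markup: str) -> list[str]:
    """Describe each script element or on* event-handler attribute the
    parser finds. An empty list means no injected text became markup."""
    findings = []
    for tag, attrs in parsed_tags(markup):
        if tag == "script":
            findings.append("script element")
        for attr in attrs:
            if attr.startswith("on"):
                findings.append(f"{tag}@{attr}")
    return findings


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        out = render(UNTRUSTED_NAME, UNTRUSTED_ATTR)
        print(f"--- {label} ---\n{out}\nactive content: {active_content(out)}")
```

Running the block prints both renderings; the vulnerable one yields a script element and an `onfocus` handler on the input, the hardened one yields none, and the parser shows the encoded attribute value decoding back to exactly the submitted string, which is what the user should see on the page. The check is deliberately parser-based rather than a regular expression over the text, because the encoded output still contains the substring `onfocus=`; what matters is whether the HTML parser treats it as an attribute.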

OWASP 17 Attacks
• Defacements
• Phishing
• Denial of Service
• Credit Card Stealing
• Bot Infection
• ...
See the Web Hacking Incidents Database on