Finding and Fighting the Causes of Insecure Applications


1 Finding and Fighting the Causes of Insecure Applications
Jeff Williams, OWASP Chair
New York/New Jersey Chapter Meeting, June 12, 2007

2 Public Health Warning: XSS and CSRF have evolved
Any website you visit could infect your browser
An infected browser can do anything you can do
An infected browser can scan, infect, spread
70-90% of web applications are ‘carriers’

3 Key Application Security Vulnerabilities
A1: Cross Site Scripting (XSS)
A2: Injection Flaws
A3: Malicious File Execution
A4: Insecure Direct Object Reference
A5: Cross Site Request Forgery (CSRF)
A6: Information Leakage and Improper Error Handling
A7: Broken Authentication and Session Management
A8: Insecure Cryptographic Storage
A9: Insecure Communications
A10: Failure to Restrict URL Access
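As an added illustration of two of the listed categories, A1 (XSS) and A5 (CSRF), the following defender-side Python example is not from the presentation or from OWASP. It places the unsafe string concatenation beside an output-encoded version, and issues a per-session CSRF token that is checked with a constant-time comparison. The `session` dictionary is an assumed stand-in for a server-side session store, and the sample input is constructed.

```python
import hmac
import html
import secrets
from typing import Optional

# Constructed sample input (not from the presentation): a reflected parameter
# carrying markup, the shape of input that A1 (XSS) is about.
UNTRUSTED_NAME = '<script>alert(1)</script>'


def render_greeting_unsafe(name: str) -> str:
    """'Before' form: untrusted input concatenated straight into HTML.

    Any markup in `name` becomes part of the page, which is the A1 defect.
    """
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened form: HTML-entity-encode the value for the element-content context.

    html.escape encodes &, <, > and, with quote=True, also " and ', so the
    browser renders the text instead of parsing it as markup.
    """
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def issue_csrf_token(session: dict) -> str:
    """Create an unguessable per-session token and remember it server-side.

    `session` is an assumed stand-in for a real server session store.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_hidden_field(session: dict) -> str:
    """Embed the session's token in a form; escaped, because it lands in an attribute."""
    token = session.get("csrf_token") or issue_csrf_token(session)
    return '<input type="hidden" name="csrf_token" value="%s">' % html.escape(token, quote=True)


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept a state-changing request only if the submitted token matches the session.

    A cross-site page can make the victim's browser send the request, but it
    cannot read the token out of the victim's own form, so a forged request
    fails here. compare_digest keeps the comparison constant-time.
    """
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    print(render_greeting_unsafe(UNTRUSTED_NAME))
    print(render_greeting_safe(UNTRUSTED_NAME))
    sess = {}
    print(csrf_hidden_field(sess))
    print(verify_csrf_token(sess, sess["csrf_token"]), verify_csrf_token(sess, "forged"))
```

The encoding choice is context-specific: `html.escape` is right for element content and quoted attribute values, while a value placed inside a script block or a URL needs the encoder for that context instead.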

4 Tools – At Best 45%
MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE).
They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).

5 OWASP Knowledge and Tools
Everything people need to understand and practice application security:
Core Application Security Knowledge Base
Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services
Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review
Managing Application Security: Guidance and Tools for Measuring and Managing Application Security
Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
AppSec Education and CBT: Web Based Learning Environment and Education Project
Research to Secure New Technologies: Research Projects on Securing New Technologies (like Web Services & Ajax)

6 OWASP Community Platform
Everything people need to understand and practice application security:
Projects (tools and documentation): Core Application Security Knowledge Base, Acquiring and Building Secure Applications, Verifying Application Security, Managing Application Security, Application Security Tools, AppSec Education and CBT, Research to Secure New Technologies
Chapters
AppSec Conferences
OWASP Community Platform (wiki, forums, mailing lists, leaders)
OWASP Foundation 501c3 (finances, legal, infrastructure, communications)

7 OWASP Projects Are Alive!
Timeline: 2001, 2003, 2005, 2007, 2009
The Testing is alive…
When they say “print is dead” they don’t mean it’s out of style – it’s static, not living!
Do you have a bookshelf of security books? When’s the last time you opened them? They don’t have answers to today’s problems because they’re dead.
It’s a process for translating security principles to the latest technologies and getting them to developers fast. It’s an evolving, growing, living thing.

8 www.owasp.org (our wiki)

9 OWASP by the Numbers
420,000 page views per month
15,000 downloads per month (SF alone)
10,000 members on mailing lists
2,600 wiki users
1,500 wiki updates per month
89 chapters worldwide
75 individual memberships
38 tool and documentation projects
28 corporate/educational memberships
25 new projects funded through Spring of Code
0 employees

10 How Can You Help?
Update the wiki!
Share!
Push us to do better!
Become a member

11 Thank You for Supporting OWASP!
OWASP Worldwide: 10,000 chapter and project members around the world
