Presentation is loading. Please wait.

Presentation is loading. Please wait.

Relevance of the OWASP Top 10

Published byHarvey Allen Modified over 5 years ago

Similar presentations

Presentation on theme: "Relevance of the OWASP Top 10"— Presentation transcript:

1 Relevance of the OWASP Top 10
Mike Woolard Manager of risk and compliance - OEC @wooly6bear

2 Slides available at: wooly6bear.wordpress.com

3 Testing the 2017 OWASP Top 10 with the Zed Attack Proxy (ZAP) December
Disclaimer Getting Started with OWASP Zed Attack Proxy (ZAP) for Web Application Penetration Testing Testing the 2017 OWASP Top 10 with the Zed Attack Proxy (ZAP) December AUTHOR

4 Define “Relevance”

5 WHO WHAT WHERE WHEN WHY HOW

6 WHAT

7

8 OWASP

9 OWASP Top 10

10 OWASP TOP 10 2017 RC1 A1: Injection
A2: Broken Authentication & Session A6: Sensitive Data Exposure OWASP TOP RC1 A1: Injection A7: Insufficient Attack Protection A5: Security Misconfiguration A4: Broken Access Control A3: XSS – Cross Site Scripting A8: CRSF – Cross Site Request Forgery A9: Vulnerable Components A10: Underprotected APIs

11

12

13

14 OWASP TOP 10 2017 RC2 A1: Injection
A2: Broken Authentication & Session A3: Sensitive Data Exposure OWASP TOP RC2 A1: Injection A4: XXE - XML External Entity A6: Security Misconfiguration A5: Broken Access Control A7: XSS – Cross Site Scripting A8: Insecure Deserialization A9: Vulnerable Components A10: Insufficient Log & Monitoring

15 Developers QA/Testers Blue Teamer Red Teamer WHO Students Me

16 WHERE Capture the Flag Pentesting / Assess App Build Process
Compliance Training / School

17 Egor Homakov

18 A1: Solved for with modern frameworks
A2: Solved with auth libraries A3: Solved for with modern frameworks A4: not solved A5: not solved A6: Solved with https (not entirely the problem) A7: Too vendor oriented for this list A8: Solved with token A9: Patch A10: Solved with experience

19 A0: Use Modern Frameworks

20 “If you aren’t maintaining some PHP app written 10 years ago, Top 10 list is irrelevant to you.”
Egor Homakov

21 https://insights.stackoverflow.com/survey/2017?

22 42%

23 78%

24 ? QUESTION

25 “…the original goal of the OWASP Top 10 project was simply to raise awareness amongst developers…”

26 Prepared by: christian.heinrich@owasp.org

27

28 “…as has been the problem all along, is that no one looks at 11-20, which are real problems….”
Bill Sempf (cwcid )

29 RISK

30 ? QUESTION

31 Compliance standards like PCI-DSS drive security programs.
Is it good or bad that they specifically call out the need to scan for the OWASP Top10 in your code?

32 “…[Insert Tool/Service Name] aims to protect web applications from all the attacks in the OWASP Top 10…”

33

34

35

36 Name of Company/Organization Company/Organization Web Site
Timestamp Name of Company/Organization Company/Organization Web Site How many web applications do the submitted results cover? What were the primary programming languages the applications you reviewed written in? 5/31/2016 edgescan 356 Java, .NET, PHP 7/15/2016 Veracode 44627 7/18/2016 Branding Brand 200 Java, PHP, Node.js, Objective-C 7/19/2016 Paladion Networks 1400 Vantage Point 111 7/20/2016 iBLISS Segurança & Inteligência 148 AsTech Consulting 54 Java, .NET 7/22/2016 Contrast Security 3734 Java, .NET, Node.js 8/31/2016 Minded Security 110 Aspect Security 155

37

38

39 ? QUESTION

40 We use broken web applications for training, what base of vulnerabilities are they always built on?

41 Security Shepherd Juice Shop bWapp Webgoat Mutillidae

42 Application Security Verification Standard
Focus Application Security Verification Standard Testing Guide

43 Verify for Security Early and Often
Parameterize Queries Encode Data Validate All Inputs Implement Identity and Authentication Controls Implement Appropriate Access Controls Protect Data Implement Logging and Intrusion Detection Leverage Security Frameworks and Libraries Error and Exception Handling

44 Thank You….. Questions? Mike Woolard @wooly6bear
Manager of risk and compliance - OEC @wooly6bear

45 Slides available at: wooly6bear.wordpress.com

Download ppt "Relevance of the OWASP Top 10"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Webgoat.

Webgoat.
Don’t Teach Developers Security Caleb Sima Armorize Technologies.

Don’t Teach Developers Security Caleb Sima Armorize Technologies.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.

DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.
OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.

OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.
A Demo of and Preventing XSS in.NET Applications.

A Demo of and Preventing XSS in.NET Applications.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Web Application Security

Web Application Security
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead
The OWASP Way Understanding the OWASP Vision and the Top Ten.

The OWASP Way Understanding the OWASP Vision and the Top Ten.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Similar presentations

Ads by Google