Presentation is loading. Please wait.

Presentation is loading. Please wait.

Getting benefits of OWASP ASVS at initial phases

Published byBrittney Underwood Modified over 5 years ago

Similar presentations

Presentation on theme: "Getting benefits of OWASP ASVS at initial phases"— Presentation transcript:

1 Getting benefits of OWASP ASVS at initial phases
15 june, 2018 Getting benefits of OWASP ASVS at initial phases NDS {OSLO} 2018 Oleksandr kazymyrov EVRY PUBLIC

2 Introduction

3 What is a secure application?
Introduction Security Development Lifecycle (SDL) What is a secure application? S.M.A.R.T. criteria

4 Specific Measurable Achievable Relevant Time Limited
Is it clearly described and understandable? Specific How will you know when you are reached it? Measurable Are you able to accomplish it? Achievable Is the web application criterion in line with business needs? Relevant When do you want to achieve it? Time Limited

5 Achievability OWASP Top – A2 Broken Authentication

6 Achievability and Pareto principle
Result 20% EFFORT Effort 80 % RESULTS

7 What changed from 2013 to 2017? Deserialization vulnerability

8 OWASP Top 10 2017 through the S.M.A.R.T. prism
Specific Measurable Achievable Relevant Time Limited No: general High level: yes Low level: somewhat OWASP Top Somewhat N/A / Yes N/A / Yes

9 about the most critical security risks
OWASP Top “The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications.” “The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications.” about the most critical security risks

10 OWASP Application Security Verification Standard (ASVS)

11 From PCI DSS to OWASP ASVS
NIST SP-800-XXX OWASP SANS Penetration Test Guidance NIST SP OWASP Testing Guide OSSTMM ... OWASP ASVS PCI DSS mapping MITRE CWE OWASP Top 10

12 Key parts of OWAS ASVS (v3.0.1)
Scope for the application security verification standard Description of security verification levels Requirements / Controls Standards Mappings

13 What is covered by OWAS ASVS?
Web Applications Server Configuration Mobile Clients Web Services Communication

14 OWASP ASVS Levels Security 3 2 1 Advanced Standard Opportunistic
Cursory Opportunistic Standard Advanced Security 3 2 1

15 OWAS ASVS verification controls (v3.0.1)

16 General level profiles

17 OWAS ASVS verification controls
V3: Session Management Verification Requirements V2: Authentication Verification Requirements

18 Operation / Deployment
OWASP ASVS Architecture Operation / Deployment Mobile & WS Development OWASP ASVS PCI DSS OWASP Top 10

19 OWASP Top 10 2017 vs OWASP ASVS Top 10 ASVS Coverage Web applications*
Full stack Perspective Black box White box Measurable Somewhat Yes Product size Small / Medium Medium / Large Scalability Flat Flexible

20 Application of OWASP ASVS

21 Level definition for LS2 and CHC
LoginSevice2 LS2 stays in front of almost all applications It is the first major security barrier LS2 helps to retrieve tokens (i.e., Secure Object) and hand over it to the 3rd party applications Available through the Internet Cardholder Client CHC is a part of EVRY’s NetBank (online banking) It can be integrated with any 3rd party web application EVRY’s NetBank is protected by LoginsService2 in front of CHC After logging in CHC uses SO as the main parameter in session management OWASP ASVS Level 3 OWASP ASVS Level 2 (3)

22 Compliance selection at EVRY Financial Services
FINODS Highly Sensitive Moderate Sensitive Low Sensitive SWW - Self Service Non-Portal Applications over Internet L3 L2 SSP - Self Service Portal Applications over Internet CSW - Non-Portal Applications over dedicated Office Channel L1 CSP - Portal Applications over dedicated Office Channel ESI - Web Services Applications over Internet ESS - Integrated customer solutions over service layer

23 Non-OWASP ASVS security methodology

24 Product owners / architects & technical testing team
Product Owner / Architect Security Testing Department Define security requirements for AUT Perform security assessment to verify defined requirements Prepare the software architecture document (SAD), NFR checklist and security risk analysis document. Verify SAD, NFR and SRA to be compliant with defined security expectations Identify particular focus areas for code review, and participate follow-up meetings. Complete security code review to verify source code do not contain vulnerabilities Ensures that business and project goals are met Report on deviations from security expectations Gather results in the form of new or updated standards, guidelines and best practices Keep up-to-date knowledge on new threads, vulnerabilities trends

25 OWASP Software Assurance Maturity Model (SAMM) and ASVS

26 Pre-Engagement Engagement Post-Engagement Applicability Cleaning up
Information Gathering Vulnerability Analysis Attack Modeling Exploitation Evidence Retention Cleaning up Reporting Remediation Mitigation Retesting Scoping Rules of Engagement Success Criteria Sign Off Pre-Engagement Engagement Post-Engagement

27 Conclusions

28 Is the application secure? Security Development Lifecycle (SDL)
OWASP ASVS S.M.A.R.T. criteria Is the application secure? Security Development Lifecycle (SDL)

29 Presentation Title

Download ppt "Getting benefits of OWASP ASVS at initial phases"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Bill McClanahan – Principal Business Consultant LPS Integration.

Bill McClanahan – Principal Business Consultant LPS Integration.
I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
0-1 Team # Status Report (1 of 4) Client Contact –Point 1 –Point 2 Team Meetings –Point 1 –Point 2 Team Organization –Point 1 –Point 2 Team #: Team Name.

0-1 Team # Status Report (1 of 4) Client Contact –Point 1 –Point 2 Team Meetings –Point 1 –Point 2 Team Organization –Point 1 –Point 2 Team #: Team Name.
0-1 Team # Status Report (1 of 4) Client Contact –Status Point 1 –Status Point 2 Team Meetings –Status Point 1 –Status Point 2 Team Organization –Description.

0-1 Team # Status Report (1 of 4) Client Contact –Status Point 1 –Status Point 2 Team Meetings –Status Point 1 –Status Point 2 Team Organization –Description.
COMP8130 and 4130Adrian Marshall 8130 and 4130 Test Design & Documentation Adrian Marshall.

COMP8130 and 4130Adrian Marshall 8130 and 4130 Test Design & Documentation Adrian Marshall.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP

PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP
BD / Pre SalesPMO Analysis / Requirements DesignDevelopmentTest / UATDeployMaintain PHASES ERP (AX) Implementation Lifecycle Sales/BD AX Solution.

BD / Pre SalesPMO Analysis / Requirements DesignDevelopmentTest / UATDeployMaintain PHASES ERP (AX) Implementation Lifecycle Sales/BD AX Solution.
Information Security Issues at Casinos and eGaming

Information Security Issues at Casinos and eGaming
A Framework for Automated Web Application Security Evaluation

A Framework for Automated Web Application Security Evaluation
 Computer security policy ◦ Defines the goals and elements of an organization's computer systems  Definition can be ◦ Highly formal ◦ Informal  Security.

 Computer security policy ◦ Defines the goals and elements of an organization's computer systems  Definition can be ◦ Highly formal ◦ Informal  Security.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Auditing Information Systems (AIS)

Auditing Information Systems (AIS)
AREVA T&D Security Focus Group - 09/14/091 Security Focus Group A Vendor & Customer Collaboration EMS Users Conference September 14, 2009 Rich White AREVA.

AREVA T&D Security Focus Group - 09/14/091 Security Focus Group A Vendor & Customer Collaboration EMS Users Conference September 14, 2009 Rich White AREVA.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
ENISA efforts for securing European Internet Infrastructure

ENISA efforts for securing European Internet Infrastructure
Project Success Factors when using System Development Life Cycle IT Symposium October 2015 By Edward M. Dennis.

Project Success Factors when using System Development Life Cycle IT Symposium October 2015 By Edward M. Dennis.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations

Ads by Google