Published by Osborne Cunningham. Modified over 8 years ago.
Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
Why WebAppsec Matters
Module (to be combined), Education Project
OWASP 2 What Goes Wrong?
OWASP 3 Public Health Warning
XSS and CSRF have evolved.
Any website you visit could infect your browser.
An infected browser can do anything you can do.
An infected browser can scan, infect, spread.
70-90% of web applications are "carriers".
OWASP 4 Key Application Security Vulnerabilities
http://www.owasp.org/index.php?title=Top_10_2007
OWASP 5 Tools: At Best 45%
MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE).
They found very little overlap between tools, so to get to 45% you need all of them (assuming their claims are true).
OWASP 6 Myth
Myth: we are secure because we have a firewall.
75% of Internet vulnerabilities are at the web application layer.*
*Gartner Group (2002 report)
OWASP 7 Myth
[Figure. Source: Jeremiah Grossman, BlackHat 2001]
OWASP 8 Myth
Myth 2: we are secure because we use SSL.
SSL only secures data in transit.
It does not solve vulnerabilities on the web server or in the browser.
OWASP 9 Myth
[Figure. Source: Jeremiah Grossman, BlackHat 2001]
OWASP 10 Myth
[Diagram: an APPLICATION ATTACK passes through the Network Layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the Application Layer (Custom Developed Application Code) and on to Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing.]
You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
Your security "perimeter" has huge holes at the application layer.
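The claim on this slide, together with the Public Health Warning on slide 3 (an infected browser does whatever the user can do), in working code. This is an added example and not part of the OWASP deck: the search handler, the in-memory sqlite schema, the hostname app.example.test and the three sample requests are all constructed for illustration. It shows that a request carrying SQL injection (A2) or an XSS payload (A1) is, to the network layer, indistinguishable from a legitimate one (a well-formed HTTP GET that a TLS session would wrap unchanged), and that the only place the attack can be stopped is the application code, with a bound parameter and output encoding.

```python
import html
import sqlite3
from urllib.parse import parse_qs, quote, urlsplit


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the 'Databases' box.
    Only non-admin users are meant to be visible through /search."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.test", 0),
         ("bob", "bob@example.test", 0),
         ("root", "root@example.test", 1)],
    )
    return db


def make_request(q: str) -> str:
    """Build a syntactically valid HTTP/1.1 GET for /search?q=<q>.
    The hostname is a placeholder; the request is constructed, not captured."""
    return ("GET /search?q=" + quote(q, safe="") + " HTTP/1.1\r\n"
            "Host: app.example.test\r\n"
            "User-Agent: constructed-sample/1.0\r\n\r\n")


def network_layer_check(raw: str) -> bool:
    """Everything a firewall, a structural IDS rule or a TLS terminator can
    confirm about the request: it is a well-formed GET to a local path with
    a Host header.  The benign and the hostile requests below all pass."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    return (len(parts) == 3
            and parts[0] == "GET"
            and parts[1].startswith("/")
            and parts[2] == "HTTP/1.1"
            and any(line.lower().startswith("host:") for line in lines[1:]))


def parse_request(raw: str) -> dict:
    """Extract the decoded query parameters; this is where the payload
    materialises, one layer below anything the network perimeter inspects."""
    target = raw.split("\r\n")[0].split(" ")[1]
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def vulnerable_search(db: sqlite3.Connection, params: dict) -> str:
    """A2 Injection flaw and A1 XSS in one handler: the parameter is glued
    into the SQL text and echoed raw into the HTML response."""
    q = params.get("q", [""])[0]
    sql = "SELECT name FROM users WHERE name = '" + q + "' AND is_admin = 0"
    names = [row[0] for row in db.execute(sql)]
    return "<p>Results for " + q + ": " + ", ".join(names) + "</p>"


def hardened_search(db: sqlite3.Connection, params: dict) -> str:
    """Same feature, fixed at the application layer: a bound parameter keeps
    the input out of the SQL grammar, output encoding keeps it out of the
    HTML grammar.  Nothing at the network layer had to change."""
    q = params.get("q", [""])[0]
    sql = "SELECT name FROM users WHERE name = ? AND is_admin = 0"
    names = [row[0] for row in db.execute(sql, (q,))]
    return ("<p>Results for " + html.escape(q) + ": "
            + ", ".join(html.escape(n) for n in names) + "</p>")


# Constructed sample inputs: one legitimate query, one SQL injection that
# comments out the is_admin filter, and one XSS payload that would make the
# victim's browser issue a request the victim never intended.
BENIGN = "alice"
SQLI = "' OR 1=1 --"
XSS = '<script>fetch("/transfer?to=attacker")</script>'


def run_all() -> dict:
    """Return, per sample, whether the perimeter let it through and what the
    vulnerable and the hardened handler produced."""
    db = make_db()
    out = {}
    for label, q in (("benign", BENIGN), ("sqli", SQLI), ("xss", XSS)):
        raw = make_request(q)
        params = parse_request(raw)
        out[label] = {
            "perimeter_passes": network_layer_check(raw),
            "vulnerable": vulnerable_search(db, params),
            "hardened": hardened_search(db, params),
        }
    return out


if __name__ == "__main__":
    for label, result in run_all().items():
        print(label, result)
```

Running it shows all three requests passing the perimeter check; the vulnerable handler leaks the admin account to the injection request and reflects the script tag to the XSS request, while the hardened handler returns no rows for the injection and an encoded, inert string for the script.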
OWASP 11 What is Web Application Security?
OWASP 12 Web Application Security
A combination of people, processes, and technology to identify, measure, and manage the risk presented by COTS (*), open source, and custom web applications.
(*) Commercial Off-The-Shelf
OWASP 13 People, Processes, Technology
People: Awareness, Training, Guidelines
Processes: Secure Development, Secure Configuration, Security Testing, Secure Code Review
Technology: Automated Testing, Application Firewalls
OWASP 14 Web Application (in)Security Trends
OWASP 15 Trends
Business demands more bells and whistles.
Internal applications get "web-enabled" and are exposed to the intranet or the Internet.
Increasing complexity of software.
Software is rushed out without adequate testing.
Poor security training and awareness.
OWASP 16 Vulnerabilities: OWASP Top 10 (2007)
A1: Cross-site scripting (XSS)
A2: Injection flaws
A3: Malicious file execution
A4: Insecure direct object reference
A5: Cross-site request forgery (CSRF)
A6: Information leakage and improper error handling
A7: Broken authentication and session management
A8: Insecure cryptographic storage
A9: Insecure communications
A10: Failure to restrict URL access
OWASP 17 Attacks
Defacements
Phishing
Denial of Service
Credit card stealing
Bot infection
...
See the Web Hacking Incidents Database at http://www.webappsec.org/projects/whid/