Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Slide 1: Why WebAppsec Matters. Module (to be combined), OWASP Education Project. The OWASP Foundation, http://www.owasp.org

Slide 2: What goes wrong?

Slide 3: Public Health Warning
- XSS and CSRF have evolved
- Any website you visit could infect your browser
- An infected browser can do anything you can do
- An infected browser can scan, infect, spread
- 70-90% of web applications are 'carriers'

Slide 4: Key Application Security Vulnerabilities. See http://www.owasp.org/index.php?title=Top_10_2007

Slide 5: Tools – At Best 45%
- MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE)
- They found very little overlap between tools, so to get to 45% you need them all (assuming their claims are true)

Slide 6: Myth 1: we are secure because we have a firewall. 75% of Internet vulnerabilities are at the web application layer (source: Gartner Group, 2002 report).

Slide 7: Myth (image slide). Source: Jeremiah Grossman, BlackHat 2001.

Slide 8: Myth 2: we are secure because we use SSL
- SSL only secures data in transit
- It does not solve vulnerabilities on the web server or in the browser

Slide 9: Myth (image slide). Source: Jeremiah Grossman, BlackHat 2001.

Slide 10: Myth (diagram slide). Diagram labels: network layer: Firewall, Hardened OS, Web Server, App Server, Firewall; application layer: Custom Developed Application Code, with back ends Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing; an arrow labelled APPLICATION ATTACK passes straight through the network layer into the application code.
- You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
- Your security "perimeter" has huge holes at the application layer
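Added illustration of the point on slides 8 and 10 (not from the OWASP deck): a port-level filter, which is all a network firewall or SSL endpoint can see, passes a benign request and a request carrying a reflected-XSS probe identically, while the control that actually neutralises the probe lives in the application layer (contextual HTML escaping). The hostname, URLs and the `greet` page are constructed for the example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic: one benign request and one carrying the textbook
# reflected-XSS probe in the "name" parameter. Both are ordinary HTTPS GETs.
REQUESTS = [
    {"dst_port": 443, "url": "https://shop.example/greet?name=Alice"},
    {"dst_port": 443,
     "url": "https://shop.example/greet?name=%3Cscript%3Ealert(1)%3C/script%3E"},
]

def network_layer_filter(req):
    """What a packet filter (or the SSL terminator) can decide on: is this a
    permitted flow to the web tier? The HTTP content is opaque to it."""
    return req["dst_port"] in (80, 443)

def _name_param(req):
    # parse_qs percent-decodes the value, just as the application would.
    return parse_qs(urlsplit(req["url"]).query).get("name", [""])[0]

def render_greeting_unsafe(req):
    """Application code that reflects request input straight into HTML:
    the A1 (XSS) flaw the slides list."""
    return f"<p>Hello, {_name_param(req)}!</p>"

def render_greeting_safe(req):
    """Same page with the application-layer control: escape everything
    that came from the request before it lands in HTML body context."""
    return f"<p>Hello, {html.escape(_name_param(req), quote=True)}!</p>"

def contains_active_content(fragment):
    """Crude check for the demo: does the rendered HTML contain a live
    script element?"""
    return "<script" in fragment.lower()

def evaluate(req):
    """Summarise what each layer saw and whether the page ends up infected."""
    return {
        "passed_network_filter": network_layer_filter(req),
        "unsafe_page_has_script": contains_active_content(render_greeting_unsafe(req)),
        "safe_page_has_script": contains_active_content(render_greeting_safe(req)),
    }

if __name__ == "__main__":
    for req in REQUESTS:
        print(req["url"], evaluate(req))
```

The network filter returns True for both requests; only the escaped rendering removes the script from the second one.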

Slide 11: What is Web Application Security?

Slide 12: Web Application Security is the combination of people, processes and technology used to identify, measure and manage the risk presented by COTS (commercial off-the-shelf), open source and custom web applications.

Slide 13: People, Processes, Technology. Items shown: Awareness Training, Guidelines, Secure Development, Secure Configuration, Security Testing, Secure Code Review, Automated Testing, Application Firewalls.

Slide 14: Web Application (in)Security Trends

Slide 15: Trends
- Business demands more bells and whistles
- Internal applications get 'web-enabled' and are exposed to the intranet or Internet
- Increasing complexity of software
- Software is rushed out without adequate testing
- Poor security training and awareness

Slide 16: Vulnerabilities: OWASP Top 10 (2007)
- A1: Cross site scripting (XSS)
- A2: Injection flaws
- A3: Malicious file execution
- A4: Insecure direct object reference
- A5: Cross site request forgery (CSRF)
- A6: Information leakage and improper error handling
- A7: Broken authentication and session management
- A8: Insecure cryptographic storage
- A9: Insecure communications
- A10: Failure to restrict URL access

Slide 17: Attacks
- Defacements
- Phishing
- Denial of Service
- Credit card stealing
- Bot infection
- ... see the Web Hacking Incidents Database at http://www.webappsec.org/projects/whid/
