Relevance of the OWASP Top 10
Mike Woolard, Manager of Risk and Compliance - OEC, @wooly6bear
Slides available at: wooly6bear.wordpress.com
Disclaimer
Testing the 2017 OWASP Top 10 with the Zed Attack Proxy (ZAP), December
Getting Started with OWASP Zed Attack Proxy (ZAP) for Web Application Penetration Testing
Define “Relevance”
WHO WHAT WHERE WHEN WHY HOW
WHAT
OWASP
OWASP Top 10
OWASP TOP 10 2017 RC1
A1: Injection
A2: Broken Authentication & Session Management
A3: XSS - Cross-Site Scripting
A4: Broken Access Control
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Insufficient Attack Protection
A8: CSRF - Cross-Site Request Forgery
A9: Using Components with Known Vulnerabilities
A10: Underprotected APIs
OWASP TOP 10 2017 RC2
A1: Injection
A2: Broken Authentication & Session Management
A3: Sensitive Data Exposure
A4: XXE - XML External Entities
A5: Broken Access Control
A6: Security Misconfiguration
A7: XSS - Cross-Site Scripting
A8: Insecure Deserialization
A9: Using Components with Known Vulnerabilities
A10: Insufficient Logging & Monitoring
WHO
Developers
QA/Testers
Blue Teamers
Red Teamers
Students
Me
WHERE
Capture the Flag
Pentesting / Assessments
App Build Process
Compliance
Training / School
https://sakurity.com/blog/2017/04/24/owasp.html Egor Homakov
A1: Solved for with modern frameworks
A2: Solved with auth libraries
A3: Solved for with modern frameworks
A4: Not solved
A5: Not solved
A6: Solved with HTTPS (not entirely the problem)
A7: Too vendor-oriented for this list
A8: Solved with tokens
A9: Patch
A10: Solved with experience
A0: Use Modern Frameworks
“If you aren’t maintaining some PHP app written 10 years ago, Top 10 list is irrelevant to you.” Egor Homakov
https://insights.stackoverflow.com/survey/2017
42% https://trends.builtwith.com
78% https://trends.builtwith.com
? QUESTION
“…the original goal of the OWASP Top 10 project was simply to raise awareness amongst developers…”
Prepared by: christian.heinrich@owasp.org
“…as has been the problem all along, is that no one looks at 11-20, which are real problems….” Bill Sempf (cwcid - @0DDJ0BB and @roberthurlbut )
RISK
? QUESTION
Compliance standards like PCI DSS drive security programs. Is it good or bad that they specifically call out the need to scan your code for the OWASP Top 10?
“…[Insert Tool/Service Name] aims to protect web applications from all the attacks in the OWASP Top 10…”
OWASP Top 10 2017 data call submissions
Columns: Timestamp | Name of Company/Organization | Company/Organization Web Site | How many web applications do the submitted results cover? | What were the primary programming languages the applications you reviewed written in?

Timestamp   Company/Organization              Web Site                           Web apps covered   Primary languages
5/31/2016   edgescan                                                             356                Java, .NET, PHP
7/15/2016   Veracode                          https://www.veracode.com/          44627
7/18/2016   Branding Brand                    www.brandingbrand.com              200                Java, PHP, Node.js, Objective-C
7/19/2016   Paladion Networks                 www.paladion.net                   1400
            Vantage Point                     www.vantagepoint.sg                111
7/20/2016   iBLISS Segurança & Inteligência   www.ibliss.com.br                  148
            AsTech Consulting                 https://www.astechconsulting.com   54                 Java, .NET
7/22/2016   Contrast Security                 http://contrastsecurity.com        3734               Java, .NET, Node.js
8/31/2016   Minded Security                   https://www.mindedsecurity.com     110
            Aspect Security                                                      155
? QUESTION
We use broken web applications for training, what base of vulnerabilities are they always built on?
Security Shepherd, Juice Shop, bWAPP, WebGoat, Mutillidae
Focus
Application Security Verification Standard (ASVS)
Testing Guide
OWASP Proactive Controls (2016)
C1: Verify for Security Early and Often
C2: Parameterize Queries
C3: Encode Data
C4: Validate All Inputs
C5: Implement Identity and Authentication Controls
C6: Implement Appropriate Access Controls
C7: Protect Data
C8: Implement Logging and Intrusion Detection
C9: Leverage Security Frameworks and Libraries
C10: Error and Exception Handling
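Added example, not part of the slides or of any OWASP project code: it puts the "solved with modern frameworks" claim for A1 next to the Proactive Controls "Parameterize Queries", "Encode Data" and "Validate All Inputs". The same lookup is written twice, once by string concatenation (the injectable form) and once with a bound parameter, against a constructed in-memory SQLite table; the `users` table, its rows, the `find_user_*` function names and the username allowlist pattern are all assumptions made for the demo. The point worth noticing is that the parameterized version needs no knowledge of the payload: the binding API, which is what a modern framework's ORM calls underneath, is the control.

```python
"""A1 Injection: concatenated SQL vs. a parameterized query, plus the
Proactive Controls 'Encode Data' and 'Validate All Inputs'.
Demo schema and rows are constructed for this example only.
"""
import html
import re
import sqlite3

# Allowlist for usernames (assumption for the demo): lowercase letters,
# digits and underscore, 1..32 characters. Rejecting early shrinks the
# attack surface but is not a substitute for parameterization.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """Build a throwaway in-memory database with three demo users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Classic A1 pattern: user input is spliced into the SQL text, so a
    name such as  x' OR '1'='1  rewrites the WHERE clause."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """C2 Parameterize Queries: the value is bound, never parsed as SQL,
    so the same payload matches nothing."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def is_valid_username(name):
    """C4 Validate All Inputs: allowlist check, applied before the query."""
    return bool(USERNAME_RE.match(name))


def render_greeting(name):
    """C3 Encode Data: HTML-body context encoding of untrusted output,
    which is what stops reflected XSS in the response."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, payload))  # all three rows
    print("safe:      ", find_user_safe(db, payload))        # []
    print("validated: ", is_valid_username(payload))         # False
    print("encoded:   ", render_greeting("<script>alert(1)</script>"))
```

Run it as a script to see the tautology payload return every row from the concatenated query and nothing from the parameterized one. The three controls layer rather than compete: validation rejects most junk at the edge, parameterization makes the database call safe regardless of what got through, and output encoding handles the data on its way back to the browser.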
Thank You..... Questions?
Mike Woolard, Manager of Risk and Compliance - OEC, @wooly6bear
Slides available at: wooly6bear.wordpress.com