Getting benefits of OWASP ASVS at initial phases

Presentation transcript:

Getting benefits of OWASP ASVS at initial phases. 15 June 2018, NDS {OSLO} 2018. Oleksandr Kazymyrov, EVRY. PUBLIC

Introduction

What is a secure application? Security Development Lifecycle (SDL); S.M.A.R.T. criteria

S.M.A.R.T. criteria applied to a security goal:
- Specific: Is it clearly described and understandable?
- Measurable: How will you know when you have reached it?
- Achievable: Are you able to accomplish it?
- Relevant: Is the web application criterion in line with business needs?
- Time Limited: When do you want to achieve it?

Achievability: OWASP Top 10 2017 – A2 Broken Authentication

Achievability and the Pareto principle: 20% of the effort yields 80% of the results.

What changed from 2013 to 2017? Deserialization vulnerability

OWASP Top 10 2017 through the S.M.A.R.T. prism:
- Specific: No (general)
- Measurable: High level: yes; low level: somewhat
- Achievable: Somewhat
- Relevant: N/A / Yes
- Time Limited: N/A / Yes

OWASP Top 10 2017: "The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications." (emphasis on "about the most critical security risks") https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

OWASP Application Security Verification Standard (ASVS)

From PCI DSS to OWASP ASVS. PCI DSS refers to external standards (NIST SP 800-XXX, OWASP, SANS, ...); its Penetration Test Guidance refers to NIST SP 800-115, the OWASP Testing Guide, OSSTMM, ...; OWASP ASVS in turn carries mappings to PCI DSS, MITRE CWE and the OWASP Top 10.

Key parts of OWASP ASVS (v3.0.1): scope of the application security verification standard; description of security verification levels; requirements / controls; standards mappings.

What is covered by OWASP ASVS? Web applications, server configuration, mobile clients, web services, communication.

OWASP ASVS levels, in order of increasing security: Cursory, Level 1 Opportunistic, Level 2 Standard, Level 3 Advanced.

OWASP ASVS verification controls (v3.0.1)

General level profiles

OWASP ASVS verification controls: V2 Authentication Verification Requirements; V3 Session Management Verification Requirements.

Where OWASP ASVS applies across the lifecycle: architecture, development (including mobile and web services), and operation / deployment; compared against PCI DSS and the OWASP Top 10.

OWASP Top 10 2017 vs OWASP ASVS (Top 10 / ASVS):
- Coverage: Web applications* / Full stack
- Perspective: Black box / White box
- Measurable: Somewhat / Yes
- Product size: Small / Medium vs Medium / Large
- Scalability: Flat / Flexible

Application of OWASP ASVS

Level definition for LS2 and CHC.
LoginService2 (LS2), OWASP ASVS Level 3:
- LS2 stays in front of almost all applications
- It is the first major security barrier
- LS2 helps to retrieve tokens (i.e., Secure Object, SO) and hand them over to 3rd-party applications
- Available through the Internet
Cardholder Client (CHC), OWASP ASVS Level 2 (3):
- CHC is a part of EVRY's NetBank (online banking)
- It can be integrated with any 3rd-party web application
- EVRY's NetBank is protected by LoginService2 in front of CHC
- After logging in, CHC uses the SO as the main parameter in session management

Compliance selection at EVRY Financial Services (FINODS). The ASVS level (L1, L2 or L3) is selected per application class and data sensitivity (Highly Sensitive, Moderately Sensitive, Low Sensitive). Application classes:
- SWW: Self Service Non-Portal Applications over Internet
- SSP: Self Service Portal Applications over Internet
- CSW: Non-Portal Applications over dedicated Office Channel
- CSP: Portal Applications over dedicated Office Channel
- ESI: Web Services Applications over Internet
- ESS: Integrated customer solutions over service layer

Non-OWASP ASVS security methodology

Product owners / architects and the technical testing team.
Product Owner / Architect:
- Define security requirements for the application under test (AUT)
- Prepare the software architecture document (SAD), NFR checklist and security risk analysis (SRA) document
- Identify particular focus areas for code review, and participate in follow-up meetings
- Ensure that business and project goals are met
Security Testing Department:
- Perform security assessment to verify the defined requirements
- Verify that the SAD, NFR and SRA comply with the defined security expectations
- Complete security code review to verify that the source code does not contain vulnerabilities
- Report on deviations from security expectations
- Gather results in the form of new or updated standards, guidelines and best practices
- Keep up-to-date knowledge of new threats and vulnerability trends

OWASP Software Assurance Maturity Model (SAMM) and ASVS

Applicability: phases of a security testing engagement.
- Pre-Engagement: Scoping, Rules of Engagement, Success Criteria, Sign Off
- Engagement: Information Gathering, Vulnerability Analysis, Attack Modeling, Exploitation, Evidence Retention, Cleaning up
- Post-Engagement: Reporting, Remediation, Mitigation, Retesting

Conclusions

Is the application secure? Security Development Lifecycle (SDL), OWASP ASVS, S.M.A.R.T. criteria.
