//ALPHA.1 OWASP Knoxville Application Security Then and Now. Make a Difference Now 2015 June 11 Phil Agcaoili.

Presentation transcript:


A Career Path… printf("hello, world\n");

Why OWASP is VERY Important! source: Checkmarx

OWASP Top 10 – Then and Now: Not Substantially Different

      Then: OWASP Top 10 – Edition                        Now: OWASP Top 10 – 2013 Edition
  A1  Unvalidated Input                                   A1  Injection
  A2  Broken Access Control                               A2  Broken Authentication and Session Management
  A3  Broken Authentication and Session Management        A3  Cross-Site Scripting (XSS)
  A4  Cross Site Scripting                                A4  Insecure Direct Object References
  A5  Buffer Overflow                                     A5  Security Misconfiguration
  A6  Injection Flaws                                     A6  Sensitive Data Exposure
  A7  Improper Error Handling                             A7  Missing Function Level Access Control
  A8  Insecure Storage                                    A8  Cross-Site Request Forgery (CSRF)
  A9  Application Denial of Service                       A9  Using Components with Known Vulnerabilities
  A10 Insecure Configuration Management                   A10 Unvalidated Redirects and Forwards

*Challenging for automation tools

The Intent of OWASP
- The Top 10 is about managing risk – not just avoiding vulnerabilities.
- Take a big picture approach to application security.
  – The OWASP Top 10 doesn't mean it's the most important problem facing your organization.

Keep it simple…It’s not as difficult as you think it is.

START SMALL BUILD THE MOMENTUM OF SUCCESS

HOPE FOR SERENDIPITY The occurrence and development of events by chance in a happy or beneficial way

ACHIEVE BUY-IN FROM MANAGEMENT AND EMPLOYEES Provide opportunities for teams and clear advantages for company.

TAKE APPLICATION SECURITY ONE STEP AT A TIME Allow the organization to grow into the process rather than dropping it on the teams all at once

EDUCATE YOUR DEVELOPERS AND GET THEM WRITING SECURE CODE

RECRUIT THE SMART PEOPLE IN THE DEV TEAMS TO ACT AS CHAMPIONS Senior developers with a need to learn something new or Junior developers with the motivation to move ahead within the organization.

GET THE RIGHT PARTNERS TO HELP YOU

NETWORK SECURITY CANNOT PREVENT APPLICATION BREACHES ON ITS OWN
STATIC ANALYSIS SHOULD BE PERFORMED AT EARLIER DEVELOPMENT STAGES
Web Application Firewalls (WAF) and/or RASP should be used as temporary band-aids for non-remediated vulnerabilities.

CAUTION WITH AUTOMATION
Tools make educated guesses that require validation by trained humans. Peer code review with trained peers is still the best option.
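To make the "static analysis early" and "tools make educated guesses" slides concrete, here is an added toy static-analysis pass (not code from the presentation or from any product it mentions) that walks Python source and flags database `execute()` calls whose query string is assembled at runtime, the A1 Injection pattern. The sink names and the sample source are constructed assumptions; the point is the "low" finding, which a tool cannot resolve and a trained reviewer must.

```python
import ast

# Constructed sample (not from the slides): four database calls a static
# analysis pass would inspect. Only the first and last are actually injectable.
SAMPLE_SOURCE = '''
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")  # injectable
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))     # parameterised: safe
    cur.execute("SELECT * FROM " + "users")                         # constant parts only
    cur.execute(f"SELECT * FROM users WHERE id = {user}")           # injectable f-string
'''

# Hypothetical sink names; a real tool would carry a catalogue per database driver.
SINK_NAMES = {"execute", "executemany"}


def _has_runtime_part(node):
    """True if any leaf of the query expression is not a string literal."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _has_runtime_part(node.left) or _has_runtime_part(node.right)
    if isinstance(node, ast.JoinedStr):  # f-string: dynamic iff it has {} fields
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    return not isinstance(node, ast.Constant)


def find_sql_concatenation(source):
    """Return (line, confidence, query_expr) for each sink call whose query is
    built at runtime. 'low' findings are the educated guesses a reviewer must
    validate; 'high' findings contain a name, call or f-string field."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SINK_NAMES or not node.args:
            continue
        query = node.args[0]
        if isinstance(query, ast.Constant):
            continue  # literal query text; parameters travel separately
        confidence = "high" if _has_runtime_part(query) else "low"
        findings.append((node.lineno, confidence, ast.unparse(query)))
    return sorted(findings)


if __name__ == "__main__":
    for line, confidence, expr in find_sql_concatenation(SAMPLE_SOURCE):
        print(f"line {line}: [{confidence}] {expr}")
```

The parameterised call on the second line produces no finding at all, which is the shape every query should take once the "band-aid" WAF rule is retired.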

Phil Agcaoili
- Distinguished Fellow and Fellows Chairman, Ponemon Institute
- Board of Advisors, PCI Security Standards Council (SSC)
- Contributor, NIST Cybersecurity Framework version 1
- Co-Founder & Board Member, Southern CISO Security Council
- Founding Member, Cloud Security Alliance (CSA)
- Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF) – AICPA