
Relevance of the OWASP Top 10



Presentation on theme: "Relevance of the OWASP Top 10"— Presentation transcript:

1 Relevance of the OWASP Top 10
Mike Woolard Manager of risk and compliance - OEC @wooly6bear

2 Slides available at: wooly6bear.wordpress.com

3 Disclaimer
Testing the 2017 OWASP Top 10 with the Zed Attack Proxy (ZAP), December
Getting Started with OWASP Zed Attack Proxy (ZAP) for Web Application Penetration Testing

4 Define “Relevance”

5 WHO WHAT WHERE WHEN WHY HOW

6 WHAT

7

8 OWASP

9 OWASP Top 10

10 OWASP TOP 10 2017 RC1
A1: Injection
A2: Broken Authentication & Session Management
A3: XSS – Cross Site Scripting
A4: Broken Access Control
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Insufficient Attack Protection
A8: CSRF – Cross Site Request Forgery
A9: Using Components with Known Vulnerabilities
A10: Underprotected APIs

11

12

13

14 OWASP TOP 10 2017 RC2
A1: Injection
A2: Broken Authentication & Session Management
A3: Sensitive Data Exposure
A4: XXE – XML External Entities
A5: Broken Access Control
A6: Security Misconfiguration
A7: XSS – Cross Site Scripting
A8: Insecure Deserialization
A9: Using Components with Known Vulnerabilities
A10: Insufficient Logging & Monitoring

15 WHO
Developers
QA/Testers
Blue Teamer
Red Teamer
Students
Me

16 WHERE
Capture the Flag
Pentesting / Assess
App Build Process
Compliance
Training / School

17 Egor Homakov

18 A1: Solved for with modern frameworks
A2: Solved with auth libraries
A3: Solved for with modern frameworks
A4: not solved
A5: not solved
A6: Solved with https (not entirely the problem)
A7: Too vendor oriented for this list
A8: Solved with token
A9: Patch
A10: Solved with experience

19 A0: Use Modern Frameworks

20 “If you aren’t maintaining some PHP app written 10 years ago, Top 10 list is irrelevant to you.”
Egor Homakov

21 https://insights.stackoverflow.com/survey/2017?

22 42%

23 78%

24 ? QUESTION

25 “…the original goal of the OWASP Top 10 project was simply to raise awareness amongst developers…”

26 Prepared by: christian.heinrich@owasp.org

27

28 “…as has been the problem all along, is that no one looks at 11-20, which are real problems….”
Bill Sempf (cwcid)

29 RISK

30 ? QUESTION

31 Compliance standards like PCI-DSS drive security programs.
Is it good or bad that they specifically call out the need to scan for the OWASP Top10 in your code?

32 “…[Insert Tool/Service Name] aims to protect web applications from all the attacks in the OWASP Top 10…”

33

34

35

36 Timestamp | Name of Company/Organization | Company/Organization Web Site | How many web applications do the submitted results cover? | What were the primary programming languages the applications you reviewed written in?
5/31/2016 | edgescan | | 356 | Java, .NET, PHP
7/15/2016 | Veracode | | 44627 |
7/18/2016 | Branding Brand | | 200 | Java, PHP, Node.js, Objective-C
7/19/2016 | Paladion Networks | | 1400 |
 | Vantage Point | | 111 |
7/20/2016 | iBLISS Segurança & Inteligência | | 148 |
 | AsTech Consulting | | 54 | Java, .NET
7/22/2016 | Contrast Security | | 3734 | Java, .NET, Node.js
8/31/2016 | Minded Security | | 110 |
 | Aspect Security | | 155 |

37

38

39 ? QUESTION

40 We use broken web applications for training, what base of vulnerabilities are they always built on?

41 Security Shepherd
Juice Shop
bWAPP
WebGoat
Mutillidae

42 Focus
Application Security Verification Standard
Testing Guide

43 OWASP Top 10 Proactive Controls (2016)
C1: Verify for Security Early and Often
C2: Parameterize Queries
C3: Encode Data
C4: Validate All Inputs
C5: Implement Identity and Authentication Controls
C6: Implement Appropriate Access Controls
C7: Protect Data
C8: Implement Logging and Intrusion Detection
C9: Leverage Security Frameworks and Libraries
C10: Error and Exception Handling
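Added example, not from the slides and not code from OWASP or any project named on them: the two controls that, in my reading, underlie Homakov's "solved for with modern frameworks" verdict on A1 (Injection) and A3 (XSS) on slide 18 are "Parameterize Queries" and "Encode Data". The block shows each as a hand-rolled vulnerable lookup next to its hardened form, over an in-memory SQLite table. The schema, the two user rows and the payload strings are constructed for the demo; the function names are mine.

```python
"""Constructed demo of Proactive Controls C2 (Parameterize Queries) and
C3 (Encode Data), the mechanisms a modern framework applies for you.
Everything here is illustrative: the table, the rows and the payloads are
made up for the example."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """A1 as it appears in hand-rolled code: the untrusted value is
    spliced into the SQL text, so a quote in the input rewrites the query."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """C2: the SQL text is fixed; the value is bound separately and is
    only ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """A3 as it appears in hand-rolled code: untrusted text dropped
    straight into HTML, so markup in the input becomes markup on the page."""
    return f"<p>Hello, {name}</p>"


def render_greeting_encoded(name: str) -> str:
    """C3: entity-encode for the HTML text context before interpolating.
    Template engines with autoescaping on (Jinja2, Django templates, React)
    do exactly this by default, which is the 'modern frameworks' point."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    """Run both payloads through both forms and return the four results."""
    conn = make_db()
    sqli_payload = "' OR '1'='1"              # constructed tautology payload
    xss_payload = "<script>alert(1)</script>"  # constructed script payload
    return {
        # vulnerable: WHERE name = '' OR '1'='1' matches every row
        "vuln_rows": find_user_vulnerable(conn, sqli_payload),
        # hardened: no user is literally named ' OR '1'='1
        "safe_rows": find_user_parameterized(conn, sqli_payload),
        "vuln_html": render_greeting_vulnerable(xss_payload),
        "safe_html": render_greeting_encoded(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable lookup returns both rows for the tautology payload, including the admin, while the parameterized one returns nothing; the encoded greeting contains no `<script>` tag. The framework argument on slide 18 rests on defaults: an ORM binds parameters and a template engine escapes unless you opt out, which is why the remaining "not solved" items on that slide (A4, A5) are the ones no library default can decide for you.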

44 Thank You….. Questions?
Mike Woolard
Manager of risk and compliance - OEC
@wooly6bear


