Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Introduction to Web Application Security

Published byΘέτις Γερμανού Modified over 6 years ago

Similar presentations

Presentation on theme: "An Introduction to Web Application Security"— Presentation transcript:

1 An Introduction to Web Application Security
Class 1: Introduction to AppSec December 15th 2014 Daniel Somerfield Lead Consulting Developer ThoughtWorks

2 This Week’s Agenda December 15th: Introduction to AppSec December 16th: Injection December 17th: Vulnerable Authentication & Session Management December 18th: Cross-Site Scripting December 19th: Secure Development Process

3 Why is AppSec Important?

4 Sidebar: The Sky is Falling

5 Why is this difficult? Increasingly sophisticated adversary
Complexity of software requirements Speed of technology evolution Lack of focus and under- standing in product organizations Challenges in cost / benefit analysis Technologies that simply were not designed with security in mind

6 Aspects of Application Security
Operational / IT Security e.g. Firewall Configuration e.g. Network partitioning e.g. Password management e.g. Key management

7 Aspects of Application Security
Security Policy & Governance e.g. Data retention e.g. Password expiration e.g. Encryption standards

8 Aspects of Application Security
Engineering Practice and Process e.g. Secure coding e.g. Functional security concerns e.g. AppSec automation

9 The AppSec Roles Builder Defender Breaker

10 Sidebar: The Fortress & the Casino

11 Principals of Secure Coding
Trusted & Untrusted Data Defense in Depth Positive Modeling Least Privilege

12 AppSec Anti-patterns Security Checkbox Compliance as Security
Roll-your-own encryption and protocols Security through obscurity / complexity

13 OWASP “OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.” OWASP Top 10 OWASP Tools and Projects AppSec Conferences

14 References OWASP. https://www.owasp.org/
Krebs on Security.

15 This Week’s Agenda December 15th: Introduction to AppSec December 16th: Injection December 17th: Vulnerable Authentication & Session Management December 18th: Cross-Site Scripting December 19th: Secure Development Process

Download ppt "An Introduction to Web Application Security"

Similar presentations

Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
A Demo of and Preventing XSS in.NET Applications.

A Demo of and Preventing XSS in.NET Applications.
Some general principles in computer security Tomasz Bilski Chair of Control, Robotics and Computer Science Poznań University.

Some general principles in computer security Tomasz Bilski Chair of Control, Robotics and Computer Science Poznań University.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by the U.S. Department of Defense © 2000 by Carnegie Mellon.

Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense © 2000 by Carnegie Mellon.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Adversaries in Clouds: Protecting Data in Cloud-Based Applications Nick Feamster Georgia Tech.

Adversaries in Clouds: Protecting Data in Cloud-Based Applications Nick Feamster Georgia Tech.
Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.

Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.
User Group 2015 Security Best Practices. Presenters Steve Kelley, COO 31 years experience building and managing operations and service delivery organizations.

User Group 2015 Security Best Practices. Presenters Steve Kelley, COO 31 years experience building and managing operations and service delivery organizations.
SOFTWARE SECURITY EDUCATION WHAT NEXT???? Submitted by Srinath Viswanathan 006329076 Srinivas Gudisagar 006376734 1.

SOFTWARE SECURITY EDUCATION WHAT NEXT???? Submitted by Srinath Viswanathan Srinivas Gudisagar
INSERT GRAPHIC SQUARE HERE World Wide Web EPC Network DNS Authoritative system that routes requests for Web sites and email ONS Authoritative record of.

INSERT GRAPHIC SQUARE HERE World Wide Web EPC Network DNS Authoritative system that routes requests for Web sites and ONS Authoritative record of.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Internet of Things Top Ten. Agenda -Introduction -Misconception -Considerations -The OWASP Internet of Things Top 10 Project -The Top 10 Walkthrough.

Internet of Things Top Ten. Agenda -Introduction -Misconception -Considerations -The OWASP Internet of Things Top 10 Project -The Top 10 Walkthrough.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.

Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
An Ad Hoc Writable Rule Language for White-Box Security Scanners Author:Sebastian Schinzel Referent:Prof. Dr. Alexander del Pino Korreferent:Prof. Dr.

An Ad Hoc Writable Rule Language for White-Box Security Scanners Author:Sebastian Schinzel Referent:Prof. Dr. Alexander del Pino Korreferent:Prof. Dr.
12 Steps to Cloud Security A guide to securing your Cloud Deployment Vishnu Vettrivel Principal Engineering Lead,

12 Steps to Cloud Security A guide to securing your Cloud Deployment Vishnu Vettrivel Principal Engineering Lead,
2006 2 nd Joint Workshop between Security Research Labs in JAPAN and KOREA Marking Scheme for Semantic- aware Web Application Security 2006. 2. 20. HPC.

nd Joint Workshop between Security Research Labs in JAPAN and KOREA Marking Scheme for Semantic- aware Web Application Security HPC.
COMP9321 Web Application Engineering Semester 2, 2015 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 1COMP9321, 15s2, Week.

COMP9321 Web Application Engineering Semester 2, 2015 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 1COMP9321, 15s2, Week.
OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.

OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.
Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi.

Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi.

Similar presentations

Ads by Google