Presentation is loading. Please wait.

Presentation is loading. Please wait.

OWASP Periodic Table of Vulnerabilities James Landis

Published byKaleigh Gridley Modified over 9 years ago

Similar presentations

Presentation on theme: "OWASP Periodic Table of Vulnerabilities James Landis"— Presentation transcript:

1 OWASP Periodic Table of Vulnerabilities James Landis james.landis@owasp.org

2 The AppSec Profession ~1980-????

3 GOAL Project Goal

4 Existing ‘Taxonomies’ OWASP Top Ten (2013) Focuses on just the riskiest issue categories Measures DREAD attributes Recommends high-level solutions, and secure libraries like ESAPI WASC Threat Classification (v2) Attempts to enumerate, but not classify, all web application attacks and weaknesses Includes a view (Development Phase View) which shows SDLC mapping Officially avoids recommending solutions SANS Common Weakness Enumeration (CWE-25) Focuses on riskiest issues (just more of them) Measures DREAD attributes Recommends solutions, categorized by SDL phase

5 Failed Approaches Developer Training “Enumerating Badness”, “Penetrate and Patch” (h/t Marcus Ranum) – Some vulnerability classes, automated tests – Yes! – Other classes (e.g. Logic flaws), manual tests – No! Firewalls Root cause analysis (XSS == SQLi, XSS != SQLi) Everything else we’ve been doing

6 Solutions? Accepting Reality – HTTP not stateless – People might try to hurt us Platform Security Continuum Make it impossible to make mistakes Economies of Scale Vulnerable by DefaultSecure by Design

7 Divide and Conquer Browsers and Standards User agents, plugins, HTTP protocol, SSL/TLS, Content Security Policy (CSP), Same Origin Policy (SOP), IETF RFC, etc. Perimeter and Platform Application proxies, content distribution networks (CDNs), application firewalls, web servers, database servers, application servers, operating systems, etc. Generic Frameworks Web application runtime environments Custom Frameworks Development platforms unique to individual businesses/verticals Custom CodeBusiness logic unique to each application

8 Economies of Scale Browsers and Standards Perimeter and Platform Generic Frameworks Custom Frameworks Custom Code WebDev Mistakes Impact Code Changes

9 Scope Avoid reproducing existing documentation – Describe just enough of the solution to show how it’s distributed between targets – References, references, references! Minimize original research – Most solutions enforce old ideas in frameworks – Browser/standards require some new thought Mobile, thick client vulnerabilities excluded

10 Metaphor

11 Results!

12 Selected Examples Vulnerability Browser /Standards Perimeter /Infrastructur e Generic Framework Custom Framework Custom Code Clickjacking Browser vendor standardization on safe framing Automatically set X-Frame-Options header Configurable XFO policy CSRF Change default for cross-domain writes Automatic nonce checking, configurable Improper Input Handling Provide APIs for positive validation of common types Provide APIs for positive validation of custom types Never use primitives Abuse of Functionality Define abuse cases for all features

13 Case Study - XSS Decouple presentation and data – easy with AJAX, not with Web 1.0 What if content IS markup? Secure framework might have steep learning curve / difficult adoption path Browser sandboxing CSP, Caja, IFRAME seamless / sandbox

14 Developer Training XSS SQLi CSRF HTTPRS Clickjacking Application DDoS Improper Input Handling Redirector Abuse Logical Flaws Remote File Include OS Commanding XML External Entities BEFORE AFTER Logical Flaws Function Abuse Input Validation Secure Framework

15 Drawbacks and Benefits DOESN’T help us with legacy/current applications DOES help drive remediation planning / gap analysis in existing applications DOES focus remediation toward areas with greatest force multiplier (e.g. Top Ten Defenses) DOES allow objective evaluation of firewalls and frameworks

16 Q & A

Download ppt "OWASP Periodic Table of Vulnerabilities James Landis"

Similar presentations

OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.

“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

Similar presentations

Ads by Google