Slide 1: Snakes and Ladders
OWASP Newcastle, 24th November 2015
Slide 2: Web Risks 2013
17th September 2014
https://www.owasp.org/index.php/OWASP_Top_Ten_Project
Slide 3: Well-Known List
Top Ten Risks to Web Applications (2013)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Slide 4: Proactive Controls
Version 1, 10th March 2014
https://www.owasp.org/index.php/OWASP_Proactive_Controls
(version 2 in progress, due end 2015)
Slide 5: A Better List
Top Ten Proactive Controls for Web Applications
C1 Parameterize Queries
C2 Encode Data
C3 Validate All Inputs
C4 Implement Appropriate Access Controls
C5 Establish Identity and Authentication Controls
C6 Protect Data and Privacy
C7 Implement Logging, Error Handling and Intrusion Detection
C8 Leverage Security Features of Frameworks and Libraries
C9 Include Security-Specific Requirements
C10 Design and Architect Security In
Slide 6: Too Much Text!
Educate
Move from risks to controls
Make a game
Learn Adobe Illustrator
Christmas "cards"
Slide 7: Designs, Trademarks, Etc.
Slide 8: Concept
10 snakes
10 ladders
100 squares
Slide 9: Flat Design
Slide 10: Web Applications: ES
Slide 11: Web Applications: ZH
Slide 12: Web Applications: DE
Slide 13: Mobile Apps: JA
Slide 14: Mobile Apps: EN
Slide 15: Relationships 1/3
Is the placement of snakes and ladders meaningful? Do nearby ladders fix adjacent snakes? No.
Slide 16: Relationships 2/3
Top Ten Risks
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Top Ten Proactive Controls
C1 Parameterize Queries
C2 Encode Data
C3 Validate All Inputs
C4 Implement Appropriate Access Controls
C5 Establish Identity and Authentication Controls
C6 Protect Data and Privacy
C7 Implement Logging, Error Handling and Intrusion Detection
C8 Leverage Security Features of Frameworks and Security Libraries
C9 Include Security-Specific Requirements
C10 Design and Architect Security In
Slide 17: Relationships 3/3
https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Top_Ten_Mapping
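The mapping the slides point at (risks to the controls that address them) is easiest to see in code. The following is an added example, not part of the talk or the OWASP project materials: it shows the first two Proactive Controls, C1 Parameterize Queries and C2 Encode Data, beside the risks they counter, A1 Injection and A3 Cross-Site Scripting. It uses only the Python standard library (sqlite3 and html); the users table, the attacker inputs and the function names are all constructed here for illustration.

```python
"""Added example (not from the slides): C1 and C2 from the Proactive
Controls applied against A1 Injection and A3 XSS from the Top Ten Risks.
The table, its rows and the hostile inputs are constructed for the demo."""
import html
import sqlite3


def make_db():
    # In-memory table constructed for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # A1 Injection: untrusted input is spliced into the SQL text, so quote
    # characters in `name` change the structure of the statement.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    # C1 Parameterize Queries: the value is bound as data and is never
    # parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def greeting_vulnerable(name):
    # A3 XSS: untrusted data dropped into an HTML element unchanged.
    return "<p>Hello, " + name + "</p>"


def greeting_encoded(name):
    # C2 Encode Data: encode for the HTML element context before output.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed attacker inputs: a classic tautology and a script tag.
INJECTION_INPUT = "x' OR '1'='1"
XSS_INPUT = "<script>alert(1)</script>"


def demo():
    """Run both pairs and return the results so they can be compared."""
    conn = make_db()
    return {
        "vulnerable_rows": find_user_vulnerable(conn, INJECTION_INPUT),
        "parameterized_rows": find_user_parameterized(conn, INJECTION_INPUT),
        "vulnerable_html": greeting_vulnerable(XSS_INPUT),
        "encoded_html": greeting_encoded(XSS_INPUT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running it shows the difference the control makes: the concatenated query returns every row because the tautology rewrites the WHERE clause, while the bound-parameter query returns none, since no user is literally named `x' OR '1'='1`; likewise the encoded greeting carries `&lt;script&gt;` as text rather than an executable tag.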
Slide 18: Print Your Own
Adobe PDF, A2 print quality
Adobe Illustrator source
Web Applications: BR, DE, EN, ES, FR, JA, ZH
Mobile Apps: EN, JA
Slide 19: Twitter
Slide 20: From Lists to Threat Modelling
Not just 10 issues
Build security in from the start, and throughout processes
In-depth application security requirements
Slide 21: Staying in Touch
Project page: https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders
Twitter: @OWASPSnakesWeb (Web), @OWASPSnakesMob (Mobile)
Full world tour 2014-15: Singapore, Cambridge, London Docklands, London Shoreditch, Bristol, Amsterdam, San Francisco, Newcastle upon Tyne
Slide 22: Q&A
colin.watson@owasp.org