SlideShare une entreprise Scribd logo

OWASP - Security Awareness Presentation for Bitcoin Wednesday Amsterdam

Bitcoin Wednesday
Bitcoin Wednesday

Security Awareness Presentation by Dutch Chapter of OWASP on Bitcoin Wednesday's First Year Anniversary Meeting in Amsterdam

Technologie
1  sur  19
Télécharger pour lire hors ligne
Martin Knobloch – 10 years developer experience – 10 years information security experience – +3 years independent Security Consultant – Dutch OWASP Chapter Leader – OWASP AppSec-Eu/Research 2015 Chair – martin.knobloch@owasp.org – www.owasp.org
www.owasp.org | 3
Enter the rest of OWASP • Free Chapter Meetings • Free Local Events • Conferences • ... People • Webgoat • Zed Attack Proxy (ZAP) • ESAPI • ... Tools • Requirements list • CLASP • SAMM • ... Guides 6
Your security “perimeter” has huge holes at the application layer |7 Firewall Hardened OS Web Server App Server Firewall Databases LegacySystems WebServices Directories HumanResrcs Billing Custom Developed Application Code APPLICATION ATTACK You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks Network Layer Application Layer
8 An Attacker has 24x7x365 to Attack Scheduled Pen-Test Scheduled Pen-Test Attacker Schedule The Defender has 20 man days per year to detect and defend
Tools – At Best 45% • MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (695) • They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
10
Content
Insecure? Insecure? Functional Specification Technical Implementation An application is secure if it acts and reacts, as it expected, at any time! Secure
Username Password password forgotten link
Threat Modeling – The Basics Asset: Valuable resource Vulnerability: Exploitable weakness Threat: Causes harm Risk: Chance of harm occurring ? Countermeasure: Reduces risk
Why start again? Asset Threat Risk is low Countermeasure Dependency Dependency’s Countermeasure Dependency’s Threat
22 That’s it… ..thank you!

Recommandé

NEtwork Security Admin Portal
NEtwork Security Admin PortalNEtwork Security Admin Portal
NEtwork Security Admin PortalBhadreshsinh Gohil
 
Javascript Malware - Spi Dynamics
Javascript Malware - Spi DynamicsJavascript Malware - Spi Dynamics
Javascript Malware - Spi Dynamicsamiable_indian
 
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015Werner Keil
 
Huneed-Cisco Perimeter Security Solution Guide
Huneed-Cisco Perimeter Security Solution GuideHuneed-Cisco Perimeter Security Solution Guide
Huneed-Cisco Perimeter Security Solution GuideGlen Yi
 
Privacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidancePrivacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidanceAmy Purcell
 
A Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story Craig BaldingA Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story Craig Baldingcraigbalding
 
Strong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSOStrong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSOSylvain Maret
 
Dash Presentation - 7 October 2015 - Evan Duffield, Daniel Diaz, Robert Wieck...
Dash Presentation - 7 October 2015 - Evan Duffield, Daniel Diaz, Robert Wieck...Dash Presentation - 7 October 2015 - Evan Duffield, Daniel Diaz, Robert Wieck...
Dash Presentation - 7 October 2015 - Evan Duffield, Daniel Diaz, Robert Wieck...Bitcoin Wednesday
 

Recommandé

NEtwork Security Admin Portal
NEtwork Security Admin PortalNEtwork Security Admin Portal
NEtwork Security Admin PortalBhadreshsinh Gohil
 
Javascript Malware - Spi Dynamics
Javascript Malware - Spi DynamicsJavascript Malware - Spi Dynamics
Javascript Malware - Spi Dynamicsamiable_indian
 
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015Werner Keil
 
Huneed-Cisco Perimeter Security Solution Guide
Huneed-Cisco Perimeter Security Solution GuideHuneed-Cisco Perimeter Security Solution Guide
Huneed-Cisco Perimeter Security Solution GuideGlen Yi
 
Privacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidancePrivacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidanceAmy Purcell
 
A Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story Craig BaldingA Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story Craig Baldingcraigbalding
 
Strong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSOStrong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSOSylvain Maret
 
Dash Presentation - 7 October 2015 - Evan Duffield, Daniel Diaz, Robert Wieck...
Dash Presentation - 7 October 2015 - Evan Duffield, Daniel Diaz, Robert Wieck...Dash Presentation - 7 October 2015 - Evan Duffield, Daniel Diaz, Robert Wieck...
Dash Presentation - 7 October 2015 - Evan Duffield, Daniel Diaz, Robert Wieck...Bitcoin Wednesday
 
Augur Presented by Founder Joey Krug
Augur Presented by Founder Joey KrugAugur Presented by Founder Joey Krug
Augur Presented by Founder Joey KrugBitcoin Wednesday
 
Factom Presentation by Founder Peter Kirby
Factom Presentation by Founder Peter KirbyFactom Presentation by Founder Peter Kirby
Factom Presentation by Founder Peter KirbyBitcoin Wednesday
 
Block trust presentation (1)
Block trust presentation (1)Block trust presentation (1)
Block trust presentation (1)Bitcoin Wednesday
 
Ledger Wallet
Ledger WalletLedger Wallet
Ledger WalletBitcoin Wednesday
 
Bitcoin wednesday (1) deloitte
Bitcoin wednesday (1) deloitteBitcoin wednesday (1) deloitte
Bitcoin wednesday (1) deloitteBitcoin Wednesday
 
Codius, Where Smart Programs Live at BitcoinWednesday #19 in Amsterdam
Codius, Where Smart Programs Live at BitcoinWednesday #19 in AmsterdamCodius, Where Smart Programs Live at BitcoinWednesday #19 in Amsterdam
Codius, Where Smart Programs Live at BitcoinWednesday #19 in AmsterdamBitcoin Wednesday
 
Crosspring Presentation by Maurice Beckand Verwee at Bitcoin Wednesday #19
Crosspring Presentation by Maurice Beckand Verwee at Bitcoin Wednesday #19Crosspring Presentation by Maurice Beckand Verwee at Bitcoin Wednesday #19
Crosspring Presentation by Maurice Beckand Verwee at Bitcoin Wednesday #19Bitcoin Wednesday
 
Presenting the electronic gulden 7 january 2015 final
Presenting the electronic gulden 7 january 2015 finalPresenting the electronic gulden 7 january 2015 final
Presenting the electronic gulden 7 january 2015 finalBitcoin Wednesday
 
Send chat presentation 7 jan (1)
Send chat presentation 7 jan (1)Send chat presentation 7 jan (1)
Send chat presentation 7 jan (1)Bitcoin Wednesday
 
Eris, Deciding on the Blockchain, Project Douglas by Casey Kuhlman
Eris, Deciding on the Blockchain, Project Douglas by Casey KuhlmanEris, Deciding on the Blockchain, Project Douglas by Casey Kuhlman
Eris, Deciding on the Blockchain, Project Douglas by Casey KuhlmanBitcoin Wednesday
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Contenu connexe

Plus de Bitcoin Wednesday

Augur Presented by Founder Joey Krug
Augur Presented by Founder Joey KrugAugur Presented by Founder Joey Krug
Augur Presented by Founder Joey KrugBitcoin Wednesday
 
Factom Presentation by Founder Peter Kirby
Factom Presentation by Founder Peter KirbyFactom Presentation by Founder Peter Kirby
Factom Presentation by Founder Peter KirbyBitcoin Wednesday
 
Block trust presentation (1)
Block trust presentation (1)Block trust presentation (1)
Block trust presentation (1)Bitcoin Wednesday
 
Bitcoin wednesday (1) deloitte
Bitcoin wednesday (1) deloitteBitcoin wednesday (1) deloitte
Bitcoin wednesday (1) deloitteBitcoin Wednesday
 
Codius, Where Smart Programs Live at BitcoinWednesday #19 in Amsterdam
Codius, Where Smart Programs Live at BitcoinWednesday #19 in AmsterdamCodius, Where Smart Programs Live at BitcoinWednesday #19 in Amsterdam
Codius, Where Smart Programs Live at BitcoinWednesday #19 in AmsterdamBitcoin Wednesday
 
Crosspring Presentation by Maurice Beckand Verwee at Bitcoin Wednesday #19
Crosspring Presentation by Maurice Beckand Verwee at Bitcoin Wednesday #19Crosspring Presentation by Maurice Beckand Verwee at Bitcoin Wednesday #19
Crosspring Presentation by Maurice Beckand Verwee at Bitcoin Wednesday #19Bitcoin Wednesday
 
Presenting the electronic gulden 7 january 2015 final
Presenting the electronic gulden 7 january 2015 finalPresenting the electronic gulden 7 january 2015 final
Presenting the electronic gulden 7 january 2015 finalBitcoin Wednesday
 
Send chat presentation 7 jan (1)
Send chat presentation 7 jan (1)Send chat presentation 7 jan (1)
Send chat presentation 7 jan (1)Bitcoin Wednesday
 
Eris, Deciding on the Blockchain, Project Douglas by Casey Kuhlman
Eris, Deciding on the Blockchain, Project Douglas by Casey KuhlmanEris, Deciding on the Blockchain, Project Douglas by Casey Kuhlman
Eris, Deciding on the Blockchain, Project Douglas by Casey KuhlmanBitcoin Wednesday
 

Plus de Bitcoin Wednesday (10)

Augur Presented by Founder Joey Krug
Augur Presented by Founder Joey KrugAugur Presented by Founder Joey Krug
Augur Presented by Founder Joey Krug
 
Factom Presentation by Founder Peter Kirby
Factom Presentation by Founder Peter KirbyFactom Presentation by Founder Peter Kirby
Factom Presentation by Founder Peter Kirby
 
Block trust presentation (1)
Block trust presentation (1)Block trust presentation (1)
Block trust presentation (1)
 
Ledger Wallet
Ledger WalletLedger Wallet
Ledger Wallet
 
Bitcoin wednesday (1) deloitte
Bitcoin wednesday (1) deloitteBitcoin wednesday (1) deloitte
Bitcoin wednesday (1) deloitte
 
Codius, Where Smart Programs Live at BitcoinWednesday #19 in Amsterdam
Codius, Where Smart Programs Live at BitcoinWednesday #19 in AmsterdamCodius, Where Smart Programs Live at BitcoinWednesday #19 in Amsterdam
Codius, Where Smart Programs Live at BitcoinWednesday #19 in Amsterdam
 
Crosspring Presentation by Maurice Beckand Verwee at Bitcoin Wednesday #19
Crosspring Presentation by Maurice Beckand Verwee at Bitcoin Wednesday #19Crosspring Presentation by Maurice Beckand Verwee at Bitcoin Wednesday #19
Crosspring Presentation by Maurice Beckand Verwee at Bitcoin Wednesday #19
 
Presenting the electronic gulden 7 january 2015 final
Presenting the electronic gulden 7 january 2015 finalPresenting the electronic gulden 7 january 2015 final
Presenting the electronic gulden 7 january 2015 final
 
Send chat presentation 7 jan (1)
Send chat presentation 7 jan (1)Send chat presentation 7 jan (1)
Send chat presentation 7 jan (1)
 
Eris, Deciding on the Blockchain, Project Douglas by Casey Kuhlman
Eris, Deciding on the Blockchain, Project Douglas by Casey KuhlmanEris, Deciding on the Blockchain, Project Douglas by Casey Kuhlman
Eris, Deciding on the Blockchain, Project Douglas by Casey Kuhlman
 

Dernier

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Dernier (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

OWASP - Security Awareness Presentation for Bitcoin Wednesday Amsterdam

  • 1. Martin Knobloch – 10 years developer experience – 10 years information security experience – +3 years independent Security Consultant – Dutch OWASP Chapter Leader – OWASP AppSec-Eu/Research 2015 Chair – martin.knobloch@owasp.org – www.owasp.org
  • 3.
  • 4. Enter the rest of OWASP • Free Chapter Meetings • Free Local Events • Conferences • ... People • Webgoat • Zed Attack Proxy (ZAP) • ESAPI • ... Tools • Requirements list • CLASP • SAMM • ... Guides 6
  • 5. Your security “perimeter” has huge holes at the application layer |7 Firewall Hardened OS Web Server App Server Firewall Databases LegacySystems WebServices Directories HumanResrcs Billing Custom Developed Application Code APPLICATION ATTACK You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks Network Layer Application Layer
  • 6. 8 An Attacker has 24x7x365 to Attack Scheduled Pen-Test Scheduled Pen-Test Attacker Schedule The Defender has 20 man days per year to detect and defend
  • 7. Tools – At Best 45% • MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (695) • They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
  • 8. 10
  • 10.
  • 11. Insecure? Insecure? Functional Specification Technical Implementation An application is secure if it acts and reacts, as it expected, at any time! Secure
  • 12.
  • 13.
  • 14.
  • 15.
  • 17. Threat Modeling – The Basics Asset: Valuable resource Vulnerability: Exploitable weakness Threat: Causes harm Risk: Chance of harm occurring ? Countermeasure: Reduces risk
  • 18. Why start again? Asset Threat Risk is low Countermeasure Dependency Dependency’s Countermeasure Dependency’s Threat