BW8
Concurrent Session
11/13/2013 2:15 PM

"Oh, WASP! Security Essentials for Web Apps"
Presented by:
Benny Paul
Cognizant Technology Solutions

Brought to you by:

340 Corporate Way, Suite 300, Orange Park, FL 32073
888 268 8770 904 278 0524 sqeinfo@sqe.com www.sqe.com
Benny Paul
Cognizant Technology Solutions
Benny Paul brings more than fifteen years of IT experience to Cognizant
Testing Services where he is responsible for program management,
strategic planning, and delivery of QA Services. Benny is experienced in
building and managing large scale QA programs in multiple domains, with
resolute focus on improving QA maturity practices, enhancing quality
engineering and delivery, incorporating optimization techniques, and
implementing practical and effective process improvement methods.
Benny's passion for business development, maintaining customer relationships, and people management through motivation and inspiration further contributes to his ability to manage large programs and deliver business value to Cognizant's global clients.
Oh, WASP! Security Essentials for Web Apps
Benny Paul
Cognizant Testing Services
Nov 11, 2013

1

| ©2013, Cognizant
Introduction
Purpose of Session
- Provide Overview of Web Application Security
- OWASP Top 10
What is Web Application Security?
- A brief discussion
- Attacker’s hotspots
Top Security Problems on the web today
- Recent Nightmares
- Some statistics
Understand OWASP 2013 Top 10 Vulnerabilities
- Define the vulnerabilities
- How do we protect against them?
www.owasp.org
Credits & References
- Documents copyrighted Open Web Application Security Project, and freely downloaded from www.owasp.org.
- OWASP Top Ten titled "The Ten Most Critical Web Application Security Vulnerabilities", 2013 update.
  https://www.owasp.org/index.php/Top_10_2013-Top_10
- The OWASP Tutorial Series by Jerry Hoff
  https://www.owasp.org/index.php/Main_Page
  https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
- Several Application Security Testing related sites and content on the web, like iTeach etc.
What is Web Application Security?
- Not Network Security
- Starts in the initial planning stages
- Continues through coding, testing, and deployment
- Doesn't finish until the lifecycle is completely finished
Likelihood of a successful web application attack
- A web application is attacked on 1 in 3 days on average
- Easy to exploit without special tools or knowledge
- Little chance of being detected
Consequences:
- Unauthorized Access to web and application servers
- Database Corruption and Disclosure of contents
- Breach in user authentication and access control
- Website defacement
Percentage of Websites Vulnerability by Class (chart)

Who are we up against?
Who                                   What                                  Why
Organized Crime                       Data & Identity Theft                 Cash
Espionage (Nation State & Corporate)  Data Theft & Intellectual Property    Competitive Advantage
Hackers / Script Kiddies              Defacement & Denial of Service        Ego & Credibility building
Most sites are not secure…
An attacker can access unauthorized data, attack users using your website!
Look at Web App through eyes of Attacker

Hot Spots for Attacker

Recent Security Flaws…
Real Attack on Australian Tax office - Attacker changed the tax id in the URL, got info on 17,000 companies
Bank Website Hacked! (Aug 15, 2013)
http://articles.timesofindia.indiatimes.com/2013-08-15/delhi/41412603_1_bank-accountsarun-kumar-machines
So, how can we fix this?

OWASP - What is that?
Open Web Application Security Project
www.owasp.org
- International not-for-profit charitable Open Source Org
- Top Ten
- Guides towards:
  Building Secure Web Apps
  Application Testing
  Code Reviews
- OWASP Resources and Community:
  Documentation & Wiki
  Code Projects
  Chapters
  Conferences
- Participation in OWASP is free and open to all!
Most Critical Web App Security Risks

https://www.owasp.org/index.php/Top_10_2013-Top_10
OWASP Top 10 Risks: 1 - Injection
1 - Injection
Easy, Common, Critical
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
1 - Injection
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

Normal request, id=209907: the Web Server sends the DB the query below, which returns 1 row.
SELECT * FROM accounts WHERE custID='209907'

Tampered request, id=209907' or '1'='1: the same concatenation yields the query below; the OR clause is always true, so the WHERE condition no longer restricts the result to one customer.
SELECT * FROM accounts WHERE custID='209907' or '1'='1'
1 - Injection
How do I Prevent 'Injection'?
- Use Parameterized Queries
- Stored Procedures instead of Dynamic SQL
- OWASP ESAPI
- Whitelist Input validation
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
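The concatenation from the previous slide beside the parameterized fix, as an added example (not code from the talk): it uses Python's sqlite3 module with a constructed in-memory accounts table, and the 1-10 digit custID rule is an assumed whitelist.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the slide's "accounts" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, name TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("209907", "alice", 120), ("310011", "bob", 75), ("452100", "carol", 3000)],
    )
    return conn


def query_vulnerable(conn: sqlite3.Connection, cust_id: str) -> List[Tuple]:
    # Same construction as the slide's Java: the request parameter is pasted into the SQL
    # text, so a value like  209907' or '1'='1  rewrites the WHERE clause instead of being
    # compared against custID.
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def query_parameterized(conn: sqlite3.Connection, cust_id: str) -> List[Tuple]:
    # Parameterized query: the value is bound separately from the SQL and is only ever data,
    # so the same tampered value simply matches no row.
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()


def is_valid_cust_id(cust_id: str) -> bool:
    # Whitelist input validation (assumed rule: a customer id is 1-10 digits). This is a
    # second layer on top of parameter binding, not a replacement for it.
    return cust_id.isdigit() and 1 <= len(cust_id) <= 10


def lookup(conn: sqlite3.Connection, cust_id: str) -> List[Tuple]:
    if not is_valid_cust_id(cust_id):
        raise ValueError("rejected: custID must be 1-10 digits")
    return query_parameterized(conn, cust_id)


if __name__ == "__main__":
    db = make_db()
    tampered = "209907' or '1'='1"
    print("vulnerable, tampered input:", len(query_vulnerable(db, tampered)), "rows")
    print("parameterized, tampered input:", len(query_parameterized(db, tampered)), "rows")
    print("parameterized, normal input:", lookup(db, "209907"))
```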
OWASP Top 10 Risks: 2 - Broken Authentication & Session Management
2 - Broken Authentication & Session Mgmt
- Authentication credentials aren't protected when stored using hashing or encryption
- Weak account management functions
- Session IDs are exposed in the URL
- Session IDs don't timeout, don't rotate after login
2 - Broken Authentication & Session Mgmt
Scenario 1 – Session id in URL
http://myairline.com/sale/saleitems;jsessionid=47HDFKWkJDS8723HAUG12HG?dest=Sydney
- An authenticated user shares the airline offer (link)
- The link has his session id since the app supports URL rewriting
- When friends open the link, they have access to his session, credit card, etc.

Scenario 2 – Improper Application Timeouts
- User accesses site on a public computer
- Closes browser instead of logging out
- Attacker uses the same browser shortly after; the browser is still authenticated

Scenario 3 – No restriction on Login attempts
- In 2009, an attacker gained admin access to a Twitter server due to no restriction on the number of login attempts.
- Attacker targets a support staff's password using "brute force"
- Gains admin access to 33 accounts belonging to celebrities and politicians
2 - Broken Authentication & Session Mgmt
How do I Prevent 'Authentication' and 'Session' related risks?
A single set of strong authentication and session management controls. Such controls should strive to:
- Meet all the authentication and session management requirements defined in OWASP's Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management).
https://www.owasp.org/index.php/ASVS
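Added example, not from the talk: a small session manager covering the three scenarios above (ids kept out of URLs and rotated at login, idle timeout, lockout after repeated failures) with credentials stored as salted PBKDF2 hashes. The timeout, attempt limit and lockout window are assumed policy values, and the clock is passed in explicitly so the behaviour can be checked without waiting.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT = 15 * 60      # seconds of inactivity before a session is discarded (assumed policy)
MAX_FAILED_LOGINS = 5       # consecutive failures before the account is locked (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts (assumed policy)
PBKDF2_ROUNDS = 200_000


@dataclass
class Session:
    user: Optional[str]
    last_seen: float


@dataclass
class AuthSystem:
    users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)   # user -> (salt, hash)
    sessions: Dict[str, Session] = field(default_factory=dict)           # session id -> Session
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # user -> (count, last time)

    def add_user(self, user: str, password: str) -> None:
        # Credentials are stored as a salted PBKDF2 hash, never in clear text.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user] = (salt, digest)

    def new_session(self, now: float) -> str:
        # 256-bit random id; it travels in a cookie (HttpOnly, Secure), never in the URL (Scenario 1).
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user=None, last_seen=now)
        return sid

    def touch(self, sid: str, now: float) -> Optional[Session]:
        # Every request passes through here: an idle session dies on the server side
        # whether or not the user closed the browser (Scenario 2).
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        s.last_seen = now
        return s

    def login(self, sid: str, user: str, password: str, now: float) -> Optional[str]:
        count, last = self.failures.get(user, (0, 0.0))
        if count >= MAX_FAILED_LOGINS and now - last < LOCKOUT_SECONDS:
            return None                         # locked: brute force is cut off (Scenario 3)
        ok = False
        rec = self.users.get(user)
        if rec is not None:
            salt, stored = rec
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            ok = hmac.compare_digest(candidate, stored)
        if not ok:
            in_window = now - last < LOCKOUT_SECONDS
            self.failures[user] = (count + 1 if in_window else 1, now)
            return None
        self.failures.pop(user, None)
        # Successful login: drop the pre-login id and issue a fresh one, so an id that leaked
        # or was planted before authentication never becomes an authenticated session.
        self.sessions.pop(sid, None)
        new_sid = self.new_session(now)
        self.sessions[new_sid].user = user
        return new_sid
```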
OWASP Top 10 Risks: 3 - Cross Site Scripting (XSS)
3 - Cross Site Scripting (XSS)
XSS is targeted to attack other users' browsers
3 - Cross Site Scripting (XSS)
Using Javascript, an attacker can steal the Session ID / cookie, rewrite webpages, etc.
3 - Cross Site Scripting (XSS)
How do I Prevent 'XSS'?
- Data Escaping techniques
- Contextual Encoding
- Auto-Sanitization Libraries
- Content Security Policy (CSP)
- Whitelist Input validation
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
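Contextual encoding as an added example (not the slide's code): one encoder per output context, with the HTML-body, quoted-attribute and JavaScript-string encoders applied to the same untrusted value next to the unencoded rendering that makes XSS possible. The render_profile page and its field names are constructed.

```python
import html
import json
import re


def encode_html_body(s: str) -> str:
    # HTML body context (text between tags): & < > " ' become entities.
    return html.escape(s, quote=True)


def encode_html_attr(s: str) -> str:
    # Quoted attribute context: everything but alphanumerics becomes &#xHH;, so no quote,
    # space or '=' can break out of the attribute even if a template forgot its quotes.
    return re.sub(r"[^A-Za-z0-9]", lambda m: "&#x%X;" % ord(m.group()), s)


def encode_js_string(s: str) -> str:
    # JavaScript string-literal context: JSON escaping, then \uXXXX for < > & and the line
    # terminators U+2028/U+2029, so a "</script>" inside the data cannot close the block.
    out = json.dumps(s)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        out = out.replace(ch, esc)
    return out


def render_profile_insecure(name: str) -> str:
    # The pattern behind reflected and stored XSS: untrusted data pasted straight into markup.
    return "<p>Hello, " + name + "</p>"


def render_profile(name: str) -> str:
    # Each insertion point uses the encoder for its own context.
    return (
        "<p>Hello, " + encode_html_body(name) + "</p>\n"
        '<input name="display" value="' + encode_html_attr(name) + '">\n'
        "<script>var user = " + encode_js_string(name) + ";</script>"
    )
```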
OWASP Top 10 Risks: 4 - Insecure Direct Object References
4 - Insecure Direct Object References
Unauthorized access to objects through Parameter Tampering
4 - Insecure Direct Object References
How Do I Prevent?
- Avoid exposing your private object references to users
- Validate any private object references
- Verify authorization to all referenced objects
- Session indirect object references
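Added example, not from the talk: a per-session indirect reference map beside the direct-id lookup it replaces, with the ownership check still applied on every access. The invoice records and user names are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class ObjectReferenceMap:
    """Per-session indirect references: the client only ever sees random tokens, and a
    token is meaningful only inside the session that minted it."""

    def __init__(self) -> None:
        self._direct_by_token: Dict[str, int] = {}
        self._token_by_direct: Dict[int, str] = {}

    def token_for(self, direct_id: int) -> str:
        tok = self._token_by_direct.get(direct_id)
        if tok is None:
            tok = secrets.token_urlsafe(12)
            self._token_by_direct[direct_id] = tok
            self._direct_by_token[tok] = direct_id
        return tok

    def direct_for(self, token: str) -> Optional[int]:
        return self._direct_by_token.get(token)


@dataclass
class Session:
    refs: ObjectReferenceMap = field(default_factory=ObjectReferenceMap)


# Constructed data store: invoice id -> record.
INVOICES = {
    1001: {"owner": "alice", "total": 42.0},
    1002: {"owner": "bob", "total": 99.5},
}


def get_invoice_insecure(id_param: str) -> Optional[dict]:
    # The slide's flaw: the database id comes straight from the request and nothing checks
    # that the caller owns it, so changing 1001 to 1002 in the URL returns bob's invoice.
    return INVOICES.get(int(id_param))


def list_my_invoices(session: Session, user: str) -> List[str]:
    # Links handed to the user carry indirect references, not database ids.
    return [session.refs.token_for(i) for i, inv in INVOICES.items() if inv["owner"] == user]


def get_invoice(session: Session, user: str, ref: str) -> Optional[dict]:
    direct = session.refs.direct_for(ref)
    if direct is None:
        return None          # not a reference this session was ever given
    inv = INVOICES.get(direct)
    if inv is None or inv["owner"] != user:
        return None          # authorization is still verified on every referenced object
    return inv
```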
OWASP Top 10 Risks: 5 - Security Misconfiguration
5 - Security Misconfiguration
Web Apps exposing server error messages on screen
Default Accounts
5 - Security Misconfiguration
Unprotected Website Directories!
5 - Security Misconfiguration
How Do I Prevent?
- Directory listing disabled on your server
- Disable stack traces being returned to users
- Identical configuration of Dev, QA & Prod, properly locked down with different passwords
- Periodic scans & audits to detect misconfigurations
From OWASP:
Development Guide: Chapter on Configuration
https://www.owasp.org/index.php/Configuration
Testing Guide: Configuration Management
https://www.owasp.org/index.php/Testing_for_configuration_management
OWASP Top 10 Risks: 6 - Sensitive Data Exposure
6 - Sensitive Data Exposure
Sensitive Data not Protected properly!
6 - Sensitive Data Exposure
Example 1: HTTPS only during login (https://OfficeEmail.com: the session runs over HTTP, switches to HTTPS for the login itself, then drops back to HTTP)
Example 2: Man-in-the-middle Attack
6 - Sensitive Data Exposure
How Do I Prevent?
- Strict Transport Security in HTTP Header (converts HTTP to HTTPS at the browser)
- Secured sites should switch entirely to HTTPS
- Encrypt all sensitive data
- Don't store sensitive data unnecessarily; discard it
- Disable autocomplete on forms
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
OWASP Top 10 Risks: 7 - Missing Function Level Access Control
7 - Missing Function Level Access Control
- UI shows navigation to unauthorized functions
- No server side authentication
Example:
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
Access to unauthorized functions
7 - Missing Function Level Access Control
How Do I Prevent?
- "Presentation layer access control" vs. validations at the controller or business logic
- Define specific roles for access to every function
- Establish a solid process for 'Managing Entitlements'
OWASP offers:
ESAPI Access Control API
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html
OWASP Development Guide: Chapter on Authorization
https://www.owasp.org/index.php/Guide_to_Authorization
Testing Guide: Testing for Path Traversal
https://www.owasp.org/index.php/Testing_for_Path_Traversal
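A server-side role check for the two URLs on the previous slide, added here as an example (not code from the talk or ESAPI): the check runs in the dispatcher for every request, beside the menu-hiding-only dispatch that the slide describes as the flaw. The role store and the handlers' responses are constructed.

```python
import functools
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed role store; in a real application this comes from the identity provider.
ROLES: Dict[str, Set[str]] = {"alice": {"user"}, "admin1": {"user", "admin"}}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def require_role(role: str) -> Callable:
    # Server-side check that runs before the handler on every request, regardless of
    # which links the navigation menu showed the user.
    def decorator(fn: Callable) -> Callable:
        @functools.wraps(fn)
        def wrapper(request: dict, *args, **kwargs):
            user = request.get("user")
            if user is None:
                raise Unauthenticated()
            if role not in ROLES.get(user, set()):
                raise Forbidden()
            return fn(request, *args, **kwargs)
        return wrapper
    return decorator


@require_role("user")
def get_app_info(request: dict) -> dict:
    return {"app": "demo", "version": "1.0"}


@require_role("admin")
def admin_get_app_info(request: dict) -> dict:
    return {"app": "demo", "version": "1.0", "db_host": "db.internal.example"}


ROUTES = {"/app/getappInfo": get_app_info, "/app/admin_getappInfo": admin_get_app_info}


def dispatch(path: str, user: Optional[str]) -> Tuple[int, Optional[dict]]:
    handler = ROUTES.get(path)
    if handler is None:
        return 404, None
    try:
        return 200, handler({"user": user})
    except Unauthenticated:
        return 401, None
    except Forbidden:
        return 403, None


def dispatch_insecure(path: str, user: Optional[str]) -> Tuple[int, Optional[dict]]:
    # The slide's flaw: the admin URL is merely left out of the menu; anyone who types it in
    # reaches the function because the server never checks the role.
    handler = ROUTES.get(path)
    if handler is None:
        return 404, None
    return 200, handler.__wrapped__({"user": user})
```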
OWASP Top 10 Risks: 8 - Cross Site Request Forgery (CSRF)
8 - Cross Site Request Forgery (CSRF)
Forged HTTP requests
Easy to detect via Penetration Testing
8 - Cross Site Request Forgery (CSRF)
Example:
1. Victim browses a page from Evil.org.
2. Evil.org crafted an HTML image element that references a script on the victim's bank's website (rather than an image file), for example:
3. If the victim's bank stores his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by the victim's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without the victim's approval.
8 - Cross Site Request Forgery (CSRF)
How Do I Prevent CSRF?
- Include an unpredictable unique Token in each HTTP request
- Token in a hidden field rather than the URL
- Re-authentication via CAPTCHA
OWASP offers:
CSRF Guard to include such tokens in Java EE, .NET, or PHP apps
https://www.owasp.org/index.php/CSRFGuard
Other References:
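Added example (not the talk's or CSRF Guard's code): a per-session CSRF token issued into a hidden form field and verified by the withdrawal handler, beside the cookie-only handler from the scenario on the previous slide. The token here is a random nonce bound to the session id by an HMAC under a server secret, one of several ways to make it unpredictable; the session ids, cookie name and form fields are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Server-side secret, generated at process start here (constructed); in production it is
# loaded from a secret store and shared by every instance that must verify tokens.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    # Unpredictable token bound to the session: random nonce plus HMAC over (session id, nonce).
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)    # constant-time comparison


def render_withdraw_form(session_id: str) -> str:
    # The token rides in a hidden field of the POST body, not in the URL.
    token = issue_csrf_token(session_id)
    return ('<form method="POST" action="/withdraw">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><input name="to"><button>Send</button></form>')


def handle_withdraw_insecure(cookies: Dict[str, str], form: Dict[str, str], method: str) -> int:
    # The slide's flaw: the only credential checked is the session cookie, which the browser
    # attaches automatically, so a request triggered by an <img> on Evil.org succeeds.
    return 401 if cookies.get("session") is None else 200


def handle_withdraw(cookies: Dict[str, str], form: Dict[str, str], method: str) -> int:
    sid = cookies.get("session")
    if sid is None:
        return 401
    if method != "POST":
        return 405            # state changes never happen on GET, so an image fetch cannot trigger one
    if not verify_csrf_token(sid, form.get("csrf_token")):
        return 403            # Evil.org cannot read the victim's page, so it cannot supply this token
    return 200
```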
OWASP Top 10 Risks: 9 - Using Unknown Vulnerable Components
9 - Using Unknown Vulnerable Components
Weak external Components – vulnerable to injection, broken access control, XSS, etc.
9 - Using Unknown Vulnerable Components
Components built by other Developers (Developer -> Dependency):
- Web toolkits
- Widgets
- Runtime engines
- Web servers
- Framework libraries
Etc.

Example:
The following two vulnerable components were downloaded 22m times in 2011!
Every application using these is vulnerable to attack, as both components are directly accessible by application users:
- Apache CXF Authentication Bypass
- Spring Remote Code Execution
9 - Using Unknown Vulnerable Components
How Do I Prevent?
- Upgrade to newer versions
- Establish security policies governing component use, like requiring certain software development practices, passing security tests, and acceptable licenses
OWASP References:
https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
OWASP Top 10 Risks: 10 - Unvalidated Redirects & Forwards
10 - Unvalidated Redirects & Forwards
Easy to detect
10 - Unvalidated Redirects & Forwards
Example:
1. User receives trusted Email containing legitimate Link
2. Hovering on link shows legitimate Website www.trustedsite.com
3. Clicking on link redirects to www.evilsite.com
10 - Unvalidated Redirects & Forwards
How Do I Prevent?
- Simply avoid using redirects and forwards
- If used, don't involve user parameters
- Use OWASP ESAPI to override redirect destinations
OWASP References:
https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
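Added example (not from the talk or ESAPI): validating a redirect parameter against the site's own host, beside the pass-through that produces the trusted-link-to-evilsite hop from the example slide, plus the ESAPI-style alternative of redirecting by key. The parameter name next and the destination table are assumed; the check goes beyond a plain prefix test by also handling protocol-relative, backslash and userinfo forms.

```python
from typing import Dict
from urllib.parse import urljoin, urlsplit

SITE = "https://www.trustedsite.com"      # the application's own origin (host from the slide)
ALLOWED_HOSTS = {"www.trustedsite.com"}
# ESAPI-style override: the request carries a short key and the server maps it to a fixed
# destination, so no user-controlled URL ever reaches the Location header.
NAMED_DESTINATIONS: Dict[str, str] = {"home": "/", "account": "/account", "help": "/help"}


def redirect_insecure(target: str) -> str:
    # The slide's flaw: the redirect parameter (assumed name "next") is used verbatim, so a
    # link to https://www.trustedsite.com/login?next=http://www.evilsite.com hovers as the
    # trusted site and lands on evilsite.
    return target


def safe_redirect_target(target: str) -> str:
    """Return a redirect destination on this site, or "/" if the value cannot be trusted."""
    if not target or len(target) > 2048:
        return "/"
    # Browsers treat backslashes in URLs as slashes, so normalise before parsing.
    t = target.replace("\\", "/").strip()
    parts = urlsplit(t)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return "/"                      # javascript:, data:, file:, ...
    if parts.netloc and parts.netloc.lower() not in ALLOWED_HOSTS:
        return "/"                      # foreign host, including //evil and trusted@evil forms
    if not parts.netloc and not t.startswith("/"):
        return "/"                      # only absolute paths are accepted as relative targets
    resolved = urljoin(SITE + "/", t)
    if urlsplit(resolved).netloc.lower() not in ALLOWED_HOSTS:
        return "/"                      # re-check after resolution against our own origin
    return resolved


def redirect_by_key(key: str) -> str:
    return SITE + NAMED_DESTINATIONS.get(key, "/")
```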
OWASP - A Great start for your Web Apps Security!
- Read the OWASP Top Ten paper!
- Get developers trained in web app security
- Try OWASP WebGoat to learn how flaws work
- Define security rules for your application
- Get expert code review and penetration test periodically
Most Critical Web App Security Risks
Free download available at OWASP.Org
https://www.owasp.org/index.php/Top_10_2013-Top_10
Thank you for your time

Any Questions?

Transform Test Organizations for the New World of DevOpsTechWell
 
The Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—LeadershipThe Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—LeadershipTechWell
 
Resolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile TeamsResolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile TeamsTechWell
 
Pin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile GamePin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile GameTechWell
 
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile TeamsAgile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile TeamsTechWell
 
A Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps ImplementationA Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps ImplementationTechWell
 
Databases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery ProcessDatabases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery ProcessTechWell
 
Mobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to AutomateMobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to AutomateTechWell
 
Cultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for SuccessCultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for SuccessTechWell
 
Turn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile TransformationTurn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile TransformationTechWell
 

Plus de TechWell (20)

Failing and Recovering
Failing and RecoveringFailing and Recovering
Failing and Recovering
 
Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization
 
Test Design for Fully Automated Build Architecture
Test Design for Fully Automated Build ArchitectureTest Design for Fully Automated Build Architecture
Test Design for Fully Automated Build Architecture
 
System-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good StartSystem-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good Start
 
Build Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test StrategyBuild Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test Strategy
 
Testing Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for SuccessTesting Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for Success
 
Implement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlowImplement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlow
 
Develop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your SanityDevelop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your Sanity
 
Ma 15
Ma 15Ma 15
Ma 15
 
Eliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps StrategyEliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps Strategy
 
Transform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOpsTransform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOps
 
The Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—LeadershipThe Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—Leadership
 
Resolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile TeamsResolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile Teams
 
Pin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile GamePin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile Game
 
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile TeamsAgile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
 
A Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps ImplementationA Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps Implementation
 
Databases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery ProcessDatabases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery Process
 
Mobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to AutomateMobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to Automate
 
Cultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for SuccessCultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for Success
 
Turn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile TransformationTurn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile Transformation
 

Dernier

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

Dernier (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 

Oh, WASP! Security Essentials for Web Apps

  • 5. Credits & References
    - Documents copyrighted Open Web Application Security Project, and freely downloaded from www.owasp.org.
    - OWASP Top Ten titled "The Ten Most Critical Web Application Security Vulnerabilities" 2013 update. https://www.owasp.org/index.php/Top_10_2013-Top_10
    - The OWASP Tutorial Series by Jerry Hoff https://www.owasp.org/index.php/Main_Page https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
    - Several Application Security Testing related sites and content on the web like iTeach etc.
    3 | ©2013, Cognizant www.owasp.org
  • 6. What is Web Application Security?
    - Not Network Security
    - Starts in the initial planning stages
    - Continues through coding, testing, and deployment
    - Doesn’t finish until the lifecycle is completely finished
    Likelihood of a successful web application attack
    - A web application is attacked at 1-in-3 days on average
    - Easy to exploit without special tools or knowledge
    - Little chance of being detected
    Consequences:
    - Unauthorized Access to web and application servers
    - Database Corruption and Disclosure of contents
    - Breach in user authentication and access control
    - Website defacement
  • 7. [Chart: Percentage of Websites Vulnerability by Class]
    Who are we up against? (Who / What / Why)
    - Organized Crime: Cash
    - Espionage (Nation State & Corporate): Data Theft & Intellectual Property; Competitive Advantage
    - Hackers / Script Kiddies: Data & Identity Theft, Defacement & Denial of Service; Ego & Credibility building
  • 8. Most sites are not secure… An attacker can access unauthorized data and attack users through your website!
  • 9. Look at the Web App through the eyes of an Attacker
  • 10. Hot Spots for an Attacker
  • 11. Recent Security Flaws…
    Real Attack on the Australian Tax office
    - Attacker changed the tax id in the URL, got info on 17,000 companies
    Bank Website Hacked! (Aug 15, 2013)
    http://articles.timesofindia.indiatimes.com/2013-08-15/delhi/41412603_1_bank-accountsarun-kumar-machines
  • 12. So, how can we fix this?
  • 13. OWASP - What is that?
    Open Web Application Security Project www.owasp.org
    - International not-for-profit charitable Open Source Org
    - Top Ten
    - Guides towards Building Secure Web Apps, Application Testing, Code Reviews
    - OWASP Resources and Community: Documentation & Wiki, Code Projects, Chapters, Conferences
    - Participation in OWASP is free and open to all!
  • 14. Most Critical Web App Security Risks https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 15. OWASP Top 10 Risks: 1 Injection
  • 17. 1 - Injection
    String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
    With id=209907 (Web Server -> DB: returns 1 row):
    String query = "SELECT * FROM accounts WHERE custID='" + 209907 + "'";
    With id=209907' or '1'='1 (the quote closes the literal and the OR clause matches every row):
    String query = "SELECT * FROM accounts WHERE custID='" + "209907' or '1'='1" + "'";
  • 18. 1 - Injection: How do I Prevent 'Injection'?
    - Use Parameterized Queries
    - Stored Procedures instead of Dynamic SQL
    - OWASP ESAPI
    - Whitelist Input validation
    https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
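The concatenated query from slide 17 beside the parameterized and whitelisted forms slide 18 recommends, as an added Python example that is not from the deck or from OWASP. The `accounts` rows, the column names and the digits-only rule for `custID` are constructed for the demonstration; the point is the row counts each lookup returns for the same input.

```python
"""Added example: the slide's string-built query beside its hardened forms,
run against a constructed in-memory SQLite table."""
import re
import sqlite3

# Constructed sample data standing in for the slide's `accounts` table.
SAMPLE_ACCOUNTS = [
    ("209907", "alice", 1200.00),
    ("315522", "bob", 85.50),
    ("490011", "carol", 9000.00),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with SAMPLE_ACCOUNTS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, cust_id: str) -> list:
    """The slide's pattern: the request parameter is concatenated into the SQL
    text, so a quote character in `cust_id` changes the query's structure."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, cust_id: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL
    text, so the engine treats it as data whatever characters it contains."""
    query = "SELECT * FROM accounts WHERE custID=?"
    return conn.execute(query, (cust_id,)).fetchall()


# Constructed whitelist rule: a customer id is 1 to 12 digits, nothing else.
CUST_ID_RE = re.compile(r"[0-9]{1,12}")


def lookup_whitelisted(conn: sqlite3.Connection, cust_id: str) -> list:
    """Defence in depth: validate the input's shape before the parameterized
    query, so malformed ids are rejected up front and logged as such."""
    if not CUST_ID_RE.fullmatch(cust_id):
        raise ValueError("custID must be 1-12 digits")
    return lookup_parameterized(conn, cust_id)


if __name__ == "__main__":
    db = make_db()
    benign = "209907"
    hostile = "209907' or '1'='1"   # the injected value shown on slide 17
    print(len(lookup_vulnerable(db, benign)), "row(s) for benign input")
    print(len(lookup_vulnerable(db, hostile)), "row(s) leaked by concatenation")
    print(len(lookup_parameterized(db, hostile)), "row(s) with a bound parameter")
```

With the bound parameter the hostile string is compared literally against `custID` and matches nothing; the whitelist rejects it before any query runs, which is also the right place to raise an alert.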
  • 19. OWASP Top 10 Risks: 2 Broken Authentication & Session Management
  • 20. 2 - Broken Authentication & Session Mgmt
    - Authentication credentials aren’t protected when stored using hashing or encryption
    - Weak account management functions
    - Session IDs are exposed in the URL
    - Session IDs don’t time out, don’t rotate after login
  • 21. 2 - Broken Authentication & Session Mgmt
    Scenario 1 – Session id in URL
    http://myairline.com/sale/saleitems;jsessionid=47HDFKWkJDS8723HAUG12HG?dest=Sydney
    - An authenticated User shares the airline offer (link)
    - The link has his session id since the app supports URL rewriting
    - When friends open the link, they have access to his session, Credit card etc.
    Scenario 2 – Improper Application Timeouts
    - User accesses the site on a public computer
    - Closes the browser instead of logging out
    - Attacker uses the same browser shortly after; the browser is still authenticated
    Scenario 3 – No restriction on Login attempts
    - In 2009, an attacker gained admin access to a Twitter server due to no restriction on the no. of login attempts.
    - Attacker targets a support staff's password using “brute force”
    - Gains admin access to 33 accounts belonging to celebrities, politicians
  • 22. 2 - Broken Authentication & Session Mgmt: How do I Prevent ‘Authentication’ and ‘Session’ related risks?
    A single set of strong authentication and session management controls. Such controls should strive to:
    - Meet all the authentication and session management requirements defined in OWASP’s Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management). https://www.owasp.org/index.php/ASVS
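A minimal server-side session store that answers the three scenarios on slide 21 (session id carried only in a cookie, idle timeout, a cap on failed logins) and the two points on slide 20 about rotating the id after login and storing credentials hashed. This is an added Python example, not code from the deck or from the ASVS; the timeout and lockout values, the `SessionManager` API and the injectable clock are all constructed for illustration.

```python
"""Added example: session ids in cookies only, idle timeout, rotation on
login, login lockout and salted password hashing, with an injectable clock."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT_SEC = 15 * 60   # constructed policy: expire after 15 min idle
MAX_FAILED_LOGINS = 5        # constructed policy: lock after 5 failures
LOCKOUT_SEC = 15 * 60        # constructed policy: lock for 15 min


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 (slide 20: never store credentials bare)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


@dataclass
class Session:
    user: Optional[str] = None           # None until login succeeds
    last_seen: float = field(default_factory=time.time)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class SessionManager:
    def __init__(self, now=time.time):
        self.now = now                   # clock is injectable for tests
        self.sessions: Dict[str, Session] = {}
        self.users: Dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[user] = Account(salt, digest)

    def new_session(self) -> str:
        """128-bit id from the OS CSPRNG, never derived from user data."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(last_seen=self.now())
        return sid

    def cookie_header(self, sid: str) -> str:
        """Scenario 1: the id travels only as a cookie, never in the URL."""
        return f"Set-Cookie: SESSIONID={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

    def touch(self, sid: str) -> Optional[Session]:
        """Scenario 2: return the live session, or None if unknown or idle too long."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.now() - s.last_seen > IDLE_TIMEOUT_SEC:
            del self.sessions[sid]
            return None
        s.last_seen = self.now()
        return s

    def login(self, sid: str, user: str, password: str) -> Optional[str]:
        """Scenario 3: count failures and lock the account; on success discard
        the pre-login id and issue a fresh one (slide 20: rotate after login)."""
        acct = self.users.get(user)
        if acct is None or self.now() < acct.locked_until:
            return None
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failures += 1
            if acct.failures >= MAX_FAILED_LOGINS:
                acct.locked_until = self.now() + LOCKOUT_SEC
            return None
        acct.failures = 0
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid].user = user
        return new_sid

    def logout(self, sid: str) -> None:
        """Explicit logout destroys the server-side record, not just the cookie."""
        self.sessions.pop(sid, None)
```

The lockout counter lives on the account rather than on the session, because an attacker guessing passwords will not keep the same session; the constant-time digest comparison avoids leaking which bytes of the hash matched.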
  • 23. OWASP Top 10 Risks: 3 Cross Site Scripting (XSS)
  • 24. 3 - Cross Site Scripting (XSS) XSS is targeted at other users’ browsers
  • 25. 3 - Cross Site Scripting (XSS) Using JavaScript, an attacker can steal the Session ID / cookie, rewrite web pages etc.
  • 26. 3 - Cross Site Scripting (XSS): How do I Prevent ‘XSS'?
    - Data Escaping techniques
    - Contextual Encoding
    - Auto-Sanitization Libraries
    - Content Security Policy (CSP)
    - Whitelist Input validation
    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
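Contextual encoding as slide 26 lists it, shown as an added Python example (not from the deck or from the OWASP cheat sheet): the same untrusted value is placed into an HTML body, an HTML attribute, a URL attribute and a JavaScript string, each with the encoder that context needs, and a Content-Security-Policy header is emitted alongside. The profile template, the `safe_href` helper and the hostile sample name are constructed.

```python
"""Added example: one encoder per output context plus a CSP header."""
import html
import json
from urllib.parse import urlsplit


def encode_html_text(value: str) -> str:
    """HTML body context: escape &, <, > and both quote characters."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Attribute context: escape, and always wrap in double quotes so a
    space or '=' inside the value cannot start a new attribute."""
    return '"' + html.escape(value, quote=True) + '"'


def safe_href(url: str) -> str:
    """URL context: escaping alone does not stop javascript: links, so only
    http(s) schemes are accepted; anything else becomes a harmless anchor."""
    if urlsplit(url.strip()).scheme.lower() in ("http", "https"):
        return encode_html_attr(url)
    return '"#"'


def encode_js_string(value: str) -> str:
    """JavaScript string context: json.dumps gives a quoted JS literal; '<'
    and '>' are escaped as well so '</script>' cannot close the block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


# Constructed policy: scripts only from the site's own origin, no plugins.
CSP_HEADER = ("Content-Security-Policy: default-src 'self'; "
              "script-src 'self'; object-src 'none'")


def render_profile(display_name: str, homepage: str) -> str:
    """Constructed template: each insertion point uses its own context encoder."""
    return (
        "<p>Hello, " + encode_html_text(display_name) + "</p>\n"
        "<a href=" + safe_href(homepage) + ">home</a>\n"
        "<script>var user = " + encode_js_string(display_name) + ";</script>"
    )


# Constructed hostile profile name of the kind a user field might receive.
SAMPLE_NAME = "Mallory <script>alert(1)</script>"

if __name__ == "__main__":
    print(render_profile(SAMPLE_NAME, "https://example.com/"))
    print(CSP_HEADER)
```

The CSP line is the second layer: even if an encoder is missed somewhere, inline script injected into the page is not executed under a `script-src 'self'` policy, and the browser reports the violation.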
  • 27. OWASP Top 10 Risks: 4 Insecure Direct Object References
  • 28. 4 - Insecure Direct Object References Unauthorized access to objects through Parameter Tampering
  • 29. 4 - Insecure Direct Object References [Figure: walkthrough in numbered steps 1–6]
  • 30. 4 - Insecure Direct Object References: How Do I Prevent?
    - Avoid exposing your private object references to users
    - Validate any private object references
    - Verify authorization to all referenced objects
    - Use session-based indirect object references
  • 31. OWASP Top 10 Risks: 5 Security Misconfiguration
  • 32. 5 - Security Misconfiguration
    - Web Apps exposing server error messages on screen
    - Default Accounts
  • 33. 5 - Security Misconfiguration Unprotected Website Directories!
  • 34. 5 - Security Misconfiguration: How Do I Prevent?
    - Directory listing disabled on your server
    - Disable stack traces from being returned to users
    - Identical configuration of Dev, QA & Prod, properly locked down with different passwords
    - Periodic scans & audits to detect misconfigurations
    From OWASP:
    Development Guide: Chapter on Configuration https://www.owasp.org/index.php/Configuration
    Testing Guide: Configuration Management https://www.owasp.org/index.php/Testing_for_configuration_management
  • 35. OWASP Top 10 Risks: 6 Sensitive Data Exposure
  • 36. 6 - Sensitive Data Exposure Sensitive Data not Protected properly!
  • 37. 6 - Sensitive Data Exposure
    Example 1: HTTPS only during login (https://OfficeEmail.com: HTTP -> HTTPS -> HTTP)
    Example 2: Man-in-the-middle Attack
  • 38. 6 - Sensitive Data Exposure: How Do I Prevent?
    - Strict Transport Security in the HTTP Header (converts HTTP to HTTPS at the browser)
    - Secured sites should switch entirely to HTTPS
    - Encrypt all sensitive data
    - Don’t store sensitive data unnecessarily – Discard it
    - Disable autocomplete on forms
    https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
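The "periodic scans & audits" bullet on slide 34 and the transport items on slide 38 can be turned into checks that run in CI. As an added Python example (not from the deck, and not a real scanner), the block below audits a constructed server configuration for the slide 34 items (directory listing, stack traces, default accounts) and a captured HTTPS response for the slide 38 items (Strict-Transport-Security with a long max-age, Secure cookies, autocomplete on password fields). The config keys, the default-credential list and the sample response are all constructed; map them onto your own server's settings.

```python
"""Added example: configuration and response-header audit for the
misconfiguration and transport-security items on slides 34 and 38."""
from typing import Dict, List

# Constructed inventory of well-known default credentials to look for.
DEFAULT_ACCOUNTS = {("admin", "admin"), ("admin", "password"), ("tomcat", "tomcat")}
ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age


def audit_server(cfg: Dict) -> List[str]:
    """Slide 34 items, checked against a constructed config dictionary."""
    findings = []
    if cfg.get("directory_listing", False):
        findings.append("directory listing enabled")
    if cfg.get("show_stack_traces", False):
        findings.append("stack traces returned to users")
    for user, pwd in cfg.get("accounts", []):
        if (user, pwd) in DEFAULT_ACCOUNTS:
            findings.append(f"default account {user!r} still active")
    if cfg.get("env") == "prod" and cfg.get("debug", False):
        findings.append("debug mode enabled in production")
    return findings


def audit_response(url: str, headers: Dict, body: str = "") -> List[str]:
    """Slide 38 items, checked against one captured response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("page served over plain HTTP")
    hsts = h.get("strict-transport-security", "")
    if "max-age=" not in hsts:
        findings.append("Strict-Transport-Security header missing")
    else:
        max_age = int(hsts.split("max-age=")[1].split(";")[0].strip())
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age too short ({max_age}s)")
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        if "secure" not in cookie.lower():
            findings.append(f"cookie without Secure flag: {cookie.split('=')[0]}")
    if 'type="password"' in body and 'autocomplete="off"' not in body:
        findings.append("password field without autocomplete=off")
    return findings


# Constructed samples: a production config and a login-page response.
SAMPLE_CONFIG = {
    "env": "prod", "debug": True, "directory_listing": True,
    "show_stack_traces": False,
    "accounts": [("admin", "admin"), ("svc_reports", "constructed-strong-pw")],
}
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": ["SESSIONID=abc123; HttpOnly", "theme=dark; Secure"],
}
SAMPLE_BODY = '<input type="password" name="pw">'

if __name__ == "__main__":
    for f in audit_server(SAMPLE_CONFIG) + audit_response(
            "https://officeemail.example/login", SAMPLE_HEADERS, SAMPLE_BODY):
        print("FINDING:", f)
```

The autocomplete check is included because the slide lists it; current browsers largely ignore `autocomplete="off"` on password fields, so treat that finding as low severity next to a missing HSTS header or a session cookie without `Secure`.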
  • 39. OWASP Top 10 Risks: 7 Missing Function Level Access Control
  • 40. 7 - Missing Function Level Access Control
    - UI shows navigation to unauthorized functions
    - No server side authentication
    Example: Access to unauthorized functions
    http://example.com/app/getappInfo
    http://example.com/app/admin_getappInfo
  • 41. 7 - Missing Function Level Access Control: How Do I Prevent?
    - Don’t rely on “presentation layer access control”; validate at the controller or business logic layer
    - Define specific roles for access to every function
    - Establish a solid process for ‘Managing Entitlements’
    OWASP offers:
    ESAPI Access Control API http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html
    OWASP Development Guide: Chapter on Authorization https://www.owasp.org/index.php/Guide_to_Authorization
    Testing Guide: Testing for Path Traversal https://www.owasp.org/index.php/Testing_for_Path_Traversal
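Slides 30 and 41 describe two halves of the same control: a role check on every function (getappInfo vs admin_getappInfo on slide 40) and an ownership check plus session-scoped indirect references on every object. The added Python example below implements both in one place on the server, independent of what the UI displays. It is not ESAPI's AccessController and not code from the deck; the role table, users, documents and the `IndirectRefs` class are constructed.

```python
"""Added example: function-level role checks and object-level ownership
checks with per-session indirect object references."""
import secrets
from typing import Dict

# Constructed role model: which roles may invoke which function.
FUNCTION_ROLES = {
    "getappInfo": {"user", "admin"},
    "admin_getappInfo": {"admin"},
}

# Constructed users and documents (doc id -> (owner, body)).
USERS = {"alice": {"user"}, "bob": {"user"}, "root": {"admin"}}
DOCUMENTS = {101: ("alice", "alice's invoice"), 102: ("bob", "bob's invoice")}


class AccessDenied(Exception):
    pass


def check_function(user: str, function: str) -> None:
    """Function-level control: deny unless the caller holds a permitted role.
    Unknown functions have no roles and are therefore denied by default."""
    allowed = FUNCTION_ROLES.get(function, set())
    if not USERS.get(user, set()) & allowed:
        raise AccessDenied(f"{user} may not call {function}")


def call(user: str, function: str) -> str:
    """Constructed dispatcher: the check runs before any handler logic."""
    check_function(user, function)
    return f"{function} result for {user}"


class IndirectRefs:
    """Per-session map from random opaque tokens to real object ids, so the
    client never sees, and cannot increment, the direct database key."""

    def __init__(self) -> None:
        self._map: Dict[str, int] = {}

    def ref_for(self, doc_id: int) -> str:
        token = secrets.token_urlsafe(8)
        self._map[token] = doc_id
        return token

    def resolve(self, token: str) -> int:
        if token not in self._map:
            raise AccessDenied("unknown object reference")
        return self._map[token]


def list_documents(user: str, refs: IndirectRefs) -> Dict[str, str]:
    """What a listing page returns: tokens, not ids, for the user's own docs."""
    return {refs.ref_for(i): body
            for i, (owner, body) in DOCUMENTS.items() if owner == user}


def read_document(user: str, refs: IndirectRefs, token: str) -> str:
    """Object-level control: resolve the indirect reference, then verify that
    the caller owns the object before returning it (slide 30's last bullet)."""
    doc_id = refs.resolve(token)
    owner, body = DOCUMENTS[doc_id]
    if owner != user:
        raise AccessDenied(f"{user} does not own document {doc_id}")
    return body
```

The ownership check in `read_document` stays even though the token map already limits what a session can name: a token copied from one session into another, or a future bug in the listing code, must still fail at the last line of defence.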
  • 42. OWASP Top 10 Risks: 8 Cross Site Request Forgery (CSRF)
  • 43. 8 - Cross Site Request Forgery (CSRF) Forged HTTP requests. Easy to detect via Penetration Testing
  • 44. 8 - Cross Site Request Forgery (CSRF) Example:
    1. Victim browses a page from Evil.org.
    2. Evil.org crafted an HTML image element that references a script on the victim's bank's website (rather than an image file), for example:
    3. If the victim's bank stores his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by the victim's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without the victim's approval.
  • 45. 8 - Cross Site Request Forgery (CSRF): How Do I Prevent CSRF?
    - Include an unpredictable unique Token in each HTTP request
    - Token in a hidden field rather than the URL
    - Re-authentication via CAPTCHA
    OWASP offers: CSRF Guard to include such tokens in Java EE, .NET, or PHP apps https://www.owasp.org/index.php/CSRFGuard
    Other References:
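The token pattern from slide 45, as an added Python example (not OWASP CSRFGuard and not code from the deck): one unpredictable token per session is rendered into a hidden form field and verified on every state-changing request. The forged image request from slide 44 carries the victim's cookie but cannot carry the token, so the constructed `handle_withdraw` endpoint rejects it. The class name, the session id and the form shape are constructed.

```python
"""Added example: synchronizer token for CSRF, verified server-side."""
import hmac
import secrets
from typing import Dict, Optional, Tuple


class CsrfProtector:
    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}   # session id -> token

    def token_for(self, session_id: str) -> str:
        """One random token per session, reused for the session's lifetime."""
        return self._tokens.setdefault(session_id, secrets.token_urlsafe(32))

    def hidden_field(self, session_id: str) -> str:
        """Slide 45: the token goes in a hidden field, not in the URL, so it
        never lands in logs, Referer headers or shared links."""
        return ('<input type="hidden" name="csrf_token" value="'
                + self.token_for(session_id) + '">')

    def verify(self, session_id: str, submitted: Optional[str]) -> bool:
        """Bound to the session: a token from another session does not pass."""
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)


def handle_withdraw(protector: CsrfProtector, session_id: str,
                    form: Dict[str, str]) -> Tuple[int, str]:
    """Constructed bank endpoint: the session cookie alone is not enough.
    A cross-site <img> or auto-submitted form supplies the cookie (the
    browser attaches it) but has no way to read the token."""
    if not protector.verify(session_id, form.get("csrf_token")):
        return 403, "CSRF check failed"
    return 200, f"withdrew {form['amount']}"


if __name__ == "__main__":
    p = CsrfProtector()
    sid = "session-abc"                      # constructed session id
    print(p.hidden_field(sid))
    print(handle_withdraw(p, sid, {"amount": "100"}))           # forged: no token
    print(handle_withdraw(p, sid, {"amount": "100",
                                   "csrf_token": p.token_for(sid)}))
```

Pair the token with a `SameSite` attribute on the session cookie; the two defences fail independently, which is what you want for a control that guards money movement.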
  • 46. OWASP Top 10 Risks: 9 Using Unknown Vulnerable Components
  • 47. 9 - Using Unknown Vulnerable Components Weak external Components – vulnerable to injection, broken access control, XSS, etc.
  • 48. 9 - Using Unknown Vulnerable Components
    Components built by other Developers (Developer -> Dependency):
    - Web toolkits
    - Widgets
    - Runtime engines
    - Web servers
    - Framework libraries
    Etc.
    Example: The following two vulnerable components were downloaded 22m times in 2011! Every application using these is vulnerable to attack, as both components are directly accessible by application users:
    - Apache CXF Authentication Bypass
    - Spring Remote Code Execution
  • 49. 9 - Using Unknown Vulnerable Components: How Do I Prevent?
    - Upgrade to newer versions
    - Establish security policies governing component use, like requiring certain software development practices, passing security tests, and acceptable licenses
    OWASP References: https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
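A component-use policy of the kind slide 49 describes needs an inventory and a comparison against known-affected version ranges. The added Python example below (not from the deck, and not a real vulnerability feed) parses a constructed requirements-style manifest and reports each dependency whose version falls inside a constructed advisory range. The advisory ids are labelled placeholders; in practice the list is fed from an advisory source and the check runs in CI on every dependency change.

```python
"""Added example: match a dependency manifest against advisory version ranges."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Dotted numeric versions only (constructed simplification; real
    ecosystems need their own version-ordering rules)."""
    return tuple(int(p) for p in s.strip().split("."))


def parse_manifest(text: str) -> Dict[str, Version]:
    """Lines of `name==version`, with '#' comments and blank lines ignored."""
    deps: Dict[str, Version] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, ver = line.split("==", 1)
        deps[name.strip().lower()] = parse_version(ver)
    return deps


# Constructed advisories: (component, first affected, first fixed, advisory id).
# The ids are placeholders, not real identifiers.
ADVISORIES = [
    ("examplelib", "1.0.0", "1.4.2", "PLACEHOLDER-ADV-001"),
    ("widgetkit", "0.0.0", "2.1.0", "PLACEHOLDER-ADV-002"),
]


def find_vulnerable(deps: Dict[str, Version]) -> List[Tuple[str, str, str, str]]:
    """Return (name, installed, advisory id, first fixed) for each hit;
    the range is first_affected <= installed < first_fixed."""
    hits = []
    for name, first_affected, first_fixed, adv in ADVISORIES:
        installed = deps.get(name)
        if installed is None:
            continue
        if parse_version(first_affected) <= installed < parse_version(first_fixed):
            hits.append((name, ".".join(map(str, installed)), adv, first_fixed))
    return hits


# Constructed manifest: one affected, one already at the fixed version, one unrelated.
SAMPLE_MANIFEST = """
examplelib==1.3.0   # affected range
widgetkit==2.1.0    # first fixed version
otherlib==5.0.1
"""

if __name__ == "__main__":
    for name, installed, adv, fixed in find_vulnerable(parse_manifest(SAMPLE_MANIFEST)):
        print(f"{name} {installed}: {adv}, upgrade to >= {fixed}")
```

The check deliberately treats the first fixed version as not affected and everything below it as affected, which is the conservative reading when an advisory gives only a fix version; transitive dependencies need the same treatment and are the ones most often missed.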
  • 50. OWASP Top 10 Risks: 10 Unvalidated Redirects & Forwards
  • 51. 10 - Unvalidated Redirects & Forwards Easy to detect
  • 52. 10 - Unvalidated Redirects & Forwards Example:
    1. User receives a trusted Email containing a legitimate Link
    2. Hovering on the link shows the legitimate Website www.trustedsite.com
    3. Clicking on the link redirects to www.evilsite.com
  • 53. 10 - Unvalidated Redirects & Forwards: How Do I Prevent?
    - Simply avoid using redirects and forwards
    - If used, don’t involve user parameters
    - Use OWASP ESAPI to override redirect destinations
    OWASP References: https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
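When a redirect parameter cannot be avoided, slide 53's advice comes down to never letting the user-supplied value pick the destination host. The added Python example below (not from the deck and not ESAPI) validates a `next`-style parameter against an allow-list, accepting only same-site relative paths or absolute URLs whose host is on the list, and falling back to a fixed page otherwise. The allow-list, fallback and sample inputs are constructed; the inputs cover the forms a validator most often gets wrong (scheme-relative URLs, user-info before `@`, backslashes, non-http schemes, look-alike subdomains), so the slide 52 scenario of a trusted link landing on www.evilsite.com is caught.

```python
"""Added example: allow-list validation for a redirect target parameter."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.trustedsite.com", "trustedsite.com"}   # constructed
FALLBACK = "https://www.trustedsite.com/"                     # constructed


def safe_redirect_target(raw: str) -> str:
    """Return `raw` only if it stays on the site; otherwise FALLBACK."""
    if not raw:
        return FALLBACK
    # Browsers treat backslashes as slashes, so normalise before parsing.
    candidate = raw.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    # Relative target: a single leading '/' only. '//host' is scheme-relative
    # and would leave the site, so it is not accepted here.
    if not parts.scheme and not parts.netloc:
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return FALLBACK

    # Absolute target: http(s) only, and the host must be on the allow-list.
    if parts.scheme.lower() not in ("http", "https"):
        return FALLBACK
    # `hostname` drops user-info and port, so 'trustedsite.com@evil' yields
    # 'evil', and 'trustedsite.com.evil' is simply not in the set.
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return FALLBACK
    return candidate


if __name__ == "__main__":
    # Constructed inputs as they might arrive in ?next=...
    for sample in ["/account/settings",
                   "https://www.trustedsite.com/offers?x=1",
                   "//www.evilsite.com/",
                   "https://www.trustedsite.com@www.evilsite.com/"]:
        print(f"{sample!r} -> {safe_redirect_target(sample)!r}")
```

Logging the rejected values is worthwhile: a burst of fallbacks on the login redirect is an early sign that someone is testing the parameter.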
  • 54. OWASP - A Great start for your Web Apps Security!
    - Read the OWASP Top Ten paper!
    - Get developers trained in web app security
    - Try OWASP WebGoat to learn how flaws work
    - Define security rules for your application
    - Get expert code review and penetration test periodically
  • 55. Most Critical Web App Security Risks: Free download available at OWASP.Org https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 56. Thank you for your time. Any Questions?