SlideShare une entreprise Scribd logo

OWASP Top 10 And Insecure Software Root Causes

Télécharger en tant que PPT, PDF
Marco Morana
Marco Morana
Technologie
1  sur  67
Web Application Vulnerabilities and Insecure Software Root Causes: The OWASP Top 10 Cincinnati Chapter Meeting February 26 th , 2008 Marco Morana
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Application Security and The Medical Metaphor ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Focus on the root cause: Insecure software.. … and still keep a 360 degree perspective: People, Process and Tools
Process perspective: Build Security in the SDLC
Software Security Strategy ,[object Object]
Essential Elements For Secure Coding Standards/Guidelines ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Common Security Issues: The OWASP Top 10 ,[object Object],[object Object],[object Object],[object Object],[object Object]
Common Security Issues: OWASP Top 10 2007 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Common Security Issues: Top 10 Methodology ,[object Object]
Common Security Issues: 2007 T10 vs. 2004 T10 29 10. Insecure Configuration Management 17 9. Denial of Service 4, 8, and 10 5. Buffer Overflows 7 1. Unvalidated Input 14 2. Broken Access Control (split in 2007 T10) 10. Failure to Restrict URL Access 8 Discussed under 10 9. Insecure Communications (NEW) 8 8. Insecure Storage 8. Insecure Cryptographic Storage 14 3. Broken Authentication and Session Management 7. Broken Auth. and Session Management 6 7. Improper Error Handling 6. Info Leakage and Improper Error Handling 36 5. Cross Site Request Forgery (CSRF) (NEW) 5 2. Broken Access Control (split in 2007 T10) 4. Insecure Direct Object Reference 3 3. Insecure Remote File Include (NEW) 2 6. Injection Flaws 2. Injection Flaws 1 4. Cross Site Scripting (XSS) 1. Cross Site Scripting (XSS) MITRE 2006 Raw Ranking OWASP Top 10 2004 OWASP Top 10 2007
Security Threats and OWASP T10 Vulnerabilities ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Security Threats and OWASP T10 Vulnerabilities (Cont) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A1: Cross Site Scripting ,[object Object],[object Object],[object Object],[object Object],[object Object]
A1: Cross Site Scripting - Insecure Software Root Cause ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A1: Cross Site Scripting -How to find the potential vulnerability ,[object Object],[object Object],[object Object]
A1: Cross Site Scripting -How to find the potential vulnerability
A1: Cross Site Scripting - Secure coding requirement ,[object Object],[object Object],[object Object],[object Object],[object Object]
A2: Injection Flaws ,[object Object],[object Object]
A2: Injection Flaws –SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A2: Injection Flaws –SQL Injection Attack Illustrated 3 Attacker sends data containing SQL fragments Attacker enters SQL fragments into a web page that uses input in a query 1 Attacker views unauthorized data Custom Code Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Database 2 Application sends modified query to database, which executes it
A2: Injection Flaws-SQL Injection - Insecure Software Root Cause ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A2: Injection Flaws-SQL SQL Injection– How To Find The Potential Vulnerability ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A2: Injection Flaws-SQL Injection - Secure coding requirements ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A3: Malicious File Execution ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A3: Malicious File Execution - Insecure Software Root Cause ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A3: Malicious File Execution – How To Find the Vulnerability ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A3: Malicious File Execution – Secure Coding Requirement ,[object Object],[object Object],[object Object],[object Object]
A4: Insecure Direct Object Reference ,[object Object],[object Object],[object Object],[object Object]
A4: Insecure Direct Object Reference: Insecure Root Causes ,[object Object],[object Object],[object Object],[object Object],[object Object]
A4: Insecure Direct Object Reference: How You Can Find If You Are Vulnerable ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A4: Insecure Direct Object Reference - How You Can Find If You Are Vulnerable
A4: Insecure Direct Object Reference - How You Can Find If You Are Vulnerable
A4: Insecure Direct Object Reference - Secure Coding Requirement ,[object Object],[object Object],[object Object],[object Object]
A5:Cross Site Request Forgery ,[object Object],[object Object],[object Object],[object Object]
A5:Cross Site Request Forgery
A5:Cross Site Request Forgery- in-secure software root causes ,[object Object],[object Object],[object Object],[object Object]
A5: CSRF : How You Can Find If You Are Vulnerable ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A5: CSRF : Secure Coding Requirements ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A6: Information Leakage and Improper Error Handling ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A6: Information Leakage and Improper Error Handling
A6:Information Leakage and Improper Error Handling- insecure software root cause ,[object Object],[object Object],[object Object],[object Object]
A6:Information Leakage and Improper Error Handling- How You Can Find If You Are Vulnerable: Black Box Testing ,[object Object],[object Object],[object Object],[object Object]
A6:Information Leakage and Improper Error Handling- How You Can Find If You Are Vulnerable: White Box Testing ,[object Object],[object Object],[object Object],[object Object]
A6:Information Leakage and Improper Error Handling -Secure Coding Requirement ,[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],A7: Broken Authentication and Session Management
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A7:Broken Authentication and Session Management
A7: Broken Authentication - insecure software root cause ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A7: Session Management - insecure software root cause ,[object Object],[object Object],[object Object],[object Object],[object Object]
A7: Broken Authentication - How You Can Find If You Are Vulnerable ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A7: Session Management - How You Can Find If You Are Vulnerable ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A7: Session Management -Secure Coding Requirements ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A7: Broken Authentication -Secure Coding Requirement ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A8:Insecure Cryptographic Storage
A8: insecure Cryptographic Storage - insecure software root cause ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A8: Insecure Cryptographic Storage - How You Can Find If You Are Vulnerable ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A8: Insecure Cryptographic Storage -Secure Coding Requirements ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A9: Insecure Communication
A9 Insecure Communication - insecure software root cause ,[object Object],[object Object]
A9 Insecure Communication - How You Can Find If You Are Vulnerable ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A9 Insecure Communication - How You Can Find If You Are Vulnerable
A9: Insecure Communication -Secure Coding Requirement ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],[object Object],A10: Failure to restrict URL access
A10 Failure to restrict URL access - insecure software root cause ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A10 Failure to restrict URL access - How You Can Find If You Are Vulnerable ,[object Object],[object Object],[object Object],[object Object],[object Object]
A10: Failure to restrict URL access -Secure Coding Requirement ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Thank You

Recommandé

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 

Recommandé

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat ModelingMiriam Celi, CISSP, GISP, MSCS, MBA
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modellingn|u - The Open Security Community
 
Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for JavaSébastien GIORIA
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Aymeric Lagier
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationPECB
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Penetration Security Testing
Penetration Security TestingPenetration Security Testing
Penetration Security TestingSanjulika Rastogi
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationOnwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 

Contenu connexe

Tendances

Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Aymeric Lagier
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationPECB
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Penetration Security Testing
Penetration Security TestingPenetration Security Testing
Penetration Security TestingSanjulika Rastogi
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 

Tendances (20)

Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for Java
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depth
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Penetration Security Testing
Penetration Security TestingPenetration Security Testing
Penetration Security Testing
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
Web application security
Web application securityWeb application security
Web application security
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 

Similaire à OWASP Top 10 And Insecure Software Root Causes

Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Vaibhav Gupta
 
Application security [appsec]
Application security [appsec]Application security [appsec]
Application security [appsec]Judy Ngure
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Top Security Threats for .NET Developers
Top Security Threats for .NET DevelopersTop Security Threats for .NET Developers
Top Security Threats for .NET DevelopersMikhail Shcherbakov
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017SamsonMuoki
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure codeMiva
 

Similaire à OWASP Top 10 And Insecure Software Root Causes (20)

Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
Application security [appsec]
Application security [appsec]Application security [appsec]
Application security [appsec]
 
Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentation
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
Top Security Threats for .NET Developers
Top Security Threats for .NET DevelopersTop Security Threats for .NET Developers
Top Security Threats for .NET Developers
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
ieee
ieeeieee
ieee
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
Attques web
Attques webAttques web
Attques web
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure code
 

Plus de Marco Morana

Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco moranaMarco Morana
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfMarco Morana
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Marco Morana
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-finalMarco Morana
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Marco Morana
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Owasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalOwasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalMarco Morana
 
Security Summit Rome 2011
Security Summit Rome 2011Security Summit Rome 2011
Security Summit Rome 2011Marco Morana
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksMarco Morana
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Marco Morana
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksMarco Morana
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software securityMarco Morana
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementMarco Morana
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Owasp Forum Web Services Security
Owasp Forum Web Services SecurityOwasp Forum Web Services Security
Owasp Forum Web Services SecurityMarco Morana
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security FrameworksMarco Morana
 
Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Marco Morana
 
Progetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsProgetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsMarco Morana
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 

Plus de Marco Morana (20)

Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco morana
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdf
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-final
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Owasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalOwasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_final
 
Security Summit Rome 2011
Security Summit Rome 2011Security Summit Rome 2011
Security Summit Rome 2011
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware Attacks
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic Attacks
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software security
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk Management
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Owasp Forum Web Services Security
Owasp Forum Web Services SecurityOwasp Forum Web Services Security
Owasp Forum Web Services Security
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
 
Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'
 
Progetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsProgetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web Applications
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
 

Dernier

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 

Dernier (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

OWASP Top 10 And Insecure Software Root Causes

  • 1. Web Application Vulnerabilities and Insecure Software Root Causes: The OWASP Top 10 Cincinnati Chapter Meeting February 26 th , 2008 Marco Morana
  • 2.
  • 3.
  • 4. Focus on the root cause: Insecure software.. … and still keep a 360 degree perspective: People, Process and Tools
  • 5. Process perspective: Build Security in the SDLC
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11. Common Security Issues: 2007 T10 vs. 2004 T10 29 10. Insecure Configuration Management 17 9. Denial of Service 4, 8, and 10 5. Buffer Overflows 7 1. Unvalidated Input 14 2. Broken Access Control (split in 2007 T10) 10. Failure to Restrict URL Access 8 Discussed under 10 9. Insecure Communications (NEW) 8 8. Insecure Storage 8. Insecure Cryptographic Storage 14 3. Broken Authentication and Session Management 7. Broken Auth. and Session Management 6 7. Improper Error Handling 6. Info Leakage and Improper Error Handling 36 5. Cross Site Request Forgery (CSRF) (NEW) 5 2. Broken Access Control (split in 2007 T10) 4. Insecure Direct Object Reference 3 3. Insecure Remote File Include (NEW) 2 6. Injection Flaws 2. Injection Flaws 1 4. Cross Site Scripting (XSS) 1. Cross Site Scripting (XSS) MITRE 2006 Raw Ranking OWASP Top 10 2004 OWASP Top 10 2007
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17. A1: Cross Site Scripting -How to find the potential vulnerability
  • 18.
  • 19.
  • 20.
  • 21. A2: Injection Flaws –SQL Injection Attack Illustrated 3 Attacker sends data containing SQL fragments Attacker enters SQL fragments into a web page that uses input in a query 1 Attacker views unauthorized data Custom Code Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Database 2 Application sends modified query to database, which executes it
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32. A4: Insecure Direct Object Reference - How You Can Find If You Are Vulnerable
  • 33. A4: Insecure Direct Object Reference - How You Can Find If You Are Vulnerable
  • 34.
  • 35.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41. A6: Information Leakage and Improper Error Handling
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55.
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61. A9 Insecure Communication - How You Can Find If You Are Vulnerable
  • 62.
  • 63.
  • 64.
  • 65.
  • 66.