How to secure web applications with OWASP
Santosh Satam
Head-Technical Services MIEL
"No noble thing can be done without risks." (Michel De Montaigne)




                 © 2009 MIEL eSecurity Pvt Ltd
                          Confidential
Due care has been taken to make this Presentation as accurate as possible. Certain statements made in this presentation may not be based on
historical information or facts and may be “forward looking statements” and may be subject to risks and uncertainties that could cause actual results
to differ materially and adversely from those that may be projected by such forward looking statements.
MIEL makes no representation or warranties with respect to the contents hereof and shall not be responsible for any loss or damage caused to the
user by the direct or indirect use of this Presentation. MIEL may alter, modify or otherwise change in any manner the content hereof, without
obligation to notify any person of such revision or changes.
All company and product names are trademarks of the respective companies with which they are associated.


COPYRIGHT © 2009 MIEL e-Security Pvt. Ltd.
All rights reserved.




Softcopy Name: MIEL – OWASP Presentation – ISACA Sep 2009
Published Date: Sep 2009
Author: Santosh Satam




Agenda
• Introduction to Application Security
• OWASP Projects
• Way Forward




You have been appointed as Head of Application Security.
Your first task is to define a roadmap for application security...




You started digging into the maze of applications...




• COTS (Commercial Off-the-Shelf) Applications
• In-house Developed Applications
• Legacy Systems
• Interfaces to External Systems
• Support Applications
• Open Source Applications
• Applications Hosted in the Cloud (SaaS)

Even after two weeks you are still struggling …




Stakeholders in Application Security
• Top Management
• Auditors
• BU Heads
• IT/Network Admin
• Quality Assurance
• Project Managers
• Architects
• Developers

OWASP will help you !!




What is OWASP?

OWASP – Open Web Application Security Project

An open group focused on understanding and improving the security of web applications and web services!




Who is using OWASP?




SDLC is King




Requirements → Design → Development → Testing → Deployment




OWASP – Guides throughout SDLC




Requirements Phase
• Identify Security Requirements
• Identify Mis-use Cases
• Identify Attack Surface
• Identify Deployment Scenarios

OWASP METHODS AND TOOLS
Free Tools:
  * WebGoat Training Tool
Projects:
  * Web AppSec Guide



Requirements Phase – Define Security Requirement

| Business Requirement | Security Requirement |
|---|---|
| The application stores credit card data that must be protected. | Strong encryption should be used to protect the sensitive customer data. |
| The application transmits sensitive user information over the un-trusted network. | Communication channels must be encrypted. |
| The application must be available 24x7. | Mitigate denial of service attacks. |
| The application takes user input and uses SQL. | SQL injection should be mitigated by Input Validations. |
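As an added example (not from the slides), the last row of the table turned into code: the 'before' that concatenates user input into SQL, a hardened lookup that applies allow-list input validation plus a parameterized query, and a check a tester could run to confirm that the security requirement is met. The `users` table, the username pattern and the sample rows are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data (not from the original slides).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The 'before': user input is concatenated straight into the SQL text,
    so quote characters in the input change the meaning of the query."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


# Allow-list for usernames (assumed policy for this example): lowercase
# letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username):
    """The requirement's 'Input Validations' step: reject anything that is
    not a well-formed username before it reaches the database layer."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_hardened(conn, username):
    """Validation plus a parameterized query: the value is bound as data by
    the driver and is never parsed as part of the SQL statement."""
    username = validate_username(username)
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def check_requirement(conn, lookup):
    """Acceptance check for the requirement 'SQL injection should be
    mitigated': a lookup for a non-existent user carrying a quote and a
    tautology must return no rows (or be rejected outright)."""
    probe = "x' OR '1'='1"  # constructed test input; no such user exists
    try:
        return lookup(conn, probe) == []
    except ValueError:
        return True  # rejected by input validation: requirement met


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup meets requirement:", check_requirement(db, lookup_vulnerable))
    print("hardened lookup meets requirement:  ", check_requirement(db, lookup_hardened))
```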
Requirements Phase – Car Security Mis-use Case

Use case: Drive the Car
  threatened by mis-use case: Steal the Car
    mitigated by: Lock the Car
      threatened by mis-use case: Short the Ignition
        mitigated by: Lock the Transmission

Requirements Phase – Identify Attack Surface




Requirements Phase – Identify Deployment Scenarios

• Infrastructure Security
• Scalability
• Secure Communication
• Compliance




Design Phase
• Security Principles
• Threat Modeling

OWASP METHODS AND TOOLS
Free Tools:
  * WebGoat Training Tool
Projects:
  * Enterprise Security API (ESAPI)
  * AntiSamy (Java Project)
  * AntiSamy (.Net Project)




Design Phase – Security Principles




Design Phase – Threat Modeling

• Identify Assets
• Decompose Application
• Identify Threats and Vulnerabilities
• Document Threats
• Rate Threats
• Mitigate Threats




Design Phase – OWASP ESAPI




Development Phase
• Input Validations
• Output Handling
• Session Handling
• Error Handling
• Configuration Management
• Cryptography
• Secure Code Review

OWASP METHODS AND TOOLS
Free Tools:
  * WebScarab Proxy
  * ASP.NET Analyzers
Projects:
  * Web AppSec Guide
  * Code Review Project
  * AppSec Metrics




Testing Phase
• Manual Inspection
• Threat Modeling
• Code Review
• Penetration Testing

OWASP METHODS AND TOOLS
Free Tools:
  * LiveCD
Projects:
  * OWASP Top 10
  * Testing Project




OWASP Top 10

A1 – Cross Site Scripting (XSS)
A2 – Injection Flaws
A3 – Insecure Remote File Include
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A6 – Information Leakage and Improper Error Handling
A7 – Broken Authentication and Session Management
A8 – Insecure Cryptographic Storage
A9 – Insecure Communications
A10 – Failure to Restrict URL Access
Code Review
•   Code review helps to find vulnerabilities that may not be
    discoverable in a black-box/zero-knowledge testing scenario.
•   It covers the following areas:
    • Syntactical
    • Business logic
    • Infrastructure

OWASP – LiveCD Tools
1 OWASP WebScarab
2 OWASP WebGoat
3 OWASP CAL9000
4 OWASP JBroFuzz
5 Paros Proxy
6 nmap & Zenmap
7 Wireshark
8 tcpdump
9 Firefox 3
10 Burp Suite
11 Grendel-Scan
12 OWASP DirBuster
13 OWASP SQLiX
14 OWASP WSFuzzer
15 Metasploit 3
16 w3af & GTK GUI for w3af
17 Netcat collection
18 OWASP Wapiti
19 Nikto
20 Fierce Domain Scanner
21 Maltego CE
22 Httprint
23 SQLBrute
24 Spike Proxy
25 Rat Proxy
Deployment Phase
• System Hardening
• Power-on Sequence
• Secure Transmission
• Database Security

OWASP METHODS AND TOOLS
Free Tools:
  * LiveCD
Projects:
  * Web AppSec Guide
  * Testing Project




Summary

• Implement Application Security Practices in the Development Process
• Conduct Awareness Programs on Application Security
• Conduct Code Reviews
• Test, Test and Test each and every application before it is put into Production

"Prevention is always better than Cure"
Take a Systemic Approach




Useful Links

| Description | URL |
|---|---|
| Open Web Application Security Project (OWASP) | http://www.owasp.org |
| SANS | http://www.sans.org |
| CERT | http://www.cert.org |
| ISACA | http://www.isaca.org |
| Security Focus | http://www.securityfocus.com |
| Microsoft Security | http://microsoft.com/security/ |
| IBM | http://www-106.ibm.com/developerworks/linux/library/ |
| The Web Application Security Consortium (WASC) | http://www.webappsec.org/ |
| The Web Hacking Incidents Database | http://www.webappsec.org/projects/whid/ |

Application Security – Certifications
• CSSLP – Certified Secure Software Lifecycle Professional
  http://www.isc2.org/csslp/
• CSSLP CBK
  • Secure Software Concepts
  • Secure Software Requirements
  • Secure Software Design
  • Secure Software Implementation/Coding
  • Secure Software Testing
  • Software Acceptance
  • Software Deployment, Operations, Maintenance and Disposal
OWASP Application Security – Forthcoming Conference




Discussion

Santosh Satam
Head – Technical Services
CISA | CISM | CISSP | CSSLP

MIEL e-Security Pvt. Ltd.
E-mail: ssatam@mielesecurity.com





 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front Lines
 
Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!
 
分会场八云及虚拟环境安全防护
分会场八云及虚拟环境安全防护分会场八云及虚拟环境安全防护
分会场八云及虚拟环境安全防护
 
Oded Tsur - Ca Cloud Security
Oded Tsur - Ca Cloud SecurityOded Tsur - Ca Cloud Security
Oded Tsur - Ca Cloud Security
 
Security Principles for CEOs
Security Principles for CEOsSecurity Principles for CEOs
Security Principles for CEOs
 
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS SummitCarry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817   api management - enable your infrastructure for secure mobile and c...Con8817   api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...
 
Cisco tec chris young - security intelligence operations
Cisco tec   chris young - security intelligence operationsCisco tec   chris young - security intelligence operations
Cisco tec chris young - security intelligence operations
 
Appsecurity, win or loose
Appsecurity, win or looseAppsecurity, win or loose
Appsecurity, win or loose
 
Introducing IBM Cloud Security Enforcer, CASB, IDaaS and Threat Prevention
Introducing IBM Cloud Security Enforcer, CASB, IDaaS and Threat PreventionIntroducing IBM Cloud Security Enforcer, CASB, IDaaS and Threat Prevention
Introducing IBM Cloud Security Enforcer, CASB, IDaaS and Threat Prevention
 
Enabling Secure Use of Cloud Applications
Enabling Secure Use of Cloud ApplicationsEnabling Secure Use of Cloud Applications
Enabling Secure Use of Cloud Applications
 
Get to know infoSec - EEESE2014 presentation - Duko Team
Get to know infoSec - EEESE2014  presentation - Duko TeamGet to know infoSec - EEESE2014  presentation - Duko Team
Get to know infoSec - EEESE2014 presentation - Duko Team
 
Cloud securityperspectives cmg
Cloud securityperspectives cmgCloud securityperspectives cmg
Cloud securityperspectives cmg
 
Seguridad en la Nube
Seguridad en la NubeSeguridad en la Nube
Seguridad en la Nube
 
Presentation cloud security the grand challenge
Presentation   cloud security the grand challengePresentation   cloud security the grand challenge
Presentation cloud security the grand challenge
 
Nils Puhlmann Ncoic Slides
Nils Puhlmann Ncoic SlidesNils Puhlmann Ncoic Slides
Nils Puhlmann Ncoic Slides
 
Re-­Think Mobile… Beyond Mobile­‐First: Oracle Mobile Strategy and Overview
Re-­Think Mobile… Beyond Mobile­‐First: Oracle Mobile Strategy and OverviewRe-­Think Mobile… Beyond Mobile­‐First: Oracle Mobile Strategy and Overview
Re-­Think Mobile… Beyond Mobile­‐First: Oracle Mobile Strategy and Overview
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar |  Tips for Successful CASB ProjectsSymantec Webinar |  Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB Projects
 
Cloud Security: What you need to know about IBM SmartCloud Security
Cloud Security: What you need to know about IBM SmartCloud SecurityCloud Security: What you need to know about IBM SmartCloud Security
Cloud Security: What you need to know about IBM SmartCloud Security
 

Dernier

Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 

Dernier (20)

Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 

how to secure web applications with owasp - isaca sep 2009 - for distribution

  • 1. How to secure web applications with OWASP. Santosh Satam, Head-Technical Services, MIEL
  • 2. "No noble thing can be done without risks." Michel de Montaigne
  • 3. Due care has been taken to make this Presentation as accurate as possible. Certain statements made in this presentation may not be based on historical information or facts and may be "forward looking statements" and may be subject to risks and uncertainties that could cause actual results to differ materially and adversely from those that may be projected by such forward looking statements. MIEL makes no representation or warranties with respect to the contents hereof and shall not be responsible for any loss or damage caused to the user by the direct or indirect use of this Presentation. MIEL may alter, modify or otherwise change in any manner the content hereof, without obligation to notify any person of such revision or changes. All company and product names are trademarks of the respective companies with which they are associated. COPYRIGHT © 2009 MIEL e-Security Pvt. Ltd. All rights reserved. Softcopy Name: MIEL – OWASP Presentation – ISACA Sep 2009. Published Date: Sep 2009. Author: Santosh Satam.
  • 4. Agenda
    - Introduction to Application Security
    - OWASP Projects
    - Way Forward
  • 5. You have been appointed as Head of Application Security. Your first task is to define a roadmap for application security ..
  • 6. You started digging into the maze of applications ..
  • 7. Kinds of applications you find:
    - COTS (Commercial Off-the-Shelf) Applications
    - In-house Developed Applications
    - Legacy Systems
    - Interfaces to External Systems
    - Support Applications
    - Open Source Applications
    - Applications Hosted in the Cloud (SaaS)
  • 8. Even after two weeks you are still struggling …
  • 9. Stakeholders in Application Security
    - Top Management
    - Auditors
    - BU Heads
    - IT/Network Admin
    - Quality Assurance
    - Project Managers
    - Architects
    - Developers
  • 10. OWASP will help you !!
  • 11. What is OWASP? OWASP – Open Web Application Security Project. An open group focused on understanding and improving the security of web applications and web services!
  • 12. Who is using OWASP?
  • 13. SDLC is King: Requirements, Design, Development, Testing, Deployment
  • 14. OWASP – Guides throughout the SDLC
  • 15. Requirements Phase
    Methods:
    - Identify Security Requirements
    - Identify Mis-use Cases
    - Identify Attack Surface
    - Identify Deployment Scenarios
    OWASP Tools and Projects:
    - Free Tools: WebGoat Training Tool
    - Projects: Web AppSec Guide
  • 16. Requirements Phase – Define Security Requirements
    Business Requirement → Security Requirement
    - The application stores credit card data that must be protected. → Strong encryption should be used to protect the sensitive customer data.
    - The application transmits sensitive user information over the un-trusted network. → Communication channels must be encrypted.
    - The application must be available 24x7. → Mitigate denial of service attacks.
    - The application takes user input and uses SQL. → SQL injection should be mitigated by input validation.
  • 17. Requirements Phase – Car Security Mis-use Case
    - Use case: Drive the Car
    - Mis-use case "Steal the Car" threatens "Drive the Car"
    - "Lock the Car" mitigates "Steal the Car"
    - Mis-use case "Short the Ignition" threatens "Lock the Car"
    - "Lock the Transmission" mitigates "Short the Ignition"
  • 18. Requirements Phase – Identify Attack Surface (diagram)
  • 19. Requirements Phase – Identify Deployment Scenarios
    - Infrastructure Security
    - Scalability
    - Secure Communication
    - Compliance
  • 20. Design Phase
    Methods:
    - Security Principles
    - Threat Modeling
    OWASP Tools and Projects:
    - Free Tools: WebGoat Training Tool
    - Projects: Enterprise Security API (ESAPI); AntiSamy (Java Project); AntiSamy (.Net Project)
  • 21. Design Phase – Security Principles (diagram)
  • 22. Design Phase – Threat Modeling
    - Identify Assets
    - Decompose Application
    - Identify Threats and Vulnerabilities
    - Document Threats
    - Rate Threats
    - Mitigate Threats
  • 23. Design Phase – OWASP ESAPI (diagram)
  • 24. Development Phase
    Methods:
    - Input Validation
    - Output Handling
    - Session Handling
    - Error Handling
    - Configuration Management
    - Cryptography
    - Secure Code Review
    OWASP Tools and Projects:
    - Free Tools: WebScarab Proxy; ASP.NET Analyzers
    - Projects: Web AppSec Guide; Code Review Project; AppSec Metrics
  • 25. Testing Phase
    Methods:
    - Manual Inspection
    - Threat Modeling
    - Code Review
    - Penetration Testing
    OWASP Tools and Projects:
    - Free Tools: LiveCD
    - Projects: OWASP Top 10; Testing Project
  • 26. OWASP Top 10
    - A1 – Cross Site Scripting (XSS)
    - A2 – Injection Flaws
    - A3 – Insecure Remote File Include
    - A4 – Insecure Direct Object Reference
    - A5 – Cross Site Request Forgery (CSRF)
    - A6 – Information Leakage and Improper Error Handling
    - A7 – Broken Authentication and Session Management
    - A8 – Insecure Cryptographic Storage
    - A9 – Insecure Communications
    - A10 – Failure to Restrict URL Access
  • 27. Code Review
    - Code review helps to find vulnerabilities that may not be discoverable in a black-box/zero-knowledge testing scenario.
    - It covers the following areas: Syntactical, Business logic, Infrastructure
  • 28. OWASP – LiveCD Tools
    1 OWASP WebScarab; 2 OWASP WebGoat; 3 OWASP CAL9000; 4 OWASP JBroFuzz; 5 Paros Proxy; 6 nmap & Zenmap; 7 Wireshark; 8 tcpdump; 9 Firefox 3; 10 Burp Suite; 11 Grendel-Scan; 12 OWASP DirBuster; 13 OWASP SQLiX; 14 OWASP WSFuzzer; 15 Metasploit 3; 16 w3af & GTK GUI for w3af; 17 Netcats collection; 18 OWASP Wapiti; 19 Nikto; 20 Fierce Domain Scanner; 21 Maltego CE; 22 Httprint; 23 SQLBrute; 24 Spike Proxy; 25 Rat Proxy
  • 29. Deployment Phase
    Methods:
    - System Hardening
    - Power-on Sequence
    - Secure Transmission
    - Database Security
    OWASP Tools and Projects:
    - Free Tools: LiveCD
    - Projects: Web AppSec Guide; Testing Project
  • 30. Summary
    - Implement Application Security Practices in the Development Process
    - Conduct Awareness Programs on Application Security
    - Conduct Code Reviews
    - Test, Test and Test each and every application before it is put into Production
    "Prevention is always better than Cure"
  • 31. Take a Systemic Approach
  • 32. Useful Links
    - Open Web Application Security Project (OWASP): http://www.owasp.org
    - SANS: http://www.sans.org
    - CERT: http://www.cert.org
    - ISACA: http://www.isaca.org
    - Security Focus: http://www.securityfocus.com
    - Microsoft Security: http://microsoft.com/security/
    - IBM: http://www-106.ibm.com/developerworks/linux/library/
    - The Web Application Security Consortium (WASC): http://www.webappsec.org/
    - The Web Hacking Incidents Database: http://www.webappsec.org/projects/whid/
  • 33. Application Security – Certifications
    - CSSLP – Certified Secure Software Lifecycle Professional: http://www.isc2.org/csslp/
    - CSSLP CBK: Secure Software Concepts; Secure Software Requirements; Secure Software Design; Secure Software Implementation/Coding; Secure Software Testing; Software Acceptance; Software Deployment, Operations, Maintenance and Disposal
  • 34. OWASP Application Security – Forthcoming Conference
  • 35. Discussion. Santosh Satam, Head – Technical Services, CISA | CISM | CISSP | CSSLP, MIEL e-Security Pvt. Ltd. E-mail: ssatam@mielesecurity.com
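Slide 16 maps the business requirement "the application takes user input and uses SQL" to the security requirement "SQL injection mitigated by input validation", and slide 24 lists input validation among the development-phase controls. The following Python example is added here and is not code from the presentation or from OWASP: it puts the string-concatenated query beside a version with allow-list validation and a parameterized query, so the requirement can be checked against running code. The customers table, the test inputs and all function names are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data (not from the slides): a small customer table.
SAMPLE_ROWS = [
    (1, "alice", "4111-XXXX-XXXX-1111"),
    (2, "bob", "5500-XXXX-XXXX-0004"),
    (3, "carol", "3400-XXXX-XXXX-0009"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' case: user input is concatenated into the SQL text,
    so the input can change the structure of the query, not just its data."""
    sql = "SELECT id, username FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# Allow-list for usernames: letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username):
    """Input validation as required on slide 16: reject anything outside
    the allow-list instead of trying to strip 'bad' characters."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_parameterized(conn, username):
    """Parameterized query: the driver passes the value separately from
    the SQL text, so it is never parsed as SQL whatever it contains."""
    return conn.execute(
        "SELECT id, username FROM customers WHERE username = ?", (username,)
    ).fetchall()


def lookup_hardened(conn, username):
    """Defence in depth: validate first, then query with parameters."""
    return lookup_parameterized(conn, validate_username(username))


def demo():
    """Run both versions against a benign and a tautology input and
    return the row counts, so the difference is visible in one place."""
    conn = make_db()
    benign = "alice"
    # Constructed test probe: the classic tautology that turns the
    # WHERE clause of the concatenated query into 'always true'.
    hostile = "x' OR '1'='1"
    result = {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "parameterized_hostile": len(lookup_parameterized(conn, hostile)),
        "hardened_benign": len(lookup_hardened(conn, benign)),
    }
    try:
        lookup_hardened(conn, hostile)
        result["hardened_hostile"] = "accepted"
    except ValueError:
        result["hardened_hostile"] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query returns every customer for the tautology input, the parameterized query returns none because the whole string is compared as data, and the validating version rejects the input before it reaches the database at all.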