„OWASP Top Ten in Latvia“ by Agris Krusts from IT Centrs SIA at Security focused 64th DevClub.lv

•

0 j'aime•3,219 vues

Most common web security problems from OWASP Top 10 in Latvia in recent years and compare with similar statistics from couple of years ago. Presentation will include most common mobile application security problems. For some vulnerabilities there will be demos in test and live systems. Agris is founder of security consulting and pen-testing company IT Centrs, SIA and works in the the field for more than 10 years.

Technologie

OWASP Top Ten in Latvia
Most common web security problems
Agris Krusts, IT Centrs, SIA
2018

Who am I
• Agris Krusts, founder of IT Centrs, security consultant
• Managing pen-tes;ng engagements, pen-tests, security audits,
training
• E-mail: Agris.Krusts@itcentrs.lv
• TwiCer: @agris_krusts
• www.itcentrs.lv
© Agris Krusts, SIA IT Centrs, 2018 2

www.itcentrs.lv/ﬁles/devclub-2018.pdf
© Agris Krusts, SIA IT Centrs, 2018 3

Data source
• Pen-tests for last 2 - 3 years
• ~ 130 systems
• Usually test environments
• According to appropriate OWASP TesBng Guide v4 control
• Detailed staBsBcs shows only most "popular" problems
• Comparing to similar data from 2011 - 2014
© Agris Krusts, SIA IT Centrs, 2018 5

Excep&ons from OWASP Top 10 2017
• No stats for:
• A8:2017-Insecure Deserializa;on
• A10:2017-Insuﬃcient Logging & Monitoring
© Agris Krusts, SIA IT Centrs, 2018 6

Injec&ons
• Down from ~40% to less than 10%
• S6ll majority is SQLi (7)
• The rest: XML and code injec6ons
© Agris Krusts, SIA IT Centrs, 2018 7

Broken Authen,ca,on and session management
Vulnerable systems
Session ﬁxa+on 11%
Logout problems 15%
Session +meouts 13%
Bypassing authen+ca+on 18%
Problems in password reset 7%
Weak passwords 13%
© Agris Krusts, SIA IT Centrs, 2018 8

Broken Authen,ca,on and session management
• Session ﬁxa,on down from 30% to 11%
• Missing Secure and HttpOnly down from 44% to 5%
• S,ll some do not learn
© Agris Krusts, SIA IT Centrs, 2018 9

Sensi&ve Data Exposure
Systems
Browser caching 21%
SSL problems 31%
Sensi8ve informa8on over
HTTP
10%
© Agris Krusts, SIA IT Centrs, 2018 10

Sensi&ve Data Exposure
• SSL problems up from 27% to 31%
• Sensi7ve informa7on over HTTP down from 40% to 10%
© Agris Krusts, SIA IT Centrs, 2018 11

XML External En--es
• Separate category
• Only couple in Latvia
• Something like this ...
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/inetpub/secret.xml" >]>
<login>
<username>&xxe;</username>
</login>
© Agris Krusts, SIA IT Centrs, 2018 12

Broken Access Control
Systems
Directory traversal 1%
Bypassing authoriza7on 9%
Direct object reference 11%
© Agris Krusts, SIA IT Centrs, 2018 13

Broken Access Control
• Authoriza+on problems in general down from 40%
• Direct object reference down from 33% to 11%
© Agris Krusts, SIA IT Centrs, 2018 14

Security Misconﬁgura1on (most popular)
Systems
Pla$orm conﬁgura.on errors 17%
Old backups and unreferenced ﬁles
with sensi.ve informa.on
13%
Accessible admin interfaces 9%
No HSTS headers 26%
© Agris Krusts, SIA IT Centrs, 2018 15

Using Components with Known Vulnerabili6es
239 instances in 130 systems!
© Agris Krusts, SIA IT Centrs, 2018 16

Cross-site scrip,ng
Systems
Reﬂected XSS 21%
DOM XSS 7%
Stored XSS 18%
© Agris Krusts, SIA IT Centrs, 2018 17

Cross-site scrip,ng
• Down from 46% for dynamic and 36% for stored
• Less risk in dynamic because blocked by browsers
• Higher risk because of data may travel across many systems
© Agris Krusts, SIA IT Centrs, 2018 18

Summary
© Agris Krusts, SIA IT Centrs, 2018 21

Number of issues
A1: Injec*on 10
A2: Broken Authen*ca*on and session
management
134
A3 Sensi*ve Data Exposure 89
A4: XML External En**es 2
A5: Broken Access Control 27
A6: Security Misconﬁgura*on 97
A7: Cross-Site Scrip*ng 59
A9: Using Components with Known Vulnerabili*es 239
© Agris Krusts, SIA IT Centrs, 2018 22

• Web applica+ons are becoming more secure, at least some
• Frameworks help
• Some developers produce more secure code than others
• Old problems, if exit, are more diﬃcult to exploit
• More problems in "new" technologies
© Agris Krusts, SIA IT Centrs, 2018 23

Thank You!
Ques%on and answers!
Agris Krusts, @agris_krusts, +371 29151412, www.itcentrs.lv 24

Agris Krusts
SIA IT Centrs
E-mail: agris.krusts@itcentrs.lv
Phone: +371 29151412
Twi$er: @agris_krusts
www.itcentrs.lv
© Agris Krusts, SIA IT Centrs, 2018 25

Contenu connexe

Tendances

Nowadays in-stream data analysis takes an important role in modern research and development. Cerrera is a cloud-based data stream processing platform that lets analysts concentrate on solving their research problems but not the administrator’s or developer’s ones. Cerrera provides functionality to build stream processing workflow with pre-defined and user modules via Web interface, to run computations over stream and to export data or to get real time visualization. Cerrera is designed to be integrated with Microsoft Azure services (HDInsight, SQL, ML) and relies on modern cloud technologies.

Cerrera DINWC2015

Dmitry Kalashnikov

BDX 2016 - Kevin lyons & yakir buskilla @ eXelate

Ido Shilon

Introduction to Machine learning and Deep Learning

Nishan Aryal

This presentation focuses on the design and evolution of the LinkedIn recommendations platform. It currently computes more than 100 billion personalized recommendations every week, powering an ever growing assortment of products, including Jobs You May be Interested In, Groups You May Like, News Relevance, and Ad Targeting. We will describe how we leverage Hadoop to transform raw data to rich features using knowledge aggregated from LinkedIn's 100 million member base, how we use Lucene to do real-time recommendations, and how we marshal Lucene on Hadoop to bridge offline analysis with user-facing services.

Hadoop World 2011: LeveragIng Hadoop to Transform Raw Data to Rich Features a...

Cloudera, Inc.

Team2 final project_presentation

Nishtha Adroja

What is MLOps

Henrik Skogström

Microsoft Machine Learning Smackdown

Lynn Langit

Cnvrg webinar continual learning

Maya Perry

Thomas Jensen. Machine Learning

Volha Banadyseva

Tendances (9)

Cerrera DINWC2015

BDX 2016 - Kevin lyons & yakir buskilla @ eXelate

Introduction to Machine learning and Deep Learning

Hadoop World 2011: LeveragIng Hadoop to Transform Raw Data to Rich Features a...

Team2 final project_presentation

What is MLOps

Microsoft Machine Learning Smackdown

Cnvrg webinar continual learning

Thomas Jensen. Machine Learning

Similaire à „OWASP Top Ten in Latvia“ by Agris Krusts from IT Centrs SIA at Security focused 64th DevClub.lv

UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT

Ulf Mattsson

Security Architecture Best Practices for SaaS Applications

Techcello

Cisco Connect 2018 Indonesia - Building a secure data center

NetworkCollaborators

The Big Data Ecosystem for Financial Services

DataStax

[Cisco Connect 2018 - Vietnam] Anh duc le building a secure data center

Nur Shiqim Chok

Cisco Connect 2018 Vietnam - building a secure data center

NetworkCollaborators

Cisco connect winnipeg 2018 introducing the network intuitive

Cisco Canada

Security architecture best practices for saas applications

kanimozhin

Network infrastructure teams connect. Information security teams lock it down. Their missions are fundamentally opposed, but digital enterprises are increasingly demanding that network operations and security operations teams work together. These slides--based on the webinar featuring Shamus McGillicuddy, senior analyst at leading IT analyst firm Enterprise Management Associates (EMA), and Jon Kies, manager of network management product marketing at Micro Focus--examine how enterprises are aligning NetOps and SecOps.

NetSecOps: Everything Network Managers Must Know About Collaborating with Sec...

Enterprise Management Associates

EAS-SEC Project

ERPScan

Track 1 Session 6_建立安全高效的資料分析平台加速金融創新_HC+EMQ Cliff(已檢核,上下無黑邊).pptx

Amazon Web Services

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków

PROIDEA

https://www.brighttalk.com/webcast/14723/234829?utm_source=Compliance+Engineering&utm_medium=brighttalk&utm_campaign=234829 : With cyber attacks on the rise, securing your data is more imperative than ever. In future, organizations will face severe penalties if their data isn’t robustly secured. This will have a far reaching impact for how businesses deal with security in terms of managing their cyber risk. Join this presentation to learn the cyber security controls prescribed by regulation, how this impacts compliance, and how cyber risk management helps CISOs understand the degree these controls are in place and where to prioritize their cyber dollars and ensure they are not at risk for fines. Viewers will learn: - The latest cybercrime trends and targets - Trends in board involvement in cybersecurity - How to effectively manage the full range of enterprise risks - How to protect against ransomware - Visibility into third party risk - Data security metrics

Cyber Risk Management in 2017: Challenges & Recommendations

Ulf Mattsson

Content is King - Symantec

Harry Gunns

MySQL Enterprise Transparent Data Encryption (TDE) protects your critical data by enabling data-at-rest encryption in the database. It protects the privacy of your information, prevents data breaches and helps meet regulatory requirements including the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and numerous others. MySQL Enterprise Audit provides an easy to use, policy-based auditing solution that helps organizations implement stronger security controls and satisfy regulatory compliance. As more sensitive data is collected, stored and used online, database auditing becomes an essential component of any security strategy. To guard against the misuse of information, popular compliance regulations including HIPAA, Sarbanes-Oxley, and the PCI Data Security Standard require organizations to track access to information. MySQL Enterprise Firewall guards against cyber security threats by providing real-time protection against database specific attacks. Any application that has user-supplied input, such as login and personal information fields is at risk. Database attacks don't just come from applications. Data breaches can come from many sources including SQL virus attacks or from employee misuse. Successful attacks can quickly steal millions of customer records containing personal information, credit card, financial, healthcare or other valuable data. MySQL Enterprise Masking and De-identification provides an easy to use, built-in database solution to help organizations protect sensitive data from unauthorized uses by hiding and replacing real values with substitutes. MySQL Enterprise Edition provides ready to use external authentication modules to easily integrate existing security infrastructures, including Linux Pluggable Authentication Modules (PAM) and Windows Active Directory.

MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements

Olivier DASINI

Enterprise Data Protection - Understanding Your Options and Strategies

Ulf Mattsson

[Webinar Slides] Data Explosion in Your Organization? Harness It with a Compr...

AIIM International

This talk gives a technical and innovative overview of how companies can face the challenge of protecting the data and services that are in their data-centric platform, focusing on three main aspects: implementing network segmentation, managing AAA and securing data processing. https://www.bigdataspain.org/2017/talk/big-data-security-facing-the-challenge Big Data Spain 2017 16th - 17th November Kinépolis Madrid

Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017

Big Data Spain

Monitoring Multi-Cloud Performance

ThousandEyes

Cisco Connect Toronto 2018 an introduction to Cisco kinetic

Cisco Canada

Similaire à „OWASP Top Ten in Latvia“ by Agris Krusts from IT Centrs SIA at Security focused 64th DevClub.lv (20)

UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT

Security Architecture Best Practices for SaaS Applications

Cisco Connect 2018 Indonesia - Building a secure data center

The Big Data Ecosystem for Financial Services

[Cisco Connect 2018 - Vietnam] Anh duc le building a secure data center

Cisco Connect 2018 Vietnam - building a secure data center

Cisco connect winnipeg 2018 introducing the network intuitive

Security architecture best practices for saas applications

NetSecOps: Everything Network Managers Must Know About Collaborating with Sec...

EAS-SEC Project

Track 1 Session 6_建立安全高效的資料分析平台加速金融創新_HC+EMQ Cliff(已檢核,上下無黑邊).pptx

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków

Cyber Risk Management in 2017: Challenges & Recommendations

Content is King - Symantec

MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements

Enterprise Data Protection - Understanding Your Options and Strategies

[Webinar Slides] Data Explosion in Your Organization? Harness It with a Compr...

Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017

Monitoring Multi-Cloud Performance

Cisco Connect Toronto 2018 an introduction to Cisco kinetic

Plus de DevClub_lv

Fine-tuning Large Language Models by Dmitry Balabka

DevClub_lv

It is a talk regarding how AWS is utilized to manage around 200 services, 4+ million users and 20+ teams in Posti Group. The speaker will demonstrate how Posti is maintaining and controlling the ‘Infrastructure side’ of a variety of different cross-functional teams, with a unified approach. The presentation will focus on the approach, tools and tech with some concrete examples. It should be fairly comprehendible even for non-hands on IT professionals, however aimed at Software engineers, Infra and DevOps engineers and IT leaders.

"Infrastructure and AWS at Scale: The story of Posti" by Goran Gjorgievski @ ...

DevClub_lv

Erik Kaju from Wise will give a talk “From 50 to 500 product engineers – data-driven approach to building impactful and efficient product teams”. Product engineering is data-driven. It is best to avoid personal opinions and back actions with data. Sharing data transparently and making it broadly accessible within the whole company helps to scale and build faster. Data-driven practices are useful beyond just product development. Over the years, we have been systematic and methodological in how we scale the company and track its health. This is a story of Wise growing from a regular-sized with 50 engineers to one with 500. While our headcount has grown tenfold, the speed of our releasing and ability to deliver complex projects has risen significantly. It is crucial for the scale-up to not slow down. And that is only possible with effective and unhampered teams. Join Erik for fresh insights that will inspire you to grow your teams, track their health and experiment with team metrics. (Language – English) Erik is Director of Engineering at Wise.

From 50 to 500 product engineers – data-driven approach to building impactful...

DevClub_lv

Why is it so complex to accept a payment? by Dmitry Buzdin from A-Heads Consu...

DevClub_lv

Jurijs Čudnovskis from “Craftsmans Passion” will give a talk “Do we need DDD?“. While helping to build and scale multiple IT companies and during tons of interviews I’ve seen a lot of misunderstanding of Domain Driven Design. I would like to share with you my experience based point of view on why and how DDD can help you and your company to build better, more flexible and scalable software and solve real business needs. The talk will be not so much about technical aspect of DDD, but about core ideas behind with some real world examples. :) (Language – English) For more than 10 years Jurijs is helping multiple organizations to build their products and grow their companies. His passion is to find easiest solution for complex business problems and build excelent business oriented IT teams.

Do we need DDD? by Jurijs Čudnovskis from “Craftsmans Passion” at Fintech foc...

DevClub_lv

Erwin Staal from 4DotNet will share experience on “Network security with Azure PaaS services“. He will share some of the things he learned while implementing network security at his current client. We will start with a short introduction to the basics of networking in Azure. He will present to you some best practices and tell you about some of the limitations you need to know before getting started. We will talk about how you for example can lock-down your API or SQL-server. To do that we will use relatively new Azure offerings like Service endpoints, Private endpoints, and VPN connections. Erwin is a .NET Software Engineer and DevOps Consultant at 4DotNet. He’s helping clients with ASP.NET Core, Docker and Kubernetes and as a DevOps Consultant he helps companies with the implementation of DevOps and Continuous Delivery.

Network security with Azure PaaS services by Erwin Staal from 4DotNet at Azur...

DevClub_lv

Jan de Vries from 4DotNet will share experience on “Using Azure Managed Identities for your App Services“. He will show you what needs to be set up in your application and AAD to get you started. When everything is set up correctly you can manage the access to all of your API’s via Azure Active Directory and even restrict access to specific endpoints if you want. You’ll leave this session knowing how to set up your services by using the built-in capabilities of Azure and make your complete environment more secure and easy to manage. Jan is a Cloud Solution Architect at 4DotNet (Netherlands). His main focus is on developing highly performant and scalable solutions using the awesome services provided by the Microsoft Azure platform. Because of his expertise, he has been able to help out multiple customers to bring their on-premise solution to the cloud and guide them towards a better software development ecosystem.

Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...

DevClub_lv

SRE (service reliability engineer) on big DevOps platform running on the clou...

DevClub_lv

In this talk, we will discuss what is IOT, what is the market and growth of IOT, security in IOT, and factor for the growth of IOT, how the invention of eSIM giving a boost in IOT, and need of cloud and steps for the codification of IOT with Azure. (Language – English) Narendra is a Technical Architect at Cognizant, other than coding his hobbies includes Travelling, reading technical books & watching thriller/sci-fi series.

Emergence of IOT & Cloud – Azure by Narendra Sharma at Cloud focused 76th Dev...

DevClub_lv

Maintaining multiple code bases for the same application is often a pain in the neck for mobile developers. In the recent years, different frameworks have appeared in the market that aim to reduce the workload of developers by offering them a write-once-run-everywhere approach. In this session, Wei-Meng will take a quick look at the different frameworks available – Xamarin, React Native, and Flutter. He will focus on using Flutter and see how it makes your life as a mobile developer easier. (Language – English) Wei-Meng Lee is a technologist and founder of Developer Learning Solutions (http://www.learn2develop.net).

Cross Platform Mobile Development using Flutter by Wei Meng Lee at Mobile foc...

DevClub_lv

Change is inevitable. So is legacy. And too often, we as developers (who love to solve problems by coding) fall into the trap of believing the only way to fix it is by rewriting everything again and again. But how can we design an application architecture that is more resilient to change in the first place? How can we defend against entropy in a system where people are pushing changes every day? In this talk we’ll define what architecture means for the frontend, dispel some commonly-held myths, and look at specific tools and techniques on a scale from micro to macro that you can use today to keep your app from turning into that infamous ball of mud.

Building resilient frontend architecture by Monica Lent at FrontCon 2019

DevClub_lv

JavaScript can be a passive-aggressive and fickle language that can frustrate you at every turn. It lets you do things like declare variables anywhere, but doesn’t tell you that it will hoist them while you’re not looking. Learn how JavaScript organizes data by using key-based dictionaries and how it handles functions behind the scenes. Additionally, you'll learn how JavaScript uses arrow functions, closures, prototypes and inheritance, equality, and more. In this session, you'll learn little known facts about JavaScript, as well as frequently experienced JavaScript headaches and mistakes, and ways to avoid them. Learn these key facets of JavaScript and take your knowledge to the next level!

Things that every JavaScript developer should know by Rachel Appel at FrontCo...

DevClub_lv

Front-end developers have grown accustomed to protecting themselves from attackers seeking to exploit vectors such as cross-site scripting and malicious input, but the prevalence of reusable micro-libraries in the Node.js ecosystem makes JavaScript developers particularly susceptible to software supply chain attacks. In this session Mitch will share his perspective on helping to protect Microsoft and its customers from these supply chain attacks and what it is like being the vendor of an artifact management service which often plays the middleman between target and victim. Learn how Microsoft tackles the problem of securely taking dependencies on open source software and what problems scanning tools can and can’t solve and thoughts on how we as an industry could start to tackle the problem for 0-day malicious packages.

In the Trenches During a Software Supply Chain Attack by Mitch Denny at Front...

DevClub_lv

Software Decision Making in Terms of Uncertainty by Ziv Levy at FrontCon 2019

DevClub_lv

V8 is complicated. Things change way too fast and it’s really hard to keep track of what’s the fastest way of doing every specific action. But not anymore. Join me, a V8 contributor, on a journey through the compilation pipeline of V8 and understand how it all works under the hood. We’ll take the example of a popular JavaScript builtin method and find that what does and does not trigger de-optimization. By the end of the talk, you will have a fairly decent idea of how builtins are written inside the V8 compilation pipeline, and how to make sure you always take the fast path, no matter what.

V8 by example: A journey through the compilation pipeline by Ujjwas Sharma at...

DevClub_lv

The main topic of this talk is a short introduction to Storybook.js, JavaScript library that allows us to create independent and interactive UX components from already existing ones, developed in frameworks such as Angular, React or Vue. Reusing the components, we create an isolated environment that can be shared within the organization and enable a collaboration between designers and developers on a whole new level. Different use-cases will be described using Angular as a framework of choice with practical examples.

Bridging the gap between UX and development - A Storybook by Marko Letic at F...

DevClub_lv

This talk will cover the whole UX development process and many choices that we as a team did, to get where we are now. When you think about frontend, it’s not just a developers who writes Javascript. If you want to make it right, you need UX researchers, UX designers, UI designers, Visual Designers, Technical writers and, of course, UX developers. I would like to talk about each roll in short and how they help and why you should have all of them to achieve best results. After that I want to go into more technical details on why EmberJs (its not so trendy, right?). How we work with ES6 and why we see future in Typescript. I will structure a talk in terms of a “technical challenge – pros/cons – why we’ve chose A and not B”. For example: We have 16 applications internal and external. Why we have them separate and not a single app. We had ~8-10 internal packages and we’ve merged them into 2. Why we’ve did that and why benefits out-weighted cons? Also, from the talk point, I want to start with a real Cybersecurity case and how how it gets solved

Case-study: Frontend in Cybersecurity by Ruslan Zavacky by FrontCon 2019

DevClub_lv

Page load times can influence conversion rates and store profitability a lot. PWA is a magic keyword that can deliver fast page load times and happy customers that buy a lot. PWA was coming to Magento, there were several competing solutions, but we wanted to be the best and stand out. Being the most certified Magento agency in the world Scandiweb wanted to make something that is both compatible with default Magneto, but also easier to use and faster. So this is a story of looking at competitors and finding our niche as well as building on experience gained by creating solutions for the world’s top brands. The talk will share approaches investigated and selected and look into tips and tricks used to get out most of React, Webpack, Mobx and other cool frontend tools. There is also some GraphQl and aspects of integration with Magento.

Building next generation PWA e-commerce frontend by Raivis Dejus at FrontCon ...

DevClub_lv

Parcel – your next web application bundler? by Janis Koselevs at FrontCon 2019

DevClub_lv

Redux is one of the most popular technologies for the management of shared state across entire React applications, which can be complemented by Redux Observable to describe asynchronous side effects with RxJS. This approach, however, adds cognitive load when balancing the varying concepts across these three libraries. What if we could use RxJS exclusively for managing state in our React apps? This talk will demonstrate this possibility and the benefits it provides.

Managing State in React Apps with RxJS by James Wright at FrontCon 2019

DevClub_lv

Plus de DevClub_lv (20)