SlideShare une entreprise Scribd logo

2014 09-04-pj

Sébastien GIORIA
Sébastien GIORIA

This document summarizes a presentation given by Sébastien Gioria on application security. The presentation provided an overview of the current state of application security, described the Open Web Application Security Project (OWASP) including its mission and resources, and highlighted several OWASP projects that developers can use to help secure applications. It also listed upcoming security events in France and ways to support OWASP.

Internet
1  sur  34
Télécharger pour lire hors ligne
TechItDays 2014 Séminaire DT Solocal 2014 4th September 2014 OWASP, the Life,the Universe Sébas&en Gioria Sebas8en.Gioria@owasp.org Chapter Leader & Evangelist OWASP France
2 http://www.google.fr/#q=sebastien gioria ‣ Innovation and Technology @Advens && Application Security Expert ‣ OWASP France Leader & Founder & Evangelist, ‣ OWASP ISO Project & OWASP SonarQube Project Leader ‣ Application Security group leader for the CLUSIF ‣ Proud father of youngs kids trying to hack my digital life. Twitter :@SPoint/@OWASP_France 2
Agenda • Applica8on Security : – where we are (no bullshit) – where we are (hopefully) going ? • Open Web Applica8on Security Project ? • Major projects you can use 3
Why Applica8on Security ? Your Application has been Hacked Let Me take you on the right way 4 4 My Application will be hacked ! Your Application will be Hacked ;) YES NO NO YES Next Step
SQL in Java 5 http://stackoverflow.com/questions/9123084/how-to-execute-a-sql-statement-with-a-variable-as-where" ResultSet rs = stmd.executeQuery("select * from person where uid = "+ userid);" while (rs.next()) { " "System.out.println("Name= " + rs.getString(1));" }
6 http://www.advens.fr/blog/les-injections-sql-dans-les-applications-web-pourquoi-navancons-nous-pas"
Game Over.... • Did you develop Web Site? • Did you develop embeded products ? • Did you develop smartphone applica8ons ? • Did you have customers / partners over Internet ? 7
We are living in a Digital environment, in a Connected World v Most of websites vulnerable to a[acks v Important % of web-­‐based Business (Services, Online Store, Self-­‐care, Telcos, SCADA, ...) Why Applica8on Security ? Age of An8virus Age of Network Security Age of Applica8on Security 8
9 (c) Verizon 2014
Who win ? 10 (c) WhiteHatSecurity 2013"
Vulnerabili8es ? 11 (c) WhiteHatSecurity 2013
Anything else ? 12
What is OWASP Mission Driven Nonprofit | World Wide | Unbiased OWASP does not endorse or recommend commercial products or services 13
What is OWASP Community Driven 30,000 Mail List Par8cipants 200 Ac8ve Chapters in 70 countries 1600+ Members, 56 Corporate Supporters 69 Academic Supporters 14
Around the World 200 Chapters, 1 600+ Members, 20 000+ Builders, Breakers and Defenders 15
What is OWASP Quality Resources 200+ Projects 15,000+ downloads of tools, documenta8on 250,000+ unique visitors 800,000+ page views (monthly) 16
Quality Resources Documenta&on Code Tools 50% 10% 40% 17
Security Lifecycle 18
Security Resources 19
NEWS A BLOG A PODCAST MEMBERSHIPS MAILING LISTS A NEWSLETTER APPLE APP STORE VIDEO TUTORIALS TRAINING SESSIONS SOCIAL NETWORKING 20
OWASP Projects 21
OWASP Top10 2013 22 A1: Injec&on A2: Viola&on de Ges&on d’authen&fica&on et de session A3: Cross Site Scrip&ng (XSS) A4:Référence directe non sécurisée à un objet A5: Mauvaise configura&on sécurité A6 : Exposi&on de données sensibles A8: Cross Site Request Forgery (CSRF) A7: Manque de contrôle d’accès fonc&onnel A10: Redirec&ons et transferts non validés A9: U&lisa&on de composants avec des vulnérabilités connues ex-­‐A9(transport non sécurisé) + A7(Stockage crypto)
Cheat Sheets Developer Cheat Sheets § PHP Security Cheat Sheet § OWASP Top Ten Cheat Sheet § Authen8ca8on Cheat Sheet § Cross-­‐Site Request Forgery (CSRF) Preven&on Cheat Sheet § Cryptographic Storage Cheat Sheet § Input Valida8on Cheat Sheet § XSS (Cross Site Scrip&ng) Preven&on Cheat Sheet § DOM based XSS Preven8on Cheat Sheet § Forgot Password Cheat Sheet § Query Parameteriza&on Cheat Sheet § SQL Injec&on Preven&on Cheat Sheet § Session Management Cheat Sheet § HTML5 Security Cheat Sheet § Transport Layer Protec8on Cheat Sheet § Web Service Security Cheat Sheet § Logging Cheat Sheet § JAAS Cheat Sheet Mobile Cheat Sheets § IOS Developer Cheat Sheet § Mobile Jailbreaking Cheat Sheet Dran Cheat Sheets § Access Control Cheat Sheet § REST Security Cheat Sheet § Abridged XSS Preven8on Cheat Sheet § Password Storage Cheat Sheet § Secure Coding Cheat Sheet § Threat Modeling Cheat Sheet § Clickjacking Cheat Sheet § Virtual Patching Cheat Sheet § Secure SDLC Cheat Sheet § Web Applica8on Security Tes8ng Cheat Sheet § Applica8on Security Architecture Cheat Sheet 23
Project Leader: Enterprise Security API Chris Schmidt, Chris.Schmidt@owasp.org Purpose: A free, open source, web applica8on security control library that makes it easier for programmers to write lower-­‐risk applica8ons h[ps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API 24
Java HTML Sani8zer, Java Encoder Project Leader: Mike Samuel Mike.samuel@owasp.org Purpose: The OWASP HTML Sani8zer is a fast and easy to configure HTML Sani8zer wri[en in Java which lets you include HTML authored by third-­‐par&es in your web applica&on while protec8ng against XSS. h[ps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API Project Leader: Jeff Ichnowski Purpose: The OWASP Java Encoder is a Java 1.5+ simple-­‐to-­‐use drop-­‐in high-­‐ performance encoder class with no dependencies and li[le baggage. This project will help Java web developers defend against Cross Site Scrip8ng! h[ps://www.owasp.org/index.php/OWASP_Java_Encoder_Project
Java Encoder Project Project Leader: Mike Samuel Mike.samuel@owasp.org Purpose: The OWASP Java Encoder is a Java 1.5+ simple-­‐to-­‐use drop-­‐in high-­‐ performance encoder class with no dependencies and li[le baggage. This project will help Java web developers defend against Cross Site Scrip8ng! h[ps://www.owasp.org/index.php/OWASP_Java_Encoder_Project
OWASP Top10 Mobile project
OWASP IoT Project • The OWASP Internet of Things Top 10 -­‐ 2014 is as follows: • I1 Insecure Web Interface • I2 Insufficient Authen8ca8on/Authoriza8on • I3 Insecure Network Services • I4 Lack of Transport Encryp8on • I5 Privacy Concerns • I6 Insecure Cloud Interface • I7 Insecure Mobile Interface • I8 Insufficient Security Configurability • I9 Insecure Sonware/Firmware • I10 Poor Physical Security
Development Guide: Guides comprehensive manual for designing, developing and deploying secure Web Applica8ons and Web Services Code Review Guide: mechanics of reviewing code for certain vulnerabili8es & valida8on of proper security controls Tes&ng Guide: understand the what, why, when, where, and how of tes8ng web applica8ons Applica&on Security Verifica&on Standard (ASVS): comprehensive manual for designing, verify the security of an applica8on h[ps://www.owasp.org/index.php/Category:OWASP_Guide_Project h[ps://www.owasp.org/index.php/Category:OWASP_Code_Review_Project h[ps://www.owasp.org/index.php/Category:OWASP_Tes8ng_Project h[ps://www.owasp.org/index.php/Category:OWASP_Applica8on_Security_Verifica8on_Standard_Project 29
Zed A[ack Proxy Project Leader: Simon Benne[s (aka Psiinon), psiinon@gmail.com Purpose: The Zed A[ack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabili8es manually in web applica8ons. Last Release: ZAP 2.3.1 (21 May 2014) h[ps://www.owasp.org/index.php/OWASP_Zed_A[ack_Proxy_Project 30
The OWASP Secure Sonware Contract Annex Intended to help sonware developers and their clients nego8ate important contractual terms and condi8ons related to the security of the sonware to be developed or delivered. CONTEXT: Most contracts are silent on these issues, and the par8es frequently have drama8cally different views on what has actually been agreed to. OBJECTIVE: Clearly define these terms is the best way to ensure that both par8es can make informed decisions about how to proceed. h[ps://www.owasp.org/index.php/OWASP_Secure_Sonware_Contract_Annex 31
Dates • 11 Septembre 2014 – OWASP France Mee8ng Paris @Mozilla Office – Programme : – 18h30 : Ouverture des portes – 19h : Welcome by OWASP France et Mozilla – 19h15 : SonarQube pour la sécurité par Sébas8en Gioria (OWASP France) – 19h45 : Warning Ahead: Security Storms are Brewing in Your JavaScript -­‐ Par Laurent Levi (Checkmarx) -­‐ En Francais – 20h15 : OWASP News && Closing par Sébas8en Gioria (OWASP France) – 20h30 : Networking hkp://www.eventbrite.fr/e/billets-­‐owasp-­‐france-­‐mee&ng-­‐septembre-­‐2014-­‐12738480137 • Applica8on Security Forum Western Switzerland – Yverdon les Bains – 4/6 Novembre 2014 – h[p://www.appsec-­‐forum.ch/ • Club 27001 /Paris -­‐ 25 Septembre 2014 – Présenta8on de la norme ISO 27034 32
Soutenir l’OWASP • Différentes solu8ons : – Membre Individuel : 50 $ – Membre Entreprise : 5000 $ – Dona8on Libre • Soutenir uniquement le chapitre France : – Single Mee8ng supporter • Nous offrir une salle de mee8ng ! • Par8ciper par un talk ou autre ! • Dona8on simple – Local Chapter supporter : • 500 $ à 2000 $ 33
License 34 @SPoint sebas8en.gioria@owasp.org

Recommandé

CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014
Sebastien Gioria
 
OWASP, PHP, life and universe
OWASP, PHP, life and universeOWASP, PHP, life and universe
OWASP, PHP, life and universe
Sebastien Gioria
 
Owasp Serbia overview
Owasp Serbia overviewOwasp Serbia overview
Owasp Serbia overview
Nikola Milosevic
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
POSSCON
 
42 minutes to secure your code....
42 minutes to secure your code....42 minutes to secure your code....
42 minutes to secure your code....
Sebastien Gioria
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
DefCamp
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017
malvvv
 

Recommandé

CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014
Sebastien Gioria
 
OWASP, PHP, life and universe
OWASP, PHP, life and universeOWASP, PHP, life and universe
OWASP, PHP, life and universe
Sebastien Gioria
 
Owasp Serbia overview
Owasp Serbia overviewOwasp Serbia overview
Owasp Serbia overview
Nikola Milosevic
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
POSSCON
 
42 minutes to secure your code....
42 minutes to secure your code....42 minutes to secure your code....
42 minutes to secure your code....
Sebastien Gioria
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
DefCamp
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017
malvvv
 
Running a High-Efficiency, High-Visibility Application Security Program with...
Running a High-Efficiency, High-Visibility Application Security Program with...Running a High-Efficiency, High-Visibility Application Security Program with...
Running a High-Efficiency, High-Visibility Application Security Program with...
Denim Group
 
Découvrez le Rugged DevOps
Découvrez le Rugged DevOpsDécouvrez le Rugged DevOps
Découvrez le Rugged DevOps
Talent Agile @ Avanade
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFix
Denim Group
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOp
James Wickett
 
DevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just SecurityDevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just Security
Kevin Fealey
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Sherif Koussa
 
Matteo Meucci Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017Matteo Meucci Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017
Minded Security
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
Priyanka Aash
 
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
Denim Group
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
James Wickett
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP
 
Athens Owasp workshop Athens Digital Week 2010
Athens Owasp workshop Athens Digital Week 2010Athens Owasp workshop Athens Digital Week 2010
Athens Owasp workshop Athens Digital Week 2010
Poulopoulos Ioannis
 
A worldwide journey to build a secure development environment
A worldwide journey to build a secure development environmentA worldwide journey to build a secure development environment
A worldwide journey to build a secure development environment
Priyanka Aash
 
DevSecOps: Finding the Adversaries in our Midst
DevSecOps: Finding the Adversaries in our MidstDevSecOps: Finding the Adversaries in our Midst
DevSecOps: Finding the Adversaries in our Midst
DevOps.com
 
DevSecOps and the New Path Forward
DevSecOps and the New Path ForwardDevSecOps and the New Path Forward
DevSecOps and the New Path Forward
James Wickett
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Websec México, S.C.
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
Continuous Security Testing
Continuous Security TestingContinuous Security Testing
Continuous Security Testing
Ray Lai
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Ludovic Petit
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
OWASP Russia
 

Contenu connexe

Tendances

Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFix
Denim Group
 
DevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just SecurityDevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just Security
Kevin Fealey
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Sherif Koussa
 
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
Denim Group
 
DevSecOps: Finding the Adversaries in our Midst
DevSecOps: Finding the Adversaries in our MidstDevSecOps: Finding the Adversaries in our Midst
DevSecOps: Finding the Adversaries in our Midst
DevOps.com
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Websec México, S.C.
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 

Tendances (20)

Running a High-Efficiency, High-Visibility Application Security Program with...
Running a High-Efficiency, High-Visibility Application Security Program with...Running a High-Efficiency, High-Visibility Application Security Program with...
Running a High-Efficiency, High-Visibility Application Security Program with...
 
Découvrez le Rugged DevOps
Découvrez le Rugged DevOpsDécouvrez le Rugged DevOps
Découvrez le Rugged DevOps
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFix
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOp
 
DevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just SecurityDevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just Security
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
 
Matteo Meucci Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017Matteo Meucci Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
 
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
 
Athens Owasp workshop Athens Digital Week 2010
Athens Owasp workshop Athens Digital Week 2010Athens Owasp workshop Athens Digital Week 2010
Athens Owasp workshop Athens Digital Week 2010
 
A worldwide journey to build a secure development environment
A worldwide journey to build a secure development environmentA worldwide journey to build a secure development environment
A worldwide journey to build a secure development environment
 
DevSecOps: Finding the Adversaries in our Midst
DevSecOps: Finding the Adversaries in our MidstDevSecOps: Finding the Adversaries in our Midst
DevSecOps: Finding the Adversaries in our Midst
 
DevSecOps and the New Path Forward
DevSecOps and the New Path ForwardDevSecOps and the New Path Forward
DevSecOps and the New Path Forward
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 
Continuous Security Testing
Continuous Security TestingContinuous Security Testing
Continuous Security Testing
 

Similaire à 2014 09-04-pj

[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
OWASP Russia
 
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
Sébastien GIORIA
 
OWASP, the life and the universe
OWASP, the life and the universeOWASP, the life and the universe
OWASP, the life and the universe
Sébastien GIORIA
 
Chirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita ionel owasp europe tour
Chirita ionel owasp europe tour
Chirita Ionel
 
2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch
Sébastien GIORIA
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
gerardkortney
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Aryan G
 

Similaire à 2014 09-04-pj (20)

Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
 
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014
 
OWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de NoelOWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de Noel
 
OWASP, the life and the universe
OWASP, the life and the universeOWASP, the life and the universe
OWASP, the life and the universe
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Chirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita ionel owasp europe tour
Chirita ionel owasp europe tour
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
 
Secure Coding for Java - An introduction
Secure Coding for Java - An introductionSecure Coding for Java - An introduction
Secure Coding for Java - An introduction
 
2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...
Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...
Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Owasp top 10_-_2013
Owasp top 10_-_2013Owasp top 10_-_2013
Owasp top 10_-_2013
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Owasp top 10 2017 (en)
Owasp top 10 2017 (en)Owasp top 10 2017 (en)
Owasp top 10 2017 (en)
 

Plus de Sébastien GIORIA

Owasp top 10 2010 Resist toulouse
Owasp top 10 2010 Resist toulouseOwasp top 10 2010 Resist toulouse
Owasp top 10 2010 Resist toulouse
Sébastien GIORIA
 
Présentation Top10 CEGID Lyon
Présentation Top10 CEGID LyonPrésentation Top10 CEGID Lyon
Présentation Top10 CEGID Lyon
Sébastien GIORIA
 
2013 04-04-html5-security-v2
2013 04-04-html5-security-v22013 04-04-html5-security-v2
2013 04-04-html5-security-v2
Sébastien GIORIA
 
2013 03-01 automatiser les tests sécurité
2013 03-01 automatiser les tests sécurité2013 03-01 automatiser les tests sécurité
2013 03-01 automatiser les tests sécurité
Sébastien GIORIA
 
2013 02-27-owasp top10 javascript
2013 02-27-owasp top10 javascript 2013 02-27-owasp top10 javascript
2013 02-27-owasp top10 javascript
Sébastien GIORIA
 

Plus de Sébastien GIORIA (20)

Analyser la sécurité de son code source avec SonarSource
Analyser la sécurité de son code source avec SonarSourceAnalyser la sécurité de son code source avec SonarSource
Analyser la sécurité de son code source avec SonarSource
 
2014 09-25-club-27001 iso 27034-presentation-v2.2
2014 09-25-club-27001 iso 27034-presentation-v2.22014 09-25-club-27001 iso 27034-presentation-v2.2
2014 09-25-club-27001 iso 27034-presentation-v2.2
 
SonarQube et la Sécurité
SonarQube et la SécuritéSonarQube et la Sécurité
SonarQube et la Sécurité
 
Owasp top 10 2010 Resist toulouse
Owasp top 10 2010 Resist toulouseOwasp top 10 2010 Resist toulouse
Owasp top 10 2010 Resist toulouse
 
Présentation Top10 CEGID Lyon
Présentation Top10 CEGID LyonPrésentation Top10 CEGID Lyon
Présentation Top10 CEGID Lyon
 
Présentation au CRI-Ouest
Présentation au CRI-OuestPrésentation au CRI-Ouest
Présentation au CRI-Ouest
 
OWASP Top10 2013 - Présentation aux RSSIA 2013
OWASP Top10 2013 - Présentation aux RSSIA 2013OWASP Top10 2013 - Présentation aux RSSIA 2013
OWASP Top10 2013 - Présentation aux RSSIA 2013
 
2013 04-04-html5-security-v2
2013 04-04-html5-security-v22013 04-04-html5-security-v2
2013 04-04-html5-security-v2
 
2013 02-12-owasp top10 mobile - attaques et solutions sur windows phone (sec309)
2013 02-12-owasp top10 mobile - attaques et solutions sur windows phone (sec309)2013 02-12-owasp top10 mobile - attaques et solutions sur windows phone (sec309)
2013 02-12-owasp top10 mobile - attaques et solutions sur windows phone (sec309)
 
2013 03-01 automatiser les tests sécurité
2013 03-01 automatiser les tests sécurité2013 03-01 automatiser les tests sécurité
2013 03-01 automatiser les tests sécurité
 
2013 02-27-owasp top10 javascript
2013 02-27-owasp top10 javascript 2013 02-27-owasp top10 javascript
2013 02-27-owasp top10 javascript
 
Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for Java
 
2012 11-07-owasp mobile top10 v01
2012 11-07-owasp mobile top10 v012012 11-07-owasp mobile top10 v01
2012 11-07-owasp mobile top10 v01
 
2012 07-05-spn-sgi-v1-lite
2012 07-05-spn-sgi-v1-lite2012 07-05-spn-sgi-v1-lite
2012 07-05-spn-sgi-v1-lite
 
2012 03-02-sdl-sgi-v03
2012 03-02-sdl-sgi-v032012 03-02-sdl-sgi-v03
2012 03-02-sdl-sgi-v03
 
2012 03-01-ror security v01
2012 03-01-ror security v012012 03-01-ror security v01
2012 03-01-ror security v01
 
OWASP Mobile Top10 - Les 10 risques sur les mobiles
OWASP Mobile Top10 - Les 10 risques sur les mobilesOWASP Mobile Top10 - Les 10 risques sur les mobiles
OWASP Mobile Top10 - Les 10 risques sur les mobiles
 
2011 02-07-html5-security-v1
2011 02-07-html5-security-v12011 02-07-html5-security-v1
2011 02-07-html5-security-v1
 
2011 03-09-cloud sgi
2011 03-09-cloud sgi2011 03-09-cloud sgi
2011 03-09-cloud sgi
 
2011 02-08-ms tech-days-sdl-sgi-v02
2011 02-08-ms tech-days-sdl-sgi-v022011 02-08-ms tech-days-sdl-sgi-v02
2011 02-08-ms tech-days-sdl-sgi-v02
 

Dernier

Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
soniya singh
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Delhi Call girls
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
Neha Pandey
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
SUHANI PANDEY
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
soniya singh
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
SUHANI PANDEY
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
kumarajju5765
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
Diya Sharma
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
SUHANI PANDEY
 

Dernier (20)

Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 

2014 09-04-pj

  • 1. TechItDays 2014 Séminaire DT Solocal 2014 4th September 2014 OWASP, the Life,the Universe Sébas&en Gioria Sebas8en.Gioria@owasp.org Chapter Leader & Evangelist OWASP France
  • 2. 2 http://www.google.fr/#q=sebastien gioria ‣ Innovation and Technology @Advens && Application Security Expert ‣ OWASP France Leader & Founder & Evangelist, ‣ OWASP ISO Project & OWASP SonarQube Project Leader ‣ Application Security group leader for the CLUSIF ‣ Proud father of youngs kids trying to hack my digital life. Twitter :@SPoint/@OWASP_France 2
  • 3. Agenda • Applica8on Security : – where we are (no bullshit) – where we are (hopefully) going ? • Open Web Applica8on Security Project ? • Major projects you can use 3
  • 4. Why Applica8on Security ? Your Application has been Hacked Let Me take you on the right way 4 4 My Application will be hacked ! Your Application will be Hacked ;) YES NO NO YES Next Step
  • 5. SQL in Java 5 http://stackoverflow.com/questions/9123084/how-to-execute-a-sql-statement-with-a-variable-as-where" ResultSet rs = stmd.executeQuery("select * from person where uid = "+ userid);" while (rs.next()) { " "System.out.println("Name= " + rs.getString(1));" }
  • 7. Game Over.... • Did you develop Web Site? • Did you develop embeded products ? • Did you develop smartphone applica8ons ? • Did you have customers / partners over Internet ? 7
  • 8. We are living in a Digital environment, in a Connected World v Most of websites vulnerable to a[acks v Important % of web-­‐based Business (Services, Online Store, Self-­‐care, Telcos, SCADA, ...) Why Applica8on Security ? Age of An8virus Age of Network Security Age of Applica8on Security 8
  • 10. Who win ? 10 (c) WhiteHatSecurity 2013"
  • 11. Vulnerabili8es ? 11 (c) WhiteHatSecurity 2013
  • 13. What is OWASP Mission Driven Nonprofit | World Wide | Unbiased OWASP does not endorse or recommend commercial products or services 13
  • 14. What is OWASP Community Driven 30,000 Mail List Par8cipants 200 Ac8ve Chapters in 70 countries 1600+ Members, 56 Corporate Supporters 69 Academic Supporters 14
  • 15. Around the World 200 Chapters, 1 600+ Members, 20 000+ Builders, Breakers and Defenders 15
  • 16. What is OWASP Quality Resources 200+ Projects 15,000+ downloads of tools, documenta8on 250,000+ unique visitors 800,000+ page views (monthly) 16
  • 17. Quality Resources Documenta&on Code Tools 50% 10% 40% 17
  • 20. NEWS A BLOG A PODCAST MEMBERSHIPS MAILING LISTS A NEWSLETTER APPLE APP STORE VIDEO TUTORIALS TRAINING SESSIONS SOCIAL NETWORKING 20
  • 22. OWASP Top10 2013 22 A1: Injec&on A2: Viola&on de Ges&on d’authen&fica&on et de session A3: Cross Site Scrip&ng (XSS) A4:Référence directe non sécurisée à un objet A5: Mauvaise configura&on sécurité A6 : Exposi&on de données sensibles A8: Cross Site Request Forgery (CSRF) A7: Manque de contrôle d’accès fonc&onnel A10: Redirec&ons et transferts non validés A9: U&lisa&on de composants avec des vulnérabilités connues ex-­‐A9(transport non sécurisé) + A7(Stockage crypto)
  • 23. Cheat Sheets Developer Cheat Sheets § PHP Security Cheat Sheet § OWASP Top Ten Cheat Sheet § Authen8ca8on Cheat Sheet § Cross-­‐Site Request Forgery (CSRF) Preven&on Cheat Sheet § Cryptographic Storage Cheat Sheet § Input Valida8on Cheat Sheet § XSS (Cross Site Scrip&ng) Preven&on Cheat Sheet § DOM based XSS Preven8on Cheat Sheet § Forgot Password Cheat Sheet § Query Parameteriza&on Cheat Sheet § SQL Injec&on Preven&on Cheat Sheet § Session Management Cheat Sheet § HTML5 Security Cheat Sheet § Transport Layer Protec8on Cheat Sheet § Web Service Security Cheat Sheet § Logging Cheat Sheet § JAAS Cheat Sheet Mobile Cheat Sheets § IOS Developer Cheat Sheet § Mobile Jailbreaking Cheat Sheet Dran Cheat Sheets § Access Control Cheat Sheet § REST Security Cheat Sheet § Abridged XSS Preven8on Cheat Sheet § Password Storage Cheat Sheet § Secure Coding Cheat Sheet § Threat Modeling Cheat Sheet § Clickjacking Cheat Sheet § Virtual Patching Cheat Sheet § Secure SDLC Cheat Sheet § Web Applica8on Security Tes8ng Cheat Sheet § Applica8on Security Architecture Cheat Sheet 23
  • 24. Project Leader: Enterprise Security API Chris Schmidt, Chris.Schmidt@owasp.org Purpose: A free, open source, web applica8on security control library that makes it easier for programmers to write lower-­‐risk applica8ons h[ps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API 24
  • 25. Java HTML Sani8zer, Java Encoder Project Leader: Mike Samuel Mike.samuel@owasp.org Purpose: The OWASP HTML Sani8zer is a fast and easy to configure HTML Sani8zer wri[en in Java which lets you include HTML authored by third-­‐par&es in your web applica&on while protec8ng against XSS. h[ps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API Project Leader: Jeff Ichnowski Purpose: The OWASP Java Encoder is a Java 1.5+ simple-­‐to-­‐use drop-­‐in high-­‐ performance encoder class with no dependencies and li[le baggage. This project will help Java web developers defend against Cross Site Scrip8ng! h[ps://www.owasp.org/index.php/OWASP_Java_Encoder_Project
  • 26. Java Encoder Project Project Leader: Mike Samuel Mike.samuel@owasp.org Purpose: The OWASP Java Encoder is a Java 1.5+ simple-­‐to-­‐use drop-­‐in high-­‐ performance encoder class with no dependencies and li[le baggage. This project will help Java web developers defend against Cross Site Scrip8ng! h[ps://www.owasp.org/index.php/OWASP_Java_Encoder_Project
  • 28. OWASP IoT Project • The OWASP Internet of Things Top 10 -­‐ 2014 is as follows: • I1 Insecure Web Interface • I2 Insufficient Authen8ca8on/Authoriza8on • I3 Insecure Network Services • I4 Lack of Transport Encryp8on • I5 Privacy Concerns • I6 Insecure Cloud Interface • I7 Insecure Mobile Interface • I8 Insufficient Security Configurability • I9 Insecure Sonware/Firmware • I10 Poor Physical Security
  • 29. Development Guide: Guides comprehensive manual for designing, developing and deploying secure Web Applica8ons and Web Services Code Review Guide: mechanics of reviewing code for certain vulnerabili8es & valida8on of proper security controls Tes&ng Guide: understand the what, why, when, where, and how of tes8ng web applica8ons Applica&on Security Verifica&on Standard (ASVS): comprehensive manual for designing, verify the security of an applica8on h[ps://www.owasp.org/index.php/Category:OWASP_Guide_Project h[ps://www.owasp.org/index.php/Category:OWASP_Code_Review_Project h[ps://www.owasp.org/index.php/Category:OWASP_Tes8ng_Project h[ps://www.owasp.org/index.php/Category:OWASP_Applica8on_Security_Verifica8on_Standard_Project 29
  • 30. Zed A[ack Proxy Project Leader: Simon Benne[s (aka Psiinon), psiinon@gmail.com Purpose: The Zed A[ack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabili8es manually in web applica8ons. Last Release: ZAP 2.3.1 (21 May 2014) h[ps://www.owasp.org/index.php/OWASP_Zed_A[ack_Proxy_Project 30
  • 31. The OWASP Secure Sonware Contract Annex Intended to help sonware developers and their clients nego8ate important contractual terms and condi8ons related to the security of the sonware to be developed or delivered. CONTEXT: Most contracts are silent on these issues, and the par8es frequently have drama8cally different views on what has actually been agreed to. OBJECTIVE: Clearly define these terms is the best way to ensure that both par8es can make informed decisions about how to proceed. h[ps://www.owasp.org/index.php/OWASP_Secure_Sonware_Contract_Annex 31
  • 32. Dates • 11 Septembre 2014 – OWASP France Mee8ng Paris @Mozilla Office – Programme : – 18h30 : Ouverture des portes – 19h : Welcome by OWASP France et Mozilla – 19h15 : SonarQube pour la sécurité par Sébas8en Gioria (OWASP France) – 19h45 : Warning Ahead: Security Storms are Brewing in Your JavaScript -­‐ Par Laurent Levi (Checkmarx) -­‐ En Francais – 20h15 : OWASP News && Closing par Sébas8en Gioria (OWASP France) – 20h30 : Networking hkp://www.eventbrite.fr/e/billets-­‐owasp-­‐france-­‐mee&ng-­‐septembre-­‐2014-­‐12738480137 • Applica8on Security Forum Western Switzerland – Yverdon les Bains – 4/6 Novembre 2014 – h[p://www.appsec-­‐forum.ch/ • Club 27001 /Paris -­‐ 25 Septembre 2014 – Présenta8on de la norme ISO 27034 32
  • 33. Soutenir l’OWASP • Différentes solu8ons : – Membre Individuel : 50 $ – Membre Entreprise : 5000 $ – Dona8on Libre • Soutenir uniquement le chapitre France : – Single Mee8ng supporter • Nous offrir une salle de mee8ng ! • Par8ciper par un talk ou autre ! • Dona8on simple – Local Chapter supporter : • 500 $ à 2000 $ 33
  • 34. License 34 @SPoint sebas8en.gioria@owasp.org