SlideShare une entreprise Scribd logo

White Paper: Leveraging The OWASP Top Ten to Simplify application security and compliance

Security Innovation
Security Innovation

The OWASP Top Ten List represents a consensus among many of the world’s leading information security experts about the greatest application risk - based on both the frequency of the attacks and the magnitude of business impact. This whitepaper will quickly present the OWASP Top Ten, then offer insight into how it can transform application security, facilitate compliance, and reduce application risk. The white paper can be accessed here: http://web.securityinnovation.com/owasp-top-ten.

Technologie
1  sur  12
Télécharger pour lire hors ligne
Simplifying Application Security and Compliance with the OWASP Top 10 An ExEcutivE PErsPEctivE 187 Ballardvale Street, Wilmington, MA 01887 978.694.1008 www.securityinnovation.com
ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 2 introduction From a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well as a varying collection of technologies intended to provide better security. As new threats and regulations create moving targets, it has become increasingly difficult to connect proposed remedies with specific results. However, many leading enterprises have found an approach that cuts through much of this complexity. They are using the OWASP Top 10 list of critical security risks to focus their application security and compliance initiatives. The concept: in this management briefing we will answer the following questions: build processes to prevent the ten most • Why is application security serious web-based attacks, and those important? processes will help you reduce many • What is the oWasp top 10? types of security risks, and at the same • how can the oWasp top 10 be used time cut development costs. to transform application security? • how can the oWasp top 10 help with compliance? • is this approach cost-effective? • What tools are available to ensure best practices around the oWasp top 10? www.securityinnovation.com
ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 3 Why is Application Security important? Everyone acknowledges that iT security is important. Certainly the costs of failure are high: a recent survey found an average cost of $7.2 million per data breach event (or $214 per compromised customer record). The same survey found that 88% of the organizations surveyed had at least one major data breach in 2010.1 The problem is that, although most enterprises have invested in network and PC security, many have neglected to build adequate safeguards into their software applications. Application security is rapidly being recognized as a top priority. Gartner has stated that: “Over 70% of security vulnerabilities exist at the application layer, not the network layer,” and other researchers have estimated this figure at 90%.2 State laws requiring the prompt disclosure of data breach problems are causing companies to look Organizations incorporating the OWASP Top 10 more closely at applications that process customer information. And indus- into security programs: try standards bodies and government agencies are increasingly empha- sizing application security, including the Payment Card industry Security A.G. Edwards Standards Council and the u.S. National institute of Standards British Telecom and Technology (NiST).3 Citibank HP IBM Global Services What is the OWASP Top 10? Michigan State University Price Waterhouse Coopers But what is the best way to address an issue that that affects every REI software developer and virtually every piece of software within an Samsung SDS (Korea) organization? That is where the OWASP Top 10 list has been helpful. Sprint Symantec Since 2003, the Open Web Application Security Project (OWASP) has The Hartford published a list of the ten most critical web application security risks.4 This list represents a consensus among many of the world’s leading information security experts about the greatest risks, based on both the frequency of the attacks and the magnitude of their impact on businesses. The objective of the OWASP Top 10 project is not only to raise awareness about ten specific risks, but also to educate business managers and technical personnel on how to assess and protect against a wide range of application vulnerabilities. This use of the OWASP Top 10 has been embraced by many of the world’s leading iT organizations, including those listed on this page. www.securityinnovation.com
ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 4 The OWASP Top 10 has also become a key reference list for many standards bodies, including the PCi Security Standards Council, NiST and the FTC. The bOTTOm line: Organizations that put in place the people, tools and processes to protect against the OWASP Top 10 risks will develop first-class application security programs capable of handling a wide range of web-based threats. Understanding the secUrity risks The OWASP Top 10 risks are listed in the Appendix. Here we will give a quick overview of two of them. The first risk on the list is “injection.” This means tricking an application into including unintended commands in the data sent to a database or another “interpreter.” For example, a web form might ask for an account number. An attacker, instead of entering a legitimate account number, might enter something like this: ‘ Or 1=1 -- if the application sends these characters to a database, the database will collect a group of account numbers and send those back to the attacker. The consequences can be extremely serious: the attacker can get full access to hundreds of customer accounts. Similar consequences can result from the eighth entry on the list, “Failure to restrict urL Access.” An attacker on an online shopping web site might notice that part of the address of his account page is /user/getAccounts, and from that guess that there is another web page /manager/getAccounts used by administrators to manage user accounts. unless the /manager/getAccounts page is properly protected, the attacker can use it to steal confidential customer data. www.securityinnovation.com
ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 5 how Can the OWASP Top 10 be Used to Transform Application Security? The OWASP organization suggests that the OWASP Top 10 list can be used to “establish a strong foundation of training, standards and tools that makes secure coding possible.”5 Enterprises who have implemented a successful application security program integrate the OWASP Top 10 into each stage of their software development lifecycle (SDLC) to design, develop and test new software applications. The diagram below demonstrates how this can be done. Phase OWASP Top 10 Use Threat modeling: use Top 10 as guide to potential attacks. Determine Requirements and Analysis countermeasures. Security Design Guidelines: Adopt design guidelines that will harden Architecture and Design applications against Top 10. Development Adopt coding standards to counter Top 10. Search for Top 10 code reviews. Develop test plans for Top 10. Test for Top 10 with static analysis tools. Testing Scan for Top 10 with web scanning tools. Deployment Check for configuration and physical deployment errors related to Top 10. maintenance Conduct ongoing scanning for Top 10. 1. reqUirements and analysis in the Requirements and Analysis phase, analysts consider the requirements and goals of the application, as well as possible problems and constraints. Part of this process involves threat modeling, which identifies threats and vulnerabilities relevant to the application. The OWASP Top 10 can be used as guides to potential attacks. A thorough examination of which of those 10 risks could affect the software will suggest ways the application design can be shaped to achieve security objectives, and where resources could be applied to develop countermeasures. www.securityinnovation.com
ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 6 2. architectUre and design in the Architecture and Design phase, specific design guidelines can be adopted that are proven solutions to the Top 10 risks. For example, if the application is potentially susceptible to injection attacks specific guide- lines can be adopted, such as always requiring centralized input validation that differentiates data (account numbers) from code (commands to the database). 3. development in the Development phase, specific coding standards that have been proven to defend against the Top 10 risks can be adopted. To use our injection risk example again, developers could be required to have their software encode user-supplied input; that is, to tell the database “these characters come from a user screen, so they are definitely data and should never be executed as commands.” To address some of the “Failure to restrict urL Access” issues, coding standards might require that every web page be protected by role-based permissions. For example, special logon screens for managers could be added to prevent attackers (and non-management employees) from accessing management screens. Code reviews are another activity that typically occurs during the Development phase. Most developers review code only to make sure that it has the features and functions described in the specification. But developers trained to look also for vulnerabilities in the code related to the OWASP Top 10 will find many types of security issues. 4. testing When the quality assurance group builds the test plan, it can ensure that specific tests are run to simulate attacks related to the Top 10 risks. Static analysis tools which read through software code, can be programmed to look for clues in the code that the application may be vulnerable to Top 10 risks. Web scanning tools can be programmed to simulate attacks based on Top 10 vulnerabilities. For example, they could be set up to attempt injection attacks on all customer input screens. 5. deployment Computer systems and software that are not configured with security in mind can open up systems to attacks. That is why the OWASP Top 10 can be very helpful in the Deployment phase of the software life cycle. For example, many problems can be prevented by ensuring that unnecessary utility software is shut off on servers, and that auditing and logging services are always turned on. www.securityinnovation.com
ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 7 6. maintenance Finally, in the maintenance phase of the life cycle, a focus on the OWASP Top 10 will ensure that organizations conduct ongoing reviews and code scanning, to find out if changes to the application over time might have created any new vulnerabilities. in short, integrating the OWASP Top 10 into every phase of the software development life cycle forces development organizations to adopt security best practices and learn how to use software testing tools. And these best practices and testing tools will help eliminate mitigate the risks, not just of the OWASP Top 10, but for many types of security risks. SeCURe SO FTWARe DeVelOPmenT RiSK mAnAGemenT DeFine > DeSiGn > bUilD > TeST > bUilD > TeST > how Can the OWASP Top 10 help with Compliance? For some enterprises, addressing the OWASP Top 10 risks is mandatory for industry and regulatory compliance. For others it is optional, but provides an excellent way of demonstrating a high level of effort in addressing compliance issues. Pci Dss The PCi DSS rules specifically require addressing the Top 10. PCi DSS requirement 6.5 states: “Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes...as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CErT Secure Coding, etc.), the current best practices must be used for these requirements.” in fact, the PCi DSS requirements 6.1 to 6.9 map directly to 8 of the OWASP Top 10, as shown in the diagram shown on the next page. www.securityinnovation.com
ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 8 PCi DSS Requirements Top 10 most Critical Web Application Security Risks 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, A1 Injection LDAP and XPath injection flaws as well as other injection flaws. A2 Cross-site Scripting (XSS) 6.5.2 Buffer overflow A3 Broken Authentication and Session Management 6.5.3 Insecure cryptographic storage A4 Insecure Direct Object References 6.5.4 Insecure communications 6.5.5 Improper error handling A5 Cross-site Request Forgery (CSRF) 6.5.6 All “High” vulnerabilities identified in the vulnerability identification process A6 Security Misconfiguration (NEW) (as defined in PCI DSS Requirement 6.2).* A7 Failure to Restrict URL Access These apply to web applications and application interfaces (internal or external) 6.5.7 Cross-site scripting (XSS) A8 Unvalidated Redirects and Forwards (NEW) 6.5.8 Improper Access Control (such as insecure A9 Insecure Cryptographic Storage direct object references, failure to restrict URL access, and directory traversal) A10 Insufficient Transport Layer Protection 6.5.9 Cross-site request forgery (CSRF) * This requirement is considered a best practice until June 30, 2012, after which it becomes a requirement. other standards Most standards and regulations are not as explicit as PCi DSS in addressing the OWASP Top 10. However, several others do call for following best practices in the area of application security. For example, the Department of Defense and Defense information Systems Agency (DiSA) recently published the 114-page Application Security and Development Security Technical implementation Guide with detailed recommendations for creating a secure SDLC.6 HiPAA requires that covered organizations perform risks analysis and risks assessments, and in some cases ensure that proper controls are in place for web applica- tions. And a new iSO standard is under development: iSO 27034: Guidelines for Application Security. Essentially, auditors are likely to view the failure to address the OWASP Top 10 as a sign that the organization is falling short of compliance with many standards, while integrating the Top 10 into the software development life cycle demonstrates that many best practices have been implemented as part of the security process. www.securityinnovation.com
ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 9 is this Approach Cost-effective? At this point in our discussion some readers might say: “Why do we need such a new set of programs? Don’t software developers already know how to implement application security?” But in fact, very few have been educated on secure coding practices. And even when they have been, emerging threats require refresher courses every year or two based on how attach methodologies continue to change. So educational programs built around the OWASP Top 10 provide essential education that most developers might not seek to acquire on their own. Other readers might ask “Wouldn’t it be cheaper to buy a few software testing tools and let them detect vulnerabilities in applications?” But software testing tools are almost useless unless developers learn how to use them and know where to point them. in fact, they can be worse than useless, because if not used properly they can generate large numbers of “false positives” that cause resources to be wasted hunting down non-existent bugs. A third common misconception is that programs designed to improve application security can be focused only on software coding. Many security and compliance requirements are missed during the requirements and design phases of the life cycle, and many vulnerabilities are created during the deployment and maintenance phases. JUstification Do application security programs have a return on investment? Part of the answer obviously relates to preventing costly security breaches, and the emergence of advanced threats. As mentioned earlier, a recent survey found an average cost of $7.2 million per data breach, or $214 per compromised customer record, to cover expenses like customer notification, regulatory fines, and cleaning up the damage to internal systems. More than ever, enterprises must take into account the potential for serious damage to reputation and to customer relationships. A second area is compliance. Compliance activities can be costly and time-consuming, and can take manage- ment attention away from more strategic projects. A well-documented application security program built around the OWASP Top 10 can streamline compliance processes and free up resources for more productive tasks. Finally, a program that identifies application security issues early can save a tremendous amount of money over trying to identify and fix requirements in the later phases of the software development life cycle. Studies have calculated that preventing defects in the design phase requires one-tenth the effort of catching and fixing those defects at the system test phase. Gartner estimates that removing 50 percent of software vulner- abilities prior to applications being put into production can reduce configuration management and incident response costs by 75 percent.7 www.securityinnovation.com
ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 10 What Tools are available to ensure best practices around the OWASP Top 10? As discussed in this paper, a program built around the OWASP Top 10 can provide a powerful foundation to effectively focus and organize an application security program. But implementing such a program success- fully the first time requires an accumulation of knowledge and experience. Security innovation provides products, training and consulting services to help organizations build and deploy secure software, but also in implementing a best practices model based on the OWASP top 10. These offerings include: • Consulting services to assess application risk across the entire application portfolio, how to implement a secure software development life cycle, including SDLC assessment and optimization, code reviews, threat modeling and penetration testing. • TeamProfessor eLearning, including courses like “OWASP Top Ten: Threats and Mitigations,” “How to Test for the OWASP Top Ten,” and many courses on secure coding practices for ASP.Net, Java, C++, Windows and other development environments. • TeamMentor, the industry’s largest and only secure software development knowledgebase repository that provides intelligence at every stage of the development lifecycle, the perfect “in-Practice” reference guide for novice and advanced developers and designers, architects, project managers and security teams. To learn more: For more information, please visit Security innovation’s web site at http://www.securityinnovation.com. To evaluate the company’s eLearning products, please contact us at + 1.877.694.1008 x1 or getsecure@securityinnovation.com. www.securityinnovation.com
ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 11 Appendix OWASP Top 10 Application Security Risks —2010 injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an A1 injection interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. xSS flaws occur whenever an application takes untrusted data and sends it to a web browser without Cross-site A2 proper validation and escaping. xSS allows attackers to execute scripts in the victim’s browser which Scripting (XSS) can hijack user sessions, deface web sites, or redirect the user to malicious sites. broken Application functions related to authentication and session management are often not implemented Authentication A3 correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other and Session implementation flaws to assume other users’ identities. management insecure Direct A direct object reference occurs when a developer exposes a reference to an internal implementation A4 Object Refer- object, such as a file, directory, or database key. Without an access control check or other protection, ences attackers can manipulate these references to access unauthorized data. A CSrF attack forces a logged-on victim’s browser to send a forged HTTP request, including the Cross-site victim’s session cookie and any other automatically included authentication information, to a vulnerable A5 Request Forgery web application. This allows the attacker to force the victim’s browser to generate requests the (CSRF) vulnerable application thinks are legitimate requests from the victim. Good security requires having a secure configuration defined and deployed for the application, Security frameworks, application server, web server, database server, and platform. All these settings A6 misconfiguration should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application. insecure Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and A7 Cryptographic authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify Storage such weakly protected data to conduct identity theft, credit card fraud, or other crimes. Failure to Many web applications check urL access rights before rendering protected links and buttons. A8 Restrict URl However, applications need to perform similar access control checks each time these pages are Access accessed, or attackers will be able to forge urLs to access these hidden pages anyway. insufficient Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity A9 Transport layer of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired Protection or invalid certificates, or do not use them correctly Unvalidated Web applications frequently redirect and forward users to other pages and websites, and use A10 Redirects and untrusted data to determine the destination pages. Without proper validation, attackers can Forwards redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. www.securityinnovation.com
ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 12 notes 1 Ponemon institute, 2010 Annual Study: U.S. Cost of a Data Breach, March 2011. Press release: http://www.ponemon.org/blog/post/cost-of-a-data- breach-climbs-higher. Full study: http://bit.ly/hlgCne. 2 Estimate from Gartner, quoted in Computerworld, February 25, 2005: http://www.computerworld.com/printthis/2005/0,4814,99981,00.html. 3 See https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf; https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf; NiST Special Publication 800-53A rev 1:Guide for Assessing the Security Controls in Federal information Systems and Organizations: http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf. 4 OWASP Top 10 project home: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project. OWASP Top 10 for 2010 release document: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf. OWASP Top 10 for 2010 slide presentation: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx. 5 OWASP Top 10 for 2010 release document: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf. 6 Department of Defense/DiSA Application Security and Development Security Technical implementation Guide, vol. 3, release 2: http://iase.disa.mil/stigs/downloads/zip/u_application_security_and_development_stig_v3r2_20101029.zip. 7 The cost of finding defects at different stages of the development life cycle were estimated by B. W. Boehm and P. N.Papaccio in: understanding and Controlling Software Costs, iEEE Transactions on Software Engineering, vol. 14, No. 10, p.1462-1477, October 1988, and by iDC and iBM Systems Sciences institute, quoted in Microsoft Security Development Lifecycle: http://www.cert.uy/historico/pdf/MicrosoftSDL.pdf. The Gartner estimate is from: http://www.gartner.com/press_releases/asset_106327_11.html. © 2011 Security innovation. All rights reserved. www.securityinnovation.com

Recommandé

Owasp o
Owasp oOwasp o
Owasp oSagar Nangare
 
App sec owasp from developers prospective
App sec owasp from developers prospectiveApp sec owasp from developers prospective
App sec owasp from developers prospectiveSecurity Innovation
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]geeksec80
 
OWASP Top Ten 2013
OWASP Top Ten 2013OWASP Top Ten 2013
OWASP Top Ten 2013Alessandro Bonu
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Bee_Ware
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 

Recommandé

Owasp o
Owasp oOwasp o
Owasp oSagar Nangare
 
App sec owasp from developers prospective
App sec owasp from developers prospectiveApp sec owasp from developers prospective
App sec owasp from developers prospectiveSecurity Innovation
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]geeksec80
 
OWASP Top Ten 2013
OWASP Top Ten 2013OWASP Top Ten 2013
OWASP Top Ten 2013Alessandro Bonu
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Bee_Ware
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Bridging the cybersecurity culture gap
Bridging the cybersecurity culture gapBridging the cybersecurity culture gap
Bridging the cybersecurity culture gapSherry Jones
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Cenzic
 
State of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon InstituteState of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon InstituteJeremiah Grossman
 
Top Software Glitches and Growing Significance of Software Testing
Top Software Glitches and Growing Significance of Software TestingTop Software Glitches and Growing Significance of Software Testing
Top Software Glitches and Growing Significance of Software TestingCigniti Technologies Ltd
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application SecuritySaadSaif6
 
SBIC Enterprise Information Security Strategic Technologies
SBIC Enterprise Information Security Strategic TechnologiesSBIC Enterprise Information Security Strategic Technologies
SBIC Enterprise Information Security Strategic TechnologiesEMC
 
Achieving Hi-Fidelity Security by Combining Packet and Endpoint Data
Achieving Hi-Fidelity Security by Combining Packet and Endpoint DataAchieving Hi-Fidelity Security by Combining Packet and Endpoint Data
Achieving Hi-Fidelity Security by Combining Packet and Endpoint DataEnterprise Management Associates
 
The unprecedented state of web insecurity
The unprecedented state of web insecurityThe unprecedented state of web insecurity
The unprecedented state of web insecurityVincent Kwon
 
2016 Trends in Security
2016 Trends in Security 2016 Trends in Security
2016 Trends in Security Ioannis Aligizakis, M.Sc.
 
Risks in the Software Supply Chain
Risks in the Software Supply ChainRisks in the Software Supply Chain
Risks in the Software Supply ChainMark Sherman
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersSynopsys Software Integrity Group
 
Are Your Cyber Defenses Strong Enough?
Are Your Cyber Defenses Strong Enough?Are Your Cyber Defenses Strong Enough?
Are Your Cyber Defenses Strong Enough?Cygilant
 
VSEC Company Profile
VSEC Company ProfileVSEC Company Profile
VSEC Company ProfileVietnamese Network Security J.S.C
 
CRI Cyber Board Briefing
CRI Cyber Board Briefing CRI Cyber Board Briefing
CRI Cyber Board Briefing OCTF Industry Engagement
 
Impacts cloud remote_workforce
Impacts cloud remote_workforceImpacts cloud remote_workforce
Impacts cloud remote_workforceRodrigo Varas
 
Csathreats.v1.0
Csathreats.v1.0Csathreats.v1.0
Csathreats.v1.0vivek_kale27
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsFireEye, Inc.
 
Tata communications io t solutions_ehs_v2.0
Tata communications io t solutions_ehs_v2.0Tata communications io t solutions_ehs_v2.0
Tata communications io t solutions_ehs_v2.0e1torres
 
Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Ajay Ohri
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]geeksec0306
 
Owasp top 10
Owasp top 10 Owasp top 10
Owasp top 10 Pensamiento Libre
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017malvvv
 

Contenu connexe

Tendances

Bridging the cybersecurity culture gap
Bridging the cybersecurity culture gapBridging the cybersecurity culture gap
Bridging the cybersecurity culture gapSherry Jones
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Cenzic
 
State of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon InstituteState of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon InstituteJeremiah Grossman
 
Top Software Glitches and Growing Significance of Software Testing
Top Software Glitches and Growing Significance of Software TestingTop Software Glitches and Growing Significance of Software Testing
Top Software Glitches and Growing Significance of Software TestingCigniti Technologies Ltd
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application SecuritySaadSaif6
 
SBIC Enterprise Information Security Strategic Technologies
SBIC Enterprise Information Security Strategic TechnologiesSBIC Enterprise Information Security Strategic Technologies
SBIC Enterprise Information Security Strategic TechnologiesEMC
 
Achieving Hi-Fidelity Security by Combining Packet and Endpoint Data
Achieving Hi-Fidelity Security by Combining Packet and Endpoint DataAchieving Hi-Fidelity Security by Combining Packet and Endpoint Data
Achieving Hi-Fidelity Security by Combining Packet and Endpoint DataEnterprise Management Associates
 
The unprecedented state of web insecurity
The unprecedented state of web insecurityThe unprecedented state of web insecurity
The unprecedented state of web insecurityVincent Kwon
 
Risks in the Software Supply Chain
Risks in the Software Supply ChainRisks in the Software Supply Chain
Risks in the Software Supply ChainMark Sherman
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersSynopsys Software Integrity Group
 
Are Your Cyber Defenses Strong Enough?
Are Your Cyber Defenses Strong Enough?Are Your Cyber Defenses Strong Enough?
Are Your Cyber Defenses Strong Enough?Cygilant
 
Impacts cloud remote_workforce
Impacts cloud remote_workforceImpacts cloud remote_workforce
Impacts cloud remote_workforceRodrigo Varas
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsFireEye, Inc.
 
Tata communications io t solutions_ehs_v2.0
Tata communications io t solutions_ehs_v2.0Tata communications io t solutions_ehs_v2.0
Tata communications io t solutions_ehs_v2.0e1torres
 

Tendances (18)

Bridging the cybersecurity culture gap
Bridging the cybersecurity culture gapBridging the cybersecurity culture gap
Bridging the cybersecurity culture gap
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
 
State of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon InstituteState of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon Institute
 
Top Software Glitches and Growing Significance of Software Testing
Top Software Glitches and Growing Significance of Software TestingTop Software Glitches and Growing Significance of Software Testing
Top Software Glitches and Growing Significance of Software Testing
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application Security
 
SBIC Enterprise Information Security Strategic Technologies
SBIC Enterprise Information Security Strategic TechnologiesSBIC Enterprise Information Security Strategic Technologies
SBIC Enterprise Information Security Strategic Technologies
 
Achieving Hi-Fidelity Security by Combining Packet and Endpoint Data
Achieving Hi-Fidelity Security by Combining Packet and Endpoint DataAchieving Hi-Fidelity Security by Combining Packet and Endpoint Data
Achieving Hi-Fidelity Security by Combining Packet and Endpoint Data
 
The unprecedented state of web insecurity
The unprecedented state of web insecurityThe unprecedented state of web insecurity
The unprecedented state of web insecurity
 
2016 Trends in Security
2016 Trends in Security 2016 Trends in Security
2016 Trends in Security
 
Risks in the Software Supply Chain
Risks in the Software Supply ChainRisks in the Software Supply Chain
Risks in the Software Supply Chain
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
 
Are Your Cyber Defenses Strong Enough?
Are Your Cyber Defenses Strong Enough?Are Your Cyber Defenses Strong Enough?
Are Your Cyber Defenses Strong Enough?
 
VSEC Company Profile
VSEC Company ProfileVSEC Company Profile
VSEC Company Profile
 
CRI Cyber Board Briefing
CRI Cyber Board Briefing CRI Cyber Board Briefing
CRI Cyber Board Briefing
 
Impacts cloud remote_workforce
Impacts cloud remote_workforceImpacts cloud remote_workforce
Impacts cloud remote_workforce
 
Csathreats.v1.0
Csathreats.v1.0Csathreats.v1.0
Csathreats.v1.0
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security Teams
 
Tata communications io t solutions_ehs_v2.0
Tata communications io t solutions_ehs_v2.0Tata communications io t solutions_ehs_v2.0
Tata communications io t solutions_ehs_v2.0
 

Similaire à White Paper: Leveraging The OWASP Top Ten to Simplify application security and compliance

Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Ajay Ohri
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]geeksec0306
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017malvvv
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Aryan G
 
Owasp top 10_-_2013
Owasp top 10_-_2013Owasp top 10_-_2013
Owasp top 10_-_2013Edho Armando
 
Owasp top 10 2017 (en)
Owasp top 10 2017 (en)Owasp top 10 2017 (en)
Owasp top 10 2017 (en)PrashantDhakol
 
OWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfOWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfSamSepiolRhodes
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1Telefónica
 
Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3RazaMehmood7
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxgerardkortney
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Minded Security
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩baoyin
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsSonatype
 
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn WilsonOWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn WilsonAlex Cachia
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applicationsalexbe
 
What are the top 10 web security risks?
What are the top 10 web security risks?What are the top 10 web security risks?
What are the top 10 web security risks?Jacklin Berry
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxlior mazor
 
Veracode Corporate Overview - Print
Veracode Corporate Overview - PrintVeracode Corporate Overview - Print
Veracode Corporate Overview - PrintAndrew Kanikuru
 

Similaire à White Paper: Leveraging The OWASP Top Ten to Simplify application security and compliance (20)

Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]
 
Owasp top 10
Owasp top 10 Owasp top 10
Owasp top 10
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Owasp top 10_-_2013
Owasp top 10_-_2013Owasp top 10_-_2013
Owasp top 10_-_2013
 
Owasp top 10 2017 (en)
Owasp top 10 2017 (en)Owasp top 10 2017 (en)
Owasp top 10 2017 (en)
 
OWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfOWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdf
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
 
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn WilsonOWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
 
What are the top 10 web security risks?
What are the top 10 web security risks?What are the top 10 web security risks?
What are the top 10 web security risks?
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
Veracode Corporate Overview - Print
Veracode Corporate Overview - PrintVeracode Corporate Overview - Print
Veracode Corporate Overview - Print
 

Dernier

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Dernier (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 

White Paper: Leveraging The OWASP Top Ten to Simplify application security and compliance

  • 1. Simplifying Application Security and Compliance with the OWASP Top 10 An ExEcutivE PErsPEctivE 187 Ballardvale Street, Wilmington, MA 01887 978.694.1008 www.securityinnovation.com
  • 2. ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 2 introduction From a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well as a varying collection of technologies intended to provide better security. As new threats and regulations create moving targets, it has become increasingly difficult to connect proposed remedies with specific results. However, many leading enterprises have found an approach that cuts through much of this complexity. They are using the OWASP Top 10 list of critical security risks to focus their application security and compliance initiatives. The concept: in this management briefing we will answer the following questions: build processes to prevent the ten most • Why is application security serious web-based attacks, and those important? processes will help you reduce many • What is the oWasp top 10? types of security risks, and at the same • how can the oWasp top 10 be used time cut development costs. to transform application security? • how can the oWasp top 10 help with compliance? • is this approach cost-effective? • What tools are available to ensure best practices around the oWasp top 10? www.securityinnovation.com
  • 3. ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 3 Why is Application Security important? Everyone acknowledges that iT security is important. Certainly the costs of failure are high: a recent survey found an average cost of $7.2 million per data breach event (or $214 per compromised customer record). The same survey found that 88% of the organizations surveyed had at least one major data breach in 2010.1 The problem is that, although most enterprises have invested in network and PC security, many have neglected to build adequate safeguards into their software applications. Application security is rapidly being recognized as a top priority. Gartner has stated that: “Over 70% of security vulnerabilities exist at the application layer, not the network layer,” and other researchers have estimated this figure at 90%.2 State laws requiring the prompt disclosure of data breach problems are causing companies to look Organizations incorporating the OWASP Top 10 more closely at applications that process customer information. And indus- into security programs: try standards bodies and government agencies are increasingly empha- sizing application security, including the Payment Card industry Security A.G. Edwards Standards Council and the u.S. National institute of Standards British Telecom and Technology (NiST).3 Citibank HP IBM Global Services What is the OWASP Top 10? Michigan State University Price Waterhouse Coopers But what is the best way to address an issue that that affects every REI software developer and virtually every piece of software within an Samsung SDS (Korea) organization? That is where the OWASP Top 10 list has been helpful. Sprint Symantec Since 2003, the Open Web Application Security Project (OWASP) has The Hartford published a list of the ten most critical web application security risks.4 This list represents a consensus among many of the world’s leading information security experts about the greatest risks, based on both the frequency of the attacks and the magnitude of their impact on businesses. The objective of the OWASP Top 10 project is not only to raise awareness about ten specific risks, but also to educate business managers and technical personnel on how to assess and protect against a wide range of application vulnerabilities. This use of the OWASP Top 10 has been embraced by many of the world’s leading iT organizations, including those listed on this page. www.securityinnovation.com
  • 4. ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 4 The OWASP Top 10 has also become a key reference list for many standards bodies, including the PCi Security Standards Council, NiST and the FTC. The bOTTOm line: Organizations that put in place the people, tools and processes to protect against the OWASP Top 10 risks will develop first-class application security programs capable of handling a wide range of web-based threats. Understanding the secUrity risks The OWASP Top 10 risks are listed in the Appendix. Here we will give a quick overview of two of them. The first risk on the list is “injection.” This means tricking an application into including unintended commands in the data sent to a database or another “interpreter.” For example, a web form might ask for an account number. An attacker, instead of entering a legitimate account number, might enter something like this: ‘ Or 1=1 -- if the application sends these characters to a database, the database will collect a group of account numbers and send those back to the attacker. The consequences can be extremely serious: the attacker can get full access to hundreds of customer accounts. Similar consequences can result from the eighth entry on the list, “Failure to restrict urL Access.” An attacker on an online shopping web site might notice that part of the address of his account page is /user/getAccounts, and from that guess that there is another web page /manager/getAccounts used by administrators to manage user accounts. unless the /manager/getAccounts page is properly protected, the attacker can use it to steal confidential customer data. www.securityinnovation.com
  • 5. ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 5 how Can the OWASP Top 10 be Used to Transform Application Security? The OWASP organization suggests that the OWASP Top 10 list can be used to “establish a strong foundation of training, standards and tools that makes secure coding possible.”5 Enterprises who have implemented a successful application security program integrate the OWASP Top 10 into each stage of their software development lifecycle (SDLC) to design, develop and test new software applications. The diagram below demonstrates how this can be done. Phase OWASP Top 10 Use Threat modeling: use Top 10 as guide to potential attacks. Determine Requirements and Analysis countermeasures. Security Design Guidelines: Adopt design guidelines that will harden Architecture and Design applications against Top 10. Development Adopt coding standards to counter Top 10. Search for Top 10 code reviews. Develop test plans for Top 10. Test for Top 10 with static analysis tools. Testing Scan for Top 10 with web scanning tools. Deployment Check for configuration and physical deployment errors related to Top 10. maintenance Conduct ongoing scanning for Top 10. 1. reqUirements and analysis in the Requirements and Analysis phase, analysts consider the requirements and goals of the application, as well as possible problems and constraints. Part of this process involves threat modeling, which identifies threats and vulnerabilities relevant to the application. The OWASP Top 10 can be used as guides to potential attacks. A thorough examination of which of those 10 risks could affect the software will suggest ways the application design can be shaped to achieve security objectives, and where resources could be applied to develop countermeasures. www.securityinnovation.com
  • 6. ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 6 2. architectUre and design in the Architecture and Design phase, specific design guidelines can be adopted that are proven solutions to the Top 10 risks. For example, if the application is potentially susceptible to injection attacks specific guide- lines can be adopted, such as always requiring centralized input validation that differentiates data (account numbers) from code (commands to the database). 3. development in the Development phase, specific coding standards that have been proven to defend against the Top 10 risks can be adopted. To use our injection risk example again, developers could be required to have their software encode user-supplied input; that is, to tell the database “these characters come from a user screen, so they are definitely data and should never be executed as commands.” To address some of the “Failure to restrict urL Access” issues, coding standards might require that every web page be protected by role-based permissions. For example, special logon screens for managers could be added to prevent attackers (and non-management employees) from accessing management screens. Code reviews are another activity that typically occurs during the Development phase. Most developers review code only to make sure that it has the features and functions described in the specification. But developers trained to look also for vulnerabilities in the code related to the OWASP Top 10 will find many types of security issues. 4. testing When the quality assurance group builds the test plan, it can ensure that specific tests are run to simulate attacks related to the Top 10 risks. Static analysis tools which read through software code, can be programmed to look for clues in the code that the application may be vulnerable to Top 10 risks. Web scanning tools can be programmed to simulate attacks based on Top 10 vulnerabilities. For example, they could be set up to attempt injection attacks on all customer input screens. 5. deployment Computer systems and software that are not configured with security in mind can open up systems to attacks. That is why the OWASP Top 10 can be very helpful in the Deployment phase of the software life cycle. For example, many problems can be prevented by ensuring that unnecessary utility software is shut off on servers, and that auditing and logging services are always turned on. www.securityinnovation.com
  • 7. ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 7 6. maintenance Finally, in the maintenance phase of the life cycle, a focus on the OWASP Top 10 will ensure that organizations conduct ongoing reviews and code scanning, to find out if changes to the application over time might have created any new vulnerabilities. in short, integrating the OWASP Top 10 into every phase of the software development life cycle forces development organizations to adopt security best practices and learn how to use software testing tools. And these best practices and testing tools will help eliminate mitigate the risks, not just of the OWASP Top 10, but for many types of security risks. SeCURe SO FTWARe DeVelOPmenT RiSK mAnAGemenT DeFine > DeSiGn > bUilD > TeST > bUilD > TeST > how Can the OWASP Top 10 help with Compliance? For some enterprises, addressing the OWASP Top 10 risks is mandatory for industry and regulatory compliance. For others it is optional, but provides an excellent way of demonstrating a high level of effort in addressing compliance issues. Pci Dss The PCi DSS rules specifically require addressing the Top 10. PCi DSS requirement 6.5 states: “Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes...as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CErT Secure Coding, etc.), the current best practices must be used for these requirements.” in fact, the PCi DSS requirements 6.1 to 6.9 map directly to 8 of the OWASP Top 10, as shown in the diagram shown on the next page. www.securityinnovation.com
  • 8. ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 8 PCi DSS Requirements Top 10 most Critical Web Application Security Risks 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, A1 Injection LDAP and XPath injection flaws as well as other injection flaws. A2 Cross-site Scripting (XSS) 6.5.2 Buffer overflow A3 Broken Authentication and Session Management 6.5.3 Insecure cryptographic storage A4 Insecure Direct Object References 6.5.4 Insecure communications 6.5.5 Improper error handling A5 Cross-site Request Forgery (CSRF) 6.5.6 All “High” vulnerabilities identified in the vulnerability identification process A6 Security Misconfiguration (NEW) (as defined in PCI DSS Requirement 6.2).* A7 Failure to Restrict URL Access These apply to web applications and application interfaces (internal or external) 6.5.7 Cross-site scripting (XSS) A8 Unvalidated Redirects and Forwards (NEW) 6.5.8 Improper Access Control (such as insecure A9 Insecure Cryptographic Storage direct object references, failure to restrict URL access, and directory traversal) A10 Insufficient Transport Layer Protection 6.5.9 Cross-site request forgery (CSRF) * This requirement is considered a best practice until June 30, 2012, after which it becomes a requirement. other standards Most standards and regulations are not as explicit as PCi DSS in addressing the OWASP Top 10. However, several others do call for following best practices in the area of application security. For example, the Department of Defense and Defense information Systems Agency (DiSA) recently published the 114-page Application Security and Development Security Technical implementation Guide with detailed recommendations for creating a secure SDLC.6 HiPAA requires that covered organizations perform risks analysis and risks assessments, and in some cases ensure that proper controls are in place for web applica- tions. And a new iSO standard is under development: iSO 27034: Guidelines for Application Security. Essentially, auditors are likely to view the failure to address the OWASP Top 10 as a sign that the organization is falling short of compliance with many standards, while integrating the Top 10 into the software development life cycle demonstrates that many best practices have been implemented as part of the security process. www.securityinnovation.com
  • 9. ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 9 is this Approach Cost-effective? At this point in our discussion some readers might say: “Why do we need such a new set of programs? Don’t software developers already know how to implement application security?” But in fact, very few have been educated on secure coding practices. And even when they have been, emerging threats require refresher courses every year or two based on how attach methodologies continue to change. So educational programs built around the OWASP Top 10 provide essential education that most developers might not seek to acquire on their own. Other readers might ask “Wouldn’t it be cheaper to buy a few software testing tools and let them detect vulnerabilities in applications?” But software testing tools are almost useless unless developers learn how to use them and know where to point them. in fact, they can be worse than useless, because if not used properly they can generate large numbers of “false positives” that cause resources to be wasted hunting down non-existent bugs. A third common misconception is that programs designed to improve application security can be focused only on software coding. Many security and compliance requirements are missed during the requirements and design phases of the life cycle, and many vulnerabilities are created during the deployment and maintenance phases. JUstification Do application security programs have a return on investment? Part of the answer obviously relates to preventing costly security breaches, and the emergence of advanced threats. As mentioned earlier, a recent survey found an average cost of $7.2 million per data breach, or $214 per compromised customer record, to cover expenses like customer notification, regulatory fines, and cleaning up the damage to internal systems. More than ever, enterprises must take into account the potential for serious damage to reputation and to customer relationships. A second area is compliance. Compliance activities can be costly and time-consuming, and can take manage- ment attention away from more strategic projects. A well-documented application security program built around the OWASP Top 10 can streamline compliance processes and free up resources for more productive tasks. Finally, a program that identifies application security issues early can save a tremendous amount of money over trying to identify and fix requirements in the later phases of the software development life cycle. Studies have calculated that preventing defects in the design phase requires one-tenth the effort of catching and fixing those defects at the system test phase. Gartner estimates that removing 50 percent of software vulner- abilities prior to applications being put into production can reduce configuration management and incident response costs by 75 percent.7 www.securityinnovation.com
  • 10. ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 10 What Tools are available to ensure best practices around the OWASP Top 10? As discussed in this paper, a program built around the OWASP Top 10 can provide a powerful foundation to effectively focus and organize an application security program. But implementing such a program success- fully the first time requires an accumulation of knowledge and experience. Security innovation provides products, training and consulting services to help organizations build and deploy secure software, but also in implementing a best practices model based on the OWASP top 10. These offerings include: • Consulting services to assess application risk across the entire application portfolio, how to implement a secure software development life cycle, including SDLC assessment and optimization, code reviews, threat modeling and penetration testing. • TeamProfessor eLearning, including courses like “OWASP Top Ten: Threats and Mitigations,” “How to Test for the OWASP Top Ten,” and many courses on secure coding practices for ASP.Net, Java, C++, Windows and other development environments. • TeamMentor, the industry’s largest and only secure software development knowledgebase repository that provides intelligence at every stage of the development lifecycle, the perfect “in-Practice” reference guide for novice and advanced developers and designers, architects, project managers and security teams. To learn more: For more information, please visit Security innovation’s web site at http://www.securityinnovation.com. To evaluate the company’s eLearning products, please contact us at + 1.877.694.1008 x1 or getsecure@securityinnovation.com. www.securityinnovation.com
  • 11. ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 11 Appendix OWASP Top 10 Application Security Risks —2010 injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an A1 injection interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. xSS flaws occur whenever an application takes untrusted data and sends it to a web browser without Cross-site A2 proper validation and escaping. xSS allows attackers to execute scripts in the victim’s browser which Scripting (XSS) can hijack user sessions, deface web sites, or redirect the user to malicious sites. broken Application functions related to authentication and session management are often not implemented Authentication A3 correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other and Session implementation flaws to assume other users’ identities. management insecure Direct A direct object reference occurs when a developer exposes a reference to an internal implementation A4 Object Refer- object, such as a file, directory, or database key. Without an access control check or other protection, ences attackers can manipulate these references to access unauthorized data. A CSrF attack forces a logged-on victim’s browser to send a forged HTTP request, including the Cross-site victim’s session cookie and any other automatically included authentication information, to a vulnerable A5 Request Forgery web application. This allows the attacker to force the victim’s browser to generate requests the (CSRF) vulnerable application thinks are legitimate requests from the victim. Good security requires having a secure configuration defined and deployed for the application, Security frameworks, application server, web server, database server, and platform. All these settings A6 misconfiguration should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application. insecure Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and A7 Cryptographic authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify Storage such weakly protected data to conduct identity theft, credit card fraud, or other crimes. Failure to Many web applications check urL access rights before rendering protected links and buttons. A8 Restrict URl However, applications need to perform similar access control checks each time these pages are Access accessed, or attackers will be able to forge urLs to access these hidden pages anyway. insufficient Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity A9 Transport layer of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired Protection or invalid certificates, or do not use them correctly Unvalidated Web applications frequently redirect and forward users to other pages and websites, and use A10 Redirects and untrusted data to determine the destination pages. Without proper validation, attackers can Forwards redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. www.securityinnovation.com
  • 12. ExECuTivE PErSPECTivE Simplifying Application Security and Compliance with the OWASP Top 10 12 notes 1 Ponemon institute, 2010 Annual Study: U.S. Cost of a Data Breach, March 2011. Press release: http://www.ponemon.org/blog/post/cost-of-a-data- breach-climbs-higher. Full study: http://bit.ly/hlgCne. 2 Estimate from Gartner, quoted in Computerworld, February 25, 2005: http://www.computerworld.com/printthis/2005/0,4814,99981,00.html. 3 See https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf; https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf; NiST Special Publication 800-53A rev 1:Guide for Assessing the Security Controls in Federal information Systems and Organizations: http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf. 4 OWASP Top 10 project home: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project. OWASP Top 10 for 2010 release document: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf. OWASP Top 10 for 2010 slide presentation: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx. 5 OWASP Top 10 for 2010 release document: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf. 6 Department of Defense/DiSA Application Security and Development Security Technical implementation Guide, vol. 3, release 2: http://iase.disa.mil/stigs/downloads/zip/u_application_security_and_development_stig_v3r2_20101029.zip. 7 The cost of finding defects at different stages of the development life cycle were estimated by B. W. Boehm and P. N.Papaccio in: understanding and Controlling Software Costs, iEEE Transactions on Software Engineering, vol. 14, No. 10, p.1462-1477, October 1988, and by iDC and iBM Systems Sciences institute, quoted in Microsoft Security Development Lifecycle: http://www.cert.uy/historico/pdf/MicrosoftSDL.pdf. The Gartner estimate is from: http://www.gartner.com/press_releases/asset_106327_11.html. © 2011 Security innovation. All rights reserved. www.securityinnovation.com