SlideShare une entreprise Scribd logo
1  sur  57
QAing the Security Way!
Amit & Null
vodQA, Pune 17th March 2018
“A system is secure if it behaves
precisely in the manner intended -
and does nothing more”
- Ivan Arce
Amit Gundiyal
Senior Consultant - Quality Analyst at ThoughtWorks, Inc
6+ years of experience (as Dev, QA & BA)
About Me
Nalinikanth AKA Null
About Me
Senior Consultant - Quality Analyst at ThoughtWorks, Inc
5+ years of experience
©ThoughtWorks, Inc. Do not copy. Do not distribute. 5
Ground Rules
● Follow the speaker
○ Don’t get deviated.
○ If you are stuck call any of the volunteers.
● We will share you all the material don’t bother about that.
● Ask questions whenever you have - don’t wait.
● MOST IMPORTANT!
Information Technology Act 2000
Imprisonment upto
5 years
and / or
with fine upto
₹5,00,000
http://www.itlaw.in/
https://en.wikipedia.org/wiki/Information_Technology_Act,_2000
©ThoughtWorks, Inc. Do not copy. Do not distribute. 7
What to expect?
● Talk about QAing and Security.
● OWASP TOP 10
● Hands on few OWASP threats.
● We will be using tools to do an attack, but will not go in
depth on the tools.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 8
Agenda
● What and Why of security ?
● QA role in testing security.
● OWASP TOP 10
● Hands on security vulnerabilities
©ThoughtWorks, Inc. Do not copy. Do not distribute. 9
What and Why of Security Testing?
In 2017
● Verizon: 14 Millions of customer records exposed in security lapse.
● Verifone: the largest maker of point-of-sale credit card terminals used across world.
● Deloitte: Embarrassingly for the accounting firm who pride themselves on their Cyber Intelligence
Centre, Deloitte fell victim to a cyber attack in March.
● Deep Root Analytics: A data analytics firm, to gather political information about U.S. voters. Chris
Vickery, a cyber risk analyst, discovered that the sensitive information Deep Root Analytics
obtained–personal data for roughly 198 million American citizens.
● Virgin America: In a letter to employees, airline Virgin America revealed that a hacker had
successfully entered their corporate network gaining access to login information and passwords
used by employees to access the network.
● Equifax: one of the three largest credit agencies in the U.S., suffered a breach that may affect 143
million consumers.
As a QA
©ThoughtWorks, Inc. Do not copy. Do not distribute. 11
What a QA has?
● End to end knowledge.
● One who tests almost
everything in the system.
● Implement security thinking.
● Add security analysis to stories.
● Identify where security can
possibly go for toss.
● Test the stories if they are
vulnerable.
● Help team build more security
products
What a QA can do?
©ThoughtWorks, Inc. Do not copy. Do not distribute. 12
QA could have stopped this
https://www.exploit-db.com/exploits/6421/
©ThoughtWorks, Inc. Do not copy. Do not distribute. 13
Let's start with a story
©ThoughtWorks, Inc. Do not copy. Do not distribute. 14
OWASP
● Open Web Application Security Project (OWASP)
● Online community, which creates freely-available articles, tools,
methodologies, documentation, and technologies in the field of
web application security.
● Not-for-profit charitable organization.
● Focussed on improving the security of software.
● Currently has over 150+ active projects
©ThoughtWorks, Inc. Do not copy. Do not distribute. 15
OWASP Top 10
● List the 10 most critical web application security risks.
● A powerful awareness document.
● Published at regular intervals.
● Approximately once in 3 years.
● Last published in 2017
©ThoughtWorks, Inc. Do not copy. Do not distribute. 16
OWASP Top 10 - 2013 vs 2017
©ThoughtWorks, Inc. Do not copy. Do not distribute. 17
Tools we are using today
● OWASP Mutillidae II - Application to attack
● Burp suite to intercept requests (we can use ZAP as well)
● Python to steal cookie
What causes most of the attacks?
©ThoughtWorks, Inc. Do not copy. Do not distribute. 19
User Input - Surface Area
I don’t like user input
and
this is why I don’t
©ThoughtWorks, Inc. Do not copy. Do not distribute. 20
A7: Cross-site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and
sends it to a web browser without proper validation or escaping.
XSS allows attackers to execute scripts in the victim’s browser which can:
● hijack user sessions
● deface web sites
● redirect the user to malicious sites.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 21
A7: How XSS works?
©ThoughtWorks, Inc. Do not copy. Do not distribute. 22
Types of XSS
● Reflected XSS
○ Reflected XSS occurs when user input is immediately returned by a
web application in an error message, search result, etc. and without
permanently storing the user provided data.
● Stored XSS
○ Stored XSS generally occurs when user input is stored on the target
server, such as in a database, in a message forum, visitor log,
comment field, etc.
XSS Hands-on!!
23
©ThoughtWorks, Inc. Do not copy. Do not distribute. 24
Where in Mutillidae II?
©ThoughtWorks, Inc. Do not copy. Do not distribute. 25
A1: Injection
Injection flaws occur when untrusted data is sent to an interpreter as part of a
command or query. The attacker’s hostile data can trick the interpreter into
executing unintended commands or accessing data without proper
authorization.
Types of Injection:
● SQL Injection - Anywhere input value is being executed as a database query.
● OS Command Injection - Anywhere input is being executed as a command.
● Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, XML and many
more
Injection Hands-on!!
©ThoughtWorks, Inc. Do not copy. Do not distribute. 27
Where in Mutillidae II?
For SQL Injections -
©ThoughtWorks, Inc. Do not copy. Do not distribute. 28
Where in Mutillidae II?
For OS Command Injection -
©ThoughtWorks, Inc. Do not copy. Do not distribute. 29
A3 : Sensitive Data Exposure
Many web applications do not properly protect sensitive
data, such as credit cards, tax IDs, and authentication
credentials. Sometimes data pertaining to the configuration
of systems is also leaked by error messages or forgotten
debug pages.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 30
A3 : Sensitive Data Exposure
Scenario #1: An application encrypts credit card numbers in a database using automatic
database encryption. However, this data is automatically decrypted when retrieved,
allowing an SQL injection flaw to retrieve credit card numbers in clear text.
Scenario #2: A site doesn't use or enforce TLS for all pages, or if it supports weak
encryption. An attacker simply monitors network traffic, strips or intercepts the TLS (like an
open wireless network), and steals the user's session cookie.The attacker then replays this
cookie and hijacks the user's (authenticated) session, accessing or modifying the user's
private data. Instead of the above he could alter all transported data, e.g. the recipient of a
money transfer.
Scenario #3: The password database uses unsalted hashes to store everyone's
passwords. A file upload flaw allows an attacker to retrieve the password database. All the
unsalted hashes can be exposed with a rainbow table of pre-calculated hashes.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 31
Where do we miss it
● Access to some unwanted files.
● Poor encryption mechanism.
● Not using HTTPS
Sensitive Data Exposure Hands-on!!
©ThoughtWorks, Inc. Do not copy. Do not distribute. 33
A2 : Broken Authentication
©ThoughtWorks, Inc. Do not copy. Do not distribute. 34
A2 : Broken Authentication
©ThoughtWorks, Inc. Do not copy. Do not distribute. 35
A2 : Broken Authentication
Session management is a critical piece of application
security. It is broader risk, and requires developers take care
of protecting session id, user credential secure storage,
session duration, and protecting critical session data in
transit.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 36
How A2 can happen?
● SQL Injection.
● Weak passwords and Password retrieval mechanisms
● Not handling session ids properly which leads to privilege
escalation or elevation of privilege.
● Cookies (Unencrypted, not securing them properly)
Broken Authentication Hands-on!!
©ThoughtWorks, Inc. Do not copy. Do not distribute. 38
Set up Proxy on firefox!!
©ThoughtWorks, Inc. Do not copy. Do not distribute. 39
Set up your burp Proxy!!
©ThoughtWorks, Inc. Do not copy. Do not distribute. 40
Interceptor on burp
©ThoughtWorks, Inc. Do not copy. Do not distribute. 41
A9 : Using components with known vulnerabilities
Components such as libraries, frameworks & other modules,
almost always run with privileges. Exploitation of a
vulnerable component can cause serious data loss or server
takeover. Apps using components with known vulnerabilities
may undermine app defenses and enable a range of attacks.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 42
Where
● Technology we use.
● Third party libraries
○ Programing languages/ frameworks
○ Node modules
○ Charting libraries
○ Many more...
● Any tools or softwares installed.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 43
A9 : Recent Times
©ThoughtWorks, Inc. Do not copy. Do not distribute. 44
Where to check and how to protect?
● https://www.cvedetails.com/
Use dependency checkers..
● https://www.owasp.org/index.php/OWASP_Dependency_Check
● https://github.com/nodesecurity/nsp
©ThoughtWorks, Inc. Do not copy. Do not distribute. 45
A4 : XML External Entity (XXE)
Many older or poorly configured XML processors evaluate external entity
references within XML documents. External entities can be used to disclose
internal files using the file URI handler, internal SMB file shares on
unpatched Windows servers, internal port scanning, remote code execution,
and denial of service attacks, such as the Billion Laughs attack.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 46
A4 : XML External Entity (XXE)
©ThoughtWorks, Inc. Do not copy. Do not distribute. 47
A8 : Insecure Deserialization
Web servers and applications can leak information and allow
attackers to take control over systems using
misconfigurations either arising out of weak defaults, hidden
applications or via enhanced functionality that causes the
app to become vulnerable.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 48
A8 : Insecure Deserialization - Example
©ThoughtWorks, Inc. Do not copy. Do not distribute. 49
A5 : Broken Access Control
Restrictions on what authenticated users are allowed to do are
not properly enforced. Attackers can exploit these flaws to access
unauthorized functionality and/or data, such as access other
users' accounts, view sensitive files, modify other users’ data,
change access rights, etc.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 50
A6 : Security Misconfiguration
Web servers and applications can leak information and allow attackers to
take control over systems using misconfigurations either arising out of
weak defaults, hidden applications or via enhanced functionality that
causes the app to become vulnerable.
©ThoughtWorks, Inc. Do not copy. Do not distribute. 51
A6 : Security Misconfiguration
©ThoughtWorks, Inc. Do not copy. Do not distribute. 52
A6 : Security Misconfiguration
©ThoughtWorks, Inc. Do not copy. Do not distribute. 53
A10 : Insufficient Logging and Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective
integration with incident response allows attackers to further attack
systems, maintain persistence, pivot to more systems, and tamper,
extract or destroy data. Most breach studies show time to detect a
breach is over 200 days, typically detected by external parties rather
than internal processes or monitoring.
©ThoughtWorks, Inc. Do not copy. Do not distribute.
● What do you log?
● Where do you log?
● When do you log?
● Why do you log?
● Is this log sufficient?
54
A10 : Insufficient Logging and Monitoring
A system is secure if and only if it
starts in a secure state and cannot
enter an insecure state!!
©ThoughtWorks, Inc. Do not copy. Do not distribute.
References
● https://blog.sqreen.io/reflected-xss/
● https://news.netcraft.com/archives/2008/05/16/paypal_xss_vulnerability_undermines_ev_ssl_security.html
● https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/
● https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning
● http://www.information-age.com/10-cyber-security-trends-look-2017-123463680/
● http://www.information-age.com/10-biggest-hacks-rocked-business-world-2017-123469857/
● http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
● https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html
● http://fortune.com/2017/06/22/cybersecurity-hacks-history/
● https://en.wikipedia.org/wiki/List_of_data_breaches
● http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
● https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails
THANK YOU
For questions or suggestions mailto:
amit.gundiyal@thoughtworks.com
nalinim@thoughtworks.com

Contenu connexe

Tendances

Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsNarudom Roongsiriwong, CISSP
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
Offensive Security basics part 2
Offensive Security basics  part 2Offensive Security basics  part 2
Offensive Security basics part 2wharpreet
 
Offensive Security basics part 1
Offensive Security basics  part 1Offensive Security basics  part 1
Offensive Security basics part 1wharpreet
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar SlidesThreatConnect
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responsejeffmcjunkin
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
Network Forensics Backwards and Forwards
Network Forensics Backwards and ForwardsNetwork Forensics Backwards and Forwards
Network Forensics Backwards and ForwardsSavvius, Inc
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAPNIC
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Designcentralohioissa
 
You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the AnswersYou Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the AnswersSavvius, Inc
 
Webinar: Stopping evasive malware - how a cloud sandbox array works
Webinar: Stopping evasive malware - how a cloud sandbox array worksWebinar: Stopping evasive malware - how a cloud sandbox array works
Webinar: Stopping evasive malware - how a cloud sandbox array worksCyren, Inc
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareKaspersky
 
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...North Texas Chapter of the ISSA
 
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy BeyondTrust
 
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...CODE BLUE
 
IPv6 Security - Where is the Challenge
IPv6 Security - Where is the ChallengeIPv6 Security - Where is the Challenge
IPv6 Security - Where is the ChallengeRIPE NCC
 

Tendances (19)

Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
Offensive Security basics part 2
Offensive Security basics  part 2Offensive Security basics  part 2
Offensive Security basics part 2
 
NTXISSACSC4 - Ransomware: History Analysis & Mitigation
NTXISSACSC4 - Ransomware: History Analysis & MitigationNTXISSACSC4 - Ransomware: History Analysis & Mitigation
NTXISSACSC4 - Ransomware: History Analysis & Mitigation
 
Offensive Security basics part 1
Offensive Security basics  part 1Offensive Security basics  part 1
Offensive Security basics part 1
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar Slides
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident response
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
 
Network Forensics Backwards and Forwards
Network Forensics Backwards and ForwardsNetwork Forensics Backwards and Forwards
Network Forensics Backwards and Forwards
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Design
 
You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the AnswersYou Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
 
Webinar: Stopping evasive malware - how a cloud sandbox array works
Webinar: Stopping evasive malware - how a cloud sandbox array worksWebinar: Stopping evasive malware - how a cloud sandbox array works
Webinar: Stopping evasive malware - how a cloud sandbox array works
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
 
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...
NTXISSACSC3 - HELP! My Vulnerability Management Program is Failing! by Kevin ...
 
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
 
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
 
IPv6 Security - Where is the Challenge
IPv6 Security - Where is the ChallengeIPv6 Security - Where is the Challenge
IPv6 Security - Where is the Challenge
 

Similaire à QAing Security with OWASP Top 10

Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Mike Tetreault
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxAmardeepKumar621436
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdfKunjJoshi14
 
13.02 Network Security
13.02   Network Security13.02   Network Security
13.02 Network SecurityAnjan Mahanta
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackinghcls
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerShivamSharma909
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.pptKaukau9
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Mike Tetreault
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Cryptography and system security
Cryptography and system securityCryptography and system security
Cryptography and system securityGary Mendonca
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 

Similaire à QAing Security with OWASP Top 10 (20)

Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
01
01 01
01
 
19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf
 
13.02 Network Security
13.02   Network Security13.02   Network Security
13.02 Network Security
 
Network security
Network securityNetwork security
Network security
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
Check Point: Securing Web 2.0
Check Point: Securing Web 2.0 Check Point: Securing Web 2.0
Check Point: Securing Web 2.0
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Cryptography and system security
Cryptography and system securityCryptography and system security
Cryptography and system security
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 

Dernier

办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 

Dernier (20)

办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 

QAing Security with OWASP Top 10

  • 1. QAing the Security Way! Amit & Null vodQA, Pune 17th March 2018
  • 2. “A system is secure if it behaves precisely in the manner intended - and does nothing more” - Ivan Arce
  • 3. Amit Gundiyal Senior Consultant - Quality Analyst at ThoughtWorks, Inc 6+ years of experience (as Dev, QA & BA) About Me
  • 4. Nalinikanth AKA Null About Me Senior Consultant - Quality Analyst at ThoughtWorks, Inc 5+ years of experience
  • 5. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 5 Ground Rules ● Follow the speaker ○ Don’t get deviated. ○ If you are stuck call any of the volunteers. ● We will share you all the material don’t bother about that. ● Ask questions whenever you have - don’t wait. ● MOST IMPORTANT!
  • 6. Information Technology Act 2000 Imprisonment upto 5 years and / or with fine upto ₹5,00,000 http://www.itlaw.in/ https://en.wikipedia.org/wiki/Information_Technology_Act,_2000
  • 7. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 7 What to expect? ● Talk about QAing and Security. ● OWASP TOP 10 ● Hands on few OWASP threats. ● We will be using tools to do an attack, but will not go in depth on the tools.
  • 8. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 8 Agenda ● What and Why of security ? ● QA role in testing security. ● OWASP TOP 10 ● Hands on security vulnerabilities
  • 9. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 9 What and Why of Security Testing? In 2017 ● Verizon: 14 Millions of customer records exposed in security lapse. ● Verifone: the largest maker of point-of-sale credit card terminals used across world. ● Deloitte: Embarrassingly for the accounting firm who pride themselves on their Cyber Intelligence Centre, Deloitte fell victim to a cyber attack in March. ● Deep Root Analytics: A data analytics firm, to gather political information about U.S. voters. Chris Vickery, a cyber risk analyst, discovered that the sensitive information Deep Root Analytics obtained–personal data for roughly 198 million American citizens. ● Virgin America: In a letter to employees, airline Virgin America revealed that a hacker had successfully entered their corporate network gaining access to login information and passwords used by employees to access the network. ● Equifax: one of the three largest credit agencies in the U.S., suffered a breach that may affect 143 million consumers.
  • 11. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 11 What a QA has? ● End to end knowledge. ● One who tests almost everything in the system. ● Implement security thinking. ● Add security analysis to stories. ● Identify where security can possibly go for toss. ● Test the stories if they are vulnerable. ● Help team build more security products What a QA can do?
  • 12. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 12 QA could have stopped this https://www.exploit-db.com/exploits/6421/
  • 13. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 13 Let's start with a story
  • 14. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 14 OWASP ● Open Web Application Security Project (OWASP) ● Online community, which creates freely-available articles, tools, methodologies, documentation, and technologies in the field of web application security. ● Not-for-profit charitable organization. ● Focussed on improving the security of software. ● Currently has over 150+ active projects
  • 15. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 15 OWASP Top 10 ● List the 10 most critical web application security risks. ● A powerful awareness document. ● Published at regular intervals. ● Approximately once in 3 years. ● Last published in 2017
  • 16. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 16 OWASP Top 10 - 2013 vs 2017
  • 17. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 17 Tools we are using today ● OWASP Mutillidae II - Application to attack ● Burp suite to intercept requests (we can use ZAP as well) ● Python to steal cookie
  • 18. What causes most of the attacks?
  • 19. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 19 User Input - Surface Area I don’t like user input and this is why I don’t
  • 20. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 20 A7: Cross-site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can: ● hijack user sessions ● deface web sites ● redirect the user to malicious sites.
  • 21. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 21 A7: How XSS works?
  • 22. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 22 Types of XSS ● Reflected XSS ○ Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, etc. and without permanently storing the user provided data. ● Stored XSS ○ Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc.
  • 24. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 24 Where in Mutillidae II?
  • 25. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 25 A1: Injection Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Types of Injection: ● SQL Injection - Anywhere input value is being executed as a database query. ● OS Command Injection - Anywhere input is being executed as a command. ● Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, XML and many more
  • 27. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 27 Where in Mutillidae II? For SQL Injections -
  • 28. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 28 Where in Mutillidae II? For OS Command Injection -
  • 29. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 29 A3 : Sensitive Data Exposure Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Sometimes data pertaining to the configuration of systems is also leaked by error messages or forgotten debug pages.
  • 30. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 30 A3 : Sensitive Data Exposure Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. Scenario #2: A site doesn't use or enforce TLS for all pages, or if it supports weak encryption. An attacker simply monitors network traffic, strips or intercepts the TLS (like an open wireless network), and steals the user's session cookie.The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above he could alter all transported data, e.g. the recipient of a money transfer. Scenario #3: The password database uses unsalted hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. All the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes.
  • 31. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 31 Where do we miss it ● Access to some unwanted files. ● Poor encryption mechanism. ● Not using HTTPS
  • 33. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 33 A2 : Broken Authentication
  • 34. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 34 A2 : Broken Authentication
  • 35. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 35 A2 : Broken Authentication Session management is a critical piece of application security. It is broader risk, and requires developers take care of protecting session id, user credential secure storage, session duration, and protecting critical session data in transit.
  • 36. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 36 How A2 can happen? ● SQL Injection. ● Weak passwords and Password retrieval mechanisms ● Not handling session ids properly which leads to privilege escalation or elevation of privilege. ● Cookies (Unencrypted, not securing them properly)
  • 38. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 38 Set up Proxy on firefox!!
  • 39. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 39 Set up your burp Proxy!!
  • 40. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 40 Interceptor on burp
  • 41. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 41 A9 : Using components with known vulnerabilities Components such as libraries, frameworks & other modules, almost always run with privileges. Exploitation of a vulnerable component can cause serious data loss or server takeover. Apps using components with known vulnerabilities may undermine app defenses and enable a range of attacks.
  • 42. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 42 Where ● Technology we use. ● Third party libraries ○ Programing languages/ frameworks ○ Node modules ○ Charting libraries ○ Many more... ● Any tools or softwares installed.
  • 43. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 43 A9 : Recent Times
  • 44. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 44 Where to check and how to protect? ● https://www.cvedetails.com/ Use dependency checkers.. ● https://www.owasp.org/index.php/OWASP_Dependency_Check ● https://github.com/nodesecurity/nsp
  • 45. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 45 A4 : XML External Entity (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial of service attacks, such as the Billion Laughs attack.
  • 46. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 46 A4 : XML External Entity (XXE)
  • 47. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 47 A8 : Insecure Deserialization Web servers and applications can leak information and allow attackers to take control over systems using misconfigurations either arising out of weak defaults, hidden applications or via enhanced functionality that causes the app to become vulnerable.
  • 48. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 48 A8 : Insecure Deserialization - Example
  • 49. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 49 A5 : Broken Access Control Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
  • 50. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 50 A6 : Security Misconfiguration Web servers and applications can leak information and allow attackers to take control over systems using misconfigurations either arising out of weak defaults, hidden applications or via enhanced functionality that causes the app to become vulnerable.
  • 51. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 51 A6 : Security Misconfiguration
  • 52. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 52 A6 : Security Misconfiguration
  • 53. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 53 A10 : Insufficient Logging and Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
  • 54. ©ThoughtWorks, Inc. Do not copy. Do not distribute. ● What do you log? ● Where do you log? ● When do you log? ● Why do you log? ● Is this log sufficient? 54 A10 : Insufficient Logging and Monitoring
  • 55. A system is secure if and only if it starts in a secure state and cannot enter an insecure state!!
  • 56. ©ThoughtWorks, Inc. Do not copy. Do not distribute. References ● https://blog.sqreen.io/reflected-xss/ ● https://news.netcraft.com/archives/2008/05/16/paypal_xss_vulnerability_undermines_ev_ssl_security.html ● https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/ ● https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning ● http://www.information-age.com/10-cyber-security-trends-look-2017-123463680/ ● http://www.information-age.com/10-biggest-hacks-rocked-business-world-2017-123469857/ ● http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ ● https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html ● http://fortune.com/2017/06/22/cybersecurity-hacks-history/ ● https://en.wikipedia.org/wiki/List_of_data_breaches ● http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/ ● https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails
  • 57. THANK YOU For questions or suggestions mailto: amit.gundiyal@thoughtworks.com nalinim@thoughtworks.com