Owasp qatar presentation top 10 changes 2013 - Tarun Gupta

Presented in OWASP Qatar Chapter Meeting - June 2013

  1. Title slide: Changes in Top 10, 2013. Tarun Gupta, Crisis Management, ictQatar / Q-CERT, tgupta@ict.gov.qa | +974 5546 2065. 27 June 2013. OWASP Qatar, http://www.owasp.org. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  2. About the OWASP Top 10
     - Raise awareness about application security
       - Developers: secure coding, security testing
       - Executives: manage application security risks
     - First release 2003; minor updates in 2003, 2007
     - Risk-prioritized version 2010 (19 April)
     - Update 2013 (12 June)
     - Global recognition and acceptance: ISO, NIST, PCI DSS, DISA, ...
  3. Sources
     - Application security vendors, penetration testing / scanning partners, publicly released research / statistics
     - Aspect Security; HP (statistics from both Fortify and WebInspect); Minded Security; Softtek; Trustwave SpiderLabs; Veracode; WhiteHat Security Inc.; ...
  4. Statistics
     - 19% increase in reported vulnerabilities (source: Veracode, HP)
     - Chart: most common vulnerabilities, broken down by category, 2000–2012
     - Web applications still introduce significant risk to enterprises
  5. Present and Future Risks
     - Sharp increase in disclosed SCADA vulnerabilities
     - Chart: data compromised, by number of breaches and records
     - Chart: applications by supplier type (internally developed, commercial, outsourced, open source)
     - Source: Veracode, HP
  6. OWASP Top 10, 2010: The Changes (2010 position -> 2013 position)
     - A1 Injection -> A1
     - A2 Cross-Site Scripting (XSS) -> A3
     - A3 Broken Authentication and Session Management -> A2
     - A4 Insecure Direct Object References -> A4
     - A5 Cross-Site Request Forgery (CSRF) -> A8
     - A6 Security Misconfiguration -> A5
     - A7 Insecure Cryptographic Storage -> A6 (merged)
     - A8 Failure to Restrict URL Access -> A7
     - A9 Insufficient Transport Layer Protection -> A6 (merged)
     - A10 Unvalidated Redirects and Forwards -> A10
     Notes:
     - A3 escalated: the issue is more in focus, not more prevalent
     - A5 (CSRF) moved down to A8; its higher position in 2010 brought attention to it
     - A8 moved up with increased scope: a function can be accessed in many ways besides its URL
     - A7 and A9 merged and escalated to A6, sensitive data protection (storage and transmission)
     - Addition of A9, known vulnerable components, e.g. framework libraries
  7. OWASP Top 10, 2013
     - A1 Injection
     - A2 Broken Authentication and Session Management
     - A3 Cross-Site Scripting (XSS)
     - A4 Insecure Direct Object References
     - A5 Security Misconfiguration
     - A6 Sensitive Data Exposure
     - A7 Missing Function Level Access Control
     - A8 Cross-Site Request Forgery (CSRF)
     - A9 Using Components with Known Vulnerabilities
     - A10 Unvalidated Redirects and Forwards
     Recommendations:
     - Start an application security program
     - Include at least the OWASP Top 10
     - Follow secure coding practices
     - Benefit from OWASP community resources
     - Collaborate with Q-CERT
     - Consider additional risks based on your unique environment
  8. Thank You.
