OWASP Qatar presentation: Top 10 changes 2013 - Tarun Gupta

Presented in OWASP Qatar Chapter Meeting - June 2013

Presentation Transcript

    • Slide 1: Changes in Top 10, 2013
      Tarun Gupta, Crisis Management, ictQatar / Q-CERT, tgupta@ict.gov.qa | +974 5546 2065
      27 June 2013, OWASP Qatar, http://www.owasp.org
      Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
    • Slide 2: About OWASP Top 10
      Raise awareness about application security: developers (secure coding, security testing); executives (manage application security risks).
      First release 2003; minor updates in 2003, 2007. Risk-prioritized version 2010 (19 April). Update 2013 (12 June).
      Global recognition and acceptance: ISO, NIST, PCI DSS, DISA, ...
    • Slide 3: Sources
      Application security vendors, penetration testing / scanning partners, and publicly released research / statistics: Aspect Security; HP (statistics from both Fortify and WebInspect); Minded Security; Softtek; Trustwave SpiderLabs; Veracode; WhiteHat Security Inc.; ...
    • Slide 4: Statistics
      19% increase in reported vulnerabilities (source: Veracode, HP).
      [Chart: most common vulnerabilities, broken down by category, 2000–2012]
      Web applications still introduce significant risk to enterprises.
    • Slide 5: Present & Future Risks
      Sharp increase in disclosed SCADA vulnerabilities.
      [Chart: data compromised, by number of breaches and records]
      [Chart: applications by supplier type: internally developed, commercial, outsourced, open source]
      Source: Veracode, HP
    • Slide 6: OWASP Top 10, 2010 – the changes (2010 position → 2013 position)
      A1 – Injection (unchanged)
      A2 – Cross-Site Scripting (XSS) → A3
      A3 – Broken Auth. & Session Management → A2
      A4 – Insecure Direct Object References (unchanged)
      A5 – Cross-Site Request Forgery (CSRF) → A8
      A6 – Security Misconfiguration → A5
      A7 – Insecure Cryptographic Storage → A6
      A8 – Failure to Restrict URL Access → A7
      A9 – Insufficient Transport Layer Protection → A6
      A10 – Unvalidated Redirects and Forwards (unchanged)
      Notes:
      - A3 escalated: the issue is more in focus, not more prevalent.
      - A5 (CSRF) moved down to A8; its higher position in 2010 brought attention to it.
      - A8 moved up with an increased scope: a function can be accessed in many ways besides its URL.
      - A7 & A9 merged and escalated to A6, Sensitive Data Protection (storage & transmission).
      - Addition: A9, Known Vulnerable Components, e.g. framework libraries.
    • Slide 7: OWASP Top 10, 2013
      A1 – Injection
      A2 – Broken Auth. & Session Management
      A3 – Cross-Site Scripting (XSS)
      A4 – Insecure Direct Object References
      A5 – Security Misconfiguration
      A6 – Sensitive Data Exposure
      A7 – Missing Function Level Access Control
      A8 – Cross-Site Request Forgery (CSRF)
      A9 – Using Components with Known Vulnerabilities
      A10 – Unvalidated Redirects and Forwards
      Recommendations:
      - Start an application security program
      - Include at least the OWASP Top 10
      - Follow secure coding practices
      - Benefit from OWASP community resources
      - Collaborate with Q-CERT
      - Consider additional risks based on your unique environment
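Slide 6 gives the reason 2010's A8 (Failure to Restrict URL Access) became 2013's A7 (Missing Function Level Access Control): a privileged function can be reached in more ways than through one URL. The Python below is an added example, not code from the presentation; it contrasts an authorization filter keyed on a URL prefix with a check carried by the function itself, using hypothetical users, routes and function names.

```python
# Added example, not the slides' code: URL-prefix authorization versus a check
# inside the function. Users, routes and function names are hypothetical.
from functools import wraps

class Forbidden(Exception):
    """Raised when the caller may not run the function."""

# Constructed user store: alice is an administrator, bob is not.
USERS = {"alice": {"is_admin": True}, "bob": {"is_admin": False}}

def delete_user(actor, target):
    """Privileged business function; it performs no check of its own."""
    return f"{actor} deleted {target}"

# Weak design: the only control is a filter on the /admin/ URL prefix, but the
# same function is also wired to an API route that the filter never sees.
ROUTES_WEAK = {"/admin/delete": delete_user, "/api/users/delete": delete_user}

def dispatch_weak(path, actor, target):
    if path.startswith("/admin/") and not USERS[actor]["is_admin"]:
        raise Forbidden(path)
    return ROUTES_WEAK[path](actor, target)

# Hardened design: the check travels with the function, so every route that
# reaches it, including ones added later, is covered.
def require_admin(fn):
    @wraps(fn)
    def guarded(actor, *args, **kwargs):
        if not USERS.get(actor, {}).get("is_admin", False):
            raise Forbidden(fn.__name__)
        return fn(actor, *args, **kwargs)
    return guarded

@require_admin
def delete_user_guarded(actor, target):
    return f"{actor} deleted {target}"

ROUTES_HARDENED = {path: delete_user_guarded for path in ROUTES_WEAK}

def dispatch_hardened(path, actor, target):
    return ROUTES_HARDENED[path](actor, target)

def allowed(dispatch, path, actor, target):
    """True if the call goes through, False if access control stops it."""
    try:
        dispatch(path, actor, target)
        return True
    except Forbidden:
        return False
```

With the weak dispatcher, the non-admin user is stopped on /admin/delete but succeeds on /api/users/delete; with the hardened one, both routes are denied because the decision is made where the privileged work happens.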
    • Slide 8: Thank you.