• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
OWASP - Building Secure Web Applications
 

OWASP - Building Secure Web Applications

on

  • 1,660 views

This presentation goes over core principles involved in launching secure web applications and effectively managing security in a cloud services environment.

This presentation goes over core principles involved in launching secure web applications and effectively managing security in a cloud services environment.

Statistics

Views

Total Views
1,660
Views on SlideShare
1,646
Embed Views
14

Actions

Likes
0
Downloads
0
Comments
0

1 Embed 14

http://www.linkedin.com 14

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    OWASP - Building Secure Web Applications OWASP - Building Secure Web Applications Presentation Transcript

    • Building Secure Web Applications In a Cloud Services Environment Misha Logvinov Alex Bello IronKey, Inc.OWASP Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
    • Who are we?Misha Logvinov VP of Online Operations at IronKey Director of Operations at YodleeAlex Bello Director of Technical Operations at IronKey Product Threat Team Lead at IronKey Technical Operations at Anti-Phishing Working Group (APWG) OWASP 2
    • Reality check The Internet is full of web application hacking tools and tutorials Botnets are used to scan for recent web app exploits 75% of attacks happen at the app layer Majority of web app vulnerabilities remain undetected App security is an after-thought for most of the Internet-enabled businesses Security holes in web apps result in large business losses Bad guys are getting smarter and are not sitting still OWASP 3
    • Who gets attacked Brick and Mortar Retail Healthcare Government Small businesses Web 2.0 OWASP 4
    • Who attacks Kids playing war Researchers looking for fame Organized crime Competition Governments OWASP 5
    • How? The most widespread vulnerabilities in web apps (Source: projects.webappsec.org): Attacks on the rise: SQL Injection, File Inclusion, Web Server Intrusion (Source: zone-h.org) OWASP Top 10 Most Critical Security Risks OWASP 6
    • WhyInsufficient Security in:  SDLC  Web Operations OWASP 7
    • Consequences Customers defect Brand damaged and stock price plummets Large fines Legal consequences Company out of business You may get fired OWASP 8
    • Recent breachesDecember 2009SQL injection vulnerability, noencryption of critical data, insufficientsecurity monitoring, poor handling ofdisclosureConsequencesPR nightmareClass-action lawsuit OWASP 9
    • Recent breachesApril 2010Insufficient security testing andmonitoringConsequencesPR nightmare OWASP 10
    • Recent breachesJune 2010Personally Identifiable Information wasdisplayed without properauthentication, insufficient outputmonitoring, “great” exploit timingConsequencesPR nightmareSecurity researcher gets arrested ondrug charges OWASP 11
    • How to get started? Understand business, security and privacy requirements Assess important security controls Create security awareness and facilitate training Get release management under control Scan applications prior to new releases Benchmark against industry best-practices Create and communicate meaningful metrics Conduct independent security assessments OWASP 12
    • Doing things right in the long run Implement a formal security program Integrate security into Software Development Life Cycle (SDLC) Make security a competitive advantage for your business OWASP 13
    • Implement a formal security program Security framework Policies and procedures Training Secure by design Coding policy Risk assessments Security testing and evaluation Reporting Incident response Change management OWASP 14
    • Integrate security into SDLC2. Design  Security requirements  Threat modeling  Secure architecture design OWASP 15
    • Threat matrix example OWASP 16
    • Integrate security into SDLC3. Development  Use modern frameworks  Develop secure coding standards  Secure implementation and best practices  Security checklists  Code review (internal/third party)  Static code analysis OWASP 17
    • Integrate security into SDLC3. Quality Assurance • Security testing of changes (automated/manual) • Regression testing • Bug tracking integration OWASP 18
    • Integrate security into SDLC4-5. Operations  Infrastructure hardening  Vulnerability alerting  Web application firewalls  Security events alerting & analysis  Automated infrastructure testing  Penetration testing (internal/third party)  Tracking security metrics  Change & release management OWASP 19
    • Hardening CIS and NSA hardening guidelines http://cisecurity.org/en-us/?route=downloads.multiform http://www.nsa.gov/ia/guidance/security_configuration_guides/current_guides.shtml OWASP Backend Security Project http://www.owasp.org/index.php/Category:OWASP_Backend_Security_Project Automated open-source and commercial tools OWASP 20
    • Standards & checklists OWASP Application Security Verification Standard Project http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project The OWASP Code Review Top 9 http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9 OWASP 21
    • Web app assessment initiativesWeb app scannersEvaluation & Deployment: 6-8 weeksSample Budget: $20-50KStatic source code analysisEvaluation & Deployment: 8-12 weeksSample Budget: $50-100KWeb app firewallsEvaluation & Deployment: 6-8 weeksSample Budget: $25-100K+ OWASP 22
    • Rules of thumb Invest in security training and certification of core personnel Encrypt all sensitive data and pay attention to key management Never trust input, validate all input/output Harden your systems Tightly control who has access to your environment Stay on top of vulnerabilities and keep your networks, servers and applications up-to-date OWASP 23
    • Conclusions Integrating security into SDLC from the beginning is worth it! Shortcuts will cost more time and $$ later Rome wasn’t built in a day – take a phased approach Mold a security framework around your business, not the other way around Don’t underestimate the power of marketing security within your organization OWASP 24
    • Q&A OWASP 25