Web application hacking (owasp top 10) security day

Web application hacking based on the Top 10 vulnerabilities published by OWASP in 2013.

  1. Ing. Karina Astudillo B. – IT Manager, Elixircorp S.A.
     Cisco. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
     Copyright 2013 Karina Astudillo - This document is distributed under the Creative Commons Attribution Share Alike 3.0 license.
  2. • Co-founder of Elixircorp S.A.
     • IT Security Consultant: Ethical Hacking, Computer Forensics, Networking, Unix/Linux
     • Lecturer at FIEC-ESPOL
     • Cisco-Espol Instructor
     • Karina.Astudillo@elixircorp.biz, Twitter: KAstudilloB, Facebook: Kastudi, Blog: SeguridadInformaticaFacil.com
     • Some certifications: CEH, Computer Forensics US, CCNA Security, CCNA R&SW, SCSA, Network Security, Internet Security, VmWare VSP, CCAI.
  3. Agenda
     • What are application risks?
     • Risk assessment
     • OWASP Top 10
     • Preventive measures
     • Audit types
     • Software tools
     • Demo
  4.–5. (Image slides, no text.) Source: OWASP Top 10 - 2013
  6. • Open • Web • Application • Security • Project
     “The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.”
     • http://www.owasp.org
     Source: OWASP Top 10 - 2013
  7.–27. (Image slides, no text.) Source: OWASP Top 10 - 2013
  28. Preventive measures
     • Train developers in secure application coding.
     • Include security from the design phase onward.
     • Use secure APIs.
     • Validate the security of updates in a test environment before moving them to production.
     • Run periodic internal and external audits.
  29. Audit types
     • Ethical Hacking: Web Application Hacking
       Performed by an expert ethical hacker.
       External and internal penetration tests.
       Execution methods: manual and automated hacking.
       Deliverable: findings report with improvement recommendations.
     • Code review: secure coding audit
       Performed by a developer who is an expert in code review.
       Exhaustive manual process.
       The entire application code is reviewed (sometimes reverse engineering of libraries is necessary).
       Deliverable: findings report with improvement recommendations.
  30. Software tools
     • Professional hacking frameworks, e.g. Core Impact Pro, Metasploit Professional.
     • Specialized environments, e.g. Samurai Linux, Kali Linux (formerly BackTrack).
     • Standalone applications: W3AF, WebSecurify Suite, Nikto, RAFT, etc.
  31.–32. (Image slides, no text.)
  33. • Website: http://www.elixircorp.biz
     • Blog: http://www.SeguridadInformaticaFacil.com
     • Facebook: www.facebook.com/elixircorp
     • Twitter: www.twitter.com/elixircorp
     • Google+: http://google.com/+SeguridadInformaticaFacil
  34. http://www.elixircorp.biz
     http://www.facebook.com/elixircorp
  35. Thank you.