Security Fix or Workaround

2,146 views

BSides Kyiv 2016 Presentation

Published in: Technology
1. Security fix or workaround: which way to select?
   Bohdan Serednytskyi, OWASP Lviv

2. We are…
   • OWASP Lviv Chapter
   • Security Consulting Team at SoftServe

3. Usual Project Flow
   • Communication with client
   • Project Execution
   • Delivering Results
   • Consulting Dev Team in issues fixing

4. Clients Vision
   Tools will solve all our problems

5. Automated Tools Effectiveness
   https://www.outpost24.com/wp-content/uploads/2014/12/Picture1-1024x610.jpg

6. MITRE Claims
   • All application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE).
   • They also found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).

7. Case with One Educational Application

8. Security Test Results

   Risk      Vulnerability                                            Remediation Status
   Critical  CROSS-SITE REQUEST FORGERY (CSRF)                        PARTIALLY FIXED
   Critical  CROSS-SITE SCRIPTING (STORED)                            NEED IMPROVEMENT
   High      SESSION TOKEN DOES NOT CHANGE AFTER LOGIN                FIXED
   Medium    USERLOGINID ENUMERATION                                  FIXED
   Medium    WEAK PASSWORD REQUIREMENTS                               FIXED
   Medium    NO LOGOUT FUNCTION IMPLEMENTED                           FIXED
   Medium    ACCOUNT ENUMERATION                                      FIXED
   Medium    IMPROPER ACCESS CONTROL                                  FIXED
   Medium    STUDENT CAN REVEAL TEACHERS LOGIN FROM SERVER RESPONSE   NOT FIXED
   Low       ERROR MESSAGES REVEAL SENSITIVE INFORMATION              FIXED
   Low       INTERNAL IP ADDRESS DISCLOSURE                           FIXED
   Low       INSUFFICIENT PASSWORD HISTORY MANAGEMENT                 FIXED

9. XSS Vulnerability Fixing
   Initial payload: '});alert(1)"
   Protection implemented by Developers Team
   Modified payload: '});alert(1)"
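As an added example, not part of the deck, here is why the XSS fix on slide 9 has to be applied at the output context rather than by filtering the input. It assumes the vulnerable pattern (the value is written into a JavaScript string inside an inline onclick attribute, which is what the payload's closing quote, brace, parenthesis and double quote are shaped to escape), the denylist workaround, and the init() and profile-link names; the slides show none of these.

```javascript
// Added example, not from the deck. Assumed vulnerable pattern: a user-supplied
// name is written into a JavaScript string literal inside an inline onclick
// attribute, so the slide 9 payload closes the string, the object, the call
// and then the attribute itself.
const PAYLOAD = "'});alert(1)\"";   // payload from slide 9, straight quotes assumed

// Vulnerable: raw concatenation into two nested contexts (HTML attribute, JS string).
function renderVulnerable(name) {
  return '<a href="#" onclick="init({ name: \'' + name + '\' })">profile</a>';
}

// Workaround (illustrative, not what the deck's team did): strip a few tokens.
// The output context is untouched, so the value can still leave the string,
// and legitimate names containing a quote still break the page.
function renderDenylist(name) {
  return renderVulnerable(name.replace(/alert|script/gi, ""));
}

// Root-cause fix: escape for the innermost context first (JS string literal:
// \uXXXX for every character outside [A-Za-z0-9]), then for the HTML attribute.
// After the first step nothing is left for the second to change, but the
// inner-first ordering is what makes the layering correct for any input.
function escapeJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}
function escapeHtmlAttr(s) {
  return s.replace(/[&<>"']/g, (c) => "&#" + c.charCodeAt(0) + ";");
}
function renderFixed(name) {
  return '<a href="#" onclick="init({ name: \'' +
    escapeHtmlAttr(escapeJsString(name)) + '\' })">profile</a>';
}

// Minimal stand-in for the browser: take the onclick value up to the next
// double quote, decode numeric entities, compile it as a handler with stubbed
// init() and alert(), and report what happened.
function simulateClick(html) {
  const r = { name: null, alerted: false, syntaxError: false };
  const m = /onclick="([^"]*)"/.exec(html);
  const body = m[1].replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
  try {
    new Function("init", "alert", body)(
      (o) => { r.name = o.name; }, () => { r.alerted = true; });
  } catch (e) {
    r.syntaxError = e instanceof SyntaxError;
  }
  return r;
}
```

With the fixed template the payload arrives in init() as plain data, and a legitimate name such as O'Brien round-trips instead of breaking the handler, which the denylist workaround never addresses.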
10. CSRF and Information Leakage Fixing

11. Best Practices

12. Every security flaw is a process problem

13. Security vulnerabilities are “patterned”.

14. Security issue could be widespread amongst all code bases.

15. Recommendations
    • Ensure that root cause analysis is used
    • Remove as many vulnerabilities of this type as is possible within the prescribed time frame or budget
    • Involve Security Expert

16. Use Fast Fix Methods - WAFs
    A security solution on the web application level which does not depend on the application itself

17. Security Expert is not a Developer

18. Resources
    • OWASP Secure Coding Practices
    • OWASP Guide Project
    • OWASP Enterprise Security API
    • Microsoft Web Protection Library

19. Security is a Journey, Not a Destination

20. • Patching
    • Updating
    • Continuous Security Monitoring
    • Regular Security Tests

21. Questions?

22. Thank You!
    http://owasp-lviv.blogspot.com/