4. Why SDL?
• Compliance regulations – PCI, Data Protection and Privacy
• Better IT security strategy – continuous security (BaU) and security as a shared responsibility
• Functionality versus Security – balancing act
5. What is the core security problem facing web applications?
6. Answer
A huge variety of attacks against web applications involve submitting input crafted to cause behaviour that was not intended by the application's designers. Applications must handle user input in a safe manner.
Users can submit arbitrary input, so all user-supplied input must be treated as untrusted data.
9. Problem Areas
• XSS 94% - enables an attacker to target other users of the application, potentially gaining access to their data or carrying out other attacks against them
• CSRF 92% - allows a malicious web site visited by a victim user to interact with the application to perform actions that the user did not intend
• Information leakage 78% - the application divulges sensitive information that is of use to an attacker
• Broken access controls 71% - the application fails to properly protect access to its data and functionality, potentially enabling an attacker to view other users' data
• Broken authentication 62% - defects within the application's login mechanism that may enable an attacker to guess weak passwords, launch a brute-force attack, or bypass the login
• SQL injection 32% - enables an attacker to submit input that interferes with the application's interactions with the back-end database
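The untrusted-input problem from slide 6, illustrated on the SQL injection and XSS entries above. This is an added example, not code from the original deck; it assumes Python's standard sqlite3 module with a constructed in-memory user table, and shows the unsafe handling beside the safe handling for each case.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """Builds the query by string concatenation: untrusted input becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterised query: the driver passes input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def render_greeting_unsafe(name):
    """Reflects input straight into HTML, so markup in the name is interpreted."""
    return "<p>Welcome, " + name + "</p>"


def render_greeting_safe(name):
    """Encodes the untrusted value for the HTML context before reflecting it."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # Constructed test input that turns the concatenated WHERE clause into a
    # tautology; the parameterised query treats the same string as a literal.
    tampered = "' OR '1'='1"
    print(login_unsafe(conn, "alice", tampered))   # ('alice',) - login bypassed
    print(login_safe(conn, "alice", tampered))     # None - no such password
    print(render_greeting_unsafe("<b>x</b>"))      # markup is interpreted
    print(render_greeting_safe("<b>x</b>"))        # markup is rendered as text
```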
16. Development Phase
• Adhering to development guidelines
• Integrating secure coding practices into development
• Peer/code review, advice
• Most critical phase
18. Change control
• Human Error
• Software bugs
• Implementation Errors
• Changes to systems
19. Best practices, resources
Open Web Application Security Project (OWASP)
• https://www.owasp.org/index.php/Top_10_2013-Top_10
• https://www.owasp.org/index.php/Cheat_Sheets
Training resource
• http://securitycompass.com/computer-based-training/free-owasp-top-10/