A short introduction to the end-of-2017 changes in the OWASP Top 10 for web application security. I also explain the methodology and the history of the Top 10.
3. OWASP Top10 2017
@hgregoire
CTO @ Agysoft
Open standards, Java, JS, Agility
and AppSec enthusiast since the last century…
Also trainer @LTI and @polytech
About me…
5. OWASP Top10 2017
What’s OWASP ?
• The Open Web Application Security Project (OWASP) is an open
community dedicated to enabling organizations to develop, purchase, and
maintain applications and APIs that can be trusted. All artefacts are free.
• OWASP also provides:
• Books on application security testing, secure coding, and code review.
• Cheat sheets on many topics, presentations and videos, conferences
• Standard security controls, tools and libraries (mod_security, SONAR)
• Local chapters worldwide, mailing lists.
6. OWASP Top10 2017
What is it ?
• The OWASP Top 10 lists the most common and most important web application
security weaknesses
• To educate developers, designers, architects, managers, and organizations
about the consequences of the weaknesses
• Every 3 years since the beginning: 2004, 2007, 2010 (§6.5 of PCI-DSS), 2013
• This 2017 version was expected for a very, very, very long time…
• RC: April, 2 new vulnerabilities: “insufficient detection and unprotected APIs.”
• Final: November, 3 others: “XXE, insecure deserialization, and insufficient
logging”
7. OWASP Top10 2017
- Fully refactored
- Based on data contributors and
individuals for the first time
- More than 114,000 tested webapps
- Data published on GitHub
- Updated to manage:
- JavaScript, JSON & TypeScript
- SPA (Angular, React), PWA
- Microservices (node, springboot)
- New Frameworks (Electron,
Bootstrap)
- noSQL databases
- Risk names aligned to CWE
Risk Modeling
Risk Rating
The 2017 OWASP Top 10
9. OWASP Top10 2017
What’s new in this release ?
• New issues by data analysis:
A4:2017-XML External Entities (XXE)
• New issues by the community:
A8:2017-Insecure Deserialization, which permits remote code execution or
sensitive object manipulation on affected platforms.
A10:2017-Insufficient Logging and Monitoring, which can prevent or significantly
delay the detection of malicious activity and breaches, and incident response.
• Merged or retired, but not forgotten:
A4-Insecure Direct Object References and A7-Missing Function Level
Access Control merged into A5.
A8-Cross-Site Request Forgery: retired, many CSRF defenses now in place (5%)
A10-Unvalidated Redirects and Forwards: retired (8%)
11. OWASP Top10 2017
A4:2017-XML External Entities (XXE)
• Is my Application Vulnerable ?
• The web app accepts XML from untrusted sources
• Some SAML or SOAP implementations
• How to Prevent ?
• Prefer JSON
• Patch or upgrade all XML processors and
libraries
• Disable XML external entity and DTD
processing in all XML parsers
• Update your WAF (mod_security)
• Attack Scenario
12. OWASP Top10 2017
A8:2017-Insecure Deserialization
• Is my Application Vulnerable ?
• Applications and APIs will be vulnerable if they
deserialize hostile or tampered objects supplied
by an attacker
• Serialization may be used in applications for:
• RPC, Message Brokers, WS, Caching, DB,
Cookies, Auth Tokens
• How to Prevent ?
• More controls or sandbox
• Do not accept serialized objects from untrusted
sources
• Use digital signature or HMAC
• Attack Scenario
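The “use digital signature or HMAC” advice from the slide above, as an added example that is not part of the original deck: a session object is serialized to JSON (never a native object format), tagged with HMAC-SHA256, and the tag is verified in constant time before anything is deserialized, so a client-tampered payload is rejected. The key is a constructed placeholder.

```python
import hashlib
import hmac
import json

# Constructed demo key; in production load it from a secret store, never hard-code it.
SECRET_KEY = b"constructed-demo-key-replace-me"


def serialize_signed(obj, key=SECRET_KEY):
    """Serialize obj to canonical JSON and append an HMAC-SHA256 tag (hex)."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Hex tag never contains '.', so the last '.' always separates payload and tag.
    return payload + b"." + tag.encode()


def deserialize_verified(token, key=SECRET_KEY):
    """Verify the tag before touching the payload; raise on any mismatch."""
    payload, sep, tag = token.rpartition(b".")
    if not sep:
        raise ValueError("malformed token: no signature")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison avoids leaking the tag byte by byte through timing.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("signature mismatch: payload rejected before deserialization")
    # Only now is the data parsed; JSON yields plain dicts/lists, never live objects.
    return json.loads(payload)


def tamper_demo():
    """Constructed scenario: a client edits its own cookie to escalate its role."""
    cookie = serialize_signed({"user": "alice", "role": "user"})
    forged = cookie.replace(b'"role":"user"', b'"role":"admin"')
    try:
        deserialize_verified(forged)
        return False  # would mean the forgery was accepted
    except ValueError:
        return True   # tampering detected, object never deserialized


if __name__ == "__main__":
    print("forgery rejected:", tamper_demo())
```

The same pattern applies to any serialized object crossing a trust boundary (cookies, auth tokens, message-broker payloads): verify first, parse second, and keep the parser to data-only formats.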
13. OWASP Top10 2017
A10:2017-Insufficient Logging and Monitoring
• Is my Application Vulnerable ?
• Auditable events, such as logins, failed logins,
and high-value transactions are not logged.
• Errors generate unclear log messages.
• Logs of applications and APIs are not
monitored for suspicious activity.
• Logs are only stored locally.
• How to Prevent ?
• Ensure all access control failures and server-side input validation failures
can be logged to identify suspicious accounts, and that logs are held for sufficient time.
• Ensure that logs are generated in a format that can be easily consumed by
a centralized log solution.
• Attack Scenario
16. OWASP Top10 2017
Don't stop at 10
• There are hundreds of issues that could affect the security of a
web application (see the OWASP Developer's Guide
and the Cheat Sheet Series)
• Think positive: we can’t correct everything at once
• Maintain and update your stacks!
17. OWASP Top10 2017
References
• Go OWASP ! http://www.owasp.org
• Official Top 10 OWASP 2017
• https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
• Good article from Arden Rubens
• https://www.checkmarx.com/2017/12/03/closer-look-owasp-top-10-application-security-risks/
• Videos of Top 10 attacks Explained by Detectify
• https://www.youtube.com/playlist?list=PLbKl_RtocZetEzdHyZCgZHwaUHjE_jeQT
18. OWASP Top10 2017
Thank you & happy holidays!
Join us! Agysoft and the Ach@tSolutions group are hiring