OWASP top10 2017, Montpellier JUG de Noel

The Top 10 2017
@hgregoire

Wednesday 20 / 12 / 2017

JUG de Noël
OWASP Top10 2017

Agenda…

About me
Introduction
Some code
Next step…
About me…

@hgregoire
CTO @ Agysoft
Open standards, Java, JS, Agility and AppSec passionate since the last century…

Also trainer @LTI and @polytech
Introduction…

What's OWASP?
• The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. All artefacts are free.

• OWASP also provides:

• Books on application security testing, secure coding, and code review.

• Cheat sheets on many topics, presentations and videos, conferences.

• Standard security controls, tools and libraries (mod_security, SONAR).

• Local chapters worldwide, mailing lists.
What is it?
• The OWASP Top 10 lists the most common and most important web application security weaknesses.

• Its goal is to educate developers, designers, architects, managers, and organizations about the consequences of those weaknesses.

• Published roughly every 3 years since the beginning: 2004, 2007, 2010 (referenced by §6.5 of PCI-DSS), 2013.

• This 2017 version was expected for a very, very long time…

• RC (April 2017): 2 new entries, "Insufficient Attack Protection" and "Underprotected APIs".

• Final (November 2017): those two were dropped and 3 different entries came in instead: XXE, Insecure Deserialization, and Insufficient Logging and Monitoring.
The 2017 OWASP Top 10

- Fully refactored
- Based on contributed data and, for the first time, a community survey of individuals
- Data covering more than 114,000 tested web applications
- Data published on GitHub
- Updated to cover:
  - JavaScript, JSON & TypeScript
  - SPA (Angular, React), PWA
  - Microservices (node, springboot)
  - New frameworks (Electron, Bootstrap)
  - noSQL databases
- Risk names aligned to CWE

[Figure: Risk Modeling / Risk Rating]
Changes in this release?

What's new in this release?
• New issues from data analysis:

A4:2017-XML External Entities (XXE)

• New issues from the community survey:

A8:2017-Insecure Deserialization, which permits remote code execution or sensitive object manipulation on affected platforms.

A10:2017-Insufficient Logging and Monitoring, the lack of which can prevent or significantly delay the detection of malicious activity and breaches, and hence incident response.

• Merged or retired, but not forgotten:

A4-Insecure Direct Object References and A7-Missing Function Level Access Control merged into A5:2017-Broken Access Control.

A8-Cross-Site Request Forgery retired: most frameworks now ship CSRF defences, so it was found in only about 5% of applications.

A10-Unvalidated Redirects and Forwards retired: found in about 8% of applications.
Some code…

A4:2017-XML External Entities (XXE)
• Is my application vulnerable?

• The web app accepts XML from untrusted sources.

• Some SAML or SOAP implementations (the XML parser then sits inside the framework, not in your own code, so check its configuration too).

• How to prevent?

• Prefer JSON (simpler formats with no entity mechanism).

• Patch or upgrade all XML processors and libraries.

• Disable XML external entity and DTD processing in all XML parsers.

• Update your WAF (mod_security).

• Attack Scenario
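The attack scenario on this slide, worked through in Java as an added example (not code from the slides or from the speaker): the same constructed XXE document is fed to a JAXP parser with the default configuration, which expands the external entity and returns the target file's contents, and to a parser hardened as the slide recommends, which rejects the DOCTYPE before any entity is declared. The class name, the payload and the temporary "secret" file are all constructed for the demo; the feature URIs are the standard SAX/Xerces ones honoured by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    /** Constructed XXE payload: the DTD declares an external entity pointing at a local file and
     *  the body references it. A parser that resolves external entities inlines the file into <item>. */
    static String payloadFor(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE order [\n"
             + "  <!ENTITY xxe SYSTEM \"" + fileUri + "\">\n"
             + "]>\n"
             + "<order><item>&xxe;</item></order>\n";
    }

    /** Vulnerable: the JDK's default JAXP configuration processes DTDs and resolves external entities. */
    static String parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        Document d = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("item").item(0).getTextContent();
    }

    /** Hardened: refuse DOCTYPE altogether, and switch off entity/DTD handling as defence in depth. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // No DTD at all: no entity declarations (internal or external) and no entity-expansion DoS.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // If a DOCTYPE must be tolerated, these stop the parser from fetching anything external.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static String parseSafe(String xml) throws Exception {
        Document d = hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("item").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // A temporary file stands in for /etc/passwd so the demo runs on any OS.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "db-password=hunter2".getBytes(StandardCharsets.UTF_8));
        String payload = payloadFor(secret.toUri().toString());

        // The default parser hands the attacker the file contents inside the parsed document.
        System.out.println("default parser returned : " + parseUnsafe(payload));

        // The hardened parser fails fast on the DOCTYPE, before any entity exists to resolve.
        try {
            parseSafe(payload);
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

The first feature is the one that matters: with `disallow-doctype-decl` set, the parser never sees an entity declaration, so the other flags only cover parsers or code paths where a DOCTYPE has to be accepted. Remember that SAML and SOAP stacks build their own `DocumentBuilderFactory`; hardening your own parser does nothing for the one inside the framework.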
A8:2017-Insecure Deserialization
• Is my application vulnerable?

• Applications and APIs are vulnerable if they deserialize hostile or tampered objects supplied by an attacker.

• Serialization may be used in applications for:

• RPC, message brokers, web services, caching, databases, cookies, auth tokens.

• How to prevent?

• Add controls (strict type constraints on what may be deserialized) or sandbox the deserialization in a low-privilege environment.

• Do not accept serialized objects from untrusted sources.

• Use a digital signature or HMAC on the serialized data, and verify it before deserializing.

• Attack Scenario
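The cookie / auth-token case from this slide, as an added Java example that is not code from the slides or from the speaker: a session cookie carries a Java-serialized object, the vulnerable server deserializes whatever class the client sends, and the hardened server first checks an HMAC over the bytes and then deserializes under a JEP 290 `ObjectInputFilter` allow-list (Java 9+). The class names, the demo key and the `NotAToken` stand-in for an attacker-chosen class are constructed for the demo; a real attack would use a gadget chain from the application's classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DeserDemo {

    /** The only type the session cookie is ever supposed to carry. */
    public static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        final long expiresAt;
        SessionToken(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }

    /** Stands in for an attacker-chosen class (a real attack uses a gadget chain on the classpath). */
    public static final class NotAToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "constructed by the client";
    }

    // Constructed demo key: in production load it from a secrets store, never hard-code it.
    static final byte[] KEY = "demo-key-replace-me".getBytes(StandardCharsets.UTF_8);

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static byte[] hmac(byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(data);
    }

    /** Cookie layout: base64(bytes) + "." + base64(HMAC-SHA256(bytes)). */
    static String sign(byte[] raw) throws Exception {
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(raw) + "." + b64.encodeToString(hmac(raw));
    }

    static String mintCookie(SessionToken t) throws Exception { return sign(serialize(t)); }

    /** Vulnerable: whatever class the client put in the cookie gets instantiated. */
    static Object readCookieUnsafe(String cookie) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(cookie);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject();
        }
    }

    /** Hardened: verify the MAC before the stream is even opened, then deserialize under an allow-list. */
    static SessionToken readCookieSafe(String cookie) throws Exception {
        int dot = cookie.lastIndexOf('.');
        if (dot < 0) throw new SecurityException("malformed cookie");
        byte[] raw = Base64.getDecoder().decode(cookie.substring(0, dot));
        byte[] tag = Base64.getDecoder().decode(cookie.substring(dot + 1));
        // Constant-time comparison: tampered or attacker-minted bytes never reach ObjectInputStream.
        if (!MessageDigest.isEqual(hmac(raw), tag)) throw new SecurityException("bad MAC");

        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            // Defence in depth (JEP 290): only SessionToken (and its String field) may be resolved,
            // every other class is rejected, and the stream is capped in nesting depth and size.
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    SessionToken.class.getName() + ";java.lang.String;!*;maxdepth=3;maxbytes=1024"));
            return (SessionToken) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        String good = mintCookie(new SessionToken("alice", System.currentTimeMillis() + 60_000));
        System.out.println("hardened path accepted user " + readCookieSafe(good).user);

        // The client swaps the cookie body for a serialized object of a class of its choosing.
        byte[] hostile = serialize(new NotAToken());
        String forged = Base64.getEncoder().encodeToString(hostile);
        System.out.println("vulnerable path instantiated " + readCookieUnsafe(forged).getClass().getName());

        // Same bytes with a guessed MAC: rejected before deserialization starts.
        try { readCookieSafe(forged + "." + Base64.getEncoder().encodeToString(new byte[32])); }
        catch (SecurityException e) { System.out.println("hardened path rejected: " + e.getMessage()); }

        // Even with a valid MAC (leaked key, or another endpoint that signs blindly) the filter holds.
        try { readCookieSafe(sign(hostile)); }
        catch (InvalidClassException e) { System.out.println("filter rejected: " + e.getMessage()); }
    }
}
```

The MAC is the primary control: it turns "the client can send any bytes" into "the client can only replay bytes the server itself produced". The filter is the second layer for the day the key leaks or some other code path signs attacker-controlled data; note that it is set per stream, so a forgotten `ObjectInputStream` elsewhere is still wide open unless the JVM-wide `jdk.serialFilter` property is also set.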
A10:2017-Insufficient Logging and Monitoring
• Is my application vulnerable?

• Auditable events, such as logins, failed logins, and high-value transactions, are not logged.

• Errors generate unclear log messages.

• Logs of applications and APIs are not monitored for suspicious activity.

• Logs are only stored locally.

• How to prevent?

• Ensure all login, access control and server-side input validation failures are logged with enough user context to identify suspicious or malicious accounts, and held long enough for delayed forensic analysis.

• Ensure that logs are generated in a format that can be easily consumed by a centralized log management solution.

• Attack Scenario
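Both halves of this slide, as an added Java example that is not code from the slides or from the speaker: an audit logger that writes one machine-parseable key=value line per security event (with attacker-controlled fields quoted so a username cannot forge a second line), and two detection rules run over those lines as a central log collector would run them: a sliding-window count of failed logins per source, and a count of access-control denials per user. The event names, field names, IP addresses and all the traffic are constructed for the demo.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AuditLogDemo {

    /** One audit event as a single logfmt line: UTC timestamp, event type, outcome and the
     *  user/source context a responder needs. Anything the client controls goes through quote(). */
    static String auditLine(Instant ts, String event, String outcome, String user, String src, String detail) {
        return "ts=" + ts + " event=" + event + " outcome=" + outcome
             + " user=" + quote(user) + " src=" + src + " detail=" + quote(detail);
    }

    /** Escape quotes/backslashes and neutralise CR/LF so a malicious value cannot inject a log line. */
    static String quote(String v) {
        String clean = v.replace("\\", "\\\\").replace("\"", "\\\"").replaceAll("[\\r\\n]", " ");
        return "\"" + clean + "\"";
    }

    private static final Pattern KV = Pattern.compile("(\\w+)=(\"((?:[^\"\\\\]|\\\\.)*)\"|\\S+)");

    /** Parse one logfmt line back into a map, as a central collector would. */
    static Map<String, String> parse(String line) {
        Map<String, String> m = new LinkedHashMap<>();
        Matcher mt = KV.matcher(line);
        while (mt.find()) {
            String quoted = mt.group(3);
            m.put(mt.group(1), quoted != null
                    ? quoted.replace("\\\"", "\"").replace("\\\\", "\\") : mt.group(2));
        }
        return m;
    }

    /** Rule 1: `threshold` failed logins from one source inside a sliding `window` (credential stuffing). */
    static List<String> detectBruteForce(List<String> lines, int threshold, Duration window) {
        Map<String, Deque<Instant>> failuresBySrc = new HashMap<>();
        List<String> alerts = new ArrayList<>();
        for (String line : lines) {
            Map<String, String> e = parse(line);
            if (!"login".equals(e.get("event")) || !"failure".equals(e.get("outcome"))) continue;
            Instant ts = Instant.parse(e.get("ts"));
            Deque<Instant> q = failuresBySrc.computeIfAbsent(e.get("src"), k -> new ArrayDeque<>());
            q.addLast(ts);
            while (!q.isEmpty() && q.peekFirst().isBefore(ts.minus(window))) q.pollFirst();
            if (q.size() == threshold) {
                alerts.add("brute force suspected from " + e.get("src") + ": "
                         + threshold + " failed logins within " + window);
            }
        }
        return alerts;
    }

    /** Rule 2: a user collecting access-control denials is probing for IDOR / forced browsing. */
    static List<String> detectAccessControlProbing(List<String> lines, int threshold) {
        Map<String, Integer> denialsByUser = new HashMap<>();
        List<String> alerts = new ArrayList<>();
        for (String line : lines) {
            Map<String, String> e = parse(line);
            if (!"authz".equals(e.get("event")) || !"denied".equals(e.get("outcome"))) continue;
            int n = denialsByUser.merge(e.get("user"), 1, Integer::sum);
            if (n == threshold) alerts.add("access-control probing by " + e.get("user") + " (" + n + " denials)");
        }
        return alerts;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2017-12-20T18:00:00Z");
        List<String> log = new ArrayList<>();
        // Constructed traffic (not real data): one source tries five accounts in 20 seconds,
        // a logged-in user walks through other customers' order ids, and one login succeeds.
        String[] victims = {"alice", "bob", "carol", "dave", "erin"};
        for (int i = 0; i < victims.length; i++)
            log.add(auditLine(t0.plusSeconds(4L * i), "login", "failure", victims[i], "203.0.113.7", "bad password"));
        log.add(auditLine(t0.plusSeconds(30), "login", "success", "frank", "198.51.100.4", "ok"));
        for (int id = 1; id <= 3; id++)
            log.add(auditLine(t0.plusSeconds(60 + id), "authz", "denied", "frank", "198.51.100.4",
                              "GET /orders/" + (1000 + id) + " not owner"));
        // A username carrying a newline must not split into a forged second line.
        log.add(auditLine(t0.plusSeconds(120), "login", "failure",
                          "eve\nts=2017-12-20T18:02:00Z event=login outcome=success", "192.0.2.9", "bad password"));

        log.forEach(System.out::println);
        detectBruteForce(log, 5, Duration.ofMinutes(1)).forEach(a -> System.out.println("ALERT " + a));
        detectAccessControlProbing(log, 3).forEach(a -> System.out.println("ALERT " + a));
    }
}
```

The thresholds are deliberately low for the demo; in production they come from a baseline of normal traffic. The point of the format is that every field a detection rule needs (who, from where, what, outcome, when) is present and parseable on every line, and that the rules run somewhere other than the host being attacked.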
Let's secure our WebApps…

Level of Top 10 risk by industry in 2015
Don't stop at 10
• There are hundreds of issues that could affect the security of a web application (see the OWASP Developer's Guide and the Cheat Sheet Series).

• Think positive: we can't correct everything at once.

• Maintain and update your stacks!
References
• Go OWASP! http://www.owasp.org

• Official OWASP Top 10 2017

• https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

• Good article from Arden Rubens

• https://www.checkmarx.com/2017/12/03/closer-look-owasp-top-10-application-security-risks/

• Videos of the Top 10 attacks explained by Detectify

• https://www.youtube.com/playlist?list=PLbKl_RtocZetEzdHyZCgZHwaUHjE_jeQT

Thank you & happy holidays!
Join us! Agysoft and the Ach@tSolutions group are hiring
