
In that case, we have an OWASP Top 10 opportunity...

108 views

Published on

Presentation I gave at the OWASP Israel June 2017 chapter meeting about recent developments around the OWASP Top 10

Published in: Software

  1. Josh Grossman, OWASP Israel – June 2017 Meeting
  2. To discuss
     • The new RC of the OWASP Top 10 Risks
     • What the new RC was based on
     • Outcome of the OWASP Summit
     • My ideas and suggestions
  3. Who am I?
     • 10 years of IT Security and IT Risk experience
     • Last several years focused on Application Security and Cloud
     • Team Lead in the AppSec Department at Comsec Global
     • Married + 2, living in Modi’in
  4. Background to the OWASP Top 10
  5. So what is it?
     • OWASP Top 10 first released in 2003
     • Revisions in 2004, 2007, 2010, 2013, 2017…
     • Flagship project
     • “A list of the 10 Most Critical Web Application Security Risks”
     • Co-authored by Dave Wichers and Jeff Williams
  6. Real life examples
     • “Our team undergo secure development training which covers the OWASP Top 10.”
     • “Our testing procedures cover risks including the OWASP Top 10.”
  7. Real life examples
     • “We just want a quick cheap test, just cover the OWASP Top 10”
     • “The Application Security testing report must map findings to the OWASP Top 10”
  8. Real life examples
     • “We want certification that our application complies with the OWASP Top 10”
  9. The bottom line
     “The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, Defense Information Systems Agency, FTC, and many more.”
     https://en.wikipedia.org/wiki/OWASP
  10. Release of the Top 10 2017 RC1
  11. So what has changed?
     https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf
  12. But where did this come from?
  13. Some key stats
     • Call for Data closed in July 2016
     • 11 large companies and 13 small companies contributed
     • Most vulnerability data came from Veracode, although results are weighted
     • Largest category: XSS, 84% of the total by count, 24% after weighting
     • Thanks to Brian Glas for some great analysis:
       • https://nvisium.com/blog/2017/04/18/musings-on-the-owasp-top-10-2017-rc1/
       • https://nvisium.com/blog/2017/04/24/musings-on-the-owasp-top-10-2017-rc1-pt2/
  14. Some key stats

     Category  | Average overall | Massive company | %   | Smaller company | %     | Etc…
     XSS       | 24%             | 1,900,000       | 86% | 2,012           | 17%   | ..
     Injection | 6.63%           | 225,398         | 10% | 372             | 3.25% | ..
     Etc…      | ..              | ..              | ..  | ..              | ..    | ..

  15. Some key stats (repeat of slide 13)
  16. So where did the new ones come from?
  17. So where did the new ones come from?
     • “APIs” and “Attack Protection” only mentioned once in the open data
  18. Who are Contrast Security?
  19. Who are Contrast Security?
  20. Sound Familiar?
  21. OWASP Code of Ethics
     • …
     • To avoid relationships that impair — or may appear to impair — OWASP's objectivity and independence.
     https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics
     1) Being independent
     2) Seeming independent
  22. The OWASP Summit
  23. Changing of the Guard
  24. The independence threat
     “I will take a motion to the Board asking for a change...where Flagship projects will have a six month grace period to obtain at least two leaders from two different firms to avoid perceptions of vendor lock in either in actuality or perceived.”
     Andrew van der Stock, 13 June 2017
  25. Transparency
     “There will be a transparent and documented decision to ensure that up to 2 of the OWASP Top 10 issues will be forward looking, and that the community should drive the consensus for what they will be.”
     Andrew van der Stock, 13 June 2017
  26. The Top 10 is for everyone
     “The goal of the Top 10 project is to raise awareness about application security”
     Foreword to the OWASP Top 10 2017
  27. Call for Data reopened and New Survey
     “There will be a second data call, ending on August 25…We are looking for large and small data sets - tool or human driven, we want it all.”
     “I will work with Brian Glas to define a set of 5-10…forward looking inclusions and let the community decide the fate of A7 / A10.”
     Andrew van der Stock, 14 June 2017
  28. Art, not science
     “The OWASP Top 10 is art, not science”
     Someone at some point during the summit
  29. Provide feedback
     “If you want to spend time reviewing the current draft, please do so, and provide feedback here: https://github.com/OWASP/Top10/issues”
     Andrew van der Stock, 14 June 2017
  30. The final release date
     “…we have decided on a final date for the next release of the OWASP Top 10 2017 - late November, probably just before Thanksgiving.”
     Andrew van der Stock, 14 June 2017
  31. What should be there?
  32. The Good:
     • Removal of 2013 A10—Unvalidated Redirects and Forwards
     • Creation of 2017 A4—Broken Access Control
  33. The Bad(ish):
     • 2017 A10—Underprotected APIs:
       • Worth its own category
       • Should focus on API-specific issues
  34. The Ugly:
     • 2017 A7—Insufficient Attack Protection:
       • Lack of a control is not a risk
       • Encourages building a control rather than addressing a risk
  35. Attack Protection
     • Still an important topic
     • Developers/Defenders should be thinking of that
     • If only there was a list of controls for defenders / developers to consider…
  36. Attack Protection
     • OWASP-2016-C1: Verify for Security Early and Often
     • OWASP-2016-C2: Parameterize Queries
     • OWASP-2016-C3: Encode Data
     • OWASP-2016-C4: Validate All Inputs
     • OWASP-2016-C5: Implement Identity and Authentication Controls
     • OWASP-2016-C6: Implement Appropriate Access Controls
     • OWASP-2016-C7: Protect Data
     • OWASP-2016-C8: Implement Logging and Intrusion Detection
     • OWASP-2016-C9: Leverage Security Frameworks and Libraries
     • OWASP-2016-C10: Error and Exception Handling
  37. A7: So what should be there?
  38. So in conclusion…
  39. 1) OWASP needs us
     • OWASP sits on a narrow base of support
     • The more people involved, the better the materials will become
     • More involvement = wider perspective
  40. 2) Use the right tool for the job
     • OWASP Top 10 is used too much
     • Consider other projects like:
       • Top 10 Proactive Controls
       • Application Security Verification Standard (ASVS)
       • Software Assurance Maturity Model
       • (Mobile) Security Testing Guide
  41. 3) Future of the Top 10 Risks
     • Just a data-based risks list?
     • How many Top 10 lists do we need?
     • I like the idea of forward looking
  42. Conclusions:
     1. OWASP needs us
     2. Use the right tool for the job
     3. Future of the Top 10 Risks
     joshg@comsecglobal.com
     joshcgrossman@gmail.com
     @JoshCGrossman
