Advertisement
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer

Check these out next

Nessus and Reporting Karma
Nessus and Reporting Karma
n|u - The Open Security Community
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
OWASP
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo Talk
Simon Bennetts
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
Zap vs burp
Zap vs burp
Tomasz Fajks
1 of 31

AppSec & OWASP Top 10 Primer

Mar. 17, 2019
Download to read offline
Internet

AppSec & OWASP Top 10 Primer By Matt Scheurer (@c3rkah) Cincinnati, Ohio Date: 03/21/2019 Momentum Developer Conference Sharonville Convention Center #momentumdevcon Abstract: Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP). Bio: Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).

CiNPA Security SIG
Systems Security Engineer at CiNPA Security SIG
Advertisement
Advertisement
Advertisement

Recommended

[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?OWASP461 views75 slides
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava2.6K views51 slides
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP1K views35 slides
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilitiesOWASP592 views30 slides
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!Matt Tesauro15.3K views72 slides
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automationOWASP161 views44 slides

More Related Content

Slideshows for you(20)

Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karma
n|u - The Open Security Community7.6K views
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts4.4K views
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
OWASP1.1K views
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts8K views
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts5.5K views
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo Talk
Simon Bennetts2.2K views
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts3.9K views
Zap vs burpZap vs burp
Zap vs burp
Tomasz Fajks11.6K views
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
Simon Bennetts306 views
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
Simon Bennetts2.9K views
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced Features
Simon Bennetts3.7K views
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Michael Coates277.9K views
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts1.1K views
OWASP 2013 AppSec EU Hamburg - ZAP InnovationsOWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts2.8K views
Using the Zed Attack Proxy as a Web App testing toolUsing the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing tool
David Sweigert980 views
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
Simon Bennetts2.4K views
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren6.4K views
“Sensu and Sensibility” - The Story of a Journey From #monitoringsucks to #mo...“Sensu and Sensibility” - The Story of a Journey From #monitoringsucks to #mo...
“Sensu and Sensibility” - The Story of a Journey From #monitoringsucks to #mo...
Puppet4.7K views
2017 DevSecCon ZAP Scripting Workshop2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop
Simon Bennetts3.5K views
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts2K views

Similar to AppSec & OWASP Top 10 Primer(20)

OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
CiNPA Security SIG2.4K views
ISC2: AppSec & OWASP PrimerISC2: AppSec & OWASP Primer
ISC2: AppSec & OWASP Primer
CiNPA Security SIG212 views
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG266 views
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
CiNPA Security SIG139 views
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP1.7K views
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
Sudhanshu Chauhan1.2K views
Web Security... Level UpWeb Security... Level Up
Web Security... Level Up
Izzet Mustafaiev428 views
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
alessiomarziali891 views
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf Hadiwinata
Hananto Wibowo Soenarto190 views
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOps
DevOps Indonesia291 views
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu1.6K views
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust TheoremOWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP188 views
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav1.1K views
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma1.3K views
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Clark Everetts352 views
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
OWASP Delhi735 views
Devops Indonesia - DevSecOps - The Open Source WayDevops Indonesia - DevSecOps - The Open Source Way
Devops Indonesia - DevSecOps - The Open Source Way
Yusuf Hadiwinata Sutandar1.7K views
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.833 views
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
Magno Logan421 views
hacking your website with vega, confoo2011hacking your website with vega, confoo2011
hacking your website with vega, confoo2011
Bachkoutou Toutou2.4K views
Advertisement

More from CiNPA Security SIG(20)

CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIs
CiNPA Security SIG135 views
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
CiNPA Security SIG88 views
BSides Columbus - Lend me your IR's!BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!
CiNPA Security SIG150 views
PwnSchool: Exploiting Web APIsPwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIs
CiNPA Security SIG71 views
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG132 views
CCC - Lend me your IR'sCCC - Lend me your IR's
CCC - Lend me your IR's
CiNPA Security SIG123 views
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
CiNPA Security SIG83 views
OISF - Continuous Skills Improvement for EveryoneOISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for Everyone
CiNPA Security SIG481 views
Central Ohio InfoSec Summit: Why Script Kiddies SucceedCentral Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
CiNPA Security SIG123 views
Butler Tech - Working in IT and InfoSecButler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSec
CiNPA Security SIG223 views
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
CiNPA Security SIG105 views
CiNPA Security SIG - Physical SecurityCiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical Security
CiNPA Security SIG90 views
CiNPA / CiNPA Security SIG HistoryCiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG History
CiNPA Security SIG130 views
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
CiNPA Security SIG94 views
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
CiNPA Security SIG173 views
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
CiNPA Security SIG70 views
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
CiNPA Security SIG128 views
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
CiNPA Security SIG97 views
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!
CiNPA Security SIG197 views
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
CiNPA Security SIG133 views

Recently uploaded(20)

美国荷华大学毕业证文凭成绩单制作指南美国荷华大学毕业证文凭成绩单制作指南
美国荷华大学毕业证文凭成绩单制作指南
abecue2 views
NP Industry in India.pdfNP Industry in India.pdf
NP Industry in India.pdf
Karthik Ramanujam1 view
Empowering Warehouse Operations Seamless WiFi Service in New York.pdfEmpowering Warehouse Operations Seamless WiFi Service in New York.pdf
Empowering Warehouse Operations Seamless WiFi Service in New York.pdf
SliceWirelessSolutio4 views
加拿大温哥华电影学院毕业证文凭成绩单制作指南加拿大温哥华电影学院毕业证文凭成绩单制作指南
加拿大温哥华电影学院毕业证文凭成绩单制作指南
abecue2 views
PLNOG 31 Alena Muravska 2023.pdfPLNOG 31 Alena Muravska 2023.pdf
PLNOG 31 Alena Muravska 2023.pdf
RIPE NCC12 views
oracleeventshunting-190909105308.pdforacleeventshunting-190909105308.pdf
oracleeventshunting-190909105308.pdf
ssuser785ce210 views
Top Cross Platform Trends.pdfTop Cross Platform Trends.pdf
Top Cross Platform Trends.pdf
ItAmd20 views
dtrace_topics_intro.pdfdtrace_topics_intro.pdf
dtrace_topics_intro.pdf
ssuser785ce210 views
如何办理一份高仿萨塞克斯大学毕业证成绩单?如何办理一份高仿萨塞克斯大学毕业证成绩单?
如何办理一份高仿萨塞克斯大学毕业证成绩单?
aazepp0 views
加拿大魁北克大学毕业证文凭成绩单制作指南加拿大魁北克大学毕业证文凭成绩单制作指南
加拿大魁北克大学毕业证文凭成绩单制作指南
abecue2 views
ThaiNOG 5: Security TutorialThaiNOG 5: Security Tutorial
ThaiNOG 5: Security Tutorial
APNIC8 views
Presentation of application,Network And transport layer protocols Created by ...Presentation of application,Network And transport layer protocols Created by ...
Presentation of application,Network And transport layer protocols Created by ...
sadafkoondhar2 views
澳洲维多利亚大学毕业证文凭成绩单制作指南澳洲维多利亚大学毕业证文凭成绩单制作指南
澳洲维多利亚大学毕业证文凭成绩单制作指南
abecue2 views
Hybrid App Development (1) (1).pdfHybrid App Development (1) (1).pdf
Hybrid App Development (1) (1).pdf
Sanjaysharma9946540 views
c++basics.pptc++basics.ppt
c++basics.ppt
EPORI0 views
德国亚琛工业大学毕业证文凭成绩单制作指南德国亚琛工业大学毕业证文凭成绩单制作指南
德国亚琛工业大学毕业证文凭成绩单制作指南
abecue2 views
OUATTARAAboulaye-GL23_SRWE_02-certificate.pdfOUATTARAAboulaye-GL23_SRWE_02-certificate.pdf
OUATTARAAboulaye-GL23_SRWE_02-certificate.pdf
AboulayeOuattara20 views
英国普利茅斯大学毕业证文凭成绩单制作指南英国普利茅斯大学毕业证文凭成绩单制作指南
英国普利茅斯大学毕业证文凭成绩单制作指南
abecue2 views
美国俄亥俄州立大学毕业证文凭成绩单制作指南美国俄亥俄州立大学毕业证文凭成绩单制作指南
美国俄亥俄州立大学毕业证文凭成绩单制作指南
abecue2 views
英国萨塞克斯大学毕业证文凭成绩单制作指南英国萨塞克斯大学毕业证文凭成绩单制作指南
英国萨塞克斯大学毕业证文凭成绩单制作指南
abecue3 views
Advertisement

AppSec & OWASP Top 10 Primer

  1. March 21, 2019 Matt Scheurer @c3rkah Slides: https://www.slideshare.net/cerkah AppSec & OWASP Top 10 Primer AppSecAppSec -------------------------------- & OWASP& OWASP Top 10Top 10
  2. About Me... ● Sr. Systems Security Engineer in the Financial Services Industry ● Frequent speaker at Information Security / Hacker conferences ● Teacher at heart! ● Chair of the
  3. Places where I have presented...
  4. Why am I speaking at a Dev Con? It all started with a tweet…
  5. Why AppSec?
  6. What is OWASP? The Open Web Application Security Project (OWASP), an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. ● Web site - https://www.owasp.org/
  7. OWASP History ● Started in December, 2001 ● Obtained 501c3 (non-profit) Status in April 2004 ● OWASP Top Ten List – The "Top Ten", first published in 2003, is regularly updated. It aims to raise awareness about application security by identifying some of the most critical risks facing organizations ● The OWASP foundation has produced many guides, projects, and publications, since their beginning
  8. OWASP Top 10 List (2017) ● A1:2017-Injection ● A2:2017-Broken Authentication ● A3:2017-Sensitive Data Exposure ● A4:2017-XML External Entities (XXE) ● A5:2017-Broken Access Control ● A6:2017-Security Misconfiguration ● A7:2017-Cross-Site Scripting (XSS) ● A8:2017-Insecure Deserialization ● A9:2017-Using Components with Known Vulnerabilities ● A10:2017-Insufficient Logging&Monitoring ● Current Version – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project – https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
  9. Recent OWASP Top 10 Changes From 2013 to 2017... ● "Cross-Site Scripting (XSS)" Down from A3 to A7 ● "Insecure Direct Object References" (A4) and "Missing Function Level Access Control" (A7) – Merged into "Broken Access Control" as A5 ● "Security Misconfiguration" Down from A5 to A6 ● "Sensitive Data Exposure" Up from A5 to A3 ● "Cross-Site Request Forgery (CSRF)" Removed ● "Unvalidated Redirects and Forwards" Removed
  10. Additions to the OWASP Top 10 From 2013 to 2017... ● A4:2017-XML External Entities (XXE) ● A8:2017-Insecure Deserialization ● A10:2017-Insufficient Logging & Monitoring
  11. Where and How to Learn AppSec ● We will cover some basic resources to help get you started on a path towards self-learning... – Basic Vulnerability Scanners – AppSec Testing Platforms – Free places to learn AppDev – Free places to learn AppSec – Free Learning / Practice Platforms NOTE: These are not exhaustive lists as there are many more resources available!
  12. Starting Out... ● Advice my mother would offer about how to begin learning AppSec and testing web server, website and web application security...
  13. Vulnerability Scanners ● Core Security: Core Impact ● Rapid7 products: Nexpose ● Tenable: Nessus ● Qualys: Web Application Scanning (WAS) ● Open Source: OpenVAS ● Open Source / Kali Linux: Sparta / Nikto
  14. AppSec Testing Platforms ● Start with: OWASP ZAP (Zed Attack Proxy) – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project ● Move to: Fiddler - Free Web Debugging Proxy – https://www.telerik.com/fiddler ● Graduate to: Burp Suite Scanner – https://portswigger.net/burp ● Honorable Mention: Nmap w/ NSE Scripts ● Honorable Mention: Samurai Web Testing Framework
  15. Free places to learn AppDev ● Codecademy – https://www.codecademy.com/ ● Khan Academy – https://www.khanacademy.org/computing ● SQLCourse.com – http://www.sqlcourse.com/ ● W3Schools – https://www.w3schools.com/
  16. Free places to learn AppSec ● OWASP (Of course!) – https://www.owasp.org/ ● Your nearest local OWASP Chapter – https://www.owasp.org/index.php/OWASP_Chapter ● YouTube – https://www.youtube.com/ ● Cybrary – https://www.cybrary.it/course/web-application-pen-testing/ – https://www.cybrary.it/course/ethical-hacking/ – https://www.cybrary.it/course/advanced-penetration-testing/ – https://www.cybrary.it/course/python/
  17. Free Learning / Practice Platforms ● OWASP Mutillidae – https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project ● OWASP WebGoat – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project ● OWASP Juice Shop – https://www.owasp.org/index.php/OWASP_Juice_Shop_Project ● Rapid7 Metasploitable – https://github.com/rapid7/metasploitable3 ● PentesterLab – https://pentesterlab.com/exercises/
  18. Troy Hunt Resources ● Hack Yourself First – "Hack Yourself First" is all about developers building up cyber-offense skills and proactively seeking out security vulnerabilities in their own websites before an attacker does – There are 50 intentional very sloppy security practices to be found – http://hack-yourself-first.com/ ● Free Accompanying Pluralsight Course – http://pluralsight.com/training/Courses/TableOfContents/hack-yourself-first
  19. What about a WAF? ● A Web Application Firewall (WAF) filters, monitors, and blocks attack traffic to and from specific web applications. – Prevents attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations, etc. ● WAF’s are good as a compensating control and a good defense-in-depth strategy, but... – Nobody should rely solely on a WAF for web app security ● WAF bypasses are continuously being researched, published, and included in exploit kit updates ● A WAF is not likely to stop all of the attacks
  20. *** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
  21. *** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
  22. *** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
  23. *** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
  24. *** Live Demo Alert *** Please pick 2…
  25. *** Live Demo Alert *** Please pick 2… So I am not just Crazy!
  26. Scanning Demo w/ Nikto! ● Nikto – Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. – https://cirt.net/Nikto2 ● Nikto is available as a free download and is also included in Kali Linux
  27. Accidental Exposure Demo w/ ZAP! ● OWASP ZAP – The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience including developers and functional testers who are new to penetration testing. – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project ● ZAP is available as a free download and is also included in Kali Linux
  28. Conclusion The need for AppSec practitioners is great… ● Because there’s a whole lot of horrible out there!
  29. Shout outs and thank you’s... ● OWASP – https://www.owasp.org ● Cincinnati OWASP Chapter – https://www.owasp.org/index.php/Cincinnati ● Columbus OWASP Chapter – https://www.owasp.org/index.php/Columbus ● University of Cincinnati OWASP Chapter – https://www.cyberatuc.org/ – https://www.youtube.com/channel/UCWcJuk7A_1nDj4m-cHWvIFw
  30. Questions Who ... What ... When ... Where ... Why ... How ...
  31. March 21, 2019 Matt Scheurer @c3rkah Slides: https://www.slideshare.net/cerkah Thank you for attending! AppSecAppSec -------------------------------- & OWASP& OWASP Top 10Top 10
Advertisement