
OWASP Top Ten

  • Slides #3 and #22 of the 2013 Release do not export correctly within slideshare i.e. https://github.com/OWASP/OWASP-Top-10/issues/3


  1. OWASP Top Ten 2013 FINAL Release. Christian Heinrich, christian.heinrich@owasp.org. The OWASP Foundation, June 2013, http://www.owasp.org/. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  2. #whoami (slide footer: OWASP - Top Ten 2013 – June 2013)
     • OWASP Testing Guide v3, 4.2.1 “Spiders/Robots/Crawlers” and 4.2.2 “Search Engine Reconnaissance”
     • OWASP “Google Hacking” Project, “Download Indexed Cache” PoC
     • Presented at .au, EU and USA OWASP Conferences
     • London (.uk), Sydney (.au) and Melbourne (.au) Chapters
     • http://www.owasp.org/index.php/user:cmlh
  3. OWASP Top Ten 2013 (agenda)
     • What is the OWASP Top Ten?
     • Additions from the OWASP Top Ten 2013: Using Components with Known Vulnerabilities
     • OWASP Top Ten Risk Rating Methodology
     • Timeline from Release Candidate (RC) to Final
     • When Not to Cite the OWASP Top Ten? Application Security Verification Standard (ASVS)
     • Politics of the OWASP Top Ten
  4. What is the OWASP “Top Ten”? The ten most common WebAppSec risks:
     • Based on the OWASP Risk Rating Methodology.
     • Intended audience is executive level.
     • Prior to 2010, based on prevalence and severity.
  5. What is the OWASP “Top Ten”? Statistics of vulnerabilities contributed by: Aspect Security, MITRE, WhiteHat, Veracode, Minded Security, HP (Fortify and WebInspect), Trustwave.
  6. Differences between 2003 and 2004
  7. Differences between 2004 and 2007
  8. Differences between 2007 and 2010 (diagram; legend symbols +, - and =)
  9. OWASP Top Ten 2013
     • A1: Injection
     • A2: Broken Authentication and Session Management
     • A3: Cross-Site Scripting (XSS)
     • A4: Insecure Direct Object References
     • A5: Security Misconfiguration
     • A6: Sensitive Data Exposure
     • A7: Missing Function Level Access Control
     • A8: Cross-Site Request Forgery (CSRF)
     • A9: Using Known Vulnerable Components
     • A10: Unvalidated Redirects and Forwards
  10. Comparison with 2003, 2004, 2007 and 2010 Releases
  11. Comparison to SANS/MITRE CVE Top 25
  12. ESAPI and Top Ten 2007
  13. Python (Flask/Django) and Top Ten 2013
  14. Politics of A9
  15. Politics of A9
  16. Politics of A9
  17. Politics of A9
  18. Politics of A9: Ironic
  19. Politics of A9
  20. Politics of A9
  21. Politics of A9
  22. Politics of A9
  23. Politics of A9
         cmlh$ openssl sha1 Aspect-2013-Global-AppSec-Risk-Report.pdf
         SHA1(Aspect-2013-Global-AppSec-Risk-Report.pdf)= e3e7e0793a311f0779161d082a874042ee0bd498
         cmlh$ pdfinfo Aspect-2013-Global-AppSec-Risk-Report.pdf
         Title:          Global Application Security Risk Report
         Author:         Jeff Williams
         Creator:        Microsoft® Word 2010
         Producer:       Microsoft® Word 2010
         CreationDate:   Mon Jun 10 14:59:01 2013
         ModDate:        Mon Jun 10 14:59:01 2013
         Tagged:         yes
         Form:           none
         Pages:          13
         Encrypted:      no
         Page size:      612 x 792 pts (letter)
         File size:      845806 bytes
         Optimized:      no
  24. Politics of A9
  25. Politics of A9
  26. Politics of A9
  27. Politics of A9
  28. OWASP Top 10 Risk Rating Methodology (each scored factor is rated 1, 2 or 3; a lower score means a higher risk)
     • Threat Agent: ?
     • Attack Vector: Easy (1) / Average (2) / Difficult (3)
     • Weakness Prevalence: Widespread (1) / Common (2) / Uncommon (3)
     • Weakness Detectability: Easy (1) / Average (2) / Difficult (3)
     • Technical Impact: Severe (1) / Moderate (2) / Minor (3)
     • Business Impact: ?
     • XSS example: Attack Vector 2, Weakness Prevalence 1, Weakness Detectability 1, Technical Impact 2. Likelihood (2 + 1 + 1) / 3 ≈ 1.3; 1.3 * 2 = 2.6 weighted risk rating.
  29. Politics of OWASP Risk Rating Methodology
     • Not recommended by OWASP Threat Modeling.
     • Others, e.g. STRIDE, DREAD, etc., not used either.
     • “donated” this to OWASP.
     • Perceived Conflict of Interest.
  30. When *Not* to Cite the OWASP Top Ten? PCI DSS and PA-DSS
     • Cited (incorrectly) as OWASP “Guide”.
     • Payment Applications (PA) are TANDEM, etc. based. Exception is a Web Server within an LPAR.
     • “Platform Security – Facebook Developer Wiki”
  31. When *Not* to Cite the OWASP Top Ten? Web Application Firewall (WAF) and other Vendors
     • WAFs don’t address root causes.
     • Mark Curphey (OWASP Founder) raised the abuse issue.
     • AvdS suggested an OWASP T10 Certification Scheme.
     • webappsec “blackbox” or “whitebox” pen testing RFTs
  32. Application Security Verification Standard: consider ASVS instead of the OWASP Top 10. Some issues when implemented in practice.
  33. Internal OWASP Politics of the Top Ten
     • Against the OWASP “Builders not Breakers” Directive.
     • Justified as “Awareness” for an Executive audience → generates “not for profit” revenue.
  34. Further Information
     • URLs Published by OWASP: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, http://lists.owasp.org/mailman/listinfo/owasp-topten
     • URLs Aggregated by cmlh: http://deli.cio.us/cmlh/OWASP.Top.Ten
  35. Copyright Notices: Slides and Notes licensed as AU Creative Commons 2.5 Attribution-Non Commercial-No Derivative Works.
  36. In Closing: Slides are published on http://www.slideshare.net/cmlh. christian.heinrich@owasp.org, http://www.owasp.org/index.php/user:cmlh
  37. OWASP Top Ten 2010 FINAL Release. Christian Heinrich, christian.heinrich@owasp.org. The OWASP Foundation, June 2013, http://www.owasp.org/. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
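The risk rating arithmetic on slide 28 (average of the three likelihood factors times technical impact, with the XSS scores 2, 1, 1 and 2 giving 1.3 * 2 = 2.6), as an added Python example that is not part of the deck or of any OWASP project code. The scale tables follow the slide; the second candidate weakness and its scores are constructed here only so that ranking has something to order.

```python
from dataclasses import dataclass
from statistics import mean

# Ordinal scales from the OWASP Top 10 2013 Risk Rating Methodology (slide 28).
# Each factor is scored 1, 2 or 3; a LOWER score means a HIGHER risk.
ATTACK_VECTOR = {"easy": 1, "average": 2, "difficult": 3}
PREVALENCE = {"widespread": 1, "common": 2, "uncommon": 3}
DETECTABILITY = {"easy": 1, "average": 2, "difficult": 3}
TECHNICAL_IMPACT = {"severe": 1, "moderate": 2, "minor": 3}


@dataclass(frozen=True)
class Weakness:
    """One candidate Top Ten entry rated on the slide's four scored factors.
    Threat Agent and Business Impact are shown as '?' on the slide
    (application specific) and are deliberately not part of the score."""
    name: str
    attack_vector: str
    prevalence: str
    detectability: str
    technical_impact: str


def likelihood(w: Weakness) -> float:
    """Average of the three likelihood factors, rounded to one decimal
    exactly as the slide displays it (2, 1, 1 -> 1.3 for XSS)."""
    scores = (
        ATTACK_VECTOR[w.attack_vector.lower()],
        PREVALENCE[w.prevalence.lower()],
        DETECTABILITY[w.detectability.lower()],
    )
    return round(float(mean(scores)), 1)


def weighted_risk(w: Weakness) -> float:
    """Weighted risk rating = likelihood * technical impact (1.3 * 2 = 2.6 for XSS)."""
    return round(float(likelihood(w) * TECHNICAL_IMPACT[w.technical_impact.lower()]), 2)


def rank(weaknesses) -> list:
    """Order candidates for the list: lowest weighted rating first, i.e. riskiest first."""
    return sorted(weaknesses, key=weighted_risk)


# The slide's worked XSS example, plus a constructed second entry (hypothetical
# scores, not taken from the deck) so that rank() has something to order.
XSS = Weakness("A3 Cross-Site Scripting", "average", "widespread", "easy", "moderate")
SAMPLE = Weakness("constructed sample", "difficult", "uncommon", "difficult", "minor")

if __name__ == "__main__":
    for w in rank([SAMPLE, XSS]):
        print(f"{w.name}: likelihood {likelihood(w)} -> weighted risk {weighted_risk(w)}")
```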
