4. OWASP Top 10 – Then and Now
Not Substantially Different
OWASP Top 10 – 2001-2004 Edition              | OWASP Top 10 – 2013 Edition
----------------------------------------------|------------------------------------------------
A1  Unvalidated Input                          | A1  Injection
A2  Broken Access Control                      | A2  Broken Authentication and Session Management
A3  Broken Authentication and Session Management | A3  Cross-Site Scripting (XSS)
A4  Cross Site Scripting                       | A4  Insecure Direct Object References
A5  Buffer Overflow                            | A5  Security Misconfiguration
A6  Injection Flaws                            | A6  Sensitive Data Exposure
A7  Improper Error Handling                    | A7  Missing Function Level Access Control
A8  Insecure Storage                           | A8  Cross-Site Request Forgery (CSRF)
A9  Application Denial of Service              | A9  Using Components with Known Vulnerabilities
A10 Insecure Configuration Management          | A10 Unvalidated Redirects and Forwards

* Challenging for automation tools
5. The Intent of OWASP
• The Top 10 is about managing risk
– Not just avoiding vulnerabilities
• Take a big-picture approach to application security.
– Being in the OWASP Top 10 doesn't mean it's the most important problem facing your organization
12. TAKE APPLICATION SECURITY ONE STEP AT A TIME
Allow the organization to grow into the process rather than dropping it on the teams all at once.
13. EDUCATE YOUR DEVELOPERS AND GET THEM WRITING SECURE CODE
Empathy is the killer app of application security. Make developers and your business (e.g. project managers) care about developing safe software.
14. RECRUIT THE SMART PEOPLE IN THE DEV TEAMS TO ACT AS CHAMPIONS
Senior developers with a need to learn something new, or junior developers with the motivation to move ahead within the organization.
16. NETWORK SECURITY CANNOT PREVENT APPLICATION BREACHES ON ITS OWN
STATIC ANALYSIS SHOULD BE PERFORMED AT EARLIER DEVELOPMENT STAGES
Web Application Firewalls (WAF) and/or Runtime Application Self-Protection (RASP) should be used as temporary band-aids for vulnerabilities that have not yet been remediated.
17. CAUTION WITH AUTOMATION
Tools make educated guesses that require validation by trained humans.
Peer code review by trained peers is still the best option.
18. Phil Agcaoili
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Board of Advisors, PCI Security Standards Council (SSC)
Contributor, NIST Cybersecurity Framework version 1
Co-Founder & Board Member, Southern CISO Security Council
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF) – AICPA SOC
@hacksec
https://www.linkedin.com/in/philA