Andrew van der Stock
Brian Glas, Andrew van der Stock, Torsten Gigler, Neil Smithline
owasp.org/Top10
Introduction
• Top 10 Risks – not Top 10 impacts, likelihoods, or vulnerabilities
• First released in 2003, 2021 is the 7th update
• Audience
  • Developers, lead developers, architects
  • Framework developers (but they really should be using ASVS)
  • AppSec program management (CISOs, CTOs, and so on)
  • AppSec professionals: consultancies, tools, vendors, trainers
Leadership
• Collaborative - all of us do all the things
• Goals: conceptual integrity and to include our community
What they primarily do
Brian Glas: Co-lead, author, data scientist, data analysis, risk rankings, interface to data sources, and more
Torsten Gigler: Co-lead, author, data analysis, risk rankings, document template, website, English editor, German translation, and more
Neil Smithline: Co-lead, author, data analysis, risk rankings, and valuable counsel and advice, and more
Andrew van der Stock: Co-lead, author, data analysis, risk rankings, persnickety grammar person, often gets interviews and media outlet requests, and more
Highlights
• After nearly 20 years, injection is no longer A1
  • Even with XSS combined into injection
• Shorter by design
• Mobile-first, PDF and wall poster available (soon)
• New look after a decade
• How to adopt as a (pseudo-)standard and basic appsec program
• A1..A10 titles are root causes, not symptoms
• Four new categories, including Insecure Design and SSRF
• And lastly, next steps
Status
https://www.owasptopten.org/
• Data Collection
• Industry Survey
• Data Analysis
• Write Up
• Responsive Web and Mobile Version
• PDF and Developer Poster
• Review
• Translations
How it’s made
• Want to learn how the Top 10 was made?
• Please attend Brian Glas’ talk at 1700 US EDT / 2100 UTC: The making of the OWASP Top 10 and beyond
Risky Click of the Day
It’s not a Rick Roll. Promise
A01:2021 Broken Access Control
• Bypass access control checks
• Unauthorized access to accounts
• Unauthorized creation, reading, updating and deletion of data
• Elevation of privilege
• Privacy and regulatory impacts
• The biggest breaches and largest costs
34 CWEs | 19k CVEs | Found in 3.8% of apps | Occurred 318k times | Weighted Exploit: 6.9 | Weighted Impact: 5.9
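The first two bullets on this slide are the insecure-direct-object-reference pattern: a record fetched by a client-supplied id with no check that the caller may see it. The following example is added here and is not code from the OWASP Top 10 project; the users, roles and documents are constructed in-memory sample data, and it shows the broken lookup next to a deny-by-default, object-level authorization check that also makes missing and forbidden records indistinguishable to the client.

```python
"""Object-level authorization for A01:2021 Broken Access Control.

Added illustration, not code from the OWASP Top 10 project. Users,
roles and documents below are constructed sample data held in memory.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Document:
    doc_id: int
    owner_id: str
    body: str


class AccessDenied(Exception):
    """Raised when the caller may not reach the requested object."""


# Constructed sample data: two ordinary users, one admin, three documents.
USERS = {
    "alice": User("alice"),
    "bob": User("bob"),
    "carol": User("carol", frozenset({"admin"})),
}
DOCUMENTS = {
    1: Document(1, "alice", "alice's private notes"),
    2: Document(2, "bob", "bob's invoice"),
    3: Document(3, "alice", "alice's draft"),
}


def get_document_insecure(caller: User, doc_id: int) -> Document:
    """The broken pattern (insecure direct object reference): the record is
    looked up by the id the client supplied and nobody asks whether this
    caller is allowed to see it. Kept here only to contrast with the fix."""
    return DOCUMENTS[doc_id]


def _authorize(caller: User, doc: Document, action: str) -> None:
    """Deny by default. The owner may do anything to their own record; an
    admin may read but not modify; every other case raises."""
    if doc.owner_id == caller.user_id:
        return
    if action == "read" and "admin" in caller.roles:
        return
    raise AccessDenied(f"{caller.user_id} may not {action} doc {doc.doc_id}")


def _load(caller: User, doc_id: int) -> Document:
    """A missing record and a forbidden one raise the same error, so the
    client cannot tell valid ids from invalid ones by the response."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise AccessDenied(f"doc {doc_id} not available to {caller.user_id}")
    return doc


def get_document(caller: User, doc_id: int) -> Document:
    """Hardened read: lookup and authorization happen together, server side."""
    doc = _load(caller, doc_id)
    _authorize(caller, doc, "read")
    return doc


def update_document(caller: User, doc_id: int, body: str) -> Document:
    """Hardened write: same pattern, with the narrower 'update' action."""
    doc = _load(caller, doc_id)
    _authorize(caller, doc, "update")
    doc.body = body
    return doc


def can_read(caller_id: str, doc_id: int) -> bool:
    """Boolean wrapper around the hardened read, handy for tests and audits."""
    try:
        get_document(USERS[caller_id], doc_id)
        return True
    except AccessDenied:
        return False


def can_update(caller_id: str, doc_id: int, body: str) -> bool:
    """Boolean wrapper around the hardened write."""
    try:
        update_document(USERS[caller_id], doc_id, body)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    print("bob reads alice's doc via insecure path:",
          get_document_insecure(USERS["bob"], 1).body)
    print("bob reads alice's doc via hardened path:", can_read("bob", 1))
```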
A02:2021 Cryptographic Failures
• Covers
  • Some facets of “Sensitive Data Exposure”
  • Missing or ineffective data at rest controls
  • Missing or ineffective TLS
  • Missing or ineffective configuration
• Includes CWEs for hard coded passwords
• Mostly found during code reviews or static code analysis
29 CWEs | 3075 CVEs | Found in 4.5% of apps | Occurred 234k times | Weighted Exploit: 7.3 | Weighted Impact: 6.8
A03:2021 Injection
• Moving down from A1 … at last
• Now covers XSS and JavaScript injection due to safer view frameworks
• Easily - but now rarely - found using tools
• Still quite exploitable
• Adopt better frameworks and more secure paved roads
• Provide observability to development teams if they use less secure alternatives
• Help by providing paved roads and gold standard support for safer frameworks
33 CWEs | 32k CVEs | Found in 3.4% of apps | Occurred 274k times | Weighted Exploit: 7.3 | Weighted Impact: 7.2
A04:2021 Insecure Design
• New category obtained from data
• Broad category, but it’s NOT a catch-all bucket!
• Insecure design directly impacts application security
• Insecure design is easily the costliest to fix later (up to 100x)
• Really shift left! Earlier integration with the development teams
• Threat model: Where are controls needed? Are they there? Do they work?
• Adopt better frameworks! Create secure paved roads with dev teams
• Test, test, and test! Create unit, integration, and other tests
40 CWEs | 2691 CVEs | Found in 3.0% of apps | Occurred 262k times | Weighted Exploit: 6.5 | Weighted Impact: 6.8
A05:2021 Security Misconfiguration
• Cloud infrastructure as code == slight jump to A5
• Covers unhardened, misconfigured, and default configurations
• Eliminate the risk: Build “paved road” pre-hardened development and production frameworks, components, and build configurations
• Surface the risk: Build tools to identify weakly or insecurely configured components and applications
20 CWEs | 789 CVEs | Found in 4.5% of apps | Occurred 208k times | Weighted Exploit: 8.1 | Weighted Impact: 6.6
A06:2021 Vulnerable and Outdated Components
• Root cause of the LARGEST and MOST COSTLY breach of all time
• Covers the USG Executive Order for supply chain security
• Covers “Patching Applications” of the ASD Essential 8
• CWEs are self-referential to previous OWASP Top 10s
• Recommend using CI/CD tools to warn for outdated components
• Strongly recommend breaking the build for vulnerable components
3 CWEs | 0 CVEs | Found in 8.8% of apps | Occurred 30k times | Weighted Exploit: 5.0 | Weighted Impact: 5.0
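The last two bullets (warn on outdated components, break the build on vulnerable ones) are a CI gate. The example below is added here and is not code from the OWASP Top 10 project or any real scanner: it reads a constructed CycloneDX-style SBOM with placeholder component names, matches it against a constructed advisory feed with placeholder ids, and returns a non-zero exit status when any finding meets the severity threshold, so the pipeline fails instead of shipping.

```python
"""Break the build on vulnerable components, A06:2021.

Added illustration, not code from the OWASP Top 10 project or any real
scanner. The SBOM fragment and the advisory feed are constructed sample
data in a CycloneDX-like shape with placeholder component names; the
version compare is a simple dotted-integer compare, so pre-release tags
and ecosystem-specific ordering rules are out of scope here.
"""
import json
import sys
from itertools import takewhile
from typing import Dict, Iterable, List, Tuple

# Constructed SBOM: what a CI step would read from the build's output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.14.1"},
        {"type": "library", "name": "example-http", "version": "4.5.13"},
        {"type": "library", "name": "example-json", "version": "1.9.3"},
    ],
})

# Constructed advisory feed; ids are placeholders, not real CVE/GHSA ids.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "example-logger",
     "affected_below": "2.15.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "name": "example-json",
     "affected_below": "1.8.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "name": "example-http",
     "affected_below": "4.5.14", "severity": "medium"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.5.13' -> (4, 5, 13). Each part keeps only its leading digits, so
    '1.9.3-beta' -> (1, 9, 3); trailing zeros are dropped so that '2.0'
    and '2.0.0' compare equal."""
    parts = []
    for part in version.split("."):
        digits = "".join(takewhile(str.isdigit, part))
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def find_vulnerable(sbom_json: str, advisories: Iterable[Dict]) -> List[Dict]:
    """One finding per (component, advisory) pair whose shipped version is
    below the first fixed version named by the advisory."""
    by_name: Dict[str, List[Dict]] = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        for adv in by_name.get(comp["name"], []):
            if parse_version(comp["version"]) < parse_version(adv["affected_below"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "fixed_in": adv["affected_below"],
                    "severity": adv["severity"],
                })
    return findings


def build_should_fail(findings: Iterable[Dict], fail_at: str = "high") -> bool:
    """The policy gate: fail when any finding is at or above the threshold.
    Findings below the threshold are still printed as warnings by main()."""
    threshold = SEVERITY_RANK[fail_at]
    return any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)


def main() -> int:
    """CI entry point: a non-zero exit status breaks the build."""
    findings = find_vulnerable(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in findings:
        print(f"{f['severity'].upper():8} {f['component']} {f['version']} "
              f"< {f['fixed_in']} ({f['advisory']})")
    return 1 if build_should_fail(findings, "high") else 0


if __name__ == "__main__":
    sys.exit(main())
```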
A07:2021 Identification and Authentication Failures
• Replaces 2017:A2 Broken Authentication
• Includes authentication and session management issues
• CWEs cover nearly all of ASVS V2 and V3 at Level 1
• Protect against re-used, breached, and weak passwords
• Add MFA to all the things
• Use the ASVS to improve authentication of your apps
• Consider a “paved road” secured and shared authentication service
22 CWEs | 3897 CVEs | Found in 2.6% of apps | Occurred 132k times | Weighted Exploit: 7.4 | Weighted Impact: 6.5
A08:2021 Software and Data Integrity Failures
• Integrity of business or privacy critical data
• Lack of integrity of includes from content delivery networks (CDNs)
• Software updates without integrity
• CI/CD pipelines without check-in or build checks, unsigned output
• Improve the integrity of the build process
• Use SBOM to identify authentic builds and updates
• Use sub-resource integrity if using a CDN for web page includes
• Consider how you vet and ensure npm, maven, repos are legit
10 CWEs | 1152 CVEs | Found in 2.0% of apps | Occurred 47.9k times | Weighted Exploit: 6.9 | Weighted Impact: 7.9
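Sub-resource integrity, as recommended above for CDN includes, is a hash of the file pinned into the `<script>` tag so the browser refuses a modified copy. The example below is added here and is not code from the OWASP Top 10 project: it generates the integrity attribute for a constructed sample script at build time, and mirrors the browser-side check, including the rule that when several hashes are listed only the strongest algorithm present counts.

```python
"""Subresource Integrity (SRI) for CDN-hosted includes, A08:2021.

Added illustration, not code from the OWASP Top 10 project. The script
body below is a constructed stand-in for the file a build step would
fetch from the CDN and hash.
"""
import base64
import hashlib
import re

# Algorithms the SRI spec allows, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample resource (placeholder for a vendored library file).
SAMPLE_SCRIPT = b"window.vendorLib = {version: '1.2.3'};\n"


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return integrity metadata of the form 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm {algorithm!r}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Emit the <script> element. crossorigin="anonymous" is needed for a
    cross-origin resource, otherwise the browser cannot perform the check."""
    return (f'<script src="{src}" integrity="{sri_digest(content, algorithm)}" '
            'crossorigin="anonymous"></script>')


# One metadata token: algorithm, base64 digest, optional "?options" suffix.
_METADATA_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?$")


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Mirror the browser's rule: the attribute may list several
    space-separated hashes; only those using the strongest algorithm
    present are considered, and the content must match one of them.
    Metadata with no recognised token is treated as failing the check
    (a browser would load such a resource unprotected, so a build-time
    check should flag it rather than pass it)."""
    parsed = []
    for token in integrity.split():
        match = _METADATA_RE.match(token)
        if match:
            parsed.append((match.group(1), match.group(2)))
    if not parsed:
        return False
    strongest = max(parsed, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    expected = {b64 for alg, b64 in parsed if alg == strongest}
    actual = sri_digest(content, strongest).split("-", 1)[1]
    return actual in expected


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/vendorLib.min.js", SAMPLE_SCRIPT)
    print(tag)
    print("unmodified copy verifies:",
          verify_integrity(SAMPLE_SCRIPT, sri_digest(SAMPLE_SCRIPT)))
    print("tampered copy verifies:",
          verify_integrity(SAMPLE_SCRIPT + b"//x", sri_digest(SAMPLE_SCRIPT)))
```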
A09:2021 Security Logging and Monitoring Failures
• Included by survey results for a second time
• Critical to reduce the breach window, response time, and cleanup
• Necessary if you have breach disclosure laws
• Critical if you intend to prosecute
• Interview or code review is the best review technique
• Static code analysis can’t find the absence of logging
• Still difficult to dynamically test
4 CWEs | 242 CVEs | Found in 6.5% of apps | Occurred 53.6k times | Weighted Exploit: 6.9 | Weighted Impact: 5.0
A10:2021 Server-Side Request Forgery (SSRF)
• Included by survey
• Written by Orange Tsai – thank you so much!
• Everyone needs to learn how to test
  • Developers
  • AppSec Professionals
• Frameworks need to protect against SSRF by default
• IDEs (and frameworks through *doc) need to highlight potential SSRF
• Like XXE, we hope the focus in OWASP Top 10 2021 will help retire it
1 CWE | 385 CVEs | Found in 2.7% of apps | Occurred 9.5k times | Weighted Exploit: 8.2 | Weighted Impact: 6.7
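"Protect against SSRF by default" means the HTTP client a framework hands to developers validates destinations before connecting. The example below is added here and is not code from the OWASP Top 10 project or any framework; the host allowlist and the stub DNS table are constructed so it runs offline, and it shows the order of checks a defender wants (scheme, embedded credentials, allowlist, then every resolved address screened against loopback, private, link-local and metadata ranges).

```python
"""Outbound URL validation against SSRF, A10:2021.

Added illustration, not code from the OWASP Top 10 project or any
framework. The allowlist and the stub DNS table are constructed so the
example runs offline; a real service resolves with its own resolver and
connects to the address it validated (pinning), so a later lookup cannot
swap in a different address.
"""
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service is meant to call out to.
ALLOWED_HOSTS = frozenset({"api.partner.example", "cdn.example"})

# Constructed stub DNS table (documentation and private ranges only).
STUB_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "cdn.example": ["198.51.100.7", "10.0.0.5"],   # one record is internal
    "localtest.example": ["127.0.0.1"],
}

Resolver = Callable[[str], Iterable[str]]

# Ranges an outbound fetch must never reach: 'this network', RFC 1918,
# CGNAT, loopback, link-local (includes the 169.254.169.254 cloud metadata
# endpoint), and the IPv6 loopback, unique-local and link-local blocks.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def stub_resolve(host: str) -> Iterable[str]:
    """Stands in for DNS resolution so the example needs no network."""
    return STUB_DNS.get(host, [])


def is_public_address(ip: str) -> bool:
    """True only for addresses outside the blocked ranges and outside
    multicast/reserved/unspecified space. IPv4-mapped IPv6 is unwrapped
    first so ::ffff:127.0.0.1 cannot slip past the IPv4 rules. A stricter
    policy would use `not addr.is_global`, which also rejects the
    documentation ranges this example uses as its 'public' sample data."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    if addr.is_multicast or addr.is_reserved or addr.is_unspecified:
        return False
    return not any(addr in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolve: Resolver = stub_resolve) -> str:
    """Return the validated hostname or raise ValueError. Cheap syntactic
    checks come first, the allowlist next, DNS last; every address the
    host resolves to must be public, because the HTTP client may connect
    to any of them."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https is permitted")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URL are not permitted")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} is not on the allowlist")
    addresses = list(resolve(host))
    if not addresses:
        raise ValueError(f"host {host!r} did not resolve")
    for ip in addresses:
        if not is_public_address(ip):
            raise ValueError(f"host {host!r} resolves to non-public {ip}")
    return host


def is_safe_url(url: str, resolve: Resolver = stub_resolve) -> bool:
    """Boolean wrapper for callers that only need a yes/no."""
    try:
        validate_outbound_url(url, resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("https://api.partner.example/v1/report",
                      "https://cdn.example/lib.js",
                      "https://api.partner.example@localtest.example/"):
        print(candidate, "->", "allowed" if is_safe_url(candidate) else "blocked")
```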
A11:2021 Next Steps
• OWASP Top 10 is the MINIMUM
• There’s always something that nearly makes it in
• Include these in any coding standard or testing:
  • Code Quality issues
  • Denial of Service
  • Memory Management Errors
Wrap Up
• Frameworks helped eliminate bug classes. Please continue!
• Threat model, eliminate or reduce bug classes, and test, test, test
• Improve your appsec program or checklists using:
  • OWASP Proactive Controls for entry level developers
  • OWASP Application Security Verification Standard for all developers
  • OWASP Cheat Sheets for concrete advice
  • OWASP Web Testing Guide to learn how to test the ASVS and Top 10
  • OWASP Education and Training Committee developing a curriculum and framework for developer training
Get involved
• Head over to #project-top-10 on OWASP Slack and say hi
• Still to produce one pager and PDF version
• Looking for translators - #top-10-translations
• Log issues at https://github.com/OWASP/Top10
• Review drafts, suggest improvements by logging issues
• We work in GitHub in Markdown
• Fork and branch to create PRs
Questions? #20th-anniv-flagshipproject
20th Anniversary - OWASP Top 10 2021.pptx

Editor's Notes

  1. Also, metadata manipulation (such as JWT), CORS, and force browsing