The document discusses the OWASP Top 10 list, which identifies the most critical web application security risks. It provides an overview of the Open Web Application Security Project (OWASP) and explains each of the top 10 risks in the current list - including broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server side request forgery. For each risk, it provides a brief example and recommendations for prevention.
Slides from data MindsConnect 2018 Conference hosted at Ghelamnco Arena in Ghent by Belgian SQL Server USer Grup. SECDev(OPS) How to embrace your security.
A presentation of OWASP's top 10 most common web application security flaws. The content in the slides is sourced from various sources listed in the references section.
Slides from data MindsConnect 2018 Conference hosted at Ghelamnco Arena in Ghent by Belgian SQL Server USer Grup. SECDev(OPS) How to embrace your security.
A presentation of OWASP's top 10 most common web application security flaws. The content in the slides is sourced from various sources listed in the references section.
CISA GOV - Seven Steps to Effectively Defend ICSMuhammad FAHAD
INTRODUCTION
Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it’s not a matter of if an intrusion will take place, but when. In Fiscal Year (FY) 2015, 295 incidents were reported to ICS-CERT, and many more went unreported or undetected. The capabilities of our adversaries have been demonstrated and cyber incidents are increasing in frequency and complexity. Simply building a
network with a hardened perimeter is no longer adequate. Securing ICSs against the modern threat requires well-planned and well-implemented strategies that will provide network defense
teams a chance to quickly and effectively detect, counter, and expel an adversary. This paper presents seven strategies that can be implemented today to counter common exploitable
weaknesses in “as-built” control systems.
Seven recommendations for bolstering industrial control system cyber securityCTi Controltech
Recommendations from ICS-CERT, the Industrial Control System Cyber Emergency Response Team, a division of Department of Homeland Security. Seven basic steps to follow that will substantially boost cyber security and generate awareness of the threat potential
Industrial control systems may be at least, or even more, vulnerable to intrusion and malicious attack than you desktop PC. The National Cybersecurity and Communications Integration Center outlines seven basic steps you can take to harden your industrial control system against intrusion and mischief.
This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems. Length is 6 pages.
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsMiller Energy, Inc.
This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems for industrial processes and operations.
Defending Industrial Control Systems From CyberattackCTi Controltech
Industrial control systems of all types and vintages likely are exposed to some level of unauthorized intrusion. Individuals and organizations with nefarious intent will try to gain access to information or control elements, stealing data or causing a range of inappropriate operations.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp
Security? It's simple. We have Security Team... Security of our environment, application, development it's their security. We follow Best Practices, we implementing their's suggestions (or not...).
But maybe today, in June 2018, where GDPR is a fact, we should look a little bit more in details for the security aspects. Well know and less known risks, vulnerability assessments, secure coding, secure testing,
Let's discuss: SEC/DEV/OPS/SDLC/OSSTMM/OWASP/ITIL and few other acronyms. Use freely available knowledge and specially prepared environment to check and test our security before we touch out Visual Studio, PowerShell, CLI, Visual Studio Code, or even JSON. Be #SecureByDesign
Application Security Vulnerabilities: OWASP Top 10 -2007Vaibhav Gupta
General concepts of web application security vulnerabilities primarily based on OWASP Top 10 list-2007(I know its too old :-))
I, along with Sandeep and Vishal, presented on this at IIIT-Delhi college in April, 2014
"Welcome to the OWASP Top 10 2010! This significant update presents a more concise, risk focused list of the Top 10 Most Critical Web Application Security Risks. The OWASP Top 10 has always been about risk, but this update makes this much more clear than previous editions, and provides additional information on how to assess these risks for your applications.
For each top 10 item, this release discusses the general likelihood and consequence factors that are used to categorize the typical severity of the risk, and then presents guidance on how to verify whether you have this problem, how to avoid this problem, some example flaws in that area, and pointers to links with more information.
The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic methods to protect against these high risk problem areas – a great start to your secure coding security program."
In this presentation, we explain why OAuth and SSL are not enough when it comes to API Security, and that you should also think about addressing other aspects such as confidentiality, integrity, audit or compliance requirements. We expose the tactics to address each of those aspects, and a set of recommendations to apply immediately to your APIs development.
CISA GOV - Seven Steps to Effectively Defend ICSMuhammad FAHAD
INTRODUCTION
Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it’s not a matter of if an intrusion will take place, but when. In Fiscal Year (FY) 2015, 295 incidents were reported to ICS-CERT, and many more went unreported or undetected. The capabilities of our adversaries have been demonstrated and cyber incidents are increasing in frequency and complexity. Simply building a
network with a hardened perimeter is no longer adequate. Securing ICSs against the modern threat requires well-planned and well-implemented strategies that will provide network defense
teams a chance to quickly and effectively detect, counter, and expel an adversary. This paper presents seven strategies that can be implemented today to counter common exploitable
weaknesses in “as-built” control systems.
Seven recommendations for bolstering industrial control system cyber securityCTi Controltech
Recommendations from ICS-CERT, the Industrial Control System Cyber Emergency Response Team, a division of Department of Homeland Security. Seven basic steps to follow that will substantially boost cyber security and generate awareness of the threat potential
Industrial control systems may be at least, or even more, vulnerable to intrusion and malicious attack than you desktop PC. The National Cybersecurity and Communications Integration Center outlines seven basic steps you can take to harden your industrial control system against intrusion and mischief.
This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems. Length is 6 pages.
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsMiller Energy, Inc.
This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems for industrial processes and operations.
Defending Industrial Control Systems From CyberattackCTi Controltech
Industrial control systems of all types and vintages likely are exposed to some level of unauthorized intrusion. Individuals and organizations with nefarious intent will try to gain access to information or control elements, stealing data or causing a range of inappropriate operations.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp
Security? It's simple. We have Security Team... Security of our environment, application, development it's their security. We follow Best Practices, we implementing their's suggestions (or not...).
But maybe today, in June 2018, where GDPR is a fact, we should look a little bit more in details for the security aspects. Well know and less known risks, vulnerability assessments, secure coding, secure testing,
Let's discuss: SEC/DEV/OPS/SDLC/OSSTMM/OWASP/ITIL and few other acronyms. Use freely available knowledge and specially prepared environment to check and test our security before we touch out Visual Studio, PowerShell, CLI, Visual Studio Code, or even JSON. Be #SecureByDesign
Application Security Vulnerabilities: OWASP Top 10 -2007Vaibhav Gupta
General concepts of web application security vulnerabilities primarily based on OWASP Top 10 list-2007(I know its too old :-))
I, along with Sandeep and Vishal, presented on this at IIIT-Delhi college in April, 2014
"Welcome to the OWASP Top 10 2010! This significant update presents a more concise, risk focused list of the Top 10 Most Critical Web Application Security Risks. The OWASP Top 10 has always been about risk, but this update makes this much more clear than previous editions, and provides additional information on how to assess these risks for your applications.
For each top 10 item, this release discusses the general likelihood and consequence factors that are used to categorize the typical severity of the risk, and then presents guidance on how to verify whether you have this problem, how to avoid this problem, some example flaws in that area, and pointers to links with more information.
The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic methods to protect against these high risk problem areas – a great start to your secure coding security program."
In this presentation, we explain why OAuth and SSL are not enough when it comes to API Security, and that you should also think about addressing other aspects such as confidentiality, integrity, audit or compliance requirements. We expose the tactics to address each of those aspects, and a set of recommendations to apply immediately to your APIs development.
Talk on "Recon Resurgence: Level up your Recon skills for Maximum impact in Bug-Bounty" by "Agnibha Dutta" at null/OWASP Kolkata Meetup on 27 January 2024
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
2. ABOUT ME
Mukunda Tamly
Information Security Analyst (ISOAH)
Penetration Tester
https://www.linkedin.com/in/mukund
a-tamly-4b77a81b2/
mukundatamly2412@gmail.com
3. AGENDA
A bit of OWASP
OWASP Top 10 List
OWASP Top 10 in-depth
Demo
Q&A
4. A bit of OWASP
Open Worldwide Application Security Project aka OWASP
It is a non-profit foundation that works to improve the
security of applications.
It was founded in 2003
It works by collaboration, education and tools.
It Update their list after a gap of 3 to 4 years
5. OWASP Top 10 list
A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server Side Request Forgery (SSRF)
6. A01: Broken Access Control
When a regular user can access protected information,
when they are not meant to see then the access
controls are broken.
Example:
An attacker simply forces browses to target URLs. Admin rights
are required for access to the admin page.
https://example.com/app/getappInfo
https://example.com/app/admin_getappInfo
7. A01: How to prevent
Implement access control mechanisms
Minimize Cross-Origin Resource Sharing (CORS) usage
Except for public resources, deny by default
8. A02: Cryptographic Failures
A cryptographic failure refers to any vulnerability
arising from the lack of use of cryptographic algorithms
for protecting sensitive information.
Example:
The password database uses unsalted or simple hashes to store
everyone's passwords. A file upload flaw allows an attacker to
retrieve the password database. All the unsalted hashes can be
exposed with a rainbow table of pre-calculated hashes. Hashes
generated by simple or fast hash functions may be cracked by
GPUs, even if they were salted
9. A01: How to prevent
Store passwords using strong adaptive and salted
hashing functions with a work factor (delay factor), such
as Argon2, scrypt, bcrypt or PBKDF2.
Make sure to encrypt all sensitive data at rest.
Encrypt all data in transit with secure protocols such as
TLS with forward secrecy (FS) ciphers, cipher
prioritization by the server, and secure parameters.
Enforce encryption using directives like HTTP Strict
Transport Security (HSTS).
10. A03: Injection
Injection flaws occurs because the application
interprets user-controlled input as commands or
parameters.
Example:
An application uses untrusted data in the construction of the
following vulnerable SQL call:ple.com/app/admin_getappInfo
String query = "SELECT * FROM accounts WHERE custID='" +
request.getParameter("id") + "'";
11. A03: How to prevent
Use positive server-side input validation.
Use LIMIT and other SQL controls within queries to
prevent mass disclosure of records in case of SQL
injection.
12. A04: Insecure Design
Insecure design refers to vulnerabilities which are
inherent to the application's architecture.
Example:
A cinema chain allows group booking discounts and has a
maximum of fifteen attendees before requiring a deposit.
Attackers could threat model this flow and test if they could
book six hundred seats and all cinemas at once in a few requests,
causing a massive loss of income.
13. A04: How to prevent
Establish and use a secure development lifecycle
Use threat modeling for critical authentication, access
control, business logic, and key flows
Limit resource consumption by user or service
14. A05: Security Misconfiguration
It occurs when security could have been appropriately
configured but was not.
Example:
The application server's configuration allows detailed error
messages, e.g., stack traces, to be returned to users. This
potentially exposes sensitive information or underlying flaws
such as component versions that are known to be vulnerable..
15. A05: How to prevent
A minimal platform without any unnecessary features,
components, documentation, and samples. Remove or
do not install unused features and frameworks.
A task to review and update the configurations
appropriate to all security notes, updates, and patches
as part of the patch management process
16. A06: Vulnerable and Outdated Components
Sometimes we can find that the company/entity we are
doing pentesting is using a program with a well known
vulnerability.
Example:
CVE-2017-5638, a Struts 2 remote code execution
vulnerability that enables the execution of arbitrary code on
the server, has been blamed for significant breaches
17. A06: How to prevent
Continuously monitor sources like Common
Vulnerability and Exposures (CVE) and National
Vulnerability Database (NVD) for vulnerabilities in the
components.
Only obtain components from official sources over
secure links. Prefer signed packages to reduce the
chance of including a modified, malicious component
18. A07: Identification and Authentication Failures
Confirmation of the user's identity, authentication, and
session management is critical to protect against
authentication-related attacks.
Example:
Application session timeouts aren't set correctly. A user uses
a public computer to access an application. Instead of
selecting "logout," the user simply closes the browser tab
and walks away. An attacker uses the same browser an hour
later, and the user is still authenticated.
19. A07: How to prevent
Where possible, implement multi-factor authentication
to prevent automated credential stuffing, brute force,
and stolen credential reuse attacks.
Implement weak password checks, such as testing new
or changed passwords against the top 10,000 worst
passwords list.
20. A08: Software and Data Integrity Failures
Software and data integrity failures relate to code and
infrastructure that does not protect against integrity
violations.
Example:
An example of this is where an application relies upon
plugins, libraries, or modules from untrusted sources,
repositories, and content delivery networks (CDNs).
21. A08: How to prevent
Ensure libraries and dependencies, such as npm or
Maven, are consuming trusted repositories. If you have a
higher risk profile, consider hosting an internal known-
good repository that's vetted.
Use digital signatures or similar mechanisms to verify the
software or data is from the expected source and has not
been altered.
22. A09: Security Logging and Monitoring Failures
This vulnerability arises from code or infrastructure that
uses software or data without using any kind of integrity
checks.
Example:
A major Indian airline had a data breach involving more than
ten years' worth of personal data of millions of passengers,
including passport and credit card data. The data breach
occurred at a third-party cloud hosting provider, who
notified the airline of the breach after some time.
23. A09: How to prevent
Ensure all login, access control, and server-side input
validation failures can be logged with sufficient user
context to identify suspicious or malicious accounts and
held for enough time to allow delayed forensic analysis.
Ensure log data is encoded correctly to prevent
injections or attacks on the logging or monitoring
systems.
24. A10: Server Side Request Forgery (SSRF)
This type of vulnerability occurs when an attacker can
coerce a web application into sending requests on their
behalf to arbitrary destinations while having control of
the contents of the request itself.
Example:
Sensitive data exposure – Attackers can access local files or
internal services to gain sensitive information such as
file:///etc/passwd and http://localhost:28017/
25. A10: How to prevent
Do not send raw responses to clients
Segment remote resource access functionality in
separate networks to reduce the impact of SSRF
For frontends with dedicated and manageable user
groups use network encryption (e.g. VPNs) on
independent systems to consider very high protection
needs