SlideShare a Scribd company logo
March 21, 2019
Matt Scheurer
@c3rkah
Slides:
https://www.slideshare.net/cerkah
AppSec & OWASP Top 10 Primer
AppSecAppSec
--------------------------------
& OWASP& OWASP
Top 10Top 10
About Me...
●
Sr. Systems Security
Engineer in the
Financial Services
Industry
●
Frequent speaker at
Information Security
/ Hacker
conferences
●
Teacher at heart!
●
Chair of the
Places where I have presented...
Why am I speaking at a Dev Con?
It all started with a tweet…
Why AppSec?
What is OWASP?
The Open Web Application Security Project (OWASP),
an online community, produces freely-available
articles, methodologies, documentation, tools, and
technologies in the field of web application security.
●
Web site - https://www.owasp.org/
OWASP History
●
Started in December, 2001
●
Obtained 501c3 (non-profit) Status in April 2004
●
OWASP Top Ten List
– The "Top Ten", first published in 2003, is regularly
updated. It aims to raise awareness about
application security by identifying some of the most
critical risks facing organizations
●
The OWASP foundation has produced many
guides, projects, and publications, since their
beginning
OWASP Top 10 List (2017)
●
A1:2017-Injection
●
A2:2017-Broken
Authentication
●
A3:2017-Sensitive Data
Exposure
●
A4:2017-XML External
Entities (XXE)
●
A5:2017-Broken Access
Control
●
A6:2017-Security
Misconfiguration
●
A7:2017-Cross-Site Scripting
(XSS)
●
A8:2017-Insecure
Deserialization
●
A9:2017-Using Components
with Known Vulnerabilities
●
A10:2017-Insufficient
Logging&Monitoring
●
Current Version
– https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
– https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Recent OWASP Top 10 Changes
From 2013 to 2017...
●
"Cross-Site Scripting (XSS)" Down from A3 to A7
●
"Insecure Direct Object References" (A4) and "Missing
Function Level Access Control" (A7)
– Merged into "Broken Access Control" as A5
●
"Security Misconfiguration" Down from A5 to A6
●
"Sensitive Data Exposure" Up from A5 to A3
●
"Cross-Site Request Forgery (CSRF)" Removed
●
"Unvalidated Redirects and Forwards" Removed
Additions to the OWASP Top 10
From 2013 to 2017...
●
A4:2017-XML External Entities (XXE)
●
A8:2017-Insecure Deserialization
●
A10:2017-Insufficient Logging & Monitoring
Where and How to Learn AppSec
●
We will cover some basic resources to help get
you started on a path towards self-learning...
– Basic Vulnerability Scanners
– AppSec Testing Platforms
– Free places to learn AppDev
– Free places to learn AppSec
– Free Learning / Practice Platforms
NOTE: These are not exhaustive lists as there
are many more resources available!
Starting Out...
●
Advice my mother
would offer about how
to begin learning
AppSec and testing
web server, website
and web application
security...
Vulnerability Scanners
●
Core Security: Core Impact
●
Rapid7 products: Nexpose
●
Tenable: Nessus
●
Qualys: Web Application Scanning (WAS)
●
Open Source: OpenVAS
●
Open Source / Kali Linux: Sparta / Nikto
AppSec Testing Platforms
●
Start with: OWASP ZAP (Zed Attack Proxy)
– https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
●
Move to: Fiddler - Free Web Debugging Proxy
– https://www.telerik.com/fiddler
●
Graduate to: Burp Suite Scanner
– https://portswigger.net/burp
●
Honorable Mention: Nmap w/ NSE Scripts
●
Honorable Mention: Samurai Web Testing
Framework
Free places to learn AppDev
●
Codecademy
– https://www.codecademy.com/
●
Khan Academy
– https://www.khanacademy.org/computing
●
SQLCourse.com
– http://www.sqlcourse.com/
●
W3Schools
– https://www.w3schools.com/
Free places to learn AppSec
●
OWASP (Of course!)
– https://www.owasp.org/
●
Your nearest local OWASP Chapter
– https://www.owasp.org/index.php/OWASP_Chapter
●
YouTube
– https://www.youtube.com/
●
Cybrary
– https://www.cybrary.it/course/web-application-pen-testing/
– https://www.cybrary.it/course/ethical-hacking/
– https://www.cybrary.it/course/advanced-penetration-testing/
– https://www.cybrary.it/course/python/
Free Learning / Practice Platforms
●
OWASP Mutillidae
– https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project
●
OWASP WebGoat
– https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
●
OWASP Juice Shop
– https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
●
Rapid7 Metasploitable
– https://github.com/rapid7/metasploitable3
●
PentesterLab
– https://pentesterlab.com/exercises/
Troy Hunt Resources
●
Hack Yourself First
– "Hack Yourself First" is all about developers building
up cyber-offense skills and proactively seeking out
security vulnerabilities in their own websites before
an attacker does
– There are 50 intentional very sloppy security
practices to be found
– http://hack-yourself-first.com/
●
Free Accompanying Pluralsight Course
– http://pluralsight.com/training/Courses/TableOfContents/hack-yourself-first
What about a WAF?
●
A Web Application Firewall (WAF) filters, monitors,
and blocks attack traffic to and from specific web
applications.
– Prevents attacks stemming from web application security
flaws, such as SQL injection, cross-site scripting (XSS),
file inclusion, and security misconfigurations, etc.
●
WAF’s are good as a compensating control and a
good defense-in-depth strategy, but...
– Nobody should rely solely on a WAF for web app security
●
WAF bypasses are continuously being researched, published,
and included in exploit kit updates
●
A WAF is not likely to stop all of the attacks
*** Live Demo Alert ***
This presentation features “Live Demos”, because
the speaker is...
*** Live Demo Alert ***
This presentation features “Live Demos”, because
the speaker is...
*** Live Demo Alert ***
This presentation features “Live Demos”, because
the speaker is...
*** Live Demo Alert ***
This presentation features “Live Demos”, because
the speaker is...
*** Live Demo Alert ***
Please pick 2…
*** Live Demo Alert ***
Please pick 2…
So I am not just Crazy!
Scanning Demo w/ Nikto!
●
Nikto
– Nikto is an Open Source (GPL) web server scanner which
performs comprehensive tests against web servers for
multiple items, including over 6700 potentially dangerous
files/programs, checks for outdated versions of over 1250
servers, and version specific problems on over 270 servers.
It also checks for server configuration items such as the
presence of multiple index files, HTTP server options, and
will attempt to identify installed web servers and software.
Scan items and plugins are frequently updated and can be
automatically updated.
– https://cirt.net/Nikto2
●
Nikto is available as a free download and is also
included in Kali Linux
Accidental Exposure Demo w/ ZAP!
●
OWASP ZAP
– The Zed Attack Proxy (ZAP) is an easy to use
integrated penetration testing tool for finding
vulnerabilities in web applications. It is designed to
be used by people with a wide range of security
experience including developers and functional
testers who are new to penetration testing.
– https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
●
ZAP is available as a free download and is also
included in Kali Linux
Conclusion
The need for AppSec
practitioners is great…
●
Because there’s a whole lot
of horrible out there!
Shout outs and thank you’s...
●
OWASP
– https://www.owasp.org
●
Cincinnati OWASP Chapter
– https://www.owasp.org/index.php/Cincinnati
●
Columbus OWASP Chapter
– https://www.owasp.org/index.php/Columbus
●
University of Cincinnati OWASP Chapter
– https://www.cyberatuc.org/
– https://www.youtube.com/channel/UCWcJuk7A_1nDj4m-cHWvIFw
Questions
Who ...
What ...
When ...
Where ...
Why ...
How ...
March 21, 2019
Matt Scheurer
@c3rkah
Slides:
https://www.slideshare.net/cerkah
Thank you for attending!
AppSecAppSec
--------------------------------
& OWASP& OWASP
Top 10Top 10

More Related Content

What's hot

Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karma
n|u - The Open Security Community
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
OWASP
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
 
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo Talk
Simon Bennetts
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burp
Tomasz Fajks
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
Simon Bennetts
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced Features
Simon Bennetts
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Michael Coates
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP InnovationsOWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
Using the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolUsing the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing tool
David Sweigert
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
Simon Bennetts
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
“Sensu and Sensibility” - The Story of a Journey From #monitoringsucks to #mo...
“Sensu and Sensibility” - The Story of a Journey From #monitoringsucks to #mo...“Sensu and Sensibility” - The Story of a Journey From #monitoringsucks to #mo...
“Sensu and Sensibility” - The Story of a Journey From #monitoringsucks to #mo...
Puppet
 
2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop
Simon Bennetts
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 

What's hot (20)

Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karma
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
 
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo Talk
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burp
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced Features
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP InnovationsOWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
 
Using the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolUsing the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing tool
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 
“Sensu and Sensibility” - The Story of a Journey From #monitoringsucks to #mo...
“Sensu and Sensibility” - The Story of a Journey From #monitoringsucks to #mo...“Sensu and Sensibility” - The Story of a Journey From #monitoringsucks to #mo...
“Sensu and Sensibility” - The Story of a Journey From #monitoringsucks to #mo...
 
2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing
 

Similar to AppSec & OWASP Top 10 Primer

OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
ISC2: AppSec & OWASP Primer
ISC2: AppSec & OWASP PrimerISC2: AppSec & OWASP Primer
ISC2: AppSec & OWASP Primer
ThreatReel Podcast
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec Presentation
ThreatReel Podcast
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
ThreatReel Podcast
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
Sudhanshu Chauhan
 
Web Security... Level Up
Web Security... Level UpWeb Security... Level Up
Web Security... Level Up
Izzet Mustafaiev
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
alessiomarziali
 
DevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOps
DevOps Indonesia
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf Hadiwinata
Hananto Wibowo Soenarto
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust TheoremOWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Clark Everetts
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
OWASP Delhi
 
Devops Indonesia - DevSecOps - The Open Source Way
Devops Indonesia - DevSecOps - The Open Source WayDevops Indonesia - DevSecOps - The Open Source Way
Devops Indonesia - DevSecOps - The Open Source Way
Yusuf Hadiwinata Sutandar
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
Magno Logan
 
hacking your website with vega, confoo2011
hacking your website with vega, confoo2011hacking your website with vega, confoo2011
hacking your website with vega, confoo2011Bachkoutou Toutou
 

Similar to AppSec & OWASP Top 10 Primer (20)

OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
ISC2: AppSec & OWASP Primer
ISC2: AppSec & OWASP PrimerISC2: AppSec & OWASP Primer
ISC2: AppSec & OWASP Primer
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec Presentation
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
Web Security... Level Up
Web Security... Level UpWeb Security... Level Up
Web Security... Level Up
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
DevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOps
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf Hadiwinata
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust TheoremOWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
 
Devops Indonesia - DevSecOps - The Open Source Way
Devops Indonesia - DevSecOps - The Open Source WayDevops Indonesia - DevSecOps - The Open Source Way
Devops Indonesia - DevSecOps - The Open Source Way
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
 
hacking your website with vega, confoo2011
hacking your website with vega, confoo2011hacking your website with vega, confoo2011
hacking your website with vega, confoo2011
 

More from ThreatReel Podcast

CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIs
ThreatReel Podcast
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
ThreatReel Podcast
 
BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!
ThreatReel Podcast
 
PwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIsPwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIs
ThreatReel Podcast
 
CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful API
ThreatReel Podcast
 
CCC - Lend me your IR's
CCC - Lend me your IR'sCCC - Lend me your IR's
CCC - Lend me your IR's
ThreatReel Podcast
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
ThreatReel Podcast
 
OISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for EveryoneOISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for Everyone
ThreatReel Podcast
 
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies SucceedCentral Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
ThreatReel Podcast
 
Butler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSecButler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSec
ThreatReel Podcast
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
ThreatReel Podcast
 
CiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical SecurityCiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical Security
ThreatReel Podcast
 
CiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG HistoryCiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG History
ThreatReel Podcast
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
ThreatReel Podcast
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
ThreatReel Podcast
 
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ThreatReel Podcast
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
ThreatReel Podcast
 

More from ThreatReel Podcast (20)

CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIs
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
 
BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!
 
PwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIsPwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIs
 
CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful API
 
CCC - Lend me your IR's
CCC - Lend me your IR'sCCC - Lend me your IR's
CCC - Lend me your IR's
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
OISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for EveryoneOISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for Everyone
 
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies SucceedCentral Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
 
Butler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSecButler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSec
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
 
CiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical SecurityCiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical Security
 
CiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG HistoryCiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG History
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
 
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
 
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
 
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!
 
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
 

Recently uploaded

The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
VivekSinghShekhawat2
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 

Recently uploaded (20)

The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 

AppSec & OWASP Top 10 Primer

  • 1. March 21, 2019 Matt Scheurer @c3rkah Slides: https://www.slideshare.net/cerkah AppSec & OWASP Top 10 Primer AppSecAppSec -------------------------------- & OWASP& OWASP Top 10Top 10
  • 2. About Me... ● Sr. Systems Security Engineer in the Financial Services Industry ● Frequent speaker at Information Security / Hacker conferences ● Teacher at heart! ● Chair of the
  • 3. Places where I have presented...
  • 4. Why am I speaking at a Dev Con? It all started with a tweet…
  • 6. What is OWASP? The Open Web Application Security Project (OWASP), an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. ● Web site - https://www.owasp.org/
  • 7. OWASP History ● Started in December, 2001 ● Obtained 501c3 (non-profit) Status in April 2004 ● OWASP Top Ten List – The "Top Ten", first published in 2003, is regularly updated. It aims to raise awareness about application security by identifying some of the most critical risks facing organizations ● The OWASP foundation has produced many guides, projects, and publications, since their beginning
  • 8. OWASP Top 10 List (2017) ● A1:2017-Injection ● A2:2017-Broken Authentication ● A3:2017-Sensitive Data Exposure ● A4:2017-XML External Entities (XXE) ● A5:2017-Broken Access Control ● A6:2017-Security Misconfiguration ● A7:2017-Cross-Site Scripting (XSS) ● A8:2017-Insecure Deserialization ● A9:2017-Using Components with Known Vulnerabilities ● A10:2017-Insufficient Logging&Monitoring ● Current Version – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project – https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
  • 9. Recent OWASP Top 10 Changes From 2013 to 2017... ● "Cross-Site Scripting (XSS)" Down from A3 to A7 ● "Insecure Direct Object References" (A4) and "Missing Function Level Access Control" (A7) – Merged into "Broken Access Control" as A5 ● "Security Misconfiguration" Down from A5 to A6 ● "Sensitive Data Exposure" Up from A5 to A3 ● "Cross-Site Request Forgery (CSRF)" Removed ● "Unvalidated Redirects and Forwards" Removed
  • 10. Additions to the OWASP Top 10 From 2013 to 2017... ● A4:2017-XML External Entities (XXE) ● A8:2017-Insecure Deserialization ● A10:2017-Insufficient Logging & Monitoring
  • 11. Where and How to Learn AppSec ● We will cover some basic resources to help get you started on a path towards self-learning... – Basic Vulnerability Scanners – AppSec Testing Platforms – Free places to learn AppDev – Free places to learn AppSec – Free Learning / Practice Platforms NOTE: These are not exhaustive lists as there are many more resources available!
  • 12. Starting Out... ● Advice my mother would offer about how to begin learning AppSec and testing web server, website and web application security...
  • 13. Vulnerability Scanners ● Core Security: Core Impact ● Rapid7 products: Nexpose ● Tenable: Nessus ● Qualys: Web Application Scanning (WAS) ● Open Source: OpenVAS ● Open Source / Kali Linux: Sparta / Nikto
  • 14. AppSec Testing Platforms ● Start with: OWASP ZAP (Zed Attack Proxy) – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project ● Move to: Fiddler - Free Web Debugging Proxy – https://www.telerik.com/fiddler ● Graduate to: Burp Suite Scanner – https://portswigger.net/burp ● Honorable Mention: Nmap w/ NSE Scripts ● Honorable Mention: Samurai Web Testing Framework
  • 15. Free places to learn AppDev ● Codecademy – https://www.codecademy.com/ ● Khan Academy – https://www.khanacademy.org/computing ● SQLCourse.com – http://www.sqlcourse.com/ ● W3Schools – https://www.w3schools.com/
  • 16. Free places to learn AppSec ● OWASP (Of course!) – https://www.owasp.org/ ● Your nearest local OWASP Chapter – https://www.owasp.org/index.php/OWASP_Chapter ● YouTube – https://www.youtube.com/ ● Cybrary – https://www.cybrary.it/course/web-application-pen-testing/ – https://www.cybrary.it/course/ethical-hacking/ – https://www.cybrary.it/course/advanced-penetration-testing/ – https://www.cybrary.it/course/python/
  • 17. Free Learning / Practice Platforms ● OWASP Mutillidae – https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project ● OWASP WebGoat – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project ● OWASP Juice Shop – https://www.owasp.org/index.php/OWASP_Juice_Shop_Project ● Rapid7 Metasploitable – https://github.com/rapid7/metasploitable3 ● PentesterLab – https://pentesterlab.com/exercises/
  • 18. Troy Hunt Resources ● Hack Yourself First – "Hack Yourself First" is all about developers building up cyber-offense skills and proactively seeking out security vulnerabilities in their own websites before an attacker does – There are 50 intentional very sloppy security practices to be found – http://hack-yourself-first.com/ ● Free Accompanying Pluralsight Course – http://pluralsight.com/training/Courses/TableOfContents/hack-yourself-first
  • 19. What about a WAF? ● A Web Application Firewall (WAF) filters, monitors, and blocks attack traffic to and from specific web applications. – Prevents attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations, etc. ● WAF’s are good as a compensating control and a good defense-in-depth strategy, but... – Nobody should rely solely on a WAF for web app security ● WAF bypasses are continuously being researched, published, and included in exploit kit updates ● A WAF is not likely to stop all of the attacks
  • 20. *** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
  • 21. *** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
  • 22. *** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
  • 23. *** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
  • 24. *** Live Demo Alert *** Please pick 2…
  • 25. *** Live Demo Alert *** Please pick 2… So I am not just Crazy!
  • 26. Scanning Demo w/ Nikto! ● Nikto – Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. – https://cirt.net/Nikto2 ● Nikto is available as a free download and is also included in Kali Linux
  • 27. Accidental Exposure Demo w/ ZAP! ● OWASP ZAP – The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience including developers and functional testers who are new to penetration testing. – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project ● ZAP is available as a free download and is also included in Kali Linux
  • 28. Conclusion The need for AppSec practitioners is great… ● Because there’s a whole lot of horrible out there!
  • 29. Shout outs and thank you’s... ● OWASP – https://www.owasp.org ● Cincinnati OWASP Chapter – https://www.owasp.org/index.php/Cincinnati ● Columbus OWASP Chapter – https://www.owasp.org/index.php/Columbus ● University of Cincinnati OWASP Chapter – https://www.cyberatuc.org/ – https://www.youtube.com/channel/UCWcJuk7A_1nDj4m-cHWvIFw
  • 30. Questions Who ... What ... When ... Where ... Why ... How ...
  • 31. March 21, 2019 Matt Scheurer @c3rkah Slides: https://www.slideshare.net/cerkah Thank you for attending! AppSecAppSec -------------------------------- & OWASP& OWASP Top 10Top 10