A walkthrough of web application defense strategies, based around the Open Web Application Security Project's top 10 list. Presented to the Classic City Developers Meetup in August 2017.
The document discusses the top 10 security risks as defined by OWASP: injection, XSS, broken authentication, insecure direct object references, CSRF, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. For each risk, the document explains what it is, why it is a risk, and how it can be mitigated through secure coding practices. The presenter is identified as an Austin OWASP board member who leads security training and runs a security consulting business.
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks, by Andre Van Klaveren
A presentation of the OWASP Top 10 2017 release candidate, expected to be finalized in summer 2017. Presented at the St. Louis CYBER meetup on Wednesday, June 7, 2017.
The document discusses common security vulnerabilities in React applications such as cross-site scripting (XSS), injection attacks, CSRF attacks, malicious file uploads, insufficient authorization and authentication, distributed denial of service (DDoS) attacks, and XML external entity (XXE) attacks. It provides recommendations for how to prevent and fix each vulnerability, such as strict escaping to prevent XSS, validating all uploads, and using JSON web tokens for authorization. The document also mentions other vulnerabilities to consider like server-side rendering security and dangerous URI schemes.
The OWASP Top 10 is a list published by OWASP that contains the ten most critical security vulnerabilities that threaten web applications. The document discusses the top 10 vulnerabilities including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring. Prevention methods are provided for each vulnerability.
This document discusses analysis of web application penetration testing. It provides statistics on common vulnerabilities like SQL injection, XSS, and file inclusion. It then covers methodologies for information gathering, understanding application logic, observing normal behavior, and targeted testing. A variety of tools for penetration testing are listed, along with search queries that can be used during reconnaissance. The document discusses benefits of penetration testing like protecting companies and meeting compliance. It concludes with recommendations for securing web applications like keeping software updated, input validation, code reviews, and runtime monitoring.
OWASP Top 10 - 2017 Top 10 web application security risks, by Kun-Da Wu
The OWASP team recently released the 2017 revised version of the ten most critical web application security risks. This presentation briefs the OWASP Top 10 - 2017 for you to learn more about these important security issues.
Get Ready for Web Application Security Testing, by Alan Kan
The document discusses web application security testing and provides guidance for testing professionals. It outlines some of the top attacks like SQL injection and cross-site scripting. It recommends getting educated on security topics, using tools like WebScarab and IBM Rational AppScan to test for vulnerabilities, and incorporating security testing into the development process.
The document provides an overview of Spring Security, an authentication and authorization framework for Java web applications. It discusses what Spring Security is and is not, assumptions about the audience's knowledge, and an outline of topics to be covered, including basic and advanced security configurations, user authentication and authorization, security at the view layer, enabling HTTPS, and protecting against CSRF attacks. The presentation aims to introduce Spring Security and demonstrate how to implement common security features.
This document provides an introduction to web security and the OWASP Top 10. It begins with an introduction of the presenter and their background in cybersecurity competitions. It then covers the basics of how the web works using HTTP requests and responses. The major topics of web security are defined, including the likelihood of threats like SQL injection, XSS, and password breaches. An overview of the OWASP Top 10 is presented along with demonstrations of injection, broken authentication, sensitive data exposure, XXE, access control issues, XSS, insecure deserialization, using vulnerable components, and insufficient logging/monitoring. The document aims to educate about common web vulnerabilities and how to identify and address them.
The document provides an overview of the top 5 vulnerabilities according to the OWASP Top 10 list - Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, and Security Misconfiguration. For each vulnerability, the document defines the vulnerability, provides examples, and lists recommendations for mitigating the risk.
The document summarizes the OWASP Top 10 security threats. It describes each of the top 10 threats, including injection, broken authentication, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing access controls, cross-site request forgery, use of vulnerable components, and unsafe redirects/forwards. For each threat, it provides a brief explanation of the meaning and potential impacts, such as data loss, account compromise, or full host takeover. The document encourages implementing people, process, and technology measures to address application security issues.
Top 10 Web Security Vulnerabilities (OWASP Top 10), by Brian Huff
The document summarizes the top 10 security vulnerabilities in web applications according to the Open Web Application Security Project (OWASP). These include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. Countermeasures for each vulnerability are also provided.
The document outlines a step-by-step approach for web application security testing. It begins with cracking passwords by guessing usernames and passwords or using password cracking tools. It then discusses manipulating URLs by changing parameters in the query string to test how the server responds. Finally, it describes checking for SQL injection vulnerabilities by entering single quotes or analyzing user inputs given as MySQL queries. The overall approach helps identify security risks so companies can employ reliable website application security services to eliminate vulnerabilities.
Authentication and session management are important aspects of network security. Authentication verifies a user's identity, while session management maintains user access after authentication. Common authentication methods include passwords, multifactor authentication, and digital signatures. Session management uses session IDs and cookies to track authenticated users and can be vulnerable to hijacking attacks. Developers should implement standard security practices like encryption, complex passwords, and short session timeouts to strengthen authentication and prevent session threats.
I did this presentation for one of my Java user groups at work.
Basically, this is a mashed up version of various presentations, slides and images that I gathered over the internet.
I've quoted the sources in the end. Feel free to reuse it as you like.
Make sure you’re defending against the most common web security issues and attacks with this useful overview of software development best-practices. We'll go over the most common attacks against web applications and present real world advice for defending yourself against these types of attacks.
Social Enterprise Rises! …and so are the Risks - DefCamp 2012, by DefCamp
The document discusses social enterprise software and associated security risks. It provides an overview of social enterprise software, why organizations use it, and common deployment models. It then discusses some common security risks like data loss, exploitation of vulnerabilities, and social engineering. The document outlines strategies for risk mitigation and examines several case studies of vulnerabilities found in social enterprise software solutions. It emphasizes that even large vendors can overlook application security and stresses the importance of verification testing.
Top Application Security Trends of 2012, by DaveEdwards12
Learn about the major risks to Cloud and Web-based Applications. What are their weaknesses? How can you deploy them in a more confident fashion and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers? Application Security has become one of the topmost priorities of CIOs, CSOs and IT Staff in 2012. Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to Secure your applications.
What's Wrong with Vulnerability Management & How Can We Fix It, by Skybox Security
The document discusses challenges with traditional vulnerability management programs and provides recommendations for improvement. It summarizes findings from a survey of vulnerability management professionals that found dissatisfaction with current scanning, analysis, and remediation capabilities. The document recommends that organizations focus on maturity of their vulnerability management process, strive for continuous assessment, use network and security context to prioritize risks, and speed up remediation times.
This presentation simplifies Cloud, Cloud Security and Cloud Security Certifications. This includes the following:
- Understanding Cloud
- Understanding Cloud Security using the Risk Management and Cloud Security Control Frameworks
- Cloud Security Certifications
- Key Definitions
The document discusses how web application hacking occurs through examples like SQL injection. It explains the basic components of a web application like the database, server, and client. It then covers the steps an attacker may take, like using tools to find hidden content or exploiting vulnerabilities in how user input is handled to access private user data or delete database tables. The document emphasizes that these types of vulnerabilities are common and provides resources for learning about different hacking techniques as well as the company's security assessment services.
The Federal Information Security Management Act, by Michelle Singh
The document discusses the importance of access controls and audit controls for organizations. It notes that traditionally applications and data were stored on local servers, but with distributed computing and more users, security issues increased. Access control models like mandatory access control and discretionary access control were used to secure data and control access, but role-based access control (RBAC) was proposed as a more flexible model. However, with growing user numbers, security has become a bottleneck. The paper describes access control and the RBAC model, its limitations, and proposes future research to reduce security risks with large user numbers in cloud computing environments.
The Security Vulnerability Assessment Process & Best Practices, by Kellep Charles
Conducting regular security assessments on the organizational network and computer systems has become a vital part of protecting information-computing assets. Security assessments are a proactive and offensive posture towards information security as compared to the traditional reactive and defensive stance normally implemented with the use of Access Control-Lists (ACLs) and firewalls.
To effectively conduct a security assessment so that it is beneficial to an organization, a proven methodology must be followed so that the assessors and assessees are on the same page.
This presentation will evaluate the benefits of credential scanning, scanning in a virtual environment, distributed scanning as well as vulnerability management.
This document discusses techniques for optimizing threat modeling to require fewer resources. It proposes using templates and risk patterns to generate threats and countermeasures for common application components and use cases. This allows for more efficient "just enough" threat modeling compared to traditional manual methods. The document demonstrates how to decompose templates into reusable risk patterns and generate threat models through a rules engine. It also introduces the open source IriusRisk tool for implementing this approach.
Are you looking for IT Infrastructure Services & Management? We help to manage IT risks at all levels of an organization, with a focus on planning and protecting your information from security breaches. For more details, please visit our site: http://www.webindia.com/infrastructure.php
The document provides an overview of key security engineering activities that should be integrated into the software development lifecycle (SDLC). It discusses securing each phase of development through threat modeling, secure coding practices like code reviews, and security testing. The goal is to build security into applications from the start to help prevent vulnerabilities and deliver more robust products.
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers..., by EC-Council
This session will focus on presenting a next generation defense in depth model and answer the question on many CISOs' minds - is it still relevant? A model of defense in depth will serve as a backdrop to introduce you to a wide range of solutions from across the cybersecurity-industrial complex that just may change how you view your defense in depth approach.
Bugs (or vulnerabilities) in application software may enable cyber criminals to exploit both Internet-facing and internal systems. Organizations do all they can to protect their critical cyber assets, but they don't always systematically test their defences.
We do quality pen tests much faster and more cost-effectively than the traditional approach. Our consultants achieve this by combining their advanced technical skills. You get an accurate security posture of your web application and actionable recommendations for improving it. Our testing services scrutinize the security loopholes in your application at various levels, and reports are shared.
This document provides information about a secure web application development training course offered by Pivotal Security LLC. The training is customized for each client's development needs and covers topics like common vulnerabilities, authentication, authorization, cryptography, input handling, error handling, and logging. The course aims to help developers design and build secure applications. It is led by experts with experience at Microsoft and Honeywell and receives positive feedback from attendees.
Accelerating Your Cyber Security Career North Texas Edition, by Amy Hughey
Compilation of Cyber Security technology trends, certifications, salaries, job postings in the Dallas Fort Worth North Texas Area with recommendations based on data from 2017. Comments welcome.
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ..., by David Etue
Control Quotient: Adaptive Strategies For Gracefully Losing Control as presented at RSAC US 2013 by @djetue and @joshcorman
The security community has spent years on failed approaches to Return On Investment (ROI) on security offerings and Return On Security Investment (ROSI). It’s failed as it evaluates from the wrong perspective. This session flips ROI on its head, looking from the adversary’s perspective. We’ll introduce an “Adversary ROI” model, and show how it can change how you evaluate cyber security investment.
Best practices for automating cloud security processes with Evident.io and AWS, by Amazon Web Services
Evident.io helps modern IT and DevOps teams implement and maintain security within the AWS shared responsibility model by enabling IT, Security, Engineering, and Operations with a continuous global view of security risk and actionable intelligence to rapidly remediate and secure AWS deployments.
Hear how one of their customers combined the detection and analysis of misconfigurations, vulnerabilities, and risk with guided remediation and audit capabilities to gain visibility of their security environment, automate processes and meet compliance requirements.
Eddie Borrero, Chief Information Security Officer, Robert Half International
Phil Rodrigues, Security Solution Architect, AWS
Craig Dent, Solutions Architect, Evident.io
This document discusses web application penetration testing and security. It begins with an overview of web application security standards and realities, noting that standards do not encompass all vulnerability types or attacks. It then discusses web application testing methodologies and realities of security testing. The main part of the document focuses on facets of web application penetration testing, highlighting the importance of thinking beyond surface issues to more hidden vulnerabilities. It concludes with demonstrations of different web application attacks.
This document provides an overview of a presentation on security monitoring and analytics using Splunk. The presentation covers using Splunk Enterprise for security operations like alert management and incident response. It also covers using Splunk User Behavior Analytics to detect anomalies and threats using machine learning. The presentation highlights new features in Splunk Enterprise Security 4.1 like prioritizing investigations and expanded threat intelligence, and new features in Splunk UBA 2.2 like enhanced security analytics and custom threat modeling. It demonstrates integrating UBA results into the Splunk Enterprise Security workflow for faster investigation of advanced threats.
Similar to Chapter 3: Vulnerabilities and threat models
How to Add Chatter in the Odoo 17 ERP Module, by Celine George
In Odoo, the chatter is like a chat tool that helps you work together on records. You can leave notes and track things, making it easier to talk with your team and partners. Inside chatter, all communication history, activity, and changes will be displayed.
How to Build a Module in Odoo 17 Using the Scaffold Method, by Celine George
Odoo provides an option for creating a module by using a single line command. By using this command the user can make a whole structure of a module. It is very easy for a beginner to make a module. There is no need to make each file manually. This slide will show how to create a module using the scaffold method.
Walmart Business+ and Spark Good for Nonprofits.pdf, by TechSoup
Learn about all the ways Walmart supports nonprofit organizations.
You will hear from Liz Willett, the Head of Nonprofits, and hear about what Walmart is doing to help nonprofits, including Walmart Business and Spark Good. Walmart Business+ is a new offer for nonprofits that offers discounts and also streamlines nonprofits' order and expense tracking, saving time and money.
The webinar may also give some examples on how nonprofits can best leverage Walmart Business+.
The event will cover the following:
Walmart Business+ (https://business.walmart.com/plus) is a new shopping experience for nonprofits, schools, and local business customers that connects an exclusive online shopping experience to stores. Benefits include free delivery and shipping, a 'Spend Analytics' feature, special discounts, deals and tax-exempt shopping.
Special TechSoup offer for a free 180 days membership, and up to $150 in discounts on eligible orders.
Spark Good (walmart.com/sparkgood) is a charitable platform that enables nonprofits to receive donations directly from customers and associates.
Answers about how you can do more with Walmart!
A workshop hosted by the South African Journal of Science aimed at postgraduate students and early career researchers with little or no experience in writing and publishing journal articles.
A review of the growth of the Israel Genealogy Research Association Database Collection for the last 12 months. Our collection has now passed the 3 million mark and is still growing. See which archives have contributed the most. See the different types of records we have, and which years have had records added. You can also see what we have for the future.
How to Setup Warehouse & Location in Odoo 17 Inventory, by Celine George
In this slide, we'll explore how to set up warehouses and locations in Odoo 17 Inventory. This will help us manage our stock effectively, track inventory levels, and streamline warehouse operations.
This presentation was provided by Steph Pollock of The American Psychological Association’s Journals Program, and Damita Snow, of The American Society of Civil Engineers (ASCE), for the initial session of NISO's 2024 Training Series "DEIA in the Scholarly Landscape." Session One: 'Setting Expectations: a DEIA Primer,' was held June 6, 2024.
Main Java [All of the Base Concepts].docx, by adhitya5119
This is part 1 of my Java Learning Journey. This contains custom methods, classes, constructors, packages, multithreading, try-catch block, finally block and more.
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and..., by PECB
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
2. Vulnerability, Threats and Attacks
2017-04-27 Web Application Security Fast Guide (book slides) Slide 2 By Dr. Sami Khiami
Vulnerability + Threat = Successful attack
An attack succeeds only when a threat meets a vulnerability it can use. With countermeasures in place on both sides, the same pair gives a different result:
Vulnerability + Threat (with countermeasures) = Safe system
Countermeasures shown on the slide:
- Analysis & regular update and patch
- Detection and prevention techniques
- Response and mitigation plan
3. Threat Risk Modeling
Threat risk modeling identifies, understands and rates the main threats that might affect the application, giving a better view that helps in implementing countermeasures to secure the application.
4. Identify assets and security objectives
Step 1: Identify assets. Rate each asset by:
- Value of the asset to adversaries.
- Cost to replace the asset if lost.
- Operational and productivity costs incurred if the asset is unavailable.
- Liability issues if the asset is compromised.
Step 2: Prioritize and set security objectives. Prioritize the assets depending on the information you collected, specifying the most important ones, and set the security objectives depending on your findings.
5. Creating Architecture overview
Step 3: Create an architecture overview:
- Identify all functionalities of the application
- Identify all subsystems of the application
- Identify all used technologies
Generate a diagram along with a list of used technologies and versions; the slide points to https://cve.mitre.org as the place to look up known vulnerabilities for those versions.
6. Decompose the application
Step 4: Decompose the application:
- Identify trust boundaries
- Identify data flow
- Identify entry points
- Identify privileged code
Document the security profile (input validation, authentication, authorization, configuration management, session management, cryptography, parameter manipulation, exception management and logging).
7. Identifying and rating threats
8. IIMF
The four ways an attack can disturb the normal flow of information from a source to a destination:
- Interception
- Interruption
- Modification
- Fabrication
9. CIA
The three security objectives the threats above act against:
- Confidentiality
- Integrity
- Availability
10. STRIDE
Threat categories used to identify threats:
- Spoofing
- Tampering with data
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privileges
11. DREAD
Each threat is rated on five factors, with the levels and values below (0, 5 or 10; Discoverability also has a 9):
Damage Potential: 0 = No damage; 5 = User data is compromised or affected; 10 = Complete destruction of data or system
Reproducibility: 0 = Very hard to reproduce; 5 = One or two steps to reproduce; 10 = Easy to reproduce
Exploitability: 0 = Advanced knowledge and advanced tools required; 5 = Available tool and easy to perform; 10 = Very simple tool (only a browser)
Affected users: 0 = None; 5 = Some users; 10 = All users
Discoverability: 0 = Very hard, requires admin access; 5 = Guessing or monitoring the network; 9 = Can be easily discovered (search engine), available publicly; 10 = Visible directly (through the address bar, for example)
Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
12. CVSS (common vulnerability scoring system)
13. CVSS (cont)
BaseScore = round_to_1_decimal(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))
Impact = 10.41 * (1 - (1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
Exploitability = 20 * AccessVector*AccessComplexity*Authentication
f(Impact) = 0 if Impact=0, 1.176 otherwise
AccessVector = case AccessVector of
requires local access: 0.395
adjacent network accessible: 0.646
network accessible: 1.0
AccessComplexity = case AccessComplexity of
high: 0.35
medium: 0.61
low: 0.71
Authentication = case Authentication of
requires multiple instances of authentication: 0.45
requires single instance of authentication: 0.56
requires no authentication: 0.704
ConfImpact = case ConfidentialityImpact of
none: 0.0
partial: 0.275
complete: 0.660
IntegImpact= case IntegrityImpact of
none: 0.0
partial: 0.275
complete: 0.660
AvailImpact= case AvailabilityImpact of
none: 0.0
partial: 0.275
complete: 0.660
14. CVSS (cont)
TemporalScore=round_to_1_decimal(BaseScore*Exploitability*RemediationLevel*ReportConfidence)
Exploitability = case Exploitability of
unproven:0.85
proof-of-concept:0.9
functional:0.95
high:1.00
not defined:1.00
RemediationLevel = case RemediationLevel of
official-fix:0.87
temporary-fix:0.90
workaround:0.95
unavailable:1.00
not defined:1.00
ReportConfidence = case ReportConfidence of
unconfirmed:0.90
uncorroborated:0.95
confirmed:1.00
not defined:1.00
15. CVSS (cont)
EnvironmentalScore = round_to_1_decimal((AdjustedTemporal + (10 - AdjustedTemporal)*CollateralDamagePotential) * TargetDistribution)
AdjustedTemporal = TemporalScore recomputed with the BaseScore's Impact sub-equation replaced with the AdjustedImpact equation
AdjustedImpact = min(10, 10.41*(1 - (1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)*(1-AvailImpact*AvailReq)))
CollateralDamagePotential = case CollateralDamagePotential of
none: 0
low: 0.1
low-medium: 0.3
medium-high: 0.4
high: 0.5
not defined: 0
TargetDistribution = case TargetDistribution of
none: 0
low: 0.25
medium: 0.75
high: 1.00
not defined: 1.00
ConfReq = case ConfReq of
low: 0.5
medium: 1.0
high: 1.51
not defined: 1.0
IntegReq = case IntegReq of
low: 0.5
medium: 1.0
high: 1.51
not defined: 1.0
AvailReq= case AvailReq of
low:0.5
medium:1.0
high:1.51
not defined: 1.0
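The DREAD average (slide 11) and the CVSS v2 base, temporal and environmental equations (slides 13 to 15) carried into working code, as an added example that is not part of the book slides; the metric names used as dictionary keys are shortened forms of the slide labels, and the half-up rounding is assumed for round_to_1_decimal.

```python
# Added example, not from the slides: DREAD (slide 11) and CVSS v2 (slides 13-15)
# implemented from the page's equations and case tables.
from decimal import Decimal, ROUND_HALF_UP

AV = {"local": 0.395, "adjacent": 0.646, "network": 1.0}
AC = {"high": 0.35, "medium": 0.61, "low": 0.71}
AU = {"multiple": 0.45, "single": 0.56, "none": 0.704}
CIA = {"none": 0.0, "partial": 0.275, "complete": 0.660}
EXPL = {"unproven": 0.85, "proof-of-concept": 0.9, "functional": 0.95,
        "high": 1.0, "not defined": 1.0}
REM = {"official-fix": 0.87, "temporary-fix": 0.90, "workaround": 0.95,
       "unavailable": 1.0, "not defined": 1.0}
CONF = {"unconfirmed": 0.90, "uncorroborated": 0.95, "confirmed": 1.0,
        "not defined": 1.0}
CDP = {"none": 0, "low": 0.1, "low-medium": 0.3, "medium-high": 0.4,
       "high": 0.5, "not defined": 0}
TD = {"none": 0, "low": 0.25, "medium": 0.75, "high": 1.0, "not defined": 1.0}
REQ = {"low": 0.5, "medium": 1.0, "high": 1.51, "not defined": 1.0}

def round1(x):
    """round_to_1_decimal, assumed half-up (Python's round() is banker's rounding)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def dread_risk(damage, reproducibility, exploitability, affected, discoverability):
    """Slide 11: the plain average of the five 0-10 ratings."""
    return (damage + reproducibility + exploitability + affected + discoverability) / 5

def cvss_impact(c, i, a, cr=None, ir=None, ar=None):
    """Impact sub-equation (slide 13); with CR/IR/AR it is AdjustedImpact (slide 15)."""
    if cr is None:
        return 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    return min(10, 10.41 * (1 - (1 - CIA[c] * REQ[cr]) * (1 - CIA[i] * REQ[ir])
                            * (1 - CIA[a] * REQ[ar])))

def cvss_base(av, ac, au, c, i, a, cr=None, ir=None, ar=None):
    """Slide 13 base score; passing CR/IR/AR gives the adjusted base used on slide 15."""
    impact = cvss_impact(c, i, a, cr, ir, ar)
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0 if impact == 0 else 1.176   # f(Impact) from the slide
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def cvss_temporal(base, e="not defined", rl="not defined", rc="not defined"):
    """Slide 14: base score scaled by exploit maturity, remediation level and confidence."""
    return round1(base * EXPL[e] * REM[rl] * CONF[rc])

def cvss_environmental(base_metrics, temporal_metrics, cdp, td, cr, ir, ar):
    """Slide 15: temporal score recomputed with AdjustedImpact, then scaled by CDP and TD."""
    adjusted_temporal = cvss_temporal(cvss_base(*base_metrics, cr, ir, ar), *temporal_metrics)
    return round1((adjusted_temporal + (10 - adjusted_temporal) * CDP[cdp]) * TD[td])
```

A remotely exploitable, unauthenticated availability-only flaw (network / low / none / none / none / complete) scores 7.8 at the base level, 6.4 once a functional exploit and an official fix are both known, and goes back up to 7.8 in an environment with medium-high collateral damage potential.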
16. OWASP Top 10
The ten risk categories shown on the slide:
- Injection
- XSS
- Broken Authentication
- Sensitive Data Exposure
- Insecure Direct Object References
- Security Misconfiguration
- Cross-Site Request Forgery (CSRF)
- Missing Function Level Access Control
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards