DevOps & CyberSec 9/2016
Ilari Mäkelä, Automation Engineer, Verkkokauppa.com

TOPIC TO BE DECLARED LATER
The OWASP Top 10 (www.owasp.org)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
CWE/SANS Top 25 (http://cwe.mitre.org/top25/)
● Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
● Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
● Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
● Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
● Missing Authentication for Critical Function
● Missing Authorization
● Use of Hard-coded Credentials
● Missing Encryption of Sensitive Data
● Unrestricted Upload of File with Dangerous Type
● Reliance on Untrusted Inputs in a Security Decision
● Execution with Unnecessary Privileges
● Cross-Site Request Forgery (CSRF)
● Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
● Download of Code Without Integrity Check
● Incorrect Authorization
● Inclusion of Functionality from Untrusted Control Sphere
● Incorrect Permission Assignment for Critical Resource
● Use of Potentially Dangerous Function
● Use of a Broken or Risky Cryptographic Algorithm
● Incorrect Calculation of Buffer Size
● Improper Restriction of Excessive Authentication Attempts
● URL Redirection to Untrusted Site ('Open Redirect')
● Uncontrolled Format String
● Integer Overflow or Wraparound
● Use of a One-Way Hash without a Salt
youtube.com/user/WiseOwlTutorials
https://hackathon.guide/
github.com/facebook/fbctf
verkkokauppa.com
github.com/WebGoat/WebGoat
hackathon.guide

DevOps & CyberSec 9/2016


Editor's Notes

  1. I don't want you all to sign up to any group or get too excited about security.
  2. Even if I break into your home in the middle of the night and point a gun at you, you should still be able to list these things. You should remember this better than your girlfriend's name! (OWASP: The Open Web Application Security Project)
  3. Real world example: say you learned SQL from Wise Owl training videos. At your first job your client says he wants something like Facebook in 3 weeks. You program like never before and create your first legacy system in no time.
  4. You think you are bulletproof when you use the latest and greatest framework or tools. For example, if you write a blog with WordPress, you might still have some problems. Sometimes I even hear people say they know their system is vulnerable; they just don't think anyone would attack their site.
  5. How to get you all excited about security? Here are a few people who like to organize events like this, so why wouldn't we organize a hackathon?
  6. I have an idea of how to make this an awesome event. We are going to need at least these things: geeks, WebGoat, Verkkokauppa and a game. WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons. This program is a demonstration of common server-side application flaws.