DevOps & CyberSec 9/2016
1. TOPIC TO BE DECLARED LATER
Ilari Mäkelä
Automation Engineer
Verkkokauppa.com
4. The OWASP Top 10
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
www.owasp.org
5. CWE/SANS Top 25
● Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
● Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
● Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
● Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
● Missing Authentication for Critical Function
● Missing Authorization
● Use of Hard-coded Credentials
● Missing Encryption of Sensitive Data
● Unrestricted Upload of File with Dangerous Type
● Reliance on Untrusted Inputs in a Security Decision
● Execution with Unnecessary Privileges
● Cross-Site Request Forgery (CSRF)
● Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
● Download of Code Without Integrity Check
● Incorrect Authorization
● Inclusion of Functionality from Untrusted Control Sphere
● Incorrect Permission Assignment for Critical Resource
● Use of Potentially Dangerous Function
● Use of a Broken or Risky Cryptographic Algorithm
● Incorrect Calculation of Buffer Size
● Improper Restriction of Excessive Authentication Attempts
● URL Redirection to Untrusted Site ('Open Redirect')
● Uncontrolled Format String
● Integer Overflow or Wraparound
● Use of a One-Way Hash without a Salt
http://cwe.mitre.org/top25/
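The first entry on both lists is injection. As an added illustration (not from the slides, and not WebGoat code), the snippet below puts the vulnerable pattern next to the fixed one on an in-memory SQLite table with constructed sample users: the login that builds SQL by string formatting lets input that closes the string literal change the query's logic, while the parameterized version binds the same input as data and returns nothing.

```python
import sqlite3

# Constructed sample users (hypothetical, not real credentials)
USERS = [("alice", "correct horse"), ("bob", "battery staple")]


def make_db():
    """Create an in-memory database with the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """CWE-89 pattern: user input is pasted straight into the SQL text."""
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s' "
        "ORDER BY name" % (name, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterized query: the driver binds the values, so input is never SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both logins with a normal password and with a string that closes
    the literal and appends an always-true condition; return the four results."""
    conn = make_db()
    hostile = "' OR '1'='1"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_hostile": login_vulnerable(conn, "nobody", hostile),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
        "safe_hostile": login_safe(conn, "nobody", hostile),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running it shows `vulnerable_hostile` matching every user while `safe_hostile` matches none; the only code difference is that the fixed version never lets the database parse user input as part of the statement. The same principle (keep data and code separate) is what the OS command injection and XSS entries on the list come down to.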
I don’t want you all to sign up to any group or get too excited about security.
If I break into your home in the middle of the night and point a gun at you, you should still be able to list these things. You should remember this better than your girlfriend’s name!!!
The Open Web Application Security Project
Real World example
Maybe you learned SQL from Wise Owl training videos.
At your first job your client says he wants something like Facebook in 3 weeks… You program like never before and create your first legacy system in no time.
You think you are bulletproof when you use the latest and greatest framework or tools. For example, if you write a blog with WordPress, you still might have some problems…
Sometimes I even hear people saying they know their system is vulnerable. They just don’t think anyone would attack their site.
How to get you all excited about security?
Here are a few people who like to organize events like this, so why not organize a hackathon?
I have an idea for how to make this an awesome event.
We are going to need at least these things: geeks, WebGoat, Verkkokauppa and a game.
WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons. The program demonstrates common server-side application flaws.