SlideShare a Scribd company logo

ISC2: AppSec & OWASP Primer

ThreatReel Podcast
ThreatReel Podcast

This document provides an overview of application security and the Open Web Application Security Project (OWASP). It discusses what OWASP is, its history and Top 10 list. It also provides resources for learning application development, security testing tools like Nikto and ZAP, and places to learn about application security for free like OWASP itself. The presentation concludes by emphasizing the need for application security practitioners and thanking attendees.

Internet
1 of 29
Download to read offline
I R I R - Matt Scheurer | (ISC)² Cincinnati Chapter | 09/17/2019 I R @c3rkah | https://www.linkedin.com/in/mattscheurer/ https://www.slideshare.net/cerkah/ AppSec & OWASP PrimerAppSec & OWASP Primer
About Me...About Me... I work here: As a Sr. Systems Security Engineer I serve as Chair for the I am also an Ambassador & Security Researcher for
Why AppSec?Why AppSec? I work here: As a Sr. Systems Security Engineer
What is OWASP?What is OWASP? I work here: As a Sr. Systems Security Engineer The Open Web Application Security Project (OWASP), an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. ● Web site - https://www.owasp.org/
OWASP HistoryOWASP History I work here: As a Sr. Systems Security Engineer ● Started in December, 2001 ● Obtained 501c3 (non-profit) Status in April 2004 ● OWASP Top Ten List – The "Top Ten", first published in 2003, is regularly updated. It aims to raise awareness about application security by identifying some of the most critical risks facing organizations ● The OWASP foundation has produced many guides, projects, and publications, since their beginning
OWASP Top 10 List (2017)OWASP Top 10 List (2017) I work here: As a Sr. Systems Security Engineer ● A1:2017-Injection ● A2:2017-Broken Authentication ● A3:2017-Sensitive Data Exposure ● A4:2017-XML External Entities (XXE) ● A5:2017-Broken Access Control ● A6:2017-Security Misconfiguration ● A7:2017-Cross-Site Scripting (XSS) ● A8:2017-Insecure Deserialization ● A9:2017-Using Components with Known Vulnerabilities ● A10:2017-Insufficient Logging&Monitoring ● Current Version ● https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project ● https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
OWASP Top 10 ChangesOWASP Top 10 Changes I work here: As a Sr. Systems Security Engineer ● From 2013 to 2017... – "Cross-Site Scripting (XSS)" Down from A3 to A7 – "Insecure Direct Object References" (A4) and "Missing Function Level Access Control" (A7) – Merged into "Broken Access Control" as A5 – "Security Misconfiguration" Down from A5 to A6 – "Sensitive Data Exposure" Up from A5 to A3 – "Cross-Site Request Forgery (CSRF)" Removed – "Unvalidated Redirects and Forwards" Removed
Additions to the OWASP Top 10Additions to the OWASP Top 10 I work here: As a Sr. Systems Security Engineer ● From 2013 to 2017... – A4:2017-XML External Entities (XXE) – A8:2017-Insecure Deserialization – A10:2017-Insufficient Logging & Monitoring
Where and How to Learn AppSecWhere and How to Learn AppSec I work here: As a Sr. Systems Security Engineer ● We will cover some basic resources to help get you started on a path towards self-learning... – Basic Vulnerability Scanners – AppSec Testing Platforms – Free places to learn AppDev – Free places to learn AppSec – Free Learning / Practice Platforms NOTE: These are not exhaustive lists as there are many more resources available!
Starting OutStarting Out I work here: As a Sr. Systems Security Engineer Advice my mother would offer about how to begin learning AppSec and testing web server, website and web application security...
Vulnerability ScannersVulnerability Scanners I work here: As a Sr. Systems Security Engineer ● Core Security: Core Impact ● Rapid7 products: Nexpose ● Tenable: Nessus ● Qualys: Web Application Scanning (WAS) ● Open Source: OpenVAS ● Open Source / Kali Linux: Sparta / Nikto
AppSec Testing PlatformsAppSec Testing Platforms I work here: As a Sr. Systems Security Engineer ● Start with: OWASP ZAP (Zed Attack Proxy) – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project ● Move to: Fiddler - Free Web Debugging Proxy – https://www.telerik.com/fiddler ● Graduate to: Burp Suite Scanner – https://portswigger.net/burp ● Honorable Mention: Nmap w/ NSE Scripts ● Honorable Mention: Samurai Web Testing Framework
Free places to learn AppDevFree places to learn AppDev I work here: As a Sr. Systems Security Engineer ● Codecademy – https://www.codecademy.com/ ● Khan Academy – https://www.khanacademy.org/computing ● SQLCourse.com – http://www.sqlcourse.com/ ● W3Schools – https://www.w3schools.com/
Free places to learn AppSecFree places to learn AppSec I work here: As a Sr. Systems Security Engineer ● OWASP (Of course!) – https://www.owasp.org/ ● Your nearest local OWASP Chapter – https://www.owasp.org/index.php/OWASP_Chapter ● YouTube – https://www.youtube.com/ ● Cybrary – https://www.cybrary.it/course/web-application-pen-testing/ – https://www.cybrary.it/course/ethical-hacking/ – https://www.cybrary.it/course/advanced-penetration-testing/ – https://www.cybrary.it/course/python/
Free Learning / Practice PlatformsFree Learning / Practice Platforms I work here: As a Sr. Systems Security Engineer ● OWASP Mutillidae – https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project ● OWASP WebGoat – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project ● Rapid7 Metasploitable – https://github.com/rapid7/metasploitable3 ● PentesterLab – https://pentesterlab.com/exercises/
Troy Hunt ResourcesTroy Hunt Resources I work here: As a Sr. Systems Security Engineer ● Hack Yourself First – "Hack Yourself First" is all about developers building up cyber-offense skills and proactively seeking out security vulnerabilities in their own websites before an attacker does – There are 50 intentional very sloppy security practices to be found – http://hack-yourself-first.com/ ● Free Accompanying Pluralsight Course – http://pluralsight.com/training/Courses/TableOfContents/hack-yourself-first
What about a WAF?What about a WAF? I work here: As a Sr. Systems Security Engineer ● A Web Application Firewall (WAF) filters, monitors, and blocks attack traffic to and from specific web applications. – Prevents attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations, etc. ● WAF’s are good as a compensating control and a good defense-in-depth strategy, but... – Nobody should rely solely on a WAF for web app security ● WAF bypasses are continuously being researched, published, and included in exploit kit updates ● A WAF is not likely to stop all of the attacks
*** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
*** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
*** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
*** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
*** Live Demo Alert *** Please pick 2…
*** Live Demo Alert *** Please pick 2… So I am not just Crazy!
Scanning Demo w/ Nikto!Scanning Demo w/ Nikto! I work here: As a Sr. Systems Security Engineer ● Nikto – Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. – https://cirt.net/Nikto2 ● Nikto is available as a free download and is also included in Kali Linux
Accidental Exposure Demo w/ ZAP!Accidental Exposure Demo w/ ZAP! I work here: As a Sr. Systems Security Engineer ● OWASP ZAP – The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience including developers and functional testers who are new to penetration testing. – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project ● ZAP is available as a free download and is also included in Kali Linux
Shout outs and thank you’s...Shout outs and thank you’s... I work here: As a Sr. Systems Security Engineer ● OWASP – https://www.owasp.org ● Cincinnati OWASP Chapter – https://www.owasp.org/index.php/Cincinnati ● Columbus OWASP Chapter – https://www.owasp.org/index.php/Columbus ● University of Cincinnati OWASP Chapter – https://www.cyberatuc.org/ – https://www.youtube.com/channel/UCWcJuk7A_1nDj4m-cHWvIFw
ConclusionConclusion I work here: As a Sr. Systems Security Engineer ● The need for AppSec practitioners is great… – Because there’s a whole lot of horrible out there!
QuestionsQuestions I work here: As a Sr. Systems Security Engineer ● Who ... ● What ... ● When ... ● Where ... ● Why ... ● How ...
I R I R - Matt Scheurer | (ISC)² Cincinnati Chapter | 09/17/2019 I R @c3rkah | https://www.linkedin.com/in/mattscheurer/ https://www.slideshare.net/cerkah/ Thank you for attending!Thank you for attending!

Recommended

AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
ThreatReel Podcast
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma Sehgal
Vandana Verma
 
Web Security... Level Up
Web Security... Level UpWeb Security... Level Up
Web Security... Level Up
Izzet Mustafaiev
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
OWASP
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
Anant Shrivastava
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 

Recommended

AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
ThreatReel Podcast
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma Sehgal
Vandana Verma
 
Web Security... Level Up
Web Security... Level UpWeb Security... Level Up
Web Security... Level Up
Izzet Mustafaiev
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
OWASP
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
Anant Shrivastava
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burp
Tomasz Fajks
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
Security in a Continuous Delivery World
Security in a Continuous Delivery WorldSecurity in a Continuous Delivery World
Security in a Continuous Delivery World
Dinis Cruz
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC
Rafał Hryniewski
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
Trivadis
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap It
Manjyot Singh
 
Owasp tools - OWASP Serbia
Owasp tools - OWASP SerbiaOwasp tools - OWASP Serbia
Owasp tools - OWASP Serbia
Nikola Milosevic
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
OWASP
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0
Dinis Cruz
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0
Dinis Cruz
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
OWASP
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Websec México, S.C.
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security Tools
Lalit Kale
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
Lewis Ardern
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
Mike Saunders
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
ThreatReel Podcast
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec Presentation
ThreatReel Podcast
 

More Related Content

What's hot

[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burp
Tomasz Fajks
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
Security in a Continuous Delivery World
Security in a Continuous Delivery WorldSecurity in a Continuous Delivery World
Security in a Continuous Delivery World
Dinis Cruz
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC
Rafał Hryniewski
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
Trivadis
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap It
Manjyot Singh
 
Owasp tools - OWASP Serbia
Owasp tools - OWASP SerbiaOwasp tools - OWASP Serbia
Owasp tools - OWASP Serbia
Nikola Milosevic
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
OWASP
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0
Dinis Cruz
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0
Dinis Cruz
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
OWASP
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Websec México, S.C.
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security Tools
Lalit Kale
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
Lewis Ardern
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
Mike Saunders
 

What's hot (20)

[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burp
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
Security in a Continuous Delivery World
Security in a Continuous Delivery WorldSecurity in a Continuous Delivery World
Security in a Continuous Delivery World
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap It
 
Owasp tools - OWASP Serbia
Owasp tools - OWASP SerbiaOwasp tools - OWASP Serbia
Owasp tools - OWASP Serbia
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security Tools
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
 

Similar to ISC2: AppSec & OWASP Primer

OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
ThreatReel Podcast
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec Presentation
ThreatReel Podcast
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
Antonio Parata
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
alessiomarziali
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
Sudhanshu Chauhan
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
POSSCON
 
Introduction to OWASP
Introduction to OWASPIntroduction to OWASP
Introduction to OWASP
Thomas F. "T.J." Maher Jr.
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
OWASP Delhi
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
T23 HTML5 Security Testing at Spotify
T23 HTML5 Security Testing at SpotifyT23 HTML5 Security Testing at Spotify
T23 HTML5 Security Testing at Spotify
TechWell
 
[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf
Bipin Upadhyay
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
OWASP Russia
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
gerardkortney
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
karthik menon
 
Security hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceSecurity hole #5 application security science or quality assurance
Security hole #5 application security science or quality assurance
Tjylen Veselyj
 

Similar to ISC2: AppSec & OWASP Primer (20)

OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec Presentation
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
 
Introduction to OWASP
Introduction to OWASPIntroduction to OWASP
Introduction to OWASP
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
T23 HTML5 Security Testing at Spotify
T23 HTML5 Security Testing at SpotifyT23 HTML5 Security Testing at Spotify
T23 HTML5 Security Testing at Spotify
 
[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Security hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceSecurity hole #5 application security science or quality assurance
Security hole #5 application security science or quality assurance
 

More from ThreatReel Podcast

CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIs
ThreatReel Podcast
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
ThreatReel Podcast
 
BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!
ThreatReel Podcast
 
PwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIsPwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIs
ThreatReel Podcast
 
CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful API
ThreatReel Podcast
 
CCC - Lend me your IR's
CCC - Lend me your IR'sCCC - Lend me your IR's
CCC - Lend me your IR's
ThreatReel Podcast
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
ThreatReel Podcast
 
OISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for EveryoneOISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for Everyone
ThreatReel Podcast
 
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies SucceedCentral Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
ThreatReel Podcast
 
Butler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSecButler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSec
ThreatReel Podcast
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
ThreatReel Podcast
 
CiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical SecurityCiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical Security
ThreatReel Podcast
 
CiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG HistoryCiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG History
ThreatReel Podcast
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
ThreatReel Podcast
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
ThreatReel Podcast
 
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ThreatReel Podcast
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
ThreatReel Podcast
 

More from ThreatReel Podcast (20)

CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIs
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
 
BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!BSides Columbus - Lend me your IR's!
BSides Columbus - Lend me your IR's!
 
PwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIsPwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIs
 
CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful API
 
CCC - Lend me your IR's
CCC - Lend me your IR'sCCC - Lend me your IR's
CCC - Lend me your IR's
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
OISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for EveryoneOISF - Continuous Skills Improvement for Everyone
OISF - Continuous Skills Improvement for Everyone
 
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies SucceedCentral Ohio InfoSec Summit: Why Script Kiddies Succeed
Central Ohio InfoSec Summit: Why Script Kiddies Succeed
 
Butler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSecButler Tech - Working in IT and InfoSec
Butler Tech - Working in IT and InfoSec
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
 
CiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical SecurityCiNPA Security SIG - Physical Security
CiNPA Security SIG - Physical Security
 
CiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG HistoryCiNPA / CiNPA Security SIG History
CiNPA / CiNPA Security SIG History
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
 
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
 
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?
 
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!
 
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...
 

Recently uploaded

Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
uehowe
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
uehowe
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 

Recently uploaded (16)

Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 

ISC2: AppSec & OWASP Primer

  • 1. I R I R - Matt Scheurer | (ISC)² Cincinnati Chapter | 09/17/2019 I R @c3rkah | https://www.linkedin.com/in/mattscheurer/ https://www.slideshare.net/cerkah/ AppSec & OWASP PrimerAppSec & OWASP Primer
  • 2. About Me...About Me... I work here: As a Sr. Systems Security Engineer I serve as Chair for the I am also an Ambassador & Security Researcher for
  • 3. Why AppSec?Why AppSec? I work here: As a Sr. Systems Security Engineer
  • 4. What is OWASP?What is OWASP? I work here: As a Sr. Systems Security Engineer The Open Web Application Security Project (OWASP), an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. ● Web site - https://www.owasp.org/
  • 5. OWASP HistoryOWASP History I work here: As a Sr. Systems Security Engineer ● Started in December, 2001 ● Obtained 501c3 (non-profit) Status in April 2004 ● OWASP Top Ten List – The "Top Ten", first published in 2003, is regularly updated. It aims to raise awareness about application security by identifying some of the most critical risks facing organizations ● The OWASP foundation has produced many guides, projects, and publications, since their beginning
  • 6. OWASP Top 10 List (2017)OWASP Top 10 List (2017) I work here: As a Sr. Systems Security Engineer ● A1:2017-Injection ● A2:2017-Broken Authentication ● A3:2017-Sensitive Data Exposure ● A4:2017-XML External Entities (XXE) ● A5:2017-Broken Access Control ● A6:2017-Security Misconfiguration ● A7:2017-Cross-Site Scripting (XSS) ● A8:2017-Insecure Deserialization ● A9:2017-Using Components with Known Vulnerabilities ● A10:2017-Insufficient Logging&Monitoring ● Current Version ● https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project ● https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
  • 7. OWASP Top 10 ChangesOWASP Top 10 Changes I work here: As a Sr. Systems Security Engineer ● From 2013 to 2017... – "Cross-Site Scripting (XSS)" Down from A3 to A7 – "Insecure Direct Object References" (A4) and "Missing Function Level Access Control" (A7) – Merged into "Broken Access Control" as A5 – "Security Misconfiguration" Down from A5 to A6 – "Sensitive Data Exposure" Up from A5 to A3 – "Cross-Site Request Forgery (CSRF)" Removed – "Unvalidated Redirects and Forwards" Removed
  • 8. Additions to the OWASP Top 10Additions to the OWASP Top 10 I work here: As a Sr. Systems Security Engineer ● From 2013 to 2017... – A4:2017-XML External Entities (XXE) – A8:2017-Insecure Deserialization – A10:2017-Insufficient Logging & Monitoring
  • 9. Where and How to Learn AppSecWhere and How to Learn AppSec I work here: As a Sr. Systems Security Engineer ● We will cover some basic resources to help get you started on a path towards self-learning... – Basic Vulnerability Scanners – AppSec Testing Platforms – Free places to learn AppDev – Free places to learn AppSec – Free Learning / Practice Platforms NOTE: These are not exhaustive lists as there are many more resources available!
  • 10. Starting OutStarting Out I work here: As a Sr. Systems Security Engineer Advice my mother would offer about how to begin learning AppSec and testing web server, website and web application security...
  • 11. Vulnerability ScannersVulnerability Scanners I work here: As a Sr. Systems Security Engineer ● Core Security: Core Impact ● Rapid7 products: Nexpose ● Tenable: Nessus ● Qualys: Web Application Scanning (WAS) ● Open Source: OpenVAS ● Open Source / Kali Linux: Sparta / Nikto
  • 12. AppSec Testing PlatformsAppSec Testing Platforms I work here: As a Sr. Systems Security Engineer ● Start with: OWASP ZAP (Zed Attack Proxy) – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project ● Move to: Fiddler - Free Web Debugging Proxy – https://www.telerik.com/fiddler ● Graduate to: Burp Suite Scanner – https://portswigger.net/burp ● Honorable Mention: Nmap w/ NSE Scripts ● Honorable Mention: Samurai Web Testing Framework
  • 13. Free places to learn AppDevFree places to learn AppDev I work here: As a Sr. Systems Security Engineer ● Codecademy – https://www.codecademy.com/ ● Khan Academy – https://www.khanacademy.org/computing ● SQLCourse.com – http://www.sqlcourse.com/ ● W3Schools – https://www.w3schools.com/
  • 14. Free places to learn AppSecFree places to learn AppSec I work here: As a Sr. Systems Security Engineer ● OWASP (Of course!) – https://www.owasp.org/ ● Your nearest local OWASP Chapter – https://www.owasp.org/index.php/OWASP_Chapter ● YouTube – https://www.youtube.com/ ● Cybrary – https://www.cybrary.it/course/web-application-pen-testing/ – https://www.cybrary.it/course/ethical-hacking/ – https://www.cybrary.it/course/advanced-penetration-testing/ – https://www.cybrary.it/course/python/
  • 15. Free Learning / Practice PlatformsFree Learning / Practice Platforms I work here: As a Sr. Systems Security Engineer ● OWASP Mutillidae – https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project ● OWASP WebGoat – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project ● Rapid7 Metasploitable – https://github.com/rapid7/metasploitable3 ● PentesterLab – https://pentesterlab.com/exercises/
  • 16. Troy Hunt ResourcesTroy Hunt Resources I work here: As a Sr. Systems Security Engineer ● Hack Yourself First – "Hack Yourself First" is all about developers building up cyber-offense skills and proactively seeking out security vulnerabilities in their own websites before an attacker does – There are 50 intentional very sloppy security practices to be found – http://hack-yourself-first.com/ ● Free Accompanying Pluralsight Course – http://pluralsight.com/training/Courses/TableOfContents/hack-yourself-first
  • 17. What about a WAF?What about a WAF? I work here: As a Sr. Systems Security Engineer ● A Web Application Firewall (WAF) filters, monitors, and blocks attack traffic to and from specific web applications. – Prevents attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations, etc. ● WAF’s are good as a compensating control and a good defense-in-depth strategy, but... – Nobody should rely solely on a WAF for web app security ● WAF bypasses are continuously being researched, published, and included in exploit kit updates ● A WAF is not likely to stop all of the attacks
  • 18. *** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
  • 19. *** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
  • 20. *** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
  • 21. *** Live Demo Alert *** This presentation features “Live Demos”, because the speaker is...
  • 22. *** Live Demo Alert *** Please pick 2…
  • 23. *** Live Demo Alert *** Please pick 2… So I am not just Crazy!
  • 24. Scanning Demo w/ Nikto!Scanning Demo w/ Nikto! I work here: As a Sr. Systems Security Engineer ● Nikto – Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. – https://cirt.net/Nikto2 ● Nikto is available as a free download and is also included in Kali Linux
  • 25. Accidental Exposure Demo w/ ZAP!Accidental Exposure Demo w/ ZAP! I work here: As a Sr. Systems Security Engineer ● OWASP ZAP – The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience including developers and functional testers who are new to penetration testing. – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project ● ZAP is available as a free download and is also included in Kali Linux
  • 26. Shout outs and thank you’s...Shout outs and thank you’s... I work here: As a Sr. Systems Security Engineer ● OWASP – https://www.owasp.org ● Cincinnati OWASP Chapter – https://www.owasp.org/index.php/Cincinnati ● Columbus OWASP Chapter – https://www.owasp.org/index.php/Columbus ● University of Cincinnati OWASP Chapter – https://www.cyberatuc.org/ – https://www.youtube.com/channel/UCWcJuk7A_1nDj4m-cHWvIFw
  • 27. ConclusionConclusion I work here: As a Sr. Systems Security Engineer ● The need for AppSec practitioners is great… – Because there’s a whole lot of horrible out there!
  • 28. QuestionsQuestions I work here: As a Sr. Systems Security Engineer ● Who ... ● What ... ● When ... ● Where ... ● Why ... ● How ...
  • 29. I R I R - Matt Scheurer | (ISC)² Cincinnati Chapter | 09/17/2019 I R @c3rkah | https://www.linkedin.com/in/mattscheurer/ https://www.slideshare.net/cerkah/ Thank you for attending!Thank you for attending!