Lightning talk owasp_top10in10

•Download as PPTX, PDF•

1 like•604 views

Learn about the OWASP 10 and the changes for the 2017 version. A lot of material is included in this short 10 minute sprint.

Software

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 1
Agility. Security. Delivered.
How to test for (the new)
OWASP Top 10 in 10 Minutes?
An all out sprint by Ben Pick

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 2

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 3
A1 - Injection
Username:
Password:
admin
myPassword
select * from Users where user_id = ‘admin’
and password = ‘myPassword’
Username:
Password:
‘ OR 1=1; --
myPassword
select * from Users where user_id = ‘’ OR 1=1; --
and password = ‘myPassword’
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 4
A1 - Injection, tools

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 5
A2 - Broken Authentication and Session
Management
• http://example.com/sale/mycart?sessionid=abcd
• http://internalcompanyHRservice.com/search?role=user
• Cookie replay from valid session

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 6
A3 - Cross Site Scripting (XSS)
• Client-side scripts interpreted by the end user
<script>alert(‘Label XSSed’)</script>
<script>alert(123)</script>
<script>alert(document.cookie)</script>

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 7
A3 – XSS, Tools

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 8
A4 - Broken Access Controls
• http://example.com/app/accountInfo?acct=notmyacct
• https://example.com/auth
• https://example.com/myprofile?action=updatepassword
• https://example.com/admin

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 9
A5 - Security Misconfigurations
• Look for default passwords!

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 10
A6 - Sensitive Data Exposure
• Look for stacktraces, relative or absolute directory structures, listings
of running software and versions
• User objects that include name, SSN, DoB, address…
• IP addresses, usernames, and os information in source code
• View page source

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 11
A7 – Insufficient Attack Protections
• Detect
• Prevent
• Patch

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 12
A8 - Cross Site Request Forgery
• www.bank.com/transfermymoney=-1000&toaccount=maliciousBen

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 13
A9 - Using issues with known vulnerabilities
• Vulnerable components = vulnerable application

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 14
A10 – Underprotected APIs
• http://www.example.com/supersecretendpoint?internalfile=notmine
• http://www.example.com/deleteaccount?acct=12345

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 15
Summary – Good Security Testing
• Send garbage input
• Malicious content
• Attempt to obfuscate to avoid detection
• Try to break frameworks and processes
• Do the unexpected
• Play “What if” with the application
• Assume a service or server is compromised and determine the impact

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 16
Supplemental Notes: Tools Mentioned
• Static Analysis
• SonarQube
• HP Fortify
• Sonatype CLM
• OWASP Dependency Check
• Dynamic Analysis:
• sqlmap
• Wfuzz
• w3af
• Burp Suite (Free or Professional)
• OWASP Zed Attack Proxy
• SOAP UI
• ModSecurity
• Wireshark
• Contrast RASP

The document provides an overview of 10 steps for software security according to OWASP-Turkey. It introduces the author Bünyamin Demir and his background and experience in application security. It then discusses key aspects of OWASP and provides code examples for implementing input validation, sanitization, secure cookies, session management, CAPTCHA, path canonicalization, HTTPS, CSRF tokens, and prepared statements.

Storage Visibility for Operations - A Ceph Story

Debojyoti Dutta

Securing your EmberJS Application

Philippe De Ryck

This document discusses securing EmberJS applications. It begins by introducing the author and their background working on client-side web security. It then provides an overview of the topics covered, which include cross-site request forgery (CSRF), cross-site scripting (XSS), and content security policy (CSP). It explains the architecture of single-page applications like EmberJS applications. It also illustrates common web attacks like CSRF and XSS, and describes approaches to mitigate these attacks in EmberJS applications, including the use of tokens and CSP.

Demystfying secure certs

Gary Williams

This document discusses why HTTPS and secure certificates are important for websites. Some key points include: - HTTPS provides benefits like faster loading, improved SEO, and avoiding browser warnings. It also establishes trust with users. - Common excuses for not using certificates like small site size or not processing payments are invalid, as hackers automate attacks. - If a web server supports HTTP/2, HTTPS can be faster than HTTP. Tools like Chrome developer tools show the protocol used. - The process to implement HTTPS involves obtaining a certificate, updating server configurations, and ensuring proper security is configured. - Resources like Let's Encrypt and Qualsys tools can help simplify certificate management and test security configurations. Maint

D3TLV17- You have Incapsula...now what?

Imperva Incapsula

The document discusses how the Incapsula support team can help customers who have purchased Incapsula services. It outlines several ways the support team can be contacted, including via a support website, email, or phone. It also describes resources available to customers like knowledge base articles, training courses, and status pages. The document notes there are standard and premium support options with different response times and update intervals. It highlights that emergency escalation is available by phone and identifies enhanced support programs like managed services and technical account managers.

Best Security Practices in the Intelligence Community - SID214 - re:Invent 2017

Amazon Web Services

Executives from the Intelligence community discuss cloud security best practices in a field where security is imperative to operations. Security Cloud Chief John Nicely and Deputy Chief of Cyber Integration Scott Kaplan share success stories of migrating mass data to the cloud from a security perspective. Hear how they migrated their IT portfolios while managing their organizations' unique blend of constraints, budget issues, politics, culture, and security pressures. Learn how these institutions overcame barriers to migration, and ask these panelists what actions you can take to better prepare yourself for the journey of mass migration to the cloud.

The document provides an introduction to secure coding in Java. It discusses the Open Web Application Security Project (OWASP) and its mission to improve software security. It then covers 10 simple principles for writing secure code, such as input validation, output encoding, and parameterized queries. Examples of SQL injection and LDAP injection vulnerabilities are shown, along with ways to avoid them through parameterization and input sanitization. The importance of using security mechanisms from trusted libraries rather than reimplementing them is also stressed.

Csp july2015

n|u - The Open Security Community

This document discusses Content Security Policy (CSP), which defines an HTTP header to whitelist approved sources of content like scripts to prevent XSS attacks. It describes how CSP directives like script-src restrict where code can be loaded from to enhance security. The speaker then demonstrates how to construct CSP policies and explains options like 'unsafe-inline' that disable the protection CSP is meant to provide. In the end, resources on CSP that informed the presentation are listed.

A CISO’s Journey at Vonage: Achieving Unified Security at Scale - SID210 - re...

Amazon Web Services

Making sense of the risks of IT deployments that sit in hybrid environments and span multiple countries is a major challenge. When you add in multiple toolsets, and global compliance requirements, including GDPR, it can get overwhelming. Listen to Vonage’s Chief Information Security Officer, Johan Hybinette, share his experiences tackling these challenges. Vonage is an established leader with 15 years of experience providing residential and business communications solutions in global markets. With a robust solution for end users, solutions offered by Vonage require a sophisticated, reliable technology stack—that technology is spread between on-premises and AWS Cloud environments. Johan shares lessons learned to achieve a successful and secure cloud deployment. How does GDPR impact a multinational hybrid deployment? Can security drive tool adoption among developers? What’s a practical approach to maintaining flexibility and a rapid pace of innovation, while providing world-class security for your customer? Get answers to all these questions and a jumpstart on your challenges from an industry leader. Session sponsored by Trend Micro Incorporated

SSL Pinning and Bypasses: Android and iOS

Anant Shrivastava

A Risk-Based Mobile App Security Testing Strategy

NowSecure

Originally presented on September 19, 2018 Given the volume and velocity of mobile apps, there simply aren’t enough resources to test them all in the same manner. There has to be a better way. NowSecure introduces a new framework to help organizations craft a Risk-Based Mobile App Security Testing strategy. Watch the presentation here: https://www.nowsecure.com/webinars/a-risk-based-mobile-app-security-testing-strategy/

D3TLV17- Keeping it Safe

Imperva Incapsula

Adding the Sec to Your DevOps Pipelines

Amazon Web Services

DevSecOps is the premise that everyone in the software development lifecycle is responsible for security. DevSecOps aims to embed security in every part of the development process. In this *workshop*, participants explore taking a standard CI/CD pipeline and adding security stages to improve security posture. Learn how to use AWS CodeCommit and AWS CodePipeline to build and publish golden AMI images. Also, learn how to modify pipeline flow to add security test cases. You also have to opportunity to perform CVE analysis and code analysis using Amazon Inspector and perform observational container analysis using Amazon GuardDuty.

10 Lessons from 10 Years of AWS

Adrian Hornsby

Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...

Amazon Web Services

ARC201_Scaling Up to Your First 10 Million Users

Amazon Web Services

Cloud computing gives you a number of advantages, such as the ability to scale your web application or website on demand. If you have a new web application and want to use cloud computing, you might be asking yourself, "Where do I start?" Join us in this session to understand best practices for scaling your resources from one to millions of users. We show you how to best combine different AWS services, how to make smarter decisions for architecting your application, and how to scale your infrastructure in the cloud.

Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...

Amazon Web Services

Managing AWS and hybrid environments securely and safely while having actionable insights is an operational priority and business driver for all customers. Using SSH or RDP sessions could lead to unintended or malicious outcomes with no traceability. Learn to use Amazon EC2 Systems Manager to improve your security posture, automate at scale, and minimize application downtime for both Windows and Linux workloads. Easily author configurations to automate your infrastructure without SSH access, and control the blast radius of configuration changes. Get a cross-account and cross-region view of what’s installed and running on your servers or instances. Learn to use Systems Manager to securely store, manage, and retrieve secrets. You can also run patch compliance checks on the fleet to react to malware and vulnerabilities within minutes, while still providing granular control to users with different privilege levels and full auditability. You will hear from FINRA, the Financial Industry Regulatory Authority, on how they use Systems Manager to safely manage their Enterprise environment.

CIS14: Best Practices You Must Apply to Secure Your APIs

CloudIDSummit

Security crawl walk run presentation mckay v1 2017

Adam Tice

DEV325_Application Deployment Techniques for Amazon EC2 Workloads with AWS Co...

Amazon Web Services

We’ve seen companies like fast-growing startups and large enterprises adopt and evolve strategies to optimize their application deployment to Amazon EC2. Some AWS customers perform in-place updates across their servers. Some perform blue-green deployments to newly provisioned servers. In this session, we’ll share the advantages of each approach and talk about the scenarios in which you should choose one over the other. We will also demonstrate how to perform auto-scaling and auto-rollback for deployments.

Keys to Successfully Monitoring and Optimizing Innovative and Sophisticated C...

Amazon Web Services

AWS enables companies to build innovative cloud applications combining technologies like Alexa, AWS IoT, and AWS Lambda with enterprise-scale, microservice backends. After these applications move into production, there are teams responsible for monitoring all components and providing insights needed to optimize the customer experience. In this session, we share an easy-to-apply framework to build all components successfully to get the answers needed to run and improve every application, no matter how complicated. First, we lay the foundation with powerful tools in the AWS ecosystem like Amazon CloudWatch, AWS CloudTrail, and AWS X-Ray. Then, we complement these insights with approaches for monitoring frontend web and mobile performance and behavior, eventually extending into IoT devices. Finally, we show how to derive actionable insights from all the gathered data and integrate it into enterprise-grade monitoring platforms. Session sponsored by Dynatrace

IOT308-One Message to a Million Things Done in 60 seconds with AWS IoT

Amazon Web Services

The AWS IoT message broker is a fully managed publish/subscribe broker service that enables the sending and receiving of messages between devices and applications with high speed and reliability. In this session, learn about the common AWS IoT messaging patterns and dive deep into understanding the scaling best practices while using these patterns in applications. In addition, Amazon Music talks about how they used AWS IoT to build event notifications of soccer games in their applications for our customers.

Related OSS Projects - Peter Rowe, Flexera Software

OpenStack

Audience Level Intermediate Synopsis Today’s fast-paced development environment has changed the compliance landscape. Many software projects consist of more than 50% Open Source Software (OSS) components, but as much as 99% are undocumented, increasing the complexities of managing your company’s software compliance process. Of particular concern is “Zombie software”, or software that is outdated and contains vulnerable versions of certain components. Zombies can live in your code forever if you’re not aware of them. The acceleration of modern development lifecycles and the breakdown of an undocumented software supply chain have opened up new pathways for zombies to enter your software – leaving you exposed to security threats. This presentation discusses best practices for implementing an Open Source Software management strategy that covers common pitfalls and commercial licence issues as well as the optimal way to track and eliminate the risks associated with Zombies! Speaker Bio: Involved in and around IT development for over 20 years, starting as a web developer using NotePad in 1995 when the most exciting thing online was Sun’s animated Java coffee cup, through Numega Pre-Sales selling BoundsChecker and now into the brave, new World of Open Source and software composition analysis.

Driving Innovation with Containers - CON203 - re:Invent 2017

Amazon Web Services

Containers allow you to easily package an application's code, configurations, and dependencies into easy to use building blocks that deliver environmental consistency, operational efficiency, developer productivity, and version control. But how can developers leverage containers to drive innovation for their applications, their team, and organization? In this session, Asif Khan Technical Business Manager for AWS will discuss how containers are becoming a new cloud native compute primitive, and how your organization can use containers as a building block to accelerate innovation. WeWork's Christopher Tava, Joshua Davis, and OpsLine's Radek Wierzbicki will show how they adopted containers as discipline in code development, and how they refactored their production architecture into containers running on Amazon ECS in under 8 months.

CON203_Driving Innovation with Containers

Amazon Web Services

"Containers allow you to easily package an application's code, configurations, and dependencies into easy to use building blocks that deliver environmental consistency, operational efficiency, developer productivity, and version control. But how can developers leverage containers to drive innovation for their applications, their team, and organization? In this session, Asif Khan Technical Business Manager for AWS will discuss how containers are becoming a new cloud native compute primitive, and how your organization can use containers as a building block to accelerate innovation. WeWork's Christopher Tava, Joshua Davis, and OpsLine's Radek Wierzbicki will show how they adopted containers as discipline in code development, and how they refactored their production architecture into containers running on Amazon ECS in under 8 months."

Containers on AWS - State of the Union - CON201 - re:Invent 2017

Amazon Web Services

Just over four years after the first public release of Docker, and three years to the day after the launch of Amazon EC2 Container Service, the use of containers has surged to run a significant percentage of production workloads at startups and enterprise organizations. Join Deepak Singh, General Manager of Amazon Container Services, as we cover the state of containerized application development and deployment trends, new container capabilities on AWS that are available now, options for running containerized applications on AWS, and how AWS customers successfully run container workloads in production.

SID302_Force Multiply Your Security Team with Automation and Alexa

Amazon Web Services

Adversaries automate. Who says the good guys can't as well? By combining AWS offerings like AWS CloudTrail, Amazon Cloudwatch, AWS Config, and AWS Lambda with the power of Amazon Alexa, you can do more security tasks faster, with fewer resources. Force multiplying your security team is all about automation! Last year, we showed off penetration testing at the push of an (AWS IoT) button, and surprise-previewed how to ask Alexa to run Inspector as-needed. Want to see other ways to ask Alexa to be your cloud security sidekick? We have crazy new demos at the ready to show security geeks how to sling security automation solutions for their AWS environments (and impress and help your boss, too).

What's hot

Nexus Protocol Gateway and BYOD

Samuel Erdtman

Secure Coding For Java - Une introduction

Sebastien Gioria

Csp july2015

n|u - The Open Security Community

A CISO’s Journey at Vonage: Achieving Unified Security at Scale - SID210 - re...

Amazon Web Services

SSL Pinning and Bypasses: Android and iOS

Anant Shrivastava

A Risk-Based Mobile App Security Testing Strategy

NowSecure

What's hot (6)

Nexus Protocol Gateway and BYOD

Secure Coding For Java - Une introduction

Csp july2015

A CISO’s Journey at Vonage: Achieving Unified Security at Scale - SID210 - re...

SSL Pinning and Bypasses: Android and iOS

A Risk-Based Mobile App Security Testing Strategy

Similar to Lightning talk owasp_top10in10

D3TLV17- Keeping it Safe

Imperva Incapsula

Adding the Sec to Your DevOps Pipelines

Amazon Web Services

10 Lessons from 10 Years of AWS

Adrian Hornsby

Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...

Amazon Web Services

ARC201_Scaling Up to Your First 10 Million Users

Amazon Web Services

Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...

Amazon Web Services

CIS14: Best Practices You Must Apply to Secure Your APIs

CloudIDSummit

Security crawl walk run presentation mckay v1 2017

Adam Tice

DEV325_Application Deployment Techniques for Amazon EC2 Workloads with AWS Co...

Amazon Web Services

Keys to Successfully Monitoring and Optimizing Innovative and Sophisticated C...

Amazon Web Services

IOT308-One Message to a Million Things Done in 60 seconds with AWS IoT

Amazon Web Services

Related OSS Projects - Peter Rowe, Flexera Software

OpenStack

Driving Innovation with Containers - CON203 - re:Invent 2017

Amazon Web Services

CON203_Driving Innovation with Containers

Amazon Web Services

Containers on AWS - State of the Union - CON201 - re:Invent 2017

Amazon Web Services

SID302_Force Multiply Your Security Team with Automation and Alexa

Amazon Web Services

Easy and Scalable Log Analytics with Amazon Elasticsearch Service - ABD326 - ...

Amazon Web Services

- Applications generate logs. Infrastructure generates logs. Even humans generate logs (though we usually call that “medical data”). By ingesting and analyzing logs, you can gain understanding of how complex systems operate and quickly discover and diagnose when they don’t work as they should. In this workshop, we ingest and analyze log streams using Amazon Kinesis Firehose and Amazon Elasticsearch Service. You should come with an understanding of AWS fundamentals (Amazon EC2, Amazon S3, and security groups). You need a laptop with a Chrome or Firefox browser.

IOT311_Customer Stories of Things, Cloud, and Analytics on AWS

Amazon Web Services

Testing and Troubleshooting with AWS Device Farm - MBL301 - re:Invent 2017

Amazon Web Services

Testing your mobile app is important! In this session, learn about UI testing and how to build UI tests, then run the UI tests on a variety of mobile devices in the cloud. Learn how you can go completely device free by using devices in the cloud for your development. Also, learn about using tools like Appium and Jenkins as part of your testing and QA process. We use PWA and native apps in this session to show the difference.

The Open Sourcing of Infrastructure

All Things Open

This document discusses the history and future of open sourcing infrastructure. It describes how Linux and open source software grew from being seen as "cheap Unix" to becoming ubiquitous. Factors like the LAMP stack, concerns around vendor lock-in, and a need for greater automation drove more organizations to use open source options. Now open source powers much of modern infrastructure through tools like Docker, Kubernetes, and DC/OS. Going forward, the document advocates open sourcing entire infrastructure stacks to avoid vendor lock-in and allow for community ownership and contributions from anywhere.

Similar to Lightning talk owasp_top10in10 (20)

D3TLV17- Keeping it Safe

Adding the Sec to Your DevOps Pipelines

10 Lessons from 10 Years of AWS

Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...

ARC201_Scaling Up to Your First 10 Million Users

Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...

CIS14: Best Practices You Must Apply to Secure Your APIs

Security crawl walk run presentation mckay v1 2017

DEV325_Application Deployment Techniques for Amazon EC2 Workloads with AWS Co...

Keys to Successfully Monitoring and Optimizing Innovative and Sophisticated C...

IOT308-One Message to a Million Things Done in 60 seconds with AWS IoT

Related OSS Projects - Peter Rowe, Flexera Software

Driving Innovation with Containers - CON203 - re:Invent 2017

CON203_Driving Innovation with Containers

Containers on AWS - State of the Union - CON201 - re:Invent 2017

SID302_Force Multiply Your Security Team with Automation and Alexa

Easy and Scalable Log Analytics with Amazon Elasticsearch Service - ABD326 - ...

IOT311_Customer Stories of Things, Cloud, and Analytics on AWS

Testing and Troubleshooting with AWS Device Farm - MBL301 - re:Invent 2017

The Open Sourcing of Infrastructure

Recently uploaded

8 Best Automated Android App Testing Tool and Framework in 2024.pdf

kalichargn70th171

Webinar On-Demand: Using Flutter for Embedded

ICS

Flutter is a popular open source, cross-platform framework developed by Google. In this webinar we'll explore Flutter and its architecture, delve into the Flutter Embedder and Flutter’s Dart language, discover how to leverage Flutter for embedded device development, learn about Automotive Grade Linux (AGL) and its consortium and understand the rationale behind AGL's choice of Flutter for next-gen IVI systems. Don’t miss this opportunity to discover whether Flutter is right for your project.

Hand Rolled Applicative User ValidationCode Kata

Philip Schwarz

Could you use a simple piece of Scala validation code (granted, a very simplistic one too!) that you can rewrite, now and again, to refresh your basic understanding of Applicative operators <*>, <*, *>? The goal is not to write perfect code showcasing validation, but rather, to provide a small, rough-and ready exercise to reinforce your muscle-memory. Despite its grandiose-sounding title, this deck consists of just three slides showing the Scala 3 code to be rewritten whenever the details of the operators begin to fade away. The code is my rough and ready translation of a Haskell user-validation program found in a book called Finding Success (and Failure) in Haskell - Fall in love with applicative functors.

E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies

Quickdice ERP

SMS API Integration in Saudi Arabia| Best SMS API Service

Yara Milbes

Discover the benefits and implementation of SMS API integration in the UAE and Middle East. This comprehensive guide covers the importance of SMS messaging APIs, the advantages of bulk SMS APIs, and real-world case studies. Learn how CEQUENS, a leader in communication solutions, can help your business enhance customer engagement and streamline operations with innovative CPaaS, reliable SMS APIs, and omnichannel solutions, including WhatsApp Business. Perfect for businesses seeking to optimize their communication strategies in the digital age.

SQL Accounting Software Brochure Malaysia

GohKiangHock

How Can Hiring A Mobile App Development Company Help Your Business Grow?

ToXSL Technologies

Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf

VALiNTRY360

Salesforce Healthcare CRM, implemented by VALiNTRY360, revolutionizes patient management by enhancing patient engagement, streamlining administrative processes, and improving care coordination. Its advanced analytics, robust security, and seamless integration with telehealth services ensure that healthcare providers can deliver personalized, efficient, and secure patient care. By automating routine tasks and providing actionable insights, Salesforce Healthcare CRM enables healthcare providers to focus on delivering high-quality care, leading to better patient outcomes and higher satisfaction. VALiNTRY360's expertise ensures a tailored solution that meets the unique needs of any healthcare practice, from small clinics to large hospital systems. For more info visit us https://valintry360.com/solutions/health-life-sciences

Requirement Traceability in Xen Functional Safety

Ayan Halder

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

rodomar2

Artificia Intellicence and XPath Extension Functions

Octavian Nadolu

Microservice Teams - How the cloud changes the way we work

Sven Peters

A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams? Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.

Using Query Store in Azure PostgreSQL to Understand Query Performance

Grant Fritchey

Transform Your Communication with Cloud-Based IVR Solutions

TheSMSPoint

Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony

Vitthal Shirke Java Microservices Resume.pdf

Vitthal Shirke

LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM

lorraineandreiamcidl

Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...

XfilesPro

2024 eCommerceDays Toulouse - Sylius 2.0.pdf

Łukasz Chruściel

Introducing Crescat - Event Management Software for Venues, Festivals and Eve...

Crescat

Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry. Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events. With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use. Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements. If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io

WWDC 2024 Keynote Review: For CocoaCoders Austin

Patrick Weigel

Recently uploaded (20)

8 Best Automated Android App Testing Tool and Framework in 2024.pdf

Webinar On-Demand: Using Flutter for Embedded

Hand Rolled Applicative User ValidationCode Kata

E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies

SMS API Integration in Saudi Arabia| Best SMS API Service

SQL Accounting Software Brochure Malaysia

How Can Hiring A Mobile App Development Company Help Your Business Grow?

Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf

Requirement Traceability in Xen Functional Safety

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

Artificia Intellicence and XPath Extension Functions

Microservice Teams - How the cloud changes the way we work

Using Query Store in Azure PostgreSQL to Understand Query Performance

Transform Your Communication with Cloud-Based IVR Solutions

Vitthal Shirke Java Microservices Resume.pdf

LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM

Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...

2024 eCommerceDays Toulouse - Sylius 2.0.pdf

Introducing Crescat - Event Management Software for Venues, Festivals and Eve...

WWDC 2024 Keynote Review: For CocoaCoders Austin

Lightning talk owasp_top10in10

3. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 3 A1 - Injection Username: Password: admin myPassword select * from Users where user_id = ‘admin’ and password = ‘myPassword’ Username: Password: ‘ OR 1=1; -- myPassword select * from Users where user_id = ‘’ OR 1=1; -- and password = ‘myPassword’ <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo>

5. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 5 A2 - Broken Authentication and Session Management • http://example.com/sale/mycart?sessionid=abcd • http://internalcompanyHRservice.com/search?role=user • Cookie replay from valid session

6. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 6 A3 - Cross Site Scripting (XSS) • Client-side scripts interpreted by the end user <script>alert(‘Label XSSed’)</script> <script>alert(123)</script> <script>alert(document.cookie)</script>

8. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 8 A4 - Broken Access Controls • http://example.com/app/accountInfo?acct=notmyacct • https://example.com/auth • https://example.com/myprofile?action=updatepassword • https://example.com/admin

10. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 10 A6 - Sensitive Data Exposure • Look for stacktraces, relative or absolute directory structures, listings of running software and versions • User objects that include name, SSN, DoB, address… • IP addresses, usernames, and os information in source code • View page source

15. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 15 Summary – Good Security Testing • Send garbage input • Malicious content • Attempt to obfuscate to avoid detection • Try to break frameworks and processes • Do the unexpected • Play “What if” with the application • Assume a service or server is compromised and determine the impact

16. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 16 Supplemental Notes: Tools Mentioned • Static Analysis • SonarQube • HP Fortify • Sonatype CLM • OWASP Dependency Check • Dynamic Analysis: • sqlmap • Wfuzz • w3af • Burp Suite (Free or Professional) • OWASP Zed Attack Proxy • SOAP UI • ModSecurity • Wireshark • Contrast RASP

Editor's Notes

* The tools and processes I recommend are simply things which I have used on my projects or personal research which worked for me. There are many additional alternatives out there and I try to include both open source and commercial products. Intro into Coveros -> local software company who specializes in creating secure code and DevOps solutions Focus on tools, less on techniques. Not in depth -> list tools instead Ending -> now here is another related talk (Coveros presents) I will be available after the talk to answer some questions. And If you like what you heard here, please attend the talk X about Y… Before leaving for Japan, drop presentation onto Google drive in case Gene needs to take care of anything
What is the OWASP Top 10? It is a list of vulnerabilities created by security professionals to define the most critical security risks. There are multiple top 10 OWASP lists, but their flagship list is the OWASP Top 10 Most Critical Web Application Security Risks. This talk highlights the release candidate for 2017. Although this candidate was recently rejected, the vulnerabilities have not changed drastically throughout the years and the methods of detection and the tools used will provide a stronger security posture for your applications
Yeah. This slide is a little light. I’ve found a lot of issues with scanning tools and determining correctly if sql injection is possible and if so, how or what may be gained. Manual testing is important and you need to understand how SQL injection works, but the initial steps may be automated with a tool, such as Sqlmap. As the name implies, sqlmap focuses on sql injection attempts. To expand on the security tests performed, why not also use Wfuzz, a web application bruteforcing tool which attempts to find and exploit various known issues. In terms of xxe, that really requires an in depth knowledge of how data is stored and passed within the application.
The OWASP Zed Attack Proxy, or ZAP for short, and Burp Suite Professional will attempt to find available web pages and fuzz data entry points. However, a tool can only take you so far. You can also use Wfuzz or a similar tool. However, these are only an initial step. The tester must attempt to break the business logic of an application. Meaning the responsibility for testing this should fall on someone very familiar with the target application. Running a blind scan may be as detrimental as not running a scan at all. Manual testing scenarios: attempt to break password reset functions. Or login as an administrator, record the pages traversed and attempt to reach them as a lower privileged user
Mention obfuscation
This is the fist slide where I really highlight ZAP and Burp because it’s the first slide where they tend to do well. These tools attempt to find where injection may be possible, but I have found those instances to be full of false positives in identifying a legitimate SQL injection vulnerability as opposed to just a part of the application which interacts with the database. Likewise for broken authentication, I have found these tools can quickly iterate through known or common authentication issues, but that they are incapable of a deep dive into an underlying business logic flaw. These tools to tend to do a great job at identifying XSS instances and in iterating through a wide library of vulnerabilities to verify if they vulnerability is exploitable.
Formerly Insecure Direct Object References and Missing Function Level Access Control Much like authentication, tools, such as Burp and Zap attempt to break or identify weak access controls. These must also be supplemented with manual testing. Manual testing: I like running through 4 different steps to test access. Login as an administrator and browse to a critical file and perform an admin function Login as a regular user and attempt to access the file and admin function. Browse around to find a personal file for this account and perform a process unique to this user Login as another regular user, preferably with different credentials or access rights, and attempt to access the other regular user’s personal file and perform the process unique to that user. Also attempt to perform previously identified admin functions Access web app as an unauthenticated user. Attempt to reach and perform all of the above files and functions.
Use Nessus to check for default configurations For those familiar with the recent Equifax compromise, it came to light that in Argentina, their privileges accounts used admin/admin as its username/password.
It may not be returned in the gui, but review requests and responses to ensure data is not bleeding unnecessarily. Multipronged approach: static – sonarqube and fortify Dynamic – burp and zap and nikto and wireshark (bleeding sensitive data) Logging – splunk, This may be addressed by a two pronged approach. Review source code for objects containing sensitive data and check dynamically for sensitive data being used. Static analysis tools, such as SonarQube and HP Fortify will search within the code for potential vulnerabilities. Dynamic tools, such as Burp or ZAP will check for sensitive exposures in the deployed application. A logging or monitoring tool, such as Splunk, will alert on strings which appear to contain sensitive data based on regular expressions.
“Detection is ideal, but prevention is a must” There are countless Host and Network Intrusion Detection services. My only recommendation is to read all of the fine print of every contract and I’m not going down that rabbit hole right now. Since this is the OWASP talk, I’ll mention one of their flagship projects, ModSecurity. This is a versatile and useful method of detecting and preventing when malicious activity is detected. That being said, all you need is a simple network monitoring tool such as wireshark to review communication across your network and gain an understanding of what is expected. This can help you create a baseline and identify when any anomalous traffic is generated.
Blocked by using randomized tokens within body of request Burp and Zap can check for CSRF weaknesses. However, full exploitation and vulnerability assessments require manual review and testing. Issues I have observed which tools have failed to detect: csrf being constant throughout a session or the same for repeated sessions. Most tools will only check that a CSRF token exists. They do not track this value by default or perform sufficient testing to prove its predictability.
Sonatype CLM OWASP Dependency Check Contrast’s RASP Equifax with struts2 Wannacry and its many variations ransomware attacks through samba
New Category. This was rejected, but I have included it here because I routinely find this as a valid finding. Also, this is, in many ways, an extension of the old finding: Failure to restrict URL access. sSome of the endpoints I test have no validation performed on the passed user input. Not to be paranoid, but everything is connected. Soap UI

Lightning talk owasp_top10in10

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Similar to Lightning talk owasp_top10in10

Similar to Lightning talk owasp_top10in10 (20)

Recently uploaded

Recently uploaded (20)

Lightning talk owasp_top10in10

Editor's Notes