Lightning talk owasp_top10in10

•Download as PPTX, PDF•

1 like•604 views

Learn about the OWASP 10 and the changes for the 2017 version. A lot of material is included in this short 10 minute sprint.

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 1
Agility. Security. Delivered.
How to test for (the new)
OWASP Top 10 in 10 Minutes?
An all out sprint by Ben Pick

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 2

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 3
A1 - Injection
Username:
Password:
admin
myPassword
select * from Users where user_id = ‘admin’
and password = ‘myPassword’
Username:
Password:
‘ OR 1=1; --
myPassword
select * from Users where user_id = ‘’ OR 1=1; --
and password = ‘myPassword’
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 4
A1 - Injection, tools

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 5
A2 - Broken Authentication and Session
Management
• http://example.com/sale/mycart?sessionid=abcd
• http://internalcompanyHRservice.com/search?role=user
• Cookie replay from valid session

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 6
A3 - Cross Site Scripting (XSS)
• Client-side scripts interpreted by the end user
<script>alert(‘Label XSSed’)</script>
<script>alert(123)</script>
<script>alert(document.cookie)</script>

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 7
A3 – XSS, Tools

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 8
A4 - Broken Access Controls
• http://example.com/app/accountInfo?acct=notmyacct
• https://example.com/auth
• https://example.com/myprofile?action=updatepassword
• https://example.com/admin

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 9
A5 - Security Misconfigurations
• Look for default passwords!

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 10
A6 - Sensitive Data Exposure
• Look for stacktraces, relative or absolute directory structures, listings
of running software and versions
• User objects that include name, SSN, DoB, address…
• IP addresses, usernames, and os information in source code
• View page source

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 11
A7 – Insufficient Attack Protections
• Detect
• Prevent
• Patch

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 12
A8 - Cross Site Request Forgery
• www.bank.com/transfermymoney=-1000&toaccount=maliciousBen

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 13
A9 - Using issues with known vulnerabilities
• Vulnerable components = vulnerable application

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 14
A10 – Underprotected APIs
• http://www.example.com/supersecretendpoint?internalfile=notmine
• http://www.example.com/deleteaccount?acct=12345

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 15
Summary – Good Security Testing
• Send garbage input
• Malicious content
• Attempt to obfuscate to avoid detection
• Try to break frameworks and processes
• Do the unexpected
• Play “What if” with the application
• Assume a service or server is compromised and determine the impact

© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 16
Supplemental Notes: Tools Mentioned
• Static Analysis
• SonarQube
• HP Fortify
• Sonatype CLM
• OWASP Dependency Check
• Dynamic Analysis:
• sqlmap
• Wfuzz
• w3af
• Burp Suite (Free or Professional)
• OWASP Zed Attack Proxy
• SOAP UI
• ModSecurity
• Wireshark
• Contrast RASP

The document provides an overview of 10 steps for software security according to OWASP-Turkey. It introduces the author Bünyamin Demir and his background and experience in application security. It then discusses key aspects of OWASP and provides code examples for implementing input validation, sanitization, secure cookies, session management, CAPTCHA, path canonicalization, HTTPS, CSRF tokens, and prepared statements.

Storage Visibility for Operations - A Ceph Story

Debojyoti Dutta

Securing your EmberJS Application

Philippe De Ryck

This document discusses securing EmberJS applications. It begins by introducing the author and their background working on client-side web security. It then provides an overview of the topics covered, which include cross-site request forgery (CSRF), cross-site scripting (XSS), and content security policy (CSP). It explains the architecture of single-page applications like EmberJS applications. It also illustrates common web attacks like CSRF and XSS, and describes approaches to mitigate these attacks in EmberJS applications, including the use of tokens and CSP.

Demystfying secure certs

Gary Williams

This document discusses why HTTPS and secure certificates are important for websites. Some key points include: - HTTPS provides benefits like faster loading, improved SEO, and avoiding browser warnings. It also establishes trust with users. - Common excuses for not using certificates like small site size or not processing payments are invalid, as hackers automate attacks. - If a web server supports HTTP/2, HTTPS can be faster than HTTP. Tools like Chrome developer tools show the protocol used. - The process to implement HTTPS involves obtaining a certificate, updating server configurations, and ensuring proper security is configured. - Resources like Let's Encrypt and Qualsys tools can help simplify certificate management and test security configurations. Maint

D3TLV17- You have Incapsula...now what?

Imperva Incapsula

The document discusses how the Incapsula support team can help customers who have purchased Incapsula services. It outlines several ways the support team can be contacted, including via a support website, email, or phone. It also describes resources available to customers like knowledge base articles, training courses, and status pages. The document notes there are standard and premium support options with different response times and update intervals. It highlights that emergency escalation is available by phone and identifies enhanced support programs like managed services and technical account managers.

Best Security Practices in the Intelligence Community - SID214 - re:Invent 2017

Amazon Web Services

Executives from the Intelligence community discuss cloud security best practices in a field where security is imperative to operations. Security Cloud Chief John Nicely and Deputy Chief of Cyber Integration Scott Kaplan share success stories of migrating mass data to the cloud from a security perspective. Hear how they migrated their IT portfolios while managing their organizations' unique blend of constraints, budget issues, politics, culture, and security pressures. Learn how these institutions overcame barriers to migration, and ask these panelists what actions you can take to better prepare yourself for the journey of mass migration to the cloud.

The document provides an introduction to secure coding in Java. It discusses the Open Web Application Security Project (OWASP) and its mission to improve software security. It then covers 10 simple principles for writing secure code, such as input validation, output encoding, and parameterized queries. Examples of SQL injection and LDAP injection vulnerabilities are shown, along with ways to avoid them through parameterization and input sanitization. The importance of using security mechanisms from trusted libraries rather than reimplementing them is also stressed.

Csp july2015

n|u - The Open Security Community

This document discusses Content Security Policy (CSP), which defines an HTTP header to whitelist approved sources of content like scripts to prevent XSS attacks. It describes how CSP directives like script-src restrict where code can be loaded from to enhance security. The speaker then demonstrates how to construct CSP policies and explains options like 'unsafe-inline' that disable the protection CSP is meant to provide. In the end, resources on CSP that informed the presentation are listed.

A CISO’s Journey at Vonage: Achieving Unified Security at Scale - SID210 - re...

Amazon Web Services

Making sense of the risks of IT deployments that sit in hybrid environments and span multiple countries is a major challenge. When you add in multiple toolsets, and global compliance requirements, including GDPR, it can get overwhelming. Listen to Vonage’s Chief Information Security Officer, Johan Hybinette, share his experiences tackling these challenges. Vonage is an established leader with 15 years of experience providing residential and business communications solutions in global markets. With a robust solution for end users, solutions offered by Vonage require a sophisticated, reliable technology stack—that technology is spread between on-premises and AWS Cloud environments. Johan shares lessons learned to achieve a successful and secure cloud deployment. How does GDPR impact a multinational hybrid deployment? Can security drive tool adoption among developers? What’s a practical approach to maintaining flexibility and a rapid pace of innovation, while providing world-class security for your customer? Get answers to all these questions and a jumpstart on your challenges from an industry leader. Session sponsored by Trend Micro Incorporated

SSL Pinning and Bypasses: Android and iOS

Anant Shrivastava

A Risk-Based Mobile App Security Testing Strategy

NowSecure

Originally presented on September 19, 2018 Given the volume and velocity of mobile apps, there simply aren’t enough resources to test them all in the same manner. There has to be a better way. NowSecure introduces a new framework to help organizations craft a Risk-Based Mobile App Security Testing strategy. Watch the presentation here: https://www.nowsecure.com/webinars/a-risk-based-mobile-app-security-testing-strategy/

D3TLV17- Keeping it Safe

Imperva Incapsula

Adding the Sec to Your DevOps Pipelines

Amazon Web Services

DevSecOps is the premise that everyone in the software development lifecycle is responsible for security. DevSecOps aims to embed security in every part of the development process. In this *workshop*, participants explore taking a standard CI/CD pipeline and adding security stages to improve security posture. Learn how to use AWS CodeCommit and AWS CodePipeline to build and publish golden AMI images. Also, learn how to modify pipeline flow to add security test cases. You also have to opportunity to perform CVE analysis and code analysis using Amazon Inspector and perform observational container analysis using Amazon GuardDuty.

10 Lessons from 10 Years of AWS

Adrian Hornsby

Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...

Amazon Web Services

ARC201_Scaling Up to Your First 10 Million Users

Amazon Web Services

Cloud computing gives you a number of advantages, such as the ability to scale your web application or website on demand. If you have a new web application and want to use cloud computing, you might be asking yourself, "Where do I start?" Join us in this session to understand best practices for scaling your resources from one to millions of users. We show you how to best combine different AWS services, how to make smarter decisions for architecting your application, and how to scale your infrastructure in the cloud.

Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...

Amazon Web Services

Managing AWS and hybrid environments securely and safely while having actionable insights is an operational priority and business driver for all customers. Using SSH or RDP sessions could lead to unintended or malicious outcomes with no traceability. Learn to use Amazon EC2 Systems Manager to improve your security posture, automate at scale, and minimize application downtime for both Windows and Linux workloads. Easily author configurations to automate your infrastructure without SSH access, and control the blast radius of configuration changes. Get a cross-account and cross-region view of what’s installed and running on your servers or instances. Learn to use Systems Manager to securely store, manage, and retrieve secrets. You can also run patch compliance checks on the fleet to react to malware and vulnerabilities within minutes, while still providing granular control to users with different privilege levels and full auditability. You will hear from FINRA, the Financial Industry Regulatory Authority, on how they use Systems Manager to safely manage their Enterprise environment.

CIS14: Best Practices You Must Apply to Secure Your APIs

CloudIDSummit

Security crawl walk run presentation mckay v1 2017

Adam Tice

DEV325_Application Deployment Techniques for Amazon EC2 Workloads with AWS Co...

Amazon Web Services

We’ve seen companies like fast-growing startups and large enterprises adopt and evolve strategies to optimize their application deployment to Amazon EC2. Some AWS customers perform in-place updates across their servers. Some perform blue-green deployments to newly provisioned servers. In this session, we’ll share the advantages of each approach and talk about the scenarios in which you should choose one over the other. We will also demonstrate how to perform auto-scaling and auto-rollback for deployments.

Keys to Successfully Monitoring and Optimizing Innovative and Sophisticated C...

Amazon Web Services

AWS enables companies to build innovative cloud applications combining technologies like Alexa, AWS IoT, and AWS Lambda with enterprise-scale, microservice backends. After these applications move into production, there are teams responsible for monitoring all components and providing insights needed to optimize the customer experience. In this session, we share an easy-to-apply framework to build all components successfully to get the answers needed to run and improve every application, no matter how complicated. First, we lay the foundation with powerful tools in the AWS ecosystem like Amazon CloudWatch, AWS CloudTrail, and AWS X-Ray. Then, we complement these insights with approaches for monitoring frontend web and mobile performance and behavior, eventually extending into IoT devices. Finally, we show how to derive actionable insights from all the gathered data and integrate it into enterprise-grade monitoring platforms. Session sponsored by Dynatrace

IOT308-One Message to a Million Things Done in 60 seconds with AWS IoT

Amazon Web Services

The AWS IoT message broker is a fully managed publish/subscribe broker service that enables the sending and receiving of messages between devices and applications with high speed and reliability. In this session, learn about the common AWS IoT messaging patterns and dive deep into understanding the scaling best practices while using these patterns in applications. In addition, Amazon Music talks about how they used AWS IoT to build event notifications of soccer games in their applications for our customers.

Related OSS Projects - Peter Rowe, Flexera Software

OpenStack

Audience Level Intermediate Synopsis Today’s fast-paced development environment has changed the compliance landscape. Many software projects consist of more than 50% Open Source Software (OSS) components, but as much as 99% are undocumented, increasing the complexities of managing your company’s software compliance process. Of particular concern is “Zombie software”, or software that is outdated and contains vulnerable versions of certain components. Zombies can live in your code forever if you’re not aware of them. The acceleration of modern development lifecycles and the breakdown of an undocumented software supply chain have opened up new pathways for zombies to enter your software – leaving you exposed to security threats. This presentation discusses best practices for implementing an Open Source Software management strategy that covers common pitfalls and commercial licence issues as well as the optimal way to track and eliminate the risks associated with Zombies! Speaker Bio: Involved in and around IT development for over 20 years, starting as a web developer using NotePad in 1995 when the most exciting thing online was Sun’s animated Java coffee cup, through Numega Pre-Sales selling BoundsChecker and now into the brave, new World of Open Source and software composition analysis.

Driving Innovation with Containers - CON203 - re:Invent 2017

Amazon Web Services

Containers allow you to easily package an application's code, configurations, and dependencies into easy to use building blocks that deliver environmental consistency, operational efficiency, developer productivity, and version control. But how can developers leverage containers to drive innovation for their applications, their team, and organization? In this session, Asif Khan Technical Business Manager for AWS will discuss how containers are becoming a new cloud native compute primitive, and how your organization can use containers as a building block to accelerate innovation. WeWork's Christopher Tava, Joshua Davis, and OpsLine's Radek Wierzbicki will show how they adopted containers as discipline in code development, and how they refactored their production architecture into containers running on Amazon ECS in under 8 months.

CON203_Driving Innovation with Containers

Amazon Web Services

"Containers allow you to easily package an application's code, configurations, and dependencies into easy to use building blocks that deliver environmental consistency, operational efficiency, developer productivity, and version control. But how can developers leverage containers to drive innovation for their applications, their team, and organization? In this session, Asif Khan Technical Business Manager for AWS will discuss how containers are becoming a new cloud native compute primitive, and how your organization can use containers as a building block to accelerate innovation. WeWork's Christopher Tava, Joshua Davis, and OpsLine's Radek Wierzbicki will show how they adopted containers as discipline in code development, and how they refactored their production architecture into containers running on Amazon ECS in under 8 months."

Containers on AWS - State of the Union - CON201 - re:Invent 2017

Amazon Web Services

Just over four years after the first public release of Docker, and three years to the day after the launch of Amazon EC2 Container Service, the use of containers has surged to run a significant percentage of production workloads at startups and enterprise organizations. Join Deepak Singh, General Manager of Amazon Container Services, as we cover the state of containerized application development and deployment trends, new container capabilities on AWS that are available now, options for running containerized applications on AWS, and how AWS customers successfully run container workloads in production.

SID302_Force Multiply Your Security Team with Automation and Alexa

Amazon Web Services

Adversaries automate. Who says the good guys can't as well? By combining AWS offerings like AWS CloudTrail, Amazon Cloudwatch, AWS Config, and AWS Lambda with the power of Amazon Alexa, you can do more security tasks faster, with fewer resources. Force multiplying your security team is all about automation! Last year, we showed off penetration testing at the push of an (AWS IoT) button, and surprise-previewed how to ask Alexa to run Inspector as-needed. Want to see other ways to ask Alexa to be your cloud security sidekick? We have crazy new demos at the ready to show security geeks how to sling security automation solutions for their AWS environments (and impress and help your boss, too).

What's hot

Nexus Protocol Gateway and BYOD

Samuel Erdtman

Secure Coding For Java - Une introduction

Sebastien Gioria

Csp july2015

n|u - The Open Security Community

A CISO’s Journey at Vonage: Achieving Unified Security at Scale - SID210 - re...

Amazon Web Services

SSL Pinning and Bypasses: Android and iOS

Anant Shrivastava

A Risk-Based Mobile App Security Testing Strategy

NowSecure

What's hot (6)

Nexus Protocol Gateway and BYOD

Secure Coding For Java - Une introduction

Csp july2015

A CISO’s Journey at Vonage: Achieving Unified Security at Scale - SID210 - re...

SSL Pinning and Bypasses: Android and iOS

A Risk-Based Mobile App Security Testing Strategy

Similar to Lightning talk owasp_top10in10

D3TLV17- Keeping it Safe

Imperva Incapsula

Adding the Sec to Your DevOps Pipelines

Amazon Web Services

10 Lessons from 10 Years of AWS

Adrian Hornsby

Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...

Amazon Web Services

ARC201_Scaling Up to Your First 10 Million Users

Amazon Web Services

Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...

Amazon Web Services

CIS14: Best Practices You Must Apply to Secure Your APIs

CloudIDSummit

Security crawl walk run presentation mckay v1 2017

Adam Tice

DEV325_Application Deployment Techniques for Amazon EC2 Workloads with AWS Co...

Amazon Web Services

Keys to Successfully Monitoring and Optimizing Innovative and Sophisticated C...

Amazon Web Services

IOT308-One Message to a Million Things Done in 60 seconds with AWS IoT

Amazon Web Services

Related OSS Projects - Peter Rowe, Flexera Software

OpenStack

Driving Innovation with Containers - CON203 - re:Invent 2017

Amazon Web Services

CON203_Driving Innovation with Containers

Amazon Web Services

Containers on AWS - State of the Union - CON201 - re:Invent 2017

Amazon Web Services

SID302_Force Multiply Your Security Team with Automation and Alexa

Amazon Web Services

Easy and Scalable Log Analytics with Amazon Elasticsearch Service - ABD326 - ...

Amazon Web Services

- Applications generate logs. Infrastructure generates logs. Even humans generate logs (though we usually call that “medical data”). By ingesting and analyzing logs, you can gain understanding of how complex systems operate and quickly discover and diagnose when they don’t work as they should. In this workshop, we ingest and analyze log streams using Amazon Kinesis Firehose and Amazon Elasticsearch Service. You should come with an understanding of AWS fundamentals (Amazon EC2, Amazon S3, and security groups). You need a laptop with a Chrome or Firefox browser.

IOT311_Customer Stories of Things, Cloud, and Analytics on AWS

Amazon Web Services

Testing and Troubleshooting with AWS Device Farm - MBL301 - re:Invent 2017

Amazon Web Services

Testing your mobile app is important! In this session, learn about UI testing and how to build UI tests, then run the UI tests on a variety of mobile devices in the cloud. Learn how you can go completely device free by using devices in the cloud for your development. Also, learn about using tools like Appium and Jenkins as part of your testing and QA process. We use PWA and native apps in this session to show the difference.

The Open Sourcing of Infrastructure

All Things Open

This document discusses the history and future of open sourcing infrastructure. It describes how Linux and open source software grew from being seen as "cheap Unix" to becoming ubiquitous. Factors like the LAMP stack, concerns around vendor lock-in, and a need for greater automation drove more organizations to use open source options. Now open source powers much of modern infrastructure through tools like Docker, Kubernetes, and DC/OS. Going forward, the document advocates open sourcing entire infrastructure stacks to avoid vendor lock-in and allow for community ownership and contributions from anywhere.

Similar to Lightning talk owasp_top10in10 (20)

D3TLV17- Keeping it Safe

Adding the Sec to Your DevOps Pipelines

10 Lessons from 10 Years of AWS

Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...

ARC201_Scaling Up to Your First 10 Million Users

Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...

CIS14: Best Practices You Must Apply to Secure Your APIs

Security crawl walk run presentation mckay v1 2017

DEV325_Application Deployment Techniques for Amazon EC2 Workloads with AWS Co...

Keys to Successfully Monitoring and Optimizing Innovative and Sophisticated C...

IOT308-One Message to a Million Things Done in 60 seconds with AWS IoT

Related OSS Projects - Peter Rowe, Flexera Software

Driving Innovation with Containers - CON203 - re:Invent 2017

CON203_Driving Innovation with Containers

Containers on AWS - State of the Union - CON201 - re:Invent 2017

SID302_Force Multiply Your Security Team with Automation and Alexa

Easy and Scalable Log Analytics with Amazon Elasticsearch Service - ABD326 - ...

IOT311_Customer Stories of Things, Cloud, and Analytics on AWS

Testing and Troubleshooting with AWS Device Farm - MBL301 - re:Invent 2017

The Open Sourcing of Infrastructure

Recently uploaded

ALGIT - Assembly Line for Green IT - Numbers, Data, Facts

Green Software Development

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions

Peter Muessig

The UI5 tooling is the development and build tooling of UI5. It is built in a modular and extensible way so that it can be easily extended by your needs. This session will showcase various tooling extensions which can boost your development experience by far so that you can really work offline, transpile your code in your project to use even newer versions of EcmaScript (than 2022 which is supported right now by the UI5 tooling), consume any npm package of your choice in your project, using different kind of proxies, and even stitching UI5 projects during development together to mimic your target environment.

Energy consumption of Database Management - Florina Jonuzi

Green Software Development

How Can Hiring A Mobile App Development Company Help Your Business Grow?

ToXSL Technologies

UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem

Peter Muessig

Microservice Teams - How the cloud changes the way we work

Sven Peters

A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams? Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.

原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样

mz5nrf0n

原版一模一样【微信：741003700 】【美国纽约州立大学奥尔巴尼分校毕业证学位证书】【微信：741003700 】学位证，留信认证（真实可查，永久存档）offer、雅思、外壳等材料/诚信可靠,可直接看成品样本，帮您解决无法毕业带来的各种难题！外壳，原版制作，诚信可靠，可直接看成品样本。行业标杆！精益求精，诚心合作，真诚制作！多年品质 ,按需精细制作，24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题，包您满意。本公司拥有海外各大学样板无数，能完美还原海外各大学 Bachelor Diploma degree, Master Degree Diploma 1:1完美还原海外各大学毕业材料上的工艺：水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700 留信网认证的作用: 1:该专业认证可证明留学生真实身份 2:同时对留学生所学专业登记给予评定 3:国家专业人才认证中心颁发入库证书 4:这个认证书并且可以归档倒地方 5:凡事获得留信网入网的信息将会逐步更新到个人身份内，将在公安局网内查询个人身份证信息后，同步读取人才网入库信息 6:个人职称评审加20分 7:个人信誉贷款加10分 8:在国家人才网主办的国家网络招聘大会中纳入资料，供国家高端企业选择人才

Transform Your Communication with Cloud-Based IVR Solutions

TheSMSPoint

Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony

openEuler Case Study - The Journey to Supply Chain Security

Shane Coughlan

WWDC 2024 Keynote Review: For CocoaCoders Austin

Patrick Weigel

Need for Speed: Removing speed bumps from your Symfony projects ⚡️

Łukasz Chruściel

No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception. In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed. We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Neo4j

Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf

VALiNTRY360

Salesforce Healthcare CRM, implemented by VALiNTRY360, revolutionizes patient management by enhancing patient engagement, streamlining administrative processes, and improving care coordination. Its advanced analytics, robust security, and seamless integration with telehealth services ensure that healthcare providers can deliver personalized, efficient, and secure patient care. By automating routine tasks and providing actionable insights, Salesforce Healthcare CRM enables healthcare providers to focus on delivering high-quality care, leading to better patient outcomes and higher satisfaction. VALiNTRY360's expertise ensures a tailored solution that meets the unique needs of any healthcare practice, from small clinics to large hospital systems. For more info visit us https://valintry360.com/solutions/health-life-sciences

Using Xen Hypervisor for Functional Safety

Ayan Halder

Requirement Traceability in Xen Functional Safety

Ayan Halder

Odoo ERP Vs. Traditional ERP Systems – A Comparative Analysis

Envertis Software Solutions

When it is all about ERP solutions, companies typically meet their needs with common ERP solutions like SAP, Oracle, and Microsoft Dynamics. These big players have demonstrated that ERP systems can be either simple or highly comprehensive. This remains true today, but there are new factors to consider, including a promising new contender in the market that’s Odoo. This blog compares Odoo ERP with traditional ERP systems and explains why many companies now see Odoo ERP as the best choice. What are ERP Systems? An ERP, or Enterprise Resource Planning, system provides your company with valuable information to help you make better decisions and boost your ROI. You should choose an ERP system based on your company’s specific needs. For instance, if you run a manufacturing or retail business, you will need an ERP system that efficiently manages inventory. A consulting firm, on the other hand, would benefit from an ERP system that enhances daily operations. Similarly, eCommerce stores would select an ERP system tailored to their needs. Because different businesses have different requirements, ERP system functionalities can vary. Among the various ERP systems available, Odoo ERP is considered one of the best in the ERp market with more than 12 million global users today. Odoo is an open-source ERP system initially designed for small to medium-sized businesses but now suitable for a wide range of companies. Odoo offers a scalable and configurable point-of-sale management solution and allows you to create customised modules for specific industries. Odoo is gaining more popularity because it is built in a way that allows easy customisation, has a user-friendly interface, and is affordable. Here, you will cover the main differences and get to know why Odoo is gaining attention despite the many other ERP systems available in the market.

Introducing Crescat - Event Management Software for Venues, Festivals and Eve...

Crescat

Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry. Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events. With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use. Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements. If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io

OpenMetadata Community Meeting - 5th June 2024

OpenMetadata

The OpenMetadata Community Meeting was held on June 5th, 2024. In this meeting, we discussed about the data quality capabilities that are integrated with the Incident Manager, providing a complete solution to handle your data observability needs. Watch the end-to-end demo of the data quality features. * How to run your own data quality framework * What is the performance impact of running data quality frameworks * How to run the test cases in your own ETL pipelines * How the Incident Manager is integrated * Get notified with alerts when test cases fail Watch the meeting recording here - https://www.youtube.com/watch?v=UbNOje0kf6E

UI5con 2024 - Bring Your Own Design System

Peter Muessig

How do you combine the OpenUI5/SAPUI5 programming model with a design system that makes its controls available as Web Components? Since OpenUI5/SAPUI5 1.120, the framework supports the integration of any Web Components. This makes it possible, for example, to natively embed own Web Components of your design system which are created with Stencil. The integration embeds the Web Components in a way that they can be used naturally in XMLViews, like with standard UI5 controls, and can be bound with data binding. Learn how you can also make use of the Web Components base class in OpenUI5/SAPUI5 to also integrate your Web Components and get inspired by the solution to generate a custom UI5 library providing the Web Components control wrappers for the native ones.

Atelier - Innover avec l’IA Générative et les graphes de connaissances

Neo4j

Atelier - Innover avec l’IA Générative et les graphes de connaissances Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement. Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.

Recently uploaded (20)

ALGIT - Assembly Line for Green IT - Numbers, Data, Facts

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions

Energy consumption of Database Management - Florina Jonuzi

How Can Hiring A Mobile App Development Company Help Your Business Grow?

UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem

Microservice Teams - How the cloud changes the way we work

原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样

Transform Your Communication with Cloud-Based IVR Solutions

openEuler Case Study - The Journey to Supply Chain Security

WWDC 2024 Keynote Review: For CocoaCoders Austin

Need for Speed: Removing speed bumps from your Symfony projects ⚡️

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf

Using Xen Hypervisor for Functional Safety

Requirement Traceability in Xen Functional Safety

Odoo ERP Vs. Traditional ERP Systems – A Comparative Analysis

Introducing Crescat - Event Management Software for Venues, Festivals and Eve...

OpenMetadata Community Meeting - 5th June 2024

UI5con 2024 - Bring Your Own Design System

Atelier - Innover avec l’IA Générative et les graphes de connaissances

Lightning talk owasp_top10in10

3. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 3 A1 - Injection Username: Password: admin myPassword select * from Users where user_id = ‘admin’ and password = ‘myPassword’ Username: Password: ‘ OR 1=1; -- myPassword select * from Users where user_id = ‘’ OR 1=1; -- and password = ‘myPassword’ <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo>

5. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 5 A2 - Broken Authentication and Session Management • http://example.com/sale/mycart?sessionid=abcd • http://internalcompanyHRservice.com/search?role=user • Cookie replay from valid session

6. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 6 A3 - Cross Site Scripting (XSS) • Client-side scripts interpreted by the end user <script>alert(‘Label XSSed’)</script> <script>alert(123)</script> <script>alert(document.cookie)</script>

8. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 8 A4 - Broken Access Controls • http://example.com/app/accountInfo?acct=notmyacct • https://example.com/auth • https://example.com/myprofile?action=updatepassword • https://example.com/admin

10. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 10 A6 - Sensitive Data Exposure • Look for stacktraces, relative or absolute directory structures, listings of running software and versions • User objects that include name, SSN, DoB, address… • IP addresses, usernames, and os information in source code • View page source

15. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 15 Summary – Good Security Testing • Send garbage input • Malicious content • Attempt to obfuscate to avoid detection • Try to break frameworks and processes • Do the unexpected • Play “What if” with the application • Assume a service or server is compromised and determine the impact

16. © COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 16 Supplemental Notes: Tools Mentioned • Static Analysis • SonarQube • HP Fortify • Sonatype CLM • OWASP Dependency Check • Dynamic Analysis: • sqlmap • Wfuzz • w3af • Burp Suite (Free or Professional) • OWASP Zed Attack Proxy • SOAP UI • ModSecurity • Wireshark • Contrast RASP

Editor's Notes

* The tools and processes I recommend are simply things which I have used on my projects or personal research which worked for me. There are many additional alternatives out there and I try to include both open source and commercial products. Intro into Coveros -> local software company who specializes in creating secure code and DevOps solutions Focus on tools, less on techniques. Not in depth -> list tools instead Ending -> now here is another related talk (Coveros presents) I will be available after the talk to answer some questions. And If you like what you heard here, please attend the talk X about Y… Before leaving for Japan, drop presentation onto Google drive in case Gene needs to take care of anything
What is the OWASP Top 10? It is a list of vulnerabilities created by security professionals to define the most critical security risks. There are multiple top 10 OWASP lists, but their flagship list is the OWASP Top 10 Most Critical Web Application Security Risks. This talk highlights the release candidate for 2017. Although this candidate was recently rejected, the vulnerabilities have not changed drastically throughout the years and the methods of detection and the tools used will provide a stronger security posture for your applications
Yeah. This slide is a little light. I’ve found a lot of issues with scanning tools and determining correctly if sql injection is possible and if so, how or what may be gained. Manual testing is important and you need to understand how SQL injection works, but the initial steps may be automated with a tool, such as Sqlmap. As the name implies, sqlmap focuses on sql injection attempts. To expand on the security tests performed, why not also use Wfuzz, a web application bruteforcing tool which attempts to find and exploit various known issues. In terms of xxe, that really requires an in depth knowledge of how data is stored and passed within the application.
The OWASP Zed Attack Proxy, or ZAP for short, and Burp Suite Professional will attempt to find available web pages and fuzz data entry points. However, a tool can only take you so far. You can also use Wfuzz or a similar tool. However, these are only an initial step. The tester must attempt to break the business logic of an application. Meaning the responsibility for testing this should fall on someone very familiar with the target application. Running a blind scan may be as detrimental as not running a scan at all. Manual testing scenarios: attempt to break password reset functions. Or login as an administrator, record the pages traversed and attempt to reach them as a lower privileged user
Mention obfuscation
This is the fist slide where I really highlight ZAP and Burp because it’s the first slide where they tend to do well. These tools attempt to find where injection may be possible, but I have found those instances to be full of false positives in identifying a legitimate SQL injection vulnerability as opposed to just a part of the application which interacts with the database. Likewise for broken authentication, I have found these tools can quickly iterate through known or common authentication issues, but that they are incapable of a deep dive into an underlying business logic flaw. These tools to tend to do a great job at identifying XSS instances and in iterating through a wide library of vulnerabilities to verify if they vulnerability is exploitable.
Formerly Insecure Direct Object References and Missing Function Level Access Control Much like authentication, tools, such as Burp and Zap attempt to break or identify weak access controls. These must also be supplemented with manual testing. Manual testing: I like running through 4 different steps to test access. Login as an administrator and browse to a critical file and perform an admin function Login as a regular user and attempt to access the file and admin function. Browse around to find a personal file for this account and perform a process unique to this user Login as another regular user, preferably with different credentials or access rights, and attempt to access the other regular user’s personal file and perform the process unique to that user. Also attempt to perform previously identified admin functions Access web app as an unauthenticated user. Attempt to reach and perform all of the above files and functions.
Use Nessus to check for default configurations For those familiar with the recent Equifax compromise, it came to light that in Argentina, their privileges accounts used admin/admin as its username/password.
It may not be returned in the gui, but review requests and responses to ensure data is not bleeding unnecessarily. Multipronged approach: static – sonarqube and fortify Dynamic – burp and zap and nikto and wireshark (bleeding sensitive data) Logging – splunk, This may be addressed by a two pronged approach. Review source code for objects containing sensitive data and check dynamically for sensitive data being used. Static analysis tools, such as SonarQube and HP Fortify will search within the code for potential vulnerabilities. Dynamic tools, such as Burp or ZAP will check for sensitive exposures in the deployed application. A logging or monitoring tool, such as Splunk, will alert on strings which appear to contain sensitive data based on regular expressions.
“Detection is ideal, but prevention is a must” There are countless Host and Network Intrusion Detection services. My only recommendation is to read all of the fine print of every contract and I’m not going down that rabbit hole right now. Since this is the OWASP talk, I’ll mention one of their flagship projects, ModSecurity. This is a versatile and useful method of detecting and preventing when malicious activity is detected. That being said, all you need is a simple network monitoring tool such as wireshark to review communication across your network and gain an understanding of what is expected. This can help you create a baseline and identify when any anomalous traffic is generated.
Blocked by using randomized tokens within body of request Burp and Zap can check for CSRF weaknesses. However, full exploitation and vulnerability assessments require manual review and testing. Issues I have observed which tools have failed to detect: csrf being constant throughout a session or the same for repeated sessions. Most tools will only check that a CSRF token exists. They do not track this value by default or perform sufficient testing to prove its predictability.
Sonatype CLM OWASP Dependency Check Contrast’s RASP Equifax with struts2 Wannacry and its many variations ransomware attacks through samba
New Category. This was rejected, but I have included it here because I routinely find this as a valid finding. Also, this is, in many ways, an extension of the old finding: Failure to restrict URL access. sSome of the endpoints I test have no validation performed on the passed user input. Not to be paranoid, but everything is connected. Soap UI

Lightning talk owasp_top10in10

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Similar to Lightning talk owasp_top10in10

Similar to Lightning talk owasp_top10in10 (20)

Recently uploaded

Recently uploaded (20)

Lightning talk owasp_top10in10

Editor's Notes