OWASP Top 10 Most Critical Web Application Security Risks
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code. More info at: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Impress your security team and avoid becoming a cautionary tale! Security needs to come first, but how? What do you do if you're not a security expert? From secure development to dealing with cloud-native infrastructure, and being ready for trouble, this presentation will help you feel secure.
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av..., by Cristian Garcia G.
Today, most of the traffic reaching companies' web applications is SSL traffic, so there are different options for addressing the problem of visibility and control of encrypted traffic: trust all SSL traffic and let it pass uninspected, or increase the capacity of the security devices. Which path to take?
No less important are all those attacks that reach the company's core applications from actors seeking to put its integrity, availability and security at risk, for example bots and DDoS attacks.
Are you protected against advanced threats?
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R..., by Sounil Yu
The Cyber Defense Matrix enables organizations to define clear categories for the range of products and services that are available in the marketplace to solve our various infosec problems. This model removes confusion around the security technologies that we buy and helps organizations align their vendors to have the right suite of capabilities to execute their information security mission.
See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded
See the 2022 version at: http://bit.ly/cyberdefensematrixrevolutions
Gartner recently released a report on IT security priorities for the remainder of 2014. Amongst respondents, network security, application security, endpoint security, and security services all ranked highly.
Together with our event partners Cisco, F5, and Bromium, Scalar brings you solutions to these problems, as well as a full presentation on our managed security services portfolio.
The top two attack vectors for malware are email and web browsers. Watering-hole attacks conceal malware on member-based sites, and phishing scams can target individuals with personal details. This PPT describes a different security approach to protect against these threats while achieving business growth, efficiency and lowered expenses. The presentation features Cisco Email, Web and Cloud Web Security and covers basic features, offers, benefits, newest features and product integrations. Watch the webinar: http://cs.co/9004BGqvy
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat..., by PROIDEA
As the SOC Manager with Cisco Active Threat Analytics (ATA), Gawel is responsible for building, growing and operating Cisco Managed Security Services SOC in Krakow, Poland and Tokyo, Japan.
Before that, Gawel spent half a decade in various Architect and Consulting Security roles at Cisco. He holds numerous industry certificates, including CCIE #24987, CISSP-ISSAP, CISA, C|EH and SFCE. Gawel is a frequent speaker at IT events, such as Cisco Live! Europe/Australia, PLNOG, EuroNOG, Security B-Sides, CONFidence, Cisco Connect, Cisco Expo and Cisco Forum.
Before Gawel joined Cisco, he was a UNIX System Administrator and a Systems Engineer with one of the leading system integrators in Poland. He was also a Cisco Networking Academy Instructor. Gawel graduated from Warsaw University of Technology with a degree in Telecommunications.
Top Application Security Trends of 2012, by DaveEdwards12
Learn about the major risks to Cloud and Web-based Applications. What are their weaknesses? How can you deploy them more confidently and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers? Application Security has become one of the top priorities of CIOs, CSOs and IT staff in 2012. Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to secure your applications.
Due to fast-growing mobile application trends and business competition, the lack of security awareness in mobile development has become a critical issue that may lead to reputation damage, financial loss and non-compliance (e.g. with privacy and cybersecurity laws). It's time to focus on Mobile Defense-in-Dev(Depth)!
The talk will present real-world case studies of mobile application threats together with cybersecurity risk mitigation using secure development standards and guidelines, which should be integrated into the development process.
Scalar Security Roadshow - Vancouver Presentation, by Scalar Decisions
Gartner recently released a report on IT security priorities for the remainder of 2014. Amongst respondents, network security, application security, endpoint security, and security services all ranked highly. In this quick-fire, half-day roadshow, Scalar brings you solutions to these problems from three of our most strategic security vendors, as well as a full presentation on our managed security services portfolio.
We at Kaspersky Lab believe that the online world should be free from attacks and state-sponsored espionage. And we've been standing by this belief for over 20 years, catching all kinds of cyberthreats, regardless of their origin.
Learn more about our principles of fighting cyberthreats and transparency from this brochure or on our web-site: https://www.kaspersky.com/about/transparency
This is an update to the Cyber Defense Matrix briefing given at the 2019 RSA Conference. Cybersecurity practitioners can use this to organize vendors, find gaps in security portfolios, understand how to organize security measurements, prioritize investments, minimize business impact, visualize attack surfaces, align other existing frameworks, and gain a fuller understanding of the entire space of cybersecurity.
We will present the details of Cisco's 2016 Annual Security Report with emphasis on the Canadian landscape. The Cisco 2016 Annual Security Report presents research, insights, and perspectives from Cisco Security Research and highlights the challenges that defenders face in detecting and blocking attackers who employ a rich and ever-changing arsenal of tools. The report also includes research from external experts, such as Level 3 Threat Research Labs, to help shed more light on current threat trends. We take a close look at data compiled by Cisco researchers to show changes over time, provide insights on what this data means, and explain how security professionals should respond to threats.
Ransomware has emerged as a major epidemic for businesses and consumers. Every day we encounter thousands of malicious samples related to ransomware, ranging from executable files and script downloaders to malicious documents with macros.
Threat actors use different techniques to infect victims, from the simplest, such as an executable file attached to an email message, to the most difficult, such as a drive-by attack with exploits (even zero-days!).
We found something new emerging in 2016: several targeted attacks with one main goal, to execute ransomware in the victim's network and encrypt as many resources as possible. In such cases, the payment demanded for decryption depends on the number of affected workstations and servers and on the victim type (small company or big market player). Very often, as a result of such attacks, the victim cannot use data from workstations and servers to continue normal operations because the ransomware used full disk encryption.
This leaves victim companies in a state of desperation, leading to demands for huge payments for decryption keys. We have encountered cases where the payment demand was more than half a million dollars! In that case, the threat actor used a vulnerability in one popular application server to infect a victim's network and then used several public tools to get the privileges necessary to install ransomware on all workstations and servers. As a result, more than 1000 workstations were encrypted.
Kaspersky Lab's Webinar 'Emerging Threats in the APT World: Predictions for 2..., by Kaspersky
For several years now, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been monitoring more than 60 threat actors responsible for cyber-attacks worldwide. By closely observing these organizations, which appear to be fluent in many languages, including Russian, Chinese, German, Spanish, Arabic and Persian, we have put together a list of what seem to be the emerging threats in the APT world. We think these will play an important role in 2015 and deserve special attention. As a participant of the webinar, you will be the first to hear our detailed analysis of the trends.
The webinar was hosted by Costin Raiu, Director of GReAT at Kaspersky Lab, on December 11.
"If we can call 2014 'sophisticated', then the word for 2015 will be 'elusive'. We believe that APT groups will evolve to become stealthier and sneakier, in order to better avoid exposure. This year we've already discovered APT players using several zero-days, and we've observed new persistence and stealth techniques. We have used this to develop and deploy several new defense mechanisms for our users," comments Costin Raiu.
Listen to the presentation https://kas.pr/aptwebinar
Read the full report https://kas.pr/ksb
We wanted to know what brings consumers to stores in the first place, what makes them likely to return, and what factors contribute to a positive or negative experience. We surveyed over 800 consumers and had hour-long conversations with 80 of them in order to understand what the future looks like for retail stores. This is what we found...
Retail & Digital Disruption - Intrigue, Immediacy and Frictionless, by Ryan Craver
Today's retail environment is changing at a speed with which most legacy retailers are unable to keep up. Topics include innovative tech like virtual reality/augmented reality that has yet to make a dent in massive marketplaces such as Alibaba, Amazon and Airbnb.
An insight into current trends affecting travel industry and a look at what's next.
Any questions, please get in touch via LinkedIn: www.linkedin.com/in/bjgill
We explore some recent examples of how e-retailers are doing the last thing their venture capitalist backers ever thought they’d want to do: laying down some good-old bricks and mortar.
The retail trend from clicks to bricks is becoming a common occurrence as online-only retailers discover that a physical presence and multiple channels of distribution can help to build volume and scale.
According to research by Verdict and British Land, in 2015 89% of retail sales 'touched' a physical store. The figure represents a 5% boost to in-store sales and demonstrates how different retail channels complement each other.
It’s a new era—welcome to the Control Shift. Exchanging data for utility, people are delegating an increasing amount of control over their lives to technology. Brands can capitalize on this societal change by positioning themselves as trusted partners and fostering consumer empowerment.
Frontier(less) Retail—an Innovation Group report created in partnership with WWD, the leading fashion, beauty and retail authority—reveals a retail landscape that has become borderless, blurred and amorphous.
Consumer expectations are becoming limitless—whether it’s instant delivery, intuitive commerce or compelling store experiences. Interfaces for retail are moving beyond the smartphone into our home environments, and the digital and physical worlds are blurring in new ways.
Book - Retail's Last Mile: Why Online Shopping Will Exceed Our Wildest Predic..., by Professor Muhammad Arshad
Jonathan's book, Retail's Last Mile, explains why the disruption of store retail by online shopping has only just begun and few retailers are ready for the changes ahead. Jonathan forecasts that last-mile innovations will see shopping online overtake shopping in stores within 20 years.
Learn more and order the book at Jonathan's website:
http://jonathanreeve.com.au/author
Every time you enter a retail store, your shopping experience has been extensively planned, from the items you see for sale to the layout and design of the store. Many times these decisions are made by someone working in retail operations, the area of retail concerned with the day-to-day functions of stores.
PSFK Future of Retail 2015 Report - Summary Presentation, by PSFK
Get your copy of The Future of Retail 2015: www.psfk.com/report/future-of-retail-2015
In the fifth volume of the Future of Retail report the PSFK Labs team explores the dynamic social, technological, and physical forces influencing consumer behavior and driving next-generation shopping experiences. With a refocus on the importance of the physical store, our analysis below includes 10 in-store strategies supported by over a dozen key trends that retailers can use to immediately begin redefining their retail experience.
The report looks at how, in order to stand out from the competition, retailers and brands must make the best use of their customers’ time and attention by designing multichannel experiences that strike a perfect balance between efficiency and enjoyment, relevance and surprise.
Featured within the 110 page report, readers can find:
- 10 strategies to redefine the store
- Over a dozen global trends changing retail
- 20 future store concepts
- Perspectives from leading shopper experts across the globe
If you are interested in seeing a presentation of this report or would like to understand how PSFK can help your team ideate new possibilities for your brand, contact us at sales@psfk.com
Vol. 5 | Published November 2014
All rights reserved. No parts of this publication may be reproduced without the written permission of PSFK Labs.
Even though e-commerce is driving quick sales growth, brick and mortar is still the major player in the retail industry. According to a survey by TimeTrade, 85% of consumers still prefer to shop in-store, and more than 20 online retailers have opened physical stores. It's time for retailers to rethink their omnichannel strategies with store transformation.
The Internet of Things is revolutionizing retail store operations. With connected devices and sensor data, retailers can receive real-time information from both the physical and digital worlds. They can use these insights to offer timely and personalized customer service, make better operational decisions, and secure merchandising and supply networks. Learn how IoT provides new opportunities and value for the retail business and start your IoT journey with The Honeywell Building Sense.
For more information, visit ibm.com/iot/retail
This presentation goes over core principles involved in launching secure web applications and effectively managing security in a cloud services environment.
Empowering Application Security Protection in the World of DevOps, by IBM Security
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx, by lior mazor
Our technology, work processes, and activities all depend on whether we can trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security into the development process, advanced DevSecOps methods, how to implement secure coding analysis, and how to manage software security risks.
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015, by Minded Security
Matteo Meucci gave a talk on software security in practice, describing the current scenario and the roadmap for enterprises to improve their maturity in the SDLC.
Securing your web apps before they hurt the organization
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
1. Looking Forward… and Beyond
Distinctiveness
Through Security Excellence
Ludovic Petit
Ludovic.Petit@owasp.org
Chapter Leader OWASP France
Global Connections Committee
2. About Me
Group Fraud & Information Security Advisor at the 2nd largest French Telecom Operator, with subsidiaries in Brazil and Morocco
– Working on Anti Fraud, Cybercrime, Technical Threat Intelligence, Law Enforcement and Security Futurology
– 20 years' experience in Security Management within the Telecommunications industry, following 10 years in Information Technology
Chapter Leader & Founder OWASP France
Global Connections Committee Member
10 years in Application Security, OWASPer since 2003
Contributor to various OWASP Projects
– Translator of the OWASP Top Ten in French (All versions)
– Application Security Guide For CISOs (Marco Morana)
– OWASP Mobile Security Project (Jack Mannino)
– OWASP Cloud Top10 Project (Vinay Bensal)
– OWASP Secure Coding Practices - Quick Reference Guide (Keith Turpin)
3. Why this presentation
We are living in a Digital environment, in a Connected World
Most websites are vulnerable to attacks
75% of Attacks at the Application Layer (Source: Gartner)
Important % of web-based Business (Services, Online Store, Self-care)
4. But also because…
The legal framework rules the technical means required to be compliant!
5. Agenda
• What OWASP is, and what it can bring
• OWASP Projects
• Talking Legal
o Evolutions of the legal framework
o Developers, Software makers held liable for code?
6. The True Story
The Open Web Application Security Project
OWASP:
Swarms of WASPS: Local Chapters
7. What is OWASP
Mission Driven
Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend
commercial products or services
8. What is OWASP
Community Driven
30,000 Mail List Participants
200 Active Chapters in 70 countries
1600+ Members, 56 Corporate Supporters
69 Academic Supporters
9. Around the World
200 Chapters, 1,600+ Members, 20,000+ Builders, Breakers and Defenders
10. What is OWASP
Quality Resources
200+ Projects
15,000+ downloads of tools, documentation
250,000+ unique visitors
800,000+ page views (monthly)
20. Enterprise Security API
Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org
Purpose: A free, open source, web application security control library
that makes it easier for programmers to write lower-risk applications
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
21. AntiSamy
Project Leader: Jason Li, jason.li@owasp.org
Purpose: An API for ensuring that user-supplied HTML/CSS complies with an
application's rules; it helps you make sure that clients don't supply
malicious code in the HTML they provide for their profile, comments, etc.,
that gets persisted on the server.
Last Release: 1.5 (3 Feb 2013)
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
22. Guides
Development Guide: comprehensive manual for designing, developing and
deploying secure Web Applications and Web Services
Code Review Guide: mechanics of reviewing code for certain vulnerabilities &
validation of proper security controls
Testing Guide: understand the what, why, when, where, and how of testing web
applications
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
23. Zed Attack Proxy
Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com
Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as
well as a set of tools that allow you to find security vulnerabilities
manually in web applications.
Last Release: ZAP 2.0.0 (30 Jan 2013)
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
24. AppSensor
Project Leader(s): Michael Coates, John Melton, Colin Watson
Purpose: Defines a conceptual framework and methodology that offers
prescriptive guidance to implement intrusion detection and automated
response into an existing application.
Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc)
Create attack aware applications
https://www.owasp.org/index.php/AppSensor
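To make the "attack aware application" idea concrete, here is an added Python illustration of the AppSensor concept (detection points inside the application, a sliding-window threshold per user, and escalating automated responses); it is not AppSensor's own code or API, and the detection point labels, thresholds and sample event stream are constructed for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class DetectionPoint:
    """Trips when `count` events arrive within `window` seconds; each trip
    applies the next rung of the escalating `responses` tuple."""
    point_id: str
    count: int
    window: float
    responses: tuple

# Constructed catalogue for this example (labels are not AppSensor's own IDs).
DETECTION_POINTS = {
    # five failed passwords for one account inside a minute
    "AUTH-FAIL": DetectionPoint("AUTH-FAIL", 5, 60.0, ("log", "warn", "lockout")),
    # a single request for a URL that was never shown to this user
    "HIDDEN-URL": DetectionPoint("HIDDEN-URL", 1, 1.0, ("logout", "lockout")),
}

class AppSensorEngine:
    """Collects events per (user, detection point), applies the sliding-window
    threshold and returns the response the application should enforce."""

    def __init__(self, points):
        self.points = points
        self._events = defaultdict(deque)  # (user, point_id) -> event timestamps
        self._trips = defaultdict(int)     # (user, point_id) -> times tripped
        self.responses = []                # audit trail of (user, point_id, action)
        self.locked_out = set()

    def report(self, user, point_id, now):
        """Record one event; return the action to take, or None if below threshold."""
        dp = self.points[point_id]
        key = (user, point_id)
        window = self._events[key]
        window.append(now)
        while window and now - window[0] > dp.window:  # forget events outside window
            window.popleft()
        if len(window) < dp.count:
            return None
        window.clear()                                 # count afresh after a trip
        rung = min(self._trips[key], len(dp.responses) - 1)
        self._trips[key] += 1
        action = dp.responses[rung]
        self.responses.append((user, point_id, action))
        if action == "lockout":
            self.locked_out.add(user)
        return action

def replay(events, points=DETECTION_POINTS):
    """Feed (timestamp, user, point_id) events into a fresh engine; return the engine."""
    engine = AppSensorEngine(points)
    for ts, user, point_id in events:
        if user not in engine.locked_out:  # locked-out users are rejected up front
            engine.report(user, point_id, ts)
    return engine

# Constructed sample stream: 'mallory' hammers a login, then probes a hidden URL; 'alice' fails twice, ten minutes apart.
SAMPLE_EVENTS = (
    [(float(i), "mallory", "AUTH-FAIL") for i in range(5)]    # 5 failures in 5 s -> log
    + [(10.0 + i, "mallory", "AUTH-FAIL") for i in range(5)]  # 5 more -> warn
    + [(30.0, "mallory", "HIDDEN-URL"), (31.0, "mallory", "HIDDEN-URL")]  # logout, lockout
    + [(0.0, "alice", "AUTH-FAIL"), (600.0, "alice", "AUTH-FAIL")]
)
```

Running `replay(SAMPLE_EVENTS).responses` yields the escalation log, warn, logout, lockout for mallory and nothing for alice, whose two failures fall outside the 60-second window.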
25. Cloud Top10 Project
Project Leader: Vinay Bansal, Vinaykbansal@gmail.com
Purpose: Develop and maintain a list of Top 10 Security Risks faced with
the Cloud Computing and SaaS Models. Serve as a Quick List of Top Risks
with Cloud adoption, and Provide Guidelines on Mitigating the Risks.
Deliverables
- Cloud Top 10 Security Risks (Draft expected for early 2013)
https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project
26. Cloud Top10 Security Risks
R1. Accountability & Data Risk
R2. User Identity Federation
R3. Legal & Regulatory Compliance
R4. Business Continuity & Resiliency
R5. User Privacy & Secondary Usage of Data
R6. Service & Data Integration
R7. Multi-tenancy & Physical Security
R8. Incidence Analysis & Forensics
R9. Infrastructure Security
R10. Non-production Environment Exposure
27. Mobile Security Project
Project Leader: Jack Mannino, Jack@nvisiumsecurity.com
Purpose: Establish an OWASP Top 10 Mobile Risks. Intended to be platform-
agnostic. Focused on areas of risk rather than individual vulnerabilities.
Deliverables
- Top 10 Mobile Risks (currently Release Candidate v1.0)
- Top 10 Mobile Controls (OWASP/ENISA Collaboration)
- OWASP Wiki, ‘Smartphone Secure Development Guidelines’ (ENISA)
- Mobile Cheat Sheet Series
- OWASP GoatDroid Project
- OWASP Mobile Threat Model Project
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
28. Top 10 Mobile Risks
M1. Insecure Data Storage
M2. Weak Server Side Controls
M3. Insufficient Transport Layer Protection
M4. Client Side Injection
M5. Poor Authorization and Authentication
M6. Improper Session Handling
M7. Security Decisions via Untrusted Inputs
M8. Side Channel Data Leakage
M9. Broken Cryptography
M10. Sensitive Information Disclosure
29. Threat Modeling Project
Project Leader: Anurag "Archie" Agarwal, anurag.agarwal@owasp.org
Purpose: Establish a single and inclusive software-centric OWASP Threat
modeling Methodology, addressing vulnerability in client and web
application-level services over the Internet.
Deliverables (1st Draft expected for end of 2012 / early 2013)
- An OWASP Threat Modeling methodology
- A glossary of threat modeling terms
https://www.owasp.org/index.php/OWASP_Threat_Modelling_Project
30. Projects Reboot 2012
Refresh, revitalize & update Projects, rewrite & complete Guides or Tools.
Initial Submissions
• OWASP Application Security Guide For CISOs - Selected for Reboot
• OWASP Development Guide - Selected for Reboot
• Zed Attack Proxy - Selected for Reboot
• OWASP WebGoat
• OWASP AppSensor
• OWASP Mobile Project - Selected for Reboot
• OWASP Portuguese Language Project
• OWASP_Application_Testing_guide_v4
• OWASP ESAPI
• OWASP Eliminate Vulnerable Code Project
• OWASP_Code_Review_Guide_Reboot
Projects selected via first round of review
1. OWASP Development Guide: Funding Amount: $5000 initial funding
2. OWASP CISO Guide: Funding Amount: $5000 initial funding
3. OWASP Zed Attack Proxy: Funding Amount: $5000 initial funding
4. OWASP Mobile Project: Funding Amount: $5000 initial funding
Ongoing discussions about the Code Review and the Testing Guides
https://www.owasp.org/index.php/Projects_Reboot_2012
31. Agenda
• What is OWASP, what we could bring
• Update - OWASP Projects
• Talking Legal
o Evolution of Legal framework
o Developers, Software makers held liable for code?
33. Do you…Legal? 1/2
In case of security breach, what’s going on from a Legal
perspective?
Who could be accountable for what?
Who should be accountable for what?
Who would be accountable for what?
In fact, who is accountable for what?...
34. Do you…Legal? 2/2
Although Legal and Information Security need to work better together, they aren’t, and this is damaging companies’ ability to manage risk.
Over 60% of General Counsel are dissatisfied with the way information risks are being addressed and with their involvement in information risk management.
Source: The Information Risk Executive Council (IREC)
35. Law Enforcement
Three commonly accepted criteria for the sensitivity of information:
Confidentiality: Confidentiality refers to limiting information access and disclosure to authorized users and preventing access by or disclosure to unauthorized ones.
Integrity: Integrity refers to the trustworthiness of information resources.
Availability: Availability refers, unsurprisingly, to the availability of information resources.
A fourth is also often used (under different names):
Traceability, Imputability, or Proof, i.e. Non-repudiation
36. Stakes of Security: Status
• The legal risk is a consequence of operational risk
• The business risk is in fact induced by the informational
risk
• Information Systems Security has four main objectives:
- Availability
- Data Integrity
- Confidentiality
- Non-repudiation
The risk assessment of information systems can make it possible
to reduce both business and legal risks
37. A Difficult Equation
[Diagram: Obligations of the Enterprise, Customer Requirements and Legal and Regulatory Requirements, with the Point of Balance between them]
Where is the ‘Border' between Customer Satisfaction and Interaction with the Authorities?
38. What’s at Stake?
… also for Software Makers
[Diagram: Technologies, Usages and Implementation, balancing Fraud against Security: find the Point of Balance]
Anticipate Security stakes and assist businesses in their efforts to maintain a balance.
40. The OWASP Secure Software
Contract Annex
Intended to help software developers and their clients negotiate important
contractual terms and conditions related to the security of the software to be
developed or delivered.
CONTEXT: Most contracts are silent on these issues, and the parties frequently
have dramatically different views on what has actually been agreed to.
OBJECTIVE: Clearly defining these terms is the best way to ensure that both
parties can make informed decisions about how to proceed.
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
42. State of California, USA
Data Breach
California was the first state in USA to enact such a law.
California Senate Bill No. 1386 became effective on 1st July 2003, amending
Civil Codes 1798.29, 1798.82 and 1798.84. It is a serious bill, with far reaching
implications.
Essentially, it requires an agency, person or business that conducts business in
California and owns or licenses computerized 'personal information' to
disclose any breach of security (to any resident whose unencrypted data is
believed to have been disclosed).
The statute imposes specific notification requirements on companies in
such circumstances.
The statute applies regardless of whether the computerized consumer
records are maintained in or outside California.
43. European Directive
2009/136/EC
DIRECTIVE 2009/136/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 25 November 2009
amending Directive 2002/22/EC on universal service and users’ rights relating to electronic
communications networks and services, Directive 2002/58/EC concerning the processing of
personal data and the protection of privacy in the electronic communications sector and
Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for
the enforcement of consumer protection laws.
Article 2 (2) (4) (c) adds a requirement to notify Security breaches to
“National Authority” and to those affected by this vulnerability, at
least if the flaw is “likely to affect negatively” their personal data
44. European Convention on
Cyber Crime
Came into force in July 2004
The Council of Europe adopted a Convention on Cyber Crime that
identified and defined internet crimes:
• Offenses against the Confidentiality, Integrity and Availability of
computers, data and systems (illegal access, illegal
interception, data interference, system interference, misuse of
devices)
• Computer-related Offenses (computer-related forgery, computer-
related Fraud)
• Content-related Offenses (offenses related to child pornography)
• Offenses related to infringements of copyright and related rights
45. Executive Management
Responsibility
All organisations need to be aware of the Convention’s provisions in
Article 12, Paragraph 2:
‘Ensure that a legal person can be held liable where the lack of
supervision or control by a natural person… has made possible the
commission of a criminal offence, established in accordance with this
Convention’.
In other words, Directors can be held responsible for offenses
committed by their organisation simply because they failed to
adequately exercise their duty of care.
46. European Convention on
Cyber Crime
The Organization of American States (OAS) and the Asia-Pacific
Economic Cooperation (APEC) have both committed themselves to
applying the European Convention on Cyber Crime.
70+ countries have enacted it.
http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp
http://www.oas.org/en/default.asp
http://www.apec.org/
48. What about France? 1/2
Reporting of violations of personal data to the CNIL
New obligation to notify security breaches or the integrity of
Networks and Services
Consequences in case of non-compliance with legal
obligations
The Commission Nationale de l’Informatique et des Libertés (CNIL) is responsible for ensuring
that information technology remains at the service of citizens, and does not jeopardize human
identity or breach human rights, privacy or individual or public liberties.
http://www.cnil.fr/english/the-cnil/
49. What about France? 2/2
Article 38 of the ordinance of 24 August 2011 (aka ‘Telecom Package’): the obligation
to notify security breaches
“In the event of a breach of personal data, the provider of publicly available electronic
communications services shall notify the Commission nationale de l'informatique et des
libertés without delay. Where this breach may affect the personal data or the privacy of a
subscriber or of another natural person, the provider shall also notify the person
concerned without delay.”
Penalties in case of breach of the duty to report under the jurisdiction of the
CNIL
• 150 K€, 300 K€ for repeat offenses
Brand Impact!
Possibility of publication of the CNIL’s decision
50. Computer-related Offenses
According to the French Penal Code
• Fraudulent access to, and remaining in, an Information
System (Art. 323-1 C. Pénal)
• Obstructing the functioning of an information system
(Art. 323-2 C. Pénal)
• Fraudulent introduction of data into an information
system (Art. 323-3 C. Pénal)
51. Computer Crimes
Legal risks in connection with the fraudulent use of Information
Systems:
Reminder: Any Commercial Web Application Service is part of an
Information System
Why: Because we are talking about Information Security, which
means… Legal Compliance!
52. Privacy & Information Security
The person responsible for the data processing (the data controller) is required to take
all useful precautions, having regard to the nature of the data and the risks presented by
the processing, to preserve the security of the data and, in particular, to prevent them
from being distorted or damaged, or accessed by unauthorized third parties.
(Article 34 of Law 78-17 of 6 January 1978 as amended - CNIL)
Article 226-17 of the Penal Code: Carrying out, or causing to be carried out, processing
of personal data without implementing the measures prescribed in Article 34 of the
aforementioned Law no. 78-17 of 6 January 1978 is punishable by five years'
imprisonment and a fine of 300,000 Euros.
53. What are these obligations?
Take all useful precautions
Having regard to the nature of the Data
And the risks presented by the Processing
To preserve data security and, in particular, prevent the data from being
- Modified
- Tampered with
- or accessed by unauthorized third parties
54. Privacy Security within
the Enterprise
The CEO is criminally responsible for the Data Processing
- France: Obligations under the law of 6 Jan 1978 (modified in 2004)
Criminal Risk in case of Delegation of Authority
… for each person part of the Chain!
What about the subcontracting?
Enterprise: Data owner = Accountable
Subcontractor: Data processor = Accountable
55. Proposed European Regulation on the
protection of personal data
Aim: harmonize the rules at EU level by using a Regulation, for greater
consistency of rules between actors and countries:
• Same framework for all players regardless of their location:
– The proposed regulation provides that EU rules apply to any
provider that handles data from an EU user
• Same framework throughout Europe:
– The choice of a Regulation, not a Directive, reduces the risk of
differences in interpretation between Member States (national
transposition not required).
• Same framework, whatever the activity of the controller
56. New obligations for those in charge of
the processing (data controllers)
• Privacy by design, impact analysis and documentation:
– Principles of “privacy by design” and "accountability": new
internal governance rules for companies to integrate the
protection of personal data in the design of the product /
service.
• Reporting of violations of personal data
57. Real Sanctions!
Art. 79 - Penalties: a fine of up to 2% of annual turnover
Administrative penalties may be up to 2% of total revenues, or 1,000,000 Euros
A 2% annual turnover fine would have meant
1.2 Billion dollars in 2008 for a company like Microsoft!
58. Issues for the Enterprise
& Consequences
All these acts can have serious consequences for the Company
• Financial Consequences
• Consequences on the Reputation
• Brand impact
• Criminal Consequences for the Executives
• Proceedings to the civil courts: Claims for damages by customers
59. Criminal Consequences
(France)
Article 226-17 of the Penal Code also covers the disclosure of
information… to the Spied!
• The Enterprise (i.e. the Spied) is responsible for the consequences caused to
third parties
• The people ‘accountable’ (IT, Security, or the CTO, even the CEO) can be
personally involved
Law ‘Godfrain’ - Penalty: 2 months to 5 years / 300 € to 300 K€
Protection of information / Negligence: 5 years / 300 K€
61. Don’t forget!
A Software Maker, a Developer, is recognized as a
subject-matter expert in its field.
As such, Software Makers and Developers
have a Duty to Advise
… including about Web Application Security.
62. Back to the Future 1/2
EC wants software makers held liable for code
After identifying gaps in EU consumer protection rules, the European
Commission is proposing that software makers give guarantees about the
security and efficiency of their code.
http://news.cnet.com/8301-1001_3-10237212-92.html
63. Back to the Future 2/2
Should developers be sued for security holes?
Dr Richard Clayton, security researcher at the University of Cambridge, is
arguing for regulations that remove the developer’s right to waive any
responsibility for security flaws in their software.
It’s an argument that has already won support from officials across Europe, with
a House of Lords committee (UK) recommending such a measure be
implemented in 2007 and European Commissioners arguing for the requirement
in 2009 - however agreements to this effect have not been passed.
http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i.pdf (see page 38, Vendor liability)
http://www.techrepublic.com/blog/european-technology/should-developers-be-sued-for-security-holes/1109
64. Here is the Question
Developers, Software makers held liable for code?
From a global point of view and in essence, YES.
From a Legal point of view: YES, you could.
• Depends on the circumstances
• Depends on the Contract
• Depends on any applicable License
• Depends on the Product
• Depends on the Customer (reputation, business, large account, etc.)
65. So, is your Software company concerned?
(Answers below from lawyers specialized in IT)
YES, you could also be held liable in case of Security Breach in a
Customer’s Information System, as well as the company
concerned.
66. The Knowledge is wealth,
Knowledge must flow
“If you think education is expensive,
you should try ignorance!”
Abraham Lincoln
67. Teamwork
TEAM stands for… Together Each Achieves More
You guys are welcome to attend our meetings
and have talks at OWASP.
The OWASP French Chapter welcomes you!
69. Agenda
• Update - OWASP Projects
• Evolution of the Legal Framework
Developers, Software makers held liable for code?
• Personal Data, Proposed European Regulation
• OWASP France Day
• OWASP Top Ten