Web Security
OWASP
OWASP (Open Web Application Security Project)
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
evolution in the safety and security of the world's software.
OWASP Top 10 vulnerabilities
OWASP maintains a list of the top ten web security vulnerabilities that cyber security experts should understand and defend against to maintain secure web services. The current version of the OWASP Top 10 was developed in 2013 and is currently undergoing revision, with a new release in 2017.
The Top 10 web security issues in 2013
1. Injection Attacks.
2. Broken Authentication and Session Management.
3. Cross-Site Scripting.
4. Insecure Direct Object References.
5. Security Misconfigurations.
6. Sensitive Data Exposure.
7. Missing Function Level Access Controls.
8. Cross-Site Request Forgery Attacks.
9. Using Components with Known Vulnerabilities.
10. Unvalidated Redirects and Forwards.
Injection Attacks
Injection flaws occur when an attacker is able to insert code into a request sent to a website and then trick that website into passing the code along to a back-end server where it is executed. The most common example of an injection attack is the SQL injection attack against databases.
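To make the distinction concrete, here is an added Python example (not from the presentation) built on an in-memory SQLite table: the first lookup splices the request value into the statement text, the second binds it as a parameter. The table, names and the tautology input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "staff"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn, name):
    # The request value is concatenated into the SQL text, so the database
    # parses whatever the user typed as part of the statement itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    # Bound parameter: the value travels separately from the statement, so it
    # can only ever be compared against the column, never interpreted as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def compare(name):
    """Run both lookups on the same input and return (vulnerable, safe)."""
    conn = make_db()
    return lookup_vulnerable(conn, name), lookup_safe(conn, name)


if __name__ == "__main__":
    # An ordinary name behaves identically in both versions...
    print(compare("alice"))
    # ...but a value that closes the quote and appends a tautology turns the
    # concatenated query into "WHERE name = 'x' OR '1'='1'", matching every
    # row, while the parameterized query simply finds no such user.
    print(compare("x' OR '1'='1"))
```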
Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
Cross-Site Scripting
Cross-Site Scripting is an attack where the attacker embeds scripts in third-party websites that may then execute in the browsers of victims.
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Insecure Direct Object References
Insecure Direct Object References occur when a developer exposes some details of how an underlying application functions and then doesn't perform proper security checks to prevent unauthorized use of the application.
Security Misconfigurations
Security Misconfigurations occur because web applications depend upon a large number of complex systems. These include web servers, application servers, database servers, firewalls, routers and other components.
Each one of these components has its own security settings, and an error anywhere in those settings could jeopardize the security of the entire system.
Sensitive Data Exposure
Sensitive Data Exposure occurs when an insecure web application accidentally exposes sensitive information to eavesdroppers. This may be as simple as accidentally placing a customer file on a publicly accessible portion of a website.
It may also occur when web server administrators fail to deploy HTTPS to encrypt information sent over the Internet.
Sensitive data deserves extra protection such as encryption at rest or in transit.
Missing Function Level Access Control
Missing Function Level Access Control occurs when developers fail to check on the back end whether a user is authorized to access a particular function of an application. Users with knowledge of the application may send requests directly to the server, bypassing the security controls that are built into the user interface.
Cross-Site Request Forgery
Cross-Site Request Forgery exploits the fact that users often have more than one website open at the same time: a page from one site can make the browser send a request to another site where the user is logged in, and the browser attaches that user's session to the request automatically.
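The usual defence follows from that mechanism, shown here as an added Python example that is not part of the presentation: the browser will attach the victim's session cookie to a request a foreign page triggers, but it cannot attach a token that the foreign page never saw, so the server issues a per-session token and refuses state-changing requests that do not carry it. Requests are modelled as plain dicts and the server key is generated for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed key for the demonstration; a real deployment loads it from a
# secrets store rather than generating it at import time.
SERVER_KEY = secrets.token_bytes(32)

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: a token lifted from another user's page
    will not verify for this one."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check_passes(request: dict, session_id: str) -> bool:
    """Decide whether `request` may change state on behalf of `session_id`.

    `request` is a constructed stand-in for a framework request object with
    the keys "method" and "form" (the submitted fields).
    """
    # Safe methods must never change state, so they are never accepted here.
    if request.get("method", "GET").upper() in SAFE_METHODS:
        return False
    token = request.get("form", {}).get("csrf_token", "")
    if not token:
        return False
    # Constant-time comparison so response timing does not leak how many
    # leading characters of a guessed token were right.
    return hmac.compare_digest(token, issue_csrf_token(session_id))


def demo():
    """Return the verdicts for (own form, forged cross-site form, other session's token)."""
    victim = "sess-victim"
    # A form rendered by this site for the victim embeds the victim's token.
    own_form = {"method": "POST",
                "form": {"amount": "10", "csrf_token": issue_csrf_token(victim)}}
    # A form on another site rides on the cookie-driven session but has no token.
    forged = {"method": "POST", "form": {"amount": "10"}}
    # A token minted for a different session does not verify either.
    other = {"method": "POST",
             "form": {"amount": "10", "csrf_token": issue_csrf_token("sess-other")}}
    return (csrf_check_passes(own_form, victim),
            csrf_check_passes(forged, victim),
            csrf_check_passes(other, victim))
```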
Using Components with Known Vulnerabilities
Web developers must be very cautious about the components that they use to build their applications, as many of these components have known vulnerabilities. If a web application is built using a vulnerable component, attackers may exploit that component to attack the application itself. Administrators must be sure to monitor their environment regularly and apply security patches to components as soon as they are available.
Unvalidated Redirects and Forwards
Unvalidated Redirects and Forwards occur when a website forwards visitors to other websites based on a destination carried in the organization's own URL. For example, a URL like this one might redirect users from the IRS site to a third-party website. Developers creating forwarding capabilities should ensure that any redirect destination appears on an approved list before allowing it to go through. Otherwise, an attacker could use URLs like this one to hide the real identity of a malicious site behind the domain name of a trusted organization.
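The approved-list check the slide calls for, as an added Python example (not from the presentation): the allowed hosts are constructed for the demonstration, and the function also handles the URL shapes that commonly slip past naive prefix checks (scheme-relative `//host`, backslashes, `user@host` credentials, look-alike subdomains, control characters and non-HTTP schemes).

```python
from urllib.parse import urlsplit

# Constructed allow-list of external hosts this site may forward to.
ALLOWED_HOSTS = {"www.example.org", "help.example.org"}
DEFAULT_TARGET = "/"


def safe_redirect_target(candidate, default=DEFAULT_TARGET):
    """Return `candidate` if it is a same-site path or points at an approved
    host; otherwise return `default`. Never returns an unapproved destination."""
    if not isinstance(candidate, str) or not candidate:
        return default
    # Tabs, newlines and other control characters have no place in a target
    # and are a classic way to smuggle a second URL past a filter.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return default
    # Browsers treat "\" as "/" in URLs, so "/\evil.example" is really
    # "//evil.example"; normalise before parsing so we judge what the browser sees.
    normalised = candidate.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: accept a single-slash path only. "//host" is
        # scheme-relative and would leave the site.
        if normalised.startswith("/") and not normalised.startswith("//"):
            return normalised
        return default
    if parts.scheme.lower() not in ("http", "https"):
        return default
    # Exact host match defeats "www.example.org.evil.example" and
    # "www.example.org@evil.example" (the latter parses as userinfo + host).
    host = (parts.hostname or "").lower()
    return normalised if host in ALLOWED_HOSTS else default
```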
Top 10 in 2017
1. Unvalidated Redirects and Forwards.
2. Missing Function Level Access Controls.
3. Cross-Site Request Forgery Attacks.
XML External Entity (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial of service attacks, such as the Billion Laughs attack.
Insecure Deserialization
Insecure deserialization flaws occur when an application receives hostile serialized objects. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, serialized objects can be replayed, tampered with or deleted to spoof users, conduct injection attacks, and elevate privileges.
Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.
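Turning the logging point into detection logic, as an added Python example that is not part of the presentation: the Insecure Direct Object Reference scenario from the speaker notes (an `AccountId` parameter stepped through 1442, 1443, 1444, ...) leaves a recognisable trace in access logs, and this script flags any session that references more than a threshold of distinct account identifiers inside a short window. The log format and every line in it are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed access-log excerpt: timestamp, session, method, path, status.
# Session abc12 walks consecutive AccountIds; zz987 is an ordinary user.
SAMPLE_LOG = """\
2017-05-01T10:00:01Z sess=abc12 GET /account?AccountId=1442 200
2017-05-01T10:00:02Z sess=abc12 GET /account?AccountId=1443 200
2017-05-01T10:00:03Z sess=abc12 GET /account?AccountId=1444 403
2017-05-01T10:00:04Z sess=abc12 GET /account?AccountId=1445 200
2017-05-01T10:00:05Z sess=abc12 GET /account?AccountId=1446 200
2017-05-01T10:02:00Z sess=zz987 GET /account?AccountId=2001 200
2017-05-01T10:07:00Z sess=zz987 POST /account?AccountId=2001 200
2017-05-01T10:09:00Z sess=zz987 GET /help 200
"""
LINE_RE = re.compile(r"^(\S+) sess=(\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sess, _method, path, status = m.groups()
    account = parse_qs(urlsplit(path).query).get("AccountId", [None])[0]
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "sess": sess, "status": int(status), "account": account}


def find_enumeration(log_text, max_accounts=3, window_seconds=60):
    """Flag sessions touching more than `max_accounts` distinct AccountIds
    within any `window_seconds` span: {session: {"accounts": [...], "denied": n}}."""
    per_session = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["account"] is not None:
            per_session[rec["sess"]].append(rec)
    flagged = {}
    for sess, recs in per_session.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # Advance the window start until it spans at most window_seconds.
            while (rec["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({r["account"] for r in recs[start:end + 1]}) > max_accounts:
                flagged[sess] = {"accounts": sorted({r["account"] for r in recs}),
                                 # 403s mixed into the walk strengthen the signal.
                                 "denied": sum(r["status"] == 403 for r in recs)}
                break
    return flagged
```

A 403 on one step shows the authorization check working for that account; the alert is that the same session kept walking identifiers, which a check alone never surfaces without logging and review.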
Thank you


Editor's Notes

  • #6 Cyber security consists of technologies, processes and measures that are designed to protect systems, networks and data from cyber crimes.
  • #14 For example, imagine a website URL like this one that has a user's account number embedded in the request. An attacker might try to simply change the account number to access a different account. If the web application doesn't check to make sure that the user is authorized to access that account, the attacker may gain unauthorized access. For example:
    https://www.company.com?AccountId=1442
    https://www.company.com?AccountId=1443
    https://www.company.com?AccountId=1444
    and so on.
  • #15 Example: an application server comes with sample apps that are not removed from your production server. These sample apps have known security flaws that attackers use to compromise your server.
  • #28 Sources:
    https://www.owasp.org/index.php/Top_10_2013-Top_10
    https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
    https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf