SlideShare a Scribd company logo

OWASP: Building Secure Web Apps

Download as PPT, PDF
M
mlogvinov

OWASP Bay Area Application Security Summit: Building Secure Web Applications in a Cloud Services Environment

1 of 25
Building Secure Web Applications In a Cloud Services Environment Misha Logvinov Alex Bello IronKey, Inc. July 1, 2010
Who are we? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Reality check ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Who gets attacked ,[object Object],[object Object],[object Object],[object Object],[object Object]
Who attacks ,[object Object],[object Object],[object Object],[object Object],[object Object]
Consequences ,[object Object],[object Object],[object Object],[object Object],[object Object]
How? ,[object Object],[object Object],[object Object]
Recent breaches December 2009 SQL injection vulnerability, no encryption of critical data, insufficient security monitoring, poor handling of disclosure Consequences PR nightmare Class-action lawsuit
Recent breaches April 2010 Insufficient security testing and monitoring Consequences PR nightmare
Recent breaches June 2010 Personally Identifiable Information was displayed without proper authentication, insufficient output monitoring, “great” exploit timing Consequences PR nightmare Security researcher gets arrested on drug charges
Why ,[object Object],[object Object],[object Object]
How to get started? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Doing things right in the long run ,[object Object],[object Object],[object Object]
Implement a formal security program ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Integrate security into SDLC ,[object Object],[object Object],[object Object],[object Object]
Threat matrix example
Integrate security into SDLC ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Integrate security into SDLC ,[object Object],[object Object],[object Object],[object Object]
Integrate security into SDLC ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Hardening ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Standards & checklists ,[object Object],[object Object],[object Object],[object Object]
Web app assessment initiatives ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Rules of thumb ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Conclusions ,[object Object],[object Object],[object Object],[object Object]
[object Object]

Recommended

Healthcare application-security-practices-survey-veracode
Healthcare application-security-practices-survey-veracodeHealthcare application-security-practices-survey-veracode
Healthcare application-security-practices-survey-veracodeVeracode
 
Veracode - Inglês
Veracode - InglêsVeracode - Inglês
Veracode - InglêsDeServ - Tecnologia e Servços
 
Web Application Security Testing Tools
Web Application Security Testing ToolsWeb Application Security Testing Tools
Web Application Security Testing ToolsEric Lai
 
Veracode - Overview
Veracode - OverviewVeracode - Overview
Veracode - OverviewStephen Durrant
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
Web application security measures
Web application security measuresWeb application security measures
Web application security measuresICT Frame Magazine Pvt. Ltd.
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Minded Security
 
The Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t IgnoreThe Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t IgnoreVeracode
 

Recommended

Healthcare application-security-practices-survey-veracode
Healthcare application-security-practices-survey-veracodeHealthcare application-security-practices-survey-veracode
Healthcare application-security-practices-survey-veracodeVeracode
 
Veracode - Inglês
Veracode - InglêsVeracode - Inglês
Veracode - InglêsDeServ - Tecnologia e Servços
 
Web Application Security Testing Tools
Web Application Security Testing ToolsWeb Application Security Testing Tools
Web Application Security Testing ToolsEric Lai
 
Veracode - Overview
Veracode - OverviewVeracode - Overview
Veracode - OverviewStephen Durrant
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
Web application security measures
Web application security measuresWeb application security measures
Web application security measuresICT Frame Magazine Pvt. Ltd.
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Minded Security
 
The Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t IgnoreThe Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t IgnoreVeracode
 
How automation can help boost security
How automation can help boost securityHow automation can help boost security
How automation can help boost securityTestingXperts
 
Strengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain VisibilityStrengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain VisibilitySonatype
 
Introduction to Application Security Testing
Introduction to Application Security TestingIntroduction to Application Security Testing
Introduction to Application Security TestingMohamed Ridha CHEBBI, CISSP
 
Mobile Security: Apps are our digital lives.
Mobile Security: Apps are our digital lives.Mobile Security: Apps are our digital lives.
Mobile Security: Apps are our digital lives.Veracode
 
Security testing
Security testingSecurity testing
Security testingMaheshwar Kanitkar
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web application7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web applicationTestingXperts
 
Positive Technologies Application Inspector
Positive Technologies Application InspectorPositive Technologies Application Inspector
Positive Technologies Application Inspectorqqlan
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project 99X Technology
 
Defense Innovation Summit
Defense Innovation SummitDefense Innovation Summit
Defense Innovation SummitOPSWAT
 
Application Security and the OWASP Top 10
Application Security and the OWASP Top 10Application Security and the OWASP Top 10
Application Security and the OWASP Top 10Diarmaid McGowan
 
Aliens in Your Apps!
Aliens in Your Apps!Aliens in Your Apps!
Aliens in Your Apps!All Things Open
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFixVirtual Forge
 
Microsoft Cloud App Security Demo
Microsoft Cloud App Security DemoMicrosoft Cloud App Security Demo
Microsoft Cloud App Security DemoCheah Eng Soon
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Jeff Williams
 
Fundamentals of testing
Fundamentals of testingFundamentals of testing
Fundamentals of testingseli purnianda
 
Ewrt1 a w15 class 12
Ewrt1 a w15 class 12Ewrt1 a w15 class 12
Ewrt1 a w15 class 12grendel8729
 
Curriculum andreea
Curriculum andreeaCurriculum andreea
Curriculum andreeaandreea_peke_90
 

More Related Content

What's hot

How automation can help boost security
How automation can help boost securityHow automation can help boost security
How automation can help boost securityTestingXperts
 
Strengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain VisibilityStrengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain VisibilitySonatype
 
Mobile Security: Apps are our digital lives.
Mobile Security: Apps are our digital lives.Mobile Security: Apps are our digital lives.
Mobile Security: Apps are our digital lives.Veracode
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web application7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web applicationTestingXperts
 
Positive Technologies Application Inspector
Positive Technologies Application InspectorPositive Technologies Application Inspector
Positive Technologies Application Inspectorqqlan
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project 99X Technology
 
Defense Innovation Summit
Defense Innovation SummitDefense Innovation Summit
Defense Innovation SummitOPSWAT
 
Application Security and the OWASP Top 10
Application Security and the OWASP Top 10Application Security and the OWASP Top 10
Application Security and the OWASP Top 10Diarmaid McGowan
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFixVirtual Forge
 
Microsoft Cloud App Security Demo
Microsoft Cloud App Security DemoMicrosoft Cloud App Security Demo
Microsoft Cloud App Security DemoCheah Eng Soon
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Jeff Williams
 
Fundamentals of testing
Fundamentals of testingFundamentals of testing
Fundamentals of testingseli purnianda
 

What's hot (20)

How automation can help boost security
How automation can help boost securityHow automation can help boost security
How automation can help boost security
 
Strengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain VisibilityStrengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain Visibility
 
Introduction to Application Security Testing
Introduction to Application Security TestingIntroduction to Application Security Testing
Introduction to Application Security Testing
 
Mobile Security: Apps are our digital lives.
Mobile Security: Apps are our digital lives.Mobile Security: Apps are our digital lives.
Mobile Security: Apps are our digital lives.
 
Security testing
Security testingSecurity testing
Security testing
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web application7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web application
 
Positive Technologies Application Inspector
Positive Technologies Application InspectorPositive Technologies Application Inspector
Positive Technologies Application Inspector
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project
 
Defense Innovation Summit
Defense Innovation SummitDefense Innovation Summit
Defense Innovation Summit
 
Application Security and the OWASP Top 10
Application Security and the OWASP Top 10Application Security and the OWASP Top 10
Application Security and the OWASP Top 10
 
Aliens in Your Apps!
Aliens in Your Apps!Aliens in Your Apps!
Aliens in Your Apps!
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
 
Microsoft Cloud App Security Demo
Microsoft Cloud App Security DemoMicrosoft Cloud App Security Demo
Microsoft Cloud App Security Demo
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
 
Fundamentals of testing
Fundamentals of testingFundamentals of testing
Fundamentals of testing
 

Viewers also liked

Ewrt1 a w15 class 12
Ewrt1 a w15 class 12Ewrt1 a w15 class 12
Ewrt1 a w15 class 12grendel8729
 
Portfólio Motion Graphics
Portfólio Motion GraphicsPortfólio Motion Graphics
Portfólio Motion GraphicsIzabela Trevas
 
Universidad Tecnológica de los Andes
Universidad Tecnológica de los AndesUniversidad Tecnológica de los Andes
Universidad Tecnológica de los AndesUtea Perú
 
Ktdigieco201211
Ktdigieco201211Ktdigieco201211
Ktdigieco201211deepersnet
 
Frases inventades 4rt
Frases inventades 4rtFrases inventades 4rt
Frases inventades 4rtAnneta Anna
 
Proyecto educativo entorno de la redes sociales cens 3465
Proyecto educativo entorno de la redes sociales cens 3465Proyecto educativo entorno de la redes sociales cens 3465
Proyecto educativo entorno de la redes sociales cens 3465Carlos Giusepponi
 
Business building strategies_with_dennis_franks_and_jim_winkler(1)
Business building strategies_with_dennis_franks_and_jim_winkler(1)Business building strategies_with_dennis_franks_and_jim_winkler(1)
Business building strategies_with_dennis_franks_and_jim_winkler(1)Yibing Shen
 
kopi miracle stamina para lelaki perkasa
kopi miracle stamina para lelaki perkasakopi miracle stamina para lelaki perkasa
kopi miracle stamina para lelaki perkasakopi miracle miracle
 
Proyecto Educativo Colegio Madrigal
Proyecto Educativo Colegio MadrigalProyecto Educativo Colegio Madrigal
Proyecto Educativo Colegio MadrigalMauricio Valenzuela
 
VisitEngland Domestic Trends 2020 Report introduced by Paul Flatters, Trajectory
VisitEngland Domestic Trends 2020 Report introduced by Paul Flatters, TrajectoryVisitEngland Domestic Trends 2020 Report introduced by Paul Flatters, Trajectory
VisitEngland Domestic Trends 2020 Report introduced by Paul Flatters, TrajectoryBruce Martin
 
Rio branco03 tcc e monografia r$300,00
Rio branco03 tcc e monografia r$300,00Rio branco03 tcc e monografia r$300,00
Rio branco03 tcc e monografia r$300,00Mario Luciano Marques
 
xRx15 vision wed_200_surgical_momentum
xRx15 vision wed_200_surgical_momentumxRx15 vision wed_200_surgical_momentum
xRx15 vision wed_200_surgical_momentumOPUNITE
 
Outdoortfrelease042215
Outdoortfrelease042215Outdoortfrelease042215
Outdoortfrelease042215lscmedia
 
Proyecto tecnologico1
Proyecto tecnologico1Proyecto tecnologico1
Proyecto tecnologico1luisa_Dorado1
 
Fraternitas jul 2012
Fraternitas jul 2012Fraternitas jul 2012
Fraternitas jul 2012scapolan
 

Viewers also liked (18)

Ewrt1 a w15 class 12
Ewrt1 a w15 class 12Ewrt1 a w15 class 12
Ewrt1 a w15 class 12
 
Curriculum andreea
Curriculum andreeaCurriculum andreea
Curriculum andreea
 
Portfólio Motion Graphics
Portfólio Motion GraphicsPortfólio Motion Graphics
Portfólio Motion Graphics
 
Universidad Tecnológica de los Andes
Universidad Tecnológica de los AndesUniversidad Tecnológica de los Andes
Universidad Tecnológica de los Andes
 
Ktdigieco201211
Ktdigieco201211Ktdigieco201211
Ktdigieco201211
 
Frases inventades 4rt
Frases inventades 4rtFrases inventades 4rt
Frases inventades 4rt
 
Proyecto educativo entorno de la redes sociales cens 3465
Proyecto educativo entorno de la redes sociales cens 3465Proyecto educativo entorno de la redes sociales cens 3465
Proyecto educativo entorno de la redes sociales cens 3465
 
Franz kafka tid ii
Franz kafka tid iiFranz kafka tid ii
Franz kafka tid ii
 
Business building strategies_with_dennis_franks_and_jim_winkler(1)
Business building strategies_with_dennis_franks_and_jim_winkler(1)Business building strategies_with_dennis_franks_and_jim_winkler(1)
Business building strategies_with_dennis_franks_and_jim_winkler(1)
 
kopi miracle stamina para lelaki perkasa
kopi miracle stamina para lelaki perkasakopi miracle stamina para lelaki perkasa
kopi miracle stamina para lelaki perkasa
 
Proyecto Educativo Colegio Madrigal
Proyecto Educativo Colegio MadrigalProyecto Educativo Colegio Madrigal
Proyecto Educativo Colegio Madrigal
 
VisitEngland Domestic Trends 2020 Report introduced by Paul Flatters, Trajectory
VisitEngland Domestic Trends 2020 Report introduced by Paul Flatters, TrajectoryVisitEngland Domestic Trends 2020 Report introduced by Paul Flatters, Trajectory
VisitEngland Domestic Trends 2020 Report introduced by Paul Flatters, Trajectory
 
Rio branco03 tcc e monografia r$300,00
Rio branco03 tcc e monografia r$300,00Rio branco03 tcc e monografia r$300,00
Rio branco03 tcc e monografia r$300,00
 
xRx15 vision wed_200_surgical_momentum
xRx15 vision wed_200_surgical_momentumxRx15 vision wed_200_surgical_momentum
xRx15 vision wed_200_surgical_momentum
 
Outdoortfrelease042215
Outdoortfrelease042215Outdoortfrelease042215
Outdoortfrelease042215
 
Rio Marataoan
Rio MarataoanRio Marataoan
Rio Marataoan
 
Proyecto tecnologico1
Proyecto tecnologico1Proyecto tecnologico1
Proyecto tecnologico1
 
Fraternitas jul 2012
Fraternitas jul 2012Fraternitas jul 2012
Fraternitas jul 2012
 

Similar to OWASP: Building Secure Web Apps

OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applicationsalexbe
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩baoyin
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application SecuritySaadSaif6
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfNathanDjami
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsCognizant
 
Unified application security analyser
Unified application security analyserUnified application security analyser
Unified application security analyserTim Youm
 
Top 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfTop 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfSolviosTechnology
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...Neil Matatall
 
Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51martinvoelk
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxlior mazor
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
Boosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk ImperativeBoosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk ImperativeNational Retail Federation
 
Best of Both Worlds: Correlating Static and Dynamic Analysis Results
Best of Both Worlds: Correlating Static and Dynamic Analysis ResultsBest of Both Worlds: Correlating Static and Dynamic Analysis Results
Best of Both Worlds: Correlating Static and Dynamic Analysis ResultsJeremiah Grossman
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Website Security Statistics Report 2013
Website Security Statistics Report 2013Website Security Statistics Report 2013
Website Security Statistics Report 2013Bee_Ware
 

Similar to OWASP: Building Secure Web Apps (20)

OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application Security
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
 
Unified application security analyser
Unified application security analyserUnified application security analyser
Unified application security analyser
 
Top 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfTop 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdf
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product Overview
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Boosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk ImperativeBoosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk Imperative
 
Best of Both Worlds: Correlating Static and Dynamic Analysis Results
Best of Both Worlds: Correlating Static and Dynamic Analysis ResultsBest of Both Worlds: Correlating Static and Dynamic Analysis Results
Best of Both Worlds: Correlating Static and Dynamic Analysis Results
 
Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Website Security Statistics Report 2013
Website Security Statistics Report 2013Website Security Statistics Report 2013
Website Security Statistics Report 2013
 

OWASP: Building Secure Web Apps

  • 1. Building Secure Web Applications In a Cloud Services Environment Misha Logvinov Alex Bello IronKey, Inc. July 1, 2010
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8. Recent breaches December 2009 SQL injection vulnerability, no encryption of critical data, insufficient security monitoring, poor handling of disclosure Consequences PR nightmare Class-action lawsuit
  • 9. Recent breaches April 2010 Insufficient security testing and monitoring Consequences PR nightmare
  • 10. Recent breaches June 2010 Personally Identifiable Information was displayed without proper authentication, insufficient output monitoring, “great” exploit timing Consequences PR nightmare Security researcher gets arrested on drug charges
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.

Editor's Notes

  1. There are fewer attacks on the network layer. Based on our experience from talking with various IDS/IPS vendors, there is a growing need for hybrid web app security solutions that cover both network and app layers According to a recent VeriSign research, average price for renting a botnet is only $9 per hour
  2. Who knows how many successful attacks will never be known
  3. Security framework: Most of the existing framework methodologies are still getting worked on and improved, good examples to follow would be BSIMM and OWASP SAMM Incident response: Create a cross-functional body for reporting and managing security events (e.g. SIRT)
  4. Threat model: entry & exit points of the app, threat scenarios, dataflow
  5. Manual testing compliments automated testing. Detect logic flaws through manual testing since they are not easily detected by automated testing. Choose automated tools that work best with your application technology
  6. Validating input/output: Do not trust your own requests (CSRF and click jacking)
  7. From Alex’s SANS preso: Invest in security training and certification Integrate security into SDLC in phases Never trust input, validate all input/output Strong encryption of sensitive data and key management Strong access controls and hardening Stay on top of vulnerabilities and keep your networks, servers, applications up to date