SlideShare a Scribd company logo
1 of 25
CLUSIR InfoNord
18 Décembre 2014
Lille
Sébastien Gioria
Sebastien.Gioria@owasp.org
Chapter Leader & Evangelist OWASP France
OWASP IoT Top10, the life and the universe
http://www.google.fr/#q=sebastien gioria
‣OWASP France Leader & Founder &
Evangelist,
‣OWASP ISO Project & OWASP SonarQube Project
Leader
‣Innovation and Technology @Advens &&
Application Security Expert
Twitter :@SPoint/@OWASP_France
‣Application Security group leader for the
CLUSIF
‣Proud father of youngs kids trying to hack my
digital life.
Agenda
• OWASP ?
• Why Internet of Things and OWASP
• IoT Risks and vulnerabilities for CISO
• OWASP IoT Top10
Open Web Application Security
Project
• OWASP Moto : “Making Application Security Visible”
• Born in 2001; when Web explode. “W” of Name is actually a big cannonball
for us
• An American Fondation (under 501(c)3 ) => in France a 1901 association
• Cited in a lot of standards :
– PCI-DSS
– NIST
– ANSSI guides,
– ....
• OWASP is everywhere : Tools, API, Documentation, Conferences, blog,
youtube, podcast, ....
5
Learn Contract
Testing
Design
MaturityCode
OWASP publications !
• Lot of Publications :
– Top10 Application Security Risk ; bestseller
– Testing Guide ; second bestseller
– OWASP Cheat Sheets !!!
– Application Security Verification Standard ; not the best
well known document
– OpenSAMM : improve your application security
– OWASP Secure Contract Annex
– OWASP Top10 for ... (mobile, cloud, privacy, ...)
• and many more....
OWASP Tools and API
• Lot of Tools / API
– OWASP Zed Attack Proxy ; replace WebScarab with a lot of
new functionalities
– OWASP ESAPI : API for securing your Software
– OWASP AppSensor ; a IDS/IPS in the heart of your software
– OWASP Cornucoppia ; application security play with cards
– OWASP Snake and ladder : play Top10
• and many more....
Thank you !
Why OWASP and IoT ?
• OWASP mission is to secure Application
• OWASP publications are note limited to Web :
Top10 Mobile, Top10 Cloud, Top10 Privacy
• IoT are actually under fire, so naturally OWASP
need to help IoT developers and other guys
IoT a revolution ? or an
evolution ?
• If you ask Tim Cook :
– This is a revolution !
• If you really look in depth, IoT are commons in our
life ;
– Vacuum cleaners Robots
– Cars,
– Drones,
– “Personal health” wristlet and watch
– TV, Home Security Systems, ....
This is not always the best response. Everybody know the best response is 42 !
IoT Impact in entreprises
• More and more assets
• More assets not “known” and not “secure”.
• More Legal problems
• and more leakage....
OWASP IoT Top10 2014
12
A1: Insecure Web
Interface
A2: Insufficient
Authentication/Auto
rization
A3: Insecure Network
Services
A4:Lack of Transport
Encryption
A5: Privacy Concern
A6 : Insecure Cloud
Interface
A8: Insecure Security
Configurability
A10: Poor Physical
Security
A7: Insecure Mobile
Interface
A9: Insecure Software
/ Firmware
A1: Insecure Web Interface
• Risk :
– Access from anywhere to the
object
• Solution :
– Pen / testing the Web Interface
– Redesigning the product
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A2: Insufficient Authentication /
Autorization
• Risk :
– Access from anywhere to the
object
– Leak of Data
• Solution :
– Sniffing the Network
– Manuel Testing
– Reviewing the password policy
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A3: Insecure Network Services
• Risk :
– Data Loss
– Denial of Service
• Solution :
– Manual PenTesting
– Fuzzing
– Network scanner
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
– Nmap / Nessus
A4:Lack of Transport Encryption
• Risk :
– Leak of Data
• Solution :
– Sniffing the Network
– Manuel Testing
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
– SSLScan
A5: Privacy Concern
• Risk :
– Leak of Data
• Solution :
– Manual Testing
– Review of the data collected
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A6 : Insecure Cloud Interface
• Risk :
– Leak of Data
• Solution :
– Manual Testing
– Review of the data collected
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A7: Insecure Mobile Interface
• Risk :
– Leak of Data
• Solution :
– Manual Testing
– Sniffing the network
– Review of the collected data
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A8: Insecure Security Configurability
• Risk :
– Leak of Data
– Access to the object
• Solution :
– Manual Testing
– Review of
configuration/documentation
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A9: Insecure Software / Firmware
• Risk :
– Leak of Data
– Controling the object/network
• Solution :
– Manual Testing
– Binary Analysis
– Sniffing the network
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A10: Poor Physical Security
• Risk :
– Compromising the data and
the object itself
• Solution :
– Manual Testing
– Insert USB/SD ....
• Tools :
– USB malware
Dates
• OWASP AppSec California 2015
– 26/29 January 2015 – Santa Monica
• OWASP London Cyber Security Week
– 26 / 30 January 2015 – London
• OWASP AppSec Europe 2015 :
– Amsterdam : 19/22 May 2015
23
Soutenir l’OWASP
• Différentes solutions :
– Membre Individuel : 50 $
– Membre Entreprise : 5000 $
– Donation Libre
• Soutenir uniquement le chapitre
France :
– Single Meeting supporter
• Nous offrir une salle de meeting !
• Participer par un talk ou autre !
• Donation simple
– Local Chapter supporter :
• 500 $ à 2000 $
24
License
25
@SPoint
sebastien.gioria@owasp.org

More Related Content

What's hot

Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
Software Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостями
OWASP Kyiv
 
Hacking liferay
Hacking liferayHacking liferay
Hacking liferay
Armel Nene
 

What's hot (20)

Matteo Meucci Isaca Venice - 2017
Matteo Meucci  Isaca Venice - 2017Matteo Meucci  Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017
 
The Shift to Rugged DevOps - Security in the pipeline
The Shift to Rugged DevOps - Security in the pipelineThe Shift to Rugged DevOps - Security in the pipeline
The Shift to Rugged DevOps - Security in the pipeline
 
HostedScan.com Hosted Vulnerability Security Scans Online - Free Forever
HostedScan.com Hosted Vulnerability Security Scans Online - Free ForeverHostedScan.com Hosted Vulnerability Security Scans Online - Free Forever
HostedScan.com Hosted Vulnerability Security Scans Online - Free Forever
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
 
Security On Rails
Security On RailsSecurity On Rails
Security On Rails
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017
 
OWASP overview 2017
OWASP overview 2017OWASP overview 2017
OWASP overview 2017
 
A day in the life of a pentester
A day in the life of a pentesterA day in the life of a pentester
A day in the life of a pentester
 
Guy Podjarmy - Secure Node Code
Guy Podjarmy - Secure Node CodeGuy Podjarmy - Secure Node Code
Guy Podjarmy - Secure Node Code
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
 
Découvrez le Rugged DevOps
Découvrez le Rugged DevOpsDécouvrez le Rugged DevOps
Découvrez le Rugged DevOps
 
Slides from IPv6 Threats
Slides from IPv6 ThreatsSlides from IPv6 Threats
Slides from IPv6 Threats
 
Software Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостями
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
 
Living with Determined Attackers MOSI Edition
Living with Determined Attackers MOSI EditionLiving with Determined Attackers MOSI Edition
Living with Determined Attackers MOSI Edition
 
Living with the threat of Determined Attackers - RANT0214
Living with the threat of Determined Attackers - RANT0214Living with the threat of Determined Attackers - RANT0214
Living with the threat of Determined Attackers - RANT0214
 
Hacking liferay
Hacking liferayHacking liferay
Hacking liferay
 
Add Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery PipelineAdd Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery Pipeline
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...
 
I've been hacked! So, now, what!?
I've been hacked! So, now, what!?I've been hacked! So, now, what!?
I've been hacked! So, now, what!?
 

Similar to OWASP Top10 IoT - CLUSIR Infornord Décembre 2014

Guy Alfassi - CSA Conference Highlights
Guy Alfassi -  CSA Conference HighlightsGuy Alfassi -  CSA Conference Highlights
Guy Alfassi - CSA Conference Highlights
CSAIsrael
 
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
G. Geshev
 
OWASP, the life and the universe
OWASP, the life and the universeOWASP, the life and the universe
OWASP, the life and the universe
Sébastien GIORIA
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
OWASP Russia
 
Chirita ionel owasp europe tour
Chirita ionel   owasp europe tourChirita ionel   owasp europe tour
Chirita ionel owasp europe tour
Chirita Ionel
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
sudip pudasaini
 

Similar to OWASP Top10 IoT - CLUSIR Infornord Décembre 2014 (20)

2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pj
 
La Sécurité des CMS ?
La Sécurité des CMS ? La Sécurité des CMS ?
La Sécurité des CMS ?
 
Do You... Legal?
Do You... Legal?Do You... Legal?
Do You... Legal?
 
OWASP
OWASPOWASP
OWASP
 
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
 
Guy Alfassi - CSA Conference Highlights
Guy Alfassi -  CSA Conference HighlightsGuy Alfassi -  CSA Conference Highlights
Guy Alfassi - CSA Conference Highlights
 
In that case, we have an OWASP Top 10 opportunity...
In that case, we have an OWASP Top 10 opportunity...In that case, we have an OWASP Top 10 opportunity...
In that case, we have an OWASP Top 10 opportunity...
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking Bad
 
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
 
SplunkLive! Stockholm 2015 - Klarna
SplunkLive! Stockholm 2015 - KlarnaSplunkLive! Stockholm 2015 - Klarna
SplunkLive! Stockholm 2015 - Klarna
 
OWASP Bulgaria
OWASP BulgariaOWASP Bulgaria
OWASP Bulgaria
 
OWASP, the life and the universe
OWASP, the life and the universeOWASP, the life and the universe
OWASP, the life and the universe
 
Security of internet
Security of internetSecurity of internet
Security of internet
 
Owasp Serbia overview
Owasp Serbia overviewOwasp Serbia overview
Owasp Serbia overview
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
 
Chirita ionel owasp europe tour
Chirita ionel   owasp europe tourChirita ionel   owasp europe tour
Chirita ionel owasp europe tour
 
RSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsRSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of Things
 
SCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERSCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVER
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 

More from Sébastien GIORIA

Owasp top 10 2010 Resist toulouse
Owasp top 10   2010  Resist toulouseOwasp top 10   2010  Resist toulouse
Owasp top 10 2010 Resist toulouse
Sébastien GIORIA
 
Présentation Top10 CEGID Lyon
Présentation Top10 CEGID LyonPrésentation Top10 CEGID Lyon
Présentation Top10 CEGID Lyon
Sébastien GIORIA
 
2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch
Sébastien GIORIA
 
2013 04-04-html5-security-v2
2013 04-04-html5-security-v22013 04-04-html5-security-v2
2013 04-04-html5-security-v2
Sébastien GIORIA
 
2013 03-01 automatiser les tests sécurité
2013 03-01 automatiser les tests sécurité2013 03-01 automatiser les tests sécurité
2013 03-01 automatiser les tests sécurité
Sébastien GIORIA
 
2013 02-27-owasp top10 javascript
 2013 02-27-owasp top10 javascript 2013 02-27-owasp top10 javascript
2013 02-27-owasp top10 javascript
Sébastien GIORIA
 

More from Sébastien GIORIA (20)

Analyser la sécurité de son code source avec SonarSource
Analyser la sécurité de son code source avec SonarSourceAnalyser la sécurité de son code source avec SonarSource
Analyser la sécurité de son code source avec SonarSource
 
2014 09-25-club-27001 iso 27034-presentation-v2.2
2014 09-25-club-27001 iso 27034-presentation-v2.22014 09-25-club-27001 iso 27034-presentation-v2.2
2014 09-25-club-27001 iso 27034-presentation-v2.2
 
SonarQube et la Sécurité
SonarQube et la SécuritéSonarQube et la Sécurité
SonarQube et la Sécurité
 
Owasp top 10 2010 Resist toulouse
Owasp top 10   2010  Resist toulouseOwasp top 10   2010  Resist toulouse
Owasp top 10 2010 Resist toulouse
 
Présentation Top10 CEGID Lyon
Présentation Top10 CEGID LyonPrésentation Top10 CEGID Lyon
Présentation Top10 CEGID Lyon
 
Présentation au CRI-Ouest
Présentation au CRI-OuestPrésentation au CRI-Ouest
Présentation au CRI-Ouest
 
2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch
 
OWASP Top10 2013 - Présentation aux RSSIA 2013
OWASP Top10 2013 - Présentation aux RSSIA 2013OWASP Top10 2013 - Présentation aux RSSIA 2013
OWASP Top10 2013 - Présentation aux RSSIA 2013
 
2013 04-04-html5-security-v2
2013 04-04-html5-security-v22013 04-04-html5-security-v2
2013 04-04-html5-security-v2
 
2013 02-12-owasp top10 mobile - attaques et solutions sur windows phone (sec309)
2013 02-12-owasp top10 mobile - attaques et solutions sur windows phone (sec309)2013 02-12-owasp top10 mobile - attaques et solutions sur windows phone (sec309)
2013 02-12-owasp top10 mobile - attaques et solutions sur windows phone (sec309)
 
2013 03-01 automatiser les tests sécurité
2013 03-01 automatiser les tests sécurité2013 03-01 automatiser les tests sécurité
2013 03-01 automatiser les tests sécurité
 
2013 02-27-owasp top10 javascript
 2013 02-27-owasp top10 javascript 2013 02-27-owasp top10 javascript
2013 02-27-owasp top10 javascript
 
Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for Java
 
2012 11-07-owasp mobile top10 v01
2012 11-07-owasp mobile top10 v012012 11-07-owasp mobile top10 v01
2012 11-07-owasp mobile top10 v01
 
2012 07-05-spn-sgi-v1-lite
2012 07-05-spn-sgi-v1-lite2012 07-05-spn-sgi-v1-lite
2012 07-05-spn-sgi-v1-lite
 
2012 03-02-sdl-sgi-v03
2012 03-02-sdl-sgi-v032012 03-02-sdl-sgi-v03
2012 03-02-sdl-sgi-v03
 
2012 03-01-ror security v01
2012 03-01-ror security v012012 03-01-ror security v01
2012 03-01-ror security v01
 
OWASP Mobile Top10 - Les 10 risques sur les mobiles
OWASP Mobile Top10 -  Les 10 risques sur les mobilesOWASP Mobile Top10 -  Les 10 risques sur les mobiles
OWASP Mobile Top10 - Les 10 risques sur les mobiles
 
2011 02-07-html5-security-v1
2011 02-07-html5-security-v12011 02-07-html5-security-v1
2011 02-07-html5-security-v1
 
2011 03-09-cloud sgi
2011 03-09-cloud sgi2011 03-09-cloud sgi
2011 03-09-cloud sgi
 

Recently uploaded

原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
AS
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
F
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
AS
 
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
mikehavy0
 
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
Fi
 
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
ZurliaSoop
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
A
 
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
Obat Cytotec
 
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
AS
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
c6eb683559b3
 
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
AS
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
SS
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 

Recently uploaded (20)

TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
 
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
 
(VIP) ℂall Girls Lucknow < Hire Me Sneha 📞8630512678 > Home Delivery For Full...
(VIP) ℂall Girls Lucknow < Hire Me Sneha 📞8630512678 > Home Delivery For Full...(VIP) ℂall Girls Lucknow < Hire Me Sneha 📞8630512678 > Home Delivery For Full...
(VIP) ℂall Girls Lucknow < Hire Me Sneha 📞8630512678 > Home Delivery For Full...
 
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
 
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
Jual obat aborsi Bekasi ( 085657271886 ) Cytote pil telat bulan penggugur kan...
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
 
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
 
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
原版定制(LBS毕业证书)英国伦敦商学院毕业证原件一模一样
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirt
 
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
 
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
一比一定制(Waikato毕业证书)新西兰怀卡托大学毕业证学位证书
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdf
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 

OWASP Top10 IoT - CLUSIR Infornord Décembre 2014

  • 1. CLUSIR InfoNord 18 Décembre 2014 Lille Sébastien Gioria Sebastien.Gioria@owasp.org Chapter Leader & Evangelist OWASP France OWASP IoT Top10, the life and the universe
  • 2. http://www.google.fr/#q=sebastien gioria ‣OWASP France Leader & Founder & Evangelist, ‣OWASP ISO Project & OWASP SonarQube Project Leader ‣Innovation and Technology @Advens && Application Security Expert Twitter :@SPoint/@OWASP_France ‣Application Security group leader for the CLUSIF ‣Proud father of youngs kids trying to hack my digital life.
  • 3. Agenda • OWASP ? • Why Internet of Things and OWASP • IoT Risks and vulnerabilities for CISO • OWASP IoT Top10
  • 4. Open Web Application Security Project • OWASP Moto : “Making Application Security Visible” • Born in 2001; when Web explode. “W” of Name is actually a big cannonball for us • An American Fondation (under 501(c)3 ) => in France a 1901 association • Cited in a lot of standards : – PCI-DSS – NIST – ANSSI guides, – .... • OWASP is everywhere : Tools, API, Documentation, Conferences, blog, youtube, podcast, ....
  • 6. OWASP publications ! • Lot of Publications : – Top10 Application Security Risk ; bestseller – Testing Guide ; second bestseller – OWASP Cheat Sheets !!! – Application Security Verification Standard ; not the best well known document – OpenSAMM : improve your application security – OWASP Secure Contract Annex – OWASP Top10 for ... (mobile, cloud, privacy, ...) • and many more....
  • 7. OWASP Tools and API • Lot of Tools / API – OWASP Zed Attack Proxy ; replace WebScarab with a lot of new functionalities – OWASP ESAPI : API for securing your Software – OWASP AppSensor ; a IDS/IPS in the heart of your software – OWASP Cornucoppia ; application security play with cards – OWASP Snake and ladder : play Top10 • and many more....
  • 9. Why OWASP and IoT ? • OWASP mission is to secure Application • OWASP publications are note limited to Web : Top10 Mobile, Top10 Cloud, Top10 Privacy • IoT are actually under fire, so naturally OWASP need to help IoT developers and other guys
  • 10. IoT a revolution ? or an evolution ? • If you ask Tim Cook : – This is a revolution ! • If you really look in depth, IoT are commons in our life ; – Vacuum cleaners Robots – Cars, – Drones, – “Personal health” wristlet and watch – TV, Home Security Systems, .... This is not always the best response. Everybody know the best response is 42 !
  • 11. IoT Impact in entreprises • More and more assets • More assets not “known” and not “secure”. • More Legal problems • and more leakage....
  • 12. OWASP IoT Top10 2014 12 A1: Insecure Web Interface A2: Insufficient Authentication/Auto rization A3: Insecure Network Services A4:Lack of Transport Encryption A5: Privacy Concern A6 : Insecure Cloud Interface A8: Insecure Security Configurability A10: Poor Physical Security A7: Insecure Mobile Interface A9: Insecure Software / Firmware
  • 13. A1: Insecure Web Interface • Risk : – Access from anywhere to the object • Solution : – Pen / testing the Web Interface – Redesigning the product • Tools : – OWASP Testing Guide v4.0 – OWASP Zap Proxy
  • 14. A2: Insufficient Authentication / Autorization • Risk : – Access from anywhere to the object – Leak of Data • Solution : – Sniffing the Network – Manuel Testing – Reviewing the password policy • Tools : – OWASP Testing Guide v4.0 – OWASP Zap Proxy
  • 15. A3: Insecure Network Services • Risk : – Data Loss – Denial of Service • Solution : – Manual PenTesting – Fuzzing – Network scanner • Tools : – OWASP Testing Guide v4.0 – OWASP Zap Proxy – Nmap / Nessus
  • 16. A4:Lack of Transport Encryption • Risk : – Leak of Data • Solution : – Sniffing the Network – Manuel Testing • Tools : – OWASP Testing Guide v4.0 – OWASP Zap Proxy – SSLScan
  • 17. A5: Privacy Concern • Risk : – Leak of Data • Solution : – Manual Testing – Review of the data collected • Tools : – OWASP Testing Guide v4.0 – OWASP Zap Proxy
  • 18. A6 : Insecure Cloud Interface • Risk : – Leak of Data • Solution : – Manual Testing – Review of the data collected • Tools : – OWASP Testing Guide v4.0 – OWASP Zap Proxy
  • 19. A7: Insecure Mobile Interface • Risk : – Leak of Data • Solution : – Manual Testing – Sniffing the network – Review of the collected data • Tools : – OWASP Testing Guide v4.0 – OWASP Zap Proxy
  • 20. A8: Insecure Security Configurability • Risk : – Leak of Data – Access to the object • Solution : – Manual Testing – Review of configuration/documentation • Tools : – OWASP Testing Guide v4.0 – OWASP Zap Proxy
  • 21. A9: Insecure Software / Firmware • Risk : – Leak of Data – Controling the object/network • Solution : – Manual Testing – Binary Analysis – Sniffing the network • Tools : – OWASP Testing Guide v4.0 – OWASP Zap Proxy
  • 22. A10: Poor Physical Security • Risk : – Compromising the data and the object itself • Solution : – Manual Testing – Insert USB/SD .... • Tools : – USB malware
  • 23. Dates • OWASP AppSec California 2015 – 26/29 January 2015 – Santa Monica • OWASP London Cyber Security Week – 26 / 30 January 2015 – London • OWASP AppSec Europe 2015 : – Amsterdam : 19/22 May 2015 23
  • 24. Soutenir l’OWASP • Différentes solutions : – Membre Individuel : 50 $ – Membre Entreprise : 5000 $ – Donation Libre • Soutenir uniquement le chapitre France : – Single Meeting supporter • Nous offrir une salle de meeting ! • Participer par un talk ou autre ! • Donation simple – Local Chapter supporter : • 500 $ à 2000 $ 24

Editor's Notes

  1. More than 140,000 internet-of-things devices, from routers to CCTV systems contain zero-day vulnerabilities, backdoors, hard coded crackable passwords and blurted private keys, according to the first large scale analysis of firmware in embedded devices. Four researchers from EURECOM France found the flaws when conducting a simple but systematic, automated, and large-scale analysis of 32,356 firmware images running on embedded systems within thousands of different devices.
  2. When OWASP talks about “security configurability” it is really talking about security features such as password policy enforcement, data encryption, and different levels of access. The good news is that most corporate environments now have an established security policy that tell you exactly what security controls your hardware and software need to have to be safely deployed in your environment. You probably also have the advantage of performing this type of analysis on dozens of things in your existing environment, usually from a remote interface. If there is one additional aspect you need to be aware of when evaluating smart IoT devices is that they are often based on traditional operating systems such as Microsoft Windows or Linux which themselves have multiple levels of user access, including full administrator or root permissions. Known “privilege escalation” attacks against these operating systems should be attempted if they are ever found on a target device.
  3. To test whether or not a device is using insecure updates, you generally need to use a proxy or sniffer to watch the data stream for use of secure transport. To examine the update itself, you can often use an attack proxy to divert the download or a simple URL (or utility) to download it to a desktop location for further inspection. For example, an online utility called “APK Downloader” lets you download and inspect Android installations and updates on any platform.