CLUSIR InfoNord
18 Décembre 2014
Lille
Sébastien Gioria
Sebastien.Gioria@owasp.org
Chapter Leader & Evangelist OWASP France
OWASP IoT Top10, the life and the universe
http://www.google.fr/#q=sebastien gioria
‣ OWASP France Leader & Founder & Evangelist
‣ OWASP ISO Project & OWASP SonarQube Project Leader
‣ Innovation and Technology @Advens && Application Security Expert
Twitter : @SPoint / @OWASP_France
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life.
Agenda
• OWASP ?
• Why Internet of Things and OWASP
• IoT Risks and vulnerabilities for CISO
• OWASP IoT Top10
Open Web Application Security Project
• OWASP motto : “Making Application Security Visible”
• Born in 2001, when the Web exploded. The “W” in the name is actually a ball and chain for us
• An American foundation (under 501(c)3) => in France, a 1901-law association
• Cited in a lot of standards :
– PCI-DSS
– NIST
– ANSSI guides,
– ....
• OWASP is everywhere : tools, APIs, documentation, conferences, blog, YouTube, podcast, ....
Slide 5 (diagram) : OWASP project areas : Learn, Contract, Testing, Design, Maturity, Code
OWASP publications !
• Lots of publications :
– Top10 Application Security Risks ; bestseller
– Testing Guide ; second bestseller
– OWASP Cheat Sheets !!!
– Application Security Verification Standard ; not the best-known document
– OpenSAMM : improve your application security
– OWASP Secure Contract Annex
– OWASP Top10 for ... (mobile, cloud, privacy, ...)
• and many more....
OWASP Tools and API
• Lots of tools / APIs :
– OWASP Zed Attack Proxy ; replaces WebScarab with a lot of new functionality
– OWASP ESAPI : API for securing your software
– OWASP AppSensor ; an IDS/IPS in the heart of your software
– OWASP Cornucopia ; application security played with cards
– OWASP Snakes and Ladders : play the Top10
• and many more....
Thank you !
Why OWASP and IoT ?
• OWASP's mission is to secure applications
• OWASP publications are not limited to the Web : Top10 Mobile, Top10 Cloud, Top10 Privacy
• IoT is currently under fire, so naturally OWASP needs to help IoT developers and other people
IoT : a revolution ? or an evolution ?
• If you ask Tim Cook :
– This is a revolution !
• If you really look in depth, IoT is already common in our lives :
– Robot vacuum cleaners
– Cars,
– Drones,
– “Personal health” wristbands and watches
– TVs, home security systems, ....
This is not always the best response. Everybody knows the best response is 42 !
IoT impact in enterprises
• More and more assets
• More assets not “known” and not “secure”
• More legal problems
• and more leakage....
OWASP IoT Top10 2014
• A1: Insecure Web Interface
• A2: Insufficient Authentication/Authorization
• A3: Insecure Network Services
• A4: Lack of Transport Encryption
• A5: Privacy Concern
• A6: Insecure Cloud Interface
• A7: Insecure Mobile Interface
• A8: Insecure Security Configurability
• A9: Insecure Software / Firmware
• A10: Poor Physical Security
A1: Insecure Web Interface
• Risk :
– Access from anywhere to the object
• Solution :
– Pen-testing the Web Interface
– Redesigning the product
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A2: Insufficient Authentication / Authorization
• Risk :
– Access from anywhere to the object
– Leak of Data
• Solution :
– Sniffing the Network
– Manual Testing
– Reviewing the password policy
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A3: Insecure Network Services
• Risk :
– Data Loss
– Denial of Service
• Solution :
– Manual PenTesting
– Fuzzing
– Network scanner
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
– Nmap / Nessus
A4: Lack of Transport Encryption
• Risk :
– Leak of Data
• Solution :
– Sniffing the Network
– Manual Testing
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
– SSLScan
A5: Privacy Concern
• Risk :
– Leak of Data
• Solution :
– Manual Testing
– Review of the data collected
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A6: Insecure Cloud Interface
• Risk :
– Leak of Data
• Solution :
– Manual Testing
– Review of the data collected
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A7: Insecure Mobile Interface
• Risk :
– Leak of Data
• Solution :
– Manual Testing
– Sniffing the network
– Review of the collected data
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A8: Insecure Security Configurability
• Risk :
– Leak of Data
– Access to the object
• Solution :
– Manual Testing
– Review of configuration/documentation
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A9: Insecure Software / Firmware
• Risk :
– Leak of Data
– Controlling the object/network
• Solution :
– Manual Testing
– Binary Analysis
– Sniffing the network
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
A10: Poor Physical Security
• Risk :
– Compromising the data and the object itself
• Solution :
– Manual Testing
– Insert USB/SD ....
• Tools :
– USB malware
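The “review of configuration/documentation” step recurs across the ten categories above. As an added example (not from the slides or from OWASP), here is a Python script that reviews a constructed device configuration export and maps every weak setting to its A1..A10 category, with the same device shown in a hardened form; the configuration layout and field names are assumptions for illustration.

```python
import json
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample (not a real product): a device configuration export with the
# kind of weak settings the slides point at (plain HTTP, weak passwords, telnet, ...).
WEAK_CONFIG = json.loads("""{
  "web_interface": {"https_only": false, "default_credentials": true},
  "auth": {"min_password_length": 4, "lockout_after_failures": 0},
  "network_services": {"telnet": true, "upnp": true},
  "transport": {"tls_min_version": "1.0", "verify_server_cert": false},
  "privacy": {"collected": ["heart_rate", "location", "contacts"],
              "declared_purpose": {"heart_rate": "health tracking"}},
  "cloud_api": {"endpoint": "http://api.example.invalid/v1", "api_key_in_url": true},
  "mobile_app": {"stores_credentials_plaintext": true},
  "security_options": {"user_can_change_password": false},
  "firmware": {"signed_updates": false, "update_url": "http://fw.example.invalid/fw.bin"},
  "physical": {"usb_debug_enabled": true}
}""")

# Constructed sample: the same device after the review, with every finding addressed.
HARDENED_CONFIG = json.loads("""{
  "web_interface": {"https_only": true, "default_credentials": false},
  "auth": {"min_password_length": 12, "lockout_after_failures": 5},
  "network_services": {"telnet": false, "upnp": false},
  "transport": {"tls_min_version": "1.2", "verify_server_cert": true},
  "privacy": {"collected": ["heart_rate"], "declared_purpose": {"heart_rate": "health tracking"}},
  "cloud_api": {"endpoint": "https://api.example.invalid/v1", "api_key_in_url": false},
  "mobile_app": {"stores_credentials_plaintext": false},
  "security_options": {"user_can_change_password": true},
  "firmware": {"signed_updates": true, "update_url": "https://fw.example.invalid/fw.bin"},
  "physical": {"usb_debug_enabled": false}
}""")


def tls_tuple(version) -> tuple:
    """'1.2' -> (1, 2); a missing or unparsable value is treated as the weakest."""
    try:
        major, minor = str(version).split(".")
        return (int(major), int(minor))
    except ValueError:
        return (0, 0)


def review(cfg: dict) -> Dict[str, List[str]]:
    """Return findings keyed by OWASP IoT Top10 category; an empty dict means nothing flagged."""
    findings: Dict[str, List[str]] = {}

    def flag(cat: str, msg: str) -> None:
        findings.setdefault(cat, []).append(msg)

    def sec(name: str) -> dict:
        return cfg.get(name, {})

    # A1 / A2: the web interface and the credentials protecting it
    if not sec("web_interface").get("https_only"):
        flag("A1", "web interface reachable over plain HTTP")
    if sec("web_interface").get("default_credentials"):
        flag("A1", "default credentials still active")
    if sec("auth").get("min_password_length", 0) < 8:
        flag("A2", "minimum password length below 8")
    if not sec("auth").get("lockout_after_failures"):
        flag("A2", "no lockout after repeated failed logins")
    # A3: services that have no business listening on a consumer device
    for svc in ("telnet", "upnp"):
        if sec("network_services").get(svc):
            flag("A3", f"{svc} service enabled")
    # A4: transport encryption between device, app and cloud
    if tls_tuple(sec("transport").get("tls_min_version")) < (1, 2):
        flag("A4", "TLS minimum version below 1.2")
    if not sec("transport").get("verify_server_cert"):
        flag("A4", "server certificate verification disabled")
    # A5: every collected data field needs a declared purpose
    for field in sec("privacy").get("collected", []):
        if field not in sec("privacy").get("declared_purpose", {}):
            flag("A5", f"'{field}' collected without a declared purpose")
    # A6 / A7: the cloud and mobile sides of the product
    if urlparse(sec("cloud_api").get("endpoint", "")).scheme != "https":
        flag("A6", "cloud endpoint is not HTTPS")
    if sec("cloud_api").get("api_key_in_url"):
        flag("A6", "API key passed in the URL (ends up in logs and proxies)")
    if sec("mobile_app").get("stores_credentials_plaintext"):
        flag("A7", "mobile app stores credentials in clear text")
    # A8: what the owner is allowed to harden
    if not sec("security_options").get("user_can_change_password"):
        flag("A8", "owner cannot change the password")
    # A9 / A10: update path and physical exposure
    if not sec("firmware").get("signed_updates"):
        flag("A9", "firmware updates are not signature-checked")
    if urlparse(sec("firmware").get("update_url", "")).scheme != "https":
        flag("A9", "firmware fetched over an unencrypted channel")
    if sec("physical").get("usb_debug_enabled"):
        flag("A10", "USB debug access left enabled")
    return findings


if __name__ == "__main__":
    for cat, msgs in sorted(review(WEAK_CONFIG).items()):
        print(cat, "->", "; ".join(msgs))
    print("hardened:", review(HARDENED_CONFIG) or "no findings")
```

Running the script lists one or more findings under every category for the weak export and none for the hardened one; the thresholds (password length 8, TLS 1.2) are the reviewer's choices, not values from the slides.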
Dates
• OWASP AppSec California 2015
– 26/29 January 2015 – Santa Monica
• OWASP London Cyber Security Week
– 26 / 30 January 2015 – London
• OWASP AppSec Europe 2015 :
– Amsterdam : 19/22 May 2015
Support OWASP
• Different options :
– Individual member : 50 $
– Corporate member : 5000 $
– Free donation
• Support only the France chapter :
– Single Meeting supporter
• Offer us a meeting room !
• Take part with a talk or otherwise !
• Simple donation
– Local Chapter supporter :
• 500 $ to 2000 $
License
@SPoint
sebastien.gioria@owasp.org
OWASP Top10 IoT - CLUSIR Infornord Décembre 2014

  • 1. CLUSIR InfoNord 18 Décembre 2014 Lille Sébastien Gioria Sebastien.Gioria@owasp.org Chapter Leader & Evangelist OWASP France OWASP IoT Top10, the life and the universe
  • 2. http://www.google.fr/#q=sebastien gioria ‣OWASP France Leader & Founder & Evangelist, ‣OWASP ISO Project & OWASP SonarQube Project Leader ‣Innovation and Technology @Advens && Application Security Expert Twitter :@SPoint/@OWASP_France ‣Application Security group leader for the CLUSIF ‣Proud father of youngs kids trying to hack my digital life.
  • 3. Agenda • OWASP ? • Why Internet of Things and OWASP • IoT Risks and vulnerabilities for CISO • OWASP IoT Top10
  • 4. Open Web Application Security Project • OWASP Moto : “Making Application Security Visible” • Born in 2001; when Web explode. “W” of Name is actually a big cannonball for us • An American Fondation (under 501(c)3 ) => in France a 1901 association • Cited in a lot of standards : – PCI-DSS – NIST – ANSSI guides, – .... • OWASP is everywhere : Tools, API, Documentation, Conferences, blog, youtube, podcast, ....
  • 6. OWASP publications ! • Lot of Publications : – Top10 Application Security Risk ; bestseller – Testing Guide ; second bestseller – OWASP Cheat Sheets !!! – Application Security Verification Standard ; not the best well known document – OpenSAMM : improve your application security – OWASP Secure Contract Annex – OWASP Top10 for ... (mobile, cloud, privacy, ...) • and many more....
  • 7. OWASP Tools and API • Lot of Tools / API – OWASP Zed Attack Proxy ; replace WebScarab with a lot of new functionalities – OWASP ESAPI : API for securing your Software – OWASP AppSensor ; a IDS/IPS in the heart of your software – OWASP Cornucoppia ; application security play with cards – OWASP Snake and ladder : play Top10 • and many more....
Why OWASP and IoT ?
• OWASP mission is to secure Application
• OWASP publications are not limited to Web : Top10 Mobile, Top10 Cloud, Top10 Privacy
• IoT are actually under fire, so naturally OWASP needs to help IoT developers and other guys

IoT a revolution ? or an evolution ?
• If you ask Tim Cook :
– This is a revolution !
• If you really look in depth, IoT are common in our life :
– Vacuum cleaner robots
– Cars,
– Drones,
– “Personal health” wristlets and watches
– TV, Home Security Systems, ....
This is not always the best response. Everybody knows the best response is 42 !

IoT Impact in enterprises
• More and more assets
• More assets not “known” and not “secure”.
• More legal problems
• and more leakage....

OWASP IoT Top10 2014
A1: Insecure Web Interface
A2: Insufficient Authentication/Authorization
A3: Insecure Network Services
A4: Lack of Transport Encryption
A5: Privacy Concern
A6: Insecure Cloud Interface
A7: Insecure Mobile Interface
A8: Insecure Security Configurability
A9: Insecure Software / Firmware
A10: Poor Physical Security

A1: Insecure Web Interface
• Risk :
– Access from anywhere to the object
• Solution :
– Pen testing the Web Interface
– Redesigning the product
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy

A2: Insufficient Authentication / Authorization
• Risk :
– Access from anywhere to the object
– Leak of Data
• Solution :
– Sniffing the Network
– Manual Testing
– Reviewing the password policy
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy

A3: Insecure Network Services
• Risk :
– Data Loss
– Denial of Service
• Solution :
– Manual PenTesting
– Fuzzing
– Network scanner
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
– Nmap / Nessus

A4: Lack of Transport Encryption
• Risk :
– Leak of Data
• Solution :
– Sniffing the Network
– Manual Testing
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy
– SSLScan

A5: Privacy Concern
• Risk :
– Leak of Data
• Solution :
– Manual Testing
– Review of the data collected
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy

A6: Insecure Cloud Interface
• Risk :
– Leak of Data
• Solution :
– Manual Testing
– Review of the data collected
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy

A7: Insecure Mobile Interface
• Risk :
– Leak of Data
• Solution :
– Manual Testing
– Sniffing the network
– Review of the collected data
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy

A8: Insecure Security Configurability
• Risk :
– Leak of Data
– Access to the object
• Solution :
– Manual Testing
– Review of configuration/documentation
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy

A9: Insecure Software / Firmware
• Risk :
– Leak of Data
– Controlling the object/network
• Solution :
– Manual Testing
– Binary Analysis
– Sniffing the network
• Tools :
– OWASP Testing Guide v4.0
– OWASP Zap Proxy

A10: Poor Physical Security
• Risk :
– Compromising the data and the object itself
• Solution :
– Manual Testing
– Insert USB/SD ....
• Tools :
– USB malware

Dates
• OWASP AppSec California 2015
– 26/29 January 2015
– Santa Monica
• OWASP London Cyber Security Week
– 26 / 30 January 2015
– London
• OWASP AppSec Europe 2015 :
– Amsterdam : 19/22 May 2015

Supporting OWASP
• Different options :
– Individual Member : 50 $
– Corporate Member : 5000 $
– Free donation
• Supporting only the France chapter :
– Single Meeting supporter
• Offer us a meeting room !
• Take part with a talk or something else !
• Simple donation
– Local Chapter supporter :
• 500 $ to 2000 $

Editor's Notes

  1. More than 140,000 internet-of-things devices, from routers to CCTV systems, contain zero-day vulnerabilities, backdoors, hard-coded crackable passwords and blurted private keys, according to the first large-scale analysis of firmware in embedded devices. Four researchers from EURECOM France found the flaws when conducting a simple but systematic, automated, and large-scale analysis of 32,356 firmware images running on embedded systems within thousands of different devices.
  2. When OWASP talks about “security configurability” it is really talking about security features such as password policy enforcement, data encryption, and different levels of access. The good news is that most corporate environments now have an established security policy that tells you exactly what security controls your hardware and software need to have to be safely deployed in your environment. You probably also have the advantage of performing this type of analysis on dozens of things in your existing environment, usually from a remote interface. One additional aspect you need to be aware of when evaluating smart IoT devices is that they are often based on traditional operating systems such as Microsoft Windows or Linux, which themselves have multiple levels of user access, including full administrator or root permissions. Known “privilege escalation” attacks against these operating systems should be attempted if they are ever found on a target device.
  3. To test whether or not a device is using insecure updates, you generally need to use a proxy or sniffer to watch the data stream for use of secure transport. To examine the update itself, you can often use an attack proxy to divert the download, or a simple URL (or utility) to download it to a desktop location for further inspection. For example, an online utility called “APK Downloader” lets you download and inspect Android installations and updates on any platform.
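Note 3 and the A4 / A9 slides describe watching a device's traffic from a proxy or sniffer for cleartext transport and cleartext firmware downloads. The script below is an added example (not part of the deck or of OWASP ZAP) that triages a constructed proxy capture into those Top10 categories; the log format, hostnames and paths are made up for the example.

```python
"""Triage a constructed proxy capture of IoT device traffic into OWASP IoT
Top10 2014 categories A4 (Lack of Transport Encryption) and A9 (Insecure
Software/Firmware).  Added example; the capture format, hosts and paths are
constructed and only stand in for what an intercepting proxy would record.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed capture: one request per line as "METHOD URL".
SAMPLE_CAPTURE = """\
GET http://updates.example-iot.test/fw/cam-2.1.3.bin
POST http://api.example-iot.test/login?user=admin&password=admin
GET https://api.example-iot.test/status
GET http://api.example-iot.test/config
GET https://updates.example-iot.test/fw/cam-2.1.4.bin
""".splitlines()

# File extensions treated as firmware/update images (assumption for the example).
FIRMWARE_EXT = (".bin", ".img", ".fw", ".apk", ".hex")
# Query parameter names that should never travel in cleartext.
SECRET_PARAMS = {"password", "passwd", "pwd", "token", "key", "secret"}


def classify(line):
    """Return a list of (category, detail) findings for one capture line."""
    method, url = line.split(" ", 1)
    parts = urlsplit(url)
    findings = []
    if parts.scheme == "http":  # no TLS: every such request is an A4 finding
        findings.append(("A4", f"cleartext {method} to {parts.hostname}{parts.path}"))
        secrets = SECRET_PARAMS & set(parse_qs(parts.query))
        if secrets:
            findings.append(("A4", f"credential parameter(s) {sorted(secrets)} sent in cleartext"))
        if parts.path.lower().endswith(FIRMWARE_EXT):  # update image over http: A9
            findings.append(("A9", f"firmware image fetched over http: {parts.path}"))
    return findings


def triage(lines):
    """Aggregate findings per Top10 category across a whole capture."""
    report = {}
    for line in lines:
        for category, detail in classify(line):
            report.setdefault(category, []).append(detail)
    return report


if __name__ == "__main__":
    for category, items in sorted(triage(SAMPLE_CAPTURE).items()):
        print(category)
        for item in items:
            print("  -", item)
```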