This is about the Mobile Application Security Verification Standard (MASVS) and the Mobile Security Testing Guide (MSTG) from OWASP. This relates my experience both as an author and a user of these resources and includes some practical examples of what mobile security means and why it is important in IoT.
The whole set of documents can be found at https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
Through mobile application pentesting, it is possible to identify the different kinds of errors made during development that can put end-user data at risk. It explains how, by applying reverse engineering and hooking techniques, the application's functionality can be manipulated and its security levels tested.
This talk introduces the new OWASP projects focusing on the new GDPR regulation and the impact on the Software Development Life Cycle for a Company today.
Cyber attacks are a real and growing threat to businesses and an increasing number of attacks take place at application layer. The best defence is to develop applications where security controls are incorporated in development cycle and used by developers while writing their code. How can developers deliver more secure applications? What are the security techniques they can use while writing the software?
This presentation will discuss the proactive controls that will guide developers down the path of secure software. It will explore the security techniques that can be incorporated in development cycle and will provide real world examples on how to solve some of the most prevalent security problems on the internet.
Recommended to all builders and security professionals interested in incorporating security techniques as part of software development life cycle in the effort to build more secure applications.
URL: http://sched.co/A652
Security is important for devs. You need to add in-depth capability to secure apps, and for this, this presentation gives you simple principles to add it to a Java app.
These slides come from the Java User Group Summer Camp 2015 in France.
This session addresses the technology challenges of continuous security testing to “deliver securely,” and discusses best practices and tooling based on first-hand experience in both enterprise and startup environments.
Running a High-Efficiency, High-Visibility Application Security Program with... (Denim Group)
This webinar demonstrates how organizations can use the ThreadFix application vulnerability resolution platform to improve vulnerability resolution time and protect applications with Prevoty's RASP technology.
Join Denim Group CTO and Principal Dan Cornell and Prevoty VP, Marketing and Product, Arpit Joshipura for a free webinar to learn more about these tools that can help application security teams.
This webinar provides an overview how to use ThreadFix and Prevoty's RASP to run a high-efficiency, high visibility application security program.
This talk is an introduction to Secure Coding for Java. It will try to present, through various examples, the good practices that allow a secure Java application to be developed in a pragmatic way. We will cover both functional practices and pieces of Java code containing errors, along with their fixes.
Empowering Application Security Protection in the World of DevOps (IBM Security)
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
This talk digs into the fundamentals of DevSecOps, exploring the key principles required to advance your security practices. Considering the changes in culture, methodologies, and tools, it will demonstrate how to accelerate your team journey's from endpoint security to built-in security and how to avoid the common mistakes faced when implementing your chosen DevSecOps strategy.
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
- Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
Secure Code Review is the best approach to uncover the most security flaws, in addition to being the only approach to find certain types of flaws like design flaws. During this session, you will learn how to perform security code review and uncover vulnerabilities such as OWASP Top 10: Cross-site Scripting, SQL Injection, Access Control and much more in early stages of development. You will use a real life application. You will get an introduction to Static Code Analysis tools and how you can automate some parts of the process using tools like FxCop.
This presentation goes over core principles involved in launching secure web applications and effectively managing security in a cloud services environment.
Vulnerability Management In An Application Security World: AppSecDC (Denim Group)
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.
Matteo Meucci - Software Security in practice - AIEA Torino - 30-10-2015 (Minded Security)
Matteo Meucci did a talk on software security in practice, describing the actual scenario and the roadmap for the enterprise to improve their maturity in the SDLC.
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson (Alex Cachia)
In this talk Glenn will walk you through the OWASP Top 10 published towards the end of 2021 to explain what's hot and what's hotter. He will give a brief description of each weakness and explain how they are exploited and, more importantly, what you can do to mitigate against attackers exploiting them in your code.
Stephan Gerling in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Stefan Zarinschi in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Drupalgeddon 2 – Yet Another Weapon for the Attacker (DefCamp)
Radu-Emanuel Chiscariu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Mircea Nenciu and Stefan Mitroi in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Threat Hunting: From Platitudes to Practical Application (DefCamp)
Neil “Grifter” Wyler in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Building application security with 0 money down (DefCamp)
Muhammad Mudassar Yamin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Implementation of information security techniques on modern android based Kio... (DefCamp)
Muhammad Mudassar Yamin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
The challenge of building a secure and safe digital environment in healthcare (DefCamp)
Jelena Milosevic in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Tor .onions: The Good, The Rotten and The Misconfigured (DefCamp)
Ionut-Cristian Bucur in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t... (DefCamp)
Ioan Constantin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Cristian Pațachia-Sultănoiu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
2. About Myself
Security Architect
International Presenter
Member of OWASP and ISACA global organizations
OWASP Ireland Limerick Chapter Leader
https://www.owasp.org/index.php/Ireland-Limerick
Security Researcher PhD, MEng
http://www.ventuneac.net
http://secureappdev.blogspot.com
http://dcsl.ul.ie
OWASP 2
3. State of Information Security
The problem
There are not enough qualified application security professionals
What can we do about it?
Make application security visible
Provide Developers and Software Testers with materials and tools helping them to build more secure applications
4. Who is OWASP?
Open Web Application Security Project
http://www.owasp.org
Global community driving and promoting safety and security of world’s software
OWASP is a registered nonprofit in the United States and Europe
Everyone is free to participate
All OWASP materials & tools are free
5. OWASP by the Numbers
11 years of community service
88+ Government & Industry Citations, including DHS, ISO, IEEE, NIST, SANS Institute, CSA, etc.
30,000+ participant mailing lists
250,000+ unique visitors per month
800,000+ page views per month
15,000+ downloads per month
6. OWASP by the Numbers (cont)
Budget for 2012: $591,275
2081 individual members and honorary members from over 70 countries
55+ paid Corporate Members
53+ Academic Supporters
193+ Active Chapters
113+ Active Projects
4 Global AppSec Conferences per Year
8. OWASP Near You – Romania Chapter
Promote application security and create local security communities
Started in 2008 by Claudiu Constantinescu
2012 Chapter Reboot
Chapter Leader - Tudor Enache
Penetration Tester @ Electronic Arts
Specialized in web and mobile application security testing
https://www.owasp.org/index.php/Romania
9. OWASP Projects & Tools
Make application security visible
Videos, podcasts, books, guidelines, cheat sheets, tools, …
Available under a free and open software license
Used, recommended and referenced by many government, standards and industry organisations
Open for everyone to participate
10. OWASP Projects & Tools - Classification
113+ Active Projects
PROTECT: guard against security-related design and implementation flaws.
DETECT: find security-related design and implementation flaws.
LIFE CYCLE: add security-related activities into software processes (e.g. SDLC, agile, etc.)
11. OWASP Projects & Tools – An Overview
DETECT: OWASP Top 10, OWASP Code Review Guide, OWASP Testing Guide, OWASP Cheat Sheet Series, OWASP AppSec Tutorials, OWASP ASVS, OWASP LiveCD / WTE, OWASP ZAP Proxy
PROTECT: OWASP ESAPI, OWASP ModSecurity CRS
LIFE CYCLE: WebGoat J2EE, WebGoat .NET
Full list of projects (release, beta, alpha)
http://www.owasp.org/index.php/Category:OWASP_Project
12. OWASP Top 10 Security Risks (DETECT)
The most visible OWASP project
Classifies some of the most critical risks
Essential reading for anyone developing web applications
Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, FTC, and many more
14. OWASP Top 10 Risk Rating Methodology
Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
?            | 1 Easy        | 1 Widespread        | 1 Easy                 | 1 Severe         | ?
             | 2 Average     | 2 Common            | 2 Average              | 2 Moderate       |
             | 3 Difficult   | 3 Uncommon          | 3 Difficult            | 3 Minor          |
Threat agent and business impact are application specific (shown as ?); the three likelihood factors are averaged and the result is weighted by technical impact (a lower number means a higher risk).
Injection example: 1, 2, 2, 1 -> (1 + 2 + 2) / 3 = 1.66 (truncated), 1.66 * 1 = 1.66 weighted risk rating
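As an added illustration, not part of the slides, the rating arithmetic from this slide carried out in Python: the three likelihood factors (attack vector, weakness prevalence, weakness detectability) are averaged and weighted by technical impact on the 1/2/3 scale shown above, reproducing the slide's 1.66 for Injection. The label-to-number tables, the truncation to two decimals (which is how the slide arrives at 1.66 rather than 1.67), and the two extra risks used to show ranking are assumptions made for this example and are not OWASP's code.

```python
# Added example (not from the slides): the OWASP Top 10 2010 rating
# arithmetic shown on the slide, with the slide's 1/2/3 scale where a
# lower number means higher risk. The label tables, the truncation rule
# and the extra constructed risks are assumptions made for this example.

# Likelihood factors (the three middle columns of the slide's table).
ATTACK_VECTOR = {"Easy": 1, "Average": 2, "Difficult": 3}
WEAKNESS_PREVALENCE = {"Widespread": 1, "Common": 2, "Uncommon": 3}
WEAKNESS_DETECTABILITY = {"Easy": 1, "Average": 2, "Difficult": 3}
# The weighting factor.
TECHNICAL_IMPACT = {"Severe": 1, "Moderate": 2, "Minor": 3}


def weighted_risk(attack_vector: str, prevalence: str,
                  detectability: str, impact: str) -> float:
    """Average the three likelihood factors and weight by technical impact.

    Threat agent and business impact are left out on purpose: the slide
    marks them '?' because they are specific to each application.
    Unknown labels raise KeyError rather than silently scoring.
    The result is truncated (not rounded) to two decimals, which is how
    the slide gets 1.66 from 5/3 rather than 1.67 (assumption).
    """
    likelihood_sum = (ATTACK_VECTOR[attack_vector]
                      + WEAKNESS_PREVALENCE[prevalence]
                      + WEAKNESS_DETECTABILITY[detectability])
    # Integer arithmetic: (sum / 3) * impact, scaled by 100 and floored,
    # so no floating-point rounding creeps in before the truncation.
    hundredths = (likelihood_sum * TECHNICAL_IMPACT[impact] * 100) // 3
    return hundredths / 100


def injection_example() -> float:
    """The slide's row for Injection: 1, 2, 2, 1 -> 1.66 * 1 = 1.66."""
    return weighted_risk("Easy", "Common", "Average", "Severe")


# Constructed sample input: Injection is the slide's row; the other two
# entries are hypothetical and only here to show ordering.
SAMPLE_RISKS = {
    "Injection": ("Easy", "Common", "Average", "Severe"),
    "Hypothetical risk B": ("Average", "Common", "Average", "Moderate"),
    "Hypothetical risk A": ("Difficult", "Uncommon", "Difficult", "Minor"),
}


def rank_risks(risks: dict) -> list:
    """Return (name, rating) pairs, most severe first (lowest rating first)."""
    rated = [(name, weighted_risk(*labels)) for name, labels in risks.items()]
    return sorted(rated, key=lambda item: item[1])


if __name__ == "__main__":
    print("Injection weighted risk rating:", injection_example())
    for name, rating in rank_risks(SAMPLE_RISKS):
        print(f"{rating:5.2f}  {name}")
```

Because the scale runs the "wrong way" (1 is worst), ranking sorts ascending; a mistake worth watching for when this table is copied into a spreadsheet is rounding instead of truncating, which changes the headline number for Injection from 1.66 to 1.67.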
15. OWASP Code Review Guide
Code review is probably the most effective technique for identifying security flaws
Focuses on the mechanics of reviewing code for certain vulnerabilities
A key enabler for the OWASP fight against software insecurity
Stable release v1.1, v2 is in progress
16. OWASP Code Review Guide (cont)
Focuses on .NET and Java, but has some C/C++ and PHP
Integration of secure code review into software development processes
Understand what you are reviewing
Security code review is not a silver bullet, but a key component of an IS program
17. OWASP Testing Guide
Create a "best practices" web application penetration testing framework
A low-level web application penetration testing guide
Recommended for developers and software testers
Version 3 available, version 4 is in progress
https://www.owasp.org/index.php/OWASP_Testing_Project
18. OWASP Cheat Sheet Series
Provide a concise collection of high value information on specific web application security topics
Developer Cheat Sheets (Builder):
Authentication
Clickjacking Defense
Cryptographic Storage
HTML5 Security
Input Validation
Query Parameterization
Session Management
SQL Injection Prevention
…
Assessment Cheat Sheets (Breaker):
Attack Surface Analysis
XSS Filter Evasion
…
Mobile Cheat Sheets:
iOS Developer
Mobile Jailbreaking
…
https://www.owasp.org/index.php/Cheat_Sheets
19. OWASP Cheat Sheet Series (cont)
The most visible OWASP project
Classifies some of the most critical risks
Essential reading for anyone developing web applications
Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more
21. OWASP AppSec Tutorial Series
https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
MAKE APPSEC MORE VISIBLE
Provide top notch application security video based training
Four episodes available
22. OWASP ASVS - Application Security Verification Standard
Provides a basis for testing application technical security controls
Use as a metric – assess the degree of trust on existing security controls
Use as guidance – for what to build as part of planned security controls
Use during procurement
25. OWASP LiveCD / WTE
Make application security tools and documentation easily available
Collects some of the best open source security projects in a single environment
Boot from this Live CD and have access to a full security testing suite
http://appseclive.org/
26. OWASP Zed Attack Proxy Project (PREVENT)
One of the flagship OWASP projects
Easy to use integrated penetration testing tool for assessing web applications
Ideal for developers and functional testers who are new to penetration testing
Completely free and open source
Cross platform, internationalised
Current version 1.4.1 (v2 in progress)
27. OWASP ZAP Proxy - Features
Features: Intercepting Proxy, Automated scanner, Passive scanner, Brute Force scanner, Spider, Fuzzer, Port scanner, Dynamic SSL certificates, API, Beanshell integration
Upcoming: New Spider, New 'Ajax' Spider, Session Awareness, Web Socket Support, Session Scope, Different Modes (Safe/Protected/Standard), Scripting console
29. OWASP ESAPI – Enterprise Security API
Free, open source, web application security controls library
Provide developers with libraries for writing lower-risk applications
Allow retrofitting security into existing applications
Serve as a solid foundation for new development
Support for Java, PHP and Force.com – there could be more languages supported
32. OWASP ESAPI - OWASP Top 10 Coverage
OWASP Top Ten -> OWASP ESAPI component
A1. Cross Site Scripting (XSS): Validator, Encoder
A2. Injection Flaws: Encoder
A3. Malicious File Execution: HTTPUtilities (Safe Upload)
A4. Insecure Direct Object Reference: AccessReferenceMap, AccessController
A5. Cross Site Request Forgery (CSRF): User (CSRF Token)
A6. Leakage and Improper Error Handling: EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions: Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage: Encryptor
A9. Insecure Communications: HTTPUtilities (Secure Cookie, Channel)
A10. Failure to Restrict URL Access: AccessController
33. OWASP ModSecurity Core Rule Set
Free certified rule set for ModSecurity WAF
Generic web applications protection:
Common Web Attacks Protection
HTTP Protection
Real-time Blacklist Lookups
HTTP Denial of Service Protection
Automation Detection
Integration with AV Scanning for File Uploads
Tracking Sensitive Data
Identification of Application Defects
Error Detection and Hiding
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
34. OWASP WebGoat Java Project
Deliberately insecure J2EE web application to teach web application security lessons
Over 30 lessons, providing hands-on learning about
Cross-Site Scripting (XSS)
Access Control
Blind/Numeric/String SQL Injection
Web Services
… and many more
Version 5.4 available, v6 in progress
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
36. OWASP WebGoat.NET Project
A purposefully broken ASP.NET web application
Contains many common vulnerabilities
Intended for use in classroom environments
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET