#wpewebinar
February 15, 2017
ASK QUESTIONS AS WE GO
Use the “Questions” pane throughout the webinar
We’ll answer as many questions as we can after the presentation
Slides and recording will be made available shortly after the webinar
WHAT YOU’LL LEARN:
● What is OWASP?
● What are the OWASP Top Ten?
● How each might affect your website
● How to mitigate risks for each vulnerability
● Q&A
Justin Dailey
Security Engineer, WP Engine
● Background in HW and digital electronics
● Sports enthusiast
● Loves all things outdoors
Will West
Security Architect, WP Engine
● Made a gatling gun with sonar sensor
● 6’8” Tall
● Does not play basketball
OWASP
The OWASP Top Ten
OWASP Top 10
A1 Injection
A2 Weak authentication and session management
A3 XSS
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross Site Request Forgery
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Poll: Are you currently doing anything to secure your website against these Top 10 threats?
A1
Injection
Description
• Different types: SQL, LDAP, ORM, XML, XPath, Code Injection, Command Injection, Buffer Overflows
• Execution of unintended commands
• Unauthorized data access
Protections
• Enforce input type and length
• Ensure special characters are escaped
• Validate all input fields and use an input validation whitelist
• Avoid dynamic queries or commands
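The slide's protections for A1 side by side, as an added example that is not part of the deck (written in Python against an in-memory SQLite table so it runs offline; the table, the login-name rules and the `' OR '1'='1` probe are constructed for the demonstration). The dynamic query shows why string-built SQL is the problem; the parameterized query and the whitelist validator are the two layers the slide recommends.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table standing in for a site database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (login, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "editor"), ("carol", "subscriber")],
    )
    return db


def find_user_dynamic(db, login):
    """Vulnerable pattern: untrusted input is concatenated into the SQL text,
    so input that contains SQL syntax changes the meaning of the query."""
    sql = "SELECT login FROM users WHERE login = '" + login + "'"
    return [row[0] for row in db.execute(sql)]


def find_user_param(db, login):
    """Hardened: a bound parameter. The driver sends the value separately from
    the statement, so special characters in the input are data, never syntax."""
    rows = db.execute("SELECT login FROM users WHERE login = ?", (login,))
    return [row[0] for row in rows]


# Defence in depth: enforce type, length and a whitelist of characters before the
# value reaches any query or command. Assumed policy: a login is 1-32 characters
# from [a-z0-9._-].
LOGIN_RE = re.compile(r"[a-z0-9._-]{1,32}")


def is_valid_login(value):
    return isinstance(value, str) and LOGIN_RE.fullmatch(value) is not None


def lookup(db, login):
    """Whitelist-validate first, then query with a bound parameter."""
    if not is_valid_login(login):
        raise ValueError("invalid login")
    return find_user_param(db, login)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("dynamic  :", find_user_dynamic(db, probe))   # every row comes back
    print("parameter:", find_user_param(db, probe))     # nothing matches
    print("valid?   :", is_valid_login(probe))          # rejected before any query
```

The parameterized query alone stops the injection; the validator additionally rejects the input before it reaches the database, which also keeps oversized or malformed values out of logs and downstream commands.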
A2
Weak authentication and session management
Description
• Attacks take advantage of improper authentication or session management practices
• Leads to access to sensitive information such as passwords, keys, or tokens
• Execution of privileged application functions
Protections
• Follow standard and recommended practices for user management and authentication
• Perform user and role validation on all actions
• Use secure session cookie flags
• Always use CSRF tokens with forms
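An added example (not from the deck) of the session-management half of A2: unguessable session identifiers, a server-side idle timeout, identifier rotation on login or privilege change, and the secure cookie flags the slide calls for. The in-memory store, the 30-minute timeout and the cookie name are assumptions made for the illustration; a real site would use its framework's session handler with the same properties.

```python
import secrets
import time

SESSION_TTL = 30 * 60  # idle timeout in seconds (assumed policy value)


class SessionStore:
    """In-memory session store used to illustrate the practices."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # session id -> {"user": ..., "last_seen": ...}

    def create(self, user):
        # 256 bits from the OS CSPRNG: ids must be unguessable, never sequential.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def get_user(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["last_seen"] > SESSION_TTL:
            del self._sessions[sid]   # idle sessions expire server-side, not just in the cookie
            return None
        s["last_seen"] = self._now()
        return s["user"]

    def rotate(self, sid):
        """Issue a fresh id on login or privilege change, so an id fixed or
        observed before authentication is worthless afterwards."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        return self.create(s["user"])

    def destroy(self, sid):
        """Logout: invalidate server-side, not only by clearing the cookie."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie line with the flags the slide recommends:
    HttpOnly (script cannot read it), Secure (only sent over HTTPS),
    SameSite=Lax (not sent on cross-site POSTs), Path (scope), Max-Age (lifetime)."""
    return "Set-Cookie: session=%s; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=%d" % (
        sid, SESSION_TTL)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.rotate(store.create("alice"))   # rotate right after login
    print(session_cookie_header(sid))
```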
A3
Cross Site Scripting (XSS)
Description
• An application places data from untrusted sources into site content without performing proper validation and/or escaping
• Allows client side script execution
• Can lead to compromised credentials and sessions, site defacement, and redirection to malicious sites
Protections
• Positive input validation using correct character set
• Sanitize input
• Output encode all user data upon rendering
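The "output encode upon rendering" protection from the A3 slide as an added example (not from the deck, Python standard library only). It shows the vulnerable concatenation next to encoding for the three contexts a template most often writes into: HTML text, a quoted attribute, and a script block. The untrusted sample string is constructed for the demonstration.

```python
import html
import json

# Constructed untrusted input, e.g. a comment body submitted by a site visitor.
UNTRUSTED = '<img src=x onerror="alert(1)"> "quoted" & </script>'


def render_unsafe(name):
    """Vulnerable: untrusted data pasted straight into markup."""
    return "<p>Hello " + name + "</p>"


def render_html_text(name):
    """HTML text context: & < > and quotes become entities, so the browser
    shows the characters instead of parsing them as tags."""
    return "<p>Hello " + html.escape(name) + "</p>"


def render_html_attr(value):
    """Attribute context: always quote the attribute and escape the quotes too
    (quote=True), so the data cannot close the attribute and start a new one."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


def render_script_data(value):
    """Script context: hand data to JavaScript as JSON with < and > escaped, so a
    literal </script> inside the value cannot end the block early."""
    encoded = json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var q = " + encoded + ";</script>"


if __name__ == "__main__":
    print(render_unsafe(UNTRUSTED))
    print(render_html_text(UNTRUSTED))
    print(render_html_attr(UNTRUSTED))
    print(render_script_data(UNTRUSTED))
```

Encoding is chosen by where the data lands, not by what the data looks like; the same string needs a different encoder for each of the three outputs above.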
A4
Insecure Direct Object References
Description
• Reference to an internal object such as a file, directory, or database key is exposed
• Leads to unauthorized data access directly or by manipulation
Protections
• Ensure access control checks are performed when using direct object references
• Use reference maps instead of direct reference such as IDs
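Both A4 protections together, as an added example that is not part of the deck: a per-session reference map so the client only ever handles random tokens instead of database keys, and an ownership check that runs on every access regardless of how the reference was obtained. The invoice table and user names are constructed.

```python
import secrets

# Constructed data: invoices keyed by their internal database id.
INVOICES = {
    101: {"owner": "alice", "total": 40},
    102: {"owner": "bob", "total": 75},
}


class Forbidden(Exception):
    pass


class ReferenceMap:
    """Per-session indirect references. The client sees only random tokens, so
    it cannot guess neighbouring ids, and a token is meaningless in any other session."""

    def __init__(self):
        self._to_internal = {}
        self._to_public = {}

    def public_ref(self, internal_id):
        if internal_id not in self._to_public:
            token = secrets.token_urlsafe(16)
            self._to_public[internal_id] = token
            self._to_internal[token] = internal_id
        return self._to_public[internal_id]

    def resolve(self, token):
        return self._to_internal.get(token)


def list_invoices(user, refmap):
    """Listing hands out tokens, never the internal ids."""
    return [(refmap.public_ref(i), inv["total"])
            for i, inv in INVOICES.items() if inv["owner"] == user]


def get_invoice(user, refmap, token):
    internal_id = refmap.resolve(token)
    if internal_id is None:
        raise Forbidden("unknown reference")
    inv = INVOICES[internal_id]
    # The access-control check still runs: the map hides ids, it does not replace authorization.
    if inv["owner"] != user:
        raise Forbidden("not the owner")
    return inv


def can_access(user, refmap, token):
    try:
        get_invoice(user, refmap, token)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    session = ReferenceMap()
    for token, total in list_invoices("alice", session):
        print(token, total, can_access("alice", session, token))
```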
A5
Security Misconfiguration
Description
• Insecure server or application configurations that allow unintended access to data or application functions
• Can be a result of naive configurations, default configurations, outdated software
Protections
• A repeatable and testable hardening process incorporating development, QA, and production
• Regular update and patching processes
• Periodic scans and audits
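A "repeatable and testable hardening process" in its smallest form, as an added example not taken from the deck: a baseline of required settings and an audit function that reports every deviation, so the same check can run against development, QA and production. The `WP_DEBUG` and `DISALLOW_FILE_EDIT` constants are real wp-config.php settings; `display_errors` is a real PHP setting; `directory_listing` and `admin_user_exists` are hypothetical keys standing in for checks the page names only in prose. The wp-config snippet parsed here is constructed.

```python
import re

# Constructed baseline: setting -> (required value, why it matters). Illustrative, not complete.
BASELINE = {
    "WP_DEBUG": (False, "debug output leaks file paths and queries to visitors"),
    "DISALLOW_FILE_EDIT": (True, "dashboard theme/plugin editor turns any admin login into code execution"),
    "display_errors": ("Off", "PHP error pages reveal internals"),
    "directory_listing": (False, "directory indexes disclose installed components"),
    "admin_user_exists": (False, "the default 'admin' account invites password guessing"),
}

# Matches define('NAME', true|false|'string'); lines in wp-config.php.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(true|false|'[^']*')\s*\)")


def parse_wp_config(text):
    """Extract define() constants from a wp-config.php fragment into a dict."""
    settings = {}
    for name, raw in DEFINE_RE.findall(text):
        if raw == "true":
            settings[name] = True
        elif raw == "false":
            settings[name] = False
        else:
            settings[name] = raw.strip("'")
    return settings


def audit(config):
    """Return (setting, problem, reason) for every baseline item that is missing or wrong."""
    findings = []
    for key, (expected, why) in BASELINE.items():
        if key not in config:
            findings.append((key, "missing", why))
        elif config[key] != expected:
            findings.append((key, "is %r, expected %r" % (config[key], expected), why))
    return findings


def passes(config):
    return audit(config) == []


if __name__ == "__main__":
    # Constructed wp-config.php fragment with two insecure values.
    sample = "define('WP_DEBUG', true);\ndefine('DISALLOW_FILE_EDIT', false);\n"
    cfg = parse_wp_config(sample)
    cfg.update({"display_errors": "On", "directory_listing": True, "admin_user_exists": True})
    for finding in audit(cfg):
        print("%-20s %-28s %s" % finding)
```

Because the audit is a function over plain data, it drops into a CI job or a post-deploy check unchanged, which is what makes the process repeatable rather than a one-off review.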
A6
Sensitive Data Exposure
Description
• Improper protection and/or encryption of sensitive data such as personally identifiable information, payment methods, and credentials
• Exposure can occur at rest or in transit
• Can lead to fraud, PR nightmares, and further exploitation
Protections
• Encrypt all sensitive data at rest and in transit
• Avoid storing sensitive data at all costs
• Use standard and modern cryptography and hashing algorithms
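The "standard and modern hashing" protection from A6 applied to the one piece of sensitive data every site stores, the password, as an added example (not from the deck, Python standard library only). It contrasts an unsalted fast hash with salted PBKDF2-HMAC-SHA256 and a constant-time verification. The iteration count and the stored-string format are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000   # assumed work factor; raise it as hardware gets faster


def hash_password_legacy(password):
    """What not to do: fast, unsalted, identical output for identical passwords,
    so a leaked table can be attacked with precomputed tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None):
    """Salted, slow, standard: PBKDF2-HMAC-SHA256 with a per-user random salt.
    The stored string carries algorithm, rounds and salt so parameters can be
    raised later without breaking existing records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, _b64(salt), _b64(dk))


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    rounds, salt, dk = int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong", record))
```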
A7
Missing Function Level Access Control
Description
• Authentication verification is performed on the front end (UI) but is not properly performed on application functions
• Verification must be performed on all functions at all levels
• Allows unauthorized access to functions and data
Protections
• Perform validations client side AND server side
• Use explicit grants, deny by default
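"Explicit grants, deny by default" enforced on the server side, as an added example that is not from the deck: every privileged function is wrapped with a check against a grant table, and a capability with no entry in the table is callable by nobody, whatever the UI shows or hides. Roles, capabilities and the functions themselves are constructed for the illustration.

```python
import functools


class Forbidden(Exception):
    pass


# Constructed grant table: capability -> roles explicitly allowed. Absent = denied.
GRANTS = {
    "delete_post": {"admin", "editor"},
    "manage_users": {"admin"},
}


def requires(capability):
    """Decorator: the server re-checks the caller's role on every invocation,
    independent of whether the front end offered the action."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(current_user, *args, **kwargs):
            allowed = GRANTS.get(capability, set())      # unknown capability -> empty set -> deny
            if current_user.get("role") not in allowed:
                raise Forbidden("%s requires %s" % (fn.__name__, capability))
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorate


@requires("delete_post")
def delete_post(user, post_id):
    return "deleted post %d" % post_id


@requires("manage_users")
def manage_users(user):
    return "user list"


@requires("export_data")          # no grant defined: deny by default, for everyone
def export_data(user):
    return "export"


def call_guarded(fn, user, *args):
    """Helper returning (allowed, result_or_reason) instead of raising."""
    try:
        return True, fn(user, *args)
    except Forbidden as exc:
        return False, str(exc)


if __name__ == "__main__":
    for role in ("admin", "editor", "subscriber"):
        user = {"name": role + "-user", "role": role}
        print(role, call_guarded(delete_post, user, 7), call_guarded(manage_users, user))
```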
A8
Cross Site Request Forgery
Description
• An attack forcing a logged in victim’s browser to send a forged HTTP request which includes local session information
• Requests target vulnerable sites that do not perform proper request validation
Protections
• Include an unpredictable CSRF token in each HTTP request
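The A8 protection in code, as an added example not taken from the deck: a CSRF token that is unpredictable (random nonce) and bound to the victim's session (HMAC over session id and nonce under a server secret), verified in constant time before any state-changing request is honoured. A token copied from one session fails in another, which is what defeats the forged request the slide describes. The server secret and the request handler are constructed.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret (constructed here at import; a real site loads it from config).
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id, nonce):
    msg = (session_id + ":" + nonce).encode("utf-8")
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Embed the result in the form as a hidden field."""
    nonce = secrets.token_hex(16)
    return nonce + "." + _mac(session_id, nonce)


def verify_csrf_token(session_id, token):
    """True only if the token was minted for this session and is untampered."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = _mac(session_id, nonce)
    # compare_digest on bytes: constant-time and safe for non-ASCII input
    return hmac.compare_digest(expected.encode("ascii"), mac.encode("utf-8"))


def handle_post(session_id, form):
    """Simulated state-changing handler: 403 unless the form carries a valid token."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403
    return 200


if __name__ == "__main__":
    token = issue_csrf_token("session-A")
    print(handle_post("session-A", {"csrf_token": token, "action": "change_email"}))  # 200
    print(handle_post("session-B", {"csrf_token": token, "action": "change_email"}))  # 403
```

Because the session id is part of the MAC input, the token does not need to be stored server-side; the session cookie the browser already sends is the only state the check depends on.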
A9
Using Components with Known Vulnerabilities
Description
• Known vulnerabilities in the libraries and frameworks you use can be exploited with readily available tools
• Exploiting them can allow attackers to bypass security measures
Protections
• Maintain awareness of the components and versions utilized by your application
• Monitor the security of these components via public notifications such as vulnerability mailing lists, etc.
• Establish and follow policies dictating what software components are acceptable to use
A10
Unvalidated Redirects and Forwards
Description
• Use of redirects and forwards with untrusted data determining the destination pages
• Redirection can be exploited to direct users to malicious sites performing phishing or malware distribution
Protections
• Avoid redirects and forwards if possible
• If they are used, do not include dynamic parameters in calculating the destination
QUESTIONS AND ANSWERS
Slides and recording will be made available shortly after the webinar
RESOURCES
8 KEY SECURITY QUESTIONS YOUR HOSTING COMPANY SHOULD BE ABLE TO ANSWER
OWASP TOP 10 2013 PROJECT
OWASP VULNERABLE WEB APPLICATIONS DIRECTORY PROJECT
LIVE INTERVIEW WITH DAVID ENDLER OF MANIFEST ON WEB SECURITY
15 WAYS TO HARDEN THE SECURITY OF YOUR WORDPRESS SITE
RECORDED WEBINAR: TODAY’S WEBSITE SECURITY THREAT LANDSCAPE (FEATURING TONY PEREZ, SUCURI)
NEXT UP...
Wednesday, Feb 22
11:00 a.m. CST, 12:00 p.m. EST, 9:00 a.m. PST, 5:00 p.m. UTC/GMT
Register Now:
http://wpeng.in/
email
HELP US IMPROVE
THANK YOU
@wpengine

Security Webinar: Harden the Heart of Your WordPress Site
