5. 2013 OWASP Top 10

 #   2010                                     2013
 6   Security Misconfiguration                Sensitive Data Exposure
 7   Insecure Cryptographic Storage           Missing Function Level Access Control
 8   Failure to Restrict URL Access           Cross-Site Request Forgery (CSRF)
 9   Insufficient Transport Layer Protection  Using Components with Known Vulnerabilities
10   Unvalidated Forwards and Redirects       Unvalidated Forwards and Redirects
Source : https://www.owasp.org/index.php/Top_10_2013-Top_10
6. OWASP (Open Web Application Security Project) is a worldwide non-profit charitable organization focused on improving the security of software.
7. Web Application Attack Statistics
Source : https://www.owasp.org/index.php/Top_10_2013-Top_10
8. $3,100,000/yr: average cost of web application attacks
Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
9. 78%: organizations that have had web applications COMPROMISED
Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
10. 69%: said that a web application firewall (WAF) is necessary or critical
Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
11. Top 3 Reasons to Secure Web Applications: Protection of Data, Revenue Loss, Compliance
Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
12. Number of full-time employees needed to manage a web application firewall
Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
15. ZAP (Zed Attack Proxy) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
16. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
17. Acunetix automatically crawls and scans off-the-shelf and custom-built websites and web applications for SQL Injection, XSS, XXE, SSRF, Host Header Attacks and over 500 other web vulnerabilities.
18. Acunetix is a fully automated web browser that can understand and interact with complex web technologies such as AJAX, SOAP/WSDL, SOAP/WCF, REST/WADL, XML, JSON, Google Web Toolkit (GWT) and CRUD operations just like a regular browser would.
Acunetix can crawl complex web application architectures including JavaScript-heavy HTML5 Single Page Applications while being able to scan restricted areas automatically and with ease.
19. Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities.
20. Vega is written in Java, GUI-based, and runs on Linux, OS X, and Windows.
Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities.
Vega can be extended using a powerful API in the language of the web: JavaScript.