Web Security Overview
Noah G. Jaehnert
Director of Information Security
OurHealth, LLC
Agenda
• Who are you/Who am I?
• What is OurHealth?
• What is security/What is Information Security?
• Why is security difficult?
• What happens if we don't do security right?
• What can developers do to enhance security?
• Questions?
• If I only leave you with three things...
Who am I?
• Noah G. Jaehnert - Director of Information Security at OurHealth
• Email: njaehnert@ourhealth.org, Twitter: @njaehner
• LinkedIn: https://www.linkedin.com/in/noahjaehnert
• Previous experience:
• Security Architecture Program Manager/Enterprise Security Strategist –
• Senior Information Security Consultant –
• Enterprise Architect –
• Technical Engineer –
Who am I?
• Awards/Honors:
• 2015 and 2016 Cisco Champion for Security!
• 2015 America’s Information Security Leadership Award (AISLA) winner - Up and Coming
Information Security Professional
• Certifications Include:
• Other Interests:
• Photography
• Skiing
• Volunteer as a Firefighter/EMT (a different side of Risk Management)
*In Progress
What is OurHealth?
Custom, Near-Site, and On-Site Healthcare Clinics
Services We Provide:
Adult Primary & Urgent Care
Pediatric Urgent Care
Wellness Services
On-site Labs & Medications
Referral Services
Online Tools
What is OurHealth’s Mission?
People
Passion
Excellence
What is security?
• Security is the degree of resistance to, or protection from, harm.
• It applies to any vulnerable and valuable asset, such as a person, dwelling,
community, item, nation, or organization.
• As noted by the Institute for Security and Open Methodologies (ISECOM) in
their Open Source Security Testing Methodology Manual (OSSTMM),
security provides:
• A form of protection where a separation is created between the assets and the
threat
• These separations are generically called "controls," and sometimes include
changes to the asset or the threat
Components of Security
• The Certified Information Systems Security Professional (CISSP)
certification requires knowledge of the following domains/areas:
• Access Control
• Application Development Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal regulations, investigations, and compliance
• Operations Security
• Physical and Environmental Security
• Security Architecture and Design
• Telecommunications and Network Security
What Is Information Security?
• The protection of information and its critical elements, including the
systems and hardware that use, store, and transmit that information
• Tools, such as policy, awareness, training, education, and technology
are necessary to support the overall protection of information and
systems
• The C.I.A. triangle was created as a standard to provide guidance on
protecting information and systems
Basics of Information Security:
CIA
• Confidentiality – Information, systems, and/or data are not made available or
disclosed to unauthorized individuals, entities, or processes
• Integrity – Information, systems, and/or data are accurate and complete over their
entire lifecycle. This means they cannot be modified in an unauthorized or
undetected manner.
• Availability – Information, systems, and/or data must be available when needed.
This means that the systems used to store and process the information, the security
controls used to protect it, and the communication channels used to access it must
be functioning correctly
Why is Security Difficult?
• OurHealth
What happens if we don’t do security right?
Source: 2016 Verizon Data Breach Investigation Report
• Gray bars indicate the corresponding figure from the DBIR report for 2015.
• Web application attacks accounted for the greatest percentage of attacks that resulted in breaches
• Increased almost fivefold from 2015!
What can developers do to enhance security?
• Build it into what you do!
• A plethora of resources for developers on building secure applications are
available from the Open Web Application Security Project (OWASP). OWASP is:
• The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-
profit charitable organization focused on improving the security of software.
• OWASP’s mission is to make software security visible, so that individuals and
organizations are able to make informed decisions.
• OWASP is in a unique position to provide impartial, practical information about AppSec
to individuals, corporations, universities, government agencies and other organizations
worldwide. Operating as a community of like-minded professionals, OWASP issues
software tools and knowledge-based documentation on application security.
What can developers do to enhance security?
• There is an Indianapolis OWASP Chapter that meets quarterly.
• I HIGHLY encourage you to attend, because:
• There are great presentations on relevant security topics
• It is an awesome networking opportunity
• Dinner (and sometimes drinks) provided free by a sponsor
• Next meeting: TBD Q4 2016.
• Visit the Indy OWASP Meetup page for details:
http://www.meetup.com/indyowasp/
About the OWASP Top 10
OWASP Top 10 is an Awareness Document
• Not a standard…
First developed in 2003
• Was probably 3rd or 4th OWASP project, after
• Developers Guide
• WebGoat
• Maybe WebScarab ??
Released
• 2003, 2004, 2007, 2010, 2013
OWASP Top Ten (2013 Edition)
What Didn’t Change
It’s About Risks, Not Just Vulnerabilities
• Title is: “The Top 10 Most Critical Web Application Security Risks”
OWASP Top 10 Risk Rating Methodology
• Based on the OWASP Risk Rating Methodology, used to prioritize Top 10
2013-A1 – Injection
Injection means…
• Tricking an application into including unintended commands in the data sent to
an interpreter
Interpreters…
• Take strings and interpret them as commands
• SQL, OS Shell, LDAP, XPath, Hibernate, etc…
SQL injection is still quite common
• Many applications still susceptible (really don’t know why)
• Even though it’s usually very simple to avoid
Typical Impact
• Usually severe. Entire database can usually be read or modified
• May also allow full database schema, or account access, or even OS level
access
SQL Injection – Illustrated
[Diagram: an HTTP request crosses the firewall, hardened OS, web server and app server into the custom code behind the site's business functions (accounts, finance, administration, transactions, communication, knowledge management, e-commerce); the custom code issues a SQL query to the database, and the result travels back in the HTTP response. The attack rides the application layer, not the network layer.]
Injected query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Account Summary returned to the attacker:
Acct: 5424-6066-2134-4334
Acct: 4128-7574-3921-0192
Acct: 5424-9383-2039-4029
Acct: 4128-0004-1234-0293
A1 – Avoiding Injection Flaws
Recommendations
• Avoid the interpreter entirely, or
• Use an interface that supports bind variables (e.g., prepared statements,
or stored procedures),
• Bind variables allow the interpreter to distinguish between code and
data
• Encode all user input before passing it to the interpreter
• Always perform ‘white list’ input validation on all user supplied input
• Always minimize database privileges to reduce the impact of a flaw
References
• For more details, read the SQL Injection Prevention Cheat Sheet:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
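As an added example (not code from the slides or from OWASP), the injected string from the diagram run against a throwaway SQLite table: the concatenated query returns every account, the bind-variable version treats the same input as an ordinary string, and an allow-list check rejects it before the interpreter ever sees it. The table layout, the sample account numbers and the account-number pattern are assumptions.

```python
import re
import sqlite3

# Constructed sample data (assumption): an accounts table like the one in the
# slide's diagram, keyed by a 16-digit account number.
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
]

# Allow-list ("white list") shape for an account number: four groups of four
# digits. Anything else is rejected before it reaches the SQL interpreter.
ACCT_PATTERN = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{4}$")


def make_db():
    """Create an in-memory SQLite database seeded with the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """The flaw from the slide: user input is pasted into the SQL text, so the
    interpreter cannot tell where the data ends and the command begins.
    With acct = "' OR 1=1--" the statement becomes
        SELECT ... WHERE acct='' OR 1=1--'
    and the trailing quote is swallowed by the comment marker."""
    sql = "SELECT acct, owner FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, acct):
    """Bind variable: the value travels separately from the statement text, so
    quotes and comment markers inside it are just characters to compare."""
    return conn.execute(
        "SELECT acct, owner FROM accounts WHERE acct = ?", (acct,)
    ).fetchall()


def is_valid_acct(acct):
    """Allow-list validation: True only for input shaped like an account number."""
    return ACCT_PATTERN.match(acct) is not None


def lookup_validated(conn, acct):
    """Validation in front of the parameterized query: defence in depth, since
    the bind variable on its own already neutralises the payload."""
    if not is_valid_acct(acct):
        raise ValueError("account number failed allow-list validation")
    return lookup_parameterized(conn, acct)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1--"  # the string from the slide's diagram
    print("concatenated :", lookup_vulnerable(conn, payload))     # every row
    print("parameterized:", lookup_parameterized(conn, payload))  # no rows
    print("allow-list   :", is_valid_acct(payload))               # False
```

The least-privilege recommendation is not shown here; it is a database-side grant (a read-only role for this lookup), not application code.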
2013-A2 – Broken Authentication and Session Management
HTTP is a “stateless” protocol
• Means credentials have to go with every request
• Should use SSL for everything requiring authentication
Session management flaws
• SESSION ID used to track state since HTTP doesn’t
• and it is just as good as credentials to an attacker
• SESSION ID is typically exposed on the network, in browser, in logs, …
Beware the side-doors
• Change my password, remember my password, forgot my password, secret
question, logout, email address, etc…
Typical Impact
• User accounts compromised or user sessions hijacked
Broken Authentication Illustrated
[Diagram: the victim's browser talks to the custom code in front of the site's business functions (accounts, finance, administration, transactions, communication, knowledge management, e-commerce).]
1. User sends credentials
2. Site uses URL rewriting (i.e., put session in URL): www.boi.com?JSESSIONID=9FA1DB9EA...
3. User clicks on a link to http://www.hacker.com in a forum
4. Hacker checks referrer logs on www.hacker.com and finds user’s JSESSIONID
5. Hacker uses JSESSIONID and takes over victim’s account
A2 – Avoiding Broken Authentication and Session Management
Verify your architecture
• Authentication should be simple, centralized, and standardized
• Use the standard session id provided by your container
• Be sure SSL protects both credentials and session id at all times
Verify the implementation
• Forget automated analysis approaches
• Check your SSL certificate
• Examine all the authentication-related functions
• Verify that logoff actually destroys the session
• Use OWASP’s WebScarab to test the implementation
Follow the guidance from
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
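Added example, not code from the slides or from OWASP, covering both the illustrated URL-rewriting leak and the recommendations above: a small server-side session store that issues random IDs in a Secure/HttpOnly cookie and destroys the record on logoff, plus a scanner that flags session identifiers carried in request URLs or Referer headers of combined-format access logs, the condition that lets the next outbound click leak the ID. The cookie name, the idle timeout and the sample log lines are assumptions.

```python
import re
import secrets
import time

SESSION_COOKIE = "SESSIONID"   # assumed cookie name
IDLE_TIMEOUT = 15 * 60         # seconds; assumed policy, not from the slides


class SessionStore:
    """Server-side session table keyed by a random, unguessable identifier.
    The browser only ever holds the identifier, never the user's state."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # sid -> {"user": ..., "last_seen": ...}

    def login(self, user):
        """Issue a fresh 256-bit session ID after successful authentication."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    @staticmethod
    def set_cookie_header(sid):
        """Cookie attributes that keep the ID off the network in clear text
        (Secure), away from page scripts (HttpOnly) and out of cross-site
        requests (SameSite=Strict). Nothing goes in the URL."""
        return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def user_for(self, sid):
        """Resolve a presented ID to a user, or None if unknown or idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = self._now()
        return s["user"]

    def logout(self, sid):
        """Logoff must destroy the server-side record; clearing the cookie
        alone leaves a copied ID usable. Returns True if a session was removed."""
        return self._sessions.pop(sid, None) is not None


# Detection side: a session identifier carried in the URL (the URL-rewriting
# pattern from the slide) lands in proxy logs, browser history and, on the
# next outbound click, in the Referer header sent to the other site.
SID_IN_URL = re.compile(r"(?i)[?&;](?:jsessionid|sessionid|phpsessid)=")

# Combined log format: client, ident, user, [time], "request", status, bytes,
# "referer", "user-agent". Only the request URL and the Referer are needed.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'\d+ \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample log lines (assumption); the session value is a placeholder.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Oct/2016:10:00:01 -0400] "GET /account?JSESSIONID=PLACEHOLDER_SID HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Oct/2016:10:00:07 -0400] "GET /forum/thread/42 HTTP/1.1" 200 2048 "https://www.example.com/account?JSESSIONID=PLACEHOLDER_SID" "Mozilla/5.0"',
    '10.0.0.6 - - [01/Oct/2016:10:01:00 -0400] "GET /account HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def find_session_ids_in_urls(lines):
    """Return (line number, field) for every request URL or Referer that
    carries a session identifier as a URL parameter."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("url", "referer"):
            if SID_IN_URL.search(m.group(field)):
                hits.append((n, field))
    return hits


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    print(store.set_cookie_header(sid))
    store.logout(sid)
    print("after logout:", store.user_for(sid))                   # None
    print("leaks:", find_session_ids_in_urls(SAMPLE_ACCESS_LOG))  # [(1, 'url'), (2, 'referer')]
```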
Summary: How do you address these
problems?
• Develop Secure Code
– Follow the best practices in OWASP’s Guide to Building Secure Web Applications
• https://www.owasp.org/index.php/Guide
• And the cheat sheets: https://www.owasp.org/index.php/Cheat_Sheets
– Use OWASP’s Application Security Verification Standard (ASVS) as a guide to what an application needs
to be secure: https://www.owasp.org/index.php/ASVS
– Use standard security components that are a fit for your organization
• Use OWASP’s ESAPI as a basis for your standard components:
https://www.owasp.org/index.php/ESAPI
• Review Your Applications
– Have an expert team review your applications
– Review your applications yourselves following OWASP Guidelines
• OWASP Code Review Guide: https://www.owasp.org/index.php/Code_Review_Guide
• OWASP Testing Guide: https://www.owasp.org/index.php/Testing_Guide
A few stories from my past…
Questions?
If I only leave you with three things:
1. WE CAN FIX THIS!
2. Learn all you can about security. Build it into what you do, and
do it early and often throughout your projects. Don’t wait until
the end. Doing so makes it infinitely harder to fix (and it
probably won’t ever be fixed).
3. Use the resources available to you, such as OWASP. Never be
afraid to ask (or Google, or Google then ask)!
Sources/Resources
• 2016 Verizon Data Breach Investigation Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
• Open Web Application Security Project (OWASP): https://www.owasp.org
• OWASP Cheat Sheets: https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
• OWASP Top Ten Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• OWASP Top Ten 2013 (latest edition): https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf
• OWASP Top Ten Slides (used in this presentation): https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Presentation.pptx
My contact information:
• If I can ever be a resource to you, please do not hesitate to reach out!
• Email: njaehnert@ourhealth.org
• Twitter: @njaehner
• LinkedIn: https://www.linkedin.com/in/noahjaehnert

More Related Content

What's hot

Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Imperva
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security Dilip Sharma
 
Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending ApplicationsMichael Coates
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareMichael Coates
 
Top 10 Database Threats
Top 10 Database ThreatsTop 10 Database Threats
Top 10 Database ThreatsImperva
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsImperva
 
Mandatory access control for information security
Mandatory access control for information securityMandatory access control for information security
Mandatory access control for information securityAjit Dadresa
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project 99X Technology
 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Eoin Keary
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security MisconfigurationOWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security MisconfigurationOWASP Khartoum
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalOracleIDM
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account securityRaleigh ISSA
 
Ethical Hacking Services
Ethical Hacking ServicesEthical Hacking Services
Ethical Hacking ServicesVirtue Security
 
Hackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageHackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageImperva
 

What's hot (20)

Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security
 
Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending Applications
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of Software
 
Top 10 Database Threats
Top 10 Database ThreatsTop 10 Database Threats
Top 10 Database Threats
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approach
 
Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower Costs
 
Mandatory access control for information security
Mandatory access control for information securityMandatory access control for information security
Mandatory access control for information security
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project
 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security MisconfigurationOWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - final
 
Chapter 5 - Identity Management
Chapter 5 - Identity ManagementChapter 5 - Identity Management
Chapter 5 - Identity Management
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account security
 
Access Controls
Access ControlsAccess Controls
Access Controls
 
Unit4 next
Unit4 nextUnit4 next
Unit4 next
 
Ethical Hacking Services
Ethical Hacking ServicesEthical Hacking Services
Ethical Hacking Services
 
Hackers, Cyber Crime and Espionage
Hackers, Cyber Crime and EspionageHackers, Cyber Crime and Espionage
Hackers, Cyber Crime and Espionage
 

Similar to Web Security Overview

Cyber Security and Healthcare
Cyber Security and HealthcareCyber Security and Healthcare
Cyber Security and HealthcareJonathon Coulter
 
Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information SecurityAhmed Sayed-
 
Cyber security series administrative control breaches
Cyber security series   administrative control breaches Cyber security series   administrative control breaches
Cyber security series administrative control breaches Jim Kaplan CIA CFE
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to ComplianceSecurity Innovation
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart WaySecurity Innovation
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Meletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis Belsis MPhil/MRes/BSc
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Scott Carlson
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are ComingErnest Staats
 
Safe Internet Banking Cyber Security
Safe  Internet Banking Cyber SecuritySafe  Internet Banking Cyber Security
Safe Internet Banking Cyber SecurityKushantha Gunawardana
 

Similar to Web Security Overview (20)

Cyber Security and Healthcare
Cyber Security and HealthcareCyber Security and Healthcare
Cyber Security and Healthcare
 
Building an AppSec Culture
Building an AppSec Culture Building an AppSec Culture
Building an AppSec Culture
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information Security
 
Cyber security series administrative control breaches
Cyber security series   administrative control breaches Cyber security series   administrative control breaches
Cyber security series administrative control breaches
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to Compliance
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Meletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information security
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
It security cognic_systems
It security cognic_systemsIt security cognic_systems
It security cognic_systems
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are Coming
 
Safe Internet Banking Cyber Security
Safe  Internet Banking Cyber SecuritySafe  Internet Banking Cyber Security
Safe Internet Banking Cyber Security
 

Recently uploaded

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx

Web Security Overview

1. Web Security Overview
Noah G. Jaehnert, Director of Information Security, OurHealth, LLC

2. Agenda
• Who are you/Who am I?
• What is OurHealth?
• What is security/What is Information Security?
• Why is security difficult?
• What happens if we don't do security right?
• What can developers do to enhance security?
• Questions?
• If I only leave you with three things...

3. Who am I?
• Noah G. Jaehnert - Director of Information Security at OurHealth
• Email: njaehnert@ourhealth.org, Twitter: @njaehner
• LinkedIn: https://www.linkedin.com/in/noahjaehnert
• Previous experience:
• Security Architecture Program Manager/Enterprise Security Strategist –
• Senior Information Security Consultant –
• Enterprise Architect –
• Technical Engineer –

4. Who am I?
• Awards/Honors:
• 2015 and 2016 Cisco Champion for Security!
• 2015 America's Information Security Leadership Award (AISLA) winner - Up and Coming Information Security Professional
• Certifications Include:
• Other Interests:
• Photography
• Skiing
• Volunteer as a Firefighter/EMT (a different side of Risk Management)
*In Progress

5. What is OurHealth?
Custom, Near-site and On-site Healthcare Clinics
Services We Provide:
• Adult Primary & Urgent Care
• Pediatric Urgent Care
• Wellness Services
• On-site Labs & Medications
• Referral Services
• Online Tools

6. What is OurHealth's Mission?
People, Passion, Excellence

7. What is security?
• Security is the degree of resistance to, or protection from, harm.
• It applies to any vulnerable and valuable asset, such as a person, dwelling, community, item, nation, or organization.
• As noted by the Institute for Security and Open Methodologies (ISECOM) in their Open Source Security Testing Methodology Manual (OSSTMM), security provides:
• A form of protection where a separation is created between the assets and the threat
• These separations are generically called "controls," and sometimes include changes to the asset or the threat

8. Components of Security
• The Certified Information Systems Security Professional (CISSP) certification requires knowledge of the following domains/areas:
• Access Control
• Application Development Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal regulations, investigations, and compliance
• Operations Security
• Physical and Environmental Security
• Security Architecture and Design
• Telecommunications and Network Security

9. What Is Information Security?
• The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
• Tools, such as policy, awareness, training, education, and technology, are necessary to support the overall protection of information and systems
• The C.I.A. triangle was created as a standard to provide guidance on protecting information and systems
10. Basics of Information Security: CIA

11. Basics of Information Security: CIA

12. Basics of Information Security: CIA
• Confidentiality – Information, systems, and/or data are not made available or disclosed to unauthorized individuals, entities, or processes
• Integrity – Information, systems, and/or data are accurate and complete over their entire lifecycle. This means they cannot be modified in an unauthorized or undetected manner.
• Availability – Information, systems, and/or data must be available when needed. This means that the systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly

13. Why is Security Difficult? • OurHealth

14. Why is Security Difficult? • OurHealth

15. Why is Security Difficult? • OurHealth
16. What happens if we don't do security right?
Source: 2016 Verizon Data Breach Investigation Report
• Gray bars indicate the corresponding figure from the DBIR report for 2015.
• Web application attacks accounted for the greatest percentage of attacks that resulted in breaches
• Increased almost fivefold from 2015!

17. What can developers do to enhance security?
• Build it into what you do!
• A plethora of resources for developers on building secure applications are available from the Open Web Application Security Project (OWASP). OWASP is:
• The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software.
• OWASP's mission is to make software security visible, so that individuals and organizations are able to make informed decisions.
• OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.

18. What can developers do to enhance security?
• There is an Indianapolis OWASP Chapter that meets quarterly.
• I HIGHLY encourage you to attend, because:
• There are great presentations on relevant security topics
• It is an awesome networking opportunity
• Dinner (and sometimes drinks) provided free by a sponsor
• Next meeting: TBD Q4 2016.
• Visit the Indy OWASP Meetup page for details: http://www.meetup.com/indyowasp/

19. About the OWASP Top 10
• Not a standard… the OWASP Top 10 is an Awareness Document
• Was probably the 3rd or 4th OWASP project, after the Developers Guide, WebGoat, and maybe WebScarab
• First developed in 2003
• Released in 2003, 2004, 2007, 2010, 2013

20. OWASP Top Ten (2013 Edition)

21. What Didn't Change
• Title is: "The Top 10 Most Critical Web Application Security Risks"
• It's about Risks, not just Vulnerabilities
• Based on the OWASP Risk Rating Methodology, used to prioritize the Top 10
OWASP Top 10 Risk Rating Methodology
22. 2013-A1 – Injection
Injection means…
• Tricking an application into including unintended commands in the data sent to an interpreter
Interpreters…
• Take strings and interpret them as commands
• SQL, OS Shell, LDAP, XPath, Hibernate, etc…
SQL injection is still quite common
• Many applications still susceptible (really don't know why)
• Even though it's usually very simple to avoid
Typical Impact
• Usually severe. Entire database can usually be read or modified
• May also allow full database schema, or account access, or even OS level access

23. SQL Injection – Illustrated
Diagram: the HTTP request crosses the firewall, hardened OS, web server and app server to the custom code, which sends a SQL query to the databases (beside the legacy systems, web services, directories, human resources and billing back ends); the DB table's rows travel back in the HTTP response.
The query the application ends up running: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Result: an Account Summary listing every account (Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293)

24. A1 – Avoiding Injection Flaws
Recommendations
• Avoid the interpreter entirely, or
• Use an interface that supports bind variables (e.g., prepared statements, or stored procedures); bind variables allow the interpreter to distinguish between code and data
• Encode all user input before passing it to the interpreter
• Always perform 'white list' input validation on all user supplied input
• Always minimize database privileges to reduce the impact of a flaw
References
• For more details, read the https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
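The concatenated query from slide 23 beside the bind-variable and white-list versions this slide recommends, as an added example that is not part of the deck or of OWASP's material (Python with an in-memory SQLite table; the table, account numbers and function names are constructed for illustration):

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed sample data (not the deck's): a three-row "accounts" table.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [
        ("5424-6066-2134-4334", "alice"),
        ("4128-7574-3921-0192", "bob"),
        ("5424-9383-2039-4029", "carol"),
    ])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, acct: str) -> List[Tuple[str, str]]:
    # The flaw illustrated on slide 23: the request parameter is spliced into the
    # SQL text, so the interpreter cannot tell where data ends and code begins.
    sql = f"SELECT acct, owner FROM accounts WHERE acct='{acct}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, acct: str) -> List[Tuple[str, str]]:
    # Bind variable: the value travels separately from the statement, so quotes
    # and '--' inside it are just characters to compare against, never SQL.
    return conn.execute("SELECT acct, owner FROM accounts WHERE acct=?", (acct,)).fetchall()

ACCT_RE = re.compile(r"\d{4}-\d{4}-\d{4}-\d{4}")  # assumed account-number shape

def lookup_hardened(conn: sqlite3.Connection, acct: str) -> List[Tuple[str, str]]:
    # Defence in depth: 'white list' validation rejects anything not shaped like an
    # account number before it reaches the (already parameterized) query. The
    # slide's last point, a least-privilege DB account, is configured in the
    # database itself rather than in this code.
    if ACCT_RE.fullmatch(acct) is None:
        raise ValueError("account number has an unexpected format")
    return lookup_parameterized(conn, acct)

if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1=1--"  # the form input from slide 23
    print("vulnerable   :", lookup_vulnerable(db, payload))     # every account
    print("parameterized:", lookup_parameterized(db, payload))  # []
```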
25. 2013-A2 – Broken Authentication and Session Management
HTTP is a "stateless" protocol
• Means credentials have to go with every request
• Should use SSL for everything requiring authentication
Session management flaws
• SESSION ID used to track state since HTTP doesn't, and it is just as good as credentials to an attacker
• SESSION ID is typically exposed on the network, in browser, in logs, …
Beware the side-doors
• Change my password, remember my password, forgot my password, secret question, logout, email address, etc…
Typical Impact
• User accounts compromised or user sessions hijacked

26. Broken Authentication Illustrated
Diagram: custom code in front of the Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt and E-Commerce business functions.
1. User sends credentials
2. Site uses URL rewriting (i.e., puts the session in the URL): www.boi.com?JSESSIONID=9FA1DB9EA...
3. User clicks on a link to http://www.hacker.com in a forum
4. Hacker checks referrer logs on www.hacker.com and finds user's JSESSIONID
5. Hacker uses JSESSIONID and takes over victim's account

27. A2 – Avoiding Broken Authentication and Session Management
Verify your architecture
• Authentication should be simple, centralized, and standardized
• Use the standard session id provided by your container
• Be sure SSL protects both credentials and session id at all times
Verify the implementation
• Forget automated analysis approaches
• Check your SSL certificate
• Examine all the authentication-related functions
• Verify that logoff actually destroys the session
• Use OWASP's WebScarab to test the implementation
Follow the guidance from
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
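A minimal server-side session store applying this slide's points (unguessable id as a container would issue, SSL-only cookie, logoff that really destroys the session) together with a check for the URL-rewriting leak from slide 26; an added example, not part of the deck or of OWASP's material, with constructed names and a policy I chose (cookie name SESSIONID, SameSite=Lax, 15-minute idle timeout):

```python
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SESSION_TTL = 15 * 60  # idle seconds before a session is discarded (assumed policy)

def set_cookie_header(sid: str) -> str:
    # Secure: sent only over TLS (slide 27: SSL protects the session id at all times);
    # HttpOnly: invisible to page script; SameSite=Lax: not attached to cross-site
    # navigations such as the forum link to hacker.com on slide 26.
    return f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def leaks_session_in_url(url: str) -> bool:
    # Flags the URL-rewriting pattern (...?JSESSIONID=... or /path;jsessionid=...)
    # that ends up in Referer headers and in other sites' logs.
    parts = urlsplit(url)
    keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return bool(keys & {"jsessionid", "sessionid", "phpsessid"}) \
        or ";jsessionid=" in parts.path.lower()

class SessionStore:
    """Server-side session table; the browser only ever holds an opaque id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def login(self, user: str, old_id: Optional[str] = None) -> Tuple[str, str]:
        # Any id issued before authentication is dropped and a fresh, unguessable
        # one is minted, so an id the client already knew never becomes the
        # authenticated session.
        if old_id is not None:
            self._sessions.pop(old_id, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": time.time()}
        return sid, set_cookie_header(sid)

    def user_for(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        # Resolves a presented id; unknown or idle-expired ids mean "not logged in".
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > SESSION_TTL:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid: str) -> None:
        # Logoff must destroy the session server-side, not merely clear the cookie.
        self._sessions.pop(sid, None)
```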
28. Summary: How do you address these problems?
• Develop Secure Code
– Follow the best practices in OWASP's Guide to Building Secure Web Applications
• https://www.owasp.org/index.php/Guide
• And the cheat sheets: https://www.owasp.org/index.php/Cheat_Sheets
– Use OWASP's Application Security Verification Standard (ASVS) as a guide to what an application needs to be secure: https://www.owasp.org/index.php/ASVS
– Use standard security components that are a fit for your organization
• Use OWASP's ESAPI as a basis for your standard components: https://www.owasp.org/index.php/ESAPI
• Review Your Applications
– Have an expert team review your applications
– Review your applications yourselves following OWASP Guidelines
• OWASP Code Review Guide: https://www.owasp.org/index.php/Code_Review_Guide
• OWASP Testing Guide: https://www.owasp.org/index.php/Testing_Guide

29. A few stories from my past…

30. A few stories from my past…

32. If I only leave you with three things:
1. WE CAN FIX THIS!
2. Learn all you can about security. Build it into what you do, and do it early and often throughout your projects. Don't wait until the end: doing so makes it infinitely harder to fix (and it probably won't ever be fixed).
3. Use the resources available to you, such as OWASP. Never be afraid to ask (or Google, or Google then ask)!

33. Sources/Resources
• 2016 Verizon Data Breach Investigation Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
• Open Web Application Security Project (OWASP): https://www.owasp.org
• OWASP Cheat Sheets: https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
• OWASP Top Ten Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• OWASP Top Ten 2013 (latest edition): https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf
• OWASP Top Ten Slides (used in this presentation): https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Presentation.pptx

34. My contact information:
• If I can ever be a resource to you, please do not hesitate to reach out!
• Email: njaehnert@ourhealth.org
• Twitter: @njaehner
• LinkedIn: https://www.linkedin.com/in/noahjaehnert