owasp top ten - c-mric · owasp top ten what is the state of practice among start-ups? cyber...

Report

Post on 12-Aug-2020

10 Views

Category:

Documents

0 Downloads

Preview:

Click to see full reader

TRANSCRIPT

OWASP TOP TEN

What is the state of practice among start-ups?

Cyber Security 2018Halldis Søhoel, Martin Gilje Jaatun, Colin Boyd

12th of June 2018

WHAT: Project and time management solution

Store sensitive information about employees, customers and financial info

Background: Business and management. Outsourced development

Biggest fear: Authentication and Access Control. Sensitive information leakage.

COMPANY A – FUNCTIONALITY FIRST

WHAT: Crowdsourcing educational material

Each user is assigned privileges based on trust by contributing to the site.

Background: Students at computer science programs

Biggest fear: Destruction and privilege escalation.

COMPANY B – LEARN BY DOING

WHAT: Laundry booking site

Does not store user information, except e-mail addresses as usernames

Background: Experienced developers. Hobby project beside full time jobs

Biggest fear: stolen email-addresses, spamming, destruction

COMPANY C - HOBBY PROJECT

WHAT: Communication platform for medical personnel and patients.

Store personal and sensitive information about patients

Background: Computer science fields among others

Biggest fear: Information leakage

COMPANY D - HEALTH APP

WHAT: Tutoring service

Store information about grades and diplomas.

Background: Computer science fields and related studies

Biggest fear: Ransomware. Being blackmailed in bitcoins

COMPANY E - TUTORING SERVICE

SQL INJECTION

MISSING FUNCTION LEVEL ACCESS CONTROL

MISSING FUNCTION LEVEL ACCESS CONTROL

UNVALIDATED REDIRECT

A1: Injection

A2: Broken Authentication

A3: Cross-Site Scripting (XSS)

A4: Insecure Direct Object References

A5: Security Misconfiguration

A6: Sensitive Data Exposure

A7: Missing Function Level Access Control

A8: Cross-Site Request Forgery (CSRF)

A9: Using Components with Known Vulnerabilities

A10: Unvalidated Redirects and Forwards

LESSONS

● Consider security from the start

● Start-ups make more secure applications because they are motivated

● Secure third-party code and samples

top related

mric in action | march 2014
Documents
sec835 owasp top ten project. top ten web app...
Documents
54. owasp mobile top ten
Technology
owasp day iv•180 blog monitorati owasp-italy day iv –...
Documents
owasp top-ten-mapping-2015-05-lwc
Software
owasp top 10 the ten most critical web application security
Documents
securing jsf applications against owasp top ten color
Documents
owasp web application security top ten list
Documents
securing jsf applications against owasp top ten
Documents
2015 mric talent report
Documents
desarrollo seguro ante ciberataques para java, …...2.3.-...
Documents
im services - wol mric
Documents
owasp top ten 2013 - ossir.org · ossir - owasp top ten...
Documents
don’t get stung (an introduction to the owasp top ten...
Documents
xebia knowledge exchange - owasp top ten
Technology
vulnerabilities by owasp top ten 2013 - mme …...
Documents
internet of things top ten - owasp
Documents
securing myfaces applications against the owasp top ten
Documents
ten commandments of secure coding - owasp top ten proactive...
Software
the owasp way understanding the owasp vision and the top ten
Documents