![Page 1: OWASP TOP TEN - C-MRiC · OWASP TOP TEN What is the state of practice among start-ups? Cyber Security 2018 Halldis Søhoel, ... A10: Unvalidated Redirects and Forwards . LESSONS Consider](https://reader034.vdocuments.net/reader034/viewer/2022050606/5fadaddbd6d5715b2621bfb1/html5/thumbnails/1.jpg)
OWASP TOP TEN
What is the state of practice among start-ups?
Cyber Security 2018Halldis Søhoel, Martin Gilje Jaatun, Colin Boyd
12th of June 2018
![Page 2: OWASP TOP TEN - C-MRiC · OWASP TOP TEN What is the state of practice among start-ups? Cyber Security 2018 Halldis Søhoel, ... A10: Unvalidated Redirects and Forwards . LESSONS Consider](https://reader034.vdocuments.net/reader034/viewer/2022050606/5fadaddbd6d5715b2621bfb1/html5/thumbnails/2.jpg)
WHAT: Project and time management solution
Store sensitive information about employees, customers and financial info
Background: Business and management. Outsourced development
Biggest fear: Authentication and Access Control. Sensitive information leakage.
COMPANY A – FUNCTIONALITY FIRST
![Page 3: OWASP TOP TEN - C-MRiC · OWASP TOP TEN What is the state of practice among start-ups? Cyber Security 2018 Halldis Søhoel, ... A10: Unvalidated Redirects and Forwards . LESSONS Consider](https://reader034.vdocuments.net/reader034/viewer/2022050606/5fadaddbd6d5715b2621bfb1/html5/thumbnails/3.jpg)
WHAT: Crowdsourcing educational material
Each user is assigned privileges based on trust by contributing to the site.
Background: Students at computer science programs
Biggest fear: Destruction and privilege escalation.
COMPANY B – LEARN BY DOING
![Page 4: OWASP TOP TEN - C-MRiC · OWASP TOP TEN What is the state of practice among start-ups? Cyber Security 2018 Halldis Søhoel, ... A10: Unvalidated Redirects and Forwards . LESSONS Consider](https://reader034.vdocuments.net/reader034/viewer/2022050606/5fadaddbd6d5715b2621bfb1/html5/thumbnails/4.jpg)
WHAT: Laundry booking site
Does not store user information, except e-mail addresses as usernames
Background: Experienced developers. Hobby project beside full time jobs
Biggest fear: stolen email-addresses, spamming, destruction
COMPANY C - HOBBY PROJECT
![Page 5: OWASP TOP TEN - C-MRiC · OWASP TOP TEN What is the state of practice among start-ups? Cyber Security 2018 Halldis Søhoel, ... A10: Unvalidated Redirects and Forwards . LESSONS Consider](https://reader034.vdocuments.net/reader034/viewer/2022050606/5fadaddbd6d5715b2621bfb1/html5/thumbnails/5.jpg)
WHAT: Communication platform for medical personnel and patients.
Store personal and sensitive information about patients
Background: Computer science fields among others
Biggest fear: Information leakage
COMPANY D - HEALTH APP
![Page 6: OWASP TOP TEN - C-MRiC · OWASP TOP TEN What is the state of practice among start-ups? Cyber Security 2018 Halldis Søhoel, ... A10: Unvalidated Redirects and Forwards . LESSONS Consider](https://reader034.vdocuments.net/reader034/viewer/2022050606/5fadaddbd6d5715b2621bfb1/html5/thumbnails/6.jpg)
WHAT: Tutoring service
Store information about grades and diplomas.
Background: Computer science fields and related studies
Biggest fear: Ransomware. Being blackmailed in bitcoins
COMPANY E - TUTORING SERVICE
![Page 7: OWASP TOP TEN - C-MRiC · OWASP TOP TEN What is the state of practice among start-ups? Cyber Security 2018 Halldis Søhoel, ... A10: Unvalidated Redirects and Forwards . LESSONS Consider](https://reader034.vdocuments.net/reader034/viewer/2022050606/5fadaddbd6d5715b2621bfb1/html5/thumbnails/7.jpg)
SQL INJECTION
![Page 8: OWASP TOP TEN - C-MRiC · OWASP TOP TEN What is the state of practice among start-ups? Cyber Security 2018 Halldis Søhoel, ... A10: Unvalidated Redirects and Forwards . LESSONS Consider](https://reader034.vdocuments.net/reader034/viewer/2022050606/5fadaddbd6d5715b2621bfb1/html5/thumbnails/8.jpg)
MISSING FUNCTION LEVEL ACCESS CONTROL
![Page 9: OWASP TOP TEN - C-MRiC · OWASP TOP TEN What is the state of practice among start-ups? Cyber Security 2018 Halldis Søhoel, ... A10: Unvalidated Redirects and Forwards . LESSONS Consider](https://reader034.vdocuments.net/reader034/viewer/2022050606/5fadaddbd6d5715b2621bfb1/html5/thumbnails/9.jpg)
MISSING FUNCTION LEVEL ACCESS CONTROL
![Page 10: OWASP TOP TEN - C-MRiC · OWASP TOP TEN What is the state of practice among start-ups? Cyber Security 2018 Halldis Søhoel, ... A10: Unvalidated Redirects and Forwards . LESSONS Consider](https://reader034.vdocuments.net/reader034/viewer/2022050606/5fadaddbd6d5715b2621bfb1/html5/thumbnails/10.jpg)
UNVALIDATED REDIRECT
![Page 11: OWASP TOP TEN - C-MRiC · OWASP TOP TEN What is the state of practice among start-ups? Cyber Security 2018 Halldis Søhoel, ... A10: Unvalidated Redirects and Forwards . LESSONS Consider](https://reader034.vdocuments.net/reader034/viewer/2022050606/5fadaddbd6d5715b2621bfb1/html5/thumbnails/11.jpg)
A1: Injection
A2: Broken Authentication
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
![Page 12: OWASP TOP TEN - C-MRiC · OWASP TOP TEN What is the state of practice among start-ups? Cyber Security 2018 Halldis Søhoel, ... A10: Unvalidated Redirects and Forwards . LESSONS Consider](https://reader034.vdocuments.net/reader034/viewer/2022050606/5fadaddbd6d5715b2621bfb1/html5/thumbnails/12.jpg)
LESSONS
● Consider security from the start
● Start-ups make more secure applications because they are motivated
● Secure third-party code and samples