owasp - security awareness presentation for bitcoin wednesday amsterdam
DESCRIPTION
Security Awareness Presentation by Dutch Chapter of OWASP on Bitcoin Wednesday's First Year Anniversary Meeting in AmsterdamTRANSCRIPT
Martin Knobloch
– 10 years developer experience
– 10 years information security experience
– +3 years independent Security Consultant
– Dutch OWASP Chapter Leader
– OWASP AppSec-Eu/Research 2015 Chair
– www.owasp.org
www.owasp.org |3
3
Enter the rest of OWASP
• Free Chapter Meetings
• Free Local Events
• Conferences
• ...
People • Webgoat
• Zed Attack Proxy (ZAP)
• ESAPI
• ...
Tools
• Requirements list
• CLASP
• SAMM
• ...
Guides 6
Your security “perimeter” has huge holes at the application layer
|7 Firew
all
Hardened OS
Web Server
App Server
Firewall
Dat
abas
es
Lega
cy S
yste
ms
We
b S
erv
ice
s
Dir
ect
ori
es
Hu
man
Re
srcs
Bill
ing Custom Developed
Application Code APPLICATION
ATTACK
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
Ne
two
rk
La
ye
r A
pp
lic
ati
on
L
aye
r
8
An Attacker has 24x7x365 to Attack
Scheduled Pen-Test
Scheduled Pen-Test
Attacker Schedule
The Defender has 20 man days per year to detect and defend
Tools – At Best 45%
• MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (695)
• They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
10
Content
Insecure? Insecure?
Functional
Specification
Technical
Implementation
An application is secure if it acts and reacts, as it expected, at any time!
Secure
Username
Password
password forgotten link
Threat Modeling – The Basics
Asset:
Valuable resource
Vulnerability:
Exploitable
weakness
Threat:
Causes harm
Risk:
Chance of harm occurring
?
Countermeasure:
Reduces risk
Why start again?
Asset
Threat
Risk is low
Countermeasure
Dependency
Dependency’s
Countermeasure
Dependency’s
Threat
22
That’s it…
..thank you!