OWASP Top 5 - Jagjit
1
OWASP - The Open Web Application Security Project
OWASP Top 5 by Jagjit Singh Brar. LinkedIn: https://au.linkedin.com/in/jagjit-singh-brar-3634ba5
Agenda
What is OWASP?
What does OWASP do?
Why Web Application Security?
Discussion about the OWASP Top 5
2
What is OWASP?
Founded in 2001 by Mark Curphey
Not-for-profit organization focused on improving the security of web applications and web services
Issues software tools and knowledge-based documentation on application security
http://www.owasp.org
Hundreds of volunteer experts from around the world
Cutting-edge application security research
3
How does OWASP help? Publications and Resources
OWASP Top Ten: List for awareness about application security by identifying some of the most critical risks
OWASP Software Assurance Maturity Model: Framework to help organizations formulate and implement a strategy for application security
OWASP Development Guide: Provides sample code; the development guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgery, compliance, and privacy issues
OWASP Testing Guide: "best practice" penetration testing framework and a "low level" penetration testing guide
OWASP ZAP Project: Zed Attack Proxy is an easy-to-use integrated penetration testing tool for finding vulnerabilities
OWASP Code Review Guide:
OWASP Application Security Verification Standard (ASVS):
4
Why Web Application Security? The application is the core
Network security mostly ignores the contents of HTTP traffic
Securing the "custom code" that drives a web application
Securing libraries
Securing backend systems
Securing web and application servers, operating system hardening, database hardening
Web Application Architecture
5
Web application vulnerabilities cause:
Data loss or corruption
Data could be stolen
Unauthorized access
Denial of access
Legal action if the system is used for other attacks
6
OWASP Top Ten (last update in 2013)
A variety of security experts from around the world shared their expertise to produce this list. The list is ordered from higher to lower risk:
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
7
A1: Injection: e.g. (?id=' or '1'=1)
Hackers "inject" their code to run on the server side to read/modify/delete data
SQL injection: Permits query manipulation. Data entered by users is sent to the SQL interpreter as part of an SQL query. A SQL injection attack exploits security vulnerabilities at the database layer by exploiting the SQL injection flaw. Attackers can create, read, modify or delete sensitive data
Command injection: Permits arbitrary shell commands
File injection: Upload executable files
XML injection
SSL injection
Buffer overflow
8
A1: Injection: Protection
Hackers "inject" their code to run on the server side
Must use a trusted framework
Use a safe API instead of the interpreter
Escape special characters and validate input
Use prepared statements
Use a "Web Application Firewall", especially against header manipulation
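As an added example (not from the slides), the following Python/sqlite3 snippet contrasts a query built by string concatenation with a prepared statement; the table and rows are constructed here, and the payload is the slide's ' or '1'=1 pattern.

```python
import sqlite3

# Constructed sample table for the demonstration (not from the original slides).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [(1, "widget"), (2, "gadget"), (3, "secret-item")])
    return con

def lookup_vulnerable(con, product_id):
    # Untrusted input is pasted straight into the SQL text, so the SQL
    # interpreter sees attacker-controlled query structure, not just a value.
    sql = "SELECT name FROM products WHERE id = '" + product_id + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, product_id):
    # Prepared statement: the value is bound as data and never parsed as SQL,
    # so the same payload cannot change the WHERE clause.
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in con.execute(sql, (product_id,))]

PAYLOAD = "' or '1'='1"   # the slide's ?id=' or '1'=1 pattern

if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "2"))       # ['gadget']
    print(lookup_vulnerable(con, PAYLOAD))   # every row leaks
    print(lookup_safe(con, PAYLOAD))         # []
```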
9
A2: Broken Authentication and Session Management
A vulnerability that allows the capture or bypass of authentication, or the capture of a session
Weak authentication:
Single-factor authentication
Easily guessable usernames (admin, administrator etc.)
Reset password options
Unencrypted secrets
Backend password store:
Not being stored hashed
Trust relationship between hosts
Weak session:
Session ID in URL
Session timeout
Session ID sent over an insecure connection (HTTP)
10
A2: Broken Authentication and Session Management: Protection
Password strength
Password expiry
Password change control
Encryption in transit
Session ID not in URL
Session timeout
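The following is an added Python example, not from the original slides, showing two of these controls: a salted, iterated password hash for the backend store and a server-side session store with random IDs and an idle timeout. The iteration count and timeout value are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000        # PBKDF2 work factor (assumed value for this example)
SESSION_TIMEOUT = 15 * 60   # idle timeout in seconds (assumed value)

def hash_password(password: str) -> str:
    # Store a random salt plus the iterated hash, never the plaintext.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)

class SessionStore:
    """Server-side sessions: random IDs meant for a cookie (not the URL), with an idle timeout."""
    def __init__(self, clock=time.time):
        self.sessions = {}
        self.clock = clock          # injectable clock so the timeout can be tested

    def create(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)     # unguessable, not derived from user data
        self.sessions[sid] = {"user": username, "last_seen": self.clock()}
        return sid

    def user_for(self, sid: str):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > SESSION_TIMEOUT:
            del self.sessions[sid]          # expired: force re-authentication
            return None
        entry["last_seen"] = self.clock()   # sliding idle timeout
        return entry["user"]
```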
11
A3: Cross-Site Scripting (XSS)
Attacker uses a trusted application/company to inject malicious code through the URL
Social engineering: Email an innocent-looking URL or image
Cookie stealing: Exploiting cookies
Database infecting: Self-replicating worms
Protection:
Keep untrusted data separate from active browser content
Whitelist output validation
User/customer education
Example:
1. Attacker injects malicious code into a vulnerable web server
2. Victim visits the vulnerable web server
3. Malicious code is served to the victim by the web server
4. Malicious code executes in the victim's browser with the web server's privileges
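Added example (not part of the original slides): a constructed page template rendered with and without output escaping, plus a check using Python's HTML parser that reports which elements and attributes a browser would actually build from the response.

```python
import html
from html.parser import HTMLParser

# Constructed template: both placeholders carry request-supplied values.
PAGE = '<p>Welcome, {name}!</p><input name="q" value="{query}">'

def render_unsafe(name: str, query: str) -> str:
    # Reflects the parameters verbatim, so markup in them reaches the browser as markup.
    return PAGE.format(name=name, query=query)

def render_safe(name: str, query: str) -> str:
    # Escape on output; quote=True also neutralises " and ' inside the value="" attribute.
    return PAGE.format(name=html.escape(name, quote=True),
                       query=html.escape(query, quote=True))

class ElementCollector(HTMLParser):
    """Records (tag, attribute names) for every start tag, i.e. what the browser would build."""
    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, [name for name, _ in attrs]))

def element_summary(page: str):
    parser = ElementCollector()
    parser.feed(page)
    parser.close()
    return parser.elements

# Only these two elements, with only these attributes, should ever exist in the page.
EXPECTED_ELEMENTS = [("p", []), ("input", ["name", "value"])]

def output_is_inert(page: str) -> bool:
    # True when untrusted data stayed data: no extra element, no extra attribute.
    return element_summary(page) == EXPECTED_ELEMENTS
```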
12
A4: Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object (a file, directory or database key) without any validation mechanism
Protection:
Send an indirect random access reference map value
Add access control against unauthorized access
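Added example, not from the slides: a per-session indirect reference map in Python that hands the client random tokens instead of database keys, with a second access-control check on the resolved object. The invoice data is constructed for the demonstration.

```python
import secrets

# Constructed data: internal database keys and their owners (not from the slides).
INVOICES = {101: {"owner": "alice", "total": 40},
            102: {"owner": "bob", "total": 99}}

class ReferenceMap:
    """Per-session map from random opaque tokens to internal keys.
    The client only ever sees tokens, so it cannot enumerate or guess keys."""
    def __init__(self):
        self.token_to_key = {}
        self.key_to_token = {}

    def token_for(self, key: int) -> str:
        if key not in self.key_to_token:
            tok = secrets.token_urlsafe(16)   # random, unrelated to the real key
            self.key_to_token[key] = tok
            self.token_to_key[tok] = key
        return self.key_to_token[key]

    def resolve(self, token: str):
        return self.token_to_key.get(token)   # None for anything this session never issued

def list_invoices(user: str, refmap: ReferenceMap):
    # Returns only the caller's invoices, identified by indirect tokens.
    return {refmap.token_for(k): v["total"]
            for k, v in INVOICES.items() if v["owner"] == user}

def get_invoice(user: str, token: str, refmap: ReferenceMap):
    key = refmap.resolve(token)
    if key is None:
        return None                       # unknown token: nothing to reveal
    invoice = INVOICES.get(key)
    # Second layer: access control on the real object even after a valid token.
    if invoice is None or invoice["owner"] != user:
        return None
    return invoice
```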
13
A5: Security Misconfiguration
Improper server or web application configuration leading to various flaws
Debugging enabled
Incorrect folder permissions
Using default accounts or passwords
Setup/configuration pages enabled
Protection:
Regular hardening of the framework
Disabling unnecessary services/features
Periodic scans
Applying security patches
14
Conclusion:
Multilayered security
Best practice during web application design
Regular review of security policy and procedures
Thanks for your valuable time.
Regards,
Jagjit Singh Brar