Snakes and Ladders
OWASP Newcastle
24th November 2015
Web Risks
2013
17th September 2014
https://www.owasp.org/index.php/OWASP_Top_Ten_Project
Well-Known List
Top Ten Risks to Web Applications (2013)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Proactive Controls
Version 1, 10th March 2014
https://www.owasp.org/index.php/OWASP_Proactive_Controls
(version 2 in progress, due end 2015)
A Better List
Top Ten Proactive Controls for Web Applications
C1 Parameterize Queries
C2 Encode Data
C3 Validate All Inputs
C4 Implement Appropriate Access Controls
C5 Establish Identity and Authentication Controls
C6 Protect Data and Privacy
C7 Implement Logging, Error Handling and Intrusion Detection
C8 Leverage Security Features of Frameworks and Libraries
C9 Include Security-Specific Requirements
C10 Design and Architect Security In
Too Much Text!
• Educate
• Move from risks to controls
• Make a game
• Learn Adobe Illustrator
• Christmas “cards”
Designs, Trademarks, Etc
Concept
• 10 snakes
• 10 ladders
• 100 squares
Flat Design
Web Applications: ES
Web Applications: ZH
Web Applications: DE
Mobile Apps: JA
Mobile Apps: EN
Relationships 1/3
• Is the placement of snakes and ladders meaningful? No
• Do nearby ladders fix adjacent snakes? No
Relationships 2/3
Top Ten Risks
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Top Ten Proactive Controls
C1 Parameterize Queries
C2 Encode Data
C3 Validate All Inputs
C4 Implement Appropriate Access Controls
C5 Establish Identity and Authentication Controls
C6 Protect Data and Privacy
C7 Implement Logging, Error Handling and Intrusion Detection
C8 Leverage Security Features of Frameworks and Security Libraries
C9 Include Security-Specific Requirements
C10 Design and Architect Security In
Relationships 3/3
https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Top_Ten_Mapping
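To make the risk-to-control mapping concrete, here is an added example (not from the slides or from the OWASP Snakes and Ladders project) showing two of the snakes beside the ladders that counter them: A1 Injection next to C1 Parameterize Queries, and A3 Cross-Site Scripting next to C2 Encode Data. It uses only the Python standard library (sqlite3 and html), the users table is constructed test data, and the attacker inputs are constructed for the demonstration.

```python
"""Added example: OWASP Top Ten 2013 risks A1 and A3 beside the Proactive
Controls C1 and C2 that address them. The table, rows and attacker inputs
below are constructed for the demonstration; nothing here is from the
Snakes and Ladders project."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table; alice is the only admin."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


# --- A1 Injection (the snake) ---------------------------------------------
def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    # Attacker-controlled text is spliced into the statement, so the
    # database parses it as SQL rather than treating it as a value.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


# --- C1 Parameterize Queries (the ladder) ---------------------------------
def lookup_parameterized(con: sqlite3.Connection, name: str) -> list:
    # The value is bound separately from the statement text; user input is
    # never re-parsed as SQL, whatever quotes or keywords it contains.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


# --- A3 Cross-Site Scripting (the snake) ----------------------------------
def greeting_vulnerable(name: str) -> str:
    # Untrusted text dropped into an HTML body unencoded: any markup in it
    # becomes part of the page the browser renders.
    return "<p>Hello, " + name + "</p>"


# --- C2 Encode Data (the ladder) ------------------------------------------
def greeting_encoded(name: str) -> str:
    # html.escape turns < > & " ' into entities, so the text is displayed
    # instead of interpreted. This is the encoder for the HTML body context;
    # attribute, JavaScript and URL contexts each need their own.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    con = make_db()
    injection = "x' OR '1'='1"                # constructed attacker input
    print(lookup_vulnerable(con, injection))     # every row comes back
    print(lookup_parameterized(con, injection))  # no such user: []
    payload = "<script>alert(1)</script>"      # constructed attacker input
    print(greeting_vulnerable(payload))          # script tag survives
    print(greeting_encoded(payload))             # rendered as text
```

Run it directly to see the vulnerable and hardened forms side by side: the concatenated query returns both users for the `x' OR '1'='1` input while the parameterised query returns nothing, and the encoded greeting turns the `<script>` tag into `&lt;script&gt;`.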
Print Your Own
• Adobe PDF (A2 print quality)
• Adobe Illustrator source
• Web Applications: BR, DE, EN, ES, FR, JA, ZH
• Mobile Apps: EN, JA
From Lists to Threat Modelling
• Not just 10 issues
• Build security in from the start, and throughout processes
• In-depth application security requirements
Staying in Touch
Project page: https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders
Twitter: @OWASPSnakesWeb (Web), @OWASPSnakesMob (Mobile)
Full world tour 2014-15: Singapore, Cambridge, London Docklands, London Shoreditch, Bristol, Amsterdam, San Francisco, Newcastle upon Tyne
Q&A