The OWASP Foundation
http://www.owasp.org
[Slide: collage of 2001-2002 news headlines about compromised web servers (including Microsoft IIS), online banks, government payroll systems, universities, utilities and military sites, attributed to outlets such as CNN, ZDNet and ComputerWorld. The one fully legible headline: "Code Red: Alive again and Kicking" (ZDNet, Aug 1, 2001).]
Copyright © 2004 – Seagate Technology. OWASP San Jose Chapter Kick-off, slide 2.
Permission is granted to copy and distribute for Fair Use Only.
Application Security Is the Trend of the Future
“The biggest vulnerability to a corporation’s network is its widespread access to its applications. Security has focused on anti-virus and network security – but the most crucial part of business transaction is the application and its core data.”
-- Curtis Coleman, CISSP, Kick-off of new Application Assurance Department, 2001
[Pie chart of defect impact: Undetected 27%, Privacy Breach 11%, e-Shoplifting 2%, Delete Web Site (share not legible)]
• QA testing tools not designed to detect security defects in applications
• Manual patching - reactive, never ending, time consuming and expensive
Dangerous
Slow Business
• It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each
5 Year Pentagon Study
• Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours
Intel White paper, CERT, ICSA Labs
Loss of Business
• A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week
Gartner Group
KPIVs (key process input variables)
Published vulnerabilities
Parameter tampering
Stealth commanding
Cross-site scripting
Forceful browsing
Cookie poisoning
Buffer overflow

[Cause-and-effect diagram, KPIVs -> CAUSES -> EFFECTS; the text of each box is recovered below, the arrows linking individual causes to effects are not]

CAUSES
• Hidden form fields can be modified by client
• Application does not force browsing order
• URL parameters used to track session
• Cookies are changed on client
• Forms accept metatags
• Forms accept more data than the application expects
• Applications accept upload of malicious code
• Insecure default security settings in 3rd party applications
• "Bugs" (holes) in 3rd party code
• Developers insert backdoors and forget to remove them for production

EFFECTS
• Hacker can jump directly to pages not normally controlled by application authentication mechanisms
• Hidden fields can be seen by using View Source
• Return of unauthorized information
• Null value causes application to enter undefined state
• Metatag characters are not filtered by the application
• Incoming data size is not checked
• Site defacement or server execution of uploaded code
• Patches are delayed while hackers have published exploit code
• Unclear or lack of configuration procedures
• Debugging is turned on
• Previously saved cookies are modified and sent as current cookies to server
• Client data is not validated by server
• Field validation is not on server
• Parameters are not checked by application
• Misconfigurations are published on hacker sites
• Patches are not kept updated
• Backdoors do not require passwords
• Database statements (insert, delete) are not validated
• Cookies are not encrypted
• Error messages and comments in the code reveal vulnerabilities
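Several of the causes above (hidden form fields modified by the client, cookies changed on the client, parameters not checked by the application, incoming data size not checked, metatag characters not filtered) share one remedy: the server never trusts a value it handed to the client and re-validates everything on return. The following is an added example, not code from the slides or from Seagate's team. It binds each client-held value to a server-side HMAC so modification is detected, enforces a length and null-byte check, and escapes output. The key, field names, `MAX_FIELD_LEN` and the sample request are constructed for the demo.

```python
import hmac
import hashlib
import html

# Constructed demo key: a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
MAX_FIELD_LEN = 64  # hypothetical limit for free-text fields


def sign_value(name: str, value: str) -> str:
    """Issue a client-held value (hidden field or cookie) as 'value.mac'.

    The MAC covers the field name as well as the value, so a signed
    'role=user' cannot be replayed as the 'price' field.
    """
    mac = hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(name: str, signed: str):
    """Return the original value if its MAC verifies, else None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None  # malformed: no MAC present at all
    expected = hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    return value if hmac.compare_digest(mac, expected) else None


def validate_request(form: dict) -> tuple:
    """Re-check every client-supplied value on the server side.

    Returns (ok, findings, safe_comment): ok is False when any check fails,
    findings lists the failed checks, safe_comment is the comment escaped
    for HTML output.
    """
    findings = []

    # Hidden field manipulation / parameter tampering: the price the client
    # sends back must be exactly the one the server issued.
    if verify_value("price", form.get("price", "")) is None:
        findings.append("price: hidden field tampered or missing")

    # Cookie poisoning: a role stored client-side is trusted only with a valid MAC.
    if verify_value("role", form.get("cookie_role", "")) is None:
        findings.append("role: cookie tampered or missing")

    # Incoming data size is not checked -> enforce the limit on the server.
    comment = form.get("comment", "")
    if len(comment) > MAX_FIELD_LEN:
        findings.append("comment: exceeds maximum length")

    # Null characters push parsers into an undefined state -> reject them.
    if "\x00" in comment:
        findings.append("comment: contains null character")

    # Metatag characters: escape on output instead of trusting the client.
    safe_comment = html.escape(comment)

    return (not findings, findings, safe_comment)


def demo() -> list:
    """Constructed request in which the client lowered the hidden price field."""
    issued_price = sign_value("price", "19.99")
    tampered_price = issued_price.replace("19.99", "1.00", 1)
    form = {
        "price": tampered_price,
        "cookie_role": sign_value("role", "user"),
        "comment": "<b>hello</b>",
    }
    _ok, findings, _safe = validate_request(form)
    return findings


if __name__ == "__main__":
    print(demo())  # the tampered price is reported, the valid cookie is not
```

Signing is cheaper than keeping every value server-side, but it only detects modification; values that must stay secret (not merely unmodified) still belong in a server-side session rather than in a cookie or hidden field.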
[Pareto chart of defects by category with High/Medium/Low severity sub-bars; left axis Count (0-9000), right axis Percent (0-100). The category labels are only partly legible (parameter tampering, cross-site scripting, forceful browsing, cookie poisoning, other) and cannot be matched to bars with certainty. Bar values, left to right:]
Count     3901  2180  2064   184   181   123   383
Percent   43.3  24.2  22.9   2.0   2.0   1.4   4.2
Cum %     43.3  67.4  90.3  92.4  94.4  95.8  100.0
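The Pareto table above is the standard way to decide which defect categories to attack first: the first three bars account for 90.3% of all defects. The following added example (not the slide's data or Seagate's tooling) recomputes such a table from a list of raw findings and picks the "vital few" categories that reach a chosen cumulative share. The sample findings and their proportions are constructed for the demo.

```python
from collections import Counter

# Constructed sample of findings from one assessment cycle, one category per
# finding. The proportions are invented for the demo, not the slide's data.
SAMPLE_FINDINGS = (
    ["Parameter tampering"] * 39
    + ["Cookie poisoning"] * 22
    + ["Cross-site scripting"] * 21
    + ["Other"] * 3
    + ["Forceful browsing"] * 2
    + ["Buffer overflow"] * 2
    + ["Stealth commanding"] * 1
)


def pareto_table(findings):
    """Rows of (category, count, percent, cumulative percent), largest first."""
    total = len(findings)
    rows = []
    cum = 0.0
    for category, n in Counter(findings).most_common():
        pct = 100.0 * n / total
        cum += pct
        rows.append((category, n, round(pct, 1), round(cum, 1)))
    return rows


def vital_few(findings, threshold=80.0):
    """Smallest leading set of categories whose cumulative share reaches threshold."""
    chosen = []
    for category, _n, _pct, cum in pareto_table(findings):
        chosen.append(category)
        if cum >= threshold:
            break
    return chosen


def render(findings):
    """Plain-text table in the Count / Percent / Cum % layout of the chart."""
    rows = pareto_table(findings)
    width = max(len(r[0]) for r in rows)
    lines = [f"{'Category':<{width}}  Count  Percent  Cum %"]
    for category, n, pct, cum in rows:
        lines.append(f"{category:<{width}}  {n:5d}  {pct:7.1f}  {cum:5.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_FINDINGS))
    print("fix first:", vital_few(SAMPLE_FINDINGS))
```

Feeding the function the export of a defect tracker (one row per finding, as TestDirector was used for here) gives the same chart for a new assessment cycle without rebuilding it by hand.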
[Bar chart "No. Of Vulnerabilities Open", Red vs Yellow findings, by Vulnerability Category: Parameter tampering, Data Flow, Forceful browsing, Cross-site scripting, Buffer overflow, Stealth commanding / SQL Injection, Published vulnerabilities, Hidden field manipulation. Per-bar values range from 0 to 3 but cannot be attributed legibly. Source: TestDirector]
[Risk matrix plotting vulnerabilities V1-V8 by Low/High Vulnerability against Low/High Threat, quadrants numbered 1-4; labelled points: Forceful Browsing, Hidden Field Manipulation, Cookie Poisoning, Parameter Tampering]
2004 Statistical Analysis of Application Vulnerabilities Discovered
[Pie chart "Discovered and Resolved Vulnerabilities by Category"; legible slices: Cross-site scripting 26%, Forceful browsing 14%, Third party misconfigurations 10%, Data Flow 4%; remaining slices not legible]
Prepared by
Kris Kahn, Anil Ghanta, & David Viveiros
Seagate Application Assurance Team
Network
Risks and vulnerabilities over the network
System
Risks and vulnerabilities in system configuration
Application
Weaknesses in web-based applications, Oracle applications (using AppScan and ESM for Oracle)
Data Flow
Weaknesses in the data flow (lack of encryption for confidential information, etc.)
Process
Data backup, disaster recovery, patch updates, user management, change management, etc.
Phase 2: Kick-Off
E-Security and project team review assessment process and synchronize timelines
Assessor(s) meets project team
Phase 7: Close-Out
E-Security and project meet to review assessment report, open items are identified and action plans are established
[Assessment process flowchart, recovered as steps:]
• Project Owner / IT Staff / Bus. Units submit an assessment request
• E-Security reviews the request. Assessment request approved? No: request deferred or rejected. Yes: continue
• Perform assessment, then generate assessment report
• Critical vulnerabilities? No: project approved, go live
• Yes: project owner and E-Security review the report. Fix or go live?
• Fix: apply fixes, then review the report again
• Go live without fixing: policy exception, risk acceptance by SVPs
Assessment Plan
Details of assessment scope and tool configuration
Assessment Report
Detailed analysis of findings
Recommendations for fixing or mitigating issues
Certification
No red flags means project is certified to go live!
Yellow flags will be reviewed by Electronic Security and project team for overall risk.
Cannot go live with red flags.