
OWASP Top Ten 2013

FINAL Release

Christian Heinrich
christian.heinrich@owasp.org
OWASP

June 2013

Copyright © The OWASP Foundation


Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation


http://www.owasp.org/
#whoami

OWASP Testing Guide v3
  4.2.1 “Spiders/Robots/Crawlers”
  4.2.2 “Search Engine Reconnaissance”

OWASP “Google Hacking” Project
  “Download Indexed Cache” PoC

Presented at
  .au, EU and USA OWASP Conferences
  London (.uk), Sydney (.au) and Melbourne (.au) Chapters

http://www.owasp.org/index.php/user:cmlh

OWASP - Top Ten 2013 – June 2013 2


OWASP Top Ten 2013

1. What is the OWASP Top Ten?
2. Additions from the OWASP Top Ten 2013
     Using Components with Known Vulnerabilities
3. OWASP Top Ten Risk Rating Methodology
4. Timeline from Release Candidate (RC) to Final
5. When Not to Cite the OWASP Top Ten?
     Application Security Verification Standard (ASVS)
6. Politics of the OWASP Top Ten



What is the OWASP “Top Ten”?

Ten most common WebAppSec risks:

Based on the “OWASP Risk Rating Methodology”.
Intended audience is Executive level.
Prior to 2010, ranked on prevalence and severity.



What is the OWASP “Top Ten”?

Statistics of vulnerabilities contributed by:


Aspect Security
MITRE
White Hat
Veracode
Minded Security
HP (Fortify and WebInspect)
Trustwave



Differences between 2003 and 2004



Differences between 2004 and 2007



Differences between 2007 and 2010

OWASP Top Ten 2013

A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Known Vulnerable Components
A10: Unvalidated Redirects and Forwards


Comparison with 2003, 2004, 2007 and 2010 Releases



Comparison to SANS/MITRE CVE Top 25



ESAPI and Top Ten 2007



Python (Flask/Django) and Top Ten 2013



Politics of A9

Ironic


Politics of A9

cmlh$ openssl sha1 Aspect-2013-Global-AppSec-Risk-Report.pdf


SHA1(Aspect-2013-Global-AppSec-Risk-Report.pdf)= e3e7e0793a311f0779161d082a874042ee0bd498

cmlh$ pdfinfo Aspect-2013-Global-AppSec-Risk-Report.pdf


Title: Global Application Security Risk Report
Author: Jeff Williams
Creator: Microsoft® Word 2010
Producer: Microsoft® Word 2010
CreationDate: Mon Jun 10 14:59:01 2013
ModDate: Mon Jun 10 14:59:01 2013
Tagged: yes
Form: none
Pages: 13
Encrypted: no
Page size: 612 x 792 pts (letter)
File size: 845806 bytes
Optimized: no
PDF version: 1.5


OWASP Top 10 Risk Rating Methodology

Factor                  Rating 1      Rating 2      Rating 3
Threat Agent            ?             ?             ?
Attack Vector           Easy          Average       Difficult
Weakness Prevalence     Widespread    Common        Uncommon
Weakness Detectability  Easy          Average       Difficult
Technical Impact        Severe        Moderate      Minor
Business Impact         ?             ?             ?

XSS Example: Attack Vector 2, Weakness Prevalence 1, Weakness Detectability 1, Technical Impact 2

Likelihood = (2 + 1 + 1) / 3 = 1.3
1.3 * 2 = 2.6 weighted risk rating


Politics of OWASP Risk Rating Methodology

Not recommended by OWASP Threat Modeling.
Others, e.g. STRIDE, DREAD, etc., are not used either.

“Donated” this to OWASP.

Perceived Conflict of Interest.



When *Not* to Cite the OWASP Top Ten?

PCI DSS and PA-DSS
  Cited (incorrectly) as the OWASP “Guide”.
  Payment Applications (PA) are TANDEM etc. based.
  Exception is a Web Server within an LPAR.

“Platform Security – Facebook Developer Wiki”



When *Not* to Cite the OWASP Top Ten?

Web Application Firewall (WAF) and other Vendors:
  WAFs don’t address root causes.
  Mark Curphey (OWASP Founder) raised the abuse issue.
  AvdS suggested an OWASP T10 Certification Scheme.

WebAppSec “blackbox” or “whitebox” pen testing RFTs



Application Security Verification Standard

Consider ASVS instead of OWASP Top 10


Some issues when implemented in practice.



Internal OWASP Politics of the Top Ten

Against the OWASP “Builders not Breakers” Directive

Justified as “Awareness” for an Executive audience
  Generates “not for profit” revenue



Further Information

URLs Published by OWASP

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

http://lists.owasp.org/mailman/listinfo/owasp-topten

URLs Aggregated by cmlh


http://deli.cio.us/cmlh/OWASP.Top.Ten



Copyright Notices

Slides and Notes Licensed as:
  AU Creative Commons 2.5
  Attribution-Non Commercial-No Derivative Works



In Closing

Slides are Published on


http://www.slideshare.net/cmlh

christian.heinrich@owasp.org

http://www.owasp.org/index.php/user:cmlh
