Day 1
TM
GLOBAL APPSEC DC
About OWASP
• The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software.
• Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
• Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. You'll find everything about OWASP linked from our wiki and current information on our OWASP Blog.
• https://owasp.org
• Name
• Role
• Serial number (joking)
Agenda Day 1
Morning
• Introductions
• About ASVS
• Incorporating ASVS into your development lifecycle
• V1 Architecture
• V2 Authentication
• V3 Session Management
• V2 and V3 Lab
Afternoon
• V4 Access Control
• V4 Access Control Lab
• V5 Validation and Encoding
• V5 Validation and Encoding Lab (tbc)
Agenda Day 2
Morning
• V5 Validation and Encoding Lab (cont)
Afternoon
• V8 Data Protection
• V8 Data Protection Lab
Morning
• V11 Business Logic Flaws
• V11 Business Logic Flaws Lab
Afternoon
• V13 API and Web Services
• V13 API Lab
What is the Application Security Verification Standard?
• First application security standard by developers, for developers
• Learn to code
• Use the same tool chain
• Business
• Scrum folks
• Developers
• Security
• Testers
• DevOps
Olden days vs new days
• Protect
• Detect
• Resilient
Integration tests
Abuse cases
• Selenium
• Postman
• Protractor
• Robot Framework
Lab: Fork ASVS
Secure Code Warrior Setup
• Pick a language
• Let’s pick a lab together
• Create a fix
• Test the result
What is Security Architecture?
• Architectural principles
• Secure design patterns
• Shared secure component design and re-use
• Expects ~25% architecture change every 3-5 years
• Addresses current and future threats
• Testable security
What is authentication?
What is Session Management?
• Relevant standards
• Logout
• Test that you can't view or use high value functionality after logging out
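The "new days" slide (integration tests and abuse cases, driven by tools such as Postman or Robot Framework) and the logout check just above ask for the same artefact: an abuse case written as an automated test that fails the build. The following is an added example, not code from the slides or from any OWASP project. It stands up a toy Python HTTP app in-process so it runs offline; the endpoints /login, /account and /logout, the sample user and the cookie name "sid" are all assumptions. It then runs the abuse cases against it, the last one being the slide's own check: after logout, a replayed session cookie must not reach high-value functionality.

```python
"""Abuse cases as integration tests against a toy session-handling app.

Added example, not from the slides or from an OWASP project. The endpoints
(/login, /account, /logout), the sample user and the cookie name "sid" are
assumptions; the app is served in-process so the tests run offline.
"""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SESSIONS = {}                                       # server-side store: sid -> user
USERS = {"alice": "correct horse battery staple"}  # constructed sample credential
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies


class App(BaseHTTPRequestHandler):
    def _sid(self):
        """Session id from the Cookie header, only if it is a live session."""
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sid" and value in SESSIONS:
                return value
        return None

    def _reply(self, status, body=b"", extra=()):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        if self.path == "/login":
            user, _, password = body.partition(":")
            if USERS.get(user) != password:
                return self._reply(401)
            sid = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
            SESSIONS[sid] = user
            # Secure: browsers send it only over TLS; the test client attaches it by hand
            return self._reply(200, extra=[("Set-Cookie", f"sid={sid}; HttpOnly; Secure; SameSite=Lax")])
        if self.path == "/logout":
            SESSIONS.pop(self._sid(), None)         # invalidate server-side, not just in the browser
            return self._reply(204)
        return self._reply(404)

    def do_GET(self):
        if self.path != "/account":
            return self._reply(404)
        sid = self._sid()
        if sid is None:
            return self._reply(401)                 # high-value function: session required
        return self._reply(200, f"balance for {SESSIONS[sid]}".encode())

    def log_message(self, *args):                   # keep the test run quiet
        pass


def start_server():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), App)  # port 0: let the OS pick one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def call(base, method, path, body=None, cookie=None):
    """Return (status, Set-Cookie header or None) without raising on 4xx."""
    req = urllib.request.Request(base + path, data=body, method=method)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with OPENER.open(req) as resp:
            return resp.status, resp.headers.get("Set-Cookie")
    except urllib.error.HTTPError as err:
        return err.code, None


def run_abuse_cases():
    """Run the abuse cases a CI job would fail on; returns {case: passed}."""
    srv, base = start_server()
    try:
        status, set_cookie = call(base, "POST", "/login", b"alice:correct horse battery staple")
        sid_cookie = set_cookie.split(";")[0]        # "sid=<token>"
        results = {
            "login_ok": status == 200,
            "valid_allowed": call(base, "GET", "/account", cookie=sid_cookie)[0] == 200,      # positive control
            "anon_denied": call(base, "GET", "/account")[0] == 401,                           # no session at all
            "forged_denied": call(base, "GET", "/account", cookie="sid=AAAAAAAA")[0] == 401,  # guessed id
        }
        call(base, "POST", "/logout", b"", cookie=sid_cookie)
        # The slide's check: after logout the old identifier must be dead even
        # though the client still holds a copy of the cookie.
        results["replay_after_logout_denied"] = call(base, "GET", "/account", cookie=sid_cookie)[0] == 401
        return results
    finally:
        srv.shutdown()
        srv.server_close()
```

run_abuse_cases() returns one boolean per case, so a CI step can fail on any False. The logout handler deletes the server-side session record; a handler that merely told the browser to clear the cookie would pass the first four cases and fail the last one, which is exactly the defect the slide's check is meant to catch.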
What is Input Validation & Output Encoding?
So you are inside, you fancy a beer and the barman hands you water from the toilet. Do you drink it?
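To make the analogy concrete, here is an added Python example (not from the slides or from an OWASP project). An allow-list validator decides whether a display name is acceptable at all, and one encoder per output context makes an acceptable value inert in HTML text, an HTML attribute, a URL query string and a JavaScript string literal. The display-name rule and the page fragment are assumptions chosen to show the two controls doing different jobs: a perfectly legitimate name like O'Brien passes validation and still needs encoding, while an <img onerror> payload never gets past validation.

```python
"""Input validation and context-aware output encoding.

Added example, not from the slides or from an OWASP project. The display-name
rule and the page fragment are assumptions. Validation decides whether input is
acceptable at all; encoding makes acceptable input inert in the specific
context it lands in. Neither replaces the other.
"""
import html
import json
import re
import urllib.parse

# Positive (allow-list) validation: letters, spaces, apostrophes and hyphens,
# 1 to 40 characters. Anything else is rejected rather than "cleaned up".
DISPLAY_NAME = re.compile(r"[A-Za-z' -]{1,40}")


def validate_display_name(value):
    if not isinstance(value, str) or not DISPLAY_NAME.fullmatch(value):
        raise ValueError("display name rejected by allow-list")
    return value


def rejected(value):
    """True if validation refuses the value (used for the negative cases)."""
    try:
        validate_display_name(value)
        return False
    except ValueError:
        return True


# One encoder per output context. Using the wrong one, or none, is the bug.
def for_html_text(s):
    return html.escape(s, quote=True)       # & < > " ' become entities


def for_html_attr(s):
    return html.escape(s, quote=True)       # same set; the attribute must be quoted in the template


def for_url_query(s):
    return urllib.parse.quote(s, safe="")   # percent-encode everything except unreserved characters


def for_js_string(s):
    # json.dumps yields a valid JS string literal (and, with ensure_ascii, escapes
    # U+2028/2029), but "</script>" inside it would still end the script block in
    # HTML, so the HTML-significant characters are escaped as \uXXXX as well.
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_vulnerable(name):
    """The 'before': raw concatenation, kept deliberately unsafe for comparison."""
    return (f"<p>Hello {name}</p>"
            f'<a href="/u?name={name}">profile</a>'
            f"<script>var displayName = '{name}';</script>")


def render_hardened(name):
    """Validate once at the boundary, then encode for each context on output."""
    name = validate_display_name(name)
    return (f"<p>Hello {for_html_text(name)}</p>"
            f'<a href="/u?name={for_url_query(name)}" title="{for_html_attr(name)}">profile</a>'
            f"<script>var displayName = {for_js_string(name)};</script>")
```

Note what each control does and does not catch: render_vulnerable("O'Brien") produces var displayName = 'O'Brien'; where the apostrophe ends the JavaScript string early, even though the name is legitimate and would pass any sane validator; render_hardened emits O&#x27;Brien, O%27Brien and "O'Brien" respectively, one form per context.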
What did we learn yesterday?
Morning
• About ASVS
• Incorporating ASVS into your development lifecycle
• V1 Architecture
• V2 Authentication
• V3 Session Management
Afternoon
• V4 Access Control
• V5 Validation and Encoding
Morning
• V5 Validation and Encoding Lab (cont)
Afternoon
• V8 Data Protection
• V8 Data Protection Lab
What is Error Handling and Logging?
What is Communications Security?
British Airways: unencrypted links expose PII
What is Malicious Code?
Code inserted by insiders, partners or suppliers that:
• Performs unauthorized activities
• Harms the organization or its users
• Discloses sensitive information
• Deletes, corrupts or encrypts data for ransom
Examples:
- Webmin backdoor
- Fortinet backdoor
Day 3
What did we learn yesterday?
Morning
• V5 Validation and Encoding Lab (cont)
Afternoon
• V8 Data Protection
• V8 Data Protection Lab
Morning
• V11 Business Logic Flaws
• V11 Business Logic Flaws Lab
Afternoon
• V13 API and Web Services
• V13 API Lab
What are business logic flaws?
What are Secure Files and Resources?
• File uploads
• Malicious files
• Path traversal
• Pathnames / filename attacks
• Redirection and forwards
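As an added example (not from the slides or from an OWASP project), the Python helpers below cover three of the bullets above. Path traversal and pathname attacks are handled by safe_join(), which resolves a user-supplied filename under a fixed base directory and rejects anything that ends up outside it, including percent-encoded dot segments, absolute paths, NUL bytes and symlinks that point out of the directory. Redirection is handled by is_safe_redirect(), which accepts only same-site paths or https URLs to an allow-list of hosts. The base directory /srv/app/uploads, the allow-listed hosts and the helper names are assumptions.

```python
"""Confining file paths and redirect targets.

Added example, not from the slides or from an OWASP project. The base directory
/srv/app/uploads, the allow-listed redirect hosts and the helper names are
assumptions. safe_join() keeps a user-supplied filename inside one directory;
is_safe_redirect() keeps a user-supplied "next" URL on our own origins.
"""
import urllib.parse
from pathlib import Path


class PathTraversal(ValueError):
    pass


def safe_join(base_dir, user_path):
    """Resolve user_path under base_dir, or raise PathTraversal if it escapes."""
    base = Path(base_dir).resolve()
    # Decode exactly once. Clients send %2e%2e%2f; decoding twice would let
    # %252e%252e%252f through after the first pass looked harmless.
    decoded = urllib.parse.unquote(user_path)
    if "\x00" in decoded:
        raise PathTraversal("NUL byte in path")
    # Joining an absolute component discards base (pathlib semantics), and
    # resolve() collapses ".." and follows symlinks, so the containment check
    # sees the real final location in every case. Equality with base itself is
    # also refused: a directory is never a valid file target here.
    target = (base / decoded).resolve()
    if base not in target.parents:
        raise PathTraversal(f"{user_path!r} resolves outside {base}")
    return target


def traverses(base_dir, user_path):
    """True if safe_join refuses the path (used for the negative cases)."""
    try:
        safe_join(base_dir, user_path)
        return False
    except PathTraversal:
        return True


# Redirects: the classic "?next=" parameter consumed after login.
ALLOWED_REDIRECT_HOSTS = {"example.com", "accounts.example.com"}  # constructed allow-list


def is_safe_redirect(target):
    """Allow only same-site relative paths or https URLs to allow-listed hosts."""
    parts = urllib.parse.urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative path. "//evil.com" is scheme-relative and urlsplit gives it a
        # netloc, so it never reaches here; browsers treat "/\evil.com" the same
        # way, so that spelling is refused explicitly.
        return target.startswith("/") and not target.startswith("/\\")
    # Absolute URL: https only (no downgrade) and the host, not a prefix of it
    # or anything before an "@", must be on the list.
    return parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS
```

Both helpers fail closed: the redirect check returns False for anything it does not recognise (javascript: URLs, schemeless host names, credentials-in-URL tricks such as https://example.com@evil.com/), and the path check raises rather than silently stripping the offending part, which is the behaviour you want logged.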
What is Web Service Security?
Shopify: thousands of stores' revenue data exposed
What is Configuration Security?
• Outdated components
• Web Server
• Application Server
• Database Server(s)
• Serverless / Cloud configuration
• File permissions and so on
Objective – Find all the bugs!
• Join code: 3492 4588
• Tournament has exercises in a bunch of languages and frameworks
• Points are awarded for fixing code
• Teaming up is absolutely fine!
• Try to combine skills in multiple languages and frameworks
• Testing is just as important as coding
https://owasp.org
OWASP ASVS
• Fork it here: https://github.com/OWASP/ASVS
OWASP Cheat Sheet Series
• Get it here: https://cheatsheetseries.owasp.org/
• Fork it here: https://github.com/OWASP/CheatSheetSeries
OWASP Dependency-Check
• Get it here: https://www.owasp.org/index.php/OWASP_Dependency_Check
• Fork it here: https://github.com/jeremylong/DependencyCheck
OWASP ZAP
• Get it here: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Fork it here: https://github.com/zaproxy/zaproxy/
Rate this Session
Thank you!
Andrew van der Stock
vanderaj@owasp.org
@vanderaj
1 510 697 9315
OWASP, Open Web Application Security Project, Global AppSec and AppSec Days are Trademarks of the OWASP Foundation, Inc.
Copyright notice and license
• https://owasp.org