Page 1
Protecting your Applications and Data in an Evolving Risk Environment
Motaz Alturayef, Head of Engineering, KSA and North Africa
F5 Networks
Page 2
Agenda
What is an Application?
Web Application Attacks
What Happens When Apps Are Attacked?
Protecting Applications
Page 3
haveibeenpwned.com
Page 4
[Chart: attack types reported by respondents (Other, Cross-site Request Forgery, Clickjack, SQL Injection, Cross-site Scripting, Web Fraud, DDoS, Cred Theft) with values of 2%, 17%, 20%, 24%, 25%, 50%, 63% and 68%; the label-to-value pairing is not preserved in the text.]
F5 Ponemon Survey
Page 5
Applications are the business
Page 6
Applications are the gateway to your data
Page 7
How Are Applications Targeted?
Sub domains hosting other versions of the main application site
Dynamic web page generators
HTTP headers and cookies
Admin interfaces
Apps/files linked to the app
Web service methods
Helper apps on client (Java, Flash)
Server-side features such as search
Web pages and directories
Shells, Perl/PHP
Data entry forms
Administrative and monitoring stubs and tools
Events of the application: triggered server-side code
Backend connections through the server (injection)
APIs
Cookies/state tracking mechanisms
Data/active content pools: the data that populates and drives pages
Page 8
How Can We Organize This Better?
Layers: SERVICES, ACCESS, TLS/SSL, DNS, NETWORK
(The application targets listed on Page 7 repeat here, grouped under these layers.)
Page 9
Public cloud, Private cloud, SaaS, Co-location, On-premises
Containers (shown in each environment)
Page 10
Apps Importance
34% of web apps considered mission critical
760 web apps in use in an organization
9.93 web app environments/frameworks in use
How does this match up with your organization?
Page 11
[Chart: application categories in use (Other, None of the Above, Project Management, Developer Tools, Financial Apps (Banking/eCommerce), Social Apps, Backup and Storage, Office Suites, Document Management and Collaboration, Remote Access, Communication Apps (Email/Texting)) with values of 1%, 6%, 9%, 13%, 16%, 32%, 51%, 57%, 62%, 74% and 81%; the label-to-value pairing is not preserved in the text.]
F5 Ponemon Survey
Page 12
[Chart: cost of attack outcomes ($6.56, $7.18, $8.53, $9.07) for Leakage of Confidential or Sensitive Information; Tampering and Unauthorized Modifications to Apps; The Hack Resulted in the Failure to Access Data and/or Apps; Leakage of Personally-Identifiable Information About Customers, Consumers or Employees; the label-to-value pairing is not preserved in the text.]
F5 Ponemon Survey
Page 13
[Chart: breach causes (Insider Attack, Point-of-Sale Attacks, Physical Breach, Malware, Credential Theft, Accidental Breach, Phishing, Web Attacks) with values of 2%, 7%, 10%, 12%, 13%, 13%, 14% and 30%; the label-to-value pairing is not preserved in the text.]
F5 & Whatcom CC
Page 14
Web Attacks
Website Hacking: 70%
Database Hacking: 26%
Card-Stealing Web Injection: 4%
F5 & Whatcom CC
Page 15
Card Stealing Web Injects
Targeted Site
Malicious PHP Code
Payment Card Info Breached
Stolen data exfiltrated via HTTPS to a drop server
Injects usually due to weak input filters common in PHP, JS, CMS systems
Can add fake fields to page
Page 16
Injections Continuing to Make Headlines
Page 17
https://devcentral.f5.com/articles/anatomy-of-code-injection
2013 OWASP Top 10
1. Injection
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards
2017 OWASP Top 10
1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring
Page 18
In the last 8 years more than 7.1 billion identities have been exposed in data breaches
Breach sizes shown: 70 million accounts, 427 million accounts, 150 million accounts, 3 billion accounts, 117 million accounts
1. Symantec Internet Security Threat Report, April 2017
2. https://www.entrepreneur.com/article/246902#
Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more.
Page 19
Credential Stuffing
[Diagram: a list of stolen usernames alongside the data they unlock: Credit Card Data, Intellectual Property, Healthcare Data, Passport Data, Financial Data]
Page 20
Deserialization
https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization
A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state:
a:4:{i:0;i:132;i:1;s:3:"Bob";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
An attacker changes the serialized object to give themselves admin privileges: the role string "user" is replaced with "admin".
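As an added example (not from the slides or the OWASP page), this Python snippet reads the slide's serialized array with a minimal PHP-format parser, shows that an unsigned cookie accepts the "user" to "admin" edit unchecked, and then attaches an HMAC so the server rejects the edited cookie before it deserializes anything. The parser, the SECRET key and the function names are assumptions for illustration; the cookie is the slide's value with the string length corrected.

```python
import hmac
import hashlib

# Constructed from the slide's "super" cookie: [user_id, name, role, password_hash]
COOKIE = 'a:4:{i:0;i:132;i:1;s:3:"Bob";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'
SECRET = b"server-side-secret-key"  # hypothetical server-only key, never sent to the client

def php_unserialize(data: str):
    # Minimal reader for the PHP serialize() subset on the slide: i:, s:, a:
    def parse(pos):
        tag = data[pos]
        if tag == "i":                              # i:<int>;
            end = data.index(";", pos)
            return int(data[pos + 2:end]), end + 1
        if tag == "s":                              # s:<len>:"<bytes>";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                       # skip ':' and the opening quote
            value = data[start:start + length]      # length-prefixed, so quotes inside are safe
            return value, start + length + 2        # skip closing quote and ';'
        if tag == "a":                              # a:<count>:{key;value;...}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                         # skip ':{'
            items = {}
            for _ in range(count):
                key, pos = parse(pos)
                items[key], pos = parse(pos)
            return items, pos + 1                   # skip '}'
        raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")
    value, _ = parse(0)
    return value

def role_from_unsigned_cookie(cookie: str) -> str:
    # Vulnerable pattern: the server trusts whatever role the client sends back
    return php_unserialize(cookie)[2]

def sign(cookie: str) -> str:
    # Hardened: the server appends an HMAC tag the client cannot forge without SECRET
    return cookie + "|" + hmac.new(SECRET, cookie.encode(), hashlib.sha256).hexdigest()

def role_from_signed_cookie(signed: str):
    # Verify the tag in constant time before deserializing; None means tampered or unsigned
    cookie, _, tag = signed.rpartition("|")
    expected = hmac.new(SECRET, cookie.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return php_unserialize(cookie)[2]
```

Signing only proves the cookie came from the server; it does not make unserialize() safe on data from any other source, so the role check belongs with the integrity check, not after it.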
Page 21
[Chart: Published Deserialization Exploits per year, 2007 to 2017]
Page 22
[Chart: respondent confidence levels (Very Confident, Confident, Somewhat Confident, No Confidence) with values of 16%, 22%, 24% and 38%; the label-to-value pairing is not preserved in the text.]
F5 Ponemon Survey
Page 23
[Chart: security controls (Other Network Security Controls, Next-Generation Firewall, Web Fraud Detection, Traditional Network Firewall, Intrusion Prevention System (IPS), Anti-DDoS, Anti-Malware Software, Application Scanning, Penetration Testing, Web App Firewall (WAF)) with values of 2%, 3%, 4%, 5%, 6%, 7%, 8%, 19%, 20% and 28%; the label-to-value pairing is not preserved in the text.]
F5 Ponemon Survey
Page 24
Five steps:
Prioritize Defenses Based on Attacks
Reduce Your Attack Surface
Understand Your Environment
Select Flexible and Integrated Defense Tools
Integrate Security into Development
Page 25
Analysis of US Attorney Breach Data Records
Analysis of Exploit DB
12 months of web app security vulnerability data (DAST & SAST)
12 months of global attack web app data
App Security survey of 3,135 IT sec pros
US, Canada, United Kingdom, Brazil, China, Germany, India
Across 14 industries
Page 26
Additional Research
Page 27
Articles, Threat Blog, CISO to CISO, Thought Leadership Blog
General Threat Trends, Phishing, Encryption, IoT (Attacker Hunt Series)