OWASP - Security Awareness Presentation for Bitcoin Wednesday Amsterdam
DESCRIPTION
Security Awareness Presentation by the Dutch Chapter of OWASP at Bitcoin Wednesday's First Year Anniversary Meeting in Amsterdam
TRANSCRIPT
Page 1
Martin Knobloch
– 10 years developer experience
– 10 years information security experience
– 3+ years independent Security Consultant
– Dutch OWASP Chapter Leader
– OWASP AppSec-Eu/Research 2015 Chair
– www.owasp.org
Page 4
Enter the rest of OWASP
People
• Free Chapter Meetings
• Free Local Events
• Conferences
• ...
Tools
• WebGoat
• Zed Attack Proxy (ZAP)
• ESAPI
• ...
Guides
• Requirements list
• CLASP
• SAMM
• ...
Page 5
Your security “perimeter” has huge holes at the application layer
Network layer: Firewall, Hardened OS, Web Server, App Server, Firewall
Application layer: Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing, Custom Developed Application Code
APPLICATION ATTACK (arrow through the network layer into the custom application code)
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
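The slide's point is that a well-formed HTTP request sails through port-based and transport-layer controls and is only interpreted, and therefore only attackable, inside the application. The following is an added example, not part of the deck: the sample user table, the request strings and the network_layer_allows() check are all constructed here, with that check standing in for the firewall/SSL/IDS layer named on the slide. The same login request is handled once by a query built with string formatting and once by a query with bound parameters.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (not from the deck): a user table with two rows.
# Passwords are stored in clear only to keep the example short; a real
# application stores a salted hash and compares against that.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn

def network_layer_allows(request_line):
    """Hypothetical stand-in for what a firewall / TLS terminator / port filter
    sees: a well-formed HTTP request to an allowed path. It lets it through and
    has no idea what the query string means to the application."""
    method, target, version = request_line.split(" ")
    return (method in ("GET", "POST") and version.startswith("HTTP/1.")
            and target.startswith("/login"))

def credentials_from(request_line):
    """Extracts user and pw from the query string (percent-decoding happens here,
    exactly as a web framework would do it before handing values to the app)."""
    target = request_line.split(" ")[1]
    params = parse_qs(urlsplit(target).query)
    return params["user"][0], params["pw"][0]

def login_vulnerable(conn, request_line):
    """Builds the SQL by string formatting, so the attacker's input is parsed
    as SQL: the application-layer hole the slide is about."""
    user, pw = credentials_from(request_line)
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{pw}'"
    return conn.execute(sql).fetchone() is not None

def login_hardened(conn, request_line):
    """Same lookup with bound parameters: the input is only ever data."""
    user, pw = credentials_from(request_line)
    row = conn.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                       (user, pw)).fetchone()
    return row is not None

# Constructed requests: a legitimate login, and one whose pw field carries the
# payload ' OR '1'='1 percent-encoded the way a browser would send it.
LEGIT_REQUEST = "GET /login?user=alice&pw=correct+horse HTTP/1.1"
ATTACK_REQUEST = "GET /login?user=alice&pw=%27+OR+%271%27%3D%271 HTTP/1.1"

def run_demo():
    """Returns what each layer decides for each request."""
    conn = build_db()
    return {
        "firewall_allows_legit": network_layer_allows(LEGIT_REQUEST),
        "firewall_allows_attack": network_layer_allows(ATTACK_REQUEST),
        "legit_vulnerable": login_vulnerable(conn, LEGIT_REQUEST),
        "legit_hardened": login_hardened(conn, LEGIT_REQUEST),
        "attack_vulnerable": login_vulnerable(conn, ATTACK_REQUEST),  # bypass
        "attack_hardened": login_hardened(conn, ATTACK_REQUEST),      # rejected
    }

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The network-layer check returns True for both requests, which is the slide's whole point; the formatted query then logs the attacker in as the first row of the table, while the parameterised query treats the payload as an (incorrect) password. A signature-based IDS might flag this particular well-known payload, but it cannot know which inputs the application concatenates into SQL, so it catches neither variants of the payload nor the next injection-shaped bug.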
Page 6
An Attacker has 24x7x365 to Attack
Attacker Schedule: continuous
Defender Schedule: Scheduled Pen-Test, Scheduled Pen-Test
The Defender has 20 man days per year to detect and defend
Page 7
Tools – At Best 45%
• MITRE found that all application security tool vendors’ claims put together cover only 45% of the 695 known vulnerability types
• They found very little overlap between tools, so to get to 45% you need all of them (assuming their claims are true)
Page 9
Content
Page 11
Functional Specification: Insecure?
Technical Implementation: Insecure?
An application is secure if it acts and reacts as expected, at any time!
Secure
Page 16
Login form:
Username
Password
password forgotten link
Page 17
Threat Modeling – The Basics
Asset: valuable resource
Vulnerability: exploitable weakness
Threat: causes harm
Risk: chance of harm occurring
Countermeasure: reduces risk
Page 18
Why start again?
Asset
Threat
Risk is low
Countermeasure
Dependency
Dependency’s Countermeasure
Dependency’s Threat
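Page 17 defines the terms and page 18 shows that a countermeasure usually rests on a dependency that brings its own threat and its own countermeasure, so "risk is low" only holds if the dependency's threat model is carried over rather than the analysis starting again from nothing. The following is an added example, not from the deck: a small Python model that scores risk as likelihood times impact after countermeasures, and discounts each countermeasure by the residual risk of the asset it depends on. The asset and threat names (a wallet signing key guarded by a key management service) and all numbers are constructed for illustration, and the scoring formula is one simple convention, not one prescribed by OWASP.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed example model (not from the deck): the terms are the slides'
# Asset / Threat / Risk / Countermeasure / Dependency; the numbers are made up.

@dataclass
class Threat:
    name: str
    likelihood: float  # chance the threat is realised with no countermeasure, 0..1
    impact: float      # harm to the asset if it is, 0..1

@dataclass
class Countermeasure:
    name: str
    reduction: float                      # fraction of likelihood removed when it works, 0..1
    depends_on: Optional["Asset"] = None  # asset it relies on; that asset's threats weaken it

@dataclass
class Asset:
    name: str
    threats: list[Threat] = field(default_factory=list)
    # threat name -> the countermeasure applied against it
    countermeasures: dict[str, Countermeasure] = field(default_factory=dict)

def residual_risk(asset, follow_dependencies=True, _visiting=frozenset()):
    """Risk of an asset = its worst threat's likelihood x impact after countermeasures.
    With follow_dependencies, a countermeasure only counts for
    reduction * (1 - residual_risk(dependency)): if the dependency is likely to be
    compromised, the countermeasure is equally likely to be bypassed."""
    if asset.name in _visiting:
        # Circular dependency: be conservative and trust nothing in the loop.
        return 1.0
    visiting = _visiting | {asset.name}
    worst = 0.0
    for threat in asset.threats:
        likelihood = threat.likelihood
        cm = asset.countermeasures.get(threat.name)
        if cm is not None:
            effective = cm.reduction
            if follow_dependencies and cm.depends_on is not None:
                effective *= 1.0 - residual_risk(cm.depends_on, True, visiting)
            likelihood *= 1.0 - effective
        worst = max(worst, likelihood * threat.impact)
    return worst

def build_example():
    """Constructed: a hot-wallet signing key whose encryption at rest depends on a
    key management service that has a threat and a countermeasure of its own."""
    kms = Asset("key management service",
                [Threat("KMS credentials leaked", likelihood=0.4, impact=1.0)])
    kms.countermeasures["KMS credentials leaked"] = Countermeasure(
        "credentials held in an HSM", reduction=0.8)
    wallet = Asset("hot wallet signing key",
                   [Threat("attacker reads signing key", likelihood=0.5, impact=1.0)])
    wallet.countermeasures["attacker reads signing key"] = Countermeasure(
        "key encrypted at rest", reduction=0.9, depends_on=kms)
    return wallet

def build_cycle_example():
    """Constructed: two assets whose countermeasures guard each other."""
    a = Asset("A", [Threat("A compromised", 0.5, 1.0)])
    b = Asset("B", [Threat("B compromised", 0.5, 1.0)])
    a.countermeasures["A compromised"] = Countermeasure("guarded by B", 0.9, depends_on=b)
    b.countermeasures["B compromised"] = Countermeasure("guarded by A", 0.9, depends_on=a)
    return a

if __name__ == "__main__":
    wallet = build_example()
    print(f"risk ignoring the dependency:  {residual_risk(wallet, False):.3f}")
    print(f"risk following the dependency: {residual_risk(wallet, True):.3f}")
    print(f"risk with a circular dependency: {residual_risk(build_cycle_example()):.3f}")
```

Scored on its own, the wallet looks fine (0.5 x (1 - 0.9) = 0.05, the slide's "risk is low"); once the key service's own residual risk (0.4 x (1 - 0.8) = 0.08) is folded into the countermeasure, the wallet's risk rises to about 0.086. The dependency's threat model was done once and reused, which is the answer to the slide's "why start again?". The cycle guard is deliberately pessimistic: two countermeasures that vouch for each other get no credit for the loop.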
Page 19
That’s it...
...thank you!