OWASP Top 10

Upload: shivam-porwal

Post on 09-Apr-2017

TRANSCRIPT

Page 1: Owasp Top 10

Seminar Presentation On

Shivam Porwal, B.Tech (C.S.) 7th sem, 131234040048

1/15

Page 2: Owasp Top 10

Content

• What is OWASP?
• What is a Web Application?
• OWASP Top – 10
• Successful Attack Path
• What next for Developers?
• What next for Verifiers & Organisations?
• Conclusion

Page 3: Owasp Top 10

What Is OWASP?

OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. The OWASP Foundation is the non-profit entity that ensures the project’s long-term success.

Page 4: Owasp Top 10

What Is a Web Application?

“In computing, a web application or web app is a client–server software application in which the client (or user interface) runs on a web browser. Common web applications include webmail, online retail sales, instant messaging services and many other functions.”

Page 5: Owasp Top 10

What Is the OWASP Top 10?

The OWASP Top 10 report is based on 8 datasets from 7 firms that specialize in application security, including 4 consulting companies and 3 tool/SaaS vendors (1 static, 1 dynamic, and 1 with both). This data spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact.

Page 6: Owasp Top 10

• Application security tools and standards
• Complete books on application security testing, secure code development, and secure code review
• Standard security controls and libraries
• Cutting edge research

Page 7: Owasp Top 10


Page 8: Owasp Top 10

OWASP Top - 10


Page 9: Owasp Top 10

Successful Attack & Risk Path


Page 10: Owasp Top 10

What Next For Developers? “SECURE CODING”

No application is completely secure, but adhering to the following principles will minimize risk:

• Minimize the attack surface area (minimize the access points).
• Establish and implement secure default settings, with password expiration and timeouts, etc.
• Implement the principle of “Least Privilege”; don’t give users access to things that they don’t need to do their jobs.
• Implement “Defence in Depth” with re-authentication, tokens, and hidden IDs.
• Don’t trust services or 3rd parties.
• Keep security simple (complicated controls get bypassed by humans).

Page 11: Owasp Top 10

What Next For Verifiers & Organisations?

• To verify the security of a web application you have developed, or one you are considering purchasing, OWASP recommends that you review the application’s code (if available), and test the application as well.

• OWASP has produced the OWASP Application Security Verification Standard (ASVS). This document defines a minimum verification standard for performing web application security assessments.

• Organisations must hire security professionals and penetration testers so as to keep their web applications up to date.

• Organisations should keep on testing their web applications through bug bounty programs and vulnerability scanners.

Page 12: Owasp Top 10

Examples via Video

• SQL injection
• XSS

“HACKING IS A CRIMINAL OFFENCE. TRY IT AT YOUR OWN RISK”
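The two video examples on this slide (SQL injection and XSS) and the secure-coding principles on the previous slide (secure defaults, least privilege, not trusting input) can be shown side by side in code. The following Python block is an added example for this transcript, not code from the presentation or from OWASP; the sample users, role table, 15-minute idle timeout and function names are all constructed here for illustration. It puts a string-formatted query next to its parameterised replacement, escapes output before it reaches HTML, denies any action a role has not been granted, and expires idle sessions by default.

```python
import html
import sqlite3
from typing import Dict, List, Set, Tuple

# Constructed sample users for an in-memory database (not data from the presentation).
SAMPLE_USERS: List[Tuple[str, str, str]] = [
    ("alice", "alice@example.test", "admin"),
    ("bob", "bob@example.test", "user"),
]

# Least privilege: each role lists only the actions it needs; anything not listed is denied.
# The roles and action names are hypothetical.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "user": {"read_own_profile"},
    "admin": {"read_own_profile", "read_all_profiles", "delete_user"},
}

# Secure default: a session is considered idle after 15 minutes unless a caller overrides it.
DEFAULT_IDLE_TIMEOUT_SECONDS = 15 * 60


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """SQL injection: the caller's input is pasted into the SQL text, so quotes in `name`
    change the statement itself (the 'before' of the fix, kept for comparison)."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver binds `name` as a value, never as SQL syntax."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name: str) -> str:
    """Output encoding against XSS: user-supplied text is escaped before it is placed in HTML."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def is_allowed(role: str, action: str) -> bool:
    """Deny by default: unknown roles and unlisted actions are refused."""
    return action in ROLE_PERMISSIONS.get(role, set())


def session_expired(last_seen: float, now: float,
                    idle_timeout: int = DEFAULT_IDLE_TIMEOUT_SECONDS) -> bool:
    """Secure default timeout: True once the session has been idle longer than `idle_timeout`."""
    return now - last_seen > idle_timeout


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote, to show how the two lookups differ.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # leaks every row
    print("safe:      ", lookup_safe(db, probe))        # matches no user
    print(render_greeting("<b>bob</b>"))
    print("user may delete?", is_allowed("user", "delete_user"))
```

The vulnerable lookup is kept only to show why the parameterised one is the fix: with the quoted input the first query returns every user, while the second treats the whole string as a name and returns nothing. Escaping on output, a default-deny permission table and a default idle timeout are the code-level shape of the "Defence in Depth", "Least Privilege" and "secure default settings" points on the previous slide.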

Page 13: Owasp Top 10

Conclusion

The Top 10 cover a lot of ground, but there are many other risks you should consider and evaluate in your organization.

CREATE A REMEDIATION PLAN

1. Identify assets and risks
• Obtain a full understanding of what you own
• Obtain a full understanding of the risks associated with those assets.

2. Conduct a gap analysis and prioritize risks
• Determine the risks (i.e. high/medium/low) to your most expensive assets and their priority

3. Planning and Execution
• Budget, technology, team, timeframe

4. Track, monitor, and improve the plan
• Security plans, protocols, feedback response

Page 14: Owasp Top 10


Page 15: Owasp Top 10
