Seminar Presentation On

Shivam PorwalB.Tech (C.S.) 7th sem131234040048

1/15

Content• What is OWASP?• What is Web Application?• OWASP Top – 10• Successful Attack Path • What next for Developers?• What next for Verifiers & Organisations?• Conclusion

2/15

What OWASP Is ?

OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. The OWASP Foundation is the non-profit entity that ensures the project’s long term success.

3/15

What Web Application Is?“In computing, a web application or web app is a client–server software application in which the client (or user interface) runs on a web browser.Common web applications include webmail, online retail sales, instant messaging services and many other functions.”

4/15

What OWASP Top–10 Is?

The OWASP Top 10 report is based on 8 datasets from 7 firms that specialize in application security, including 4 consulting companies and 3 tool/SaaS vendors (1 static, 1 dynamic, and 1 with both). This data spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact estimates.

5/15

•Application security tools and standards •Complete books on application security testing, secure code development, and secure code review •Standard security controls and libraries •Cutting edge research

6/15

7/15

OWASP Top - 10

8/15

Successful Attack & Risk Path

9/15

What Next For Developers ? “SECURE CODING”

No application is completely secure, but adhering to the fol lowing principals will minimize risk: • Minimize the attack surface area (minimize the access points). • Establish and implement secure default settings with password expiration and timeouts, etc. • Implement the principle of “Least Privilege”; don’t give users access to things that they don’t need to do their jobs. • Implement “Defence in Depth” with re-authentication, tokens, and hidden IDs. • Don’t trust services or 3rd parties.• Keep security simple (humans will always bypass)

10/15

What Next For Verifiers & Organization ?•To verify the security of a web application you have developed, or one you are considering purchasing, OWASP recommends that you review the application’s code (if available), and test the application as well.

•OWASP has produced the OWASP Application Security Verification Standard (ASVS). This document defines a minimum verification standard for performing web application security assessments.

•Organization must hire Security Professionals, Penetration Testers so as to keep updated their web applications.

•Organization should keep on testing their web application through bug bounty programs and Vulnerability Scanners.

11/15

Examples via Video

12/15

SQL injection XSS

“HACKING IS A CRIMINAL OFFESE TRY IT ON YOUR OWN RISK”

ConclusionThe Top 10 cover a lot of ground, but there are many other risks you should consider and evaluate in your organization.

CREATE A REMEDIATION PLAN 1.Identify assets and risks• Obtain a full understanding of what you own• Obtain a full understanding of the risks associated with those assets.

2. Conduct a gap analysis and prioritize risks•Determine the risks (i.e. high/medium/low) to your most expensive assets and their priority

3. Planning and Execution•budget, technology, team, timeframe

4. Track, monitor, and improve the plan. •Security plans, protocols, feedback response

13/15

ReferencesA. Whitepaper on Web Application Security and the OWASP Top 10 By Jon Panella under the guidance of Sapient Nitro.

B. Open Web Application Security Project Report by OWASP.

C. OWASP Top -10 by developersWorks IBM.

14/15

15/15