Finding and Fighting the Causes of Insecure Applications

Page 1

Copyright © 2007 - The OWASP Foundation. This work is available under the Creative Commons SA 2.5 license.

The OWASP Foundation

OWASP

http://www.owasp.org

Finding and Fighting the Causes of Insecure Applications

Jeff Williams, OWASP Chair, [email protected]

New York/New Jersey Chapter Meeting, June 12, 2007

Page 2

Public Health Warning

XSS and CSRF have evolved

Any website you visit could infect your browser

An infected browser can do anything you can do

An infected browser can scan, infect, spread

70-90% of web applications are ‘carriers’

Page 3

Key Application Security Vulnerabilities

http://www.owasp.org/index.php?title=Top_10_2007

Page 4

Tools – At Best 45%

MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE)

They found very little overlap between tools, so reaching even 45% requires using all of them (assuming the vendors' claims are true).

Page 5

OWASP Knowledge and Tools

Core Application Security Knowledge Base

Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services

Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review

Managing Application Security: Guidance and Tools for Measuring and Managing Application Security

Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues

AppSec Education and CBT: Web Based Learning Environment and Education Project

Research to Secure New Technologies: Research Projects on Securing New Technologies (like Web Services & Ajax)

Page 6

OWASP Community Platform

OWASP Foundation 501c3 (finances, legal, infrastructure, communications)

OWASP Community Platform (wiki, forums, mailing lists, leaders)

Projects (tools and documentation), Chapters, AppSec Conferences

Page 7

OWASP Projects Are Alive!

(Timeline: 2001, 2003, 2005, 2007, 2009 …)

Page 8

www.owasp.org (our wiki)

Page 9

OWASP by the Numbers

420,000 page views per month
15,000 downloads per month (SF alone)
10,000 members on mailing lists
2,600 wiki users
1,500 wiki updates per month
89 chapters worldwide
75 individual memberships
38 tool and documentation projects
28 corporate/educational memberships
25 new projects funded through Spring of Code
0 employees

Page 10

How Can You Help?

Update the wiki!

Share!

Push us to do better!

Become a member

Page 11

Thank You for Supporting OWASP!
