Date posted: 13-Jul-2015 | Category: Technology | Uploaded by: owaspkerala
The OWASP Foundation http://www.owasp.org
Security of the Internet
Kerala 2014
Rajesh P, Board Member, OWASP Kerala
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify the document under the terms of the OWASP License.
Computer Security Day
Observed on November 30th
Started in 1988
Helps raise awareness of computer-related security issues
Computer Security Day Activities
• Change your password
• Update anti-virus software and check for viruses
• Clean up your computer and surroundings
• Back up your data
• Verify your inventory of computer utilities and packaged software
• Monitor event logs
• Register and pay for all commercial software that is used on your computer
Trends related to security on the Internet
- Large-scale intelligence activities targeting Internet communication
- Attempts to undermine cryptographic algorithms
- People, companies and governments intentionally introducing defects or vulnerabilities (or secret back-doors), compromising the security, trust and integrity of software and applications
Trends related to security on the Internet (continued)
- Deep Web
- Firmware
- Ransomware
- POS Malware
- Steganography
Age of Application Security
Age of Network Security
Age of Anti-Virus
• 3 out of 4 web sites are vulnerable to attacks (Source: Gartner)
• 75% of attacks are at the application layer (Source: Gartner)
• A significant percentage of sales is made via the Web (services, online shopping, self-care)
The Numbers
Cyber crime: “Second cause of economic crime experienced by the financial services sector” – PwC
“Globally, every second, 18 adults become victims of cybercrime” – Norton
US: $20.7 billion in direct losses. Globally (2012): $110,000,000,000 in direct losses.
“556 million adults across the world have first-hand experience of cybercrime – more than the entire population of the European Union.”
- Target's December 19 disclosure: 100+ million payment cards
- LoyaltyBuild's November disclosure: 1.5 million+ records
- Snapchat: 4.6 million user records
An inconvenient truth
Two weeks of ethical hacking
versus ten man-years of development
Make this more difficult: let's change the application code once a month.
Degrees of trust
Application code comes from sources with differing degrees of trust (more to less):
- COTS (commercial off the shelf)
- Outsourced development
- Sub-contractors
- Bespoke outsourced development
- Bespoke internal development
- Third-party APIs
- Third-party components and systems
You may not let some of the people who have developed your code into your offices!!
Dependencies
2012/13 study of 31 popular open source libraries:
- 19.8 million (26%) of the library downloads had known vulnerabilities
- Today's applications may use 30 or more libraries, which can make up 80% of the codebase
The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.
Participation in OWASP is free and open to all.
Everything here is free, open source and vendor neutral.
Main objectives: producing tools, standards and documentation related to web application security.
Thousands of active members, hundreds of local chapters around the world.
OWASP Mission
To make application security "visible," so that people and organizations can make informed decisions about application security risks
Making Security Visible, through…
- Documentation: Top Ten, Dev. Guide, Design Guide, Testing Guide, …
- Tools: WebGoat, WebScarab, ESAPI, CSRF Guard, Zed Attack Proxy (ZAP), …
- Working Groups: Browser Security, Industry Sectors, Education, Mobile Phone Security, Preventive Security, OWASP Governance
- Security Community and Awareness: Local Chapters, Conferences, Mailing Lists
(Diagram: Protect, Detect, Life Cycle)
Body of Knowledge
- Core Application Security Knowledge Base: Principles, Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures
- Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services
- Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review
- Managing Application Security: Guidance and Tools for Measuring and Managing Application Security
- Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
- AppSec Education and CBT: Web Based Learning Environment and Guide for Learning Application Security
- Research to Secure New Technologies: Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
Supported by the OWASP Foundation (501c3) and the OWASP Community Platform (wiki, forums, mailing lists): Projects, Chapters, AppSec Conferences
The OWASP Enterprise Security API
(Diagram, top to bottom:)
Custom Enterprise Web Application
Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Existing Enterprise Security Services/Libraries
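To show what the middle layer of that diagram looks like from the application's side, here is an added example (not from the slides or from the ESAPI project) of a servlet that routes input validation, output encoding and security logging through ESAPI instead of hand-rolling them. It assumes the ESAPI 2.x Java reference implementation on the classpath together with an ESAPI.properties file that defines the "SafeString" validation pattern; the servlet name and the "name" parameter are hypothetical.

```java
// Added example: a custom web application calling ESAPI components
// (Validator, Encoder, Logger) rather than its own ad-hoc security code.
// Assumes ESAPI 2.x and an ESAPI.properties file with Validator.SafeString defined.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.ValidationException;

public class GreetingServlet extends HttpServlet {
    // Logger component: security events go through ESAPI, not System.out.
    private static final Logger log = ESAPI.getLogger(GreetingServlet.class);

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String raw = req.getParameter("name");   // hypothetical untrusted parameter
        String name;
        try {
            // Validator component: allow-list check against the "SafeString" pattern
            // from ESAPI.properties, at most 50 characters, null not allowed.
            // Invalid input is rejected (exception), not "cleaned up".
            name = ESAPI.validator().getValidInput("name parameter", raw, "SafeString", 50, false);
        } catch (ValidationException e) {
            // Record the rejection as a security failure and stop processing.
            log.warning(Logger.SECURITY_FAILURE, "Rejected name parameter", e);
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // Encoder component: encode for the HTML context at the point of output, so
        // user-controlled data (even after validation) cannot alter page structure.
        out.println("<p>Hello, " + ESAPI.encoder().encodeForHTML(name) + "</p>");
        log.info(Logger.EVENT_SUCCESS, "Greeted a validated user name");
    }
}
```

The point of the layering is that the application never touches the underlying services directly: swapping the logging backend or tightening the SafeString pattern happens in ESAPI.properties, not in servlet code.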
Please Help OWASP Grow
Push us to do better!
Be an active contributor: stub articles, wiki contributions, new technologies to analyze
Be an OWASP member: corporate members, individual members
Please join us and share what you know!
(Pie chart: OWASP Projects by type, split between Code, Tools and Documentation, with slices of 9%, 41% and 50%)
Thank you!
[email protected]
www.facebook.com/OWASPKerala
https://www.twitter.com/owasp_kerala