Security of the Internet
Uploaded by owaspkerala, 13-Jul-2015

Transcript

The OWASP Foundation
http://www.owasp.org

Security of the Internet

Kerala 2014
Rajesh P
Board Member, OWASP Kerala

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify the document under the terms of the OWASP License

Computer Security Day
Observed on November 30th

Started in 1988 to help raise awareness of computer-related security issues

Computer Security Day Activities

• Change your password
• Update anti-virus and check for viruses
• Clean up your computer and surroundings
• Back up your data
• Verify your inventory of computer utilities and packaged software
• Monitor event logs
• Register and pay for all commercial software that is used on your computer

Trends related to Security in Internet

- Large-scale intelligence activities targeting Internet communication
- Attempts to undermine cryptographic algorithms
- People, companies and governments intentionally introducing defects or vulnerabilities (or secret back-doors), compromising the security, trust and integrity of software and applications

Trends related to Security in Internet

- Deep Web
- Firmware
- Ransomware
- POS Malware
- Steganography

The Numbers

Timeline: the age of anti-virus, the age of network security, the age of application security

• 3 out of 4 web sites are vulnerable to attacks (Source: Gartner)
• 75% of attacks are at the application layer (Source: Gartner)
• A significant share of sales is made via the Web (services, online shopping, self-care)

Cyber Crime: "Second cause of economic crime experienced by the financial services sector" – PwC

"Globally, every second, 18 adults become victims of cybercrime" – Norton

US: $20.7 billion in direct losses; globally, 2012: $110 billion ($110,000,000,000) in direct losses

"556 million adults across the world have first-hand experience of cybercrime -- more than the entire population of the European Union."

- Target's December 19 disclosure: 100+ million payment cards
- LoyaltyBuild November disclosure: 1.5 million+ records
- Snapchat: 4.6 million user records

An inconvenient truth

Two weeks of ethical hacking
versus
Ten man-years of development

Make this more difficult: let's change the application code once a month.

Application Code

- COTS (Commercial off the shelf)
- Outsourced development
- Sub-contractors
- Bespoke outsourced development
- Bespoke internal development
- Third-party APIs
- Third-party components & systems

Degrees of trust: the slide places these sources of code on a scale from more to less trust.

You may not let some of the people who have developed your code into your offices!!

Dependencies

2012/13 study of 31 popular open source libraries:

- 19.8 million (26%) of the library downloads had known vulnerabilities
- Today's applications may use 30 or more libraries, making up as much as 80% of the codebase
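The dependency problem above is what a software-composition check answers: does any pinned library version fall inside a published advisory's affected range? The following is an added example, not code from the slides or from any OWASP project (OWASP Dependency-Check does this against real NVD data). The package names, versions and advisory identifiers (`libfoo`, `ADV-SAMPLE-1`, ...) are constructed sample data, not real libraries or CVEs; the manifest format is assumed to be pip-style `name==version` lines.

```python
"""Added example (not from the slides): flag manifest entries whose pinned
version falls inside an advisory's affected range. Package names, versions and
advisory ids below are constructed sample data, not real libraries or CVEs."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version string such as '1.4.2' into a tuple of ints.
    Only the leading digits of each component are used: '2.0rc1' -> (2, 0)."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare(a: Version, b: Version) -> int:
    """Compare two versions after zero-padding, so (1, 2) == (1, 2, 0)."""
    width = max(len(a), len(b))
    a_padded = a + (0,) * (width - len(a))
    b_padded = b + (0,) * (width - len(b))
    return (a_padded > b_padded) - (a_padded < b_padded)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # constructed identifier, not a real CVE
    package: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet
    summary: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if compare(v, parse_version(self.introduced)) < 0:
            return False
        if self.fixed is None:
            return True
        return compare(v, parse_version(self.fixed)) < 0


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Parse 'name==version' lines (pip requirements style). Comments and blank
    lines are skipped; an unpinned line raises, because a version range cannot
    be checked against an advisory."""
    pinned = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency cannot be checked: {line}")
        name, version = (s.strip() for s in line.split("==", 1))
        pinned.append((name.lower(), version))
    return pinned


def find_vulnerable(manifest, advisories):
    """Return (name, version, advisory) for every pinned dependency that an
    advisory marks as affected."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv.package.lower(), []).append(adv)
    findings = []
    for name, version in manifest:
        for adv in by_package.get(name, []):
            if adv.affects(version):
                findings.append((name, version, adv))
    return findings


# Constructed sample manifest and advisory feed (hypothetical packages).
SAMPLE_MANIFEST = """
# constructed sample, not a real project
libfoo==1.4.2
libbar==2.0.0
libbaz==0.9.1
"""

SAMPLE_ADVISORIES = [
    Advisory("ADV-SAMPLE-1", "libfoo", "1.0.0", "1.4.3", "deserialization flaw"),
    Advisory("ADV-SAMPLE-2", "libbar", "1.0.0", "2.0.0", "path traversal"),
    Advisory("ADV-SAMPLE-3", "libbaz", "0.9.0", None, "auth bypass, no fix released"),
]


def vulnerable_package_names(manifest_text=SAMPLE_MANIFEST, advisories=SAMPLE_ADVISORIES):
    """Names of affected packages, in manifest order."""
    return [name for name, _, _ in find_vulnerable(parse_manifest(manifest_text), advisories)]


if __name__ == "__main__":
    for name, version, adv in find_vulnerable(parse_manifest(SAMPLE_MANIFEST), SAMPLE_ADVISORIES):
        fix = f"upgrade to >= {adv.fixed}" if adv.fixed else "no fixed version; remove or mitigate"
        print(f"{name}=={version}: {adv.advisory_id} ({adv.summary}); {fix}")
```

Two details matter in practice: the fixed version is an exclusive bound (libbar at exactly 2.0.0 is clean), and an advisory with no fixed version stays a finding no matter how far the library is upgraded, which is the case that forces a removal or mitigation decision rather than a version bump.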

The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. The OWASP Foundation is a 501(c)(3) not-for-profit charitable organization that ensures the ongoing availability and support for our work.

Participation in OWASP is free and open to all.

Everything here is free, open source and vendor neutral.

Main objectives: producing tools, standards and documentation related to web application security.

Thousands of active members, hundreds of local chapters around the world

OWASP Mission

To make application security "visible," so that people and organizations can make informed decisions about application security risks

Making Security Visible, through…

Documentation: Top Ten, Dev. Guide, Design Guide, Testing Guide, …

Tools: WebGoat, WebScarab, ESAPI, CSRF Guard, Zed Attack Proxy (ZAP), …

Working Groups: Browser Security, Industry Sectors, Education, Mobile Phone Security, Preventive Security, OWASP Governance

Security Community and Awareness: Local Chapters, Conferences, Mailing Lists

Body of Knowledge (PROTECT, DETECT, LIFE CYCLE)

- Core Application Security Knowledge Base: Principles; Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures
- Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services
- Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review
- Managing Application Security: Guidance and Tools for Measuring and Managing Application Security
- Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
- AppSec Education and CBT: Web Based Learning Environment and Guide for Learning Application Security
- Research to Secure New Technologies: Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)

Supported by: OWASP Foundation 501c3; OWASP Community Platform (wiki, forums, mailing lists); Projects; Chapters; AppSec Conferences

The OWASP Enterprise Security API

Layers (top to bottom):

- Custom Enterprise Web Application
- Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
- Existing Enterprise Security Services/Libraries
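One ESAPI component from the diagram that is easy to misunderstand is the AccessReferenceMap: the application hands the browser random, session-scoped tokens instead of database ids or file paths, and only resolves tokens it issued to that session, so an attacker cannot reach another user's object by changing an id in a URL or form. The block below is an added example of that idea in Python, not ESAPI's own (Java) code. The user names, account ids and the `ACCOUNTS_BY_USER` entitlement table are constructed sample data; the `Randomizer`-style token source is assumed to be `secrets.token_urlsafe`.

```python
"""Added example (not ESAPI's own code): an ESAPI-style AccessReferenceMap.
Direct references (database ids, file paths) never reach the client; each
session gets random indirect references, and anything the client sends back
that is not in its own map is rejected. Account ids below are constructed."""
import secrets
from typing import Dict, Iterable, Optional


class AccessReferenceMapError(LookupError):
    """The client supplied an indirect reference this session never issued."""


class RandomAccessReferenceMap:
    """One instance per authenticated session.

    Because indirect references are random and session-scoped, a client cannot
    reach another user's object by incrementing an id (an insecure direct
    object reference), nor replay a token issued to a different session."""

    def __init__(self, direct_refs: Iterable[str] = (), token_bytes: int = 12):
        self._token_bytes = token_bytes
        self._to_indirect: Dict[str, str] = {}
        self._to_direct: Dict[str, str] = {}
        for ref in direct_refs:
            self.add_direct_reference(ref)

    def add_direct_reference(self, direct: str) -> str:
        """Register a direct reference and return its indirect token (idempotent)."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        while True:  # loop only matters on a (practically impossible) collision
            indirect = secrets.token_urlsafe(self._token_bytes)
            if indirect not in self._to_direct:
                break
        self._to_indirect[direct] = indirect
        self._to_direct[indirect] = direct
        return indirect

    def remove_direct_reference(self, direct: str) -> None:
        """Forget an object so its token stops resolving (e.g. after deletion)."""
        indirect = self._to_indirect.pop(direct, None)
        if indirect is not None:
            del self._to_direct[indirect]

    def get_indirect_reference(self, direct: str) -> Optional[str]:
        """Token to embed in links/forms for this session; None if not registered."""
        return self._to_indirect.get(direct)

    def get_direct_reference(self, indirect: str) -> str:
        """Resolve a client-supplied token; unknown tokens are an error, not a lookup."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise AccessReferenceMapError("unknown or foreign reference") from None


# Constructed sample data: which account ids each user is entitled to see.
ACCOUNTS_BY_USER = {
    "alice": ["acct-1001", "acct-1002"],
    "bob": ["acct-2001"],
}


def new_session_map(user: str) -> RandomAccessReferenceMap:
    """Build the map at login from the objects the user is authorised for."""
    return RandomAccessReferenceMap(ACCOUNTS_BY_USER.get(user, []))


def handle_account_request(session_map: RandomAccessReferenceMap, client_ref: str) -> Optional[str]:
    """Server-side resolution of a client-supplied reference; None means deny."""
    try:
        return session_map.get_direct_reference(client_ref)
    except AccessReferenceMapError:
        return None


def demo() -> dict:
    alice = new_session_map("alice")
    bob = new_session_map("bob")
    token = alice.get_indirect_reference("acct-1001")
    return {
        "alice_own": handle_account_request(alice, token),                       # acct-1001
        "alice_guesses_direct_id": handle_account_request(alice, "acct-2001"),   # None
        "bob_replays_alice_token": handle_account_request(bob, token),           # None
    }
```

The map is built from the authorisation decision made at login, which is why a guessed direct id and a token stolen from another session both fail: the check is membership in this session's map, not a comparison against a predictable id scheme. The token must be unguessable, so it comes from a cryptographic random source rather than a counter or a hash of the direct reference.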

Please Help OWASP Grow

Push us to do better!

Be an active contributor: stub articles, wiki contributions, new technologies to analyze

Be an OWASP member: corporate members, individual members

Please join us and share what you know!

OWASP Projects (pie chart by type: Code, Tools, Documentation; slices of 50%, 41% and 9%)

Thank you!

[email protected]
http://www.facebook.com/OWASPKerala
https://www.twitter.com/owasp_kerala