Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download OWASP Education Project
Document related concepts
no text concepts found
Transcript
Why WebAppsec Matters Module (to be combined) OWASP Education Project Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org What goes Wrong? OWASP 2 Public Health Warning XSS and CSRF have evolved Any website you visit could infect your browser An infected browser can do anything you can do An infected browser can scan, infect, spread 70-90% of web applications are ‘carriers’ OWASP 3 3 Key Application Security Vulnerabilities http://www.owasp.org/index.php?title=Top_10_2007 OWASP 4 Tools – At Best 45% MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE) They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true) OWASP 5 Myth Myth: we are secure because we have a firewall 75% of Internet Vulnerabilities are at Web Application Layer * *GartnerGroup (2002 report) OWASP 6 Myth Source: Jeremiah Grossman, BlackHat 2001 OWASP 7 Myth Myth 2 - we are secure because we use SSL only secures data in transit does not solve vulnerabilities on: Web server Browser OWASP 8 Myth Source: Jeremiah Grossman, BlackHat 2001 OWASP 9 Billing Human Resrcs Directories APPLICATION ATTACK Web Services Custom Developed Application Code Legacy Systems Your security “perimeter” has huge holes at the application layer Databases Application Layer Myth Web Server Hardened OS Firewall Firewall Network Layer App Server You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks OWASP 10 What is Web Application Security? OWASP 11 Web Application Security Combination of People, Processes, and Technology to identify, measure, and manage Risk presented by COTS , open source, and custom web applications. (*) (*) Commercial Of The Shelf OWASP 12 People Processes Technology Training Awareness Guidelines Automated Testing Secure Development Application Firewalls Secure Code Review Secure Configuration Security Testing OWASP 13 Web Application (in)Security Trends OWASP 14 Trends Business demands more bells and whistles Internal applications get ‘web-enabled’ and are exposed to Intranet or Internet Increasing complexity of software Rush software out without adequate testing Poor security training and awareness OWASP 15 Vulnerabilities: OWASP top 10 (v 2007) A1: Cross site scripting (XSS) A2: Injection flaws A3: Malicious file execution A4: Insecure direct object reference A5: Cross site request forgery (CSRF) A6: Information leakage and improper error handling A7: Broken authentication and session management A8: Insecure cryptographic storage A9: Insecure communications A10: Failure to restrict URL access OWASP 16 Attacks Defacements Phishing Denial of Service Credit Card Stealing Bot Infection ... See the Web Hacking Incidents Database on http://www.webappsec.org/projects/whid/ OWASP 17
