Security Fix or Workaround

•Download as PPTX, PDF•

0 likes•2,538 views

This document summarizes the results of a security assessment of an educational application. It identifies several high and medium risk vulnerabilities found, including cross-site request forgery, cross-site scripting, weak password requirements, and improper access control. It discusses approaches taken to remediate vulnerabilities like using automated tools and fixes by the development team. It provides recommendations around prioritizing fixes, using web application firewalls as a fast fix, and ensuring security is an ongoing process rather than a single event.

Technology

Security fix or workaround:
which way to select?
Bohdan Serednytskyi, OWASP Lviv

• OWASP Lviv Chapter
• Security Consulting Team at SoftServe
We are…

Communication with client
Project Execution
Delivering Results
Consulting Dev Team in issues fixing
Usual Project Flow

Tools will solve all our problems
Clients Vision

https://www.outpost24.com/wp-content/uploads/2014/12/Picture1-1024x610.jpg
Automated Tools Effectiveness

• All application security tool vendors’ claims put
together cover only 45% of the known vulnerability
types (over 600 in CWE).
• They also found very little overlap between tools, so
to get 45% you need them all (assuming their
claims are true)
MITRE Claims

Risk Vulnerability
Critical CROSS-SITE REQUEST FORGERY (CSRF)
CROSS-SITE SCRIPTING (STORED)
High SESSION TOKEN DOES NOT CHANGE AFTER LOGIN
Medium USERLOGINID ENUMERATION
WEAK PASSWORD REQUIREMENTS
NO LOGOUT FUNCTION IMPLEMENTED
ACCOUNT ENUMERATION
IMPROPER ACCESS CONTROL
STUDENT CAN REVEAL TEACHERS LOGIN FROM SERVER RESPONSE
Low
ERROR MESSAGES REVEAL SENSITIVE INFORMATION
INTERNAL IP ADDRESS DISCLOSURE
INSUFFICIENT PASSWORD HISTORY MANAGEMENT
Remediation Status
PARTIALLY FIXED
NEED IMPROVEMENT
FIXED
FIXED
FIXED
FIXED
FIXED
FIXED
NOT FIXED
FIXED
FIXED
FIXED
Security Test Results

XSS Vulnerability Fixing
‘});alert(1)”
Initial payload
Protection implemented by Developers Team
‘});alert(1)”
‘});alert(1)”
Modified payload
‘});alert(1)”

Every security flaw is a process problem

Security vulnerabilities are “patterned”.

Security issue could be widespread
amongst all code bases.

Ensure that root cause analysis is used
Remove as many vulnerabilities of this type as is possible within
the prescribed time frame or budget
Involve Security Expert
Recommendations

Use Fast Fix Methods - WAFs
A security solution on the
web application level which
does not depend on the
application itself

•OWASP Secure Coding Practices
•OWASP Guide Project
•OWASP Enterprise Security API
•Microsoft Web Protection Library
Resources

• Patching
• Updating
• Continuous Security Monitoring
• Regular Security Tests

Thank You!
http://owasp-lviv.blogspot.com/

What's hot

ALM and DevOps in the health industry

Agile Partner S.A.

As delusions of effective risk management for application environments continue to spread, companies continue to bleed large amounts of security spending without truly knowing if the amount is warranted, effective, or even elevating security at all. In parallel, hybrid, thought-provoking security strategies are moving beyond conceptual ideas to practical applications within ripe environments. Application Threat Modeling is one of those areas that, beyond the hype, provides practical and sensible security strategy that leverages already existing security efforts for an improved threat model of what is lurking in the shadows. Tony UcedaVelez, Managing Director An experienced security management professional, Tony has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a term that describes the design and development of secure processes and controls working symbiotically to create a unique business workflow. Tony currently serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S. on the topic of application security and security process engineering.

Application Threat Modeling

Rochester Security Summit

Software Security Engineering

Marco Morana

CSSLP & OWASP & WebGoat

Surachai Chatchalermpun

Building an AppSec Team Extended Cut

Mike Spaulding

Олексій Барановський “Vulnerability assessment as part software testing process”

Dakiry

Threat Modeling to Reduce Software Security Risk

Security Innovation

This presentation discusses the importance of threat Modeling. This presentation also discusses about different ways to perform threat modeling. This threat modeling should be done during the design phase of the application development. The main aim of the threat modeling is to identify the import assets or functionalities of the application and to protect them. Threat Modeling cuts down the cost of application development as it identifies the issues during the design phase. In this presentation we also discuss about basics of Mobile Threat Modeling. This presentation mainly concentrates on STRIDE and DREAD.

Null bachav

Naga Venkata Sunil Alamuri

Hack through Injections

Nazar Tymoshyk, CEH, Ph.D.

Application Threat Modeling

Marco Morana

OWASP Top 10 Project

Muhammad Shehata

Vulnerability Ass... Penetrate What?

Jorge Orchilles

Arvind resume - Copy

arvind kumar tripathi

Secure Design: Threat Modeling

Cigital

Assess all the things

Jerod Brennen

Threat simulation and modeling training shows you the different sorts of threat modeling procedures and encourages you to apply threat modeling as a propelled preventive type of security. TONEX as a pioneer in security industry for over 15 years is presently declaring the threat simulation and modeling training which encourages you to perceive procedures, apparatuses and contextual investigations of effective threat modeling method. Threat Simulation and Modeling Training course covers a variety of topics in cybersecurity area such as: Process for attack simulation and threat analysis (PASTA) PASTA steps Common attack patter enumeration and classification (CAPEC) Threat modeling with SDLC and existing threat modeling approaches. Moreover, you will be introduced to threat analysis, weakens and vulnerability analysis, attack modeling and simulation, and residual risk analysis and management. Learn About: PASTA, objectives of risk analysis, risk centric threat modeling, and weakness and vulnerability analysis basics. Common attack pattern enumeration such as: HTTP response splitting, SQL injection, XSS strings, phishing, buffer overflow, authentication protocol attacks or even cache poisoning. Threat analysis approaches and principles to give you the step by step straight forward methodology to conduct the threat modeling and analysis. Moreover, a detailed introduction of existing threat modeling approaches are included in the course. Examples of such approaches can be: CVSS, CERT, DREAD, and SDL threat modeling. Who Can Benefit from Threat Simulation and Modeling Training ? If you are an IT professional who specialize in computer security, you will benefit the presentations, examples, case studies, discussions, and individual activities upon the completion of threat simulation and modeling training and will prepare yourself for your career. Threat Simulation and Modeling Training Features : Threat simulation and modeling training will introduce a set of labs, workshops and group activities of real world case studies in order to prepare you to tackle all the related computer threat challenges. Our instructors at TONEX will help you to understand the step by step procedure for attack simulation and modeling such as enumerating the attack vector, assessing the probability of attacks, attack driven security tests or attack library update Learn more about course audience, course objectives, course outline, workshop pricing, etc. Threat Simulation and Modeling Training https://www.tonex.com/training-courses/threat-simulation-and-modeling-training/

Threat Simulation and Modeling Training

Bryan Len

resume _jayendra Kadam

Jayendra Kadam

Your Datacenter at risk? – Patching for the Datacenter

Ivanti

SC Application Stack

Paul Worrall

Common Sense Security Framework

Jerod Brennen

What's hot (20)

ALM and DevOps in the health industry

Application Threat Modeling

Software Security Engineering

CSSLP & OWASP & WebGoat

Building an AppSec Team Extended Cut

Олексій Барановський “Vulnerability assessment as part software testing process”

Threat Modeling to Reduce Software Security Risk

Null bachav

Hack through Injections

Application Threat Modeling

OWASP Top 10 Project

Vulnerability Ass... Penetrate What?

Arvind resume - Copy

Secure Design: Threat Modeling

Assess all the things

Threat Simulation and Modeling Training

resume _jayendra Kadam

Your Datacenter at risk? – Patching for the Datacenter

SC Application Stack

Common Sense Security Framework

Similar to Security Fix or Workaround

Lviv IT Arena is a conference specially designed for programmers, designers, developers, top managers, inverstors, entrepreneur and startuppers. Annually it takes place on 2-4 of October in Lviv at the Arena Lviv stadium. In 2015 conference gathered more than 1400 participants and over 100 speakers from companies like Facebook. FitBit, Mail.ru, HP, Epson and IBM. More details about conference at itarene.lviv.ua.

Security as a New Metric for Your Business, Product and Development Lifecycle...

IT Arena

Security as a new metric for Business, Product and Development Lifecycle

Nazar Tymoshyk, CEH, Ph.D.

Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.

Vulnerability Management In An Application Security World: AppSecDC

Denim Group

Website Security Service.pdf

Briskinfosec Technology and Consulting

A fluid and effective Vulnerability Management Framework, a core pillar in most Enterprise Security Architectures (ESA), remains a continual challenge to most organizations. Ask any of the major breach targets of the past several years. This talk takes the recent OWASP Application Security Verification Standard (ASVS) 2014 framework and applies it to Enterprise Vulnerability Management in an attempt to make a clearly complicated yet necessary part of your organization's ESA much more manageable, effective and efficient with feasible recommendations based on your business' needs.

Enterprise Class Vulnerability Management Like A Boss

rbrockway

2016 06 03_threat_mgmt like a boss

rbrockway

One of the reasons application security is so challenging to address is that it spans multiple teams within an organization. Development teams build software, security testing teams find vulnerabilities, security operations staff manage applications in production and IT audit organizations make sure that the resulting software meets compliance and governance requirements. In addition, each team has a different toolbox they use to meet their goals, ranging from scanning tools, defect trackers, Integrated Development Environments (IDEs), WAFs and GRC systems. Unfortunately, in most organizations the interactions between these teams is often strained and the flow of data between these disparate tools and systems is non-existent or tediously implemented manually. In today’s presentation, we will demonstrate how leading organizations are breaking down these barriers between teams and better integrating their disparate tools to enable the flow of application security data between silos to accelerate and simplify their remediation efforts. At the same time, we will show how to collect the proper data to measure the performance and illustrate the improvement of the software security program. The challenges that need to be overcome to enable teams and tools to work seamlessly with one another will be enumerated individually. Team and tool interaction patterns will also be outlined that reduce the friction that will arise while addressing application security risks. Using open source products such as OWASP ZAP, ThreadFix, Bugzilla and Eclipse, a significant amount of time will also be spent demonstrating the kinds of interactions that need to be enabled between tools. This will provide attendees with practical examples on how to replicate a powerful, integrated Application Security program within their own organizations. In addition, how to gather program-wide metrics and regularly calculate measurements such as mean-time-to-fix will also be demonstrated to enable attendees to monitor and ensure the continuing health and performance of their Application Security program.

Building Your Application Security Data Hub - OWASP AppSecUSA

Denim Group

Far too often application security decisions are made in an ad hoc manner and based on little or no data. This leads to an inefficient allocation of scarce resources. To move beyond fear, uncertainty and doubt, organizations must adopt an approach to application risk management based on a structured process and quantitative data. This presentation outlines such an approach for organizations to enumerate all the applications in their portfolio. It then goes through background information to collect for each application to support further decision-making. In addition, the presentation lays out an application risk-ranking framework allowing security analysts to quantitatively categorize their application assets and then plan for assessment activities based on available budgets. This provides the knowledge and tools required for them to use the approach on the applications they are responsible for in their organization. Please email dan _at_ denimgroup dot com for a template spreadsheet and a how-to guide.

Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers

Denim Group

Application Whitelisting - Complementing Threat centric with Trust centric se...

Osama Salah

ThreadFix is an open source application vulnerability management system that helps automate many common application security tasks and integrate security and development tools. This tutorial will walk through the capabilities of the ecosystem of ThreadFix applications, showing how ThreadFix can be used to: •Manage a risk-ranked application portfolio •Consolidate, normalize and de-duplicate the results of DAST, SAST and other application security testing activities and track these results over time to produce trending and mean-time-to-fix reporting •Convert application vulnerabilities into software defects in developer issue tracking systems •Pre-seed DAST scanners such as OWASP ZAP with application attack surface data to allow for better scan coverage •Instrument developer Continuous Integration (CI) systems such as Jenkins to automatically collect security test data •Map the results of DAST and SAST scanning into developer IDEs The presentation walks through these scenarios and demonstrates how ThreadFix, along with other open source tools, can be used to address common problems faced by teams implementing software security programs. It will also provide insight into the ThreadFix development roadmap and upcoming enhancements.

Managing Your Application Security Program with the ThreadFix Ecosystem

Denim Group

Outpost24 webinar - Demystifying Web Application Security with Attack Surface...

Outpost24

VRX_ Presentation 2023 (1).pptx

channelnext21

Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode

Digital Defense Inc

EISA Considerations for Web Application Security

Larry Ball

Fendley how secure is your e learning

Bryan Fendley

Appsec2013 presentation-dickson final-with_all_final_edits

drewz lin

V-Empower Services And Solutions

guest609a5ed

V-Empower Services And Solutions

Hannan Ahmed

App Security? There’s a metric for that! (Part 1 of 2) Over the past year, NetSPI has been working on a new approach to manage and measure application security. By combining OWASP’s Software Assurance Maturity Model, traditional risk assessment methodologies, and experience developing security metrics, NetSPI developed a methodology that may be used to help organizations improve the way they manage and prioritize their application security initiatives. Once fully developed, this approach will be donated to OWASP either as an add-on to the existing SAMM project or as a new project intended to improve application security management. In this presentation, NetSPI provides a detailed walk-through of the overall methodology as well as OWASP’s SAMM project. We provide examples of the types of metrics and executive dashboards that can be generated by using this approach to managing application security and help highlight various ways this information can be used to further improve the overall maturity of application security programs. Be sure to check out Part 2 of this presentation for a more "Hands On" approach. http://www.slideshare.net/NetSPI/application-risk-prioritizationhandsonsecure360part2of2

Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2

NetSPI

The Amazon Web Services (AWS) cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. However, because you’re building systems on top of the AWS cloud infrastructure, the security responsibilities will be shared: AWS has secured the underlying infrastructure and you must secure anything you put on the infrastructure. Alert Logic has more than a decade of experience implementing cloud solutions that are secure, flexible and designed to work with hosting and cloud service providers. In this webinar, you'll learn from Alert Logic strategies for making this shared security model work for your web applications. The webinar includes a live demo of Alert Logic Web Security Manager. In this webinar, you’ll learn: - How to access Alert Logic Web Security Manager via AWS Marketplace for the quickest and easiest path to web application protection - How to integrate web application security in your AWS environment - An attractive approach to auto scaling web security

AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...

Amazon Web Services

Similar to Security Fix or Workaround (20)

Security as a New Metric for Your Business, Product and Development Lifecycle...

Security as a new metric for Business, Product and Development Lifecycle

Vulnerability Management In An Application Security World: AppSecDC

Website Security Service.pdf

Enterprise Class Vulnerability Management Like A Boss

2016 06 03_threat_mgmt like a boss

Building Your Application Security Data Hub - OWASP AppSecUSA

Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers

Application Whitelisting - Complementing Threat centric with Trust centric se...

Managing Your Application Security Program with the ThreadFix Ecosystem

Outpost24 webinar - Demystifying Web Application Security with Attack Surface...

VRX_ Presentation 2023 (1).pptx

Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode

EISA Considerations for Web Application Security

Fendley how secure is your e learning

Appsec2013 presentation-dickson final-with_all_final_edits

V-Empower Services And Solutions

Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2

AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...

Recently uploaded

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

DBX First Quarter 2024 Investor Presentation

Dropbox

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

Discover the innovative features and strategic vision that keep WSO2 an industry leader. Explore the exciting 2024 roadmap of WSO2 API management, showcasing innovations, unified APIM/APK control plane, natural language API interaction, and cloud native agility. Discover how open source solutions, microservices architecture, and cloud native technologies unlock seamless API management in today's dynamic landscapes. Leave with a clear blueprint to revolutionize your API journey and achieve industry success!

WSO2's API Vision: Unifying Control, Empowering Developers

WSO2

Exploring Multimodal Embeddings with Milvus

Zilliz

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

ICT role in 21st century education and its challenges

rafiqahmad00786416

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Mcleodganj Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Mcleodganj Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Mcleodganj Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Bhuvaneswari Subramani

Recently uploaded (20)

Platformless Horizons for Digital Adaptability

DBX First Quarter 2024 Investor Presentation

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

AWS Community Day CPH - Three problems of Terraform

Apidays New York 2024 - The value of a flexible API Management solution for O...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Corporate and higher education May webinar.pptx

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

How to Troubleshoot Apps for the Modern Connected Worker

Introduction to Multilingual Retrieval Augmented Generation (RAG)

WSO2's API Vision: Unifying Control, Empowering Developers

Exploring Multimodal Embeddings with Milvus

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

ICT role in 21st century education and its challenges

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

CNIC Information System with Pakdata Cf In Pakistan

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Security Fix or Workaround

1. Security fix or workaround: which way to select? Bohdan Serednytskyi, OWASP Lviv

2. • OWASP Lviv Chapter • Security Consulting Team at SoftServe We are…

3. Communication with client Project Execution Delivering Results Consulting Dev Team in issues fixing Usual Project Flow

4. Tools will solve all our problems Clients Vision

5. https://www.outpost24.com/wp-content/uploads/2014/12/Picture1-1024x610.jpg Automated Tools Effectiveness

6. • All application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE). • They also found very little overlap between tools, so to get 45% you need them all (assuming their claims are true) MITRE Claims

7. Case with One Educational Application

8. Risk Vulnerability Critical CROSS-SITE REQUEST FORGERY (CSRF) CROSS-SITE SCRIPTING (STORED) High SESSION TOKEN DOES NOT CHANGE AFTER LOGIN Medium USERLOGINID ENUMERATION WEAK PASSWORD REQUIREMENTS NO LOGOUT FUNCTION IMPLEMENTED ACCOUNT ENUMERATION IMPROPER ACCESS CONTROL STUDENT CAN REVEAL TEACHERS LOGIN FROM SERVER RESPONSE Low ERROR MESSAGES REVEAL SENSITIVE INFORMATION INTERNAL IP ADDRESS DISCLOSURE INSUFFICIENT PASSWORD HISTORY MANAGEMENT Remediation Status PARTIALLY FIXED NEED IMPROVEMENT FIXED FIXED FIXED FIXED FIXED FIXED NOT FIXED FIXED FIXED FIXED Security Test Results

9. XSS Vulnerability Fixing ‘});alert(1)” Initial payload Protection implemented by Developers Team ‘});alert(1)” ‘});alert(1)” Modified payload ‘});alert(1)”

10. CSRF and Information Leakage Fixing

11. Best Practices

12. Every security flaw is a process problem

13. Security vulnerabilities are “patterned”.

14. Security issue could be widespread amongst all code bases.

15. Ensure that root cause analysis is used Remove as many vulnerabilities of this type as is possible within the prescribed time frame or budget Involve Security Expert Recommendations

16. Use Fast Fix Methods - WAFs A security solution on the web application level which does not depend on the application itself

17. Security Expert is not a Developer

18. •OWASP Secure Coding Practices •OWASP Guide Project •OWASP Enterprise Security API •Microsoft Web Protection Library Resources

19. Security is a Journey Not a Destination

20. • Patching • Updating • Continuous Security Monitoring • Regular Security Tests

21. Questions?

22. Thank You! http://owasp-lviv.blogspot.com/

Security Fix or Workaround

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Security Fix or Workaround

Similar to Security Fix or Workaround (20)

Recently uploaded

Recently uploaded (20)

Security Fix or Workaround