OWASP, the Life and the Universe
CLUSIR-EST - Strasbourg
6th June 2013
Sébastien Gioria
Sebastien.Gioria@owasp.org
Chapter Leader OWASP France
Thursday, June 6, 13
http://www.google.fr/#q=sebastien gioria
‣ OWASP France Leader & Founder & Evangelist
‣ Application Security freelance consultant
‣ Twitter: @SPoint
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life.
Agenda
• Application Security:
– where we are (no bullshit)
– where we are (hopefully) going?
• Open Web Application Security Project?
• Update on OWASP Top10 (2013 version) and major projects
Why Application Security?
Has your application been hacked?
– NO: your application will be hacked ;)
– YES: "my application will be hacked!"
Either way, let me take you on the right way. Next step.
Game 1: What's this? (picture)
Game 2: What's this? (picture)
Game 3: What's this? (picture)
Game 4: What's this? (picture)
Game Over....
• Do you have a VoIP phone?
• Do you have an IP router / broadband box?
• Do you have a smartphone?
• Do you have customers / partners over the Internet?
Anything else?
Why Application Security?
We are living in a Digital environment, in a Connected World
• Most websites are vulnerable to attacks
• A large share of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...)
Age of Antivirus → Age of Network Security → Age of Application Security
(c) WhiteHatSecurity 2013 (two chart slides)
OWASP? The Open Web Application Security Project
OWASP: Swarms of WASPs: Local Chapters
What is OWASP
Mission Driven
Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services
What is OWASP
Community Driven
30,000 mailing list participants
200 active chapters in 70 countries
1600+ members, 56 corporate supporters
Around the World
200 Chapters, 1,600+ Members, 20,000+ Builders, Breakers and Defenders
What is OWASP
Quality Resources
200+ Projects
15,000+ downloads of tools, documentation
Breakdown (pie chart): Documentation 50%, Tools and Code sharing the rest (40% / 10%)
Security Lifecycle (diagram)
Security Resources (diagram)
TOP 10 WEB APPLICATION SECURITY RISKS
The OWASP Top Ten (2010 version, soon to be updated)
A1: Injection
A2: Cross Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Unvalidated Redirects and Forwards
A9: Insecure Cryptographic Storage
A10: Insufficient Transport Layer Protection
NEWS
A BLOG
A PODCAST
MEMBERSHIPS
MAILING LISTS
A NEWSLETTER
APPLE APP STORE
VIDEO TUTORIALS
TRAINING SESSIONS
SOCIAL NETWORKING
7 Global Committees
All over the world (world map)
OWASP Projects
Cheat Sheets
Developer Cheat Sheets
§ OWASP Top Ten Cheat Sheet
§ Authentication Cheat Sheet
§ Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
§ Cryptographic Storage Cheat Sheet
§ Input Validation Cheat Sheet
§ XSS (Cross Site Scripting) Prevention Cheat Sheet
§ DOM based XSS Prevention Cheat Sheet
§ Forgot Password Cheat Sheet
§ Query Parameterization Cheat Sheet
§ SQL Injection Prevention Cheat Sheet
§ Session Management Cheat Sheet
§ HTML5 Security Cheat Sheet
§ Transport Layer Protection Cheat Sheet
§ Web Service Security Cheat Sheet
§ Logging Cheat Sheet
§ JAAS Cheat Sheet
Mobile Cheat Sheets
§ iOS Developer Cheat Sheet
§ Mobile Jailbreaking Cheat Sheet
Draft Cheat Sheets
§ Access Control Cheat Sheet
§ REST Security Cheat Sheet
§ Abridged XSS Prevention Cheat Sheet
§ PHP Security Cheat Sheet
§ Password Storage Cheat Sheet
§ Secure Coding Cheat Sheet
§ Threat Modeling Cheat Sheet
§ Clickjacking Cheat Sheet
§ Virtual Patching Cheat Sheet
§ Secure SDLC Cheat Sheet
§ Web Application Security Testing Cheat Sheet
§ Application Security Architecture Cheat Sheet
Enterprise Security API (for Reboot)
Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org
Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
AntiSamy
Project Leader: Jason Li, jason.li@owasp.org
Purpose: An HTML validation tool and API to safely and gracefully handle rich HTML input, ensuring user-supplied HTML/CSS complies with an application's rules.
https://www.owasp.org/index.php/AntiSamy
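The kind of rule set AntiSamy applies, as an added example that is not AntiSamy's own code (AntiSamy is a Java library driven by XML policy files): a Python allowlist sanitizer that keeps only policy-approved tags and attributes, drops script/style with their content, and rejects non-http(s) link targets. The tag/attribute policy, the URL scheme rule and the sample inputs are assumptions chosen for this demo.

```python
import html
from html.parser import HTMLParser

# Assumed policy for the example: which tags survive and which attributes each may carry.
# AntiSamy reads such rules from an XML policy file; this dict is a hand-written stand-in.
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}                          # never get a closing tag
DROP_CONTENT_TAGS = {"script", "style"}     # the tag AND its text are removed
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


def safe_href(value):
    """Allow http(s)/mailto and scheme-less relative URLs; reject javascript:, data:, ..."""
    v = value.strip().lower()
    if v.startswith(SAFE_URL_PREFIXES):
        return True
    return ":" not in v


class PolicySanitizer(HTMLParser):
    """Re-serialises only what the policy allows; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allowed tags currently open, so output stays well formed
        self.drop_depth = 0     # > 0 while inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return              # unknown tag is removed, its text content is kept
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_TAGS[tag]:
                continue        # onclick, style, class, ... are silently dropped
            if name == "href" and not safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        while self.open_tags:   # close anything still open inside it, keeps nesting valid
            t = self.open_tags.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:   # unclosed tags in the input are closed for the caller
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    parser = PolicySanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: an event handler, an inline script and a javascript: URL.
    print(sanitize('<p onclick="steal()">Hi <b>there</b><script>alert(1)</script></p>'))
    print(sanitize('<a href="javascript:alert(1)" title="t">click</a> <img src=x onerror=alert(1)>'))
```

The policy is deliberately a positive list: anything not named is removed, which is why new attack vectors (a tag or attribute the author never thought of) fail closed instead of open. A real deployment would also cap nesting depth and total length, which the example omits.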
Guides (for Reboot)
Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services
Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls
Testing Guide: understand the what, why, when, where, and how of testing web applications
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
Zed Attack Proxy (for Reboot)
Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com
Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications.
Last Release: ZAP 2.0.0 (30 Jan 2013)
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
AppSensor: Create attack-aware applications
Project Leader(s): Michael Coates, John Melton, Colin Watson
Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application.
Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc)
https://www.owasp.org/index.php/AppSensor
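The detection-point / threshold / automated-response loop the slide describes, as an added example that is not code from the AppSensor project (whose reference implementation is in Java): a small Python sensor run over a constructed application log. The detection point IDs borrow AppSensor's category prefixes (AE authentication, IE input, ACE access control), but the thresholds, windows, responses, event names and log format are assumptions made for this demo.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectionPoint:
    """One detection point: what to count, how many in what window, and what to do then."""
    id: str
    description: str
    threshold: int      # occurrences needed within the window
    window_s: int       # sliding window, in seconds
    response: str       # automated response once the threshold is reached


# Assumed policy for the example (IDs in the spirit of AppSensor's categories).
POLICY = {
    "AE": DetectionPoint("AE", "failed login for the same account", 5, 300, "lock_account"),
    "IE": DetectionPoint("IE", "hidden form field modified by the client", 1, 3600, "terminate_session"),
    "ACE": DetectionPoint("ACE", "request for another user's object id", 3, 3600, "disable_user"),
}

# Maps application event names (as written to the log) to the detection point they feed.
EVENT_TO_DP = {
    "login_failed": "AE",
    "hidden_field_tampered": "IE",
    "idor_attempt": "ACE",
}


class AppSensor:
    """Counts suspicious events per (user, detection point); responds when a threshold is hit."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.events = defaultdict(deque)   # (user, dp_id) -> timestamps inside the window
        self.responses = []                # (ts, user, dp_id, response)

    def record(self, user, dp_id, ts):
        dp = self.policy[dp_id]
        window = self.events[(user, dp_id)]
        window.append(ts)
        while ts - window[0] > dp.window_s:    # forget events that fell out of the window
            window.popleft()
        if len(window) >= dp.threshold:
            window.clear()                     # reset so one burst triggers one response
            self.responses.append((ts, user, dp_id, dp.response))
            return dp.response
        return None


def parse_line(line):
    """'t=100 user=alice event=login_failed' -> {'t': 100, 'user': 'alice', 'event': ...}"""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["t"] = int(fields["t"])
    return fields


def run(log_lines, sensor=None):
    """Feed log lines to the sensor; returns the list of responses taken, in order."""
    sensor = sensor or AppSensor()
    for line in log_lines:
        rec = parse_line(line)
        dp_id = EVENT_TO_DP.get(rec["event"])
        if dp_id:                               # benign events are not detection points
            sensor.record(rec["user"], dp_id, rec["t"])
    return sensor.responses


# Constructed application log for the demo (not real data); t is seconds.
SAMPLE_LOG = [
    "t=100 user=alice event=login_failed",
    "t=110 user=alice event=login_failed",
    "t=115 user=dave event=login_failed",
    "t=120 user=alice event=login_failed",
    "t=130 user=alice event=login_failed",
    "t=140 user=bob event=hidden_field_tampered",
    "t=150 user=alice event=login_ok",
    "t=160 user=alice event=login_failed",
    "t=200 user=carol event=idor_attempt",
    "t=210 user=carol event=idor_attempt",
    "t=900 user=dave event=login_failed",
    "t=3000 user=carol event=idor_attempt",
]

if __name__ == "__main__":
    for ts, user, dp_id, response in run(SAMPLE_LOG):
        print(f"t={ts} {user}: {dp_id} -> {response}")
```

The point the slide makes and the code shows: the application itself knows that a modified hidden field or a third request for someone else's record is never legitimate, so it can react immediately and per user, where a network IDS would only see ordinary HTTP. Dave's two failed logins, 13 minutes apart, stay below threshold and produce no response.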
Cloud Top10 Project
Project Leader: Vinay Bansal, Vinaykbansal@gmail.com
Purpose: Develop and maintain a list of Top 10 Security Risks faced with the Cloud Computing and SaaS models. Serve as a quick list of top risks with Cloud adoption, and provide guidelines on mitigating the risks.
Deliverables
- Cloud Top 10 Security Risks (Draft expected for early 2013)
https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project
Cloud Top10 Security Risks
• R1. Accountability & Data Risk
• R2. User Identity Federation
• R3. Legal & Regulatory Compliance
• R4. Business Continuity & Resiliency
• R5. User Privacy & Secondary Usage of Data
• R6. Service & Data Integration
• R7. Multi-tenancy & Physical Security
• R8. Incidence Analysis & Forensics
• R9. Infrastructure Security
• R10. Non-production Environment Exposure
Mobile Security Project (for Reboot)
Project Leader: Jack Mannino, Jack@nvisiumsecurity.com
Purpose: Establish an OWASP Top 10 Mobile Risks. Intended to be platform-agnostic. Focused on areas of risk rather than individual vulnerabilities.
Deliverables
- Top 10 Mobile Risks (currently Release Candidate v1.0)
- Top 10 Mobile Controls (OWASP/ENISA Collaboration)
- OWASP Wiki, 'Smartphone Secure Development Guidelines' (ENISA)
- Mobile Cheat Sheet Series
- OWASP GoatDroid Project
- OWASP Mobile Threat Model Project
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Top 10 Mobile Risks
• M1. Insecure Data Storage
• M2. Weak Server Side Controls
• M3. Insufficient Transport Layer Protection
• M4. Client Side Injection
• M5. Poor Authorization and Authentication
• M6. Improper Session Handling
• M7. Security Decisions via Untrusted Inputs
• M8. Side Channel Data Leakage
• M9. Broken Cryptography
• M10. Sensitive Information Disclosure
Threat Modeling Project
Project Leader: Anurag "Archie" Agarwal, anurag.agarwal@owasp.org
Purpose: Establish a single and inclusive software-centric OWASP Threat Modeling Methodology, addressing vulnerability in client and web application-level services over the Internet.
Deliverables (1st Draft expected for end of 2012 / early 2013)
- An OWASP Threat Modeling methodology
- A glossary of threat modeling terms
https://www.owasp.org/index.php/OWASP_Threat_Modelling_Project
The OWASP Secure Software Contract Annex
Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered.
CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to.
OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed.
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
Projects Reboot 2012
Refresh, revitalize & update Projects, rewrite & complete Guides or Tools.
https://www.owasp.org/index.php/Projects_Reboot_2012
Current Submissions
• OWASP Application Security Guide For CISOs - Selected for Reboot
• OWASP Development Guide - Selected for Reboot
• Zed Attack Proxy - Selected for Reboot
• OWASP WebGoat
• OWASP AppSensor
• OWASP Mobile Project - Selected for Reboot
• OWASP Portuguese Language Project
• OWASP_Application_Testing_guide_v4
• OWASP ESAPI
• OWASP Eliminate Vulnerable Code Project
• OWASP_Code_Review_Guide_Reboot
Projects selected via first round of review
1. OWASP Development Guide: Funding Amount: $5000 initial funding
2. OWASP CISO Guide: Funding Amount: $5000 initial funding
3. OWASP Zed Attack Proxy: Funding Amount: $5000 initial funding
4. OWASP Mobile Project: Funding Amount: $5000 initial funding
Ongoing discussions about the Code Review and the Testing Guides
OWASP Top10 2013
• Final publication OWASP Top10 2013
– Very, very soon.
• French translation done
• Not a lot of new things.
Top10 2013 – RC1
A1: Injection
A2: Broken authentication and session management
A3: Cross Site Scripting (XSS)
A4: Insecure direct object references
A5: Security misconfiguration
A6: Sensitive data exposure
A7: Missing function level access control
A8: Cross Site Request Forgery (CSRF)
A9: Using components with known vulnerabilities
A10: Unvalidated redirects and forwards
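A1 Injection heads both the 2010 and the 2013 list. As an added example that is not from the deck or from OWASP, the classic case in Python: a login query assembled by string formatting next to the parameterized form the Query Parameterization / SQL Injection Prevention cheat sheets recommend, run against an in-memory SQLite database. The table, the accounts and the attack string are constructed for the demo.

```python
import sqlite3


def make_db():
    """In-memory demo database. Passwords are stored in clear only to keep the example short;
    a real application stores a salted hash (see the Password Storage Cheat Sheet)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret-Adm1n"), ("alice", "correct horse")])
    return conn


def login_vulnerable(conn, name, password):
    """A1 Injection: user input is pasted into the SQL text, so it can rewrite the query."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    """Fix: placeholders keep the query structure fixed; the input is only ever data."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Constructed attack string: closes the password literal and appends an always-true clause,
# turning the WHERE into (name = 'admin' AND password = '') OR '1'='1'.
BYPASS = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass:    ", login_vulnerable(conn, "admin", BYPASS))      # True
    print("parameterized, bypass: ", login_parameterized(conn, "admin", BYPASS))   # False
    print("parameterized, real pw:", login_parameterized(conn, "admin", "s3cret-Adm1n"))  # True
```

The parameterized version does not need to know what characters are dangerous: the driver sends the query text and the values separately, so `' OR '1'='1` is simply a password nobody has. Escaping quotes by hand is the fragile alternative the cheat sheets steer away from.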
OWASP News
• New projects:
– OWASP SCADA Project
– OWASP OpenStack Security Project
Dates
• RSSIA Bordeaux: 21 June
– OWASP Top10 2013 in practice
• OWASP EU Tour 2013:
– 24 June - Sophia Antipolis
– 25 June - Geneva
• Java User Group Poitou Charentes: 27 June
– Secure Coding for Java
• AppSec Research Europe 2013: 20-23 August, Hamburg, Germany
• OWASP Benelux: 28-29 November 2013
Supporting OWASP
• Several options:
– Individual member: $50
– Corporate member: $5000
– Free donation
• Supporting only the France chapter:
– Single Meeting supporter
• Offer us a meeting room!
• Take part with a talk or otherwise!
• Simple donation
– Local Chapter supporter:
• $500 to $2000
Next meetings
• September 2013
– Venue: Mozilla Center Paris
– Speakers:
• Security on Firefox OS
• To be defined
• November 2013
– Venue: to be defined
– Speaker: to be defined
License

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 

Último (20)

ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

OWASP, the life and the universe

  • 1. OWASP, the Life and the Universe. CLUSIR-EST - Strasbourg, 6th June 2013. Sébastien Gioria, Sebastien.Gioria@owasp.org, Chapter Leader OWASP France. Thursday, June 6, 13
  • 2. http://www.google.fr/#q=sebastien gioria ‣ OWASP France Leader & Founder & Evangelist ‣ Application Security freelance consultant. Twitter: @SPoint ‣ Application Security group leader for the CLUSIF ‣ Proud father of young kids trying to hack my digital life.
  • 3. Agenda • Application Security: where we are (no bullshit); where we are (hopefully) going? • Open Web Application Security Project? • Update on OWASP Top10 (2013 version) and major projects
  • 4.-13. Why Application Security? (one slide built up step by step across slides 4 to 13). Flowchart nodes: Has your application been hacked? (YES / NO); Your application will be hacked ;) (YES / NO); My application will be hacked!; Let me take you on the right way; Next Step
  • 14. Game: What's this?
  • 15. Game 2: What's this?
  • 16.-17. Game 3: What's this?
  • 18. Game 4: What's this?
  • 19. Game over... • Do you have a VoIP phone? • Do you have an IP router / broadband box? • Do you have a smartphone? • Do you have customers / partners over the Internet?
  • 20. Anything else?
  • 21. We are living in a digital environment, in a connected world. - Most websites are vulnerable to attacks. - An important % of business is web-based (services, online store, self-care, telcos, SCADA, ...). Why Application Security? Age of Antivirus, Age of Network Security, Age of Application Security.
  • 24. OWASP? The Open Web Application Security Project. OWASP: Swarms of WASPs: Local Chapters
  • 25. What is OWASP: Mission Driven. Nonprofit | World Wide | Unbiased. OWASP does not endorse or recommend commercial products or services.
  • 26. What is OWASP: Community Driven. 30,000 mail list participants; 200 active chapters in 70 countries; 1600+ members, 56 corporate supporters.
  • 27. Around the World: 200 chapters, 1,600+ members, 20,000+ builders, breakers and defenders.
  • 28. What is OWASP: Quality Resources. 200+ projects; 15,000+ downloads of tools and documentation.
  • 32. The OWASP Top Ten: Top 10 Web Application Security Risks
  • 33. The OWASP Top Ten: Top 10 Web Application Security Risks. A1: Injection; A2: Cross Site Scripting; A3: Broken Authentication; A4: Insecure Direct Object References; A5: Cross Site Request Forgery; A6: Security Misconfiguration; A7: Failure to Restrict URL Access; A8: Unvalidated Redirects and Forwards; A9: Insecure Cryptographic Storage; A10: Insufficient Transport Layer Protection
  • 34. The OWASP Top Ten: the same list as slide 33, flagged "2010 Version! Soon updated".
  • 35. News, a blog, a podcast, memberships, mailing lists, a newsletter, Apple App Store, video tutorials, training sessions, social networking
  • 37. All over the world
  • 39. Cheat Sheets. Developer Cheat Sheets: OWASP Top Ten; Authentication; Cross-Site Request Forgery (CSRF) Prevention; Cryptographic Storage; Input Validation; XSS (Cross Site Scripting) Prevention; DOM based XSS Prevention; Forgot Password; Query Parameterization; SQL Injection Prevention; Session Management; HTML5 Security; Transport Layer Protection; Web Service Security; Logging; JAAS. Mobile Cheat Sheets: IOS Developer; Mobile Jailbreaking. Draft Cheat Sheets: Access Control; REST Security; Abridged XSS Prevention; PHP Security; Password Storage; Secure Coding; Threat Modeling; Clickjacking; Virtual Patching; Secure SDLC; Web Application Security Testing; Application Security Architecture.
  • 40. Enterprise Security API (for Reboot). Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org. Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
  • 41. AntiSamy. Project Leader: Jason Li, jason.li@owasp.org. Purpose: An HTML validation tool and API to safely and gracefully handle rich HTML input, ensuring that user-supplied HTML/CSS complies with an application's rules. https://www.owasp.org/index.php/AntiSamy
  • 42. Guides (for Reboot). Development Guide: comprehensive manual for designing, developing and deploying secure web applications and web services. Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls. Testing Guide: understand the what, why, when, where, and how of testing web applications. https://www.owasp.org/index.php/Category:OWASP_Guide_Project https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project https://www.owasp.org/index.php/Category:OWASP_Testing_Project
  • 43. Zed Attack Proxy (for Reboot). Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com. Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications. Last Release: ZAP 2.0.0 (30 Jan 2013). https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • 44. AppSensor: create attack-aware applications. Project Leader(s): Michael Coates, John Melton, Colin Watson. Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Release: AppSensor 0.1.3 - Nov 2010 (tool) & September 2008 (doc). https://www.owasp.org/index.php/AppSensor
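The AppSensor idea on slide 44, an application that detects attacks against itself and responds automatically, as an added Python example (this is an illustration written for this page, not the OWASP AppSensor project's own code). The detection-point labels, the thresholds, the sliding-window lengths and the "log / logout / lock" responses in the policy are constructed for the example; real deployments tune them per application.

```python
"""
Illustrative attack-aware application in the AppSensor style: the application
reports security-relevant events ("detection points") to an in-app sensor,
which counts them per user inside a sliding time window and triggers a
pre-defined automated response once a threshold is crossed.
Added example; the labels, thresholds and responses below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DetectionPoint:
    label: str        # constructed label for the event type
    threshold: int    # events within window_s that trigger the response
    window_s: float   # length of the sliding window in seconds
    response: str     # automated response: "log", "logout" or "lock"


# Constructed policy: noisy but benign mistakes only get logged, while events a
# legitimate user or browser never produces escalate quickly.
POLICY = [
    DetectionPoint("input-validation-failure", threshold=5, window_s=60, response="logout"),
    DetectionPoint("unexpected-http-method", threshold=2, window_s=60, response="lock"),
    DetectionPoint("failed-password", threshold=10, window_s=300, response="log"),
]


class AppSensor:
    def __init__(self, policy: List[DetectionPoint]) -> None:
        self.points = {p.label: p for p in policy}
        self.events: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.locked: set = set()
        self.logged_out: set = set()
        self.audit: List[str] = []

    def report(self, user: str, label: str, now: float) -> Optional[str]:
        """Record one event for a user; return the response taken, or None."""
        point = self.points[label]
        window = self.events[(user, label)]
        window.append(now)
        # Drop events that have fallen out of the sliding window.
        while window and now - window[0] > point.window_s:
            window.popleft()
        self.audit.append(f"{now:.0f} {user} {label} count={len(window)}")
        if len(window) < point.threshold:
            return None
        window.clear()  # restart the count once a response has been taken
        if point.response == "lock":
            self.locked.add(user)
        elif point.response == "logout":
            self.logged_out.add(user)
        self.audit.append(f"{now:.0f} RESPONSE {point.response} user={user} trigger={label}")
        return point.response

    def is_allowed(self, user: str) -> bool:
        """Gate every request: locked users are refused and logged-out users must re-authenticate."""
        return user not in self.locked and user not in self.logged_out


def simulate() -> Dict[str, object]:
    """Replay a constructed event stream and return the sensor's decisions."""
    sensor = AppSensor(POLICY)
    results: Dict[str, object] = {}
    # alice: two form typos an hour apart; the window forgets the first one.
    results["alice_1"] = sensor.report("alice", "input-validation-failure", now=0)
    results["alice_2"] = sensor.report("alice", "input-validation-failure", now=3000)
    # bob: six validation failures in six seconds, a pattern typical of tampering;
    # the fifth one triggers the response and the counter restarts.
    results["bob"] = [sensor.report("bob", "input-validation-failure", now=100 + i) for i in range(6)]
    # mallory: two requests using HTTP methods this application never serves.
    results["mallory_1"] = sensor.report("mallory", "unexpected-http-method", now=200)
    results["mallory_2"] = sensor.report("mallory", "unexpected-http-method", now=201)
    results["alice_allowed"] = sensor.is_allowed("alice")
    results["bob_allowed"] = sensor.is_allowed("bob")
    results["mallory_allowed"] = sensor.is_allowed("mallory")
    results["audit_lines"] = len(sensor.audit)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The point of keying the counters per user and detection point is that a response is taken against the account producing the anomalous pattern, not against everyone; the "log" response exists so that high-volume but ambiguous signals (failed passwords) feed monitoring without handing an attacker a way to lock other users out.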
  • 45. Cloud Top10 Project. Project Leader: Vinay Bansal, Vinaykbansal@gmail.com. Purpose: Develop and maintain a list of the Top 10 Security Risks faced with the Cloud Computing and SaaS models. Serve as a quick list of top risks with cloud adoption, and provide guidelines on mitigating the risks. Deliverables: Cloud Top 10 Security Risks (draft expected for early 2013). https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project
  • 46. Cloud Top10 Security Risks • R1. Accountability & Data Risk • R2. User Identity Federation • R3. Legal & Regulatory Compliance • R4. Business Continuity & Resiliency • R5. User Privacy & Secondary Usage of Data • R6. Service & Data Integration • R7. Multi-tenancy & Physical Security • R8. Incidence Analysis & Forensics • R9. Infrastructure Security • R10. Non-production Environment Exposure
  • 47. Mobile Security Project (for Reboot). Project Leader: Jack Mannino, Jack@nvisiumsecurity.com. Purpose: Establish an OWASP Top 10 Mobile Risks. Intended to be platform-agnostic. Focused on areas of risk rather than individual vulnerabilities. Deliverables: Top 10 Mobile Risks (currently Release Candidate v1.0); Top 10 Mobile Controls (OWASP/ENISA collaboration); OWASP Wiki, 'Smartphone Secure Development Guidelines' (ENISA); Mobile Cheat Sheet Series; OWASP GoatDroid Project; OWASP Mobile Threat Model Project. https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  • 48. Top 10 Mobile Risks • M1. Insecure Data Storage • M2. Weak Server Side Controls • M3. Insufficient Transport Layer Protection • M4. Client Side Injection • M5. Poor Authorization and Authentication • M6. Improper Session Handling • M7. Security Decisions via Untrusted Inputs • M8. Side Channel Data Leakage • M9. Broken Cryptography • M10. Sensitive Information Disclosure
  • 49. Threat Modeling Project. Project Leader: Anurag "Archie" Agarwal, anurag.agarwal@owasp.org. Purpose: Establish a single and inclusive software-centric OWASP Threat Modeling Methodology, addressing vulnerability in client and web application-level services over the Internet. Deliverables (1st draft expected for end of 2012 / early 2013): an OWASP Threat Modeling methodology; a glossary of threat modeling terms. https://www.owasp.org/index.php/OWASP_Threat_Modelling_Project
  • 50. The OWASP Secure Software Contract Annex. Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered. CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to. OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed. https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
  • 51. Projects Reboot 2012: refresh, revitalize & update projects, rewrite & complete guides or tools. https://www.owasp.org/index.php/Projects_Reboot_2012 Current submissions: OWASP Application Security Guide For CISOs (selected for Reboot); OWASP Development Guide (selected for Reboot); Zed Attack Proxy (selected for Reboot); OWASP WebGoat; OWASP AppSensor; OWASP Mobile Project (selected for Reboot); OWASP Portuguese Language Project; OWASP_Application_Testing_guide_v4; OWASP ESAPI; OWASP Eliminate Vulnerable Code Project; OWASP_Code_Review_Guide_Reboot. Projects selected via the first round of review: 1. OWASP Development Guide: funding amount $5000 initial funding; 2. OWASP CISO Guide: funding amount $5000 initial funding; 3. OWASP Zed Attack Proxy: funding amount $5000 initial funding; 4. OWASP Mobile Project: funding amount $5000 initial funding. Ongoing discussions about the Code Review and the Testing Guides.
  • 52. OWASP Top10 2013 • Final publication of OWASP Top10 2013: very, very soon. • French translation done. • Not a lot of new things.
  • 53. Top10 2013 - RC1 (French slide). A1: Injection; A2: Broken authentication and session management; A3: Cross Site Scripting (XSS); A4: Insecure direct object reference; A5: Security misconfiguration; A6: Data exposure; A7: Poor access control; A8: Cross Site Request Forgery (CSRF); A9: Use of insecure components; A10: Poor handling of redirects and forwards
  • 54. OWASP News • New projects: OWASP Scada Project; OWASP OpenStack Security Project
  • 55. Dates • RSSIA Bordeaux: 21 June: OWASP Top10 2013 in practice • OWASP EU Tour 2013: 24 June - Sophia Antipolis; 25 June - Geneva • Java User Group Poitou Charentes: 27 June: Secure Coding for Java • AppSec Research Europe 2013: 20/23 August, Hamburg, Germany • OWASP Benelux: 28/29 November 2013
  • 56. Supporting OWASP • Different options: Individual member: $50; Corporate member: $5000; Free donation • Supporting only the France chapter: Single Meeting supporter (offer us a meeting room! take part with a talk or otherwise! simple donation); Local Chapter supporter: $500 to $2000
  • 57. Next meetings • September 2013: Room: Mozilla Center Paris; Speakers: Security on Firefox OS; to be defined • November 2013: Room: to be defined; Speaker: to be defined