SlideShare a Scribd company logo

Threat Modeling and OWASP Top 10 (2017 rc1)

M
Mike Tetreault

This session introduces the OWASP Top Ten Web Application Security Risks, provides the basics of threat modeling, and helps understand how a Web Application Firewall (WAF) can help address security defects.

Technology
1 of 41
Download to read offline
An Overview of the OWASP Top Ten Web Application Risks and Threat Modeling Web Applications THREAT MODELING FOR WEB APPLICATIONS
 AND OTHER DUTIES AS ASSIGNED… 1
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Who is Mike Tetreault? ● Twenty five years of IT experience ● Technically more, but seventh graders aren’t reliable network consultants.. ● Primarily web application development and team leadership, but also includes network, server, and database administration. ⦿ Security background ● Lifelong interest in physical and data security. ● Security is the one constant across all of my roles. ● Certification Activities ● 2003 – Certified Information Systems Security Professional (CISSP) ● 2009 – Certified Secure Software Lifecycle Professional (CSSLP) ● 2013 – Healthcare Information Security and Privacy Practitioner (HCISPP) ● Regularly participate in Examination and Credential Development Workshops Introduction 2
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What do I do today? ● Functional IT Manager, Application Security ● Two primary practices: ● Access Enablement ● Web Application Firewall ● Authenticated Reverse Proxy ● Web Application and Code Security ● Static and Dynamic Analysis Tools ● Covers Preventative, Detective, Corrective, and Compensatory controls Introduction (cont) 3
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Why focus on web applications? ● We all have them and we all use them ● This is why they have the largest threat profile ⦿ Why are web applications everywhere? ● Quickly installed and updated ● Work across devices and operating systems ⦿ Why is this bad? ● Data is accessible from anywhere ● Clients do some hidden processing ⦿ This is what leads to vulnerabilities Presentation Overview 4
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Asset ⦿ What we’re trying to protect. ⦿ Threat ⦿ What we’re trying to protect against. ⦿ Vulnerability ⦿ Weakness or gap in our protection efforts. ⦿ Risk ⦿ The intersection of assets, threats, and vulnerabilities. Terms 5
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP Why It Matters ⦿ According to the 2015 Global Information Security Workforce Study by (ISC)2, 72% of the over 14,000 IT professionals surveyed believe that application vulnerabilities are the number one security issue for 2013. ⦿ Heartland Payment Systems suffered a SQL injection attack in 2008 which cost them $170 million, by their own admission. ⦿ Equifax breach of 2017 has been determined to be due to an unpatched Apached Struts 2 vulnerability. ⦿ Corrective (patching) and Compensatory (Web Application Firewall) controls could have prevented the attack. ⦿ 2016 “Cost of Data Breach” study by IBM and Ponemon puts the overall cost of a data breach at $154 to $158 per record. 6
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Started in 2001 ⦿ Has tremendous resources available for security professionals and developers alike ⦿ In the midst of updating their flagship OWASP Top Ten Most Critical Web Application Security Risks ⦿ RC2 expected any day now ⦿ This presentation is based on RC1, which was rejected OWASP - The Open Web Application Security Project 7
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP OWASP Top Ten Web Application Security Risks Injection Sensitive Data Exposure Broken Authentication and Session Management Insufficient Attack Protection (new) Cross-Site Scripting (XSS) Cross-Site Request Forgery Broken Access Control (new) Using Components With Known Vulnerabilities Security Misconfiguration Underprotected APIs (new) 8
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. ⦿ What it looks like: ● String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; ⦿ How to mitigate: ● Keep untrusted data separate from commands and queries. ● Use a safe API with parameterized inputs. ● Scrub inputs to escape special characters (eg, SQL’s ‘:’ operator). A1: Injection 9
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP How Popular is SQL Injection? 10
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. ⦿ What it looks like: ● http://example.com/saleitems? jsessionid=2P0OCLPSKHCJUN2JVdest=Hawaii ⦿ How to mitigate: ● Use a single set of strong authentication and session management controls that has a simple interface for developers. ● Strong efforts should also be made to avoid Cross-Site Scripting (XSS) flaws which can be used to steal session IDs. A2: Broken Authentication and Session Management 11
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. ⦿ What it looks like: ● page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>"; ⦿ How to mitigate: ● Properly escape all untrusted (ie, user supplied) data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. A3: Cross-Site Scripting (XSS) 12
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. ⦿ What it looks like: ● Valid: http://example.com/app/accountInfo?acct=myacct ● Not Valid: http://example.com/app/accountInfo?acct=notmyacct ⦿ How to mitigate: ● Use per-user or per-session indirect references. ○ This means that the reference is only valid for a single user or session, and means nothing to a different user or session. A4: Broken Access Control 13
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. ⦿ How to mitigate: ● Maintain a repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. ● Implement a process for keeping abreast of and deploying all new software updates and patches in a timely manner. A5: Security Misconfiguration 14
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Many web applications do not properly protect sensitive data. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. ⦿ How to mitigate: ● Encrypt all sensitive data at rest and in transit. ● Use standard algorithms with proper key management. ● Do not store sensitive data unnecessarily. ● Disable autocomplete and caching on pages that collect or display sensitive information. A6: Sensitive Data Exposure 15
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Web Applications need to be resilient in the face of attacks. This means that the confidentiality, integrity, and availability of the data must be maintained in the face of attack. ⦿ What it looks like: ● Attacker with OWASP ZAP or SQLMap scans an application to detect its vulnerabilities and possible exploit them. ⦿ How to mitigate: ● Detect Attacks ○ Commodity scanners stick out. Use this uniqueness to identify them. Look for a high volume of requests, repeated requests for the same resource, etc. ● Respond to Attacks ● Blocking is the first line of defense, but delaying responses or requiring a captcha is valid as well. ● Patch Quickly ● If a critical patch can’t be pushed quickly, consider a “virtual patch” instead. A7: Insufficient Attack Protection 16
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. ⦿ What it looks like: ● http://example.com/app/transferFunds? amount=1500&destinationAccount=4673243243 ● Embedded link in malicious page: <img src="http://example.com/app/transferFunds? amount=1500&destinationAccount=attackersAcct#" width="0" height="0" /> ⦿ How to mitigate: ● Include a unique token, individual to each user or session, in every page as a hidden field. ○ Verify that this token is returned with every request. If it is not, destroy the session and force the user to reauthenticate. ● Require an explicit user authentication for high-value transactions. ○ This ensure the user is aware of the activity. A8: Cross-Site Request Forgery (CSRF) 17
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. ⦿ How to mitigate: ● Don’t use external, third-part components. It’s not realistic, but it will work. ● Identify all components and versions you are using. Keep up to date with both releases by the components maintainers and identified vulnerabilities on security mailing lists and databases. A9: Using Components with Known Vulnerabilities 18
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Many modern web applications use APIs to transmit commands and data between the users and systems. This communication can be easily intercepted, analyzed, and manipulated. ⦿ How to mitigate: ● Ensure secured communication between the clients and APIs. ● Ensure the parser configuration is hardened against attacks. ● Protect against injection attacks in all forms, not just browsers. A10: Underprotected APIs 19
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ First, are there any questions about the OWASP Top Ten vulnerabilities? ⦿ Web applications present a big target ● Broad profile with rich data ⦿ Where do you begin with your security efforts? ⦿ Enter: Threat Modeling! What now? 20
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ A systematic approach for understanding, classifying, and assigning risk to threats and vulnerabilities ⦿ Security becomes what it should be: A cost/benefit analysis. ⦿ Based on two different classification schemes: ● STRIDE ○ STRIDE classifies threat ● DREAD ○ DREAD classifies risks What is Threat Modeling? 21
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ The sooner the better. ⦿ Prevention is better than a cure. When Do You Threat Model? 22 Source: IBM Systems Sciences Institute
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Identify your security objectives ● All security can be characterized as being related to Confidentiality, Integrity, or Availability. ● An objective can be tied to one or all of those characteristics ⦿ High Level Objective Categories ● Identity ● Financial ● Reputation ● Privacy and Regulatory ● Availability Guarantees How do you start? 23
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Application Overview ● Understand the Components, Data Flows, and Trust Boundaries. ● UML Use Case diagrams are handy for this. ⦿ Decompose the Application ● Identify the features and modules with security impacts. ● Understand: ○ How data enters the module. ○ How the module validates and processes the data. ○ Where the data flows. ○ How the data is stored. ○ What fundamental decisions and assumptions are made by the module. ⦿ Now that you know what the application looks like, you can classify its threats using the STRIDE model. What does the application look like? 24
Decomposing the Application 25 Courtesy of OWASP
Decomposing the Application (cont.) 26 Courtesy of OWASP
Understanding The Threats, Vulnerabilities, and Mitigations 27 Courtesy of OWASP
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Spoofing ● Users cannot become another user or assume their attributes. ⦿ Tampering ● Applications should never send internal data to users, and should always verify inputs before storing or processing it. ⦿ Repudiation ● An application needs to be able to prove that authorized activities are initiated by authenticated users. ⦿ Information Disclosure ● Applications should only store sensitive data if proper controls are in place. ⦿ Denial Of Service ● Large, resource-intensive queries should only be accessible to properly authorized and authenticated users. ⦿ Elevation of Privileges ● Users should only be able to access information and processing capabilities appropriate for their role in a system. STRIDE – Characterizing Known Threats 28
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Each threat is scored on a 1-10 scale, added together, and divided by 5. ⦿ Damage ● If a threat exploit occurs, how much damage will it cause? ⦿ Reproducibility ● How easy is it to reproduce a threat exploit? ⦿ Exploitability ● How difficult are the steps needed to exploit the threat? ⦿ Affected Users ● How many users are affected if a threat is exploited? ⦿ Discoverability ● How easy is it to discover the threat? ● Often set to 10 by default, with the assumption that it will be discovered. DREAD – Classifying, Quantifying, Comparing, and Prioritizing Risk 29
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Analyze the DREAD score for each threat ⦿ Understand the remediation for each threat, and what you need to do with the risk presented by each: ● Acceptance – Not all security is “worth it” ○ You don’t spend $50,000 on security controls for a hot dog cart. ● Avoidance – Just don’t do it ○ Not typically feasible in application development. ● Limitation – Take steps to minimize risk ○ Most common risk management strategy. ○ Example: Disk drives may fail, so we maintain RAID and backups. ● Transference – Let someone else take the risk ○ Outsource common functions that are not a core competency . ○ Purchasing insurance can be an option. Next Steps 30
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ “Awww, man. This is too hard!” ⦿ The less structured approach: ⦿ 1. What are you building or deploying? ⦿ 2. What can go wrong? ⦿ 3. What are you going to do about it? ⦿ 4. Did you do well with steps 1-3? An Alternative… 31
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ “Think like an attacker.” ⦿ Not quite.. “Let’s go through this in a structured way and find the real problems.” ⦿ “You’re never done threat modeling.” ⦿ “Perfect is the enemy of good.” ⦿ Model -> Identify -> Mitigate -> Validate ⦿ “The way to threat model is…” ⦿ There is no perfect way to threat model! ⦿ What works for you may not work for others. Traps of Threat Modeling 32
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ “Threat modeling is born, not taught.” ⦿ Just like any skill, it is learned. ⦿ Interest helps though. ⦿ “Threat modeling is for specialists.” ⦿ Threat modeling is like version control. ⦿ Every developer understands it, but only a few are responsible for administering it. ⦿ Starting at the wrong time ⦿ Earlier is almost always better. Traps of Threat Modeling 33
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Let’s say you have a space station, and it has a highly exploitable exhaust port… What would its DREAD score look like? Other Uses! 34
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Or you have a big invading space ship, and you allow unauthenticated access to your network (and don’t have host security)… Other Uses! 35
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ If you run a highly virtualized environment with potentially hostile VM’s, be sure you monitor
 hosts breaking out of
 the sandbox… Other Uses! 36
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ You maintain a complex, life critical system of hardware and software, and allow one person
 to develop,
 implement,
 and support the
 application… Other Uses! 37
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Web Application Firewall (WAF) ⦿ What is it? ⦿ System that filters, monitors, and blocks traffic to and from a web application ⦿ Why use it? ⦿ Can mitigate every item in the OWASP Top Ten ⦿ Payment Card Industry (PCI) Data Security Standard (DSS) Section 6.6 requires it. ⦿ Or Application Code Reviews, but why choose? An Alternative to the Alternative 38
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP OWASP Top Ten Web Application Security Risks Injection Sensitive Data Exposure Broken Authentication and Session Management Insufficient Attack Protection (new) Cross-Site Scripting (XSS) Cross-Site Request Forgery Broken Access Control (new) Using Components With Known Vulnerabilities Security Misconfiguration Underprotected APIs (new) 39
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ They’re touchy to set up. ⦿ They can be noisy for alerts. ⦿ The lower your tolerance for false positives, the less meaningful your controls. ⦿ The converse is true as well! ⦿ WAF’s require a specialized skill set to be truly proficient. Web Application Firewalls are great, but… 40
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Email: mike@macrocosmictech.com ⦿ I’m on LinkedIn, and these slides will be too! ⦿ Resources: ● OWASP – The Open Web Application Security Project ○ https://www.owasp.org/ ● Threat Modeling, Frank Swiderski and Window Snyder ● Threat Modeling Web Applications, J.D. Meier, Alex Mackman, Blaine Wastell ● Threat Modeling: Designing for Security, Adam Shostack ● Mailing Lists and other resources: ○ Common Vulnerabilities and Exposures Database - http://cve.mitre.org ○ Microsoft Security Response Center ○ SANS – http://www.sans.org Questions / Comments / Resources 41

Recommended

Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)
Mike Tetreault
 
[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC
OWASP
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development
6502programmer
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveview
Shreyas N
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
ibrahimumer2
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
Siddharth Phatarphod
 

Recommended

Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)
Mike Tetreault
 
[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC
OWASP
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development
6502programmer
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveview
Shreyas N
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
ibrahimumer2
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
Siddharth Phatarphod
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
Shivam Porwal
 
Updated Mvc Web security updated presentation
Updated Mvc Web security updated presentationUpdated Mvc Web security updated presentation
Updated Mvc Web security updated presentation
John Staveley
 
The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?
BCS ProSoft
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NET
Daniel Krasnokucki
 
The path to most GRC requirements
The path to most GRC requirementsThe path to most GRC requirements
The path to most GRC requirements
Watchful Software
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Big Data Analytics to Enhance Security
Big Data Analytics to Enhance SecurityBig Data Analytics to Enhance Security
Big Data Analytics to Enhance Security
Data Science Thailand
 
Information Gathering with Google (c0c0n - India)
Information Gathering with Google (c0c0n - India)Information Gathering with Google (c0c0n - India)
Information Gathering with Google (c0c0n - India)
Maximiliano Soler
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
YasserElsnbary
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
Ashwini Paranjpe
 
Web security presentation
Web security presentationWeb security presentation
Web security presentation
John Staveley
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
dcervigni
 
Automating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Automating your SOC/CSIRT - The case study: Pescatore a real time URL ClassifierAutomating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Automating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Roberto Sponchioni
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1
Telefónica
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
Francois Marier
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
Jeremiah Grossman
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 

More Related Content

What's hot

Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
Shivam Porwal
 
Updated Mvc Web security updated presentation
Updated Mvc Web security updated presentationUpdated Mvc Web security updated presentation
Updated Mvc Web security updated presentation
John Staveley
 
The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?
BCS ProSoft
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NET
Daniel Krasnokucki
 
The path to most GRC requirements
The path to most GRC requirementsThe path to most GRC requirements
The path to most GRC requirements
Watchful Software
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Big Data Analytics to Enhance Security
Big Data Analytics to Enhance SecurityBig Data Analytics to Enhance Security
Big Data Analytics to Enhance Security
Data Science Thailand
 
Information Gathering with Google (c0c0n - India)
Information Gathering with Google (c0c0n - India)Information Gathering with Google (c0c0n - India)
Information Gathering with Google (c0c0n - India)
Maximiliano Soler
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
YasserElsnbary
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
Ashwini Paranjpe
 
Web security presentation
Web security presentationWeb security presentation
Web security presentation
John Staveley
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
dcervigni
 
Automating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Automating your SOC/CSIRT - The case study: Pescatore a real time URL ClassifierAutomating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Automating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Roberto Sponchioni
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1
Telefónica
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
Francois Marier
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
Jeremiah Grossman
 

What's hot (20)

Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
Updated Mvc Web security updated presentation
Updated Mvc Web security updated presentationUpdated Mvc Web security updated presentation
Updated Mvc Web security updated presentation
 
The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NET
 
The path to most GRC requirements
The path to most GRC requirementsThe path to most GRC requirements
The path to most GRC requirements
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTrana
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Big Data Analytics to Enhance Security
Big Data Analytics to Enhance SecurityBig Data Analytics to Enhance Security
Big Data Analytics to Enhance Security
 
Information Gathering with Google (c0c0n - India)
Information Gathering with Google (c0c0n - India)Information Gathering with Google (c0c0n - India)
Information Gathering with Google (c0c0n - India)
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Web security presentation
Web security presentationWeb security presentation
Web security presentation
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New Vulnerabilities
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
Automating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Automating your SOC/CSIRT - The case study: Pescatore a real time URL ClassifierAutomating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
Automating your SOC/CSIRT - The case study: Pescatore a real time URL Classifier
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 

Similar to Threat Modeling and OWASP Top 10 (2017 rc1)

Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Edouard de Lansalut
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Daniel Tumser
 
19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf
KunjJoshi14
 
C01461422
C01461422C01461422
C01461422
IOSR Journals
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp
 
PwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIsPwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIs
ThreatReel Podcast
 
CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful API
ThreatReel Podcast
 
OWASP Top 10
OWASP Top 10OWASP Top 10
OWASP Top 10
Arthur Shvetsov
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
Jim Kaplan CIA CFE
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdf
Abhi Jain
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web Apps
TechWell
 
QAing the security way!
QAing the security way!QAing the security way!
QAing the security way!
Amit Gundiyal
 
vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security way
vodQA
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
llangit
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
ThreatReel Podcast
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
Lucas Hendrich
 

Similar to Threat Modeling and OWASP Top 10 (2017 rc1) (20)

Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf
 
C01461422
C01461422C01461422
C01461422
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
 
PwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIsPwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIs
 
CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful API
 
OWASP Top 10
OWASP Top 10OWASP Top 10
OWASP Top 10
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdf
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web Apps
 
QAing the security way!
QAing the security way!QAing the security way!
QAing the security way!
 
vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security way
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 

Recently uploaded

Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 

Recently uploaded (20)

Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 

Threat Modeling and OWASP Top 10 (2017 rc1)

  • 1. An Overview of the OWASP Top Ten Web Application Risks and Threat Modeling Web Applications THREAT MODELING FOR WEB APPLICATIONS
 AND OTHER DUTIES AS ASSIGNED… 1
  • 2. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Who is Mike Tetreault? ● Twenty five years of IT experience ● Technically more, but seventh graders aren’t reliable network consultants.. ● Primarily web application development and team leadership, but also includes network, server, and database administration. ⦿ Security background ● Lifelong interest in physical and data security. ● Security is the one constant across all of my roles. ● Certification Activities ● 2003 – Certified Information Systems Security Professional (CISSP) ● 2009 – Certified Secure Software Lifecycle Professional (CSSLP) ● 2013 – Healthcare Information Security and Privacy Practitioner (HCISPP) ● Regularly participate in Examination and Credential Development Workshops Introduction 2
  • 3. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What do I do today? ● Functional IT Manager, Application Security ● Two primary practices: ● Access Enablement ● Web Application Firewall ● Authenticated Reverse Proxy ● Web Application and Code Security ● Static and Dynamic Analysis Tools ● Covers Preventative, Detective, Corrective, and Compensatory controls Introduction (cont) 3
  • 4. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Why focus on web applications? ● We all have them and we all use them ● This is why they have the largest threat profile ⦿ Why are web applications everywhere? ● Quickly installed and updated ● Work across devices and operating systems ⦿ Why is this bad? ● Data is accessible from anywhere ● Clients do some hidden processing ⦿ This is what leads to vulnerabilities Presentation Overview 4
  • 5. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Asset ⦿ What we’re trying to protect. ⦿ Threat ⦿ What we’re trying to protect against. ⦿ Vulnerability ⦿ Weakness or gap in our protection efforts. ⦿ Risk ⦿ The intersection of assets, threats, and vulnerabilities. Terms 5
  • 6. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP Why It Matters ⦿ According to the 2015 Global Information Security Workforce Study by (ISC)2, 72% of the over 14,000 IT professionals surveyed believe that application vulnerabilities are the number one security issue for 2013. ⦿ Heartland Payment Systems suffered a SQL injection attack in 2008 which cost them $170 million, by their own admission. ⦿ Equifax breach of 2017 has been determined to be due to an unpatched Apached Struts 2 vulnerability. ⦿ Corrective (patching) and Compensatory (Web Application Firewall) controls could have prevented the attack. ⦿ 2016 “Cost of Data Breach” study by IBM and Ponemon puts the overall cost of a data breach at $154 to $158 per record. 6
  • 7. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Started in 2001 ⦿ Has tremendous resources available for security professionals and developers alike ⦿ In the midst of updating their flagship OWASP Top Ten Most Critical Web Application Security Risks ⦿ RC2 expected any day now ⦿ This presentation is based on RC1, which was rejected OWASP - The Open Web Application Security Project 7
  • 8. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP OWASP Top Ten Web Application Security Risks Injection Sensitive Data Exposure Broken Authentication and Session Management Insufficient Attack Protection (new) Cross-Site Scripting (XSS) Cross-Site Request Forgery Broken Access Control (new) Using Components With Known Vulnerabilities Security Misconfiguration Underprotected APIs (new) 8
  • 9. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. ⦿ What it looks like: ● String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; ⦿ How to mitigate: ● Keep untrusted data separate from commands and queries. ● Use a safe API with parameterized inputs. ● Scrub inputs to escape special characters (eg, SQL’s ‘:’ operator). A1: Injection 9
  • 10. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP How Popular is SQL Injection? 10
  • 11. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. ⦿ What it looks like: ● http://example.com/saleitems? jsessionid=2P0OCLPSKHCJUN2JVdest=Hawaii ⦿ How to mitigate: ● Use a single set of strong authentication and session management controls that has a simple interface for developers. ● Strong efforts should also be made to avoid Cross-Site Scripting (XSS) flaws which can be used to steal session IDs. A2: Broken Authentication and Session Management 11
  • 12. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. ⦿ What it looks like: ● page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>"; ⦿ How to mitigate: ● Properly escape all untrusted (ie, user supplied) data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. A3: Cross-Site Scripting (XSS) 12
  • 13. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. ⦿ What it looks like: ● Valid: http://example.com/app/accountInfo?acct=myacct ● Not Valid: http://example.com/app/accountInfo?acct=notmyacct ⦿ How to mitigate: ● Use per-user or per-session indirect references. ○ This means that the reference is only valid for a single user or session, and means nothing to a different user or session. A4: Broken Access Control 13
  • 14. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. ⦿ How to mitigate: ● Maintain a repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. ● Implement a process for keeping abreast of and deploying all new software updates and patches in a timely manner. A5: Security Misconfiguration 14
  • 15. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Many web applications do not properly protect sensitive data. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. ⦿ How to mitigate: ● Encrypt all sensitive data at rest and in transit. ● Use standard algorithms with proper key management. ● Do not store sensitive data unnecessarily. ● Disable autocomplete and caching on pages that collect or display sensitive information. A6: Sensitive Data Exposure 15
  • 16. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Web Applications need to be resilient in the face of attacks. This means that the confidentiality, integrity, and availability of the data must be maintained in the face of attack. ⦿ What it looks like: ● Attacker with OWASP ZAP or SQLMap scans an application to detect its vulnerabilities and possible exploit them. ⦿ How to mitigate: ● Detect Attacks ○ Commodity scanners stick out. Use this uniqueness to identify them. Look for a high volume of requests, repeated requests for the same resource, etc. ● Respond to Attacks ● Blocking is the first line of defense, but delaying responses or requiring a captcha is valid as well. ● Patch Quickly ● If a critical patch can’t be pushed quickly, consider a “virtual patch” instead. A7: Insufficient Attack Protection 16
  • 17. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. ⦿ What it looks like: ● http://example.com/app/transferFunds? amount=1500&destinationAccount=4673243243 ● Embedded link in malicious page: <img src="http://example.com/app/transferFunds? amount=1500&destinationAccount=attackersAcct#" width="0" height="0" /> ⦿ How to mitigate: ● Include a unique token, individual to each user or session, in every page as a hidden field. ○ Verify that this token is returned with every request. If it is not, destroy the session and force the user to reauthenticate. ● Require an explicit user authentication for high-value transactions. ○ This ensure the user is aware of the activity. A8: Cross-Site Request Forgery (CSRF) 17
  • 18. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. ⦿ How to mitigate: ● Don’t use external, third-part components. It’s not realistic, but it will work. ● Identify all components and versions you are using. Keep up to date with both releases by the components maintainers and identified vulnerabilities on security mailing lists and databases. A9: Using Components with Known Vulnerabilities 18
  • 19. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ What it is: ● Many modern web applications use APIs to transmit commands and data between the users and systems. This communication can be easily intercepted, analyzed, and manipulated. ⦿ How to mitigate: ● Ensure secured communication between the clients and APIs. ● Ensure the parser configuration is hardened against attacks. ● Protect against injection attacks in all forms, not just browsers. A10: Underprotected APIs 19
  • 20. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ First, are there any questions about the OWASP Top Ten vulnerabilities? ⦿ Web applications present a big target ● Broad profile with rich data ⦿ Where do you begin with your security efforts? ⦿ Enter: Threat Modeling! What now? 20
  • 21. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ A systematic approach for understanding, classifying, and assigning risk to threats and vulnerabilities ⦿ Security becomes what it should be: A cost/benefit analysis. ⦿ Based on two different classification schemes: ● STRIDE ○ STRIDE classifies threat ● DREAD ○ DREAD classifies risks What is Threat Modeling? 21
  • 22. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ The sooner the better. ⦿ Prevention is better than a cure. When Do You Threat Model? 22 Source: IBM Systems Sciences Institute
  • 23. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Identify your security objectives ● All security can be characterized as being related to Confidentiality, Integrity, or Availability. ● An objective can be tied to one or all of those characteristics ⦿ High Level Objective Categories ● Identity ● Financial ● Reputation ● Privacy and Regulatory ● Availability Guarantees How do you start? 23
  • 24. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Application Overview ● Understand the Components, Data Flows, and Trust Boundaries. ● UML Use Case diagrams are handy for this. ⦿ Decompose the Application ● Identify the features and modules with security impacts. ● Understand: ○ How data enters the module. ○ How the module validates and processes the data. ○ Where the data flows. ○ How the data is stored. ○ What fundamental decisions and assumptions are made by the module. ⦿ Now that you know what the application looks like, you can classify its threats using the STRIDE model. What does the application look like? 24
  • 26. Decomposing the Application (cont.) 26 Courtesy of OWASP
  • 27. Understanding The Threats, Vulnerabilities, and Mitigations 27 Courtesy of OWASP
  • 28. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Spoofing ● Users cannot become another user or assume their attributes. ⦿ Tampering ● Applications should never send internal data to users, and should always verify inputs before storing or processing it. ⦿ Repudiation ● An application needs to be able to prove that authorized activities are initiated by authenticated users. ⦿ Information Disclosure ● Applications should only store sensitive data if proper controls are in place. ⦿ Denial Of Service ● Large, resource-intensive queries should only be accessible to properly authorized and authenticated users. ⦿ Elevation of Privileges ● Users should only be able to access information and processing capabilities appropriate for their role in a system. STRIDE – Characterizing Known Threats 28
  • 29. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Each threat is scored on a 1-10 scale, added together, and divided by 5. ⦿ Damage ● If a threat exploit occurs, how much damage will it cause? ⦿ Reproducibility ● How easy is it to reproduce a threat exploit? ⦿ Exploitability ● How difficult are the steps needed to exploit the threat? ⦿ Affected Users ● How many users are affected if a threat is exploited? ⦿ Discoverability ● How easy is it to discover the threat? ● Often set to 10 by default, with the assumption that it will be discovered. DREAD – Classifying, Quantifying, Comparing, and Prioritizing Risk 29
  • 30. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Analyze the DREAD score for each threat ⦿ Understand the remediation for each threat, and what you need to do with the risk presented by each: ● Acceptance – Not all security is “worth it” ○ You don’t spend $50,000 on security controls for a hot dog cart. ● Avoidance – Just don’t do it ○ Not typically feasible in application development. ● Limitation – Take steps to minimize risk ○ Most common risk management strategy. ○ Example: Disk drives may fail, so we maintain RAID and backups. ● Transference – Let someone else take the risk ○ Outsource common functions that are not a core competency . ○ Purchasing insurance can be an option. Next Steps 30
  • 31. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ “Awww, man. This is too hard!” ⦿ The less structured approach: ⦿ 1. What are you building or deploying? ⦿ 2. What can go wrong? ⦿ 3. What are you going to do about it? ⦿ 4. Did you do well with steps 1-3? An Alternative… 31
  • 32. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ “Think like an attacker.” ⦿ Not quite.. “Let’s go through this in a structured way and find the real problems.” ⦿ “You’re never done threat modeling.” ⦿ “Perfect is the enemy of good.” ⦿ Model -> Identify -> Mitigate -> Validate ⦿ “The way to threat model is…” ⦿ There is no perfect way to threat model! ⦿ What works for you may not work for others. Traps of Threat Modeling 32
  • 33. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ “Threat modeling is born, not taught.” ⦿ Just like any skill, it is learned. ⦿ Interest helps though. ⦿ “Threat modeling is for specialists.” ⦿ Threat modeling is like version control. ⦿ Every developer understands it, but only a few are responsible for administering it. ⦿ Starting at the wrong time ⦿ Earlier is almost always better. Traps of Threat Modeling 33
  • 34. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Let’s say you have a space station, and it has a highly exploitable exhaust port… What would its DREAD score look like? Other Uses! 34
  • 35. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Or you have a big invading space ship, and you allow unauthenticated access to your network (and don’t have host security)… Other Uses! 35
  • 36. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ If you run a highly virtualized environment with potentially hostile VM’s, be sure you monitor
 hosts breaking out of
 the sandbox… Other Uses! 36
  • 37. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ You maintain a complex, life critical system of hardware and software, and allow one person
 to develop,
 implement,
 and support the
 application… Other Uses! 37
  • 38. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Web Application Firewall (WAF) ⦿ What is it? ⦿ System that filters, monitors, and blocks traffic to and from a web application ⦿ Why use it? ⦿ Can mitigate every item in the OWASP Top Ten ⦿ Payment Card Industry (PCI) Data Security Standard (DSS) Section 6.6 requires it. ⦿ Or Application Code Reviews, but why choose? An Alternative to the Alternative 38
  • 39. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP OWASP Top Ten Web Application Security Risks Injection Sensitive Data Exposure Broken Authentication and Session Management Insufficient Attack Protection (new) Cross-Site Scripting (XSS) Cross-Site Request Forgery Broken Access Control (new) Using Components With Known Vulnerabilities Security Misconfiguration Underprotected APIs (new) 39
  • 40. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ They’re touchy to set up. ⦿ They can be noisy for alerts. ⦿ The lower your tolerance for false positives, the less meaningful your controls. ⦿ The converse is true as well! ⦿ WAF’s require a specialized skill set to be truly proficient. Web Application Firewalls are great, but… 40
  • 41. 10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP ⦿ Email: mike@macrocosmictech.com ⦿ I’m on LinkedIn, and these slides will be too! ⦿ Resources: ● OWASP – The Open Web Application Security Project ○ https://www.owasp.org/ ● Threat Modeling, Frank Swiderski and Window Snyder ● Threat Modeling Web Applications, J.D. Meier, Alex Mackman, Blaine Wastell ● Threat Modeling: Designing for Security, Adam Shostack ● Mailing Lists and other resources: ○ Common Vulnerabilities and Exposures Database - http://cve.mitre.org ○ Microsoft Security Response Center ○ SANS – http://www.sans.org Questions / Comments / Resources 41