The document presents the 10 main API security risks according to the 2019 OWASP Top Ten API project. Each risk is briefly described, including broken object level authorization, broken authentication, excessive data exposure, lack of resources and rate limiting, broken function level authorization, mass assignment, security misconfiguration, injection, improper assets management, and insufficient logging and monitoring. Examples and links are provided to illustrate each risk.
With the dominance of Mobile Apps, Single Page Apps for the Web, and Micro-Services, we are all building more APIs than ever before. Like many other developers, I had struggled with finding the right mix of security and simplicity for securing APIs. Some standards from the IETF have made it possible to accomplish both. Let me show you how to utilize existing libraries to lock down your API without writing a ton of code.
In this tutorial, you will learn how to write a secure API with future-proof security utilizing JOSE. JOSE is a collection of complementary standards: JWT, JWE, JWS, JWA, and JWK. JOSE is used by OAuth, OpenID, and others to secure communications between APIs and consumers. Now you can use it to secure your API.
Checkmarx meetup API Security - API Security top 10 - Erez Yalon, by Adar Weidman
The document summarizes API security topics presented by Erez Yalon at a Checkmarx Meetup event. Yalon discusses how API-based applications are different from traditional apps and deserve their own security focus. He outlines the OWASP API Security Project and the proposed API Security Top 10 risks, including broken object level authorization, excessive data exposure, lack of resources/rate limiting, and improper asset management. Yalon calls for community contributions to further develop the Top 10 and other API security resources.
API Security - OWASP top 10 for APIs + tips for pentesters, by Inon Shkedy
The document discusses modern application security issues related to APIs. It begins with an overview of common API security risks like SQL injection, XSS, and CSRF. It then focuses on how application security has changed with the transition to modern architectures that are API-focused, use cloud infrastructure, and follow DevOps practices. Key changes discussed include fewer abstraction layers, clients handling more responsibility, and APIs exposing more data and endpoints directly. The document also summarizes the OWASP API security project and proposed API security top 10 risks. Real attack examples are provided to illustrate broken authorization and authentication vulnerabilities.
This document outlines the OWASP API Security Top 10 project which identifies the top 10 risks associated with modern application programming interfaces (APIs). It describes each of the top 10 risks, including broken authentication, excessive data exposure, lack of resources and rate limiting, and insufficient logging and monitoring. For each risk, it provides real-world examples of APIs that have been exploited and mitigation strategies are proposed. Additional resources for the project are listed at the end.
OWASP Top 10 2021 Presentation (Jul 2022), by TzahiArabov
The document provides information about the OWASP Top 10 2021 list of web application security risks. It describes the top risk, A01: Broken Access Control, giving its definition, examples of vulnerabilities it can enable, prevention methods, and examples. It also summarizes the second and third top risks, A02: Cryptographic Failures and A03: Injection, in a similar manner.
This document provides an overview of penetration testing on AWS environments. It discusses the key areas to focus on when penetration testing AWS infrastructure and applications, including external infrastructure, applications, internal infrastructure, and AWS configurations. It also outlines services that can be tested without prior approval and limitations on testing AWS-managed infrastructure. The document then covers starting penetration testing activities, accessing AWS with IAM credentials, enumerating IAM users, groups, and policies, and new methods for enumerating cross-account roles between AWS accounts.
View on-demand: https://wso2.com/library/webinars/api-security-best-practices-and-guidelines/
Modern enterprises are increasingly adopting APIs, exceeding all predictions. With more businesses investing in microservices and the increased consumption of cloud APIs, you need to secure beyond just a handful of well-known APIs. You will need to secure a higher number of internal and external endpoints.
At the same time, security itself is a broad area and vendors implement a number of seemingly similar standards and patterns, making it very difficult for consumers to settle on the best option for securing APIs. The sheer number of options can be very confusing.
There is much to learn about API security, regardless of whether you are a novice or expert and it’s extremely important that you do because security is an integral part of any development project, including API ecosystems.
This webinar will deep-dive into the importance of API security, API security patterns, and how identity and access management (IAM) fit in the ecosystem.
DURING THE WEBINAR, WE WILL COVER:
Managed APIs
OAuth 2.0 and API security patterns
Introduction to WSO2 Identity Server
How we align with OWASP API security guidelines
WATCH WEBINAR: https://youtu.be/zTkv_9ChVPY
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.
OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.
APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.
In this session we’ll discuss:
What makes API Security different from web application security
The OWASP API Security Top 10
Real world breaches and mitigation strategies for each of the risks
This document summarizes the OWASP Top Ten 2013 report, which outlines the top 10 most critical web application security risks. It discusses the methodology used to determine the top risks, comparisons to past versions, and politics around ranking certain vulnerabilities. It also provides context on how and when the OWASP Top Ten list should be cited and explains the risk rating methodology used to evaluate vulnerabilities.
The document discusses the top vulnerabilities from the OWASP Top 10 list - Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). It provides details on each vulnerability like how injection occurs, types of XSS, and how CSRF allows unauthorized actions. Prevention techniques are also covered, such as input validation, output encoding, and synchronizer token pattern. The presentation is given by Arya Anindyaratna Bal for Wipro and covers their experience in application security and the history of OWASP Top 10 lists.
Tomasz Fajks gives a short intro to security tests as well as a guide on how to start. He goes through a comparison of two security scanners, Burp Suite and OWASP Zed Attack Proxy (ZAP), trying to answer "which one is better".
Introduction to Web Application Penetration Testing, by Anurag Srivastava
Web Application Pentesting
* Process to check and penetrate the security of a web application or a website
* The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.
This document discusses security issues related to broken access control and security misconfiguration. It provides examples of broken access control including modifying URL parameters to access restricted resources, restricting folder access, and using malicious URLs as parameters. Recommendations are given to implement access controls consistently, limit account data changes to account holders, and log access control failures. Examples of security misconfiguration include using default credentials and configurations, having an overly informative error handling, and leaving unnecessary features enabled. Recommendations include removing unused features, sending secure headers, not using default configurations, and properly configuring robots.txt files. Links to additional resources on these topics are also provided.
Top 10 Web Security Vulnerabilities (OWASP Top 10), by Brian Huff
The document summarizes the top 10 security vulnerabilities in web applications according to the Open Web Application Security Project (OWASP). These include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. Countermeasures for each vulnerability are also provided.
The OWASP Top Ten is an expert consensus of the most critical web application security threats. If properly understood, it is an invaluable framework to prioritize efforts and address flaws that expose your organization to attack.
This webcast series presents the OWASP Top 10 in an abridged format, interpreting the threats for you and providing actionable offensive and defensive best practices. It is ideal for all IT/development stakeholders that want to take a risk-based approach to Web application security.
How to Test for the OWASP Top Ten webcast focuses on telltale markers of the OWASP Top Ten and techniques to hunt them down:
• Vulnerability anatomy – how they present themselves
• Analysis of vulnerability root cause and protection schemas
• Test procedures to validate susceptibility (or not) for each threat
1) The document provides guidance on testing APIs for security weaknesses, including enumerating the attack surface, common tools to use, what to test for (e.g. authentication, authorization, injections), and demo apps to practice on.
2) It recommends testing authentication and authorization mechanisms like tokens, injection attacks on state-changing requests, and how data is consumed client-side.
3) The document also discusses testing for denial of service conditions, data smuggling through middleware, API rate limiting, and cross-origin requests.
The document discusses the OWASP API Security Top 10 project which aims to raise awareness of common API vulnerabilities. It highlights some frequent issues like input validation problems, insecure configurations, and data/exception leakage. The document also demonstrates examples of these vulnerabilities using a vulnerable demo API called Pixi.
The document discusses web application security and provides an overview of common vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). It summarizes the OWASP Top 10 list of most critical web app security risks, including injection flaws, broken authentication, sensitive data exposure, and more. The document also offers best practices for developing more securely, like using prepared statements, validating and sanitizing input, and implementing authentication and session management properly.
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
This presentation explains how to discover this vulnerability in an application, how to test for it, and how to mitigate the risk.
The document discusses integrating security testing into the typical iterative development lifecycle through automated software tests at various stages, including unit tests, integration tests, and acceptance tests. It provides examples of using JUnit for unit testing and tools like Cactus, Selenium, and WATIR for integration and acceptance testing to validate valid/invalid inputs and test for vulnerabilities like SQL injection and cross-site scripting.
Pentesting REST APIs, by Gaurang Bhatnagar, OWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
How to analyze the vulnerability of a web application with Kali Linux, by Edlaine Zamora
The document presents the biography and experience of the author Edlaine Zamora, introduces information security concepts, and lists the 10 most critical vulnerabilities in web applications according to OWASP. It demonstrates how Kali Linux can be used to analyze vulnerabilities, focusing on SQL injection using the SQLMap tool on a test site.
I will present and explore the 5 biggest mistakes made by programmers when coding and identify the insecure coding practices that lead to these errors; by instructing developers on secure alternatives, organizations can adopt proactive measures to help significantly reduce or eliminate vulnerabilities in software before deployment.
1. The document presents the 10 most critical security vulnerabilities in web applications for 2007 according to OWASP.
2. The methodology used was to analyze MITRE vulnerability data for 2006 and select the 10 main vulnerabilities related to web applications.
3. The 10 vulnerabilities listed are: Cross Site Scripting, Injection Flaws, Malicious File Execution, Insecure Direct Object Reference, Cross Site Request Forgery, Information Leakage, Authent
The document discusses the ten most critical security risks in web applications according to the OWASP Top 10 Project. It explains each risk, including its elements such as threat agents, exploitability, prevalence, detectability, and impacts. The risks include injection, authentication flaws, cross-site scripting, direct object references, insecure configurations, and data exposure.
The document discusses security analysis of web applications, mentioning the 10 most critical risks identified by OWASP, such as injection, XSS, and configuration flaws. It also provides links about tools and step-by-step guides for security testing.
Daniel Varanda talks about API Security.
Vulnerabilities
- Unauthorized use
- Data eavesdropping
- Parameter manipulation
- Replay of calls
- Denial of Service (DDoS)
Countermeasures
- oAuth
- OpenID
- JWT
- Multi-Factor Authentication
- Encryption (AES, RSA)
- Digital Signature
- Unique Request ID
- WAF
Tips and best practices
- API Gateway / Platform
- OWASP
- SDK
The document discusses the importance of web application security throughout the software development life cycle. It presents the main attack vectors against web applications, such as code injection and cross-site scripting. It argues for the need for security testing from the earliest phases of development to identify and fix vulnerabilities.
1) The document presents the concepts and recommended practices for building end-to-end managed APIs.
2) The stages include strategy planning, design, construction, execution, and instrumentation of the API.
3) The best practices covered include the use of URIs, resources, operations, versioning, media types, status codes, and instrumentation.
There are several reasons that lead a company to expose APIs. Some of them are: extending the reach of its partnerships; facilitating "mobile-cloud" integration; positioning itself as a platform; innovating "openly"; increasing governance and reducing costs.
In this mini-course we explore the entire life cycle of managed REST/JSON APIs, the security mechanisms, access policies, monitoring, communication, and controls.
The document summarizes the 10 main vulnerabilities in web applications according to OWASP (Open Web Application Security Project) and the .NET features for mitigating them, such as data validation, authentication and session management, encryption, and error configuration.
1) The company Site Blindado offers cybersecurity services to protect business websites, including security auditing, vulnerability detection, and active protection against hackers.
2) The services include web application security analysis, malware detection, SSL certificate validation, and penetration testing.
3) The Site Blindado seal increases the credibility and sales conversion of protected sites.
The report summarizes a penetration test performed on a web application to check for security vulnerabilities. The test found no vulnerabilities, and the application complied with security best practices such as configuration, encryption, and authentication. The responsible auditor has extensive experience in cybersecurity.
Second annual report on security incidents in automation networks ..., by TI Safe
The report describes an alarming increase in cybersecurity incidents in Brazilian automation networks in 2015, with malware being the main cause. Vulnerabilities in industrial protocols such as Modbus and ICCP are also being exploited more. High-risk applications such as proxy and P2P expose companies to risks, and security policies for applications should be implemented.
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W..., by Magno Logan
The document discusses the use of the OWASP ESAPI library to provide security in web applications. It presents the objectives and outline of the course, which includes an introduction to common vulnerabilities and to the ESAPI architecture, with examples in Java. It also covers concepts such as code injection and the OWASP Top 10.
This document discusses web application security, defining what web applications and web services are, and addressing risks, vulnerabilities, and common examples, such as invalid parameters, broken access control, and command/SQL injection. The focus is that security starts with the application code and that most intrusions occur due to vulnerabilities in the coding.
Best practices for security in a multi-cloud world, by Alexandre Freire
The document discusses security best practices in multi-cloud environments, highlighting that data and applications are everywhere, making security difficult. An approach is needed that provides consistent protection across clouds and locations, advanced enforcement of data breach prevention, and frictionless deployment and management. The Palo Alto Networks security operating platform addresses these challenges with inline, API-based, and host protections, offering preventive security across all environments.
This document discusses the importance of application security testing to identify vulnerabilities and maintain security. It explains several types of testing such as SAST, DAST, IAST, and SCA and how HCL Software can help development teams write more secure code and provide visibility into application security. Case studies show how customers used HCL Software solutions to improve the security of web applications and systems.
Vulnerability Management in Web Applications and Servers, by Eduardo Lanna
The document discusses the importance of vulnerability management in web applications and presents the N-Stalker system from the company RedeSegura for automated security testing. The system allows defining, executing, and analyzing vulnerability tests in a standardized and continuous way for multiple applications.
Gerenciamento de Vulnerabilidades em Aplicações e Servidores Web
OWASP Top Ten API Project 2019
1.
2. OWASP Top Ten API Project
The 10 most critical security risks in APIs
3. Fernando Galves
20+ years of experience in IT
Certified Application Security Engineer
OWASP Code Review Guide
OWASP São Paulo Chapter Leader
Information Security Director at OITI Technologies
Introduction
8. OWASP Top Ten API 2019
https://www.owasp.org/index.php/OWASP_API_Security_Project
9. API1:2019 - Broken Object Level Authorization
DATA LAYER ACCESS CONTROL
• The vulnerable API does not enforce access control correctly and allows unauthorized access to sensitive data;
• The attack vector can be an enumeration attack on the object ID in the API call.
10. www.example.com.br
(diagram: WAF in front of the API and WEB tiers)
GET /users/ID/info
GET /users/1/info
IDOR (Insecure Direct Object Reference)
Exposes a reference to an internal object
Enumeration Attack
API1:2019 - Broken Object Level Authorization
? Can user X access this data?
DATA LAYER ACCESS CONTROL
Authorization tests
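The two halves of this slide, the ownership check that belongs in front of the data layer and the "authorization tests" that catch an ID enumeration, as an added Python example (it is not code from the slides or from the OWASP project). The account table, the profile records and the access-log lines are all constructed for the example; the log format is an assumed simplified one, and the detection part is what the logging and monitoring discussed later in the deck makes possible:

```python
import re
from collections import defaultdict

# Constructed sample data: authenticated accounts and the profile records they own.
ACCOUNTS = {
    "alice": {"id": 1, "role": "user"},
    "bob":   {"id": 2, "role": "user"},
    "root":  {"id": 99, "role": "admin"},
}
USER_INFO = {
    1: {"id": 1, "email": "alice@example.com.br"},
    2: {"id": 2, "email": "bob@example.com.br"},
}


def can_read_user(caller: str, target_id: int) -> bool:
    """Object-level rule: a profile is visible to its owner and to admins only."""
    account = ACCOUNTS[caller]
    return account["role"] == "admin" or account["id"] == target_id


def get_user_info_vulnerable(caller: str, target_id: int) -> tuple:
    """GET /users/ID/info as the slide describes it: the caller is authenticated,
    but the ID taken from the URL is used directly (IDOR), so any ID can be read."""
    record = USER_INFO.get(target_id)
    return (200, record) if record else (404, None)


def get_user_info(caller: str, target_id: int) -> tuple:
    """Hardened handler: the ownership rule runs before the data layer is touched."""
    if not can_read_user(caller, target_id):
        return (403, None)
    record = USER_INFO.get(target_id)
    return (200, record) if record else (404, None)


# Constructed access-log lines in an assumed "user request status" format.
SAMPLE_LOG = """\
alice "GET /users/1/info" 200
alice "GET /users/2/info" 403
alice "GET /users/3/info" 403
alice "GET /users/4/info" 403
alice "GET /users/5/info" 403
bob "GET /users/2/info" 200
"""
LOG_RE = re.compile(r'^(?P<user>\S+) "GET /users/(?P<id>\d+)/info" (?P<status>\d{3})$')


def find_enumeration(log_text: str, threshold: int = 4) -> list:
    """Return callers that walked through at least `threshold` consecutive object
    IDs: the access pattern an ID enumeration attempt leaves in the logs."""
    ids_by_user = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids_by_user[m["user"]].add(int(m["id"]))
    flagged = []
    for user, ids in ids_by_user.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= threshold:
            flagged.append(user)
    return sorted(flagged)
```

The hardened handler answers 403 before it looks the record up, so a forbidden ID never even reaches the database; the detector then turns the 403s that check produces into an alert on the caller, which is the part a WAF in front of the API cannot do on its own, because it does not know who owns which object.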
13. API2:2019 - Broken Authentication
• The vulnerable API's authentication process is poorly implemented and allows attackers to assume the identities of other users.
14. www.example.com.br
(diagram: WAF in front of the API and WEB tiers)
API2:2019 - Broken Authentication
1 POST /api/v1/auth (credentials) → JWT
2 GET /api/v1/user/1/info (JWT) → JSON
Credential Stuffing
Wordlist
? Does it protect against brute force?
Does it protect against credential stuffing?
Is the JWT managed correctly?
Does the JWT have an expiration?
Does it allow weak passwords?
Attack vector! Manual Code Review for:
- Authentication
- Credential Storage
- Crypto
- Other things of that nature
15. API2:2019 - Broken Authentication
We have all the data needed to brute force the signature!
17. API3:2019 – Excessive Data Exposure
• The vulnerable API exposes more data than the client legitimately needs, relying on the browser or the app to do the filtering.
19. API3:2019 – Excessive Data Exposure
https://www.pentestpartners.com/security-blog/group-sex-app-leaks-locations-pictures-and-other-personal-details-identifies-users-in-white-house-and-supreme-court/
20. API3:2019 – Excessive Data Exposure
https://www.pentestpartners.com/security-blog/group-sex-app-leaks-locations-pictures-and-other-personal-details-identifies-users-in-white-house-and-supreme-court/
21. API4:2019 – Lack of Resources & Rate Limiting
• The vulnerable API is not protected against an excessive number of calls or payload sizes.
• Attackers use this for DoS and brute-force attacks.
22. www.example.com.br
(diagram: WAF in front of the API and WEB tiers)
API4:2019 – Lack of Resources & Rate Limiting
1 GET /api/v1/users?page=1&size=100 → JSON
2 GET /api/v1/users?page=1&size=100000000 → X
Can cause Denial of Service
Can allow a Brute Force Attack
Input Validation
Establish and enforce limits
Docker makes it easy to limit memory, CPU, number of restarts, file descriptors and processes.
The API does not protect against an excessive number of calls or payload sizes
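The two controls named on this slide, input validation of the `size` parameter and a limit on the number of calls, as an added Python example that is not code from the slides. The ceilings, the client identifiers and the handler skeleton are assumptions for the example; the rate limiter is a token bucket kept in process memory, which is enough to show the logic but would live in a shared store or at the gateway/WAF once the API runs on several replicas:

```python
import time

MAX_PAGE_SIZE = 100          # hard ceiling, whatever the client asks for
MAX_BODY_BYTES = 64 * 1024   # reject oversized payloads before parsing them


def clamp_page_size(raw) -> int:
    """Validate the `size` query parameter: non-numeric, zero or negative values
    are errors, and anything above the ceiling is clamped to MAX_PAGE_SIZE, so
    size=100000000 never turns into a query for a hundred million rows."""
    try:
        size = int(raw)
    except (TypeError, ValueError):
        raise ValueError("size must be an integer") from None
    if size < 1:
        raise ValueError("size must be at least 1")
    return min(size, MAX_PAGE_SIZE)


class TokenBucket:
    """Per-client token bucket: up to `capacity` requests in a burst, refilled at
    `rate` tokens per second. `clock` is injectable so the behaviour is testable."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self._buckets = {}   # client id -> (tokens left, timestamp of last refill)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


def list_users(client: str, raw_size, body_len: int, limiter: TokenBucket) -> tuple:
    """Skeleton of GET /api/v1/users returning (status, detail). The cheap checks
    run first so an abusive client is turned away before any work is done."""
    if not limiter.allow(client):
        return 429, "rate limit exceeded"
    if body_len > MAX_BODY_BYTES:
        return 413, "payload too large"
    try:
        size = clamp_page_size(raw_size)
    except ValueError as exc:
        return 400, str(exc)
    return 200, f"returning at most {size} users"
```

Note that the limiter consumes a token even for requests that end in 400 or 413: a client that keeps sending invalid input is still spending its budget, which is what stops the brute-force use of the endpoint the slide mentions.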
23. API5:2019 - Broken Function Level Authorization
• The vulnerable API does not enforce access control on endpoints correctly and allows ordinary users to access unauthorized functions.
URL ACCESS CONTROL
24. www.example.com.br
(diagram: WAF in front of the API and WEB tiers)
? Can user X access this URL?
API5:2019 - Broken Function Level Authorization
URL ACCESS CONTROL
DELETE /api/v1/users/716
ADM
GET /api/v1/users/717
DELETE /api/v1/users/717
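The URL access control from this slide as an added Python example (not code from the slides): a deny-by-default route table keyed on HTTP method and path, so that `GET /api/v1/users/717` is open to an ordinary user while `DELETE` on the same path needs the admin role, and an endpoint nobody wrote a rule for is refused. The roles, paths and expectation table are constructed; `failing_cases` is the "authorization test" a reviewer would run against every endpoint in the inventory:

```python
import re

# Deny-by-default route table: (method, path pattern, roles allowed).
# Anything not listed here is refused for every role until a rule is added.
ROUTES = [
    ("GET",    re.compile(r"^/api/v1/users/\d+$"), {"user", "admin"}),
    ("DELETE", re.compile(r"^/api/v1/users/\d+$"), {"admin"}),
    ("GET",    re.compile(r"^/api/v1/users$"),     {"admin"}),
]


def is_authorized(method: str, path: str, role: str) -> bool:
    """Function-level check: an explicit rule must allow this role on this
    method and path. Keying on the real method keeps a GET rule from covering
    DELETE on the same URL; the query string is ignored when matching."""
    path = path.split("?", 1)[0]
    for rule_method, pattern, roles in ROUTES:
        if rule_method == method.upper() and pattern.match(path):
            return role in roles
    return False


def dispatch(method: str, path: str, role: str) -> int:
    """Status the endpoint would answer with, decided before any handler runs."""
    return 200 if is_authorized(method, path, role) else 403


# Constructed expectations mirroring the slide: ordinary users may read a
# profile, only administrators may delete one, unknown endpoints are closed.
EXPECTED = [
    ("GET",    "/api/v1/users/717", "user",  200),
    ("DELETE", "/api/v1/users/717", "user",  403),
    ("DELETE", "/api/v1/users/716", "admin", 200),
    ("GET",    "/api/v1/users",     "user",  403),
    ("POST",   "/api/v1/users/717", "admin", 403),
]


def failing_cases(expected=EXPECTED) -> list:
    """Run every (method, path, role) pair and return those whose actual status
    differs from the expectation; an empty list means the table holds."""
    failures = []
    for method, path, role, want in expected:
        got = dispatch(method, path, role)
        if got != want:
            failures.append((method, path, role, want, got))
    return failures
```

Keeping the table in one place is the point: when a new admin-only function is added without a rule, the default is a 403 rather than an open endpoint, and the expectation list makes the gap visible in the test suite instead of in a pentest report.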
25. API6:2019 – Mass Assignment
• The vulnerable API allows attackers to modify properties of internal objects that they should not be able to.
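API3 (slide 17) and API6 (this slide) are the same mistake in opposite directions: the whole internal object is sent out, or the whole request body is copied in. Both are fixed with an allowlist, so one added Python example covers them; it is not code from the slides, and the record, field lists and payloads are constructed:

```python
import copy

# Constructed internal record: it carries more than any client should see or set.
USER_RECORD = {
    "id": 7,
    "username": "fgalves",
    "email": "fgalves@example.com.br",
    "password_hash": "<argon2 hash placeholder>",
    "is_admin": False,
    "credit_balance": 0,
}

PUBLIC_FIELDS = ("id", "username")          # visible to any authenticated client
OWNER_FIELDS = PUBLIC_FIELDS + ("email",)   # additionally visible to the record's owner
WRITABLE_FIELDS = ("username", "email")     # the only keys a client may change


def serialize_user(record: dict, viewer_is_owner: bool) -> dict:
    """API3 fix: the server builds the response from an allowlist instead of
    returning the whole record and trusting the browser or app to hide fields."""
    fields = OWNER_FIELDS if viewer_is_owner else PUBLIC_FIELDS
    return {name: record[name] for name in fields}


def update_user_vulnerable(record: dict, payload: dict) -> dict:
    """API6 as the slide describes it: every key in the body is copied onto the
    object, so a body containing {"is_admin": true} escalates privileges."""
    updated = copy.deepcopy(record)
    updated.update(payload)
    return updated


def rejected_fields(payload: dict) -> list:
    """Keys in the request body that are not on the allowlist."""
    return sorted(set(payload) - set(WRITABLE_FIELDS))


def update_user(record: dict, payload: dict) -> dict:
    """API6 fix: bind only allowlisted fields and reject the rest explicitly, so
    a client learns its request was wrong instead of having keys silently dropped."""
    bad = rejected_fields(payload)
    if bad:
        raise ValueError(f"fields not writable: {bad}")
    updated = copy.deepcopy(record)
    updated.update(payload)
    return updated
```

Rejecting unknown keys rather than ignoring them is a deliberate choice: it keeps a client bug from going unnoticed and it turns a probe for hidden properties into a logged 400 instead of a silent no-op.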
27. API7:2019 – Security Misconfiguration
• Security Misconfiguration is usually the result of:
• Insecure default configurations;
• Incomplete or ad-hoc configurations;
• Open cloud storage;
• Misconfigured HTTP headers;
• Unnecessary HTTP methods;
• Permissive Cross-Origin Resource Sharing (CORS);
• Verbose error messages containing sensitive information.
28. www.example.com.br
(diagram: WAF in front of the API and WEB tiers)
API7:2019 – Security Misconfiguration
?
Default configuration in production
Patches not applied
Error messages with stack traces
Weak cryptography
Permissive Cross-Origin Resource Sharing
Misconfigured HTTP headers
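Several items on slides 27 and 28 (misconfigured headers, permissive CORS, unnecessary HTTP methods, stack traces in error messages, version banners left by default configurations) can be checked from a single HTTP response. As an added Python example, not code from the slides, this audit function takes the response headers, the body and the method list an endpoint advertises and returns finding codes. The finding names, the marker strings and the two sample responses are constructed; `request_origin` is meant to be a probe Origin the auditor controls, so that seeing it echoed back together with credentials means the server reflects any Origin:

```python
STACK_TRACE_MARKERS = ("Traceback (most recent call last)", "\tat ", "Exception in thread")


def audit_response(headers: dict, body: str = "", request_origin: str = None,
                   allowed_methods=()) -> list:
    """Return a sorted list of finding codes for one API response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = set()

    if "strict-transport-security" not in h:
        findings.add("missing-hsts")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.add("missing-nosniff")
    for banner in ("server", "x-powered-by"):
        # a version number in a banner is the default most servers ship with
        if banner in h and any(ch.isdigit() for ch in h[banner]):
            findings.add("version-disclosure")

    acao = h.get("access-control-allow-origin")
    with_credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.add("cors-wildcard")
    elif acao and request_origin and acao == request_origin and with_credentials:
        # the probe origin came back with credentials: the allowlist is not a list
        findings.add("cors-origin-reflected-with-credentials")

    for method in allowed_methods:
        if method.upper() in ("TRACE", "TRACK"):
            findings.add("unnecessary-http-method")

    if any(marker in body for marker in STACK_TRACE_MARKERS):
        findings.add("stack-trace-in-error")

    return sorted(findings)


# Constructed sample responses: one left on defaults, one hardened.
WEAK_HEADERS = {
    "Server": "Apache/2.4.29",
    "Access-Control-Allow-Origin": "*",
    "Content-Type": "application/json",
}
WEAK_BODY = 'Traceback (most recent call last):\n  File "app.py", line 12, in login'

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "https://app.example.com.br",
    "Content-Type": "application/json",
}
HARDENED_BODY = '{"error": "authentication failed"}'
```

Run the audit against every endpoint's error path as well as its success path: the stack trace and the banner usually show up only when something fails, which is exactly the response a default configuration leaves unhardened.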
36. API8:2019 – Injection
• Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query;
• The attacker's malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
37. www.example.com.br
(diagram: WAF in front of the API and WEB tiers)
API8:2019 – Injection
POST /api/v1/auth
usr: teste
pwd: teste123
select name from users where username = `teste` and password = `teste123`
POST /api/v1/auth
usr: ` or 1=1 or `
pwd: 123456
select name from users where username = `` or 1=1 or `` and password = `123456`
Blocked
EXAMPLE: SQL INJECTION
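The slide's login query in both forms, as an added Python example (not code from the slides) run against an in-memory SQLite table: the concatenated version, which the `or 1=1 or` payload turns into a query that always matches, beside the parameterized version, in which the same input is compared as a literal string and matches nothing. The table, its single row and the payload written with single quotes are constructed for the example; the plaintext password column only mirrors the slide, a real system stores a salted hash:

```python
import sqlite3

INJECTION_PAYLOAD = "' or 1=1 or '"   # the slide's payload, with single quotes


def open_db() -> sqlite3.Connection:
    """Constructed in-memory table with the one user from the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, name TEXT)")
    conn.execute("INSERT INTO users VALUES ('teste', 'teste123', 'Usuario Teste')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, usr: str, pwd: str):
    """Builds the statement by string concatenation, as on the slide. The
    payload becomes part of the SQL, and `or 1=1` makes the WHERE clause true."""
    sql = f"select name from users where username = '{usr}' and password = '{pwd}'"
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, usr: str, pwd: str):
    """Parameterized statement: the driver sends the values separately from the
    SQL text, so the payload is just a username that does not exist."""
    sql = "select name from users where username = ? and password = ?"
    return conn.execute(sql, (usr, pwd)).fetchone()


def rendered_vulnerable_sql(usr: str, pwd: str) -> str:
    """The text the vulnerable version actually executes, for review logs."""
    return f"select name from users where username = '{usr}' and password = '{pwd}'"
```

A WAF in front of the API (the "Blocked" on the slide) can stop the textbook payload, but only the parameterized query removes the class of bug; input that slips past a signature still cannot change the structure of the statement.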
39. API9:2019 – Improper Assets Management
• The attacker finds non-production versions of the API, such as test, beta or earlier versions, which are not as well protected and can be used to launch an attack.
40. API9:2019 – Improper Assets Management
www.example.com.br
(diagram: WAF in front of the API and WEB tiers)
POST /api/v1/auth
POST /api/v1/auth
beta-api.example.com.br
Inventory
Decommissioning/versioning plan
INVENTORY
Test, beta and deprecated versions that remain in production
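The inventory the slide calls for only helps if something compares it against what is actually reachable. As an added Python example (not code from the slides), this audit takes a declared inventory with an environment and a sunset date per host and a list of observed hosts, and reports hosts that are not in the inventory at all, non-production hosts exposed to the Internet, and versions kept running past their sunset date. The inventory entries and the observed list are constructed; in practice the observed list would come from DNS zone data, certificate transparency logs or the WAF's backend list:

```python
from datetime import date

# Constructed inventory: the API hosts the organization says it operates.
INVENTORY = {
    "www.example.com.br": {"version": "v1", "env": "prod", "sunset": None},
    "beta-api.example.com.br": {"version": "v2-beta", "env": "beta", "sunset": date(2019, 6, 30)},
}

# Constructed observation: hosts that actually answer on the Internet.
OBSERVED = ["www.example.com.br", "beta-api.example.com.br", "old-api.example.com.br"]


def audit_assets(inventory: dict, observed: list, today: date) -> list:
    """Compare reachable hosts with the inventory; return (host, finding) pairs,
    in the order the hosts were observed."""
    findings = []
    for host in observed:
        entry = inventory.get(host)
        if entry is None:
            # nobody owns it, nobody patches it: the classic forgotten version
            findings.append((host, "reachable but not in inventory"))
            continue
        if entry["env"] != "prod":
            findings.append((host, f"{entry['env']} environment reachable from the Internet"))
        if entry["sunset"] is not None and today > entry["sunset"]:
            findings.append((host, f"past sunset date {entry['sunset'].isoformat()} but still reachable"))
    return findings


def hosts_with_findings(inventory: dict, observed: list, today: date) -> list:
    """Distinct hosts that need attention, for a ticket per host."""
    return sorted({host for host, _ in audit_assets(inventory, observed, today)})
```

The sunset date is what turns "deprecated" into something a script can enforce: a version without one never expires, which is how test and beta endpoints end up serving production traffic years later.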
41. API10:2019 – Insufficient Logging & Monitoring
• The lack of proper logging, monitoring and alerting lets attacks go unnoticed.