SlideShare a Scribd company logo

How to produce more secure web apps

Download as PPTX, PDF
D
Damilola Longe, CISSP, CCSP, MSc

This document discusses how to produce more secure web applications. It identifies that the core security problem facing web applications is handling untrusted user input in a safe manner to prevent attacks like XSS and CSRF. It recommends following a secure development lifecycle that includes requirements gathering, design, development, testing, and change control phases. During these phases, activities like threat modeling, secure coding practices, code reviews, and security testing can help balance functionality and security. Training, coding standards, and resources from OWASP can also help developers build more secure applications.

Software
1 of 20
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Presented to BT Fresca development Teams Date 14/11/13 By Damilola Longe How to produce more secure web apps
We are secure, so what is the problem? or are we?
What do we really know? What is XSS? “
Why SDL? • Compliance regulations – PCI, Data Protection and Privacy • Better IT security strategy – continuous security (BaU) and security as a shared responsibility • Functionality versus Security – balancing act
What is the core security problem facing web applications?
Answer A huge variety of attacks against web applications involve submitting input, crafted to cause behaviour that was not intended by the application’s designers. Applications must handle user input in a safe manner Users can submit arbitrary input – untrusted data
Handling User input • Blacklist validation • Whitelist validation • Safe re-encoding https://www.owasp.org/index.php/Category: OWASP_Enterprise_Security_API • Semantics checks • Boundary Validation and defence in-depth
Handling Attackers • Error handling • Maintaining audit logs • alerting administrators • reacting to attacks
Problem Areas • XSS 94% - enables an attacker to target other users of the application, potentially gaining access to their data, or carry out other attacks against them • CSRF 92% - allows a malicious web site visited by a victim user to interact with the application to perform actions that the user did not intend • Information leakage 78% - application divulging sensitive information that is of use to an attacker • Broken access controls 71% - app fails properly protect access to its data and functionality, potentially enabling an attacker to view other uses data • Broken authentication 62% - defects within the applications login mechanism which may enable an attacker to guess weak passwords, launch a brute-force attack, or bypass the login • SQL injection 32% - enables an attacker to submit input to interfere with the applications interactions with back-end database
Web Application Security Consortium (WASC)
So what can we do?
Training • increase Security awareness • local sessions • online webinars/conferences • developer courses • self study
Secure development lifecycle process • Application development policy • Coding standards • Project Management - SoW
Requirements gathering Phase • Security requirements • Security risk assessment • Privacy risk assessment • Risk-level acceptance
Design Phase • Attack surface analysis • Threat modelling
Development Phase • Adhering to development guidelines • Integrating secure coding practices into development • Peer/code review, advice • Most critical phase
Security Testing/validation Phase
Change control • Human Error • Software bugs • Implementation Errors • Changes to systems
Best practices, resources.. Open Web Application Security Project (OWASP) • https://www.owasp.org/index.php/Top_10_2013- Top_10 • https://www.owasp.org/index.php/Cheat_Sheets Training resource • http://securitycompass.com/computer-based- training/free-owasp-top-10/
How to produce more secure web apps

More Related Content

PPTX
Application security
Hagar Alaa el-din
 
PPT
Application Security
Reggie Niccolo Santos
 
PDF
Cyber security series Application Security
Jim Kaplan CIA CFE
 
PPTX
Ethical Hacking Services
Virtue Security
 
PPTX
Hide and seek - Attack Surface Management and continuous assessment.
Eoin Keary
 
PPTX
What is security testing and why it is so important?
ONE BCG
 
PDF
Security Testing for Test Professionals
TechWell
 
PPTX
Is Antivirus (AV) Dead or Just Missing in Action
Quick Heal Technologies Ltd.
 
Application security
Hagar Alaa el-din
 
Application Security
Reggie Niccolo Santos
 
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Ethical Hacking Services
Virtue Security
 
Hide and seek - Attack Surface Management and continuous assessment.
Eoin Keary
 
What is security testing and why it is so important?
ONE BCG
 
Security Testing for Test Professionals
TechWell
 
Is Antivirus (AV) Dead or Just Missing in Action
Quick Heal Technologies Ltd.
 

What's hot (20)

PPTX
Security Testing
Qualitest
 
PPT
CDM….Where do you start? (OA Cyber Summit)
Open Analytics
 
PPTX
What is Next-Generation Antivirus?
Ryan G. Murphy
 
PPTX
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24
 
PDF
Application security testing an integrated approach
Idexcel Technologies
 
PPTX
#ALSummit: Live Cyber Hack Demonstration
Alert Logic
 
PPS
Security testing
Tabăra de Testare
 
PDF
Web Application Penetration Testing
Priyanka Aash
 
PPTX
Security vulnerability
A. Shamel
 
PDF
Carbon Black Corporate Overview 2016
Exclusive Networks ME
 
PPTX
5 things i wish i knew about sast (DSO-LG July 2021)
Michael Man
 
PPTX
Outpost24 webinar: best practice for external attack surface management
Outpost24
 
KEY
EISA Considerations for Web Application Security
Larry Ball
 
PDF
Testing Web Application Security
Ted Husted
 
PPTX
What's new in​ CEHv11?
EC-Council
 
PPTX
Security testing fundamentals
Cygnet Infotech
 
PDF
Application Security Guide for Beginners
Checkmarx
 
PDF
Introduction to Security Testing
vodQA
 
PPTX
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24
 
PDF
Security testing presentation
Confiz
 
Security Testing
Qualitest
 
CDM….Where do you start? (OA Cyber Summit)
Open Analytics
 
What is Next-Generation Antivirus?
Ryan G. Murphy
 
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24
 
Application security testing an integrated approach
Idexcel Technologies
 
#ALSummit: Live Cyber Hack Demonstration
Alert Logic
 
Security testing
Tabăra de Testare
 
Web Application Penetration Testing
Priyanka Aash
 
Security vulnerability
A. Shamel
 
Carbon Black Corporate Overview 2016
Exclusive Networks ME
 
5 things i wish i knew about sast (DSO-LG July 2021)
Michael Man
 
Outpost24 webinar: best practice for external attack surface management
Outpost24
 
EISA Considerations for Web Application Security
Larry Ball
 
Testing Web Application Security
Ted Husted
 
What's new in​ CEHv11?
EC-Council
 
Security testing fundamentals
Cygnet Infotech
 
Application Security Guide for Beginners
Checkmarx
 
Introduction to Security Testing
vodQA
 
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24
 
Security testing presentation
Confiz
 
Ad

Viewers also liked (6)

PDF
Herramientas Libres para el Análisis de Vulnerabilidades OWASP ZAP
Alvaro Machaca Tola
 
PPTX
Web Application Defences
Damilola Longe, CISSP, CCSP, MSc
 
PDF
Análisis de riesgos aplicando la metodología OWASP
Alvaro Machaca Tola
 
PDF
PCI DSS - Payment Card Industry Data Security Standard
Alvaro Machaca Tola
 
PDF
OWASP Mobile Top 10
NowSecure
 
ODP
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
Herramientas Libres para el Análisis de Vulnerabilidades OWASP ZAP
Alvaro Machaca Tola
 
Web Application Defences
Damilola Longe, CISSP, CCSP, MSc
 
Análisis de riesgos aplicando la metodología OWASP
Alvaro Machaca Tola
 
PCI DSS - Payment Card Industry Data Security Standard
Alvaro Machaca Tola
 
OWASP Mobile Top 10
NowSecure
 
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
Ad

Similar to How to produce more secure web apps (20)

PDF
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
PPTX
How to develop an AppSec culture in your project
99X Technology
 
PPTX
Building an AppSec Culture
Nirosh Jayaratnam
 
PPTX
Web Application Hacking tools .pptx
Guna Dhondwad
 
PDF
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
PDF
Web Application Penetration Testing Course in 2025.pdf
daksh908982
 
PDF
Cybersecurity update 12
Jim Kaplan CIA CFE
 
PPTX
Enterprise under attack dealing with security threats and compliance
SPAN Infotech (India) Pvt Ltd
 
PPTX
Application Threat Modeling
Rochester Security Summit
 
PPTX
Web_Appication_Security_Training_For_Developers.pptx
xobewe1102
 
PPTX
00. introduction to app sec v3
Eoin Keary
 
PPTX
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
PPTX
CyberSecurityppt. pptx
iamayesha2526
 
PPTX
Application Hackers Have A Handbook. Why Shouldn't You?
London School of Cyber Security
 
PPTX
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
PDF
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Denim Group
 
PPTX
tas-s6-software-engineering-slide-deck-secure-software-architecture.pptx
Mostafa Taghizade
 
PDF
Protecting microservices using secure design patterns 1.0
Trupti Shiralkar, CISSP
 
PDF
Secure Software Development: Best practice and strategies.pdf
Nexflare Dynamics
 
PPTX
Introduction to security testing raj
Rajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
How to develop an AppSec culture in your project
99X Technology
 
Building an AppSec Culture
Nirosh Jayaratnam
 
Web Application Hacking tools .pptx
Guna Dhondwad
 
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
Web Application Penetration Testing Course in 2025.pdf
daksh908982
 
Cybersecurity update 12
Jim Kaplan CIA CFE
 
Enterprise under attack dealing with security threats and compliance
SPAN Infotech (India) Pvt Ltd
 
Application Threat Modeling
Rochester Security Summit
 
Web_Appication_Security_Training_For_Developers.pptx
xobewe1102
 
00. introduction to app sec v3
Eoin Keary
 
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
CyberSecurityppt. pptx
iamayesha2526
 
Application Hackers Have A Handbook. Why Shouldn't You?
London School of Cyber Security
 
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Denim Group
 
tas-s6-software-engineering-slide-deck-secure-software-architecture.pptx
Mostafa Taghizade
 
Protecting microservices using secure design patterns 1.0
Trupti Shiralkar, CISSP
 
Secure Software Development: Best practice and strategies.pdf
Nexflare Dynamics
 
Introduction to security testing raj
Rajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 

Recently uploaded (20)

PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PDF
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
System and Network Administraation Chapter 3
jaramharo
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Introduction to Artificial Intelligence
lohedi9363
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 

How to produce more secure web apps

  • 1. Presented to BT Fresca development Teams Date 14/11/13 By Damilola Longe How to produce more secure web apps
  • 2. We are secure, so what is the problem? or are we?
  • 3. What do we really know? What is XSS? “
  • 4. Why SDL? • Compliance regulations – PCI, Data Protection and Privacy • Better IT security strategy – continuous security (BaU) and security as a shared responsibility • Functionality versus Security – balancing act
  • 5. What is the core security problem facing web applications?
  • 6. Answer A huge variety of attacks against web applications involve submitting input, crafted to cause behaviour that was not intended by the application’s designers. Applications must handle user input in a safe manner Users can submit arbitrary input – untrusted data
  • 7. Handling User input • Blacklist validation • Whitelist validation • Safe re-encoding https://www.owasp.org/index.php/Category: OWASP_Enterprise_Security_API • Semantics checks • Boundary Validation and defence in-depth
  • 8. Handling Attackers • Error handling • Maintaining audit logs • alerting administrators • reacting to attacks
  • 9. Problem Areas • XSS 94% - enables an attacker to target other users of the application, potentially gaining access to their data, or carry out other attacks against them • CSRF 92% - allows a malicious web site visited by a victim user to interact with the application to perform actions that the user did not intend • Information leakage 78% - application divulging sensitive information that is of use to an attacker • Broken access controls 71% - app fails properly protect access to its data and functionality, potentially enabling an attacker to view other uses data • Broken authentication 62% - defects within the applications login mechanism which may enable an attacker to guess weak passwords, launch a brute-force attack, or bypass the login • SQL injection 32% - enables an attacker to submit input to interfere with the applications interactions with back-end database
  • 10. Web Application Security Consortium (WASC)
  • 11. So what can we do?
  • 12. Training • increase Security awareness • local sessions • online webinars/conferences • developer courses • self study
  • 13. Secure development lifecycle process • Application development policy • Coding standards • Project Management - SoW
  • 14. Requirements gathering Phase • Security requirements • Security risk assessment • Privacy risk assessment • Risk-level acceptance
  • 15. Design Phase • Attack surface analysis • Threat modelling
  • 16. Development Phase • Adhering to development guidelines • Integrating secure coding practices into development • Peer/code review, advice • Most critical phase
  • 18. Change control • Human Error • Software bugs • Implementation Errors • Changes to systems
  • 19. Best practices, resources.. Open Web Application Security Project (OWASP) • https://www.owasp.org/index.php/Top_10_2013- Top_10 • https://www.owasp.org/index.php/Cheat_Sheets Training resource • http://securitycompass.com/computer-based- training/free-owasp-top-10/

Editor's Notes

  • #2: During the slide show, clicking on the [_] icon will take you to the appropriate screenshot of the software. To return to the main presentation, press Esc or click next twice.