SlideShare a Scribd company logo

Introduction to OWASP

Download as PPTX, PDF
Thomas F. "T.J." Maher Jr., profile picture
Thomas F. "T.J." Maher Jr.

The document introduces the Open Web Application Security Project (OWASP), a resource established to improve security testing in web applications. The top ten vulnerabilities identified by OWASP highlight critical risks such as injection, authentication issues, and insecure data exposure. Additionally, it mentions the effectiveness of crowd-sourced security testing through bug bounty programs involving public participation.

Internet
1 of 7
Download to read offline
1
2
3
4
5
6
7
Introduction to OWASP: a Security Testing Resource Thomas F. Maher, Jr. (“T.J.”) Sr. QA Engineer, Fitbit 4/30/2015
My Experience using OWASP • OWASP: Open Web Application Security Project • Worked as part of Security Testing Team at Intralinks (2011 – 2013) • Purpose: Integrate security testing into Quality Assurance practices • Three person team: • QA Manager • Chief Security Architect • QA Engineer (me) • Weekly Meetings: hour long discussions on introduction to security testing and what manual tests QA could perform, using OWASP as a guide
Introducing OWASP.org • Open Web Application Security Project (OWASP) https://www.owasp.org/ • OWASP has been active since 2001 • Produces a list of Testing Guides. Version 4 released Sept. 2014: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents • Produces a list of Top Ten Vulnerabilities available as a wiki or PDF format: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project • Developers Guide: https://www.owasp.org/index.php/Category:OWASP_Guide_Project • Creates tools so security testers and developers can improve security and test against various web applications: WebGoat, RailsGoat, NodeGoat https://github.com/OWASP
OWASP Top 10 - 2013 Risk Description A1 - Injection Untrusted data sent to SQL command or query A2 – Broken Authentication & Session Management User authentication isn’t protected by hashing or encryption. Weak account management / forgot password. Session IDs don’t time out. A3 – Cross Site Scripting (XSS) Untrusted data sent to browser without validation. User sessions can be hijacked, browsers defaced. A4 – Insecure Direct Object Readiness References to files, directories or database keys that are exposed to the public but aren’t in password protected area. A5 – Security Misconfiguration Security configurations need to be activate and up-to-date. A6 – Sensitive Data Exposure Credit cards, tax ids, need to be encrypted both being stored and in transit. A7 – Missing Function Level Access Control Applications need access control checks each time functions are accessed so requests can’t be forged. A8 - Cross Site Request Forgery Forged HTTP requests, forged session cookies. A9 – Using Components with Known Vulnerabilities Libraries, frameworks, running with full privileges, if vulnerable, can be exploited causing server takeover. A10 – Unvalidated Redirects and Forwards Victims redirected to phishing or malware sites. Taken from https://www.owasp.org/index.php/Top_10_2013-Top_10
Top10–2013–A3-CrossSiteScripting Taken from https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
OWASPRailsGoat OWASP RailsGoat test application runs locally from local computer • Official page: https://www.owasp.org/index.php/OWASP_Rails_Goat_Project • Unofficial page: http://railsgoat.cktricky.com/ • GitHub: https://github.com/OWASP/railsgoat
How the Crowd is Discovering Critical Vulnerabilities Missed by Traditional Methods: Wednesday, May 6th, 2015 @ 6:30 PM Hosted by Akamai in Kendall Square, Cambridge, MA • How companies setting up “Bug Bounties” are getting the general public involved in security testing. • The speaker, Leif Dreizler, is a Sr. Security Engineer from Bugcrowd https://bugcrowd.com/products More about Leif Dreizler: • LinkedIn: https://www.linkedin.com/in/leifdreizler • Twitter: https://twitter.com/leifdreizler • Github: https://github.com/leifdreizler Taken from http://www.meetup.com/owaspboston/events/221696816/

More Related Content

PPTX
23 owasp top 10 - resources
appsec
 
PPTX
Securing broken access controls on Oracle E-business suite
Suraj Khetani
 
PPTX
OWASP Top Ten 2017
Michael Furman
 
PPTX
Owasp top 10 security threats
Vishal Kumar
 
PDF
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
PDF
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
PPTX
Security misconfiguration
Micho Hayek
 
PDF
Five Principles to API Security
Isabelle Mauny
 
23 owasp top 10 - resources
appsec
 
Securing broken access controls on Oracle E-business suite
Suraj Khetani
 
OWASP Top Ten 2017
Michael Furman
 
Owasp top 10 security threats
Vishal Kumar
 
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
Security misconfiguration
Micho Hayek
 
Five Principles to API Security
Isabelle Mauny
 

What's hot (20)

PPTX
AppSec Pipeline Reference Architecture
Aaron Weaver
 
PDF
API Security Guidelines: Beyond SSL and OAuth.
Isabelle Mauny
 
PDF
The Dev, Sec and Ops of API Security - API World
42Crunch
 
PDF
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
PDF
Project and Community Services the Apache Way, Bertrand Delacretaz, Apache Fo...
OW2
 
PDF
Why you need API Security Automation
42Crunch
 
PDF
API Security in a Microservices World
42Crunch
 
PDF
Applying API Security at Scale
Nordic APIs
 
PDF
API Security with Postman and Qualys
Postman
 
PPTX
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
PPTX
Data-driven API Security
Apigee | Google Cloud
 
PDF
SARCON Talk - Vandana Verma Sehgal
Vandana Verma
 
PDF
Guidelines to protect your APIs from threats
Isabelle Mauny
 
PPTX
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
Alex Cachia
 
PDF
Syhunt Presentation 2011
syhunt
 
PDF
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
PDF
Top 10 web application security risks akash mahajan
Akash Mahajan
 
PDF
Jobvite: A Holistic Approach to Security
Theodore Kim
 
PDF
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
PDF
OWASP API Security Top 10 - API World
42Crunch
 
AppSec Pipeline Reference Architecture
Aaron Weaver
 
API Security Guidelines: Beyond SSL and OAuth.
Isabelle Mauny
 
The Dev, Sec and Ops of API Security - API World
42Crunch
 
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
Project and Community Services the Apache Way, Bertrand Delacretaz, Apache Fo...
OW2
 
Why you need API Security Automation
42Crunch
 
API Security in a Microservices World
42Crunch
 
Applying API Security at Scale
Nordic APIs
 
API Security with Postman and Qualys
Postman
 
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
Data-driven API Security
Apigee | Google Cloud
 
SARCON Talk - Vandana Verma Sehgal
Vandana Verma
 
Guidelines to protect your APIs from threats
Isabelle Mauny
 
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
Alex Cachia
 
Syhunt Presentation 2011
syhunt
 
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
Top 10 web application security risks akash mahajan
Akash Mahajan
 
Jobvite: A Holistic Approach to Security
Theodore Kim
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
OWASP API Security Top 10 - API World
42Crunch
 
Ad

Similar to Introduction to OWASP (20)

PDF
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
PPTX
Owasp top 10_-_2010 presentation
Islam Azeddine Mennouchi
 
PPTX
OWASP -Top 5 Jagjit
Jagjit Singh Brar
 
PPTX
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
PPTX
security misconfigurations
Megha Sahu
 
PDF
ISC2: AppSec & OWASP Primer
ThreatReel Podcast
 
PDF
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
ODP
OISF - AppSec Presentation
ThreatReel Podcast
 
PDF
Web Application Security 101
Cybersecurity Education and Research Centre
 
PPTX
Securing your web applications a pragmatic approach
Antonio Parata
 
RTF
OctaviusWaltonResume
Octavius Walton
 
PPTX
OWASP OTG-configuration (OWASP Thailand chapter november 2015)
Noppadol Songsakaew
 
PPTX
Security testautomation
Linkesh Kanna Velu
 
PPTX
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Derrick Hunter
 
PPTX
Web application vulnerability assessment
Ravikumar Paghdal
 
PPTX
OWASP Top 10 2021 What's New
Michael Furman
 
PPTX
Cyber ppt
karthik menon
 
PDF
Continuous Security Testing
Ray Lai
 
PPTX
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
PPT
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
jangomanso
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
Owasp top 10_-_2010 presentation
Islam Azeddine Mennouchi
 
OWASP -Top 5 Jagjit
Jagjit Singh Brar
 
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
security misconfigurations
Megha Sahu
 
ISC2: AppSec & OWASP Primer
ThreatReel Podcast
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
OISF - AppSec Presentation
ThreatReel Podcast
 
Web Application Security 101
Cybersecurity Education and Research Centre
 
Securing your web applications a pragmatic approach
Antonio Parata
 
OctaviusWaltonResume
Octavius Walton
 
OWASP OTG-configuration (OWASP Thailand chapter november 2015)
Noppadol Songsakaew
 
Security testautomation
Linkesh Kanna Velu
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Derrick Hunter
 
Web application vulnerability assessment
Ravikumar Paghdal
 
OWASP Top 10 2021 What's New
Michael Furman
 
Cyber ppt
karthik menon
 
Continuous Security Testing
Ray Lai
 
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
jangomanso
 
Ad

Recently uploaded (20)

PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PDF
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
PPTX
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
PDF
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
PDF
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
PPTX
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
PDF
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PPTX
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
PDF
Smart Home Technology for Health Monitoring (www.kiu.ac.ug)
publication11
 
DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PPTX
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
Smart Home Technology for Health Monitoring (www.kiu.ac.ug)
publication11
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 

Introduction to OWASP

  • 1. Introduction to OWASP: a Security Testing Resource Thomas F. Maher, Jr. (“T.J.”) Sr. QA Engineer, Fitbit 4/30/2015
  • 2. My Experience using OWASP • OWASP: Open Web Application Security Project • Worked as part of Security Testing Team at Intralinks (2011 – 2013) • Purpose: Integrate security testing into Quality Assurance practices • Three person team: • QA Manager • Chief Security Architect • QA Engineer (me) • Weekly Meetings: hour long discussions on introduction to security testing and what manual tests QA could perform, using OWASP as a guide
  • 3. Introducing OWASP.org • Open Web Application Security Project (OWASP) https://www.owasp.org/ • OWASP has been active since 2001 • Produces a list of Testing Guides. Version 4 released Sept. 2014: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents • Produces a list of Top Ten Vulnerabilities available as a wiki or PDF format: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project • Developers Guide: https://www.owasp.org/index.php/Category:OWASP_Guide_Project • Creates tools so security testers and developers can improve security and test against various web applications: WebGoat, RailsGoat, NodeGoat https://github.com/OWASP
  • 4. OWASP Top 10 - 2013 Risk Description A1 - Injection Untrusted data sent to SQL command or query A2 – Broken Authentication & Session Management User authentication isn’t protected by hashing or encryption. Weak account management / forgot password. Session IDs don’t time out. A3 – Cross Site Scripting (XSS) Untrusted data sent to browser without validation. User sessions can be hijacked, browsers defaced. A4 – Insecure Direct Object Readiness References to files, directories or database keys that are exposed to the public but aren’t in password protected area. A5 – Security Misconfiguration Security configurations need to be activate and up-to-date. A6 – Sensitive Data Exposure Credit cards, tax ids, need to be encrypted both being stored and in transit. A7 – Missing Function Level Access Control Applications need access control checks each time functions are accessed so requests can’t be forged. A8 - Cross Site Request Forgery Forged HTTP requests, forged session cookies. A9 – Using Components with Known Vulnerabilities Libraries, frameworks, running with full privileges, if vulnerable, can be exploited causing server takeover. A10 – Unvalidated Redirects and Forwards Victims redirected to phishing or malware sites. Taken from https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 6. OWASPRailsGoat OWASP RailsGoat test application runs locally from local computer • Official page: https://www.owasp.org/index.php/OWASP_Rails_Goat_Project • Unofficial page: http://railsgoat.cktricky.com/ • GitHub: https://github.com/OWASP/railsgoat
  • 7. How the Crowd is Discovering Critical Vulnerabilities Missed by Traditional Methods: Wednesday, May 6th, 2015 @ 6:30 PM Hosted by Akamai in Kendall Square, Cambridge, MA • How companies setting up “Bug Bounties” are getting the general public involved in security testing. • The speaker, Leif Dreizler, is a Sr. Security Engineer from Bugcrowd https://bugcrowd.com/products More about Leif Dreizler: • LinkedIn: https://www.linkedin.com/in/leifdreizler • Twitter: https://twitter.com/leifdreizler • Github: https://github.com/leifdreizler Taken from http://www.meetup.com/owaspboston/events/221696816/