Webinar–Using Evidence-Based Security
0 likes162 views
The document discusses the history and development of the OWASP Top 10, focusing on the 2017 release and the importance of evidence-based security in development. It highlights the collaboration and data collection efforts that contributed to the updated list, including the challenges faced in maintaining data quality. The OWASP Top 10 serves as an awareness tool for web application security risks and emphasizes the need for continuous improvement in security practices.
Webinar–Using Evidence-Based Security
- 1. © 2019 Synopsys, Inc. 1 Using Evidence-Based Security in Your Secure Development Life Cycle • Andrew van der Stock • Senior Principal Consultant, Synopsys • OWASP Top 10 Co-Lead • OWASP Application Security Verification Standard Co-Lead
- 2. © 2019 Synopsys, Inc. 2 Andrew van der Stock Joined OWASP late 2002 (ish) Executive Director 2005–2007 OWASP Developer Guide 2.0 (2003– 2005) OWASP Top 10 2007 OWASP ESAPI for PHP (sorry!) OWASP Application Security Verification Standard (2009–2018) OWASP Top 10 2017 Board Member 2015–2018
- 3. © 2019 Synopsys, Inc. 3 Difficult gestation OWASP Top 10 history
- 4. © 2019 Synopsys, Inc. 4 Top 10 is awareness. Period.
- 5. © 2019 Synopsys, Inc. 5 Source: I Can Has Cheezeburger
- 6. © 2019 Synopsys, Inc. 6 Criticism—valid and invalid • “Not OWASP-like” – A7 Monitoring and A10 API Protection boiled down to “failure to buy a tool” – From a vendor who sets the standard – From a vendor who owns the tool-type market • John Steven and others had ontological issues with both controls and vulnerabilities (“Define vulnerability. Is that a vulnerability?”) • Others had problems with the data quality • Showed us people really care about the OWASP Top 10! Source: I Can Has Cheezeburger
- 7. © 2019 Synopsys, Inc. 7 Leadership • Dave Wichers and Jeff Williams stood down • Handed it over to Andrew van der Stock • Immediately appointed co-leaders –Neil Smithline (participated since 2004) –Torsten Gigler (German translator since 2010) –And the team added … Brian Glas (data geek) Source: I Can Has Cheezeburger
- 8. © 2019 Synopsys, Inc. 8 Project Summit • OWASP Project Summit • 10–15 folks local, including Brian Glas and Dave Wichers • 5–10 folks remote, including Andrew van der Stock • Aimed for a release in 2017 (achieved) • Agreed to reopen data call (done) • Agreed on up to two forward-looking issues (done) • Agreed to open a new survey (done) • Agreed to work in the open at GitHub (done) Source: I Can Has Cheezeburger
- 9. © 2019 Synopsys, Inc. 9 Data OWASP Top 10 2017
- 10. © 2019 Synopsys, Inc. 10 Data call • Needed data for 2016 • Needed qualitative survey data for two replacements for A7 and A10 • Brian Glas designed the new survey • 500+ responses • Obtained a great deal more data, including from the CAC, HPE (Fortify), Veracode, Checkmarx, and Bugcrowd • Over 114,000 apps form data set • Still analyzing all this data Source: I Can Has Cheezeburger
- 11. © 2019 Synopsys, Inc. 11 Dimensions of data qualityIntrinsic Accuracy Lineage Semantic Structure Integrity Contextual Completeness Consistency Currency Timeliness Reasonableness Identifiability
- 12. © 2019 Synopsys, Inc. 12
- 13. © 2019 Synopsys, Inc. 13
- 14. © 2019 Synopsys, Inc. 14 Ordering • We ordered in risk (impact x likelihood), which means CVSS x (survey | data) • Represents our best understanding of 2017 issues
- 15. © 2019 Synopsys, Inc. 15 Road to release OWASP Top 10 RC2 OWASP Top 10 GM OWASP Top 10 Final
- 16. © 2019 Synopsys, Inc. 16 GitHub • Everything is in GitHub • Open: Moved to GitHub • Open: Data and analysis • Traceable: Issues • Translatable: Markdown
- 17. © 2019 Synopsys, Inc. 17 Translations Please contribute to translations - Fork - Translate - Submit a pull request - Maintain your translation • English • French • Hebrew • Japanese • Korean • Spanish 私わ猫です。
- 18. © 2019 Synopsys, Inc. 18 Final release • Hundreds of issues closed in three months • Markdown à PowerPoint • Released Thanksgiving 2017 • Kicked off translations • Well received OWASP Top 10 - 2017 The Ten Most Critical Web Application Security Risks This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International Licensehttps://owasp.org
- 19. © 2019 Synopsys, Inc. 19 Time to upskill and continuously improve • OWASP Top 10 2017 is different – Update skills – Update test plans – Update tools – Update scan policies In particular, A3, A8, and A10 are very different. No tool can adequately capture all 10 risks. Source: I Can Has Cheezeburger
- 20. © 2019 Synopsys, Inc. 20 Onward to the OWASP Top 10 2020
- 21. © 2019 Synopsys, Inc. 21 What did we learn? • Awareness first • OWASP Top 10 41 • Data call • Data quality • (Business) risk vs. (technical risk) vs. breach likelihood vs. … • Time for a new look • Don’t release on Thanksgiving
- 22. © 2019 Synopsys, Inc. 22 Focus on awareness • OWASP Top 10 is an awareness document – Proactive Controls is better for entry-level AppSec programs – Application Security Verification Standard is a standard and should be used – Testing Guide – Code Review Guide – Training applications – Other standards (PCI DSS, NIST 800-63, NIST 800-53, etc.) • Tighter integration with all OWASP materials, calls to action
- 23. © 2019 Synopsys, Inc. 23 OWASP Top 10 … or OWASP Top 41? • This is to be decided – SSRF only appears in AR section – CWE limitations • More specificity—agreed • No categories—mostly agreed Source: I Can Has Cheezeburger
- 24. © 2019 Synopsys, Inc. 24 Data call planning –Anonymous and aggregate public data? –Detailed private data for academics? –Full disclosure? –More sources –Boutiques –Vulnerability management –Bug bounties –Cloud vendors –Automated tool vendors with services This Photo by Unknown Author is licensed under CC BY-SA
- 25. © 2019 Synopsys, Inc. 25 Dimensions of data qualityIntrinsic Accuracy Lineage Semantic Structure Integrity Contextual Completeness Consistency Currency Timeliness Reasonableness Identifiability
- 26. © 2019 Synopsys, Inc. 26 Data quality • Segmentation – Allows folks to work out their Top 10 – Boutiques (manual results are better than automated results) – Automated vendors (low-hanging fruit, volume) – Bug bounties (demonstrated payout) and vulnerability programs • Better data science – Ask better questions of the data • Share with anyone, including other OWASP projects – Application Security Verification Standard – Proactive Controls – Juice Shop and other training tools This Photo by Unknown Author is licensed under CC BY
- 27. © 2019 Synopsys, Inc. 27 Risk-rated order, or just existence • Ordering history (2004, 2007, 2010– 2017) • Order of the Top 10 is irrelevant • It’s the absolute, bare, rock-bottom minimum you can and should do • Do we provide an order at all? • Where do we go from here?
- 28. © 2019 Synopsys, Inc. 28 Time for a new look
- 29. © 2019 Synopsys, Inc. 29 Release date • Will not be Thanksgiving • Will engage with media earlier • Aiming between August and October –Likely to coincide with OWASP AppSec Global <USA>
- 30. © 2019 Synopsys, Inc. 30 Get ready for 2020 We have started getting ready! - Help us with data! - Watch us build out on GitHub! - Provide issues and advice! This Photo by Unknown Author is licensed under CC BY-SA-NC
- 31. © 2019 Synopsys, Inc. 31 Thank you! Andrew van der Stock @vanderaj OWASP related vanderaj@owasp.org Work related vander@synopsys.com