OWASP Knoxville
Application Security Then and Now
Make a Difference Now
2015 June 11
Phil Agcaoili
A Career Path… printf("hello, world\n");
Why OWASP is VERY Important!
source: Checkmarx
OWASP Top 10 – Then and Now
Not Substantially Different
OWASP Top 10 – 2001-2004 Edition                    OWASP Top 10 – 2013 Edition
A1  Unvalidated Input                               A1  Injection
A2  Broken Access Control                           A2  Broken Authentication and Session Management
A3  Broken Authentication and Session Management    A3  Cross-Site Scripting (XSS)
A4  Cross Site Scripting                            A4  Insecure Direct Object References
A5  Buffer Overflow                                 A5  Security Misconfiguration
A6  Injection Flaws                                 A6  Sensitive Data Exposure
A7  Improper Error Handling                         A7  Missing Function Level Access Control
A8  Insecure Storage                                A8  Cross-Site Request Forgery (CSRF)
A9  Application Denial of Service                   A9  Using Components with Known Vulnerabilities
A10 Insecure Configuration Management               A10 Unvalidated Redirects and Forwards
*Challenging for automation tools
The Intent of OWASP
• The Top 10 is about managing risk
  – Not just avoiding vulnerabilities
• Take a big picture approach to application security.
  – OWASP Top 10 doesn't mean it's the most important problem facing your organization
Keep it simple…
It’s not as difficult as you think it is.
START SMALL
BUILD THE MOMENTUM OF SUCCESS
HOPE FOR SERENDIPITY
The occurrence and development of events by chance in a happy or beneficial way
ACHIEVE BUY-IN FROM MANAGEMENT AND EMPLOYEES
Provide opportunities for teams and clear advantages for the company.
TAKE APPLICATION SECURITY ONE STEP AT A TIME
Allow the organization to grow into the process rather than dropping it on the teams all at once
EDUCATE YOUR DEVELOPERS AND GET THEM WRITING SECURE CODE
RECRUIT THE SMART PEOPLE IN THE DEV TEAMS TO ACT AS CHAMPIONS
Senior developers with a need to learn something new or Junior developers with the motivation to move ahead within the organization.
GET THE RIGHT PARTNERS TO HELP YOU
NETWORK SECURITY CANNOT PREVENT APPLICATION BREACHES ON ITS OWN
STATIC ANALYSIS SHOULD BE PERFORMED AT EARLIER DEVELOPMENT STAGES
Web Application Firewalls (WAF) and/or RASP should be used as temporary band-aids for non-remediated vulnerabilities
CAUTION WITH AUTOMATION
Tools make educated guesses that require validation by trained humans.
Peer code reviews with trained peers are still the best option.
Phil Agcaoili
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Board of Advisors, PCI Security Standards Council (SSC)
Contributor, NIST Cybersecurity Framework version 1
Co-Founder & Board Member, Southern CISO Security Council
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF) – AICPA SOC
@hacksec
https://www.linkedin.com/in/philA