Snakes and Ladders, OWASP Newcastle, 24th November 2015
![Page 1: Snakes and Ladders OWASP Newcastle 24th November 2015](https://reader035.vdocument.in/reader035/viewer/2022062315/5697bf9b1a28abf838c92a93/html5/thumbnails/1.jpg)
Snakes and Ladders
OWASP Newcastle
24th November 2015
Web Risks
2013
17th September 2014
https://www.owasp.org/index.php/OWASP_Top_Ten_Project
Well-Known List
Top Ten Risks to Web Applications (2013)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Proactive Controls
Version 1
10th March 2014
https://www.owasp.org/index.php/OWASP_Proactive_Controls
(version 2 in progress, due end 2015)
A Better List
Top Ten Proactive Controls for Web Applications
C1 Parameterize Queries
C2 Encode Data
C3 Validate All Inputs
C4 Implement Appropriate Access Controls
C5 Establish Identity and Authentication Controls
C6 Protect Data and Privacy
C7 Implement Logging, Error Handling & Intrusion Detection
C8 Leverage Security Features of Frameworks and Libraries
C9 Include Security-Specific Requirements
C10 Design and Architect Security In
Too Much Text!
• Educate
• Move from risks to controls
• Make a game
• Learn Adobe Illustrator
• Christmas “cards”
Designs, Trademarks, Etc
Concept
• 10 snakes
• 10 ladders
• 100 squares
Flat Design
Web Applications: ES
Web Applications: ZH
Web Applications: DE
Mobile Apps: JA
Mobile Apps: EN
Relationships 1/3
• Is the placement of snakes and ladders meaningful? No
• Do nearby ladders fix adjacent snakes? No
Relationships 2/3
Top Ten Risks
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Top Ten Proactive Controls
C1 Parameterize Queries
C2 Encode Data
C3 Validate All Inputs
C4 Implement Appropriate Access Controls
C5 Establish Identity and Authentication Controls
C6 Protect Data and Privacy
C7 Implement Logging, Error Handling and Intrusion Detection
C8 Leverage Security Features of Frameworks and Security Libraries
C9 Include Security-Specific Requirements
C10 Design and Architect Security In
Relationships 3/3
https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Top_Ten_Mapping
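One risk-to-control pairing from that mapping, worked in code as an added example (this is not code from the slides or from the OWASP project): the snake is A1 Injection, the ladder is C1 Parameterize Queries. It uses Python's standard sqlite3 module with an in-memory database; the table, rows, function names and the injection string are all constructed for the demonstration.

```python
"""
Added example: one snake (A1 Injection) and the ladder that fixes it
(C1 Parameterize Queries). Not from the OWASP Snakes and Ladders slides.
Everything below (table, rows, function names, payload) is constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The snake (A1): the caller's string is spliced into the SQL text,
    so whoever controls `name` controls the query structure, not just a value."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The ladder (C1): the query shape is fixed and `name` travels as a
    bound parameter, so a quote character inside it is just data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed injection string: closes the quoted literal and appends a tautology.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run the same payload through both lookups and return the rows each leaks."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),      # every row
        "parameterized": find_user_parameterized(conn, PAYLOAD),  # no rows
        "legit": find_user_parameterized(conn, "bob"),           # just bob
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point the slide's "no, nearby ladders do not fix adjacent snakes" makes applies here too: the fix is not a patch next to the bug (escaping quotes in the vulnerable function) but a different control, keeping query text and data separate at the driver boundary.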
Print Your Own
• Adobe PDF, A2 print quality
• Adobe Illustrator source
• Web Applications: BR, DE, EN, ES, FR, JA, ZH
• Mobile Apps: EN, JA
From Lists to Threat Modelling
• Not just 10 issues
• Build security in from the start, and throughout processes
• In-depth application security requirements
Staying in Touch
Project page: https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders
Twitter: @OWASPSnakesWeb (Web), @OWASPSnakesMob (Mobile)
Full world tour 2014-15: Singapore, Cambridge, London Docklands, London Shoreditch, Bristol, Amsterdam, San Francisco, Newcastle upon Tyne