4. Enter the rest of OWASP

People
• Free Chapter Meetings
• Free Local Events
• Conferences
• ...

Tools
• WebGoat
• Zed Attack Proxy (ZAP)
• ESAPI
• ...

Guides
• Requirements list
• CLASP
• SAMM
• ...
5. Your security "perimeter" has huge holes at the application layer

[Diagram: two layers side by side. Network Layer: Firewall, Hardened OS, Web Server, App Server, Firewall. Application Layer: Custom Developed Application Code together with the back-end systems it reaches (Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing). An arrow labelled "APPLICATION ATTACK" passes through the network layer into the application layer.]

You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
6. An Attacker has 24x7x365 to Attack

[Diagram: a timeline labelled "Attacker Schedule", with two short windows marked "Scheduled Pen-Test" on it]

The Defender has 20 man days per year to detect and defend
7. Tools: At Best 45%
• MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (695)
• They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)