Martin Knobloch
– 10 years developer experience
– 10 years information security experience
– +3 years independent Security Consultant
– Dutch OWASP Chapter Leader
– OWASP AppSec-Eu/Research 2015 Chair
– martin.knobloch@owasp.org
– www.owasp.org
Enter the rest of OWASP

People
• Free Chapter Meetings
• Free Local Events
• Conferences
• ...

Tools
• WebGoat
• Zed Attack Proxy (ZAP)
• ESAPI
• ...

Guides
• Requirements list
• CLASP
• SAMM
• ...
Your security “perimeter” has huge holes at the application layer

[Diagram labels: Network Layer (Firewall, Hardened OS, Web Server, App Server, Firewall) – Application Layer (Custom Developed Application Code; Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing) – Application Attack]

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
An Attacker has 24x7x365 to Attack

[Diagram labels: Attacker Schedule – Scheduled Pen-Test – Scheduled Pen-Test]

The Defender has 20 man days per year to detect and defend.
Tools – At Best 45%
• MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (695).
• They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).
Content

[Diagram labels: Functional Specification – Insecure? – Technical Implementation – Insecure? – Secure]

An application is secure if it acts and reacts as expected, at any time!
[Diagram: login form with Username, Password and a “password forgotten” link]
Threat Modeling – The Basics

Asset: valuable resource
Vulnerability: exploitable weakness
Threat: causes harm
Risk: chance of harm occurring
Countermeasure: reduces risk
Why start again?

[Diagram labels: Asset – Threat – Countermeasure – Risk is low – Dependency – Dependency’s Threat – Dependency’s Countermeasure]
That’s it

..thank you!

OWASP - Security Awareness Presentation for Bitcoin Wednesday Amsterdam