Martin Knobloch
– 10 years developer experience
– 10 years information security experience
– +3 years independent Security Consultant
– Dutch OWASP Chapter Leader
– OWASP AppSec-Eu/Research 2015 Chair
– martin.knobloch@owasp.org
– www.owasp.org
Enter the rest of OWASP

People
• Free Chapter Meetings
• Free Local Events
• Conferences
• ...

Tools
• WebGoat
• Zed Attack Proxy (ZAP)
• ESAPI
• ...

Guides
• Requirements list
• CLASP
• SAMM
• ...
Your security “perimeter” has huge holes at the application layer

Network layer (what the perimeter controls cover): Firewall, Hardened OS, Web Server, App Server, Firewall

Application layer (what the attack actually targets): Custom Developed Application Code, sitting in front of Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing

APPLICATION ATTACK: in the diagram the arrow passes straight through both firewalls and the hardened stack into the custom application code.

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
An attacker has 24x7x365 to attack

Attacker schedule: continuous, all year.
Defender schedule: a scheduled pen-test, then the next scheduled pen-test.

The defender has 20 man-days per year to detect and defend.
Tools – At Best 45%
• MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (695)
• They found very little overlap between tools, so to get to 45% you need them all (assuming their claims are true)
Insecure? Functional Specification
Insecure? Technical Implementation

An application is secure if it acts and reacts as expected, at any time!

Example: a login form with Username, Password and a “password forgotten” link
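The two slides above (network-layer controls cannot stop application-layer attacks; an insecure functional specification versus an insecure technical implementation, illustrated with a login form) as one added Python example. This is not code from the presentation or from OWASP: the user table, the password hashing, the request shape and the two weaknesses shown (an SQL injection in the login query, and account enumeration through the reply of the password-forgotten function) are constructed for illustration.

```python
"""Added example, not from the slides: a small login service that shows
(1) an application-layer attack riding inside a well-formed HTTPS form post,
so a firewall, TLS or IDS has nothing to reject, and (2) the difference
between an insecure technical implementation and an insecure functional
specification. Users, hashing details and sample requests are constructed."""
import hashlib
import hmac
import sqlite3
from urllib.parse import parse_qs, urlencode


def _hash(username: str, password: str) -> bytes:
    # Salt derived from the username keeps the example deterministic;
    # a real system stores a random per-user salt next to the hash.
    salt = hashlib.sha256(username.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store with two accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pw_hash BLOB)")
    for user, pw in (("alice", "correct horse"), ("bob", "battery staple")):
        db.execute("INSERT INTO users VALUES (?, ?)", (user, _hash(user, pw)))
    return db


def firewall_allows(request: dict) -> bool:
    """Everything a network-layer control can judge: port, method, path and
    whether the body is a syntactically valid form post. An injection
    payload passes all of these."""
    if request["port"] != 443 or request["method"] != "POST":
        return False
    try:
        parse_qs(request["body"], strict_parsing=True)
    except ValueError:
        return False
    return request["path"] in ("/login", "/forgot")


def login_vulnerable(db, username: str, password: str):
    """Technical-implementation flaw: user input is spliced into the SQL,
    so a quote plus '--' comments the password clause away."""
    h = _hash(username, password).hex()
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = X'{h}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, username: str, password: str):
    """Same feature, parameterised query and constant-time hash comparison."""
    row = db.execute("SELECT username, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row and hmac.compare_digest(row[1], _hash(username, password)):
        return row[0]
    return None


def forgot_as_specified(db, username: str) -> str:
    """Functional-specification flaw: the spec says 'tell the user when the
    account does not exist'. Implemented exactly as written, and still
    insecure, because the reply reveals which usernames are valid."""
    exists = db.execute("SELECT 1 FROM users WHERE username = ?",
                        (username,)).fetchone()
    return "Reset mail sent" if exists else "Unknown account"


def forgot_fixed_spec(db, username: str) -> str:
    """Corrected specification: identical reply either way; the mail
    (not shown here) is only sent when the account exists."""
    db.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    return "If the account exists, a reset mail has been sent"


def enumerate_accounts(db, candidates, handler) -> set:
    """Attacker's view: every username whose reply differs from a known-bad one."""
    baseline = handler(db, "definitely-not-a-user")
    return {u for u in candidates if handler(db, u) != baseline}


def demo() -> dict:
    db = make_db()
    # Constructed attack request: a perfectly ordinary HTTPS form post.
    attack = {"port": 443, "method": "POST", "path": "/login",
              "body": urlencode({"username": "' OR 1=1 --", "password": "x"})}
    form = {k: v[0] for k, v in parse_qs(attack["body"]).items()}
    names = ["alice", "bob", "carol"]
    return {
        "firewall_allows": firewall_allows(attack),
        "vulnerable_login": login_vulnerable(db, form["username"], form["password"]),
        "hardened_login": login_hardened(db, form["username"], form["password"]),
        "legit_login": login_hardened(db, "alice", "correct horse"),
        "enumerated_as_specified": enumerate_accounts(db, names, forgot_as_specified),
        "enumerated_fixed_spec": enumerate_accounts(db, names, forgot_fixed_spec),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The firewall check passes the injected request because there is nothing wrong with it at the level a firewall sees; only the parameterised query in `login_hardened` stops it. The password-forgotten pair makes the other point: `forgot_as_specified` has no implementation bug at all, the specification itself is what leaks, so the fix has to happen before code is written.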
Threat Modeling – The Basics

Asset: valuable resource
Vulnerability: exploitable weakness
Threat: causes harm
Risk: chance of harm occurring
Countermeasure: reduces risk
Why start again?

Your application: Asset, Threat, Countermeasure, risk is low.
Your dependency: Dependency’s Threat, Dependency’s Countermeasure, already modelled once; reuse it instead of starting again.
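The definitions above and the “why start again?” slide as one added Python example. This is not code from the presentation or from OWASP; the 1-to-5 likelihood and impact scales, the risk-acceptance threshold and the sample threats and countermeasures are constructed for illustration.

```python
"""Added example, not from the slides: a minimal threat-model data structure
that applies the definitions (asset, threat, risk, countermeasure) and shows
how a dependency's existing model is reused: its countermeasures are credited,
and only the threats it leaves open are carried into the application's model.
Scales, threshold and sample entries are constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    asset: str        # the valuable resource the threat would harm
    likelihood: int   # chance of the harm occurring, 1 (rare) .. 5 (expected)
    impact: int       # harm if it occurs, 1 (minor) .. 5 (severe)


@dataclass
class Countermeasure:
    name: str
    threat: str            # name of the threat it reduces
    likelihood_after: int  # likelihood once the countermeasure is in place


@dataclass
class ThreatModel:
    component: str
    threats: list = field(default_factory=list)
    countermeasures: list = field(default_factory=list)

    def residual_risk(self) -> dict:
        """Risk = likelihood x impact, with the best countermeasure applied."""
        out = {}
        for t in self.threats:
            mitigated = [c.likelihood_after for c in self.countermeasures
                         if c.threat == t.name]
            out[t.name] = min([t.likelihood] + mitigated) * t.impact
        return out

    def open_threats(self, threshold: int) -> list:
        """Threats whose residual risk is still above the accepted level."""
        return [n for n, r in self.residual_risk().items() if r > threshold]


def compose(app: ThreatModel, dep: ThreatModel, threshold: int = 5) -> ThreatModel:
    """Reuse the dependency's model instead of modelling it again: what the
    dependency already mitigates stays low-risk and is not re-listed; what it
    leaves open becomes a threat the application itself has to handle."""
    merged = ThreatModel(app.component, list(app.threats), list(app.countermeasures))
    still_open = set(dep.open_threats(threshold))
    for t in dep.threats:
        if t.name in still_open:
            merged.threats.append(
                Threat(f"{dep.component}: {t.name}", t.asset, t.likelihood, t.impact))
    return merged


def example():
    # Constructed dependency model: a session library that rotates the
    # session id on login but says nothing about id predictability.
    dep = ThreatModel(
        "session-lib",
        threats=[Threat("session fixation", "user session", 4, 4),
                 Threat("predictable session id", "user session", 3, 5)],
        countermeasures=[Countermeasure("rotate id on login", "session fixation", 1)])
    # Constructed application model built on top of it.
    app = ThreatModel(
        "webshop",
        threats=[Threat("SQL injection in login", "customer database", 4, 5)],
        countermeasures=[Countermeasure("parameterised queries",
                                        "SQL injection in login", 1)])
    return dep, compose(app, dep)


if __name__ == "__main__":
    dependency, merged_model = example()
    print("dependency leaves open:", dependency.open_threats(5))
    print("application residual risk:", merged_model.residual_risk())
```

The point of `compose` is the one the slide makes: the dependency's session-fixation threat is not copied into the application's model because the dependency already brings a countermeasure for it, while the predictable-session-id threat, which the dependency never mitigated, does get carried over and shows up as the highest residual risk in the application.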
That’s it…
..thank you!

OWASP - Security Awareness Presentation for Bitcoin Wednesday Amsterdam
