OWASP Top Ten 2017
Michael Furman
Security Architect
What will we cover today?
• What is OWASP?
• OWASP Top Ten Project
• OWASP Top Ten from 2013 to 2017
• Top Ten overview
About Me
• 20+ years in software engineering
• 10+ years in application security
• 4+ years Lead Security Architect at Tufin
• www.linkedin.com/in/furmanmichael/
• ultimatesecpro@gmail.com
• Read my blog https://ultimatesecurity.pro/
• Follow me on twitter @ultimatesecpro
• I like to travel, read books and listen to music.
About Tufin
• Market Leader in Security Policy Orchestration for firewalls and cloud
– New Tufin products integrate security into DevOps pipeline
• Established in 2005
• Used in over 2,000 enterprises, including 40 Fortune 100 companies
• We are constantly growing!
www.tufin.com/careers/
What is OWASP?
• OWASP - Open Web Application Security Project
• Worldwide not-for-profit organization
• Founded in 2001
• Mission is to make software security visible, so that people and organizations can make informed decisions
OWASP Projects
• OWASP Top Ten
https://www.owasp.org/index.php/Top_10-2017_Top_10
• OpenSAMM - Software Assurance Maturity Model
http://www.opensamm.org/
OWASP Top Ten
• Most successful OWASP Project
• Ten most critical web application security flaws
• First released in 2003 and updated in 2004
• Revised roughly every three to four years
• 2007, 2010, 2013, 2017 (current at the time of this talk)
Adopters of OWASP Top Ten
• Microsoft
• Part of the PCI DSS
• Vulnerability scanners
• …
OWASP Top Ten 2017
• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities
• A5 Broken Access Control
• A6 Security Misconfiguration
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring
OWASP Top Ten 2013
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
2013 to 2017 - New issues
• A4 XML External Entities
• A8 Insecure Deserialization
• A10 Insufficient Logging & Monitoring
2013 to 2017 - Retired or Merged Issues
• A4 - Insecure Direct Object References and A7 -
Missing Function Level Access Control merged into
A5 - Broken Access Control
• A8 Cross-Site Request Forgery (CSRF) – dropped
• A10 Unvalidated Redirects and Forwards – dropped
2013 to 2017
• A1 Injection - not changed
• A2 Broken Authentication and Session Management renamed to
A2 Broken Authentication
• A3 Cross-Site Scripting (XSS) moved to A7 Cross-Site Scripting (XSS)
• A4 - Insecure Direct Object References and A7 merged into A5 - Broken
Access Control
• A5 Security Misconfiguration moved to A6 Security Misconfiguration
• A6 Sensitive Data Exposure moved to A3 Sensitive Data Exposure
• A7 - Missing Function Level Access Control and A4 merged into A5 -
Broken Access Control
• A8 Cross-Site Request Forgery (CSRF) – dropped
• A9 Using Components with Known Vulnerabilities - not changed
• A10 Unvalidated Redirects and Forwards – dropped
Why did it change?
• Over the last few years, the fundamental technology and architecture of applications has changed significantly:
• Microservices: many small services behind APIs instead of one monolith
• Single page applications: most of the logic runs as JavaScript in the browser and talks to APIs
• The 2017 edition was also built from contributed vulnerability data plus a community survey: XXE came in from the data, Insecure Deserialization and Insufficient Logging & Monitoring from the survey
What can I do?
A1 Injection
• Untrusted input (a request parameter, header, cookie, file content) is concatenated into a command or query, and the interpreter executes it as code instead of treating it as data
• SQL injection
• OS Command Injection
• HQL injection (ORM query languages are not immune)
• Also LDAP, XPath, NoSQL and expression-language injection
A1 Injection
• Example (deliberately vulnerable: the value of the id parameter becomes part of the SQL text, so an id of ' OR '1'='1 returns every account):
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
A1 - How to Prevent it
• Never build executable statements by concatenating user input into them
• Prepared Statements / Parameterized Queries: the statement is compiled first and the values are bound afterwards, so a value can never change the statement's structure
• ORMs such as Hibernate help only when used with parameterized HQL or Criteria queries; HQL built by string concatenation is just as injectable
• Allow-list validation of input is an additional layer, not the primary control
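The defect in the Java line above and its fix, as an added example that is not part of the original slides. It uses Python's stdlib sqlite3 on a constructed three-row accounts table (the rows are an assumption for the demo); the classic ' OR '1'='1 input is the same one the OWASP Top Ten document uses to illustrate A1:

```python
import sqlite3

# Constructed sample data for the demo (not from the original page).
ACCOUNTS = [(1, "alice", 100.0), (2, "bob", 250.0), (3, "carol", 75.0)]


def make_db() -> sqlite3.Connection:
    """Build an in-memory accounts table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID INTEGER, name TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Same shape as the slide's Java line: the request parameter is pasted
    into the SQL text, so quotes in the input become part of the grammar."""
    query = "SELECT custID, name FROM accounts WHERE custID='" + user_id + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterised query: the value travels separately from the statement
    and is never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT custID, name FROM accounts WHERE custID=?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"                    # turns the WHERE clause into a tautology
    print(lookup_vulnerable(conn, "1"))        # one row, as intended
    print(lookup_vulnerable(conn, payload))    # every row in the table
    print(lookup_safe(conn, payload))          # no rows: the input is just a literal
```

The vulnerable query becomes `WHERE custID='' OR '1'='1'` and returns all three rows; the parameterised one compares the whole string against custID and returns nothing. The same split between statement and values is what PreparedStatement gives you in Java.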
A2 Broken Authentication
• Session IDs aren't rotated after successful login (session fixation: an attacker who planted the ID before login owns the session afterwards)
• Allow brute force or other automated attacks, such as credential stuffing with lists of leaked passwords
• Use default, weak, or well-known passwords
A2 - How to Prevent it
• Rotate Session IDs after successful login; invalidate them on logout and after an idle timeout
• Implement brute force protection: rate limiting, delays or lockout after repeated failures, and log and alert on them
• Check new passwords against lists of known weak and breached passwords and enforce a sensible minimum length (NIST 800-63B) rather than relying on complexity rules alone; add multi-factor authentication where possible
A3 Sensitive Data Exposure
• Sensitive data is transmitted or stored in clear text
• Old or weak cryptographic algorithms are used
A3 - How to Prevent it
• Classify the data; do not store sensitive data you do not need
• Encrypt all sensitive data both at rest and in transit (TLS for every connection, not only the login page)
• Use up-to-date and strong standard algorithms, protocols, and keys, with proper key management
• Store passwords only as salted hashes from a slow, adaptive function (bcrypt, scrypt, Argon2 or PBKDF2), never as plain MD5/SHA-1 or in clear text
A4 XML External Entities
• Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
A4 - How to Prevent it
• Disable XML external entity and DTD processing in all XML parsers in the application (for Java's DocumentBuilderFactory, set the feature http://apache.org/xml/features/disallow-doctype-decl to true), as per the OWASP Cheat Sheet 'XXE Prevention'
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
• Keep XML processors and libraries patched, and prefer simpler formats such as JSON for new interfaces where XML is not required
• For additional details see my XXE presentation:
https://ultimatesecurity.pro/post/xxe-presentation/
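What "disable DTD processing" looks like in code, as an added example that is not from the original slides or the cheat sheet. It uses Python's stdlib expat parser and simply refuses the document the moment it declares a DOCTYPE, an entity or an external entity reference, which stops the slide's payload before anything is fetched (the benign document is a constructed sample):

```python
import xml.parsers.expat


class DtdForbidden(ValueError):
    """Raised as soon as the document tries to declare a DTD or an entity."""


def parse_without_dtd(xml_bytes: bytes) -> dict:
    """Parse a small XML document with expat while refusing any DOCTYPE,
    entity declaration or external entity reference.
    Returns {tag: text} for the demo; a real service would build its own model."""
    parser = xml.parsers.expat.ParserCreate()

    def forbid(*_args):
        # Any of the three handlers below firing means DTD processing started.
        raise DtdForbidden("DTD and entity processing are disabled")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid

    result: dict = {}
    text_stack: list = []

    def start(name, _attrs):
        text_stack.append("")

    def chars(data):
        text_stack[-1] += data

    def end(name):
        result[name] = text_stack.pop().strip()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return result


def accepts(xml_bytes: bytes) -> bool:
    """True if the document parses, False if it was rejected for using a DTD."""
    try:
        parse_without_dtd(xml_bytes)
        return True
    except DtdForbidden:
        return False


# The slide's XXE payload, plus a constructed harmless document.
XXE_PAYLOAD = (b'<?xml version="1.0" encoding="ISO-8859-1"?>'
               b'<!DOCTYPE foo [<!ELEMENT foo ANY >'
               b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
               b'<foo>&xxe;</foo>')
BENIGN = b"<foo><name>alice</name></foo>"

if __name__ == "__main__":
    print(accepts(XXE_PAYLOAD))        # False: rejected at the DOCTYPE
    print(parse_without_dtd(BENIGN))   # {'name': 'alice', 'foo': ''}
```

Rejecting the DOCTYPE outright also blocks internal-entity tricks such as the "billion laughs" expansion, since those need a DTD as well. Libraries such as defusedxml wrap the same expat handlers; in Java the disallow-doctype-decl feature has the same effect.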
A5 Broken Access Control
• Leads to privilege escalation (elevation of privilege)
• Horizontal: a user reads or edits another user's record by changing an ID in the request (the 2013 Insecure Direct Object References)
• Vertical: a regular user calls an admin function that is only hidden in the UI, not checked on the server (the 2013 Missing Function Level Access Control)
A5 - How to Prevent it
• Enforce access control on the server side, in one place, and deny by default
• Check that the record belongs to the caller, not just that the caller is logged in
• Log access control failures and alert on repeated ones
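Both halves of the merged category in one place, as an added example that is not from the original slides: a horizontal ownership check on a record looked up by ID, and a vertical role check on an admin-only function, each enforced on the server and denied by default. The users, roles and invoice records are constructed for the demo:

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Access denied. The caller gets the same answer whether the record is
    missing or belongs to someone else, so IDs cannot be enumerated."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed sample data: invoice id -> record (owner is a User.id).
INVOICES = {
    101: {"owner": 1, "amount": 42.0},
    102: {"owner": 2, "amount": 1300.0},
}


def get_invoice_vulnerable(_current: User, invoice_id: int) -> dict:
    """Insecure direct object reference: the ID from the request is used
    as-is, so any logged-in user can read any invoice by changing it."""
    return INVOICES[invoice_id]


def get_invoice(current: User, invoice_id: int) -> dict:
    """Horizontal check: the record must belong to the caller (admins may
    read all). Missing and foreign IDs look identical to the caller."""
    record = INVOICES.get(invoice_id)
    if record is None or (record["owner"] != current.id and current.role != "admin"):
        raise Forbidden(f"invoice {invoice_id}")
    return record


def delete_user(current: User, target_id: int) -> str:
    """Vertical check for an admin-only function, enforced on the server
    rather than by hiding the button in the UI. Deny by default."""
    if current.role != "admin":
        raise Forbidden("delete_user")
    return f"user {target_id} deleted"


def allowed(func, *args) -> bool:
    """Demo helper: True if the call succeeds, False if it is denied."""
    try:
        func(*args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, root = User(1, "user"), User(9, "admin")
    print(get_invoice_vulnerable(alice, 102))   # Bob's invoice leaks
    print(allowed(get_invoice, alice, 102))     # False
    print(allowed(delete_user, alice, 2))       # False
    print(allowed(delete_user, root, 2))        # True
```

In a web framework the two checks would live in a decorator or middleware applied to every handler, so that forgetting to call them is the exception that stands out in review rather than the default.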
A6 Security Misconfiguration
• Unnecessary features are enabled or installed
• Unnecessary ports
• Services
• Default accounts
• Default passwords
A6 - How to Prevent it
• Close unnecessary ports
• Disable unnecessary services
• Remove default accounts
• Change default passwords
A7 Cross-Site Scripting (XSS)
• Attackers can execute scripts in a victim's browser: untrusted data is placed into a page without proper encoding (reflected, stored or DOM-based)
A7 - How to Prevent it
• Encode output for the context it is inserted into (HTML body, attribute, JavaScript, URL); this is the primary control
• Input validation for all user input with allow-list patterns, e.g. a pattern for IPv4 or IPv6, as an additional layer
• Use a framework that escapes by default, and add a Content Security Policy as defence in depth
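The two controls from the slide side by side, as an added example that is not from the original deck: an allow-list check for an IP-address field (using the stdlib ipaddress parser instead of a hand-written regex) and for a short handle, and HTML-context output encoding with html.escape next to the unencoded sink. The field names and probe strings are constructed for the demo:

```python
import html
import ipaddress
import re

# Allow-list for a free-text field that should only ever be a short handle.
HANDLE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_ip_address(value: str) -> bool:
    """Allow-list check for an IPv4/IPv6 field: only what the stdlib parser
    accepts gets through, so markup cannot ride along in the value."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_handle(value: str) -> bool:
    """Allow-list check for a user handle."""
    return HANDLE_RE.fullmatch(value) is not None


def render_greeting_vulnerable(name: str) -> str:
    """Reflects the parameter into the page untouched: a reflected XSS sink."""
    return "<p>Hello " + name + "</p>"


def render_greeting(name: str) -> str:
    """Encodes for the HTML text context, so markup in the input is shown,
    not executed. html.escape covers HTML text and attribute values only;
    JavaScript, CSS and URL contexts need their own encoders."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


def render_field(value: str) -> str:
    """Attribute context: quote=True also encodes the quote characters that
    would otherwise let the input break out of the value="..." attribute."""
    return '<input name="host" value="' + html.escape(value, quote=True) + '">'


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(probe))   # script tag lands in the page
    print(render_greeting(probe))              # &lt;script&gt;... is displayed as text
    print(is_ip_address("192.0.2.10<img src=x onerror=alert(1)>"))   # False
```

Validation rejects the obviously wrong input early, but encoding is what keeps the page safe for values that are legitimately allowed to contain angle brackets or quotes, such as a display name.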
A8 Insecure Deserialization
• Serialization is the process of translating data structures or object state into a format that can be stored or transmitted and reconstructed later (deserialization)
• Insecure Deserialization: the application deserializes data an attacker controls, so the attacker can tamper with the object (e.g. change a role field, as in the example below) or, worse, craft an object whose deserialization itself runs code (remote code execution)
A8 Insecure Deserialization
• Example:
• A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state information:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
• An attacker changes the serialized object to gain admin privileges:
a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
A8 Insecure Deserialization
• Mark Reinhold, Oracle
Chief Architect of Java platform group
– Removing serialization is a long-term goal and is part of
project Amber
– Serialization was a “horrible mistake” made in 1997
– At least a third—maybe even half—of Java vulnerabilities
have involved serialization
A8 - How to Prevent it
• Don't accept serialized objects from untrusted sources; use data-only formats such as JSON for anything that crosses a trust boundary
• If native serialization is unavoidable: sign the serialized data and verify the signature before deserializing, enforce strict type constraints during deserialization, and deserialize in a low-privilege, isolated environment
• Log deserialization failures and alert on them
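The forum cookie from the slide replayed in Python, as an added example that is not from the original deck: the same "super cookie" built with pickle (Python's native object serialization) accepts whatever state the client writes, while a data-only JSON body with an HMAC tag rejects the swapped role. The key and the cookie layout are constructed for the demo; the two states are the slide's Mallory/Alice records:

```python
import base64
import hashlib
import hmac
import json
import pickle

# Constructed demo key; in production it comes from a secret store.
SERVER_KEY = b"demo-key-do-not-use-in-production"

# The two states from the PHP example on the slide.
MALLORY = {"uid": 132, "name": "Mallory", "role": "user",
           "pwhash": "b6a8b3bea87fe0e05022f8f3c88bc960"}
FORGED = {"uid": 1, "name": "Alice", "role": "admin",
          "pwhash": "b6a8b3bea87fe0e05022f8f3c88bc960"}


# --- the insecure design: a native-serialization "super cookie" ------------
def make_cookie_pickle(state: dict) -> bytes:
    return base64.b64encode(pickle.dumps(state))


def read_cookie_pickle(cookie: bytes) -> dict:
    # Nothing ties these bytes to the server, so the client can write any
    # state it likes; pickle.loads will also run code embedded in a hostile
    # pickle, which is why it must never see untrusted input at all.
    return pickle.loads(base64.b64decode(cookie))


# --- the fix: data-only format plus an integrity check ----------------------
ALLOWED_KEYS = {"uid", "name", "role"}
ALLOWED_ROLES = {"user", "admin"}


def session_state(full: dict) -> dict:
    """Only what the server needs; a password hash has no place in a cookie."""
    return {k: full[k] for k in ("uid", "name", "role")}


def _tag(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()


def make_cookie_signed(state: dict) -> bytes:
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body) + b"." + base64.urlsafe_b64encode(_tag(body))


def read_cookie_signed(cookie: bytes) -> dict:
    body_b64, tag_b64 = cookie.rsplit(b".", 1)
    body = base64.urlsafe_b64decode(body_b64)
    if not hmac.compare_digest(_tag(body), base64.urlsafe_b64decode(tag_b64)):
        raise ValueError("cookie signature mismatch")
    state = json.loads(body)
    # Still validate the shape: a valid tag proves origin, not sanity.
    if set(state) != ALLOWED_KEYS or state["role"] not in ALLOWED_ROLES:
        raise ValueError("unexpected cookie contents")
    return state


def tamper(cookie: bytes, new_state: dict) -> bytes:
    """What an attacker without the key can do: swap the body, keep the tag."""
    _, tag_b64 = cookie.rsplit(b".", 1)
    body = json.dumps(new_state, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body) + b"." + tag_b64


def verifies(cookie: bytes) -> bool:
    try:
        read_cookie_signed(cookie)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(read_cookie_pickle(make_cookie_pickle(FORGED))["role"])   # admin: server believes the client
    good = make_cookie_signed(session_state(MALLORY))
    print(verifies(good), verifies(tamper(good, session_state(FORGED))))   # True False
```

The HMAC turns the cookie into something only the server can mint, which is the "sign and verify before deserializing" advice above; keeping the payload as JSON means that even a forged-but-accepted cookie can only change data, never run code.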
A9 Using Components with
Known Vulnerabilities
• Software is vulnerable, unsupported, or out of date.
• Is any of your software out of date?
• OS
• Web/App Server
• Database
A9 - How to Prevent it
• Keep an inventory of every component and its version, including transitive dependencies, subscribe to the security advisories for them, and update promptly
• Remove components and features you do not use
A10 Insufficient Logging & Monitoring
• Auditable events are not logged, or the logs are not monitored and nobody is alerted:
• Logins
• Failed logins
• High-value transactions
A10 - How to Prevent it
• Log important events with sufficient user context
– Username
– Client IP
– Time
– Outcome (success or failure) and the reason
• Send logs to a central system, monitor them, and alert on suspicious patterns (e.g. many failed logins)
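A login handler that puts the A2 and A10 advice together, as an added example that is not from the original slides: it rotates the session ID on success (so a session-fixation ID planted before login dies), locks the account after repeated failures, stores passwords as salted PBKDF2 hashes rather than a bare MD5, and writes an audit record with username, client IP, time and outcome for every attempt. The user, password, IP addresses, thresholds and the `now` parameter (injected so the lockout is testable without waiting) are all assumptions for the demo:

```python
import hashlib
import hmac
import logging
import secrets
import time

log = logging.getLogger("auth")

MAX_FAILURES = 5           # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60  # how long it stays locked
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash (PBKDF2-HMAC-SHA256) instead of a fast unsalted digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def new_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "failures": 0, "locked_until": 0.0}


class AuthService:
    def __init__(self, users: dict):
        self.users = users      # username -> record from new_user()
        self.sessions = {}      # session id -> username (None before login)
        self.audit = []         # structured audit trail (what A10 asks for)

    def _log(self, event, username, client_ip, now, **extra):
        entry = {"time": now, "event": event, "user": username, "ip": client_ip, **extra}
        self.audit.append(entry)
        log.info("%s", entry)

    def anonymous_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, username, password, presented_sid, client_ip, now=None):
        """Returns a fresh session id on success, None otherwise."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            hash_password(password, b"\x00" * 16)  # same cost as a real check
            self._log("login_failed", username, client_ip, now, reason="unknown user")
            return None
        if rec["locked_until"]:
            if now < rec["locked_until"]:
                self._log("login_rejected", username, client_ip, now, reason="locked")
                return None
            rec["locked_until"], rec["failures"] = 0.0, 0   # lock has expired
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                rec["locked_until"] = now + LOCKOUT_SECONDS
                self._log("account_locked", username, client_ip, now, failures=rec["failures"])
            else:
                self._log("login_failed", username, client_ip, now, failures=rec["failures"])
            return None
        rec["failures"] = 0
        # Session rotation: the id the browser had before authenticating may
        # have been planted by an attacker (session fixation), so it is
        # invalidated and a new one is bound to the user.
        self.sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        self._log("login_success", username, client_ip, now)
        return sid


if __name__ == "__main__":
    svc = AuthService({"alice": new_user("correct horse battery staple")})
    sid = svc.login("alice", "correct horse battery staple", svc.anonymous_session(), "198.51.100.7")
    print(sid is not None, svc.audit[-1]["event"])   # True login_success
```

The audit list is the point of the A10 half: each entry carries who, from where, when and what happened, so a monitoring rule such as "five failures from one IP in a minute" has the fields it needs. In production the entries would go to the central log pipeline rather than an in-memory list.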
Takeaways
• You understand what OWASP does
• You understand the OWASP Top Ten
Thank you!
• Contact me
– www.linkedin.com/in/furmanmichael/
– ultimatesecpro@gmail.com
– https://ultimatesecurity.pro/
– @ultimatesecpro

More Related Content

What's hot

Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 

What's hot (20)

Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Sql injection
Sql injectionSql injection
Sql injection
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
System hacking
System hackingSystem hacking
System hacking
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Security testing
Security testingSecurity testing
Security testing
 

Similar to OWASP Top Ten 2017

OWASP Top 10 Web Vulnerabilities from DCC 04/14
OWASP Top 10 Web Vulnerabilities from DCC 04/14OWASP Top 10 Web Vulnerabilities from DCC 04/14
OWASP Top 10 Web Vulnerabilities from DCC 04/14Chris Holwerda
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityOliver Hader
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Gareth Davies
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...Amazon Web Services
 
MySQL Security
MySQL SecurityMySQL Security
MySQL SecurityMario Beck
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcKaty Anton
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationdcervigni
 
Modern Data Security with MySQL
Modern Data Security with MySQLModern Data Security with MySQL
Modern Data Security with MySQLVittorio Cioe
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityTheodore Kim
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Rafał Hryniewski
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 

Similar to OWASP Top Ten 2017 (20)

OWASP Top 10 Web Vulnerabilities from DCC 04/14
OWASP Top 10 Web Vulnerabilities from DCC 04/14OWASP Top 10 Web Vulnerabilities from DCC 04/14
OWASP Top 10 Web Vulnerabilities from DCC 04/14
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application Security
 
Owasp
Owasp Owasp
Owasp
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
 
MySQL Security
MySQL SecurityMySQL Security
MySQL Security
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwc
 
Introduction to OWASP
Introduction to OWASPIntroduction to OWASP
Introduction to OWASP
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitization
 
Modern Data Security with MySQL
Modern Data Security with MySQLModern Data Security with MySQL
Modern Data Security with MySQL
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to Security
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 

More from Michael Furman

How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure productMichael Furman
 
Istio Security Overview
Istio Security OverviewIstio Security Overview
Istio Security OverviewMichael Furman
 
Top 3 tips for security documentation
Top 3 tips for security documentationTop 3 tips for security documentation
Top 3 tips for security documentationMichael Furman
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goMichael Furman
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 

More from Michael Furman (6)

How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure product
 
Istio Security Overview
Istio Security OverviewIstio Security Overview
Istio Security Overview
 
Top 3 tips for security documentation
Top 3 tips for security documentationTop 3 tips for security documentation
Top 3 tips for security documentation
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to go
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 

Recently uploaded (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 

OWASP Top Ten 2017

2. What will we cover today?
• What is OWASP?
• OWASP Top Ten Project
• OWASP Top Ten from 2013 to 2017
• Top Ten overview

3. About Me
• 20+ years in software engineering
• 10+ years in application security
• 4+ years Lead Security Architect at Tufin
• www.linkedin.com/in/furmanmichael/
• ultimatesecpro@gmail.com
• Read my blog https://ultimatesecurity.pro/
• Follow me on twitter @ultimatesecpro
• I like to travel, read books and listen to music.

4. About Tufin
• Market Leader in Security Policy Orchestration for firewalls and cloud
– New Tufin products integrate security into the DevOps pipeline
• Established in 2005
• Used in over 2,000 enterprises, including 40 Fortune 100 companies
• We are constantly growing! www.tufin.com/careers/

5. What is OWASP?
• OWASP - Open Web Application Security Project
• Worldwide not-for-profit organization
• Founded in 2001
• Mission is to make software security visible.

6. OWASP Projects
• OWASP Top Ten https://www.owasp.org/index.php/Top_10-2017_Top_10
• OpenSAMM - Software Assurance Maturity Model http://www.opensamm.org/

7. OWASP Top Ten
• Most successful OWASP Project
• Ten most critical web application security flaws
• First released in 2004
• Released every 3 years
• 2007, 2010, 2013, 2017 (current)

8. Adopters of OWASP Top Ten
• Microsoft
• Part of the PCI DSS
• Vulnerability scanners
• …

9. OWASP Top Ten 2017
• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities
• A5 Broken Access Control
• A6 Security Misconfiguration
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring

10. OWASP Top Ten 2013
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards

11. 2013 to 2017 - New issues
• A4 XML External Entities
• A8 Insecure Deserialization
• A10 Insufficient Logging & Monitoring

12. 2013 to 2017 - Retired or Merged Issues
• A4 - Insecure Direct Object References and A7 - Missing Function Level Access Control merged into A5 - Broken Access Control
• A8 Cross-Site Request Forgery (CSRF) – dropped
• A10 Unvalidated Redirects and Forwards – dropped

13. 2013 to 2017
• A1 Injection - not changed
• A2 Broken Authentication and Session Management renamed to A2 Broken Authentication
• A3 Cross-Site Scripting (XSS) moved to A7 Cross-Site Scripting (XSS)
• A4 - Insecure Direct Object References and A7 merged into A5 - Broken Access Control
• A5 Security Misconfiguration moved to A6 Security Misconfiguration
• A6 Sensitive Data Exposure moved to A3 Sensitive Data Exposure
• A7 - Missing Function Level Access Control and A4 merged into A5 - Broken Access Control
• A8 Cross-Site Request Forgery (CSRF) – dropped
• A9 Using Components with Known Vulnerabilities - not changed
• A10 Unvalidated Redirects and Forwards – dropped

14. Why did it change?
• Over the last few years, the fundamental technology and architecture of applications has changed significantly:
• Microservices
• Single page applications

15. What can I do?

16. A1 Injection
• User input is concatenated with executable code
• SQL injection
• OS Command Injection
• HQL injection
17. A1 Injection
• Example (the "id" request parameter becomes part of the SQL text):
  String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
18. A1 - How to Prevent it
• Do not pass user input directly to executable statements
• Prepared Statements
• Parameterized Queries
• Hibernate

19. A2 Broken Authentication
• Session IDs aren't rotated after successful login
• Allow brute force or other automated attacks
• Use default, weak, or well-known passwords

20. A2 - How to Prevent it
• Rotate Session IDs after successful login
• Implement brute force protection
• Implement password complexity

21. A3 Sensitive Data Exposure
• Sensitive data is transmitted or stored in clear text
• Old or weak cryptographic algorithms are used

22. A3 - How to Prevent it
• Encrypt all sensitive data both at rest and in transit
• Use up-to-date and strong standard algorithms, protocols, and keys
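The query from slide 17 beside its parameterized JDBC and Hibernate forms, as an added example that is not part of the deck; `conn`, `session` and `request` are assumed to be supplied by the caller, and `Account` is assumed to be a mapped Hibernate entity with a `custID` property.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.hibernate.Session;

public class AccountLookup {

    // Vulnerable form from slide 17: the "id" parameter is spliced into the SQL text,
    // so a value containing a quote character changes the structure of the statement.
    static ResultSet findAccountUnsafe(Connection conn, HttpServletRequest request)
            throws SQLException {
        String query = "SELECT * FROM accounts WHERE custID='"
                + request.getParameter("id") + "'";
        Statement stmt = conn.createStatement();
        return stmt.executeQuery(query);
    }

    // Prepared statement: the SQL text is fixed before any user data is seen, and the
    // JDBC driver binds the parameter as a value, so it can never become SQL syntax.
    static ResultSet findAccountSafe(Connection conn, HttpServletRequest request)
            throws SQLException {
        String query = "SELECT * FROM accounts WHERE custID = ?";
        PreparedStatement stmt = conn.prepareStatement(query);
        stmt.setString(1, request.getParameter("id"));
        return stmt.executeQuery();
    }

    // Same rule for HQL (Hibernate 5 API, assumed entity "Account"): bind a named
    // parameter instead of concatenating, which also closes HQL injection (slide 16).
    static List<?> findAccountHql(Session session, HttpServletRequest request) {
        return session.createQuery("from Account where custID = :id")
                .setParameter("id", request.getParameter("id"))
                .list();
    }
}
```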
23. A4 XML External Entities
• Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
  <foo>&xxe;</foo>
24. A4 - How to Prevent it
• Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet 'XXE Prevention'. https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
• For additional details see my XXE presentation: https://ultimatesecurity.pro/post/xxe-presentation/
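How the slide's advice looks for the JDK's DOM parser, as an added example that is not from the deck: the feature URIs are the standard JAXP/Xerces ones, and the document fed to the parser is a constructed copy of the slide 23 payload.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class SafeXmlParser {

    // Constructed copy of the document on slide 23.
    static final String XXE_DOC =
        "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>"
        + "<!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>"
        + "<foo>&xxe;</foo>";

    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Forbid the DOCTYPE declaration outright: with no DTD there is nowhere to
        // declare an entity, so the parser never reaches the SYSTEM identifier.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must allow a DTD for other reasons.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // True when the hardened parser rejects the document at the DOCTYPE,
    // i.e. before any entity could be resolved or any file read.
    static boolean rejectsXxe(String xml) throws Exception {
        try {
            hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.ISO_8859_1)));
            return false;
        } catch (SAXException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejects the XXE document: " + rejectsXxe(XXE_DOC));
    }
}
```

Apply the same features to every parser the application creates (SAX, StAX, XMLInputFactory, JAXB unmarshallers); a single unconfigured factory is enough to keep the issue alive.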
25. A5 Broken Access Control
• AKA Privilege Escalation or Elevation of privilege
• A regular user accesses a resource that requires admin permission

26. A5 - How to Prevent it
• Implement access control mechanisms

27. A6 Security Misconfiguration
• Unnecessary features are enabled or installed
• Unnecessary ports
• Services
• Default accounts
• Default passwords

28. A6 - How to Prevent it
• Close unnecessary ports
• Disable unnecessary services
• Remove default accounts
• Change default passwords

29. A7 Cross-Site Scripting (XSS)
• Attackers can execute scripts in a victim's browser

30. A7 - How to Prevent it
• Input validation for all user input
• White list patterns. E.g. pattern for IPv6 or IPv4.
• Encode output

31. A8 Insecure Deserialization
• Serialization is the process of translating data structures or object state into a format that can be stored or transmitted and reconstructed later (deserialization)
• Insecure Deserialization - an attacker changes the object between serialization and deserialization
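The two halves of slide 30 in code, as an added example that is not from the deck: a whitelist pattern for a field whose legal values are fully known (IPv4), and contextual output encoding for free text that cannot be whitelisted. It assumes the OWASP Java Encoder library (org.owasp.encoder) is on the classpath.

```java
import java.util.regex.Pattern;
import org.owasp.encoder.Encode;

public class CommentRenderer {

    // Whitelist pattern for a dotted-quad IPv4 address: four octets in 0-255 and nothing
    // else. Anything that does not match is rejected rather than "cleaned up".
    private static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\\.){3}"
        + "(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$");

    static boolean isValidIpv4(String input) {
        return input != null && IPV4.matcher(input).matches();
    }

    // Unsafe: the display name is copied into the page as-is, so any markup in it is
    // parsed by the browser. No input whitelist fits a free-text name field.
    static String renderGreetingUnsafe(String displayName) {
        return "<p>Hello, " + displayName + "</p>";
    }

    // Safe: encode at the point of output for the HTML body context. '<', '>', '&' and
    // quotes become entities, so the browser renders the name as text, not markup.
    static String renderGreeting(String displayName) {
        return "<p>Hello, " + Encode.forHtml(displayName) + "</p>";
    }

    // A value placed inside a JavaScript string literal needs the encoder for that
    // context; HTML encoding alone would not be enough there.
    static String renderScriptValue(String value) {
        return "<script>var name = '" + Encode.forJavaScript(value) + "';</script>";
    }

    public static void main(String[] args) {
        System.out.println(isValidIpv4("192.168.1.10"));        // true
        System.out.println(isValidIpv4("192.168.1.999"));       // false
        System.out.println(renderGreeting("<b>Michael</b>"));   // <p>Hello, &lt;b&gt;Michael&lt;/b&gt;</p>
    }
}
```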
32. A8 Insecure Deserialization
• Example:
• A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state information:
  a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
• An attacker changes the serialized object to gain admin privileges:
  a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
33. A8 Insecure Deserialization
• Mark Reinhold, Oracle Chief Architect of Java platform group
– Removing serialization is a long-term goal and is part of project Amber
– Serialization was a "horrible mistake" made in 1997
– At least a third—maybe even half—of Java vulnerabilities have involved serialization

34. A8 - How to Prevent it
• Don't accept serialized objects from untrusted sources

35. A9 Using Components with Known Vulnerabilities
• Software is vulnerable, unsupported, or out of date.
• Is any of your software out of date?
• OS
• Web/App Server
• Database

36. A9 - How to Prevent it
• Update software

37. A10 Insufficient Logging & Monitoring
• Insufficient logging
• Logins
• Failed logins
• High-value transactions

38. A10 - How to Prevent it
• Log important events with sufficient user context
– Username
– Client IP
– Time

39. Take aways
• You understand what OWASP does
• You understand the OWASP Top Ten

40. Thank you!
• Contact me
– www.linkedin.com/in/furmanmichael/
– ultimatesecpro@gmail.com
– https://ultimatesecurity.pro/
– @ultimatesecpro
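For code that cannot avoid Java serialization entirely (slide 34), the usual next line of defence is a deserialization filter, shown here as an added example that is not from the deck; `SessionState` is a hypothetical record standing in for the slide 32 cookie, and the filter API is java.io.ObjectInputFilter (Java 9+). A type allowlist stops unexpected classes from being instantiated but does not detect the field tampering on slide 32; client-held serialized state still needs an integrity check (for example an HMAC) or should simply not be trusted.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredDeserializer {
    // Hypothetical session record: user ID, name and role, as on slide 32.
    static final class SessionState implements Serializable {
        private static final long serialVersionUID = 1L;
        final int userId; final String name; final String role;
        SessionState(int userId, String name, String role) {
            this.userId = userId; this.name = name; this.role = role;
        }
    }

    // Allowlist: only SessionState and core java.lang types may be instantiated, every
    // other class is rejected ("!*"), and depth/reference/size limits cap the object
    // graph so a crafted stream cannot exhaust memory while it is being read.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=5;maxrefs=50;maxbytes=4096;"
        + SessionState.class.getName() + ";java.lang.*;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        return bytes.toByteArray();
    }

    // Returns the object when the filter accepts every class in the stream, or null when
    // it rejects one; rejection happens at the class descriptor, before instantiation.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        } catch (InvalidClassException rejected) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = deserializeFiltered(serialize(new SessionState(132, "Mallory", "user")));
        Object bad = deserializeFiltered(serialize(new java.util.Date()));
        System.out.println("SessionState accepted: " + (ok != null) + ", Date rejected: " + (bad == null));
    }
}
```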

Editor's Notes

  1. Hi everyone, Thank you for joining the last lecture for today. What will we see today? I will start by giving you an overview of OpenID Connect. I will describe the OpenID Connect protocol, and will show you how it compares to other protocols. Then, we will review some of OpenID Connect Implementations. Finally, I will show you one of the best OpenID Connect implementations: Keycloak.
  2. Before we begin, a couple of words about me and the company I work for - Tufin. I have many years of experience in software development. Like most of you here today, I particularly like application security. I started to work in this area more than 10 years ago, and enjoy each day I work on it. For the last few years, I have been responsible for the application security of all Tufin products. Recently I have started to write a blog – you are more than welcome to read it. Something personal: I like traveling, reading books and listening to music. I particularly enjoy listening to jazz.
  3. And now, a couple of words about Tufin. Tufin is a great company. It is already over 13 years old. We have a lot of customers. Our customers are all around the world: in Israel, USA, Europe, Asia. Some are huge companies, others are much smaller. We have customers in many industries. For example: AT&T, BMW and Visa. Recently we have started to develop products that integrate security into the DevOps pipeline. You are more than welcome to visit our booth. Tufin is always growing. When I joined the company about 5 years ago, it took up only one and a half floors. Now it takes up almost 4 floors and that is only in Israel. We have also expanded abroad. We recently opened up a new main office in Boston. We are always looking for good people. We are looking for Java, C++, DevOps people. We are looking for Docker and Kubernetes gurus. You can visit our site to see our open positions in RnD, Sales, Marketing and additional areas.
  4. Microsoft Azure validates services using third party penetration testing based upon the OWASP Top Ten … Tufin customers ask if we use OWASP Top Ten recommendations.
  5. https://www.owasp.org/index.php/Top_10-2017_A1-Injection
  6. https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication - Session IDs are vulnerable to session fixation attacks
  7. https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
  8. https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE) Example attempt to extract data from a server:
  9. My XXE presentation includes examples and the libraries that can be used to prevent XXE.
  10. https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool.
  11. https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration Missing security hardening
  12. Do you use Tomcat? Have you disabled its shutdown port?
  13. https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
  14. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization
  15. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization
  16. https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities Who uses Java? How many times a year do you update Java in production?
  17. https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected.
  18. Thank you for participating in my lecture! Please contact me if you need any additional information, or if you want to send me your resume.