Discover the OWASP Top 10 web vulnerabilities and how to mitigate the risk associated with each for your website.
Register to watch on-demand webinar here: https://wpengine.com/resources/security-webinar-harden-heart-wordpress-site/
2. #wpewebinar
ASK QUESTIONS AS WE GO
Use the “Questions” pane throughout the webinar
We’ll answer as many questions as we can after the presentation
Slides and recording will be made available shortly after the webinar
3. #wpewebinar
WHAT YOU’LL LEARN:
● What is OWASP?
● What are the OWASP Top Ten?
● How each might affect your website
● How to mitigate risks for each vulnerability
● Q&A
4. #wpewebinar
Justin Dailey
Security Engineer, WP Engine
● Background in HW and digital electronics
● Sports enthusiast
● Loves all things outdoors
Will West
Security Architect, WP Engine
● Made a gatling gun with sonar sensor
● 6’8” Tall
● Does not play basketball
7. #wpewebinar
OWASP Top 10
A1 Injection
A2 Weak authentication and session management
A3 XSS
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross Site Request Forgery
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
8. #wpewebinar
Poll: Are you currently doing anything to secure your website against these Top 10 threats?
10. #wpewebinar
A1
Injection
Description
• Different types: SQL, LDAP, ORM, XML, XPath, Code Injection, Command Injection, Buffer Overflows
• Execution of unintended commands
• Unauthorized data access
Protections
• Enforce input type and length
• Ensure special characters are escaped
• Validate all input fields and use an input validation whitelist
• Avoid dynamic queries or commands
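The four protections above, worked through as an added Python example (not code from the webinar or from WP Engine): the same user lookup written as a dynamic query and as a parameterized query behind a whitelist validator, plus the whitelist approach for identifiers such as sort columns, which database drivers cannot bind as parameters. The SQLite table, the users in it and the `x' OR '1'='1` input are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for a site database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_dynamic(conn, username):
    """Vulnerable form: the query is assembled by string concatenation, so a
    quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


# Whitelist for the username field: enforce character set, type and length.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(value):
    """Reject anything outside the whitelist instead of trying to clean it up."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def find_user_safe(conn, username):
    """Hardened form: validate first, then bind the value as a parameter so the
    driver hands it to the engine as data, never as part of the SQL text."""
    username = validate_username(username)
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# Identifiers (table and column names, ORDER BY targets) cannot be bound as
# parameters, so they are chosen from a fixed whitelist rather than taken from input.
SORTABLE_COLUMNS = {"username", "email"}


def list_users_sorted(conn, column):
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {column}")]


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"
    print(find_user_dynamic(conn, crafted))  # every user: the WHERE filter was bypassed
    try:
        find_user_safe(conn, crafted)
    except ValueError as exc:
        print("rejected:", exc)
    print(find_user_safe(conn, "alice"))
    print(list_users_sorted(conn, "email"))
```

Parameter binding makes the "escape special characters" step the driver's job rather than the application's; the validator in front of it is still worth having because it rejects malformed input before any query runs and gives the same protection to LDAP, shell or ORM back ends that have no binding mechanism.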
11. #wpewebinar
A2
Weak authentication and session management
Description
• Attacks take advantage of improper authentication or session management practices
• Leads to access to sensitive information such as passwords, keys, or tokens
• Execution of privileged application functions
Protections
• Follow standard and recommended practices for user management and authentication
• Perform user and role validation on all actions
• Use secure session cookie flags
• Always use CSRF tokens with forms
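The session-management half of these protections as an added Python example (not code from the webinar or from WP Engine): a server-side session store that issues unpredictable IDs and rotates them on login, a Set-Cookie builder carrying the secure cookie flags, and an audit function that reports which flags a captured Set-Cookie header lacks. The cookie name `sid`, the 30-minute lifetime and the sample headers are assumptions of the example.

```python
import secrets
from http.cookies import SimpleCookie


def new_session_id():
    """256 bits from the OS CSPRNG; never derive session IDs from user data or time."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Server-side session state keyed by an opaque ID. The client only ever holds the ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id):
        sid = new_session_id()
        self._sessions[sid] = {"user": user_id}
        return sid

    def rotate(self, sid):
        """Issue a fresh ID at privilege changes (login, role change) so an ID
        planted or observed before authentication is worthless afterwards."""
        data = self._sessions.pop(sid)
        fresh = new_session_id()
        self._sessions[fresh] = data
        return fresh

    def lookup(self, sid):
        return self._sessions.get(sid)


def build_session_cookie(name, sid, max_age=1800):
    """Set-Cookie value with the flags the slide calls for: Secure (HTTPS only),
    HttpOnly (no script access), SameSite (not sent on cross-site requests),
    and a bounded lifetime."""
    jar = SimpleCookie()
    jar[name] = sid
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """Check a Set-Cookie header value (for example one captured from a staging
    response) and return the hardening attributes it lacks."""
    attrs = {}
    for part in header_value.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax or Strict")
    if "max-age" not in attrs and "expires" not in attrs:
        missing.append("Max-Age or Expires")
    return missing


if __name__ == "__main__":
    store = SessionStore()
    sid = store.rotate(store.create("alice"))  # rotate right after authentication
    print(build_session_cookie("sid", sid))
    print(audit_set_cookie("sid=abc123; Path=/"))  # constructed weak header
```

The audit function is the piece to automate: run it against every Set-Cookie header the application emits in a test environment so a framework upgrade or a new plugin that drops a flag is caught before release.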
13. #wpewebinar
A3
Cross Site Scripting (XSS)
Description
• An application places data from untrusted sources into site content without performing proper validation and/or escaping
• Allows client side script execution
• Can lead to compromised credentials and sessions, site defacement, and redirection to malicious sites
Protections
• Positive input validation using correct character set
• Sanitize input
• Output encode all user data upon rendering
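Output encoding as an added Python example (not code from the webinar or from WP Engine): a comment widget rendered once with untrusted values dropped straight into the markup, and once with an encoder chosen for each context the value lands in (HTML text, a quoted attribute, a URL query parameter). The markup, the author and comment values and the helper names are constructed for the demonstration.

```python
import html
from urllib.parse import quote


def render_unsafe(author, comment):
    """Vulnerable form: untrusted values are concatenated into the markup, so
    any tag or attribute syntax in them is interpreted by the browser."""
    return (
        f'<div class="comment" data-author="{author}">'
        f'<a href="/users?name={author}">{author}</a>: {comment}</div>'
    )


def encode_html(value):
    """Encoder for HTML text content and double-quoted attribute values:
    & < > " and ' become character references."""
    return html.escape(str(value), quote=True)


def encode_url_param(value):
    """Encoder for a URL query-string value; safe='' so '/' and '?' are encoded too."""
    return quote(str(value), safe="")


def render_safe(author, comment):
    """Hardened form: every insertion point uses the encoder for its context.
    The href value is URL-encoded for the URL context, then HTML-encoded because
    it also sits inside an attribute (the inner layer first, the outer layer last)."""
    author_html = encode_html(author)
    author_href = encode_html(encode_url_param(author))
    return (
        f'<div class="comment" data-author="{author_html}">'
        f'<a href="/users?name={author_href}">{author_html}</a>: '
        f'{encode_html(comment)}</div>'
    )


if __name__ == "__main__":
    # Constructed inputs: one targets the text context, one the attribute context.
    script_comment = "<script>alert(1)</script>"
    breakout_author = 'x" onmouseover="alert(1)'
    print(render_unsafe(breakout_author, script_comment))
    print(render_safe(breakout_author, script_comment))
```

The point the two renderers make is that "sanitize input" is not enough on its own: the same author string is harmless as text and dangerous inside an attribute, so the decision has to be made where the value is written out, not where it was read in. Templating engines that auto-escape do the `encode_html` step for you; the URL and attribute layering still has to be chosen deliberately.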
15. #wpewebinar
A4
Insecure Direct Object References
Description
• Reference to an internal object such as a file, directory, or database key is exposed
• Leads to unauthorized data access directly or by manipulation
Protections
• Ensure access control checks are performed when using direct object references
• Use reference maps instead of direct references such as IDs
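Both protections in one added Python example (not code from the webinar or from WP Engine): a per-session indirect reference map that hands the browser random tokens in place of database IDs, and a lookup that resolves the token and then still enforces the ownership check. The invoice table, the user names and the function names are constructed for the demonstration.

```python
import secrets

# Constructed sample data: invoices keyed by their real database IDs.
INVOICES = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 7.50},
}


class IndirectReferenceMap:
    """One map per user session: random tokens stand in for real IDs. The same
    object always gets the same token within the session, so pages stay stable."""

    def __init__(self):
        self._to_direct = {}
        self._to_indirect = {}

    def indirect(self, direct_id):
        token = self._to_indirect.get(direct_id)
        if token is None:
            token = secrets.token_urlsafe(16)
            self._to_direct[token] = direct_id
            self._to_indirect[direct_id] = token
        return token

    def direct(self, token):
        return self._to_direct.get(token)


def get_invoice_direct(invoice_id):
    """Vulnerable form: whoever supplies an ID gets the record, no ownership check."""
    return INVOICES.get(invoice_id)


def get_invoice(user, refmap, token):
    """Hardened form: resolve through the caller's own map, then enforce the
    access-control check anyway. Unknown and forbidden both return None so the
    response does not reveal whether the record exists."""
    invoice_id = refmap.direct(token)
    if invoice_id is None:
        return None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        return None
    return invoice


def list_invoices(user, refmap):
    """What a listing page would emit: tokens, never the real IDs."""
    return [refmap.indirect(iid) for iid, inv in INVOICES.items() if inv["owner"] == user]


if __name__ == "__main__":
    alice_map = IndirectReferenceMap()
    tokens = list_invoices("alice", alice_map)
    print(tokens)
    print(get_invoice("alice", alice_map, tokens[0]))  # alice's own invoice
    print(get_invoice("bob", alice_map, tokens[0]))    # None: token is not bob's
    print(get_invoice_direct(102))                     # the leak the map removes
```

The map hides the ID space, which stops the "change 101 to 102 in the URL" class of probing, but it is the ownership check in `get_invoice` that actually enforces authorization; keep both, because tokens can still be copied out of a page or a log.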
18. #wpewebinar
A5
Security Misconfiguration
Description
• Insecure server or application configurations that allow unintended access to data or application functions
• Can be a result of naive configurations, default configurations, outdated software
Protections
• A repeatable and testable hardening process incorporating development, QA, and production
• Regular update and patching processes
• Periodic scans and audits
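One concrete, repeatable piece of the hardening and audit process above, as an added Python example (not code from the webinar or from WP Engine): a response-header audit that can run against development, QA and production on every deploy and fail the pipeline when a setting regresses. The baseline of required headers and the two constructed header sets are assumptions of the example.

```python
import re

# Hardening baseline: header -> predicate that must hold on its value.
REQUIRED = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

# Headers that, with a version number in them, advertise the software stack.
DISCLOSING = ("Server", "X-Powered-By")
VERSION_RE = re.compile(r"\d+\.\d+")


def audit_headers(headers):
    """Return a sorted list of findings for one response's headers.
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name, ok in REQUIRED.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif not ok(value):
            findings.append(f"weak {name}: {value!r}")
    for name in DISCLOSING:
        value = lowered.get(name.lower())
        if value and VERSION_RE.search(value):
            findings.append(f"{name} discloses version: {value!r}")
    return sorted(findings)


# Constructed: what a default install might send before hardening.
WEAK_RESPONSE = {
    "Server": "ExampleHTTPd/1.2.3",
    "X-Powered-By": "ExampleLang/4.5.6",
    "X-Frame-Options": "ALLOWALL",
}

# Constructed: the same site after the hardening process.
HARDENED_RESPONSE = {
    "Server": "ExampleHTTPd",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
}


if __name__ == "__main__":
    for finding in audit_headers(WEAK_RESPONSE):
        print("FAIL", finding)
    print("hardened findings:", audit_headers(HARDENED_RESPONSE))
```

Checking the same baseline in all three environments is what makes the process "repeatable and testable": a setting that is only correct in production because someone fixed it by hand will show up as a difference between environments.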
19. #wpewebinar
A6
Sensitive Data Exposure
Description
• Improper protection and/or encryption of sensitive data such as personally identifiable information, payment methods, and credentials
• Exposure can occur at rest or in transit
• Can lead to fraud, PR nightmares, and further exploitation
Protections
• Encrypt all sensitive data at rest and in transit
• Avoid storing sensitive data at all costs
• Use standard and modern cryptography and hashing algorithms
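The credential case of "standard and modern hashing" as an added Python example (not code from the webinar or from WP Engine): salted PBKDF2-HMAC-SHA256 with a self-describing storage format, constant-time verification, and a rehash check so old records get upgraded on the next successful login, next to the unsalted fast hash it replaces. The format string, the 600,000-iteration work factor and the sample passwords are assumptions of the example.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow, standard: PBKDF2-HMAC-SHA256 with a fresh random salt per
    record. The self-describing format lets verification and the rehash check
    read back the parameters that were used."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except (AttributeError, ValueError):
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a stored hash uses another algorithm or a weaker work factor;
    call after a successful login and re-store the result of hash_password."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


def legacy_unsalted_md5(password):
    """The pattern to migrate away from: fast and unsalted, so equal passwords
    produce equal hashes and precomputed tables apply to every record at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored), verify_password("wrong", stored))
    print(needs_rehash(stored), needs_rehash(hash_password("old", iterations=1000)))
    print(legacy_unsalted_md5("same") == legacy_unsalted_md5("same"))
```

The same "standard and modern" rule applies to the other half of the slide: data at rest belongs under an authenticated cipher from a maintained library, and data in transit under TLS with current configuration, rather than under anything written in-house.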
21. #wpewebinar
A7
Missing Function Level Access Control
Description
• Authentication verification is performed on the front end (UI) but is not properly performed on application functions
• Verification must be performed on all functions at all levels
• Allows unauthorized access to functions and data
Protections
• Perform validations client side AND server side
• Use explicit grants, deny by default
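The server-side half of these protections as an added Python example (not code from the webinar or from WP Engine): an explicit role-to-action grant table, a decorator that enforces it on the application function itself, and a dispatcher that fails closed for unknown roles and unknown actions alike, so a request the UI would never have offered is still refused. The roles, actions and endpoint names are constructed for the demonstration.

```python
import functools

# Explicit grants: role -> actions permitted. Anything not listed is denied.
GRANTS = {
    "admin": {"view_orders", "refund_order", "delete_user"},
    "support": {"view_orders", "refund_order"},
    "customer": {"view_orders"},
}


class Forbidden(Exception):
    pass


def is_allowed(user, action):
    """Deny by default: unknown roles and unlisted actions both evaluate False."""
    return action in GRANTS.get(user.get("role"), set())


def requires(action):
    """Enforce the check on the server-side function, regardless of what the UI
    shows or hides to the user."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not is_allowed(user, action):
                raise Forbidden(f"{user.get('name')} may not {action}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@requires("view_orders")
def view_orders(user):
    return f"orders visible to {user['name']}"


@requires("refund_order")
def refund_order(user, order_id):
    return f"refunded {order_id}"


@requires("delete_user")
def delete_user(user, target):
    return f"deleted {target}"


ENDPOINTS = {"view_orders": view_orders, "refund_order": refund_order, "delete_user": delete_user}


def handle_request(user, action, *args):
    """Dispatcher standing in for the framework's router: the check runs on
    every call, including ones a hidden menu item would never have generated."""
    fn = ENDPOINTS.get(action)
    if fn is None:
        return 404, "no such action"
    try:
        return 200, fn(user, *args)
    except Forbidden as exc:
        return 403, str(exc)


if __name__ == "__main__":
    admin = {"name": "ann", "role": "admin"}
    customer = {"name": "carl", "role": "customer"}
    print(handle_request(admin, "refund_order", 7))     # (200, 'refunded 7')
    print(handle_request(customer, "refund_order", 7))  # (403, 'carl may not refund_order')
    print(handle_request(customer, "view_orders"))
```

Hiding the refund button from customers is still worth doing for usability, but it is the decorator on `refund_order` that decides; a customer's `view_orders` call passing here also still needs the per-object ownership check from the A4 slide, because function-level and object-level access control are separate questions.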
23. #wpewebinar
A8
Cross Site Request Forgery
Description
• An attack forcing a logged-in victim’s browser to send a forged HTTP request which includes local session information
• Requests target vulnerable sites that do not perform proper request validation
Protections
• Include an unpredictable CSRF token in each HTTP request
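The CSRF token protection named here and under A2 ("Always use CSRF tokens with forms"), as an added Python example (not code from the webinar or from WP Engine): tokens are an HMAC over the caller's session ID and a fresh nonce, so they are unpredictable, bound to one session and verified in constant time; a forged cross-site request arrives with the victim's session cookie but without a valid token and is refused. The server key, the form, the field names and the session IDs are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed: in a real deployment this comes from configuration, not source code.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Unpredictable and session-bound: HMAC(key, session_id:nonce). A new nonce
    per render means tokens differ between forms, yet all verify for this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for the caller's session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def render_form(session_id):
    """The token rides in a hidden field; only a page served to this session has it."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="post" action="/email/change">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="email"></form>'
    )


def handle_post(session_id, body):
    """State-changing endpoint: the session comes from the cookie (which the
    browser attaches to a forged request too), the token must come from the form."""
    fields = parse_qs(body)
    token = fields.get("csrf_token", [""])[0]
    if not verify_csrf_token(session_id, token):
        return 403, "csrf check failed"
    return 200, f"email changed to {fields.get('email', [''])[0]}"


if __name__ == "__main__":
    sid = "session-of-victim"  # constructed session ID
    token = issue_csrf_token(sid)
    print(render_form(sid))
    print(handle_post(sid, f"csrf_token={token}&email=me%40example.com"))  # genuine form
    print(handle_post(sid, "email=attacker%40example.com"))                # forged cross-site post
```

This works because another origin cannot read the token out of the victim's page, while the browser attaches the session cookie regardless of where the request came from; SameSite cookies (see the A2 example) reduce the exposure further but do not replace the token on state-changing requests.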
25. #wpewebinar
A9
Using Components with Known Vulnerabilities
Description
• Known vulnerabilities in utilized libraries and frameworks can be compromised using readily available tools
• Can allow attacks to bypass security measures through exploitation
Protections
• Maintain awareness of the components and versions utilized by your application
• Monitor the security of these components via public notifications such as vulnerability mailing lists, etc.
• Establish and follow policies dictating what software components are acceptable to use
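The first two protections made mechanical, as an added Python example (not code from the webinar or from WP Engine): an inventory of shipped components with versions is matched against an advisory list with affected ranges, using a version comparison that treats `1.4` and `1.4.0` as equal. The component names, versions and advisory IDs are constructed placeholders, not real advisories.

```python
import re


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); non-numeric fragments are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_lt(a, b):
    """Numeric, component-wise comparison. Shorter tuples are padded with zeros
    so 1.4 == 1.4.0, and 1.10 sorts after 1.9 (string comparison would not)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


# Constructed inventory: what this application actually ships.
INVENTORY = {
    "example-gallery": "1.4.2",
    "example-theme": "2.0.0",
    "example-forms": "3.1.9",
}

# Constructed advisory feed. "introduced_in" is optional; when absent, every
# version below "fixed_in" is affected. IDs are placeholders.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "example-gallery", "fixed_in": "1.5.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "component": "example-forms", "fixed_in": "3.1.0"},
    {"id": "ADVISORY-PLACEHOLDER-3", "component": "example-theme",
     "introduced_in": "2.1.0", "fixed_in": "2.1.4"},
    {"id": "ADVISORY-PLACEHOLDER-4", "component": "example-not-installed", "fixed_in": "9.9.9"},
]


def find_vulnerable(inventory, advisories):
    """Cross the inventory with the advisories and return the components that
    fall inside an affected range."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv["component"])
        if installed is None:
            continue  # advisory for a component this application does not ship
        if version_lt(installed, adv.get("introduced_in", "0")):
            continue  # older than the affected range
        if version_lt(installed, adv["fixed_in"]):
            hits.append({
                "component": adv["component"],
                "installed": installed,
                "fixed_in": adv["fixed_in"],
                "advisory": adv["id"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{hit['component']} {hit['installed']} < {hit['fixed_in']} ({hit['advisory']})")
```

The inventory is the part teams most often lack: without an accurate list of plugins, themes and libraries with versions, a mailing-list notice cannot be acted on. Generating it from the deployed code rather than from memory, and running this comparison on a schedule, is what turns "monitor" into a process.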
27. #wpewebinar
A10
Unvalidated Redirects and Forwards
Description
• Use of redirects and forwards with untrusted data determining the destination pages
• Redirection can be exploited to direct users to malicious sites performing phishing or malware distribution
Protections
• Avoid redirects and forwards if possible
• If they are used, do not include dynamic parameters in calculating the destination
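Both protections as an added Python example (not code from the webinar or from WP Engine): the preferred form, where the request carries only a key into a server-owned destination table, and a fallback validator for the cases where a caller-supplied target cannot be avoided, which accepts only same-site paths or `https` URLs on an allow-list of hosts and rejects the scheme-relative, backslash, userinfo and `javascript:` forms that defeat naive checks. The allowed hosts and the redirect table are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed: hosts this site is allowed to send users to.
ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}

# Preferred: the request names a key, the server owns the destinations.
REDIRECT_TABLE = {
    "account": "/account",
    "cart": "https://shop.example.com/cart",
    "help": "/help",
}


def redirect_by_key(key, default="/"):
    """No dynamic parameter reaches the destination: unknown keys go to the default."""
    return REDIRECT_TABLE.get(key, default)


def safe_redirect_target(target, default="/"):
    """Fallback for a caller-supplied target: accept a same-site absolute path or
    an https URL to an allowed host; anything else becomes the default."""
    if not target:
        return default
    # Some browsers treat a backslash like a slash, so normalise before parsing.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative target: require exactly one leading slash. "//host" is
        # scheme-relative and would leave the site.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    # Absolute target: scheme and host must both be acceptable. parts.hostname
    # strips any userinfo ("user@") and port, so "https://www.example.com@evil"
    # resolves to the real host, not the decoy before the "@".
    if parts.scheme.lower() == "https" and parts.hostname in ALLOWED_HOSTS:
        return target
    return default


if __name__ == "__main__":
    for key in ("cart", "https://evil.test/"):
        print(key, "->", redirect_by_key(key))
    for candidate in ("/account/settings", "//evil.test/", "/\\evil.test/",
                      "https://shop.example.com/cart", "https://www.example.com@evil.test/",
                      "javascript:alert(1)"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The validator exists because real applications do carry return-to parameters after login; where one is needed, prefer storing the intended destination server-side in the session and redirecting to it afterwards, which collapses the problem back into the table-lookup form.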
30. #wpewebinar
RESOURCES
8 KEY SECURITY QUESTIONS YOUR HOSTING COMPANY SHOULD BE ABLE TO ANSWER
OWASP TOP 10 2013 PROJECT
OWASP VULNERABLE WEB APPLICATIONS DIRECTORY PROJECT
LIVE INTERVIEW WITH DAVID ENDLER OF MANIFEST ON WEB SECURITY
15 WAYS TO HARDEN THE SECURITY OF YOUR WORDPRESS SITE
RECORDED WEBINAR: TODAY’S WEBSITE SECURITY THREAT LANDSCAPE (FEATURING TONY PEREZ, SUCURI)
31. #wpewebinar
NEXT UP...
Register Now:
http://wpeng.in/
email
Wednesday, Feb 22
11:00 a.m. CST,
12:00 p.m. EST,
9:00 a.m. PST,
5:00 p.m. UTC/GMT