Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Top Ten 2010 rc1 Presentation
Colin Watson
Watson Hall Ltd
colin.watson(at)owasp.org
OWASP London, 16th April 2010
12
OWASP
OWASP Top Ten - 2010 rc1: The Ten Most Critical Web Application Security Risks
Risks to your business processes & info systems
OWASP Top 10 Risk Rating Methodology
Example for Cross Site Scripting (XSS)
XSS Score = Weighted risk rating
= Average of Exploitability, Prevalence and Detectability, multiplied by Impact
= (2+1+1)/3 x 2
= 2.6
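The slide's weighted-risk calculation carried through in code, as an added example that is not from the presentation or from OWASP. It assumes the 1-to-3 scale of the OWASP Top 10 2010 methodology (1 is the worst case for every factor, so a lower rating means a higher risk) and truncates to one decimal, which is how (2+1+1)/3 x 2 = 2.666... appears as 2.6 on the slide; the non-XSS sample entries are constructed, not OWASP's published scores.

```python
"""Weighted risk rating as shown on the OWASP Top 10 2010 rc1 slide.

Added example, not OWASP's code. Scale assumption (from the Top 10 2010
methodology): each factor is 1, 2 or 3, where 1 is the worst case (easy to
exploit, widespread, easy to detect, severe impact), so a LOWER weighted
rating means a HIGHER risk.
"""
from fractions import Fraction
from math import floor


def weighted_risk(exploitability: int, prevalence: int,
                  detectability: int, impact: int) -> Fraction:
    """Average of the three likelihood factors, multiplied by impact."""
    for f in (exploitability, prevalence, detectability, impact):
        if f not in (1, 2, 3):
            raise ValueError(f"factor {f!r} is outside the 1..3 scale")
    likelihood = Fraction(exploitability + prevalence + detectability, 3)
    return likelihood * impact  # exact value, e.g. 8/3 for the XSS slide


def truncate_one_decimal(x: Fraction) -> float:
    """Truncate (not round) to one decimal, matching the slide's 2.6."""
    return floor(x * 10) / 10


def rank(risks: dict) -> list:
    """Order risk names from highest to lowest risk (lowest rating first)."""
    return sorted(risks, key=lambda name: weighted_risk(*risks[name]))


# Constructed sample: XSS uses the factors from the slide; the other two
# entries are illustrative scores, not OWASP's published ones.
SAMPLE = {
    "XSS": (2, 1, 1, 2),
    "Injection (illustrative)": (1, 2, 2, 1),
    "Transport (illustrative)": (3, 2, 1, 2),
}

if __name__ == "__main__":
    for name in rank(SAMPLE):
        r = weighted_risk(*SAMPLE[name])
        print(f"{name}: {r} -> {truncate_one_decimal(r)}")
```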
Evaluate your own business risks
Use OWASP's Risk Rating Methodology
http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
• Step 1: Identifying a risk
• Step 2: Factors for estimating likelihood
• Step 3: Factors for estimating impact
• Step 4: Determining severity of the risk
• Step 5: Deciding what to fix
• Step 6: Customizing your risk rating model
A10 - Insufficient Transport Layer Protection
A9 - Insecure Cryptographic Storage
A8 - Unvalidated Redirects and Forwards
A7 - Failure to Restrict URL Access
A6 - Security Misconfiguration
A5 - Cross-Site Request Forgery (CSRF)
A4 - Insecure Direct Object References
A3 - Broken Authentication & Session Management
A2 - Cross-Site Scripting (XSS)
A1 - Injection
Standard layout for each page
• Risk calculation
• How to detect if you are vulnerable
• Example attacks
• How to prevent it
• References
Additional advice
• What's next for developers
• What's next for verifiers
• ?
• Notes about risk
Summary of changes 2007 to 2010 rc1
The End