//ALPHA.1 OWASP Knoxville
Application Security Then and Now: Make a Difference Now
2015 June 11, Phil Agcaoili

OWASP Knoxville Inaugural Chapter Meeting


A Career Path…
printf("hello, world\n");

Why OWASP is VERY Important!

source: Checkmarx

OWASP 10 – Then and Now

Not Substantially Different

OWASP Top 10 – 2003/2004 Edition              OWASP Top 10 – 2013 Edition
A1  Unvalidated Input                         A1  Injection
A2  Broken Access Control                     A2  Broken Authentication and Session Management
A3  Broken Authentication and Session Mgmt    A3  Cross-Site Scripting (XSS)
A4  Cross Site Scripting                      A4  Insecure Direct Object References
A5  Buffer Overflow                           A5  Security Misconfiguration
A6  Injection Flaws                           A6  Sensitive Data Exposure
A7  Improper Error Handling                   A7  Missing Function Level Access Control
A8  Insecure Storage                          A8  Cross-Site Request Forgery (CSRF)
A9  Application Denial of Service             A9  Using Components with Known Vulnerabilities
A10 Insecure Configuration Management         A10 Unvalidated Redirects and Forwards

* Challenging for automation tools

The Intent of OWASP

• The Top 10 is about managing risk
  – Not just avoiding vulnerabilities

• Take a big picture approach to application security.
  – Being on the OWASP Top 10 doesn't mean it's the most important problem facing your organization

Keep it simple…
It’s not as difficult as you think it is.

START SMALL

BUILD THE MOMENTUM OF SUCCESS

HOPE FOR SERENDIPITY
The occurrence and development of events by chance in a happy or beneficial way

ACHIEVE BUY-IN FROM MANAGEMENT AND EMPLOYEES
Provide opportunities for teams and clear advantages for the company.

TAKE APPLICATION SECURITY ONE STEP AT A TIME
Allow the organization to grow into the process rather than dropping it on the teams all at once.

EDUCATE YOUR DEVELOPERS AND GET THEM WRITING SECURE CODE
Empathy is the killer app of application security. Make developers and the business (e.g. project managers) care about developing safe software.

RECRUIT THE SMART PEOPLE IN THE DEV TEAMS TO ACT AS CHAMPIONS

Senior developers with a need to learn something new, or junior developers with the motivation to move ahead within the organization.

GET THE RIGHT PARTNERS TO HELP YOU

NETWORK SECURITY CANNOT PREVENT APPLICATION BREACHES ON ITS OWN

STATIC ANALYSIS SHOULD BE PERFORMED AT EARLIER DEVELOPMENT STAGES
Web application firewalls (WAF) and/or RASP should be used only as temporary band-aids for vulnerabilities that have not yet been remediated in code.
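Two of the slides above make one point that is easy to state and easy to forget: Injection climbed from A6 (2004) to A1 (2013) because the same flaw keeps being written, and a WAF in front of it is a stop-gap, not a fix. The example below is added here to show that concretely; it is not code from the talk or from OWASP. It uses constructed sample data in an in-memory SQLite database, a string-concatenated login query, a hypothetical one-rule signature filter standing in for a WAF, and the parameterised query that actually closes the hole.

```python
"""
Injection then and now: vulnerable query, a WAF-style band-aid, and the real fix.
Added example (not from the talk). All data below is constructed for illustration.
"""
import re
import sqlite3

# Constructed sample database with a single legitimate user.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn

def login_vulnerable(conn, username, password):
    # Attacker-controlled text is spliced straight into the statement:
    # OWASP Top 10 A6 "Injection Flaws" in 2004, A1 "Injection" in 2013.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_fixed(conn, username, password):
    # Parameterised query: the driver binds the values as data, so a quote
    # in the input is a quote in a string, never part of the SQL grammar.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# Hypothetical signature rule standing in for a WAF rule set (assumption, not a
# real product's rule): it recognises only the textbook "' OR '1'='1" payload.
WAF_BLOCKLIST = [re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)]

def waf_allows(value):
    return not any(rx.search(value) for rx in WAF_BLOCKLIST)

def login_behind_waf(conn, username, password):
    # Band-aid: the vulnerable code is unchanged, a filter sits in front of it.
    if not (waf_allows(username) and waf_allows(password)):
        return False  # request dropped by the filter
    return login_vulnerable(conn, username, password)

# Constructed payloads: the classic one the rule knows, and a trivial variant.
PAYLOAD_CLASSIC = "' OR '1'='1"
PAYLOAD_VARIANT = "x' OR 'a'='a"

def demo():
    """Return, per payload, whether each variant of the login lets the attacker in."""
    conn = build_db()
    results = {}
    for name, value in (("classic", PAYLOAD_CLASSIC), ("variant", PAYLOAD_VARIANT)):
        results[name] = {
            "vulnerable": login_vulnerable(conn, value, value),
            "behind_waf": login_behind_waf(conn, value, value),
            "fixed": login_fixed(conn, value, value),
        }
    # Sanity check that the fix still lets the real user in.
    results["legitimate"] = {
        "vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "behind_waf": login_behind_waf(conn, "alice", "correct horse"),
        "fixed": login_fixed(conn, "alice", "correct horse"),
    }
    return results

if __name__ == "__main__":
    for payload, outcome in demo().items():
        print(payload, outcome)
```

The classic payload is stopped by the signature, the variant walks straight past it into the same vulnerable query, and only the parameterised version rejects both while still authenticating the legitimate user. That is the whole argument for fixing findings in code and treating the WAF as a temporary compensating control.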

CAUTION WITH AUTOMATION
Tools make educated guesses that require validation by trained humans. Peer code review by trained peers is still the best option.

Phil Agcaoili
Distinguished Fellow and Fellows Chairman, Ponemon Institute

Board of Advisors, PCI Security Standards Council (SSC)

Contributor, NIST Cybersecurity Framework version 1

Co-Founder & Board Member, Southern CISO Security Council

Founding Member, Cloud Security Alliance (CSA)

Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF) – AICPA SOC

@hacksec

https://www.linkedin.com/in/philA