Page 1
Page 2
APPLICATIONS ARE
The business
The reason people use the Internet
The gateway to DATA
The target
Page 3
6 min before it's scanned
If vulnerable, you could be PWND in <2 hours
1/3 Mission critical
Page 4
App Tiers
Certificate spoofing
Protocol abuse
Session hijacking
Key disclosure
DDoS
DDoS
Eavesdropping
Protocol abuse
Man-in-the-middle
Man-in-the-browser
Session hijacking
Malware
Cross-site request forgery
Cross-site scripting
DNS hijacking
DDoS
DNS spoofing
DNS cache poisoning
Man-in-the-middle
Dictionary attacks
Abuse of functionality
Man-in-the-middle
DDoS
Malware
API attacks
Injection
Cross-site scripting
Cross-site request forgery
Credential theft
Credential stuffing
Session hijacking
Brute force
Phishing
Page 5
Page 6
2013 OWASP Top 10
1. Injection
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards
2017 OWASP Top 10
1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring
Page 7
Injection → PHP & SQL
[Chart: values 58%, 56%, 6%, 4%, 3%, 2%, 2%, 1%, 1%; categories PHP, SQL, Exchweb, Comments, Cart, Betablock, Admin, Affiliates, Login]
Page 8
46% of PHP attacks were SQL injections.
Source: Loryka Attack Data
Page 9
Access Attacks
[Chart: values 5%, 23%, 26%, 34%, 9%, 3%; category labels not recovered]
Page 10
Access Attacks – Check your Credentials
Page 11
Credential Stuffing – Major Breaches
In the last 8 years more than 7.1 billion identities have been exposed in data breaches
70 MILLION accounts
427 MILLION accounts
150 MILLION accounts
3 BILLION accounts
117 MILLION accounts
Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more.
1. Symantec Internet Security Threat Report, April 2017
2. https://www.entrepreneur.com/article/246902#
Page 12
Clients are phished → malware installed
Banking Trojans → Fraud Trojans
Fraud targets = any site with a login page
Page 13
Web Fraud Credential Stealing – Not Only Banks
Use our research to learn about attack trends affecting your industry
Application Threat Intelligence
Page 14
Denial of Service Attacks Against Applications
DoS becomes new spam
L7 DoS attacks are rising
Multi-layered protection is needed
Page 15
DDoS by Region 2017
Page 16
BOTs
Rise of the BOTs: 98.6M bots observed
52% of Internet traffic is automated
77% of 2016 web app breaches involved the use of bots
ThingBOTs
Page 17
Affected Devices
[Timeline chart, 2008–2018, thingbots grouped by discovery year; year-to-group mapping not recovered]
7 Bots: SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter
1 Bot: Brickerbot
2 Bots: WireX, Reaper
3 Bots: Mirai, BigBrother, Rediation
1 Bot: Remaiten
1 Bot: Moon
1 Bot: Aidra
1 Bot: Hydra
3 Bots: Satori Fam, Amnesia, Persirai
6 Bots: Masuta, PureMasuta, Hide ‘N Seek, JenX, OMG, DoubleDoor
1 Bot: Crash Override
1 Bot: Gafgyt Family
2 Bots: Darlloz, Marcher
1 Bot: Psyb0t
4 Bots: Hajime, Trickbot, IRC Telnet, Annie
Affected devices: CCTV, DVRs, WAPs, Set-Top Boxes, Media Center, Android, Wireless Chipsets, NVR Surveillance, Busybox Platforms, Smart TVs, VoIP Devices, Cable Modems, ICS, SOHO routers, iOS, IP Cameras
74% discovered in last 2 years
Page 18
Thingbot Attack Type
[Timeline chart, 2008–2018: the same thingbot groupings as the Affected Devices slide]
Attack types: DNS Hijack, DDoS, PDoS, Proxy Servers, Unknown…, Rent-a-bot, Install-a-bot, Multi-purpose Bot, Fraud trojan, ICS protocol monitoring, Tor Node, Sniffer, Credential Collector, Crypto-miner
Shifting from primarily DDoS to multi-purpose
Page 19
BOTs - Common source of threat vectors
Client-Side Attacks: Malware, Ransomware, Man-in-the-browser, Session hijacking, Cross-site request forgery, Cross-site scripting
DDoS Attacks: SYN, UDP, and HTTP floods; SSL renegotiation; DNS amplification; Heavy URL
App Infrastructure Attacks: Man-in-the-middle, Key disclosure, Eavesdropping, DNS cache poisoning, DNS spoofing, DNS hijacking, Protocol abuse, Dictionary attacks
Web Application Attacks: API attacks, Cross-site scripting, Injection, Cross-site request forgery, Malware, Abuse of functionality, Man-in-the-middle, Credential theft, Credential stuffing, Phishing
Certificate spoofing
Protocol abuse
Malware
Ransomware
Man-in-the-browser
Cross-site scripting
Dictionary attacks
SYN, UDP, HTTP floods
SSL renegotiation
DNS amplification
Heavy URL
API attacks
Cross-site scripting
Injection
Malware
Abuse of functionality
Credential stuffing
Phishing
Page 20
Recommendations
1 Understand Your Environment
2 Reduce Your Attack Surface
3 Prioritize Defenses Based on Attacks
4 Select Flexible and Integrated Defense Tools
5 Integrate Security into Development
Page 21
1 Understand Your Environment
CISO’S #1 MISSION: Prevent Downtime
EVERYONE’S #1 CHALLENGE: Visibility
Page 22
2 Reduce Your Attack Surface
Sub domains hosting other versions of the main application site
Dynamic web page generators
HTTP headers and cookies
Admin interfaces
Apps/files linked to the app
Web service methods
Helper apps on client (java, flash)
Server-side features such as search
Web pages and directories
Shells, Perl/PHP
Data entry forms
Administrative and monitoring stubs and tools
Events of the application—triggered server-side code
Backend connections through the server (injection)
APIs
Cookies/state tracking mechanisms
Data/active content pools—the data that populates and drives pages
Page 23
3 Prioritize Defenses Based on Attacks
Focus OpEx & CapEx spend
Page 24
4 Select Flexible and Integrated Defense Tools
https://lifehacker.com/watch-alton-brown-demonstrate-why-unitaskers-have-no-1749470145
Page 25
5 Integrate Security into Development
https://f5.com/labs/articles/cisotociso/strategy/six-steps-to-finding-honey-in-the-owasp
1 Understand your OWASP scope
2 Scan all web applications
3 Share Results
4 Educate and inform
5 Firewall what you can’t fix
6 Become part of the OWASP community
Page 26