OWASP Top Ten 2017

OWASP
Top Ten
2017
Michael Furman
Security Architect

What will we cover today?
• What is OWASP?
• OWASP Top Ten Project
• OWASP Top Ten from 2013 to 2017
• Top Ten overview

About Me
• 20+ years in software engineering
• 10+ years in application security
• 4+ years Lead Security Architect at Tufin
• www.linkedin.com/in/furmanmichael/
• ultimatesecpro@gmail.com
• Read my blog https://ultimatesecurity.pro/
• Follow me on twitter @ultimatesecpro
• I like to travel, read books and listen to music.

About Tufin
• Market Leader in Security Policy Orchestration for
firewalls and cloud
– New Tufin products integrate security into DevOps pipeline
• Established in 2005
• Used in over 2,000 enterprises, including 40 Fortune
100 companies
• We are constantly growing!
www.tufin.com/careers/

What is OWASP?
• OWASP - Open Web Application Security Project
• Worldwide not-for-profit organization
• Founded in 2001
• Mission is to make the software security visible.

OWASP Projects
• OWASP Top Ten
https://www.owasp.org/index.php/Top_10-2017_Top_10
• Opensamm - Software Assurance Maturity Model
http://www.opensamm.org/

OWASP Top Ten
• Most successful OWASP Project
• Ten most critical web application security flaws
• First released in 2004
• Released every 3 years
• 2007, 2010, 2013, 2017 (current)

Adopters of OWASP Top Ten
• Microsoft
• Part of the PCI DSS
• Vulnerability scanners
• …

OWASP Top Ten 2017
• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities
• A5 Broken Access Control
• A6 Security Misconfiguration
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring

OWASP Top Ten 2013
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards

2013 to 2017 - New issues
• A4 XML External Entities
• A8 Insecure Deserialization
• A10 Insufficient Logging & Monitoring

2013 to 2017 - Retired or Merged Issues
• A4 - Insecure Direct Object References and A7 -
Missing Function Level Access Control merged into
A5 - Broken Access Control
• A8 Cross-Site Request Forgery (CSRF) – dropped
• A10 Unvalidated Redirects and Forwards – dropped

2013 to 2017
• A1 Injection - not changed
• A2 Broken Authentication and Session Management renamed to
A2 Broken Authentication
• A3 Cross-Site Scripting (XSS) moved to A7 Cross-Site Scripting (XSS)
• A4 - Insecure Direct Object References and A7 merged into A5 - Broken
Access Control
• A5 Security Misconfiguration moved to A6 Security Misconfiguration
• A6 Sensitive Data Exposure moved to A3 Sensitive Data Exposure
• A7 - Missing Function Level Access Control and A4 merged into A5 -
Broken Access Control
• A8 Cross-Site Request Forgery (CSRF) – dropped
• A9 Using Components with Known Vulnerabilities - not changed
• A10 Unvalidated Redirects and Forwards – dropped

Why it changed?
• Over the last few years, the fundamental technology
and architecture of applications has changed
significantly:
• Microservices
• Single page applications

A1 Injection
• A user input is concatenated with executable code
• SQL injection
• OS Command Injection
• HQL injection

A1 Injection
• Example:
String query = "SELECT * FROM accounts
WHERE custID=‘” + request.getParameter("id") + "'";

A1 - How to Prevent it
• Do not pass user input directly to executable
statements
• Prepared Statements
• Parameterized Queries
• Hibernate

A2 Broken Authentication
• Session IDs aren’t rotated after successful login
• Allow brute force or other automated attacks
• Use default, weak, or well-known passwords

• Rotate Session IDs after successful login
• Implement brute force protection
• Implement password complexity

A3 Sensitive Data Exposure
• Sensitive data is transmitted or stored in clear text
• Old or weak cryptographic algorithms are used

• Encrypt all sensitive data both at rest and in transit
• Use up-to-date and strong standard algorithms,
protocols, and keys

A4 XML External Entities
• Attackers can exploit vulnerable XML processors if
they can upload XML or include hostile content in an
XML document
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

• Disable XML external entity and DTD processing in all
XML parsers in the application, as per the OWASP
Cheat Sheet 'XXE Prevention’.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Preventio
n_Cheat_Sheet
• For additional details see my XXE presentation:
https://ultimatesecurity.pro/post/xxe-presentation/

A5 Broken Access Control
• AKA Privilege Escalation or Elevation of privilege
• A regular user accesses a resource with an admin
permission

• Implement access control mechanisms

A6 Security Misconfiguration
• Unnecessary features are enabled or installed
• Unnecessary ports
• Services
• Default accounts
• Default passwords

• Close unnecessary ports
• Disable unnecessary services
• Remove default accounts
• Change default passwords

A7 Cross-Site Scripting (XSS)
• Attackers can execute scripts in a victim’s browser

• Input validation for all user input
• White list patterns. E.g. pattern for IPv6 or IPv4.
• Encode output

A8 Insecure Deserialization
• Serialization is the process of translating data
structures or object state into a format that can be
stored or transmitted and reconstructed later
(deserialization)
• Insecure Deserialization - an attacker changes the
object between serialization and deserialization

• Example:
• A PHP forum uses PHP object serialization to save a
"super" cookie, containing the user's user ID, role,
password hash, and other state information:
• An attacker changes the serialized object to gain admin
privileges:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user"; i:3;s:32:
"b6a8b3bea87fe0e05022f8f3c88bc960";}
a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";
i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}

• Mark Reinhold, Oracle
Chief Architect of Java platform group
– Removing serialization is a long-term goal and is part of
project Amber
– Serialization was a “horrible mistake” made in 1997
– At least a third—maybe even half—of Java vulnerabilities
have involved serialization

• Don't accept serialized objects from untrusted
sources

A9 Using Components with
Known Vulnerabilities
• Software is vulnerable, unsupported, or out of date.
• Is any of your software out of date?
• OS
• Web/App Server
• Database

• Update software

A10 Insufficient Logging & Monitoring
• Insufficient logging
• Logins
• Failed logins
• High-value transactions

• Log important events with sufficient user context
– Username
– Client IP
– Time

Take aways
• You understand what OWASP does
• You understand the OWASP Top Ten

Thank you!
• Contact me
– www.linkedin.com/in/furmanmichael/
– ultimatesecpro@gmail.com
– https://ultimatesecurity.pro/
– @ultimatesecpro

OWASP Top Ten 2017

More Related Content

What's hot (20)

Similar to OWASP Top Ten 2017 (20)

More from Michael Furman (7)

Recently uploaded (20)

OWASP Top Ten 2017

Editor's Notes