Test 1: Review
OWASP Top 10
Defense Approaches
Classification and Prioritization Systems
INFO6026
TEST 1: Review
OWASP: TOP 10
Open Web Application Security Project
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• Web applications are uniquely vulnerable
• It is estimated that up to 70 percent of attacks come through web applications
• This stems from the fact that user traffic must be allowed through the firewall to reach the web application, so application-layer attacks arrive inside legitimate-looking HTTP requests
• Firewalls alone are an ineffective defense against attacks on web applications
• Unfortunately, most companies spend far more resources on network defense than on building or configuring their web applications properly
The information presented here is from the 2013 release.
• The official 2013 list was released in June 2013
OWASP
• Open Web Application Security Project
• Non-profit
• Identifies the ten most critical web application security risks at the time of release
• http://www.owasp.org
• Attackers can use many paths through a web application to harm the organization
• Each of these paths represents a risk
• The OWASP Top 10 attempts to identify the most dangerous risks
• those serious enough to warrant attention
For each risk OWASP provides detailed information
• Threat Agents
• Where are these attacks going to come from?
• Attack Vector
• How easy is it to perform the attack?
• Weakness Prevalence
• How common is the weakness?
• Weakness Detectability
• How easy is it to detect the weakness?
• Technical Impact
• How severe will the attack be on the application, its data and the supporting infrastructure?
• Business Impact
• What will be the varied costs to the business if a successful attack takes place?
Threat Agent Factors
How technically skilled is this group of threat agents?
• Security penetration skills
• Network and programming skills
• Advanced computer user
• Some technical skills
• No technical skills
How motivated is this group of threat agents to find and exploit this vulnerability?
• Low or no reward
• Possible reward
• High reward
What resources and opportunity are required for this group of threat agents to find and exploit this vulnerability?
• Full access or expensive resources required
• Special access or resources required
• Some access or resources required
• No access or resources required
How large is this group of threat agents?
• Developers
• System administrators
• Intranet users
• Partners
• Authenticated users
• Anonymous Internet users
Vulnerability Factors
How easy is it for this group of threat agents to discover this vulnerability?
• Practically impossible
• Difficult
• Easy
• Automated tools available
How easy is it for this group of threat agents to actually exploit this vulnerability?
• Theoretical
• Difficult
• Easy
• Automated tools available
How well known is this vulnerability to this group of threat agents?
• Unknown
• Hidden
• Obvious
• Public knowledge
How likely is an exploit to be detected?
• Active detection in application
• Logged and reviewed
• Logged without review
• Not logged
Technical Impact Factors
• Loss of confidentiality
• How much data could be disclosed and how sensitive is it?
• Loss of integrity
• How much data could be corrupted and how damaged is it?
• Loss of availability
• How much service could be lost and how vital is it?
• Loss of accountability
• Are the threat agents' actions traceable to an individual?
Business Impact Factors
• Financial damage
• How much financial damage will result from an exploit?
• Reputation damage
• Would an exploit result in reputation damage that would harm the business?
• Non-compliance
• How much exposure does non-compliance introduce?
• Privacy violation
• How much personally identifiable information could be disclosed?