From the OWASP Top Tens to the OWASP ASVS

Transcript of the slide deck by Dr. Philippe De Ryck (@PhilippeDeRyck)
@PhilippeDeRyck 2
DR. PHILIPPE DE RYCK
PH.D. IN WEB SECURITY
GOOGLE DEVELOPER EXPERT (NOT EMPLOYED BY GOOGLE)

• Traveling the world to deliver security courses
• In-depth web security training for developers
• Custom training courses with developer-oriented labs
• Covering web security, API security, Angular/React security

• 15+ years of security experience
• Founder of Pragmatic Web Security
• Author of Primer on client-side web security
• Creator of Web Security Fundamentals on edX

• Course curator of the SecAppDev course
• Yearly security course targeted towards developers
• More information on https://secappdev.org
OWASP TOP 10
The Ten Most Critical Web Application Security Risks
The ten risks of the 2017 edition (the slides highlight Injection, Broken authentication, Sensitive data exposure, XXE, Broken access control and XSS; the remaining entries are filled in from the 2017 list):

1 – Injection
2 – Broken authentication
3 – Sensitive data exposure
4 – XXE (XML External Entities)
5 – Broken access control
6 – Security misconfiguration
7 – XSS (Cross-Site Scripting)
8 – Insecure deserialization
9 – Using components with known vulnerabilities
10 – Insufficient logging and monitoring
AWARENESS
Authentication
Authorization
Session management
OWASP TOP 10
Awareness on the most critical issues in web applications
Brief overview of do's and don'ts in web applications
Advice is independent of application, user impact or required skills
OWASP TOP 10 PROACTIVE CONTROLS
Ten critical security areas that developers must be aware of
AWARENESS
OWASP TOP 10 PROACTIVE CONTROLS
Awareness on the most important security controls
Mainly focusing on the do's that matter for almost every application
Advice is independent of application, user impact or required skills
OWASP APPLICATION SECURITY VERIFICATION STANDARD
A list of security requirements or tests to determine how secure an application is
Three verification levels, each a superset of the one before:

Level 1 – All applications
Level 2 – Applications handling sensitive info
Level 3 – Applications handling critical info
DRIVE SECURITY PROCESSES
ALIGNMENT STANDARD
OWASP APPLICATION SECURITY VERIFICATION STANDARD
Detailed overview of security do's and don'ts in web applications
Advice incorporates application type and development challenges
CHECKLIST
“the data leak was caused by a misconfigured Amazon S3 storage bucket which permitted the access and download of information without the need for authorization”
2.19
Verify there are no default passwords in use for the application framework or any components used by the application (such as “admin/password”).
AUTOMATED SECURITY TESTING
“The passwords were either kept in plain text format, or used the largely discredited SHA1 hashing algorithm.”
IS HASH CRACKING REALLY THAT FAST?
Hashes per second on the benchmark hardware shown on the slide:

MD5: 200 000 million
SHA1: 68 771 million
BCRYPT (cost 13): 390
2.13
Verify that account passwords are one way hashed with a salt, and there is sufficient work factor to defeat brute force and password hash recovery attacks.
SECURE CODING GUIDELINES
USERNAME HARVESTING THROUGH TIMING ATTACKS
The login handler below is the slide's example of a timing leak: the branch that verifies a password runs the (deliberately slow) hash function, while the branch for an unknown email returns almost immediately, so an attacker can tell valid from invalid usernames by measuring response times.

```java
List<User> users = new UserDAO().findAllByEmailWithPassword(email);
if (users.size() == 1) {
    User user = users.get(0);
    // Password verification computes the password hash: a 100 - 200 ms operation
    if (AuthenticationUtils.verifyPassword(user, password)) {
        Logger.info("Authentication successful.");
        return redirectAfterLogin();
    } else {
        Logger.warn("Invalid password. Authentication failed");
        return handleLoginError();
    }
} else {
    // No hash is computed on this path: an almost instant operation,
    // so the response time reveals that the email does not exist
    Logger.warn("No matching user account found. Authentication failed");
    return handleLoginError();
}
```
2.28
Verify that all authentication challenges, whether successful or failed, should respond in the same average response time.
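The following is an added example, not code from the slides, covering both requirement 2.13 (salted one-way hashing with a work factor) and requirement 2.28 (uniform response time for authentication). It uses scrypt from Python's standard library as the work-factor hash; the parameters, the sample account and the `DUMMY_HASH` trick are assumptions for illustration. `login_leaky` has the same shape as the Java handler above; `login_uniform` spends the same hashing cost on the unknown-account path, and `timing_ratio` shows the difference an attacker would measure.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# scrypt parameters: a salted, one-way hash with a tunable work factor (ASVS 2.13).
# N=2**14, r=8, p=1 is an assumed interactive-login setting; raise N until one
# hash costs roughly 100 ms on the hardware that will serve logins.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    _, n, r, p, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def hashes_per_second(fn: Callable[[bytes], object], seconds: float = 0.2) -> float:
    """Rough single-core throughput of fn: the measurement behind the slide's table."""
    count, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        fn(b"password123")
        count += 1
    return count / seconds


# Constructed sample account store (not real credentials).
USERS = {"alice@example.com": hash_password("correct horse battery staple")}

# Hash of a random throwaway password. Verifying against it spends the same
# work factor when no account matches, so both login paths take the same time.
DUMMY_HASH = hash_password(os.urandom(16).hex())


def login_leaky(email: str, password: str) -> bool:
    """Same shape as the slide's Java handler: the unknown-account path skips the hash."""
    stored = USERS.get(email)
    if stored is None:
        return False                              # microseconds
    return verify_password(password, stored)      # tens of milliseconds


def login_uniform(email: str, password: str) -> bool:
    """ASVS 2.28: always run one verification, against a dummy hash if needed."""
    stored = USERS.get(email)
    if stored is None:
        verify_password(password, DUMMY_HASH)     # same cost, result discarded
        return False
    return verify_password(password, stored)


def timing_ratio(login: Callable[[str, str], bool], rounds: int = 3) -> float:
    """Mean time for a known email divided by mean time for an unknown one.
    Close to 1.0 means the response time does not reveal whether the account exists."""
    def mean(email: str) -> float:
        start = time.perf_counter()
        for _ in range(rounds):
            login(email, "wrong password")
        return (time.perf_counter() - start) / rounds
    return mean("alice@example.com") / mean("nobody@example.com")


if __name__ == "__main__":
    sha1 = lambda pw: hashlib.sha1(pw).digest()
    scrypt = lambda pw: hashlib.scrypt(pw, salt=b"salt", n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    print("SHA1   :", int(hashes_per_second(sha1)), "hashes/s")
    print("scrypt :", int(hashes_per_second(scrypt)), "hashes/s")
    print("leaky login ratio  :", round(timing_ratio(login_leaky), 1))
    print("uniform login ratio:", round(timing_ratio(login_uniform), 1))
```

The stored record carries its own parameters, so the work factor can be raised later and old records rehashed on the user's next successful login. The dummy verification is the simplest way to meet 2.28; it does not hide the timing of the database lookup itself, which is why the requirement speaks of the same average response time rather than identical timing.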
PRIORITIZE SECURITY
2.31
Verify that if an application allows users to authenticate, they can authenticate using two-factor authentication or other strong authentication, or any similar scheme that provides protection against username + password disclosure.
x' UNION SELECT id,email, totpsecret, 'bleh', 'bleh.png' FROM users WHERE 'x%' = 'x
5.10
Verify that all SQL queries, HQL, OSQL, NOSQL and stored procedures, calling of stored procedures are protected by the use of prepared statements or query parameterization, and thus not susceptible to SQL injection
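An added example, not from the slides, that runs the UNION payload shown above against a concatenated query and against the parameterized query requirement 5.10 asks for. The product search, the five-column `products` table and the `users` table with a `totpsecret` column are constructed to fit the payload (which expects five columns and a trailing `%'` in the original query); the data is made up.

```python
import sqlite3

# Constructed sample schema and data (not from any real application).
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, description TEXT, price TEXT, image TEXT);
CREATE TABLE users (id INTEGER, email TEXT, totpsecret TEXT);
INSERT INTO products VALUES (1, 'Widget', 'A fine widget', '9.99', 'widget.png');
INSERT INTO users VALUES (1, 'alice@example.com', 'JBSWY3DPEHPK3PXP');
"""

# The payload from the slide. It closes the LIKE string, appends a second SELECT
# with the same number of columns, and its trailing "WHERE 'x%' = 'x" absorbs
# the query's own closing "%'" so the resulting SQL is still well-formed.
PAYLOAD = "x' UNION SELECT id,email, totpsecret, 'bleh', 'bleh.png' FROM users WHERE 'x%' = 'x"


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # String concatenation: the user's input becomes part of the SQL text,
    # so a second SELECT over the users table rides along with the search.
    sql = ("SELECT id, name, description, price, image FROM products "
           "WHERE name LIKE '%" + term + "%'")
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    # ASVS 5.10: the value travels separately from the SQL text, so the payload
    # is only ever compared against product names and matches nothing.
    sql = ("SELECT id, name, description, price, image FROM products "
           "WHERE name LIKE ?")
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("vulnerable    :", search_vulnerable(db, PAYLOAD))
    print("parameterized :", search_parameterized(db, PAYLOAD))
```

Run stand-alone, the vulnerable search returns the TOTP secret in the place of a product row, which is the point the next slide makes: a second factor whose shared secret sits in plaintext next to the password hashes falls with the first SQL injection.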
X
Verify that all shared secrets are encrypted and stored in a protected location
FORK AND CUSTOMIZE
ASVS v4.0 in progress
Available on GitHub. Participate!
SecAppDev

1-day workshops:
• Whiteboard hacking (aka hands-on Threat Modeling)
• Building secure web & web service applications
• Securing Kubernetes the hard way
Workshop instructors: Jim Manico, Sebastien Deleersnyder, Jimmy Mesta

5-day dual-track program:
• Crypto, AppSec Processes, web security, access control, mobile security, ...