DevCentral Connects: The New OWASP Top 10

Captions
[Music] Live from their home studios, please welcome the hosts of DevCentral Connects, John Wagnon and Jason Rahm.

Well, good day, DevCentral community. I'm John, and this is DevCentral Connects. We're coming to you live, and we're streaming to all the places: YouTube and LinkedIn and Facebook and Twitter and, you know, all that stuff. So we're excited to be here today; it's going to be an awesome show. And here at the start of the show I thought I would mix things up just a bit and bring a bit of world news to our audience, and let you know that there was a kind of off-cycle election that just happened over in Sweden, and as it turns out the CEO of IKEA was elected as the new president of Sweden. So he's running the show there in Sweden, and the good news is that it was no problem at all for him to assemble his cabinet. Assemble his cabinet. So, for those of you who did not pick up on that, that's not actually what happened. Just a bad dad joke here to start off our show on Thursday. Hope everyone enjoyed that just a bit. And with that, let me bring on my esteemed co-host, Mr. Jason Rahm, who's going to join us today. Jason, it's good to have you, my friend.

Wow, yes, that is a fantastic dad joke. But yes, that gets the eye roll and the groan from my teenagers when they hear this one.

Yes. Hey, you know it's a good bad dad joke if you get the eye roll and the groan.

That's right. Yeah, I saw this one little t-shirt or meme or whatever; it said, you know, "Bad dad joke award: that's how I roll," and it was the, you know, "eye roll." So anyway, good times.

Well, hey, Jason, so as one does, I have a little question for you to start off the show before we bring on our esteemed guest to talk about the OWASP Top 10. So before we do that: we're headed into Thanksgiving time here in America, and you know when you think about Thanksgiving you think about eating way too much and then sitting on the couch and watching NFL football, for those of us here in the States. And there seems to be this direction at Thanksgiving dinner, at dessert time: it's either the pumpkin pie or the pecan pie. I feel like those are kind of the options. Now, that doesn't mean that those are the only two, but if you were given the pumpkin or the pecan, would there be a preference that you have for one of those two?

Well, wow, because I'm thinking, could I just have a slice of both of them? You mentioned it's Thanksgiving; we eat too much, entirely too much. So yeah, I'm thinking on Thanksgiving you put on your stretchy pants and you have both pieces.

You do, yeah. So when someone says, oh yeah, hey, would you like the pecan pie or the pumpkin pie, the answer is resoundingly yes.

That's it. That's it.

That's awesome, man. That's right. You know, it's weird for me: I've been more of a pecan pie than a pumpkin pie person, but everyone in my family is super, you know, they're Team Pumpkin by far and away, which for me means there's more pecan pie for me to have, right? So it works.

I don't want to get into the food science of it all, but pumpkin is a little less sweet than the pecan. So I like pumpkin pie, but if it has a very bland crust, you know, there's not enough sugar in the pumpkin to offset the really bland crust, but in the pecan there's enough sugar there that it overcomes the crust. So that would be my contention. It's like, if it's a really sweet pumpkin pie then I don't really need the pecan for satisfying the sugar craving.

Yes, exactly, exactly. Awesome, man. Hey, I'm noticing in the comments right here we've got Josh that's chiming in. Josh, first of all, it's great to see you. Thank you; I'll take it as a compliment that you said "groan" to my bad dad joke. And then also Josh apparently is a strawberry rhubarb fan, so who knew? Who knew? That's another one out there.

I'm happy to allow the bounty of blessing of strawberry rhubarb for the other people at the party. Yes, you guys enjoy the heck out of that thing; no doubt I'll be over here with my pecan pie.

That's awesome. Well, good deal, man. Well, hey, so Jason, today it's going to be an awesome show. We're going to talk about the OWASP Top 10, and so as we get ready to bring on our guest I'm just going to tell everyone who he is: Sam Stepanyan, who is a security expert and OWASP extraordinaire, OWASP leader, and he knows everything there is to know about the Top Ten. And so with that, let's bring on Mr. Sam and welcome him to DevCentral Connects. Sam, it is good to have you here, my friend. Welcome to DevCentral Connects.

Oh, hello, hello, and thanks very much for inviting me. Great to be here. Hi John, hi Jason.

Oh, it's awesome, it's awesome. Well, hey, thanks so much for being here. So Sam, for those in the community that maybe have not met you yet, maybe give us a little bit of background on who you are, what you do, and then maybe even kind of dovetail that into the OWASP organization. I know you've been with them for many years; you know where all the skeletons are buried and all that stuff. So maybe give us a little bit of background on all that, if you don't mind.

Definitely, definitely. Well, I'm an ex-software developer myself, an application developer. I moved into application security in 2005 and became a security guy. And interestingly enough, I actually started liaising with F5 back in 2007; I've been on DevCentral since, I think, 2007, Jason, you will be pleased to know. [Laughter] And also a certified F5 ASM web application firewall expert. And actually one of the interesting facts about me is that F5 actually invited me over to your headquarters in Seattle a few years ago, I think eight years ago now, to actually help to create the first F5 ASM exam, because I was for some reason the chosen one to come and help you out. I had an email out of the blue saying, "Oh, Sam, you were identified as one of the subject matter experts in application security and web application firewalls; we would like to invite you to help us out." So yeah, I actually was at your headquarters and I met Jason in person many years ago; I think it was 2012 or 2013, can't remember now.

Yeah, wow. Yeah, that's right.

But obviously with OWASP it's another thing, because obviously I'm an independent application security consultant. I mainly work with financial services organizations in the City of London, helping their developers to write more secure applications and improve security. But of course OWASP has a very important role in it, because obviously when I shifted from software development to security in 2005 I discovered OWASP. Because if you guys remember, in 2005 there was a big thing in the whole security industry: we got something called PCI DSS, or Payment Card Industry Data Security Standard. This is where the leading credit card companies, you know, American Express, Visa, Mastercard, came together and they said, okay, enough is enough, there are so many leaks and breaches of credit card data, how do we deal with it? And they came up with a standard, and in the standard they said, okay, if you are going to create a web application, if you are going to process and take credit card numbers from your users, you need to make sure that your application is free from OWASP Top 10 risks, or you use a web application firewall. And this is how I found out about OWASP. And then I discovered that there is an OWASP chapter in London, where I'm based, and I started attending it and became a volunteer, because OWASP is a volunteer-based organization, and in late 2015 I became a chapter leader for London.

But OWASP is a massive organization. In case you don't know, a lot of people say, oh my god, what is this OWASP thing? But actually it's a whole bunch of volunteers; that's who we are. Because OWASP is a non-profit organization, it's a charity; our mission is to improve security of software worldwide. There are lots of chapters; I think there are more than 250 chapters of OWASP all around the world. There are, I think, last time I looked, almost a hundred thousand volunteers of OWASP. This number grows because everyone's a volunteer. There are also members, because it's a membership-based organization, but the cool thing about OWASP is that you don't have to be a member to enjoy any of the material that OWASP produces. It is all free and all open source, and that's why it's called Open Web Application Security Project. So yeah, this is what makes it great.

And let me see if I can actually show my screen here, and maybe, John, if you want to just show them a little slide about OWASP here, and you can see who we are.

Yeah, we can see it.

So we are the worldwide free and open community focused on improving security of application software, and the mission is to make application security visible so that people and organizations can make informed decisions about application security risks. And we are a global non-profit charitable organization. We're a vendor-neutral community: so we are supported by some vendors, because there are a lot of cyber security vendors who are our corporate members, but we are vendor neutral. And we like to think of OWASP as a collective wisdom of the best minds in application security worldwide, because there are volunteers, there are specialists all over the world who are volunteering, who are donating their time to help everyone to improve software security. We do have chapters all around the world, and these chapters run meetings, they run events, and these meetups are absolutely free for everyone to attend. They're usually about two-hour seminars, and usually, well, the way we do it in London, we do two main talks and occasionally we have optional lightning talks. And back in the day, in pre-pandemic times, when we had the in-person event, we also used to provide free drinks and food to all attendees, so it was a great networking event. So yeah, that's what OWASP is. So it's very important to stress that it is absolutely all for free, and all material and all the standards and tools that OWASP produces, it is all free and all open source, so everyone can use it, everyone can download it, and everyone can contribute, because it is all open source.

We got a comment here from James saying he finds OWASP, as a pentester, he uses it all the time. And I'll say John and I actually attended OWASP here in St. Louis back when John used to live in this area, and we got to go do a capture-the-flag event, and that was a lot of fun. We met up with all the local security people that happened to come to the meeting, and, you know, building relationships with like-minded folks who want to solve the world's problems, what could be bad about that?

Yeah, yeah, it's a lot of fun, and like you said, it's free, and it's just people that really are motivated to want to see the web application world a safer place, and it takes all of us. So it's really cool to kind of grow that network and learn from a lot of smart people around you. So that's really cool.

Exactly, exactly. A lot of people these days say, oh, OWASP is "open web"; why is it web? And we say, okay, it's not just web, because don't forget that the organization was created 20 years ago and we only had web apps. But these days we have mobile apps, cloud apps. So yeah, we kind of think of replacing the meaning of the W to be "worldwide," because we're the Open Worldwide Application Security Project. So it's not just about web, it's everything. So we have projects and guidelines and standards and tools not just for web application security but also for mobile application security, for cloud application security, for cloud-native stuff, for containers, you know, all the latest stuff which is coming. Also some of it is not necessarily technical; there are some projects which are more to help chief information security officers, for example, in the managerial world. So yeah, it's fun, it's great, because it's a great community. So first and foremost OWASP is a community, and that's what people don't get. We are not a sort of strict, rigid organization, just a community of volunteers; it's just people who want to, you know, improve the world by making applications a little bit more secure and teaching the world and explaining the risks to everyone.

And that's where the OWASP Top 10 comes in, because that is really OWASP's flagship project. There are lots and lots of projects at OWASP, but the OWASP Top 10 traditionally was probably the thing that OWASP is best known for. And a lot of people don't even understand it, because recently I discovered that there are quite a few cyber security vendors, I will not name them, and they were saying, oh, you have to protect your organization from OWASP risks, from OWASP attacks. Well, OWASP is not attacking; no one is attacking you. We're just a non-profit community, right, trying to help. Do not call them attacks, or us; call them risks and say OWASP Top 10 risks, because that's what really this project is. It is just an awareness document. And a lot of people actually take it as a standard and they say, okay, there are OWASP Top 10 vulnerabilities, there are only 10 risks on the list, 10 vulnerabilities; let's treat it as a checklist and tick, tick, tick, tick, tick. Okay, all the 10 vulnerabilities are fixed; I am now secure. And of course this is wrong, because there are more than 10 vulnerabilities, right?

Yeah, yeah, for sure.

The main reason for the OWASP Top 10, and the reason why the OWASP Top 10 was created, is to actually bring the attention of the board, of the executives, to the most critical ones. And obviously there's a different methodology to determine what is the most critical. But there are more than 10 vulnerabilities, and please do not use the OWASP Top 10 in your organization as a compliance standard. It is not a compliance standard. There is an OWASP Application Security Verification Standard, or ASVS; now that's the standard if you need a standard. Again, it is free and open source; you can just grab it and use it. And similarly OWASP has something called secure coding guidelines, right? So if you need some secure coding guidelines you can use them. If you need to train your developers, we have training resources; we've got tools which are online labs and, you know, capture-the-flag platforms, like the one that you use, right, where you can go and basically split into teams and compete with each other, and you can present it to your developers and make learning fun. So yeah, this is one of the things that I like about OWASP, because we're a fun bunch of volunteers, and that's really how it works.

Yeah, no, that's great. Nothing more fun than taking somebody else down, right? So, you know, gamify the threats, right?

Yeah, securely, securely, right? So here, one of our projects is called OWASP Juice Shop. So it's basically an online juice shop, and you can buy different juices; you can buy orange juice, pineapple juice, and then they come in different boxes. And it is the world's most vulnerable web shop, and of course you can use this application to learn about security, and you can also use it in a capture-the-flag kind of scenario and see who can find as many vulnerabilities as possible in it.

Yeah, that's a lot of fun. That's really good. Well, hey, so Sam, I wanted to get into the OWASP Top Ten. Like you said, there's a lot of things that OWASP does, with the ASVS, with the secure coding practices, but the Top Ten, that's the one that everybody knows, and that's the one that was just recently released for 2021. And one of the interesting things to me about the 2021 list is the methodology that OWASP used for 2021 versus how they had done some of the lists in the past, like 2017 or some of the other ones prior to that. So if you don't mind, maybe talk to us about the methodology: how do they determine what the top 10 are? And then we could even spend a minute or two on a couple of the interesting ones in your mind that made the Top 10 list this year.

Of course, of course. So the thing about the OWASP Top 10 and how it is determined, and how it's been determined for this year, is that it is data driven; it is data based. So the way it works is that OWASP announces a public call for data, and anyone who has vulnerability data can contribute the data to OWASP, and that is basically how it works. And then OWASP processes this data. We collect the data from application security vendors, from bug bounty vendors; it can be even collected from organizations which just have internal testing data. And also OWASP talks to the subject matter experts who are there on the front line. So basically, if you look at how this Top 10 list is built, that you can see here on my screen, probably eighty percent of the collection of the data comes from the data contributors, and twenty percent is based on the survey which is done with the people who are actually working with vulnerabilities on the front line. Again, the reason why it's done like that is because the second you look at the data contributed by, let's say, a security testing vendor, it's already out of date, right, because you're looking at the past vulnerabilities.

I can show you here on the screen: these are the organizations which contributed to the latest OWASP Top Ten, of course, so we would like to say a big thank you to them. Again, you can see there are various companies there, including some of the websites like pentesttools.com, which provided some data, and HackerOne, of course, and Cobalt.io are very unusual ones this year, because we actually got the data from bug bounty vendors. So it's not just from the testing vendors; it's actually from the bug bounty platforms, who actually deal with the live vulnerabilities and actually pay out bug bounties to researchers who discover vulnerabilities.

Nice.

So that's basically how the data collection works, and where the data comes from. People are saying, okay, Top Ten, how did you come up with the Top Ten? Because it is all data driven: we asked all these organizations, they donated data on vulnerabilities in over 500,000 applications, and after that data is processed, the project team (again, I'm not in the OWASP Top 10 project team; the OWASP Top 10 project has its own project team, has its own experts) worked on processing all this data and creating the document. And you can see the list on the screen, and it is different from the last one in 2017. You can see various arrows going from different categories, and you can see that, for example, in 2017 we had some vulnerabilities, some risks, which are now gone. So for example XML External Entities, XXE, cross-site scripting, and insecure deserialization: they are now merged into different categories. And this year there are three new categories. So there is Insecure Design, which is probably the top category which caused a lot of questions. But the thing is, this is the top issue, top risk that we're seeing, because obviously you cannot cut your way out of insecure design. And this is the brand new category, and I think it highlights the necessity for the organizations that they have to bake the security requirements and security architecture into their design from the very beginning, so what we call shifting left, right? Because traditionally organizations say, okay, let's gather requirements for the app, let's design the app, let's program the app, and then let's test the app, and just before the release they say, oh, let's do security testing, let's do penetration testing. And then the testers find lots of vulnerabilities, and it's like, oh, what do we do? We need to go live tomorrow. What do we do? And they say, okay, let's just accept the risk, let's just hope and pray that no one is going to hack us, right, and we're going to go.

On that note, we had a comment from Aditya that pretty much says, ironically, most organizations don't take it seriously until the disaster happens, right? And that's reality in a lot of places.

Exactly, yeah. Great comment. But there's another new one I want to briefly talk about, which is Software and Data Integrity Failures, and this is the one where we've seen quite a few big breaches recently. SolarWinds is one such example, which is basically where the actual software development process and the software supply chain process was breached, and that's something that people don't usually expect, right? So this is quite new, and we didn't really have this kind of attack, say, four or five years ago, or it wasn't that prevalent, and now it is on the list of the top ten most critical things. So I think SolarWinds is probably one of the best examples of such attacks. And of course we also have the brand new one for 2021, that's Server-Side Request Forgery, so SSRF. So SSRF became a really, really big and well-known vulnerability, because there was a massive breach a couple of years ago of Capital One, right, which is a very big bank, and they shifted all the infrastructure into the cloud, into AWS, and due to this particular vulnerability, SSRF, they had a massive breach, and 100 million customers of Capital One had basically their personal data stolen, their credit cards stolen. And yeah, this is why it is now on the list of the most critical risks, and SSRF is very specific to cloud applications.

I mean, that number, that 100 million, I mean, isn't that like one seventieth of the entire population of the world? I mean, that's a lot of people.

That's a lot of people. But again, you see, a lot of people assume, and this is another very interesting point, a lot of people assume that if they move the applications from the on-premise data centers into the cloud then automatically the data will be secure, the application will be secure. Well, no, because cloud comes with its own security issues, and you need to be aware of all the security implications of moving data to the cloud and vulnerabilities which are specific to the cloud-based applications. And of course the traditional application security vulnerabilities which existed in your traditional web infrastructure are still valid for the cloud as well, because most of the cloud apps are still accessed using HTTP, HTTPS, you know, the traditional web protocol.

Your threat surface is still a threat surface no matter where it is. It might change a little bit, and who's responsible at the end of the day for that threat surface might change a little bit, but it's still a threat surface and it's still at risk.

Yeah, exactly right, exactly. And actually, speaking of the different changes over the years, I would like to show you another interesting diagram, which is basically a diagram which shows the OWASP Top 10 over the years, right? Look at the screen again. So you can see the first OWASP Top 10 was released in 2003, and these are all our OWASP Top Tens over the years, and you can see with the arrows, and this is very interesting. One of the interesting things that you can spot straight away is that some of the vulnerabilities are exactly the same; they are still there for over 20 years. And you can see, for example, cross-site scripting, how it's moved from 2003 from here, then it's in 2007, then it's there in 2010, then in 2013, and it is still there in 2017; it dropped a few positions down, and actually in 2021 it is still there, it's just been merged with injection vulnerabilities, because at the end of the day cross-site scripting is still an injection type of vulnerability. And in all the previous years we had injection and cross-site scripting presented separately on the list to highlight the criticality of it, because it was just so prevalent. And again, this is the kind of vulnerability that a lot of developers don't understand, because I had people approaching me and saying, oh, Sam, why is OWASP so concerned about cross-site scripting? Because, you know, attackers can only put a "hello" alert box on the website, right? And I'm like, no, in the very simple examples they show in tutorials, yes, but the actual risk is completely different. And this is where the OWASP Top 10 document comes in, that it actually brings the awareness of the risk: what is the actual risk to your application, and, what is also very important, what is the risk to the business as well.

And Sam, I find it fascinating to see all the changes and some of the similarities that have been going on there. So now it's been, goodness, 18 years of OWASP Top Tens. So a couple of points. One, for those that didn't know already, the list does not come out every single year; it's about every three to four years, right? And it's not on a set schedule. You can see there's, you know, three to four years between them. But then also, the OWASP Top 10, Sam, like you mentioned before, the OWASP Top 10 is the top 10 based on the methodology and the data collection and all that all these different companies and volunteers have put together. But just because OWASP has a Top Ten that they say is number one or number two or whatever, that doesn't mean that your specific organization has that same level or that same list of top ten, nor is it the same number. So for your organization, the cryptographic failures may be more important than the broken access control, or that kind of thing, right? So just use this as a guide, but not, like you said, as a checklist, that type of thing, right?

Exactly, exactly. And of course there are more than ten. But you can see, of course, and this is what I like about this diagram, which was put together by Bran Patelski, and I would like to thank him for putting this together, you can actually see, because this is all color coded, you can see the colors. So you can see security misconfiguration, which is probably one of the number one vulnerabilities that you can have, and you can still have it, right? It started in 2003, it dropped from the list in 2007 for some reason, but you can see it is still here. And if you just look at the colors you can see that things are still here, and some of the things that disappeared, again, to bring your attention, for example, insufficient transport layer protection: this is basically protecting data in transit, your SSL, or to be more correct, TLS, Transport Layer Security, right? This was one of the top ten issues for a long time, and then not anymore, right? And the same thing with unvalidated redirects and forwards, things like open redirects; they are no longer happening, because a lot of people are now using frameworks which are excluding them. Same thing with cross-site request forgery, or CSRF: you can see it appeared in 2007 and then stayed until 2013; in 2017 it actually dropped to number 11. We actually talked about it in our document, the OWASP Top 10 2017. So the vulnerability is still there; your organization might have an application which is vulnerable to cross-site request forgery, but because of what we're seeing out there in the field, it is no longer top ten. It was actually dropped to the eleventh place; that is the reason why it's not included. But it's still a really very dangerous vulnerability, because bad guys can actually, you know, transfer money out of your bank account on your behalf without you knowing it.

That's where you get people's attention, Jason.

Yeah, it's all about the Benjamins, at least here in America.

That's right. Well, Sam, it's all about the Bitcoin, I guess, for everybody, right?

Yeah, Bitcoin, it's all about the Bitcoin. Yeah, don't touch my Bitcoin wallet, right?

Amazing. Well, Sam, this has been awesome, man, to just go through the history of this, and this chart right here to show the changes over the years, and to know what OWASP is all about and who it is comprised of and all those things. So yeah, man, I really appreciate your time today to go over all that with us and share some of the background and some of the current points and issues that are going on. So, man, thanks so much for being here today, and thanks for all your hard work over there in the UK and in your local chapter, and just all the great things you do to keep us all safe.

Thanks very much for having me.

Awesome, man. Yep, awesome. All righty, man. Well, Sam, what a great discussion that was, and I just really appreciate what he does for OWASP and really for the general security community around the world in general. So it's good to know that we've got people like Sam on the right side, you know, fighting for us, right, Jason?

That's right, yep. And you know, especially with OWASP, that it's an all-volunteer organization is crazy, because the amount of documentation and tools that comes through that, you know, we live in a time where certainly, I mean, throughout all history the world's had its problems, right? But the sharing of information and the way that we all pitch in and help each other, I think, is fantastic, and kudos to the OWASP organization for everything that they do.

Yeah, yeah, like you said, it's a community, and something that we like to talk about and live out here at DevCentral as well. So we can relate, man; we really appreciate all those people. Well, good stuff. Well, Jason, we've got some exciting shows coming up here, is that right, in the next few days?

So we do. I've got a show coming on Tuesday, The Core. I'll have a promo here to close out the show for that.

Nice.

So I won't say a whole lot about that, but Kevin Stewart is joining us, and that's going to be amazing.

Yeah, and then next Thursday we've got the 2021 TLS Report. You know, we mentioned TLS kind of dropped off; it was that 2010. By the way, Sam, I want that chart, you know, the over-the-years chart. We need to make that available to everyone, so if it's on the OWASP site, or send us a copy of that, that'd be awesome. But we're going to be talking to David Warburton about the 2021 TLS Report, and maybe get some insight into the Cryptonice tool that they use to pull all that data together. And then, of course, on the 23rd we've got the top five F5 tech we're thankful for. So Buu and I did a show last Thursday about general industry tech, but this one's going to be, you know, we're going to be looking at home, and what kind of F5 tech over the years have we been most thankful for.

That's right, that's right. So that'll round out November, and then, goodness, after that we're into December, and 2021 is almost over; I can't believe it. So it's been a lot of fun, so we look forward to interacting with all of you. So yeah, there's Sarah, Sarah Boddy; it's great to see you, Sarah. It's great to see your name on that thing. So good deal, man. Well, awesome. Well, Jason, it's been a great show, my friend, so I know we've got a little promo to lead into your Core show next week, and I guess with that I would just say thanks to everybody out there in the DevCentral community. It's awesome to interact with you, and this show just allows us to do that. So thanks for watching today, and we will see you next Tuesday at Jason's show, The Core. Thank you.

Hello, DevCentral community, I'm Jason Rahm, and next week on The Core we are going to be talking about all the... I'm Jason, proxies... I'm going to be talking about all the proxies on my show, The Core. I don't need you to proxy my proxy show. But also I'm going to have a fantastic guest, Kevin Stewart; the Kevin Stewart is going to join me for the discussion. Hope to see you there next week on The Core.
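The server-side request forgery risk the guest describes (a server that fetches a user-supplied URL, which in a cloud deployment can be pointed at the instance metadata service to steal credentials) is worth seeing as code. The example below is added here; it is not code from the show, from OWASP, or from F5. It shows the hardened shape of an outbound-fetch check: allow-list the scheme, host and port, reject embedded credentials, resolve the name yourself and refuse any address in a private, loopback or link-local range. The allow-listed hostnames, the `DEMO_DNS` table and the resolved addresses are constructed for the demonstration; `resolve_all` is what you would plug in for real DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for this example: only these schemes, hosts and ports may be fetched.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}   # constructed allow-list
ALLOWED_PORTS = {None, 80, 443}

# Constructed DNS answers for the demonstration. cdn.example.com deliberately
# resolves to an internal address as well, to model split-horizon / rebinding.
DEMO_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.34", "10.0.0.5"],
}


def demo_resolver(host):
    """Stand-in resolver used only for the offline demonstration."""
    if host not in DEMO_DNS:
        raise OSError("no such host: " + host)
    return list(DEMO_DNS[host])


def resolve_all(host):
    """Real resolver: every A/AAAA address the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(ip):
    """True for any address a server should never be made to fetch on a user's behalf.
    This catches the cloud metadata address 169.254.169.254 (link-local), the
    AWS IPv6 metadata address fd00:ec2::254 (fc00::/7), loopback and RFC 1918."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url, resolver=resolve_all):
    """Decide whether the server may fetch `url` on a user's behalf.
    Returns (ok, reason, resolved_addresses); reason names the failed check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme", []
    # "https://images.example.com@169.254.169.254/" has hostname 169.254.169.254;
    # refuse any userinfo rather than trying to interpret it.
    if parts.username is not None or parts.password is not None:
        return False, "credentials", []
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False, "host", []
    try:
        port = parts.port
    except ValueError:
        return False, "port", []
    if port not in ALLOWED_PORTS:
        return False, "port", []
    try:
        addrs = resolver(host.lower())
    except OSError:
        return False, "dns", []
    if not addrs:
        return False, "dns", []
    # Every address must be public: one internal answer is enough to refuse.
    for ip in addrs:
        if is_blocked_address(ip):
            return False, "address", addrs
    return True, "ok", addrs


if __name__ == "__main__":
    for candidate in [
        "https://images.example.com/logo.png",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "https://images.example.com@169.254.169.254/",
        "https://cdn.example.com/bundle.js",
        "file:///etc/passwd",
    ]:
        print(candidate, "->", check_outbound_url(candidate, resolver=demo_resolver))
```

In a real service the fetch itself must connect to one of the addresses returned by `check_outbound_url` (pinning the resolved IP) rather than re-resolving the hostname, and redirects must be re-checked through the same function; otherwise a second DNS answer or a 302 to the metadata address bypasses the check.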
Info
Channel: F5 DevCentral
Views: 614
Keywords: owasp top 10, owasp tutorial for beginners, owasp top 10 2021, owasp top 10 explained with examples, top ten
Id: dMARygcX_G8
Length: 35min 14sec (2114 seconds)
Published: Thu Nov 11 2021