What is the OWASP Top 10? | AppSec 101

Captions
Andrew: Welcome everyone to another episode of AppSec 101. My name is Andrew and I work in marketing here at Fortify, and I'm pleased to be joined today by Katie Crabtree. Katie has been at Fortify for over six years now. She has a lot of experience; she actually started on the customer support team, talking to customers every day, and then about three years ago she moved over to the product management side of things, handling pricing, licensing, special programs, and more recently she has moved to working with the products directly. Katie is based in South Florida, and her husband is also in the AppSec industry, and she told me that they spend a lot of their days talking about their kids but also talking about AppSec, since they're both in the industry. I thought that was fun to hear. Katie, welcome aboard, glad to have you on today.

Katie: Yeah, thanks. I'm excited to be talking to you and looking forward to talking more about the OWASP Top Ten.

Andrew: Yeah, exactly, let's get started and dive into that. So for those that are new to the industry or haven't heard of the OWASP Top 10 before, what is the OWASP Top 10?

Katie: Yes, so the OWASP Top 10 is the Open Web Application Security Project, and it's focused on improving security of software. A number of application security firms and industry experts actually provide input to be able to identify what the top 10 most critical security risks are that threaten web applications today, and that's how we come up with the OWASP Top Ten.

Andrew: Okay. Katie, I've been working in data security for just about four years now, but I've heard OWASP and the OWASP Top 10 mentioned all the time. I hear it at shows, I get emails all the time that mention it, you see white papers. So why is it that we hear this term, the OWASP Top 10, so often?

Katie: So in security we talk about it a lot because we use it to help identify the top critical risks, and then we use it to help prioritize and minimize the risks for our applications.

Andrew: Okay, so when we talk about minimizing risk for applications, how does the Top 10 actually get determined?

Katie: Yeah, so like I mentioned before, OWASP has a number of application security firms and industry experts that provide input into forming the Top Ten, and they're going to look at four different things. They're going to look at how prevalent the threat is, and how often we're seeing it in applications today. How exploitable is it, so how easy is it for me to actually find that vulnerability and exploit it? How likely can it be detected, so when we look for these vulnerabilities and look at these risks, how easy is it going to be for us to find them? And then what is the impact? They're going to look at the impact on both the business side as well as the technical side. On the business side they're going to look at things like: do we have financial impacts if something were to happen and that threat was to get exploited? And then what's our reputation impact, are we going to be all over the news if we get exploited in this application? Because we're trying to avoid that; we don't want to be that company in the news when we've had a breach. So what are the impacts on the business side, and then we're going to look at what the impacts are on the technical side: does it break the application, is the application no longer able to do what it needs to do? So all of those things are looked at, and that's how they determine what the top 10 vulnerabilities are, or what the top 10 risks are.

Andrew: So why is this important for a company trying to secure their applications? Why should they be concerned with the OWASP Top 10?

Katie: So when it comes to writing code for applications, we obviously want everything to be secure and we want to avoid any threat that's out there, but we have to start somewhere, and so the OWASP Top 10 is really good because it can give developers a foundation of the top security issues that they're going to want to try and prevent against. At a minimum, we've got to try and prevent against these top 10 issues. And at a higher level, it's going to help an organization prioritize what vulnerabilities need to be fixed when they're found. So across the board a company is going to use this to narrow down what they're focused on. Obviously there's a wide range of things they can focus on, but this is going to give them guidance into what they should be starting with, and then they can expand from there.

Andrew: Okay, yeah, I like how you said we have to start somewhere; this gives us some guidance, kind of a baseline where we can start. How can application security teams detect the OWASP Top 10 vulnerabilities? Once they know what they are, how do they actually go about detecting them in their environments?

Katie: Yeah, so Fortify has application scanning solutions that can detect a wide array of security vulnerabilities, including the OWASP Top 10. So it's going to give you the ability to look for those specific risks in your application, and then in addition it's going to also allow someone to filter down to the OWASP Top 10 vulnerabilities when they are found in the application and look closer at those.

Andrew: Okay, so now I have a good understanding about the OWASP Top 10, what it is, why it's important. Let's dive a little deeper now and actually talk about the OWASP Top 10. So what are the OWASP Top 10 risks? And then let's talk about them.

Katie: Yeah, so the OWASP Top 10 risks are: injection; broken authentication; sensitive data exposure; XML external entities, which we also call XXE; broken access control; security misconfiguration; cross-site scripting, which we also call XSS; deserialization; using components with known vulnerabilities; and then insufficient logging and monitoring.

Andrew: Okay, great. Let's dive into some of those a little bit more. We don't have time to go over all 10, but maybe let's start with injection, because I know that's a popular one.

Katie: Yeah, so an injection is going to allow a hacker to input something malicious that will cause the application to behave unexpectedly, so just do something it's not supposed to do. This can lead to things like the application executing unintended commands or providing access to data without proper authorization. So a hacker who's leveraging a SQL injection vulnerability could do that in the login functionality, and that would allow them to see something like everyone's username and password, or everybody's credit card information, or everybody's email address, or anything really that they're not supposed to have. That's the impact: we could see that they get data that they really aren't supposed to have.

Andrew: Okay. I'd also like to touch on sensitive data exposure. That's a big one for me. You hear in the news about these big companies that have a data breach, and you hear about ransomware attacks, and sensitive data exposure is a big one. Could you touch on that a little bit?

Katie: Yeah, of course. Sensitive data is obviously the data that we're trying to protect. For you and I, Andrew, we don't want our credit card information out there for the world to see, and so when we don't have enough protection around that data, it's easier for it to be compromised, and so it gives somebody access to something that they shouldn't have. And like I said, if that's our credit card information, well, we don't want them to have that. So we want to take the measures to protect the data that is sensitive, and if we're not taking those extra precautions, like doing things to encrypt the data or use strong ciphers, then that data becomes easier to expose. And again, that's not a good thing; we don't want anybody having access to that. So we want to make sure that our data is protected, so that we're not that company in the news where we've been breached and that data is out there for people to see.

Andrew: Yeah, exactly. You don't want to see your company in the headlines as a victim of a data breach. Well, next up let's talk a little bit about cross-site scripting. You mentioned it's also known as XSS.

Katie: Yeah, so cross-site scripting is when a hacker is basically going to trick an application into supplying another user with something malicious, or a malicious script, that's going to get executed in the user's browser. So if I went to a web page and a hacker had executed a cross-site scripting attack, it could do anything from just giving me a pop-up that says something funny to actually stealing my session data and giving the hacker access to be me and do things that they're not supposed to do.

Andrew: When I think about cross-site scripting it's kind of scary. What are some things we can do to maybe prevent those types of attacks?

Katie: Yes, I mean the biggest thing is just being able to detect them, right? We want to be able to detect those attacks, and then we want to be able to remediate those as quickly as possible. The OWASP Top 10 obviously gives us that foundation of what's important to fix, but if you're using Fortify to scan your application and you find a cross-site scripting vulnerability, it's just important that that vulnerability gets fixed, so that the hacker doesn't have access to be able to trick that application into doing something that it's not supposed to do. So anything we can do to remediate it is going to be important, and the great thing about OWASP is it does give guidance on how to prevent against it.

Andrew: Yeah. Katie, one term I've heard so often since I started here at Fortify is "shift left," and it's this idea of taking these security measures earlier in your development life cycles, and I think that applies here as well, because we want to detect these vulnerabilities as early as possible, right?

Katie: Absolutely, yeah. We want to detect them as early as possible, we want to prevent against them as much as possible, so yeah, shifting left gives us the ability to do that. And when we do find these vulnerabilities and we see that they're in our application, we obviously want to get them fixed so that that doesn't become a bigger risk than we intend it to be.

Andrew: Well, just to wrap things up here, I wanted to touch on one more vulnerability from the OWASP Top 10, and that is using components with known vulnerabilities.

Katie: Yes, that's a good one. When an application gets built, so often we are now using open source components. We're not writing everything on our own, custom; we're using these open source components that are already written and contributed to openly, and so that does open up the possibility for vulnerabilities to be in those libraries or in those frameworks that we're using. So when using those open source components it's always possible that we're going to see a vulnerability associated with them. So it's really important for us to obviously not use those libraries, or those versions of libraries, that have the vulnerabilities, and when we find those, it's important for us to figure out how to use a different version. And there are so many libraries out there that that's easier said than done, and so Fortify offers open source scanning through Sonatype so that the components that do have vulnerabilities can be identified a little bit easier, and then we can address and remediate those issues that we're going to find when we're looking at a component that has vulnerabilities that we know about.

Andrew: Yeah, I'm glad you touched on that. Open source is convenient, but as you mentioned, we also have to make sure we're using best practices when it comes to using these open source libraries, because security is obviously first priority. So I'm glad you brought that up, with Fortify and Sonatype, so we can make sure we're using these open source libraries securely.

Katie: Yeah, of course. That's really important. We're seeing a lot of applications are now using open source components, and so it's an important one for us to make sure that we are finding those vulnerabilities and we are remedying them, or finding those vulnerable libraries and upgrading to the next versions that are not vulnerable, because we don't want to be using open source components that are vulnerable or that have issues in them.

Andrew: Yeah, absolutely. Well, Katie, I want to thank you for joining me today on this episode of AppSec 101. Before we sign off, do you have any last thoughts, or maybe tips for any of our viewers in their AppSec journeys going forward?

Katie: Yeah, thanks, Andrew. It's been great talking to you and talking more about the OWASP Top Ten. My advice with this is: go out and look more at the OWASP Top Ten. There are so many resources out there that we have access to, and it's so prevalent in the application security world today, so go take advantage of everything that's out there that you can use to learn about these vulnerabilities and how to prevent against them, and then how to find them and remediate against them when you do see them in your applications, to make sure you're staying secure.

Andrew: Absolutely, yeah. It's so important to stay educated and, like you said, take advantage of all these resources that we have. Well, thanks, Katie, and thank you as well to our viewers for watching this episode of AppSec 101. If you liked this episode, please give it a like, leave a comment down below, and remember to subscribe to Fortify Unplugged for more AppSec videos. Thanks, and we'll see you next time.
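The injection discussion in the interview (a SQL injection that lets a request return "everybody's email address" instead of one user's) can be seen concretely in a few lines of code. The following is an added example written for this page; it is not code from the video or from Fortify's products. It uses Python's standard-library sqlite3 module with a constructed three-row users table, and the function names are the example's own. The first lookup splices the untrusted username into the query text; the second passes it as a bound parameter, which is the remediation OWASP's injection guidance recommends.

```python
import sqlite3

# Constructed sample data for this example (not from the video).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def emails_for_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Injection-prone lookup: the caller's input becomes part of the SQL text.

    Because the input is spliced into the statement, it can change the
    query's structure (add an OR clause, comment out the rest, and so on)
    rather than only supplying a value to compare against.
    """
    query = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def emails_for_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised lookup: the SQL text is fixed and the value is bound.

    The driver hands the username to the database separately from the
    statement, so whatever characters it contains are only ever compared
    as data against the username column.
    """
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo() -> dict:
    """Run both lookups with an ordinary username and with a hostile one."""
    conn = make_db()
    ordinary = "alice"
    # Constructed hostile input: closes the quoted literal and appends a
    # condition that is always true, so the vulnerable query matches every row.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_ordinary": emails_for_user_vulnerable(conn, ordinary),
        "vulnerable_hostile": emails_for_user_vulnerable(conn, hostile),
        "safe_ordinary": emails_for_user_safe(conn, ordinary),
        "safe_hostile": emails_for_user_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the vulnerable lookup returning all three addresses for the hostile input while the parameterised lookup returns nothing, because no user is literally named `' OR '1'='1`. The same pattern applies to every database driver that supports bound parameters; a static analysis scanner of the kind mentioned in the interview flags the f-string form precisely because untrusted data reaches the query text.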
Info
Channel: Fortify Unplugged
Views: 3,757
Keywords: application security testing, software vulnerability testing, Secure DevOps, secure software development, appsec, Micro Focus, cybersecurity, DAST, SAST, Fortify, DevSecOps, CI/CD, software vulnerabilities, OWASP, owasp top 10, owasp top 10 explained with examples, owasp top ten, owasp top ten vulnerabilities, what is owasp top 10, what is owasp, what are the owasp top 10, owasp top 10 risks, owasp top 10 tryhackme, owasp top 10 list, owasp top 10 2020, owasp top ten project
Id: XHHZiPIAcq8
Length: 14min 34sec (874 seconds)
Published: Tue Mar 09 2021