C.I.A.
            Confidentiality
            Integrity
            Availability
        
        
        
            Schneier's Law
            
            
                Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break.
            
                
            
        
        
            
                S.T.R.I.D.E.
            
            Spoofing
            Tampering
            Repudiation
            Information Disclosure
            Denial of Service
            Elevation of Privilege
        
        
            OWASP Top 10 Vulnerabilities
            
                - Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
Trust Boundaries
            
                 
                
Credit: "Threat Modeling: Designing for Security" by Adam Shostack
            
        
        
            Trust Boundaries
            
                Systems are most vulnerable to all aspects of STRIDE when information or commands cross trust boundaries.
            
        
        
            OWASP Top 10 Proactive Controls
            
                - Define Security Requirements
- Leverage Security Frameworks and Libraries
- Secure Database Access
- Encode and Escape Data
- Validate All Inputs
- Implement Digital Identity
- Enforce Access Controls
- Protect Data Everywhere
- Implement Security Monitoring and Logging
- Handle all Errors and Exceptions
Risk Formula
            
                risk = probability x loss
            
        
        
            Cost of Mitigation
            
                Even if loss is certain, the cost of mitigating the risk should not exceed the potential loss.
            
        
        
            
                Therefore, if storing sensitive information would cost more than the value that the information provides... just don't store it at all.
            
            
                Better yet, don't even collect it.
            
        
        
        
        
            OWASP ASVS
            
                - Application Security Verification Standard (ASVS)
- This is a great resource to use if negotiating the scope for penetration testing, or to do a self-audit against security standards.
- It's a good way to ease in, because it has maturity levels "baked in".