OWASP TOP 10


Hello from the Internet

In this episode we run down the OWASP TOP 10 and explore the implications of each of the issues that we should be looking at in securing our applications.

Enjoy the show!

Show Notes

10. Logs

  • Insufficient Logging and Monitoring - https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring
  • Graylog - https://www.graylog.org/
  • Logstash (ELK) - https://www.elastic.co/elk-stack

09. Components

  • https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities
  • Safety - Python - https://pyup.io/safety/
  • Ruby - http://guides.rubygems.org/security/
  • Node - Node Security - https://github.com/nodesecurity/nsp

08. Deserialization

  • https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization

07. XSS

  • https://www.owasp.org/index.php/Top_10-2017A7-Cross-Site_Scripting(XSS)

06. Security Misconfiguration

  • https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration

  • How to harden a Linux server: - https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf - https://medium.com/viithiisys/10-steps-to-secure-linux-server-for-production-environment-a135109a57c5 - https://www.cyberciti.biz/tips/linux-security.html

05. Broken Access Control

  • https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
  • Firesheep - https://codebutler.com/projects/firesheep/

04. XML External Entities

  • https://www.owasp.org/index.php/Top_10-2017A4-XML_External_Entities(XXE)
  • Billion Laughs Attack - https://en.wikipedia.org/wiki/Billion_laughs_attack

03. Sensitive Data Exposure

  • https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
  • PCI DSS - https://www.pcisecuritystandards.org/pci_security/
  • GDPR - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
  • Password Hashing - https://crackstation.net/hashing-security.htm
  • Best practice for SSL + TLS - https://www.ssllabs.com/ssltest/ - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
  • Let’s Encrypt - https://letsencrypt.org/
  • CipherList - Strong config for Apache / Nginx https://cipherli.st/

02. Broken Authentication

  • https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication
  • Horse staple - https://xkcd.com/936/
  • NIST - https://www.passwordping.com/surprising-new-password-guidelines-nist/
  • Rainbow tables - http://project-rainbowcrack.com/table.htm
  • Google 2FA - Authy - https://authy.com/ - Duo - https://duo.com/

01. Injection

  • https://www.owasp.org/index.php/Top_10-2017_A1-Injection
  • Bobby Tables - https://xkcd.com/327/
  • Misc - Nessus - https://www.tenable.com/products/nessus/nessus-professional - OpenVas - http://www.openvas.org/ - ZED Attack Proxy - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • zxcvbn: realistic password strength estimation - https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
  • Be afraid, be very afraid - https://attack.mitre.org/wiki/Main_Page