OWASP

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
00:00

Now our next section is all about OWASP, which is the Open Web Application Security Project. To be honest with you, I didn't include this because it's testable, because I don't think they're really going to ask you about OWASP itself, but because I think it's helpful. I think it's important for us to know the various resources that are out there. So if you're just wanting to focus on material that's testable, I rarely include stuff just for edification, but this is one thing that is.

The reason OWASP is so helpful to us is that on a periodic basis, they release a series of Top 10 lists. The one list we're going to focus on is the weaknesses associated with web applications. But they have a list of the Top 10 software threats, Top 10 threats against the Internet of Things; OWASP is just a wealth of information. They're an international organization, they're non-profit, and they really provide us with a good, solid understanding of the things that we should be cautious about.

What I've pulled in is the OWASP Top 10 list. It's not like you're going to see on the test what's number 4 of the OWASP Top 10 list or any of that, but certainly, I think it's worth seeing the information that they give us, and they expand upon this tremendously on our site. Here, they just give us a snippet. But today, so much of software development is designed for use on the web. That means we're going to open these applications up to public consumption. But also web applications interact with other web applications, and so we have a really large user base with our web apps, so we have to lock them down and make sure they're secure.

I would just want to point out a couple of the security risks to you from the Top 10. This is from 2017, so I expect they'll be releasing a new Top 10 any day now, but they haven't done so yet. Notice the very top web application security risk is code injection, and code injection will come up on the exam for sure. The idea is we frequently have software that requests information from our end-users. Fill in your name here, your comments, what quantity do you want to purchase, what state do you live in? We solicit information from our users and we provide them with forms to input that information.

Well, the problem is, when we allow users input fields, if we're not careful, they will input garbage, and we know garbage in, garbage out. When we talk about code injection, our concern would be the folks entering information into these fields might use what we refer to as data control language. For instance, what goes in these forms generally gets pulled into a back-end database. Maybe it's a SQL database. You don't have to be a SQL expert to know the command drop table probably is not going to be helpful in the back-end. That's going to cause a problem. Now nobody's last name is drop table, so why would I let that be an entry? I can block that specific term from being allowed. There are other characters like brackets or apostrophes that could be used for code injection, so the solution to code injection is input validation.

Now, I'll tell you, we also have input sanitization. What sanitization is going to do is it's going to try to use the input. What input validation's going to do is, if the input doesn't meet the requirements, it will return an error. Let's say I have a field for 10 characters and you enter 12. Well, that application's just going to truncate the last two. It's going to just get rid of your last two entries and then accept the input. Whereas with input validation, you'll just get an error message. It'll beep when you try to type in more than 10 characters. They both have the same goal, and that's all about limiting what can go in. Really important to prevent code injection. Code injection can be SQL or NoSQL. You get your XML injection, LDAP injection. Injection is injection. It's when an attacker tries to inject code into fields to cause damage on the back-end.

Now, broken authentication is two. So authentication issues, sensitive data exposure, lack of encryption. You can see through some of these. Even if you don't understand them all, you can see these are not uncommon problems. Down at A7, and this is one that appears on the security risks time and time again, it's cross-site scripting. Cross-site scripting ultimately is going to try to direct the user to a site where a malicious script runs in the background. This could be through a link in an email. Click on this link and your browser displays what's on the page or it runs the code. Usually, XML code with JavaScript or some of the others. But if I embed a malicious script, your browser's going to run that script as well. Cross-site scripting is one of the greatest concerns as well. You know what'll help with that? Input validation. I can't think of any reason you wouldn't want to have input validation. It solves a large number of problems.

You can see some other things: using components with known vulnerabilities, just using things that are weak because it's easy. Insufficient logging and monitoring, not tracking the information that will give us an indication of a security breach. Like I said, I don't need you memorizing this list or going over it, but just notice what some of the common flaws are. You can go back and look at the list from 2013 and the previous lists and you'll see some of these problems just continue and continue and continue, even though there are known fixes.

That's just a little bit about OWASP. Like I said, this isn't testable. Although I would understand what code injection is and input validation and sanitization, I would understand cross-site scripting at a high level and I would know the role of input validation. But reviewing the OWASP Top 10 will make you more aware of the risks that are out there and will make you a better developer.
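Added example, not part of the course transcript or of OWASP's own material: the lecture's two behaviours for a 10-character form field side by side (sanitization truncates and accepts, validation returns an error), plus the back-end fix the lecture alludes to with "drop table": a parameterized SQL insert, so whatever survives the form is stored as data and never executed. The surname field rules (10-character limit, allow-list of letters, spaces, hyphens and apostrophes), the in-memory SQLite table and every input string are constructed assumptions for the demo, not anything from the course.

```python
"""Added example (not from the course): validation vs. sanitization for a
web-form surname field, plus a parameterized SQL insert so that whatever
ends up in the field is stored as data and never run as SQL. Field rules
(10-character limit, allow-list of letters, spaces, hyphens, apostrophes)
and all inputs are constructed for the demo."""
import sqlite3
import string

MAX_LEN = 10
ALLOWED = set(string.ascii_letters + " '-")   # assumed allow-list for a surname


class ValidationError(ValueError):
    """Raised when input does not meet the field's requirements."""


def sanitize_surname(value: str) -> str:
    """Sanitization: try to use the input. Strip surrounding whitespace, drop
    characters outside the allow-list, and truncate to MAX_LEN (the lecture's
    'throw away the last two characters and accept it')."""
    cleaned = "".join(ch for ch in value.strip() if ch in ALLOWED)
    return cleaned[:MAX_LEN]


def validate_surname(value: str) -> str:
    """Validation: return the input unchanged if it meets the rules, otherwise
    raise an error (the lecture's 'beep' at character eleven)."""
    if not value or any(ch not in ALLOWED for ch in value):
        raise ValidationError("surname contains characters outside the allow-list")
    if len(value) > MAX_LEN:
        raise ValidationError(f"surname longer than {MAX_LEN} characters")
    return value


def store_customer(conn: sqlite3.Connection, surname: str, state: str) -> None:
    """Parameterized insert: the '?' placeholders bind values as data, so a
    surname containing 'DROP TABLE' is just an odd string in one row."""
    conn.execute("INSERT INTO customers (surname, state) VALUES (?, ?)", (surname, state))


def demo() -> dict:
    """Run all three behaviours on constructed inputs; returns the results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT, state TEXT)")
    results = {}

    # A 12-character name: sanitization keeps 10 characters, validation rejects.
    twelve = "Featherstone"
    results["sanitized_12"] = sanitize_surname(twelve)
    try:
        validate_surname(twelve)
        results["validated_12"] = "accepted"
    except ValidationError as exc:
        results["validated_12"] = str(exc)

    # Injection-looking input (constructed): sanitization mangles it, validation
    # rejects it, and the parameterized insert stores the raw string harmlessly.
    raw = "x'; DROP TABLE customers; --"
    results["sanitized_inj"] = sanitize_surname(raw)
    try:
        validate_surname(raw)
        results["validated_inj"] = "accepted"
    except ValidationError as exc:
        results["validated_inj"] = str(exc)
    store_customer(conn, raw, "TX")        # stored literally; nothing is dropped
    store_customer(conn, "O'Brien", "OH")  # a legitimate apostrophe works too

    results["table_exists"] = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='customers'"
    ).fetchone()[0] == 1
    results["rows"] = [row[0] for row in conn.execute("SELECT surname FROM customers ORDER BY id")]
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the difference the lecture describes: the 12-character name comes back as ten characters from the sanitizer but as an error from the validator, the injection-looking string is either mangled or rejected at the form, and even when the raw string is written to the database the `customers` table is still there afterwards because the placeholder binding never lets it become part of the SQL statement. Note that the apostrophe is kept in the allow-list on purpose: real surnames contain it, and it is the parameterized query, not the character filter, that makes it harmless.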