OWASP Top 10 "The Big Picture" is all about understanding the top 10 web security risks we face on the web today in an easily consumable, well-structured fashion that aligns to the number one industry standard on the topic today.
Security on the web is becoming an increasingly important topic for organisations to grasp. Recent years have seen the emergence of the hacktivist movement, the increasing sophistication of online career criminals and now the very real threat posed by nation states compromising personal and corporate security. The Open Web Application Security Project gives us the OWASP Top 10 to help guide the secure development of online applications and defend against these threats. This course takes you through a very well-structured, evidence-based prioritisation of risks and most importantly, how organisations building software for the web can protect against them.
Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.
Introduction

Hi, my name's Troy Hunt and welcome to my course on Web Security and the OWASP Top 10: The Big Picture. In this course, I'm going to cover a heap of information on web application security in a way that I hope everyone can learn something really important about the way we secure our websites. Let me start off, though, by giving you a bit of an overview of why we're talking about web security, who OWASP and the Top 10 are, and then how I'm going to structure each module in order to help you understand the risk. So let's jump in and have a look at that bit on why web security is so important. Let's talk about why web security is so important. And what you'll see appearing on the screen here is a whole range of different companies who've suffered online attacks in recent years. Now what I really want to get through here is the breadth of organizations, and it covers everything from very small startups through to huge multinationals, and it also covers every industry. Web security and, indeed, hackers know no bounds. Just by having a presence on the web, you are a target, and what I want to do throughout this course is help you understand the primary risks that expose websites to attackers. Every one of the attacks you see here had _____ failures in their web security in one way or another. And in many cases the consequences were dire, all the way to the point where some of these companies don't even exist anymore as a result. Now we're seeing these online attacks from all sorts of different sources and that's everything from hacktivists, who are frequently just opportunistic kids, through to career criminals that are in this game to make money, all the way through to nation states who have huge resources at their disposal, so that's a pretty broad range of attacker that we're trying to protect our online web assets from. Let's move on and take a look at who OWASP and that Top 10 are.
Clearly, this course has been created around the concepts that OWASP talks about. OWASP is the Open Web Application Security Project and there are three important things to understand about OWASP. First of all, they are not for profit. They're not making money out of anyone. They are simply here to help the web become a more secure place. Secondly, they're technology agnostic. OWASP doesn't promote, nor exclusively provide any guidance for, any one technology stack. They cover PHP as equally as they cover ASP.NET, as equally as they cover Java. And that's important, because it means that in a course like this we can talk about concepts that span all the web technology stacks. So it has a very broad appeal. And finally, it's contributed to selflessly by the security community. OWASP relies on those of us that are willing to devote our time and expertise in order to build resources such as the one we're going to talk about in this course. So let's take a look at that and here is what we're going to be talking about, the OWASP Top 10 most critical web application security risks. And in this course we're going to be talking about the 2013 release, and really what this document is here to do is to provide guidance for people delivering web applications so that they understand where they need to invest their security focus. Indeed, the OWASP Top 10 is a very frequently referenced resource in all sorts of different contexts where web security is discussed. For example, companies often use it as a set of standards for how they expect their staff or their vendors to secure web applications. Developers often use it as a reference for when they're building software. Certainly I hope they do use it as a reference and, indeed, when that doesn't happen and they miss the concepts altogether, that's when we get logos on that previous slide.
And thirdly, security professionals regularly use the OWASP Top 10 as a reference point when they're assessing applications, and the whole thing comes full circle, because very frequently findings in security scans tie directly back to this Top 10 because it is such a de facto standard for web application security. Let's move on and have a look at how I'm going to deliver this course and explain each one of those Top 10. Each one of the 10 modules that aligns to the OWASP Top 10 is going to contain four different key messages I want to leave you with, and the first one is going to be an Overview of the risk. So here I'm going to share a categorization of the severity of the risk and share a high-level overview of how it's executed. We'll then move on and have a look at Understanding the risk in more detail and we'll go through a sample attack scenario. So the idea here is to share with you a step-by-step process about how an attacker might exploit this particular risk in a vulnerable web application. Now, of course, the really important bit is understanding the defenses, and what I'll do here is outline three key areas for each risk that will secure the application. Now this is important, the three key areas, in that in security we don't tend to just talk about one mitigation, it's all about security in depth, layer upon layer of defense so that we don't leave any one single point of failure. That is a critical message, and that's why you're going to keep seeing multiple defenses for each risk. Finally, I want to talk about the risk in the wild, and what I mean by this is I want to show you where it has been exploited and websites actually attacked. This is really important and I strongly believe that unless people can actually conceptualize the risk and really see what it means to have a website exploited, it's hard for them to buy into the web security value proposition.
And, indeed, so many times we see web security just not being taken seriously until after it's too late. And you know what, it becomes the most important thing in the world after that. So I hope that throughout this course you get a sense of how prevalent risks in web security are, but also how easy it can be to mitigate the risk. It just requires awareness and a bit of due diligence to fundamentally change the security profile of a website. So let's jump into it and I'd like to begin with the first risk on injection.