Wednesday, March 05, 2008

OWASP Top Ten and Insecure Software Root Causes


A security professional's diagnosis of vulnerabilities is similar to a doctor's diagnosis of viruses: there are causes and symptoms.

I did a presentation last week for my OWASP local chapter on application vulnerabilities and insecure software root causes. A little too much to cover in one hour; next time I will do just one session per vulnerability and be less Italian in my perception of time...

Here is the abstract of the presentation:

Before diagnosing the disease and prescribing the cure, a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In the case of application security, the majority of the root causes of security issues lie in insecure software; the risk factors can be found in how poorly the application is designed, how the software is coded and how the application is tested; and the symptoms show in how the application's vulnerabilities are exposed. The presentation articulates the problem of secure software, its costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we look at ways to enforce software security by examining the risk that threat agents (attacks) exploit vulnerabilities caused by insecure software, and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start addressing the root causes of web application vulnerabilities. By categorizing web application vulnerabilities as weaknesses in application security controls, it becomes easier to describe their root causes as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten: for each of these vulnerabilities we discuss the threat, the risk factors, the software root causes of the vulnerability, how to find out whether you are vulnerable and, if you are, which countermeasures need to be implemented.

The presentation can be downloaded from the OWASP site here:
