
OWASP Top 10 Overview

OWASP (the Open Web Application Security Project) is a very cool community dedicated to helping organizations build software that can be trusted. It came online in 2001, and the OWASP Foundation was established as a non-profit in April 2004.

Its core purpose is to be the thriving global community that drives visibility and evolution in the safety and security of the world’s software. And its core values are to be open, innovative, global, and to have integrity.

There have been several iterations of the OWASP Top 10 since the first one in 2003. You can think of the Top 10 as basically a list of how not to get hacked: the ten most common and most serious categories of web application risk. For each category, the official document explains how to tell whether your application is vulnerable, how to prevent the problem, example attack scenarios, and how to test for it.

Caroline Wong (@CarolineWMWong) first learned about the OWASP Top 10 years ago while she worked at eBay, where she launched her infosec career. These days, she's Chief Strategy Officer for Cobalt.io and teaches the subject on LinkedIn Learning. You can learn about the OWASP Top 10 in much more detail through her courses there.

To teach this subject matter, Caroline makes use of memorable analogies, which is what the rest of the talk will cover.

#1 Injection

Injection, loosely speaking, involves tricking a system into interpreting untrusted data (user input, for example) as part of a trusted command or query. SQL injection is the classic case, but the same flaw shows up with OS commands, LDAP queries, and anything else that is built by gluing strings together.

To understand this, think of a file cabinet, and a robot that you tell to fetch files. “Robot, give me all files from 2019.” With an injection attack, the attacker alters the instructions to the robot to “give me the files from 2019… and also all of the other files.”
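To make the file-cabinet analogy concrete, here is an added example that is not code from the original post or from Caroline's talk. It uses Python's standard-library sqlite3 module and a constructed in-memory "files" table (the file names and years are made up). The vulnerable function builds the query by string formatting, so the attacker's "year" rewrites the robot's instructions; the hardened function keeps the query text fixed, binds the value as a parameter, and validates the type first.

```python
import sqlite3

# Constructed sample data standing in for the file cabinet.
SAMPLE_FILES = [
    ("q1-report-2019.pdf", 2019),
    ("q2-report-2019.pdf", 2019),
    ("payroll-2018.xlsx", 2018),
    ("merger-memo-2020.docx", 2020),
]

# What an honest user asks for, and what an attacker types into the same field.
HONEST_YEAR = "2019"
ATTACK_YEAR = "2019 OR 1=1"   # "give me the files from 2019... and also all the others"


def build_db():
    """Create an in-memory database holding the constructed sample files."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, year INTEGER)"
    )
    conn.executemany("INSERT INTO files (name, year) VALUES (?, ?)", SAMPLE_FILES)
    return conn


def fetch_files_vulnerable(conn, year):
    """VULNERABLE: the caller's input is pasted straight into the SQL text.

    The database cannot tell which part of the string was the developer's
    query and which part came from the user, so data becomes command.
    """
    sql = f"SELECT name FROM files WHERE year = {year} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def fetch_files_safe(conn, year):
    """HARDENED: fixed query text plus a bound parameter.

    Defence 1: the '?' placeholder makes the driver send `year` as a value,
    never as SQL, so it can only ever be compared against the column.
    Defence 2: coercing to int first rejects anything that is not a year
    (ValueError), which is the allow-list validation OWASP recommends as
    defence in depth.
    """
    year = int(year)
    rows = conn.execute(
        "SELECT name FROM files WHERE year = ? ORDER BY id", (year,)
    )
    return [row[0] for row in rows]


def run_demo():
    """Run both versions against the honest and the malicious input."""
    conn = build_db()
    results = {
        "honest_vulnerable": fetch_files_vulnerable(conn, HONEST_YEAR),
        "attack_vulnerable": fetch_files_vulnerable(conn, ATTACK_YEAR),
        "honest_safe": fetch_files_safe(conn, HONEST_YEAR),
    }
    try:
        fetch_files_safe(conn, ATTACK_YEAR)
        results["attack_safe_rejected"] = False
    except ValueError:
        results["attack_safe_rejected"] = True
    return results


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label}: {value}")
```

Running it shows the vulnerable function returning every file in the cabinet for the attack input, while the hardened function returns only the 2019 files for the honest input and refuses the attack string outright. Note that the placeholder alone would already neutralise the attack (the string "2019 OR 1=1" would simply never equal any year); the int() check is there to fail loudly instead of silently returning nothing.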

#2 Broken Authentication

Broken authentication happens when functions related to authentication and session management are implemented incorrectly, letting an attacker compromise passwords, keys, or session tokens, or otherwise assume another user's identity.

As an analogy, think of a Hide-A-Key that looks like a rock. Except, you don’t actually hide the key (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Erik Dietrich. Read the original post at: https://blog.sonatype.com/owasp-top-10-overview