

When Museums Get Hacked: OWASP Top 10 Lessons from Heists

Historically (pun intended), the OWASP Top 10 has been the standard awareness document for developers and web application security. Its mitigation strategies, however, transcend history and can be applied to critical infrastructure under attack, *exempli gratia* museums.

In this talk, we’ll explore the newest OWASP Top 10 (released in November MMXXV) through the lens of famous Museum heists (Louvre, you are not alone) — a narrative journey through security blind spots, sneaky exploits, and lack of awareness.


José Carlos Chávez

July 01, 2026


Transcript

  1. When Museums Get Hacked: OWASP Top 10 Lessons from Heists

    José Carlos Chávez, Security Software Engineer @ Auth0/Okta
    • Open Source contributor and maintainer for 10+ years
    • OWASP Coraza WAF co-leader
    • Loving father of 2
    • Mathematician in quarantine
  2. What is the OWASP Top 10? And why is it important?

    • One of the oldest projects of OWASP and the appsec community
    • Updated every 4 years, depending on current changes and data; the last update was in Nov 2025
    • Awareness document for developers and web application security
    • Lists the most critical security risks for web applications
  3. A10: Mishandling of Exceptional Conditions

    (Image slide. Image source: The Guardian)
  4. A10: Mishandling of Exceptional Conditions

    (Diagram: Attacker, 0x101🍌)
  5. A10: Mishandling of Exceptional Conditions (Prevention)

    • Handle every error at the point it occurs
    • Constrain the blast radius before an exception happens
    • Establish a global exception handler as the last line of defence
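The three layers on the prevention slide, applied to a toy purchase endpoint. This is an added example, not code from the talk; the endpoint, the `STOCK` inventory and the fault injected by `charge()` are constructed for illustration.

```python
import logging
import traceback
from dataclasses import dataclass

log = logging.getLogger("shop")


@dataclass
class Response:
    status: int
    body: str


class OutOfStock(Exception):
    """An expected business condition, handled where it occurs."""


# Constructed inventory for the example: item id -> units in stock.
STOCK = {"23": 0, "42": 5}


def reserve_item(item_id: str) -> None:
    # Layer 1: handle the error at the point it occurs. This function knows
    # exactly what went wrong and raises a typed exception for each case.
    if item_id not in STOCK:
        raise KeyError(item_id)
    if STOCK[item_id] <= 0:
        raise OutOfStock(item_id)
    STOCK[item_id] -= 1


def charge(user_id: int) -> None:
    # Constructed fault: a negative user id stands in for an unexpected
    # downstream failure (for example the payment gateway going away).
    if user_id < 0:
        raise ConnectionError("payment gateway unreachable")


def process_purchase(user_id: int, item_id: str) -> Response:
    # Layer 2: constrain the blast radius. The failure modes we anticipate
    # are mapped to specific responses here and never propagate further.
    try:
        charge(user_id)
        reserve_item(item_id)
    except OutOfStock:
        return Response(409, "item out of stock")
    except KeyError:
        return Response(404, "unknown item")
    return Response(200, f"user {user_id} bought item {item_id}")


def handle_request(user_id: int, item_id: str) -> Response:
    # Layer 3: the global handler as the last line of defence. Anything not
    # anticipated above becomes a generic 500; the traceback goes to the log
    # and never to the client.
    try:
        return process_purchase(user_id, item_id)
    except Exception:
        log.error("unhandled error while serving request\n%s", traceback.format_exc())
        return Response(500, "internal error")


if __name__ == "__main__":
    for uid, item in [(1, "42"), (1, "23"), (1, "99"), (-1, "42")]:
        print(uid, item, handle_request(uid, item))
```

The point of the last handler is not to make the `ConnectionError` disappear but to decide, in one place, what the client is allowed to see when something nobody planned for happens.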
  6. A09: Security Logging and Alerting Failures

    (Image slide. Image source: CNN World)
  7. A09: Security Logging and Alerting Failures

    Diagram: User -> (1) Access the app -> Server -> (2) Monitor all actions -> (3) Logs system -> (4) Alert system
    User actions: logs in, searches for products, buys products
    Logs system:
      Jun 10 06:06:23 | GET /app 200           | INFO  | User 1 access the application
      Jun 10 06:07:03 | POST /login 200        | INFO  | User 1 logs in the application
      Jun 10 06:07:06 | GET /app 302           | DEBUG | User redirect to application
      Jun 10 06:07:23 | GET /item?id=23 200    | INFO  | User 1 list product 23
      Jun 10 06:07:43 | GET /stock?d=23 200    | DEBUG | User see stock of product 23
      Jun 10 06:10:23 | POST /buy?id=23 200    | INFO  | User 1 buys product id 23
      Jun 10 06:10:33 | GET /purchase?id=3 302 | INFO  | User 1 confirmed purchase 3
  8. A09: Security Logging and Alerting Failures (Prevention)

    • Make sure all security-relevant events are recorded
    • Make logs actionable, not just archival
    • Verify that logs are immutable, reliable, and cannot be manipulated
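Two of the prevention points in code: an alert rule that turns the slide's log format into something actionable, and a hash chain that makes tampering with the archive detectable. This is an added example, not the talk's code; the log lines are constructed in the format of slide 7 (with two failed logins added), and the alert threshold is an illustrative value.

```python
import hashlib
import re
from collections import defaultdict

# Constructed log lines in the format of the slide's "Logs system" column,
# with two failed logins added so the alert rule has something to find.
LOG_LINES = [
    "Jun 10 06:06:23 | GET /app 200 | INFO | User 1 access the application",
    "Jun 10 06:07:01 | POST /login 401 | WARN | User 1 login failed",
    "Jun 10 06:07:02 | POST /login 401 | WARN | User 1 login failed",
    "Jun 10 06:07:03 | POST /login 200 | INFO | User 1 logs in the application",
    "Jun 10 06:07:23 | GET /item?id=23 200 | INFO | User 1 list product 23",
    "Jun 10 06:10:23 | POST /buy?id=23 200 | INFO | User 1 buys product id 23",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \| (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) \| (?P<level>\w+) \| (?P<msg>.*)$"
)
GENESIS = "0" * 64


def parse(line: str) -> dict:
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event


def failed_login_alerts(lines, threshold: int = 2) -> list:
    """Make logs actionable: alert the first time a user reaches `threshold`
    failed logins. Rule and threshold are constructed for the example."""
    failures = defaultdict(int)
    alerts = []
    for ev in map(parse, lines):
        if ev["path"] == "/login" and ev["status"] == 401:
            user = ev["msg"].split()[1]          # "User 1 login failed" -> "1"
            failures[user] += 1
            if failures[user] == threshold:
                alerts.append(f"{ev['ts']} user {user}: {threshold} failed logins")
    return alerts


def chain(lines, prev: str = GENESIS) -> list:
    """Append-only hash chain: every digest commits to the previous one, so an
    edited or deleted record breaks every digest after it. The chain head
    should be shipped somewhere the application host cannot rewrite."""
    digests = []
    for line in lines:
        prev = hashlib.sha256(f"{prev}\n{line}".encode()).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(lines, digests, prev: str = GENESIS) -> int:
    """Return the index of the first record that fails verification, -1 if intact."""
    for i, line in enumerate(lines):
        prev = hashlib.sha256(f"{prev}\n{line}".encode()).hexdigest()
        if i >= len(digests) or prev != digests[i]:
            return i
    return -1
```

The chain only proves integrity relative to a digest the attacker cannot also rewrite, which is why the head of the chain (or the whole log) belongs on a separate, append-only system rather than next to the application.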
  9. A08: Software and Data Integrity Failures

    (Image slide. Image source: Pueblos Mágicos de España)
  10. A08: Software and Data Integrity Failures

    Diagram: Developer -> (1) Push code to the repository -> Code repository -> CI/CD Pipeline -> (2) Code is deployed in prod -> User (3) Access the app
  11. A08: Software and Data Integrity Failures

    Diagram: Developer -> (1) Push code to the repository -> Code repository -> Attacker (2) Modifies to include malicious code -> CI/CD Pipeline -> (3) Code is deployed in prod -> User (4) Uses infected app
  12. A08: Software and Data Integrity Failures (Prevention)

    • Use mechanisms such as hash functions to ensure data integrity
    • Build an internal inventory of components/software/libraries
    • Check and verify that those libraries/software are reliable and secure
  13. A07: Authentication Failures

    (Image slide. Image sources: obonparis.com, chatgpt)
  14. A07: Authentication Failures

    Diagram: Attacker -> Leaked Credentials -> Right authentication: Breached password -> Authentication failure
  15. A07: Authentication Failures (Prevention)

    • Use multi-factor authentication mechanisms
    • Monitor suspicious activity
    • Refresh authentication often
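The three prevention points, plus the breached-password scenario from slide 14, in one login routine. This is an added example, not code from the talk: the user store, the breach corpus and the session lifetime are constructed, and the TOTP secret is the RFC 6238 test-vector key so the second factor can be checked against a known value.

```python
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 200_000
SESSION_MAX_AGE = 8 * 3600          # constructed: re-authenticate after 8 hours


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store. The TOTP secret is the RFC 6238 test-vector key.
TOTP_SECRET = b"12345678901234567890"
USERS = {
    "nico": {"salt": b"salt-nico", "pw": password_hash("correct horse battery staple", b"salt-nico"), "totp": TOTP_SECRET},
    "jose": {"salt": b"salt-jose", "pw": password_hash("password", b"salt-jose"), "totp": TOTP_SECRET},
}

# Constructed breach corpus as SHA-1 digests, the form breach feeds usually take.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("password", "123456", "qwerty")}

AUDIT = []   # "monitor suspicious activity": every refused step is recorded here


def is_breached(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int, skew_steps: int = 1) -> bool:
    """Accept one step of clock skew either way; compare in constant time."""
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-skew_steps, skew_steps + 1))


def login(username: str, password: str, otp: str, now: int):
    """Return a session dict on success, or a string saying why login was refused."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(password_hash(password, user["salt"]), user["pw"]):
        AUDIT.append((now, username, "bad credentials"))
        return "bad credentials"
    if is_breached(password):
        # Right password, but one that is already public: refuse and force a reset.
        AUDIT.append((now, username, "breached password"))
        return "password appears in breach data; reset required"
    if not verify_totp(user["totp"], otp, now):
        AUDIT.append((now, username, "second factor failed"))
        return "second factor failed"
    return {"user": username, "issued_at": now}


def session_valid(session: dict, now: int) -> bool:
    """Refresh authentication often: sessions expire instead of living forever."""
    return 0 <= now - session["issued_at"] < SESSION_MAX_AGE
```

The `AUDIT` list is the hook for the "monitor suspicious activity" point: a real deployment would feed these events to the logging and alerting pipeline from A09 rather than keep them in memory.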
  16. A06: Insecure Design

    (Image slide. Image source: louvreguide.com)
  17. A06: Insecure Design (Prevention)

    • Involve security from the beginning: controls, threat modeling, pentesting, bug bounties, etc.
    • Security is a process, not a checklist
    • Training, workshops and tools
  18. A05: Injection

    (Image slide. Image source: The British Newspaper Archive)
  19. A05: Injection

    Attacker's input turns the login query into:
    SELECT * FROM users WHERE name='John Smith'; --' and password='wrong'
  20. A05: Injection (Prevention)

    • Sanitize and validate input data: never trust the client
    • Deal with structured messages vs raw data
    • Multiple layers of protection
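The slide's query built the vulnerable way and the parameterized way, side by side, against an in-memory SQLite table. This is an added example, not code from the talk; the `users` row, the `NAME_RE` allowlist and the plaintext password column (kept only to mirror the slide's query) are constructed.

```python
import re
import sqlite3

# The name value from slide 19; the password is the slide's 'wrong'.
PAYLOAD = "John Smith'; --"

# Constructed allowlist for a person's name: letters, space, dot, hyphen, apostrophe.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")


def setup() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # Constructed row; a real table stores a password hash, not the password.
    db.execute("INSERT INTO users VALUES ('John Smith', 'secret')")
    return db


def login_vulnerable(db, name: str, password: str) -> bool:
    # Raw data: the query is assembled by string interpolation, exactly as on
    # the slide, so the comment marker in the name discards the password clause.
    sql = f"SELECT * FROM users WHERE name='{name}' and password='{password}'"
    return db.execute(sql).fetchone() is not None


def login_safe(db, name: str, password: str) -> bool:
    # Structured message: the values travel separately from the statement, so
    # the payload is only ever compared as a literal name and matches nothing.
    sql = "SELECT * FROM users WHERE name=? and password=?"
    return db.execute(sql, (name, password)).fetchone() is not None


def valid_name(name: str) -> bool:
    """First layer: allowlist validation. An apostrophe is legitimate in a name,
    so this is a layer, not the fix; the parameterized query is the fix."""
    return NAME_RE.fullmatch(name) is not None


def login(db, name: str, password: str) -> bool:
    """Multiple layers: validate the shape of the input, then query with parameters."""
    if not valid_name(name):
        return False
    return login_safe(db, name, password)
```

Running the two functions with the same payload is the whole lesson: the interpolated query returns the row for 'John Smith' although the password is wrong, the parameterized one returns nothing.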
  21. A04: Cryptographic Failures

    (Image slide. Image source: NSA)
  22. A04: Cryptographic Failures

    Diagram: User -> Private Message -> HTTP (Port 80): Insecure Connection
  23. A04: Cryptographic Failures (Prevention)

    • Less is more: store and transfer only what is necessary
    • Categorize data to choose an appropriate security level
    • Use reliable encryption algorithms
  24. A03: Software Supply Chain Failures

    (Image slide. Image source: paristickets.com)
  25. A03: Software Supply Chain Failures

    Proprietary code + Open Source libraries (3rd party libraries)
    Your code is as weak as your weakest library
  26. A03: Software Supply Chain Failures

    Diagram: Attacker -> (1) Vulnerable component in credit website: Apache Struts 2 [CVE-2017-5638] -> (2) RCE in host -> (3) Users
    • Lack of internal procedures for continuous update
    • Lack of inventory of artifacts and materials
    • Lack of monitoring of vulnerabilities
  27. A03: Software Supply Chain Failures (Prevention)

    • Ensure that only the necessary components are used
    • Evaluate the components, the sources, and verify that they are safe for use
    • Maintain an up-to-date inventory of components with vulnerability alerts
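One check covering both the A08 prevention slide (hash the artifact the pipeline deploys) and the A03 prevention slide (keep an inventory and alert on known-vulnerable versions). This is an added example, not code from the talk: the release bundle, the inventory and the advisory feed are constructed. CVE-2017-5638 is the Struts 2 issue named on slide 26, but the version ranges attached to it here are illustrative; a real check takes them from the advisory.

```python
import hashlib
import hmac

# --- A08: integrity of what the pipeline deploys -------------------------

# Constructed release bundle and the digest pinned for it at build time.
ARTIFACT = b"constructed release bundle v1.4.2\n"
PINNED_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Refuse to deploy a bundle whose digest does not match the pinned value.
    hmac.compare_digest avoids leaking the mismatch position via timing."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256.lower())


# --- A03: inventory of components with vulnerability alerts ---------------

# Constructed inventory: component coordinate -> deployed version.
INVENTORY = {
    "org.apache.struts:struts2-core": "2.3.30",
    "com.example:internal-lib": "1.4.2",
}

# Constructed advisory feed. The CVE id is the one on slide 26; the ranges
# are illustrative placeholders, not the advisory's authoritative data.
ADVISORIES = [
    {"id": "CVE-2017-5638", "component": "org.apache.struts:struts2-core",
     "vulnerable": [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")]},
]


def version_key(version: str) -> tuple:
    """Numeric dotted versions only; pre-release tags are out of scope here."""
    return tuple(int(part) for part in version.split("."))


def vulnerable_components(inventory: dict, advisories: list) -> list:
    """Cross the inventory with the advisory feed; every hit is an alert."""
    hits = []
    for adv in advisories:
        version = inventory.get(adv["component"])
        if version is None:
            continue
        for low, high in adv["vulnerable"]:
            if version_key(low) <= version_key(version) <= version_key(high):
                hits.append((adv["component"], version, adv["id"]))
                break
    return hits


def deploy_allowed(data: bytes, expected_sha256: str, inventory: dict, advisories: list) -> bool:
    """Gate for the CI/CD pipeline: intact artifact and no open advisories."""
    return verify_artifact(data, expected_sha256) and not vulnerable_components(inventory, advisories)
```

The pinned digest has to come from somewhere the attacker on slide 11 cannot edit alongside the code, otherwise the check only confirms that the modified bundle matches its own modified digest.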
  28. A02: Security Misconfiguration

    (Image slide. Image source: ABC News)
  29. A02: Security Misconfiguration

    • HTTP headers
    • Accessible filesystem
    • Default configuration
    • Bloated images
    • Verbose errors
    • admin/admin credentials
  30. A02: Security Misconfiguration (Prevention)

    • Less is more
    • Explicit >>> Implicit
    • Verification policies and usage of templates
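A configuration with the weak settings from slide 29 next to a hardened template, and the verification policy that tells them apart. This is an added example, not code from the talk; both configurations, the required-header list and the `MUST_BE_EXPLICIT` keys are constructed for illustration.

```python
# Constructed configuration carrying the weak settings the slide lists.
WEAK = {
    "debug": True,                       # verbose errors reach the client
    "directory_listing": True,           # accessible filesystem
    "admin_user": "admin",
    "admin_password": "admin",           # default credentials
    "headers": {},                       # no security headers
}

# The same configuration hardened: this is the template new services start from.
HARDENED = {
    "debug": False,
    "directory_listing": False,
    "session_cookie_secure": True,
    "admin_user": "ops-admin",
    "admin_password": "<loaded from secret store at startup>",
    "headers": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'",
    },
}

# Explicit >>> implicit: these keys must be set on purpose, never defaulted.
MUST_BE_EXPLICIT = ("debug", "directory_listing", "session_cookie_secure")
REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Content-Type-Options",
                    "X-Frame-Options", "Content-Security-Policy")
# The slide's admin/admin plus a blank password, as the default-credential set.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "")}


def audit(config: dict) -> list:
    """Verification policy: return the findings; an empty list means it passes."""
    findings = []
    for key in MUST_BE_EXPLICIT:
        if key not in config:
            findings.append(f"{key} not set explicitly (relying on a default)")
    if config.get("debug"):
        findings.append("debug enabled: verbose errors will leak internals")
    if config.get("directory_listing"):
        findings.append("directory listing enabled: filesystem is browsable")
    if (config.get("admin_user"), config.get("admin_password")) in DEFAULT_CREDENTIALS:
        findings.append("default admin credentials in use")
    for header in REQUIRED_HEADERS:
        if header not in config.get("headers", {}):
            findings.append(f"missing security header {header}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

Running `audit` in CI against the rendered configuration is what turns "less is more" from advice into a gate; the template keeps every new deployment starting from the passing side of it.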
  31. A01: Broken access control

    Diagram: Attacker -> /myaccount/nico; Nico -> /myaccount/nico
  32. A01: Broken access control (Prevention)

    • Less is more: fewer permits, more granular
    • Contextualized access controls
    • Have an up-to-date, documented, and visible permission map
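The slide 31 scenario (someone other than Nico requesting /myaccount/nico) checked against a small, visible permission map with a contextual rule for support staff. This is an added example, not code from the talk; the roles, the map and the `open_ticket_for` context key are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str            # authenticated identity taken from the session
    method: str
    path: str
    context: dict = field(default_factory=dict)


# The permission map: documented, visible, and as small as possible.
# "{self}" must equal the requesting user; "{account}" may be any account but
# is only reachable under a condition checked against the request context.
PERMISSIONS = {
    "customer": {("GET", "/myaccount/{self}"), ("POST", "/myaccount/{self}/orders")},
    "support": {("GET", "/myaccount/{account}")},
}
ROLES = {"nico": "customer", "ana": "customer", "sam": "support"}   # constructed


def match(pattern: str, path: str):
    """Segment-wise match; returns the placeholder bindings or None."""
    p_parts, s_parts = pattern.strip("/").split("/"), path.strip("/").split("/")
    if len(p_parts) != len(s_parts):
        return None
    bindings = {}
    for p, s in zip(p_parts, s_parts):
        if p.startswith("{") and p.endswith("}"):
            bindings[p[1:-1]] = s
        elif p != s:
            return None
    return bindings


def authorize(req: Request) -> bool:
    """Deny by default; grant only on an explicit entry in the permission map."""
    role = ROLES.get(req.user)
    if role is None:
        return False
    for method, pattern in PERMISSIONS.get(role, ()):
        if method != req.method:
            continue
        bindings = match(pattern, req.path)
        if bindings is None:
            continue
        # Object-level check: /myaccount/nico is only nico's to read.
        if "self" in bindings and bindings["self"] != req.user:
            continue
        # Contextualized access: support may open an account only while a
        # ticket for that account is assigned to them.
        if "account" in bindings and req.context.get("open_ticket_for") != bindings["account"]:
            continue
        return True
    return False
```

The important property is that the path alone never grants anything: the decision combines who is asking, what they are asking for, and the context they are asking in, and anything not listed in `PERMISSIONS` is refused.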
  33. Conclusions

    1. The OWASP Top 10 is a snapshot of reality, not a comprehensive checklist.
    2. Vulnerabilities evolve, but root causes remain the same.
    3. Security is a continuous journey.