Cloud Application Security Guy + OWASP 3 email@example.com! firstname.lastname@example.org! Racker since October 2011! Rackspace’s Cloud Product Group! Work with developers and QE! OWASP International Foundation Board Member and Treasurer ! Project Leader of OWASP Live CD & OWASP WTE projects!
Report 7 Figure 13: Total full-year attacks measured by the HP TippingPoint IPS, 2009–2011 Year by year, attacks increased but it should be noted that Web application attacks grew almost 50 percent from 2010 to 2011. Web application attacks also made up 13 percent of the total attacks observed by the HP TippingPoint IPS. This is an increase from 2010, during which the HP TippingPoint IPS measured Web application Attacks Seen from IDS/IPS attacks making up 10 percent of overall attacks. The next section will go into more detail about the Web application attacks seen in 2011. Figure 14: Total Web application attacks measured by the HP TippingPoint IPS, 2009–2011 Figure 15: Breakdown of attacks measured by the HP TippingPoint IPS, 2011 Web Attacks Seen from IDS/IPS
re 10 provides trend data for mean Veracode Security Quality Score over the past eight quarters. The red “best fit” via least squares regression to the set of plotted blue points, one blue point for each quarter. T he red line is slightly smaller than that for the previous volume of this report and the p-value4 has increase o .543. Both of these results are consistent as indicators that the trend is flat—no increase or decrease i ication quality, as measured by the Veracode Security Quality Score, in our dataset since 4Q2009. 2009-4 2010-1 2010-2 2010-3 2010-4 2011-1 2011-2 2011-3 QUARTER 80 79 78 77 76 75 74 MEAN VERACODE SECURITY QUALITY SCORE Veracode Security Quality Score Trend by Quarter pvalue = 0.543: Statistically, the trend is flat. Figure 10: Veracode Security Quality Score Trend by Quarter
Vulnerabilities by Language Distribution VERACODE STATE OF SOFTWARE SECURITY REPORT: VOLUME 4 100 80 60 40 20 0 2009-1 2009-2 2009-3 2009-4 2010-1 2010-2 2010-3 2010-4 QUARTER PERCENTAGE OF WEB APPLICATIONS AFFECTED Quarterly Trend for SQL Injection pvalue = 0.048: Statistically, the trend is down. Figure 23: Quarterly Trend for SQL Injection
# nmap.attack Feature: nmap attacks Background: Given "nmap" is installed And the target hostname is "google.com" Scenario: Verify server is available on standard web ports When I launch an "nmap" attack with: """ nmap -‐p 80,443 <hostname> """ Then the output should contain: """ 80/tcp open http 443/tcp open https """
vulnerabilities and writing tests to expose them • Hardening base Puppet / Chef scripts • Writing permanent configuration auditing • Reviewing results of automated config, app, network and vuln scans 26
has_many :lines belongs_to :user … end class Order attr_accessible :id, :order_number has_many :lines belongs_to :user access_control :user … end Let’s Talk Direct Object Reference 31 Model has no enforcement for access. Model know knows how to determine ownership. model = load_model(query) if model.owner.id != current_user.id throw new HttpError(401) end return model Framework can enforce access controls.
to work with open source frameworks to champion and implement security features? 32 Some people going in the same direction Gauntlet: BDD for Security https://github.com/thegauntlet ThreadFix: Security Integration http://code.google.com/p/threadfix/