OWASP Top 10 et ISO/IEC 27034 Sécurité des applications par Luc Poulin et Jonathan Marcil

MAIN PRESENTERS: Luc Poulin and Jonathan Marcil

ABSTRACT: This new standard offers organizations of all sizes a model that eases the integration of security throughout the application life cycle. ISO/IEC 27034 is intended for managers, development and operations teams, application customers and suppliers, and auditors who must design, plan, implement, manage and verify application security. Conformance to the standard reduces risk by reducing application vulnerabilities. Following the previous presentation on the subject, this one introduces the official OWASP project that will produce Application Security Controls (ASCs) based on the OWASP Top 10, in the format defined by the standard.

BIO: Mr. Poulin has more than thirty years of experience in IT, during which he has built solid expertise in systems technology and software engineering. He specializes in managing, implementing and assessing the overall security of IT systems within application development and operations environments. He is co-editor of the ISO/IEC 27034 standard, Application Security. Jonathan Marcil is a web application security consultant and leader of the OWASP Montréal chapter. He has more than ten years of experience in information technology and web development with a bent for security. He designs challenges for NorthSec, a technical computer security competition, and advises on the security track of the ConFoo web technology conference in Montréal.

WHEN: December 2, 2013

WHERE: École de technologie supérieure, 1100 rue Notre-Dame ouest, Montréal, Room A-1150

WEBCAST: http://youtu.be/ZxrpIvUJ40g

OWASP Montréal

December 02, 2013

Transcript

  1. OWASP Project – Start Up Meeting
    OWASP ISO/IEC 27034 Application Security Controls
    Presented by Luc Poulin and Jonathan Marcil

  2. 1. Welcome
    2. ISO/IEC 27034 ASCs review
    3. OWASP Top 10 Risks & related documents
    4. Top 10 conversion to ASC, an example
    5. Your opinion and interest
    6. Next meeting

  3. Goals of application security
    Protect the applications' information
    • Meeting objectives
    – Define the strategy
    • SCRUM project management
    • Step by step approach
    – Start the project
    • Design, validate, develop and verify an ASC from one
    of the Top 10 risks
    • Targeted languages: English, Français, Español…
    • Build the project team (we will need your emails)

  4. 1. Welcome
    2. ISO/IEC 27034 ASCs review
    3. OWASP Top 10 Risks & related documents
    4. Top 10 conversion to ASC, an example
    5. Your opinion and interest
    6. Next meeting

  5. ISO/IEC 27034 Review
    27034 does not…
    • ISO/IEC 27034 does not propose any
    – Application Security Control
    – Coding best practices
    – Testing best practices
    • That's why OWASP and 27034 are a good match

  6. ISO/IEC 27034 Review
    Needs from project and operation teams
    • Architects, analysts, programmers, testers, IT
    team, DBAs, admins, etc., who need to:
    – know what and when Application Security Controls
    should be applied;
    – integrate Application Security Controls in their
    activities;
    – meet the requirements of the Application Security
    Controls' associated measurements;
    – get access to tools and best practices;
    – facilitate peer review.

  7. ISO/IEC 27034 Review
    Needs from auditors
    • Auditors, who need to:
    – know the scope and process of verification
    measurements for the corresponding Application
    Security Controls;
    – make audit results repeatable;
    – identify a list of verification measurements which
    can generate supporting evidence to demonstrate
    that the application has reached the required
    level of trust authorized by management;
    – standardize the application security verification.

  8. ISO/IEC 27034 Review
    Key principles
    • Security is a requirement
    • Application security is context-dependent
    • Appropriate investment for application
    security
    • Application security must be demonstrated

  9. ISO/IEC 27034 Review
    Requirements process
    • Requirements are used to define and choose a
    functionality/control implementation that
    will produce an expected result
    (diagram: two parallel tracks at the application level: Need → Requirement → Functionality → Expected Result, and Security Risk → Security Requirement → ASC → Expected Result)

  10. ISO/IEC 27034 Review
    The 4 intervention domains
    (diagram: Critical Information at the centre, surrounded by the four domains)
    – Security Management (Governance)
    – Applications, Information System (Development and Evolution)
    – Technology (Acquisition, Maintenance, and Contingency)
    – Verification and Control (Conformity)

  11. ISO/IEC 27034 Review
    Application Security Control
    (diagram: ASC)

  12. ISO/IEC 27034 Review
    Application Security Control
    • ASCs may have a
    graph relationship
    (diagram: an "Online Payment" ASC linked to other ASCs)

  13. ISO/IEC 27034 Review
    Application Security Life Cycle
    Reference Model
    (diagram: life cycle layers, through to Disposal)

  14. ISO/IEC 27034 Review
    Build the OWASP ASC Library
    (diagram: the OWASP Top 10, "the chosen one", is the source of specifications and constraints; those specifications and constraints feed the Organisation ASC Library, whose ASCs are mapped to the application levels of trust used by the organisation, numbered 0, 1, 2, 3, … 9, 10)

  15. ISO/IEC 27034 Review
    Implement ASCs on
    Application's elements
    (diagram: Organization, Application and Technology elements)

  16. ISO/IEC 27034 Review
    ASC Management process
    • ASC Creation and
    Maintenance Process
    • ONF and ASCs
    Validation Process
    (diagram: Domain Experts create and update ASCs; the Verification team validates, verifies and controls them; ASCs are kept in the Organisation Normative Framework)

  17. 1. Welcome
    2. ISO/IEC 27034 ASCs review
    3. OWASP Top 10 Risks & related documents
    4. Top 10 conversion to ASC, an example
    5. Your opinion and interest
    6. Next meeting

  18. OWASP Top 10
    Introduction
    • The most visible OWASP
    flagship project
    • A broad consensus
    about what the most
    critical web application
    security risks are
    • Educate developers,
    designers, architects,
    managers, and
    organizations

  19. OWASP Top 10
    Top 10 Application
    Security Risks – 2013

  20. OWASP Top 10
    Layout for each risk
    (slide layout: A# RISK TITLE; Risk rating and details; Example Attack Scenarios; References; Prevention methods; Vulnerability assessments; Security control ?!)

  21. OWASP Top 10
    Risk layout and details
    Risk path
    Risk rating

  22. OWASP Top 10
    References
    • There's a lot more to OWASP than the Top 10
    • Actually 145 active projects as of 2013-11-15
    • The Top 10 refers to them
    • Types
    – Code
    – Tool
    – Documentation

  23. 1. Welcome
    2. ISO/IEC 27034 ASCs review
    3. OWASP Top 10 Risks & related documents
    4. Top 10 conversion to ASC, an example
    5. Your opinion and interest
    6. Next meeting

  24. Conversion example to ASC
    Conversion process
    • Select one of the OWASP Top 10 risks
    • Do an OWASP literature review on the
    subject
    • Define Security Requirements (SRs)
    – Who wants what, on which information, when,
    where
    • Define ASCs that address the SRs
    – Security activity
    – Verification & measurement activity

  25. Conversion example to ASC
    MindMap

  26. 1. Welcome
    2. ISO/IEC 27034 ASCs review
    3. OWASP Top 10 Risks & related documents
    4. Top 10 conversion to ASC, an example
    5. Your opinion and interest
    6. Next meeting

  27. Conversion example to ASC
    Your opinion and interest
    • Discussion…
    – What do you think about this project?
    – Who wants to come on board?
    – Which risk would be most interesting to begin
    with?
    – Please leave us your email address
    – Next meeting
    – …

  28. 1. Welcome
    2. ISO/IEC 27034 ASCs review
    3. OWASP Top 10 Risks & related documents
    4. Top 10 conversion to ASC, an example
    5. Your opinion and interest
    6. Next meeting

  29. Application security
    is more than security in
    application development
    • Thank you for your attention. Questions?
    Jonathan Marcil B.Ing.
    OWASP ISO/IEC 27034 ASCs Project Co-Leader
    [email protected]
    Luc Poulin M.Sc, CISSP-ISSMP, CSSLP, CISA, CISM
    OWASP ISO/IEC 27034 ASCs Project Co-Leader
    Principal editor of the ISO/IEC 27034 standard
    [email protected]
    • Next Meeting: ??? 2014