Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Thursday, August 22 • 2:40pm - 3:25pm
OWASP Top 10 Proactive Controls


The major cause of web insecurity is poor development practices. We cannot “firewall” or “patch” our way to secure websites. Programmers need to learn to build websites differently. No company or industry is immune.
The OWASP Top Ten Proactive Controls Project is a Top-Ten-style document aimed directly at developers, listing the secure coding techniques they need. While not complete, this talk describes the bare minimum required of a development team that wants even a small chance of producing moderately secure software.

Validation
- Whitelist Validation (struggles with internationalization)
- URL validation (as part of redirect features)
- HTML Validation (as part of untrusted content from features like TinyMCE)

Authentication
- Password storage, HMACs for scale
- Multi-factor AuthN implementation details
- OAuth
- Forgot password workflow
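A worked example of the password-storage and forgot-password items above, added here as illustration and not taken from the talk or the Proactive Controls project. It shows one reading of "HMACs for scale": run the slow, salted derivation first, then apply a cheap keyed HMAC with a server-side secret kept outside the user database, so a leaked table of hashes cannot be attacked offline without the key and the per-login CPU cost does not grow. `PEPPER_KEY`, `ITERATIONS` and the helper names are assumptions chosen for this example; the salt and reset token come from the OS CSPRNG via `secrets`.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example. In a real deployment it is
# loaded from a vault, KMS or HSM and is never stored next to the password hashes.
PEPPER_KEY = bytes.fromhex(
    "3f1c9a7e5b2d4c6a8e0f1d2b3c4a5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d")

# Assumed PBKDF2-HMAC-SHA256 work factor; tune to the hardware's login budget.
ITERATIONS = 210_000


def _derive(password: str, salt: bytes, pepper_key: bytes) -> bytes:
    """Slow salted hash, then a keyed HMAC over the result."""
    slow = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Keyed step: without pepper_key an attacker holding only the database rows
    # cannot even start guessing. HMAC is cheap, so this adds no login latency.
    return hmac.new(pepper_key, slow, "sha256").digest()


def hash_password(password: str, pepper_key: bytes = PEPPER_KEY):
    """Return (salt, stored_hash) for a new or changed password."""
    salt = secrets.token_bytes(16)  # per-user salt from the OS CSPRNG
    return salt, _derive(password, salt, pepper_key)


def verify_password(password: str, salt: bytes, stored: bytes,
                    pepper_key: bytes = PEPPER_KEY) -> bool:
    """Constant-time comparison so timing does not leak matching prefixes."""
    return hmac.compare_digest(_derive(password, salt, pepper_key), stored)


def generate_reset_token() -> str:
    """Forgot-password link token: unguessable, from the CSPRNG, never from random.random()."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    salt, stored = hash_password("correct horse battery staple")
    print("verify correct :", verify_password("correct horse battery staple", salt, stored))
    print("verify wrong   :", verify_password("Tr0ub4dor&3", salt, stored))
    print("reset token    :", generate_reset_token())
```

Store the salt and the HMAC output per user; the pepper key is a single secret for the whole table, which is exactly why it must live elsewhere and be rotatable.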

Access Control
- Limits of access control
- Permission-based access control

Encoding and Parameterization
- Output encoding for XSS
- Query Parameterization
- Other encodings for LDAP, XML construction and OS Command injection resistance
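The three injection defenses listed above, shown side by side in an added example that is not code from the talk or the Proactive Controls project: a string-built query that a classic tautology payload turns into "return every row", the parameterized form of the same query that treats the payload as data, HTML entity encoding for output placed in an HTML body, and an argument vector without a shell for OS command execution. The `users` table and the payload are constructed for the demonstration; the subprocess call re-invokes the current Python interpreter only so the example runs offline.

```python
import html
import sqlite3
import subprocess
import sys


def make_db():
    """Constructed in-memory table used by the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """Concatenation: the untrusted value becomes part of the SQL grammar."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Placeholder binding: the value can never change the statement's structure."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(name):
    """HTML body context: entity-encode so markup in name is displayed, not parsed."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def echo_arg_safely(arg):
    """Argument vector, no shell: metacharacters in arg are data, not syntax."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", arg],
        capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"   # constructed tautology payload
    print("vulnerable    :", find_user_vulnerable(conn, payload))
    print("parameterized :", find_user_parameterized(conn, payload))
    print(render_greeting("<script>alert(1)</script>"))
    print(echo_arg_safely("a; echo pwned"))
```

Note that `html.escape` is correct only for the HTML body and quoted-attribute contexts; data placed into JavaScript, URLs or CSS needs the encoder for that context, which is the point of the "other encodings" item above.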

Data Protection
- Secure number generation
- Certificate pinning
- Proper use of AES (CBC/IV Management)

Secure Requirements
- Core requirements for any project (technical)
- Business logic requirements (project specific)

Secure Architecture and Design
- When to use request, session or database for data flow


Jim Manico

Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background building software as a developer and architect for over 20 years. Jim is also a global...

Thursday August 22, 2013 2:40pm - 3:25pm CEST
Großer Saal