OWASP stands for
Open Web Application Security Project
OWASP is what type of bussiness
Non-profit
OWASP supports
o Secure software development
o Risk Decision Making
o Free resources to developer teams – publications, articles, standards
Examples of OWASP publicationa
*Top 10 …
*“Guide to building secure web applications”
*Legal Project
OWASPP is used in our unit, what list is used
“Top 10 Cloud Security Risks”
Top 10 Cloud Security Risks according to OWASP
- Accountability & Data Ownership
- User Identity Federation
- Regulatory Compliance
- Bussiness Continuity & Resiliency
- User Privacy & Secondary Usage of Data
- Service & Data Integration
- Multi-Tennacy & Physical Security
- Incidence Analysis & FOrensics
- Infrastructure Security
- Non Production Enviroment Exposure
Handy Mnemonic to remember Top 10 CLoud Security Risks
A Dynamic
Fireman
Creatively
Calms
People
In
Intimidating
Incidents
Near
Manchester
OWASP: Accountability & Data Ownership
GDPR
Policies
RACI model
Mitigation – Delete data, keys
OWASP: User Identity FEderation
OWASP supports using SAML (Security Assertion Market Lanaguage)
Google eco system, other options (WSO2, 0Auth)
Takes control of user lifecycle out of administrators hand
“one right to rule them all”
OWASP: Regulatory Compliance
- Geographic
- Use understanding cloud vendor / parnters
OWASP: Business Continuity & Resiliency
- AWS went down – 2.6 million @ 13 mins
- Pre-contracts: SLA’s, MTTR, Objectives etc
- ISO22301
OWASP: User Privacy & Secondary Usage of Data
- GDPR
- Policies – Terms of Use
- User v Provider
- Encrypted storage
OWASP: Service & Data Integration
- Use secure protocols – TLS
- Data at use / data at rest
OWASP: Multi-tenancy & Physical Security
Multi tennancy shiz
OWASP: Infrastrucutre Security
- Network Security
- Previously this was where the battles were faught
- Progressive - Zero-Trust
