Tuesday, January 27 • 1:45pm - 2:45pm
OWASP Top Ten Proactive Controls


The major cause of web insecurity is poor development practices. We cannot “firewall” or “patch” our way to secure websites. Programmers need to learn to build websites differently. No company or industry is immune.
The OWASP Top Ten Proactive Controls Project is a Top-Ten-style document that focuses directly on informing developers of necessary secure coding techniques. This talk describes the bare minimum required of a development team if they wish to have even a small chance of producing secure software.

Validation
- Whitelist Validation (struggles with internationalization)
- URL validation (as part of redirect features)
- HTML Validation (as part of untrusted content from features like TinyMCE)

- Password storage, HMACs for scale
- Multi-factor AuthN implementation details
- OAuth
- Forgot password workflow

Access Control
- Limits of access control
- Permission-based access control

- Output encoding for XSS
- Query Parameterization
- Other encodings for LDAP, XML construction and OS Command injection resistance

Data Protection
- Secure number generation
- Certificate pinning
- Proper use of AES (CBC/IV Management)

Secure Requirements
- Core requirements for any project (technical)
- Business logic requirements (project specific)

Secure Architecture and Design
- When to use request, session or database for data flow


Jim Manico

Troll, The Internet
Jim Manico is an author and educator of developer security awareness training and has a 17-year history of building software as a developer and architect. He is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. Jim is also a Global...

Tuesday January 27, 2015 1:45pm - 2:45pm PST
Annenberg Community Beach House: Track 3, 415 Pacific Coast Hwy, Santa Monica, CA 90402
