Cultura Politica Tecnologia

November 26, 2009

The OWASP Top 10 2010 release candidate is out!

The PDF had been sitting in my e-mail for a few days, but only today did I manage to give it some attention.

The OWASP Top 10 is a list of the main risks that web applications are exposed to. These risks are selected through the OWASP project's methodology, which is quite thorough and widely discussed.


Here is the 2010 top 10:
* I chose not to translate the names of the flaws, because it is easier to find references about them in English.

A1 Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
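
As an added illustration of the A1 risk (example code written for this post, not OWASP's own): the same lookup written by splicing input into the query text, and again with a bound parameter, against a small constructed SQLite table.

```python
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # Untrusted input is concatenated into the command text, so the
    # interpreter (SQLite) cannot tell where the query ends and the data begins.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    # The query text is fixed; the value travels separately as a bound
    # parameter and is only ever treated as data, never as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed hostile input
    print(find_user_vulnerable(db, hostile))     # both rows: the WHERE clause was rewritten
    print(find_user_parameterized(db, hostile))  # []: no user is literally named that
```

The parameterized form is the fix the OWASP guidance recommends; input validation alone does not remove the underlying mixing of code and data.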

A2 Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A3 Broken Authentication and Session Management
Application functions related to authentication and session management are frequently implemented incorrectly, allowing attackers to compromise passwords, keys/indexes, or session tokens, or to exploit implementation flaws to assume other users' identities.

A4 Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
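
An added example for A4 (not from the post or from OWASP): the raw database key taken from the URL versus the same lookup behind an ownership check, plus a per-session indirect reference map, which is the second mitigation OWASP suggests. The invoice table and user names are constructed.

```python
import secrets

# Constructed data: invoice id -> record. The id is what a URL like
# /invoice?id=102 exposes to the browser.
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 75.5},
}


class Forbidden(Exception):
    pass


def get_invoice_insecure(invoice_id):
    # Direct object reference with no check: any logged-in user who edits
    # the number in the URL reads someone else's invoice.
    return INVOICES[invoice_id]


def get_invoice(invoice_id, current_user):
    # Same lookup, but the record is only released after an ownership check.
    # Unknown and foreign ids produce the same error, so the response does
    # not reveal whether an id exists.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != current_user:
        raise Forbidden(f"{current_user} may not read invoice {invoice_id}")
    return invoice


def issue_reference(session, invoice_id):
    # Indirect reference: the browser gets an opaque handle that is only
    # meaningful inside this session's map, so the real key never leaves
    # the server and cannot be incremented by the client.
    handle = secrets.token_urlsafe(8)
    session.setdefault("refs", {})[handle] = invoice_id
    return handle


def get_invoice_by_handle(session, handle, current_user):
    invoice_id = session.get("refs", {}).get(handle)
    if invoice_id is None:
        raise Forbidden(f"unknown reference {handle}")
    return get_invoice(invoice_id, current_user)
```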

A5 Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests that the vulnerable application thinks are legitimate requests from the victim.
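
Added example for A5 (written for this post, not OWASP code): a synchronizer token bound to the server-side session. The forged request carries the victim's cookie, so the session is found, but a page on another origin cannot read the token to include it, and the handler refuses the state change. The session dict and form dict stand in for a real framework's objects.

```python
import hmac
import secrets


def issue_csrf_token(session):
    # One unpredictable token per session, stored server-side and embedded
    # in every form that changes state.
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_hex(16)
        session["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    # Constant-time comparison; differing lengths simply compare unequal.
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session, form):
    # State-changing handler: the session cookie alone is not enough,
    # the request must also prove it came from a page we served.
    if not verify_csrf(session, form.get("csrf_token")):
        return 403, "CSRF check failed"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    session = {}                      # constructed logged-in session
    token = issue_csrf_token(session)
    # Legitimate form submission from our own page includes the token.
    print(handle_transfer(session, {"csrf_token": token, "amount": "10", "to": "bob"}))
    # Forged cross-site request: browser attaches the cookie, but no token.
    print(handle_transfer(session, {"amount": "10", "to": "mallory"}))
```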

A6 Security Misconfiguration
Security depends on having a well-defined secure configuration for the application, framework, web server, application server, and platform. All of these settings should be defined, implemented, and maintained, since many are not shipped with secure defaults.

A7 Failure to Restrict URL Access
Many web applications check access rights before rendering protected links and buttons. However, applications need to perform similar access control checks when these pages are actually requested, or attackers will be able to forge URLs to reach these hidden pages anyway.

A8 Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to reach unauthorized pages.
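
Added example for A8 (mine, not from the post): validating a `next` parameter against an allowlist of hosts before redirecting. It goes a little beyond the text by handling the usual parser mismatches: scheme-relative `//host`, backslashes that browsers read as slashes, credentials before an `@`, and non-HTTP schemes. The origin and allowlist are assumptions.

```python
from urllib.parse import urljoin, urlsplit

SITE = "https://app.example.test"                       # assumed application origin
ALLOWED_HOSTS = {"app.example.test", "help.example.test"}  # constructed allowlist
DEFAULT = "/home"                                       # safe fallback destination


def safe_redirect_target(next_url):
    """Return an absolute URL on an allowed host, or DEFAULT if the
    untrusted value points anywhere else."""
    if not next_url:
        return DEFAULT
    # Browsers treat "\" like "/" in URLs, so "/\evil.test" would be read as
    # "//evil.test"; normalize before parsing so both are judged the same.
    candidate = next_url.replace("\\", "/")
    # Resolve relative to our own origin: "/dashboard" becomes
    # https://app.example.test/dashboard, while "//evil.test/x" becomes
    # https://evil.test/x and is then rejected by the host check.
    resolved = urljoin(SITE + "/", candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return DEFAULT          # javascript:, data:, and friends
    # .hostname drops any user:pass@ prefix and lowercases, so
    # "https://app.example.test@evil.test/" is seen as evil.test.
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT
    return resolved


if __name__ == "__main__":
    for value in ["/dashboard", "//evil.test/phish", "/\\evil.test/phish",
                  "https://app.example.test@evil.test/", "javascript:alert(1)"]:
        print(repr(value), "->", safe_redirect_target(value))
```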

A9 Insecure Cryptographic Storage
Many web applications do not properly protect sensitive data, such as credit card numbers, SSNs (Social Security Numbers), and authentication credentials, with appropriate encryption and hashing algorithms. Attackers may use this poorly protected data to commit identity theft, credit card fraud, or other crimes.
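
Added example for A9, covering the credential case (example code for this post, not OWASP's): an unsalted fast hash next to salted PBKDF2 with a stored work factor and constant-time verification. The iteration count and record format are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor; raise it as hardware allows


def weak_hash(password):
    # Unsalted, fast digest: identical passwords give identical records,
    # and precomputed tables recover them cheaply.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    # Per-user random salt: the same password yields different records,
    # and a slow derivation makes guessing expensive for the attacker.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, stored):
    # The record carries its own algorithm, iterations and salt, so old
    # records keep verifying after ITERATIONS is raised for new ones.
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iters = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    # Constant-time compare avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)
```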

A10 Insufficient Transport Layer Protection
Applications frequently fail to encrypt their network traffic when sensitive communications need protecting. When they do encrypt, they sometimes use weak algorithms, expired or invalid certificates, or fail to use them correctly.

See the full descriptions of the flaws, along with examples and the techniques and tools that can be used to mitigate or eliminate these risks.


31 comments:
