@okdt @owaspjapan

Hello

| Enabling Security for Developers |

2015 Asterisk Research, Inc. 1

hHps://commons.wikimedia.org/wiki/File:VerificaOon_in_SE.jpg

3hHps://www.reddit.com/r/funny/comments/1m628n/the_new_iphone_5s_provides_unmatched_security/

vs

PRIORITY Social Impact

Business decisions

FULL-STACK H/W

Network Application Database

Users

RISK Point of failure Unauthorized

access Disasters

Absence of key person

COMMU-NICATION

Team Stakeholders Government Community

4

Screen Shot 2015-08-14 at 19.54.28.png

8

1963 / 249420 = 0.0078.

Less than 1%

Keynote: Facebook CSO Alex Stamos

2015 Asterisk Research, Inc. 11

RMS Titanic deparOng Southampton on April 10, 1912. (Photo: CreaOve Commons)

Intel Edison SD Card size PC

Bluetooth/LE

Wi-Fi

24x32x2.1mm

22nm 500MHz

Linux

1GB RAM

4GB storage

Dual Core IA

hHp://www.intel.com/content/www/us/en/do-it-yourself/edison.html

: OWASP Japan

: OWASP Japan

: OWASP ja.stackoverflow.com

: OWASP stackoverflow.com

1. 2. 3. 4. 5.

OWASP Top 10

Level0()

Level1

Level2

Level3

OWASP ASVS

Level 0: (=)

Level 1: OpportunisOc ()

Level 2: Standard ()

Detailed VerificaOon Requirements OWASP Top 10

Level 3: Advanced ()

: L3+

ASVS L3 +

V2. AuthenOcaOon VerificaOon Requirements

Level 1

V2.1 V2.2 EchoV2.6

Level 2

V2.12 V2.13 Salt

Level 3V2.5

V. IdenOfy

V8. Error Handling and Logging

Level 1

V8.1

Level 2

V8.2

V8.8

Level 3

V8.9

V. IdenOfy

OWASP

OWASP ProActive Controls

ProacOve Controls!

OWASP Internet of Things Top 10

hHps://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project

I1 I2 I3 I4 I5 I6 I7 I8 I9 I10

OWASP IoT Top 10

OWASP Cheat Sheet Project

No 1 Web

2

3 Web

4

5 PHP

6

7 SQL

8 XSS9

201510Cheat Sheet

OWASP! ZAP

1IPAhttps://www.ipa.go.jp/about/technicalwatch/20131212.html

ZAP

POST /confirm.php HTTP/1.1Cookie: PHPSESSID=xxxxxxname=shonantoka>xss&mail=shonantoka%40example.org&gender=1

shonantoka>xssshonantoka@example.org

ZAP

| Enabling Security for Developers |

2015 Asterisk Research, Inc. 35

1. Find risky coding and vulnerabiliOes earlier

2. Fix & Prevent them

3. Improved educa8on and quality throughout SDLC

OWASP Kyushu2015.3

OWASP Kansai2014.3

OWASP Japan2012.3

OWASP SendaiNew

4

OWASP

31

OWASP

10/19

22

OWASP Japan Local Chapter MeeOngs

Reasons for holding OWASP Global AppSec in Japan OWASP Japan Local Chapter 2013.3.1

40

OWASP Japan

() 2015 IT ()IT (IPA2013)

| Enabling Security for Developers |

2015 Asterisk Research, Inc. 42

@okdt @owaspjapan

Thank you

| Enabling Security for Developers |

2015 Asterisk Research, Inc. 43