OWASP Top Ten 2013 – PolyHack Montreal

I was part of PolyHack when I was in Montreal last winter, and I still follow what they do and organize.

On the 12th of September they hosted an OWASP Top Ten talk at Polytechnique Montréal. The speaker was Jonathan Marcil, the Montreal OWASP chapter leader. He presented the OWASP Top Ten 2013, a ranking of the ten most critical web application security risks, built from vulnerability data gathered by security professionals. For each risk it describes the threat and gives countermeasures and references for protecting against it.

This guide is very complete and well written. You get a snapshot of every threat, with examples and countermeasures. The top risk (A1) is Injection. This concept is probably the one that rules them all … or nearly all :-). An XSS attack is an injection (of script into a page), session hijacking is also related to injection, and so on … The simple fact that, to exploit a vulnerability, you have to interact with the application means you have to inject something into the system to get a result. Furthermore, I find that security is not taken as seriously, or taught as widely, as it should be. Speaking for myself, I only heard about OWASP in Montreal from a friend who was involved in computer security, and I think that's a shame.
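As an added illustration of the injection concept described above (this is not code from the post or from the talk), the following Python snippet shows the same root cause, untrusted input being interpreted as code rather than data, in two different interpreters: an SQL query built by string concatenation, and an HTML fragment built the same way, each next to its hardened form. The user table, the credentials and the payloads are constructed for the example.

```python
import html
import sqlite3

# Constructed sample accounts for an in-memory database (not real data).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """A1 Injection: the input is concatenated into the query, so the
    database cannot tell where the data ends and the SQL begins."""
    query = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterized query: SQL text and values travel separately, so the
    same payload is compared as a literal string and matches nothing."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def greeting_vulnerable(name):
    """Same root cause, different interpreter: the browser cannot tell the
    user-supplied name from the page's own markup (reflected XSS)."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    """Escaping the HTML metacharacters keeps the name as visible text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Classic payloads: the SQL one closes the quoted string and appends an
# always-true condition; the HTML one closes nothing but adds a script.
SQL_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo():
    """Run both sinks against both payloads and return the outcomes."""
    conn = make_db()
    results = {
        # Query becomes: ... name = 'nobody' AND password = '' OR '1'='1'
        # AND binds tighter than OR, so every row matches and the first
        # user is returned without knowing any credentials.
        "sql_vuln": login_vulnerable(conn, "nobody", SQL_PAYLOAD),
        "sql_safe": login_safe(conn, "nobody", SQL_PAYLOAD),
        "xss_vuln": greeting_vulnerable(XSS_PAYLOAD),
        "xss_safe": greeting_safe(XSS_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of putting both sinks side by side is the one the talk makes: the defence is always the same shape, namely keep data and code apart (parameters for the database, context-aware escaping for the browser) rather than trying to blacklist the payloads themselves.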

It is true that this subject gets very technical very fast, but it is necessary if we want to build great applications that people can trust. Although it should be a concern for any computer science curriculum, I have not yet heard of any computer security teaching at the Ecole des Mines de Nantes.

Back to the subject: the talk by Jonathan Marcil was very interesting. He takes the time to explain what an injection is and gives live examples. He spends nearly half of the talk on injection and then goes over the nine other risks listed in the document.

You should read the document from the link above and watch the video of the talk just below. Unfortunately for some readers, it is in French.