AppSec California 2017

Day in and day out, web applications are subject to unwanted automated usage. These events often relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Example of these events include click fraud, comment spamming, content scraping, password cracking, and many more. 

Without common language and terminology between architects and developers architects, business owners and engineers, builders and defenders, and security vendors and buyers, misunderstandings do happen, and they can be costly. The OWASP project on Automated Threats to Web Applications has produced an ontology providing a common language to facilitate clear communication and help tackle the issues. The project identifies symptoms of these issues and discusses countermeasures against them. 

One product of the project is the OWASP Automated Threat Handbook, which has recently been updated. As with all OWASP materials, the book is free to download and use. This talk will help you navigate the swampland of malicious web automation using the handbook as guide, along with examples from the real world. It will also offer advice, and discussion, on countermeasure techniques usable by builders and defenders alike of web applications. 

This OWASP project is intended to be an information hub for web application owners, builders and defenders, providing practical resources to help them protect their web properties against unwanted automated processes. The project seeks input from the industry -- and the audience -- to continuously improve its impact on real-world unwanted web automation problems.