
Conference Wrapup and Projects’ Status Report

Presentation Transcript


  1. Conference Wrapup and Projects’ Status Report
  Dave Wichers, OWASP Conferences Chair, Aspect Security
  dave.wichers@owasp.org
  dave.wichers@aspectsecurity.com

  2. So How Was the Conference?
  • Did you like:
    • The tutorials?
    • The panels?
    • The refereed papers?
    • Multiple tracks?
  • Suggestions?
  • Where should it be next time?
    • Paris, Rome, Munich, ????

  3. What do YOU want out of OWASP?
  • Mission (just updated on the new Wiki): The Open Web Application Security Project (OWASP) is dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.
  • What (else) do we need to accomplish this mission?

  4. Main OWASP Projects
  • OWASP Top Ten: lead: Jeff Williams
  • OWASP Guide: lead: Andrew van der Stock
  • OWASP Testing Guide: lead: Eoin Keary
  • OWASP .NET: lead: Dinis Cruz
    • Many subprojects (see later slide)
  • OWASP WebGoat: lead: Bruce Mayhew
  • OWASP WebScarab: lead: Rogan Dawes
  • OWASP WASS Project (NEW!!): lead: Mike Andrews
  • OWASP CLASP (NEW!!): lead: Pravir Chandra

  5. OWASP Top Ten Most Critical Web Application Security Vulnerabilities
  • Purpose: Generate awareness of the most critical web application security vulnerabilities
  • Published: Jan 2003, updated Jan 2004
  • Translated into Chinese, French, Italian, Japanese, and Spanish
  • Adopted by many companies and organizations
    • Such as the Payment Card Industry (PCI) Standard
  • Still accurate, but probably deserves an update at this point

  6. OWASP Guide to Building Secure Web Applications
  • Purpose: To help designers and developers produce secure web applications
  • Published:
    • V1 released in 2002
    • V2.0 released July 2005 (293 pp.)
    • V2.1 release targeted for late 2006 as a book, and available in the new OWASP Wiki
  • Usage:
    • V1 downloaded over 2 million times

  7. OWASP Testing Project
  • OWASP Testing Guide
    • 60% done, broad range of areas covered. Techniques include:
      • Application Penetration Testing
      • Application Code Analysis
    • More to be done. Needs authors and reviewers.
    • Finished? First cut: end of the summer (I hope).
  • OWASP “Live CD”
    • Goal: Application testing toolkit “in your pocket”.
    • Contains OWASP tools, including the .NET tools
    • Shall include an indexable HTML version of the Testing Guide. Shall include other commonly used freeware tools.
    • Beta built: To be hosted as an ISO image on owasp.net.

  8. OWASP .NET Project
  • Hosted at www.owasp.net
  • OWASP Site Generator
    • Generates flawed sample apps to test tools against
  • OWASP Validator.NET
  • Partial port of ModSecurity to the .NET platform
  • Other .NET alpha/beta projects
    • Beretta, ANBS, SAM’SHE, ASP.NET Reflector, .NetMon

  9. OWASP WebGoat
  • Purpose: Teach application security principles to developers and analysts
  • Published:
    • V1.0 released in Oct 2002
    • V4.0 released May 2006
  • Usage:
    • Downloaded almost 100,000 times; one of the most widely used OWASP tools

  10. OWASP WebGoat Overview
  • Deliberately insecure J2EE web application
    • Download, unzip and click to run
  • Teaches application security principles
    • Access control
    • SQL injection
    • Authentication & session management
    • Input validation
    • Many more …
  • Training environment
    • Hands-on learning for developers and analysts
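The slide lists SQL injection among the principles WebGoat teaches. As an added illustration (not WebGoat's own lesson code, which is J2EE), the following Python reduces that lesson to its core: an authentication query built by string concatenation beside the parameterized query that fixes it, run against an in-memory SQLite table. The user table and its rows are constructed here for the example.

```python
"""Added example: the authentication bypass a WebGoat-style SQL injection
lesson demonstrates, using sqlite3 so it runs offline.  Not WebGoat code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the lesson's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    # The "before": user input is spliced into the SQL text, so a quote
    # character in the input changes the structure of the statement.
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    # The fix: a parameterized query.  The driver binds the values as data,
    # so whatever characters they contain they cannot alter the statement.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo() -> dict:
    """Run both versions with honest credentials and with the classic
    ' OR '1'='1 payload; returns the matched user names for each case."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "honest_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "honest_safe": login_safe(conn, "alice", "s3cret"),
        # Vulnerable query becomes:
        #   ... WHERE name = 'anyone' AND password = '' OR '1'='1'
        # AND binds tighter than OR, so every row matches.
        "attack_vuln": sorted(login_vulnerable(conn, "anyone", payload)),
        # Safe query compares the password column to the literal payload.
        "attack_safe": login_safe(conn, "anyone", payload),
    }


if __name__ == "__main__":
    for case, users in demo().items():
        print(f"{case}: {users}")
```

The attack case is the one the lesson is built around: the concatenated query returns every user, so a login check of the form "any row came back" succeeds for an attacker who knows no password at all, while the parameterized query returns nothing.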

  11. Version 4.0: A Complete Rewrite (almost)

  12. WebGoat 4.0 Released
  • New multi-stage lessons
    • Role based access control
    • SQL injection
    • Cross-site scripting
  • Updated architecture
    • Uses JSPs
    • Simple front controller
    • Multi-stage lesson support
  • New user guide
  • Multi-user environment

  13. WebGoat Wants Your Ideas!
  • Is WebGoat part of your training environment?
  • What features or lessons do you need?
  • How can you get involved?
  • Lessons needed
    • Forced browsing
    • Denial of service
    • Admin interfaces
    • Privilege escalation
    • Better lesson plans
  Send your comments, ideas, suggestions to: bruce.mayhew@aspectsecurity.com

  14. OWASP WebScarab
  • Purpose:
    • To help test web applications. It is a scriptable proxy and framework that allows a tester to view and modify any traffic between a web client (browser) and a target web application.
  • Other features:
    • Spider, Fuzzer, Session ID graphing
    • Highly scriptable
    • Web Services interface
  • Published:
    • First released in the late 1990s, before OWASP, under a different name
    • Moved to OWASP in July 2003
    • Continuous incremental releases since then (simply dated, no version numbers)
  • Usage:
    • Downloaded over 30,000 times; one of the most widely used OWASP tools

  15. What does WebScarab do?
  • Allows the user to view HTTP(S) conversations between browser and server
  • Allows the user to review/save those conversations
  • Allows the user to intercept and modify requests and responses on the fly
  • Allows the user to replay previous requests
  • Allows the user to script conversations with full access to the request and response object models
  • And much more!

  16. WebScarab Recent Activities
  • Bug-fixes, mostly, some UI changes
  • New plugins
    • Extensions: brute forces common extensions
      • E.g. http://example.com/index.jsp -> index.jsp.bak?
      • E.g. http://example.com/images/ -> images.zip?
    • XSS tester: in progress
  • “Next Generation” in development
    • Using Spring Framework and Spring Rich Client
    • DB backed
    • Not likely anytime soon . . .
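The Extensions plugin described on the slide guesses backup and archive copies of resources the proxy has already seen. The Python below is an added example of that technique, not the plugin's own code: it derives candidate names from a URL the way the slide's two examples do (a file gets backup suffixes, a directory gets archive extensions), probes them, and first sends a control request for a name that cannot exist, because a server that answers 200 to everything makes the status code useless as a signal. The suffix lists, the control name and the fake server used for the offline run are all assumptions of this example.

```python
"""Added example: backup/archive name guessing in the spirit of WebScarab's
Extensions plugin.  Not WebScarab code; wordlists and fake server are
constructed for the example."""
from typing import Callable, Iterable, List
from urllib.parse import urlsplit, urlunsplit
import urllib.error
import urllib.request

# Assumed wordlists; a real run would use a much larger list.
FILE_SUFFIXES = [".bak", ".old", ".orig", "~", ".swp", ".txt"]
DIR_ARCHIVES = [".zip", ".tar.gz", ".tgz", ".rar", ".7z"]
CONTROL_SUFFIX = ".zz-nonexistent-control"   # assumed never to exist


def candidates(url: str) -> List[str]:
    """Names to try for one known resource.
    /index.jsp  -> /index.jsp.bak, /index.jsp.old, ...
    /images/    -> /images.zip, /images.tar.gz, ...
    The site root has no parent name to archive, so it yields nothing."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if path.endswith("/"):
        base = path.rstrip("/")
        if not base:
            return []
        names = [base + ext for ext in DIR_ARCHIVES]
    else:
        names = [path + suf for suf in FILE_SUFFIXES]
    return [urlunsplit((parts.scheme, parts.netloc, n, "", "")) for n in names]


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetcher: HEAD request, status code of the response (or error)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(url: str, fetch: Callable[[str], int]) -> List[str]:
    """Candidates that answer 200.  `fetch` is injected so the same logic
    runs against http_status() or against a fake for offline testing."""
    cands = candidates(url)
    if not cands:
        return []
    # Control request: if a name nobody has also gets 200, the server
    # serves a catch-all page and 200 proves nothing.  Refuse to guess.
    control = url.rstrip("/") + CONTROL_SUFFIX
    if fetch(control) == 200:
        raise RuntimeError("catch-all 200 responses; status is not a usable signal")
    return [c for c in cands if fetch(c) == 200]


def fake_server(exposed: Iterable[str]) -> Callable[[str], int]:
    """Offline stand-in for a target: 200 only for the listed URLs."""
    present = set(exposed)
    return lambda u: 200 if u in present else 404


def demo() -> tuple:
    # Constructed target that has left two backup copies reachable.
    server = fake_server({"http://example.com/index.jsp.bak",
                          "http://example.com/images.zip"})
    return (probe("http://example.com/index.jsp", server),
            probe("http://example.com/images/", server))


if __name__ == "__main__":
    print(demo())
    # Against a live host (only with authorization), swap in the real fetcher:
    # print(probe("http://example.com/index.jsp", http_status))
```

Beyond the catch-all check, a practitioner comparing hits would also look at response length and content type, since some frameworks return 200 with an error body; the injected `fetch` makes it easy to replace the status-code test with a richer comparison.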

  17. OWASP WASS Project (New!)
  • Purpose (Web Application Security Standards Project):
    • Create a minimum set of specific, testable security requirements for a web application to safely process credit card information.
    • The VISA Cardholder Information Security Program (CISP) / Payment Card Industry (PCI) standards address network security but have very little on web application security.
  • Status: Initial strawman set of requirements developed and available for review
  • Needed: Contributors and reviewers

  18. OWASP CLASP Project (New!)
  • Purpose: Provide software development organizations everything they need to develop their own secure development lifecycle.
  • Status: CLASP was developed by Secure Software and just donated to OWASP. In the process of moving all of CLASP into the new OWASP Wiki.
  • Needed: Complete the transition to the OWASP Wiki, then focus on developing new materials that expand the process activities and show how they fit into the entire software development lifecycle.
