
Tour of OWASP’s projects

Tour of OWASP’s projects. Sebastien Deleersnyder Dec 1, 2010. OWASP Tools and Technology. OWASP Body of Knowledge. Guidance and Tools for Measuring and Managing Application Security. Guide to Application Security Testing and Guide to Application Security Code Review.


Presentation Transcript


  1. Tour of OWASP’s projects Sebastien Deleersnyder Dec 1, 2010

  2. OWASP Tools and Technology

  3. OWASP Body of Knowledge • Guidance and Tools for Measuring and Managing Application Security • Guide to Application Security Testing and Guide to Application Security Code Review • Verifying Application Security • Managing Application Security • Guide to Building Secure Web Applications and Web Services • Core Application Security Knowledge Base • Chapters • AppSec Conferences • Projects • Application Security Tools • Acquiring and Building Secure Applications • Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues • AppSec Education and CBT • Research to Secure New Technologies • Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax) • Principles • Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures • OWASP Community Platform (wiki, forums, mailing lists) • Web Based Learning Environment and Guide for Learning Application Security • OWASP Foundation 501c3

  4. Top level view

  5. There are a lot of OWASP projects

  6. Metrics • Categorizing and organizing projects • Maturity, activity level, quality, relevance

  7. Assessment Criteria

  8. Categories • PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws. • DETECT - These are tools and documents that can be used to find security-related design and implementation flaws. • LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

  9. OWASP projects by numbers • Total Projects: 122 • Release quality: 19 • Beta quality: 28 • Alpha quality: 89 • Inactive: 6

  10. Dashboard

  11. Assessment details

  12. Project Parade

  13. The ‘Big 4’ Documentation Projects Building Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR)

  14. The Guide • Complements OWASP Top 10 • 310-page book • Free and open source • GNU Free Documentation License • Many contributors • Apps and web services • Most platforms • Examples are J2EE, ASP.NET, and PHP • Comprehensive • Project Leader and Editor: Andrew van der Stock, vanderaj@owasp.org

  15. Uses of the Guide • Developers: use for guidance on implementing security mechanisms and avoiding vulnerabilities • Project Managers: use for identifying activities (threat modeling, code review, penetration testing) that need to occur • Security Teams: use for structuring evaluations, learning about application security, remediation approaches

  16. Each Topic • Includes basic information (like OWASP Top 10): how to determine if you are vulnerable, how to protect yourself • Adds: objectives, environments affected, relevant COBIT topics, theory, best practices, misconceptions, code snippets

  17. Testing Guide v3: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors

  18. Evolution V3 • v3 sections: Information Gathering, Config. Management Testing, Business Logic Testing, Authentication Testing, Authorization Testing, Session Management Testing, Data Validation Testing, Denial of Service Testing, Web Services Testing, Ajax Testing, Encoded Appendix • v2 sections: Information Gathering, Business Logic Testing, Authentication Testing, Session Management Testing, Data Validation Testing, Denial of Service Testing, Web Services Testing, Ajax Testing

  19. How the Guide helps the security industry • Pen-testers: a structured approach to the testing activities, a checklist to be followed, a learning and training tool • Organisations: a tool to understand web vulnerabilities and their impact, a way to check the quality of the penetration tests they buy • More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its clients. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures.

  20. OWASP Application Security Verification Std • Standard for verifying the security of web applications • Four levels • Automated • Manual • Architecture • Internal

  21. OWASP Software Assurance Maturity Model

  22. Tools • http://www.owasp.org/index.php/Phoenix/Tools • Best known OWASP Tools • WebGoat • WebScarab • Remember: • A Fool with a Tool is still a Fool

  23. Live CD • Project that collects some of the best open source security projects in a single environment • http://www.owasp.org/index.php/LiveCD • Users can boot from Live CD and immediately start using all tools without any configuration

  24. Available Tools • 25 “significant” tools • sqlmap v0.7-rc1 now included!

  25. OWASP WebGoat

  26. OWASP WebScarab

  27. Tools – At Best 45% • MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE). • They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).

  28. The OWASP Enterprise Security API (diagram: ESAPI layered over Existing Enterprise Security Services/Libraries)

  29. Create Your ESAPI Implementation • Your Security Services • Wrap your existing libraries and services • Extend and customize your ESAPI implementation • Fill in gaps with the reference implementation • Your Coding Guideline • Tailor the ESAPI coding guidelines • Retrofit ESAPI patterns to existing code

  30. OWASP CSRFTester

  31. OWASP CSRFGuard 2.0 (diagram: User (Browser) → OWASP CSRFGuard, which verifies the token on incoming requests and adds the token to outgoing HTML → Business Processing) • Adds token to: href attribute, src attribute, hidden field in all forms • Actions on failure: Log, Invalidate, Redirect • http://www.owasp.org/index.php/CSRFGuard
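The token lifecycle the slide sketches (add the token to href and src attributes and as a hidden form field, verify it on each request, and on failure log, invalidate the session and redirect), as an added Python example that is not CSRFGuard's own code; the parameter name, the sample HTML used in the test and the /csrf-error page are assumptions.

```python
import hmac
import re
import secrets

# Request parameter / session key for the token; the name is an assumption for
# this example, not CSRFGuard's configuration.
TOKEN_NAME = "CSRF_TOKEN"


def new_token() -> str:
    """Generate an unpredictable per-session token."""
    return secrets.token_hex(16)


def _with_param(url: str, token: str) -> str:
    """Append the token as a query parameter to a URL."""
    return f"{url}{'&' if '?' in url else '?'}{TOKEN_NAME}={token}"


def add_token(html: str, token: str) -> str:
    """Inject the token where the slide says CSRFGuard does:
    href attributes, src attributes, and a hidden field in every form."""
    html = re.sub(r'href="([^"]*)"', lambda m: f'href="{_with_param(m.group(1), token)}"', html)
    html = re.sub(r'src="([^"]*)"', lambda m: f'src="{_with_param(m.group(1), token)}"', html)
    hidden = f'<input type="hidden" name="{TOKEN_NAME}" value="{token}">'
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + hidden, html)


def verify_token(session: dict, params: dict) -> bool:
    """Compare the submitted token with the session token in constant time."""
    expected, supplied = session.get(TOKEN_NAME), params.get(TOKEN_NAME)
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected, supplied)


def handle_request(session: dict, params: dict,
                   actions=("log", "invalidate", "redirect")) -> dict:
    """Filter step: pass a valid request through, otherwise apply the
    configured failure actions in order (log, invalidate, redirect)."""
    result = {"allowed": True, "log": [], "redirect": None}
    if verify_token(session, params):
        return result
    result["allowed"] = False
    if "log" in actions:
        result["log"].append(f"CSRF token mismatch for user {session.get('user', '?')}")
    if "invalidate" in actions:
        session.clear()  # drop the session so the forged request gains nothing
    if "redirect" in actions:
        result["redirect"] = "/csrf-error"  # hypothetical error page
    return result
```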

  32. SDLC & OWASP Guidelines OWASP Framework

  33. Want More ? • OWASP .NET Project • OWASP ASDR Project • OWASP AntiSamy Project • OWASP AppSec FAQ Project • OWASP Application Security Assessment Standards Project • OWASP Application Security Metrics Project • OWASP Application Security Requirements Project • OWASP CAL9000 Project • OWASP CLASP Project • OWASP CSRFGuard Project • OWASP CSRFTester Project • OWASP Career Development Project • OWASP Certification Criteria Project • OWASP Certification Project • OWASP Code Review Project • OWASP Communications Project • OWASP DirBuster Project • OWASP Education Project • OWASP Encoding Project • OWASP Enterprise Security API • OWASP Flash Security Project • OWASP Guide Project • OWASP Honeycomb Project • OWASP Insecure Web App Project • OWASP Interceptor Project • OWASP JBroFuzz • OWASP Java Project • OWASP LAPSE Project • OWASP Legal Project • OWASP Live CD Project • OWASP Logging Project • OWASP Orizon Project • OWASP PHP Project • OWASP Pantera Web Assessment Studio Project • OWASP SASAP Project • OWASP SQLiX Project • OWASP SWAAT Project • OWASP Sprajax Project • OWASP Testing Project • OWASP Tools Project • OWASP Top Ten Project • OWASP Validation Project • OWASP WASS Project • OWASP WSFuzzer Project • OWASP Web Services Security Project • OWASP WebGoat Project • OWASP WebScarab Project • OWASP XML Security Gateway Evaluation Criteria Project • OWASP on the Move Project

  34. OWASP Research Grants • We support the research that keeps your organization safe!

  35. OWASP Projects Are Alive! (chart: project growth by year, 2001 to 2009)

  36. How to participate? • Start your own project • The best OWASP projects are strategic: get the community involved / build a team • Contribute existing work (open license) • Promotion! • ‘Help’ an existing project

  37. Questions and Answers
