1 / 41

Meet OWASP: resources you can use, today.

Meet OWASP: resources you can use, today. Antonio Fontes antonio.fontes@owasp.org OWASP Geneva Chapter Leader Switzerland. About myself. Software / Web application security architect Independent (no ties with any integrator/vendor) OWASP Leader: Member of the Board, OWASP Switzerland

thalia
Download Presentation

Meet OWASP: resources you can use, today.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Meet OWASP: resources you can use, today. Antonio Fontesantonio.fontes@owasp.orgOWASP Geneva Chapter LeaderSwitzerland

  2. About myself • Software / Web application security architect • Independent (no ties with any integrator/vendor) • OWASP Leader: • Member of the Board, OWASP Switzerland • Leader, OWASP Geneva Chapter • Core interests: • Software Assurance Maturity Model (SAMM) • Application Security Verification Standard (ASVS)

  3. State of Information Security The problem?There are not enough qualifiedapplication security professionals What can we do about it? • Make application security visible • Provide Developers and Software Testers with materials and tools helping them to build more secure applications

  4. What is OWASP? • Open Web Application Security Project https://www.owasp.org • Global community, driving and promoting safety and security of world’s software • Not-for-profit foundation registered in the United States and a non-profit association registered in European Union • Open: • Everyone is free to participate • All OWASP materials & tools are free

  5. OWASP by Numbers • 12 years of community service • 88+ Government & Industry Citations • including DHS, ISO, IEEE, NIST, SANS Institute, PCI-DSS, CSA, etc • 36,000+ registered members to the mailing lists • 320,000+ unique visitors per month • 1,000,000+ page viewed per month • 15,000+ tools and documents downloaded each month

  6. OWASP by the Numbers (cont) • Year 2013 Budget: USD$580,000 • 2081 individual members and honorary members • 70 countries • 60+ donating Corporate Members • 100+ supporting Academic Members • 198 Active Chapters • 168 Active Projects • 4 Global AppSec Conferences per Year

  7. OWASP by the Numbers (cont)

  8. Started in 2008 • Promote application security through chapter meetings and collaboration with local developer communities • 2013: • Contact initiated with local developer groups (*UG) • 5 meetings planned • Board made of 3 industry representatives: consulting, banking/finance and public administration sectors: Antonio Fontesantonio.fontes@owasp.org Thomas Hoferthomas.hofer@owasp.org Simon Blanchetsimon.blanchet@owasp.org

  9. OWASP Projects & Tools • Make application security visible • Videos, podcasts, books, guidelines, cheat sheets, tools, … • Available under a free and open software license • Used, recommended and referenced by many government, standards and industry organisations • Open for everyone to participate 9

  10. OWASP Projects & Tools - Classification • 168+ Active Projects • PROTECT • guard against security-related design and implementation flaws. • DETECT • find security-related design and implementation flaws. • LIFE CYCLE • add security-related activities into software processes (eg. SDLC, agile, etc) 10

  11. OWASP Projects & Tools – An Overview • DETECT • OWASP Top 10 • OWASP Code Review Guide • OWASP Testing Guide • OWASP Cheat Sheet Series • PROTECT • OWASP ESAPI • OWASP ModSecurity CRS • OWASP AppSec Tutorials • OWASP ASVS • OWASP LiveCD / WTE • OWASP ZAP Proxy • LIFE CYCLE • WebGoat J2EE • WebGoat .NET Full list of projects (release, beta, alpha) http://www.owasp.org/index.php/Category:OWASP_Project 11

  12. 10 Most critical web application security risks • The most visible OWASP project • Classifies some of the most critical risks • Essential reading for anyone developing web applications • Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, FTC, and many more

  13. OWASP Top Ten (2013 Edition)

  14. OWASP Top 10 Risk Rating Methodology 1 2 3 Injection Example 1.66 weighted risk rating

  15. Code Review Guide • Code review is probably the most effective technique for identifying security flaws • Focuses on the mechanics of reviewing code for certain vulnerabilities • A key enabler for the OWASP fight against software insecurity • Update is in progress

  16. Code Review Guide (cont) • Focuses on .NET and Java, but has some C/C++ and PHP • Integration of secure code review into software development processes • Understand what you are reviewing • Security code review is not a silver bullet, but a key component of an IS program

  17. Testing Guide • Create a "best practices" web application penetration testing framework • A low-level web application penetration testing guide • Recommended for developers and software testers • Update in progress https://www.owasp.org/index.php/OWASP_Testing_Project

  18. Cheat Sheet Series • Provide a concise collection of high value information on specific web application security topics https://www.owasp.org/index.php/Cheat_Sheets Developer Cheat Sheets (Builder) Authentication Clickjacking Defense Cryptographic Storage HTML5 Security Input Validation Query Parameterization Session Management SQL Injection Prevention … Assessment Cheat Sheets (Breaker) Attack Surface Analysis XSS Filter Evasion … Mobile Cheat Sheets IOS Developer Mobile Jailbreaking …

  19. Cheat Sheet Series (cont) • The most visible OWASP project • Classifies some of the most critical risks • Essential reading for anyone developing web applications • Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more

  20. Cheat Sheet Series (cont)

  21. AppSec Tutorial Series https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series • Application security video based training • Four episodes are available

  22. ASVS: Application Security Verification Standard • Provides a basis for testing application technical security controls • Use as a metric – assess the degree of trust on existing security controls • Use as guidance – for what to build as part of planned security controls • Use during procurement

  23. ASVS: Levels

  24. ASVS: Verification Requirements V1. Authentication V2. Session Management V3. Access Control V4. Input Validation V5. Cryptography (at Rest) V6. Error Handling and Logging V7. Data Protection V8. Communication Security V9. HTTP Security V10. Malicious Controls V11. Business Logic V12. Files and Resources V13. Mobile

  25. SAMM: Software Assurance Maturity Model • A framework to integrate security into software development and procurement/acquisition processes. • A maturity model to qualify a software security initiative under a repeatable process, in time or across several uits.

  26. SAMM: Software Assurance Maturity Model

  27. LiveCD / WTE • Make application security tools and documentation easily available • Collects some of the best open source security projects in a single environment • Boot from this Live CD and have access to a full security testing suite http://appseclive.org/

  28. Mailing list 101 • A list for introductoryquestions on application security Open access: https://lists.owasp.org/mailman/listinfo/security101

  29. Zed Attack Proxy • One of the flagship OWASP projects • Easy to use integrated penetration testing tool for assessing web applications • Ideal for developers and functional testers who are new to penetration testing • Completely free and open source • Cross platform, internationalised

  30. ZAP Proxy: Features • Upcoming: • New Spider with Ajax functionality • Session scope awareness • Web socket support • Scanning modes • (Safe/Protected/Standard) • Scripting console • Intercepting Proxy • Automated scanner • Passive scanner • Brute Force scanner • Spider • Fuzzer • Port scanner • Dynamic SSL certificates • API • Beanshell integration

  31. ESAPI: Enterprise Security API • Free, open source, web application security controls library • Provide developers with libraries for writing lower-risk applications • Allow retrofitting security into existing applications • Serve as a solid foundation for new development • Support for Java, PHP and Force.com – there could be more languages supported

  32. ESAPI: functions and services Existing Enterprise Security Services/Libraries

  33. ESAPI: Validation and Encoding Controller Business Functions Data Layer Validator Encoder User Backend encodeForJavaScript isValidCreditCard encodeForVBScript isValidDataFromBrowser encodeForURL isValidDirectoryPath encodeForHTML isValidFileContent encodeForHTMLAttribute isValidFileName encodeForLDAP isValidHTTPRequest encodeForDN isValidListItem encodeForSQL isValidRedirectLocation Canonicalization encodeForXML isValidSafeHTML Double Encoding Protection encodeForXMLAttribute isValidPrintable Sanitization encodeForXPath safeReadLine Normalization

  34. ModSecurity CRS: Core Rule Set • Free certified rule set for ModSecurity WAF • Generic web applications protection: • Common Web Attacks Protection • HTTP Protection • Real-time Blacklist Lookups • HTTP Denial of Service Protection • Automation Detection • Integration with AV Scanning for File Uploads • Tracking Sensitive Data • Identification of Application Defects • Error Detection and Hiding https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

  35. WebGoat • Deliberately insecure web application to teach web application security lessons • Over 30 lessons, providing hands-on learning about • Cross-Site Scripting (XSS) • Access Control • Blind/Numeric/String SQL Injection • Web Services • … and many more https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

  36. WebGoat: Java

  37. WebGoat: .NET • A purposefully broken ASP.NET web application • Contains many common vulnerabilities • Intended for use in classroom environments https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET

  38. DEMO • OWASP ZAP Proxy • OWASP WebGoat Java Project

  39. Thank You!

  40. Q&Aif you need inspiration:Where/How do we start using OWASP?How can we help OWASP in return?Can you tell us more about project ______ ?

  41. https://www.owasp.orghttps://www.owasp.org/index.php/Geneva

More Related