OWASP – an Introduction
Presentation Transcript

  1. OWASP – an Introduction
  Simon Bennetts, OWASP chapter and project lead, psiinon@gmail.com
  Manchester Linux Users Group, February 2011

  2. What is OWASP?
  • Open Web Application Security Project
  • Promotes secure software development
  • Oriented to the delivery of web oriented services
  • Focused primarily on the “back-end” rather than on web-design issues
  • An open forum for discussion
  • A free resource for any development team

  3. What is OWASP?
  • Open Web Application Security Project
  • Non-profit, volunteer driven organization
      • All members are volunteers
      • All work is donated by sponsors
  • Provide free resources to the community
      • Software, Publications, Articles, Standards
      • Testing and Training Software
      • Local Chapters & Mailing Lists
  • Supported through sponsorships
      • Corporate support through financial or project sponsorship
      • Personal sponsorships from members

  4. OWASP Top Ten
  Category: Detection; Type: Documentation; Status: Release quality
  An awareness document that describes the top ten most common web application security risks

  5. OWASP Developers Guide
  Category: Protection; Type: Documentation; Status: Release quality
  Guidance on building security in to web applications and web services

  6. OWASP Code Review Guide
  Category: Detection; Type: Documentation; Status: Release quality
  Best practices for reviewing source code for application defects

  7. OWASP Testing Guide
  Category: Detection; Type: Documentation; Status: Release quality
  Application security tests and testing methodology

  8. OWASP AntiSamy
  Category: Protection; Type: Tool; Status: Release quality
  API (available in Java and .NET) for validating rich HTML/CSS input from users to prevent exposure to cross-site scripting and phishing attacks

  9. OWASP Enterprise Security API
  Category: Protection; Type: Tool; Status: Release quality
  A collection of security methods needed to build secure web applications (Java EE, .NET, classic ASP, PHP, ColdFusion, Python, JavaScript, Objective C, Force.com, Ruby, Swingset)

  10. OWASP ModSecurity Core Rule Set
  Category: Protection; Type: Tool; Status: Release quality
  A set of critical protections against attacks across almost every web architecture, for the ModSecurity web application firewall Apache web server module

  11. OWASP WebScarab
  Category: Detection; Type: Tool; Status: Release quality
  HTTP intercepting proxy and tool for performing security testing on web applications

  12. OWASP JBroFuzz
  Category: Detection; Type: Tool; Status: Release quality
  A web application protocol fuzzer for requests being made over HTTP and/or HTTPS

  13. OWASP WebGoat
  Category: Life cycle; Type: Tool; Status: Release quality
  A deliberately insecure J2EE web application designed to provide web application security lessons

  14. OWASP AppSensor project
  Category: Protection; Type: Documentation (& Tool); Status: Beta
  A framework for detecting and responding to attacks from within the application – application layer intrusion detection and prevention

  15. OWASP Zed Attack Proxy
  Category: Detection; Type: Tool; Status: Beta
  HTTP intercepting proxy / penetration testing tool for developers and functional testers

  16. OWASP AppSec Tutorial Series

  17. What else is there?
  • Scores of other projects
  • Common numbering scheme
  • Wiki
  • Cheat sheet series
  • Codes of Conduct
  • Committees
  • Collaborative activities
  • Podcast and newsletter
  • Mailing lists
  • Local chapters

  18. The OWASP top 10
  • A1: Injection
      • Especially SQL: ' OR 1=1 --
  • A2: Cross-Site Scripting (XSS)
      • Injecting HTML / JavaScript: <script>alert('XSS!');</script>
  • A3: Broken Authentication and Session Management
      • A multitude of sins, including session hijacking
  • A4: Insecure Direct Object References
      • Not checking that the user is allowed to access the specified object
      • https://www.mybank.com/AccDetails?acc=12345678
  • A5: Cross-Site Request Forgery (CSRF)
      • Performing an action on a GET request, like:
      • https://www.mybank.com/Transfer?dest=bad.hacker&amount=100000
      • <img src="https://www.mybank.com/Transfer?..." height="0" width="0"/>
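A worked illustration of the A1 and A4 entries on this slide, added here and not part of the deck: the slide's own payload ' OR 1=1 -- run against a string-built query and against a parameterised one, plus an ownership check of the kind the AccDetails?acc= lookup needs. The sqlite3 table, its rows and the function names are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed sample data: two accounts owned by two different users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (acc TEXT, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [("12345678", "alice", 500), ("87654321", "bob", 9000)])
    return db

def details_unsafe(db, acc):
    """A1: acc is pasted into the SQL text. The slide's payload  ' OR 1=1 --
    closes the quote, adds an always-true OR and comments out the rest,
    so a one-account lookup returns every row in the table."""
    sql = "SELECT acc, owner, balance FROM accounts WHERE acc = '" + acc + "'"
    return db.execute(sql).fetchall()

def details_safe(db, acc):
    """Parameterised query: acc reaches the engine as data, never as SQL,
    so the same payload simply matches no account."""
    return db.execute(
        "SELECT acc, owner, balance FROM accounts WHERE acc = ?", (acc,)
    ).fetchall()

def details_authorised(db, current_user, acc):
    """A4: binding the parameter does not stop a logged-in user from asking
    for someone else's acc number; ownership has to be checked as well.
    Returns None when the caller does not own the requested account."""
    return db.execute(
        "SELECT acc, owner, balance FROM accounts WHERE acc = ? AND owner = ?",
        (acc, current_user),
    ).fetchone()
```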

  19. The OWASP top 10
  • A6: Security Misconfiguration
      • Out-of-date software, default passwords, detailed error messages, …
  • A7: Insecure Cryptographic Storage
      • E.g. storing passwords hashed with DES (hello Gawker!)
  • A8: Failure to Restrict URL Access
      • E.g. hoping https://example.com/admin won't be found
  • A9: Insufficient Transport Layer Protection
      • http:// instead of https://
  • A10: Unvalidated Redirects and Forwards
      • http://www.example.com/redirect.jsp?url=evil.com
      • http://www.example.com/boring.jsp?fwd=admin.jsp
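The two A10 URLs on this slide are best handled with an allowlist rather than by trying to recognise bad hosts. The following is an added example, not from the deck; OUR_HOST, FORWARD_TARGETS and the function names are assumed values for the illustration, and it also covers protocol-relative and backslash variants a browser would follow.

```python
from urllib.parse import urlsplit

# Assumed for this example (not from the slides): the application's own host
# and the only internal pages a ?fwd= parameter is allowed to forward to.
OUR_HOST = "www.example.com"
FORWARD_TARGETS = {"home.jsp", "boring.jsp", "profile.jsp"}

def safe_redirect_target(url, default="/"):
    """A10: return a value the app may safely place in a Location header.
    Only site-relative paths, or absolute https URLs on OUR_HOST, are kept;
    anything else (evil.com, //evil.com, other schemes) becomes default."""
    if not url or "\\" in url:
        # Browsers treat a backslash like a slash, so "/\\evil.com" would be
        # read as "//evil.com": reject rather than try to normalise it.
        return default
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: host must be exactly ours, over https
        # (an http:// target would also be an A9 downgrade).
        if parts.scheme != "https" or parts.netloc.lower() != OUR_HOST:
            return default
    elif not url.startswith("/") or url.startswith("//"):
        # "evil.com" (no leading slash) or "///evil.com" (browsers collapse the
        # extra slashes and read it as a protocol-relative URL).
        return default
    # Re-emit as a path-only reference so the response can never name another host.
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")

def allowed_forward(fwd):
    """The ?fwd= parameter selects a server-side forward, so it is matched
    against an allowlist of page names instead of being trusted as a path.
    The forwarded page must still enforce its own access control (A8)."""
    return fwd if fwd in FORWARD_TARGETS else None
```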

  20. Questions