The OWASP Foundation http://www.owasp.org
About me
MOSHIUL ISLAM, CISA
A: Information System Auditor
B: Currently working for a bank (EBL), IT Security Department
C: Contributor to OWASP, Chapter Leader & Chair, OWASP Bangladesh; also Board member of ISACA Dhaka chapter.
Hack makes ATM vomit cash
• Mr. Barnaby Jack demonstrated various ATM attacks.
• The network attack was significant.
Zeus Strikes Mobile Banking
• Real e-banking fraud incidents
• ZeuS Man in the Mobile (MitMo)
– September 2010, Spain
– February 2011, Poland
Internet Banking
Infected browser gives full control of the account to attacker
High-tech crimes are difficult to prove
How will you prove it if you become a victim of account forgery?
RSA Hacked, SecurID a Little Less Secure Now
• Breach Size: Data related to SecurID tokens
• Date: March 2011
• Why Significant?
  – Targeted criminal hacking
  – External threat goes inside the corporation
• Source: http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/
Access to Hacked GOV, EDU and MIL Websites Sold on Underground Market
• Source: http://blog.imperva.com/2011/01/major-websites-govmiledu-are-hacked-and-up-for-sale.html
Problem Illustrated
• Application Layer: the attacker sends attacks inside valid HTTP requests; your custom code is tricked into doing something it should not. Security requires software development expertise, not signatures.
• Network Layer: firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests. Security relies on signature databases.
[Diagram: an APPLICATION ATTACK passes through the Network Layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the Application Layer (Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing, Custom Code), which serves the Business Functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce); an Insider is also shown.]
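The slide's point, that a request can be perfectly valid HTTP at the network layer and still trick the custom code behind it, is shown below in a small added Python example. It is not code from the original slides; the sample request, the toy signature list, the SQLite table and the two `lookup_*` handlers are all constructed here for illustration, using a SQL-injection style payload as one instance of an attack carried inside a valid request.

```python
"""Added example: one attack carried inside a syntactically valid HTTP request.

The request, the toy signature filter and the SQLite table are constructed
for this illustration; they are not from the original slides.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: well-formed HTTP, so a firewall, SSL or a
# hardened server sees nothing malformed. The payload lives in the query
# string, which only the custom application code will interpret.
SAMPLE_REQUEST = (
    "GET /account?user=alice'+OR+'1'%3D'1 HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# Toy "network layer" check: a signature database of strings a perimeter
# device might flag. Deliberately typical, not exhaustive: it cannot know
# what the custom code will do with a given parameter value.
SIGNATURES = [re.compile(p, re.IGNORECASE)
              for p in (r"<script", r"\.\./", r"/etc/passwd")]


def parse_request(raw):
    """Return (method, path, query dict, headers) for a simple HTTP/1.x request."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    parts = urlsplit(target)
    # parse_qs decodes '+' and %XX escapes, so the app sees the real value
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    headers = dict(line.split(": ", 1) for line in header_lines if line)
    return method, parts.path, query, headers


def signature_filter_allows(raw):
    """Network-layer view: True when no signature matches the raw request."""
    return not any(sig.search(raw) for sig in SIGNATURES)


def make_db():
    """In-memory table standing in for the bank's 'Accounts' back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250), ("carol", 75)])
    return db


def lookup_vulnerable(db, user):
    """Custom code that builds SQL by string concatenation: the 'should not' case.
    The decoded parameter becomes part of the statement, so the WHERE clause
    no longer means what the developer intended."""
    sql = "SELECT user, balance FROM accounts WHERE user = '" + user + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, user):
    """Same custom code with a bound parameter: the input stays data."""
    return db.execute(
        "SELECT user, balance FROM accounts WHERE user = ?", (user,)
    ).fetchall()


def demo(raw=SAMPLE_REQUEST):
    """Run one request through both layers and report what each one saw."""
    db = make_db()
    _method, _path, query, _headers = parse_request(raw)
    user = query.get("user", "")
    return {
        "perimeter_passed": signature_filter_allows(raw),   # True: nothing to match
        "decoded_user": user,                                # "alice' OR '1'='1"
        "vulnerable_rows": lookup_vulnerable(db, user),      # every account leaks
        "parameterized_rows": lookup_parameterized(db, user),  # no such user
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The signature filter passes the request because there is nothing malformed to match; only the application code, which knows that `user` should name exactly one account, is in a position to reject or neutralise the value. That is the slide's "software development expertise, not signatures" point in running form.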
Why is Web Application Security important?
Attacks Shift Towards Application Layer
[Chart, reconstructed:]
                    % of Attacks    % of Dollars (Security Spending)
Network Server           25%                  90%
Web Applications         75%                  10%
2/3 of All Web Applications Are Vulnerable
Sources: Gartner, Watchfire
Application Security Is Just Getting Started
You can’t improve what you can’t measure
We need to…
• Experiment
• Share what works
• Combine our efforts
• Long way to go!
What should we do?
We can mitigate Information Security risks by
• Being AWARE,
• Staying up to date,
• Following policy and procedure, and adopting best practices,
• MOST importantly, placing the right person in the right place.
InfoSec is about People, Process & Technology
OWASP
The Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software.
Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.
Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
Our Successes
• OWASP Tools and Documentation:
  – ~15,000 downloads (per month)
  – ~30,000 unique visitors (per month)
  – ~2 million website hits (per month)
• OWASP Chapters are blossoming worldwide
  – 1500+ OWASP Members in active chapters worldwide
  – 20,000+ participants
• OWASP AppSec Conferences:
  – Chicago, New York, London, Washington D.C., Brazil, China, Germany, more…
• Distributed content portal
  – 100+ authors for tools, projects, and chapters
• OWASP and its materials are used, recommended and referenced by many government, standards and industry organizations.
~140 Projects
• PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.
• DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.
• LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).
New projects - last 6 months
• Common Numbering Project
• HTTP Post Tool
• Forward Exploit Tool Project
• Java XML Templates Project
• ASIDE Project
• Secure Password Project
• Secure the Flag Competition Project
• Security Baseline Project
• ESAPI Objective-C Project
• Academy Portal Project
• Exams Project
• Portuguese Language Project
• Browser Security ACID Tests Project
• Web Browser Testing System Project
• Java Project
• Myth Breakers Project
• LAPSE Project
• Software Security Assurance Process
• Enhancing Security Options Framework
• German Language Project
• Mantra - Security Framework
• Java HTML Sanitizer
• Java Encoder Project
• WebScarab NG Project
• Threat Modelling Project
• Application Security Assessment Standards Project
• Hackademic Challenges Project
• Hatkit Proxy Project
• Hatkit Datafiddler Project
• ESAPI Swingset Interactive Project
• ESAPI Swingset Demo Project
• Web Application Security Accessibility Project
• Cloud-10 Project
• Web Testing Environment Project
• iGoat Project
• Opa
• Mobile Security Project - Mobile Threat Model
• Codes of Conduct
Software Assurance Maturity Model
Users and Adopters: Payment Card Industry (PCI)
• PCI DSS - Requirement 6.5: OWASP Guide (OWASP Top 10)
• PA-DSS - Requirement 5.2: OWASP Guide (OWASP Top 10)
• Security code review for all the custom code.
OWASP Supporters
Call for action
• Join the OWASP Bangladesh chapter mailing list.
• Join OWASP projects.
• Translate material (documents, tool interfaces).
• Together we will achieve our mission!