Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Foundation Inc.
Overview, Version 2.0, May 25th 2009
Agenda
• OWASP Introduction
• OWASP Project Parade
• OWASP Near You?
Web Applications
[Architecture diagram: a web client (IE, Mozilla, etc.) sends an HTTP request, clear-text or SSL, across the Internet to a web server in the DMZ (Apache, IIS, Netscape, etc.) and receives an HTTP reply (HTML, JavaScript, VBScript, etc.). The web server hosts the web apps (Perl, C++, CGI, Java, ASP, PHP, etc.), which may call an optional app server in the protected network (J2EE server, ColdFusion, Oracle 9iAS, etc.) over a transport such as AJP, IIOP, T9, etc. The app server reaches databases in the internal network (Oracle, SQL Server, etc.) via ADO, ODBC, JDBC, etc.]
OWASP
The Open Web Application Security Project (OWASP Foundation Inc.) was established in 2001. The vision is a software market that produces code that is secure enough to rely on.
The mission (to achieve that vision) is to make security visible (or transparent) so that software buyers and sellers are on equal footing and market forces can work.
International not-for-profit charitable organization funded primarily by volunteers' time, OWASP memberships ($50 individuals, $5k supporters), and OWASP conference fees.
Website: 6,464 registered users, 21,552,771 page views, and 55,941 page edits
Participation in OWASP is free and open to all
OWASP Foundation Inc. - 501(c)(3)
• Volunteer Board (5): Jeff, Dinis, Tom, Dave, Seba
• Volunteer Global Committee Members (25+) (see Global Committee slide)
• Local Chapters (130+)
• Lots of Projects
• OWASP Employees (6)
Global Committee
http://www.owasp.org/index.php/About_OWASP
2009 Supporters
http://www.owasp.org/index.php/Membership
OWASP Mission
The mission is to make security visible (or transparent) so that software buyers and sellers are on equal footing and market forces can work.
OWASP Resources and Community
www.owasp.org
130+ Chapters Worldwide
OWASP Conferences (2008-2009)
[Map of conference locations and dates]
• Gold Coast, Feb 2008 (+2009)
• Brussels, May 2008
• India, Aug 2008
• NYC, Sep 2008
• Israel, Sep 2008
• Taiwan, Oct 2008
• Minnesota, Oct 2008
• Germany, Nov 2008
• Portugal Summit, Nov 2008
• Denver, Spring 2009
• Poland, May 2009
• DC, Sep 2009
• Ireland, 2009
Summit Portugal
2009 Focus
• 80+ application security experts from 20+ countries
• New free tools and guidance (SoC08)
• New outreach program: technology vendors, framework providers, and standards bodies; a new program to provide free one-day seminars at universities and developer conferences worldwide
• New Global Committee structure: Education, Chapter, Conferences, Industry, Projects, Membership
OWASP Projects: Improve Quality and Support
• Define criteria for quality levels: Alpha, Beta, Release
• Encourage increased quality through Season of Code funding and support; produce professional OWASP books
• Provide support: full-time executive director (Kate Hartmann), full-time project manager (Paulo Coimbra), half-time technical editor (Kirsten Sitnick), half-time financial support (Alison Shrader); looking to add programmers (interns and professionals)
OWASP Top 10
• The Ten Most Critical Web Application Security Vulnerabilities, 2007 Release
• A great start, but not a standard
• 3rd version of the Top 10 (2009) coming soon *Help Wanted*
Key Application Security Vulnerabilities
www.owasp.org/index.php?title=Top_10_2007
The 'Big 4' Documentation Projects
• Building Guide
• Code Review Guide
• Testing Guide
• Application Security Desk Reference (ASDR)
The Guide
• Complements the OWASP Top 10
• 310-page book
• Free and open source (GNU Free Documentation License)
• Many contributors
• Apps and web services; most platforms (examples are J2EE, ASP.NET, and PHP)
• Comprehensive
• Project Leader and Editor: Andrew van der Stock, [email protected]
Uses of the Guide
• Developers: use for guidance on implementing security mechanisms and avoiding vulnerabilities
• Project Managers: use for identifying activities (threat modeling, code review, penetration testing) that need to occur
• Security Teams: use for structuring evaluations, learning about application security, and remediation approaches
Each Topic
Includes basic information (like the OWASP Top 10):
• How to determine if you are vulnerable
• How to protect yourself
Adds:
• Objectives
• Environments affected
• Relevant COBIT topics
• Theory
• Best practices
• Misconceptions
• Code snippets
Testing Guide v2: Index (NOW AT VERSION 3.0)
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
What Is the OWASP Testing Guide?
• Testing categories: information gathering, business logic testing, authentication testing, session management testing, data validation testing, denial of service testing, web services testing, Ajax testing
• Testing principles, testing process, custom web applications
• Black box testing, grey box testing
• Risk and reporting
• Appendix: Testing Tools; Appendix: Fuzz Vectors
SoC08 version 3
• Improve version 2: improved 9 articles
• Total of 10 testing categories and 66 controls
• New sections and controls: Configuration Management, Authorization Testing
• 36 new articles
• New Encoded Injection Appendix
How the Guide helps the security industry
Testers:
• A structured approach to the testing activities
• A checklist to be followed
• A learning and training tool
Organisations:
• A tool to understand web vulnerabilities and their impact
• A way to check the quality of security tests
More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the testing groups and their 'customers'. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security of our applications.
Tools
http://www.owasp.org/index.php/Phoenix/Tools
Best known OWASP tools: WebGoat, WebScarab
Remember: A Fool with a Tool is still a Fool
Tools – At Best 45%
MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE)
They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
OWASP CSRFTester
OWASP CSRFGuard 2.0
Adds token to:
• href attribute
• src attribute
• hidden field in all forms
Actions:
• Log
• Invalidate
• Redirect
http://www.owasp.org/index.php/CSRFGuard
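CSRFGuard's approach is to stamp a per-session token into the page's links, image sources and forms and then reject any state-changing request that does not carry it. The Python sketch below is an added illustration of that flow, not CSRFGuard's own code (which is a Java servlet filter): inject_token rewrites href and src attributes and adds a hidden field to every form, and check_request applies the Log, Invalidate and Redirect actions on a mismatch. The token parameter name and the error page path are constructed placeholders.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_NAME = "OWASP_CSRFTOKEN"  # constructed parameter name, not CSRFGuard's real config


def new_token() -> str:
    """Unpredictable per-session token; an attacker's page cannot read it cross-origin."""
    return secrets.token_hex(16)


def inject_token(html: str, token: str) -> str:
    """Stamp the token into href/src attributes and add a hidden field to every form."""
    def add_to_url(m: re.Match) -> str:
        url = m.group(2)
        sep = "&" if "?" in url else "?"
        return f'{m.group(1)}="{url}{sep}{TOKEN_NAME}={token}"'
    html = re.sub(r'\b(href|src)="([^"]*)"', add_to_url, html, flags=re.I)
    hidden = f'<input type="hidden" name="{TOKEN_NAME}" value="{token}">'
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + hidden, html, flags=re.I)


@dataclass
class Session:
    token: str = field(default_factory=new_token)
    valid: bool = True


@dataclass
class Outcome:
    allowed: bool
    log: list = field(default_factory=list)
    redirect: Optional[str] = None


def check_request(session: Session, params: dict,
                  actions=("log", "invalidate", "redirect"),
                  error_page: str = "/csrf-error") -> Outcome:
    """Accept only requests carrying the session token; otherwise run the configured actions."""
    submitted = params.get(TOKEN_NAME)
    if submitted is not None and secrets.compare_digest(submitted, session.token):
        return Outcome(allowed=True)
    out = Outcome(allowed=False)
    if "log" in actions:         # Log: record the mismatch for monitoring
        out.log.append(f"CSRF token mismatch: got {submitted!r}")
    if "invalidate" in actions:  # Invalidate: end the session the forged request rode on
        session.valid = False
    if "redirect" in actions:    # Redirect: send the browser to an error page
        out.redirect = error_page
    return out
```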
The OWASP Enterprise Security API
Coverage
Create Your ESAPI Implementation
Your security services:
• Wrap your existing libraries and services
• Extend and customize your ESAPI implementation
• Fill in gaps with the reference implementation
Your coding guideline:
• Tailor the ESAPI coding guidelines
• Retrofit ESAPI patterns to existing code
OWASP CLASP
Comprehensive, Lightweight Application Security Process
• Prescriptive and proactive
• Centered around 7 AppSec best practices
• Covers the entire software lifecycle (not just development)
• Adaptable to any development process
• CLASP defines roles across the SDLC
• 24 role-based process components
• Start small and dial in to your needs
The CLASP Best Practices
1. Institute awareness programs
2. Perform application assessments
3. Capture security requirements
4. Implement secure development practices
5. Build vulnerability remediation procedures
6. Define and monitor metrics
7. Publish operational security guidelines
SDLC & OWASP Guidelines
[Framework diagram]
Want More?
• OWASP .NET Project
• OWASP ASDR Project
• OWASP AntiSamy Project
• OWASP AppSec FAQ Project
• OWASP Application Security Assessment Standards Project
• OWASP Application Security Metrics Project
• OWASP Application Security Requirements Project
• OWASP CAL9000 Project
• OWASP CLASP Project
• OWASP CSRFGuard Project
• OWASP CSRFTester Project
• OWASP Career Development Project
• OWASP Certification Criteria Project
• OWASP Certification Project
• OWASP Code Review Project
• OWASP Communications Project
• OWASP DirBuster Project
• OWASP Education Project
• OWASP Encoding Project
• OWASP Enterprise Security API
• OWASP Flash Security Project
• OWASP Guide Project
• OWASP Honeycomb Project
• OWASP Insecure Web App Project
• OWASP Interceptor Project
• OWASP JBroFuzz
• OWASP Java Project
• OWASP LAPSE Project
• OWASP Legal Project
• OWASP Live CD Project
• OWASP Logging Project
• OWASP Orizon Project
• OWASP PHP Project
• OWASP Pantera Web Assessment Studio Project
• OWASP SASAP Project
• OWASP SQLiX Project
• OWASP SWAAT Project
• OWASP Sprajax Project
• OWASP Testing Project
• OWASP Tools Project
• OWASP Top Ten Project
• OWASP Validation Project
• OWASP WASS Project
• OWASP WSFuzzer Project
• OWASP Web Services Security Project
• OWASP WebGoat Project
• OWASP WebScarab Project
• OWASP XML Security Gateway Evaluation Criteria Project
• OWASP on the Move Project
SoC2008 selection
• OWASP Code Review Guide, V1.1
• The Ruby on Rails Security Guide v2
• OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)
• Internationalization Guidelines and OWASP-Spanish Project
• OWASP Application Security Desk Reference (ASDR)
• OWASP .NET Project Leader
• OWASP Education Project
• The OWASP Testing Guide v3
• OWASP Application Security Verification Standard
• Online code signing and integrity verification service for open source community (OpenSignServer)
• Securing WebGoat using ModSecurity
• OWASP Book Cover & Sleeve Design
• OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief
• OWASP Access Control Rules Tester
• OpenPGP Extensions for HTTP - Enigform and mod_openpgp
• OWASP-WeBekci Project
• OWASP Backend Security Project
• OWASP Application Security Tool Benchmarking Environment and Site Generator refresh
• Teachable Static Analysis Workbench
• OWASP Positive Security Project
• GTK+ GUI for w3af project
• OWASP Interceptor Project - 2008 Update
• Skavenger
• SQL Injector Benchmarking Project (SQLiBENCH)
• OWASP AppSensor - Detect and Respond to Attacks from Within the Application
• OWASP Orizon Project
• OWASP Corporate Application Security Rating Guide
• OWASP AntiSamy .NET
• Python Static Analysis
• OWASP Classic ASP Security Project
• OWASP Live CD 2008 Project
OWASP Projects Are Alive!
[Timeline: 2001, 2003, 2005, 2007, 2009 …]
Upcoming Conferences
• July 2009 - OWASP New Zealand Day 2009 - New Zealand: July 13th, 2-track conference, University of Auckland, Auckland, New Zealand (registrations are open)
• September 2009 - OWASP AppSec Ireland 2009: September 10th, 1-day conference at Trinity College in Dublin
• October 2009 - OWASP AppSec Brazil 2009: October 27th-30th, conference and tutorials at Câmara dos Deputados, Anexo II, Praça dos Três Poderes
• November 2009 - OWASP AppSec US 2009 - Washington, D.C.
http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference
Chapter Resources
• Meetings
• Local mailing list
• Presentations & groups
• Open forum for discussion
• Meet fellow InfoSec professionals
• Create (Web)AppSec awareness
• Local projects?
• JOBS = http://www.owasp.org/index.php/OWASP_Jobs
TTD
• Subscribe to your local chapter mailing list
• Visit www.owasp.org
• Find your local chapter
• Listen to podcasts
• Watch videos
• Read materials
• Post your (Web)AppSec questions
• Come to a meeting to meet peers
• Contribute to discussions
• Conference