The OWASP Foundationhttp://www.owasp.org

ABC About me

MOSHIUL ISLAM, CISA

A: Information System AuditorB: Currently working for a Bank – EBL, IT Security DepartmentC: Contributor of OWASP,

Chapter leader & Chair,OWASP Bangladesh  And also Board member of ISACA Dhaka chapter.

Awareness test

2

Only 2 Compromised ATM = -$2M

3

Friday 06-01-2012

• DBS Bank Singapore• 400 Customer become

victim

Hack makes ATM vomit cash

• Mr. Barnaby Jack demonstrated various ATM Attack

• Network attack was significant.

4

Zeus Strikes Mobile Banking

• Real e-banking fraud incidents

• ZeuS Man in the Mobile (MitMo)

–September 2010, Spain

–February 2011, Poland

5

Internet Banking

Infected browser gives full control of the account to attacker

6

High tech crimes are difficult to prove

How you will prove if you become a victim of account forgery?

RSA Hacked, SecurID a Little Less Secure Now

• Breach Size: Data related to SecureID tokens

• Date: March 2011

• Why Significant?

• Targeted criminal hacking

• External threat goes inside the corporation

• Source:

http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/

Access to Hacked GOV, EDU and MIL Websites Sold on Underground Market

8

http://blog.imperva.com/2011/01/major-websites-govmiledu-are-hacked-and-up-for-sale.html

Source:

Where we are ?

•No information

•Don’t know much

9

Our Myth

We have Firewall (which was never updated )

IPS and we are using VPN too.

We are secure

11

Problem Illustrated

Application LayerAttacker sends attacks

inside valid HTTP requestsYour custom code is

tricked into doing something it should not

Security requires software development expertise, not signatures

Network LayerFirewall, hardening,

patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests.

Security relies on signature databasesF

irew

all

Hardened OS

Web Server

App ServerF

irew

all

Dat

abas

es

Leg

acy

Sys

tem

s

Web

Ser

vice

s

Dir

ecto

ries

Hu

man

Res

rcs

Bill

ing

Custom Code

APPLICATIONATTACK

Ne

two

rk L

ay

er

Ap

pli

ca

tio

n L

ay

er

Acc

ou

nts

Fin

ance

Ad

min

istr

atio

n

Tran

sact

ion

s

Co

mm

un

icat

ion

Kn

ow

led

ge

Mg

mt

E-C

om

mer

ce

Bu

s. F

un

ctio

ns

Insider

12

Why Web Application Security important?

Attacks Shift Towards Application Layer

Network Server

WebApplications

% of Attacks % of Dollars

90%

Sources: Gartner, Watchfire

Security Spending

of All Web Applications Are Vulnerable2/3

75%

25%

10%

13

Application Security Is Just Getting Started

You can’t improve what you can’t measure

We need to…

• Experiment

• Share what works

• Combine our efforts

• Long way to go!

What we should do?

We can mitigate Information Security risks by

• Being AWARE,

• Staying up to date

• Following to policy and procedure, and adopting best practices

• MOST Importantly, Placing right person in right place

InfoSec is about People, Process & Technology

14

OWASPThe Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software.

Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

220 Chapters

16

17

Our Successes• OWASP Tools and

Documentation:

• ~15,000 downloads (per month)

• ~30,000 unique visitors (per month)

• ~2 million website hits (per month)

• OWASP Chapters are blossoming worldwide

• 1500+ OWASP Members in active chapters worldwide

• 20,000+ participants

• OWASP AppSec Conferences:

• Chicago, New York, London, Washington D.C, Brazil, China, Germany, more…

• Distributed content portal

• 100+ authors for tools, projects, and chapters

• OWASP and its materials are used, recommended and referenced by many government, standards and industry organizations.

~140 Projects• PROTECT - These are tools and documents

that can be used to guard against security-related design and implementation flaws.

• DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.

• LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

The OWASP Foundationhttp://www.owasp.org

New projects - last 6 months• Common Numbering Project• HTTP Post Tool• Forward Exploit Tool Project• Java XML Templates Project• ASIDE Project• Secure Password Project• Secure the Flag Competition Project• Security Baseline Project• ESAPI Objective – C Project• Academy Portal Project• Exams Project• Portuguese Language Project• Browser Security ACID Tests Project• Web Browser Testing System Project• Java Project• Myth Breakers Project• LAPSE Project• Software Security Assurance Process• Enhancing Security Options Framework

• German Language Project• Mantra – Security Framework• Java HTML Sanitizer• Java Encoder Project• WebScarab NG Project• Threat Modelling Project• Application Security Assessment

Standards Project• Hackademic Challenges Project• Hatkit Proxy Project• Hatkit Datafiddler Project• ESAPI Swingset Interactive Project• ESAPI Swingset Demo Project• Web Application Security Accessibility

Project• Cloud ‐ 10 Project• Web Testing Environment Project• iGoat Project• Opa• Mobile Security Project – Mobile Threat

Model• Codes of Conduct

Conferences

20

Download Get OWASP Books

22

Web Goat A classic vulnerable application to teach developers security code flaws

23

WebScarab – A Proxy Engine

A Proxy tool to intercept Http Request and Http Response

24

Software Assurance Maturity Model

25

Process perspective: Build Security in the SDLC

26

Users and Adopters Payment Card Industry (PCI)

PCI DSS - Requirements 6.5 OWASP Guide (OWASP Top 10) PA-DSS - Requirements 5.2 is OWASP Guide (OWASP Top 10)

Security code review for all the custom code.

OWASP Supporters

27

Educational Supporters

Call for action

• Join OWASP Bangladesh chapter mailing list.

• Join OWASP projects

•Translate material (documents, tool interfaces)

•Together we will achieve our mission!

28

The OWASP Foundationhttp://www.owasp.org

Thank you & enjoy securITy

29