OWASP Overview of Projects You Can Use Today - DefCamp 2012
  • 1. OWASP Projects and Resources You Can Use Today: An Overview
    marian.ventuneac@owasp.org
    OWASP, 29.11.2012
    Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
    The OWASP Foundation, http://www.owasp.org
  • 2. About Myself
    - Security Architect
    - International Presenter
    - Member of the OWASP and ISACA global organizations
    - OWASP Ireland Limerick Chapter Leader: https://www.owasp.org/index.php/Ireland-Limerick
    - Security Researcher, PhD, MEng
    - http://www.ventuneac.net
    - http://secureappdev.blogspot.com
    - http://dcsl.ul.ie
  • 3. State of Information Security
    The problem: there are not enough qualified application security professionals.
    What can we do about it?
    - Make application security visible
    - Provide developers and software testers with materials and tools that help them build more secure applications
  • 4. Who is OWASP?
    Open Web Application Security Project, http://www.owasp.org
    - Global community driving and promoting the safety and security of the world's software
    - OWASP is a registered nonprofit in the United States and Europe
    - Everyone is free to participate
    - All OWASP materials and tools are free
  • 5. OWASP by the Numbers
    - 11 years of community service
    - 88+ government and industry citations, including DHS, ISO, IEEE, NIST, SANS Institute, CSA, etc.
    - 30,000+ mailing list participants
    - 250,000+ unique visitors per month
    - 800,000+ page views per month
    - 15,000+ downloads per month
  • 6. OWASP by the Numbers (cont)
    - Budget for 2012: $591,275
    - 2081 individual members and honorary members from over 70 countries
    - 55+ paid Corporate Members
    - 53+ Academic Supporters
    - 193+ Active Chapters
    - 113+ Active Projects
    - 4 Global AppSec Conferences per year
  • 7. OWASP by the Numbers (cont)
  • 8. OWASP Near You – Romania Chapter
    - Promotes application security and creates local security communities
    - Started in 2008 by Claudiu Constantinescu
    - 2012 chapter reboot; Chapter Leader: Tudor Enache, Penetration Tester @ Electronic Arts, specialized in web and mobile application security testing
    - https://www.owasp.org/index.php/Romania
  • 9. OWASP Projects & Tools
    - Make application security visible
    - Videos, podcasts, books, guidelines, cheat sheets, tools, …
    - Available under a free and open software license
    - Used, recommended and referenced by many government, standards and industry organisations
    - Open for everyone to participate
  • 10. OWASP Projects & Tools – Classification
    113+ active projects, grouped as:
    - PROTECT: guard against security-related design and implementation flaws
    - DETECT: find security-related design and implementation flaws
    - LIFE CYCLE: add security-related activities into software processes (e.g. SDLC, agile, etc.)
  • 11. OWASP Projects & Tools – An Overview
    DETECT:
    - OWASP Top 10
    - OWASP AppSec Tutorials
    - OWASP Code Review Guide
    - OWASP ASVS
    - OWASP Testing Guide
    - OWASP LiveCD / WTE
    - OWASP Cheat Sheet Series
    - OWASP ZAP Proxy
    PROTECT:
    - OWASP ESAPI
    - OWASP ModSecurity CRS
    LIFE CYCLE:
    - WebGoat J2EE
    - WebGoat .NET
    Full list of projects (release, beta, alpha): http://www.owasp.org/index.php/Category:OWASP_Project
  • 12. OWASP Top 10 Security Risks (DETECT)
    - The most visible OWASP project
    - Classifies some of the most critical risks
    - Essential reading for anyone developing web applications
    - Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, FTC, and many more
  • 13. OWASP Top 10 Security Risks (2010 edition): http://www.owasp.org/index.php/Top_10
  • 14. OWASP Top 10 Risk Rating Methodology
    Each risk is scored on attack vector, weakness prevalence, weakness detectability and technical impact (1 = easiest / most severe, 3 = hardest / least severe). Threat agent and business impact are application-specific, shown as "?":

    Score | Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
    1     | ?            | Easy          | Widespread          | Easy                   | Severe           | ?
    2     | ?            | Average       | Common              | Average                | Moderate         | ?
    3     | ?            | Difficult     | Uncommon            | Difficult              | Minor            | ?

    Injection example: Attack Vector 1, Weakness Prevalence 2, Weakness Detectability 2, Technical Impact 1.
    Likelihood = (1 + 2 + 2) / 3 = 1.66; weighted risk rating = 1.66 * 1 = 1.66.
  • 15. OWASP Code Review Guide
    - Code review is probably the most effective technique for identifying security flaws
    - Focuses on the mechanics of reviewing code for certain vulnerabilities
    - A key enabler for the OWASP fight against software insecurity
    - Stable release v1.1; v2 is in progress
  • 16. OWASP Code Review Guide (cont)
    - Focuses on .NET and Java, but has some C/C++ and PHP
    - Integration of secure code review into software development processes
    - Understand what you are reviewing
    - Security code review is not a silver bullet, but a key component of an information security program
  • 17. OWASP Testing Guide
    - Creates a "best practices" web application penetration testing framework
    - A low-level web application penetration testing guide
    - Recommended for developers and software testers
    - Version 3 available; version 4 is in progress
    - https://www.owasp.org/index.php/OWASP_Testing_Project
  • 18. OWASP Cheat Sheet Series
    Provides a concise collection of high-value information on specific web application security topics.
    Developer Cheat Sheets (Builder):
    - Authentication
    - Clickjacking Defense
    - Cryptographic Storage
    - HTML5 Security
    - Input Validation
    - Query Parameterization
    - Session Management
    - SQL Injection Prevention
    - …
    Assessment Cheat Sheets (Breaker):
    - Attack Surface Analysis
    - XSS Filter Evasion
    - …
    Mobile Cheat Sheets:
    - IOS Developer
    - Mobile Jailbreaking
    - …
    https://www.owasp.org/index.php/Cheat_Sheets
  • 19. OWASP Cheat Sheet Series (cont)
    - The most visible OWASP project
    - Classifies some of the most critical risks
    - Essential reading for anyone developing web applications
    - Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more
  • 20. OWASP Cheat Sheet Series (cont)
  • 21. OWASP AppSec Tutorial Series
    https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
    - Make AppSec more visible
    - Provides top-notch, video-based application security training
    - Four episodes available
  • 22. OWASP ASVS – Application Security Verification Standard
    - Provides a basis for testing application technical security controls
    - Use as a metric: assess the degree of trust in existing security controls
    - Use as guidance: what to build as part of planned security controls
    - Use during procurement
  • 23. OWASP ASVS Levels
    - Level 1 – Automated Verification
      - Level 1A – Dynamic Scan (partial automated verification)
      - Level 1B – Source Code Scan (partial automated verification)
    - Level 2 – Manual Verification
      - Level 2A – Penetration Test (partial manual verification)
      - Level 2B – Code Review (partial manual verification)
    - Level 3 – Design Verification
    - Level 4 – Internal Verification
  • 24. OWASP ASVS Verification Requirements
    - V1. Security Architecture
    - V2. Authentication
    - V3. Session Management
    - V4. Access Control
    - V5. Input Validation
    - V6. Output Encoding/Escaping
    - V7. Cryptography
    - V8. Error Handling and Logging
    - V9. Data Protection
    - V10. Communication Security
    - V11. HTTP Security
    - V12. Security Configuration
    - V13. Malicious Code Search
    - V14. Internal Security
  • 25. OWASP LiveCD / WTE
    - Makes application security tools and documentation easily available
    - Collects some of the best open source security projects in a single environment
    - Boot from this Live CD and have access to a full security testing suite
    - http://appseclive.org/
  • 26. OWASP Zed Attack Proxy Project (DETECT)
    - One of the flagship OWASP projects
    - Easy-to-use integrated penetration testing tool for assessing web applications
    - Ideal for developers and functional testers who are new to penetration testing
    - Completely free and open source
    - Cross-platform, internationalised
    - Current version 1.4.1 (v2 in progress)
  • 27. OWASP ZAP Proxy – Features
    Current:
    - Intercepting proxy
    - Automated scanner
    - Passive scanner
    - Brute force scanner
    - Spider
    - Fuzzer
    - Port scanner
    - Dynamic SSL certificates
    - API
    - BeanShell integration
    Upcoming:
    - New spider
    - New Ajax spider
    - Session awareness
    - WebSocket support
    - Session scope
    - Different modes (Safe/Protected/Standard)
    - Scripting console
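
    The passive scanner listed above is the ZAP component that is safe to leave switched on against any target: it only reads the responses that already flow through the proxy and never sends a request of its own. The following is an added example, not ZAP's code, of what such passive rules do: three checks of the same kind as ZAP's (missing X-Frame-Options on HTML, session cookies without HttpOnly/Secure, password fields without autocomplete=off) run over two constructed HTTP responses. The responses, header names and alert texts are the example's own assumptions.

```python
"""
A miniature passive scanner in the spirit of ZAP's passive-scan rules.

Added example, not ZAP's own code: it inspects already-captured HTTP
responses (constructed below) without sending any traffic, which is what
makes a passive check safe to run against production systems.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: list = field(default_factory=list)  # list of (name, value) pairs
    body: str = ""
    is_tls: bool = False  # whether the request that produced it used HTTPS

    def get(self, name):
        """Return every value of a header, matched case-insensitively."""
        return [v for n, v in self.headers if n.lower() == name.lower()]


def parse_response(raw, is_tls=False):
    """Parse a raw HTTP/1.1 response (CRLF line endings) into a Response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 200 OK" -> 200
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return Response(status, headers, body, is_tls)


def check_frame_options(resp):
    """Clickjacking: HTML responses should deny or restrict framing."""
    ctype = " ".join(resp.get("Content-Type")).lower()
    if "text/html" in ctype and not resp.get("X-Frame-Options"):
        return ["X-Frame-Options header missing on HTML response"]
    return []


def check_cookie_flags(resp):
    """Cookies should be HttpOnly and, when set over TLS, Secure."""
    alerts = []
    for cookie in resp.get("Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            alerts.append(f"cookie {name} set without HttpOnly")
        if resp.is_tls and "secure" not in attrs:
            alerts.append(f"cookie {name} set over HTTPS without Secure")
    return alerts


PASSWORD_FIELD = re.compile(r"<input[^>]*type=[\"']?password[\"']?[^>]*>", re.I)


def check_password_autocomplete(resp):
    """Password fields that leave browser autocomplete enabled."""
    alerts = []
    for tag in PASSWORD_FIELD.findall(resp.body):
        if not re.search(r"autocomplete=[\"']?off", tag, re.I):
            alerts.append("password field without autocomplete=off")
    return alerts


CHECKS = [check_frame_options, check_cookie_flags, check_password_autocomplete]


def passive_scan(raw, is_tls=False):
    """Run every passive check over one captured response; return the alerts."""
    resp = parse_response(raw, is_tls)
    alerts = []
    for check in CHECKS:
        alerts.extend(check(resp))
    return alerts


# Constructed sample responses (not captured from any real site).
LOGIN_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "\r\n"
    "<form><input type=\"password\" name=\"pw\"></form>"
)
HARDENED_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<form><input type=\"password\" name=\"pw\" autocomplete=\"off\"></form>"
)

if __name__ == "__main__":
    for page in (LOGIN_PAGE, HARDENED_PAGE):
        print(passive_scan(page, is_tls=True))
```

    Run as-is it reports four findings for the weak response and none for the hardened one. The point to keep from ZAP's design is the split: passive rules like these run on every response at no cost to the target, while the active scanner, spider and fuzzer listed above generate traffic and belong in a test environment or an explicitly scoped engagement.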
  • 28. OWASP ZAP Proxy – DEMO
  • 29. OWASP ESAPI – Enterprise Security API
    - Free, open source web application security controls library
    - Provides developers with libraries for writing lower-risk applications
    - Allows retrofitting security into existing applications
    - Serves as a solid foundation for new development
    - Support for Java, PHP and Force.com; more languages may follow
  • 30. OWASP ESAPI (PROTECT) – architecture
    Custom Enterprise Web Application
      calls into
    Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
      built on top of
    Existing Enterprise Security Services/Libraries
  • 31. OWASP ESAPI – Validation and Encoding
    Request flow: User -> Controller -> Business Functions -> Data Layer -> Backend
    Validator (canonicalization, double encoding protection, sanitization, normalization): isValidCreditCard, isValidDataFromBrowser, isValidDirectoryPath, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidListItem, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine
    Encoder: encodeForJavaScript, encodeForVBScript, encodeForURL, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForDN, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath
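
    The two halves of that slide are one pipeline: input is canonicalized before it is validated, and output is encoded for the exact context it lands in. The block below is an added illustration in Python, not ESAPI's code (ESAPI is a Java/PHP/.NET library and only the method names are borrowed): a canonicalizer that, like ESAPI's default, rejects double or mixed encoding as an intrusion attempt, a whitelist validator that runs after canonicalization, and four context encoders. The two decoders used, the exception names and the sample payloads are the example's own choices.

```python
"""
Context-sensitive output encoding and input canonicalization in the style of
ESAPI's Encoder and Validator.  Added illustration, not ESAPI's own code;
it mirrors the method names, not the library.
"""
import html
import re
import urllib.parse


class DoubleEncodingError(ValueError):
    """ESAPI raises IntrusionException for multiply/mixed-encoded input; same idea here."""


class ValidationError(ValueError):
    """Input did not match the whitelist pattern for its context."""


# Decoders applied during canonicalization, in order.  Each is repeated until
# the string stops changing, which is how layered encodings are peeled off.
CODECS = [
    ("url", urllib.parse.unquote),
    ("html", html.unescape),
]


def canonicalize(value, strict=True):
    """Reduce input to its simplest form before validating it.

    With strict=True (ESAPI's default) input that needed more than one
    decoding step is rejected: "%253C" (double URL-encoded "<") or a mix of
    URL and HTML encoding are filter-evasion tricks, not legitimate data.
    """
    current = value
    steps = []
    changed = True
    while changed:
        changed = False
        for name, decode in CODECS:
            decoded = decode(current)
            if decoded != current:
                steps.append(name)
                current = decoded
                changed = True
    if strict and len(steps) > 1:
        raise DoubleEncodingError(f"{value!r} needed {len(steps)} decoding steps: {steps}")
    return current


def get_valid_input(context, value, pattern, max_length):
    """Canonicalize, then whitelist-validate, in the order ESAPI's Validator uses."""
    canonical = canonicalize(value)
    if len(canonical) > max_length:
        raise ValidationError(f"{context}: longer than {max_length} characters")
    if not re.fullmatch(pattern, canonical):
        raise ValidationError(f"{context}: {canonical!r} does not match {pattern!r}")
    return canonical


def _encode_non_alnum(value, fmt):
    """Encode every character except ASCII letters and digits using fmt."""
    return "".join(ch if ch.isascii() and ch.isalnum() else fmt(ch) for ch in value)


def encode_for_html(value):
    """Text between HTML tags: the five significant characters become entities."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value):
    """Quoted attribute values: everything but alphanumerics becomes &#xHH;."""
    return _encode_non_alnum(value, lambda ch: f"&#x{ord(ch):X};")


def encode_for_javascript(value):
    """Data inside a JS string literal: \\xHH for code points below 256, \\uHHHH above."""
    return _encode_non_alnum(
        value,
        lambda ch: f"\\x{ord(ch):02X}" if ord(ch) < 256 else f"\\u{ord(ch):04X}",
    )


def encode_for_url(value):
    """Data placed in a URL query parameter value."""
    return urllib.parse.quote(value, safe="")


if __name__ == "__main__":
    payload = "<script>alert('x')</script>"  # constructed sample input
    for encode in (encode_for_html, encode_for_html_attribute,
                   encode_for_javascript, encode_for_url):
        print(encode.__name__, encode(payload))
    print(canonicalize("%3Cscript%3E"))
```

    The design point is that there is no single "escape" function: the same string needs different treatment in an HTML body, an attribute, a script block and a URL, and validating input before canonicalizing it lets `%253C` walk past a filter that only looks for `<`.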
  • 32. OWASP ESAPI – OWASP Top 10 Coverage (the list below is the 2007 edition of the Top 10)
    OWASP Top Ten                                 | OWASP ESAPI
    A1. Cross Site Scripting (XSS)                | Validator, Encoder
    A2. Injection Flaws                           | Encoder
    A3. Malicious File Execution                  | HTTPUtilities (Safe Upload)
    A4. Insecure Direct Object Reference          | AccessReferenceMap, AccessController
    A5. Cross Site Request Forgery (CSRF)         | User (CSRF Token)
    A6. Leakage and Improper Error Handling       | EnterpriseSecurityException, HTTPUtils
    A7. Broken Authentication and Sessions        | Authenticator, User, HTTPUtils
    A8. Insecure Cryptographic Storage            | Encryptor
    A9. Insecure Communications                   | HTTPUtilities (Secure Cookie, Channel)
    A10. Failure to Restrict URL Access           | AccessController
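
    The A4 row is the least self-explanatory entry in that table. An AccessReferenceMap replaces the database keys an application would otherwise put in URLs and form fields with per-session random tokens that exist only for the objects the current user may reach, so tampering with the parameter cannot name anyone else's record. The following is an added Python illustration of that idea (ESAPI's own class is Java, and its RandomAccessReferenceMap is what this imitates); the account identifiers, URL shape and exception name are the example's own assumptions.

```python
"""
Indirect object references in the manner of ESAPI's AccessReferenceMap
(RandomAccessReferenceMap).  Added illustration, not ESAPI's Java code.

The browser never sees keys such as "acct-1001".  Each session gets random,
unguessable tokens for only the objects its user may access; any other
value submitted in the parameter simply does not resolve.
"""
import secrets


class AccessControlError(Exception):
    """Raised when an indirect reference does not map to a permitted object."""


class RandomAccessReferenceMap:
    def __init__(self, direct_references, token_bytes=8):
        self._to_indirect = {}
        self._to_direct = {}
        self._token_bytes = token_bytes
        for ref in direct_references:
            self.add(ref)

    def add(self, direct):
        """Register an object the current user may access; return its token."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        token = secrets.token_urlsafe(self._token_bytes)
        while token in self._to_direct:  # collision is astronomically unlikely; be exact anyway
            token = secrets.token_urlsafe(self._token_bytes)
        self._to_indirect[direct] = token
        self._to_direct[token] = direct
        return token

    def get_indirect(self, direct):
        """Token to emit in a page for a permitted object."""
        try:
            return self._to_indirect[direct]
        except KeyError:
            raise AccessControlError(f"no indirect reference for {direct!r}") from None

    def get_direct(self, indirect):
        """Resolve a submitted token; anything unknown is an access-control failure."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise AccessControlError("indirect reference not valid for this user") from None


# Constructed sample: the account rows owned by the logged-in user.
USER_ACCOUNTS = ["acct-1001", "acct-1002"]


def render_links(arm):
    """The URLs a page would emit: tokens, never database keys."""
    return [f"/account?id={arm.get_indirect(a)}" for a in USER_ACCOUNTS]


def handle_request(arm, id_param):
    """Resolve the ?id= parameter back to a key the user is allowed to read."""
    return arm.get_direct(id_param)


if __name__ == "__main__":
    arm = RandomAccessReferenceMap(USER_ACCOUNTS)  # built once per session
    for link in render_links(arm):
        print(link)
    token = arm.get_indirect("acct-1001")
    print(handle_request(arm, token))
    try:
        handle_request(arm, "acct-1003")  # tampered or guessed value
    except AccessControlError as exc:
        print("blocked:", exc)
```

    The map is built per session from the objects the user is entitled to, which is what makes it an access-control mechanism rather than mere obfuscation: the AccessController decision happens when the map is populated, and a token that was never issued cannot be resolved no matter how it is formed.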
  • 33. OWASP ModSecurity Core Rule Set
    - Free certified rule set for the ModSecurity WAF
    - Generic web application protection:
      - Common web attacks protection
      - HTTP protection
      - Real-time blacklist lookups
      - HTTP denial of service protection
      - Automation detection
      - Integration with AV scanning for file uploads
      - Tracking sensitive data
      - Identification of application defects
      - Error detection and hiding
    - https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
  • 34. OWASP WebGoat Java Project
    - Deliberately insecure J2EE web application to teach web application security lessons
    - Over 30 lessons providing hands-on learning about:
      - Cross-Site Scripting (XSS)
      - Access Control
      - Blind/Numeric/String SQL Injection
      - Web Services
      - … and many more
    - Version 5.4 available; v6 in progress
    - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  • 35. OWASP WebGoat Java Project – DEMO
  • 36. OWASP WebGoat.NET Project
    - A purposefully broken ASP.NET web application
    - Contains many common vulnerabilities
    - Intended for use in classroom environments
    - https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET
  • 37. DEMO: OWASP ZAP Proxy, OWASP WebGoat Java Project
  • 38. Thank You