OWASP Projects and Resources You Can Use Today: An Overview

marian.ventuneac@owasp.org

OWASP
29.11.2012

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation
http://www.owasp.org
About Myself

 Security Architect

 International Presenter

 Member of OWASP and ISACA global organizations

 OWASP Ireland Limerick Chapter Leader
  https://www.owasp.org/index.php/Ireland-Limerick

 Security Researcher PhD, MEng
  http://www.ventuneac.net
  http://secureappdev.blogspot.com
  http://dcsl.ul.ie
State of Information Security

The problem

  There are not enough qualified
  application security professionals

What can we do about it?

 Make application security visible
 Provide Developers and Software Testers with materials
  and tools helping them to build more secure applications

Who is OWASP?

 Open Web Application Security Project
  http://www.owasp.org

 Global community driving and promoting safety and
  security of world’s software

 OWASP is a registered nonprofit in the United States and
  Europe

 Everyone is free to participate

 All OWASP materials & tools are free


OWASP by the Numbers

 11 years of community service

 88+ Government & Industry Citations
    including DHS, ISO, IEEE, NIST, SANS Institute, CSA, etc

 30,000 + participant mailing lists

 250,000+ unique visitors per month

 800,000+ page views per month

 15,000+ downloads per month


OWASP by the Numbers (cont)

 Budget for 2012: $591,275

 2081 individual members and honorary members from
  over 70 countries

 55+ paid Corporate Members

 53+ Academic Supporters

 193+ Active Chapters

 113+ Active Projects

 4 Global AppSec Conferences per Year
OWASP Near You – Romania Chapter

Promote application security and create local
 security communities
Started in 2008 by Claudiu Constantinescu
2012 Chapter Reboot
  Chapter Leader - Tudor Enache
  Penetration Tester @ Electronic Arts
  Specialized in web and mobile application security
   testing

  https://www.owasp.org/index.php/Romania

OWASP Projects & Tools

  Make application security visible

  Videos, podcasts, books, guidelines, cheat sheets, tools, …

  Available under a free and open software license

  Used, recommended and referenced by many
   government, standards and industry organisations

  Open for everyone
   to participate



OWASP Projects & Tools - Classification

  113+ Active Projects

  PROTECT
     guard against security-related design and implementation
      flaws.

  DETECT
     find security-related design and implementation flaws.

  LIFE CYCLE
     add security-related activities into software processes (e.g.
      SDLC, agile)
OWASP Projects & Tools – An Overview

 DETECT
   OWASP Top 10
   OWASP Code Review Guide
   OWASP Testing Guide
   OWASP Cheat Sheet Series
   OWASP AppSec Tutorials
   OWASP ASVS
   OWASP LiveCD / WTE
   OWASP ZAP Proxy

 PROTECT
   OWASP ESAPI
   OWASP ModSecurity CRS

 LIFE CYCLE
   WebGoat J2EE
   WebGoat .NET

 Full list of projects (release, beta, alpha)
 http://www.owasp.org/index.php/Category:OWASP_Project
OWASP Top 10 Security Risks (DETECT)

 The most visible OWASP project

 Classifies some of the most
  critical risks

 Essential reading for anyone
  developing web applications

 Referenced by standards, books,
  tools, and organizations,
  including MITRE, PCI DSS,
  FTC, and many more


OWASP Top 10 Security Risk (2010 edition)




  http://www.owasp.org/index.php/Top_10
OWASP Top 10 Risk Rating Methodology

  Threat   Attack        Weakness      Weakness        Technical   Business
  Agent    Vector        Prevalence    Detectability   Impact      Impact

    ?      1 Easy        Widespread    Easy            Severe         ?
           2 Average     Common        Average         Moderate
           3 Difficult   Uncommon      Difficult       Minor

  Injection example:
           1             2             2               1

           likelihood = (1 + 2 + 2) / 3 ≈ 1.66,  impact = 1

           1.66 * 1 = 1.66 weighted risk rating

  Threat Agent and Business Impact ("?") are application-specific and are
  left for each organisation to rate for itself.
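The arithmetic on the slide carried through in code, as an added example that is not part of the original deck or of OWASP's Top 10 materials. The scale labels are the ones on the slide; the `SAMPLE_RISKS` rows other than Injection are constructed for the ranking demo and are not the official Top 10 ratings. Note that the slide shows the Injection score truncated to 1.66 while the code rounds 5/3 to 1.67.

```python
# OWASP Top 10 (2010) risk rating: likelihood is the mean of the three
# attacker-side factors, weighted risk is likelihood times technical impact.
# Added example (not OWASP's own code). Scale labels come from the slide;
# the SAMPLE_RISKS table is constructed for illustration and is not the
# official Top 10 data set.

# Ordinal scales from the slide. 1 is the worst case on every axis, so a
# LOWER weighted score means a HIGHER risk.
ATTACK_VECTOR = {"easy": 1, "average": 2, "difficult": 3}
PREVALENCE = {"widespread": 1, "common": 2, "uncommon": 3}
DETECTABILITY = {"easy": 1, "average": 2, "difficult": 3}
TECHNICAL_IMPACT = {"severe": 1, "moderate": 2, "minor": 3}


def likelihood(attack_vector, prevalence, detectability):
    """Mean of attack vector, weakness prevalence and weakness detectability."""
    scores = (ATTACK_VECTOR[attack_vector],
              PREVALENCE[prevalence],
              DETECTABILITY[detectability])
    return sum(scores) / len(scores)


def weighted_risk(attack_vector, prevalence, detectability, technical_impact):
    """likelihood * technical impact. Threat Agent and Business Impact are the
    '?' columns on the slide: they depend on the application and are left
    for the reader to rate, so they are not part of this score."""
    return likelihood(attack_vector, prevalence, detectability) * TECHNICAL_IMPACT[technical_impact]


def rank(risks):
    """Order {name: factor labels} from highest risk (lowest score) to lowest.
    Returns a list of (name, score) tuples with the score rounded to 2 places."""
    scored = [(name, round(weighted_risk(**factors), 2)) for name, factors in risks.items()]
    return sorted(scored, key=lambda item: item[1])


# Constructed sample: Injection uses the factors shown on the slide
# (1, 2, 2, 1); the other two rows are made up for the ranking demo.
SAMPLE_RISKS = {
    "Injection": dict(attack_vector="easy", prevalence="common",
                      detectability="average", technical_impact="severe"),
    "Cross-Site Scripting": dict(attack_vector="average", prevalence="widespread",
                                 detectability="easy", technical_impact="moderate"),
    "Unvalidated Redirects": dict(attack_vector="average", prevalence="uncommon",
                                  detectability="easy", technical_impact="moderate"),
}

if __name__ == "__main__":
    for name, score in rank(SAMPLE_RISKS):
        print(f"{score:.2f}  {name}")
```

Because every axis is scored with 1 as the worst case, the ranking sorts ascending; if you add your own Threat Agent and Business Impact scores, keep the same orientation or the ordering flips.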
OWASP Code Review Guide

 Code review is probably the
  most effective technique
  for identifying security flaws

 Focuses on the mechanics of
  reviewing code for certain
  vulnerabilities

 A key enabler for the OWASP
  fight against software insecurity

 Stable release v1.1, v2 is in
  progress

OWASP Code Review Guide (cont)

 Focuses on .NET and Java, but
  has some C/C++ and PHP

 Integration of secure code
  review into software
  development processes

 Understand what you are
  reviewing

 Security code review is not a
  silver bullet, but a key
  component of an IS program

OWASP Testing Guide

 Create a "best practices" web
  application penetration testing
  framework

 A low-level web application
  penetration testing guide

 Recommended for developers
  and software testers

 Version 3 available, version 4 is
  in progress

 https://www.owasp.org/index.php/OWASP_Testing_Project
OWASP Cheat Sheet Series

 Provide a concise collection of high value information on
  specific web application security topics

 Developer Cheat Sheets (Builder)
   Authentication
   Clickjacking Defense
   Cryptographic Storage
   HTML5 Security
   Input Validation
   Query Parameterization
   Session Management
   SQL Injection Prevention
   …

 Assessment Cheat Sheets (Breaker)
   Attack Surface Analysis
   XSS Filter Evasion
   …

 Mobile Cheat Sheets
   iOS Developer
   Mobile Jailbreaking
   …

  https://www.owasp.org/index.php/Cheat_Sheets
OWASP AppSec Tutorial Series

https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series

 MAKE APPSEC MORE VISIBLE

 Provide top notch application security video based training

 Four episodes available




OWASP ASVS - Application Security
Verification Standard
 Provides a basis for testing application technical security
  controls

 Use as a metric – assess
  the degree of trust in existing
  security controls

 Use as guidance – for what
  to build as part of planned
  security controls

 Use during procurement
OWASP ASVS Levels

                    Level 1 – Automated Verification
                      Level 1A – Dynamic Scan
                      (Partial Automated Verification)
                      Level 1B – Source Code Scan
                      (Partial Automated Verification)

                    Level 2 – Manual Verification
                      Level 2A – Penetration Test
                      (Partial Manual Verification)
                      Level 2B – Code Review
                      (Partial Manual Verification)

                    Level 3 – Design Verification

                    Level 4 – Internal Verification



OWASP ASVS Verification Requirements

                      V1. Security Architecture
                      V2. Authentication
                      V3. Session Management
                      V4. Access Control
                      V5. Input Validation
                      V6. Output Encoding/Escaping
                      V7. Cryptography
                      V8. Error Handling and Logging
                      V9. Data Protection
                      V10. Communication Security
                      V11. HTTP Security
                      V12. Security Configuration
                      V13. Malicious Code Search
                      V14. Internal Security



OWASP LiveCD / WTE

 Make application security tools and documentation easily
  available

 Collects some of the best open
  source security projects in a
  single environment

 Boot from this Live CD and have
  access to a full security testing
  suite

http://appseclive.org/


OWASP Zed Attack Proxy Project (DETECT)

 One of the flagship OWASP projects

 Easy to use integrated penetration
  testing tool for assessing web
  applications

 Ideal for developers and functional
  testers who are new to penetration
  testing

 Completely free and open source

 Cross platform, internationalised

 Current version 1.4.1 (v2 in progress)
OWASP ZAP Proxy - Features

 Current (1.4.1)
   Intercepting Proxy
   Automated scanner
   Passive scanner
   Brute Force scanner
   Spider
   Fuzzer
   Port scanner
   Dynamic SSL certificates
   API
   Beanshell integration

 Upcoming (v2)
   New Spider
   New 'Ajax' Spider
   Session Awareness
   Web Socket Support
   Session Scope
   Different Modes (Safe/Protected/Standard)
   Scripting console
OWASP ZAP Proxy - DEMO




OWASP ESAPI – Enterprise Security API

 Free, open source, web application security controls
  library

 Provide developers with libraries for writing lower-risk
  applications

 Allow retrofitting security into existing applications

 Serve as a solid foundation for new development

 Support for Java, PHP and Force.com; ports for other
  languages exist at varying levels of maturity
OWASP ESAPI (PROTECT)

 Architecture (from the slide diagram): the Custom Enterprise Web
  Application calls the Enterprise Security API, which in turn wraps
  Existing Enterprise Security Services/Libraries

 ESAPI interfaces
   Authenticator
   User
   AccessController
   AccessReferenceMap
   Validator
   Encoder
   HTTPUtilities
   Encryptor
   EncryptedProperties
   Randomizer
   Exception Handling
   Logger
   IntrusionDetector
   SecurityConfiguration
OWASP ESAPI – Validation and Encoding

 Request flow: User → Controller → Business Functions → Data Layer → Backend
  The slide places the Validator at the Controller / Business Functions tier
  (input side) and the Encoder at the Data Layer / Backend tier (output side).

 Validator                        Encoder
   isValidCreditCard                encodeForJavaScript
   isValidDataFromBrowser           encodeForVBScript
   isValidDirectoryPath             encodeForURL
   isValidFileContent               encodeForHTML
   isValidFileName                  encodeForHTMLAttribute
   isValidHTTPRequest               encodeForLDAP
   isValidListItem                  encodeForDN
   isValidRedirectLocation          encodeForSQL
   isValidSafeHTML                  encodeForXML
   isValidPrintable                 encodeForXMLAttribute
   safeReadLine                     encodeForXPath

 Shared building blocks: Canonicalization, Double Encoding Protection,
  Sanitization, Normalization
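Contextual output encoding and canonicalization in the style of the ESAPI Encoder/Validator contract listed above, as an added example that is not ESAPI code. The Python functions are simplified stand-ins for `encodeForHTML`, `encodeForHTMLAttribute`, `encodeForJavaScript`, `encodeForURL`, `canonicalize` and `isValidInput`, named by analogy only; the real ESAPI encoders cover more characters and more contexts.

```python
# Context-specific output encoding and canonicalization in the style of the
# ESAPI Encoder/Validator contract. Added example, not ESAPI code: these are
# simplified Python stand-ins named by analogy with the ESAPI methods.
import html
import re
import urllib.parse


def encode_for_html(s):
    """Element-content context: entity-encode & < > " '."""
    return html.escape(s, quote=True)


def encode_for_html_attribute(s):
    """Attribute context: encode every non-alphanumeric character as &#xHH;
    so that even an unquoted attribute cannot be closed with a space or '='."""
    return "".join(c if c.isalnum() else "&#x%x;" % ord(c) for c in s)


def encode_for_javascript(s):
    """JS string-literal context: \\xHH / \\uHHHH escapes. HTML entities are
    NOT a defence here, which is why one encoder per context is needed."""
    out = []
    for c in s:
        if c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append("\\x%02x" % ord(c))
        else:
            out.append("\\u%04x" % ord(c))
    return "".join(out)


def encode_for_url(s):
    """URL parameter-value context: percent-encode everything non-alphanumeric."""
    return urllib.parse.quote(s, safe="")


# Decoders applied one at a time; each successful decode counts as one round.
DECODERS = (("url", urllib.parse.unquote), ("html", html.unescape))


def canonicalize(s, max_rounds=5):
    """Reduce input to its simplest form before validating it. More than one
    decoding round means double encoding (same codec twice) or mixed encoding
    (different codecs nested); both are treated as an attack and rejected."""
    current, rounds, codecs = s, 0, set()
    while True:
        for name, decode in DECODERS:
            decoded = decode(current)
            if decoded != current:
                current, rounds = decoded, rounds + 1
                codecs.add(name)
                break
        else:
            break  # no decoder changed the string: fully canonical
        if rounds > max_rounds:
            raise ValueError("too many decoding rounds")
    if rounds > 1:
        kind = "mixed" if len(codecs) > 1 else "double"
        raise ValueError("%s encoding detected (%d rounds)" % (kind, rounds))
    return current


def is_valid_input(value, pattern, max_length):
    """Whitelist validation on the canonical form, as ESAPI's Validator does.
    An encoding attack makes canonicalize() raise and is simply rejected."""
    try:
        canonical = canonicalize(value)
    except ValueError:
        return False
    return len(canonical) <= max_length and re.fullmatch(pattern, canonical) is not None
```

The point of the four encoders is that the same payload needs a different transformation per destination: `encode_for_html` output is still dangerous inside a `<script>` string, and `encode_for_url` output is still dangerous inside an HTML attribute. Validation always runs on the canonical form, never on the raw bytes, so `%3Cb%3E` is checked as `<b>`.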
OWASP ESAPI - OWASP Top 10 (2007 edition) Coverage

   OWASP Top Ten                               OWASP ESAPI
   A1.  Cross Site Scripting (XSS)             Validator, Encoder
   A2.  Injection Flaws                        Encoder
   A3.  Malicious File Execution               HTTPUtilities (Safe Upload)
   A4.  Insecure Direct Object Reference       AccessReferenceMap, AccessController
   A5.  Cross Site Request Forgery (CSRF)      User (CSRF Token)
   A6.  Leakage and Improper Error Handling    EnterpriseSecurityException, HTTPUtils
   A7.  Broken Authentication and Sessions     Authenticator, User, HTTPUtils
   A8.  Insecure Cryptographic Storage         Encryptor
   A9.  Insecure Communications                HTTPUtilities (Secure Cookie, Channel)
   A10. Failure to Restrict URL Access         AccessController

  Note on A2: parameterized queries (see the Query Parameterization cheat
  sheet) are the primary defence against SQL injection; encodeForSQL is for
  the cases where they cannot be used.
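Indirect object references in the style of ESAPI's AccessReferenceMap, the control the table above lists for A4, as an added example that is not ESAPI code. The `AccessReferenceMap` class, the `ACCOUNTS` table and the two lookup handlers are constructed for illustration; their names are hypothetical.

```python
# Indirect object references in the style of ESAPI's AccessReferenceMap.
# Added example, not ESAPI code: the class, the ACCOUNTS table and the two
# lookup handlers are constructed for illustration.
import secrets


class AccessReferenceMap:
    """Per-session map between direct references (database keys, file names)
    and random indirect references. Only indirect references go to the client,
    and only references this session was given can be mapped back."""

    def __init__(self, direct_refs, token_bytes=8):
        self._to_indirect = {}
        self._to_direct = {}
        self._token_bytes = token_bytes
        for ref in direct_refs:
            self.add(ref)

    def add(self, direct):
        """Register a direct reference the current user may access."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        while True:  # loop only guards against an (unlikely) token collision
            indirect = secrets.token_urlsafe(self._token_bytes)
            if indirect not in self._to_direct:
                break
        self._to_indirect[direct] = indirect
        self._to_direct[indirect] = direct
        return indirect

    def get_indirect(self, direct):
        """Value to embed in links/forms; KeyError if not in this user's set."""
        return self._to_indirect[direct]

    def get_direct(self, indirect):
        """Map a client-supplied reference back; unknown values are a violation."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise PermissionError("access violation: unknown reference %r" % indirect) from None


# Constructed backend data: 1001 and 1002 belong to Alice, 1003 to Bob.
ACCOUNTS = {1001: "alice-checking", 1002: "alice-savings", 1003: "bob-checking"}


def lookup_vulnerable(account_id):
    """Direct reference straight from the request: any authenticated user can
    walk the id space and read other users' accounts (A4)."""
    return ACCOUNTS[int(account_id)]


def lookup_hardened(session_map, indirect_ref):
    """The request carries an indirect reference; anything outside the
    session's map is rejected before the backend is touched."""
    return ACCOUNTS[session_map.get_direct(indirect_ref)]


def alice_session():
    """Build the map for Alice's session from the objects she owns."""
    return AccessReferenceMap([1001, 1002])
```

The map is built per session from the objects the user is authorised to see, so the check is implicit in the lookup rather than a separate `if owner == user` that can be forgotten. ESAPI ships both a random variant like this one and an integer-indexed variant; the random one also hides how many objects exist.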
OWASP ModSecurity Core Rule Set

 Free certified rule set for ModSecurity WAF
 Generic web applications protection:
    Common Web Attacks Protection
    HTTP Protection
    Real-time Blacklist Lookups
    HTTP Denial of Service Protection
    Automation Detection
    Integration with AV Scanning for File Uploads
    Tracking Sensitive Data
    Identification of Application Defects
    Error Detection and Hiding
  https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
OWASP WebGoat Java Project

 Deliberately insecure J2EE web application to teach web
  application security lessons

 Over 30 lessons, providing hands-on learning about
    Cross-Site Scripting (XSS)
    Access Control
    Blind/Numeric/String SQL Injection
    Web Services
    … and many more

 Version 5.4 available, v6 in progress
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

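The string and numeric SQL injection lessons listed for WebGoat, shown against a vulnerable query beside the parameterized form that the Query Parameterization and SQL Injection Prevention cheat sheets recommend. This is an added example, not WebGoat or OWASP code; the `users` table and its rows are constructed in memory so the block runs offline.

```python
# String and numeric SQL injection against a vulnerable query, beside the
# parameterized form. Added example, not WebGoat code: the users table and
# its rows are constructed in memory so the block runs offline.
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(101, "alice", "user"), (102, "bob", "user"), (103, "carol", "admin")])
    return conn


def find_by_name_vulnerable(conn, name):
    """String injection: the input is pasted into the SQL text, so a quote in
    it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT id, name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_by_id_vulnerable(conn, user_id):
    """Numeric injection: there are no quotes to escape at all, so
    '101 OR 1=1' is enough to return every row."""
    sql = "SELECT id, name, role FROM users WHERE id = %s" % user_id
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    """Parameterized: the value is bound as data and never parsed as SQL."""
    return conn.execute("SELECT id, name, role FROM users WHERE name = ?", (name,)).fetchall()


def find_by_id_safe(conn, user_id):
    """Parameterized, and the type is enforced before the value reaches SQL
    (int() raises ValueError on '101 OR 1=1')."""
    return conn.execute("SELECT id, name, role FROM users WHERE id = ?", (int(user_id),)).fetchall()
```

One caveat when reproducing this with other drivers: Python's `sqlite3` refuses stacked statements in `execute()`, so the `'; DROP TABLE users; --` variant fails here for a reason unrelated to the application code. Drivers that allow multiple statements make the vulnerable functions worse, and the parameterized functions are unaffected either way.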
OWASP WebGoat Java Project - DEMO




OWASP WebGoat.NET Project

 A purposefully broken ASP.NET web application

 Contains many common vulnerabilities

 Intended for use in classroom environments



https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET




DEMO

 OWASP ZAP Proxy

 OWASP WebGoat Java Project




Thank You





The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareDefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber SecurityDefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering holeDefCamp
 

More from DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 

OWASP Overview of Projects You Can Use Today - DefCamp 2012

  • 1. OWASP Projects and Resources You Can Use Today: An Overview
    - marian.ventuneac@owasp.org
    - OWASP, 29.11.2012
    - Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
    - The OWASP Foundation, http://www.owasp.org
  • 2. About Myself
    - Security Architect
    - International Presenter
    - Member of OWASP and ISACA global organizations
    - OWASP Ireland Limerick Chapter Leader: https://www.owasp.org/index.php/Ireland-Limerick
    - Security Researcher, PhD, MEng: http://www.ventuneac.net, http://secureappdev.blogspot.com, http://dcsl.ul.ie
    OWASP 2
  • 3. State of Information Security
    - The problem: there are not enough qualified application security professionals
    - What can we do about it?
      - Make application security visible
      - Provide Developers and Software Testers with materials and tools helping them to build more secure applications
  • 4. Who is OWASP?
    - Open Web Application Security Project, http://www.owasp.org
    - Global community driving and promoting safety and security of the world's software
    - OWASP is a registered nonprofit in the United States and Europe
    - Everyone is free to participate
    - All OWASP materials & tools are free
  • 5. OWASP by the Numbers
    - 11 years of community service
    - 88+ Government & Industry Citations, including DHS, ISO, IEEE, NIST, SANS Institute, CSA, etc.
    - 30,000+ participant mailing lists
    - 250,000+ unique visitors per month
    - 800,000+ page views per month
    - 15,000+ downloads per month
  • 6. OWASP by the Numbers (cont)
    - Budget for 2012: $591,275
    - 2081 individual members and honorary members from over 70 countries
    - 55+ paid Corporate Members
    - 53+ Academic Supporters
    - 193+ Active Chapters
    - 113+ Active Projects
    - 4 Global AppSec Conferences per Year
  • 7. OWASP by the Numbers (cont)
  • 8. OWASP Near You – Romania Chapter
    - Promote application security and create local security communities
    - Started in 2008 by Claudiu Constantinescu
    - 2012 Chapter Reboot
    - Chapter Leader: Tudor Enache, Penetration Tester @ Electronic Arts, specialized in web and mobile application security testing
    - https://www.owasp.org/index.php/Romania
  • 9. OWASP Projects & Tools
    - Make application security visible
    - Videos, podcasts, books, guidelines, cheat sheets, tools, …
    - Available under a free and open software license
    - Used, recommended and referenced by many government, standards and industry organisations
    - Open for everyone to participate
  • 10. OWASP Projects & Tools - Classification
    - 113+ Active Projects
    - PROTECT: guard against security-related design and implementation flaws.
    - DETECT: find security-related design and implementation flaws.
    - LIFE CYCLE: add security-related activities into software processes (e.g. SDLC, agile, etc.)
  • 11. OWASP Projects & Tools – An Overview
    - DETECT: OWASP Top 10, OWASP AppSec Tutorials, OWASP Code Review Guide, OWASP ASVS, OWASP Testing Guide, OWASP LiveCD / WTE, OWASP Cheat Sheet Series, OWASP ZAP Proxy
    - PROTECT: OWASP ESAPI, OWASP ModSecurity CRS
    - LIFE CYCLE: WebGoat J2EE, WebGoat .NET
    - Full list of projects (release, beta, alpha): http://www.owasp.org/index.php/Category:OWASP_Project
  • 12. OWASP Top 10 Security Risks (DETECT)
    - The most visible OWASP project
    - Classifies some of the most critical risks
    - Essential reading for anyone developing web applications
    - Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, FTC, and many more
  • 13. OWASP Top 10 Security Risk (2010 edition)
    - http://www.owasp.org/index.php/Top_10
  • 14. OWASP Top 10 Risk Rating Methodology
    Score | Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
    1     | ?            | Easy          | Widespread          | Easy                   | Severe           | ?
    2     | ?            | Average       | Common              | Average                | Moderate         | ?
    3     | ?            | Difficult     | Uncommon            | Difficult              | Minor            | ?
    - Injection example: Attack Vector 1, Weakness Prevalence 2, Weakness Detectability 2, Technical Impact 1 → 1.66 * 1 = 1.66 weighted risk rating
  • 15. OWASP Code Review Guide
    - Code review is probably the most effective technique for identifying security flaws
    - Focuses on the mechanics of reviewing code for certain vulnerabilities
    - A key enabler for the OWASP fight against software insecurity
    - Stable release v1.1, v2 is in progress
  • 16. OWASP Code Review Guide (cont)
    - Focuses on .NET and Java, but has some C/C++ and PHP
    - Integration of secure code review into software development processes
    - Understand what you are reviewing
    - Security code review is not a silver bullet, but a key component of an IS program
  • 17. OWASP Testing Guide
    - Create a "best practices" web application penetration testing framework
    - A low-level web application penetration testing guide
    - Recommended for developers and software testers
    - Version 3 available, version 4 is in progress
    - https://www.owasp.org/index.php/OWASP_Testing_Project
  • 18. OWASP Cheat Sheet Series
    - Provide a concise collection of high value information on specific web application security topics
    - Developer Cheat Sheets (Builder): Authentication, Clickjacking Defense, Cryptographic Storage, HTML5 Security, Input Validation, Query Parameterization, Session Management, SQL Injection Prevention, …
    - Assessment Cheat Sheets (Breaker): Attack Surface Analysis, XSS Filter Evasion, …
    - Mobile Cheat Sheets: iOS Developer, Mobile Jailbreaking, …
    - https://www.owasp.org/index.php/Cheat_Sheets
  • 19. OWASP Cheat Sheet Series (cont)
    - The most visible OWASP project
    - Classifies some of the most critical risks
    - Essential reading for anyone developing web applications
    - Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more
  • 20. OWASP Cheat Sheet Series (cont)
  • 21. OWASP AppSec Tutorial Series
    - https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
    - MAKE APPSEC MORE VISIBLE
    - Provide top notch application security video based training
    - Four episodes available
  • 22. OWASP ASVS - Application Security Verification Standard
    - Provides a basis for testing application technical security controls
    - Use as a metric – assess the degree of trust on existing security controls
    - Use as guidance – for what to build as part of planned security controls
    - Use during procurement
  • 23. OWASP ASVS Levels
    - Level 1 – Automated Verification
      - Level 1A – Dynamic Scan (Partial Automated Verification)
      - Level 1B – Source Code Scan (Partial Automated Verification)
    - Level 2 – Manual Verification
      - Level 2A – Penetration Test (Partial Manual Verification)
      - Level 2B – Code Review (Partial Manual Verification)
    - Level 3 – Design Verification
    - Level 4 – Internal Verification
  • 24. OWASP ASVS Verification Requirements
    - V1. Security Architecture
    - V2. Authentication
    - V3. Session Management
    - V4. Access Control
    - V5. Input Validation
    - V6. Output Encoding/Escaping
    - V7. Cryptography
    - V8. Error Handling and Logging
    - V9. Data Protection
    - V10. Communication Security
    - V11. HTTP Security
    - V12. Security Configuration
    - V13. Malicious Code Search
    - V14. Internal Security
  • 25. OWASP LiveCD / WTE
    - Make application security tools and documentation easily available
    - Collects some of the best open source security projects in a single environment
    - Boot from this Live CD and have access to a full security testing suite
    - http://appseclive.org/
  • 26. OWASP Zed Attack Proxy Project (PREVENT)
    - One of the flagship OWASP projects
    - Easy to use integrated penetration testing tool for assessing web applications
    - Ideal for developers and functional testers who are new to penetration testing
    - Completely free and open source
    - Cross platform, internationalised
    - Current version 1.4.1 (v2 in progress)
  • 27. OWASP ZAP Proxy - Features
    - Current: Intercepting Proxy, Automated scanner, Passive scanner, Brute Force scanner, Spider, Fuzzer, Port scanner, Dynamic SSL certificates, API, BeanShell integration
    - Upcoming: New Spider, New 'Ajax' Spider, Session Awareness, Web Socket Support, Session Scope, Different Modes (Safe/Protected/Standard), Scripting console
  • 28. OWASP ZAP Proxy - DEMO
  • 29. OWASP ESAPI – Enterprise Security API
    - Free, open source, web application security controls library
    - Provide developers with libraries for writing lower-risk applications
    - Allow retrofitting security into existing applications
    - Serve as a solid foundation for new development
    - Support for Java, PHP and Force.com – there could be more languages supported
  • 30. OWASP ESAPI (PROTECT) – Enterprise Security API
    - Custom Enterprise Web Application → Enterprise Security API → Existing Enterprise Security Services/Libraries
    - ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
  • 31. OWASP ESAPI – Validation and Encoding
    - Request flow: User → Controller → Business Functions → Data Layer → Backend
    - Validator: isValidCreditCard, isValidDataFromBrowser, isValidDirectoryPath, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidListItem, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine
    - Canonicalization, Double Encoding Protection, Sanitization, Normalization
    - Encoder: encodeForJavaScript, encodeForVBScript, encodeForURL, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForDN, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath
  • 32. OWASP ESAPI - OWASP Top 10 Coverage
    - A1. Cross Site Scripting (XSS): Validator, Encoder
    - A2. Injection Flaws: Encoder
    - A3. Malicious File Execution: HTTPUtilities (Safe Upload)
    - A4. Insecure Direct Object Reference: AccessReferenceMap, AccessController
    - A5. Cross Site Request Forgery (CSRF): User (CSRF Token)
    - A6. Leakage and Improper Error Handling: EnterpriseSecurityException, HTTPUtils
    - A7. Broken Authentication and Sessions: Authenticator, User, HTTPUtils
    - A8. Insecure Cryptographic Storage: Encryptor
    - A9. Insecure Communications: HTTPUtilities (Secure Cookie, Channel)
    - A10. Failure to Restrict URL Access: AccessController
  • 33. OWASP ModSecurity Core Rule Set
    - Free certified rule set for ModSecurity WAF
    - Generic web applications protection:
      - Common Web Attacks Protection
      - HTTP Protection
      - Real-time Blacklist Lookups
      - HTTP Denial of Service Protection
      - Automation Detection
      - Integration with AV Scanning for File Uploads
      - Tracking Sensitive Data
      - Identification of Application Defects
      - Error Detection and Hiding
    - https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
  • 34. OWASP WebGoat Java Project
    - Deliberately insecure J2EE web application to teach web application security lessons
    - Over 30 lessons, providing hands-on learning about:
      - Cross-Site Scripting (XSS)
      - Access Control
      - Blind/Numeric/String SQL Injection
      - Web Services
      - … and many more
    - Version 5.4 available, v6 in progress
    - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  • 35. OWASP WebGoat Java Project - DEMO
  • 36. OWASP WebGoat.NET Project
    - A purposefully broken ASP.NET web application
    - Contains many common vulnerabilities
    - Intended for use in classroom environments
    - https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET
  • 37. DEMO
    - OWASP ZAP Proxy
    - OWASP WebGoat Java Project
  • 38. Thank You
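The risk rating methodology on slide 14, carried through as a small Python calculator that applies the same rule to more than one risk. This is an added illustration, not code from the deck or from OWASP: the scale dictionaries, the `RiskFactors` class and the function names are my own, the two "Sample risk" entries are constructed labels rather than OWASP's published scores, and the slide's 1.66 is the value (1 + 2 + 2) / 3 = 1.666… shown to two decimals. Threat agent and business impact are marked "?" on the slide because they depend on the application, so they are deliberately not scored here.

```python
"""Weighted risk rating in the style of the OWASP Top 10 risk rating methodology.

Added illustration, not OWASP code. Scores use the 1-3 ordinals from the
slide, where 1 is the most severe value in every column, so a LOWER
weighted rating means a MORE serious risk.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Ordinal scales from the slide (1 = worst). Threat agent and business impact
# are application specific ("?" on the slide) and are not part of the score.
ATTACK_VECTOR = {"Easy": 1, "Average": 2, "Difficult": 3}
PREVALENCE = {"Widespread": 1, "Common": 2, "Uncommon": 3}
DETECTABILITY = {"Easy": 1, "Average": 2, "Difficult": 3}
TECHNICAL_IMPACT = {"Severe": 1, "Moderate": 2, "Minor": 3}


@dataclass(frozen=True)
class RiskFactors:
    """One risk described with the slide's labels (unknown labels raise KeyError)."""
    name: str
    attack_vector: str
    prevalence: str
    detectability: str
    technical_impact: str


def likelihood(f: RiskFactors) -> float:
    """Average of the three likelihood factors: attack vector, prevalence, detectability."""
    scores = (
        ATTACK_VECTOR[f.attack_vector],
        PREVALENCE[f.prevalence],
        DETECTABILITY[f.detectability],
    )
    return sum(scores) / len(scores)


def weighted_risk(f: RiskFactors) -> float:
    """Likelihood multiplied by technical impact, as on the slide (1.66 * 1 for Injection)."""
    return likelihood(f) * TECHNICAL_IMPACT[f.technical_impact]


def rank(risks: Iterable[RiskFactors]) -> List[RiskFactors]:
    """Order risks from most to least severe, i.e. ascending weighted rating."""
    return sorted(risks, key=weighted_risk)


# The slide's worked example: Injection = Easy (1), Common (2), Average (2), Severe (1).
INJECTION = RiskFactors("Injection", "Easy", "Common", "Average", "Severe")

# Constructed comparison entries; the labels are illustrative, not OWASP's ratings.
SAMPLE_RISKS = [
    INJECTION,
    RiskFactors("Sample risk A", "Average", "Uncommon", "Difficult", "Moderate"),
    RiskFactors("Sample risk B", "Difficult", "Widespread", "Easy", "Minor"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        print(f"{r.name:14s} likelihood={likelihood(r):.2f} weighted={weighted_risk(r):.2f}")
```

Because every column is scored with 1 as the worst case, the ranking is ascending; a risk with an easy attack vector and severe technical impact sorts above one that is hard to exploit even if it is widespread, which is the ordering the slide's table encodes.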
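Slide 31's Validator/Encoder split, and specifically canonicalization with double-encoding protection followed by context-specific output encoding, as an added Python illustration. It is not ESAPI's API (ESAPI is a Java library) and not code from the deck: the function names, the `DoubleEncodingError` class, the `render_greeting` page fragment and the sample inputs are my own, and only the Python standard library is used. The point it makes is the one behind ESAPI's separate `encodeForHTML`, `encodeForHTMLAttribute`, `encodeForURL` and `encodeForJavaScript` methods: one untrusted value needs a different encoding for each output context, and it should be reduced to its canonical form before validation so that a percent- or entity-encoded value cannot slip past a check.

```python
"""Canonicalize, then encode per output context (in the spirit of ESAPI's Validator/Encoder).

Added illustration using the Python standard library; not ESAPI and not the deck's code.
"""
import html
import re
from urllib.parse import quote, unquote


class DoubleEncodingError(ValueError):
    """Raised when a value carries more than one encoding layer (double or mixed encoding)."""


# Decoders applied in turn; each layer that actually changes the value is recorded.
DECODERS = (("url", unquote), ("html-entity", html.unescape))


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Undo URL and HTML-entity encoding so validation sees the real characters.

    More than one decoding layer (e.g. %253C, or %26lt%3B which is an entity
    wrapped in URL encoding) is rejected instead of silently decoded; that is
    the behaviour the slide lists as "Double Encoding Protection".
    """
    current = value
    layers = []
    for _ in range(max_rounds):
        changed = False
        for name, decode in DECODERS:
            decoded = decode(current)
            if decoded != current:
                layers.append(name)
                current = decoded
                changed = True
        if not changed:
            break
    else:
        raise DoubleEncodingError(f"still decoding after {max_rounds} rounds")
    if len(layers) > 1:
        raise DoubleEncodingError("multiple encoding layers: " + " > ".join(layers))
    return current


def is_double_encoded(value: str) -> bool:
    """True when canonicalize() rejects the value; usable as a validation rule."""
    try:
        canonicalize(value)
    except DoubleEncodingError:
        return True
    return False


def encode_for_html(value: str) -> str:
    """Text between tags: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Value inside a quoted attribute; the same entity set is sufficient there."""
    return html.escape(value, quote=True)


def encode_for_url(value: str) -> str:
    """A value placed in a query-string parameter: percent-encode everything unreserved-unsafe."""
    return quote(value, safe="")


def _js_escape(match: "re.Match[str]") -> str:
    cp = ord(match.group())
    if cp > 0xFFFF:  # outside the BMP: a JS string literal needs a surrogate pair
        cp -= 0x10000
        return "\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF))
    return "\\u%04x" % cp


def encode_for_javascript(value: str) -> str:
    """A value inside a JS string literal: every non-alphanumeric char becomes \\uXXXX."""
    return re.sub(r"[^A-Za-z0-9]", _js_escape, value)


def render_greeting(untrusted_name: str) -> str:
    """Place one untrusted value into three output contexts, each with its own encoder."""
    name = canonicalize(untrusted_name)
    return (
        f'<p title="{encode_for_html_attribute(name)}">Hello {encode_for_html(name)}</p>\n'
        f'<a href="/profile?user={encode_for_url(name)}">profile</a>\n'
        f'<script>var user = "{encode_for_javascript(name)}";</script>'
    )


if __name__ == "__main__":
    print(render_greeting("Ada <b>\"O'Neil\"</b> & co"))  # constructed sample input
    print(is_double_encoded("%253Cb%253E"))  # True
```

Note that `encode_for_html` and `encode_for_html_attribute` happen to coincide here because `html.escape` already covers both quote characters; ESAPI keeps them as separate methods because the safe character sets differ once you go beyond the five basic entities, and keeping the call sites distinct makes a reviewer's job easier when checking that each output context got the right encoder.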