OWASP, the life and the universe
  • 1. OWASP, the Life and the Universe. CLUSIR-EST - Strasbourg, 6th June 2013. Sébastien Gioria, Sebastien.Gioria@owasp.org, Chapter Leader OWASP France. Thursday, June 6, 13
  • 2. http://www.google.fr/#q=sebastien gioria
    ‣ OWASP France Leader & Founder & Evangelist
    ‣ Application Security freelance consultant. Twitter: @SPoint2
    ‣ Application Security group leader for the CLUSIF
    ‣ Proud father of young kids trying to hack my digital life.
  • 3. Agenda
    • Application Security:
      – where we are (no bullshit)
      – where we are (hopefully) going?
    • Open Web Application Security Project?
    • Update on OWASP Top 10 (2013 version) and major projects
  • 4-13. Why Application Security? (decision flow built up step by step over slides 4 to 13)
    Your application has been hacked? YES / NO
    Your application will be hacked ;) YES / NO
    "My application will be hacked!"
    Let me take you on the right way
    Next step
  • 14. Game: What's this? [image]
  • 15. Game 2: What's this? [image]
  • 16-17. Game 3: What's this? [image]
  • 18. Game 4: What's this? [image]
  • 19. Game Over....
    • Do you have a VoIP phone?
    • Do you have an IP router / broadband box?
    • Do you have a smartphone?
    • Do you have customers / partners over the Internet?
  • 20. Anything else?
  • 21. Why Application Security? We are living in a digital environment, in a connected world.
    v Most websites are vulnerable to attacks
    v A large share of business is web-based (services, online stores, self-care, telcos, SCADA, ...)
    Age of Antivirus -> Age of Network Security -> Age of Application Security
  • 22-23. [charts] (c) WhiteHat Security 2013
  • 24. OWASP? The Open Web Application Security Project. OWASP: swarms of WASPs: local chapters
  • 25. What is OWASP: Mission Driven. Nonprofit | World Wide | Unbiased. OWASP does not endorse or recommend commercial products or services.
  • 26. What is OWASP: Community Driven. 30,000 mailing list participants; 200 active chapters in 70 countries; 1,600+ members, 56 corporate supporters.
  • 27. Around the World: 200 chapters, 1,600+ members, 20,000+ builders, breakers and defenders.
  • 28. What is OWASP: Quality Resources. 200+ projects; 15,000+ downloads of tools and documentation.
  • 29. Quality Resources (pie chart): Documentation, Tools, Code; 50% / 10% / 40%
  • 30. Security Lifecycle [figure]
  • 31. Security Resources [figure]
  • 32-34. The OWASP Top Ten: Top 10 Web Application Security Risks (2010 version, soon to be updated)
    A1: Injection
    A2: Cross-Site Scripting (XSS)
    A3: Broken Authentication and Session Management
    A4: Insecure Direct Object References
    A5: Cross-Site Request Forgery (CSRF)
    A6: Security Misconfiguration
    A7: Failure to Restrict URL Access
    A8: Unvalidated Redirects and Forwards
    A9: Insecure Cryptographic Storage
    A10: Insufficient Transport Layer Protection
  • 35. News, a blog, a podcast, memberships, mailing lists, a newsletter, Apple App Store, video tutorials, training sessions, social networking
  • 36. 7 Global Committees
  • 37. All over the world [map: N S E W]
  • 38. OWASP Projects
  • 39. Cheat Sheets
    Developer Cheat Sheets
    § OWASP Top Ten Cheat Sheet
    § Authentication Cheat Sheet
    § Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
    § Cryptographic Storage Cheat Sheet
    § Input Validation Cheat Sheet
    § XSS (Cross Site Scripting) Prevention Cheat Sheet
    § DOM based XSS Prevention Cheat Sheet
    § Forgot Password Cheat Sheet
    § Query Parameterization Cheat Sheet
    § SQL Injection Prevention Cheat Sheet
    § Session Management Cheat Sheet
    § HTML5 Security Cheat Sheet
    § Transport Layer Protection Cheat Sheet
    § Web Service Security Cheat Sheet
    § Logging Cheat Sheet
    § JAAS Cheat Sheet
    Mobile Cheat Sheets
    § iOS Developer Cheat Sheet
    § Mobile Jailbreaking Cheat Sheet
    Draft Cheat Sheets
    § Access Control Cheat Sheet
    § REST Security Cheat Sheet
    § Abridged XSS Prevention Cheat Sheet
    § PHP Security Cheat Sheet
    § Password Storage Cheat Sheet
    § Secure Coding Cheat Sheet
    § Threat Modeling Cheat Sheet
    § Clickjacking Cheat Sheet
    § Virtual Patching Cheat Sheet
    § Secure SDLC Cheat Sheet
    § Web Application Security Testing Cheat Sheet
    § Application Security Architecture Cheat Sheet
  • 40. Enterprise Security API (for Reboot)
    Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org
    Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
    https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
  • 41. AntiSamy
    Project Leader: Jason Li, jason.li@owasp.org
    Purpose: An HTML validation tool and API to safely and gracefully handle rich HTML input, ensuring user-supplied HTML/CSS complies with an application's rules.
    https://www.owasp.org/index.php/AntiSamy
  • 42. Guides (for Reboot)
    Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services
    Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls
    Testing Guide: understand the what, why, when, where, and how of testing web applications
    https://www.owasp.org/index.php/Category:OWASP_Guide_Project
    https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
    https://www.owasp.org/index.php/Category:OWASP_Testing_Project
  • 43. Zed Attack Proxy (for Reboot)
    Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com
    Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications.
    Last Release: ZAP 2.0.0 (30 Jan 2013)
    https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • 44. AppSensor: create attack-aware applications
    Project Leader(s): Michael Coates, John Melton, Colin Watson
    Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application.
    Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc)
    https://www.owasp.org/index.php/AppSensor
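The slide only names the idea: detection points placed inside the application itself (where the code knows what a legitimate request looks like) feed an automated, in-application response such as logging the user out or locking the account. The following is an added example written for this page, not AppSensor's own code or its reference implementation. The detection-point names, thresholds, windows and responses in POLICY, the in-memory store and the sample events are all assumptions constructed for the demo.

```python
"""
Illustrative AppSensor-style detection points with automated response.

Added example; not AppSensor's own code. The detection-point names,
thresholds, windows, responses and the in-memory store are assumptions
chosen for this demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple

# Assumed policy per detection point: (threshold, window_seconds, response).
# Thresholds are deliberately low: a normal user never submits a tampered
# hidden field, so a handful of such events in a minute is an attacker.
POLICY: Dict[str, Tuple[int, int, str]] = {
    "unexpected_http_method": (2, 60, "logout"),        # e.g. TRACE/PUT on a form URL
    "modified_hidden_field":  (3, 60, "lock_account"),  # e.g. price or role field tampered
    "access_control_failure": (5, 300, "lock_account"), # repeated attempts on others' objects
}


@dataclass
class DetectionEngine:
    """Counts events per (user, detection point) over a sliding window."""
    events: Dict[Tuple[str, str], Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))
    locked: Set[str] = field(default_factory=set)

    def record(self, user: str, point: str, now: float) -> Optional[str]:
        """Store one detection-point event; return the response to apply, if any."""
        if point not in POLICY:
            raise ValueError(f"unknown detection point: {point}")
        threshold, window, response = POLICY[point]
        window_events = self.events[(user, point)]
        window_events.append(now)
        # Discard events that fell out of the sliding window.
        while window_events and now - window_events[0] > window:
            window_events.popleft()
        if len(window_events) >= threshold:
            window_events.clear()  # fire once per burst, then start counting again
            if response == "lock_account":
                self.locked.add(user)
            return response
        return None

    def is_locked(self, user: str) -> bool:
        """The application consults this before serving any authenticated request."""
        return user in self.locked


# Constructed sample events for the demo: (timestamp, user, detection point).
SAMPLE_EVENTS = [
    (1000.0, "alice",   "access_control_failure"),  # one mistyped object id: harmless
    (1001.0, "mallory", "modified_hidden_field"),   # hidden price field tampered
    (1002.0, "mallory", "modified_hidden_field"),
    (1003.0, "mallory", "modified_hidden_field"),   # third within 60 s -> account locked
    (1100.0, "mallory", "modified_hidden_field"),   # still recorded after the lock
    (1200.0, "bob",     "unexpected_http_method"),  # a single TRACE
    (1300.0, "bob",     "unexpected_http_method"),  # 100 s later: window expired, no response
]


def run_demo(events=SAMPLE_EVENTS) -> Tuple[List[Tuple[str, str]], DetectionEngine]:
    """Replay events through the engine; return the responses fired and the engine."""
    engine = DetectionEngine()
    actions: List[Tuple[str, str]] = []
    for timestamp, user, point in events:
        response = engine.record(user, point, timestamp)
        if response:
            actions.append((user, response))
    return actions, engine


if __name__ == "__main__":
    fired, eng = run_demo()
    for user, action in fired:
        print(f"{user}: {action}")
    print("locked:", sorted(eng.locked))
```

The point the slide makes is that these signals are invisible to a network IDS or WAF: only the application knows that a hidden field was never meant to change or that a user has no right to a given object id, so only the application can react with a proportionate, immediate response. The sliding window keeps a one-off mistake (alice, bob) from ever tripping a response.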
  • 45. Cloud Top 10 Project
    Project Leader: Vinay Bansal, Vinaykbansal@gmail.com
    Purpose: Develop and maintain a list of Top 10 Security Risks faced with the Cloud Computing and SaaS models. Serve as a quick list of top risks with cloud adoption, and provide guidelines on mitigating the risks.
    Deliverables - Cloud Top 10 Security Risks (Draft expected for early 2013)
    https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project
  • 46. Cloud Top 10 Security Risks
    • R1. Accountability & Data Risk
    • R2. User Identity Federation
    • R3. Legal & Regulatory Compliance
    • R4. Business Continuity & Resiliency
    • R5. User Privacy & Secondary Usage of Data
    • R6. Service & Data Integration
    • R7. Multi-tenancy & Physical Security
    • R8. Incidence Analysis & Forensics
    • R9. Infrastructure Security
    • R10. Non-production Environment Exposure
  • 47. Mobile Security Project (for Reboot)
    Project Leader: Jack Mannino, Jack@nvisiumsecurity.com
    Purpose: Establish an OWASP Top 10 Mobile Risks. Intended to be platform-agnostic. Focused on areas of risk rather than individual vulnerabilities.
    Deliverables
    - Top 10 Mobile Risks (currently Release Candidate v1.0)
    - Top 10 Mobile Controls (OWASP/ENISA Collaboration)
    - OWASP Wiki, 'Smartphone Secure Development Guidelines' (ENISA)
    - Mobile Cheat Sheet Series
    - OWASP GoatDroid Project
    - OWASP Mobile Threat Model Project
    https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  • 48. Top 10 Mobile Risks
    • M1. Insecure Data Storage
    • M2. Weak Server Side Controls
    • M3. Insufficient Transport Layer Protection
    • M4. Client Side Injection
    • M5. Poor Authorization and Authentication
    • M6. Improper Session Handling
    • M7. Security Decisions via Untrusted Inputs
    • M8. Side Channel Data Leakage
    • M9. Broken Cryptography
    • M10. Sensitive Information Disclosure
  • 49. Threat Modeling Project
    Project Leader: Anurag "Archie" Agarwal, anurag.agarwal@owasp.org
    Purpose: Establish a single and inclusive software-centric OWASP Threat Modeling Methodology, addressing vulnerability in client and web application-level services over the Internet.
    Deliverables (1st Draft expected for end of 2012 / early 2013)
    - An OWASP Threat Modeling methodology
    - A glossary of threat modeling terms
    https://www.owasp.org/index.php/OWASP_Threat_Modelling_Project
  • 50. The OWASP Secure Software Contract Annex
    Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered.
    CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to.
    OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed.
    https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
  • 51. Projects Reboot 2012: refresh, revitalize & update projects, rewrite & complete guides or tools.
    https://www.owasp.org/index.php/Projects_Reboot_2012
    Current submissions
    • OWASP Application Security Guide For CISOs - Selected for Reboot
    • OWASP Development Guide - Selected for Reboot
    • Zed Attack Proxy - Selected for Reboot
    • OWASP WebGoat
    • OWASP AppSensor
    • OWASP Mobile Project - Selected for Reboot
    • OWASP Portuguese Language Project
    • OWASP_Application_Testing_guide_v4
    • OWASP ESAPI
    • OWASP Eliminate Vulnerable Code Project
    • OWASP_Code_Review_Guide_Reboot
    Projects selected via first round of review
    1. OWASP Development Guide: Funding amount: $5000 initial funding
    2. OWASP CISO Guide: Funding amount: $5000 initial funding
    3. OWASP Zed Attack Proxy: Funding amount: $5000 initial funding
    4. OWASP Mobile Project: Funding amount: $5000 initial funding
    Ongoing discussions about the Code Review and the Testing Guides
  • 52. OWASP Top 10 2013
    • Final publication of OWASP Top 10 2013
      – Very very soon.
    • French translation done
    • Not a lot of new things.
  • 53. Top 10 2013 - RC1 (French translation, rendered here in English)
    A1: Injection
    A2: Broken session management and authentication
    A3: Cross Site Scripting (XSS)
    A4: Insecure direct object reference
    A5: Security misconfiguration
    A6: Data exposure
    A7: Poor access control
    A8: Cross Site Request Forgery (CSRF)
    A9: Use of insecure components
    A10: Poor handling of redirects and forwards
  • 54. OWASP News
    • New projects:
      – OWASP SCADA Project
      – OWASP OpenStack Security Project
  • 55. Dates
    • RSSIA Bordeaux: 21 June
      – OWASP Top 10 2013 in practice
    • OWASP EU Tour 2013:
      – 24 June - Sophia Antipolis
      – 25 June - Geneva
    • Java User Group Poitou-Charentes: 27 June
      – Secure Coding for Java
    • AppSec Research Europe 2013: 20-23 August - Hamburg - Germany
    • OWASP Benelux: 28/29 November 2013
  • 56. Supporting OWASP
    • Several options:
      – Individual member: $50
      – Corporate member: $5000
      – Free donation
    • Supporting only the France chapter:
      – Single meeting supporter
        • Offer us a meeting room!
        • Take part with a talk or otherwise!
        • Simple donation
      – Local chapter supporter:
        • $500 to $2000
  • 57. Next meetings
    • September 2013
      – Venue: Mozilla Center Paris
      – Speakers:
        • Security on Firefox OS
        • To be defined
    • November 2013
      – Venue: to be defined
      – Speaker: to be defined
  • 58. License