Locust Fear


Published on

This is the "joke" presentation I gave at Lotusphere, where I mistakenly thought the conference was about Locust Fear.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • A plague of locusts is a devastating natural disaster. These infestations have been feared and revered throughout history. Unfortunately, they still wreak havoc today.Locusts are part of a large group of insects commonly called grasshoppers which have big hind legs for jumping. Locusts belong to the family called Acrididae. Locusts differ from grasshoppers in that they have the ability to change their behaviour and habits and can migrate over large distances.Locust swarms can vary from less than one square kilometre to several hundred square kilometres. There can be at least 40 million and sometimes as many as 80 million locust adults in each square kilometre of swarm.<number>
  • Locust Fear

    1. 1. OWASP Overview Germany 2008 Conference Sebastien Deleersnyder, OWASP Board CISSP, CISA, CISM Nov, 2008 OWASP Copyright © - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation
    2. 2. Who Am I?  5 years developer experience  8 years information security experience  Lead application security Telindus, Belgacom ICT (Belgium)  Belgian OWASP chapter founder  OWASP board member  OWASP
    3. 3. Agenda OWASP Introduction OWASP Project Parade OWASP Near You? OWASP 3
    4. 4. Agenda OWASP Introduction OWASP Project Parade OWASP Near You? OWASP 4
    5. 5. OWASP The Open Web Application Security Project (OWASP) International not-for-profit charitable Open Source organization funded primarily by volunteers time, OWASP Memberships, and OWASP Conference fees Participation in OWASP is free and open to all OWASP 5
    6. 6. OWASP Mission to make application security quot;visible,quot; so that people and organizations can make informed decisions about application security risks OWASP 6
    7. 7. OWASP Resources and Community Documentation (Wiki and Books) • Code Review, Testing, Building, Legal, more … Code Projects • Defensive, Offensive (Test tools), Education, Process, more … Chapters • Over 130 and growing Conferences • Major and minor events all around the world OWASP
    8. 8. OWASP 88
    9. 9. 130+ Chapters Worldwide OWASP 9
    10. 10. OWASP Conferences (2008-2009) Germany Nov 2008 Brussels Minnesota May 2008 Poland NYC Oct 2008 May 2009 Sep 2008 Denver Spring 2009 Portugal San Jose? Israel Nov 2008 Sep 2009 Sep 2008 Taiwan Oct 2008 India Aug 2008 Gold Coast Feb 2008 +2009 OWASP 10
    11. 11. Summit Portugal 2009 Focus 80+ application security experts from 20+ countries New Free Tools and Guidance (SoC08) New Outreach Program technology vendors, framework providers, and standards bodies new program to provide free one- day seminars at universities and developer conferences worldwide New Global Committee Structure Education, Chapter, Conferences, Industry, Projects and Tools, Membership OWASP 11
    12. 12. Agenda OWASP Introduction OWASP Project Parade OWASP Near You? OWASP 12
    13. 13. OWASP Projects: Improve Quality and Support  Define Criteria for Quality Levels  Alpha, Beta, Release  Encourage Increased Quality  Through Season of Code Funding and Support  Produce Professional OWASP books  Provide Support  Full time executive director (Kate Hartmann)  Full time project manager (Paulo Coimbra)  Half time technical editor (Kirsten Sitnick)  Half time financial support (Alison Shrader)  Looking to add programmers (Interns and professionals) OWASP
    14. 14. OWASP Top 10 The Ten Most Critical Web Application Security Vulnerabilities 2007 Release A great start, but not a standard OWASP 14
    15. 15. Key Application Security Vulnerabilities OWASP 15
    16. 16. The ‘Big 4’ Documentation Projects Code Building Testing Review Guide Guide Guide Application Security Desk Reference (ASDR) OWASP
    17. 17. The Guide  Complements OWASP Top 10  310p Book  Free and open source  Gnu Free Doc License  Many contributors  Apps and web services  Most platforms  Examples are J2EE, ASP.NET, and PHP  Comprehensive  Project Leader and Editor Andrew van der Stock, OWASP
    18. 18. Uses of the Guide Developers Use for guidance on implementing security mechanisms and avoiding vulnerabilities Project Managers Use for identifying activities (threat modeling, code review, penetration testing) that need to occur Security Teams Use for structuring evaluations, learning about application security, remediation approaches OWASP
    19. 19. Each Topic  Includes Basic Information (like OWASP T10)  How to Determine If You Are Vulnerable  How to Protect Yourself  Adds  Objectives  Environments Affected  Relevant COBIT Topics  Theory  Best Practices  Misconceptions  Code Snippets OWASP
    20. 20. Testing Guide v2: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors OWASP 20
    21. 21. What Is the OWASP Testing Guide? Information Gathering Testing Principles Business Logic Testing Testing Process Authentication Testing Custom Web Applications Session Management Testing Black Box Testing Data Validation Testing Grey Box Testing Denial of Service Testing Risk and Reporting Web Services Testing Appendix: Testing Tools Ajax Testing Appendix: Fuzz Vectors OWASP 21
    22. 22. Soc08 version 3  Improve version 2  improved 9 articles  Total of 10 Testing categories and 66 controls.  New sections and controls  Configuration Management  Authorization Testing  36 new articles  New Encoded Injection Appendix; OWASP
    23. 23. How the Guide helps the security industry A structured approach to the testing activities  Testers A checklist to be followed  A learning and training tool  A tool to understand web vulnerabilities and  Organisations their impact A way to check the quality of security tests  More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the testing groups and its ‘customers’. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security of our applications OWASP 23
    24. 24. Tools  Best known OWASP Tools WebGoat WebScarab Remember: A Fool with a Tool is still a Fool OWASP
    25. 25. Tools – At Best 45%  MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE)  They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true) OWASP 25
    26. 26. OWASP WebGoat OWASP 26
    27. 27. OWASP WebScarab OWASP 27
    28. 28. OWASP CSRFTester OWASP 28
    29. 29. OWASP CSRFGuard 2.0 OWASP CSRFGuard  Adds token to: Verify Token  href attribute  src attribute  hidden field in all forms User Business (Browser) Processing  Actions:  Log Add Token to HTML  Invalidate  Redirect OWASP 29
    30. 30. Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Enterprise Security API Exception Handling The OWASP Enterprise Security API Custom Enterprise Web Application Logger IntrusionDetector OWASP Existing Enterprise Security Services/Libraries SecurityConfiguration 30
    31. 31. Coverage OWASP Top Ten OWASP ESAPI A1. Cross Site Scripting (XSS) Validator, Encoder A2. Injection Flaws Encoder A3. Malicious File Execution HTTPUtilities (upload) A4. Insecure Direct Object Reference AccessReferenceMap A5. Cross Site Request Forgery (CSRF) User (csrftoken) A6. Leakage and Improper Error Handling EnterpriseSecurityException, HTTPUtils A7. Broken Authentication and Sessions Authenticator, User, HTTPUtils A8. Insecure Cryptographic Storage Encryptor A9. Insecure Communications HTTPUtilities (secure cookie, channel) A10. Failure to Restrict URL Access AccessController OWASP
    32. 32. Create Your ESAPI Implementation Your Security Services Wrap your existing libraries and services Extend and customize your ESAPI implementation Fill in gaps with the reference implementation Your Coding Guideline Tailor the ESAPI coding guidelines Retrofit ESAPI patterns to existing code OWASP 32
    33. 33. OWASP CLASP  Comprehensive, Lightweight Application Security Process Prescriptive and Proactive Centered around 7 AppSec Best Practices Cover the entire software lifecycle (not just development)  Adaptable to any development process  CLASP defines roles across the SDLC  24 role-based process components  Start small and dial-in to your needs OWASP 33
    34. 34. The CLASP Best Practices 1. Institute awareness programs 2. Perform application assessments 3. Capture security requirements 4. Implement secure development practices 5. Build vulnerability remediation procedures 6. Define and monitor metrics 7. Publish operational security guidelines OWASP 34
    35. 35. SDLC & OWASP Guidelines Framework OWASP OWASP 35
    36. 36. Want More ? OWASP .NET Project OWASP JBroFuzz   OWASP ASDR Project OWASP Java Project   OWASP AntiSamy Project OWASP LAPSE Project   OWASP AppSec FAQ Project OWASP Legal Project   OWASP Application Security Assessment Standards Project OWASP Live CD Project   OWASP Application Security Metrics Project OWASP Logging Project   OWASP Application Security Requirements Project OWASP Orizon Project   OWASP CAL9000 Project OWASP PHP Project   OWASP CLASP Project OWASP Pantera Web Assessment Studio Project   OWASP CSRFGuard Project OWASP SASAP Project   OWASP CSRFTester Project OWASP SQLiX Project   OWASP Career Development Project OWASP SWAAT Project   OWASP Certification Criteria Project OWASP Sprajax Project   OWASP Certification Project OWASP Testing Project   OWASP Code Review Project OWASP Tools Project   OWASP Communications Project OWASP Top Ten Project   OWASP DirBuster Project OWASP Validation Project   OWASP Education Project OWASP WASS Project   OWASP Encoding Project OWASP WSFuzzer Project   OWASP Enterprise Security API OWASP Web Services Security Project   OWASP Flash Security Project OWASP WebGoat Project   OWASP Guide Project OWASP WebScarab Project   OWASP Honeycomb Project OWASP XML Security Gateway Evaluation Criteria Project   OWASP Insecure Web App Project OWASP on the Move Project   OWASP Interceptor Project  OWASP 36
    37. 37. SoC2008 selection OWASP Code review guide, V1.1  The Ruby on Rails Security Guide v2  OWASP UI Component Verification Project (a.k.a.  OWASP JSP Testing Tool) Internationalization Guidelines and OWASP-Spanish  Project OWASP Application Security Desk Reference  (ASDR) OWASP Application Security Tool Benchmarking  Environment and Site Generator refresh OWASP .NET Project Leader  Teachable Static Analysis Workbench OWASP Education Project   OWASP Positive Security Project The OWASP Testing Guide v3   GTK+ GUI for w3af project OWASP Application Security Verification Standard   OWASP Interceptor Project - 2008 Update Online code signing and integrity verification   service for open source community (OpenSign Skavenger  Server) SQL Injector Benchmarking Project (SQLiBENCH)  Securing WebGoat using ModSecurity  OWASP AppSensor - Detect and Respond to Attacks  OWASP Book Cover & Sleeve Design from Within the Application  OWASP Individual & Corporate Member Packs, Owasp Orizon Project   Conference Attendee Packs Brief OWASP Corporate Application Security Rating Guide  OWASP Access Control Rules Tester  OWASP AntiSamy .NET  OpenPGP Extensions for HTTP - Enigform and  Python Static Analysis  mod_openpgp OWASP Classic ASP Security Project  OWASP-WeBekci Project  OWASP Live CD 2008 Project  OWASP Backend Security Project  OWASP 37
    38. 38. OWASP Projects Are Alive! 2009 … 2007 2005 2003 2001 OWASP 38
    39. 39. Agenda OWASP Introduction OWASP Project Parade OWASP Near You? OWASP 39
    40. 40. 56 videos - 40 h OWASP 40
    41. 41. Upcoming Conferences  February 2009 - Day 3 Italy OWASP Day III: quot;Web Application Security: research meets industryquot; 23rd February 2009 - Bari (Italy)  February 2009 - OWASP AppSec Australia 2009 - Gold Coast Training & Conference, Gold Coast Convention Center, QLD Australia  March 2009 - OWASP Front Range Conference March 5th, 2nd Annual 1-Day Conference in Denver, Colorado  May 2009 - OWASP AppSec Europe 2009  Poland May 11th - 14th - Conference and Training, Qubus Hotel, Krakow, Poland  Back to back with Confidence09  June 2009 - OWASP AppSec - Dublin Ireland  October 2009 - OWASP AppSec US 2009 - Washington, D.C. OWASP 41
    42. 42. German Chapter Meetings Local Mailing List Presentations & Groups Open forum for discussion Meet fellow InfoSec professionals Create (Web)AppSec awareness Local projects? OWASP
    43. 43. Subscribe to German Chapter mailing list Post your (Web)AppSec questions Keep up to date! Get OWASP news letters Contribute to discussions! OWASP 43
    44. 44. That’s it… Any Questions? Thank you! OWASP 44