CSSLP & OWASP 2010 & WebGoat, by Surachai.C (presentation)
Transcript

  • 1. Certified Secure Software Lifecycle Professional (CSSLP). Master's Degree in Management Information Systems (MSMIS), Faculty of Commerce and Accountancy, Thammasat University. 05-April-2010. Surachai Chatchalermpun
  • 2. Speaker Profile: CSSLP, ECSA, LPT
  • 3. Agenda Challenges Today… What is CSSLP? What is OWASP? What is WebGoat? WebGoat Lesson!
  • 4. Challenges Today… • Over 70% of breaches of security vulnerabilities exist at the application level. (Gartner Group, 2005) • Software is often not developed with security in mind • Targeted, financially motivated attacks continue to rise • Attacks are moving up the application stack • New technology waves keep on coming -- there are still numerous emerging threat vectors which require increased spending in certain security sub-segments. Source: Global Information Security & IT Security Personnel Development in USA – trend and hurdles, Prof. Howard A. Schmidt
  • 5. Source: Issue number 9 Info Security Professional Magazine
  • 6. W. Hord Tipton, CISSP- ISSEP, CAP, CISA (ISC)² Executive Director
  • 7. What is the CSSLP? • Certified Secure Software Lifecycle Professional (CSSLP) • Base credential • Professional certification program • Takes a holistic approach to security in the software lifecycle • Tests candidates' competency (KSAs) to significantly mitigate the security concerns
  • 8. • Global leaders in certifying and educating information security professionals with the CISSP® and related concentrations, CAP® and SSCP®. • Established in 1989 – not-for-profit consortium of industry leaders. • More than 60,000 certified professionals in over 135 countries. • Board of Directors - top information security professionals worldwide. • All of our information security credentials are accredited under ANSI/ISO/IEC Standard 17024 and were the first technology-related credentials to receive this accreditation.
  • 9. Over 70% of breaches of security vulnerabilities exist at the application level.* * Gartner Group, 2005
  • 10. Purpose • Provide a credential that speaks to the individual’s understanding of and ability to deliver secure software through the use of best practices. • The target professionals for this Certification would be anyone who is directly and in some cases indirectly, involved in the Software Lifecycle.
  • 11. Software Lifecycle Stakeholder Chart (figure). Stakeholders shown around the Software Lifecycle: Top Management, Auditors, Business Unit Heads, Client Side PM, IT Manager, Industry Group, Delivery Heads, Security Specialists, Business Stakeholders, Application Owners, Analysts, Developers/Coders, Quality Assurance, Managers, Project Managers/Team Leads, Architects. Legend: Primary Target, Secondary Target, Influencers.
  • 12. Market Drivers • Security is everyone’s responsibility • Software vulnerabilities have emerged as a major concern • Off shoring of software development • Software is often not developed with security in mind • Desire to meet growing industry needs
  • 13. Certified Secure Software Lifecycle Professional (ISC)² CSSLP CBK 7 Domains: • Secure Software Concepts • Secure Software Requirements • Secure Software Design • Secure Software Implementation/Coding • Secure Software Testing • Software Acceptance • Software Deployment, Operations, Maintenance, and Disposal
  • 14. CSSLP Certification Requirements By Experience Assessment: • Experience Assessment will be open until March 31, 2009 • Candidate will be required to submit: – Experience Assessment Application – Signed candidate agreement and adherence to (ISC)² Code of Ethics – Detailed resume of experience – Four essay responses (between 250-500 words) detailing experience in four of the following knowledge areas: Applying Security Concepts to Software Development; Software Design; Software Implementation/Coding; Software Testing; Software Acceptance; Software Deployment, Operations, Maintenance, and Disposal – Fee of $650
  • 15. CSSLP Certification Requirements By Examination: • The first public exam will be held at the end of June 2009 • Candidate will be required to submit: – Completed examination registration form – Signed candidate agreement and adherence to the (ISC)² Code of Ethics – Proof of 4 years of FTE experience in the Software Development Lifecycle (SDLC) process, or 3 years plus a 1-year experience waiver for a degree in an IT-related field – Fee of $549 early-bird and $599 standard • Candidate will be required to: – Pass the official (ISC)² CSSLP certification examination – Complete the endorsement process • The Associate of (ISC)² Program will apply to those who have passed the exam but still need to acquire the necessary minimum experience requirements
  • 16. CSSLP CBK Overlap between other Certifications/Programs (figure). Programs shown: GSSP-C and GSSP-J (SANS) – Software Coder Certification Programs; CSSE (ISSECO) – Entry-level Education Program; CSSLP (ISC)² – Professional Certification Program; Software Assurance Initiative (DHS) – Awareness Effort; CSDA (IEEE) – Associate Level Certification Program; CSDP (IEEE) – Professional Status Certification Program; Vendor-Specific Credentials – Certificate of Completion.
  • 17. Future of CSSLP • International Marketing Efforts • ANSI/ISO/IEC17024 accreditation • Maintenance activities • Cert Education Program
  • 18. Hear what Anthony Lim, from IBM, has to say about CSSLP
  • 19. CSSLP Certification My CSSLP Certification
  • 20. Why is Web Application Security Important? • Easiest way to compromise hosts, networks and users. • Widely deployed. • No Logs! (POST Request payload) • Incredibly hard to defend against or detect. • Most don’t think of locking down web applications. • Intrusion detection is a joke. • Firewall? What firewall? I don’t see no firewall… • SSL Encrypted transport layer does nothing. Source: White Hat Security
  • 21. Web Application Hacking (figure: Outer DMZ Zone, Inner Server Farm Zone). Source: White Hat Security
  • 22. Your “Code” is Part of Your Security Perimeter (figure). Your security “perimeter” has huge holes at the “Application layer”. Application layer: custom developed application code, web services, legacy systems, human resource directories, databases, billing. Network layer: app server, web server, hardened OS, inner firewall, outer firewall. You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks. Source: White Hat Security
  • 23. The Web Application Security Risk • Web applications are vulnerable: – They expose their own vulnerabilities. – They change frequently, requiring constant tuning of application security. – They are complex and feature rich with the advent of AJAX, Web Services and Web 2.0 (and social networks). • Web applications are threatened: – New business models drive “for profit” hacking. – Attacks are performed by black hat professionals, enabling complex attacks. • Potential impact may be severe: – Web applications are used for sensitive information and important transactions. Source: White Hat Security
  • 24. Threat is Difficult to Assess • Web attacks are stealthy: – Victims hide breaches. – Incidents are not detected. • Statistics are skewed: – The number of incidents reported is statistically insignificant. Source: Breach Security
  • 25. Source: Web Hacking Incidents Database
  • 26. Source: Web Hacking Incidents Database
  • 27. Available Attack Sources • Zone-H (The Hacker Community) – http://www.zone-h.org – The most comprehensive attack repository, very important for public awareness. – Reported by hackers and focused on defacements. • WASC Statistics Project – http://www.webappsec.org • OWASP Top 10 – http://www.owasp.org
  • 28. Hacking Incidents (Defacement)
  • 29. Hacking Incidents (Defacement)
  • 30. Hacking Incidents (Defacement)
  • 31. Key Principle (figure). 3 Pillars of ICT (PPT): People, Process, Technology (Tool). 3 Pillars of Security (CIA): Confidentiality, Integrity, Availability, threatened respectively by Disclosure, Alteration, Disruption.
  • 32. Root Causes of Application Insecurity: PPT • People and Organization Examples – Lack of application security training – Roles & responsibilities not clear – No budget allocated • Process Examples – Underestimated risks – Missed requirements – Inadequate testing and reviews – Lack of metrics – Lack of implementing best practices or standards – No detection of attacks • Technology Examples – Lack of appropriate tools – Lack of common infrastructure – Configuration errors (figure: Missing or Inadequate Tools, Libraries, or Infrastructure; Missing or Inadequate Processes; Untrained People and Organizational Structure Issues; affecting Custom Code across Knowledge Mgmt, Communication, Administration, Bus. Functions, Transactions, E-Commerce, Accounts, Finance) Source: OWASP
  • 33. People / Processes / Technology (figure): Training, Awareness, Guidelines, Automated Testing, Secure Development, Application Firewalls, Secure Code Review, Security Testing, Secure Configuration
  • 34. SDLC & OWASP Guidelines Source: OWASP
  • 35. Source: OWASP
  • 36. Source: OWASP
  • 37. Source: OWASP
  • 38. Source: Microsoft
  • 39. CSSLP Certification What is OWASP? The Open Web Application Security Project (OWASP) is: A not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. Source: http://www.owasp.org
  • 40. OWASP Foundation has over 130 Local Chapters
  • 41.
  • 42. What is WebGoat? WebGoat is a deliberately insecure J2EE web application maintained by OWASP, designed to teach web application security lessons (OWASP Top 10). In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
  • 43. What is WebGoat?
  • 44. WebGoat Installation, Windows - (Download, Extract, Double Click Release) 1. To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat" 2. Start your browser and browse to (notice the capital 'W' and 'G'): http://localhost/WebGoat/attack 3. Log in as: user = guest, password = guest 4. To stop WebGoat, simply close the window you launched it from.
  • 45. WebGoat Lesson 1
  • 46. WebGoat Lesson 2
  • 47. WebGoat Lesson 3
  • 48. Solution: WebGoat Lesson 3
  • 49. Solution: WebGoat Lesson 3 – True OR ? = True
  • 50. WebGoat Lesson 4
  • 51. Solution: WebGoat Lesson 4
  • 52. WebGoat Lesson 5
  • 53. Solution: WebGoat Lesson 5 – Use Tamper Data (Firefox plug-in) to edit the variable value: AccessControlMatrix.help" | net user"
  • 54. Question & Answer. Thank You. Surachai Chatchalermpun, surachai.c@pttict.com