Owasp Serbia overview

Presentation held 09.04.2012. in Belgrade. Overview of OWASP and OWASP Serbia Local Chapter.


  1. OWASP Serbia Overview
     Nikola Milošević, OWASP Serbia Local Chapter Leader, P3 Communications, nikola.milosevic@owasp.org
     9.4.2012.
     Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  2. What is OWASP
     • Professional organization
     • Professionals, students, companies, universities
     • Awareness
     • Standards
     • Tools
     • Distributed, global peers
  3. Mission
     Make application security visible so that people and organizations can make informed decisions about true application security risk.
     What causes?
     • Immediate causes – vulnerabilities themselves
     • Developers and operators
     • Organizational structure, development process, supporting technology
     • Increasing connectivity and complexity
     • Legal and regulatory environment
     • Asymmetric information in the software market
  4. OWASP Core Values
     • OPEN – Everything at OWASP is radically transparent, from our finances to our code.
     • INNOVATION – OWASP encourages and supports innovation/experiments for solutions to software security challenges.
     • GLOBAL – Anyone around the world is encouraged to participate in the OWASP community.
     • INTEGRITY – OWASP is an honest and truthful, vendor agnostic, global community.
  5. OWASP Code of Ethics
     • Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
     • Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
     • To communicate openly and honestly;
     • Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association;
     • To maintain and affirm our objectivity and independence;
     • To reject inappropriate pressure from industry or others;
  6. Why should I care about security?
  7. Why should I care about security?
     • Increased frequency of attacks
     • Complexity of malware
     • Hacktivism
     • Online crime
     • Internet warfare
     • Technological espionage
     • Cracking
     • Etc...
  8. OWASP Projects – General
     3 groups:
     • Protect – Tools and docs used to protect
     • Detect – Tools and docs used to find
     • Life Cycle – Tools and docs used to add security related activities in the Software Development Lifecycle
     Everyone can start a project, after review and acceptance from the Global Committee.
  9. OWASP Projects – OWASP Top 10
  10. OWASP Projects – OWASP Application Security Verification Standard
     • OWASP Standardization
     • The first internationally-recognized standard for conducting application security assessments.
     • Security testing and code review techniques
     • Covers both automated and manual approaches for assessing
     • Web application – released
     • Web services – in progress
  11. OWASP Projects – OWASP Live CD
     Content
  12. OWASP Projects – OWASP Frameworks
     • OWASP AntiSamy Project (Java, .NET) – API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks
     • OWASP Enterprise Security API (ESAPI) – Free and open collection of all the security methods that a developer needs to build a secure web application.
     • OWASP ModSecurity Rule Set Project – web application firewall engine; generic protection from unknown vulnerabilities often found in web applications
  13. OWASP Projects – OWASP Guides
     • OWASP Development Guide
     • OWASP .NET Project
     • OWASP Ruby on Rails Security Guide
     • OWASP Secure Coding Practices – Quick Reference
     • OWASP Code Review Guide
     • OWASP Testing Guide
     • OWASP Legal Project
  14. OWASP Projects – OWASP Tools
     • OWASP JBroFuzz Project – JBroFuzz is a web application fuzzer for requests being made over HTTP or HTTPS
     • OWASP WebScarab Project – Tool for performing all types of security testing on web applications and web services
     • OWASP Zed Attack Proxy – penetration testing tool for finding vulnerabilities in web applications; used by people with a wide range of security experience; Toolsmith tool of the year 2011
  15. OWASP Projects – OWASP WebGoat
     • Educational project
     • Want to learn how to test security on a web app? Try WebGoat!
     • Learn to perform the OWASP Top 10
     • Other Goat projects: GoatDroid, iGoat
  16. OWASP Local chapters – Overview
     • 94 Countries
     • 288 Local Chapters
  17. OWASP Local chapters – Overview
     • Local communities
     • Working on raising awareness of IT Security: management level, developer level, ordinary people
     • Knowledge sharing
     • Local chapters contribute to OWASP projects
     • Guided by the Local Chapter Handbook
  18. AppSec conferences
     OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of the art in application security.
     Started in 2004 in the USA, 2005 in Europe.
     Global AppSec conferences:
     • AppSec Asia-Pacific – 11–14 April, Sydney, Australia
     • Global AppSec Research – 10–13 July, Athens, Greece
     • AppSec North America – 22–26 Oct, Austin, TX
     • AppSec Latin America – 14–16 Nov, Buenos Aires, Argentina
  19. AppSec conferences
     • Regional and Local AppSec Conferences
     • OWASP Day – usually a one-day conference
     • One or more days
  20. Academic partners
  21. Sponsors
     Content
  22. Google Summer of Code 2012
     OWASP is officially selected as a GSoC mentoring organization.
     1) Think of a good idea – For reference see GSoC 2012 Ideas
     2) Do some research yourself based on the idea, write up a proposal draft
     3) Post it to the mailing list at gsoc@lists.owasp.org for initial discussions with OWASP mentors.
     4) Based on feedback, write a full proposal – See template: https://www.owasp.org/index.php/GSoC_SAT
     5) Submit your proposal to Google from March 26–April 6, 2012.
     April – August: coding
  23. Local Chapter Serbia
     • Local chapter meetings – every month
     • Spreading the awareness, do the PR
     • OWASP day – hopefully
     • Competition
     • Working groups – PR, FR, IT...
     • Contribute to global projects
     • Any other ideas?
  24. Questions and Discussion