how to secure web applications with owasp - isaca sep 2009 - for distribution
Transcript

  • 1. How to secure web applications with OWASP. Santosh Satam, Head, Technical Services, MIEL
  • 2. No noble thing can be done without risks. Michel De Montaigne © 2009 MIEL eSecurity Pvt Ltd Confidential 2
  • 3. Due care has been taken to make this Presentation as accurate as possible. Certain statements made in this presentation may not be based on historical information or facts and may be “forward looking statements” and may be subject to risks and uncertainties that could cause actual results to differ materially and adversely from those that may be projected by such forward looking statements. MIEL makes no representation or warranties with respect to the contents hereof and shall not be responsible for any loss or damage caused to the user by the direct or indirect use of this Presentation. MIEL may alter, modify or otherwise change in any manner the content hereof, without obligation to notify any person of such revision or changes. All company and product names are trademarks of the respective companies with which they are associated. COPYRIGHT © 2009 MIEL e-Security Pvt. Ltd. All rights reserved. Softcopy Name : MIEL – OWASP Presentation – ISACA Sep 2009 Published Date : Sep 2009 Author : Santosh Satam
  • 4. Agenda
    - Introduction to Application Security
    - OWASP Projects
    - Way Forward
  • 5. You have been appointed as Head of Application Security. Your first task is to define a roadmap for application security...
  • 6. You started digging into the maze of applications...
  • 7. The application landscape
    - COTS (Commercial Off the Shelf) Applications
    - In-house Developed Applications
    - Legacy Systems
    - Interfaces to External Systems
    - Support Applications
    - Open Source Applications
    - Applications Hosted in the Cloud (SaaS)
  • 8. Even after two weeks you are still struggling...
  • 9. Stakeholders in Application Security
    - Top Management
    - Auditors
    - BU Heads
    - IT/Network Admin
    - Quality Assurance
    - Project Managers
    - Architects
    - Developers
  • 10. OWASP will help you!!
  • 11. What is OWASP? OWASP, the Open Web Application Security Project, is an open group focused on understanding and improving the security of web applications and web services!
  • 12. Who is using OWASP?
  • 13. SDLC is King
    - Requirements
    - Design
    - Development
    - Testing
    - Deployment
  • 14. OWASP – Guides throughout the SDLC
  • 15. Requirements Phase
    OWASP methods:
    - Identify Security Requirements
    - Identify Mis-use Cases
    - Identify Attack Surface
    - Identify Deployment Scenarios
    OWASP tools:
    - Free Tools: WebGoat Training Tool
    - Projects: Web AppSec Guide
  • 16. Requirements Phase – Define Security Requirements (business requirement -> security requirement)
    - The application stores credit card data that must be protected. -> Strong encryption should be used to protect the sensitive customer data.
    - The application transmits sensitive user information over the un-trusted network. -> Communication channels must be encrypted.
    - The application must be available 24x7. -> Mitigate denial of service attacks.
    - The application takes user input and uses SQL. -> SQL injection should be mitigated by input validation.
  • 17. Requirements Phase – Car Security Mis-use Case
    - Use case: Drive the Car
    - Mis-use case: Steal the Car (threatens Drive the Car)
    - Mitigation: Lock the Car (mitigates Steal the Car)
    - Mis-use case: Short the Ignition (threatens Lock the Car)
    - Mitigation: Lock the Transmission (mitigates Short the Ignition)
  • 18. Requirements Phase – Identify Attack Surface
  • 19. Requirements Phase – Identify Deployment Scenarios
    - Infrastructure Security
    - Scalability
    - Secure Communication
    - Compliance
  • 20. Design Phase
    OWASP methods:
    - Security Principles
    - Threat Modeling
    OWASP tools:
    - Free Tools: WebGoat Training Tool
    - Projects: Enterprise Security API (ESAPI), AntiSamy (Java Project), AntiSamy (.Net Project)
  • 21. Design Phase – Security Principles
  • 22. Design Phase – Threat Modeling
    - Identify Assets
    - Decompose Application
    - Identify Threats and Vulnerabilities
    - Document Threats
    - Rate Threats
    - Mitigate Threats
  • 23. Design Phase – OWASP ESAPI
  • 24. Development Phase
    OWASP methods:
    - Input Validation
    - Output Handling
    - Session Handling
    - Error Handling
    - Configuration Management
    - Cryptography
    - Secure Code Review
    OWASP tools:
    - Free Tools: WebScarab Proxy, ASP.NET Analyzers
    - Projects: Web AppSec Guide, Code Review Project, AppSec Metrics
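Slide 16 maps "takes user input and uses SQL" to input validation, and slide 24 lists Input Validation and Output Handling as development-phase methods. The Python below is an added example, not code from the presentation or from OWASP ESAPI: it puts the concatenated query that requirement targets beside a hardened version that combines allow-list validation with a parameterized query, and encodes output before it reaches HTML. The customer table and the SQLite engine are assumptions for the demonstration.

```python
import html
import re
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# application's customer database (the slides name no engine; this is an assumption).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
_conn.executemany("INSERT INTO customers (name, city) VALUES (?, ?)",
                  [("Asha", "Mumbai"), ("Ravi", "Pune"), ("Meera", "Mumbai")])

# Input validation: an allow-list for the city search field. Rejecting anything
# outside the list is safer than trying to strip "bad" characters.
CITY_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,39}")


def validate_city(value: str) -> str:
    if not CITY_RE.fullmatch(value):
        raise ValueError("city must be 1-40 letters, spaces, dots, apostrophes or hyphens")
    return value


def find_customers_unsafe(city: str) -> list:
    """The pattern slide 16's requirement targets: user input concatenated into SQL,
    so a quote in the input changes the query instead of being treated as data."""
    sql = f"SELECT name FROM customers WHERE city = '{city}' ORDER BY name"
    return [row[0] for row in _conn.execute(sql)]


def find_customers(city: str) -> list:
    """Hardened version: allow-list validation first, then a parameterized query so
    the value is bound as data even if the validation rule is later loosened."""
    city = validate_city(city)
    rows = _conn.execute("SELECT name FROM customers WHERE city = ? ORDER BY name", (city,))
    return [row[0] for row in rows]


def render_names(names: list) -> str:
    """Output handling: encode every value before it is placed into HTML, so a
    stored name containing markup is displayed rather than interpreted."""
    return "".join(f"<li>{html.escape(name)}</li>" for name in names)


if __name__ == "__main__":
    print(render_names(find_customers("Mumbai")))
```

Validation alone is a first line of defence; the parameterized query is what keeps the requirement satisfied when the allow-list has to widen for legitimate data.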
  • 25. Testing Phase
    OWASP methods:
    - Manual Inspection
    - Threat Modeling
    - Code Review
    - Penetration Testing
    OWASP tools:
    - Free Tools: LiveCD
    - Projects: OWASP Top 10, Testing Project
  • 26. OWASP Top 10
    - A1 – Cross Site Scripting (XSS)
    - A2 – Injection Flaws
    - A3 – Insecure Remote File Include
    - A4 – Insecure Direct Object Reference
    - A5 – Cross Site Request Forgery (CSRF)
    - A6 – Information Leakage and Improper Error Handling
    - A7 – Broken Authentication and Session Management
    - A8 – Insecure Cryptographic Storage
    - A9 – Insecure Communications
    - A10 – Failure to Restrict URL Access
  • 27. Code Review
    - Code review helps to find vulnerabilities that may not be discoverable in a black-box/zero-knowledge testing scenario.
    - It covers the following areas: syntactical, business logic, infrastructure.
  • 28. OWASP – LiveCD Tools
    1. OWASP WebScarab
    2. OWASP WebGoat
    3. OWASP CAL9000
    4. OWASP JBroFuzz
    5. Paros Proxy
    6. nmap & Zenmap
    7. Wireshark
    8. tcpdump
    9. Firefox 3
    10. Burp Suite
    11. Grendel-Scan
    12. OWASP DirBuster
    13. OWASP SQLiX
    14. OWASP WSFuzzer
    15. Metasploit 3
    16. w3af & GTK GUI for w3af
    17. Netcats collection
    18. OWASP Wapiti
    19. Nikto
    20. Fierce Domain Scanner
    21. Maltego CE
    22. Httprint
    23. SQLBrute
    24. Spike Proxy
    25. Rat Proxy
  • 29. Deployment Phase
    OWASP methods:
    - System Hardening
    - Power-on Sequence
    - Secure Transmission
    - Database Security
    OWASP tools:
    - Free Tools: LiveCD
    - Projects: Web AppSec Guide, Testing Project
  • 30. Summary
    - Implement Application Security Practices in the Development Process
    - Conduct Awareness Programs on Application Security
    - Conduct Code Reviews
    - Test, Test and Test each and every application before it is put into Production
    “Prevention is always better than Cure”
  • 31. Take a Systemic Approach
  • 32. Useful Links
    - Open Web Application Security Project (OWASP): http://www.owasp.org
    - SANS: http://www.sans.org
    - CERT: http://www.cert.org
    - ISACA: http://www.isaca.org
    - Security Focus: http://www.securityfocus.com
    - Microsoft Security: http://microsoft.com/security/
    - IBM: http://www-106.ibm.com/developerworks/linux/library/
    - The Web Application Security Consortium (WASC): http://www.webappsec.org/
    - The Web Hacking Incidents Database: http://www.webappsec.org/projects/whid/
  • 33. Application Security – Certifications
    - CSSLP – Certified Secure Software Lifecycle Professional: http://www.isc2.org/csslp/
    - CSSLP CBK domains:
      - Secure Software Concepts
      - Secure Software Requirements
      - Secure Software Design
      - Secure Software Implementation/Coding
      - Secure Software Testing
      - Software Acceptance
      - Software Deployment, Operations, Maintenance and Disposal
  • 34. OWASP Application Security – Forthcoming Conference
  • 35. Discussion. Santosh Satam, Head – Technical Services, CISA | CISM | CISSP | CSSLP, MIEL e-Security Pvt. Ltd. E-mail: ssatam@mielesecurity.com
