Meet the OWASP

Web security track - opening talk:
OWASP & OWASP Switzerland

Swiss Cyber Storm 3 (Rapperswil, May 2011)

Original PowerPoint slides can be downloaded and re-used under the following conditions:
- you're free to copy, distribute and transmit the work
- you're free to adapt the work
- if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar rights as this one

  • 1) Web frontends, Web 2.0 portals, intranets / extranets for b/c/c services, VPN over SSL, web services, SOAs, online APIs, … Access to public services, personal data, business automation, etc. 2) The value of information / service. 3) Governments, competitors, disgruntled people, hackers…? 4) The advantage of not being “there”: “blacklist” countries (from a legal perspective).
  • Basic context: threat exercise on a web-facing entity, potentially exposing company assets. Need for information, visibility. Achieved with people, methods and tools. OWASP creates the necessary ecosystem to build up these 3 components. Visibility on app security is then brought to the company.
  • Statistics indicate the major search terms being support for XSS defense and understanding SQL injection. Although very "basic" and quite old, SQL injection remains a major search term; the message STILL needs to be transmitted. Do not OVERESTIMATE!!!
  • Coverage across the development lifecycle
  • Objective: Help you identify what OWASP can provide you. Help you identify opportunities for internal secure development. Help you identify opportunities for secure COTS/outsourced software vendor agreements. Help you identify material that you can use to leverage your relation with your security services/product provider.

Transcript

  • 1. Open Web Application Security Project
    Antonio Fontes
    antonio.fontes@owasp.org
    SWISS CYBER STORM Conference – May 2011, Rapperswil
  • 2. A few words about me
    Antonio Fontes
    6 years background working on software security & privacy
    Founder and principal consultant at L7 Securité Sàrl
    Lecturer at HST Yverdon (HEIG-VD)
    Focus:
    Web application threats and countermeasures
    Secure development lifecycle
    Penetration testing and vulnerability assessment
    Software threat modelling and risk analysis
    OWASP:
    OWASP Switzerland : member of the board, western Switzerland delegate
    OWASP Geneva: Chapter leader
    12/05/2011
    Swiss Cyber Storm III - May 2011 - Rapperswil
    2
  • 3. cat /wwwroot/agenda.html
    Why do organizations need OWASP?
    OWASP worldwide
    OWASP in Switzerland
    Q/A
  • 4. Thermometer:
    “Is your organization already using OWASP material?”
    - For internal software development?
    - For outsourced custom software?
    - For COTS acquisition?
    photo by Dave Oshry
  • 5. Why do organisations need OWASP?
  • 6. Why do organisations need OWASP?
  • 7. Why do organisations need OWASP?
    101 million users!
    77 million users!
  • 8. Why do organisations need OWASP?
    Handout from the Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen. (May 1st, 2011)
    photo by Dave Oshry
  • 9. Why do organisations need OWASP?
  • 10. Just a little check:
    “Who knows PBKDF2?”
  • 11. Why do organisations need OWASP?
    Who understands this in your organisation?
  • 12. Why do organisations need OWASP?
    Use hashes!!
    No! Don't use hashes!!
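Slide 10 asks who knows PBKDF2 and slide 12 contrasts "use hashes" with "don't use hashes"; the point behind both is that a bare hash is not a password store. The following Python is an added example, not code from the talk, from OWASP or from ESAPI: it puts an unsalted SHA-256 next to a salted, iterated PBKDF2-HMAC-SHA256 record with constant-time verification. The iteration count, salt length and the `algo$iterations$salt$dk` record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not values from the talk).
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16        # per-password random salt


def naive_hash(password: str) -> str:
    """The 'use hashes!!' approach: one unsalted SHA-256 over the password.
    Two users with the same password get the same digest, and the digest
    can be attacked with precomputed tables or fast brute force."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns a self-describing record,
    algo$iterations$salt_hex$dk_hex (format is an assumption), so the work
    factor can be raised later without breaking records already stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so the comparison itself leaks nothing about the digest.
    Any malformed or foreign record simply fails verification."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != ALGO:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def same_password_same_digest(password: str, hasher) -> bool:
    """True when hashing one password twice gives identical output, i.e. when
    the scheme lets anyone holding the table spot users sharing a password."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("naive hash repeats:  ", same_password_same_digest(pw, naive_hash))
    print("pbkdf2 hash repeats: ", same_password_same_digest(pw, pbkdf2_hash))
    record = pbkdf2_hash(pw)
    print("stored record:       ", record)
    print("verify correct:      ", verify(pw, record))
    print("verify wrong:        ", verify("Tr0ub4dor&3", record))
```

The salt is what makes two identical passwords produce different records, and the iteration count is what makes each guess expensive for an attacker who obtains the table; the self-describing record is what lets an organisation raise that count over time, which is the kind of decision slide 11 asks who in the organisation is able to take.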
  • 13. Why do organisations need OWASP?
    Outside the organisation:
    Increasing adoption of “Anything over HTTP”
    Increasing “hostile” interest in online services:
    Increasing “threat population”
    Web hacking/security is easy to understand/teach
    Low risk of being “caught”
    Increasing offer in security consulting, services and products
  • 14. Why do organisations need OWASP?
    Inside organisations:
    Developers dealing with dozens of web technologies
    Heterogeneous development teams and lifecycles
    Constant pressure for delivery
    Turnover and loss of internal know-how
    Who in the company is actually both up-to-date on the concept of “(web) applications security” and has the power to take decisions?
    Who in the company is actually able to qualify security products and services that are paid for?
  • 15. Why do organisations need OWASP?
    (Timeline: 2001, 2003, 2005, 2007, 2010, 2011)
  • 16. OWASP foundation
    “Make application security visible, so that people and organisations can make informed decisions about application security risks.”
    U.S. 501c3 not-for-profit charitable international organization
    Structure
    Mission
    Core values
    Code of ethics
    Open, Global, Innovation, Worldwide
    Independence from vendors, technology-agnostic
  • 17. "strategy"
    (Diagram; only its labels survive: Threat → Web Application → Company assets; People, Methods, Tools; Website, Board, Committees, Summit, Chapters, Projects, Conferences, Members; ?)
  • 18. OWASP people
  • 19. Project Leaders
    Driving volunteers effort on OWASP material projects:
    Workshops
    Brainstorming sessions
    Analysis/reporting
    Guides editing
    Tools coding
    19 quality-release and 26 beta-status projects
  • 20. Chapter Leaders
    Leading Local Chapters meetings:
    188 Chapters worldwide
    More than 300 yearly meetings worldwide
    Connection with local organisations
    Next local chapter meeting:
    Zurich – June 14th
  • 21. Global Committees
    Driving volunteers effort on global/focused OWASP outreach.
    Active Global Committees:
    Industries
    Membership
    Government
    Education
    Projects
    Events
    Connections
  • 22. Full-time
    Kate Hartmann
    Logistics and day-to-day support for leaders of the 188 local chapters
    Alison Shrader
    Accounting & Administration
    Paulo Coimbra
    PMO
    Sarah Basso
    Operations before/during/after OWASP events
  • 23. Conference dedicated to research work on application security
    Conferences: research
  • 24. Yearly global application security focused conferences:
    Europe
    North America
    South America
    Asia
    Conferences: Appsec
    Next OWASP Conference in Europe:
    Dublin – June 7th-10th 2011
  • 25. Intensive 1-week workshop event with leaders, contributors, sponsors and software vendors:
    Ability to connect with leading software vendors and corporate members
    More than 150 reunited chapter & project leaders
    80 workshops
    The Summit
  • 26. OWASP members
  • 27. OWASP Membership
    Individual members:
    Annual fee: 50$/year
    Free access to OWASP Training day events
    Reduced fees at OWASP Events
    Current count:
    1383 individual contributing members
  • 28. OWASP Membership
    Corporate members:
    52 public corporate members
    Annual fee: 5’000$/year
    Delegates for the Summit event
    Logo on website, use as marketing argument
    Majority is from the US, but Switzerland is also there
  • 29. OWASP Membership
    Academic members:
    Annual fee: 0$/year
    Donate: support
    40 members
    Switzerland:
    1 officialised partnership (HEIG-VD)
    2 pending partnerships
  • 30. OWASP: the web portal
  • 31. https://www.owasp.org
    250’000 unique visitors monthly
    650’000 pages viewed monthly
    60% driven by search engines
    19% referred by other websites
    Highest traffic motives:
    OWASP Top 10
    Webscarab project
    XSS prevention cheat sheet
    “sql injection”
  • 32. http://lists.owasp.org
    More than 400 mailing lists currently running
    25’900 memberships
    About: tools, documents, methods, committees, events, outreach, leaders, etc.
  • 33. OWASP projects
  • 34. OWASP projects: Tools
    Lifecycle phases: Analyze, Design, Implement, Verify, Deploy, Respond
    Tools mapped across the lifecycle: ModSecurity CRS, JBroFuzz, AntiSamy, LiveCD, ESAPI, DirBuster, WebScarab, CSRFGuard, O2, Orizon, Encoding, Code Crawler, Zed Attack Proxy, Stinger
    Academy portal, Broken Web applications, ESAPI Swingset, WebGoat
  • 35. OWASP projects: Documents
    Lifecycle phases: Analyze, Design, Implement, Verify, Deploy, Respond
    Documents mapped across the lifecycle: Secure contract, Development, Code Review, Backend Security, Threat risk modeling, J2EE Security, Testing, Application security requirements, RoR Security, ASVS, .NET Security, AJAX Security, PHP Security, Secure coding practices
    Academy, Appsec FAQ, Appsec metrics, Common Vuln. List, Education, Exams, Legal, OWASP Top 10
  • 36. Tools: WebGoat
    COTS web application for webapp security (CBT) training
    Click and run
    /index.php/Webgoat
  • 37. Tools: ModSecurity core ruleset
    Critical protections centralised in a core rule set (CRS) to be installed on ModSecurity-enabled Apache servers
    Provides:
    HTTP Protocol compliance
    Attack detection
    Error detection
    Search engine monitoring
    https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
  • 38. Tools: Enterprise Security API
    Control library encapsulating most security functions required in web applications:
    Authentication
    Access control
    Sessions
    Encoding
    Input validation
    Encryption
    Logging
    Intrusion detection

    https://www.owasp.org/index.php/ESAPI
  • 39. Documents: OWASP Top 10
    https://www.owasp.org/index.php/Top10
  • 40. Documents: code review guide
    Instructions and methodology manual for conducting code security reviews
    Guidance on detecting the major security flaws created during implementation
    https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
  • 41. Documents: ASVS
    ASVS: Application Security Verification Standard
    4 verification (assurance) levels across more than 120 security controls
    Tailored to your own risk aversion
    https://www.owasp.org/index.php/ASVS
  • 42. Documents: OpenSAMM
    Open Software Assurance Maturity Model
    https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
  • 43. OWASP Switzerland
  • 44. OWASP Switzerland's structure
    No legal form (yet; just a few days left)
    Leader: Sven Vetsch
    Board members: Tobias Christen, Antonio Fontes
    Based in Zurich
    130 mailing list members
    Next meeting: June 14th
    Other local city/region chapters:
    OWASP Geneva
    90 list members
    Next meeting: September 6th
  • 45. Activities: meetings and conferences
    Local chapter meetings:
    1, 2 or 3 speakers per event
    Geneva, Yverdon, Zurich
    ~8 meetings/year
    Attendance: 15-100 people
    People love these meetings!
    (Historical) conference partnerships:
  • 46. Activities: awareness sessions
    Awareness session for Swiss organizations:
    1 hour, head-to-head session with an OWASP representative at your company
    Syllabus: OWASP organization, OWASP projects and membership opportunities
    4 Swiss private companies requested this in 2010
    It’s free!
    BUT: it’s not free training or consulting!!
    No product names. No "reviews". No training.
  • 47. Swiss speakers and contributors (non-exhaustive list, sorry for those I forgot)
    Ivan Butler: Web application firewall & Hacking lab
    Tobias Christen: Security & Usability
    Alexis Fitzgerald : Gathering application security requirements
    Christian Folini: ModSecurity CRS & DDoS defense
    Antonio Fontes : Threat modelling & Lifecycle security
    Axel Neumann: Zed Attack Proxy
    Sylvain Maret : Strong authentication
    Pierre Parrend : Java mobile applications
    Sven Vetsch : Advanced XSS attacks and defense
    ... come to me after the talk if you want your name here
  • 48. Visit the OWASP Website: https://www.owasp.org
    Join the OWASP Switzerland mailing list: http://www.owasp.ch
    Follow us on Twitter: @OWASP_ch / @OWASP
    Get in touch with your local OWASP representatives:
    Sven Vetsch (Switzerland): sven.vetsch@disenchant.ch
    Antonio Fontes (Western/French Switzerland): antonio.fontes@owasp.org
    Thank you!