Meet the OWASP

Web security track - opening talk:
OWASP & OWASP Switzerland

Swiss Cyber Storm 3 (Rapperswil, May 2011)

Original PowerPoint slides can be downloaded and re-used under the following conditions:
- you're free to copy, distribute and transmit the work
- you're free to adapt the work
- if you alter, transform, or build upon this work, you may distribute the resulting work under the same or similar rights to this one

Published in: Technology
Slide notes:
  • 1) Web frontends, Web 2.0 portals, Intranets / Extranets for b/c/c services, VPN over SSL, Web services, SOAs, online APIs, … Access to public services, personal data, business automation, etc. 2) The value of information / service. 3) Governments, competitors, disgruntled people, hackers…? 4) The advantage of not being "there": "blacklist" countries (from a legal perspective).
  • Basic context: threat exercise on a web-facing entity, potentially exposing company assets. Need for information, visibility. Achieved with people, methods and tools. OWASP creates the necessary ecosystem to build up these 3 components. Visibility on app security is then brought to the company.
  • Statistics indicate the major search terms being support for XSS defense and understanding SQL injection. Although very "basic" and quite old, SQL injection remains a major search term: the message STILL needs to be transmitted, do not OVERESTIMATE!!!
  • Coverage across the development lifecycle
  • Objective: Help you identify what OWASP can provide you. Help you identify opportunities for internal secure development. Help you identify opportunities for secure COTS/outsourced software vendor agreements. Help you identify material that you can use to leverage your relation with your security services/product provider.

Transcript of "Meet the OWASP"

    1. Open Web Application Security Project
       Antonio Fontes
       antonio.fontes@owasp.org
       SWISS CYBER STORM Conference – May 2011, Rapperswil

    2. A few words about me
       Antonio Fontes
       6 years background working on software security & privacy
       Founder and principal consultant at L7 Securité Sàrl
       Lecturer at HST Yverdon (HEIG-VD)
       Focus:
       - Web application threats and countermeasures
       - Secure development lifecycle
       - Penetration testing and vulnerability assessment
       - Software threat modelling and risk analysis
       OWASP:
       - OWASP Switzerland: member of the board, western Switzerland delegate
       - OWASP Geneva: chapter leader
       Slide footer (repeated on every slide): 12/05/2011 - Swiss Cyber Storm III - May 2011 - Rapperswil

    3. cat /wwwroot/agenda.html
       - Why do organizations need OWASP?
       - OWASP worldwide
       - OWASP in Switzerland
       - Q/A

    4. Thermometer:
       “Is your organization already using OWASP material?”
       - For internal software development?
       - For outsourced custom software?
       - For COTS acquisition?
       photo by Dave Oshry
    5. Why do organisations need OWASP?

    6. Why do organisations need OWASP?

    7. Why do organisations need OWASP?
       101 million users!
       77 million users!

    8. Why do organisations need OWASP?
       Handout from Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen (May 1st, 2011).
       photo by Dave Oshry

    9. Why do organisations need OWASP?

    10. Just a little check:
        “Who knows PBKDF2?”

    11. Why do organisations need OWASP?
        Who understands this in your organisation?

    12. Why do organisations need OWASP?
        Use hashes!!
        No! Don't use hashes!!
    13. Why do organisations need OWASP?
        Outside the organisation:
        - Increasing adoption of “Anything over HTTP”
        - Increasing “hostile” interest in online services:
          - Increasing “threat population”
          - Web hacking/security is easy to understand/teach
          - Low risk of being “caught”
        - Increasing offer in security consulting, services and products

    14. Why do organisations need OWASP?
        Inside organisations:
        - Developers dealing with dozens of web technologies
        - Heterogeneous development teams and lifecycles
        - Constant pressure for delivery
        - Turnover and loss of internal know-how
        - Who in the company is actually both up-to-date on the concept of “(web) application security” and has the power to take decisions?
        - Who in the company is actually able to qualify the security products and services that are paid for?

    15. Why do organisations need OWASP?
        Timeline: 2001, 2003, 2005, 2007, 2010, 2011

    16. OWASP foundation
        “Make application security visible, so that people and organisations can make informed decisions about application security risks.”
        U.S. 501(c)(3) not-for-profit charitable international organization
        Structure, Mission, Core values, Code of ethics
        Open, Global, Innovation, Worldwide
        Independence from vendors, technology-agnostic

    17. "strategy"
        (Diagram; labels: Threat, Web Application, Company assets, People, Methods, Tools, Website, Board, Committees, Summit, Chapters, Projects, Conferences, Members, ?)
    18. OWASP people

    19. Project Leaders
        Driving volunteers' effort on OWASP material projects:
        - Workshops
        - Brainstorming sessions
        - Analysis/reporting
        - Guides editing
        - Tools coding
        19 quality-release and 26 beta-status projects

    20. Chapter Leaders
        Leading local chapter meetings:
        - 188 chapters worldwide
        - More than 300 yearly meetings worldwide
        - Connection with local organisations
        Next local chapter meeting: Zurich – June 14th

    21. Global Committees
        Driving volunteers' effort on global/focused OWASP outreach.
        Active Global Committees: Industries, Membership, Government, Education, Projects, Events, Connections

    22. Full-time
        - Kate Hartmann: logistics and day-to-day support for leaders of the 188 local chapters
        - Alison Shrader: accounting & administration
        - Paulo Coimbra: PMO
        - Sarah Basso: operations before/during/after OWASP events

    23. Conferences: research
        Conference dedicated to research work on application security

    24. Conferences: AppSec
        Yearly global application security focused conferences: Europe, North America, South America, Asia
        Next OWASP Conference in Europe: Dublin – June 7th-10th 2011

    25. The Summit
        Intensive 1-week workshop event with leaders, contributors, sponsors and software vendors:
        - Ability to connect with leading software vendors and corporate members
        - More than 150 reunited chapter & project leaders
        - 80 workshops
    26. OWASP members

    27. OWASP Membership
        Individual members:
        - Annual fee: 50$/year
        - Free access to OWASP Training Day events
        - Reduced fees at OWASP events
        Current count: 1383 individual contributing members

    28. OWASP Membership
        Corporate members:
        - 52 public corporate members
        - Annual fee: 5’000$/year
        - Delegates for the Summit event
        - Logo on website, use as marketing argument
        Majority is from the US, but Switzerland is also there

    29. OWASP Membership
        Academic members:
        - Annual fee: 0$/year
        - Donate: support
        - 40 members
        Switzerland: 1 officialised partnership (HEIG-VD), 2 pending partnerships

    30. OWASP: the web portal

    31. https://www.owasp.org
        - 250’000 unique visitors monthly
        - 650’000 pages viewed monthly
        - 60% driven by search engines
        - 19% referred by other websites
        Highest traffic motives: OWASP Top 10, WebScarab project, XSS prevention cheat sheet, “sql injection”

    32. http://lists.owasp.org
        - More than 400 mailing lists currently running
        - 25’900 memberships
        - About: tools, documents, methods, committees, events, outreach, leaders, etc.
    33. OWASP projects

    34. OWASP projects: Tools
        Lifecycle phases: Analyze, Design, Implement, Verify, Deploy, Respond
        Tools mapped onto the lifecycle: ModSecurity CRS, JBroFuzz, AntiSamy, LiveCD, ESAPI, DirBuster, WebScarab, CSRFGuard, O2, Orizon, Encoding, Code Crawler, Zed Attack Proxy, Stinger
        Training: Academy portal, Broken Web Applications, ESAPI Swingset, WebGoat

    35. OWASP projects: Documents
        Lifecycle phases: Analyze, Design, Implement, Verify, Deploy, Respond
        Documents mapped onto the lifecycle: Secure contract, Development, Code Review, Backend Security, Threat risk modeling, J2EE Security, Testing, Application security requirements, RoR Security, ASVS, .NET Security, AJAX Security, PHP Security, Secure coding practices
        Other: Academy, AppSec FAQ, AppSec metrics, Common Vuln. List, Education, Exams, Legal, OWASP Top 10

    36. Tools: WebGoat
        COTS web application for webapp security (CBT) training
        Click and run
        /index.php/Webgoat

    37. Tools: ModSecurity core ruleset
        Critical protections centralized in a core ruleset (CRS) to be installed on ModSecurity-enabled Apache servers
        Provides:
        - HTTP protocol compliance
        - Attack detection
        - Error detection
        - Search engine monitoring
        https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

    38. Tools: Enterprise Security API
        Control library encapsulating most security functions required in web applications:
        - Authentication
        - Access control
        - Sessions
        - Encoding
        - Input validation
        - Encryption
        - Logging
        - Intrusion detection
        - …
        https://www.owasp.org/index.php/ESAPI

    39. Documents: OWASP Top 10
        https://www.owasp.org/index.php/Top10

    40. Documents: code review guide
        Instructions and methodology manual for conducting code security reviews
        Guidance on detecting the major security flaws created during implementation
        https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

    41. Documents: ASVS
        ASVS: Application Security Verification Standard
        4 verification (assurance) levels across more than 120 security controls
        Tailored to your own risk aversion
        https://www.owasp.org/index.php/ASVS

    42. Documents: OpenSAMM
        Open Software Assurance Maturity Model
        https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
    43. OWASP Switzerland

    44. OWASP Switzerland's structure
        - No legal form (yet, just a few days left)
        - Leader: Sven Vetsch
        - Board members: Tobias Christen, Antonio Fontes
        - Based in Zurich
        - 130 mailing list members
        - Next meeting: June 14th
        Other local city/region chapters:
        - OWASP Geneva: 90 list members, next meeting: September 6th

    45. Activities: meetings and conferences
        Local chapter meetings:
        - 1, 2, 3 speakers per event
        - Geneva, Yverdon, Zurich
        - ~8 meetings/year
        - Attendance: 15-100 people
        - People love these meetings!
        (Historical) conference partnerships:

    46. Activities: awareness sessions
        Awareness session for Swiss organizations:
        - 1 hour, head-to-head session with an OWASP representative at your company
        - Syllabus: OWASP organization, OWASP projects and membership opportunities
        - 4 Swiss private companies requested this in 2010
        It’s free!
        BUT: it’s not free training or consulting!! No product names, no "reviews", no training.

    47. Swiss speakers and contributors (non-exhaustive list, sorry for those I forgot)
        - Ivan Butler: Web application firewall & Hacking Lab
        - Tobias Christen: Security & Usability
        - Alexis Fitzgerald: Gathering application security requirements
        - Christian Folini: ModSecurity CRS & DDoS defense
        - Antonio Fontes: Threat modelling & Lifecycle security
        - Axel Neumann: Zed Attack Proxy
        - Sylvain Maret: Strong authentication
        - Pierre Parrend: Java mobile applications
        - Sven Vetsch: Advanced XSS attacks and defense
        ... come to me after the talk if you want your name here

    48. Visit the OWASP website: https://www.owasp.org
        Join the OWASP Switzerland mailing list: http://www.owasp.ch
        Follow us on Twitter: @OWASP_ch / @OWASP
        Get in touch with your local OWASP representatives:
        - Sven Vetsch (Switzerland): sven.vetsch@disenchant.ch
        - Antonio Fontes (Western/French Switzerland): antonio.fontes@owasp.org
        Thank you!
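Slides 10 to 12 ask “Who knows PBKDF2?” and then show the “Use hashes!! / No! Don't use hashes!!” confusion. As an added example (not from the slides or from OWASP), here is the distinction in Python: a bare SHA-256 digest of a password beside a salted, iterated PBKDF2 record with constant-time verification. The record format, iteration count and function names are assumptions of this example.

```python
"""Password storage: bare digest vs. PBKDF2 (added example; not part of the slides)."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters chosen for this example (assumptions); tune ITERATIONS to your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def plain_sha256(password: str) -> str:
    """What "use hashes!!" too often turns into: an unsalted, single-pass digest.
    Every user with the same password stores the same value, so one precomputed
    table (or one cracked entry) covers all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted, iterated key and pack it into a self-describing record
    (format assumed for this example): pbkdf2_sha256$<iters>$<b64 salt>$<b64 key>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per record
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations, dklen=KEY_BYTES)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify(password: str, record: str) -> bool:
    """Re-derive with the salt and iteration count stored in the record and
    compare in constant time; any malformed record simply fails."""
    try:
        algo, iters, salt_b64, key_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        iterations = int(iters)
        if not expected or iterations < 1:
            return False
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def same_password_same_value(password: str) -> Tuple[bool, bool]:
    """Store the same password twice with each scheme and report whether the
    stored values collide: (bare digest collides, PBKDF2 record collides)."""
    bare = plain_sha256(password) == plain_sha256(password)
    salted = pbkdf2_record(password) == pbkdf2_record(password)
    return bare, salted


if __name__ == "__main__":
    rec = pbkdf2_record("correct horse battery staple")   # constructed sample password
    print(rec)
    print(verify("correct horse battery staple", rec))   # True
    print(verify("wrong password", rec))                 # False
    print(same_password_same_value("hunter2"))           # (True, False)
```

Because the iteration count travels inside the record, stored entries can be upgraded to a higher work factor at the user's next login without a flag day.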