OWASP Overview of Projects You Can Use Today - DefCamp 2012

1. OWASP Projects and Resources You Can Use Today: An Overview
   marian.ventuneac@owasp.org
   OWASP, 29.11.2012
   Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
2. About Myself
   - Security Architect
   - International Presenter
   - Member of OWASP and ISACA global organizations
   - OWASP Ireland Limerick Chapter Leader
   - Security Researcher
   - PhD, MEng
3. State of Information Security
   The problem: there are not enough qualified application security professionals.
   What can we do about it?
   - Make application security visible
   - Provide developers and software testers with materials and tools that help them build more secure applications
4. Who is OWASP?
   - Open Web Application Security Project
   - Global community driving and promoting safety and security of the world's software
   - OWASP is a registered nonprofit in the United States and Europe
   - Everyone is free to participate
   - All OWASP materials & tools are free
5. OWASP by the Numbers
   - 11 years of community service
   - 88+ Government & Industry Citations, including DHS, ISO, IEEE, NIST, SANS Institute, CSA, etc.
   - 30,000+ participant mailing lists
   - 250,000+ unique visitors per month
   - 800,000+ page views per month
   - 15,000+ downloads per month
6. OWASP by the Numbers (cont)
   - Budget for 2012: $591,275
   - 2081 individual members and honorary members from over 70 countries
   - 55+ paid Corporate Members
   - 53+ Academic Supporters
   - 193+ Active Chapters
   - 113+ Active Projects
   - 4 Global AppSec Conferences per Year
7. OWASP by the Numbers (cont)
8. OWASP Near You – Romania Chapter
   - Promote application security and create local security communities
   - Started in 2008 by Claudiu Constantinescu
   - 2012 Chapter Reboot
   - Chapter Leader: Tudor Enache, Penetration Tester @ Electronic Arts, specialized in web and mobile application security testing
9. OWASP Projects & Tools
   - Make application security visible
   - Videos, podcasts, books, guidelines, cheat sheets, tools, …
   - Available under a free and open software license
   - Used, recommended and referenced by many government, standards and industry organisations
   - Open for everyone to participate
10. OWASP Projects & Tools – Classification
   - 113+ Active Projects
   - PROTECT: guard against security-related design and implementation flaws
   - DETECT: find security-related design and implementation flaws
   - LIFE CYCLE: add security-related activities into software processes (e.g. SDLC, agile, etc.)
11. OWASP Projects & Tools – An Overview
   - DETECT: OWASP Top 10, OWASP AppSec Tutorials, OWASP Code Review Guide, OWASP ASVS, OWASP Testing Guide, OWASP LiveCD / WTE, OWASP Cheat Sheet Series, OWASP ZAP Proxy
   - PROTECT: OWASP ESAPI, OWASP ModSecurity CRS
   - LIFE CYCLE: WebGoat J2EE, WebGoat .NET
   - Full list of projects (release, beta, alpha)
12. OWASP Top 10 Security Risks (DETECT)
   - The most visible OWASP project
   - Classifies some of the most critical risks
   - Essential reading for anyone developing web applications
   - Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, FTC, and many more
13. OWASP Top 10 Security Risks (2010 edition)
14. OWASP Top 10 Risk Rating Methodology
   Score | Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
   1     | ?            | Easy          | Widespread          | Easy                   | Severe           | ?
   2     | ?            | Average       | Common              | Average                | Moderate         | ?
   3     | ?            | Difficult     | Uncommon            | Difficult              | Minor            | ?
   Injection example: Attack Vector 1, Weakness Prevalence 2, Weakness Detectability 2, Technical Impact 1. Likelihood = (1 + 2 + 2) / 3 = 1.66; weighted risk rating = 1.66 * 1 = 1.66. Threat Agent and Business Impact are marked "?" because they are application-specific and are not scored.
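The weighting on this slide carried through in code, as an added example that is not part of the original deck: the four scored factors are averaged and multiplied exactly as in the Injection row, and a small ranking function shows how rated risks are ordered. The two non-Injection entries are constructed inputs, not OWASP data.

```python
from dataclasses import dataclass

# Score 1 is the worst case for the defender, 3 the least concerning; labels as on the slide.
LIKELIHOOD_LABELS = {
    "attack_vector": {1: "Easy", 2: "Average", 3: "Difficult"},
    "prevalence": {1: "Widespread", 2: "Common", 3: "Uncommon"},
    "detectability": {1: "Easy", 2: "Average", 3: "Difficult"},
}
IMPACT_LABELS = {1: "Severe", 2: "Moderate", 3: "Minor"}

@dataclass(frozen=True)
class RiskFactors:
    """Threat agent and business impact stay '?' on the slide (application
    specific), so only the four scored factors are modelled."""
    attack_vector: int
    prevalence: int
    detectability: int
    technical_impact: int

    def __post_init__(self) -> None:
        for name in ("attack_vector", "prevalence", "detectability", "technical_impact"):
            if getattr(self, name) not in (1, 2, 3):
                raise ValueError(f"{name} must be 1, 2 or 3")

    def likelihood(self) -> float:
        """Average of the three likelihood factors: (1 + 2 + 2) / 3, shown as 1.66 for Injection."""
        return (self.attack_vector + self.prevalence + self.detectability) / 3

    def weighted_rating(self) -> float:
        """Likelihood times technical impact; a lower number means higher risk."""
        return self.likelihood() * self.technical_impact

    def describe(self) -> str:
        parts = [f"{n.replace('_', ' ')}: {LIKELIHOOD_LABELS[n][getattr(self, n)]}"
                 for n in LIKELIHOOD_LABELS]
        parts.append(f"technical impact: {IMPACT_LABELS[self.technical_impact]}")
        return ", ".join(parts)

def rank_by_risk(candidates: dict) -> list:
    """Most severe first (lowest rating), the order the Top 10 uses to assign positions."""
    return sorted(((name, round(f.weighted_rating(), 2)) for name, f in candidates.items()),
                  key=lambda pair: pair[1])

# Constructed inputs: the slide's Injection scores plus two made-up entries (not from the deck).
EXAMPLES = {
    "Injection": RiskFactors(1, 2, 2, 1),
    "Hypothetical risk A": RiskFactors(2, 3, 1, 2),
    "Hypothetical risk B": RiskFactors(3, 3, 3, 3),
}
```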
15. OWASP Code Review Guide
   - Code review is probably the most effective technique for identifying security flaws
   - Focuses on the mechanics of reviewing code for certain vulnerabilities
   - A key enabler for the OWASP fight against software insecurity
   - Stable release v1.1, v2 is in progress
16. OWASP Code Review Guide (cont)
   - Focuses on .NET and Java, but has some C/C++ and PHP
   - Integration of secure code review into software development processes
   - Understand what you are reviewing
   - Security code review is not a silver bullet, but a key component of an IS program
17. OWASP Testing Guide
   - Create a "best practices" web application penetration testing framework
   - A low-level web application penetration testing guide
   - Recommended for developers and software testers
   - Version 3 available, version 4 is in progress
18. OWASP Cheat Sheet Series
   Provide a concise collection of high value information on specific web application security topics.
   - Developer Cheat Sheets (Builder): Authentication, Clickjacking Defense, Cryptographic Storage, HTML5 Security, Input Validation, Query Parameterization, Session Management, SQL Injection Prevention, …
   - Assessment Cheat Sheets (Breaker): Attack Surface Analysis, XSS Filter Evasion, …
   - Mobile Cheat Sheets: IOS Developer, Mobile Jailbreaking, …
19. OWASP Cheat Sheet Series (cont)
20. OWASP Cheat Sheet Series (cont)
21. OWASP AppSec Tutorial Series
   - Make AppSec more visible
   - Provide top notch application security video based training
   - Four episodes available
22. OWASP ASVS – Application Security Verification Standard
   - Provides a basis for testing application technical security controls
   - Use as a metric: assess the degree of trust in existing security controls
   - Use as guidance: for what to build as part of planned security controls
   - Use during procurement
23. OWASP ASVS Levels
   - Level 1 – Automated Verification
     - Level 1A – Dynamic Scan (Partial Automated Verification)
     - Level 1B – Source Code Scan (Partial Automated Verification)
   - Level 2 – Manual Verification
     - Level 2A – Penetration Test (Partial Manual Verification)
     - Level 2B – Code Review (Partial Manual Verification)
   - Level 3 – Design Verification
   - Level 4 – Internal Verification
24. OWASP ASVS Verification Requirements
   - V1. Security Architecture
   - V2. Authentication
   - V3. Session Management
   - V4. Access Control
   - V5. Input Validation
   - V6. Output Encoding/Escaping
   - V7. Cryptography
   - V8. Error Handling and Logging
   - V9. Data Protection
   - V10. Communication Security
   - V11. HTTP Security
   - V12. Security Configuration
   - V13. Malicious Code Search
   - V14. Internal Security
25. OWASP LiveCD / WTE
   - Make application security tools and documentation easily available
   - Collects some of the best open source security projects in a single environment
   - Boot from this Live CD and have access to a full security testing suite
26. OWASP Zed Attack Proxy Project (PREVENT)
   - One of the flagship OWASP projects
   - Easy to use integrated penetration testing tool for assessing web applications
   - Ideal for developers and functional testers who are new to penetration testing
   - Completely free and open source
   - Cross platform, internationalised
   - Current version 1.4.1 (v2 in progress)
27. OWASP ZAP Proxy – Features
   - Current: Intercepting Proxy, Automated scanner, Passive scanner, Brute Force scanner, Spider, Fuzzer, Port scanner, Dynamic SSL certificates, API, Beanshell integration
   - Upcoming: New Spider, New Ajax Spider, Session Awareness, Web Socket Support, Session Scope, Different Modes (Safe/Protected/Standard), Scripting console
28. OWASP ZAP Proxy – DEMO
29. OWASP ESAPI – Enterprise Security API
   - Free, open source, web application security controls library
   - Provide developers with libraries for writing lower-risk applications
   - Allow retrofitting security into existing applications
   - Serve as a solid foundation for new development
   - Support for Java, PHP and – there could be more languages supported
30. OWASP ESAPI (PROTECT) – Enterprise Security API architecture
   Layered diagram: a custom enterprise web application calls the ESAPI components (Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration), which in turn build on existing enterprise security services/libraries.
31. OWASP ESAPI – Validation and Encoding
   Applied across the User, Controller, Business, Data Layer and Backend Functions tiers.
   - Validator: isValidCreditCard, isValidDataFromBrowser, isValidDirectoryPath, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidListItem, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine
   - Canonicalization, Double Encoding Protection, Sanitization, Normalization
   - Encoder: encodeForJavaScript, encodeForVBScript, encodeForURL, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForDN, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath
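The canonicalise, validate, then encode-for-context pattern this slide lays out, as an added illustration in Python that is not ESAPI code: a canonicaliser that rejects layered (double or mixed) encoding before an allow-list file-name check, plus HTML and JavaScript context encoders. The allow-list pattern and sample inputs are assumptions made for the example.

```python
import html
import re
import urllib.parse

class DoubleEncodingError(ValueError):
    """Input only became plain after more than one decoding step."""

def canonicalize(value: str, max_passes: int = 4) -> str:
    """Undo URL and HTML-entity encoding until the string stops changing.
    Like ESAPI strict canonicalisation, layered encoding (same codec twice or
    mixed codecs) is rejected: a validator that decodes once would otherwise
    approve a string different from the one the backend interprets."""
    current, passes = value, 0
    while passes < max_passes:
        changed = False
        for decode in (urllib.parse.unquote, html.unescape):
            decoded = decode(current)
            if decoded != current:
                current, passes, changed = decoded, passes + 1, True
        if not changed:
            break
    if passes > 1:
        raise DoubleEncodingError(f"{value!r} needed {passes} decoding steps")
    return current

# Constructed allow-list for the isValidFileName-style check below.
FILE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def is_valid_file_name(value: str) -> bool:
    """Canonicalise, then allow-list validate (cf. ESAPI isValidFileName):
    no path separators, no traversal segments, no layered encoding."""
    try:
        clean = canonicalize(value)
    except DoubleEncodingError:
        return False
    return bool(FILE_NAME_RE.match(clean)) and ".." not in clean

def encode_for_html(value: str) -> str:
    """Entity-encode for an HTML text node or attribute value (cf. encodeForHTML)."""
    return html.escape(value, quote=True)

def encode_for_javascript(value: str) -> str:
    """Hex-escape all but ASCII letters and digits so the value cannot close
    a quoted JS string literal (cf. encodeForJavaScript)."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"\\x{ord(ch):02X}" if ord(ch) < 256 else f"\\u{ord(ch):04X}")
    return "".join(out)
```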
32. OWASP ESAPI – OWASP Top 10 Coverage
   OWASP Top Ten                               | OWASP ESAPI
   A1. Cross Site Scripting (XSS)              | Validator, Encoder
   A2. Injection Flaws                         | Encoder
   A3. Malicious File Execution                | HTTPUtilities (Safe Upload)
   A4. Insecure Direct Object Reference        | AccessReferenceMap, AccessController
   A5. Cross Site Request Forgery (CSRF)       | User (CSRF Token)
   A6. Leakage and Improper Error Handling     | EnterpriseSecurityException, HTTPUtils
   A7. Broken Authentication and Sessions      | Authenticator, User, HTTPUtils
   A8. Insecure Cryptographic Storage          | Encryptor
   A9. Insecure Communications                 | HTTPUtilities (Secure Cookie, Channel)
   A10. Failure to Restrict URL Access         | AccessController
33. OWASP ModSecurity Core Rule Set
   - Free certified rule set for ModSecurity WAF
   - Generic web applications protection:
     - Common Web Attacks Protection
     - HTTP Protection
     - Real-time Blacklist Lookups
     - HTTP Denial of Service Protection
     - Automation Detection
     - Integration with AV Scanning for File Uploads
     - Tracking Sensitive Data
     - Identification of Application Defects
     - Error Detection and Hiding
34. OWASP WebGoat Java Project
   - Deliberately insecure J2EE web application to teach web application security lessons
   - Over 30 lessons, providing hands-on learning about:
     - Cross-Site Scripting (XSS)
     - Access Control
     - Blind/Numeric/String SQL Injection
     - Web Services
     - … and many more
   - Version 5.4 available, v6 in progress
35. OWASP WebGoat Java Project – DEMO
36. OWASP WebGoat.NET Project
   - A purposefully broken ASP.NET web application
   - Contains many common vulnerabilities
   - Intended for use in classroom environments
37. DEMO
   - OWASP ZAP Proxy
   - OWASP WebGoat Java Project
38. Thank You