
2014 09-04-pj

1,610 views

Published on

OWASP presentation at the TechItDays Pages Jaunes

Published in: Internet


  1. TechItDays 2014, DT Solocal Seminar 2014, 4th September 2014. OWASP, the Life, the Universe. Sébastien Gioria, Sebastien.Gioria@owasp.org, Chapter Leader & Evangelist, OWASP France
  2. http://www.google.fr/#q=sebastien gioria ‣ Innovation and Technology @Advens && Application Security Expert ‣ OWASP France Leader & Founder & Evangelist ‣ OWASP ISO Project & OWASP SonarQube Project Leader ‣ Application Security group leader for the CLUSIF ‣ Proud father of young kids trying to hack my digital life. Twitter: @SPoint / @OWASP_France
  3. Agenda • Application Security: – where we are (no bullshit) – where we are (hopefully) going? • Open Web Application Security Project? • Major projects you can use
  4. Why Application Security? (flowchart residue: "My Application will be hacked!" YES / NO; "Your Application will be Hacked ;)"; "Your Application has been Hacked"; "Let Me take you on the right way"; "Next Step")
  5. SQL in Java (from http://stackoverflow.com/questions/9123084/how-to-execute-a-sql-statement-with-a-variable-as-where):
     ResultSet rs = stmd.executeQuery("select * from person where uid = " + userid);
     while (rs.next()) {
         System.out.println("Name= " + rs.getString(1));
     }
  6. http://www.advens.fr/blog/les-injections-sql-dans-les-applications-web-pourquoi-navancons-nous-pas
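An added example, not from the slides or the Stack Overflow thread they quote: the slide's concatenated query placed beside the parameterized form recommended by the OWASP Query Parameterization and SQL Injection Prevention cheat sheets. The table person and column uid come from the slide; the name column and the caller-supplied JDBC Connection are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Added example, not OWASP or slide code. Assumes a table "person" with
// columns "uid" (integer) and "name" (assumed), and a Connection opened
// by the caller with any JDBC driver.
public class PersonLookup {

    // Vulnerable (the slide's pattern): the user-controlled string becomes
    // part of the SQL text, so anything that is not a plain number is parsed
    // by the database as SQL rather than treated as a value.
    static List<String> findNamesUnsafe(Connection conn, String userId) throws SQLException {
        List<String> names = new ArrayList<>();
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery("select * from person where uid = " + userId)) {
            while (rs.next()) {
                names.add(rs.getString(1));
            }
        }
        return names;
    }

    // Hardened: the SQL text is fixed and contains a placeholder; the driver
    // sends the value separately, so it is never parsed as SQL. Converting
    // the id to int first also rejects any non-numeric input outright.
    static List<String> findNamesSafe(Connection conn, String userId) throws SQLException {
        int uid;
        try {
            uid = Integer.parseInt(userId.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("uid must be numeric");
        }
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement("select name from person where uid = ?")) {
            ps.setInt(1, uid);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }
}
```

The PreparedStatement form is the one to keep; the unsafe method is included only so the two can be compared side by side in a code review.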
  7. Game Over... • Do you develop web sites? • Do you develop embedded products? • Do you develop smartphone applications? • Do you have customers / partners over the Internet?
  8. Why Application Security? We are living in a digital environment, in a connected world. • Most websites are vulnerable to attacks • An important share of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...). Timeline: Age of Antivirus, Age of Network Security, Age of Application Security
  9. (figure: (c) Verizon 2014)
  10. Who wins? (figure: (c) WhiteHat Security 2013)
  11. Vulnerabilities? (figure: (c) WhiteHat Security 2013)
  12. Anything else?
  13. What is OWASP: Mission Driven | Nonprofit | World Wide | Unbiased. OWASP does not endorse or recommend commercial products or services
  14. What is OWASP: Community Driven. 30,000 mailing list participants, 200 active chapters in 70 countries, 1,600+ members, 56 corporate supporters, 69 academic supporters
  15. Around the World: 200 chapters, 1,600+ members, 20,000+ builders, breakers and defenders
  16. What is OWASP: Quality Resources. 200+ projects, 15,000+ downloads of tools and documentation, 250,000+ unique visitors, 800,000+ page views (monthly)
  17. Quality Resources (chart: Documentation 50%, Code 10%, Tools 40%)
  18. Security Lifecycle
  19. Security Resources
  20. News, a blog, a podcast, memberships, mailing lists, a newsletter, Apple App Store, video tutorials, training sessions, social networking
  21. OWASP Projects
  22. OWASP Top 10 2013:
     A1: Injection
     A2: Broken Authentication and Session Management
     A3: Cross-Site Scripting (XSS)
     A4: Insecure Direct Object References
     A5: Security Misconfiguration
     A6: Sensitive Data Exposure (merges former A9, insecure transport, and former A7, cryptographic storage)
     A7: Missing Function Level Access Control
     A8: Cross-Site Request Forgery (CSRF)
     A9: Using Components with Known Vulnerabilities
     A10: Unvalidated Redirects and Forwards
  23. Cheat Sheets
     Developer Cheat Sheets: § PHP Security Cheat Sheet § OWASP Top Ten Cheat Sheet § Authentication Cheat Sheet § Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet § Cryptographic Storage Cheat Sheet § Input Validation Cheat Sheet § XSS (Cross Site Scripting) Prevention Cheat Sheet § DOM based XSS Prevention Cheat Sheet § Forgot Password Cheat Sheet § Query Parameterization Cheat Sheet § SQL Injection Prevention Cheat Sheet § Session Management Cheat Sheet § HTML5 Security Cheat Sheet § Transport Layer Protection Cheat Sheet § Web Service Security Cheat Sheet § Logging Cheat Sheet § JAAS Cheat Sheet
     Mobile Cheat Sheets: § IOS Developer Cheat Sheet § Mobile Jailbreaking Cheat Sheet
     Draft Cheat Sheets: § Access Control Cheat Sheet § REST Security Cheat Sheet § Abridged XSS Prevention Cheat Sheet § Password Storage Cheat Sheet § Secure Coding Cheat Sheet § Threat Modeling Cheat Sheet § Clickjacking Cheat Sheet § Virtual Patching Cheat Sheet § Secure SDLC Cheat Sheet § Web Application Security Testing Cheat Sheet § Application Security Architecture Cheat Sheet
  24. Enterprise Security API. Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org. Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
  25. Java HTML Sanitizer, Java Encoder. Project Leader: Mike Samuel, Mike.samuel@owasp.org. Purpose: The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third parties in your web application while protecting against XSS. https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API. Project Leader: Jeff Ichnowski. Purpose: The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting! https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
  26. Java Encoder Project. Project Leader: Mike Samuel, Mike.samuel@owasp.org. Purpose: The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting! https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
  27. OWASP Top 10 Mobile project
  28. OWASP IoT Project • The OWASP Internet of Things Top 10 - 2014 is as follows: • I1 Insecure Web Interface • I2 Insufficient Authentication/Authorization • I3 Insecure Network Services • I4 Lack of Transport Encryption • I5 Privacy Concerns • I6 Insecure Cloud Interface • I7 Insecure Mobile Interface • I8 Insufficient Security Configurability • I9 Insecure Software/Firmware • I10 Poor Physical Security
  29. Guides. Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services. Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls. Testing Guide: understand the what, why, when, where, and how of testing web applications. Application Security Verification Standard (ASVS): comprehensive manual for designing and verifying the security of an application. https://www.owasp.org/index.php/Category:OWASP_Guide_Project https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project https://www.owasp.org/index.php/Category:OWASP_Testing_Project https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
  30. Zed Attack Proxy. Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com. Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications. Last Release: ZAP 2.3.1 (21 May 2014). https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  31. The OWASP Secure Software Contract Annex. Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered. CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to. OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed. https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
  32. Dates
     • 11 September 2014 – OWASP France Meeting, Paris @Mozilla Office – Programme: – 18:30: doors open – 19:00: welcome by OWASP France and Mozilla – 19:15: SonarQube for security, by Sébastien Gioria (OWASP France) – 19:45: Warning Ahead: Security Storms are Brewing in Your JavaScript, by Laurent Levi (Checkmarx), in French – 20:15: OWASP News && closing, by Sébastien Gioria (OWASP France) – 20:30: networking. http://www.eventbrite.fr/e/billets-owasp-france-meeting-septembre-2014-12738480137
     • Application Security Forum Western Switzerland – Yverdon les Bains – 4/6 November 2014 – http://www.appsec-forum.ch/
     • Club 27001 / Paris – 25 September 2014 – Presentation of the ISO 27034 standard
  33. Supporting OWASP • Different options: – Individual member: $50 – Corporate member: $5,000 – Free donation • Supporting only the France chapter: – Single meeting supporter: • offer us a meeting room! • contribute a talk or something else! • simple donation – Local chapter supporter: • $500 to $2,000
  34. License. @SPoint, sebastien.gioria@owasp.org
