OWASP, the life and the universe

1. OWASP, the Life and the Universe
   CLUSIR-EST - Strasbourg, 6th June 2013
   Sébastien Gioria, Sebastien.Gioria@owasp.org, Chapter Leader OWASP France
   Thursday, June 6, 13
2. http://www.google.fr/#q=sebastien gioria
   ‣ OWASP France Leader & Founder & Evangelist
   ‣ Application Security freelance consultant. Twitter: @SPoint2
   ‣ Application Security group leader for the CLUSIF
   ‣ Proud father of young kids trying to hack my digital life.
3. Agenda
   • Application Security:
     – where we are (no bullshit)
     – where we are (hopefully) going?
   • Open Web Application Security Project?
   • Update on OWASP Top10 (2013 version) and major projects
4-13. Why Application Security? (one slide, built up step by step)
   Has your Application been Hacked? YES / NO
   Your Application will be Hacked ;) YES / NO
   My Application will be hacked! Let me take you on the right way. Next Step
14-18. Game 1, Game 2, Game 3, Game 4: What's this? (pictures)
19. Game Over....
   • Did you have a VoIP phone?
   • Did you have an IP router / broadband box?
   • Did you have a smartphone?
   • Did you have customers / partners over the Internet?
20. Anything else?
21. Why Application Security?
   We are living in a Digital environment, in a Connected World
   • Most websites are vulnerable to attacks
   • An important % of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...)
   Age of Antivirus, then Age of Network Security, now Age of Application Security
22-23. Statistics charts, (c) WhiteHatSecurity 2013
24. OWASP? The Open Web Application Security Project
   OWASP: Swarms of WASPS: Local Chapters
25. What is OWASP: Mission Driven
   Nonprofit | World Wide | Unbiased
   OWASP does not endorse or recommend commercial products or services
26. What is OWASP: Community Driven
   30,000 Mail List Participants
   200 Active Chapters in 70 countries
   1600+ Members, 56 Corporate Supporters
27. Around the World: 200 Chapters, 1,600+ Members, 20,000+ Builders, Breakers and Defenders
28. What is OWASP: Quality Resources
   200+ Projects
   15,000+ downloads of tools, documentation
29. Quality Resources (pie chart): Documentation, Tools, Code: 50%, 10%, 40%
30. Security Lifecycle (diagram)
31. Security Resources (diagram)
32-34. The OWASP Top Ten: Top 10 Web Application Security Risks (2010 version! soon updated)
   A1: Injection
   A2: Cross Site Scripting
   A3: Broken Authentication and Session Management
   A4: Insecure Direct Object References
   A5: Cross Site Request Forgery
   A6: Security Misconfiguration
   A7: Failure to Restrict URL Access
   A8: Unvalidated Redirects and Forwards
   A9: Insecure Cryptographic Storage
   A10: Insufficient Transport Layer Protection
35. NEWS, A BLOG, A PODCAST, MEMBERSHIPS, MAILING LISTS, A NEWSLETTER, APPLE APP STORE, VIDEO TUTORIALS, TRAINING SESSIONS, SOCIAL NETWORKING
36. 7 Global Committees
37. All over the world (world map: N, S, E, W)
38. OWASP Projects
39. Cheat Sheets
   Developer Cheat Sheets
   § OWASP Top Ten Cheat Sheet
   § Authentication Cheat Sheet
   § Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
   § Cryptographic Storage Cheat Sheet
   § Input Validation Cheat Sheet
   § XSS (Cross Site Scripting) Prevention Cheat Sheet
   § DOM based XSS Prevention Cheat Sheet
   § Forgot Password Cheat Sheet
   § Query Parameterization Cheat Sheet
   § SQL Injection Prevention Cheat Sheet
   § Session Management Cheat Sheet
   § HTML5 Security Cheat Sheet
   § Transport Layer Protection Cheat Sheet
   § Web Service Security Cheat Sheet
   § Logging Cheat Sheet
   § JAAS Cheat Sheet
   Mobile Cheat Sheets
   § IOS Developer Cheat Sheet
   § Mobile Jailbreaking Cheat Sheet
   Draft Cheat Sheets
   § Access Control Cheat Sheet
   § REST Security Cheat Sheet
   § Abridged XSS Prevention Cheat Sheet
   § PHP Security Cheat Sheet
   § Password Storage Cheat Sheet
   § Secure Coding Cheat Sheet
   § Threat Modeling Cheat Sheet
   § Clickjacking Cheat Sheet
   § Virtual Patching Cheat Sheet
   § Secure SDLC Cheat Sheet
   § Web Application Security Testing Cheat Sheet
   § Application Security Architecture Cheat Sheet
40. Enterprise Security API (for Reboot)
   Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org
   Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications
   https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
41. AntiSamy
   Project Leader: Jason Li, jason.li@owasp.org
   Purpose: An HTML validation tool and API to safely and gracefully handle rich HTML input, ensuring user-supplied HTML/CSS complies with an application's rules.
   https://www.owasp.org/index.php/AntiSamy
42. Guides (for Reboot)
   Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services
   Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls
   Testing Guide: understand the what, why, when, where, and how of testing web applications
   https://www.owasp.org/index.php/Category:OWASP_Guide_Project
   https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
   https://www.owasp.org/index.php/Category:OWASP_Testing_Project
43. Zed Attack Proxy (for Reboot)
   Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com
   Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications.
   Last Release: ZAP 2.0.0 (30 Jan 2013)
   https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
44. AppSensor: Create attack-aware applications
   Project Leader(s): Michael Coates, John Melton, Colin Watson
   Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application.
   Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc)
   https://www.owasp.org/index.php/AppSensor
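The idea on the AppSensor slide is that the application itself hosts detection points (a failed login, input that violates a whitelist, an HTTP method the application never exposes), counts them per user in a sliding window, and answers with an automated response once a threshold is crossed. The sketch below is an added example, not AppSensor's own code or catalogue: the three detection-point labels, the thresholds, the "warn"/"lock" responses and the constructed request sequence are all assumptions made for illustration.

```python
"""AppSensor-style detection points with a thresholded automated response.

Added example, not AppSensor's code. Detection-point labels, thresholds and the
sample traffic are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Policy:
    """How many events of one detection point, inside `window`, trigger `response`."""
    threshold: int
    window: timedelta
    response: str  # "warn" or "lock" (assumed response vocabulary)


# Assumed detection points; the names only follow the AppSensor naming style.
POLICIES = {
    "AUTH_FAILED_PASSWORD": Policy(5, timedelta(minutes=10), "lock"),
    "INPUT_WHITELIST_VIOLATION": Policy(3, timedelta(minutes=5), "warn"),
    "REQUEST_UNEXPECTED_METHOD": Policy(1, timedelta(hours=1), "lock"),
}

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # whitelist for a username field
ALLOWED_METHODS = {"GET", "POST"}                     # the only methods the app exposes


class AppSensor:
    """Collects detection-point events per user and decides the automated response."""

    def __init__(self, policies=POLICIES):
        self.policies = policies
        self.events = defaultdict(deque)   # (user, point) -> timestamps in the window
        self.locked = set()
        self.log = []                      # audit trail, one line per event

    def record(self, user, point, now):
        """Store one event and return the response it triggers: 'none', 'warn' or 'lock'."""
        policy = self.policies[point]
        q = self.events[(user, point)]
        q.append(now)
        while q and now - q[0] > policy.window:   # age out events older than the window
            q.popleft()
        self.log.append(f"{now.isoformat()} user={user} point={point} count={len(q)}")
        if len(q) >= policy.threshold:
            if policy.response == "lock":
                self.locked.add(user)
            return policy.response
        return "none"

    def is_locked(self, user):
        return user in self.locked

    def allows(self, user):
        """Gate every request: a locked user gets no further service."""
        return not self.is_locked(user)

    # Detection points wired into ordinary application checks.
    def check_login(self, user, password_ok, now):
        return "none" if password_ok else self.record(user, "AUTH_FAILED_PASSWORD", now)

    def check_username_input(self, user, value, now):
        if USERNAME_RE.match(value):
            return "none"
        return self.record(user, "INPUT_WHITELIST_VIOLATION", now)

    def check_http_method(self, user, method, now):
        if method in ALLOWED_METHODS:
            return "none"
        return self.record(user, "REQUEST_UNEXPECTED_METHOD", now)


def run_sample():
    """Replay a constructed request sequence; return the sensor and the response per step."""
    sensor = AppSensor()
    t0 = datetime(2013, 6, 6, 10, 0, 0)
    steps = []
    # alice: five wrong passwords within two minutes, the fifth one trips the lock
    for i in range(5):
        steps.append(sensor.check_login("alice", False, t0 + timedelta(seconds=20 * i)))
    # bob: three username values outside the whitelist, the third one earns a warning
    for i, bad in enumerate(["bob!", "<b>bob</b>", "bob;x"]):
        steps.append(sensor.check_username_input("bob", bad, t0 + timedelta(seconds=i)))
    # carol: an HTTP method the application never exposes, locked on the first hit
    steps.append(sensor.check_http_method("carol", "TRACE", t0))
    return sensor, steps


def window_demo():
    """Four failures, then a fifth 11 minutes later: the old ones aged out, so no lock."""
    sensor = AppSensor()
    t0 = datetime(2013, 6, 6, 12, 0, 0)
    for i in range(4):
        sensor.check_login("dave", False, t0 + timedelta(seconds=i))
    return sensor.check_login("dave", False, t0 + timedelta(minutes=11))


if __name__ == "__main__":
    s, responses = run_sample()
    print(responses, "alice locked:", s.is_locked("alice"))
    print("\n".join(s.log))
```

The point of keying events on the user rather than only on the source address is that the response can be applied to the identity the application already knows, and the audit trail in `log` is what a SOC would forward; the window test shows why a sliding window matters, since a fixed counter would otherwise lock a legitimate user for failures that happened long ago.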
45. Cloud Top10 Project
   Project Leader: Vinay Bansal, Vinaykbansal@gmail.com
   Purpose: Develop and maintain a list of Top 10 Security Risks faced with the Cloud Computing and SaaS Models. Serve as a Quick List of Top Risks with Cloud adoption, and Provide Guidelines on Mitigating the Risks.
   Deliverables
   - Cloud Top 10 Security Risks (Draft expected for early 2013)
   https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project
46. Cloud Top10 Security Risks
   • R1. Accountability & Data Risk
   • R2. User Identity Federation
   • R3. Legal & Regulatory Compliance
   • R4. Business Continuity & Resiliency
   • R5. User Privacy & Secondary Usage of Data
   • R6. Service & Data Integration
   • R7. Multi-tenancy & Physical Security
   • R8. Incidence Analysis & Forensics
   • R9. Infrastructure Security
   • R10. Non-production Environment Exposure
47. Mobile Security Project (for Reboot)
   Project Leader: Jack Mannino, Jack@nvisiumsecurity.com
   Purpose: Establish an OWASP Top 10 Mobile Risks. Intended to be platform-agnostic. Focused on areas of risk rather than individual vulnerabilities.
   Deliverables
   - Top 10 Mobile Risks (currently Release Candidate v1.0)
   - Top 10 Mobile Controls (OWASP/ENISA Collaboration)
   - OWASP Wiki, 'Smartphone Secure Development Guidelines' (ENISA)
   - Mobile Cheat Sheet Series
   - OWASP GoatDroid Project
   - OWASP Mobile Threat Model Project
   https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
48. Top 10 Mobile Risks
   • M1. Insecure Data Storage
   • M2. Weak Server Side Controls
   • M3. Insufficient Transport Layer Protection
   • M4. Client Side Injection
   • M5. Poor Authorization and Authentication
   • M6. Improper Session Handling
   • M7. Security Decisions via Untrusted Inputs
   • M8. Side Channel Data Leakage
   • M9. Broken Cryptography
   • M10. Sensitive Information Disclosure
49. Threat Modeling Project
   Project Leader: Anurag "Archie" Agarwal, anurag.agarwal@owasp.org
   Purpose: Establish a single and inclusive software-centric OWASP Threat modeling Methodology, addressing vulnerability in client and web application-level services over the Internet.
   Deliverables (1st Draft expected for end of 2012 / early 2013)
   - An OWASP Threat Modeling methodology
   - A glossary of threat modeling terms
   https://www.owasp.org/index.php/OWASP_Threat_Modelling_Project
50. The OWASP Secure Software Contract Annex
   Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered.
   CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to.
   OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed.
   https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
51. Projects Reboot 2012
   Refresh, revitalize & update Projects, rewrite & complete Guides or Tools.
   https://www.owasp.org/index.php/Projects_Reboot_2012
   Current Submissions
   • OWASP Application Security Guide For CISOs - Selected for Reboot
   • OWASP Development Guide - Selected for Reboot
   • Zed Attack Proxy - Selected for Reboot
   • OWASP WebGoat
   • OWASP AppSensor
   • OWASP Mobile Project - Selected for Reboot
   • OWASP Portuguese Language Project
   • OWASP_Application_Testing_guide_v4
   • OWASP ESAPI
   • OWASP Eliminate Vulnerable Code Project
   • OWASP_Code_Review_Guide_Reboot
   Projects selected via first round of review
   1. OWASP Development Guide: Funding Amount: $5000 initial funding
   2. OWASP CISO Guide: Funding Amount: $5000 initial funding
   3. OWASP Zed Attack Proxy: Funding Amount: $5000 initial funding
   4. OWASP Mobile Project: Funding Amount: $5000 initial funding
   Ongoing discussions about the Code Review and the Testing Guides
52. OWASP Top10 2013
   • Final publication of OWASP Top10 2013
     – Very Very Soon.
   • French translation done
   • Not a lot of new things.
53. Top10 2013 - RC1
   A1: Injection
   A2: Broken session and authentication management
   A3: Cross Site Scripting (XSS)
   A4: Insecure direct object reference
   A5: Security misconfiguration
   A6: Data exposure
   A7: Poor access control
   A8: Cross Site Request Forgery (CSRF)
   A9: Use of insecure components
   A10: Poor handling of redirects and forwards
54. OWASP News
   • New projects:
     – OWASP Scada Project
     – OWASP OpenStack Security Project
55. Dates
   • RSSIA Bordeaux: 21 June
     – OWASP Top10 2013 in practice
   • OWASP EU Tour 2013:
     – 24 June - Sophia Antipolis
     – 25 June - Geneva
   • Java User Group Poitou Charentes: 27 June
     – Secure Coding for Java
   • AppSec Research Europe 2013: 20/23 August - Hamburg - Germany
   • OWASP Benelux: 28/29 November 2013
56. Supporting OWASP
   • Different options:
     – Individual member: $50
     – Corporate member: $5000
     – Free donation
   • Supporting only the France chapter:
     – Single Meeting supporter
       • Offer us a meeting room!
       • Take part with a talk or otherwise!
       • Simple donation
     – Local Chapter supporter:
       • $500 to $2000
57. Next meetings
   • September 2013
     – Room: Mozilla Center Paris
     – Speaker:
       • Security on Firefox OS
       • To be defined
   • November 2013
     – Room: to be defined
     – Speaker: to be defined
58. License