OWASP Plan - Strawman



               Georgi Geshev
               OWASP Bulgaria Leader
               georgi.geshev@owasp.org
               +359-884-237-207
               03.04.10
              Copyright © The OWASP Foundation
              Permission is granted to copy, distribute and/or modify this document
              under the terms of the OWASP License.




              The OWASP Foundation
              http://www.owasp.org
Agenda

Part 1: Introduction - Who are we?
  • What is this project all about?
  • Would you like to join the OWASP community?
Part 2: Real world stories
  • Care to know about the OWASP Top 10 project?
  • How’s the web down there in Wonderland?
                                         OWASP     2
Introduction

Who Am I?
(1) Free and Open Source Software Evangelist
(2) Enthusiastic Infosec Ninja
                    ① + ② = ?
Here’s the OWASP formula..
          FOSS + WEB × APP × SEC = OWASP

The Open Web Application Security Project

The Open Web Application Security Project (OWASP) is a 501(c)(3)
not-for-profit worldwide charitable organization focused on
improving the security of application software. Our mission is to
make application security visible, so that people and organizations
can make informed decisions about true application security risks.
Everyone is free to participate in OWASP and all of our materials
are available under a free and open software license.

http://www.owasp.org/index.php

The Open Web Application Security Project
          The Local Chapters
      Over 150 local chapters worldwide..

The Open Web Application Security Project
            OWASP Bulgaria
• This local chapter was founded in late 2010
• Fewer than 10 mailing list members so far
  • Please consider joining the local chapter mailing list
• Regular chapter meetings
  • Welcome to the first one of ‘em!
• For submissions, suggestions, offers and questions..
  • Forward your message to the mailing list
  • Contact me via email

The Open Web Application Security Project
        Organization Supporters

The Open Web Application Security Project
              Show Your Support

Consider…
•   Donating
•   Becoming an OWASP (local chapter) member
•   Attending the local chapter regular meetings
•   Attending an OWASP AppSec series conference
     • Global AppSec Europe, June 6-11, 2011, in Dublin, Ireland
•   Contributing to an OWASP project
     • Developers, beta testers, etc.

The Open Web Application Security Project
        Affiliation and Membership

Categories of Membership and Supporters
  • Individual Supporters
  • Single Meeting Supporters
  • Organization Supporters
  • Accredited University Supporters

The Open Web Application Security Project
                 Membership

Why Become a Supporting Member?
•   Support the ethics and principles of the OWASP Foundation
•   Underscore your awareness of web application software security
•   Attend OWASP conferences at a discount
•   Expand your personal network of contacts
•   Support a local chapter of your choice
•   Get your @owasp.org email address
•   Have an individual vote in elections
http://www.owasp.org/index.php/Membership

The Open Web Application Security Project
             OWASP Projects

Tools and documents are organized into the following categories:
• Protect – These are tools and documents that can be used to
  guard against security-related design and implementation flaws.
• Detect – These are tools and documents that can be used to find
  security-related design and implementation flaws.
• Life Cycle – These are tools and documents that can be used to
  add security-related activities into the Software Development Life
  Cycle (SDLC).
The Open Web Application Security Project
         The OWASP Top 10 Project

Project details..
• The OWASP Top Ten provides a powerful awareness
  document for web application security.
• The OWASP Top Ten represents a broad consensus about
  what the most critical web application security flaws are.
• Its latest (stable) release dates from April 2010.
• Creative Commons Attribution Share Alike 3.0 License ;)
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The Open Web Application Security Project
         The OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks (2010 edition) -
   A1:  Injection
   A2:  Cross-Site Scripting (XSS)
   A3:  Broken Authentication and Session Management
   A4:  Insecure Direct Object References
   A5:  Cross-Site Request Forgery (CSRF)
   A6:  Security Misconfiguration
   A7:  Insecure Cryptographic Storage
   A8:  Failure to Restrict URL Access
   A9:  Insufficient Transport Layer Protection
   A10: Unvalidated Redirects and Forwards
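To make two of the listed risks concrete, here is a small worked illustration of A1 (Injection) and A10 (Unvalidated Redirects and Forwards). It is an example added to this page, not code from the slides or from the OWASP Top 10 project. The `users` table, the `ALLOWED_HOSTS` set and the host name `example.org` are constructed for the example; the vulnerable login builds its SQL by string formatting, the safe one uses a parameterized query, and the redirect helper only follows targets on the application's own host.

```python
import sqlite3
from urllib.parse import urlparse


def make_db():
    """Constructed sample data (not from the slides): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """A1 (Injection): user input is pasted into the SQL text, so the input
    can change the structure of the query. A username of  alice' --  turns
    the rest of the WHERE clause into a comment and logs in without a password."""
    sql = (
        "SELECT role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the driver passes the values
    separately from the SQL, so input can never become part of the query."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Assumed host of the application itself (constructed for the example).
ALLOWED_HOSTS = {"example.org"}


def redirect_target(next_url, default="/"):
    """A10 (Unvalidated Redirects): decide whether a user-supplied 'next'
    parameter may be used as a redirect target. Anything that would send the
    browser to another host, or to a non-http(s) scheme, falls back to default."""
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        # Absolute or protocol-relative URL ("//evil.example/..."): allow it only
        # for http(s) and only when the whole authority part is exactly our host
        # (this also rejects "example.org@evil.example" style userinfo tricks).
        if parsed.scheme in ("http", "https") and parsed.netloc in ALLOWED_HOSTS:
            return next_url
        return default
    # Site-relative path: require a single leading slash and no backslashes,
    # because browsers treat "/\evil.example" like "//evil.example".
    if next_url.startswith("/") and not next_url.startswith("//") and "\\" not in next_url:
        return next_url
    return default


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"
    print("vulnerable login with payload:", login_vulnerable(db, payload, "wrong"))
    print("parameterized login with payload:", login_safe(db, payload, "wrong"))
    print("parameterized login, real password:", login_safe(db, "alice", "s3cret"))
    for candidate in ["/account", "//evil.example/phish", "https://example.org/x", "javascript:alert(1)"]:
        print(candidate, "->", redirect_target(candidate))
```

Running the block shows the payload granting the admin role through `login_vulnerable` and being treated as a literal (non-matching) username by `login_safe`; the redirect helper keeps `/account` and `https://example.org/x` and sends the protocol-relative and `javascript:` targets back to `/`.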
The Open Web Application Security Project
         The OWASP Top 10 Project
   “Attackers can potentially use many different paths through your application to
   do harm to your business or organization. Each of these paths represents a risk
   that may, or may not, be serious enough to warrant attention.”




http://www.owasp.org/index.php/Top_10_2010-Main
The Open Web Application Security Project
             The OWASP Top 10 Project

Companies, vendors and others (officially) profiting from The OWASP Top 10..

The Open Web Application Security Project
            OWASP Guides

            Don’t stop at The OWASP Top 10!
Because The OWASP Top 10 project is simply not enough..
• OWASP Development Guide (Developer’s Guide)
• OWASP Testing Project (Testing Guide)
• OWASP Code Review Project (Code Review Guide)

The Open Web Application Security Project
     In Wonderland ;)
  The “health” of the Bulgarian web..

Shout outs go to …

• Kate Hartmann (Operations Director at OWASP)
• Tom Brennan (Global Board Member at OWASP)
All of these folks and a few more..
   • P. Stefanov
   • Y. Kolev
   • M. Soler
   ..for kindly recommending and helping me set up this chapter!
• Thank you to all of you for attending this very first meeting ;)
Thank you for your attention!



Please forward any questions, comments and suggestions to:
               georgi.geshev@owasp.org


[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
