Introduction to OWASP: a Security Testing Resource
Thomas F. Maher, Jr. (“T.J.”)
Sr. QA Engineer, Fitbit
4/30/2015
My Experience using OWASP
• OWASP: Open Web Application Security Project
• Worked as part of Security Testing Team at Intralinks (2011 – 2013)
• Purpose: Integrate security testing into Quality Assurance practices
• Three person team:
  • QA Manager
  • Chief Security Architect
  • QA Engineer (me)
• Weekly Meetings: hour-long discussions on introduction to security testing and what manual tests QA could perform, using OWASP as a guide
Introducing OWASP.org
• Open Web Application Security Project (OWASP): https://www.owasp.org/
• OWASP has been active since 2001
• Produces a list of Testing Guides. Version 4 released Sept. 2014: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
• Produces a list of Top Ten Vulnerabilities, available as a wiki or in PDF format: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• Developers Guide: https://www.owasp.org/index.php/Category:OWASP_Guide_Project
• Creates tools so security testers and developers can improve security and test against various web applications: WebGoat, RailsGoat, NodeGoat: https://github.com/OWASP
OWASP Top 10 - 2013
Risk – Description
A1 – Injection: Untrusted data sent to a SQL command or query.
A2 – Broken Authentication & Session Management: User authentication isn’t protected by hashing or encryption. Weak account management / forgot password. Session IDs don’t time out.
A3 – Cross Site Scripting (XSS): Untrusted data sent to the browser without validation. User sessions can be hijacked, browsers defaced.
A4 – Insecure Direct Object References: References to files, directories or database keys that are exposed to the public but aren’t in a password-protected area.
A5 – Security Misconfiguration: Security configurations need to be active and up-to-date.
A6 – Sensitive Data Exposure: Credit cards and tax IDs need to be encrypted both when stored and in transit.
A7 – Missing Function Level Access Control: Applications need access control checks each time functions are accessed so requests can’t be forged.
A8 – Cross Site Request Forgery: Forged HTTP requests, forged session cookies.
A9 – Using Components with Known Vulnerabilities: Libraries and frameworks running with full privileges, if vulnerable, can be exploited, causing server takeover.
A10 – Unvalidated Redirects and Forwards: Victims redirected to phishing or malware sites.
Taken from https://www.owasp.org/index.php/Top_10_2013-Top_10
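The A1 row above describes the injection risk in one sentence. The following is an added example, not part of the original slides or of any OWASP project, showing the vulnerable pattern (untrusted input concatenated into SQL text) beside its parameterized form, plus the kind of manual check a QA engineer could turn into an automated test. It uses Python's standard sqlite3 module with a constructed in-memory user table; the function and table names are hypothetical.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user table standing in
    for the application's real database (hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """A1 pattern: the untrusted value is pasted into the SQL text, so any
    quote or SQL syntax in the input becomes part of the query itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened form: the driver binds the value separately from the SQL,
    so the input is always treated as data, never as query syntax."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def injection_check(lookup, conn):
    """QA-style probe; returns True when the lookup behaves safely.

    Two observations a manual tester would make, automated:
    1. A legitimate name containing an apostrophe must not break the query.
       A database syntax error here means the quote reached the SQL parser.
    2. A username that does not exist must return no rows, even when the
       input carries SQL syntax; returning rows means the input was
       executed as part of the query.
    """
    try:
        lookup(conn, "O'Brien")
    except sqlite3.OperationalError:
        return False  # quote was parsed as SQL: injectable
    return len(lookup(conn, "nobody' OR '1'='1")) == 0


if __name__ == "__main__":
    db = make_db()
    print("concatenated SQL safe?  ", injection_check(lookup_vulnerable, db))
    print("parameterized SQL safe? ", injection_check(lookup_parameterized, db))
```

Run against the constructed table, the concatenated version fails both observations while the parameterized version passes both; the same two probes can be applied, by hand or in a test suite, to any input field that ends up in a database query.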
Top 10 – 2013 – A3 Cross Site Scripting (XSS)
Taken from https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
OWASP RailsGoat
OWASP RailsGoat is a deliberately vulnerable test application that runs locally on your own computer
• Official page: https://www.owasp.org/index.php/OWASP_Rails_Goat_Project
• Unofficial page: http://railsgoat.cktricky.com/
• GitHub: https://github.com/OWASP/railsgoat
How the Crowd is Discovering Critical Vulnerabilities Missed by Traditional Methods:
Wednesday, May 6th, 2015 @ 6:30 PM
Hosted by Akamai in Kendall Square, Cambridge, MA
• How companies setting up “Bug Bounties” are getting the general public involved in security testing.
• The speaker, Leif Dreizler, is a Sr. Security Engineer from Bugcrowd: https://bugcrowd.com/products
More about Leif Dreizler:
• LinkedIn: https://www.linkedin.com/in/leifdreizler
• Twitter: https://twitter.com/leifdreizler
• GitHub: https://github.com/leifdreizler
Taken from http://www.meetup.com/owaspboston/events/221696816/