Matteo Meucci OWASP Testing Guide v4

3.10.2014 - Venezia - ISACA VENICE Chapter
1
OWASP Testing Guide v4- M. MEUCCI
The new OWASP
standard for the Web
Application
Penetration Testing
Matteo Meucci
Venezia, 3 October 2014
Application Security:
internet, mobile
ed oltre

2
Application Security: internet, mobile ed oltre
Sponsor e
sostenitori di
ISACA VENICE
Chapter
Con il
patrocinio di
Organizzatori

3
Matteo Meucci
Matteo Meucci is the CEO and a cofounder of Minded Security, where
he is responsible for strategic direction and business development for
the Company.
Matteo has more than 13 years of specializing in information security
and collaborates from several years at the OWASP project:
 he founded the OWASP-Italy Chapter in 2005
 he leads the OWASP Testing Guide from 2006.
Matteo has undergraduate degrees in Computer Science Engineering
from the University of Bologna.

4
Agenda
OWASP Today
 The OWASP Testing Guide v4
 Why?
 What the TG answers?
 How can you use it?
 Common misunderstanding of the use of the TG

5
OWASP CORE MISSION
• Worldwide charitable organization focused on improving
the security of software
• Our mission is to make application security visible
• Help people and organizations can make informed decisions
about true application security risks
• Everyone is welcome to participate in OWASP
• All of our tools and materials are available under free and
open software or documentation licenses

OWASP CORE VALUES
•OPEN - Everything at OWASP is radically transparent from our finances to our code.
•INNOVATION - OWASP encourages and supports innovation/experiments for solutions to software security challenges.
•GLOBAL - Anyone around the world is encouraged to participate in the OWASP community.
•INTEGRITY - OWASP is an honest and truthful, vendor agnostic, global community.

7
~140 Projects
• PROTECT - These are tools and documents that can be used
to guard against security-related design and
implementation flaws.
• DETECT - These are tools and documents that can be used to
find security-related design and implementation flaws.
• LIFE CYCLE - These are tools and documents that can be
used to add security-related activities into the Software
Development Life Cycle (SDLC).

8
Conferences
San Jose
Sep 2010
Brussels
May 2008
Poland
May 2009
Ireland
May 2011
Israel
Sep 2008-11
Brazil
Oct 2011
Minnesota
Sep 2011
DC
Nov 2009
Sweden
June 2010
NYC
Sep 2008
Asia
Nov 2011
Greece
July 2012
Austin, TX
Oct 2012
Sydney
Argentina Mar 2012
Nov 2012

9
Local Chapters
 174 active chapters, with 388 chapter leaders
 Each with Chapter and/or Regional Events

10
OWASP Members
20,000+ Participants
50+ Paid Corporate Supporters
50+ Academic Supporters

11
Developer Guide
• The First OWASP ‘Guide’
• Complements
OWASP Top 10
• 310p Book (on wiki too)
• Many contributors
• Apps and web services
• Most platforms
• Examples are J2EE, ASP.NET,
and PHP
• Unfortunately Outdated
• Project Leader and Editor
 Andrew van der Stock,
vanderaj@owasp.org

12
Code Review Guide
• Most comprehensive open
source secure code review
guide on the web
• Years of development effort
• Version 1.1 produced during
2008
• Numerous contributors
• Version 2.0 effort launched in
2012
 Eoin Keary, eoin.keary@owasp.org
www.owasp.org/index.php/Code_Review_Guide

13
Testing Guide
www.owasp.org/index.php/Testing_Guide
• Most comprehensive open source
secure testing guide on the web
• Years of development effort
• Version 4.0 produced 2014
• Hundred of contributors
• Matteo Meucci, Andrew Muller
 matteo.meucci@owasp.org,
andrew.muller@owasp.org

14
What is Secure Software?
It’s secure! Looks at the
lock, down on the right!
It’s secure! It’s Google!
Sure! The news says that is
unbreakable!

15
Software Security Principles
 Security vulnerabilities in the software development process are expected.
 The control of the security bugs and flaws in the software should be
considered as part of the process of software development.
 Vulnerability management (fixing process) is the most important step of the
process of software security.

16
The new Testing Guide: why?

17
Community driven for all the Enterprises

18
The state of the art of the Web Application
Penetration Testing

19
Fight with the same weapons (knowledge)

20
Testing Guide History
July 14, 2004
– "OWASP Web Application
Penetration Checklist", V1.0
December 25, 2006
– "OWASP Testing Guide", V2.0
December 16, 2008
– "OWASP Testing Guide", V3.0
September 17, 2014
– "OWASP Testing Guide", V 4.0
Citations:
• NIST SP800-115 “Technical Guide to
Information Security Testing and Assessment”
• Gary McGraw (CTO Cigital) says: “In my
opinion it is the strongest piece of Intellectual
Property in the OWASP portfolio” – OWASP
Podcast by Jim Manico
• NSA’s "Guidelines for Implementation of REST“
• Official (ISC)2 Guide to the CSSLP - Page: 70,
365
• Many books, blogs and websites
Testing Guide History

21
Testing Guide v4 goals
 Create a more readable guide,
eliminating some sections that are not
really useful as DoS test.
 Insert new testing techniques: HTTP
Verb tampering, HTTP Parameter
Pollutions, etc.,
 Rationalize some sections as Session
Management Testing, Authentication
Testing
 Create new sections: Client side Testing,
Cryptography, Identity Management

22
Contents
 The OWASP Testing Framework
 The set of active tests have been split into 11 sub-categories for a total of 91
controls:
 Information Gathering
 Configuration and Deployment Management Testing
 Identity Management Testing
 Authentication Testing
 Authorization Testing
 Session Management Testing
 Input Validation Testing
 Error Handling
 Cryptography
 Business Logic Testing
 Client Side Testing

23
How to use the methodology
Web Application Methodology Report
Source Code Fixing Methodology Retest Report
public void findUser()
{ boolean showResult = false;
String username =
this.request.getParameter("us
ername");
...
this.context.put("username",
ESAPI.encoder().encodeForHT
MLAttribute(username));
this.context.put("showResult",
showResult);
}

24
Common misunderstanding

25
Example of unstructured approach:
Ministry of Informatics

26
Actors
User: who uses the
software
Ministry of
Informatics:
those who buy
the software
Development
teams
(internal/external):
those who develop
the software

27
Press conference for the launch of the service
Now you can take advantage
of a new service on the
portal of the Ministry of
Informatics
Fantastic!!
Compliments!!

28
The day after…

29
Users access to the portal…
Mario Verdi – 12/12/1970 – m.verdi@azienda.it
Mario Rossi- 10/09/1982 – mariorossi@azienda.it
Paolo Rossi – 09/02/1960 – p_rossi@azienda.it

30
Users access to the portal…
Oh oh...I find a problem...

31
Some days after…

32
The reactions…
Ohh..how it was possible?
Fault of the developers!
but it is impossible !?
We followed all your
instructions
If you do not ask for security, no one will develop secure software
Use the Testing Guide as common framework

33
An year after…another security breach
but it is impossible !?
We adopt the OWASP
Testing Guide!
Web Application Penetration testing is not enough!
Testing without fixing is like to throw money out the window
Ohh..how it was possible?
Fault of the developers!

34
Conclusion
 Adopt the OWASP Testing Guide as your standard for verify the security of
your Web Application.
 Remember that the Testing Guide is not the panacea of Software Security!
 You need to create an application security program to address awareness,
secure coding guidelines, threat modelling, secure design, Secure Code
Review and Web Application Penetration Testing.
 Focus more on fixing the vulnerabilities of your reports.

www.owasp.org https://www.owasp.org/index.php/Italy matteo.meucci@owasp.org
Thanks! Questions?

Matteo Meucci OWASP Testing Guide v4

More Related Content

What's hot

Similar to Matteo Meucci OWASP Testing Guide v4

Recently uploaded

Matteo Meucci OWASP Testing Guide v4