Open Web Application Security Project
Antonio Fontes, antonio.fontes@owasp.org
SWISS CYBER STORM Conference – May 2011, Rapperswil

A few words about me
Antonio Fontes
- 6 years of background working on software security and privacy
- Founder and principal consultant at L7 Securité Sàrl
- Lecturer at HST Yverdon (HEIG-VD)
- Focus: web application threats and countermeasures, secure development lifecycle, penetration testing and vulnerability assessment, software threat modelling and risk analysis
- OWASP Switzerland: member of the board, western Switzerland delegate
- OWASP Geneva: chapter leader
12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil

cat /wwwroot/agenda.html
- Why do organizations need OWASP?
- OWASP worldwide
- OWASP in Switzerland
- Q/A
Thermometer:
“Is your organization already using OWASP material?”
- For internal software development?
- For outsourced custom software?
- For COTS acquisition?
(photo by Dave Oshry)

Why do organisations need OWASP?
101 million users! 77 million users!
Handout from Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen (May 1st, 2011). (photo by Dave Oshry)

Just a little check:
“Who knows PBKDF2?”
Who understands this in your organisation?
Use hashes!! No! Don't use hashes!!
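The slide pits “use hashes” against “don't use hashes”; the added example below (not from the talk) shows what separates a plain fast hash from PBKDF2 with a per-user salt and an iteration count, using only the Python standard library. The iteration count and the `algorithm$iterations$salt$hash` record format are assumptions of this example, not anything the slides prescribe.

```python
# Added example, not from the slides: "just use hashes" versus PBKDF2.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumed tuning value; size it to your CPU budget
SALT_BYTES = 16


def naive_hash(password: str) -> str:
    """The 'just use hashes' approach: one fast, unsalted SHA-256 digest.

    Two users with the same password get the same digest, and an attacker
    holding a leaked table can test billions of guesses per second.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt and a work factor.

    Returns a self-describing record (assumed format):
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
    so that the parameters can be raised later without a schema change.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        stored = bytes.fromhex(dk_hex)
    except ValueError:
        # Malformed record: wrong field count, bad hex or bad integer.
        return False
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("naive  :", naive_hash(pw))
    rec = pbkdf2_hash(pw)
    print("pbkdf2 :", rec)
    print("verify :", pbkdf2_verify(pw, rec), pbkdf2_verify("wrong", rec))
```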
Why do organisations need OWASP?
Outside the organisation:
- Increasing adoption of “anything over HTTP”
- Increasing “hostile” interest in online services: increasing “threat population”; web hacking/security is easy to understand and teach; low risk of being “caught”
- Increasing offer of security consulting, services and products
Inside organisations:
- Developers dealing with dozens of web technologies
- Heterogeneous development teams and lifecycles
- Constant pressure for delivery
- Turnover and loss of internal know-how
- Who in the company is actually both up to date on the concept of “(web) application security” and has the power to take decisions?
- Who in the company is actually able to qualify the security products and services that are paid for?
Timeline (figure): 2001, 2003, 2005, 2007, 2010, 2011
OWASP foundation
Mission: “Make application security visible, so that people and organisations can make informed decisions about application security risks.”
Structure: U.S. 501(c)(3) not-for-profit charitable international organization
Core values: open, global, innovation, worldwide
Code of ethics: independence from vendors, technology-agnostic

"strategy"
Diagram labels: Threat, Website, Board, Web Application, People, Committees, Methods, Summit, Tools, Chapters, Projects, Company assets, Conferences, Members

OWASP people
Project Leaders: driving volunteer effort on OWASP material projects: workshops, brainstorming sessions, analysis/reporting, guides editing, tools coding. 19 quality-release and 26 beta-status projects.
Chapter Leaders: leading local chapter meetings: 188 chapters worldwide, more than 300 yearly meetings worldwide, connection with local organisations. Next local chapter meeting: Zurich – June 14th.
Global Committees: driving volunteer effort on global/focused OWASP outreach. Active global committees: Industries, Membership, Government, Education, Projects, Events, Connections.
Full-time staff:
- Kate Hartmann: logistics and day-to-day support for leaders of the 188 local chapters
- Alison Shrader: accounting and administration
- Paulo Coimbra: PMO
- Sarah Basso: operations before/during/after OWASP events

Conferences: research
Conference dedicated to research work on application security.
Conferences: AppSec
Yearly global application security focused conferences: Europe, North America, South America, Asia. Next OWASP conference in Europe: Dublin – June 7th-10th 2011.
The Summit
Intensive 1-week workshop event with leaders, contributors, sponsors and software vendors: ability to connect with leading software vendors and corporate members; more than 150 reunited chapter and project leaders; 80 workshops.
OWASP members
OWASP Membership
Individual members:
- Annual fee: 50$/year
- Free access to OWASP Training day events
- Reduced fees at OWASP events
- Current count: 1383 individual contributing members
Corporate members:
- 52 public corporate members
- Annual fee: 5’000$/year
- Delegates for the Summit event
- Logo on website, use as marketing argument
- Majority is from the US, but Switzerland is also there
Academic members:
- Annual fee: 0$/year
- Donate: support 40 members
- Switzerland: 1 official partnership (HEIG-VD), 2 pending partnerships

OWASP: the web portal
https://www.owasp.org
- 250’000 unique visitors monthly
- 650’000 pages viewed monthly
- 60% driven by search engines
- 19% referred by other websites
- Highest traffic motives: OWASP Top 10, WebScarab project, XSS prevention cheat sheet, “sql injection”
http://lists.owasp.org
- More than 400 mailing lists currently running
- 25’900 memberships
- About: tools, documents, methods, committees, events, outreach, leaders, etc.
OWASP projects
OWASP projects: Tools
Lifecycle phases (figure columns): Analyze, Design, Implement, Verify, Deploy, Respond
Tools shown: ModSecurity CRS, JBroFuzz, AntiSamy, LiveCD, ESAPI, DirBuster, WebScarab, CSRFGuard, O2, Orizon, Encoding, Code Crawler, Zed Attack Proxy, Stinger
Cross-cutting: Academy portal, Broken Web Applications, ESAPI Swingset, WebGoat
OWASP projects: Documents
Lifecycle phases (figure columns): Analyze, Design, Implement, Verify, Deploy, Respond
Documents shown: Secure contract, Development, Code Review, Backend Security, Threat risk modeling, J2EE Security, Testing, Application security requirements, RoR Security, ASVS, .NET Security, AJAX Security, PHP Security, Secure coding practices
Cross-cutting: Academy, AppSec FAQ, AppSec metrics, Common Vuln. List, Education, Exams, Legal, OWASP Top 10

Tools: WebGoat
COTS web application for web application security (CBT) training. Click and run: /index.php/Webgoat

Tools: ModSecurity core ruleset
Critical protections centralized in a core ruleset (CRS) to be installed on ModSecurity-enabled Apache servers. Provides: HTTP protocol compliance, attack detection, error detection, search engine monitoring.
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Tools: Enterprise Security API
Control library encapsulating most security functions required in web applications: authentication, access control, sessions, encoding, input validation, encryption, logging, intrusion detection, …
https://www.owasp.org/index.php/ESAPI

Documents: OWASP Top 10
https://www.owasp.org/index.php/Top10

Documents: code review guide
Instructions and methodology manual for conducting code security reviews. Guidance on detecting the major security flaws created during implementation.
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

Documents: ASVS
ASVS: Application Security Verification Standard. 4 verification (assurance) levels across more than 120 security controls. Tailored to your own risk aversion.
https://www.owasp.org/index.php/ASVS

Documents: OpenSAMM
Open Software Assurance Maturity Model
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
OWASP Switzerland
OWASP Switzerland's structure
- No legal form (yet, just a few days left)
- Leader: Sven Vetsch
- Board members: Tobias Christen, Antonio Fontes
- Based in Zurich
- 130 mailing list members
- Next meeting: June 14th
Other local city/region chapters:
- OWASP Geneva: 90 list members, next meeting: September 6th

Activities: meetings and conferences
Local chapter meetings:
- 1, 2 or 3 speakers per event
- Geneva, Yverdon, Zurich
- ~8 meetings/year
- Attendance: 15-100 people
- People love these meetings!
(Historical) conference partnerships:

Activities: awareness sessions
Awareness session for Swiss organizations:
- 1 hour, head-to-head session with an OWASP representative at your company
- Syllabus: OWASP organization, OWASP projects and membership opportunities
- 4 Swiss private companies requested this in 2010
- It’s free! BUT: it’s not free training or consulting!! No product names, no "reviews", no training.

Swiss speakers and contributors (non-exhaustive list, sorry for those I forgot)
- Ivan Butler: web application firewall and Hacking lab
- Tobias Christen: security and usability
- Alexis Fitzgerald: gathering application security requirements
- Christian Folini: ModSecurity CRS and DDoS defense
- Antonio Fontes: threat modelling and lifecycle security
- Axel Neumann: Zed Attack Proxy
- Sylvain Maret: strong authentication
- Pierre Parrend: Java mobile applications
- Sven Vetsch: advanced XSS attacks and defense
- ... come to me after the talk if you want your name here

Visit the OWASP website: https://www.owasp.org
Join the OWASP Switzerland mailing list: http://www.owasp.ch
Follow us on Twitter: @OWASP_ch / @OWASP
Get in touch with your local OWASP representatives:
- Sven Vetsch (Switzerland): sven.vetsch@disenchant.ch
- Antonio Fontes (Western/French Switzerland): antonio.fontes@owasp.org
Thank you!
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 

Meet the OWASP

  • 1. Open Web Application Security Project. Antonio Fontes, antonio.fontes@owasp.org. SWISS CYBER STORM Conference – May 2011, Rapperswil.
  • 2. A few words about me: Antonio Fontes. 6 years background working on software security & privacy. Founder and principal consultant at L7 Securité Sàrl. Lecturer at HST Yverdon (HEIG-VD). Focus: web application threats and countermeasures; secure development lifecycle; penetration testing and vulnerability assessment; software threat modelling and risk analysis. OWASP: OWASP Switzerland: member of the board, western Switzerland delegate. OWASP Geneva: chapter leader. 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil
  • 3. cat /wwwroot/agenda.html: Why do organizations need OWASP? OWASP worldwide. OWASP in Switzerland. Q/A.
  • 4. Thermometer: “Is your organization already using OWASP material?” - For internal software development? - For outsourced custom software? - For COTS acquisition? Photo by Dave Oshry.
  • 5. Why do organisations need OWASP?
  • 6. Why do organisations need OWASP?
  • 7. Why do organisations need OWASP? 101 million users! 77 million users!
  • 8. Why do organisations need OWASP? Handout from Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen (May 1st, 2011). Photo by Dave Oshry.
  • 9. Why do organisations need OWASP?
  • 10. Just a little check: “Who knows PBKDF2?”
  • 11. Why do organisations need OWASP? Who understands this in your organisation?
  • 12. Why do organisations need OWASP? Use hashes!! No! Don't use hashes!!
  • 13. Why do organisations need OWASP? Outside the organisation: increasing adoption of “anything over HTTP”; increasing “hostile” interest in online services: increasing “threat population”; web hacking/security is easy to understand/teach; low risk of being “caught”; increasing offer in security consulting, services and products.
  • 14. Why do organisations need OWASP? Inside organisations: developers dealing with dozens of web technologies; heterogeneous development teams and lifecycles; constant pressure for delivery; turnover and loss of internal know-how. Who in the company is actually both up to date on the concept of “(web) application security” and has the power to take decisions? Who in the company is actually able to qualify the security products and services that are paid for?
  • 15. Why do organisations need OWASP? Timeline: 2001, 2003, 2005, 2007, 2010, 2011.
  • 16. OWASP foundation. Mission: “Make application security visible, so that people and organisations can make informed decisions about application security risks.” Structure: U.S. 501(c)(3) not-for-profit charitable international organization. Core values: Open, Global, Innovation, Worldwide. Code of ethics: independence from vendors, technology-agnostic.
  • 17. "Strategy" (diagram labels): Threat, Website, Board, Web Application, People, Committees, Methods, Summit, Tools, Chapters, ?, Projects, Company assets, Conferences, Members.
  • 18. OWASP people.
  • 19. Project Leaders. Driving volunteer effort on OWASP material projects: workshops, brainstorming sessions, analysis/reporting, guide editing, tool coding. 19 quality-release and 26 beta-status projects.
  • 20. Chapter Leaders. Leading local chapter meetings: 188 chapters worldwide; more than 300 yearly meetings worldwide; connection with local organisations. Next local chapter meeting: Zurich – June 14th.
  • 21. Global Committees. Driving volunteer effort on global/focused OWASP outreach. Active Global Committees: Industries, Membership, Government, Education, Projects, Events, Connections.
  • 22. Full-time staff. Kate Hartmann: logistics and day-to-day support for leaders of the 188 local chapters. Alison Shrader: accounting & administration. Paulo Coimbra: PMO. Sarah Basso: operations before/during/after OWASP events.
  • 23. Conferences: research. Conference dedicated to research work on application security.
  • 24. Conferences: AppSec. Yearly global application security focused conferences: Europe, North America, South America, Asia. Next OWASP Conference in Europe: Dublin – June 7th-10th 2011.
  • 25. The Summit. Intensive 1-week workshop event with leaders, contributors, sponsors and software vendors: ability to connect with leading software vendors and corporate members; more than 150 reunited chapter & project leaders; 80 workshops.
  • 26. OWASP members.
  • 27. OWASP Membership. Individual members: annual fee: 50$/year; free access to OWASP Training Day events; reduced fees at OWASP events. Current count: 1383 individual contributing members.
  • 28. OWASP Membership. Corporate members: 52 public corporate members; annual fee: 5’000$/year; delegates for the Summit event; logo on website, usable as a marketing argument. The majority is from the US, but Switzerland is also there.
  • 29. OWASP Membership. Academic members: annual fee: 0$/year. Donate: support 40 members. Switzerland: 1 officialised partnership (HEIG-VD), 2 pending partnerships.
  • 30. OWASP: the web portal.
  • 31. https://www.owasp.org: 250’000 unique visitors monthly; 650’000 pages viewed monthly; 60% driven by search engines; 19% referred by other websites. Highest traffic motives: OWASP Top 10, WebScarab project, XSS prevention cheat sheet, “sql injection”.
  • 32. http://lists.owasp.org: more than 400 mailing lists currently running; 25’900 memberships. About: tools, documents, methods, committees, events, outreach, leaders, etc.
  • 33. OWASP projects.
  • 34. OWASP projects: Tools, mapped across the lifecycle (Analyze, Design, Implement, Verify, Deploy, Respond): ModSecurity CRS, JBroFuzz, AntiSamy, LiveCD, ESAPI, DirBuster, WebScarab, CSRFGuard, O2, Orizon, Encoding, Code Crawler, Zed Attack Proxy, Stinger. Also: Academy portal, Broken Web Applications, ESAPI Swingset, WebGoat.
  • 35. OWASP projects: Documents, mapped across the lifecycle (Analyze, Design, Implement, Verify, Deploy, Respond): Secure Contract, Development, Code Review, Backend Security, Threat Risk Modeling, J2EE Security, Testing, Application Security Requirements, RoR Security, ASVS, .NET Security, AJAX Security, PHP Security, Secure Coding Practices. Also: Academy, AppSec FAQ, AppSec Metrics, Common Vuln. List, Education, Exams, Legal, OWASP Top 10.
  • 36. Tools: WebGoat. COTS web application for webapp security (CBT) training. Click and run. /index.php/Webgoat
  • 37. Tools: ModSecurity Core Rule Set. Critical protections centralized in a core ruleset (CRS) to be installed on ModSecurity-enabled Apache servers. Provides: HTTP protocol compliance, attack detection, error detection, search engine monitoring. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
  • 38. Tools: Enterprise Security API (ESAPI). Control library encapsulating most security functions required in web applications: authentication, access control, sessions, encoding, input validation, encryption, logging, intrusion detection, … https://www.owasp.org/index.php/ESAPI
  • 39. Documents: OWASP Top 10. https://www.owasp.org/index.php/Top10
  • 40. Documents: Code Review Guide. Instructions and methodology manual for conducting code security reviews. Guidance on detecting the major security flaws created during implementation. https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
  • 41. Documents: ASVS. ASVS: Application Security Verification Standard. 4 verification (assurance) levels across more than 120 security controls. Tailored to your own risk aversion. https://www.owasp.org/index.php/ASVS
  • 42. Documents: OpenSAMM. Open Software Assurance Maturity Model. https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
  • 43. OWASP Switzerland.
  • 44. OWASP Switzerland's structure. No legal form (yet, just a few days left). Leader: Sven Vetsch. Board members: Tobias Christen, Antonio Fontes. Based in Zurich. 130 mailing list members. Next meeting: June 14th. Other local city/region chapters: OWASP Geneva: 90 list members; next meeting: September 6th.
  • 45. Activities: meetings and conferences. Local chapter meetings: 1, 2 or 3 speakers per event; Geneva, Yverdon, Zurich; ~8 meetings/year; attendance: 15-100 people. People love these meetings! (Historical) conference partnerships.
  • 46. Activities: awareness sessions. Awareness session for Swiss organizations: 1 hour, head-to-head session with an OWASP representative at your company. Syllabus: OWASP organization, OWASP projects and membership opportunities. 4 Swiss private companies requested this in 2010. It’s free! BUT: it’s not free training or consulting!! No product names. No "reviews". No training.
  • 47. Swiss speakers and contributors (non-exhaustive list, sorry for those I forgot): Ivan Butler: Web application firewall & Hacking Lab. Tobias Christen: Security & Usability. Alexis Fitzgerald: Gathering application security requirements. Christian Folini: ModSecurity CRS & DDoS defense. Antonio Fontes: Threat modelling & lifecycle security. Axel Neumann: Zed Attack Proxy. Sylvain Maret: Strong authentication. Pierre Parrend: Java mobile applications. Sven Vetsch: Advanced XSS attacks and defense. ... come to me after the talk if you want your name here.
  • 48. Visit the OWASP website: https://www.owasp.org. Join the OWASP Switzerland mailing list: http://www.owasp.ch. Follow us on Twitter: @OWASP_ch / @OWASP. Get in touch with your local OWASP representatives: Sven Vetsch (Switzerland), sven.vetsch@disenchant.ch; Antonio Fontes (Western/French Switzerland), antonio.fontes@owasp.org. Thank you!
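Slides 10 to 12 ask “Who knows PBKDF2?” and show the “use hashes / don't use hashes” confusion around stored passwords. The Python example below is added here and is not part of the deck or of any OWASP project; it contrasts an unsalted single-pass hash with a salted, iterated PBKDF2-HMAC-SHA256 record and verifies in constant time. The iteration count, salt size and record format are assumptions of this example, not values from the talk.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example; tune it
# to the server's capacity and raise it over time.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def plain_hash(password: str) -> str:
    """Unsalted single-pass hash: identical passwords give identical digests,
    so one leaked table reveals every user who chose the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a PBKDF2 record with a per-user random salt and a slow KDF.
    Self-describing record so parameters can be raised later:
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>"""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def _parse(record: str):
    """Return (iterations, salt, derived_key) or None for a malformed record."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        iterations, salt, dk = int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        if algo != ALGO or iterations < 1 or not dk:
            return None
        return iterations, salt, dk
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so the check does not leak how many bytes matched."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record is malformed or was made with fewer iterations than
    current policy; call after a successful login to upgrade the stored record."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations
```

Two users choosing the same password get identical `plain_hash` values but different `hash_password` records, which is the property the slide's “use hashes” advice leaves out.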

Editor's Notes

  1. 1) Web frontends, Web 2.0 portals, intranets / extranets for b/c/c services, VPN over SSL, web services, SOAs, online APIs, … Access to public services, personal data, business automation, etc. 2) The value of information / service. 3) Governments, competitors, disgruntled people, hackers…? 4) The advantage of not being “there”: “blacklist” countries (from a legal perspective).
  2. Basic context: threat exercise on a web-facing entity, potentially exposing company assets. Need for information, visibility. Achieved with people, methods and tools. OWASP creates the necessary ecosystem to build up these 3 components. Visibility on app security is then brought to the company.
  3. Statistics indicate the major search terms being support for XSS defense and understanding SQL injection. Although very "basic" and quite old, SQL injection remains a major search term: the message STILL needs to be transmitted. Do not OVERESTIMATE!!!
  4. Coverage across the development lifecycle.
  5. Objective: help you identify what OWASP can provide you. Help you identify opportunities for internal secure development. Help you identify opportunities for secure COTS/outsourced software vendor agreements. Help you identify material that you can use to leverage your relation with your security services/product provider.