2. What is OWASP?
Professional organization
Professionals, students, companies, universities
Awareness
Standards
Tools
Distributed, global peers
OWASP 2
3. Mission
Make application security visible so that people and
organizations can make informed decisions about true
application security risk
What causes application security risk?
• Immediate causes – vulnerabilities themselves
• Developers and operators
• Organizational structure, development process, supporting technology
• Increasing connectivity and complexity
• Legal and regulatory environment
• Asymmetric information in the software market
4. OWASP Core Values
OPEN Everything at OWASP is radically transparent from our
finances to our code.
INNOVATION OWASP encourages and supports
innovation/experiments for solutions to software security
challenges.
GLOBAL Anyone around the world is encouraged to participate in
the OWASP community.
INTEGRITY OWASP is an honest and truthful, vendor-agnostic,
global community.
5. OWASP Code of Ethics
Perform all professional activities and duties in accordance with all
applicable laws and the highest ethical principles;
Maintain appropriate confidentiality of proprietary or otherwise
sensitive information encountered in the course of professional
activities;
To communicate openly and honestly;
Refrain from any activities which might constitute a conflict of
interest or otherwise damage the reputation of employers, the
information security profession, or the Association;
To maintain and affirm our objectivity and independence;
To reject inappropriate pressure from industry or others.
7. Why should I care about security?
Increased frequency of attacks
Complexity of malware
Hacktivism
Online crime
Internet warfare
Technological espionage
Cracking
Etc...
8. OWASP Projects - General
3 groups:
Protect – Tools and docs used to protect applications
Detect – Tools and docs used to find vulnerabilities
Life Cycle – Tools and docs used to add security-related
activities to the Software Development Lifecycle
Anyone can start a project, after review and
acceptance by the Global Committee
10. OWASP Projects – OWASP Application
Security Verification Standard
OWASP Standardization
The first internationally-recognized standard for
conducting application security assessments.
Security testing and code review techniques
Covers both automated and manual approaches
for assessing:
Web applications – released
Web services – in progress
12. OWASP Projects – OWASP Frameworks
OWASP AntiSamy Project (Java, .NET)
API for validating rich HTML/CSS input from users
without exposure to cross-site scripting and phishing
attacks
OWASP Enterprise Security API (ESAPI)
Free and open collection of all the security methods
that a developer needs to build a secure web
application.
OWASP ModSecurity Rule Set Project
Rules for the ModSecurity web application firewall engine
Generic protection from unknown vulnerabilities often
found in web applications
14. OWASP Projects – OWASP Tools
OWASP JBroFuzz Project
JBroFuzz is a web application fuzzer for requests
being made over HTTP or HTTPS
OWASP WebScarab Project
Tool for performing all types of security testing on
web applications and web services
OWASP Zed Attack Proxy
penetration testing tool for finding vulnerabilities in
web applications.
used by people with a wide range of security
experience
Toolsmith tool of the year 2011
15. OWASP Projects – OWASP WebGoat
Educational project
Want to learn how to test the security of a web app?
Try WebGoat!
Learn to test for the OWASP Top 10
Other Goat projects:
GoatDroid
iGoat
17. OWASP Local chapters - Overview
Local communities
Working on raising awareness of IT security
Management level
Developer level
Ordinary people
Knowledge sharing
Local chapters contribute to OWASP projects
Guided by Local Chapter Handbook
18. AppSec conferences
OWASP AppSec conferences bring together industry,
government, security researchers, and practitioners to
discuss the state of the art in application security.
Started in 2004 in the USA, 2005 in Europe
Global AppSec conferences:
AppSec Asia-Pacific 11–14 April, Sydney, Australia
Global AppSec Research 10–13 July, Athens, Greece
AppSec North America 22–26 Oct, Austin, TX
AppSec Latin America 14–16 Nov, Buenos Aires,
Argentina
22. Google Summer of Code 2012
OWASP is officially selected as a GSoC mentoring
organization
1) Think of a good idea – For reference see GSoC 2012 Ideas
2) Do some research yourself based on the idea, write up a
proposal draft
3) Post it to the mailing list at gsoc@lists.owasp.org for initial
discussions with OWASP mentors.
4) Based on feedback, write a full proposal – see the template
here: https://www.owasp.org/index.php/GSoC_SAT
5) Submit your proposal to Google from March 26–April 6, 2012.
April – August coding
23. Local Chapter Serbia
Local chapter meetings – every month
Spreading awareness, doing PR
OWASP Day – hopefully
Competition
Working groups – PR, FR, IT...
Contribute to global projects
Any other ideas?