SlideShare a Scribd company logo
OWASP Projects and Resources
                  you can use today



                      Konstantinos Papapanagiotou
                      Greek Chapter Leader

                      conpap@owasp.gr
OWASP
Athens Digital Week
9/10/2010
                        Copyright © The OWASP Foundation
                        Permission is granted to copy, distribute and/or modify this document
                        under the terms of the OWASP License.




                        The OWASP Foundation
                        http://www.owasp.org
Your Code is Part of Your Security Perimeter
                   Your security “perimeter” has huge
                      holes at the application layer

                              Custom Developed
                              Application Code
 APPLICATION
   ATTACK




                                App Server
                                Web Server
                               Hardened OS




   You can’t use network layer protection (firewall, SSL, IDS, hardening)
                 to stop or detect application layer attacks
                                                                 OWASP      3
OWASP
  The Open Web Application Security Project
          http://www.owasp.org
http://www.owasp.gr – http://blog.owasp.gr
What is OWASP?

Open Web Application Security Project
  Worldwide, free and open community
  Non-profit, volunteer driven organization
  Mission: improve application software security
  Promotes secure software development
  An open forum for discussion
  A free resource for any development team
     Publications, Articles, Standards
     Testing and Training Software
     Local Chapters & Mailing Lists

                                          OWASP     5
The Greek Chapter

Created in 2005 but active since early 2007
Mission: raise security awareness in Greece
Activities:
  Translation of OWASP documentation
  Mailing list
  Blog
  Participation in working groups and conferences
  Awareness
~120 members
http://www.owasp.gr - http://blog.owasp.gr
                                              OWASP   6
OWASP Body of Knowledge                                                                                        Guidance and Tools
                                                                                                               for Measuring and
                                   Guide to Application                                                       Managing Application
                                    Security Testing and                                                            Security
                                   Guide to Application
                                   Security Code Review


                                                                         Verifying           Managing
                                                                        Application          Application
                            Guide to Building                            Security             Security
                               Secure Web
                           Applications and Web
                                 Services

                                                             Acquiring and                                 Application
                                                                                Core Application
                                        AppSec Conferences


                                                               Building                                     Security
                                                                                    Security
                                                                Secure                                       Tools
                                                                                Knowledge Base
                      Chapters
 Projects




                                                              Applications                                       Tools for Scanning,
                                                                                                                 Testing, Simulating,
                                                                                                                 and Reporting Web
                                                                                                                 Application Security
                                                                                              AppSec                    Issues
                                                                        Research to
                                                                        Secure New          Education and
                                      Research Projects to                                      CBT
                                      Figure Out How to                 Technologies                             Principles
                                     Secure the Use of New                                                     Threat Agents,
       OWASP Community Platform
                                                                    Web Based Learning                            Attacks,
        (wiki, forums, mailing lists) Technologies (like
                                             Ajax)                   Environment and                           Vulnerabilities,
                                                                    Guide for Learning                          Impacts, and
                                                                    Application Security                      Countermeasures
            OWASP Foundation 501c3

                                                                                                            OWASP
OWASP Tools and Technology
  • Vulnerability      • Penetration       • ESAPI
    Scanners             Testing Tools
  • Static Analysis    • Code Review
    Tools                Tools
  • Fuzzing

  Automated            Manual
                                           Security
  Security             Security
                                           Architecture
  Verification         Verification



  • AppSec Libraries   • Reporting Tools   • Flawed Apps
  • ESAPI Reference                        • Learning
    Implementation                           Environments
  • Guards and                             • Live CD
    Filters                                • SiteGenerator

  Secure               AppSec              AppSec
  Coding               Management          Education

                                                       OWASP   8
What’s a WebGoat
OWASP project with ~115,000 downloads
Deliberately insecure Java EE web application
Teaches common application vulnerabilities via a
 series of individual lessons




                                         OWASP      9
OWASP WebScarab




                  OWASP
Athens Owasp workshop Athens Digital Week 2010
Risk



 OWASP
OWASP Top 10 Risk Rating Methodology




            1
            2
            3



Injection Example

                      1.66 weighted risk rating
                                            OWASP   13
OWASP Top 10 2010




         http://www.owasp.org/index.php/Top_10

                                                 OWASP   14
A1. Injection

                                             "SELECT * FROM
                                              Account Summary
                                             accounts WHERE
                                            Account:

                 HTTP
                                           acct=‘’ OR 1=1--
                                              SKU:
                                         Acct:5424-6066-2134-4334
                             DB Table    Acct:4128-7574-3921-0192
 HTTP                 SQL
               response                              ’"
                                         Acct:5424-9383-2039-4029
 APPLICATION
request
   ATTACK            query               Acct:4128-0004-1234-0293
               Custom Code
                                        1. Application presents a form to
                                        the attacker
                                        2. Attacker sends an attack in the
                                        form data
                App Server
                                        3. Application forwards attack to
                Web Server
                                        the database in a SQL query
               Hardened OS
                                        4. Database runs query containing
                                        attack and sends encrypted results
                                        back to application
                                        5. Application decrypts data as
                                        normal and sends results to the user


                                                       OWASP            15
A2. Cross-Site Scripting (XSS)
          1   Attacker sets the trap – update my profile

                                                               Application with
                                                               stored XSS
                          Attacker enters a                    vulnerability
                          malicious script into a web
                          page that stores the data
                          on the server

          2   Victim views page – sees attacker profile

                                                                  Custom Code


                          Script runs inside victim’s
                          browser with full access to
                          the DOM and cookies



  3   Script silently sends attacker Victim’s session cookie
                                                                       OWASP      16
A3. Broken Authentication and Session
    Management        1  User sends credentials


     www.boi.com?JSESSIONID=9FA1DB9EA...
                                     Site uses URL rewriting      2          Custom Code
                                     (i.e., put session in URL)




                                    3    User clicks on a link to http://www.hacker.com
                                         in a forum

                         Hacker checks referer logs on www.hacker.com
                                         and finds user’s JSESSIONID     4
5   Hacker uses JSESSIONID
    and takes over victim’s
    account

                                                                          OWASP            17
A4. Insecure Direct Object References

                                             Attacker notices his acct
https://www.onlinebank.com/user?acct=6065     parameter is 6065
                                              ?acct=6065

                                             He modifies it to a
                                              nearby number
                                              ?acct=6066

                                             Attacker views the
                                              victim’s account
                                              information

                                                          OWASP      18
A5. Cross-Site Request Forgery (CSRF)
           Attacker sets the trap on some website on the internet
       1       (or simply via an e-mail)




                                                            Application with CSRF
                          Hidden <img> tag                  vulnerability
                          contains attack against
                          vulnerable site


           While logged into vulnerable site,
       2     victim views attacker site
                                                              Custom Code


                                                                3
                                                              Vulnerable site sees
                       <img> tag loaded by                    legitimate request from
                       browser – sends GET                    victim and performs the
                       request (including                     action requested
                       credentials) to vulnerable
                       site
                                                                    OWASP           19
A6 – Security Misconfiguration
  Web applications rely on a secure foundation

  • Everywhere from the OS up through the App Server
  • Don’t forget all the libraries you are using!!

  Is your source code a secret?

  • Think of all the places your source code goes
  • Security should not require secret source code

  CM must extend to all parts of the application

  • All credentials should change in production

  Typical Impact

  • Install backdoor through missing OS or server patch
  • XSS flaw exploits due to missing application framework patches
  • Unauthorized access to default accounts, application functionality or data,
    or unused but accessible functionality due to poor server configuration

                                                                         OWASP
A7. Insecure Cryptographic Storage


                     Victim enters credit
                1    card number in form




            Malicious insider                         Log files
        4
            steals 4 million credit             Error handler logs CC    2
            card numbers                      details because merchant
                                                gateway is unavailable

             Logs are accessible to all   3
              members of IT staff for
                 debugging purposes
                                                            OWASP            21
A8. Failure to Restrict URL Access

                                               Attacker notices the URL
https://www.onlinebank.com/user/getAccounts
                                                indicates his role
                                                 /user/getAccounts

                                               He modifies it to another
                                                directory (role)
                                                /admin/getAccounts, or
                                                /manager/getAccounts

                                               Attacker views more
                                                accounts than just their
                                                own
                                                            OWASP      22
A9. Insufficient Transport Layer Protection




                                                                  Business Partners
External Victim
                      Custom Code   Backend Systems




                                                                    Employees
                  1                                      2
             External attacker                           Internal attacker
             steals credentials                          steals credentials
             and data off                                and data from
             network                                     internal network
External Attacker                          Internal Attacker
                                                                    OWASP
A10. Unvalidated Redirects and Forwards
                 1   Attacker sends attack to victim via email or webpage

                       From: Internal Revenue Service
                       Subject: Your Unclaimed Tax Refund
                       Our records show you have an                     3   Application redirects
                       unclaimed federal tax refund. Please                 victim to attacker’s site
                       click here to initiate your claim.



                     Victim clicks link containing unvalidated
                 2     parameter

                                                                                Custom Code


                                 Request sent to vulnerable
                                 site, including attacker’s
                                 destination site as parameter.
                                 Redirect sends victim to
                                 attacker site                                          Evil Site



                                                                  4   Evil site installs malware on
http://www.irs.gov/taxrefund/claim.jsp?year=2006                      victim, or phish’s for private
   & … &dest=www.evilsite.com                                         information
                                                                                OWASP               24
Penetration
      Testing   OWASP
http://www.opensamm.org/
Goals and Purpose

 To define building blocks for an assurance program
    Delineate all functions within an organisation that could be
     improved over time
 To allow organizations to create customized roadmaps
    Each organisation can choose the order and extent they improve
     each function
 To provide sample roadmaps for common types of
  organisations
    Each roadmap is a baseline that can be tweaked based on the
     specific concerns of a given organisation




                                                           OWASP      27
OWASP SAMM
(Software Assurance Maturity Model)




                                      OWASP
Imagine an Enterprise Security API

 All the security controls a developer needs

 Standard
 Centralized
 Organized
 Integrated
 High Quality
 Intuitive
 Tested

 Solves the problems of missing and broken controls
                                                OWASP
Authenticator

                                                                       User

                                                                 AccessController

                                                               AccessReferenceMap

                                                                     Validator

                                                                     Encoder

                                                                   HTTPUtilities
                                                                                                                                                     Enterprise Security API




                                                                    Encryptor

                                                               EncryptedProperties

                                                                   Randomizer
                                                                                       Enterprise Security API




                                                                Exception Handling
                                                                                                                 Custom Enterprise Web Application




                                                                      Logger

                                                                IntrusionDetector
OWASP
             Existing Enterprise Security Services/Libraries




                                                               SecurityConfiguration
        30
Questions?




http://blog.owasp.gr
 http://www.owasp.gr

More Related Content

What's hot

Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
Denim Group
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFix
Denim Group
 
Waratek ISACA Webinar
Waratek ISACA WebinarWaratek ISACA Webinar
Waratek ISACA Webinar
Waratek Ltd
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside OutWaratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Ltd
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016
Waratek Ltd
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
The Path of Secure Software
The Path of Secure SoftwareThe Path of Secure Software
The Path of Secure Software
Katy Anton
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
OWASP Top Ten 2013
OWASP Top Ten 2013OWASP Top Ten 2013
OWASP Top Ten 2013
Alessandro Bonu
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 
Owasp top 10 2013 - rc1
Owasp top 10   2013 - rc1Owasp top 10   2013 - rc1
Owasp top 10 2013 - rc1
Ajay Ohri
 

What's hot (20)

Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFix
 
Waratek ISACA Webinar
Waratek ISACA WebinarWaratek ISACA Webinar
Waratek ISACA Webinar
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
 
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside OutWaratek Securing Red Hat JBoss from the Inside Out
Waratek Securing Red Hat JBoss from the Inside Out
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Army
 
The Path of Secure Software
The Path of Secure SoftwareThe Path of Secure Software
The Path of Secure Software
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
 
OWASP Top Ten 2013
OWASP Top Ten 2013OWASP Top Ten 2013
OWASP Top Ten 2013
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
 
Owasp top 10 2013 - rc1
Owasp top 10   2013 - rc1Owasp top 10   2013 - rc1
Owasp top 10 2013 - rc1
 

Similar to Athens Owasp workshop Athens Digital Week 2010

Setting up a secure development life cycle with OWASP - seba deleersnyder
Setting up a secure development life cycle with OWASP - seba deleersnyderSetting up a secure development life cycle with OWASP - seba deleersnyder
Setting up a secure development life cycle with OWASP - seba deleersnyder
Sebastien Deleersnyder
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
DefCamp
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving Infrastructures
SBWebinars
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Ludovic Petit
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital LandscapeDevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital Landscape
stevecooper930744
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Minded Security
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
alexbe
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)
Arvind Bhardwaj [AB]
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
Tjylen Veselyj
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
HCL Appscan on Cloud
HCL Appscan on CloudHCL Appscan on Cloud
HCL Appscan on Cloud
HCLSoftware
 
7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web application7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web application
TestingXperts
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
Marco Morana
 
application security.pdf
application security.pdfapplication security.pdf
application security.pdf
VSAM Technologies India Private Limited
 
application security.pptx
application security.pptxapplication security.pptx
application security.pptx
AbhishekThakur567842
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
Neil Matatall
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
Null singapore - Mobile Security Essentials
Null singapore - Mobile Security EssentialsNull singapore - Mobile Security Essentials
Null singapore - Mobile Security Essentials
Sven Schleier
 
Matteo Meucci Isaca Venice - 2017
Matteo Meucci  Isaca Venice - 2017Matteo Meucci  Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017
Minded Security
 

Similar to Athens Owasp workshop Athens Digital Week 2010 (20)

Setting up a secure development life cycle with OWASP - seba deleersnyder
Setting up a secure development life cycle with OWASP - seba deleersnyderSetting up a secure development life cycle with OWASP - seba deleersnyder
Setting up a secure development life cycle with OWASP - seba deleersnyder
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving Infrastructures
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital LandscapeDevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital Landscape
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
HCL Appscan on Cloud
HCL Appscan on CloudHCL Appscan on Cloud
HCL Appscan on Cloud
 
7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web application7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web application
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
 
application security.pdf
application security.pdfapplication security.pdf
application security.pdf
 
application security.pptx
application security.pptxapplication security.pptx
application security.pptx
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 
Null singapore - Mobile Security Essentials
Null singapore - Mobile Security EssentialsNull singapore - Mobile Security Essentials
Null singapore - Mobile Security Essentials
 
Matteo Meucci Isaca Venice - 2017
Matteo Meucci  Isaca Venice - 2017Matteo Meucci  Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017
 

Recently uploaded

Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
Enterprise Knowledge
 
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
AimanAthambawa1
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
OnBoard
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
bellared2
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
janagijoythi
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 
Accelerating Migrations = Recommendations
Accelerating Migrations = RecommendationsAccelerating Migrations = Recommendations
Accelerating Migrations = Recommendations
isBullShit
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
FIDO Alliance
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
ZachWylie3
 
NVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space ExplorationNVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space Exploration
Alison B. Lowndes
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
SubhamMandal40
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
Tech Guru
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
Zilliz
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1
DianaGray10
 

Recently uploaded (20)

Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
 
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 
Accelerating Migrations = Recommendations
Accelerating Migrations = RecommendationsAccelerating Migrations = Recommendations
Accelerating Migrations = Recommendations
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
NVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space ExplorationNVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space Exploration
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1
 

Athens Owasp workshop Athens Digital Week 2010

  • 1. OWASP Projects and Resources you can use today Konstantinos Papapanagiotou Greek Chapter Leader conpap@owasp.gr OWASP Athens Digital Week 9/10/2010 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. Your Code is Part of Your Security Perimeter Your security “perimeter” has huge holes at the application layer Custom Developed Application Code APPLICATION ATTACK App Server Web Server Hardened OS You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks OWASP 3
  • 3. OWASP The Open Web Application Security Project http://www.owasp.org http://www.owasp.gr – http://blog.owasp.gr
  • 4. What is OWASP? Open Web Application Security Project Worldwide, free and open community Non-profit, volunteer driven organization Mission: improve application software security Promotes secure software development An open forum for discussion A free resource for any development team  Publications, Articles, Standards  Testing and Training Software  Local Chapters & Mailing Lists OWASP 5
  • 5. The Greek Chapter Created in 2005 but active since early 2007 Mission: raise security awareness in Greece Activities: Translation of OWASP documentation Mailing list Blog Participation in working groups and conferences Awareness ~120 members http://www.owasp.gr - http://blog.owasp.gr OWASP 6
  • 6. OWASP Body of Knowledge Guidance and Tools for Measuring and Guide to Application Managing Application Security Testing and Security Guide to Application Security Code Review Verifying Managing Application Application Guide to Building Security Security Secure Web Applications and Web Services Acquiring and Application Core Application AppSec Conferences Building Security Security Secure Tools Knowledge Base Chapters Projects Applications Tools for Scanning, Testing, Simulating, and Reporting Web Application Security AppSec Issues Research to Secure New Education and Research Projects to CBT Figure Out How to Technologies Principles Secure the Use of New Threat Agents, OWASP Community Platform Web Based Learning Attacks, (wiki, forums, mailing lists) Technologies (like Ajax) Environment and Vulnerabilities, Guide for Learning Impacts, and Application Security Countermeasures OWASP Foundation 501c3 OWASP
  • 7. OWASP Tools and Technology • Vulnerability • Penetration • ESAPI Scanners Testing Tools • Static Analysis • Code Review Tools Tools • Fuzzing Automated Manual Security Security Security Architecture Verification Verification • AppSec Libraries • Reporting Tools • Flawed Apps • ESAPI Reference • Learning Implementation Environments • Guards and • Live CD Filters • SiteGenerator Secure AppSec AppSec Coding Management Education OWASP 8
  • 8. What’s a WebGoat OWASP project with ~115,000 downloads Deliberately insecure Java EE web application Teaches common application vulnerabilities via a series of individual lessons OWASP 9
  • 12. OWASP Top 10 Risk Rating Methodology 1 2 3 Injection Example 1.66 weighted risk rating OWASP 13
  • 13. OWASP Top 10 2010 http://www.owasp.org/index.php/Top_10 OWASP 14
  • 14. A1. Injection "SELECT * FROM Account Summary accounts WHERE Account: HTTP acct=‘’ OR 1=1-- SKU: Acct:5424-6066-2134-4334 DB Table Acct:4128-7574-3921-0192 HTTP SQL response ’" Acct:5424-9383-2039-4029 APPLICATION request ATTACK query Acct:4128-0004-1234-0293 Custom Code 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data App Server 3. Application forwards attack to Web Server the database in a SQL query Hardened OS 4. Database runs query containing attack and sends encrypted results back to application 5. Application decrypts data as normal and sends results to the user OWASP 15
  • 15. A2. Cross-Site Scripting (XSS) 1 Attacker sets the trap – update my profile Application with stored XSS Attacker enters a vulnerability malicious script into a web page that stores the data on the server 2 Victim views page – sees attacker profile Custom Code Script runs inside victim’s browser with full access to the DOM and cookies 3 Script silently sends attacker Victim’s session cookie OWASP 16
  • 16. A3. Broken Authentication and Session Management 1 User sends credentials www.boi.com?JSESSIONID=9FA1DB9EA... Site uses URL rewriting 2 Custom Code (i.e., put session in URL) 3 User clicks on a link to http://www.hacker.com in a forum Hacker checks referer logs on www.hacker.com and finds user’s JSESSIONID 4 5 Hacker uses JSESSIONID and takes over victim’s account OWASP 17
  • 17. A4. Insecure Direct Object References  Attacker notices his acct https://www.onlinebank.com/user?acct=6065 parameter is 6065 ?acct=6065  He modifies it to a nearby number ?acct=6066  Attacker views the victim’s account information OWASP 18
  • 18. A5. Cross-Site Request Forgery (CSRF) Attacker sets the trap on some website on the internet 1 (or simply via an e-mail) Application with CSRF Hidden <img> tag vulnerability contains attack against vulnerable site While logged into vulnerable site, 2 victim views attacker site Custom Code 3 Vulnerable site sees <img> tag loaded by legitimate request from browser – sends GET victim and performs the request (including action requested credentials) to vulnerable site OWASP 19
  • 19. A6 – Security Misconfiguration Web applications rely on a secure foundation • Everywhere from the OS up through the App Server • Don’t forget all the libraries you are using!! Is your source code a secret? • Think of all the places your source code goes • Security should not require secret source code CM must extend to all parts of the application • All credentials should change in production Typical Impact • Install backdoor through missing OS or server patch • XSS flaw exploits due to missing application framework patches • Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration OWASP
  • 20. A7. Insecure Cryptographic Storage Victim enters credit 1 card number in form Malicious insider Log files 4 steals 4 million credit Error handler logs CC 2 card numbers details because merchant gateway is unavailable Logs are accessible to all 3 members of IT staff for debugging purposes OWASP 21
  • 21. A8. Failure to Restrict URL Access  Attacker notices the URL https://www.onlinebank.com/user/getAccounts indicates his role /user/getAccounts  He modifies it to another directory (role) /admin/getAccounts, or /manager/getAccounts  Attacker views more accounts than just their own OWASP 22
  • 22. A9. Insufficient Transport Layer Protection Business Partners External Victim Custom Code Backend Systems Employees 1 2 External attacker Internal attacker steals credentials steals credentials and data off and data from network internal network External Attacker Internal Attacker OWASP
  • 23. A10. Unvalidated Redirects and Forwards 1 Attacker sends attack to victim via email or webpage From: Internal Revenue Service Subject: Your Unclaimed Tax Refund Our records show you have an 3 Application redirects unclaimed federal tax refund. Please victim to attacker’s site click here to initiate your claim. Victim clicks link containing unvalidated 2 parameter Custom Code Request sent to vulnerable site, including attacker’s destination site as parameter. Redirect sends victim to attacker site Evil Site 4 Evil site installs malware on http://www.irs.gov/taxrefund/claim.jsp?year=2006 victim, or phish’s for private & … &dest=www.evilsite.com information OWASP 24
  • 24. Penetration Testing OWASP
  • 26. Goals and Purpose  To define building blocks for an assurance program  Delineate all functions within an organisation that could be improved over time  To allow organizations to create customized roadmaps  Each organisation can choose the order and extent they improve each function  To provide sample roadmaps for common types of organisations  Each roadmap is a baseline that can be tweaked based on the specific concerns of a given organisation OWASP 27
  • 27. OWASP SAMM (Software Assurance Maturity Model) OWASP
  • 28. Imagine an Enterprise Security API  All the security controls a developer needs  Standard  Centralized  Organized  Integrated  High Quality  Intuitive  Tested  Solves the problems of missing and broken controls OWASP
  • 29. Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Enterprise Security API Encryptor EncryptedProperties Randomizer Enterprise Security API Exception Handling Custom Enterprise Web Application Logger IntrusionDetector OWASP Existing Enterprise Security Services/Libraries SecurityConfiguration 30