Technology First
16th Annual Ohio Information Security Conference
OISC 2019
#OISC19
The OWASP Top 10 & AppSec Primer
By Matt Scheurer (@c3rkah)
Dayton, Ohio
Date: 03/13/2019
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection - Anant Shrivastava
This session will focus on Mobile Top 10 2014-M3: Insufficient Transport Layer Protection. We will try to understand the transport layer, Transport Layer Security (TLS), insecurities in TLS/SSL, how this affects the overall security of mobile devices, what kind of protection can be applied, and how this can be identified.
Problems With Parameters - A high-level overview of common vulnerabilities identified in web applications, techniques to mitigate these vulnerabilities, and thoughts on incorporating secure webapp development practices into your organization's development culture.
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities - Anant Shrivastava
c0c0n 2015 presentation. This talk discussed the impact of using components with known vulnerabilities, along with various tips and tools for software developers or administrators to facilitate identification of vulnerable components.
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA... - Denim Group
There are a number of reasons to use source code to assist in web application penetration testing, such as making better use of penetration testers’ time, providing penetration testers with deeper insight into system behavior, and highlighting specific sections of code so that development teams can remediate vulnerabilities faster. Examples of these are provided using the open source ThreadFix plugin for the OWASP ZAP proxy and dynamic application security testing tool. These show opportunities attendees have to enhance their own penetration tests given access to source code.
This presentation covers the “ABCs” of source code assisted web application penetration testing: attack surface enumeration, backdoor identification, and configuration issue discovery. Having access to the source lets an attacker enumerate all of the URLs and parameters an application exposes, essentially its attack surface. Knowing these allows pen testers greater application coverage during testing. In addition, access to source code can help to identify potential backdoors that have been intentionally added to the system. Comparing the results of blind spidering to a full attack surface model can identify items of interest such as hidden admin consoles or secret backdoor parameters. Finally, the presentation examines how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application.
Injecting Security into vulnerable web apps at Runtime - Ajin Abraham
Web Application Security is not hard, but it’s easy to get it wrong, as writing secure code is not as easy as preaching. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them works either outside or around the web application and acts by intercepting the HTTP request coming to the web server, then takes a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application: how the user input is getting interpreted, whether the application/server is under heavy load, whether the attacker is exfiltrating data by exploiting an SQLi that the WAF couldn’t detect, etc. The strength of a traditional WAF depends on manual or predefined rules/signatures. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won’t be able to prevent an attack, as they don’t know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed Runtime Application Self Protection (RASP), which works by understanding your application to defend against web attacks by working inside the web application. RASP relies on Runtime Patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at the framework API or language API level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal, etc., and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS. This research is carried out by implementing a RASP module in a vulnerable web application written in Python using the Tornado framework with an SQLite backend.
Visual version of http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto. The presentation talks about how a disclosure was forgotten, what we can do to prevent such issues, and how to keep track of vulnerable components.
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the following 4 vulnerabilities:
- Injection
- Sensitive Data Exposure
- Cross Site Scripting
- Insufficient Logging and Monitoring
ng-owasp: OWASP Top 10 for AngularJS Applications - Kevin Hakanson
The OWASP Top 10 provides a list of the 10 most critical web application security risks. How do these relate to AngularJS applications? What security vulnerabilities should developers be aware of beyond XSS and CSRF?
This session will review the OWASP Top 10 with a front-end development focus on HTML and JavaScript. It will look at patterns to implement and others to consider avoiding. We will also explore several built-in features of AngularJS that help secure your application.
7 Must-Have Managed IT Services Offerings for 2015 - Continuum
Are your 2015 revenue goals bearing down on you, seemingly unreachable? How are you tracking for MRR so far?
If you're not growing as fast as you'd like, take a deep breath. We may already be three months into the new year, but there's still plenty of time to take your MSP business to the next level. The solution may be simpler than you think: expand your portfolio of service offerings!
Maybe you're already offering proactive network monitoring and RMM services, but want to own a bigger piece of the SMB pie. If your clients are already satisfied with your current IT support bundle, chances are they'll look to you for their other network and device health needs. Would you rather work with a different vendor for each service or have one provider that covers all of your IT needs? It's a no-brainer!
Learn the 7 Must-Have Managed IT Services Offerings for 2015 and minimize client hassle while maximizing profits!
Rebooting Software Development - OWASP AppSecUSA - Nick Galbreath
If we are ever going to get ahead of the whack-a-mole security vulnerability game, we, as security professionals, need to start getting more involved in the development of software. Let's review the origins of traditional software development and what assumptions are made. Then we'll review whether those assumptions still hold for modern web applications, and what problems they cause, especially for security. Continuous deployment helps address these problems and allows for faster, more secure development. It's more than just "pushing code a lot"; when done correctly it can be transformative to the organization. We'll discuss what continuous deployment is, how to get started, and what components are needed to make it successful, and secure.
Most software developers have heard about OWASP Top Ten, describing the 10 most critical security vulnerabilities that should be avoided in web applications.
However, in order to prevent them, developers must be aware of the proactive controls that should be incorporated from early stages of software development lifecycle.
This talk briefly discusses the OWASP Top Ten Proactive Controls and then maps them to the respective OWASP Vulnerabilities that each of them addresses.
Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG)
AppSec Night & OWASP Top 10 2017 Review
By Matt Scheurer (@c3rkah)
From: 02/15/2018
HouSecCon 2019: Offensive Security - Starting from Scratch - Spencer Koch
HouSecCon 2019 Offensive Security - Starting from Scratch. Learn from Spencer Koch and Altaz Valani about how to build an offensive security program from scratch, incorporating application security, infrastructure vulnerability management, hardening, devsecops, security champions, and red teaming. Be able to organize these capabilities to tell a story and build maturity to help your organization be more secure. Includes gotchas and lessons learned from industry experience.
Null Singapore - Mobile Security Essentials - Sven Schleier
Even though modern mobile operating systems like iOS and Android offer great APIs for secure data storage and communication, those APIs have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration.
The OWASP Mobile Application Verification Standard (MASVS) is an attempt to standardize mobile app security requirements using different verification levels. Complementary to the MASVS, we have developed the OWASP Mobile Security Testing Guide (MSTG) that provides detailed test cases for each requirement.
In this talk we will introduce both the MASVS and the MSTG, which were both released this year, and discuss the many challenges we faced during development, from dealing with the diversity and fragmentation of the Android ecosystem to clarifying the role of software protections in mobile security. Some mobile reverse engineering techniques described in the MSTG will be demonstrated, including using objection to perform penetration testing on a non-jailbroken iOS device and using Frida to bypass client-side controls.
Misconfiguration is defined as configuration mistakes that result in unintended application behavior, which includes misuse of default passwords, privileges, and excessive debugging information disclosure.
AppSec & OWASP Top 10 Primer
By Matt Scheurer (@c3rkah)
Cincinnati, Ohio
Date: 03/21/2019
Momentum Developer Conference
Sharonville Convention Center
#momentumdevcon
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software - OWASP
Presentation of OWASP Global Chairman of the Board - Martin Knobloch at OWASP Poland meeting in Warsaw on 13 November 2018. Great review of important OWASP Projects.
1. Wireless Communication System_Wireless communication is a broad term that i... - JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx - Brad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 - APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Multi-cluster Kubernetes Networking - Patterns, Projects and Guidelines - Sanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
8. Motivation
• Top 10 is a de-facto standard in Webappsec world
• OWASP is mostly associated with it…
• …but there are many more!
As of 2016, there are 133 different projects, which can help you whether you are on the attacker’s or the defender’s side of the barricades!
12. Agenda
• Problem 1: efficient security training
• Solution: WebGoat
• Problem 2: efficient management of multiple penetration testing tasks
• Solution: Offensive Web Testing Framework
13. Problem of efficient security training
(Slide: a trainer’s speech bubble reads “…and XSS allows you injecting such horrifying pop up windows!!!”)
Security awareness trainings for developers are quite common, but reality shows they are still ineffective :(
15. What about…
…arranging internal hands-on labs for developers and testers, where they can deeply understand vulnerabilities by finding and fixing them?
(Slide: developers’ reactions read “Finally a security training which isn’t an online course to fly through and forget!” and “Internal course that is free and isn’t a corpo-bullshit?! Cannot believe that…”)
17. WebGoat: few words about
• A deliberately insecure Java-based application (or .Net-based: https://www.owasp.org/index.php/WebGoatFor.Net), which allows you to test common vulnerabilities
• 50+ lessons
• After finding a vulnerability, learn to fix it!
• Easily manageable lessons via plugins
• You can create your own lessons and easily customize the content and language
18. Not only web apps…
• Ruby on Rails: OWASP Rails Goat Project
• PHP: OWASP WebGoatPHP
• Node.js: OWASP Node_js Goat Project
• Android: OWASP GoatDroid Project
• iOS: OWASP iGoat Project
19. WebGoat: how to run?
• Prerequisites: Java VM 1.8
• To start just follow these commands:
$> wget https://github.com/WebGoat/WebGoat/releases/download/7.0.1/webgoat-container-7.0.1-war-exec.jar
$> java -jar webgoat-container-7.0.1-war-exec.jar
• Open in your browser: http://localhost:8080/WebGoat/
• That’s all!
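The same start-up steps as a small POSIX shell script, added here as an example and not part of the slides or the WebGoat project: it checks the Java 1.8 prerequisite the slide names before starting, downloads the jar only when it is not already present, and keeps the version-parsing logic in a function so it can be checked on its own. The jar name and URL are the slide’s; the function names, the `run` argument and the `WEBGOAT_JAVA_MAJOR` variable are this example’s own choices.

```shell
#!/bin/sh
# Added example, not from the slides: wraps the WebGoat 7.0.1 start-up steps
# from slide 19 in a script that checks the "Java VM 1.8" prerequisite first
# and only downloads the jar when it is not already present.
# The jar name and download URL come from the slide; the "run" argument,
# WEBGOAT_JAVA_MAJOR and the function names are this example's own choices.

WEBGOAT_JAR="webgoat-container-7.0.1-war-exec.jar"
WEBGOAT_URL="https://github.com/WebGoat/WebGoat/releases/download/7.0.1/${WEBGOAT_JAR}"
WEBGOAT_JAVA_MAJOR=8   # Java 1.8 in the legacy numbering scheme

# Turn a version string as printed by "java -version" into the major version.
# Legacy scheme "1.8.0_292" -> 8; new scheme "11.0.2" -> 11, "17" -> 17.
java_major() {
  v=$(printf '%s' "$1" | sed -e 's/^"//' -e 's/"$//')   # drop surrounding quotes
  case "$v" in
    1.*) printf '%s' "$v" | cut -d. -f2 ;;
    *)   printf '%s' "$v" | cut -d. -f1 ;;
  esac
}

# Read the installed JVM's version (java prints it on stderr, 3rd field of line 1).
installed_java_major() {
  java_major "$(java -version 2>&1 | head -n 1 | awk '{print $3}')"
}

# Return 1 if Java is missing or its major version is not the expected one.
check_java() {
  command -v java >/dev/null 2>&1 || { echo "java not found in PATH" >&2; return 1; }
  major=$(installed_java_major)
  if [ "$major" != "$WEBGOAT_JAVA_MAJOR" ]; then
    echo "WebGoat 7.0.1 expects Java 1.$WEBGOAT_JAVA_MAJOR, found major version $major" >&2
    return 1
  fi
  return 0
}

# Download the jar once and start WebGoat; per the slide it then answers on
# http://localhost:8080/WebGoat/
run_webgoat() {
  check_java || return 1
  [ -f "$WEBGOAT_JAR" ] || wget -q "$WEBGOAT_URL" || return 1
  java -jar "$WEBGOAT_JAR"
}

# Only define the functions when sourced; "sh webgoat.sh run" starts WebGoat.
if [ "${1:-}" = "run" ]; then
  run_webgoat
fi
```

Run it as `sh webgoat.sh run`; the version check fails fast with a readable message instead of a JVM stack trace when a different Java is on the `PATH`.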
22. WebGoat: creating your own lesson
• Plugin = lesson
• Create NewLesson.java: https://www.owasp.org/index.php/How_to_write_a_new_WebGoat_lesson
• Plugin is just a folder, which follows this format
24. Problem: how to efficiently manage outputs from many different applications?
• Each pentester uses many different applications (vuln scanner, web crawler, SSL/TLS tests, session management tests)
• Running each of those tests consumes time, right?
• It’s easy to automate those tasks, but analysing a consolidated output is much more difficult :(
• And finally you have to form a readable report from all those tests…
• …oooh… :(
25. Typical penetration testing process
(Slide diagram: the pentester <runs a lot of tests> <which generates lots of output>, then <cpy/pst interesting parts> …of course in notepad ;) (…))
27. OWTF: Idea of the project
• A goal of OWTF is to use penetration testing time as efficiently as possible. It’s done by:
• Running different tools (Nikto/Arachni/w3af/etc)
• Running direct tests (header searches/session tests/etc)
• Knowledge repository (OWASP mapping/resource links)
• Helping human analysis (flag severity/manage output)
• In other words OWTF provides an optimal balance between automation and human analysis
28. OWTF: Installation
• Want to quickly start? Follow this one-liner:
$> wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh
31. OWTF: Choose plugins and run!
(Slide diagram of plugin types, grouped under “Testing web apps” and “Testing network services”: sends normal traffic to target; active vulnerability probing; probing services (e.g. FTP/SMB); assist manual testing; searches on HTTP transactions; test via 3rd parties (no traffic to target))
34. Summary
• Use OWASP WebGoat to provide efficient security trainings in your company.
• Use OWASP OWTF to automate your penetration testing tasks. It makes analysing the tests’ output easy and lets you create reports quickly.
37. Application Security Standards in use
Source: SANS Institute, May 2015, State of Application Security: Closing the Gap, https://www.sans.org/reading-room/whitepapers/analyst/2015-state-application-security-closing-gap-35942
38. In short
OWASP Application Security Verification Standard (ASVS) is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is.
40. Example requirements
• Architecture and design
• Input handling
• Data protection
• Session management
• Error handling
• Business logic
• Configuration
• Web services
• 19 sections in total
• Every chapter has a control objective, requirements and references
41. History
First introduced: June 2008
ASVS v1.0: 2009
ASVS v2.0: 2014
ASVS v3.0: 2015
Current version: v3.0.1 (July 2016)
42. Idea behind
• Use as a metric - provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications
• Use as guidance - provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements
• Use during procurement - provide a basis for specifying application security verification requirements in contracts
43. Application Security Verification Levels
• ASVS Level 3 – for applications that „shoot missiles” ;)
• ASVS Level 2 – for applications that contain sensitive data
• ASVS Level 1 – for all software
44. Benefits for you
• Helps you to develop and maintain secure applications
• Contains clear and ready-to-use high level checklists and use cases
• Allows you as well as security services, vendors, and consumers to align requirements and offerings
45. More ideas
• Train your developers in AppSec
• Take your standard software architecture and prepare standard security solutions: Open Application Standard Platform (OASP), https://oasp.github.io/
46. Projects based on ASVS
• Secure Knowledge Framework - training developers in
writing secure code and providing a knowledge base of
secure design patterns
• Zed Attack Proxy - easy to use integrated penetration testing
tool for finding vulnerabilities in web applications, both
automatically and manually
• Cornucopia - mechanism in the form of a card game to assist
software development teams identify security requirements
in Agile, conventional and formal development processes. It
is language, platform and technology agnostic.
49. Mobile web usage overtakes desktop for first time
http://www.telegraph.co.uk/technology/2016/11/01/mobile-web-usage-overtakes-desktop-for-first-time/
Current state
50. In short
• There is a significant difference between security
assurance of web and mobile applications
• MASVS is to mobiles, what ASVS is to web
• The project is work in progress (v0.9.2 is currently
available)
57. OWASP Cornucopia is a mechanism in the form of a card game
to assist software development teams identify security
requirements in Agile, conventional and formal development
processes. It is language, platform and technology agnostic.
Cornucopia is based on the concepts and game ideas from
Microsoft SDL EoP game and OWASP Secure Coding Practices
Guide.
OWASP Cornucopia Ecommerce Website Edition is in the
current Payment Card Industry Security Standards Council
information supplement PCI DSS E-commerce Guidelines v2,
January 2013
In short
58. Idea behind
• Help development teams to identify application
security requirements and develop security-based
user stories
• Aimed first of all at Agile-based methodologies
• Gamification approach to threat modeling
59. Cornucopia card layout: Suit, Rank, Threat, and References:
- Secure Coding Practices
- ASVS
- AppSensor project
- Common Attack Pattern (CAPEC)
- Software Assurance Forum for
Excellence in Code (SAFECode)
60. Cornucopia rules
• Prepare everything (deck, cards, data flow diagram,
prizes…)
• Deal all the cards
• Play a round – every player has to utilize one card
of the selected suit. Highest played card in the suit
wins and starts next round until all cards are played
• Count points and define the winner
• Closure: review all threats and matching security
requirements
https://www.owasp.org/index.php/OWASP_Cornucopia#tab=How_to_Play
61. Cornucopia rules
Playing a card:
• each player reads it out loud
• explains how the threat could apply (or not) to their
application
• a player gets a point when the attack works and the
group agrees it is an actionable bug
At this point we don’t think about mitigations and don’t
exclude a threat just because it is believed to be already
mitigated – the card should be recorded on the score
sheet anyway
63. Cornucopia deck
• Clear who said what
• Exact descriptions of
threats
• Actionable items
• Developers know
precisely what
functionality is affected
64. Benefits for you
• Teaching developers how to
identify and assess
vulnerabilities in every sprint
• Training sessions for developers
• Raising awareness in application
security field in your
organization
67. OWASP SKF is a fully open-source Python-Flask expert system
web-application that uses the OWASP Application Security
Verification Standard and code examples and can be used to
support developers in pre-development (security by design) as
well as after code is released (OWASP ASVS Level 1-3)
„we decided to develop a proof of concept framework in order
to create a guide system available for all developers so they
can develop applications secure by design”
In short
http://secureby.design
68. Idea behind
The 4 core usages of SKF:
• Security Requirements ASVS for development and third party vendor
applications
• Security knowledge reference (code examples/ knowledge base items)
• Security is part of design with the pre-development functionality in SKF
• Security post-development functionality in SKF for verification with the
ASVS
69. Installation
Super-easy! Supported ways to install it:
• Automated installation with Chef
• AWS by using CloudFormation
• … or manually as you would do with any other
Python project: sudo pip install owasp-skf
https://github.com/blabla1337/skf-flask#installing
72. SKF: Pre-development stage
Definition of a technology stack
Adding different functionalities to the system:
• Access controls / login systems
• Registration
• Submit forms
• External XML files
• File uploads
• SQL commands…
74. SKF: Post-development stage
• Double-check your app by means of pre-defined or
custom checklists
• ASVS-based checklists for different levels of criticality of
the application are auto-generated after the pre-development stage!
• After providing answers to clear and simple questions,
reports with failed items are ready to be downloaded
and prioritized
76. SKF: Knowledge Base
• „Use info, do not get hacked, profit!”
• Multiple options of secure design patterns with
examples
• Gives a good understanding for developers not only
about what to fix but also why to do so
78. SKF: Code examples
• We were talking about generic secure patterns so far
• Code examples with extensive comments provide
ready-to-use solutions on how to do things right!
• Currently supported languages: PHP, .NET and Java
(soon ☺)
79. SKF: Code examples
Can be reused directly, and have
extensive comments to know
how and why to fix an issue
80. SKF: Improve yourself!
• Cherry on top of a pie: you can easily add your use-cases
and adjust it as you like!
• Checklists, knowledge base and code examples must
follow the markdown and appear immediately in your
panel
Directory/path traversal <-- name as seen in the drop-down head
-------
**Example:** <-- Bold separator telling where the example starts
/*
Your code has to be indented by 4 spaces (a tab) so that the markdown engine
knows it must interpret it as code
*/
81. Benefits for you
• Guide to secure programming
• Security by design, not implemented
afterwards
• Security awareness
• Will inform about threats even before one
wrote a single line of code
• Central place for security reference
• Provides information applicable for specific
needs on the spot
86. The AppSec pipeline project
• Place to gather together information,
techniques and tools to create your own
AppSec pipeline
• Right now: AppSec pipeline patterns and tools
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
87. Example of workflow
- Code written
- Code committed to repository
- Unit test the code
- Package the code for deployment
- Integration testing
- Deploy code in production
90. Security tools evaluation criteria
• API first
• Pipeline position
• Cloud scalable
• Runs as a service
• Client libraries
• CI/CD plugins
92. What is OWASP ZAP?
• Webapp security testing tool
• Free and open source
• Written in Java → cross platform
https://www.owasp.org/index.php/ZAP
93. OWASP ZAP Features
• GUI, headless and REST API
• Intercepting proxy
• Classic and AJAX spiders
• Passive and active scanning
• … and of course can be extended via addons!
96. ZAP for pentests
• Configure your browser to use ZAP as a proxy
• Explore the application manually
• Use the spider to find other content and input points
• See what security issues the passive scanner has found
• Use the active scanner to find vulnerabilities
• Do manual pentesting 😎
97. ZAP as a part of your appsec pipeline
The baseline scan
• Simple inline security control
• Mass scan of big number of
targets
• Post release (production) control
Full scan
• Regular heavy asynchronous
scan
• More power and integration into
your infrastructure and
processes
98. The baseline scan
• Uses Docker
• Only passive scanning
• Time limited spider of target
• By default warns on all issues:
– Missing / incorrect security headers like CSP
– Cookie problems
– Information / error disclosure
– Missing CSRF tokens etc.
99. The baseline scan example
$ docker run -t owasp/zap2docker-weekly zap-baseline.py -t https://oxdef.info
...
Total of 81 URLs
PASS: Cookie No HttpOnly Flag [10010]
...
WARN: Web Browser XSS Protection Not Enabled [10016] x 52
https://oxdef.info
...
FAIL: 0 WARN: 5 INFO: 0 IGNORE: 0 PASS: 21
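The baseline scan is only useful as an "inline security control" if something in the pipeline reads its output and decides. The following is an added example, not code from the slides or from the ZAP project: it parses the console output of zap-baseline.py in the layout shown above and turns it into a gate decision. Only the rule names and ids that appear on the slide are real; the other lines in the embedded sample are constructed to fill out the format, and the 99901 id is a placeholder.

```python
"""Added example (not from the slides or from ZAP): gate a pipeline on
zap-baseline.py console output. Sample output below is constructed."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample in the layout the baseline scan prints on the slide.
# "Sample Header Missing [99901]" is a placeholder rule, not a real ZAP id.
SAMPLE_OUTPUT = """\
Total of 81 URLs
PASS: Cookie No HttpOnly Flag [10010]
WARN: Web Browser XSS Protection Not Enabled [10016] x 52
\thttps://example.invalid
WARN: Sample Header Missing [99901] x 3
\thttps://example.invalid/login
FAIL: 0 WARN: 2 INFO: 0 IGNORE: 0 PASS: 1
"""


class Finding(NamedTuple):
    level: str       # PASS, WARN, FAIL, INFO or IGNORE
    name: str        # rule name as printed by the baseline scan
    plugin_id: str   # passive-scan rule id shown in square brackets
    count: int       # URLs the rule fired on (1 for PASS lines)


_FINDING = re.compile(r"^(PASS|WARN|FAIL|INFO|IGNORE): (.+) \[(\d+)\](?: x (\d+))?$")
_SUMMARY = re.compile(r"^FAIL: (\d+) WARN: (\d+) INFO: (\d+) IGNORE: (\d+) PASS: (\d+)$")


def parse_findings(output: str) -> List[Finding]:
    """One Finding per rule line; indented URL lines and the totals line are skipped."""
    found = []
    for line in output.splitlines():
        m = _FINDING.match(line.strip())
        if m:
            level, name, pid, n = m.groups()
            found.append(Finding(level, name, pid, int(n) if n else 1))
    return found


def parse_summary(output: str) -> Dict[str, int]:
    """Read the final 'FAIL: n WARN: n INFO: n IGNORE: n PASS: n' totals line."""
    for line in output.splitlines():
        m = _SUMMARY.match(line.strip())
        if m:
            return dict(zip(("FAIL", "WARN", "INFO", "IGNORE", "PASS"), map(int, m.groups())))
    raise ValueError("no summary line in baseline output")


def gate(output: str, blocking_ids: Set[str]) -> Tuple[bool, List[str]]:
    """Block on any FAIL, or on a WARN whose rule id the team has promoted to blocking.
    Reasons are returned (not just a bool) so the CI log stays actionable."""
    reasons = []
    for f in parse_findings(output):
        if f.level == "FAIL" or (f.level == "WARN" and f.plugin_id in blocking_ids):
            reasons.append(f"{f.level} {f.name} [{f.plugin_id}] on {f.count} URL(s)")
    return (not reasons, reasons)
```

Because the baseline scan warns on everything by default, the blocking set is where a team encodes which headers and cookie flags it treats as release blockers rather than informational noise.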
101. 1 n33d m0re p0w3r!
• REST API is your choice 😏
• zap.sh -daemon -host 0.0.0.0 -port 8080
• http(s)://zap/<format>/<component>/<operation>/<op name>[/?<params>]
• Also available in Docker image owasp/zap2docker-*
• Maps closely to the UI / code
• JSON, HTML and XML formats
• Clients in: Java, Python, NodeJS, .Net, PHP, Go ...
105. Cheat Sheet Series
• «The OWASP Cheat Sheet Series was created to
provide a concise collection of high value information
on specific web application security topics»
• You can browse it online or get as PDF book
• Mostly fresh, up-to-date topics
https://www.owasp.org/index.php/Cheat_Sheets
106. 3rd party JavaScript management
The invocation of 3rd party JS code in a web application
requires consideration for 3 risks in particular:
• The loss of control over changes to the client application
• The execution of arbitrary code on client systems
• The disclosure or leakage of sensitive information to 3rd parties
https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet
107. XSS Prevention
RULE #3 - JavaScript Escape Before Inserting Untrusted
Data into JavaScript Data Values
Except for alphanumeric characters, escape all characters with a code
point below 256 using the \xHH format, to prevent switching out of the
data value into the script context or into another attribute.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
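Rule #3 worked through as an added example (not from the cheat sheet or the slides): a server-side escaper, here in Python, that a template would apply before dropping untrusted text into a quoted JavaScript string value. It goes slightly beyond the rule's wording by also handling code points of 256 and above with \uHHHH (surrogate pairs for astral characters), so the output stays pure ASCII; the `userName` variable in the embedding helper is an assumption for illustration.

```python
"""Added example (not from the slides): OWASP XSS Prevention Rule #3,
JavaScript-escaping untrusted data before it lands in a JS data value.
Non-alphanumerics below 256 become \\xHH; higher code points become \\uHHHH."""


def js_escape(value: str) -> str:
    """Escape untrusted text for use inside a single- or double-quoted JS string."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)                 # [A-Za-z0-9] is left as-is
        elif cp < 256:
            out.append("\\x%02X" % cp)     # the \xHH form the rule prescribes
        elif cp < 0x10000:
            out.append("\\u%04X" % cp)     # BMP characters outside Latin-1
        else:
            # astral characters are written as a UTF-16 surrogate pair
            cp -= 0x10000
            hi, lo = 0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)
            out.append("\\u%04X\\u%04X" % (hi, lo))
    return "".join(out)


def embed_in_script(untrusted: str) -> str:
    """Illustrative template line (assumed variable name): var userName = '...';
    After escaping, neither a quote nor </script> can survive, so the HTML
    parser cannot leave the script block and the JS parser stays inside the string."""
    return "var userName = '%s';" % js_escape(untrusted)
```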
108. XXE Prevention
Libxml2: the Enum xmlParserOption should not have
the following options defined:
• XML_PARSE_NOENT: Expands entities and substitutes them with
replacement text
• XML_PARSE_DTDLOAD: Load the external DTD
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
109. Featured cheat sheets
• Clickjacking Defense
• Cross-Site Request Forgery (CSRF) Prevention
• Deserialization
• DOM based XSS Prevention
• REST Security
• Virtual Patching
110. Summary
• OWASP AppSec Pipeline helps you with choosing
suitable tools and building your own AppSec pipeline
• OWASP ZAP is one such tool. With it you can
perform a manual pentest of a web app or automate web
app security testing in the SDL
• OWASP Cheat Sheets help you in specific areas of
application security
113. OWASP Testing Guide Versions
• V1 – December 2004
• V2 – 25th December 2005
• V3 – 15th September 2008
– Configuration Management and Authorization Testing
sections
• V4 – 2014
– Identity Management Testing
– Error Handling
– Cryptography
– Client Side Testing
114. Purpose
• The OWASP Testing Guide includes a "best
practice" penetration testing framework
which users can implement in their own
organizations and
• a "low level" penetration testing guide that
describes techniques for testing most
common web application and services security
issues.
115. Typical Testing Guide chapter
• Summary
• How to test
• Tools
• Remediation
• References
(Example chapter shown: Fingerprint Web Application Framework)
116. Why to test
• The steps that need to be undertaken to build
and operate a testing program on web apps.
• Effective testing program:
– People
– Process
– Technology
• Testing just the technical implementation of an
application will not uncover management or
operational vulnerabilities that could be present
117. When to test
• Testing software only once it has already been
created and is in the deployment phase of its
life cycle is an ineffective and cost-prohibitive
practice
• One of the best methods to prevent security
bugs from appearing in production
applications is to improve the SDLC by
including security in each of its phases
121. OWASP MSTG Leaders
• MSTG was initiated by Milan Singh Thakur in
2015. The original document was hosted on
Google Drive, now on GitHub
• Bernhard Mueller (2016)
• Sven Schleier (2016)
122. OWASP MSTG
• MSTG is a manual for testing the security of
mobile apps. It describes technical processes
for verifying the controls listed in the MASVS
• MSTG is meant to provide a baseline set of
test cases for black-box and white-box security
tests, and to help ensure completeness and
consistency of the tests
123. MSTG Structure
• High-Level Guides
– Mobile Platforms Overview
– Security Testing Processes, Tools and Techniques
• Complementary
– Security Testing in the Application Development
Lifecycle
– Tools
130. Foreword
• There are many projects happening right now (very
good examples are MASVS and MSTG)
• Given the huge amount of work ahead, every small
contribution is valuable
• Do something good today – contribute to OWASP
Projects