
Meet the OWASP


Web security track - opening talk:
OWASP & OWASP Switzerland

Swiss Cyber Storm 3 (Rapperswil, May 2011)


The original PowerPoint slides can be downloaded and re-used under the following conditions:
- you're free to copy, distribute and transmit the work
- you're free to adapt the work
- if you alter, transform, or build upon this work, you may distribute the resulting work under the same or similar rights to this one



  1. Open Web Application Security Project
     Antonio Fontes, antonio.fontes@owasp.org
     Swiss Cyber Storm Conference, May 2011, Rapperswil

  2. A few words about me
     Antonio Fontes
     6 years background working on software security & privacy
     Founder and principal consultant at L7 Securité Sàrl
     Lecturer at HST Yverdon (HEIG-VD)
     Focus:
     - Web application threats and countermeasures
     - Secure development lifecycle
     - Penetration testing and vulnerability assessment
     - Software threat modelling and risk analysis
     OWASP:
     - OWASP Switzerland: member of the board, western Switzerland delegate
     - OWASP Geneva: chapter leader
     (Slide footer, repeated on every slide: 12/05/2011, Swiss Cyber Storm III - May 2011 - Rapperswil)

  3. cat /wwwroot/agenda.html
     - Why do organizations need OWASP?
     - OWASP worldwide
     - OWASP in Switzerland
     - Q/A

  4. Thermometer:
     "Is your organization already using OWASP material?"
     - For internal software development?
     - For outsourced custom software?
     - For COTS acquisition?
     (photo by Dave Oshry)

  5. Why do organisations need OWASP?

  6. Why do organisations need OWASP?

  7. Why do organisations need OWASP?
     101 million users!
     77 million users!

  8. Why do organisations need OWASP?
     Handout from the Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen (May 1st, 2011).
     (photo by Dave Oshry)

  9. Why do organisations need OWASP?

  10. Just a little check:
      "Who knows PBKDF2?"

  11. Why do organisations need OWASP?
      Who understands this in your organisation?

  12. Why do organisations need OWASP?
      Use hashes!!
      No! Don't use hashes!!
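Slides 10 to 12 contrast "who knows PBKDF2?" with the "use hashes / don't use hashes" shouting match that organisations without application-security know-how end up in. The script below is an added example (not part of the slide deck) that makes the distinction concrete: a plain unsalted SHA-256 of a password versus PBKDF2-HMAC-SHA256 with a random per-user salt, a tunable work factor and a constant-time check. The iteration count, the record format and the `needs_rehash` policy helper are assumptions of this example, not anything the slides prescribe.

```python
"""Password storage: a fast unsalted hash versus PBKDF2.

Added example for the PBKDF2 point in the talk; not code from the slides.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: work factor chosen for this demonstration. Tune it so that one
# verification costs a noticeable fraction of a second on your own hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DK_BYTES = 32
ALGO_TAG = "pbkdf2_sha256"


def plain_hash(password: str) -> str:
    """"Use hashes!!": a single unsalted SHA-256 over the password.

    Cheap to compute and identical for every user with the same password, so a
    leaked table can be attacked offline with precomputed dictionaries.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt and a tunable work factor.

    Returns a self-describing record '<algo>$<iterations>$<salt hex>$<dk hex>'
    (assumed format) so the parameters can be raised later without breaking
    records that were stored under the old policy.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_BYTES)
    return f"{ALGO_TAG}${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the parameters embedded in the record and compare in
    constant time. Any malformed record is rejected rather than raising."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != ALGO_TAG:
            return False
        expected = bytes.fromhex(dk_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex),
                                        int(iterations), dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record predates the current work-factor policy (or is not a
    PBKDF2 record at all), so it should be re-derived at next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO_TAG or not parts[1].isdigit():
        return True
    return int(parts[1]) < min_iterations


def compare_schemes(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Store the same (constructed) password for two users under each scheme
    and report what an attacker holding the table would see."""
    plain_a, plain_b = plain_hash(password), plain_hash(password)
    pbkdf2_a, pbkdf2_b = (pbkdf2_hash(password, iterations=iterations),
                          pbkdf2_hash(password, iterations=iterations))
    return {
        # Unsalted: both users share one hash, one crack reveals both accounts.
        "plain_hash_collides": plain_a == plain_b,
        # Salted: the records differ even though the passwords are identical.
        "pbkdf2_collides": pbkdf2_a == pbkdf2_b,
        "pbkdf2_verifies": pbkdf2_verify(password, pbkdf2_a),
        "wrong_password_rejected": not pbkdf2_verify(password + "x", pbkdf2_a),
    }


if __name__ == "__main__":
    for key, value in compare_schemes("correct horse battery staple").items():
        print(f"{key}: {value}")
```

The record format carries its own iteration count so that `needs_rehash` can drive a gradual migration when the policy is raised, which is the operational question behind "who understands this in your organisation?".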
  13. Why do organisations need OWASP?
      Outside the organisation:
      - Increasing adoption of "Anything over HTTP"
      - Increasing "hostile" interest in online services:
        - Increasing "threat population"
        - Web hacking/security is easy to understand/teach
        - Low risk of being "caught"
      - Increasing offer in security consulting, services and products

  14. Why do organisations need OWASP?
      Inside organisations:
      - Developers dealing with dozens of web technologies
      - Heterogeneous development teams and lifecycles
      - Constant pressure for delivery
      - Turnover and loss of internal know-how
      Who in the company is actually both up-to-date on the concept of "(web) application security" and has the power to take decisions?
      Who in the company is actually able to qualify the security products and services that are paid for?

  15. Why do organisations need OWASP?
      (Timeline slide: 2001, 2003, 2005, 2007, 2010, 2011)

  16. OWASP Foundation
      "Make application security visible, so that people and organisations can make informed decisions about application security risks."
      U.S. 501(c)(3) not-for-profit charitable international organization
      Structure, Mission, Core values, Code of ethics
      Open, Global, Innovation, Worldwide
      Independence from vendors, technology-agnostic

  17. "strategy"
      (Diagram slide; labels: Threat, Web Application, Company assets, Board, Committees, Chapters, Projects, Members, Summit, Conferences, Website, People, Methods, Tools, ?)

  18. OWASP people

  19. Project Leaders
      Driving volunteer effort on OWASP material projects:
      - Workshops
      - Brainstorming sessions
      - Analysis/reporting
      - Guides editing
      - Tools coding
      19 quality-release and 26 beta-status projects

  20. Chapter Leaders
      Leading local chapter meetings:
      - 188 chapters worldwide
      - More than 300 yearly meetings worldwide
      - Connection with local organisations
      Next local chapter meeting: Zurich, June 14th

  21. Global Committees
      Driving volunteer effort on global/focused OWASP outreach.
      Active Global Committees: Industries, Membership, Government, Education, Projects, Events, Connections

  22. Full-time
      - Kate Hartmann: logistics and day-to-day support for leaders of the 188 local chapters
      - Alison Shrader: accounting & administration
      - Paulo Coimbra: PMO
      - Sarah Basso: operations before/during/after OWASP events

  23. Conferences: research
      Conference dedicated to research work on application security

  24. Conferences: AppSec
      Yearly global application-security-focused conferences: Europe, North America, South America, Asia
      Next OWASP conference in Europe: Dublin, June 7th-10th 2011

  25. The Summit
      Intensive 1-week workshop event with leaders, contributors, sponsors and software vendors:
      - Ability to connect with leading software vendors and corporate members
      - More than 150 reunited chapter & project leaders
      - 80 workshops

  26. OWASP members

  27. OWASP Membership
      Individual members:
      - Annual fee: 50$/year
      - Free access to OWASP Training Day events
      - Reduced fees at OWASP events
      Current count: 1383 individual contributing members

  28. OWASP Membership
      Corporate members:
      - 52 public corporate members
      - Annual fee: 5'000$/year
      - Delegates for the Summit event
      - Logo on website, use as marketing argument
      Majority is from the US, but Switzerland is also there

  29. OWASP Membership
      Academic members:
      - Annual fee: 0$/year
      - Donate: support
      - 40 members
      Switzerland: 1 officialised partnership (HEIG-VD), 2 pending partnerships

  30. OWASP: the web portal

  31. https://www.owasp.org
      - 250'000 unique visitors monthly
      - 650'000 pages viewed monthly
      - 60% driven by search engines
      - 19% referred by other websites
      Highest traffic motives: OWASP Top 10, WebScarab project, XSS prevention cheat sheet, "sql injection"

  32. http://lists.owasp.org
      - More than 400 mailing lists currently running
      - 25'900 memberships
      - About: tools, documents, methods, committees, events, outreach, leaders, etc.

  33. OWASP projects

  34. OWASP projects: Tools
      (Slide places the tools across the lifecycle phases Analyze, Design, Implement, Verify, Deploy, Respond.)
      ModSecurity CRS, JBroFuzz, AntiSamy, LiveCD, ESAPI, DirBuster, WebScarab, CSRFGuard, O2, Orizon, Encoding, Code Crawler, Zed Attack Proxy, Stinger
      Academy portal, Broken Web Applications, ESAPI Swingset, WebGoat

  35. OWASP projects: Documents
      (Slide places the documents across the same lifecycle phases Analyze, Design, Implement, Verify, Deploy, Respond.)
      Secure contract, Development, Code Review, Backend Security, Threat risk modeling, J2EE Security, Testing, Application security requirements, RoR Security, ASVS, .NET Security, AJAX Security, PHP Security, Secure coding practices
      Academy, AppSec FAQ, AppSec metrics, Common Vuln. List, Education, Exams, Legal, OWASP Top 10

  36. Tools: WebGoat
      COTS web application for webapp security (CBT) training
      Click and run
      /index.php/Webgoat

  37. Tools: ModSecurity Core Rule Set
      Critical protections centralized in a core rule set (CRS) to be installed on ModSecurity-enabled Apache servers
      Provides:
      - HTTP protocol compliance
      - Attack detection
      - Error detection
      - Search engine monitoring
      https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

  38. Tools: Enterprise Security API
      Control library encapsulating most security functions required in web applications:
      - Authentication
      - Access control
      - Sessions
      - Encoding
      - Input validation
      - Encryption
      - Logging
      - Intrusion detection
      - …
      https://www.owasp.org/index.php/ESAPI

  39. Documents: OWASP Top 10
      https://www.owasp.org/index.php/Top10

  40. Documents: code review guide
      Instructions and methodology manual for conducting code security reviews
      Guidance on detecting the major security flaws created during implementation
      https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

  41. Documents: ASVS
      ASVS: Application Security Verification Standard
      4 verification (assurance) levels across more than 120 security controls
      Tailored to your own risk aversion
      https://www.owasp.org/index.php/ASVS

  42. Documents: OpenSAMM
      Open Software Assurance Maturity Model
      https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

  43. OWASP Switzerland

  44. OWASP Switzerland's structure
      - No legal form (yet; just a few days left)
      - Leader: Sven Vetsch
      - Board members: Tobias Christen, Antonio Fontes
      - Based in Zurich
      - 130 mailing list members
      - Next meeting: June 14th
      Other local city/region chapters:
      - OWASP Geneva: 90 list members, next meeting: September 6th

  45. Activities: meetings and conferences
      Local chapter meetings:
      - 1, 2 or 3 speakers per event
      - Geneva, Yverdon, Zurich
      - ~8 meetings/year
      - Attendance: 15-100 people
      - People love these meetings!
      (Historical) conference partnerships: (logo slide)

  46. Activities: awareness sessions
      Awareness session for Swiss organizations:
      - 1 hour, head-to-head session with an OWASP representative at your company
      - Syllabus: OWASP organization, OWASP projects and membership opportunities
      - 4 Swiss private companies requested this in 2010
      - It's free!
      BUT: it's not free training or consulting!! No product names. No "reviews". No training.

  47. Swiss speakers and contributors (non-exhaustive list, sorry for those I forgot)
      - Ivan Butler: Web application firewall & Hacking Lab
      - Tobias Christen: Security & usability
      - Alexis Fitzgerald: Gathering application security requirements
      - Christian Folini: ModSecurity CRS & DDoS defense
      - Antonio Fontes: Threat modelling & lifecycle security
      - Axel Neumann: Zed Attack Proxy
      - Sylvain Maret: Strong authentication
      - Pierre Parrend: Java mobile applications
      - Sven Vetsch: Advanced XSS attacks and defense
      ... come to me after the talk if you want your name here

  48. Visit the OWASP website: https://www.owasp.org
      Join the OWASP Switzerland mailing list: http://www.owasp.ch
      Follow us on Twitter: @OWASP_ch / @OWASP
      Get in touch with your local OWASP representatives:
      - Sven Vetsch (Switzerland): sven.vetsch@disenchant.ch
      - Antonio Fontes (Western/French Switzerland): antonio.fontes@owasp.org
      Thank you!
