OWASP Overview
Pete Perfetti, NY-NJ Metro Committee Member
Peter.Perfetti@owasp.org

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation, http://www.owasp.org
Agenda
- OWASP Introduction
- OWASP Project Parade
- OWASP Near You?
OWASP
- The Open Web Application Security Project (OWASP)
- International not-for-profit charitable open-source organization, funded primarily by volunteers' time, OWASP memberships, and OWASP conference fees
- Participation in OWASP is free and open to all
OWASP Mission
- To make application security "visible," so that people and organizations can make informed decisions about application security risks
- Through research grants and funding, "Make People Aware of The Real Threat"
- Make people and organizations "AWARE" that security does not end after the test!
OWASP Resources and Community
- Documentation (wiki and books): Code Review, Testing, Building, Legal, more ...
- Code projects: Defensive, Offensive (test tools), Education, Process, more ...
- Chapters: over 130 and growing
- Conferences: major and minor events all around the world
www.owasp.org

130+ Chapters Worldwide
OWASP Conferences (2008-2009)
- Gold Coast, Feb 2008 (and 2009)
- Brussels, May 2008
- India, Aug 2008
- NYC, Sep 2008
- Israel, Sep 2008
- Minnesota, Oct 2008
- Taiwan, Oct 2008
- Germany, Nov 2008
- Portugal, Nov 2008
- Denver, Spring 2009
- Poland, May 2009
- San Jose (?), Sep 2009
Summit Portugal: 2009 Focus
- 480+ application security experts from 20+ countries
- New free tools and guidance (SoC 08)
- New outreach program
  - Technology vendors, framework providers, and standards bodies
  - New program to provide free one-day seminars at universities and developer conferences worldwide
- New global committee structure
  - Education, Chapter, Conferences, Industry, Projects and Tools, Membership
Agenda
- OWASP Introduction
- OWASP Project Parade
- OWASP Near You?
OWASP Projects: Improve Quality and Support
- Define criteria for quality levels
  - Alpha, Beta, Release
- Encourage increased quality
  - Through Season of Code funding and support
  - Produce professional OWASP books
- Provide support
  - Full-time executive director (Kate Hartmann)
  - Full-time project manager (Paulo Coimbra)
  - Half-time technical editor (Kirsten Sitnick)
  - Half-time financial support (Alison Shrader)
  - Looking to add programmers (interns and professionals)
OWASP Top 10
- The Ten Most Critical Web Application Security Vulnerabilities
- 2007 release
- A great start, but not a standard
- 3rd version of the Top 10 (2009) coming soon
Key Application Security Vulnerabilities
A1: Cross Site Scripting (XSS)
A2: Injection Flaws
A3: Malicious File Execution
A4: Insecure Direct Object Reference
A5: Cross Site Request Forgery (CSRF)
A6: Information Leakage and Improper Error Handling
A7: Broken Authentication and Session Management
A8: Insecure Cryptographic Storage
A9: Insecure Communications
A10: Failure to Restrict URL Access
www.owasp.org/index.php?title=Top_10_2007
The 'Big 4' Documentation Projects
- Building Guide
- Code Review Guide
- Testing Guide
- Application Security Desk Reference (ASDR)
The Guide
- Complements OWASP Top 10
- 310-page book
- Free and open source
  - GNU Free Documentation License
- Many contributors
- Apps and web services
- Most platforms
  - Examples are J2EE, ASP.NET, and PHP
- Comprehensive
- Project leader and editor
  - Andrew van der Stock, vanderaj@owasp.org
Uses of the Guide
- Developers
  - Use for guidance on implementing security mechanisms and avoiding vulnerabilities
- Project managers
  - Use for identifying activities (threat modeling, code review, penetration testing) that need to occur
- Security teams
  - Use for structuring evaluations, learning about application security, remediation approaches
Each Topic
- Includes basic information (like OWASP Top 10)
  - How to determine if you are vulnerable
  - How to protect yourself
- Adds
  - Objectives
  - Environments affected
  - Relevant COBIT topics
  - Theory
  - Best practices
  - Misconceptions
  - Code snippets
Testing Guide v2: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors

Version 3.0 released TODAY!! Check your email.
What Is the OWASP Testing Guide?
- Testing Principles
- Testing Process
- Custom Web Applications
- Black Box Testing
- Grey Box Testing
- Risk and Reporting
- Appendix: Testing Tools
- Appendix: Fuzz Vectors
- Information Gathering
- Business Logic Testing
- Authentication Testing
- Session Management Testing
- Data Validation Testing
- Denial of Service Testing
- Web Services Testing
- Ajax Testing
SoC 08 Version 3
- Improve version 2
  - Improved 9 articles
  - Total of 10 testing categories and 66 controls
- New sections and controls
  - Configuration Management
  - Authorization Testing
  - 36 new articles
  - New Encoded Injection appendix
How the Guide Helps the Security Industry
- Testers
  - A structured approach to the testing activities
  - A checklist to be followed
  - A learning and training tool
- Organisations
  - A tool to understand web vulnerabilities and their impact
  - A way to check the quality of security tests

More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the testing groups and its 'customers'. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security of our applications.
Tools
- http://www.owasp.org/index.php/Phoenix/Tools
- Best known OWASP tools
  - WebGoat
  - WebScarab
- Remember:
  - A Fool with a Tool is still a Fool
Tools - At Best 45%
- MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE)
- They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
OWASP WebGoat

OWASP WebScarab

OWASP CSRFTester
OWASP CSRFGuard 2.0
[Diagram: User (Browser)]
- Adds token to:
  - href attribute
  - src attribute
  - hidden field in all forms
- Actions:
  - Log
  - Invalidate
  - Redirect
http://www.owasp.org/index.php/CSRFGuard
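The synchronizer-token mechanism the slide describes, as an added stand-alone illustration (not CSRFGuard's own code): a per-session token is written into href and src attributes and a hidden form field, and a request whose token is missing or wrong triggers the log, invalidate or redirect action. The parameter name OWASP_CSRFTOKEN, the session dict and the landing page are assumptions.

```python
"""Constructed illustration of CSRFGuard-style token injection and checking."""
import logging
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_NAME = "OWASP_CSRFTOKEN"  # assumed request-parameter name
log = logging.getLogger("csrfguard-demo")


def new_session():
    """Session state: the token is minted server-side once per session."""
    return {"csrf_token": secrets.token_hex(16), "valid": True}


def add_token_to_url(url, token):
    """Append the token as a query parameter to same-origin URLs only,
    so the token is never leaked to a third-party host."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return url
    query = parse_qsl(parts.query, keep_blank_values=True) + [(TOKEN_NAME, token)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def inject_token(html, token):
    """Rewrite href/src attributes and add a hidden field before every </form>."""
    def rewrite(m):
        return f'{m.group(1)}="{add_token_to_url(m.group(2), token)}"'
    html = re.sub(r'\b(href|src)="([^"]*)"', rewrite, html)
    hidden = f'<input type="hidden" name="{TOKEN_NAME}" value="{token}">'
    return re.sub(r"</form>", hidden + "</form>", html, flags=re.IGNORECASE)


def verify_request(session, params, action="redirect", landing="/error"):
    """Return ("ok", None) when the submitted token matches the session token.
    On mismatch the event is always logged; 'invalidate' also kills the session
    and 'redirect' sends the user to the landing page (assumed path)."""
    supplied = params.get(TOKEN_NAME)
    if isinstance(supplied, str) and secrets.compare_digest(supplied, session["csrf_token"]):
        return ("ok", None)
    log.warning("CSRF token missing or invalid for request %r", sorted(params))
    if action == "invalidate":
        session["valid"] = False
        return ("invalidate", None)
    if action == "redirect":
        return ("redirect", landing)
    return ("log", None)
```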
The OWASP Enterprise Security API
[Diagram: a custom enterprise web application built on the Enterprise Security API, whose components are:]
- SecurityConfiguration
- IntrusionDetector
- Logger
- Exception Handling
- Randomizer
- EncryptedProperties
- Encryptor
- HTTPUtilities
- Encoder
- Validator
- AccessReferenceMap
- AccessController
- User
- Authenticator
Coverage: OWASP Top Ten vs. OWASP ESAPI
A1. Cross Site Scripting (XSS)             -> Validator, Encoder
A2. Injection Flaws                         -> Encoder
A3. Malicious File Execution                -> HTTPUtilities (upload)
A4. Insecure Direct Object Reference        -> AccessReferenceMap
A5. Cross Site Request Forgery (CSRF)       -> User (csrftoken)
A6. Leakage and Improper Error Handling     -> EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions      -> Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage          -> Encryptor
A9. Insecure Communications                 -> HTTPUtilities (secure cookie, channel)
A10. Failure to Restrict URL Access         -> AccessController
Create Your ESAPI Implementation
- Your security services
  - Wrap your existing libraries and services
  - Extend and customize your ESAPI implementation
  - Fill in gaps with the reference implementation
- Your coding guideline
  - Tailor the ESAPI coding guidelines
  - Retrofit ESAPI patterns to existing code
OWASP CLASP
- Comprehensive, Lightweight Application Security Process
  - Prescriptive and proactive
  - Centered around 7 AppSec best practices
  - Covers the entire software lifecycle (not just development)
- Adaptable to any development process
  - CLASP defines roles across the SDLC
  - 24 role-based process components
  - Start small and dial in to your needs
The CLASP Best Practices
1. Institute awareness programs
2. Perform application assessments
3. Capture security requirements
4. Implement secure development practices
5. Build vulnerability remediation procedures
6. Define and monitor metrics
7. Publish operational security guidelines
SDLC & OWASP Guidelines
[Diagram: OWASP Framework]
Want More?
- OWASP .NET Project
- OWASP ASDR Project
- OWASP AntiSamy Project
- OWASP AppSec FAQ Project
- OWASP Application Security Assessment Standards Project
- OWASP Application Security Metrics Project
- OWASP Application Security Requirements Project
- OWASP CAL9000 Project
- OWASP CLASP Project
- OWASP CSRFGuard Project
- OWASP CSRFTester Project
- OWASP Career Development Project
- OWASP Certification Criteria Project
- OWASP Certification Project
- OWASP Code Review Project
- OWASP Communications Project
- OWASP DirBuster Project
- OWASP Education Project
- OWASP Encoding Project
- OWASP Enterprise Security API
- OWASP Flash Security Project
- OWASP Guide Project
- OWASP Honeycomb Project
- OWASP Insecure Web App Project
- OWASP Interceptor Project
- OWASP JBroFuzz
- OWASP Java Project
- OWASP LAPSE Project
- OWASP Legal Project
- OWASP Live CD Project
- OWASP Logging Project
- OWASP Orizon Project
- OWASP PHP Project
- OWASP Pantera Web Assessment Studio Project
- OWASP SASAP Project
- OWASP SQLiX Project
- OWASP SWAAT Project
- OWASP Sprajax Project
- OWASP Testing Project
- OWASP Tools Project
- OWASP Top Ten Project
- OWASP Validation Project
- OWASP WASS Project
- OWASP WSFuzzer Project
- OWASP Web Services Security Project
- OWASP WebGoat Project
- OWASP WebScarab Project
- OWASP XML Security Gateway Evaluation Criteria Project
- OWASP on the Move Project
SoC 2008 Selection
- OWASP Code Review Guide v1.1
- The Ruby on Rails Security Guide v2
- OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)
- Internationalization Guidelines and OWASP-Spanish Project
- OWASP Application Security Desk Reference (ASDR)
- OWASP .NET Project Leader
- OWASP Education Project
- The OWASP Testing Guide v3
- OWASP Application Security Verification Standard
- Online code signing and integrity verification service for open source community (OpenSign Server)
- Securing WebGoat using ModSecurity
- OWASP Book Cover & Sleeve Design
- OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief
- OWASP Access Control Rules Tester
- OpenPGP Extensions for HTTP - Enigform and mod_openpgp
- OWASP-WeBekci Project
- OWASP Backend Security Project
- OWASP Application Security Tool Benchmarking Environment and Site Generator refresh
- Teachable Static Analysis Workbench
- OWASP Positive Security Project
- GTK+ GUI for w3af project
- OWASP Interceptor Project - 2008 Update
- Skavenger
- SQL Injector Benchmarking Project (SQLiBENCH)
- OWASP AppSensor - Detect and Respond to Attacks from Within the Application
- OWASP Orizon Project
- OWASP Corporate Application Security Rating Guide
- OWASP AntiSamy .NET
- Python Static Analysis
- OWASP Classic ASP Security Project
- OWASP Live CD 2008 Project
OWASP Projects Are Alive!
[Timeline: 2001, 2003, 2005, 2007, 2009 ...]
Agenda
- OWASP Introduction
- OWASP Project Parade
- OWASP Near You?
www.owasp.tv
56 videos - 40 h
Upcoming Conferences
- February 2009 - OWASP Day III Italy: "Web Application Security: research meets industry", 23rd February 2009, Bari (Italy)
- February 2009 - OWASP AppSec Australia 2009 - Gold Coast: Training & Conference, Gold Coast Convention Center, QLD, Australia
- March 2009 - OWASP Front Range Conference, March 5th: 2nd Annual 1-Day Conference in Denver, Colorado
- May 2009 - OWASP AppSec Europe 2009
  - Poland, May 11th-14th: Conference and Training, Qubus Hotel, Krakow, Poland
  - Back to back with Confidence 09
- June 2009 - OWASP AppSec - Dublin, Ireland
- October 2009 - OWASP AppSec US 2009 - Washington, D.C.
NY/NJ Metro Chapter
- Meetings
- Local mailing list
- Presentations & groups
- Open forum for discussion
- Meet fellow InfoSec professionals
- Create (Web)AppSec awareness
- Local projects?
Subscribe to Your Local Chapter Mailing List
- Find your local chapter at www.owasp.org
- Post your (Web)AppSec questions
- Keep up to date!
- Get OWASP newsletters
- Contribute to discussions!
Thank you for your time. Any questions?
www.owasp.org