OWASP Overview
Pete Perfetti, NY-NJ Metro Committee Member
[email protected]

Copyright - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation, http://www.owasp.org

Agenda
- OWASP Introduction
- OWASP Project Parade
- OWASP Near You?

OWASP Introduction

OWASP: The Open Web Application Security Project
- International not-for-profit charitable open source organization
- Funded primarily by volunteers' time, OWASP memberships, and OWASP conference fees
- Participation in OWASP is free and open to all

OWASP Mission
- To make application security "visible," so that people and organizations can make informed decisions about application security risks
- Through research grants and funding, make people aware of the real threat
- Make people and organizations aware that security does not end after the test

OWASP Resources and Community
- www.owasp.org
- 130+ chapters worldwide

OWASP Conferences (2008-2009)
- Gold Coast, Feb 2008 (and 2009)
- Brussels, May 2008
- India, Aug 2008
- NYC, Sep 2008
- Israel, Sep 2008
- Minnesota, Oct 2008
- Taiwan, Oct 2008
- Germany, Nov 2008
- Portugal, Nov 2008
- Denver, Spring 2009
- Poland, May 2009
- San Jose (?), Sep 2009

Summit Portugal 2009 Focus
- 80+ application security experts from 20+ countries
- New free tools and guidance (SoC08)
- New outreach program: technology vendors, framework providers, and standards bodies
- New program to provide free one-day seminars at universities and developer conferences worldwide
- New global committee structure: Education, Chapters, Conferences, Industry, Projects and Tools, Membership

OWASP Project Parade

OWASP Projects: Improve Quality and Support
- Define criteria for quality levels: Alpha, Beta, Release
- Encourage increased quality through Season of Code funding and support
- Produce professional OWASP books
- Provide support:
  - Full-time executive director (Kate Hartmann)
  - Full-time project manager (Paulo Coimbra)
  - Half-time technical editor (Kirsten Sitnick)
  - Half-time financial support (Alison Shrader)
  - Looking to add programmers (interns and professionals)

OWASP Top 10
- The ten most critical web application security vulnerabilities
- 2007 release: a great start, but not a standard
- 3rd version of the Top 10 (2009) coming soon
- Key application security vulnerabilities: www.owasp.org/index.php?title=Top_10_2007

The Big 4 Documentation Projects
- Building Guide
- Code Review Guide
- Testing Guide
- Application Security Desk Reference (ASDR)

The Guide
- Complements the OWASP Top 10
- 310-page book, free and open source (GNU Free Documentation License)
- Many contributors
- Covers applications and web services on most platforms; examples are J2EE, ASP.NET, and PHP
- Comprehensive
- Project leader and editor: Andrew van der Stock, [email protected]

Uses of the Guide
- Developers: guidance on implementing security mechanisms and avoiding vulnerabilities
- Project managers: identifying the activities (threat modeling, code review, penetration testing) that need to occur
- Security teams: structuring evaluations, learning about application security, remediation approaches

Each Topic Includes
- Basic information (like the OWASP Top 10): how to determine if you are vulnerable, how to protect yourself
- Plus: objectives, environments affected, relevant COBIT topics, theory, best practices, misconceptions, code snippets

Testing Guide v2: Index

1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors

Version 3.0 released TODAY! Check your email.

What Is the OWASP Testing Guide?
- Testing principles and testing process
- Custom web applications: black box testing and grey box testing
- Risk and reporting
- Appendices: testing tools, fuzz vectors
- Test categories: information gathering, business logic testing, authentication testing, session management testing, data validation testing, denial of service testing, web services testing, Ajax testing
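The Fuzz Vectors appendix (and the Encoded Injection appendix that v3 adds) is about sending the same probe in several encodings until one slips past a filter that inspects the raw parameter. The block below is an added example written for this overview, not code from the Testing Guide or from ESAPI: it builds the encoded variants of one constructed test vector and shows why validation has to run on the canonical (fully decoded) form, with double or mixed encoding treated as a signal in its own right. The payload string and the filter rule are assumptions made for the example.

```python
"""Encoded fuzz vectors and canonicalise-before-validate.

Added example for this overview, not code from the OWASP Testing Guide or
from ESAPI. It builds the encoded forms of one constructed test vector the
way a tester would for the Fuzz Vectors / Encoded Injection appendices, and
shows why input validation must run on the canonical (fully decoded) form.
"""
import html
from urllib.parse import quote, unquote

# Constructed sample vector; any XSS or injection probe would do.
PAYLOAD = "<script>alert(1)</script>"


def html_decimal(s: str) -> str:
    """Numeric decimal entities: '<' -> '&#60;'"""
    return "".join(f"&#{ord(c)};" for c in s)


def html_hex(s: str) -> str:
    """Numeric hex entities: '<' -> '&#x3c;'"""
    return "".join(f"&#x{ord(c):x};" for c in s)


def encoded_variants(payload: str) -> dict:
    """The same probe in the encodings a tester sends to find the one a filter misses."""
    url = quote(payload, safe="")            # %3Cscript%3E...
    return {
        "plain": payload,
        "url": url,
        "double-url": quote(url, safe=""),   # %253Cscript%253E... (double encoding)
        "html-decimal": html_decimal(payload),
        "html-hex": html_hex(payload),
        "mixed": html_decimal(url),          # URL-encoded, then entity-encoded on top
    }


def canonicalize(value: str, max_layers: int = 8) -> tuple:
    """Decode URL and HTML-entity encoding repeatedly until nothing changes.

    Returns (canonical_value, layers). layers > 1 means the input was
    double- or mixed-encoded, which ordinary browsers do not produce;
    treat it as an attack signal (ESAPI's reference Encoder rejects
    multiple/mixed encoding the same way). The cap stops a decoding loop
    on hostile input.
    """
    current = value
    layers = 0
    for _ in range(max_layers):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            return current, layers
        current = decoded
        layers += 1
    raise ValueError("too many encoding layers")


def naive_filter(value: str) -> bool:
    """What a filter that inspects the raw parameter sees."""
    return "<script" in value.lower()


def canonical_filter(value: str) -> bool:
    """Same rule applied after canonicalisation, plus the multiple-encoding check."""
    canonical, layers = canonicalize(value)
    return layers > 1 or "<script" in canonical.lower()


def compare_filters(payload: str = PAYLOAD) -> dict:
    """Per variant: does each filter flag it? Shows which encoded forms evade the naive check."""
    return {
        name: {"naive": naive_filter(v), "canonical": canonical_filter(v)}
        for name, v in encoded_variants(payload).items()
    }


if __name__ == "__main__":
    for name, verdict in compare_filters().items():
        print(f"{name:13s} naive={verdict['naive']!s:5s} canonical={verdict['canonical']}")
```

Run stand-alone, the table shows the naive check flagging only the plain variant while the canonical check flags all six. The two design points to carry over into a real filter are the fixed-point loop with an upper bound (so a hostile input cannot keep the decoder busy) and the rule that more than one decoding layer is itself a reason to reject the request, independent of what the payload decodes to.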

SoC08: Testing Guide version 3
- Improves version 2: 9 articles improved
- Total of 10 testing categories and 66 controls
- New sections and controls: Configuration Management, Authorization Testing
- 36 new articles
- New Encoded Injection appendix

How the Guide Helps the Security Industry
- Testers: a structured approach to the testing activities, a checklist to be followed, a learning and training tool
- Organisations: a tool to understand web vulnerabilities and their impact, a way to check the quality of security tests
- More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between testing groups and their customers. This raises the overall quality and understanding of this kind of activity and therefore the general level of security of our applications.

Tools
- http://www.owasp.org/index.php/Phoenix/Tools
- Best known OWASP tools: WebGoat, WebScarab
- Remember: a fool with a tool is still a fool

Tools: At Best 45%
- MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE)
- They found very little overlap between tools, so to get to 45% you need them all (assuming their claims are true)


OWASP CSRFGuard 2.0
- Adds a per-session token to: href attributes, src attributes, and a hidden field in all forms
- Actions when a request fails the token check: Log, Invalidate, Redirect
- http://www.owasp.org/index.php/CSRFGuard
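What the three injection points and the three failure actions look like in code, as an added example for this overview rather than CSRFGuard's own Java servlet filter (which injects its token through a JavaScript shim): the token parameter name OWASP_CSRFTOKEN, the /error redirect target and the sample markup are assumptions made for the example, and the regex rewriting is only adequate for the constructed page it is run on.

```python
"""Synchronizer-token CSRF defence on the CSRFGuard model.

Added example for this overview, not CSRFGuard's own code. It sketches the
same three injection points (href, src, hidden form field) and three failure
actions (log, invalidate, redirect) in Python. The token parameter name, the
/error redirect target and the sample HTML are assumptions made for the example.
"""
import hmac
import logging
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_NAME = "OWASP_CSRFTOKEN"                  # assumed parameter name
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}
ERROR_PAGE = "/error"                           # assumed redirect target
log = logging.getLogger("csrfguard")


def new_session_token(session: dict) -> str:
    """Mint a 256-bit random token and bind it to the server-side session."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_NAME] = token
    return token


def _append_token(url: str, token: str) -> str:
    """Append the token as a query parameter to a same-site URL.

    Absolute URLs are left alone: putting the token on a link to another
    origin would leak it in that site's logs and Referer headers.
    """
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return url
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((TOKEN_NAME, token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def inject_token(html: str, token: str) -> str:
    """Put the token where CSRFGuard puts it: every href and src attribute
    and a hidden field in every form. Regex rewriting is enough for the
    constructed page below; real markup needs an HTML parser."""
    def rewrite(m):
        return f'{m.group(1)}="{_append_token(m.group(2), token)}"'
    html = re.sub(r'\b(href|src)="([^"]*)"', rewrite, html)
    hidden = f'<input type="hidden" name="{TOKEN_NAME}" value="{token}">'
    return re.sub(r'</form>', hidden + '</form>', html, flags=re.IGNORECASE)


def verify(session: dict, method: str, params: dict, action: str = "invalidate") -> dict:
    """Validate the submitted token; on failure apply one of CSRFGuard's actions.

    Safe methods without a token are not CSRF targets and pass. Any
    state-changing request, and any request that does carry a token, must
    present the session's token exactly (constant-time compare).
    """
    expected = session.get(TOKEN_NAME)
    presented = params.get(TOKEN_NAME)
    if method.upper() not in STATE_CHANGING and presented is None:
        return {"ok": True, "action": None}
    if expected and presented and hmac.compare_digest(expected.encode(), presented.encode()):
        return {"ok": True, "action": None}
    log.warning("CSRF token check failed for %s request", method)
    if action == "log":
        return {"ok": False, "action": "log"}                 # record only
    if action == "invalidate":
        session.clear()                                       # drop the possibly hijacked session
        return {"ok": False, "action": "invalidate"}
    if action == "redirect":
        return {"ok": False, "action": "redirect", "location": ERROR_PAGE}
    raise ValueError(f"unknown action {action!r}")


SAMPLE_PAGE = (   # constructed markup
    '<a href="/transfer?to=bob">pay bob</a>'
    '<a href="https://example.org/">external</a>'
    '<img src="/img/logo.png">'
    '<form method="post" action="/transfer"><input name="amount"></form>'
)


def demo() -> dict:
    """Walk one session through token issue, injection, a genuine submit and a forged one."""
    session = {}
    token = new_session_token(session)
    page = inject_token(SAMPLE_PAGE, token)
    genuine = verify(session, "POST", {TOKEN_NAME: token, "amount": "10"})
    # An attacker's page can make the victim's browser send the form, but cannot read the token.
    forged = verify(session, "POST", {"amount": "10"}, action="redirect")
    return {"page": page, "genuine": genuine, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

Two caveats a deployment has to weigh. Tokens carried in href and src attributes travel in the URL, so they appear in proxy and server logs and in Referer headers of any off-site link the page makes; the example refuses to tag absolute URLs for that reason, and many teams restrict the token to the hidden form field. And the comparison must be constant-time (hmac.compare_digest here), otherwise the token can be recovered byte by byte from response timing.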

The OWASP Enterprise Security API (ESAPI)

ESAPI Coverage
(diagram not reproduced)

Create Your ESAPI Implementation
- Your security services: wrap your existing libraries and services; extend and customize your ESAPI implementation; fill in gaps with the reference implementation
- Your coding guideline: tailor the ESAPI coding guidelines; retrofit ESAPI patterns to existing code

OWASP CLASP: Comprehensive, Lightweight Application Security Process
- Prescriptive and proactive
- Centered around 7 AppSec best practices
- Covers the entire software lifecycle (not just development)
- Adaptable to any development process
- CLASP defines roles across the SDLC: 24 role-based process components
- Start small and dial in to your needs

The CLASP Best Practices
1. Institute awareness programs
2. Perform application assessments
3. Capture security requirements
4. Implement secure development practices
5. Build vulnerability remediation procedures
6. Define and monitor metrics
7. Publish operational security guidelines

SDLC & OWASP Guidelines: OWASP Framework
(diagram not reproduced)

Want More?


OWASP Projects
- OWASP .NET Project
- OWASP ASDR Project
- OWASP AntiSamy Project
- OWASP AppSec FAQ Project
- OWASP Application Security Assessment Standards
- OWASP Application Security Metrics Project
- OWASP Application Security Requirements Project
- OWASP CAL9000 Project
- OWASP CLASP Project
- OWASP CSRFGuard Project
- OWASP CSRFTester Project
- OWASP Career Development Project
- OWASP Certification Criteria Project
- OWASP Certification Project
- OWASP Code Review Project
- OWASP Communications Project
- OWASP DirBuster Project
- OWASP Education Project
- OWASP Encoding Project
- OWASP Enterprise Security API
- OWASP Flash Security Project
- OWASP Guide Project
- OWASP Honeycomb Project
- OWASP Insecure Web App Project
- OWASP Interceptor Project
- OWASP Logging Project
- OWASP Orizon Project
- OWASP PHP Project
- OWASP Pantera Web Assessment Studio Project
- OWASP SASAP Project
- OWASP SQLiX Project
- OWASP SWAAT Project
- OWASP Sprajax Project
- OWASP Testing Project
- OWASP Tools Project
- OWASP Top Ten Project
- OWASP Validation Project
- OWASP WASS Project
- OWASP WSFuzzer Project
- OWASP Web Services Security Project
- OWASP WebGoat Project
- OWASP WebScarab Project
- OWASP XML Security Gateway Evaluation Criteria Project
- OWASP on the Move Project

SoC2008 Selection
- OWASP Code Review Guide, v1.1
- The Ruby on Rails Security Guide v2
- OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)
- Internationalization Guidelines and OWASP Spanish Project
- OWASP Application Security Desk Reference (ASDR)
- OWASP .NET Project Leader
- OWASP Education Project
- The OWASP Testing Guide v3
- OWASP Application Security Verification Standard
- Online code signing and integrity verification service for the open source community (OpenSign Server)
- Securing WebGoat using ModSecurity
- OWASP Book Cover & Sleeve Design
- OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief
- OWASP Access Control Rules Tester
- OpenPGP Extensions for HTTP - Enigform and mod_openpgp
- OWASP-WeBekci Project
- OWASP Backend Security Project
- OWASP Application Security Tool Benchmarking Environment and Site Generator refresh
- Teachable Static Analysis Workbench
- OWASP Positive Security Project
- GTK+ GUI for w3af project
- OWASP Interceptor Project - 2008 Update
- Skavenger
- SQL Injector Benchmarking Project (SQLiBENCH)
- OWASP AppSensor - Detect and Respond to Attacks from Within the Application
- OWASP Orizon Project
- OWASP Corporate Application Security Rating Guide
- OWASP AntiSamy .NET
- Python Static Analysis
- OWASP Classic ASP Security Project
- OWASP Live CD 2008 Project

OWASP Projects Are Alive!
(timeline of project growth: 2001, 2003, 2005, 2007, 2009)

OWASP Near You?

www.owasp.tv
- 56 videos, 40 hours

Upcoming Conferences
- February 2009: OWASP Day III, Italy, "Web Application Security: research meets industry", 23rd February 2009, Bari (Italy)
- February 2009: OWASP AppSec Australia 2009, Gold Coast: training & conference, Gold Coast Convention Center, QLD, Australia
- March 2009: OWASP Front Range Conference, March 5th: 2nd annual 1-day conference in Denver, Colorado
- May 2009: OWASP AppSec Europe 2009, Poland, May 11th-14th: conference and training, Qubus Hotel, Krakow, Poland, back to back with Confidence09
- June 2009: OWASP AppSec, Dublin, Ireland
- October 2009: OWASP AppSec US 2009, Washington, D.C.

NY/NJ Metro Chapter
- Meetings
- Local mailing list
- Presentations & groups
- Open forum for discussion
- Meet fellow InfoSec professionals
- Create (Web)AppSec awareness
- Local projects?

- Subscribe to your local chapter mailing list; find your local chapter at www.owasp.org
- Post your (Web)AppSec questions
- Keep up to date: get OWASP newsletters
- Contribute to discussions!

Thank you for your time. Any questions?
www.owasp.org
