OWASP – an Introduction
Simon Bennetts, OWASP chapter and project lead, psiinon@gmail.com
Manchester Linux Users Group, February 2011
What is OWASP?
• Open Web Application Security Project
• Promotes secure software development
• Oriented to the delivery of web oriented services
• Focused primarily on the “back-end” rather than on web-design issues
• An open forum for discussion
• A free resource for any development team
What is OWASP?
• Open Web Application Security Project
• Non-profit, volunteer driven organization
  • All members are volunteers
  • All work is donated by sponsors
• Provide free resources to the community
  • Software, Publications, Articles, Standards
  • Testing and Training Software
  • Local Chapters & Mailing Lists
• Supported through sponsorships
  • Corporate support through financial or project sponsorship
  • Personal sponsorships from members
OWASP Top Ten (Category: Detection; Type: Documentation; Status: Release quality)
An awareness document that describes the top ten most common web application security risks

OWASP Developers Guide (Category: Protection; Type: Documentation; Status: Release quality)
Guidance on building security in to web applications and web services

OWASP Code Review Guide (Category: Detection; Type: Documentation; Status: Release quality)
Best practices for reviewing source code for application defects

OWASP Testing Guide (Category: Detection; Type: Documentation; Status: Release quality)
Application security tests and testing methodology

OWASP AntiSamy (Category: Protection; Type: Tool; Status: Release quality)
API (available in Java and .NET) for validating rich HTML/CSS input from users to prevent exposure to cross-site scripting and phishing attacks

OWASP Enterprise Security API (Category: Protection; Type: Tool; Status: Release quality)
A collection of security methods needed to build secure web applications (Java EE, .NET, classic ASP, PHP, ColdFusion, Python, JavaScript, Objective C, Force.com, Ruby, Swingset)
OWASP ModSecurity Core Rule Set (Category: Protection; Type: Tool; Status: Release quality)
A set of critical protections against attacks across almost every web architecture, for the ModSecurity web application firewall Apache web server module
OWASP WebScarab (Category: Detection; Type: Tool; Status: Release quality)
HTTP intercepting proxy and tool for performing security testing on web applications

OWASP JBroFuzz (Category: Detection; Type: Tool; Status: Release quality)
A web application protocol fuzzer for requests being made over HTTP and/or HTTPS

OWASP WebGoat (Category: Life cycle; Type: Tool; Status: Release quality)
A deliberately insecure J2EE web application designed to provide web application security lessons

OWASP AppSensor project (Category: Protection; Type: Documentation (& Tool); Status: Beta)
A framework for detecting and responding to attacks from within the application – application layer intrusion detection and prevention

OWASP Zed Attack Proxy (Category: Detection; Type: Tool; Status: Beta)
HTTP intercepting proxy / penetration testing tool for developers and functional testers
What else is there?
• Scores of other projects
• Common numbering scheme
• Wiki
• Cheat sheet series
• Codes of Conduct
• Committees
• Collaborative activities
• Podcast and newsletter
• Mailing lists
• Local chapters
The OWASP top 10
• A1: Injection
  • Especially SQL: ' OR 1=1 --
• A2: Cross-Site Scripting (XSS)
  • Injecting HTML / JavaScript: <script>alert('XSS!');</script>
• A3: Broken Authentication and Session Management
  • A multitude of sins, including session hijacking
• A4: Insecure Direct Object References
  • Not checking that the user is allowed to access the specified object
  • https://www.mybank.com/AccDetails?acc=12345678
• A5: Cross-Site Request Forgery (CSRF)
  • Performing an action on a GET request, like:
  • https://www.mybank.com/Transfer?dest=bad.hacker&amount=100000
  • <img src="https://www.mybank.com/Transfer?..." height="0" width="0"/>
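The A1, A4 and A5 items above each come down to one missing check in a request handler. The following is an added example (not code from the talk or from any OWASP project) that stands in for the bank's AccDetails and Transfer handlers with an in-memory SQLite table. The account numbers, owners, balances and the session layout are constructed; the payload is the slide's own ' OR 1=1 --. It shows the vulnerable string-built query beside the parameterised one, an ownership check on the object reference, and a transfer that only runs on POST with a per-session CSRF token.

```python
import hmac
import secrets
import sqlite3

# Constructed sample data (not from the slides): two customers, one account each.
ACCOUNTS = [
    ("12345678", "alice", 5000),
    ("87654321", "bob", 250),
]


def build_db():
    """In-memory SQLite standing in for the bank's account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acc TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    conn.commit()
    return conn


# A1 Injection, vulnerable form: the acc parameter is concatenated into the SQL text,
# so the slide's payload  ' OR 1=1 --  makes the WHERE clause true for every row.
def lookup_vulnerable(conn, acc):
    sql = "SELECT acc, owner, balance FROM accounts WHERE acc = '" + acc + "'"
    return conn.execute(sql).fetchall()


# A1 Injection, hardened form: a parameterised query. The same payload is now just
# an account number that does not exist, and the query returns nothing.
def lookup_safe(conn, acc):
    sql = "SELECT acc, owner, balance FROM accounts WHERE acc = ?"
    return conn.execute(sql, (acc,)).fetchall()


# A4 Insecure Direct Object Reference: /AccDetails?acc=12345678 must verify that the
# logged-in user owns the account, not merely that the account exists. Returns None
# (so the handler can answer 403/404) when the check fails.
def account_details(conn, current_user, acc):
    row = conn.execute(
        "SELECT acc, balance FROM accounts WHERE acc = ? AND owner = ?",
        (acc, current_user),
    ).fetchone()
    if row is None:
        return None
    return {"acc": row[0], "balance": row[1]}


# A5 CSRF: a server-side session carries a random token that a page on another site
# cannot read, so a hidden <img src="https://www.mybank.com/Transfer?..."> cannot supply it.
def new_session(user):
    return {"user": user, "csrf_token": secrets.token_hex(16)}


def transfer(conn, session, method, form):
    """Handle /Transfer. form holds src, dest, amount, csrf_token. Returns (ok, reason)."""
    if method != "POST":
        return False, "transfer requires POST"          # a GET from an <img> never acts
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return False, "missing or invalid CSRF token"
    amount = int(form.get("amount", 0))
    # The source account must belong to the session user (A4 again) and cover the amount.
    row = conn.execute(
        "SELECT balance FROM accounts WHERE acc = ? AND owner = ?",
        (form.get("src"), session["user"]),
    ).fetchone()
    if amount <= 0 or row is None or row[0] < amount:
        return False, "not allowed"
    if conn.execute("SELECT 1 FROM accounts WHERE acc = ?", (form.get("dest"),)).fetchone() is None:
        return False, "unknown destination"
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE acc = ?", (amount, form["src"]))
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE acc = ?", (amount, form["dest"]))
    conn.commit()
    return True, "transferred"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, "' OR 1=1 --"))
    print("parameterised:", lookup_safe(db, "' OR 1=1 --"))
    sess = new_session("alice")
    form = {"src": "12345678", "dest": "87654321", "amount": "100"}
    print(transfer(db, sess, "GET", dict(form, csrf_token=sess["csrf_token"])))
    print(transfer(db, sess, "POST", dict(form, csrf_token=sess["csrf_token"])))
```

The token comparison uses hmac.compare_digest so that a wrong token takes the same time to reject regardless of how many leading characters match; the ownership condition is part of the SQL itself rather than a separate lookup, so there is no window in which the handler holds a row it has not yet authorised.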
The OWASP top 10
• A6: Security Misconfiguration
  • Out of date software, default passwords, detailed error messages, …
• A7: Insecure Cryptographic Storage
  • E.g. storing passwords hashed with DES (hello Gawker!)
• A8: Failure to Restrict URL Access
  • E.g. hoping https://example.com/admin won't be found
• A9: Insufficient Transport Layer Protection
  • http:// instead of https://
• A10: Unvalidated Redirects and Forwards
  • http://www.example.com/redirect.jsp?url=evil.com
  • http://www.example.com/boring.jsp?fwd=admin.jsp
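A8 and A10 share a fix: decide in one place which targets are acceptable and deny everything else, instead of hoping a URL stays unknown. The following is an added example (not code from the talk or from any OWASP project) covering the redirect.jsp?url=, boring.jsp?fwd= and /admin cases from the slide. The allowed hosts, the allowed forward pages, the role mapping and the public prefixes are a constructed policy for www.example.com; the redirect validator also forces https on the way out, which is the A9 point.

```python
import posixpath
from urllib.parse import urlparse

# Constructed policy (not from the slides): hosts a redirect may point at, and the
# internal pages a fwd parameter may name (none of them needing extra privilege).
OUR_HOST = "www.example.com"
ALLOWED_REDIRECT_HOSTS = {OUR_HOST, "help.example.com"}
ALLOWED_FORWARDS = {"boring.jsp", "help.jsp"}


# A10 Unvalidated Redirects: redirect.jsp?url=... is honoured only when the target is a
# path on this site or a URL on an allow-listed host. Anything else returns None and
# the handler sends the user to the home page instead of wherever evil.com wanted.
def safe_redirect_target(url):
    if not url:
        return None
    parsed = urlparse(url)
    if parsed.scheme not in ("", "http", "https"):
        return None                                   # javascript:, data:, file:, ...
    if parsed.netloc == "":
        # Relative target: accept a plain absolute path only. "//host" and "/\host" are
        # treated as scheme-relative by browsers and would leave the site, so refuse them.
        if url.startswith("/") and not url.startswith(("//", "/\\")):
            return "https://" + OUR_HOST + url
        return None                                   # "evil.com" lands here too
    if parsed.hostname not in ALLOWED_REDIRECT_HOSTS:
        return None                                   # evil.com, www.example.com.evil.com
    # A9: never send the user back out over plain http.
    return parsed._replace(scheme="https").geturl()


# A10 Unvalidated Forwards: boring.jsp?fwd=admin.jsp never leaves the server, so a host
# check cannot help; only an explicit list of pages that may be reached this way does.
def safe_forward_target(page):
    return page if page in ALLOWED_FORWARDS else None


# A8 Failure to Restrict URL Access: one deny-by-default gate applied to every request,
# so https://example.com/admin is protected whether or not it is linked from anywhere.
REQUIRED_ROLE = {"/admin": "admin", "/account": "user"}
PUBLIC_PREFIXES = ("/login", "/static/")


def authorize(path, roles):
    path = posixpath.normpath(path)       # "/static/../admin" is "/admin" to the server
    if path.startswith(PUBLIC_PREFIXES):
        return True
    for prefix, role in REQUIRED_ROLE.items():
        if path == prefix or path.startswith(prefix + "/"):
            return role in roles
    return False                          # unknown URLs are not reachable at all


if __name__ == "__main__":
    for candidate in ("evil.com", "//evil.com/", "/account", "http://help.example.com/faq"):
        print(candidate, "->", safe_redirect_target(candidate))
    print("fwd=admin.jsp ->", safe_forward_target("admin.jsp"))
    print("/admin as user ->", authorize("/admin", {"user"}))
```

The authorize gate belongs in a filter or middleware that runs before any page handler, so that adding a page without a rule makes it unreachable rather than accidentally public; the same deny-by-default shape is what keeps the forward list short.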