OWASP Porto Alegre Chapter
OWASP in favor of a more secure world
L. Gustavo C. Barbato, Ph.D.
lgbarbato@owasp.org
Chapter Leader, OWASP Porto Alegre / Brazil
Member, Global Chapter Committee
Porto Alegre Chapter Meeting, 03/31/2011
UNISINOS – São Leopoldo
Introduction
OWASP (Open Web Application Security Project)
• OWASP is an international organization and the OWASP Foundation supports OWASP efforts around the world
• OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted
• All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security
http://www.owasp.org/index.php/About_OWASP
Knowledge base (timeline graphic of OWASP resources, 2001 to 2011)
http://www.owasp.org
History
• OWASP was started on September 9, 2001 by Mark Curphey and Dennis Groves
• Since late 2003, Jeff Williams has served as the volunteer Chair of OWASP
• The OWASP Foundation, a 501(c)(3) organization (in the USA), was established in 2004
• Thousands of individual members, nowadays
• OWASP Foundation has over 80 Active Local Chapters
• and only 3 employees
http://en.wikipedia.org/wiki/OWASP
Ecosystem
• Volunteers
  • Knowledge sharing
  • People/Project Leadership
  • Event presentations
  • Administration
• Sustained by
  • Conferences
  • Individual supporters, annually
  • Banner advertisements
  • Corporate sponsors
http://www.owasp.org/images/0/0d/OWASP_ByLaws.pdf
OWASP Board
• Jeff Williams - USA, jeff.williams@owasp.org
• Sebastien Deleersnyder - Belgium, seba@owasp.org
• Tom Brennan - USA, tomb@owasp.org
• Eoin Keary - Ireland, Eoin.Keary@owasp.org
• Dave Wichers - USA, dave.wichers@owasp.org
• Matt Tesauro - USA, Matt.Tesauro@owasp.org
http://www.owasp.org/index.php/Contact
Global Committees http://www.owasp.org/index.php/Global_Committee_Pages
Local Chapters
• Hundreds of Local Chapters but only around 80 are Active
• Brazil: http://www.owasp.org/index.php/Category:Brasil
  • Porto Alegre
  • Curitiba
  • São Paulo
  • Campinas
  • Brasília
  • Goiania
  • Recife
  • Paraíba
http://www.owasp.org/index.php/Category:OWASP_Chapter
Organization Supporters http://www.owasp.org/index.php/Membership
Resources http://www.owasp.org/index.php/Category:OWASP_Project
OWASP Top Ten 2010 http://www.owasp.org/index.php/Top_10
ESAPI (Enterprise Security API)
(architecture diagram: ESAPI layered over "Your Existing Enterprise Services or Libraries")
http://www.owasp.org/index.php/ESAPI
SAMM (Software Assurance Maturity Model) http://www.owasp.org/index.php/Software_Assurance_Maturity_Model
CLASP (Comprehensive, Lightweight, Application Security Process) http://www.owasp.org/index.php/OWASP_CLASP_Project
ASVS (Application Security Verification Standard) http://www.owasp.org/index.php/ASVS
OWASP Testing Guide http://www.owasp.org/index.php/OWASP_Testing_Project
WebScarab http://www.owasp.org/index.php/OWASP_WebScarab
WebGoat http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP Live CD http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
ModSecurity Core Rule Set Project
• Supports any type of parameter: POST, GET or any other
• Example rule (elided on the slide):
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
      "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:… … … \
      "capture,log,deny,t:replaceComments,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950001',severity:'2'"
• Every SQL injection related keyword is checked
• Common evasion techniques are mitigated
• SQL comments are compensated for
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
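The transformation chain in the rule's action list is what makes the evasion and comment handling on the slide work: the input is normalized before the signature is matched. The Python below is an added example, not ModSecurity's or the CRS project's code. It re-implements the four transformations in the rule's order, uses a simplified signature modelled on the rule's first "select ... from" alternative (the real CRS regex is far larger), and applies the rule's variable selection (ARGS, ARGS_NAMES, REQUEST_HEADERS minus Referer) to a constructed request; REQUEST_FILENAME and the %uXXXX decoding form are assumed out of scope.

```python
import html
import re
from urllib.parse import unquote

# Added example (not ModSecurity/CRS code): simplified re-implementation of the
# four transformations in the rule's action list, applied in the rule's order.
def replace_comments(s):
    return re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # t:replaceComments -> one space

def url_decode_uni(s):
    return unquote(s)  # t:urlDecodeUni: %xx decoding (%uXXXX form not handled here)

def html_entity_decode(s):
    return html.unescape(s)  # t:htmlEntityDecode: &#83; / &amp; -> characters

def lowercase(s):
    return s.lower()  # t:lowercase: one lower-case regex covers SeLeCt-style casing

TRANSFORMS = (replace_comments, url_decode_uni, html_entity_decode, lowercase)

# Simplified signature modelled on the rule's first alternative, "select ... from"
# within 100 characters; the real CRS regex is far larger and more specific.
SQLI_SIG = re.compile(r"\bselect\b.{1,100}?\bfrom\b")

def normalize(value):
    """Run the transformation chain exactly as the rule lists it."""
    for transform in TRANSFORMS:
        value = transform(value)
    return value

def inspect_request(args, headers):
    """Mirror the rule's variable list: ARGS values, ARGS_NAMES and every
    REQUEST_HEADERS entry except Referer (!REQUEST_HEADERS:Referer);
    REQUEST_FILENAME is left out here. Returns (location, matched_text)
    pairs; matched_text plays the role of %{TX.0} in the rule's msg."""
    targets = []
    for name, value in args.items():
        targets.append(("ARGS_NAMES", name))
        targets.append(("ARGS:" + name, value))
    for name, value in headers.items():
        if name.lower() != "referer":
            targets.append(("REQUEST_HEADERS:" + name, value))
    hits = []
    for location, raw in targets:
        match = SQLI_SIG.search(normalize(raw))
        if match:
            hits.append((location, match.group(0)))
    return hits
```

Calling `inspect_request({"id": "1 %53ELECT/*x*/name FROM users"}, {"User-Agent": "curl/7.0"})` on this constructed input reports the `ARGS:id` location with the normalized text `select name from`, which is the kind of value the rule's `msg` would log as TX.0.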
Books http://stores.lulu.com/owasp
Global AppSec Europe (June 6, 2011 - June 10, 2011) http://www.owasp.org/index.php/AppSecEU2011
Global AppSec North America (Sept. 20, 2011 - Sept. 23, 2011) http://www.appsecusa.org
Global AppSec Asia (Nov. 3, 2011 - Nov. 5, 2011) http://www.owasp.org/index.php/China_AppSec_2011
Global AppSec Latin America (Oct. 4, 2011 - Oct. 7, 2011) http://www.appseclatam.org
How to participate?
• http://www.owasp.org/index.php/Porto_Alegre
• Papers, wiki
• Mailing lists
• Projects
  • Proposing new ones, testing existing ones, giving feedback
• Translations
• Presentations
• Contributing annually (US$ 50)
http://www.regonline.com/owasp_membership
References
• Decks used to create this one:
  http://www.owasp.org/images/b/b4/OWASP-Intro-2008-pt-br.ppt
  https://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
  http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt
  http://www.owasp.org/images/7/71/About_OWASP_ASVS.ppt
  https://www.owasp.org/images/8/88/OWASP_EU_Summit_2008_WebScarab_treasures.ppt
  http://www.opensamm.org/downloads/resources/OpenSAMM-1.0.ppt
  http://www.owasp.org/images/a/ac/CLASPOverviewPresentation20080807NickCoblentz.ppt
  http://www.owasp.org/images/4/46/AppSecEU09_OWASP_Live_CD-mtesauro.ppt
  http://www.owasp.org/images/2/21/OWASPAppSec2007Milan_ModSecurityCoreRuleSet.ppt