Finding and Fighting the Causes of Insecure Applications
Jeff Williams, OWASP Chair, jeff.williams@owasp.org
New York/New Jersey Chapter Meeting, June 12, 2007
Public Health Warning
• XSS and CSRF have evolved
• Any website you visit could infect your browser
• An infected browser can do anything you can do
• An infected browser can scan, infect, spread
• 70-90% of web applications are ‘carriers’
Key Application Security Vulnerabilities http://www.owasp.org/index.php?title=Top_10_2007
Tools – At Best 45%
• MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE)
• They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
OWASP Knowledge and Tools (diagram: project areas and the projects in each)
• Verifying Application Security – Guide to Application Security Testing and Guide to Application Security Code Review
• Managing Application Security – Guidance and Tools for Measuring and Managing Application Security
• Core Application Security Knowledge Base
• Acquiring and Building Secure Applications – Guide to Building Secure Web Applications and Web Services
• Application Security Tools – Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
• AppSec Education and CBT – Web Based Learning Environment and Education Project
• Research to Secure New Technologies – Research Projects on Securing New Technologies (like Web Services & Ajax)
OWASP Community Platform (diagram: layers from projects down to the foundation)
• Project areas: Verifying Application Security, Managing Application Security, Core Application Security Knowledge Base, Application Security Tools, Acquiring and Building Secure Applications, AppSec Education and CBT, Research to Secure New Technologies
• Chapters, AppSec Conferences, Projects (tools and documentation)
• OWASP Community Platform (wiki, forums, mailing lists, leaders)
• OWASP Foundation 501c3 (finances, legal, infrastructure, communications)
OWASP Projects Are Alive! (timeline figure: 2001, 2003, 2005, 2007, 2009 …)
OWASP by the Numbers
• 420,000 page views per month
• 15,000 downloads per month (SF alone)
• 10,000 members on mailing lists
• 2,600 wiki users
• 1,500 wiki updates per month
• 89 chapters worldwide
• 75 individual memberships
• 38 tool and documentation projects
• 28 corporate/educational memberships
• 25 new projects funded through Spring of Code
• 0 employees
How Can You Help?
• Update the wiki!
• Share!
• Push us to do better!
• Become a member