370 likes | 662 Views
OWASP - Where we are… where we are going. Tom Brennan Dave Wichers Dinis Cruz OWASP Board Members. Why was the OWASP Project started?.
E N D
OWASP - Where we are… where we are going Tom Brennan Dave Wichers Dinis Cruz OWASP Board Members
Why was the OWASP Project started? • The Open Web Application Security Project was setup in 2001 to build an industry standard framework for testing the security of web applications. We have several main objectives including to: • define the security requirements for secure web applications • develop an industry standard web application security testing framework • build quality open source tools to support the testing framework • define a standard data exchange format to allow commercial, open source and research tools to communicate and interoperate • We will be developing the www.owasp.org website into a place where; • people can learn about the common security problems that occur with web applications and web services • developers and system architects can learn about security requirements to build secure web applications and web services • security professionals and developers can learn how to effectively test the security of web applications and web services • system owners can learn what to expect of a security company or tool testing their applications • security professionals can understand if tools are appropriate and doing what they should be doing • <WAYBACK MACHINE OWASP.ORG>
OWASP 2009 • The Open Web Application Security Project (OWASP Foundation Inc.) • Participation in OWASP is free and open to all • The vision is a software market that produces code that’s secure enough to rely on. The mission (to achieve that vision) is to make security visible (or transparent) so that software buyers and sellers are on equal footing and market forces can work. • International not-for-profit charitable organization funded primarily by volunteers time, OWASP Memberships ($50 Individuals, $5k Supporters), and OWASP Conference fees • Website: 6,464 registered users, 21,552,771 page views, and 55,941 page edits , 10k members on mailing lists 3
Governance • Principles • Free & Open • Governed by rough consensus & running code • Abide by a code of ethics (see ethics) • Not-for-profit • Not driven by commercial interests • Risk based approach 4
Code of Ethics • Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles; • Promote the implementation of and promote compliance with standards, procedures, controls for application security; Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities; • Discharge professional responsibilities with diligence and honesty; Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association; and • Not intentionally injure or impugn the professional reputation of practice of colleagues, clients, or employers. Governance 5
OWASP FOUNDATION INC. Governance (6) Volunteer Board (Jeff, Dinis, Tom, Dave, Sebastian, <insert>) (27) Volunteer Global Committee Members (see next slide) OWASP Employees (3) (140) Local Chapters (50) Projects
Global Committee Governance (27) Global Leaders Voice for 7 Regions, 140 chapters and its members and users
OWASP Top 10 • The Ten Most Critical Web Application Security Vulnerabilities • 2007 Release • A great start, but not a standard • 4th version of the Top 10 2009 coming soon (Target Nov 2009)
OWASP Top Ten (2007 Edition) http://www.owasp.org/index.php/Top_10
The ‘Big 4’ Documentation Projects + 1 new ASVS Developer Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR)
Developer Guide • The First OWASP ‘Guide’ • Complements OWASP Top 10 • 310p Book • Many contributors • Apps and web services • Most platforms • Examples are J2EE, ASP.NET, and PHP • Comprehensive • Project Leader and Editor • Andrew van der Stock, vanderaj@owasp.org
Code Review Guide • Most comprehensive open source secure code review guide on the web • Under development for 3 years • Version 1.1 produced during 2008 Summer of Code • Numerous contributors • But still not complete (may never be )
Testing Guide 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors Appendix D: Encoded Injection http://www.owasp.org/index.php/TestingGuide
Application Security Desk Reference (ASDR) • Basic reference material on application security terminology • Serves as the foundation definition or description of many topics covered by the OWASP Development, Code Review, and Testing Guides, and the ASVS http://www.owasp.org/index.php/ASDR • ASDR Contents • Section 1: Principles • Section 2: Threat Agents • Section 3: Attacks • Section 4: Vulnerabilities • Section 5: Controls • Section 6: Technical Impacts • Section 7: Business Impact
New ‘Cheat Sheet’ Series • XSS Prevention Cheat Sheet • www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet • SQL Injection Prevention Cheat Sheet • http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet • More … ??? • CSRF Prevention (being developed now) • Clickjacking Prevention
XSS Prevention Cheat Sheet #1: &, <, >, " &entity; ', / &#xHH; HTML Element Content • (e.g., <div> some text to display </div> ) #2: All non-alphanumeric < 256 &#xHH HTML Attribute Values • (e.g., <input name='person' type='TEXT' value='defaultValue'> ) #3: All non-alphanumeric < 256 \xHH JavaScript Data (e.g., <script> some javascript</script> ) #4: All non-alphanumeric < 256 \HH HTML Style Property Values • (e.g., .pdiv a:hover {color: red; text-decoration: underline} ) #5: All non-alphanumeric < 256 %HH URI Attribute Values • (e.g., <a href="javascript:toggle('lesson')" ) ALL other contexts CANNOT include Untrusted Data Recommendation: Only allow #1 and #2 and disallow all others See: www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for more details
OWASP Application Security Verification Standard (ASVS) • OWASP’s 1st Standard • Defines 4 Verification Levels • Level 1: Automated Verification • Level 1A: Dynamic Scan • Level 1B: Source Code Scan • Level 2: Manual Verification • Level 2A: Penetration Test • Level 2B: Code Review • Level 3: Design Verification • Level 4: Internal Verification
What Questions Does ASVS Answer? • How can I compare verification efforts? • What security features should be built into the required set of security controls? • What are reasonable increases in coverage and level of rigor when verifying the security of a web application? • How much trust can be placed in a web application?
Requirements & Design Deployment & Operations Verification & Assessment Alignment & Governance Software Assurance Maturity Model (SAMM) • The 4 Disciplines are high-level categories for activities • Three security Functions under each Discipline are the specific silos for improvement within an organization Disciplines Functions
OWASP CLASP • Comprehensive, Lightweight Application Security Process • Prescriptive and Proactive • Centered around 7 AppSec Best Practices • Cover the entire software lifecycle (not just development) • Adaptable to any development process • CLASP defines roles across the SDLC • 24 role-based process components • Start small and dial-in to your needs
OWASP Enterprise Security API (ESAPI) Existing Enterprise Security Services/Libraries
OWASP CSRFGuard 2.0 Business Processing OWASPCSRFGuard Verify Token Add Tokento HTML • Adds token to: • href attribute • src attribute • hidden field in all forms • Actions: • Log • Invalidate • Redirect User (Browser) • http://www.owasp.org/index.php/CSRFGuard
OWASP AntiSamy – Safe Rich Input Validation • AntiSamy • Uses a positive security model for rich input validation • High assurance mechanism against XSS (and phishing) attacks • Java and .NET • Now built into ESAPI xss attack surface (samy) • http://www.owasp.org/index.php/AntiSamy
Live CD • Project that collects some of the best open source security projects in a single environment • http://www.owasp.org/index.php/LiveCD • Users can boot from Live CD and immediately start using all tools without any configuration
Available Tools 25 “significant” tools sqlmap v0.7-rc1 now included!
OWASP Code review tools • Code Crawler • AlessioMarziali • Orizon Framework • Paulo Prego • LAPSE (Inactive) • Ben Livshits (Stanford Project)
Want More ? • OWASP .NET Project • OWASP ASDR Project • OWASP AntiSamy Project • OWASP AppSec FAQ Project • OWASP Application Security Assessment Standards Project • OWASP Application Security Metrics Project • OWASP Application Security Requirements Project • OWASP CAL9000 Project • OWASP CLASP Project • OWASP CSRFGuard Project • OWASP CSRFTester Project • OWASP Career Development Project • OWASP Certification Criteria Project • OWASP Certification Project • OWASP Code Review Project • OWASP Communications Project • OWASP DirBuster Project • OWASP Education Project • OWASP Encoding Project • OWASP Enterprise Security API (ESAPI) • OWASP Flash Security Project • OWASP Guide Project • OWASP Insecure Web App Project • OWASP Interceptor Project • OWASP JBroFuzz • OWASP Java Project • OWASP LAPSE Project • OWASP Legal Project • OWASP Live CD Project • OWASP Logging Project • OWASP Orizon Project • OWASP PHP Project • OWASP Pantera Web Assessment Studio Project • OWASP SASAP Project • OWASP SQLiX Project • OWASP SWAAT Project • OWASP Testing Project • OWASP Tools Project • OWASP Top Ten Project • OWASP Validation Project • OWASP WASS Project • OWASP WSFuzzer Project • OWASP Web Services Security Project • OWASP WebGoat Project • OWASP WebScarab Project • OWASP XML Security Gateway Evaluation Criteria Project • OWASP on the Move Project
Summer of Code: 2008 • OWASP Code review guide, V1.1 • The Ruby on Rails Security Guide v2 • OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool) • Internationalization Guidelines and OWASP-Spanish Project • OWASP Application Security Desk Reference (ASDR) • OWASP .NET Project Leader • OWASP Education Project • OWASP Testing Guide v3 • OWASP Application Security Verification Standard • Online code signing and integrity verification service for open source community (OpenSign Server) • Securing WebGoat using ModSecurity • OWASP Book Cover & Sleeve Design • OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief • OWASP Access Control Rules Tester • OpenPGP Extensions for HTTP - Enigform and mod_openpgp • OWASP-WeBekci Project • OWASP Backend Security Project • OWASP Application Security Tool Benchmarking Environment and Site Generator refresh • Teachable Static Analysis Workbench • OWASP Positive Security Project • GTK+ GUI for w3af project • OWASP Interceptor Project - 2008 Update • Skavenger • SQL Injector Benchmarking Project (SQLiBENCH) • OWASP AppSensor - Detect and Respond to Attacks from Within the Application • OWASP Orizon Project • OWASP Corporate Application Security Rating Guide • OWASP AntiSamy .NET • Python Static Analysis • OWASP Classic ASP Security Project • OWASP Live CD 2008 Project
OWASP Projects Are Alive! 2009 … 2007 2005 2003 2001 36
Get Involved WWW.OWASP.ORG