
OWASP - Where we are… where we are going

OWASP - Where we are… where we are going. Tom Brennan, Dave Wichers, Dinis Cruz (OWASP Board Members). Why was the OWASP Project started?


Presentation Transcript


  1. OWASP - Where we are… where we are going. Tom Brennan, Dave Wichers, Dinis Cruz (OWASP Board Members)

  2. Why was the OWASP Project started?
     • The Open Web Application Security Project was set up in 2001 to build an industry standard framework for testing the security of web applications. We have several main objectives, including to:
       • define the security requirements for secure web applications
       • develop an industry standard web application security testing framework
       • build quality open source tools to support the testing framework
       • define a standard data exchange format to allow commercial, open source and research tools to communicate and interoperate
     • We will be developing the www.owasp.org website into a place where:
       • people can learn about the common security problems that occur with web applications and web services
       • developers and system architects can learn about security requirements to build secure web applications and web services
       • security professionals and developers can learn how to effectively test the security of web applications and web services
       • system owners can learn what to expect of a security company or tool testing their applications
       • security professionals can understand if tools are appropriate and doing what they should be doing
     • <WAYBACK MACHINE OWASP.ORG>

  3. OWASP 2009
     • The Open Web Application Security Project (OWASP Foundation Inc.)
     • Participation in OWASP is free and open to all
     • The vision is a software market that produces code that’s secure enough to rely on. The mission (to achieve that vision) is to make security visible (or transparent) so that software buyers and sellers are on equal footing and market forces can work.
     • International not-for-profit charitable organization funded primarily by volunteers’ time, OWASP Memberships ($50 Individuals, $5k Supporters), and OWASP Conference fees
     • Website: 6,464 registered users, 21,552,771 page views, and 55,941 page edits; 10k members on mailing lists

  4. Governance
     • Principles
       • Free & Open
       • Governed by rough consensus & running code
       • Abide by a code of ethics (see ethics)
       • Not-for-profit
       • Not driven by commercial interests
       • Risk based approach

  5. Code of Ethics
     • Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
     • Promote the implementation of and promote compliance with standards, procedures, controls for application security;
     • Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
     • Discharge professional responsibilities with diligence and honesty;
     • Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association; and
     • Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.
     (Governance)

  6. OWASP Foundation Inc. Governance
     • Volunteer Board (6): Jeff, Dinis, Tom, Dave, Sebastian, <insert>
     • Volunteer Global Committee Members (27) (see next slide)
     • OWASP Employees (3)
     • Local Chapters (140)
     • Projects (50)

  7. Global Committee Governance: (27) Global Leaders, the voice for 7 regions, 140 chapters and their members and users

  8. 2009 Organization Supporters (5000k USD)

  9. 2009 Educational Supporters (Free)

  10. OWASP Projects

  11. OWASP Top 10
     • The Ten Most Critical Web Application Security Vulnerabilities
     • 2007 Release
     • A great start, but not a standard
     • 4th version of the Top 10 (2009) coming soon (target Nov 2009)

  12. OWASP Top Ten (2007 Edition) http://www.owasp.org/index.php/Top_10

  13. The ‘Big 4’ Documentation Projects + 1 new (ASVS)
     • Developer Guide
     • Code Review Guide
     • Testing Guide
     • Application Security Desk Reference (ASDR)
     • ASVS

  14. Developer Guide
     • The First OWASP ‘Guide’
     • Complements OWASP Top 10
     • 310p Book
     • Many contributors
     • Apps and web services
     • Most platforms
       • Examples are J2EE, ASP.NET, and PHP
     • Comprehensive
     • Project Leader and Editor: Andrew van der Stock, vanderaj@owasp.org

  15. Code Review Guide
     • Most comprehensive open source secure code review guide on the web
     • Under development for 3 years
     • Version 1.1 produced during 2008 Summer of Code
     • Numerous contributors
     • But still not complete (may never be)

  16. Testing Guide
     1. Frontispiece
     2. Introduction
     3. The OWASP Testing Framework
     4. Web Application Penetration Testing
     5. Writing Reports: value the real risk
     Appendix A: Testing Tools
     Appendix B: Suggested Reading
     Appendix C: Fuzz Vectors
     Appendix D: Encoded Injection
     http://www.owasp.org/index.php/TestingGuide

  17. Application Security Desk Reference (ASDR)
     • Basic reference material on application security terminology
     • Serves as the foundation definition or description of many topics covered by the OWASP Development, Code Review, and Testing Guides, and the ASVS
     • http://www.owasp.org/index.php/ASDR
     • ASDR Contents
       • Section 1: Principles
       • Section 2: Threat Agents
       • Section 3: Attacks
       • Section 4: Vulnerabilities
       • Section 5: Controls
       • Section 6: Technical Impacts
       • Section 7: Business Impact

  18. New ‘Cheat Sheet’ Series
     • XSS Prevention Cheat Sheet
       • www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
     • SQL Injection Prevention Cheat Sheet
       • http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
     • More … ???
       • CSRF Prevention (being developed now)
       • Clickjacking Prevention

  19. XSS Prevention Cheat Sheet
     • #1: HTML Element Content (e.g., <div> some text to display </div>): &, <, >, " → &entity; and ', / → &#xHH;
     • #2: HTML Attribute Values (e.g., <input name='person' type='TEXT' value='defaultValue'>): all non-alphanumeric < 256 → &#xHH;
     • #3: JavaScript Data (e.g., <script> some javascript </script>): all non-alphanumeric < 256 → \xHH
     • #4: HTML Style Property Values (e.g., .pdiv a:hover {color: red; text-decoration: underline}): all non-alphanumeric < 256 → \HH
     • #5: URI Attribute Values (e.g., <a href="javascript:toggle('lesson')">): all non-alphanumeric < 256 → %HH
     • ALL other contexts CANNOT include untrusted data
     • Recommendation: only allow #1 and #2 and disallow all others
     • See: www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for more details
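Rules #1 and #2 from the cheat sheet slide, written out as output encoders, together with the slide's recommendation to refuse untrusted data in every other context. This is an added example, not code from the slides or from the cheat sheet; the function names and the `html_content` / `html_attribute` context labels are this example's own.

```python
# Added example (not from the OWASP slides or the cheat sheet itself):
# output encoders for contexts #1 and #2 of the XSS Prevention Cheat Sheet.
# Function names and the `context` labels are this example's own.

def encode_for_html_content(s: str) -> str:
    """Rule #1, HTML element content: &, <, >, " -> named entity;
    ' and / -> &#xHH; (numeric entity)."""
    named = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
    out = []
    for ch in s:
        if ch in named:
            out.append(named[ch])
        elif ch in "'/":
            out.append("&#x%02X;" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def encode_for_html_attribute(s: str) -> str:
    """Rule #2, HTML attribute values: every non-alphanumeric character
    below 256 -> &#xHH;. 'Alphanumeric' is read as ASCII [A-Za-z0-9], so
    accented Latin-1 letters are encoded too; code points >= 256 pass."""
    out = []
    for ch in s:
        cp = ord(ch)
        if cp >= 256 or (cp < 128 and ch.isalnum()):
            out.append(ch)
        else:
            out.append("&#x%02X;" % cp)
    return "".join(out)


def put_untrusted(data: str, context: str) -> str:
    """The slide's recommendation: untrusted data may only land in
    contexts #1 and #2; every other context is refused outright."""
    if context == "html_content":
        return encode_for_html_content(data)
    if context == "html_attribute":
        return encode_for_html_attribute(data)
    raise ValueError("untrusted data not allowed in context %r" % context)


if __name__ == "__main__":
    tainted = '"><script>alert(1)</script>'  # constructed sample input
    print("<div>" + put_untrusted(tainted, "html_content") + "</div>")
    print("<input value='" + put_untrusted(tainted, "html_attribute") + "'>")
```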

  20. OWASP Application Security Verification Standard (ASVS)
     • OWASP’s 1st Standard
     • Defines 4 Verification Levels
       • Level 1: Automated Verification
         • Level 1A: Dynamic Scan
         • Level 1B: Source Code Scan
       • Level 2: Manual Verification
         • Level 2A: Penetration Test
         • Level 2B: Code Review
       • Level 3: Design Verification
       • Level 4: Internal Verification

  21. What Questions Does ASVS Answer?
     • How can I compare verification efforts?
     • What security features should be built into the required set of security controls?
     • What are reasonable increases in coverage and level of rigor when verifying the security of a web application?
     • How much trust can be placed in a web application?

  22. Software Assurance Maturity Model (SAMM)
     • Disciplines: Alignment & Governance, Requirements & Design, Verification & Assessment, Deployment & Operations
     • The 4 Disciplines are high-level categories for activities
     • Three security Functions under each Discipline are the specific silos for improvement within an organization

  23. OWASP CLASP
     • Comprehensive, Lightweight Application Security Process
     • Prescriptive and Proactive
     • Centered around 7 AppSec Best Practices
     • Cover the entire software lifecycle (not just development)
     • Adaptable to any development process
     • CLASP defines roles across the SDLC
     • 24 role-based process components
     • Start small and dial-in to your needs

  24. OWASP Tools and Technology

  25. OWASP WebGoat – 5.2

  26. OWASP WebScarab – WebScarab-NG – New Proxy Engine

  27. OWASP Enterprise Security API (ESAPI) (diagram: ESAPI layered over existing enterprise security services/libraries)

  28. OWASP CSRFGuard 2.0
     • (diagram) User (Browser) → OWASP CSRFGuard [Verify Token / Add Token to HTML] → Business Processing
     • Adds token to:
       • href attribute
       • src attribute
       • hidden field in all forms
     • Actions:
       • Log
       • Invalidate
       • Redirect
     • http://www.owasp.org/index.php/CSRFGuard
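The token flow the CSRFGuard slide describes (add a per-session token to href and src attributes and to a hidden field in every form; verify it on each request; log, invalidate or redirect when it is missing or wrong), modelled here as an added Python example that is not CSRFGuard's own code. The parameter name `OWASP_CSRFTOKEN`, the in-memory session token and the action labels are assumptions; the example also goes one step beyond the slide by leaving external (absolute) URLs untouched so the token is never sent to another host.

```python
# Added example (not CSRFGuard's own code): the token flow described on the
# slide, modelled in Python. The parameter name, the session store and the
# action labels are assumptions made for this example.
import hmac
import re
import secrets

TOKEN_PARAM = "OWASP_CSRFTOKEN"  # assumed request parameter name


def new_session_token() -> str:
    """One unguessable token per session, stored server-side."""
    return secrets.token_urlsafe(32)


def add_token_to_html(html: str, token: str) -> str:
    """Add the token to href and src attributes and as a hidden field in
    every form, as the slide lists. Only same-site (relative) URLs get the
    token so it is never sent to a third-party host."""
    def tag_url(m):
        attr, url = m.group(1), m.group(2)
        if "://" in url or url.startswith("//"):
            return m.group(0)           # external link: leave untouched
        sep = "&" if "?" in url else "?"
        return '%s="%s%s%s=%s"' % (attr, url, sep, TOKEN_PARAM, token)
    html = re.sub(r'\b(href|src)="([^"]*)"', tag_url, html)
    hidden = '<input type="hidden" name="%s" value="%s">' % (TOKEN_PARAM, token)
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + hidden, html)


def verify_token(session_token: str, params: dict) -> bool:
    """Compare the submitted token with the session's in constant time."""
    submitted = str(params.get(TOKEN_PARAM, ""))
    return hmac.compare_digest(submitted.encode(), session_token.encode())


def handle_request(session_token: str, params: dict, action: str = "redirect"):
    """Return ("ok", None) on a valid token; otherwise ("blocked", action),
    where action is one of the slide's options: log, invalidate, redirect."""
    if verify_token(session_token, params):
        return ("ok", None)
    return ("blocked", action)


if __name__ == "__main__":
    tok = new_session_token()
    page = '<form action="/pay"></form><a href="/pay?to=1">pay</a>'  # constructed
    print(add_token_to_html(page, tok))
    print(handle_request(tok, {}))  # no token -> ("blocked", "redirect")
```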

  29. OWASP CSRFTester

  30. OWASP AntiSamy – Safe Rich Input Validation
     • AntiSamy
       • Uses a positive security model for rich input validation
       • High assurance mechanism against XSS (and phishing) attacks
       • Java and .NET
       • Now built into ESAPI
     • (figure: XSS attack surface, “samy”)
     • http://www.owasp.org/index.php/AntiSamy

  31. Live CD
     • Project that collects some of the best open source security projects in a single environment
     • http://www.owasp.org/index.php/LiveCD
     • Users can boot from the Live CD and immediately start using all tools without any configuration

  32. Available Tools: 25 “significant” tools; sqlmap v0.7-rc1 now included!

  33. OWASP Code review tools
     • Code Crawler – Alessio Marziali
     • Orizon Framework – Paolo Perego
     • LAPSE (Inactive) – Ben Livshits (Stanford Project)

  34. Want More?
     • OWASP .NET Project
     • OWASP ASDR Project
     • OWASP AntiSamy Project
     • OWASP AppSec FAQ Project
     • OWASP Application Security Assessment Standards Project
     • OWASP Application Security Metrics Project
     • OWASP Application Security Requirements Project
     • OWASP CAL9000 Project
     • OWASP CLASP Project
     • OWASP CSRFGuard Project
     • OWASP CSRFTester Project
     • OWASP Career Development Project
     • OWASP Certification Criteria Project
     • OWASP Certification Project
     • OWASP Code Review Project
     • OWASP Communications Project
     • OWASP DirBuster Project
     • OWASP Education Project
     • OWASP Encoding Project
     • OWASP Enterprise Security API (ESAPI)
     • OWASP Flash Security Project
     • OWASP Guide Project
     • OWASP Insecure Web App Project
     • OWASP Interceptor Project
     • OWASP JBroFuzz
     • OWASP Java Project
     • OWASP LAPSE Project
     • OWASP Legal Project
     • OWASP Live CD Project
     • OWASP Logging Project
     • OWASP Orizon Project
     • OWASP PHP Project
     • OWASP Pantera Web Assessment Studio Project
     • OWASP SASAP Project
     • OWASP SQLiX Project
     • OWASP SWAAT Project
     • OWASP Testing Project
     • OWASP Tools Project
     • OWASP Top Ten Project
     • OWASP Validation Project
     • OWASP WASS Project
     • OWASP WSFuzzer Project
     • OWASP Web Services Security Project
     • OWASP WebGoat Project
     • OWASP WebScarab Project
     • OWASP XML Security Gateway Evaluation Criteria Project
     • OWASP on the Move Project

  35. Summer of Code: 2008
     • OWASP Code review guide, V1.1
     • The Ruby on Rails Security Guide v2
     • OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)
     • Internationalization Guidelines and OWASP-Spanish Project
     • OWASP Application Security Desk Reference (ASDR)
     • OWASP .NET Project Leader
     • OWASP Education Project
     • OWASP Testing Guide v3
     • OWASP Application Security Verification Standard
     • Online code signing and integrity verification service for open source community (OpenSign Server)
     • Securing WebGoat using ModSecurity
     • OWASP Book Cover & Sleeve Design
     • OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief
     • OWASP Access Control Rules Tester
     • OpenPGP Extensions for HTTP - Enigform and mod_openpgp
     • OWASP-WeBekci Project
     • OWASP Backend Security Project
     • OWASP Application Security Tool Benchmarking Environment and Site Generator refresh
     • Teachable Static Analysis Workbench
     • OWASP Positive Security Project
     • GTK+ GUI for w3af project
     • OWASP Interceptor Project - 2008 Update
     • Skavenger
     • SQL Injector Benchmarking Project (SQLiBENCH)
     • OWASP AppSensor - Detect and Respond to Attacks from Within the Application
     • OWASP Orizon Project
     • OWASP Corporate Application Security Rating Guide
     • OWASP AntiSamy .NET
     • Python Static Analysis
     • OWASP Classic ASP Security Project
     • OWASP Live CD 2008 Project

  36. OWASP Projects Are Alive! (timeline: 2001, 2003, 2005, 2007, 2009 …)

  37. Get Involved WWW.OWASP.ORG
