1 / 20

Tour of OWASP Projects

Tour of OWASP Projects. Jason Li jason.li@owasp.org. AppSec India Conference August 20 th , 2008. About Me. Senior Application Security Engineer, Aspect Security OWASP Involvement: OWASP AntiSamy Core Developer OWASP JSP Testing Tool Project Lead. Talk Outline. OWASP Project Structure

yoland
Download Presentation

Tour of OWASP Projects

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tour of OWASP Projects Jason Li jason.li@owasp.org AppSec India Conference August 20th, 2008

  2. About Me • Senior Application Security Engineer,Aspect Security • OWASP Involvement: • OWASP AntiSamy Core Developer • OWASP JSP Testing Tool Project Lead

  3. Talk Outline • OWASP Project Structure • OWASP Seasons of Code • Brief Overview of Selected OWASP Projects • Discussion of Validating Rich User Content Using OWASP AntiSamy

  4. OWASP Project Structure • Projects divided into two categories: • Tools • Documentation • Projects are free and open source • Projects have a designated project leader, mailing list, and documentation page • Projects have rated criteria assessments

  5. OWASP Project Assessment Criteria • Alpha Quality Tools & Documentation • Approved open source license • Code repository at GoogleCode or SourceForge (tools) • Article content in OWASP Wiki (documentation) • Project page with purpose, roadmap, and mailing list • Reviewed by at least one community member

  6. OWASP Project Assessment Criteria (cont) • Beta Quality Tools: • All alpha criteria • Easy to use installer • User documentation • Build instructions • Reviewed by at least two community members • Beta Quality Documentation: • All alpha criteria • Sufficiently complete • Reviewed for grammar, correctness, etc • Reviewed by at least two community members

  7. OWASP Project Assessment Criteria • Release Quality Tools: • All Beta Criteria • Complete online documentation • Public bug tracking system • Passes static analysis tools • Additionally reviewed by one board member • Release Quality Documentation: • All Beta Criteria • Reviewed against OWASP Writing Style guide • Documentation is made print-ready (long docs only) • Additionally reviewed by one board member

  8. OWASP Seasons of Code • Goal is to sponsor projects that are innovative and beneficial to the security community at large • Past Seasons of Code • Autumn of Code 2006 • $20,000 budget • 8 projects sponsored • Spring of Code 2007 • $117,500 budget • 21 projects sponsored

  9. OWASP Seasons of Code (cont) • Summer of Code 2008 • $126,000 budget • 31 projects sponsored including: • AppSensor • Teachable Static Analysis Workbench • XML/WS Testing Tool • Positive Security Project • JSP TagLib Tester • Online Code Signing Service • Access Control Rules Tester • Projects to be presented at OWASP EU Summit 2008

  10. Brief Overview of Selected OWASP Projects • Top Ten • Guides • WebGoat • WebScarab • ESAPI

  11. OWASP Top Ten • Awareness document that describes the top ten web application security vulnerabilities

  12. OWASP Guides • Several Guides available: • Application Security Desk Reference (beta)http://www.owasp.org/index.php/Category:OWASP_ASDR_Project • Code Review Guide (beta)http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project • Developer’s Guidehttp://www.owasp.org/index.php/Category:OWASP_Guide_Project • Testing Guidehttp://www.owasp.org/index.php/Category:OWASP_Testing_Project • Many more... • All guides available free from OWASP website • Many guides available in PDFs or print form

  13. OWASP Guides (cont) • Print versions available from:http://stores.lulu.com/owasp • Books are sold at cost • No profit is made by OWASP through these sales • For more info, see:http://www.owasp.org/index.php/Category:OWASP_Books

  14. OWASP WebGoat • Online training environment for hands-on learning about application security

  15. OWASP WebGoat (cont) • Deliberately insecure Java EE web application • Built-in lesson plans, exercises and hints • Extensive documentation and solutions available • Actively updated with new exercises • OWASP Release Quality Project

  16. OWASP WebScarab • Tool for performing all types of security testing on web applications and web services

  17. OWASP WebScarab (cont) • Security tools include: • HTTP/HTTPS intercepting proxy • Session ID Analysis • Parameter Fuzzer • Transcoder • Web Service testing • BeanShell scripting • Actively maintained by Rogan Dawes • OWASP Release Quality Project

  18. OWASP Enterprise Security API (ESAPI) • Free and open collection of all the security methods that a developer needs to build a secure web application.

  19. OWASP ESAPI (cont) • Provides common, consistent interface to security related mechanisms and functions • Saves development time, adds security and simplifies code review • Includes reference Java implementation • Actively maintained by Jeff Williams • Beta Quality Project

  20. Questions?

More Related