Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP AppSec Europe May Conference Wrapup and Projects’ Status Report Dave Wichers, OWASP Conferences Chair Aspect Security
OWASP AppSec Europe So How Was the Conference? Did you like: The tutorials? The panels? The refereed papers? Multiple tracks? Suggestions? Where should it be next time? Paris, Rome, Munich, ????
OWASP AppSec Europe What do YOU want out of OWASP? Mission: (Just updated on new Wiki) The Open Web Application Security Project (OWASP) is dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. What (else) do we need to accomplish this mission?
OWASP AppSec Europe Main OWASP Projects OWASP Top Ten: lead: Jeff Williams OWASP Guide: lead: Andrew Van Der Stock OWASP Testing Guide: lead: Eion Keary OWASP.NET: lead: Dinis Cruz Many Subprojects (see later slide) OWASP WebGoat: lead: Bruce Mayhew OWASP WebScarab: lead: Rogan Dawes OWASP WASS Project (NEW!!): lead: Mike Andrews OWASP CLASP (NEW!!): lead: Pravir Chandra
OWASP AppSec Europe OWASP Top Ten Most Critical Web Application Security Vulnerabilities Purpose: Generate Awareness of Most Critical Web Application Security Vulnerabilities Published: Jan 2003, updated Jan 2004 Translated into Chinese, French, Italian, Japanese, and Spanish Adopted by many companies and organizations Such as the Payment Card Industry (PCI) Standard Still accurate but probably deserves an update at this point
OWASP AppSec Europe OWASP Guide to Building Secure Web Applications Purpose: To help designers and developers produce secure web applications Published: V1 released in 2002 V2.0 released July 2005 (293 pp.) V2.1 release targeted for late 2006 as a book, and available in the new OWASP Wiki Usage: V1 downloaded over 2 Million times
OWASP AppSec Europe OWASP Testing Project OWASP Testing Guide 60% done, broad range of areas covered. Techniques include: Application Penetration Testing Application Code Analysis More to be done. Needs authors and reviewers. Finished? First cut: End of the Summer (I hope). OWASP “Live CD” Goal: Application testing toolkit “In your pocket”. Contains OWASP Tools, to include.NET tools Shall include indexable HTML version of the Testing GUIDE. Shall include other commonly used freeware tools. Beta Built: To be hosted as ISO image on owasp.net.
OWASP AppSec Europe OWASP.NET Project Hosted at OWASP Site Generator Generates flawed sample apps to test tools against OWASP Validator.NET Partial port of ModSecurity to.Net platform Other.Net alpha/beta projects Beretta, ANBS, SAM’SHE, ASP.NET Reflector,.NetMon
OWASP AppSec Europe OWASP WebGoat Purpose: Teach application security principles to developers and analysts Published: V1.0 released in Oct 2002 V4.0 released May 2006 Usage: Downloaded almost 100,000 times - One of the most widely used OWASP Tools
OWASP AppSec Europe OWASP WebGoat Overview Deliberately insecure J2EE web application Download, unzip and click to run Teaches application security principles Access control SQL injection Authentication & session management Input validation Many more … Training environment Hands-on learning for developers and analysts
OWASP AppSec Europe Version 4.0 A Complete Rewrite (almost)
OWASP AppSec Europe WebGoat 4.0 Released New Multi-Stage Lessons Role based access control SQL injection Cross-site scripting Updated Architecture Uses JSPs Simple front controller Multi-stage lesson support New user guide Multi-user environment
OWASP AppSec Europe WebGoat Wants Your Ideas! Is WebGoat part of your training environment? What features or lessons do you need? How can you get involved? Lessons needed Forced browsing Denial of service Admin interfaces Privilege escalation Better lesson plans Send your comments, ideas, suggestions to:
OWASP AppSec Europe OWASP WebScarab Purpose: To help test web applications. It is a scriptable proxy and framework that allows a tester to view and modify any traffic between a web client (browser) and a target web application. Other features: Spider, Fuzzer, Session ID graphing Highly Scriptable Web Services interface Published: First released: late 90‘s before OWASP with different name – Moved to OWASP in July 2003 – Continuous incremental releases since then (simply dated, no version numbers) Usage: Downloaded over 30,000 times – One of most widely used OWASP tools
OWASP AppSec Europe What does WebScarab do? Allows user to view HTTP(S) conversations between browser and server Allows user to review/save those conversations Allows user to intercept and modify on the fly Allows user to replay previous requests Allows user to script conversations with full access to the the request and response object models And much more!
OWASP AppSec Europe WebScarab Recent Activities Bug-fixes, mostly, some UI changes New plugins Extensions – brute forces common extensions E.g. -> index.jsp.bak? E.g. -> images.zip? XSS tester – in progress “Next Generation” in development Using Spring Framework and Spring Rich Client DB backed Not likely anytime soon...
OWASP AppSec Europe OWASP WASS Project (New!) Purpose (Web Application Security Standards Project) Create a minimum set of specific, testable, security requirements for a web application to safely process credit card information. The VISA Cardholder Information Security Program (CISP) / Payment Card Industry (PCI) standards address network security but have very little on web application security. Status: Initial strawman set of requirements developed and available for review Needed: Contributors and Reviewers
OWASP AppSec Europe OWASP CLASP Project (New!) Purpose: Provide software development organizations everything they need to develop their own secure development lifecycle. Status: CLASP developed by Secure Software and just donated to OWASP. In the process of moving all of CLASP into the new OWASP Wiki. Needed: Complete transition to the OWASP Wiki and the focus on developing new materials that expand the process activities and show how they fit into the entire software development lifecycle.