OWASP in favor of a more secure world

OWASP in favor of a more secure world Porto Alegre Chapter OWASP in favor of a more secure world L. GUSTAVO. C. BARBATO, Ph.D. lgbarbato@owasp.org Chapter Leader, OWASP Porto Alegre / Brazil Member, Global Chapter Committee Porto Alegre Chapter Meeting 03/31/2011 UNISINOS –São Leopoldo

Introduction

OWASP (Open Web Application Security Project)
OWASP is an international organization, and the OWASP Foundation supports OWASP efforts around the world.
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
http://www.owasp.org/index.php/About_OWASP

Knowledge base (timeline chart: growth of the OWASP knowledge base from 2001 to 2011, in two-year steps)
http://www.owasp.org

History
OWASP was started on September 9, 2001 by Mark Curphey and Dennis Groves.
Since late 2003, Jeff Williams has served as the volunteer Chair of OWASP.
The OWASP Foundation, a 501(c)(3) organization (in the USA), was established in 2004.
Thousands of individual members; nowadays the OWASP Foundation has over 80 active local chapters and only 3 employees.
http://en.wikipedia.org/wiki/OWASP

Ecosystem
Volunteers provide:
- Knowledge sharing
- People/Project leadership
- Event presentations
- Administration
Sustained by:
- Conferences
- Individual supporters (annually)
- Banner advertisements
- Corporate sponsors
http://www.owasp.org/images/0/0d/OWASP_ByLaws.pdf

Structure

OWASP Board
- Jeff Williams - USA, jeff.williams@owasp.org
- Sebastien Deleersnyder - Belgium, seba@owasp.org
- Tom Brennan - USA, tomb@owasp.org
- Eoin Keary - Ireland, Eoin.Keary@owasp.org
- Dave Wichers - USA, dave.wichers@owasp.org
- Matt Tesauro - USA, Matt.Tesauro@owasp.org
http://www.owasp.org/index.php/Contact

Global Committees http://www.owasp.org/index.php/Global_Committee_Pages

Local Chapters
Hundreds of local chapters, but only around 80 are active.
Chapters in Brazil (http://www.owasp.org/index.php/Category:Brasil): Porto Alegre, Curitiba, São Paulo, Campinas, Brasília, Goiania, Recife, Paraíba
http://www.owasp.org/index.php/Category:OWASP_Chapter

Organization Supporters http://www.owasp.org/index.php/Membership

Projects

Resources
http://www.owasp.org/index.php/Category:OWASP_Project
Project categories (tools and documents grouped by the need they serve):
- Automated Security Verification: Vulnerability Scanners, Static Analysis Tools, Fuzzing
- Manual Security Verification: Penetration Testing Tools, Code Review Tools
- Security Architecture: ESAPI
- Secure Coding: AppSec Libraries, ESAPI Reference Implementation, Guards and Filters
- AppSec Management: Reporting Tools
- AppSec Education: Flawed Apps, Learning Environments, Live CD, SiteGenerator
http://www.owasp.org/index.php/Category:OWASP_Project

OWASP Top Ten 2010
http://www.owasp.org/index.php/Top_10
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Failure to Restrict URL Access
- A8: Insecure Cryptographic Storage
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
http://www.owasp.org/index.php/Top_10

ESAPI (Enterprise Security API)
Architecture diagram: your Custom Enterprise Web Application calls the OWASP Enterprise Security API, which in turn wraps Your Existing Enterprise Services or Libraries.
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
http://www.owasp.org/index.php/ESAPI

SAMM (Software Assurance Maturity Model) http://www.owasp.org/index.php/Software_Assurance_Maturity_Model

CLASP (Comprehensive, Lightweight, Application Security Process) http://www.owasp.org/index.php/OWASP_CLASP_Project

ASVS (Application Security Verification Standard) http://www.owasp.org/index.php/ASVS

OWASP Testing Guide http://www.owasp.org/index.php/OWASP_Testing_Project

WebScarab http://www.owasp.org/index.php/OWASP_WebScarab

WebGoat http://www.owasp.org/index.php/OWASP_WebGoat_Project

OWASP Live CD http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

ModSecurity Core Rule Set Project
Supports any type of parameter: POST, GET or any other.

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
"(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:… … … \
"capture,log,deny,t:replaceComments,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950001',severity:'2'"

- Every SQL injection related keyword is checked.
- Common evasion techniques are mitigated.
- SQL comments are compensated for.
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
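The rule's transformation chain (replaceComments, urlDecodeUni, htmlEntityDecode, lowercase) followed by a signature match, as an added Python illustration that is not part of the original slides or of the CRS project; the regex is a constructed, heavily reduced stand-in for signature 950001 and the request parameters are constructed samples.

```python
import html
import re
from urllib.parse import unquote

# Stand-ins for the rule's transformations, applied in the order the rule
# lists them; each one strips an evasion layer before the signature runs.
def replace_comments(text: str) -> str:
    # ModSecurity's replaceComments turns every /* ... */ block into one space,
    # so "UNION/**/SELECT" becomes "UNION SELECT".
    return re.sub(r"/\*.*?\*/", " ", text, flags=re.S)

def normalize(text: str) -> str:
    text = replace_comments(text)   # t:replaceComments
    text = unquote(text)            # t:urlDecodeUni (ASCII %XX subset; %uXXXX not handled here)
    text = html.unescape(text)      # t:htmlEntityDecode
    return text.lower()             # t:lowercase, so the signature can ignore case

# Constructed, heavily reduced stand-in for the 950001 signature: only the
# "select ... from" and "union ... select" fragments, not the full keyword list.
SQLI_SIGNATURE = re.compile(r"\b(?:select\b.{1,100}?\bfrom\b|union\b.{1,100}?\bselect\b)")

def check_args(args: dict) -> list:
    """Mirror the ARGS|ARGS_NAMES targets: test each parameter name and value,
    returning (parameter, matched_fragment) per hit (the fragment is the rule's TX.0)."""
    hits = []
    for name, value in args.items():
        for candidate in (name, value):
            match = SQLI_SIGNATURE.search(normalize(candidate))
            if match:
                hits.append((name, match.group(0)))
    return hits

if __name__ == "__main__":
    # Constructed request parameters: three evasion styles and one benign value.
    sample = {
        "id": "1 UNION/**/SELECT password FROM users",  # inline comment as separator
        "q": "sel%65ct%20*%20from",                      # URL-encoded keyword
        "name": "SeLeCt&#32;1&#32;FROM&#32;dual",        # HTML entities and mixed case
        "page": "select your favourite",                 # keyword alone does not match
    }
    for param, fragment in check_args(sample):
        print(f"SQL Injection Attack. Matched signature <{fragment}> in {param}")
```

Without the normalization step, the first three values would slip past a plain lowercase keyword match; the fourth shows why the signature requires keyword context rather than a single word.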

Books http://stores.lulu.com/owasp

Conferences

Global AppSec Europe (June 6, 2011 - June 10, 2011) http://www.owasp.org/index.php/AppSecEU2011

Global AppSec North America (Sept. 20, 2011 - Sept. 23, 2011) http://www.appsecusa.org

Global AppSec Asia (Nov. 3, 2011 - Nov. 5, 2011) http://www.owasp.org/index.php/China_AppSec_2011

Global AppSec Latin America (Oct. 4, 2011 - Oct. 7, 2011) http://www.appseclatam.org

How to participate?

How to participate?
http://www.owasp.org/index.php/Porto_Alegre
- Papers, wiki
- Mailing lists
- Projects: proposing new ones, testing existing ones, giving feedback
- Translations
- Presentations
- Contributing annually (US$ 50): http://www.regonline.com/owasp_membership

Questions ???

References
Decks used to create this one:
- http://www.owasp.org/images/b/b4/OWASP-Intro-2008-pt-br.ppt
- https://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
- http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt
- http://www.owasp.org/images/7/71/About_OWASP_ASVS.ppt
- https://www.owasp.org/images/8/88/OWASP_EU_Summit_2008_WebScarab_treasures.ppt
- http://www.opensamm.org/downloads/resources/OpenSAMM-1.0.ppt
- http://www.owasp.org/images/a/ac/CLASPOverviewPresentation20080807NickCoblentz.ppt
- http://www.owasp.org/images/4/46/AppSecEU09_OWASP_Live_CD-mtesauro.ppt
- http://www.owasp.org/images/2/21/OWASPAppSec2007Milan_ModSecurityCoreRuleSet.ppt