OWASP Overview
Germany 2008 Conference
Sebastien Deleersnyder, OWASP Board
CISSP, CISA, CISM
November 2008
Who Am I?
- 5 years developer experience
- 8 years information security experience
- Lead application security, Telindus, Belgacom ICT (Belgium)
- Belgian OWASP chapter founder
- OWASP board member
www.owasp.org
Agenda
- OWASP Introduction
- OWASP Project Parade
- OWASP Near You?
Get an idea of the audience: InfoSec consultants? Developers? Industry? Finance?
The Open Web Application Security Project (OWASP)
- International not-for-profit charitable open source organization
- Funded primarily by volunteers' time, OWASP memberships, and OWASP conference fees
- Participation in OWASP is free and open to all
OWASP Mission
To make application security "visible," so that people and organizations can make informed decisions about application security risks.
OWASP Resources and Community
- Documentation (Wiki and Books): Code Review, Testing, Building, Legal, more ...
- Code Projects: Defensive, Offensive (test tools), Education, Process, more ...
- Chapters: over 130 and growing
- Conferences: major and minor events all around the world
www.owasp.org
130+ Chapters Worldwide
OWASP Conferences (2008-2009)
- Australia (Justin Derry): Gold Coast, 2008 (shown as Feb 2008 on the slide, 29-31 March in the notes); similar time next year
- Europe (Sebastien Deleersnyder): Brussels, May 19-22, 2008; Kraków, Poland, May 2009
- India (Dhruv Soi, Puneet Mehta): Aug 2008
- Israel (Ofer Shezaf): Sep 2008
- U.S.: NYC, Sep 2008 (Tom Brennan); Minnesota, Oct 2008; Denver, spring 2009; 2009 probably San Jose, hopefully at eBay again
- Taiwan (Wayne Huang): Oct 2008
- Germany: Nov 2008
- OWASP Summit (Paulo Coimbra / Dinis Cruz): Portugal, Nov 2008
OWASP Summit Portugal: 2009 Focus
- 80+ application security experts from 20+ countries
- New free tools and guidance (Season of Code 2008, SoC08)
- New outreach program: technology vendors, framework providers, and standards bodies
- New program to provide free one-day seminars at universities and developer conferences worldwide
- New global committee structure: Education, Chapter, Conferences, Industry, Projects and Tools, Membership
Agenda
- OWASP Introduction
- OWASP Project Parade
- OWASP Near You?
OWASP Projects: Improve Quality and Support
- Define criteria for quality levels: Alpha, Beta, Release
- Encourage increased quality through Season of Code funding and support
- Produce professional OWASP books
- Provide support:
  - Full-time executive director (Kate Hartmann)
  - Full-time project manager (Paulo Coimbra)
  - Half-time technical editor (Kirsten Sitnick)
  - Half-time financial support (Alison Shrader)
  - Looking to add programmers (interns and professionals)
OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities (2007 Release)
A great start, but not a standard.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities, a great start to your secure coding program.

Security is not a one-time event. It is insufficient to secure your code just once. By 2008, this Top 10 will have changed, and without changing a line of your application's code, you may be vulnerable. Please review the advice in "Where to go from here" for more information.

A secure coding initiative must deal with all stages of a program's lifecycle. Secure web applications are only possible when a secure SDLC is used. Secure programs are secure by design, during development, and by default. There are at least 300 issues that affect the overall security of a web application. These 300+ issues are detailed in the OWASP Guide, which is essential reading for anyone developing web applications today.

This document is first and foremost an education piece, not a standard. Please do not adopt this document as a policy or standard without talking to us first! If you need a secure coding policy or standard, OWASP has secure coding policies and standards projects in progress.
Key Application Security Vulnerabilities (OWASP Top 10 2007)
A1: Cross Site Scripting (XSS)
A2: Injection Flaws
A3: Malicious File Execution
A4: Insecure Direct Object Reference
A5: Cross Site Request Forgery (CSRF)
A6: Information Leakage and Improper Error Handling
A7: Broken Authentication and Session Management
A8: Insecure Cryptographic Storage
A9: Insecure Communications
A10: Failure to Restrict URL Access
Based on vulnerability data from 2006. But it got worse.
www.owasp.org/index.php?title=Top_10_2007
The 'Big 4' Documentation Projects
- Building Guide
- Code Review Guide
- Testing Guide
- Application Security Desk Reference (ASDR)
The ASDR defines all the issues and provides basic guidance. Each of the guides then provides detailed information on how to deal with that issue from the perspective of that guide.
The Guide
- Complements the OWASP Top 10
- 310-page book
- Free and open source (GNU Free Documentation License)
- Many contributors
- Apps and web services
- Most platforms; examples are J2EE, ASP.NET, and PHP
- Comprehensive
Project Leader and Editor: Andrew van der Stock, vanderaj@owasp.org
Uses of the Guide
- Developers: guidance on implementing security mechanisms and avoiding vulnerabilities
- Project Managers: identifying activities (threat modeling, code review, penetration testing) that need to occur
- Security Teams: structuring evaluations, learning about application security, remediation approaches
Each Topic Includes
- Basic information (like the OWASP Top 10): How to Determine If You Are Vulnerable; How to Protect Yourself
- Adds: Objectives, Environments Affected, Relevant COBIT Topics, Theory, Best Practices, Misconceptions, Code Snippets
Testing Guide v2: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
What Is the OWASP Testing Guide?
- Testing Principles; Testing Process; Custom Web Applications; Black Box Testing; Grey Box Testing; Risk and Reporting
- Appendices: Testing Tools; Fuzz Vectors
- Test categories: Information Gathering, Business Logic Testing, Authentication Testing, Session Management Testing, Data Validation Testing, Denial of Service Testing, Web Services Testing, Ajax Testing

The Guide contents: a series of articles on the most common web application security problems, with some process information, but not much. The world desperately needs a body of knowledge on application security. One important piece of this body of knowledge is about application security testing.
SoC08: Testing Guide version 3
- Improves version 2: 9 articles improved
- Total of 10 testing categories and 66 controls
- New sections and controls: Configuration Management, Authorization Testing
- 36 new articles
- New Encoded Injection appendix
How the Guide Helps the Security Industry
Testers:
- A structured approach to the testing activities
- A checklist to be followed
- A learning and training tool
Organisations:
- A tool to understand web vulnerabilities and their impact
- A way to check the quality of security tests
More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the testing groups and their 'customers'. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security of our applications.
Tools
http://www.owasp.org/index.php/Phoenix/Tools
Best known OWASP tools: WebGoat, WebScarab
Remember: a fool with a tool is still a fool.
Tools: At Best 45%
MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE). They found very little overlap between tools, so to reach 45% you would need all of them (assuming their claims are true).
OWASP WebGoat WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
OWASP WebScarab WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
OWASP CSRFTester
Just when developers are starting to run in circles over Cross Site Scripting, the 'sleeping giant' awakes for yet another web catastrophe. Cross-Site Request Forgery (CSRF) is an attack whereby the victim is tricked into loading information from or submitting information to a web application for which they are currently authenticated. The problem is that the web application has no means of verifying that the user intended the request: the browser attaches the session cookie to a request forged by a third-party page exactly as it does to a legitimate one. The OWASP CSRFTester Project attempts to give developers the ability to test their applications for CSRF flaws.
OWASP CSRFGuard 2.0
Request flow: User (Browser) -> OWASP CSRFGuard: Verify Token -> Business Processing -> OWASP CSRFGuard: Add Token to HTML -> User (Browser)
Adds the token to: href attributes, src attributes, a hidden field in all forms
Actions on a failed check: Log, Invalidate, Redirect
The OWASP CSRFGuard Project attempts to address this issue through the use of unique request tokens.
http://www.owasp.org/index.php/CSRFGuard
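The two slides above describe the problem (the browser sends the session cookie with any request a third-party page triggers) and CSRFGuard's answer (a per-session token injected into links and forms, verified on the way in, with Log / Invalidate / Redirect on failure). The following is an added example of that synchronizer token pattern written for this page; it is not CSRFGuard's code. The parameter name OWASP_CSRFTOKEN, the unprotected entry paths, the Session and Request classes and the page fragment are all assumptions constructed for the example.

```python
import hmac
import logging
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Parameter name is an assumption for this example (CSRFGuard's own name is configurable).
TOKEN_NAME = "OWASP_CSRFTOKEN"
# Entry pages that must work without a token (where the token is first handed out).
UNPROTECTED_PATHS = {"/", "/login"}

logger = logging.getLogger("csrf")


@dataclass
class Session:
    id: str
    user: str
    csrf_token: Optional[str] = None
    valid: bool = True


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


def issue_token(session: Session) -> str:
    """One unpredictable token per session (synchronizer token pattern).

    Reusing the same token for the whole session is what lets it be embedded
    in every link and form of every page rendered for that session."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def add_token_to_html(html: str, token: str) -> str:
    """Inject the token the way the slide describes: a hidden field in every
    form and a query parameter on every href/src. Only same-site (relative)
    URLs get the token; sending it to a third-party host would leak it."""
    hidden = '<input type="hidden" name="%s" value="%s">' % (TOKEN_NAME, token)
    html = re.sub(r"</form>", lambda m: hidden + m.group(0), html, flags=re.IGNORECASE)

    def add_param(m: "re.Match[str]") -> str:
        attr, url = m.group(1), m.group(2)
        if url.startswith(("http://", "https://", "//")):
            return m.group(0)  # external resource: leave untouched
        sep = "&" if "?" in url else "?"
        return '%s="%s%s%s=%s"' % (attr, url, sep, TOKEN_NAME, token)

    return re.sub(r'\b(href|src)="([^"]*)"', add_param, html)


def verify_token(session: Session, request: Request) -> Tuple[bool, str]:
    """Check every request to a protected path (links carry the token too, so
    GET is not exempt). On mismatch apply the three actions from the slide:
    Log, Invalidate, Redirect. Returns (accepted, "pass" or redirect target)."""
    if request.path in UNPROTECTED_PATHS:
        return True, "pass"
    expected = session.csrf_token or ""
    supplied = request.params.get(TOKEN_NAME, "")
    # Constant-time comparison on bytes: compare_digest on str rejects non-ASCII input.
    if expected and hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        return True, "pass"
    logger.warning("CSRF token mismatch: user=%s session=%s path=%s",
                   session.user, session.id, request.path)
    session.valid = False                 # Invalidate: force a fresh login
    return False, "redirect:/error"       # Redirect: send the browser to an error page


if __name__ == "__main__":
    s = Session(id="sess-1", user="alice")
    token = issue_token(s)
    # Constructed page fragment standing in for the application's real response.
    page = ('<a href="/transfer?to=bob">Pay Bob</a> <img src="/logo.png"> '
            '<a href="https://example.org/">external</a>'
            '<form method="post" action="/transfer"></form>')
    print(add_token_to_html(page, token))
    print(verify_token(s, Request("POST", "/transfer", {TOKEN_NAME: token})))
    print(verify_token(s, Request("POST", "/transfer", {TOKEN_NAME: "forged"})))
```

Two caveats a tester should keep in mind: a token carried in a link's query string is written to server logs and sent in the Referer header to any external site the page links to, so hidden form fields plus POST are the safer carrier for state-changing actions; and the token only helps if the application also has no XSS, since script running in the page can simply read it.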
The OWASP Enterprise Security API
Custom Enterprise Web Application -> Enterprise Security API -> Existing Enterprise Security Services/Libraries
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration

The ESAPI is a free and open collection of all the security methods that a developer needs to build a secure web application. You can just use the interfaces and build your own implementation using your company's infrastructure, or you can use the reference implementation as a starting point. In concept, the API is language independent. However, the first deliverables from the project are a Java API and a Java reference implementation. Efforts to build ESAPI in .NET and PHP are already underway.

Unfortunately, the available platforms, frameworks, and toolkits (Java EE, Struts, Spring, etc.) simply do not provide enough protection. This leaves developers with the responsibility for designing and building security mechanisms. Reinventing the wheel for every application leads to wasted time and massive security holes. The cost savings through reduced development time, and the increased security from using heavily analyzed and carefully designed security methods, give developers a massive advantage over organizations that are trying to deal with security using ad hoc secure coding techniques. This API is designed to automatically take care of many aspects of application security, making these issues invisible to the developers.
Coverage: OWASP Top Ten vs. OWASP ESAPI
A1. Cross Site Scripting (XSS)           -> Validator, Encoder
A2. Injection Flaws                      -> Encoder
A3. Malicious File Execution             -> HTTPUtilities (upload)
A4. Insecure Direct Object Reference     -> AccessReferenceMap
A5. Cross Site Request Forgery (CSRF)    -> User (csrftoken)
A6. Leakage and Improper Error Handling  -> EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions   -> Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage       -> Encryptor
A9. Insecure Communications              -> HTTPUtilities (secure cookie, channel)
A10. Failure to Restrict URL Access      -> AccessController
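The coverage table maps A4 (Insecure Direct Object Reference) to ESAPI's AccessReferenceMap, the one component in the list whose purpose is least obvious from its name. The following added example, written for this page and not taken from ESAPI, shows the idea: at login the application registers the objects the user may touch and hands the browser only random indirect references; a request is resolved back through the session's map, so an identifier the user was never issued cannot reach another user's data. The ACCOUNTS table, the login() helper and the two handlers are constructed for the example.

```python
import secrets
from typing import Dict, Hashable, Iterable


class AccessControlError(Exception):
    """Raised when a browser-supplied reference is not one this session was issued."""


class AccessReferenceMap:
    """Per-session map between direct object references (database keys, file
    names) and random indirect references that are safe to expose to the browser.
    Modelled on the idea behind ESAPI's AccessReferenceMap; independent example code."""

    def __init__(self, directs: Iterable[Hashable] = ()):
        self._direct_to_indirect: Dict[Hashable, str] = {}
        self._indirect_to_direct: Dict[str, Hashable] = {}
        for direct in directs:
            self.add_direct_reference(direct)

    def add_direct_reference(self, direct: Hashable) -> str:
        """Register an object the current user may access; returns its indirect reference."""
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        indirect = secrets.token_urlsafe(9)          # 12 URL-safe chars, unguessable
        while indirect in self._indirect_to_direct:  # collision is astronomically unlikely
            indirect = secrets.token_urlsafe(9)
        self._direct_to_indirect[direct] = indirect
        self._indirect_to_direct[indirect] = direct
        return indirect

    def get_indirect_reference(self, direct: Hashable) -> str:
        """Used when rendering: turn a real key into the value to put in the HTML."""
        return self._direct_to_indirect[direct]

    def get_direct_reference(self, indirect: str) -> Hashable:
        """Used when handling a request: anything not issued to this session is rejected,
        so a tampered or guessed value can never resolve to another user's object."""
        try:
            return self._indirect_to_direct[indirect]
        except KeyError:
            raise AccessControlError("unknown reference %r" % indirect) from None


# Constructed sample data standing in for a database table of accounts.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 250.00},
    1002: {"owner": "alice", "balance": 1200.50},
    2001: {"owner": "bob", "balance": 98.10},
}


def view_account_vulnerable(account_id: int) -> dict:
    """Top 10 2007 A4 as it usually happens: the key from the URL is used directly,
    so changing ?id=1001 to ?id=2001 shows another customer's account."""
    return ACCOUNTS[account_id]


def view_account_safe(session_map: AccessReferenceMap, indirect_id: str) -> dict:
    """Hardened handler: the URL carries only an indirect reference, which the
    session's map resolves; references the user was never issued raise."""
    account_id = session_map.get_direct_reference(indirect_id)
    return ACCOUNTS[account_id]


def login(user: str) -> AccessReferenceMap:
    """At login, register exactly the objects this user is authorized to see."""
    return AccessReferenceMap(k for k, v in ACCOUNTS.items() if v["owner"] == user)


if __name__ == "__main__":
    alice = login("alice")
    ref = alice.get_indirect_reference(1001)
    print("link for alice: /account?id=%s" % ref)
    print(view_account_safe(alice, ref))
    print(view_account_vulnerable(2001))          # alice reads bob's account
    try:
        view_account_safe(alice, login("bob").get_indirect_reference(2001))
    except AccessControlError as exc:
        print("rejected:", exc)
```

The map is a complement to, not a replacement for, a real authorization check: it stops tampering with identifiers in URLs and forms, but the set of objects registered at login must itself come from the application's access control decision.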
Create Your ESAPI Implementation
Your security services:
- Wrap your existing libraries and services
- Extend and customize your ESAPI implementation
- Fill in gaps with the reference implementation
Your coding guideline:
- Tailor the ESAPI coding guidelines
- Retrofit ESAPI patterns to existing code
OWASP CLASP: Comprehensive, Lightweight Application Security Process
- Prescriptive and proactive
- Centered around 7 AppSec best practices
- Covers the entire software lifecycle (not just development)
- Adaptable to any development process
- CLASP defines roles across the SDLC
- 24 role-based process components
- Start small and dial in to your needs
The CLASP Best Practices
1. Institute awareness programs
2. Perform application assessments
3. Capture security requirements
4. Implement secure development practices
5. Build vulnerability remediation procedures
6. Define and monitor metrics
7. Publish operational security guidelines
SDLC & OWASP Guidelines
(Diagram: OWASP Framework)
Want More? About 50 projects!
- OWASP .NET Project
- OWASP ASDR Project
- OWASP AntiSamy Project
- OWASP AppSec FAQ Project
- OWASP Application Security Assessment Standards Project
- OWASP Application Security Metrics Project
- OWASP Application Security Requirements Project
- OWASP CAL9000 Project
- OWASP CLASP Project
- OWASP CSRFGuard Project
- OWASP CSRFTester Project
- OWASP Career Development Project
- OWASP Certification Criteria Project
- OWASP Certification Project
- OWASP Code Review Project
- OWASP Communications Project
- OWASP DirBuster Project
- OWASP Education Project
- OWASP Encoding Project
- OWASP Enterprise Security API
- OWASP Flash Security Project
- OWASP Guide Project
- OWASP Honeycomb Project
- OWASP Insecure Web App Project
- OWASP Interceptor Project
- OWASP JBroFuzz
- OWASP Java Project
- OWASP LAPSE Project
- OWASP Legal Project
- OWASP Live CD Project
- OWASP Logging Project
- OWASP Orizon Project
- OWASP PHP Project
- OWASP Pantera Web Assessment Studio Project
- OWASP SASAP Project
- OWASP SQLiX Project
- OWASP SWAAT Project
- OWASP Sprajax Project
- OWASP Testing Project
- OWASP Tools Project
- OWASP Top Ten Project
- OWASP Validation Project
- OWASP WASS Project
- OWASP WSFuzzer Project
- OWASP Web Services Security Project
- OWASP WebGoat Project
- OWASP WebScarab Project
- OWASP XML Security Gateway Evaluation Criteria Project
- OWASP on the Move Project
SoC2008 Selection
- OWASP Code Review Guide, V1.1
- The Ruby on Rails Security Guide v2
- OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)
- Internationalization Guidelines and OWASP-Spanish Project
- OWASP Application Security Desk Reference (ASDR)
- OWASP .NET Project Leader
- OWASP Education Project
- The OWASP Testing Guide v3
- OWASP Application Security Verification Standard
- Online code signing and integrity verification service for open source community (OpenSign Server)
- Securing WebGoat using ModSecurity
- OWASP Book Cover & Sleeve Design
- OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief
- OWASP Access Control Rules Tester
- OpenPGP Extensions for HTTP - Enigform and mod_openpgp
- OWASP-WeBekci Project
- OWASP Backend Security Project
- OWASP Application Security Tool Benchmarking Environment and Site Generator refresh
- Teachable Static Analysis Workbench
- OWASP Positive Security Project
- GTK+ GUI for w3af project
- OWASP Interceptor Project - 2008 Update
- Skavenger
- SQL Injector Benchmarking Project (SQLiBENCH)
- OWASP AppSensor - Detect and Respond to Attacks from Within the Application
- OWASP Orizon Project
- OWASP Corporate Application Security Rating Guide
- OWASP AntiSamy .NET
- Python Static Analysis
- OWASP Classic ASP Security Project
- OWASP Live CD 2008 Project
OWASP Projects Are Alive!
(Timeline: 2001, 2003, 2005, 2007, 2009 ...)
The Testing Guide is alive. When they say "print is dead" they don't mean it's out of style; it's static, not living. Do you have a bookshelf of security books? When's the last time you opened them? They don't have answers to today's problems because they're dead. The Guide is a process for translating security principles to the latest technologies and getting them to developers fast. It's an evolving, growing, living thing.
Agenda
- OWASP Introduction
- OWASP Project Parade
- OWASP Near You?
www.owasp.tv: 56 videos, 40 hours
Upcoming Conferences
- February 2009: OWASP AppSec Australia 2009, Gold Coast. Training & conference, Gold Coast Convention Center, QLD, Australia
- 23 February 2009: OWASP Day III Italy, "Web Application Security: research meets industry", Bari (Italy)
- 5 March 2009: OWASP Front Range Conference, 2nd annual 1-day conference in Denver, Colorado
- 11-14 May 2009: OWASP AppSec Europe 2009, conference and training, Qubus Hotel, Kraków, Poland; back to back with Confidence09
- June 2009: OWASP AppSec Ireland, Dublin
- October 2009: OWASP AppSec US 2009, Washington, D.C.
German Chapter Meetings
- Local mailing list
- Presentations & groups
- Open forum for discussion
- Meet fellow InfoSec professionals
- Create (Web)AppSec awareness
- Local projects?
Subscribe to the German Chapter mailing list
- Post your (Web)AppSec questions
- Keep up to date! Get OWASP newsletters
- Contribute to discussions!
That's it... Any questions?
Thank you!
http://www.owasp.org
http://www.owasp.org/index.php/Germany
seba@owasp.org