Presentation transcript:

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP: Open Web Application Security Project
Ralf Durkee, Rochester OWASP Chapter Leader
Andrea Cogliati, Rochester OWASP Web and Communications

Slide 2: What is OWASP?
- Open Web Application Security Project
- A worldwide free and open community focused on improving the security of application software
- Promotes secure software development
- Oriented to the delivery of web-oriented services
- An open forum for discussion
- A free resource for any development team

Slide 3: What is OWASP?
- Open Web Application Security Project
- Non-profit (501c3), volunteer-driven organization
  - All members are volunteers (save 4 employees)
  - All work is donated by volunteers and sponsors
- Provides free resources to the community
  - Publications, articles, standards
  - Testing and training software
  - Local chapters & mailing lists
- Supported through sponsorships
  - Corporate support through financial or project sponsorship
  - Personal sponsorships from members

OWASP Principles
- Free & open
- Governed by rough consensus & running code
- Abide by a code of ethics (see ethics)
- Not-for-profit
- Not driven by commercial interests
- Risk-based approach

OWASP Code of Ethics
- Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles
- Promote the implementation of, and compliance with, standards, procedures and controls for application security
- Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities
- Discharge professional responsibilities with diligence and honesty
- Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association
- Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers

OWASP Organization
- Global Board
- Global Committees
  - Education
  - Chapters
  - Conferences
  - Industry
  - Projects & Tools
  - Membership
- Employees
- Volunteers

OWASP Membership

Membership category               Annual membership fee
Individual Supporters             $50
Organization Supporters           $5,000
Accredited University Supporters  FREE (in exchange for meeting space at least 2x per year)

- Funds OWASP speakers via OWASP On the Move
- Funds Season of Code projects
- Helps support local chapters

OWASP Goals: Improve Quality and Support
- Define criteria for quality levels
  - Alpha, Beta, Release
- Encourage increased quality
  - Through Season of Code funding and support
  - Produce professional OWASP books
- Provide support
  - Full-time executive director (Kate Hartmann)
  - Full-time project manager (Paulo Coimbra)
  - Half-time technical editor (Kirsten Sitnick)
  - Half-time financial support (Alison Shrader)
  - Looking to add programmers (interns and professionals)

OWASP Resources and Community
- Documentation (Wiki and Books): SAMM, Code Review, Testing, Building, Legal, ...
- Code Projects: Defensive, Offensive (test tools), Education, Process, more ...
- Chapters: Over 100 and growing
- Conferences: Major and minor events all around the world

Slide 10: OWASP Conferences
- Gold Coast, Feb 2008
- Brussels, May 2008
- India, Aug 2008
- NYC, Sep 2008
- Israel, Sep 2008
- Taiwan, Oct 2008
- Minnesota, Oct 2008
- Portugal, Nov 2008
- Denver, Spring 2009
- Poland, May 2009
- San Jose, Sep 2009

Rochester Security Summit
- The Rochester Security Summit is a community focal point for education and awareness in collaboration with higher education, business and industry partners, held during National Cyber Security Awareness Month
- Area collaboration partners include:
  - The Rochester Chapter of the Information Systems Security Association (ISSA)
  - University of Rochester Information Technology Office
  - Rochester Cyber Safety and Ethics Initiative
  - ISACA
  - OWASP
  - Area businesses and organizations
- Oct 28-29, 2009 at The Woodcliff Hotel & Spa Conference Center in Fairport, NY

Major initiatives
- Training
- CLASP
- Testing
- Project incubator
- Wiki portal
- Forums
- Blogs
- Top 10
- Conferences
- WebScarab
- WebGoat
- Ajax
- J2EE
- .NET
- Yours!
- Validation
- Chapters
- Building our brand
- Certification
- Guide

Slide 13: OWASP Publications
Major publications:
- Top 10 Web Application Security Vulnerabilities
- Guide to Building Secure Web Applications
- Legal Project
- Code Review Guide
- Testing Guide
- AppSec FAQ
- Software Assurance Maturity Model
- Application Security Verification Standard

Organizing the Big 4
- Building Guide
- Code Review Guide
- Testing Guide
- Application Security Desk Reference (ASDR)

Slide 15: OWASP Publications, Common Features
- All OWASP publications are available free for download from
- Publications are released under any approved free licenses
- Living documents
  - Updated as needed
  - Ongoing projects
- OWASP publications feature collaborative work in a competitive field

Slide 16: OWASP Publications, OWASP Top 10
Top 10 Web Application Security Vulnerabilities
- A list of the 10 most severe security issues
- Updated every few years
- Addresses issues with applications on the perimeter
- Growing industry acceptance
  - Federal Trade Commission (US Gov)
  - US Defense Information Systems Agency
  - VISA (Cardholder Information Security Program)
  - Referenced by the PCI-DSS standard
- Strong push to present it as a standard

Slide 17: OWASP Publications, OWASP Top 10
Current Top Ten Issues (2007):
- A1. Cross Site Scripting (XSS)
- A2. Injection Flaws
- A3. Malicious File Execution
- A4. Insecure Direct Object Reference
- A5. Cross Site Request Forgery (CSRF)
- A6. Information Leakage and Improper Error Handling
- A7. Broken Authentication and Session Management
- A8. Insecure Cryptographic Storage
- A9. Insecure Communications
- A10. Failure to Restrict URL Access

Slide 18: OWASP Publications, OWASP Guide
Guide to Building Secure Web Applications
- Provides a baseline for developing secure software
- Introduction to security in general
- Introduction to application-level security
- Discusses key implementation areas:
  - Architecture
  - Authentication
  - Session Management
  - Access Controls and Authorization
  - Event Logging
  - Data Validation
- Under continuous development

Slide 19: OWASP Software, Common Features
- All OWASP software is provided free for download from
- Software is released under any approved free licenses
- Active projects
  - Updated as needed
  - Ongoing projects
  - Many maintainers and contributors
- OWASP software is free for download and can be used by individuals or businesses

Slide 20: OWASP Software, WebGoat
WebGoat
- Primarily a training application
- Provides
  - An educational tool for learning about application security
  - A baseline to test security tools against (i.e. known issues)
- What is it?
  - A J2EE web application arranged in "Security Lessons"
  - Based on Tomcat and JDK 1.5
  - Oriented to learning
    - Easy to use
    - Illustrates credible scenarios
    - Teaches realistic attacks, and viable solutions

Slide 21: OWASP Software, WebGoat
WebGoat: What can you learn?
- A constantly growing number of attacks and solutions
  - Cross Site Scripting
  - SQL Injection Attacks
  - Thread Safety
  - Field & Parameter Manipulation
  - Session Hijacking and Management
  - Weak Authentication Mechanisms
  - Many more attacks added
- Getting the tools
  - Simply download, unzip, and execute the jar file.

Slide 22: OWASP Software, WebScarab
WebScarab
- A framework for analyzing HTTP/HTTPS traffic
- Web proxy written in Java
- Multiple uses
  - Developer: debug exchanges between client and server
  - Security analyst: analyze traffic to identify vulnerabilities
- Technical tool
  - Focused on software developers
  - Extensible plug-in architecture
  - Open source
  - Very powerful tool
- Getting the tool

Slide 23: OWASP Software, WebScarab
WebScarab: What can it do?
- Features
  - Fragment Analysis: extract scripts and HTML as presented to the browser, instead of the source code presented by the browser post-render
  - Proxy: observe traffic between the browser and server; includes the ability to modify data in transit, expose hidden fields, and perform bandwidth manipulation
  - Manual Intercept: allows the user to modify HTTP and HTTPS requests and responses on the fly, before they reach the server or browser
  - Spider: identifies new URLs within each page viewed
  - SessionID Analysis: collection and analysis of cookies to determine the predictability of session tokens
  - Much more...

Slide 24: OWASP Local Chapters, Building Communities
- Local chapters provide opportunities for OWASP members to share ideas and learn information security
- Open to all, at any level of proficiency
- Provide a forum to discuss issues, latest research, and experiences
- Provide a venue for invited guests to present new ideas and projects

Slide 25: OWASP Rochester Chapter
Rochester Chapter
- Chapter started in 2004, by Ralph Durkee
- Chapter Web site
- Current Board:
  - President: Ralf Durkee
  - Vice President: Chris Karr
  - Secretary and Treasurer: Steve Buck
  - Web and Communications: Andrea Cogliati
- Monthly meetings & presentations
- Mailing lists
- Vendor-neutral environments
- Open forums for discussion

Slide 26: OWASP Rochester Chapter Meetings
Formal meeting with presentations on odd-numbered months
- Currently held at Bryant & Stratton College, 1225 Jefferson Rd (near I-390), Rochester, NY
- Generally the 3rd Monday of each month
- Next meeting May 18th: Key Management Issues, by Lou Leone
- Food often provided by sponsors
- Questions and discussion afterwards
- Join the mailing lists for meeting announcements, as dates and locations sometimes have to change.

OWASP Rochester Chapter Meetings
Informal social gatherings on even-numbered months
- Gatherings for beer, food and informal discussion
- An open environment for discussion of information security, suitable for novices, professionals, and experts
- Next would be June 15th
- Currently gathering at
  - Mac Gregor's Grill & Tap Room
  - 300 Jefferson Rd (near RIT)
- Each pays for the beverages and food they order

Slide 28: OWASP Rochester Chapter Mail Lists
2 Rochester Chapter mailing lists
- Rochester Announcement-Only List
  - You need to be subscribed to receive Rochester chapter meeting and organizational announcements.
  - Closed list, only used by the Rochester Chapter Board.
- Rochester Discussion List
  - Highly recommended
  - Used for chapter discussions and questions
  - Currently very low traffic
  - All mail list members may post to the list
  - A couple of basics: keep it professional; no sales or marketing materials

Slide 29: OWASP Local Chapters, Vendor-Neutral Environments
- Learn about security without the sales pitches
- Strict guidelines for chapter presentations and sponsorship
  - All sponsors must be approved
  - No product presentation may take place at any meeting of a local chapter.
  - Presentations that focus on a problem or set of problems and discuss solution approaches that may refer to or show examples of various products are allowed.
  - Sponsorship shall be in the form of donations to The OWASP Foundation in the name of the local chapter and/or to provide food and beverages at meeting events.

Slide 30: OWASP Local Chapters, What can you offer?
- The mailing lists, meetings, and focus groups are open forums for discussion of any relevant topics
- Members are encouraged to bring forward questions
- Members are encouraged to participate in OWASP projects
  - Contribute to existing projects
  - Propose new projects
  - Spearhead new ventures
- The local chapter executive team will work towards building the organization as a free, open, and technically oriented resource for the general public and members

Slide 31: That's it...
- Any questions or comments?
- Presentation will be online:
Thank you!