Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux Tour of OWASP’s projects Sebastien Deleersnyder Dec 1, 2010
OWASP OWASP Tools and Technology 2 Vulnerability Scanners Static Analysis Tools Fuzzing Automated Security Verification Penetration Testing Tools Code Review Tools Manual Security Verification ESAPI Security Architecture AppSec Libraries ESAPI Reference Implementation Guards and Filters Secure Coding Reporting Tools AppSec Management Flawed Apps Learning Environments Live CD SiteGenerator AppSec Education
OWASP OWASP Body of Knowledge Core Application Security Knowledge Base Acquiring and Building Secure Applications Verifying Application Security Managing Application Security Application Security Tools AppSec Education and CBT Research to Secure New Technologies Principles Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures Principles Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures OWASP Foundation 501c3 OWASP Community Platform (wiki, forums, mailing lists) Projects Chapters AppSec Conferences Guide to Building Secure Web Applications and Web Services Guide to Application Security Testing and Guide to Application Security Code Review Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues Web Based Learning Environment and Guide for Learning Application Security Guidance and Tools for Measuring and Managing Application Security Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
Top level view
OWASP There are a lot of OWASP projects
OWASP Metrics Categorizing and organizing projects Maturity, activity level, quality, relevance 6
OWASP Assessment Criteria 7
OWASP 8
9
Categories PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws. DETECT - These are tools and documents that can be used to find security-related design and implementation flaws. LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC). 10
OWASP OWASP projects by numbers Total Projects: 122 Release quality: 19 Beta quality: 28 Alpha quality: 89 Inactive: 6
OWASP Dashboard 12
OWASP Assessment details 13
Project Parade
OWASP The ‘Big 4’ Documentation Projects Building Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR)
OWASP The Guide Complements OWASP Top 10 310p Book Free and open source Gnu Free Doc License Many contributors Apps and web services Most platforms Examples are J2EE, ASP.NET, and PHP Comprehensive Project Leader and Editor Andrew van der Stock,
OWASP Uses of the Guide Developers Use for guidance on implementing security mechanisms and avoiding vulnerabilities Project Managers Use for identifying activities (threat modeling, code review, penetration testing) that need to occur Security Teams Use for structuring evaluations, learning about application security, remediation approaches
OWASP Each Topic Includes Basic Information (like OWASP T10) How to Determine If You Are Vulnerable How to Protect Yourself Adds Objectives Environments Affected Relevant COBIT Topics Theory Best Practices Misconceptions Code Snippets
OWASP 19 Testing Guide v3: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors
OWASP 20 Evolution V3 Information Gathering Config. Management Testing Business Logic Testing Authentication Testing Authorization Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing Encoded Appendix Information Gathering Business Logic Testing Authentication Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing
OWASP 21 How the Guide helps the security industry A structured approach to the testing activities A checklist to be followed A learning and training tool Pen-testers A tool to understand web vulnerabilities and their impact A way to check the quality of the penetration tests they buy Organisations More in general, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its client. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures
OWASP OWASP Application Security Verification Std Standard for verifying the security of web applications Four levels Automated Manual Architecture Internal 22
OWASP OWASP Software Assurance Maturity Model 23
OWASP Tools Best known OWASP Tools WebGoat WebScarab Remember: A Fool with a Tool is still a Fool
OWASP Live CD Project that collects some of the best open source security projects in a single environment Users can boot from Live CD and immediately start using all tools without any configuration 25
OWASP 26 Available Tools 25 “significant” tools OWASP WebScarab v OWASP WebGoat v5.2 OWASP CAL9000 v2.0 OWASP JBroFuzz v1.2 OWASP DirBuster v0.12 OWASP SQLiX v1.0 OWASP WSFuzzer v1.9.4 OWASP Wapiti v2.0.0-beta Paros Proxy v nmap & Zenmap v 4.76 Wireshark v1.0.5 tcpdump v4.0.0 Firefox addons Burp Suite v1.2 Grendel Scan v1.0 Metasploit v3.2 (svn) w3af + GUI svn r2161 Netcats – original + GNU Nikto v2.03 Firece Domain Scanner v1.0.3 Maltego CE v2-210 Httprint v301SQLBrute v1.0 Spike Proxy v Rat Proxy v1.53-beta sqlmap v0.7-rc1 now included!
OWASP OWASP WebGoat 27
OWASP OWASP WebScarab 28
OWASP 29 Tools – At Best 45% MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE) They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
OWASP The OWASP Enterprise Security API 30 Custom Enterprise Web Application Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Exception Handling Logger IntrusionDetector SecurityConfiguration Existing Enterprise Security Services/Libraries
OWASP Create Your ESAPI Implementation Your Security Services Wrap your existing libraries and services Extend and customize your ESAPI implementation Fill in gaps with the reference implementation Your Coding Guideline Tailor the ESAPI coding guidelines Retrofit ESAPI patterns to existing code 31
OWASP OWASP CSRFTester 32
OWASP Add Token to HTML OWASP CSRFGuard User (Browser) Business Processing OWASP CSRFGuard Verify Token Adds token to: href attribute src attribute hidden field in all forms Actions: Log Invalidate Redirect
OWASP 34 OWASP Framework SDLC & OWASP Guidelines
OWASP Want More ? OWASP.NET Project OWASP ASDR Project OWASP AntiSamy Project OWASP AppSec FAQ Project OWASP Application Security Assessment Standards Project OWASP Application Security Metrics Project OWASP Application Security Requirements Project OWASP CAL9000 Project OWASP CLASP Project OWASP CSRFGuard Project OWASP CSRFTester Project OWASP Career Development Project OWASP Certification Criteria Project OWASP Certification Project OWASP Code Review Project OWASP Communications Project OWASP DirBuster Project OWASP Education Project OWASP Encoding Project OWASP Enterprise Security API OWASP Flash Security Project OWASP Guide Project OWASP Honeycomb Project OWASP Insecure Web App Project OWASP Interceptor Project OWASP JBroFuzz OWASP Java Project OWASP LAPSE Project OWASP Legal Project OWASP Live CD Project OWASP Logging Project OWASP Orizon Project OWASP PHP Project OWASP Pantera Web Assessment Studio Project OWASP SASAP Project OWASP SQLiX Project OWASP SWAAT Project OWASP Sprajax Project OWASP Testing Project OWASP Tools Project OWASP Top Ten Project OWASP Validation Project OWASP WASS Project OWASP WSFuzzer Project OWASP Web Services Security Project OWASP WebGoat Project OWASP WebScarab Project OWASP XML Security Gateway Evaluation Criteria Project OWASP on the Move Project 35
OWASP OWASP Research Grants We support the research that keeps your organization safe! 36
OWASP 37 OWASP Projects Are Alive! …
OWASP How to participate? Start your own project The best OWASP projects are strategic get the community involved / build a team Contribute exising (open license) Promotion! ‘Help’ an existing project
OWASP Questions and Answers