Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP Open Web Application Security Project Ralf Durkee Rochester OWASP Chapter Leader Lou Leone Rochester OWASP Communications Andrea Cogliati Rochester OWASP VP

OWASP 2 What is OWASP? Open Web Application Security Project  Worldwide free and open community  Focused on improving the security of Web applications  Promotes secure software development  An open forum for discussion  Provides free resources to the community  Publications, Articles, Standards  Testing and Training Software  Local Chapters and Mailing Lists  Software libraries and tools

OWASP OWASP membership Membership categoryAnnual membership fee Individual Supporters$50 Organization Supporters$5,000 Accredited University SupportersFREE (in exchange of meeting space at least 2x per year)  Funds OWASP Speakers via OWASP On the Move  Funds Season of Code projects  Helps Support Local Chapters

OWASP OWASP Resources and Community Documentation (Wiki and Books) SAMM, Code Review, Testing, Building, Legal, … Code Projects Defensive, Offensive (Test tools), Education, Process, more … Chapters Over 100 and growing Conferences Major and minor events all around the world

OWASP OWASP Conferences ( ) 5 NYC Sep 2008 NYC Sep 2008 San Jose Sep 2009 San Jose Sep 2009 Brussels May 2008 Brussels May 2008 Poland May 2009 Poland May 2009 Taiwan Oct 2008 Taiwan Oct 2008 Portugal Nov 2008 Portugal Nov 2008 Israel Sep 2008 Israel Sep 2008 India Aug 2008 India Aug 2008 Gold Coast Feb 2008 Gold Coast Feb 2008 Minnesota Oct 2008 Minnesota Oct 2008 Denver Spring 2009 Denver Spring 2009

OWASP Rochester Security Summit  The Rochester Security Summit is a community focal point for education and awareness in collaboration with higher education, business and industry partners, held during National Cyber Security Awareness Month  Area collaboration partners include:  Rochester ISSA Chapter  Rochester OWASP Chapter  Rochester ISACA  Area businesses and organizations  Oct 28-29, 2009 at The Woodcliff Hotel & Spa Conference Center in Fairport, NY 

OWASP Major initiatives: Training CLASP Testing Project incubator Wiki portal Forums Blogs Top 10 Conferences WebScarab WebGoat Ajax J2EE.NET Yours! Validation Chapters Building our brand Certification Guide

OWASP 8 OWASP Publications Major Publications  Top 10 Web Application Security Vulnerabilities  G uide to Building Secure Web Applications  Legal Project  Code Review Guide  Testing Guide  AppSec Faq  Software Assurance Maturity Model  Application Security Verification Standards

OWASP 9 OWASP Publications Common Features  All OWASP publications are available free for download from  Released under any approved free licenses  Living Documents  Updating as needed  Ongoing Projects  OWASP Publications feature collaborative work in a leading-edge competitive field

OWASP 10 OWASP Publications – OWASP Top 10 Top 10 Web Application Security Vulnerabilities  A list of the 10 most severe security issues  Updated ever few years  Address issues with applications on the perimeter  Growing industry acceptance  Federal Trade Commission (US Gov)  US Defense Information Systems Agency  VISA (Cardholder Information Security Program)  Referenced by PCI-DSS standard  Strong push to present as a standard

OWASP 11 OWASP Publications - OWASP Top 10  Current Top Ten Issues (2007)  A1. Cross Site Scripting (XSS)  A2. Injection Flaws  A3. Malicious File Execution  A4. Insecure Direct Object Reference  A5. Cross Site Request Forgery (CSRF)  A6. Information Leakage and Improper Error Handling  A7. Broken Authentication and Session Management  A8. Insecure Cryptographic Storage  A9. Insecure Communications  A10. Failure to Restrict URL Access

OWASP 12 OWASP Publications - OWASP Guide Guide to Building Secure Web Applications  Provides a baseline for developing secure software  Introduction to security in general  Introduction to application level security  Discusses key implementation areas –Architecture –Authentication –Session Management –Access Controls and Authorization –Event Logging –Data Validation  Under continuous development

OWASP 13 OWASP Software Common Features  All OWASP software are provided free for download from  Software is released under any approved free licenses  Active Projects  Updating as needed  Ongoing Projects  Many maintainers and contributors  OWASP Software is free for download and can be used by individuals or businesses

OWASP 14 OWASP Software - WebGoat WebGoat  Primarily a training application  Provides  An educational tool for learning about application security  A baseline to test security tools against (i.e. known issues)  What is it?  A J2EE web application arranged in “Security Lessons”  Based on Tomcat and JDK 1.5  Oriented to learning –Easy to use –Illustrates credible scenarios –Teaches realistic attacks, and viable solutions

OWASP 15 OWASP Software - WebGoat WebGoat – What can you learn?  A number of constantly growing attacks and solutions  Cross Site Scripting  SQL Injection Attacks  Thread Safety  Field & Parameter Manipulation  Session Hijacking and Management  Weak Authentication Mechanisms  Many more attacks added  Getting the Tools   Simply download, unzip, and execute the jar file.

OWASP 16 OWASP Software - WebScarab WebScarab  A framework for analyzing HTTP/HTTPS traffic  Web Proxy written in Java  Multiple Uses  Developer: Debug exchanges between client and server  Security Analyst: Analyze traffic to identify vulnerabilities  Technical Tool  Focused on software developers  Extensible plug-in architecture  Open source  Very powerful tool  Getting the Tool 

OWASP 17 OWASP Software - WebScarab WebScarab - What can it do?  Features  Proxy – observe traffic between the browser and server, includes the ability to modify data in transit, expose hidden fields, and perform bandwidth manipulation  Fragment Analysis – extract scripts and html as presented to the browser, instead of source code presented by the browser post render  Manual Intercept - allows the user to modify HTTP and HTTPS requests and responses on the fly, before they reach the server or browser.  Spider – identifies new URLs within each page viewed  SessionID Analysis – Collection and analysis of cookies to determine predictability of session tokens  Much more…

OWASP 18 OWASP Local Chapters Building Communities  Local Chapters provide opportunities for OWASP members to share ideas and learn information security  Open to all; any level of proficiency  Provide a forum to discuss issues, latest research, and experiences  Provide venue for invited guests to present new ideas and projects

OWASP 19 OWASP Rochester Chapter Rochester Chapter  Chapter started 2004, by Ralph Durkee  Chapter Web site  Current Board:  President: Ralph Durkee  Vice President and Treasurer: Andrea Cogliati  Communications and Chapter Evangelist: Lou Leone  Web and Mail List: Duane Peifer  Monthly Meetings & Presentations  Mailing Lists  Vendor Neutral Environments  Open Forums for Discussion

OWASP 20 OWASP Rochester Chapter Meetings Semi-Formal meeting with presentations on odd numbered months  Generally 3 rd Monday of each Month  Next Meeting Nov 16 th  Location: Mykonos Software  Food sometimes provided by sponsors.  Questions and Discussion afterwards  Join the mailing lists for meeting announcements as dates and locations sometimes have to change.

OWASP OWASP Rochester Chapter Meetings Informal social gatherings on even numbered months  Gatherings for beer, food and informal discussion  An open environment for discussion of information security suitable for novices, professionals, and experts  Next would be Dec 14 th  Currently gathering at –Mac Gregor's Grill & Tap Room –300 Jefferson Rd (Near RIT)  Each pays for the beverage and food they order

OWASP 22 OWASP Rochester Chapter Mail Lists 2 Rochester Chapter Mailing Lists  Rochester Announcement Only List  Need to be subscribed to receive Rochester chapter meeting and organizational announcements.  Closed list, only used by Rochester Chapter Board.  Rochester Discussion List  Highly Recommended  Used for chapter discussions and questions  Currently very low traffic  All mail list members may post to the list  Couple of basics: keep it professional; No sales or marketing materials

OWASP 23 OWASP Local Chapters Vendor Neutral Environments  Learn about security without the sales pitches  Strict guidelines for chapter presentations and sponsorship  All sponsors must be approved  No product presentation may take place at any meeting of a local chapter.  Presentations that focus on a problem or set of problems and discuss solution approaches that may refer to or show examples of various products are allowed.  Sponsorship shall be in the form of donations to The OWASP Foundation in the name of the local chapter and/or to provide food and beverages at meeting events.

OWASP 24 OWASP Local Chapters What can you offer?  The mailing lists, meetings, and focus groups are open forums for discussion of any relevant topics  Members are encouraged to bring forward questions  Members are encouraged to participate in OWASP projects  Contribute to existing projects  Propose new projects  Spearhead new ventures  Local chapter executive team will work towards building the organization as a free, open, and technically oriented resource for the general public and members

OWASP 25 That’s it…  Any questions or comments?  Presentation will be online: Thank you!