OWASP Projects: Flagship Projects
Hassan El Hadary, OWASP Speaker, SecureMisr, 12/4/2014
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Agenda: What Are Flagship Projects? / How Can We Make Use of OWASP Flagship Projects? / Learn How to Pen Test / Pen Test / Learn How to Secure the Code / Secure the Code
What Are Flagship Projects? OWASP projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and to application security as a whole. They are a combination of: Tools (e.g. OWASP ZAP), Code (e.g. OWASP ESAPI), and Documentation (e.g. OWASP Top 10).

How Can We Make Use of OWASP Flagship Projects? (next: Learn How to Pen Test)
Learn How to Pen Test: OWASP Top Ten Project, OWASP Testing Guide Project, OWASP WebGoat Project

OWASP Top Ten Project: Describes the ten most critical web application security risks, i.e. the most common application attacks and their impact.

OWASP Testing Guide Project: A guide that outlines techniques for penetration testing web applications, organised by test category.

OWASP WebGoat Project: A deliberately insecure web application prepared for practising attacks and testing tools in a safe, self-hosted environment.
Demo
How Can We Make Use of OWASP Flagship Projects? (next: Pen Test)

Pen Test: OWASP Zed Attack Proxy (ZAP), OWASP Web Testing Environment Project

OWASP Zed Attack Proxy (ZAP): A tool for web penetration testing: intercepting HTTP proxy (view and modify requests and responses), spidering, vulnerability scanning (passive on observed traffic, active against the target), brute forcing, fuzzing

OWASP Zed Attack Proxy (screenshot slide)
Demo
How Can We Make Use of OWASP Flagship Projects? (next: Learn How to Secure the Code)

Learn How to Secure the Code: OWASP Application Security Verification Standard (ASVS) Project, OWASP Code Review Guide Project, OWASP Secure Coding Practices - Quick Reference Guide

Learn How to Secure the Code (continued): OWASP Software Assurance Maturity Model (SAMM), OWASP Development Guide Project
Demo
Secure the Code: OWASP Enterprise Security API (ESAPI), OWASP CSRFGuard Project, OWASP AntiSamy Project, OWASP ModSecurity Core Rule Set Project

OWASP Enterprise Security API (ESAPI): Libraries designed to make it easier for programmers to integrate security controls into existing applications. Implementations exist for Java EE, .NET, PHP, Classic ASP, C and others. Main components: Validator (allowlist input validation), Encoder (context-specific output encoding), Encryptor, Logger, IntrusionDetector.

OWASP Enterprise Security API (ESAPI): Input validation example (ESAPI for .NET, C#). IsValid checks the input against the named built-in rule and returns a boolean; the credit-card number in the original slide is not preserved here:
IValidator validator = Esapi.Validator;
Assert.IsTrue(validator.IsValid(BuiltinValidationRules.CreditCard, " "));
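The slide's snippet is from ESAPI for .NET. The following is an added example, not code from the slides or from the ESAPI project, showing the same idea in ESAPI for Java (esapi 2.x) and going one step further: allowlist validation of input, then context-specific output encoding of the accepted value. It assumes ESAPI.properties and validation.properties (which define the Validator.AccountName and Validator.CreditCard patterns) are reachable on the classpath; the class name, the context strings and the sample inputs are made up for the illustration.

```java
// Added example (not from the slides or the ESAPI project): allowlist validation
// plus context-specific output encoding with ESAPI for Java 2.x.
// Assumes ESAPI.properties / validation.properties are on the classpath.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class EsapiProfileHandler {

    /**
     * Validate a display name against the allowlist pattern named
     * Validator.AccountName in validation.properties (max 32 chars, null not
     * allowed). ESAPI canonicalizes first, then either returns the value or
     * throws; the raw input is never used downstream.
     */
    static String validatedDisplayName(String rawInput)
            throws ValidationException, IntrusionException {
        // "displayName" is a context label that only appears in log/error messages
        return ESAPI.validator().getValidInput("displayName", rawInput, "AccountName", 32, false);
    }

    /** Format rule from Validator.CreditCard plus a Luhn check. */
    static boolean looksLikeCreditCard(String rawInput) {
        return ESAPI.validator().isValidCreditCard("paymentForm", rawInput, false);
    }

    /** Encode the same value differently for each output context it lands in. */
    static String renderProfileFragment(String displayName) throws EncodingException {
        String forBody = ESAPI.encoder().encodeForHTML(displayName);
        String forAttr = ESAPI.encoder().encodeForHTMLAttribute(displayName);
        String forJs   = ESAPI.encoder().encodeForJavaScript(displayName);
        String forUrl  = ESAPI.encoder().encodeForURL(displayName);
        return "<div title=\"" + forAttr + "\">" + forBody + "</div>\n"
             + "<a href=\"/u?name=" + forUrl + "\">profile</a>\n"
             + "<script>var who = '" + forJs + "';</script>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a plain name, an XSS probe, a card-like number.
        String[] samples = { "alice01", "<script>alert(1)</script>", "4111111111111111" };
        for (String s : samples) {
            try {
                String name = validatedDisplayName(s);
                System.out.println("accepted: " + renderProfileFragment(name));
            } catch (ValidationException e) {
                // getUserMessage() is safe to show; getLogMessage() carries detail for logs
                System.out.println("rejected: " + e.getUserMessage());
            } catch (IntrusionException e) {
                // Repeated bad input from one user trips the IntrusionDetector
                System.out.println("intrusion: " + e.getUserMessage());
            }
            System.out.println("credit card? " + looksLikeCreditCard(s));
        }
    }
}
```

Validation alone does not make the value safe to emit: an accepted name still has to be encoded for the exact context (HTML body, attribute, JavaScript string, URL parameter) it is written into, which is what the Encoder calls above do.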
OWASP CSRFGuard Project: A library that acts as a Java EE servlet Filter to protect against Cross-Site Request Forgery (CSRF) attacks. It injects per-session or pseudo-per-request tokens into HTML forms and links and rejects state-changing requests that do not carry a valid token.
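CSRFGuard itself is configured through its properties file and web.xml rather than written by hand. The following added example (not CSRFGuard's code and not its configuration) is a deliberately small servlet Filter that shows what the two token strategies named on the slide do, so the trade-off is visible: a per-session token lives for the whole session, while a pseudo-per-request token is rotated after every verified state-changing request. It assumes the javax.servlet API (Servlet 3.1 or later; Java 9 or later for Set.of) and invents the names SimpleCsrfFilter, csrfToken and X-CSRF-Token.

```java
// Added illustration, not CSRFGuard source: a minimal servlet Filter showing
// per-session vs pseudo-per-request CSRF tokens. Assumes javax.servlet (Servlet 3.1+).
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SimpleCsrfFilter implements Filter {
    static final String SESSION_ATTR = "csrf.token";      // hypothetical attribute name
    static final String PARAM_NAME = "csrfToken";         // hypothetical form field / request attribute
    static final String HEADER_NAME = "X-CSRF-Token";     // hypothetical header for XHR/fetch
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    private static final SecureRandom RNG = new SecureRandom();

    // true  = pseudo-per-request: fresh token after every verified unsafe request
    //         (stronger, but breaks back button / multiple tabs)
    // false = per-session: one token for the life of the session
    private boolean rotatePerRequest;

    @Override
    public void init(FilterConfig cfg) {
        rotatePerRequest = "true".equals(cfg.getInitParameter("rotatePerRequest"));
    }

    /** 256 bits from a CSPRNG, URL-safe so it can travel in forms, headers or links. */
    static String newToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Return the session's token, minting one on first use. */
    static String tokenFor(HttpSession session) {
        synchronized (session) {
            String t = (String) session.getAttribute(SESSION_ATTR);
            if (t == null) {
                t = newToken();
                session.setAttribute(SESSION_ATTR, t);
            }
            return t;
        }
    }

    /** Constant-time comparison so the token cannot be recovered byte-by-byte via timing. */
    static boolean tokenMatches(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);
        String expected = tokenFor(session);

        if (!SAFE_METHODS.contains(request.getMethod())) {
            // Only state-changing methods are checked; GET must stay side-effect free.
            String presented = request.getParameter(PARAM_NAME);
            if (presented == null) presented = request.getHeader(HEADER_NAME);
            if (!tokenMatches(expected, presented)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
                return; // do not reach the application
            }
            if (rotatePerRequest) {
                // Mint the next token before rendering so the response can embed it.
                session.setAttribute(SESSION_ATTR, newToken());
            }
        }
        // Views read this attribute to emit <input type="hidden" name="csrfToken" value="...">
        request.setAttribute(PARAM_NAME, tokenFor(session));
        chain.doFilter(req, res);
    }
}
```

CSRFGuard adds what this sketch leaves out: automatic token injection into every form and link via a JavaScript servlet, per-page tokens, and configurable actions (log, redirect, invalidate session) on a failed check. On Jakarta EE 9 or later the package prefix is jakarta.servlet instead of javax.servlet.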
OWASP AntiSamy Project: A Java API for ensuring that user-supplied HTML/CSS complies with an application's rules. The rules live in an XML policy file that allowlists the tags, attributes and CSS properties to keep; everything else is stripped or rejected.
// Some fake input
String dirtyInput = " alert(1); ";
// Create Policy object from an AntiSamy policy XML file
// (POLICY_FILE_LOCATION is a path such as one of the bundled antisamy-*.xml policies)
Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);
// Create AntiSamy object and scan dirtyInput against the policy (SAX parser)
AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(dirtyInput, policy, AntiSamy.SAX);
// Use only the cleaned output; cr.getErrorMessages() lists what the policy removed
String cleanHtml = cr.getCleanHTML();

OWASP ModSecurity Core Rule Set Project: A set of generic web application attack-detection rules (SQL injection, XSS, protocol violations, scanners, and so on) for the open source, cross-platform ModSecurity Web Application Firewall (WAF).
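How the rule set is wired into Apache's ModSecurity, as an added configuration example that is not from the slides or from the CRS project. It assumes ModSecurity 2.9 with CRS 3.3 installed under Debian-style paths (/etc/modsecurity/crs/crs-setup.conf and /usr/share/modsecurity-crs/rules/); the parameter name comment_body is made up. The practitioner steps it encodes: start in detection-only mode, set the paranoia level and anomaly thresholds in crs-setup.conf, and tune false positives with per-target exclusions instead of deleting rules.

```apacheconf
# Added example, not from the slides or the CRS project. Assumes ModSecurity 2.9 + CRS 3.3.

# --- /etc/modsecurity/crs/crs-setup.conf (excerpt: uncomment and edit these) ---
# Paranoia level 1 is the low-false-positive default. Raise it one step at a
# time and re-read the audit log; each level enables stricter, noisier rules.
SecAction \
  "id:900000,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.paranoia_level=1"

# Anomaly scoring: a critical rule match scores 5, so an inbound threshold of 5
# blocks on a single critical hit. Raise the threshold temporarily while tuning.
SecAction \
  "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# --- /etc/apache2/mods-enabled/security2.conf ---
<IfModule security2_module>
    # Start in DetectionOnly: requests are scored and logged but never blocked.
    # Switch to On only after the audit log shows no false positives.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Order matters: the setup file first (it defines the scoring variables),
    # then the rule files.
    IncludeOptional /etc/modsecurity/crs/crs-setup.conf
    IncludeOptional /usr/share/modsecurity-crs/rules/*.conf

    # Tuning goes AFTER the rules are loaded. Exclude one known-good parameter
    # from one rule (942100 is the libinjection SQL injection check) rather
    # than switching the whole rule off site-wide with SecRuleRemoveById.
    SecRuleUpdateTargetById 942100 "!ARGS:comment_body"
</IfModule>
```

Check the result with a request the rules should catch, for example a query parameter containing a UNION SELECT, and confirm that the audit log records the matching rule IDs and the anomaly score before flipping SecRuleEngine to On.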
Demo

Thank you