
Slide 1: Copyright © 2006 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation, OWASP AppSec Europe, May 2006, http://www.owasp.org/
Conference Wrapup and Projects' Status Report
Dave Wichers, OWASP Conferences Chair, Aspect Security
dave.wichers@owasp.org, dave.wichers@aspectsecurity.com

Slide 2: So How Was the Conference?
- Did you like:
  - The tutorials?
  - The panels?
  - The refereed papers?
  - Multiple tracks?
- Suggestions?
- Where should it be next time? Paris, Rome, Munich, ????

Slide 3: What do YOU want out of OWASP?
- Mission (just updated on the new Wiki): The Open Web Application Security Project (OWASP) is dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.
- What (else) do we need to accomplish this mission?

Slide 4: Main OWASP Projects
- OWASP Top Ten: lead: Jeff Williams
- OWASP Guide: lead: Andrew van der Stock
- OWASP Testing Guide: lead: Eoin Keary
- OWASP .NET: lead: Dinis Cruz
  - Many subprojects (see later slide)
- OWASP WebGoat: lead: Bruce Mayhew
- OWASP WebScarab: lead: Rogan Dawes
- OWASP WASS Project (NEW!!): lead: Mike Andrews
- OWASP CLASP (NEW!!): lead: Pravir Chandra

Slide 5: OWASP Top Ten Most Critical Web Application Security Vulnerabilities
- Purpose: Generate awareness of the most critical web application security vulnerabilities
- Published: Jan 2003, updated Jan 2004
- Translated into Chinese, French, Italian, Japanese, and Spanish
- Adopted by many companies and organizations
  - Such as the Payment Card Industry (PCI) Standard
- Still accurate but probably deserves an update at this point

Slide 6: OWASP Guide to Building Secure Web Applications
- Purpose: To help designers and developers produce secure web applications
- Published:
  - V1 released in 2002
  - V2.0 released July 2005 (293 pp.)
  - V2.1 release targeted for late 2006 as a book, and available in the new OWASP Wiki
- Usage:
  - V1 downloaded over 2 million times

Slide 7: OWASP Testing Project
- OWASP Testing Guide
  - 60% done, broad range of areas covered. Techniques include:
    - Application Penetration Testing
    - Application Code Analysis
  - More to be done. Needs authors and reviewers.
  - Finished? First cut: end of the summer (I hope).
- OWASP "Live CD"
  - Goal: Application testing toolkit "in your pocket".
  - Contains OWASP tools, to include .NET tools
  - Shall include an indexable HTML version of the Testing Guide. Shall include other commonly used freeware tools.
  - Beta build: to be hosted as an ISO image on owasp.net.

Slide 8: OWASP .NET Project
- Hosted at www.owasp.net
- OWASP Site Generator
  - Generates flawed sample apps to test tools against
- OWASP Validator.NET
  - Partial port of ModSecurity to the .NET platform
- Other .NET alpha/beta projects
  - Beretta, ANBS, SAM'SHE, ASP.NET Reflector, .NetMon

Slide 9: OWASP WebGoat
- Purpose: Teach application security principles to developers and analysts
- Published:
  - V1.0 released in Oct 2002
  - V4.0 released May 2006
- Usage:
  - Downloaded almost 100,000 times - one of the most widely used OWASP tools

Slide 10: OWASP WebGoat Overview
- Deliberately insecure J2EE web application
  - Download, unzip and click to run
- Teaches application security principles
  - Access control
  - SQL injection
  - Authentication & session management
  - Input validation
  - Many more …
- Training environment
  - Hands-on learning for developers and analysts

Slide 11: Version 4.0: A Complete Rewrite (almost)

Slide 12: WebGoat 4.0 Released
- New multi-stage lessons
  - Role based access control
  - SQL injection
  - Cross-site scripting
- Updated architecture
  - Uses JSPs
  - Simple front controller
  - Multi-stage lesson support
- New user guide
- Multi-user environment

Slide 13: WebGoat Wants Your Ideas!
- Is WebGoat part of your training environment?
- What features or lessons do you need?
- How can you get involved?
- Lessons needed
  - Forced browsing
  - Denial of service
  - Admin interfaces
  - Privilege escalation
  - Better lesson plans
Send your comments, ideas, suggestions to: bruce.mayhew@aspectsecurity.com

Slide 14: OWASP WebScarab
- Purpose: To help test web applications. It is a scriptable proxy and framework that allows a tester to view and modify any traffic between a web client (browser) and a target web application.
- Other features:
  - Spider, Fuzzer, Session ID graphing
  - Highly scriptable
  - Web Services interface
- Published:
  - First released: late 90's, before OWASP, under a different name
  - Moved to OWASP in July 2003
  - Continuous incremental releases since then (simply dated, no version numbers)
- Usage:
  - Downloaded over 30,000 times - one of the most widely used OWASP tools

Slide 15: What does WebScarab do?
- Allows the user to view HTTP(S) conversations between browser and server
- Allows the user to review/save those conversations
- Allows the user to intercept and modify on the fly
- Allows the user to replay previous requests
- Allows the user to script conversations with full access to the request and response object models
- And much more!

Slide 16: WebScarab Recent Activities
- Bug-fixes, mostly, some UI changes
- New plugins
  - Extensions - brute forces common extensions
    - E.g. http://example.com/index.jsp -> index.jsp.bak
    - E.g. http://example.com/images/ -> images.zip
  - XSS tester - in progress
- "Next Generation" in development
  - Using Spring Framework and Spring Rich Client
  - DB backed
  - Not likely anytime soon...

Slide 17: OWASP WASS Project (New!)
- Purpose (Web Application Security Standards Project):
  - Create a minimum set of specific, testable security requirements for a web application to safely process credit card information.
  - The VISA Cardholder Information Security Program (CISP) / Payment Card Industry (PCI) standards address network security but have very little on web application security.
- Status: Initial strawman set of requirements developed and available for review
- Needed: Contributors and reviewers

Slide 18: OWASP CLASP Project (New!)
- Purpose: Provide software development organizations everything they need to develop their own secure development lifecycle.
- Status: CLASP was developed by Secure Software and just donated to OWASP. In the process of moving all of CLASP into the new OWASP Wiki.
- Needed: Complete the transition to the OWASP Wiki, then focus on developing new materials that expand the process activities and show how they fit into the entire software development lifecycle.

