1
OWASP in favor of a more secure world
Porto Alegre Chapter
OWASP in favor of a more secure world
L. Gustavo C. Barbato, Ph.D.
Chapter Leader, OWASP Porto Alegre / Brazil
Member, Global Chapter Committee
Porto Alegre Chapter Meeting, 03/31/2011, UNISINOS, São Leopoldo
2
Introduction
3
OWASP (Open Web Application Security Project)
OWASP is an international organization, and the OWASP Foundation supports OWASP efforts around the world.
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
4
Knowledge base (timeline figure: 2001, 2003, 2005, 2007, 2009, 2011)
5
History
OWASP was started on September 9, 2001, by Mark Curphey and Dennis Groves.
Since late 2003, Jeff Williams has served as the volunteer Chair of OWASP.
The OWASP Foundation, a 501(c)(3) organization (in the USA), was established in 2004.
Thousands of individual members nowadays; the OWASP Foundation has over 80 active local chapters and only 3 employees.
6
Ecosystem
Volunteers: people/project leadership, knowledge sharing, events, presentations, administration
Sustained by: conferences, individual supporters (annually), banner advertisements, corporate sponsors
7
Structure
8
OWASP Board
Jeff Williams - USA (jeff.williams@owasp.org)
Sebastien Deleersnyder - Belgium
Tom Brennan - USA
Eoin Keary - Ireland
Dave Wichers - USA
Matt Tesauro - USA
9
Global Committees
10
Local Chapters
Hundreds of local chapters, but only around 80 are active.
Brazilian chapters: Porto Alegre, Curitiba, São Paulo, Campinas, Brasília, Goiânia, Recife, Paraíba
11
Organization Supporters
12
Projects
13
Resources http://www.owasp.org/index.php/Category:OWASP_Project
Automated Security Verification: Vulnerability Scanners, Static Analysis Tools, Fuzzing
Manual Security Verification: Penetration Testing Tools, Code Review Tools
Security Architecture: ESAPI
Secure Coding: AppSec Libraries, ESAPI Reference Implementation, Guards and Filters
AppSec Management: Reporting Tools
AppSec Education: Flawed Apps, Learning Environments, Live CD, SiteGenerator
14
OWASP Top Ten 2010 http://www.owasp.org/index.php/Top_10
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
15
ESAPI (Enterprise Security API)
Layered from top to bottom:
Custom Enterprise Web Application
OWASP Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Your Existing Enterprise Services or Libraries
16
SAMM (Software Assurance Maturity Model)
17
CLASP (Comprehensive, Lightweight, Application Security Process)
18
ASVS (Application Security Verification Standard)
19
OWASP Testing Guide
20
WebScarab
21
WebGoat
22
OWASP Live CD
23
ModSecurity Core Rules Set Project
Supports any type of parameter: POST, GET or any other. Example rule (SQL injection signature, id 950001):

    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
      "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:… … …" \
      "capture,log,deny,t:replaceComments,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950001',severity:'2'"

Every SQL-injection-related keyword is checked. Common evasion techniques (URL encoding, HTML entities, case changes) are mitigated by the transformation functions applied before matching, and SQL comments are compensated for by t:replaceComments. Note that the Referer header is deliberately excluded from the inspected targets.
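To show how the rule above actually behaves, here is an added, self-contained Python model of its pipeline; it is example code written for this page, not ModSecurity or CRS code. The four transformation functions are simplified re-implementations (ModSecurity's real ones handle more corner cases), the signature is a short stand-in for the elided 950001 regex (it only keeps a SELECT ... FROM shape and the sp_ procedures visible above), and the two requests are constructed samples, not captured traffic. The model also generalizes slightly beyond the slide by walking every target the rule names, including parameter names and the Referer exclusion.

```python
import html
import re
import urllib.parse

# Simplified re-implementations of the four transformation functions the rule
# lists, in the order ModSecurity applies them.  Illustrative only; this is
# not ModSecurity's own code.
def replace_comments(value: str) -> str:
    # t:replaceComments: each C-style /* ... */ comment becomes one space;
    # an unterminated comment is removed to end of input.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)
    return re.sub(r"/\*.*$", " ", value, flags=re.DOTALL)

def url_decode_uni(value: str) -> str:
    # t:urlDecodeUni: %xx and IIS-style %uXXXX sequences are decoded.
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return urllib.parse.unquote_plus(value)

def html_entity_decode(value: str) -> str:
    # t:htmlEntityDecode: &#83; / &amp; style entities become characters.
    return html.unescape(value)

TRANSFORMS = (replace_comments, url_decode_uni, html_entity_decode, str.lower)

def transform(value: str) -> str:
    """Run the rule's transformation chain over one target value."""
    for fn in TRANSFORMS:
        value = fn(value)
    return value

# Stand-in for the (elided) 950001 signature: a SELECT ... FROM shape plus the
# stored procedures visible in the rule.  The real CRS regex is far longer.
SQLI_SIGNATURE = re.compile(
    r"\b(?:select\b.{1,100}?\bfrom\b"
    r"|sp_(?:addextendedproc|sqlexec|oacreate|prepare|executesql|makewebtask)\b)"
)

def inspect_request(request: dict) -> list:
    """Expand the rule's target list (REQUEST_FILENAME|ARGS|ARGS_NAMES|
    REQUEST_HEADERS, minus Referer), transform each value and match the
    signature.  Returns (target, matched_text) pairs, i.e. what %{TX.0}
    would capture for each hit."""
    targets = [("REQUEST_FILENAME", request["filename"])]
    for name, value in request["args"].items():
        targets.append((f"ARGS:{name}", value))        # parameter values
        targets.append((f"ARGS_NAMES:{name}", name))   # parameter names too
    for name, value in request["headers"].items():
        if name.lower() == "referer":                  # !REQUEST_HEADERS:Referer
            continue
        targets.append((f"REQUEST_HEADERS:{name}", value))
    hits = []
    for target, raw in targets:
        match = SQLI_SIGNATURE.search(transform(raw))
        if match:
            hits.append((target, match.group(0)))
    return hits

def alert_messages(request: dict) -> list:
    """Render hits the way the rule's msg action would."""
    return [f"SQL Injection Attack. Matched signature <{sig}> in {target} (id 950001, severity 2)"
            for target, sig in inspect_request(request)]

# Constructed sample requests (not captured traffic).  ARGS values are shown
# after the single URL decoding the engine performs when parsing the request,
# so "sort" is what a doubly-encoded payload looks like at rule time.
BENIGN_REQUEST = {
    "filename": "/index.php",
    "args": {"q": "owasp porto alegre chapter"},
    "headers": {
        "Host": "example.test",
        "User-Agent": "Mozilla/5.0",
        "Referer": "https://example.test/?q=select+name+from+users",  # excluded target
    },
}

ATTACK_REQUEST = {
    "filename": "/item.php",
    "args": {
        "id": "1 UNION/**/SELECT/**/password/**/FROM/**/users",   # comment splitting
        "sort": "%53ELECT%20*%20FROM%20users",                     # double URL encoding
        "select id from dual": "x",                                # payload in the name
    },
    "headers": {
        "Host": "example.test",
        "X-Filter": "&#83;ELECT id &#70;ROM admins",               # HTML entities
    },
}

if __name__ == "__main__":
    print("benign:", inspect_request(BENIGN_REQUEST))
    for line in alert_messages(ATTACK_REQUEST):
        print(line)
```

Running it shows the benign request producing no hits even though its Referer contains a SELECT ... FROM, while each of the four evasions in the attack request is normalized to plain lowercase SQL before the signature sees it. The order of the transformations matters: comments are stripped first, so a comment hiding an encoded keyword is removed before decoding, and lowercasing comes last so the signature only has to be written in one case.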
24
Books
25
Conferences
26
Global AppSec Europe (June 6, 2011 - June 10, 2011)
27
Global AppSec North America (Sept. 20, 2011 - Sept. 23, 2011)
28
Global AppSec Asia (Nov. 3, 2011 - Nov. 5, 2011)
29
Global AppSec Latin America (Oct. 4, 2011 - Oct. 7, 2011)
30
How to participate?
31
How to participate? http://www.owasp.org/index.php/Porto_Alegre
Papers, wiki
Mailing lists
Projects: proposing new ones, testing existing ones, giving feedback
Translations
Presentations
Contributing annually (US$ 50)
32
Questions?
33
References Decks used to create this one: