Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2010 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux 2010

Published byAldous Floyd Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © 2010 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux 2010"— Presentation transcript:

1 Copyright © 2010 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux 2010 http://www.owasp.org Tour of OWASP’s projects Sebastien Deleersnyder Dec 1, 2010

2 OWASP OWASP Tools and Technology 2 Vulnerability Scanners Static Analysis Tools Fuzzing Automated Security Verification Penetration Testing Tools Code Review Tools Manual Security Verification ESAPI Security Architecture AppSec Libraries ESAPI Reference Implementation Guards and Filters Secure Coding Reporting Tools AppSec Management Flawed Apps Learning Environments Live CD SiteGenerator AppSec Education

3 OWASP OWASP Body of Knowledge Core Application Security Knowledge Base Acquiring and Building Secure Applications Verifying Application Security Managing Application Security Application Security Tools AppSec Education and CBT Research to Secure New Technologies Principles Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures Principles Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures OWASP Foundation 501c3 OWASP Community Platform (wiki, forums, mailing lists) Projects Chapters AppSec Conferences Guide to Building Secure Web Applications and Web Services Guide to Application Security Testing and Guide to Application Security Code Review Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues Web Based Learning Environment and Guide for Learning Application Security Guidance and Tools for Measuring and Managing Application Security Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)

4 Top level view

5 OWASP There are a lot of OWASP projects

6 OWASP Metrics Categorizing and organizing projects Maturity, activity level, quality, relevance 6

7 OWASP Assessment Criteria 7

8 OWASP 8

9 9

10 Categories  PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.  DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.  LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC). 10

11 OWASP OWASP projects by numbers  Total Projects: 122  Release quality: 19  Beta quality: 28  Alpha quality: 89  Inactive: 6

12 OWASP Dashboard 12

13 OWASP Assessment details 13

14 Project Parade

15 OWASP The ‘Big 4’ Documentation Projects Building Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR)

16 OWASP The Guide  Complements OWASP Top 10  310p Book  Free and open source  Gnu Free Doc License  Many contributors  Apps and web services  Most platforms  Examples are J2EE, ASP.NET, and PHP  Comprehensive  Project Leader and Editor  Andrew van der Stock, vanderaj@owasp.org vanderaj@owasp.org

17 OWASP Uses of the Guide  Developers  Use for guidance on implementing security mechanisms and avoiding vulnerabilities  Project Managers  Use for identifying activities (threat modeling, code review, penetration testing) that need to occur  Security Teams  Use for structuring evaluations, learning about application security, remediation approaches

18 OWASP Each Topic  Includes Basic Information (like OWASP T10)  How to Determine If You Are Vulnerable  How to Protect Yourself  Adds  Objectives  Environments Affected  Relevant COBIT Topics  Theory  Best Practices  Misconceptions  Code Snippets

19 OWASP 19 Testing Guide v3: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors

20 OWASP 20 Evolution V3  Information Gathering  Config. Management Testing  Business Logic Testing  Authentication Testing  Authorization Testing  Session Management Testing  Data Validation Testing  Denial of Service Testing  Web Services Testing  Ajax Testing  Encoded Appendix  Information Gathering  Business Logic Testing  Authentication Testing  Session Management Testing  Data Validation Testing  Denial of Service Testing  Web Services Testing  Ajax Testing

21 OWASP 21 How the Guide helps the security industry A structured approach to the testing activities A checklist to be followed A learning and training tool Pen-testers A tool to understand web vulnerabilities and their impact A way to check the quality of the penetration tests they buy Organisations More in general, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its client. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures

22 OWASP OWASP Application Security Verification Std  Standard for verifying the security of web applications  Four levels  Automated  Manual  Architecture  Internal 22

23 OWASP OWASP Software Assurance Maturity Model 23

24 OWASP Tools  http://www.owasp.org/index.php/Phoenix/Tools http://www.owasp.org/index.php/Phoenix/Tools  Best known OWASP Tools  WebGoat  WebScarab  Remember:  A Fool with a Tool is still a Fool

25 OWASP Live CD  Project that collects some of the best open source security projects in a single environment  http://www.owasp.org/index.php/LiveCD http://www.owasp.org/index.php/LiveCD  Users can boot from Live CD and immediately start using all tools without any configuration 25

26 OWASP 26 Available Tools 25 “significant” tools OWASP WebScarab v20090122 OWASP WebGoat v5.2 OWASP CAL9000 v2.0 OWASP JBroFuzz v1.2 OWASP DirBuster v0.12 OWASP SQLiX v1.0 OWASP WSFuzzer v1.9.4 OWASP Wapiti v2.0.0-beta Paros Proxy v3.2.13 nmap & Zenmap v 4.76 Wireshark v1.0.5 tcpdump v4.0.0 Firefox 3.06 + 25 addons Burp Suite v1.2 Grendel Scan v1.0 Metasploit v3.2 (svn) w3af + GUI svn r2161 Netcats – original + GNU Nikto v2.03 Firece Domain Scanner v1.0.3 Maltego CE v2-210 Httprint v301SQLBrute v1.0 Spike Proxy v1.4.8-4 Rat Proxy v1.53-beta sqlmap v0.7-rc1 now included!

27 OWASP OWASP WebGoat 27

28 OWASP OWASP WebScarab 28

29 OWASP 29 Tools – At Best 45%  MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE)  They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)

30 OWASP The OWASP Enterprise Security API 30 Custom Enterprise Web Application Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Exception Handling Logger IntrusionDetector SecurityConfiguration Existing Enterprise Security Services/Libraries

31 OWASP Create Your ESAPI Implementation  Your Security Services  Wrap your existing libraries and services  Extend and customize your ESAPI implementation  Fill in gaps with the reference implementation  Your Coding Guideline  Tailor the ESAPI coding guidelines  Retrofit ESAPI patterns to existing code 31

32 OWASP OWASP CSRFTester 32

33 OWASP Add Token to HTML OWASP CSRFGuard 2.0 33 User (Browser) Business Processing OWASP CSRFGuard Verify Token  Adds token to:  href attribute  src attribute  hidden field in all forms  Actions:  Log  Invalidate  Redirect http://www.owasp.org/index.php/CSRFGuard

34 OWASP 34 OWASP Framework SDLC & OWASP Guidelines

35 OWASP Want More ?  OWASP.NET Project  OWASP ASDR Project  OWASP AntiSamy Project  OWASP AppSec FAQ Project  OWASP Application Security Assessment Standards Project  OWASP Application Security Metrics Project  OWASP Application Security Requirements Project  OWASP CAL9000 Project  OWASP CLASP Project  OWASP CSRFGuard Project  OWASP CSRFTester Project  OWASP Career Development Project  OWASP Certification Criteria Project  OWASP Certification Project  OWASP Code Review Project  OWASP Communications Project  OWASP DirBuster Project  OWASP Education Project  OWASP Encoding Project  OWASP Enterprise Security API  OWASP Flash Security Project  OWASP Guide Project  OWASP Honeycomb Project  OWASP Insecure Web App Project  OWASP Interceptor Project  OWASP JBroFuzz  OWASP Java Project  OWASP LAPSE Project  OWASP Legal Project  OWASP Live CD Project  OWASP Logging Project  OWASP Orizon Project  OWASP PHP Project  OWASP Pantera Web Assessment Studio Project  OWASP SASAP Project  OWASP SQLiX Project  OWASP SWAAT Project  OWASP Sprajax Project  OWASP Testing Project  OWASP Tools Project  OWASP Top Ten Project  OWASP Validation Project  OWASP WASS Project  OWASP WSFuzzer Project  OWASP Web Services Security Project  OWASP WebGoat Project  OWASP WebScarab Project  OWASP XML Security Gateway Evaluation Criteria Project  OWASP on the Move Project 35

36 OWASP OWASP Research Grants  We support the research that keeps your organization safe! 36

37 OWASP 37 OWASP Projects Are Alive! 2001 2003 2005 2007 2009 …

38 OWASP How to participate?  Start your own project  The best OWASP projects are strategic get the community involved / build a team  Contribute exising (open license)  Promotion!  ‘Help’ an existing project

39 OWASP Questions and Answers

Download ppt "Copyright © 2010 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux 2010"

Similar presentations

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Web Security Common security threats and hacking.

Web Security Common security threats and hacking.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP Periodic Table of Vulnerabilities James Landis

OWASP Periodic Table of Vulnerabilities James Landis
OpenSAMM Software Assurance Maturity Model Seba Deleersnyder SAMM project co-leaders Pravir Chandra AppSec USA 2014 Project.

OpenSAMM Software Assurance Maturity Model Seba Deleersnyder SAMM project co-leaders Pravir Chandra AppSec USA 2014 Project.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP Overview Germany 2008 Conference

OWASP Overview Germany 2008 Conference
Copyright © 2009 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Security for Managers and Executives

Security for Managers and Executives
Copyright © 2009 - The OWASP Foundation This work is available under the Creative Commons SA 3.0 license The OWASP Foundation OWASP

Copyright © The OWASP Foundation This work is available under the Creative Commons SA 3.0 license The OWASP Foundation OWASP
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.

What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.
The OWASP Foundation Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder OWASP Foundation Board.

The OWASP Foundation Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder OWASP Foundation Board.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
10 Steps To Agile Development Without Compromising Enterprise Security

10 Steps To Agile Development Without Compromising Enterprise Security
OWASP - Where we are… where we are going

OWASP - Where we are… where we are going
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations

Ads by Google