1. Meet OWASP: resources you can use, today. Antonio Fontes antonio.fontes@owasp.org OWASP Geneva Chapter Leader Switzerland

2. About myself Software / Web application security architect Independent (no ties with any integrator/vendor) OWASP Leader: – Member of the Board, OWASP Switzerland – Leader, OWASP Geneva Chapter Core interests: – Software Assurance Maturity Model (SAMM) – Application Security Verification Standard (ASVS)

3. State of Information Security The problem? There are not enough qualified application security professionals What can we do about it? Make application security visible Provide Developers and Software Testers with materials and tools helping them to build more secure applications 3

4. What is OWASP? Open Web Application Security Project https://www.owasp.org Global community, driving and promoting safety and security of world’s software Not-for-profit foundation registered in the United States and a non- profit association registered in European Union Open: – Everyone is free to participate – All OWASP materials & tools are free 4

5. OWASP by Numbers 12 years of community service 88+ Government & Industry Citations – including DHS, ISO, IEEE, NIST, SANS Institute, PCI-DSS, CSA, etc 36,000+ registered members to the mailing lists 320,000+ unique visitors per month 1,000,000+ page viewed per month 15,000+ tools and documents downloaded each month 5

6. OWASP by the Numbers (cont) Year 2013 Budget: USD$580,000 2081 individual members and honorary members 70 countries 60+ donating Corporate Members 100+ supporting Academic Members 198 Active Chapters 168 Active Projects 4 Global AppSec Conferences per Year 6

7. OWASP by the Numbers (cont) 7

8. Started in 2008 Promote application security through chapter meetings and collaboration with local developer communities 2013: – Contact initiated with local developer groups (*UG) – 5 meetings planned – Board made of 3 industry representatives: consulting, banking/finance and public administration sectors: 8 Simon Blanchet simon.blanchet@owasp.org Thomas Hofer thomas.hofer@owasp.org Antonio Fontes antonio.fontes@owasp.org

9. 9 OWASP Projects & Tools Make application security visible Videos, podcasts, books, guidelines, cheat sheets, tools, … Available under a free and open software license Used, recommended and referenced by many government, standards and industry organisations Open for everyone to participate

10. 10 OWASP Projects & Tools - Classification 168+ Active Projects PROTECT – guard against security-related design and implementation flaws. DETECT – find security-related design and implementation flaws. LIFE CYCLE – add security-related activities into software processes (eg. SDLC, agile, etc)

11. 11 OWASP Projects & Tools – An Overview DETECT  OWASP Top 10  OWASP Code Review Guide  OWASP Testing Guide  OWASP Cheat Sheet Series PROTECT  OWASP ESAPI  OWASP ModSecurity CRS  OWASP AppSec Tutorials  OWASP ASVS  OWASP LiveCD / WTE  OWASP ZAP Proxy LIFE CYCLE  WebGoat J2EE  WebGoat.NET Full list of projects (release, beta, alpha) http://www.owasp.org/index.php/Category:OWASP_Project

12. 10 Most critical web application security risks The most visible OWASP project Classifies some of the most critical risks Essential reading for anyone developing web applications Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, FTC, and many more 12

13. OWASP Top Ten (2013 Edition)

14. OWASP Top 10 Risk Rating Methodology Threat Agent Attack Vector Weakness Prevalence Weakness Detectability Technical ImpactBusiness Impact ? EasyWidespreadEasySevere ? AverageCommonAverageModerate DifficultUncommonDifficultMinor 1221 1.66*1 1.66 weighted risk rating Injection Example 123123

15. Code Review Guide 15 Code review is probably the most effective technique for identifying security flaws Focuses on the mechanics of reviewing code for certain vulnerabilities A key enabler for the OWASP fight against software insecurity Update is in progress

16. Code Review Guide (cont) 16 Focuses on.NET and Java, but has some C/C++ and PHP Integration of secure code review into software development processes Understand what you are reviewing Security code review is not a silver bullet, but a key component of an IS program

17. Testing Guide 17 Create a "best practices" web application penetration testing framework A low-level web application penetration testing guide Recommended for developers and software testers Update in progress https://www.owasp.org/index.php/OWASP_Testing_Project

18. Cheat Sheet Series 18 Provide a concise collection of high value information on specific web application security topics https://www.owasp.org/index.php/Cheat_Sheets Developer Cheat Sheets (Builder) Authentication Clickjacking Defense Cryptographic Storage HTML5 Security Input Validation Query Parameterization Session Management SQL Injection Prevention … Developer Cheat Sheets (Builder) Authentication Clickjacking Defense Cryptographic Storage HTML5 Security Input Validation Query Parameterization Session Management SQL Injection Prevention … Assessment Cheat Sheets (Breaker) Attack Surface Analysis XSS Filter Evasion … Assessment Cheat Sheets (Breaker) Attack Surface Analysis XSS Filter Evasion … Mobile Cheat Sheets IOS Developer Mobile Jailbreaking … Mobile Cheat Sheets IOS Developer Mobile Jailbreaking …

19. Cheat Sheet Series (cont) 19 The most visible OWASP project Classifies some of the most critical risks Essential reading for anyone developing web applications Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more

20. Cheat Sheet Series (cont) 20

21. AppSec Tutorial Series 21 https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series Application security video based training Four episodes are available

22. ASVS: Application Security Verification Standard Provides a basis for testing application technical security controls Use as a metric – assess the degree of trust on existing security controls Use as guidance – for what to build as part of planned security controls Use during procurement 22

23. ASVS: Levels 23

24. ASVS: Verification Requirements 24 V1. Authentication V2. Session Management V3. Access Control V4. Input Validation V5. Cryptography (at Rest) V6. Error Handling and Logging V7. Data Protection V8. Communication Security V9. HTTP Security V10. Malicious Controls V11. Business Logic V12. Files and Resources V13. Mobile

25. SAMM: Software Assurance Maturity Model A framework to integrate security into software development and procurement/acquisition processes. A maturity model to qualify a software security initiative under a repeatable process, in time or across several uits. 25

26. SAMM: Software Assurance Maturity Model 26

27. LiveCD / WTE 27 Make application security tools and documentation easily available Collects some of the best open source security projects in a single environment Boot from this Live CD and have access to a full security testing suite http://appseclive.org/

28. Mailing list 101 A list for introductory questions on application security Open access: https://lists.owasp.org/mailman/listinfo/security101

29. Zed Attack Proxy 29 One of the flagship OWASP projects Easy to use integrated penetration testing tool for assessing web applications Ideal for developers and functional testers who are new to penetration testing Completely free and open source Cross platform, internationalised

30. ZAP Proxy: Features 30 Intercepting Proxy Automated scanner Passive scanner Brute Force scanner Spider Fuzzer Port scanner Dynamic SSL certificates API Beanshell integration Upcoming:  New Spider with Ajax functionality  Session scope awareness  Web socket support  Scanning modes (Safe/Protected/Standard)  Scripting console

31. ESAPI: Enterprise Security API 31 Free, open source, web application security controls library Provide developers with libraries for writing lower-risk applications Allow retrofitting security into existing applications Serve as a solid foundation for new development Support for Java, PHP and Force.com – there could be more languages supported

32. ESAPI: functions and services 32 Existing Enterprise Security Services/Libraries

33. ESAPI: Validation and Encoding 33 Backend ControllerBusiness Functions User Data Layer Validator Encoder encodeForURL encodeForJavaScript encodeForVBScript encodeForDN encodeForHTML encodeForHTMLAttribute encodeForLDAP encodeForSQL encodeForXML encodeForXMLAttribute encodeForXPath isValidDirectoryPath isValidCreditCard isValidDataFromBrowser isValidListItem isValidFileContent isValidFileName isValidHTTPRequest isValidRedirectLocation isValidSafeHTML isValidPrintable safeReadLine Canonicalization Double Encoding Protection Normalization Sanitization

34. ModSecurity CRS: Core Rule Set 34 Free certified rule set for ModSecurity WAF Generic web applications protection: – Common Web Attacks Protection – HTTP Protection – Real-time Blacklist Lookups – HTTP Denial of Service Protection – Automation Detection – Integration with AV Scanning for File Uploads – Tracking Sensitive Data – Identification of Application Defects – Error Detection and Hiding https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

35. WebGoat 35 Deliberately insecure web application to teach web application security lessons Over 30 lessons, providing hands-on learning about – Cross-Site Scripting (XSS) – Access Control – Blind/Numeric/String SQL Injection – Web Services – … and many more https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

36. WebGoat: Java 36

37. WebGoat:.NET 37 A purposefully broken ASP.NET web application Contains many common vulnerabilities Intended for use in classroom environments https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET

38. DEMO 38 OWASP ZAP Proxy OWASP WebGoat Java Project

39. Thank You!

40. Q&A if you need inspiration: Where/How do we start using OWASP? How can we help OWASP in return? Can you tell us more about project ______ ?

41. https://www.owasp.org https://www.owasp.org/index.php/Geneva