
Slide 1: Introduction to OWASP Projects and Resources
OWASP Limerick Chapter
marian.ventuneac@owasp.org, 24.03.2011
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

Slide 2: OWASP Projects and Resources
- Make application security visible
  - video, podcasts, books, guidelines, security cheat sheets, software tools, etc.
- Focused on improving the security of application software.
- Available under a free and open software license.
- Used, recommended and referenced by many government, standards and industry organisations.
- Open for everyone to participate.

Slide 3: OWASP Projects and Resources Classification
- PROTECT: guard against security-related design and implementation flaws.
- DETECT: find security-related design and implementation flaws.
- LIFE CYCLE: add security-related activities into software processes (e.g. SDLC, agile, etc.)

Slide 4: OWASP Projects and Resources
- OWASP Top 10
- OWASP Testing Guide
- OWASP WebScarab
- OWASP WebGoat
- OWASP ESAPI
- OWASP Backend Security
- OWASP Code Review Guide
- OWASP CodeCrawler
- OWASP SAMM
- OWASP AppSensor
- OWASP AntiSamy
- OWASP ModSecurity Core Rule Set
- OWASP Application Security Verification Standard
- OWASP LiveCD / WTE
- …
Full list of projects (release, beta, alpha): http://www.owasp.org/index.php/Category:OWASP_Project

Slide 5: Software Development Life Cycle (SDLC) – General Security Requirements
[Diagram: security requirements mapped onto the SDLC phases]
- SDLC phases: Requirements definition, Architecture and Design, Development, Test, Deployment, Maintenance
- Security requirements: Application Security Requirements, Application Security Design, Threat Modelling, Secure Coding, Security Testing, Security Code Review, Penetration Testing, Remediation Plan, Secure Configuration Management, Secure Deployment

Slide 6: OWASP Top 10
- Defines the most critical security vulnerabilities, how to find them, and what to do to protect your applications against them
  - A1: Injection (SQL, LDAP, OS)
  - A2: Cross-Site Scripting (XSS)
  - A3: Broken Authentication and Session Management
  - A4: Insecure Direct Object References
  - A5: Cross-Site Request Forgery (CSRF)
  - A6: Security Misconfiguration
  - A7: Insecure Cryptographic Storage
  - A8: Failure to Restrict URL Access
  - A9: Insufficient Transport Layer Protection
  - A10: Unvalidated Redirects and Forwards

Slide 7: OWASP CLASP
- Comprehensive, Lightweight Application Security Process (CLASP)
- Addresses security concerns in the early stages of the software development process
- Defines process pieces that can be integrated into any software development process
- Provides guidance on implementing a secure software development lifecycle

Slide 8: OWASP Application Threat Modeling
- An approach for analyzing the security of an application
- Allows identifying, quantifying, and addressing the security risks associated with an application
- Threat modeling process steps
  - Decompose the Application: use cases, entry points, identify assets, and identify users' access rights
  - Determine and rank threats: threat categorization methodologies such as STRIDE, Application Security Frame (ASF)
  - Determine countermeasures and mitigation: threat-countermeasure mapping lists

Slide 9: OWASP Secure Coding Practices
- A technology-agnostic set of general software security coding practices (checklist) that can be integrated into development processes.
- The focus is on secure coding requirements
  - to serve as a secure coding kick-start tool and easy reference
  - to help development teams quickly understand secure coding practices
- Implementation of these practices mitigates most common software vulnerabilities.

Slide 10: OWASP WebGoat
- Deliberately insecure J2EE web application to teach web application security lessons
- 30 lessons, providing hands-on learning about
  - Cross-Site Scripting (XSS)
  - Access Control
  - Thread Safety
  - Hidden Form Field Manipulation
  - Parameter Manipulation
  - Weak Session Cookies
  - Blind/Numeric/String SQL Injection
  - Web Services
  - Fail Open Authentication
  - … and many more

Slide 11: OWASP Enterprise Security API (ESAPI)
- Free and open collection of security methods for building secure Web applications
- Languages / Technologies
  - Java
  - PHP
  - .NET
  - ASP
  - ColdFusion
  - Python
  - JavaScript
  - Haskell
  - Force.com

Slide 12: OWASP Backend Security
- Guide for developers, administrators and testers.
- Security aspects of backend components that directly communicate with the web applications, such as databases, LDAP directories and payment gateways.
- Covers backend
  - security development
  - security hardening
  - and security testing

Slide 13: OWASP Application Security Verification Standard
- OWASP ASVS: a standard for conducting application security assessments.
- Covers automated and manual approaches for verifying applications using both security testing and code review techniques.
- Can be used to establish a level of confidence in the security of Web applications
  - Metric: assess the degree of trust that can be placed in Web applications
  - Guidance: provide guidance to security control developers as to what to build into security controls to satisfy security requirements
  - Use during procurement: provide a basis for specifying application security verification requirements in contracts

Slide 14: OWASP Testing Guide
- Focused on application security testing procedures and checklists.
- Includes a "best practice" penetration testing framework.
- "Low level" penetration testing guide that describes techniques for testing the most common web application and web service security issues.

Slide 15: OWASP Code Review Guide
- Manual security code review provides insight into the "real risk" associated with insecure code.
- Code review is the single most effective technique for identifying security flaws.
- Best practices for reviewing code for security defects.
- Focuses on reviewing code for certain vulnerabilities.

Slide 16: OWASP LiveCD / Web Testing Environment (WTE)
- A collection of some of the best open source security tools for testing web applications:
  - OWASP WebScarab
  - OWASP WebGoat
  - OWASP JBroFuzz
  - Paros Proxy
  - nmap & Zenmap
  - Wireshark
  - Burp Suite
  - Grendel-Scan
  - Rat Proxy
  - …
- http://appseclive.org

Slide 17: OWASP ModSecurity Core Rule Set
- The Core Rule Set (CRS) provides critical protections against attacks across almost every web architecture.
- CRS is based on generic rules which focus on attack payload identification
- Provides protection from zero-day and unknown vulnerabilities often found in web applications.
- Related project: Securing WebGoat using ModSecurity

Slide 18: Questions?
