
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.


Slide 1: OWASP Projects: Flagship Projects
Hassan El Hadary, OWASP Speaker, SecureMisr, 12/4/2014
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

Slide 2: Title
- What Are Flagship Projects?
- How Can We Make Use of OWASP Flagship Projects?
  - Learn How to Pen Test
  - Pen Test
  - Learn How to Secure the Code
  - Secure the Code

Slide 3: What Are Flagship Projects?
OWASP projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and to application security as a whole. They are a combination of:
- Tools (e.g. OWASP ZAP)
- Code (e.g. OWASP ESAPI)
- Documentation (e.g. OWASP Top 10)

Slide 4: How Can We Make Use of OWASP Flagship Projects?
- Learn How to Pen Test
- Pen Test
- Learn How to Secure the Code
- Secure the Code

Slide 5: Learn How to Pen Test
- OWASP Top Ten Project
- OWASP Testing Guide Project
- OWASP WebGoat Project

Slide 6: OWASP Top Ten Project
Describes the most common application attacks.

Slide 7: OWASP Testing Guide Project
A guideline that outlines techniques for pen testing web applications.

Slide 8: OWASP WebGoat Project
A group of vulnerable applications prepared for practicing and testing.

Slide 9: Demo

Slide 10: How Can We Make Use of OWASP Flagship Projects?
- Learn How to Pen Test
- Pen Test (this section)
- Learn How to Secure the Code
- Secure the Code

Slide 11: Pen Test
- OWASP Zed Attack Proxy
- OWASP Web Testing Environment Project

Slide 12: OWASP Zed Attack Proxy
A tool for web pen testing:
- HTTP proxy
- Spidering
- Vulnerability scanning
- Brute forcing
- Fuzzing

Slide 13: OWASP Zed Attack Proxy

Slide 14: Demo

Slide 15: How Can We Make Use of OWASP Flagship Projects?
- Learn How to Pen Test
- Pen Test
- Learn How to Secure the Code (this section)
- Secure the Code

Slide 16: Learn How to Secure the Code
- OWASP Application Security Verification Standard Project (ASVS)
- OWASP Code Review Guide Project
- OWASP Secure Coding Practices - Quick Reference Guide

Slide 17: Learn How to Secure the Code
- OWASP Software Assurance Maturity Model (SAMM)
- OWASP Development Guide Project

Slide 18: Demo

Slide 19: Secure the Code
- OWASP Enterprise Security API (ESAPI)
- OWASP CSRFGuard Project
- OWASP AntiSamy Project
- OWASP ModSecurity Core Rule Set Project

Slide 20: OWASP Enterprise Security API (ESAPI)
Libraries designed to make it easier for programmers to integrate security into existing applications.
- Support for Java EE, .NET, PHP, C, ASP, and others
- Components: Validator, Encoder, Encryptor, Logger, IntrusionDetector

Slide 21: OWASP Enterprise Security API (ESAPI)
Input validation example (ESAPI for .NET, C#):

    // The Validator checks input against a whitelist rule; this number passes the built-in credit-card rule
    IValidator validator = Esapi.Validator;
    Assert.IsTrue(validator.IsValid(BuiltinValidationRules.CreditCard, "1234 9876 0000 0008"));
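The slide's assertion passes because ESAPI's credit-card rule canonicalizes the input, whitelists the character set and length, and then checks the Luhn checksum. As an added example, not code from the slides or from ESAPI, the Python below reproduces that whitelist-then-checksum approach; the rule names and the `is_valid` dispatcher are constructed for this example and are not ESAPI's API.

```python
import re

def canonicalize(value):
    """ESAPI-style canonicalization for a card number: drop the spaces and
    dashes people type, so the whitelist below only sees digits."""
    return re.sub(r"[ -]", "", value.strip())

def luhn_ok(digits):
    """Luhn checksum: from the right, double every second digit, subtract 9
    when the result exceeds 9, and require the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def is_valid_credit_card(value):
    """Whitelist first (13-19 digits, nothing else), checksum second."""
    digits = canonicalize(value)
    if not re.fullmatch(r"\d{13,19}", digits):
        return False
    return luhn_ok(digits)

# Constructed whitelist rules in the spirit of ESAPI's BuiltinValidationRules.
# Each rule accepts only the characters and shape the field is allowed to have.
RULES = {
    "CreditCard": is_valid_credit_card,
    "Email": lambda v: re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", v) is not None,
    "SafeString": lambda v: re.fullmatch(r"[A-Za-z0-9 .,_-]{1,100}", v) is not None,
}

def is_valid(rule, value):
    """Counterpart of validator.IsValid(rule, value) on the slide."""
    return RULES[rule](value)
```

`"4111 1111 1111 1111"` in the checks below is the widely used Visa test number; `"1234 9876 0000 0009"` is the slide's number with its last digit altered so the checksum fails.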

Slide 22: OWASP CSRFGuard Project
- A library that acts as a Java EE Filter to protect against Cross-Site Request Forgery attacks
- Enables integrating per-session or pseudo-per-request tokens into HTML
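To make the two token modes on the slide concrete, here is an added example, not from the slides or from CSRFGuard, of what such a filter does: a per-session synchronizer token is minted once and embedded in every form, a pseudo-per-request token is minted per form render and consumed on first use, and state-changing requests are refused unless the submitted token matches in constant time. The `session` dictionary, the `TOKEN_FIELD` name and the function names are assumptions made for this example, not CSRFGuard's API.

```python
import hmac
import secrets

TOKEN_FIELD = "csrf_token"  # form field name, chosen for this example

def issue_session_token(session):
    """Per-session mode: one token for the life of the session, created on
    first use and stored server-side; every form in the session embeds it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def issue_request_token(session):
    """Pseudo-per-request mode: a fresh token for one form render, remembered
    server-side and discarded as soon as it is used."""
    token = secrets.token_urlsafe(32)
    session.setdefault("csrf_request_tokens", set()).add(token)
    return token

def hidden_field(token):
    """Markup a template injects into each HTML form. token_urlsafe output is
    limited to [A-Za-z0-9_-], so no HTML escaping is needed here."""
    return '<input type="hidden" name="%s" value="%s">' % (TOKEN_FIELD, token)

def verify_session_token(session, form):
    expected = session.get("csrf_token")
    supplied = form.get(TOKEN_FIELD)
    if not expected or not supplied:
        return False
    # constant-time comparison so the token cannot be guessed byte by byte
    return hmac.compare_digest(expected, supplied)

def verify_request_token(session, form):
    supplied = form.get(TOKEN_FIELD)
    issued = session.get("csrf_request_tokens", set())
    if not supplied:
        return False
    for token in list(issued):
        if hmac.compare_digest(token, supplied):
            issued.discard(token)  # single use: a replayed token fails
            return True
    return False

def filter_request(session, method, form, per_request=False):
    """What a CSRF filter in front of the application does: let safe methods
    through and demand a valid token on state-changing ones."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    check = verify_request_token if per_request else verify_session_token
    return check(session, form)
```

The same secret must never be readable to other origins, which is why the token lives in the session on the server and in the form body, not in a URL that could leak through referrers or logs.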

Slide 23: OWASP AntiSamy Project
A Java API for ensuring that user-supplied HTML/CSS complies with an application's rules.

    import org.owasp.validator.html.*;

    // Some fake input (the transcript lost the markup; the <script> tags are restored here)
    String dirtyInput = "<script>alert(1);</script>";
    // Create Policy object from the application's AntiSamy policy file
    Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);
    // Create AntiSamy object
    AntiSamy as = new AntiSamy();
    // Scan dirtyInput against the policy; cr.getCleanHTML() holds the sanitized output
    CleanResults cr = as.scan(dirtyInput, policy, AntiSamy.SAX);
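What a policy-based sanitizer like AntiSamy does with that input is worth seeing end to end. The following is an added example, not the slides' or AntiSamy's code: a small sanitizer built on Python's `html.parser` that keeps only the tags and attributes an allowlist names, drops everything else, removes `script` and `style` bodies entirely, rejects `href` values outside http/https, and re-escapes all text on output. The `POLICY` table and the `scan` function are constructed for this example; AntiSamy reads its policy from an XML file.

```python
import html
from html.parser import HTMLParser

# Constructed policy: allowed tags and, per tag, the allowed attributes.
POLICY = {
    "b": set(), "i": set(), "p": set(), "br": set(),
    "a": {"href"},
}
SAFE_URL_SCHEMES = ("http://", "https://")
DROP_WITH_CONTENT = {"script", "style"}  # tag and body both disappear

class PolicySanitizer(HTMLParser):
    """Rebuilds the input keeping only what POLICY allows. Disallowed tags are
    removed but their text survives; script/style bodies are removed; text is
    escaped again on the way out, so nothing unescaped reaches the output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = None  # name of the script/style element being skipped

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = tag
            return
        if tag not in POLICY:
            return  # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in POLICY[tag]:
                continue  # event handlers, style, etc. are not on the list
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # javascript:, data: and other schemes are rejected
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
            return
        if tag in POLICY and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

def scan(dirty_html):
    """Counterpart of AntiSamy.scan(): returns the cleaned HTML string."""
    parser = PolicySanitizer()
    parser.feed(dirty_html)
    parser.close()
    return "".join(parser.out)
```

The allowlist direction is the point: a sanitizer that only strips known-bad constructs is beaten by the next encoding or tag it has not heard of, whereas one that only emits known-good constructs fails closed.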

Slide 24: OWASP ModSecurity Core Rule Set Project
A set of web application defense rules for the open-source, cross-platform ModSecurity Web Application Firewall (WAF).

Slide 25: Demo

Slide 26: Thank you

