OWASP .NET
Mark Roxberry, OWASP .NET Project Lead

Agenda
• What and Why OWASP .NET?
• OWASP .NET Season of Code 2008
• Project Tracking
• Resources & Guides
• Active Projects
• Research Projects
• Help Wanted!
What is OWASP .NET and Why?

What is OWASP .NET?
• A collaborative hub for documentation, tools and research for .NET web security
• An objective source of security information
• A project with broad vision and scope for all aspects of .NET security

Why OWASP .NET?
• We need to trust, but verify, source code and security resources for .NET.
• Our motivation is not profit, but knowledge (not that profit is a bad thing).
OWASP .NET Project Season of Code 2008
• I volunteered to take up the mantle, reorganize the OWASP .NET Project and assume a caretaker role.
• My goals for the SoC 2008 project are to:
  • Logically redesign and recategorize the OWASP .NET Project Wiki
  • Reach out to the .NET security community for contributions
  • Raise awareness of OWASP .NET
OWASP .NET Project Contents
• Project Tracker
• Resources
  • Advisories, Articles and Projects
  • Online References
  • Books and Publications
  • Tools
  • Blogs & People
• Security Guides
  • Architects
  • Developers
  • IT Pros
  • Testers
  • Incident Response
• Active Projects (Tools, Reference Applications, Workspaces)
• Research Projects (Documentation, Vulnerability Research)
Project Tracking
• Started at the end of SoC 2008: moderated .NET security resources
  • ASP.NET Security Forum
  • MSDN Security Developer
  • Silverlight Security Forums
  • Mono Forums
  • ALT.NET User Groups
Security Guides
• Architect
  • .NET Application Lifecycle
  • Identity and Trust Concerns
  • Design Review & Checklists
• Developer
  • Secure Development Lifecycle
  • .NET Secure Coding
  • Development Checklists
• IT Professionals
  • Secure Server Maintenance and Configuration
  • Auditing, Instrumentation and Diagnostics
  • Deployment Scenarios
• Penetration Testing
  • Planning, Attack and Reporting
  • Ethical Hacking
• Incident Response
  • Incident Response Plan
  • Evidence Handling
  • Recovery and Continuity
Resources
• OWASP Wiki Content
  • .NET ESAPI
  • Full Trust ASP.NET Security Vulnerabilities
  • Mono vs. Medium Trust
• Recommended Resources
  • Threat Modeling Guidance
  • Patterns and Practices
  • Web Service Specifications
Active Projects
• OWASP Site Generator
• OWASP Report Generator
• OWASP ESAPI .NET
• ASP.NET Reflector
• .NET CSRF Guard
• HACME
• .NETMON
• Validator.NET
Research Projects
So much to do, so little time. We have ongoing research in many areas of .NET:
• ASP.NET Membership
• Mono
• WCF
• Silverlight
• Linq
• Sharepoint
• Community Server
• ...
Help Wanted
• OWASP .NET Project 2009
  • OWASP .NET Project is ongoing
  • Recruit your friends, peers or mentors
• PRIMARY Research!!!
  • Silverlight
  • Sharepoint
  • ADO.NET Data Services
  • ASP.NET Application Services
  • OWASP .NET Secure ALM Guide
  • ALT.NET, Mono, .NET in the wild
  • Your idea here!