
Protecting your web applications with OWASP - RISK 2008


Presentation Transcript


  1. Protecting your web applications with OWASP - RISK 2008 Sebastien Deleersnyder, OWASP Board CISSP, CISA, CISM Apr, 2008

  2. Seba? • Developer + Security = AppSec Consultant • Started OWASP Belgium Chapter • OWASP Board Member • Work @ Telindus

  3. Agenda • OWASP Introduction • OWASP Projects Parade • OWASP NearYou?

  4. Agenda • OWASP Introduction • OWASP Projects Parade • OWASP NearYou?

  5. OWASP • The Open Web Application Security Project (OWASP) • International not-for-profit charitable Open Source organization • Funded primarily by volunteers' time, OWASP memberships, and OWASP conference fees • Participation in OWASP is free and open to all

  6. OWASP Mission • To make application security "visible," so that people and organizations can make informed decisions about application security risks

  7. Public Health Warning • XSS and CSRF have evolved • Any website you visit could infect your browser • An infected browser can do anything you can do • An infected browser can scan, infect, spread • 70-90% of web applications are 'carriers'

  8. Top Ten Web Hacks 2007 • XSS Vulnerabilities in Common Shockwave Flash Files • Universal XSS in Adobe's Acrobat Reader Plugin • Firefox's JAR: Protocol issues • Cross-Site Printing (Printer Spamming) • Hiding JS in Valid Images • Firefoxurl URI Handler Flaw • Anti-DNS Pinning (DNS Rebinding) • Google GMail E-mail Hijack Technique • PDF XSS Can Compromise Your Machine • Port Scan without JavaScript • Honorable Mention: Microsoft ASP.NET Request Validation Bypass Vulnerability (POC) (Source: blog poll by Jeremiah Grossman, WhiteHatSec)

  9. OWASP Contribution • Provide free resources to the community: publications, articles, standards; testing and training software; local chapters & mailing lists • Dual license model: Open Source licenses; commercial license for members

  10. OWASP Knowledge and Tools (diagram) • Core Application Security Knowledge Base • Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services • Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review • Managing Application Security: Guidance and Tools for Measuring and Managing Application Security • Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues • AppSec Education and CBT: Web Based Learning Environment and Education Project • Research to Secure New Technologies: Research Projects on Securing New Technologies (like Web Services & Ajax)

  11. OWASP Community Platform (diagram, bottom layer to top) • OWASP Foundation 501c3 (finances, legal, infrastructure, communications) • OWASP Community Platform (wiki, forums, mailing lists, leaders) • Chapters, AppSec Conferences, Projects (tools and documentation) • Knowledge and tool areas: Core Application Security Knowledge Base; Acquiring and Building Secure Applications; Verifying Application Security; Managing Application Security; Application Security Tools; AppSec Education and CBT; Research to Secure New Technologies

  12. www.owasp.org (screenshot of the OWASP site)

  13. OWASP by the Numbers • 420,000 page views per month • 15,000 downloads per month (SourceForge alone) • 10,000 members on mailing lists • 4,165 wiki users • 1,500 wiki updates per month • 115 chapters worldwide • 150 individual memberships • 49 tool and documentation projects • 48 corporate/educational memberships • 30 new projects funded through Summer of Code • 2 employees

  14. Employees Alison McNamee OWASP Operations Director Paulo Coimbra OWASP Project Manager

  15. Agenda • OWASP Introduction • OWASP Projects Parade • OWASP NearYou?

  16. OWASP Top 10 • The Ten Most Critical Web Application Security Vulnerabilities • 2007 Release • A great start, but not a standard

  17. Key Application Security Vulnerabilities www.owasp.org/index.php?title=Top_10_2007

  18. Tools • http://www.owasp.org/index.php/Phoenix/Tools • Best known OWASP Tools • WebGoat • WebScarab • Remember: • A Fool with a Tool is still a Fool

  19. Tools – At Best 45% • MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE) • They found very little overlap between tools, so to get to 45% you need all of them (assuming their claims are true)

  20. The Guide • Complements OWASP Top 10 • 310p Book • Free and open source • Gnu Free Doc License • Many contributors • Apps and web services • Most platforms • Examples are J2EE, ASP.NET, and PHP • Comprehensive • Project Leader and Editor • Andrew van der Stock, vanderaj@owasp.org

  21. Uses of the Guide • Developers • Use for guidance on implementing security mechanisms and avoiding vulnerabilities • Project Managers • Use for identifying activities (threat modeling, code review, penetration testing) that need to occur • Security Teams • Use for structuring evaluations, learning about application security, remediation approaches

  22. Each Topic • Includes Basic Information (like OWASP T10) • How to Determine If You Are Vulnerable • How to Protect Yourself • Adds • Objectives • Environments Affected • Relevant COBIT Topics • Theory • Best Practices • Misconceptions • Code Snippets

  23. OWASP WebGoat

  24. OWASP WebScarab

  25. WebScarab NG

  26. Testing Guide v2: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors

  27. Testing Model • 8 test sub-categories (for a total amount of 48 controls): • Information Gathering • Business logic testing • Authentication Testing • Session Management Testing • Data Validation Testing • Denial of Service Testing • Web Services Testing • AJAX Testing

  28. How the Guide helps the security industry • Pen-testers: a structured approach to the testing activities; a checklist to be followed; a learning and training tool • Organisations: a tool to understand web vulnerabilities and their impact; a way to check the quality of the penetration tests they buy • More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its clients. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures

  29. OWASP CLASP • Comprehensive, Lightweight Application Security Process • Prescriptive and Proactive • Centered around 7 AppSec Best Practices • Cover the entire software lifecycle (not just development) • Adaptable to any development process • CLASP defines roles across the SDLC • 24 role-based process components • Start small and dial-in to your needs

  30. The CLASP Best Practices • Institute awareness programs • Perform application assessments • Capture security requirements • Implement secure development practices • Build vulnerability remediation procedures • Define and monitor metrics • Publish operational security guidelines

  31. The OWASP Enterprise Security API • Existing Enterprise Security Services/Libraries

  32. Create Your ESAPI Implementation • Your Security Services • Wrap your existing libraries and services • Extend and customize your ESAPI implementation • Fill in gaps with the reference implementation • Your Coding Guideline • Tailor the ESAPI coding guidelines • Retrofit ESAPI patterns to existing code
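The wrap, extend and fill-the-gaps approach on this slide, as an added illustration that is not ESAPI's own code or API: a small Python facade in the ESAPI style. It reuses a legacy HTML-escaping helper for body text, adds the attribute and JavaScript encoders the legacy library lacks, and shows the retrofit of an unsafe template onto the facade. Every name here (Encoder, LegacyEncoder, MyEncoder, render_unsafe, render_safe) and the probe string are assumptions made for this example.

```python
import html
from abc import ABC, abstractmethod

# Added example in the ESAPI style; the names are assumptions, not ESAPI's API.


class Encoder(ABC):
    """The one security API application code is allowed to call for output
    encoding. Each method is named for the output context it protects."""

    @abstractmethod
    def encode_for_html(self, data: str) -> str: ...

    @abstractmethod
    def encode_for_html_attribute(self, data: str) -> str: ...

    @abstractmethod
    def encode_for_javascript(self, data: str) -> str: ...


class LegacyEncoder:
    """Stand-in for an existing in-house library: it escapes HTML body text
    but leaves quotes alone, so it is not safe inside an attribute."""

    def escape(self, data: str) -> str:
        return html.escape(data, quote=False)


def _js_escape(c: str) -> str:
    """\\uXXXX escape for one character in a JavaScript string literal;
    code points above the BMP become a surrogate pair."""
    cp = ord(c)
    if cp < 128 and c.isalnum():
        return c
    if cp > 0xFFFF:
        cp -= 0x10000
        return f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}"
    return f"\\u{cp:04x}"


class MyEncoder(Encoder):
    """Your ESAPI implementation: wrap what exists, add what is missing."""

    def __init__(self, legacy: LegacyEncoder) -> None:
        self._legacy = legacy

    def encode_for_html(self, data: str) -> str:
        # Wrap: the legacy routine is adequate for the HTML body context.
        return self._legacy.escape(data)

    def encode_for_html_attribute(self, data: str) -> str:
        # Fill the gap: everything except ASCII alphanumerics becomes a hex
        # entity, so no character can close the attribute or start a new one.
        return "".join(
            c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):x};" for c in data
        )

    def encode_for_javascript(self, data: str) -> str:
        # Fill the gap: the legacy library has nothing for script context.
        return "".join(_js_escape(c) for c in data)


# Retrofit, before: the old template concatenates user data straight into the
# page, so a display name containing markup is rendered as markup.
def render_unsafe(display_name: str) -> str:
    return f'<div title="{display_name}">Hello {display_name}</div>'


# Retrofit, after: every untrusted value goes through the encoder method for
# the exact context it lands in (attribute value vs. element body).
def render_safe(enc: Encoder, display_name: str) -> str:
    return (
        f'<div title="{enc.encode_for_html_attribute(display_name)}">'
        f"Hello {enc.encode_for_html(display_name)}</div>"
    )


if __name__ == "__main__":
    probe = '"><img src=x onerror=alert(1)>'  # constructed XSS probe, not real data
    enc = MyEncoder(LegacyEncoder())
    print(render_unsafe(probe))       # the <img> survives: exploitable
    print(render_safe(enc, probe))    # only entities survive: inert text
```

The design point is the one the slide makes: application code sees a single Encoder interface, the legacy library is reused where it is adequate, and the contexts it never covered are implemented once behind the same interface instead of being patched ad hoc at each call site.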

  33. OWASP CSRFTester

  34. OWASP CSRFGuard 2.0 (flow diagram: User (Browser) -> OWASP CSRFGuard -> Business Processing; CSRFGuard verifies the token on each incoming request and adds the token to the HTML it sends back) • Adds token to: href attribute; src attribute; hidden field in all forms • Actions when verification fails: Log; Invalidate; Redirect • http://www.owasp.org/index.php/CSRFGuard
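The token-injection and verification flow on this slide, as an added example that is not CSRFGuard's own code (CSRFGuard is a Java servlet filter): a small Python model of the synchronizer token pattern. It rewrites href, src and form markup to carry a per-session token, verifies that token on protected requests, and on a mismatch performs the slide's three actions in turn (log, invalidate the session, redirect). The parameter name OWASP_CSRFTOKEN, the protected-path set, the Request class and the sample page are assumptions made for this example.

```python
import hmac
import re
import secrets
from dataclasses import dataclass

# Added example modelling the CSRFGuard flow; the names below are assumptions,
# not CSRFGuard's configuration or API.
TOKEN_PARAM = "OWASP_CSRFTOKEN"
PROTECTED_PATHS = {"/transfer", "/account/delete"}
_ATTR_RE = re.compile(r'\b(href|src)=(["\'])([^"\']*)\2', re.IGNORECASE)
_FORM_RE = re.compile(r"(<form\b[^>]*>)", re.IGNORECASE)


def new_session_token() -> str:
    """One unguessable token per session, kept server-side in the session."""
    return secrets.token_hex(16)


def add_token_to_html(page: str, token: str) -> str:
    """Response side: put the token on every same-site link, resource and form."""

    def rewrite(m):
        attr, quote, url = m.groups()
        # Only relative (same-origin) URLs get the token. Appending it to a
        # link to another origin, or to javascript:/mailto:/data: URLs,
        # would hand the secret to a third party.
        if "://" in url or url.startswith(("//", "#", "javascript:", "mailto:", "data:")):
            return m.group(0)
        sep = "&" if "?" in url else "?"
        return f"{attr}={quote}{url}{sep}{TOKEN_PARAM}={token}{quote}"

    page = _ATTR_RE.sub(rewrite, page)
    hidden = f'<input type="hidden" name="{TOKEN_PARAM}" value="{token}"/>'
    return _FORM_RE.sub(lambda m: m.group(1) + hidden, page)


@dataclass
class Request:
    method: str
    path: str
    params: dict   # query/form parameters as parsed by the framework
    session: dict  # the server-side session; holds "csrf_token"


def verify_token(req: Request, audit_log: list) -> str:
    """Request side: returns "allow", or the redirect target after a failure."""
    if req.path not in PROTECTED_PATHS:
        return "allow"
    expected = req.session.get("csrf_token")
    supplied = req.params.get(TOKEN_PARAM)
    if expected and supplied and hmac.compare_digest(supplied, expected):
        return "allow"
    # Mismatch or missing token: the three actions from the slide, applied in turn.
    audit_log.append(f"CSRF token missing or invalid for {req.method} {req.path}")  # Log
    req.session.clear()                                                            # Invalidate
    return "redirect:/error.html"                                                  # Redirect


if __name__ == "__main__":
    session = {"csrf_token": new_session_token()}
    page = ('<a href="/transfer?to=bob">Pay Bob</a>'
            '<form action="/transfer" method="post"></form>'
            '<img src="https://cdn.example.org/logo.png">')  # constructed sample page
    print(add_token_to_html(page, session["csrf_token"]))
    legit = Request("POST", "/transfer", {"to": "bob", TOKEN_PARAM: session["csrf_token"]}, session)
    print(verify_token(legit, []))
    # A cross-site form post carries the victim's cookies but cannot read the token.
    forged = Request("POST", "/transfer", {"to": "mallory"}, session)
    print(verify_token(forged, []))
```

Two details matter in practice and are visible in the code: the token is only appended to same-origin URLs, because a token on an outbound link leaks it to whoever hosts that link, and the comparison uses a constant-time equality check so that the verifier itself does not become a timing oracle.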

  35. Bringing it together (diagram) • CSRFGuard • ESAPI • Testing Guide • WebScarab • The Guide • Code review (.NET / Java) • The Guide field test build plan • CLASP • Top 10 • Education • Metrics • Honeycomb

  36. Want More ? • OWASP .NET Project • OWASP ASDR Project • OWASP AntiSamy Project • OWASP AppSec FAQ Project • OWASP Application Security Assessment Standards Project • OWASP Application Security Metrics Project • OWASP Application Security Requirements Project • OWASP CAL9000 Project • OWASP CLASP Project • OWASP CSRFGuard Project • OWASP CSRFTester Project • OWASP Career Development Project • OWASP Certification Criteria Project • OWASP Certification Project • OWASP Code Review Project • OWASP Communications Project • OWASP DirBuster Project • OWASP Education Project • OWASP Encoding Project • OWASP Enterprise Security API • OWASP Flash Security Project • OWASP Guide Project • OWASP Honeycomb Project • OWASP Insecure Web App Project • OWASP Interceptor Project • OWASP JBroFuzz • OWASP Java Project • OWASP LAPSE Project • OWASP Legal Project • OWASP Live CD Project • OWASP Logging Project • OWASP Orizon Project • OWASP PHP Project • OWASP Pantera Web Assessment Studio Project • OWASP SASAP Project • OWASP SQLiX Project • OWASP SWAAT Project • OWASP Sprajax Project • OWASP Testing Project • OWASP Tools Project • OWASP Top Ten Project • OWASP Validation Project • OWASP WASS Project • OWASP WSFuzzer Project • OWASP Web Services Security Project • OWASP WebGoat Project • OWASP WebScarab Project • OWASP XML Security Gateway Evaluation Criteria Project • OWASP on the Move Project

  37. SoC2008 selection • OWASP Code review guide, V1.1 • The Ruby on Rails Security Guide v2 • OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool) • Internationalization Guidelines and OWASP-Spanish Project • OWASP Application Security Desk Reference (ASDR) • OWASP .NET Project Leader • OWASP Education Project • The OWASP Testing Guide v3 • OWASP Application Security Verification Standard • Online code signing and integrity verification service for open source community (OpenSign Server) • Securing WebGoat using ModSecurity • OWASP Book Cover & Sleeve Design • OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief • OWASP Access Control Rules Tester • OpenPGP Extensions for HTTP - Enigform and mod_openpgp • OWASP-WeBekci Project • OWASP Backend Security Project • OWASP Application Security Tool Benchmarking Environment and Site Generator refresh • Teachable Static Analysis Workbench • OWASP Positive Security Project • GTK+ GUI for w3af project • OWASP Interceptor Project - 2008 Update • Skavenger • SQL Injector Benchmarking Project (SQLiBENCH) • OWASP AppSensor - Detect and Respond to Attacks from Within the Application • OwaspOrizon Project • OWASP Corporate Application Security Rating Guide • OWASP AntiSamy .NET • Python Static Analysis • OWASP Classic ASP Security Project • OWASP Live CD 2008 Project

  38. OWASP Projects Are Alive! (timeline: 2001, 2003, 2005, 2007, 2009 …)

  39. Agenda • OWASP Introduction • OWASP Projects Parade • OWASP NearYou?

  40. Norway Chapter? • Meetings • Local Mailing List • Presentations & Groups • Open forum for discussion • Meet fellow InfoSec professionals • Create (Web)AppSec awareness • Local projects?

  41. Subscribe to Norway Chapter mailing list • Post your (Web)AppSec questions • Keep up to date! • Get monthly news letters • Contribute to discussions!

  42. OWASP EU08 • Belgium - Ghent – May 19-22, 2008 • Refereed papers track, vendor expo, CTF! • Two day tutorials – two day conference • Tutorials • Building and Testing Secure Web Applications • Leading the Development of Secure Applications • Building Secure Rich Internet Applications • Web Services and XML Security • Open Source ModSecurity Training

  43. That’s it… • Any Questions? http://www.owasp.org http://www.owasp.org/index.php/Norway seba@owasp.org Thank you!
