480 likes | 724 Vues
Meet OWASP: resources you can use, today. Antonio Fontes antonio.fontes@owasp.org OWASP Geneva Chapter Leader Switzerland. About myself. Software / Web application security architect Independent (no ties with any integrator/vendor) OWASP Leader: Member of the Board, OWASP Switzerland
E N D
Meet OWASP: resources you can use, today. Antonio Fontesantonio.fontes@owasp.orgOWASP Geneva Chapter LeaderSwitzerland
About myself • Software / Web application security architect • Independent (no ties with any integrator/vendor) • OWASP Leader: • Member of the Board, OWASP Switzerland • Leader, OWASP Geneva Chapter • Core interests: • Software Assurance Maturity Model (SAMM) • Application Security Verification Standard (ASVS)
State of Information Security The problem?There are not enough qualifiedapplication security professionals What can we do about it? • Make application security visible • Provide Developers and Software Testers with materials and tools helping them to build more secure applications
What is OWASP? • Open Web Application Security Project https://www.owasp.org • Global community, driving and promoting safety and security of world’s software • Not-for-profit foundation registered in the United States and a non-profit association registered in European Union • Open: • Everyone is free to participate • All OWASP materials & tools are free
OWASP by Numbers • 12 years of community service • 88+ Government & Industry Citations • including DHS, ISO, IEEE, NIST, SANS Institute, PCI-DSS, CSA, etc • 36,000+ registered members to the mailing lists • 320,000+ unique visitors per month • 1,000,000+ page viewed per month • 15,000+ tools and documents downloaded each month
OWASP by the Numbers (cont) • Year 2013 Budget: USD$580,000 • 2081 individual members and honorary members • 70 countries • 60+ donating Corporate Members • 100+ supporting Academic Members • 198 Active Chapters • 168 Active Projects • 4 Global AppSec Conferences per Year
Started in 2008 • Promote application security through chapter meetings and collaboration with local developer communities • 2013: • Contact initiated with local developer groups (*UG) • 5 meetings planned • Board made of 3 industry representatives: consulting, banking/finance and public administration sectors: Antonio Fontesantonio.fontes@owasp.org Thomas Hoferthomas.hofer@owasp.org Simon Blanchetsimon.blanchet@owasp.org
OWASP Projects & Tools • Make application security visible • Videos, podcasts, books, guidelines, cheat sheets, tools, … • Available under a free and open software license • Used, recommended and referenced by many government, standards and industry organisations • Open for everyone to participate 9
OWASP Projects & Tools - Classification • 168+ Active Projects • PROTECT • guard against security-related design and implementation flaws. • DETECT • find security-related design and implementation flaws. • LIFE CYCLE • add security-related activities into software processes (eg. SDLC, agile, etc) 10
OWASP Projects & Tools – An Overview • DETECT • OWASP Top 10 • OWASP Code Review Guide • OWASP Testing Guide • OWASP Cheat Sheet Series • PROTECT • OWASP ESAPI • OWASP ModSecurity CRS • OWASP AppSec Tutorials • OWASP ASVS • OWASP LiveCD / WTE • OWASP ZAP Proxy • LIFE CYCLE • WebGoat J2EE • WebGoat .NET Full list of projects (release, beta, alpha) http://www.owasp.org/index.php/Category:OWASP_Project 11
10 Most critical web application security risks • The most visible OWASP project • Classifies some of the most critical risks • Essential reading for anyone developing web applications • Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, FTC, and many more
OWASP Top 10 Risk Rating Methodology 1 2 3 Injection Example 1.66 weighted risk rating
Code Review Guide • Code review is probably the most effective technique for identifying security flaws • Focuses on the mechanics of reviewing code for certain vulnerabilities • A key enabler for the OWASP fight against software insecurity • Update is in progress
Code Review Guide (cont) • Focuses on .NET and Java, but has some C/C++ and PHP • Integration of secure code review into software development processes • Understand what you are reviewing • Security code review is not a silver bullet, but a key component of an IS program
Testing Guide • Create a "best practices" web application penetration testing framework • A low-level web application penetration testing guide • Recommended for developers and software testers • Update in progress https://www.owasp.org/index.php/OWASP_Testing_Project
Cheat Sheet Series • Provide a concise collection of high value information on specific web application security topics https://www.owasp.org/index.php/Cheat_Sheets Developer Cheat Sheets (Builder) Authentication Clickjacking Defense Cryptographic Storage HTML5 Security Input Validation Query Parameterization Session Management SQL Injection Prevention … Assessment Cheat Sheets (Breaker) Attack Surface Analysis XSS Filter Evasion … Mobile Cheat Sheets IOS Developer Mobile Jailbreaking …
Cheat Sheet Series (cont) • The most visible OWASP project • Classifies some of the most critical risks • Essential reading for anyone developing web applications • Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more
AppSec Tutorial Series https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series • Application security video based training • Four episodes are available
ASVS: Application Security Verification Standard • Provides a basis for testing application technical security controls • Use as a metric – assess the degree of trust on existing security controls • Use as guidance – for what to build as part of planned security controls • Use during procurement
ASVS: Verification Requirements V1. Authentication V2. Session Management V3. Access Control V4. Input Validation V5. Cryptography (at Rest) V6. Error Handling and Logging V7. Data Protection V8. Communication Security V9. HTTP Security V10. Malicious Controls V11. Business Logic V12. Files and Resources V13. Mobile
SAMM: Software Assurance Maturity Model • A framework to integrate security into software development and procurement/acquisition processes. • A maturity model to qualify a software security initiative under a repeatable process, in time or across several uits.
LiveCD / WTE • Make application security tools and documentation easily available • Collects some of the best open source security projects in a single environment • Boot from this Live CD and have access to a full security testing suite http://appseclive.org/
Mailing list 101 • A list for introductoryquestions on application security Open access: https://lists.owasp.org/mailman/listinfo/security101
Zed Attack Proxy • One of the flagship OWASP projects • Easy to use integrated penetration testing tool for assessing web applications • Ideal for developers and functional testers who are new to penetration testing • Completely free and open source • Cross platform, internationalised
ZAP Proxy: Features • Upcoming: • New Spider with Ajax functionality • Session scope awareness • Web socket support • Scanning modes • (Safe/Protected/Standard) • Scripting console • Intercepting Proxy • Automated scanner • Passive scanner • Brute Force scanner • Spider • Fuzzer • Port scanner • Dynamic SSL certificates • API • Beanshell integration
ESAPI: Enterprise Security API • Free, open source, web application security controls library • Provide developers with libraries for writing lower-risk applications • Allow retrofitting security into existing applications • Serve as a solid foundation for new development • Support for Java, PHP and Force.com – there could be more languages supported
ESAPI: functions and services Existing Enterprise Security Services/Libraries
ESAPI: Validation and Encoding Controller Business Functions Data Layer Validator Encoder User Backend encodeForJavaScript isValidCreditCard encodeForVBScript isValidDataFromBrowser encodeForURL isValidDirectoryPath encodeForHTML isValidFileContent encodeForHTMLAttribute isValidFileName encodeForLDAP isValidHTTPRequest encodeForDN isValidListItem encodeForSQL isValidRedirectLocation Canonicalization encodeForXML isValidSafeHTML Double Encoding Protection encodeForXMLAttribute isValidPrintable Sanitization encodeForXPath safeReadLine Normalization
ModSecurity CRS: Core Rule Set • Free certified rule set for ModSecurity WAF • Generic web applications protection: • Common Web Attacks Protection • HTTP Protection • Real-time Blacklist Lookups • HTTP Denial of Service Protection • Automation Detection • Integration with AV Scanning for File Uploads • Tracking Sensitive Data • Identification of Application Defects • Error Detection and Hiding https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
WebGoat • Deliberately insecure web application to teach web application security lessons • Over 30 lessons, providing hands-on learning about • Cross-Site Scripting (XSS) • Access Control • Blind/Numeric/String SQL Injection • Web Services • … and many more https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
WebGoat: .NET • A purposefully broken ASP.NET web application • Contains many common vulnerabilities • Intended for use in classroom environments https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET
DEMO • OWASP ZAP Proxy • OWASP WebGoat Java Project
Q&Aif you need inspiration:Where/How do we start using OWASP?How can we help OWASP in return?Can you tell us more about project ______ ?