Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

Similar presentations

Presentation on theme: "The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under."— Presentation transcript:

1 The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP Atlanta March 2014 Chapter Meeting Getting More Out of OWASP Leveraging Today’s Nest of Projects Tony “UV” UcedaVelez VerSprite, Inc. OWASP Atlanta Chapter Leader @t0nyuv

2 2 Reasons for Talk After 11 years, many people still don’t know about OWASP Problems in InfoSec are bountiful Opportunities for solving problems are catalyzed by OWASP Those that ‘DO’ will be best served by OWASP projects Get involved to further OWASP mission & projects Consultant viewpoint from close to 20 years in the trenches

3 3 ‘Get’ Topics to Cover Get Familiar Get more from OWASP Get involved

4 OWASP is a Belief  Community driven  Software security shouldn’t be reserved to those who can afford it.  Intra-personal exchanges and interactions reveal true opportunities for collaboration  Cultural, industry, country related challenges exposed and addressed.  Massively supportive and responsive. 4

5 More basic on OWASP  A non-profit (501c), global org – Please Donate! or become a Member.  Consortium of tools and deliverables aimed at application security.  OPENness is heart of the org – from its content, dialogue, to administration.  OWASP content can be leveraged in ANY org 5

6 Core Values (from site)  OPEN – radical transparency; from finances to our code.  INNOVATION - encourages innovation for solutions to software security challenges.  GLOBAL – truly a global community.  INTEGRITY - truthful, vendor neutral, global community. 6

7 7

8 8

9 9 …now to the projects…

10 OWASP Project Runway 10

11 11 Untangling the OWASP Projects knot

12 Governance, Maturity Modeling & Metrics 12

13 13 OWASP Open SAMM  The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.  Benefits  Evaluate your organization's existing software security practices  Build a balanced software security program in well- defined iterations.  Demonstrating concrete improvements

14 14

15 15 Wide Scope Covered by OpenSAMM  Supports a Security Plan or Roadmap  Establish governance  Perform against assessments  Test and Report  Enhance Security Operations  Building a S-SDLC Initiative  Measures success/ shortcomings  Provides metrics for reporting

16 16

17 17 is a valuable resource for any company involved with online payment card transactions. Dell uses OWASP’s Software Assurance Maturity Model (OpenSAMM) to help focus our resources and determine which components of our secure application development program to prioritize. Participation in OWASP’s local chapter meetings and conferences around the globe helps us build stronger networks with our colleagues., (Michael J. Craigue, Information Security & Compliance, Dell, Inc.)

18 SAMM ScoreCard

19 Operationalizing Security Case Study & Prescriptive Advice on Implementing OWASP Projects 19

20 20 Challenges in SecOps  Security Operations are becoming zombified  Over-reliance on vendors (tools and services)  Ask most security operations people – are you getting better – they really don’t know  Measuring and Trending is key  Part of challenge in measuring is having the right tools; other part is knowing what consistent values to check for

21 21 Prescriptive Advice in SecOps  Define metrics operational metrics around security  Contemplating Bug Bounties  Measuring security by events  Validated alerts (blocked)  False Positive Analysis (for Tuning purposes)  Mitigate new layers of attacks  Doing more with less

22 22 Case Study: U.S. Financial Company  Company name will not be disclosed (We need a name for this company) UFS (Unidentified Financial Services)

23 23 USF: Company Overview  Relative size  Among the largest 25 banks in the U.S.  Branches in many states in the U.S.  General information  Company Type: Subsidiary of larger firm  Industry: Finance and Banking  Revenue: 2+ Billion USD  Employees: 13,000+  Parent Company: ~$14 Billion in revenue, ~110,000 employees and ~$650 Billion in assets

24 24 USF: IT Security  The USF Security group  8 IT Security Analysts (full-time employees)  Mission and Goals  Compliance efforts  PCI DSS & SOx (Sarbanes-Oxley Act)  Compliance is a starting point for them. They aim for secure and get compliance along the way.  Assessment / security reviews of online assets  Online assets include multiple web applications  Traditional network based security services  Anti-Phishing efforts

25 25 USF: Before OWASP  Fiscal Year 2007  Web Application security reviews  Utilized only outside security firms  USF security group handled remediation tasks  Request for additional details on review findings represented additional costs  Average engagement cost: $8,000 per site Web App Security reviews for 2007 = 30 sites or $240,000 total cost

26 26 USF: With OWASP  Fiscal Year 2008  Web Application security reviews  Utilized only internal security analysts  Used the OWASP Testing Guide v2 plus WebScarab as their standard for testing web applications  Printed guide copies for all 8 analysts for $200  USF security group handles remediation tasks  Average engagement cost: $0 per site  Assumes salaries are a fixed cost  No new staff added for this effort  Assessed 48 sites in 2008

27 27 USF: With OWASP Web App Security review costs: 2007 $240,000 (30 sites x $8,000/site) 2008 $200 for 48 sites (printing costs) If 2008 didn't have OWASP: $384,000 (48 sites x $8,000/site) OWASP Savings = $383,800 in year 1

28 28 USF: The Pros with OWASP  Cost reduction will continue past year 1  Accomplished more reviews at a lower cost  Time to assess should trend down  Reports are standardized now  Different vendor = different reporting in prior years  Standard reporting = better trend analysis  Increased Efficiency in remediation  Analysts better understand the reported findings  Analysts can better address audit questions  Annual audits from Govn't & parent company  Federal auditors praised the “well developed internal review process”

29 29 USF: The Cons with OWASP  Starting up the program was initially slow  Mid-year efficiency gains allowed them to surpass the 2007 review number in 2008  Requires strong management support  Must accept the potential for a slow year 1  At least one analyst must be familiar with application security to lead the effort  Additional training is still needed for some USF analysts  Level out the skills of the analysts  One time cost of $15,000 to $25,000 for on-site, instructor based training

30 30 Some Personal Anecdotes  OWASP Projects used in my security career  OWASP WebGoat  How I first learned about application security  OWASP WebScarab  Used during many penetration test  OWASP Live CD  My current preferred App Sec testing environment  OWASP Testing Guide  Used in creating reports during security reviews  OWASP Legal Project  Utilized language from the project to add security language to our procurement process documents

31 Security Assurance 31

32 32

33 33 Challenges in Security Assurance  Relatively new to most organizations  Non-existent in the SMB space  Most don’t know what they are assuring against  If they do know what they are assuring against, its not consistently validated over time

34 34 Prescriptive Advice  Simplify!!!  Create Roadmap  Standardize  Follow a Methodology  Define Key Metrics  Measure over time

35 Test & Verify 35

36 36 OWASP ASVS Provides Methodology for Security Assurance  The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications.  Covers automated and manual approaches for external testing and code review techniques  Recently created and already adopted by several companies and government agencies  Benefits  Standardizes the coverage and level of rigor used to perform app sec assessments  Allows for better comparisons

37 37 OWASP Testing Guide  Provides a “best practice” penetration framework and a “low level” penetration testing guide that describes techniques for testing web applications.  Version 3 is the latest and is a 349 page book  Tests split into 9 sub-categories with 66 controls to test  Benefits  Ready made testing framework  Great categories and identifiers for reporting  Excellent to augment skills of analysts

38 38 Threat Modeling & Security Architecture  OWASP ASDR  Provides internal taxonomy of terms for the enterprise  Great reference material for application security  OWASP’s ‘man page’ for appsec related terms  Perfect for building threat modeling content

39 S-SDLC - Build Security In Already! 39

40 40 OWASP Testing Guide S-SDLC/ Building Security-In

41 41 Challenges in Development & QA Groups  No time for security at the DEV stage  Security is an after thought  Perception: Security is blowing smoke up my @$$ (FUD)  Security architecture is non-existent  Groups don’t have time to learn about security  PMs don’t have time to wait for security requirements to be factored in  No executive sponsorship to forcing security requirements in apps.  Myopic developers are only seeing functional code design

42 42 Prescribed Solutions for Development & QA Process OWASP Code Review Methodology for source code reviews Book (2 nd best selling for OWASP) OWASP Development Guide Establishes a process for secure development efforts across various SDLCs OWASP Cheat Sheet Series See following slide OWASP Countermeasures OWASP CSRFGuard OWASP Anti-Samy OWASP Enterprise API (ESAPI) Reference OWASP WebGoat Deliberate broken Apache web server with courses on common web insecurities OWASP ASDR Great reference for developers and QA professionals OWASP Video Series Free video series geared towards Developers and Security Testers (QA) OWASP Podcast Series Multiple topics covered – not just for dev. Dev can pick and choose what is relevant for them. Great listen as you work resource. OWASP Top Ten Ranks top web app related risks Serves as a good scope for initial testing Tools OWASP Zed Attack Proxy Test against OWASP Top Ten Use in conformance to Testing Guide Exercise successful implementation of OWAPSP Countermeasures OWASP YASCA Leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan

43 43 List of Cheats Clickjacking Defense Cheat Sheet C-Based Toolchain Hardening Cheat Sheet Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet Cryptographic Storage Cheat Sheet DOM based XSS Prevention Cheat Sheet Forgot Password Cheat Sheet HTML5 Security Cheat Sheet Input Validation Cheat Sheet JAAS Cheat Sheet Logging Cheat Sheet.NET Security Cheat Sheet OWASP Top Ten Cheat Sheet Password Storage Cheat Sheet Pinning Cheat Sheet Query Parameterization Cheat Sheet Ruby on Rails Cheat sheet REST Security Cheat Sheet Session Management Cheat Sheet SQL Injection Prevention Cheat Sheet Transport Layer Protection Cheat Sheet Unvalidated Redirects and Forwards Cheat Sheet User Privacy Protection Cheat Sheet Web Service Security Cheat Sheet XSS (Cross Site Scripting) Prevention Cheat Sheet Attack Surface Analysis Cheat Sheet XSS Filter Evasion Cheat Sheet REST Assessment Cheat Sheet IOS Developer Cheat Sheet Mobile Jailbreaking Cheat Sheet OpSec Cheat Sheets (Defender) Virtual Patching Cheat Sheet

44 44 Cheat Snippets Insecure Direct object references It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys: unt=$100.00&toAccount=473846376 In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe. In this case, it would be possible to get a copy of all invoices. Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010.insecure direct object references Java Regex Usage Example Example validating the parameter “zip” using a regular expression. private static final Pattern zipPattern = Pattern.compile("^\d{5}(- \d{4})?$"); public void doPost( HttpServletRequest request, HttpServletResponse response) { try { String zipCode = request.getParameter( "zip" ); if ( !zipPattern.matcher( zipCode ).matches() { throw new YourValidationException( "Improper zipcode format." ); }.. do what you want here, after its been validated.. } catch(YourValidationException e ) { response.sendError( response.SC_BAD_REQUEST, e.getMessage() ); }

45 45

46 46 OWASP AntiSamy  OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant within the applications rules.  API plus implementations  Java,.Net, Coldfusion, PHP (HTMLPurifier)  Benefits  It helps you ensure that clients don't supply malicious code into your application  A safer way to allow for rich content from an application's users

47 47 OWASP CSRFGuard  OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated.  Java,.Net and PHP implementations  CSRF is considered the app sec sleeping giant  Benefits  Provides code to generate unique request tokens to mitigate CSRF risks

48 48 OWASP ESAPI  OWASP Enterprise Security API (ESAPI) is a free and open collection of all the security methods that a developer needs to build a secure web application.  API is fully documented and online  Implementations in multiple languages  Benefits  Provides a great reference  Implementation can be adapted/used directly  Provides a benchmark to measure frameworks

49 Security Testing: You Can Start Tomorrow 49

50 50 OWASP Top Ten  The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are.  Adopted by the Payment Card Industry (PCI)  Recommended as a best practice by many government and industry entities  Benefits  Powerful awareness document for web application security  Great starting point and reference for developers

51 51 The Zed Attack Proxy Released September 2010 Ease of use a priority Comprehensive help pages Free, Open source Cross platform A fork of the well regarded Paros Proxy Involvement actively encouraged Adopted by OWASP October 2010

52 ZAP Overview ZAP is: Easy to use (for a web app pentest tool;) Ideal for appsec newcomers Ideal for training courses Being used by Professional Pen Testers Easy to contribute to (and please do!) Improving rapidly 52

53 53 ZAP Principles Free, Open source Cross platform Easy to use Easy to install Internationalized Fully documented Involvement actively encouraged Reuse well regarded components

54 Where is ZAP being used? 54

55 55 The Main Features All the essentials for web application testing Intercepting Proxy Active and Passive Scanners Spider Report Generation Brute Force (using OWASP DirBuster code) Fuzzing (using OWASP JBroFuzz code)

56 56 The Additional Features Auto tagging Port scanner Smart card support Session comparison Invoke external apps BeanShell integration API + Headless mode Dynamic SSL Certificates Anti CSRF token handling

57 57 The Future Enhance scanners to detect more vulnerabilities Extend API, better integration Fuzzing analysis Easier to use, better help More localization (all offers gratefully received!) Parameter analysis? Technology detection?

58 ZAP Summary ZAP has: An active development community An international user base The potential to reach people new to OWASP and appsec, especially developers and functional testers ZAP is a key OWASP project Security Tool of the Year 2013 58

59 To Get More Out of OWASP, start here> 59

60 Any Questions? @owaspatl

Download ppt "The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under."

Similar presentations

Ads by Google