2 Who Am I?
13 April 2017
- 5 years developer experience
- 8 years information security experience
- Lead application security, Telindus, Belgacom ICT (Belgium)
- Belgian OWASP chapter founder
- OWASP board member
3 Agenda
- OWASP Introduction
- OWASP Project Parade
- OWASP Near You?
Notes: Get an idea of the audience: InfoSec consultants? Developers? Industry? Finance?
5 The Open Web Application Security Project (OWASP)
- International not-for-profit charitable Open Source organization
- Funded primarily by volunteers' time, OWASP memberships, and OWASP conference fees
- Participation in OWASP is free and open to all
6 OWASP Mission
To make application security "visible," so that people and organizations can make informed decisions about application security risks.
7 OWASP Resources and Community
- Documentation (Wiki and Books): Code Review, Testing, Building, Legal, more …
- Code Projects: Defensive, Offensive (test tools), Education, Process, more …
- Chapters: over 130 and growing
- Conferences: major and minor events all around the world
10 OWASP Conferences (2008-2009)
- Gold Coast (Australia): Feb 2008 + 2009
- Brussels: May 2008
- India: Aug 2008
- NYC: Sep 2008
- Israel: Sep 2008
- Minnesota: Oct 2008
- Taiwan: Oct 2008
- Germany: Nov 2008
- Portugal (OWASP Summit): Nov 2008
- Denver: Spring 2009
- Poland: May 2009
- San Jose?: Sep 2009
Notes:
- Australia – Justin Derry. Gold Coast – 2008 March 29-31, similar time next year
- Europe – Sebastien Deleersnyder. Brussels – May 19-22, 2008; Krakow, Poland – May 2009
- Israel – Ofer Shezaf
- Taiwan – Wayne Huang
- U.S. – NY – Tom Brennan – We are here! 2009 – probably San Jose – hopefully at eBay again
- India – Dhruv Soi, Puneet Mehta
- OWASP Summit – Portugal – Paulo Coimbra/Dinis Cruz – Nov 2008
11 Summit Portugal: 2009 Focus
- 80+ application security experts from 20+ countries
- New free tools and guidance (SoC08)
- New outreach program: technology vendors, framework providers, and standards bodies; a new program to provide free one-day seminars at universities and developer conferences worldwide
- New global committee structure: Education, Chapter, Conferences, Industry, Projects and Tools, Membership
12 Agenda
- OWASP Introduction
- OWASP Project Parade
- OWASP Near You?
13 OWASP Projects: Improve Quality and Support
- Define criteria for quality levels: Alpha, Beta, Release
- Encourage increased quality through Season of Code funding and support
- Produce professional OWASP books
- Provide support:
  - Full time executive director (Kate Hartmann)
  - Full time project manager (Paulo Coimbra)
  - Half time technical editor (Kirsten Sitnick)
  - Half time financial support (Alison Shrader)
  - Looking to add programmers (interns and professionals)
14 OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
- 2007 Release
- A great start, but not a standard
Notes:
The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities – a great start to your secure coding security program.
Security is not a one-time event. It is insufficient to secure your code just once. By 2008, this Top 10 will have changed, and without changing a line of your application's code, you may be vulnerable. Please review the advice in "Where to go from here" for more information.
A secure coding initiative must deal with all stages of a program's lifecycle. Secure web applications are only possible when a secure SDLC is used. Secure programs are secure by design, during development, and by default. There are at least 300 issues that affect the overall security of a web application. These 300+ issues are detailed in the OWASP Guide, which is essential reading for anyone developing web applications today.
This document is first and foremost an education piece, not a standard. Please do not adopt this document as a policy or standard without talking to us first! If you need a secure coding policy or standard, OWASP has secure coding policies and standards projects in progress.
15 Key Application Security Vulnerabilities
- A1: Cross Site Scripting (XSS)
- A2: Injection Flaws
- A3: Malicious File Execution
- A4: Insecure Direct Object Reference
- A5: Cross Site Request Forgery (CSRF)
- A6: Information Leakage and Improper Error Handling
- A7: Broken Authentication and Session Management
- A8: Insecure Cryptographic Storage
- A9: Insecure Communications
- A10: Failure to Restrict URL Access
Notes: Based on vulnerabilities in 2006. But it got worse.
16 The 'Big 4' Documentation Projects
- Building Guide
- Code Review Guide
- Testing Guide
- Application Security Desk Reference (ASDR)
Notes: The ASDR defines all the issues and provides basic guidance. Each of the guides then provides detailed information on how to deal with that issue from the perspective of that guide.
17 The Guide
- Complements the OWASP Top 10
- 310-page book
- Free and open source (GNU Free Documentation License)
- Many contributors
- Apps and web services
- Most platforms; examples are J2EE, ASP.NET, and PHP
- Comprehensive
- Project Leader and Editor: Andrew van der Stock
18 Uses of the Guide
- Developers: use for guidance on implementing security mechanisms and avoiding vulnerabilities
- Project Managers: use for identifying activities (threat modeling, code review, penetration testing) that need to occur
- Security Teams: use for structuring evaluations, learning about application security, remediation approaches
19 Each Topic Includes
- Basic information (like OWASP T10): How to Determine If You Are Vulnerable; How to Protect Yourself
- Adds: Objectives, Environments Affected, Relevant COBIT Topics, Theory, Best Practices, Misconceptions, Code Snippets
20 Testing Guide v2: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
21 What Is the OWASP Testing Guide?
- Testing Principles
- Testing Process
- Custom Web Applications
- Black Box Testing
- Grey Box Testing
- Risk and Reporting
- Appendix: Testing Tools
- Appendix: Fuzz Vectors
Testing categories: Information Gathering, Business Logic Testing, Authentication Testing, Session Management Testing, Data Validation Testing, Denial of Service Testing, Web Services Testing, Ajax Testing
Notes: The Guide contents: a series of articles on the most common web application security problems, and some process information, but not much… The world desperately needs a body of knowledge on application security. One important piece of this body of knowledge is about application security testing.
22 SoC08: Version 3
- Improves version 2: 9 articles improved
- Total of 10 testing categories and 66 controls
- New sections and controls: Configuration Management, Authorization Testing
- 36 new articles
- New Encoded Injection appendix
23 How the Guide Helps the Security Industry
- Testers: a structured approach to the testing activities; a checklist to be followed; a learning and training tool
- Organisations: a tool to understand web vulnerabilities and their impact; a way to check the quality of security tests
More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the testing groups and their 'customers'. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security of our applications.
24 Tools
http://www.owasp.org/index.php/Phoenix/Tools
- Best known OWASP tools: WebGoat, WebScarab
- Remember: a fool with a tool is still a fool
25 Tools – At Best 45%
- MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE)
- They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
26 OWASP WebGoat
WebGoat is a deliberately insecure J2EE web application maintained by OWASP, designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
27 OWASP WebScarab
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
28 OWASP CSRFTester
Just when developers are starting to run in circles over Cross Site Scripting, the 'sleeping giant' awakes for yet another web catastrophe. Cross-Site Request Forgery (CSRF) is an attack whereby the victim is tricked into loading information from or submitting information to a web application for which they are currently authenticated. The problem is that the web application has no means of verifying the integrity of the request. The OWASP CSRFTester Project attempts to give developers the ability to test their applications for CSRF flaws.
29 OWASP CSRFGuard 2.0
The OWASP CSRFGuard Project attempts to address this issue through the use of unique request tokens.
Request flow: User (Browser) → OWASP CSRFGuard (Verify Token) → Business Processing; on the way back, CSRFGuard adds the token to the HTML.
- Adds token to: href attribute, src attribute, hidden field in all forms
- Actions: Log, Invalidate, Redirect
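The token flow in the diagram above, as an added example written here and not CSRFGuard's own code: a small Python synchronizer-token implementation (Session, inject_token and verify_request are assumed names) that rewrites outgoing HTML the way the slide lists and applies the three actions when a request arrives without a matching token.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session: the per-session token is the secret a forged cross-site request lacks."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    valid: bool = True


def inject_token(page: str, token: str) -> str:
    """Rewrite outgoing HTML as the slide describes: a hidden field in every form,
    and the token appended as a query parameter to every href and src attribute."""
    page = re.sub(r"(<form\b[^>]*>)",
                  lambda m: m.group(1) + f'<input type="hidden" name="csrftoken" value="{token}">',
                  page)

    def add_param(m: re.Match) -> str:
        attr, url = m.group(1), m.group(2)
        sep = "&" if "?" in url else "?"
        return f'{attr}="{url}{sep}csrftoken={token}"'

    return re.sub(r'\b(href|src)="([^"]*)"', add_param, page)


def verify_request(session: Session, params: dict, audit_log: list) -> str:
    """Token check for a state-changing request. Returns the action taken:
    "allow" on a matching token, otherwise Log + Invalidate + Redirect."""
    presented = params.get("csrftoken", "")
    if presented and hmac.compare_digest(presented, session.csrf_token):
        return "allow"
    audit_log.append(f"CSRF token missing or mismatched for user {session.user}")  # Log
    session.valid = False                                                            # Invalidate
    return "redirect:/csrf-error"                                                    # Redirect


if __name__ == "__main__":
    # Constructed sample page and requests, not captured traffic.
    sess = Session("alice")
    out = inject_token('<form action="/transfer"></form><a href="/acct?id=7">x</a>', sess.csrf_token)
    print(out)
    log: list = []
    print(verify_request(sess, {"csrftoken": sess.csrf_token}, log))  # allow
    print(verify_request(Session("bob"), {}, log))                     # no token: redirect
```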
30 The OWASP Enterprise Security API
Custom Enterprise Web Application → Enterprise Security API → Existing Enterprise Security Services/Libraries
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Notes:
The ESAPI is a free and open collection of all the security methods that a developer needs to build a secure web application. You can just use the interfaces and build your own implementation using your company's infrastructure. Or, you can use the reference implementation as a starting point. In concept, the API is language independent. However, the first deliverables from the project are a Java API and a Java reference implementation. Efforts to build ESAPI in .NET and PHP are already underway.
Unfortunately, the available platforms, frameworks, and toolkits (Java EE, Struts, Spring, etc.) simply do not provide enough protection. This leaves developers with responsibility for designing and building security mechanisms. This reinventing of the wheel for every application leads to wasted time and massive security holes.
The cost savings through reduced development time, and the increased security due to using heavily analyzed and carefully designed security methods, provide developers with a massive advantage over organizations that are trying to deal with security using existing ad hoc secure coding techniques. This API is designed to automatically take care of many aspects of application security, making these issues invisible to the developers.
31 Coverage: OWASP Top Ten vs OWASP ESAPI
- A1. Cross Site Scripting (XSS): Validator, Encoder
- A2. Injection Flaws: Encoder
- A3. Malicious File Execution: HTTPUtilities (upload)
- A4. Insecure Direct Object Reference: AccessReferenceMap
- A5. Cross Site Request Forgery (CSRF): User (csrftoken)
- A6. Leakage and Improper Error Handling: EnterpriseSecurityException, HTTPUtils
- A7. Broken Authentication and Sessions: Authenticator, User, HTTPUtils
- A8. Insecure Cryptographic Storage: Encryptor
- A9. Insecure Communications: HTTPUtilities (secure cookie, channel)
- A10. Failure to Restrict URL Access: AccessController
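An added example, written here and not ESAPI's own code, for the A4 and A1 rows above together with the ESAPI description on the previous slide: a Python reimplementation of the AccessReferenceMap idea (random per-session indirect references instead of raw database keys) combined with HTML output encoding; the class and function names are assumed, and ESAPI's Java API differs in detail.

```python
import html
import secrets


class AccessReferenceMap:
    """Per-session map between direct references (database keys, file names) and
    random indirect references that are the only thing the browser ever sees."""

    def __init__(self) -> None:
        self._indirect_of = {}   # direct -> indirect
        self._direct_of = {}     # indirect -> direct

    def add_direct_reference(self, direct):
        """Register an object the current user may access; returns its indirect reference."""
        if direct not in self._indirect_of:
            indirect = secrets.token_urlsafe(9)
            self._indirect_of[direct] = indirect
            self._direct_of[indirect] = direct
        return self._indirect_of[direct]

    def get_indirect_reference(self, direct):
        return self._indirect_of[direct]

    def get_direct_reference(self, indirect):
        """Anything not registered for this session is refused, so a key the user
        was never shown cannot be reached by guessing or incrementing an id."""
        try:
            return self._direct_of[indirect]
        except KeyError:
            raise PermissionError("access denied: unknown reference") from None


def render_account_list(arm: AccessReferenceMap, accounts) -> str:
    """Build the account links for one user: direct ids never leave the server (A4)
    and user-supplied display names are HTML-encoded before output (A1)."""
    items = []
    for acct_id, display_name in accounts:
        ref = arm.add_direct_reference(acct_id)
        items.append(f'<li><a href="/account?ref={ref}">{html.escape(display_name)}</a></li>')
    return "<ul>" + "".join(items) + "</ul>"


def resolve_account(arm: AccessReferenceMap, ref: str):
    """Map the reference from the request back to the real key, server-side."""
    return arm.get_direct_reference(ref)


if __name__ == "__main__":
    # Constructed sample data for one logged-in user's session.
    arm = AccessReferenceMap()
    page = render_account_list(arm, [(1001, "Savings"), (1002, '<script>alert(1)</script>')])
    print(page)
    print(resolve_account(arm, arm.get_indirect_reference(1001)))  # 1001
```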
32 Create Your ESAPI Implementation
- Your security services: wrap your existing libraries and services; extend and customize your ESAPI implementation; fill in gaps with the reference implementation
- Your coding guideline: tailor the ESAPI coding guidelines; retrofit ESAPI patterns to existing code
33 OWASP CLASP: Comprehensive, Lightweight Application Security Process
- Prescriptive and proactive
- Centered around 7 AppSec best practices
- Covers the entire software lifecycle (not just development)
- Adaptable to any development process
- CLASP defines roles across the SDLC
- 24 role-based process components
- Start small and dial in to your needs
34 The CLASP Best Practices
- Institute awareness programs
- Perform application assessments
- Capture security requirements
- Implement secure development practices
- Build vulnerability remediation procedures
- Define and monitor metrics
- Publish operational security guidelines
36 Want More? About 50 projects!
- OWASP .NET Project
- OWASP ASDR Project
- OWASP AntiSamy Project
- OWASP AppSec FAQ Project
- OWASP Application Security Assessment Standards Project
- OWASP Application Security Metrics Project
- OWASP Application Security Requirements Project
- OWASP CAL9000 Project
- OWASP CLASP Project
- OWASP CSRFGuard Project
- OWASP CSRFTester Project
- OWASP Career Development Project
- OWASP Certification Criteria Project
- OWASP Certification Project
- OWASP Code Review Project
- OWASP Communications Project
- OWASP DirBuster Project
- OWASP Education Project
- OWASP Encoding Project
- OWASP Enterprise Security API
- OWASP Flash Security Project
- OWASP Guide Project
- OWASP Honeycomb Project
- OWASP Insecure Web App Project
- OWASP Interceptor Project
- OWASP JBroFuzz
- OWASP Java Project
- OWASP LAPSE Project
- OWASP Legal Project
- OWASP Live CD Project
- OWASP Logging Project
- OWASP Orizon Project
- OWASP PHP Project
- OWASP Pantera Web Assessment Studio Project
- OWASP SASAP Project
- OWASP SQLiX Project
- OWASP SWAAT Project
- OWASP Sprajax Project
- OWASP Testing Project
- OWASP Tools Project
- OWASP Top Ten Project
- OWASP Validation Project
- OWASP WASS Project
- OWASP WSFuzzer Project
- OWASP Web Services Security Project
- OWASP WebGoat Project
- OWASP WebScarab Project
- OWASP XML Security Gateway Evaluation Criteria Project
- OWASP on the Move Project
37 SoC2008 Selection
- OWASP Code Review Guide, V1.1
- The Ruby on Rails Security Guide v2
- OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)
- Internationalization Guidelines and OWASP-Spanish Project
- OWASP Application Security Desk Reference (ASDR)
- OWASP .NET Project Leader
- OWASP Education Project
- The OWASP Testing Guide v3
- OWASP Application Security Verification Standard
- Online code signing and integrity verification service for open source community (OpenSign Server)
- Securing WebGoat using ModSecurity
- OWASP Book Cover & Sleeve Design
- OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief
- OWASP Access Control Rules Tester
- OpenPGP Extensions for HTTP - Enigform and mod_openpgp
- OWASP-WeBekci Project
- OWASP Backend Security Project
- OWASP Application Security Tool Benchmarking Environment and Site Generator refresh
- Teachable Static Analysis Workbench
- OWASP Positive Security Project
- GTK+ GUI for w3af project
- OWASP Interceptor Project Update
- Skavenger
- SQL Injector Benchmarking Project (SQLiBENCH)
- OWASP AppSensor - Detect and Respond to Attacks from Within the Application
- OWASP Orizon Project
- OWASP Corporate Application Security Rating Guide
- OWASP AntiSamy .NET
- Python Static Analysis
- OWASP Classic ASP Security Project
- OWASP Live CD 2008 Project
38 OWASP Projects Are Alive!
Timeline: 2001, 2003, 2005, 2007, 2009…
Notes: The Testing is alive… When they say "print is dead" they don't mean it's out of style – it's static, not living! Do you have a bookshelf of security books? When's the last time you opened them? They don't have answers to today's problems because they're dead. It's a process for translating security principles to the latest technologies and getting them to developers fast. It's an evolving, growing, living thing.
39 Agenda
- OWASP Introduction
- OWASP Project Parade
- OWASP Near You?
41 Upcoming Conferences
- February: OWASP Day III Italy, "Web Application Security: research meets industry", 23rd February, Bari (Italy)
- February: OWASP AppSec Australia Gold Coast Training & Conference, Gold Coast Convention Center, QLD, Australia
- March: OWASP Front Range Conference, March 5th, 2nd annual 1-day conference in Denver, Colorado
- May: OWASP AppSec Europe 2009, May 11th - 14th, conference and training, Qubus Hotel, Krakow, Poland; back to back with Confidence09
- June: OWASP AppSec Dublin, Ireland
- October: OWASP AppSec US, Washington, D.C.
42 German Chapter
- Meetings
- Local mailing list
- Presentations & groups
- Open forum for discussion
- Meet fellow InfoSec professionals
- Create (Web)AppSec awareness
- Local projects?
43 Subscribe to the German Chapter Mailing List
- Post your (Web)AppSec questions
- Keep up to date! Get OWASP newsletters
- Contribute to discussions!
44 That's it… Any Questions?
Thank you!
http://www.owasp.org