
The OWASP Foundation ABC About me MOSHIUL ISLAM, CISA A: Information System Auditor B: Currently working for a Bank – EBL, IT Security.



Presentation transcript:

1 The OWASP Foundation http://www.owasp.org About me: MOSHIUL ISLAM, CISA. A: Information System Auditor. B: Currently working for a bank, EBL, IT Security Department. C: Contributor to OWASP, chapter leader and chair of OWASP Bangladesh, and board member of the ISACA Dhaka chapter.

2 Awareness test

3 Only 2 compromised ATMs = -$2M. Friday 06-01-2012, DBS Bank Singapore: 400 customers became victims.

4 Hack makes ATM vomit cash. Barnaby Jack demonstrated various ATM attacks; the network attack was the significant one.

5 Zeus Strikes Mobile Banking. Real e-banking fraud incidents: ZeuS Man in the Mobile (MitMo), September 2010 (Spain) and February 2011 (Poland).

6 Internet Banking: an infected browser gives the attacker full control of the account. High-tech crimes are difficult to prove. How will you prove it if you become a victim of account forgery?

7 RSA Hacked, SecurID a Little Less Secure Now. Breach size: data related to SecurID tokens. Date: March 2011. Why significant? Targeted criminal hacking; an external threat goes inside the corporation. Source: http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/

8 Access to Hacked GOV, EDU and MIL Websites Sold on Underground Market. Source: http://blog.imperva.com/2011/01/major-websites-govmiledu-are-hacked-and-up-for-sale.html

9 Where are we? No information; we don't know much.

10 Our myth: "We have a firewall (which was never updated) and an IPS, and we are using a VPN too. We are secure."

11 Problem Illustrated
Application layer: the attacker sends attacks inside valid HTTP requests; your custom code is tricked into doing something it should not; security requires software development expertise, not signatures.
Network layer: firewall, hardening, patching, IDS and SSL cannot detect or stop attacks inside HTTP requests; security here relies on signature databases.
[Diagram: an application attack passes through Firewall, Hardened OS, Web Server, App Server and a second Firewall into Custom Code, and from there to Databases, Legacy Systems, Web Services, Directories, Human Resources and Billing. Business functions shown: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce. An Insider is drawn already behind the network layer.]

12 Why is Web Application Security important? Attacks shift towards the application layer.
[Chart: % of attacks: web applications 75%, network/server 25%. % of security spending (dollars): web applications 10%, network/server 90%.] 2/3 of all web applications are vulnerable. Sources: Gartner, Watchfire.

13 Application Security Is Just Getting Started. You can't improve what you can't measure. We need to experiment, share what works, and combine our efforts. Long way to go!

14 What should we do? We can mitigate information security risks by being aware, staying up to date, following policy and procedure, and adopting best practices. Most importantly, place the right person in the right place: InfoSec is about people, process and technology.

15 OWASP The Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

16 220 Chapters

17 Our Successes. OWASP tools and documentation: ~15,000 downloads per month, ~30,000 unique visitors per month, ~2 million website hits per month. OWASP chapters are blossoming worldwide: 1500+ OWASP members in active chapters worldwide, 20,000+ participants. OWASP AppSec conferences: Chicago, New York, London, Washington D.C., Brazil, China, Germany, more. Distributed content portal: 100+ authors for tools, projects, and chapters. OWASP and its materials are used, recommended and referenced by many government, standards and industry organizations.

18 ~140 Projects PROTECT - These are tools and documents that can be used to guard against security- related design and implementation flaws. DETECT - These are tools and documents that can be used to find security-related design and implementation flaws. LIFE CYCLE - These are tools and documents that can be used to add security- related activities into the Software Development Life Cycle (SDLC).

19 The OWASP Foundation http://www.owasp.org New projects - last 6 months Common Numbering Project HTTP Post Tool Forward Exploit Tool Project Java XML Templates Project ASIDE Project Secure Password Project Secure the Flag Competition Project Security Baseline Project ESAPI Objective – C Project Academy Portal Project Exams Project Portuguese Language Project Browser Security ACID Tests Project Web Browser Testing System Project Java Project Myth Breakers Project LAPSE Project Software Security Assurance Process Enhancing Security Options Framework German Language Project Mantra – Security Framework Java HTML Sanitizer Java Encoder Project WebScarab NG Project Threat Modelling Project Application Security Assessment Standards Project Hackademic Challenges Project Hatkit Proxy Project Hatkit Datafiddler Project ESAPI Swingset Interactive Project ESAPI Swingset Demo Project Web Application Security Accessibility Project Cloud ‐ 10 Project Web Testing Environment Project iGoat Project Opa Mobile Security Project – Mobile Threat Model Codes of Conduct

20 Conferences

21 Download Get OWASP Books

22 WebGoat: a classic vulnerable application to teach developers about security code flaws.

23 WebScarab, a proxy engine: a proxy tool to intercept HTTP requests and HTTP responses.
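The two slides above ("attacks inside valid HTTP requests" and "a proxy to intercept requests") are the same story seen from two sides. The following is an added example, not code from the presentation or from OWASP: a hypothetical bank login handler with an in-memory SQLite user table, a constructed GET request, and a `tamper()` helper that does by hand what an intercepting proxy such as WebScarab lets a tester do, rewriting one query parameter before the request is forwarded. The `is_well_formed_http()` check stands in for everything a network-layer device can see: both the honest and the tampered request are syntactically valid HTTP, yet only the custom code decides whether the payload becomes SQL. All names, the `/login` endpoint and the user records are assumptions made for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit


def make_db():
    """Constructed in-memory user table standing in for the bank's real store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "teller")],
    )
    return conn


def parse_request(raw):
    """Split a minimal HTTP/1.1 request into (method, path, {param: first value})."""
    request_line = raw.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ")
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return method, parts.path, params


def is_well_formed_http(raw):
    """All a network-layer device can judge: is this syntactically valid HTTP?"""
    try:
        method, path, _ = parse_request(raw)
    except ValueError:
        return False
    return method in ("GET", "POST") and path.startswith("/") and raw.endswith("\r\n\r\n")


def tamper(raw, name, value):
    """What an intercepting proxy lets a tester do: rewrite one query parameter
    of a captured request before forwarding it. The result is still valid HTTP."""
    request_line, rest = raw.split("\r\n", 1)
    method, target, version = request_line.split(" ")
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    params[name] = [value]
    new_target = parts.path + "?" + urlencode(params, doseq=True)
    return " ".join((method, new_target, version)) + "\r\n" + rest


def login_vulnerable(conn, params):
    """Custom code that concatenates request data into SQL. The request that
    reaches it is valid HTTP, yet the 'user' value rewrites the query."""
    sql = "SELECT role FROM users WHERE name = '%s' AND password = '%s'" % (
        params.get("user", ""), params.get("pw", ""))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, params):
    """Same logic with a parameterised query: the bytes are data, never SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (params.get("user", ""), params.get("pw", "")),
    ).fetchone()
    return row[0] if row else None


# Constructed request to a hypothetical /login endpoint (not from the slides).
HONEST = "GET /login?user=bob&pw=hunter2 HTTP/1.1\r\nHost: bank.example\r\n\r\n"
# The tester's proxy turns the honest request into one carrying a SQL comment
# that cuts the password check out of the concatenated query.
ATTACK = tamper(HONEST, "user", "alice' --")


def demo():
    """Return {label: (looks_valid_to_firewall, vulnerable_result, fixed_result)}."""
    conn = make_db()
    results = {}
    for label, raw in (("honest", HONEST), ("attack", ATTACK)):
        _, _, params = parse_request(raw)
        results[label] = (
            is_well_formed_http(raw),
            login_vulnerable(conn, params),
            login_fixed(conn, params),
        )
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)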

24 Software Assurance Maturity Model

25 Process perspective: build security into the SDLC

26 Users and Adopters. Payment Card Industry (PCI): PCI DSS Requirement 6.5 references the OWASP Guide (OWASP Top 10); PA-DSS Requirement 5.2 references the OWASP Guide (OWASP Top 10); security code review for all custom code. OWASP Supporters.

27 Educational Supporters

28 Call for action: join the OWASP Bangladesh chapter mailing list; join OWASP projects; translate material (documents, tool interfaces). Together we will achieve our mission!

29 The OWASP Foundation http://www.owasp.org Thank you & enjoy securITy

