Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation OWASP Education Computer based training Security for Managers and Executives Nishi Kumar IT Architect Specialist,

Published byIra Clinton Harvey Modified over 8 years ago

Similar presentations

Presentation on theme: "The OWASP Foundation OWASP Education Computer based training Security for Managers and Executives Nishi Kumar IT Architect Specialist,"— Presentation transcript:

1 The OWASP Foundation http://www.owasp.org OWASP Education Computer based training Security for Managers and Executives Nishi Kumar IT Architect Specialist, FIS Chair, Software Security Forum at FIS OWASP CBT Project Lead OWASP Global Industry Committee Nishi.Kumar@owasp.org Nishi.Kumar@owasp.org Contributor and Reviewer Keith Turpin

2 2 Objectives Bring application security awareness Things we can do that will help build secure applications Processes we can have for achieving this goal How OWASP can help? How can you contribute?

3 3 How would you feel if your confidential data is stolen? Angry! Frustrated!

4 4 Identity Theft Phishing

5 5 Facebook Phishing Attack Lures people to a fake Facebook page and prompts them to log in. Unsuspecting Facebook users get a message from a friend urging them to "check this out" and including a link to a Web page that appears to be a Facebook log-in page.

6 6

7 customer data, 77 Million compromised. (potentially CCs as well) 7

8 8 Why Should We Care? Let’s just think this through… How likely is a successful web application attack? Stunningly prevalent Easy to exploit without special tools or knowledge Little chance of being detected Hundreds of thousands of developers, tiny fraction with security Consequences? Corruption or disclosure of database contents Root access to web and application servers Loss of authentication and access control for users Defacement Secondary attacks from your application

9 9 Cost of Non-Compliance In the event of the a breach the acquirer CAN make the merchant responsible for: Any fines from PCI-Co Up to $500,000 per incident Cost to notify victims Cost to replace cards (about $10/card) Cost for any fraudulent transactions Forensics from a QDSC Level 1 certification from a QDSC The QDSC (Qualified Data Security Company certification) by Visa © authorizes a company to perform level-one onsite assessments for merchants and service providers requiring a "Report on Compliance" (ROC).

10 10 Cost of Non-Compliance (Cont) Example: 50,000 credit cards stolen PCI Penalty - $100,000 per incident $500,000 if you do not have a self-assessment Card Replacement - $500,000 (50,000 x $10 dollars per card) Fraudulent Transaction – $61,750,000 ($1,235 x 50,000) $1,235 - 2004 average fraudulent transaction Bad Publicity – Priceless!

11 11 Why Web Application Security important? Attacks Shift Towards Application Layer Network Server Web Applications % of Attacks% of Dollars 90% Sources: Gartner, Watchfire SecuritySpending of All Web Applications Are Vulnerable 2/3 75% 25% 10%

12 12 Problem Illustrated Application Layer  Attacker sends attacks inside valid HTTP requests  Your custom code is tricked into doing something it should not  Security requires software development expertise, not signatures Network Layer  Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests.  Security relies on signature databases Firewall Hardened OS Web Server App Server Firewall Databases Legacy Systems Web Services Directories Human Resrcs Billing Custom Code APPLICATION ATTACK Network Layer Application Layer Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Insider

13 13 AppSec Visibility Cycle Audit Developers Infosec Legal Architects Users Research Business Monitor Threat Create Security Architecture Define Security Requirements Implement Controls Share Findings Understand Laws Verify Compliance Understand Stakeholders Our Mission: Visibility

14 14 OWASP Foundation (OWASP Board) Projects Membership Education Conferences Industry Chapters Connections OWASP Leaders (Chapters and Project) OWASP Meritocracy OWASP Members OWASP Users and Participants

15 15 What are the Top 10 Vulnerabilities? OWASP Top 10

16 16 Common Security Issues: The OWASP Top 10 2010 The Ten Most Critical Risk Aimed to educate developers, architects and security practitioners about the consequences of the most common web application security risk Living document: 20010 Top10 different from 2007 T10

17 17 Users and Adopters Payment Card Industry (PCI) PCI DSS - Requirements 6.5 OWASP Guide (OWASP Top 10) PA-DSS - Requirements 5.2 is OWASP Guide (OWASP Top 10) Security code review for all the custom code. OWASP Supporters

18 18 Educational Supporters

19 19 Common Security Issues: The OWASP Top 10 2010

20 20 OWASP ESAPI (Enterprise Security API) Custom Enterprise Web Application OWASP Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Exception Handling Logger IntrusionDetector SecurityConfiguration Your Existing Enterprise Services or Libraries ESAPI Homepage: http://www.owasp.org/index.php/ESAPIhttp://www.owasp.org/index.php/ESAPI

21 21 OWASP ESAPI 2.0 & OWASP Top 10 for 2010 mapping A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards Encoder Encoder, Validator Authenticator, User, HTTPUtilities AccessReferenceMap, AccessController User (CSRF Token) Security Configuration Encryptor AccessController HTTPUtilities AccessController

22 22 OWASP Documentation on Web Application Security Developer Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR) ASVS Application Security Desk Reference (ASDR) Basic reference material on application security terminology Developer Guide Comprehensive guide for Web applications and Web services security Secure Coding Practices Quick Reference Guide for secure coding practices Code Review Guide Comprehensive secure code review guide on the web Testing Guide Web Application penetration testing ASVS Application Security Verification Standard Secure Coding Practices

23 23 OWASP Tools and Technology Vulnerability Scanners Static Analysis Tools Fuzzing Automated Security Verification Penetration Testing Tools Code Review Tools Manual Security Verification ESAPI Security Architecture AppSec Libraries ESAPI Reference Implementation Guards and Filters Secure Coding Reporting Tools AppSec Management CBT(Computer based training) Flawed Apps Learning Environments Live CD AppSec Education

24 24 Web Testing Environment (Live CD) Project that collects some of the best open source security projects in a single environment Users can boot from Live CD and immediately start using all tools without any configuration http://www.owasp.org/index.php/LiveCD

25 25 Web Testing Environment (Live CD) Burpsuite 1.3.03 Cal9000 2.0 Ende 1.0rc3 Fierce 1.0.3 Firefox 3.6 Grendel-scan 1.0 Httprint 301 Jbrofuzz 2.4 Maltego 3.0 Metasploit 3.5.1 Netcat 0.7.1 Nikto 2.1.2 Nmap 5.00 Paros 3.2.13 Ratproxy 1.58 Spikeproxy 1.4.8 Sqlbrute 1.0 Sqlmap 0.8 Tcpdump 4.0.0 w3af-svn 4041 wapiti 2.2.1-1 Webgoat 5.3-RC1 Webscarab 20090122 Webslayer- svn r4 Wireshark 1.2.7 Wsfuzzer 1.9.4 Zap 1.2.0

26 26 Secure Coding Practices The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. It is designed to serve as a secure coding kick-start tool and easy reference, to help development teams quickly understand secure coding practices.

27 OWASP Education project: https://www.owasp.org/index.php/Category:OWASP_Ed ucation_Project https://www.owasp.org/index.php/Category:OWASP_Ed ucation_Project OWASP Project and resources you can use: https://www.owasp.org/index.php/London/Training/OWA SP_projects_and_resources_you_can_use_TODAY https://www.owasp.org/index.php/London/Training/OWA SP_projects_and_resources_you_can_use_TODAY 27 Training and Education

28 OWASP CBT Project: https://www.owasp.org/index.php/Category: OWASP_CBT_Project https://www.owasp.org/index.php/Category: OWASP_CBT_Project 28 Training and Education(cont)

29 29 Web Goat A classic vulnerable application to teach developers security code flaws

30 30 WebScarab – A Proxy Engine A Proxy tool to intercept Http Request and Http Response

31 31 Software Assurance Maturity Model (SAMM) Alignment & Governance Requirements & Design Verification & Assessment Deployment & Operations The four Disciplines are high-level categories for activities Three security Functions under each Discipline are the specific silos for improvement within an organization Disciplines Functions

32 32 Software Assurance Maturity Model (SAMM) Check out this one...

33 33 SAMM Conducting assessments SAMM includes assessment worksheets for each Security Practice

34 34 SAMM Creating Scorecards Gap analysis Capturing scores from detailed assessments versus expected performance levels Demonstrating improvement Capturing scores from before and after an iteration of assurance program build-out Ongoing measurement Capturing scores over consistent time frames for an assurance program that is already in place

35 35 Process perspective: Build Security in the SDLC

36 How do I participate? 36 $5000 USD for a 12 month term Organization Supporters Cost: https://www.owasp.org/index.php/Membership

37 Organization Supporter 37 OWASP provides documentation, tools, methodologies, standards, articles, and message forums freely to a worldwide audience in order to improve application security These materials help organizations acquire, build, test, and operate secure software Organizational supporters play a crucial role in supporting the creation, growth, and improvement of OWASP materials Because we are an open, non-commercial entity, we can take on projects that commercial entities can't Why Should I Become An OWASP Organization Supporter?

38 Organization Supporter 38 Post a rotating banner ad on the front page for 30 days at no additional cost Posting your organization's logo on the OWASP website Be listed as a sponsor in the newsletter that goes to over 10,000 individuals around the world Have a collective voice via the Global Industry Committee Have 1 member vote in elections and on issues that shape the direction of the community U.S. Organization support of OWASP is 100% tax deductible Benefits for Organization Supporters:

39 Where does the funds go? 39 OWASP is a U.S. 501c3 not-for-profit foundation. All funds go directly to support OWASP projects, grants, chapters, and infrastructure. Funding:

40 Become Organization Supporter

41 41

Download ppt "The OWASP Foundation OWASP Education Computer based training Security for Managers and Executives Nishi Kumar IT Architect Specialist,"

Similar presentations

OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
OWASP Secure Coding Practices Quick Reference Guide

OWASP Secure Coding Practices Quick Reference Guide
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
The OWASP Foundation OpenSAMM Software Assurance Maturity Model Seba Deleersnyder OWASP Foundation Board Member OWASP.

The OWASP Foundation OpenSAMM Software Assurance Maturity Model Seba Deleersnyder OWASP Foundation Board Member OWASP.
OpenSAMM Software Assurance Maturity Model Seba Deleersnyder SAMM project co-leaders Pravir Chandra AppSec USA 2014 Project.

OpenSAMM Software Assurance Maturity Model Seba Deleersnyder SAMM project co-leaders Pravir Chandra AppSec USA 2014 Project.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The OWASP Foundation ABC About me MOSHIUL ISLAM, CISA A: Information System Auditor B: Currently working for a Bank – EBL, IT Security.

The OWASP Foundation ABC About me MOSHIUL ISLAM, CISA A: Information System Auditor B: Currently working for a Bank – EBL, IT Security.
Security for Managers and Executives

Security for Managers and Executives
Solving Real-World Problems with an Enterprise Security API (ESAPI) Chris Schmidt ESAPI Project Manager ESAPI4JS Project Owner Application Security Engineer.

Solving Real-World Problems with an Enterprise Security API (ESAPI) Chris Schmidt ESAPI Project Manager ESAPI4JS Project Owner Application Security Engineer.
What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.

What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.
The OWASP Foundation Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder OWASP Foundation Board.

The OWASP Foundation Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder OWASP Foundation Board.
Copyright © 2010 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux 2010

Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux 2010
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
10 Steps To Agile Development Without Compromising Enterprise Security

10 Steps To Agile Development Without Compromising Enterprise Security
OWASP - Where we are… where we are going

OWASP - Where we are… where we are going
Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.

Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
“The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”|

“The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”|
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead

Similar presentations

Ads by Google