Finding and Fighting the Causes of Insecure Applications Jeff Williams OWASP Chair jeff.williams@owasp.org New York/New Jersey Chapter Meeting June 12, 2007

Public Health Warning XSS and CSRF have evolved Any website you visit could infect your browser An infected browser can do anything you can do An infected browser can scan, infect, spread 70-90% of web applications are ‘carriers’

Key Application Security Vulnerabilities A1: Cross Site Scripting (XSS) A2: Injection Flaws A3: Malicious File Execution A4: Insecure Direct Object Reference A5: Cross Site Request Forgery (CSRF) A6: Information Leakage and Improper Error Handling A7: Broken Authentication and Session Management A8: Insecure Cryptographic Storage A9: Insecure Communications A10: Failure to Restrict URL Access http://www.owasp.org/index.php?title=Top_10_2007

Tools – At Best 45% MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE) They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)

OWASP Knowledge and Tools Guide to Application Security Testing and Guide to Application Security Code Review Guidance and Tools for Measuring and Managing Application Security Verifying Application Security Managing Application Security Core Application Security Knowledge Base Guide to Building Secure Web Applications and Web Services Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues Application Security Tools Acquiring and Building Secure Applications Everything people need to understand and practice application security AppSec Education and CBT Research to Secure New Technologies Research Projects on Securing New Technologies (like Web Services & Ajax) Web Based Learning Environment and Education Project

OWASP Community Platform Verifying Application Security Managing Application Security Core Application Security Knowledge Base Acquiring and Building Secure Applications Application Security Tools Research to Secure New Technologies AppSec Education and CBT Projects (tools and documentation) Chapters AppSec Conferences Everything people need to understand and practice application security OWASP Community Platform (wiki, forums, mailing lists, leaders) OWASP Foundation 501c3 (finances, legal, infrastructure, communications)

OWASP Projects Are Alive! 2009 … 2007 2005 The Testing is alive… When they say, “print is dead” they don’t mean it’s out of style – it’s static not living! Do you have a bookshelf of security books? When’s the last time you opened them? They don’t have answers to today’s problems because they’re dead. It’s a process for translating security principles to the latest technologies and getting them to developers fast It’s an evolving growing living thing 2003 2001

www.owasp.org (our wiki)

OWASP by the Numbers 420,000 page views per month 15,000 downloads per month (SF alone) 10,000 members on mailing lists 2,600 wiki users 1,500 wiki updates per month 89 chapters worldwide 75 individual memberships 38 tool and documentation projects 28 corporate/educational memberships 25 new projects funded through Spring of Code 0 employees

How Can You Help? Update the wiki! Share! Push us to do better! Become a member

Thank You for Supporting OWASP! OWASP Worldwide 10,000 chapter and project members around the world