The OWASP Foundation, OWASP Education, Computer Based Training: Security for Managers and Executives. Nishi Kumar, IT Architect Specialist
1 The OWASP Foundation, OWASP Education, Computer Based Training: Security for Managers and Executives. Nishi Kumar, IT Architect Specialist, FIS; Chair, Software Security Forum at FIS; OWASP CBT Project Lead; OWASP Global Industry Committee. Contributor and Reviewer: Keith Turpin

2 Objectives
- Bring application security awareness
- Things we can do that will help build secure applications
- Processes we can put in place to achieve this goal
- How can OWASP help?
- How can you contribute?

3 How would you feel if your confidential data is stolen? Angry! Frustrated!

4 Identity Theft Phishing

5 Facebook Phishing Attack: lures people to a fake Facebook page and prompts them to log in. Unsuspecting Facebook users get a message from a friend urging them to "check this out", with a link to a web page that looks like the Facebook log-in page.

7 Customer data of 77 million accounts compromised (potentially credit card data as well)

8 Why Should We Care? Let's just think this through...
How likely is a successful web application attack?
- Stunningly prevalent
- Easy to exploit without special tools or knowledge
- Little chance of being detected
- Hundreds of thousands of developers, a tiny fraction with security training
Consequences?
- Corruption or disclosure of database contents
- Root access to web and application servers
- Loss of authentication and access control for users
- Defacement
- Secondary attacks launched from your application

9 Cost of Non-Compliance
In the event of a breach the acquirer CAN make the merchant responsible for:
- Any fines from PCI-Co, up to $500,000 per incident
- Cost to notify victims
- Cost to replace cards (about $10 per card)
- Cost of any fraudulent transactions
- Forensics from a QDSC
- Level 1 certification from a QDSC
The QDSC (Qualified Data Security Company) certification by Visa authorizes a company to perform level-one onsite assessments for merchants and service providers that require a "Report on Compliance" (ROC).

10 Cost of Non-Compliance (cont.)
Example: 50,000 credit cards stolen
- PCI penalty: $100,000 per incident; $500,000 if you do not have a self-assessment
- Card replacement: $500,000 (50,000 x $10 per card)
- Fraudulent transactions: $61,750,000 ($1,235 x 50,000, at $1,235 average per fraudulent transaction)
- Bad publicity: priceless!

11 Why is Web Application Security Important? Attacks shift towards the application layer.
[Chart, sources: Gartner, Watchfire. Share of attacks versus share of security spending by layer: web applications draw 75% of attacks but 10% of security spending; the network and server layer draws 25% of attacks but 90% of spending.]
2/3 of all web applications are vulnerable.

12 Problem Illustrated
Application Layer:
- Attacker sends attacks inside valid HTTP requests
- Your custom code is tricked into doing something it should not
- Security requires software development expertise, not signatures
Network Layer:
- Firewall, hardening, patching, IDS and SSL cannot detect or stop attacks inside HTTP requests
- Security relies on signature databases
[Diagram: an application attack passes through the network layer (firewall, hardened OS, web server, app server, firewall) into the application layer, where custom code for the business functions (accounts, finance, administration, transactions, communication, knowledge management, e-commerce) fronts databases, legacy systems, web services, directories, human resources and billing. An insider path is also marked.]
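The slide's point, as a runnable illustration added here (this is not code from the OWASP deck or from any OWASP project): two attack requests that are perfectly valid HTTP/1.1, a signature-style check that catches the textbook payload but not a comment-spliced variant, and the application-level fix (a bound parameter) that neutralises both without needing a signature at all. The `accounts` table, the three requests and the regex are all constructed for this example.

```python
"""Added example, not from the OWASP slides: an attack that arrives inside a
well-formed HTTP request, a signature check that misses a variant of it, and
the application-level fix (parameterised queries) that stops both.
Constructed for this example: an in-memory SQLite 'accounts' table and raw
HTTP requests as a web server would receive them."""
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed requests. All are valid HTTP/1.1; a firewall, hardened OS or
# TLS endpoint sees nothing wrong with any of them. The second spells "OR"
# between SQL comments so the naive signature below does not match it.
ATTACK = ("GET /account?user=alice%27%20OR%20%271%27%3D%271 HTTP/1.1\r\n"
          "Host: shop.example\r\n\r\n")
ATTACK_EVASIVE = ("GET /account?user=alice%27/**/OR/**/%271%27%3D%271 HTTP/1.1\r\n"
                  "Host: shop.example\r\n\r\n")
BENIGN = "GET /account?user=bob HTTP/1.1\r\nHost: shop.example\r\n\r\n"

def parse_request(raw):
    """Split a raw request into (method, path, query dict), percent-decoded."""
    method, target, _version = raw.split("\r\n", 1)[0].split(" ")
    url = urlparse(target)
    return method, url.path, {k: v[0] for k, v in parse_qs(url.query).items()}

def signature_blocks(raw):
    """Network-style detection: a pattern match on the decoded parameter.
    It catches the textbook payload and misses the comment-spliced one."""
    _, _, query = parse_request(raw)
    return any(re.search(r"'\s+or\s+'", v, re.IGNORECASE) for v in query.values())

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 999)])
    return conn

def vulnerable_lookup(conn, user):
    """Custom code tricked into doing something it should not: the
    user-controlled value is pasted into the SQL statement itself."""
    sql = "SELECT user, balance FROM accounts WHERE user = '" + user + "'"
    return conn.execute(sql).fetchall()

def safe_lookup(conn, user):
    """Same query with a bound parameter: the value can never become code,
    whatever it contains, so no signature is needed."""
    return conn.execute(
        "SELECT user, balance FROM accounts WHERE user = ?", (user,)).fetchall()

def handle(raw, lookup):
    """Minimal application server: route GET /account to a lookup."""
    method, path, query = parse_request(raw)
    if method != "GET" or path != "/account":
        return []
    return lookup(make_db(), query.get("user", ""))

if __name__ == "__main__":
    for name, req in (("attack", ATTACK), ("evasive", ATTACK_EVASIVE), ("benign", BENIGN)):
        print(name, "| signature blocks:", signature_blocks(req),
              "| vulnerable:", handle(req, vulnerable_lookup),
              "| safe:", handle(req, safe_lookup))
```

Run it and the "attack" request dumps every row through `vulnerable_lookup` while the signature flags it; the "evasive" request dumps every row too, and the signature is silent. `safe_lookup` returns nothing for either and the right row for the benign request, which is the slide's point: the control that works lives in the custom code, not in a pattern database.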

13 AppSec Visibility Cycle. Our mission: visibility.
Stakeholders: developers, infosec, legal, architects, users, research, business, audit.
Activities: monitor threats, create security architecture, define security requirements, implement controls, share findings, understand laws, verify compliance, understand stakeholders.

14 OWASP Foundation (OWASP Board): projects, membership, education, conferences, industry, chapters, connections. OWASP leaders (chapters and projects); OWASP meritocracy; OWASP members; OWASP users and participants.

15 What are the Top 10 Vulnerabilities? OWASP Top 10

16 Common Security Issues: The OWASP Top 10 (2010). The Ten Most Critical Web Application Security Risks. Aimed at educating developers, architects and security practitioners about the consequences of the most common web application security risks. Living document: the 2010 Top 10 differs from the 2007 Top 10.

17 Users and Adopters
Payment Card Industry (PCI):
- PCI DSS Requirement 6.5 references the OWASP Guide (OWASP Top 10)
- PA-DSS Requirement 5.2 references the OWASP Guide (OWASP Top 10)
- Security code review for all custom code
OWASP Supporters

18 Educational Supporters

19 Common Security Issues: The OWASP Top 10 (2010)

20 OWASP ESAPI (Enterprise Security API)
ESAPI sits between your custom enterprise web application and your existing enterprise services or libraries. Components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration.
ESAPI Homepage:

21 OWASP ESAPI 2.0 and OWASP Top 10 for 2010 mapping
A1: Injection -> Encoder
A2: Cross-Site Scripting (XSS) -> Encoder, Validator
A3: Broken Authentication and Session Management -> Authenticator, User, HTTPUtilities
A4: Insecure Direct Object References -> AccessReferenceMap, AccessController
A5: Cross-Site Request Forgery (CSRF) -> User (CSRF token)
A6: Security Misconfiguration -> SecurityConfiguration
A7: Insecure Cryptographic Storage -> Encryptor
A8: Failure to Restrict URL Access -> AccessController
A9: Insufficient Transport Layer Protection -> HTTPUtilities
A10: Unvalidated Redirects and Forwards -> AccessController
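Of the mappings above, the A4 row is the least obvious to a non-developer, so here is the idea behind ESAPI's AccessReferenceMap as an added example in Python (this is not ESAPI's own Java code and follows only its documented pattern): internal identifiers never reach the client; each session hands out random indirect references instead, and anything the session did not hand out is refused. The `DOCUMENTS` table, the users and the `login`/`fetch_document` handlers are constructed for the example.

```python
"""Added example, not ESAPI's code: the indirect-reference pattern behind
ESAPI's AccessReferenceMap (OWASP Top 10 2010 A4), in stand-alone Python.
Constructed for this example: a document table keyed by internal id and a
per-session map from random tokens to those ids."""
import secrets

class AccessReferenceMap:
    """Maps internal (direct) references such as database keys to random
    per-session (indirect) references, the only values a client ever sees.
    A client that tampers with a reference it was not given gets an
    exception instead of somebody else's record."""

    def __init__(self, direct_refs=()):
        self._to_indirect = {}
        self._to_direct = {}
        for ref in direct_refs:
            self.add_direct_reference(ref)

    def add_direct_reference(self, direct):
        """Register a direct reference; returns its (new or existing) token."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        while True:
            indirect = secrets.token_urlsafe(12)   # 96 random bits, not guessable
            if indirect not in self._to_direct:
                break
        self._to_indirect[direct] = indirect
        self._to_direct[indirect] = direct
        return indirect

    def get_indirect_reference(self, direct):
        return self._to_indirect[direct]

    def get_direct_reference(self, indirect):
        """Resolve a client-supplied token; unknown tokens are refused."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise PermissionError("access denied: unknown reference") from None

    def remove_direct_reference(self, direct):
        indirect = self._to_indirect.pop(direct)
        del self._to_direct[indirect]

# Constructed sample data: documents keyed by internal id, with their owner.
DOCUMENTS = {1001: ("alice", "tax-return.pdf"),
             1002: ("alice", "passport.jpg"),
             2001: ("bob", "payslip.pdf")}

def documents_owned_by(user):
    return [doc_id for doc_id, (owner, _) in DOCUMENTS.items() if owner == user]

def login(user):
    """Build the session's map from what this user may access. Only these
    tokens are ever rendered into links or form fields for the session."""
    return AccessReferenceMap(documents_owned_by(user))

def fetch_document(session_map, indirect_ref):
    """Request handler: resolve the client's token through the session map."""
    doc_id = session_map.get_direct_reference(indirect_ref)
    return DOCUMENTS[doc_id][1]

def insecure_fetch_document(doc_id):
    """The A4 anti-pattern: the raw key travels to the client and back,
    so editing 1001 into 2001 in the URL reads bob's file."""
    return DOCUMENTS[doc_id][1]

if __name__ == "__main__":
    alice = login("alice")
    token = alice.get_indirect_reference(1001)
    print("alice's link carries", token, "->", fetch_document(alice, token))
    try:
        fetch_document(alice, login("bob").get_indirect_reference(2001))
    except PermissionError as exc:
        print("tampering with the reference:", exc)
```

Two properties matter: tokens are unguessable and per session (a fresh login gets a fresh map), and resolution fails closed. AccessController in the same row covers the complementary check, whether the resolved object is actually permitted for the caller, which this example leaves to the session map's contents.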

22 OWASP Documentation on Web Application Security
- Application Security Desk Reference (ASDR): basic reference material on application security terminology
- Developer Guide: comprehensive guide to web application and web services security
- Secure Coding Practices: quick reference guide for secure coding practices
- Code Review Guide: comprehensive secure code review guide on the web
- Testing Guide: web application penetration testing
- ASVS: Application Security Verification Standard

23 OWASP Tools and Technology
- Automated security verification: vulnerability scanners, static analysis tools, fuzzing
- Manual security verification: penetration testing tools, code review tools
- Security architecture: ESAPI
- Secure coding: AppSec libraries, ESAPI reference implementation, guards and filters
- AppSec management: reporting tools
- AppSec education: CBT (computer based training), flawed apps, learning environments, Live CD

24 Web Testing Environment (Live CD) Project that collects some of the best open source security projects in a single environment Users can boot from Live CD and immediately start using all tools without any configuration

25 Web Testing Environment (Live CD) tools: Burpsuite, Cal Ende 1.0rc3, Fierce, Firefox 3.6, Grendel-scan 1.0, Httprint 301, Jbrofuzz 2.4, Maltego 3.0, Metasploit, Netcat, Nikto, Nmap 5.00, Paros, Ratproxy 1.58, Spikeproxy, Sqlbrute 1.0, Sqlmap 0.8, Tcpdump, w3af-svn 4041, wapiti, Webgoat 5.3-RC1, Webscarab, Webslayer svn r4, Wireshark, Wsfuzzer, Zap 1.2.0

26 Secure Coding Practices The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. It is designed to serve as a secure coding kick-start tool and easy reference, to help development teams quickly understand secure coding practices.

27 Training and Education
- OWASP Education Project
- OWASP projects and resources you can use TODAY

28 Training and Education (cont.)
- OWASP CBT Project

29 WebGoat: a classic deliberately vulnerable application that teaches developers about security code flaws

30 WebScarab, a proxy engine: a proxy tool to intercept HTTP requests and responses

31 Software Assurance Maturity Model (SAMM)
Disciplines: Alignment & Governance, Requirements & Design, Verification & Assessment, Deployment & Operations. The four Disciplines are high-level categories for activities.
Functions: three security Functions under each Discipline are the specific silos for improvement within an organization.

32 Software Assurance Maturity Model (SAMM) Check out this one...

33 SAMM Conducting assessments SAMM includes assessment worksheets for each Security Practice

34 SAMM Creating Scorecards
- Gap analysis: capturing scores from detailed assessments versus expected performance levels
- Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
- Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place

35 Process perspective: Build Security in the SDLC

36 How do I participate? Organization Supporters. Cost: $5000 USD for a 12 month term

37 Organization Supporter: Why Should I Become an OWASP Organization Supporter?
- OWASP provides documentation, tools, methodologies, standards, articles, and message forums freely to a worldwide audience in order to improve application security
- These materials help organizations acquire, build, test, and operate secure software
- Organizational supporters play a crucial role in supporting the creation, growth, and improvement of OWASP materials
- Because we are an open, non-commercial entity, we can take on projects that commercial entities can't

38 Organization Supporter: Benefits for Organization Supporters
- Post a rotating banner ad on the front page for 30 days at no additional cost
- Your organization's logo posted on the OWASP website
- Listed as a sponsor in the newsletter that goes to over 10,000 individuals around the world
- A collective voice via the Global Industry Committee
- 1 member vote in elections and on issues that shape the direction of the community
- U.S. organization support of OWASP is 100% tax deductible

39 Where do the funds go? Funding: OWASP is a U.S. 501(c)(3) not-for-profit foundation. All funds go directly to support OWASP projects, grants, chapters, and infrastructure.

40 Become an Organization Supporter
