Meet OWASP program : resources you can use today


Meet OWASP:
resources you can use, today.
Antonio Fontes
[email protected]
OWASP Geneva Chapter Leader
Switzerland
About myself
• Software / Web application security architect
• Independent (no ties with any integrator/vendor)
• OWASP Leader:
– Member of the Board, OWASP Switzerland
– Leader, OWASP Geneva Chapter
• Core interests:
– Software Assurance Maturity Model (SAMM)
– Application Security Verification Standard (ASVS)
State of Information Security
The problem?
There are not enough qualified
application security professionals
What can we do about it?
• Make application security visible
• Provide Developers and Software Testers with materials and tools helping them to build more secure applications
What is OWASP?
• Open Web Application Security Project
https://www.owasp.org
• Global community, driving and promoting safety and security of the world’s software
• Not-for-profit foundation registered in the United States and a nonprofit association registered in the European Union
• Open:
– Everyone is free to participate
– All OWASP materials & tools are free
OWASP by Numbers
• 12 years of community service
• 88+ Government & Industry Citations
– including DHS, ISO, IEEE, NIST, SANS Institute, PCI-DSS, CSA, etc.
• 36,000+ members registered on the mailing lists
• 320,000+ unique visitors per month
• 1,000,000+ pages viewed per month
• 15,000+ tools and documents downloaded each month
OWASP by the Numbers (cont)
• Year 2013 Budget: USD$580,000
• 2081 individual members and honorary members
• 70 countries
• 60+ donating Corporate Members
• 100+ supporting Academic Members
• 198 Active Chapters
• 168 Active Projects
• 4 Global AppSec Conferences per Year
OWASP by the Numbers (cont)
• Started in 2008
• Promote application security through chapter meetings and collaboration with local developer communities
• 2013:
– Contact initiated with local developer groups (*UG)
– 5 meetings planned
– Board made of 3 industry representatives: consulting, banking/finance and public administration sectors:
Simon Blanchet
[email protected]
Antonio Fontes
[email protected]
Thomas Hofer
[email protected]
OWASP Projects & Tools
• Make application security visible
• Videos, podcasts, books, guidelines, cheat sheets, tools, …
• Available under a free and open software license
• Used, recommended and referenced by many government, standards and industry organisations
• Open for everyone to participate
OWASP Projects & Tools Classification
• 168+ Active Projects
• PROTECT
– guard against security-related design and implementation flaws.
• DETECT
– find security-related design and implementation flaws.
• LIFE CYCLE
– add security-related activities into software processes (e.g. SDLC, agile, etc.)
OWASP Projects & Tools – An Overview
DETECT
– OWASP Top 10
– OWASP Code Review Guide
– OWASP Testing Guide
– OWASP Cheat Sheet Series
PROTECT
– OWASP ESAPI
– OWASP ModSecurity CRS
– OWASP AppSec Tutorials
– OWASP ASVS
– OWASP LiveCD / WTE
– OWASP ZAP Proxy
LIFE CYCLE
– WebGoat J2EE
– WebGoat .NET
Full list of projects (release, beta, alpha):
http://www.owasp.org/index.php/Category:OWASP_Project
10 Most critical web application security risks
• The most visible OWASP project
• Classifies some of the most critical risks
• Essential reading for anyone developing web applications
• Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, FTC, and many more
OWASP Top Ten (2013 Edition)
OWASP Top 10 Risk Rating Methodology
Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
?            | 1 Easy        | 1 Widespread        | 1 Easy                 | 1 Severe         | ?
             | 2 Average     | 2 Common            | 2 Average              | 2 Moderate       |
             | 3 Difficult   | 3 Uncommon          | 3 Difficult            | 3 Minor          |
Injection Example: Attack Vector 1, Weakness Prevalence 2, Weakness Detectability 2 (average 1.66) * Technical Impact 1 = 1.66 weighted risk rating
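The arithmetic behind the slide's Injection figure, as an added example written for this page (it is not the presenter's material and not an OWASP tool): likelihood is the mean of the three likelihood columns and the weighted rating multiplies it by technical impact, which gives (1 + 2 + 2) / 3 * 1 = 1.66. The scale values are the slide's; the truncation to two decimals (1.66 rather than 1.67), the second "constructed example" risk and every function name are assumptions of this example.

```python
"""Calculator for the OWASP Top 10 (2013) risk-rating scheme shown on the slide.

Added example for this page; it is not the presenter's material and not an
OWASP tool. Scale values are the slide's; the combination rule and the
truncation to two decimals are assumptions that reproduce its 1.66 result.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

# Rating scales from the slide. Lower score means higher risk: an "Easy"
# attack vector scores 1, a "Difficult" one scores 3.
ATTACK_VECTOR = {"easy": 1, "average": 2, "difficult": 3}
PREVALENCE = {"widespread": 1, "common": 2, "uncommon": 3}
DETECTABILITY = {"easy": 1, "average": 2, "difficult": 3}
TECHNICAL_IMPACT = {"severe": 1, "moderate": 2, "minor": 3}


@dataclass(frozen=True)
class RiskFactors:
    attack_vector: str
    prevalence: str
    detectability: str
    technical_impact: str


def likelihood(f: RiskFactors) -> float:
    """Mean of the three likelihood factors (attack vector, prevalence, detectability)."""
    scores = (ATTACK_VECTOR[f.attack_vector],
              PREVALENCE[f.prevalence],
              DETECTABILITY[f.detectability])
    return sum(scores) / len(scores)


def weighted_risk(f: RiskFactors) -> float:
    """Likelihood times technical impact, truncated to two decimals (the slide
    shows 1.66 for 5/3, so it truncates rather than rounds)."""
    return math.floor(likelihood(f) * TECHNICAL_IMPACT[f.technical_impact] * 100) / 100


def rank(candidates: dict[str, RiskFactors]) -> list[tuple[str, float]]:
    """Most critical first: the lowest weighted score is the highest risk."""
    return sorted(((name, weighted_risk(f)) for name, f in candidates.items()),
                  key=lambda item: item[1])


# The slide's Injection example: Easy / Common / Average / Severe.
INJECTION = RiskFactors("easy", "common", "average", "severe")

# Constructed second entry (not from the slide) so the ranking has something to order.
CONSTRUCTED_EXAMPLE = RiskFactors("average", "uncommon", "difficult", "moderate")


if __name__ == "__main__":
    for name, score in rank({"Injection": INJECTION,
                             "Constructed example": CONSTRUCTED_EXAMPLE}):
        print(f"{name:<20} {score}")
```

Because the scheme scores the "worst" level as 1, ranking sorts ascending; a team adapting the rubric to its own context (the "?" Threat Agent and Business Impact columns the slide leaves open) only needs to add those factors to the product.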
Code Review Guide
• Code review is probably the most effective technique for identifying security flaws
• Focuses on the mechanics of reviewing code for certain vulnerabilities
• A key enabler for the OWASP fight against software insecurity
• Update is in progress
Code Review Guide (cont)
• Focuses on .NET and Java, but has some C/C++ and PHP
• Integration of secure code review into software development processes
• Understand what you are reviewing
• Security code review is not a silver bullet, but a key component of an IS program
Testing Guide
• Create a "best practices" web application penetration testing framework
• A low-level web application penetration testing guide
• Recommended for developers and software testers
• Update in progress
https://www.owasp.org/index.php/OWASP_Testing_Project
Cheat Sheet Series
• Provide a concise collection of high value information on specific web application security topics
Developer Cheat Sheets (Builder):
– Authentication
– Clickjacking Defense
– Cryptographic Storage
– HTML5 Security
– Input Validation
– Query Parameterization
– Session Management
– SQL Injection Prevention
– …
Assessment Cheat Sheets (Breaker):
– Attack Surface Analysis
– XSS Filter Evasion
– …
Mobile Cheat Sheets:
– IOS Developer
– Mobile Jailbreaking
– …
https://www.owasp.org/index.php/Cheat_Sheets
Cheat Sheet Series (cont)
• The most visible OWASP project
• Classifies some of the most critical risks
• Essential reading for anyone developing web applications
• Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more
Cheat Sheet Series (cont)
AppSec Tutorial Series
https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
• Application security video based training
• Four episodes are available
ASVS: Application Security
Verification Standard
• Provides a basis for testing application technical security controls
• Use as a metric – assess the degree of trust in existing security controls
• Use as guidance – for what to build as part of planned security controls
• Use during procurement
ASVS: Levels
ASVS: Verification Requirements
V1. Authentication
V2. Session Management
V3. Access Control
V4. Input Validation
V5. Cryptography (at Rest)
V6. Error Handling and Logging
V7. Data Protection
V8. Communication Security
V9. HTTP Security
V10. Malicious Controls
V11. Business Logic
V12. Files and Resources
V13. Mobile
SAMM: Software Assurance Maturity Model
• A framework to integrate security into software development and procurement/acquisition processes.
• A maturity model to qualify a software security initiative under a repeatable process, in time or across several units.
SAMM: Software Assurance Maturity Model
LiveCD / WTE
• Make application security tools and documentation easily available
• Collects some of the best open source security projects in a single environment
• Boot from this Live CD and have access to a full security testing suite
http://appseclive.org/
Mailing list 101
• A list for introductory questions on application security
Open access:
https://lists.owasp.org/mailman/listinfo/security101
Zed Attack Proxy
• One of the flagship OWASP projects
• Easy to use integrated penetration testing tool for assessing web applications
• Ideal for developers and functional testers who are new to penetration testing
• Completely free and open source
• Cross platform, internationalised
ZAP Proxy: Features
• Intercepting Proxy
• Automated scanner
• Passive scanner
• Brute Force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL certificates
• API
• Beanshell integration
Upcoming:
– New Spider with Ajax functionality
– Session scope awareness
– Web socket support
– Scanning modes (Safe/Protected/Standard)
– Scripting console
ESAPI: Enterprise Security API
• Free, open source, web application security controls library
• Provide developers with libraries for writing lower-risk applications
• Allow retrofitting security into existing applications
• Serve as a solid foundation for new development
• Support for Java, PHP and Force.com – there could be more languages supported
ESAPI: functions and services
Layers, top to bottom:
– Custom Enterprise Web Application
– Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
– Existing Enterprise Security Services/Libraries
ESAPI: Validation and Encoding
Request path: User → Controller → Business Functions → Data Layer → Backend
Validator (between the Controller and the Business Functions): isValidCreditCard, isValidDataFromBrowser, isValidDirectoryPath, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidListItem, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine
Encoder (between the Data Layer and the Backend): Canonicalization, Double Encoding Protection, Sanitization, Normalization
Encoder methods: encodeForJavaScript, encodeForVBScript, encodeForURL, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForDN, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath
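Context-specific output encoding and canonicalization in the spirit of the Validator and Encoder boxes above, as an added example written for this page in Python rather than ESAPI's Java: it is not ESAPI's code and not the presenter's. The function names echo the slide's method names; their implementations, the `DoubleEncodingError` class, the `is_valid_input` signature and the sample inputs are assumptions. It shows why one encoder does not fit every context (the same string needs different escapes in an HTML body, an attribute, a JavaScript literal and a URL) and how canonicalization rejects double-encoded input instead of decoding it quietly.

```python
"""Context-specific output encoding and input canonicalization, in the style
of ESAPI's Encoder and Validator.

Added example for this page; it is not ESAPI's code and not the presenter's.
The function names mirror the ESAPI method names on the slide, but the
implementations, DoubleEncodingError and is_valid_input's signature are
simplifications assumed for illustration.
"""
from __future__ import annotations

import html
import re
from urllib.parse import quote, unquote

_ALNUM = re.compile(r"[A-Za-z0-9]")


def encode_for_html(value: str) -> str:
    """HTML element content: the five significant characters become entities."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Attribute values: everything except [A-Za-z0-9] becomes a numeric entity,
    so the value is safe in quoted and (carelessly) unquoted attributes alike."""
    return "".join(c if _ALNUM.match(c) else f"&#x{ord(c):x};" for c in value)


def encode_for_javascript(value: str) -> str:
    """JavaScript string literal: \\xHH / \\uHHHH escapes, never HTML entities,
    because the JS parser does not decode entities inside a script."""
    out = []
    for c in value:
        if _ALNUM.match(c):
            out.append(c)
        elif ord(c) < 256:
            out.append(f"\\x{ord(c):02x}")
        else:
            out.append(f"\\u{ord(c):04x}")
    return "".join(out)


def encode_for_url(value: str) -> str:
    """URL query component: percent-encode everything outside the unreserved set."""
    return quote(value, safe="")


class DoubleEncodingError(ValueError):
    """Raised when input only reaches its plain form after more than one decode."""


def canonicalize(value: str, max_rounds: int = 4) -> str:
    """Reduce percent- and entity-encoded input to its simplest form.

    One decode round is normal (a browser sends one layer of encoding). A
    second productive round means the sender encoded twice, which a filter
    that decodes only once would misjudge, so it is reported rather than
    silently accepted: that is the slide's "Double Encoding Protection".
    """
    current = value
    productive_rounds = 0
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        productive_rounds += 1
        current = decoded
    if productive_rounds > 1:
        raise DoubleEncodingError(f"input decoded {productive_rounds} times: {value!r}")
    return current


def is_valid_input(context: str, value: str, pattern: str, max_length: int) -> bool:
    """Positive (allow-list) validation after canonicalization, like the
    Validator on the slide; returns False instead of raising on bad input."""
    try:
        canonical = canonicalize(value)
    except DoubleEncodingError:
        return False
    return len(canonical) <= max_length and re.fullmatch(pattern, canonical) is not None


if __name__ == "__main__":
    sample = 'Tom & "Jerry" <b>'  # constructed input, not from the slide
    for name, fn in [("HTML", encode_for_html), ("attribute", encode_for_html_attribute),
                     ("JavaScript", encode_for_javascript), ("URL", encode_for_url)]:
        print(f"{name:<11}{fn(sample)}")
    print("username valid:", is_valid_input("username", "alice_01", r"[A-Za-z0-9_]+", 32))
    print("double-encoded:", is_valid_input("username", "%253Cb%253E", r"[A-Za-z0-9_]+", 32))
```

The split between the two halves mirrors the slide: validation runs once, at the controller, on the canonical form of the input; encoding runs at every output boundary and is chosen by the destination context (HTML, attribute, JavaScript, URL), not by where the data came from.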
ModSecurity CRS: Core Rule Set
• Free certified rule set for ModSecurity WAF
• Generic web application protection:
– Common Web Attacks Protection
– HTTP Protection
– Real-time Blacklist Lookups
– HTTP Denial of Service Protection
– Automation Detection
– Integration with AV Scanning for File Uploads
– Tracking Sensitive Data
– Identification of Application Defects
– Error Detection and Hiding
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
WebGoat
• Deliberately insecure web application to teach web application security lessons
• Over 30 lessons, providing hands-on learning about
– Cross-Site Scripting (XSS)
– Access Control
– Blind/Numeric/String SQL Injection
– Web Services
– … and many more
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
WebGoat: Java
WebGoat: .NET
• A purposefully broken ASP.NET web application
• Contains many common vulnerabilities
• Intended for use in classroom environments
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET
DEMO
• OWASP ZAP Proxy
• OWASP WebGoat Java Project
Thank You!
Q&A
if you need inspiration:
Where/How do we start using OWASP?
How can we help OWASP in return?
Can you tell us more about project ______ ?
https://www.owasp.org
https://www.owasp.org/index.php/Geneva