7/27/2019 02 OWASP BNL10 Training - Tour of OWASP Projects V2
1/39
Copyright 2010 - The OWASP Foundation. This work is available under the Creative Commons SA 2.5 license.
The OWASP Foundation
OWASP BeNeLux 2010
http://www.owasp.org
Tour of OWASP's projects
Sebastien Deleersnyder
Dec 1, 2010
OWASP Tools and Technology
Automated Security Verification: Vulnerability Scanners, Static Analysis Tools, Fuzzing
Manual Security Verification: Penetration Testing Tools, Code Review Tools
Security Architecture: ESAPI
Secure Coding: AppSec Libraries, ESAPI Reference Implementation, Guards and Filters
AppSec Management: Reporting Tools
AppSec Education: Flawed Apps, Learning Environments, Live CD, Site Generator
OWASP Body of Knowledge
Core Application Security Knowledge Base: Principles; Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures
Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services
Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review
Managing Application Security: Guidance and Tools for Measuring and Managing Application Security
Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
AppSec Education and CBT: Web Based Learning Environment and Guide for Learning Application Security
Research to Secure New Technologies: Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
OWASP Foundation 501c3
OWASP Community Platform (wiki, forums, mailing lists): Projects, Chapters, AppSec Conferences
Top level view
There are a lot of OWASP projects
Metrics
Categorizing and organizing projects: maturity, activity level, quality, relevance
Assessment Criteria
Categories
PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.
DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.
LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).
OWASP projects by numbers
Total Projects: 122
Release quality: 19
Beta quality: 28
Alpha quality: 89
Inactive: 6
Dashboard
Assessment details
Project Parade
The Big 4 Documentation Projects
Building Guide
Code Review Guide
Testing Guide
Application Security Desk Reference (ASDR)
The Guide
Complements OWASP Top 10
310p Book
Free and open source, GNU Free Doc License
Many contributors
Apps and web services
Most platforms: examples are J2EE, ASP.NET, and PHP
Comprehensive
Project Leader and Editor: Andrew van der Stock
Uses of the Guide
Developers: use for guidance on implementing security mechanisms and avoiding vulnerabilities
Project Managers: use for identifying activities (threat modeling, code review, penetration testing) that need to occur
Security Teams: use for structuring evaluations, learning about application security, remediation approaches
Each Topic
Includes basic information (like OWASP T10):
How to Determine If You Are Vulnerable
How to Protect Yourself
Adds:
Objectives
Environments Affected
Relevant COBIT Topics
Theory
Best Practices
Misconceptions
Code Snippets
Testing Guide v3: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Evolution V3
Testing Guide v3 sections:
Information Gathering
Config. Management Testing
Business Logic Testing
Authentication Testing
Authorization Testing
Session Management Testing
Data Validation Testing
Denial of Service Testing
Web Services Testing
Ajax Testing
Encoded Appendix
Testing Guide v2 sections (for comparison):
Information Gathering
Business Logic Testing
Authentication Testing
Session Management Testing
Data Validation Testing
Denial of Service Testing
Web Services Testing
Ajax Testing
How the Guide helps the security industry
For pen-testers:
A structured approach to the testing activities
A checklist to be followed
A learning and training tool
For organisations:
A tool to understand web vulnerabilities and their impact
A way to check the quality of the penetration tests they buy
More in general, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its client.
This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures.
OWASP Application Security Verification Std
Standard for verifying the security of web applications
Four levels:
Automated
Manual
Architecture
Internal
OWASP Software Assurance Maturity Model
Tools
http://www.owasp.org/index.php/Phoenix/Tools
Best known OWASP Tools
WebGoat
WebScarab
Remember:
A Fool with a Tool is still a Fool
Live CD
Project that collects some of the best open source security projects in a single environment
http://www.owasp.org/index.php/LiveCD
Users can boot from the Live CD and immediately start using all tools without any configuration
Available Tools
25 significant tools
OWASP WebScarab v20090122
OWASP WebGoat v5.2
OWASP CAL9000 v2.0
OWASP JBroFuzz v1.2
OWASP DirBuster v0.12
OWASP SQLiX v1.0
OWASP WSFuzzer v1.9.4
OWASP Wapiti v2.0.0-beta
Paros Proxy v3.2.13
nmap & Zenmap v4.76
Wireshark v1.0.5
tcpdump v4.0.0
Firefox 3.06 + 25 addons
Burp Suite v1.2
Grendel Scan v1.0
Metasploit v3.2 (svn)
w3af + GUI svn r2161
Netcats original + GNU
Nikto v2.03
Fierce Domain Scanner v1.0.3
Maltego CE v2-210
Httprint v301
SQLBrute v1.0
Spike Proxy v1.4.8-4
Rat Proxy v1.53-beta
sqlmap v0.7-rc1 now included!
OWASP WebGoat
Screenshot: http://www.owasp.org/images/f/f3/WebGoat-Bypass-Access-Control-Lesson.JPG
OWASP WebScarab
Screenshot: http://www.owasp.org/index.php/Image:WebScarab_after_browsing.png
Tools At Best 45%
MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE).
They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).
The OWASP Enterprise Security API
Custom Enterprise Web Application
Enterprise Security API components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, ExceptionHandling, Logger, IntrusionDetector, SecurityConfiguration
Existing Enterprise Security Services/Libraries
Create Your ESAPI Implementation
Your Security Services:
Wrap your existing libraries and services
Extend and customize your ESAPI implementation
Fill in gaps with the reference implementation
Your Coding Guideline:
Tailor the ESAPI coding guidelines
Retrofit ESAPI patterns to existing code
OWASP CSRFTester
OWASP CSRFGuard 2.0
Flow: User (Browser) -> OWASP CSRFGuard (Add Token to HTML, Verify Token) -> Business Processing
Adds token to:
href attribute
src attribute
hidden field in all forms
Actions:
Log
Invalidate
Redirect
http://www.owasp.org/index.php/CSRFGuard
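As an added illustration of the mechanism on this slide (example code, not CSRFGuard's own), the following Python walks through the two steps: a per-session token is injected into href and src attributes and as a hidden field in every form, and each incoming request is checked for it, with Log, Invalidate and Redirect as the actions on failure. The parameter name OWASP_CSRFTOKEN and the regex-based rewriting of constructed markup are assumptions made for the example.

```python
"""Added example of the CSRFGuard pattern shown on the slide; not CSRFGuard's
own code. A per-session token is added to href/src attributes and as a hidden
field in every form, and each request is checked for it before processing."""
import hmac
import re
import secrets

# Parameter name assumed for the example (matches CSRFGuard's default).
TOKEN_NAME = "OWASP_CSRFTOKEN"
# Actions the slide lists for a failed verification.
FAIL_ACTIONS = ["Log", "Invalidate", "Redirect"]


def new_session_token() -> str:
    """Unpredictable per-session token, kept server-side in the session."""
    return secrets.token_hex(16)


def add_token_to_html(html: str, token: str) -> str:
    """Step 1: inject the token into href/src attributes and into every form.
    Regex-based rewriting is a simplification for the constructed markup."""
    def add_to_attr(m):
        name, url = m.group(1), m.group(2)
        sep = "&" if "?" in url else "?"
        return f'{name}="{url}{sep}{TOKEN_NAME}={token}"'

    html = re.sub(r'\b(href|src)="([^"]*)"', add_to_attr, html)
    hidden = f'<input type="hidden" name="{TOKEN_NAME}" value="{token}">'
    return re.sub(r"<form\b[^>]*>", lambda m: m.group(0) + hidden, html)


def verify_token(session_token: str, request_params: dict) -> tuple:
    """Step 2: compare the submitted token with the session's token in
    constant time. Returns (ok, actions); actions is empty on success."""
    supplied = request_params.get(TOKEN_NAME, "")
    if session_token and hmac.compare_digest(supplied.encode(), session_token.encode()):
        return True, []
    return False, list(FAIL_ACTIONS)


if __name__ == "__main__":
    # Constructed page and requests to walk through the flow.
    tok = new_session_token()
    page = ('<a href="/transfer?to=bob">Send</a><img src="/logo.png">'
            '<form method="post" action="/pay"></form>')
    print(add_token_to_html(page, tok))
    print(verify_token(tok, {TOKEN_NAME: tok}))  # (True, [])
    print(verify_token(tok, {}))                 # (False, ['Log', 'Invalidate', 'Redirect'])
```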
OWASP Framework: SDLC & OWASP Guidelines
Want More ?
OWASP .NET Project
OWASP ASDR Project
OWASP AntiSamy Project
OWASP AppSec FAQ Project
OWASP Application Security Assessment Standards Project
OWASP Application Security Metrics Project
OWASP Application Security Requirements Project
OWASP CAL9000 Project
OWASP CLASP Project
OWASP CSRFGuard Project
OWASP CSRFTester Project
OWASP Career Development Project
OWASP Certification Criteria Project
OWASP Certification Project
OWASP Code Review Project
OWASP Communications Project
OWASP DirBuster Project
OWASP Education Project
OWASP Encoding Project
OWASP Enterprise Security API
OWASP Flash Security Project
OWASP Guide Project
OWASP Honeycomb Project
OWASP Insecure Web App Project
OWASP Interceptor Project
OWASP JBroFuzz
OWASP Java Project
OWASP LAPSE Project
OWASP Legal Project
OWASP Live CD Project
OWASP Logging Project
OWASP Orizon Project
OWASP PHP Project
OWASP Pantera Web Assessment Studio Project
OWASP SASAP Project
OWASP SQLiX Project
OWASP SWAAT Project
OWASP Sprajax Project
OWASP Testing Project
OWASP Tools Project
OWASP Top Ten Project
OWASP Validation Project
OWASP WASS Project
OWASP WSFuzzer Project
OWASP Web Services Security Project
OWASP WebGoat Project
OWASP WebScarab Project
OWASP XML Security Gateway Evaluation Criteria Project
OWASP on the Move Project
OWASP Research Grants
We support the research that keeps your organization safe!
OWASP Projects Are Alive!
2001
2003
2005
2007
2009
How to participate?
Start your own project: the best OWASP projects are strategic; get the community involved / build a team
Contribute existing (open license)
Promotion!
Help an existing project
Questions and Answers