Page 1: Getting More Out of OWASP: Leveraging Today’s Nest of Projects

OWASP Atlanta, March 2014 Chapter Meeting
Tony “UV” UcedaVelez, VerSprite, Inc.
OWASP Atlanta Chapter Leader
[email protected] | @t0nyuv

The OWASP Foundation, http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Page 2: Reasons for Talk

• After 11 years, many people still don’t know about OWASP
• Problems in InfoSec are bountiful
• Opportunities for solving problems are catalyzed by OWASP
• Those that ‘DO’ will be best served by OWASP projects
• Get involved to further the OWASP mission and projects
• Consultant viewpoint from close to 20 years in the trenches

Page 3: ‘Get’ Topics to Cover

• Get familiar
• Get more from OWASP
• Get involved

Page 4: OWASP is a Belief

• Community driven
• Software security shouldn’t be reserved to those who can afford it
• Interpersonal exchanges and interactions reveal true opportunities for collaboration
• Cultural, industry and country related challenges are exposed and addressed
• Massively supportive and responsive

Page 5: More Basics on OWASP

• A non-profit (501(c)(3)), global org. Please donate, or become a member!
• Consortium of tools and deliverables aimed at application security
• OPENness is the heart of the org: from its content and dialogue to its administration
• OWASP content can be leveraged in ANY org

Page 6: Core Values (from site)

• OPEN: radical transparency, from finances to our code
• INNOVATION: encourages innovation for solutions to software security challenges
• GLOBAL: truly a global community
• INTEGRITY: truthful, vendor neutral, global community

Page 9: …now to the projects…

Page 10: OWASP Project Runway

Page 11: Untangling the OWASP Projects Knot

It can’t be done! >:/

Page 12: Governance, Maturity Modeling & Metrics

Page 13: OWASP OpenSAMM

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.

Benefits
• Evaluate your organization’s existing software security practices
• Build a balanced software security program in well-defined iterations
• Demonstrate concrete improvements

http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project


Page 15: Wide Scope Covered by OpenSAMM

• Supports a security plan or roadmap
• Establish governance
• Perform against assessments
• Test and report
• Enhance security operations
• Build an S-SDLC initiative
• Measures success and shortcomings
• Provides metrics for reporting

http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project


Page 17

“OWASP.org is a valuable resource for any company involved with online payment card transactions. Dell uses OWASP’s Software Assurance Maturity Model (OpenSAMM) to help focus our resources and determine which components of our secure application development program to prioritize. Participation in OWASP’s local chapter meetings and conferences around the globe helps us build stronger networks with our colleagues.” (Michael J. Craigue, Information Security & Compliance, Dell, Inc.)

Page 18: SAMM Scorecard

Scores per security practice and maturity-level activity (1.A through 3.B), grouped by SAMM business function. Practice abbreviations are the SAMM 1.0 ones: SM Strategy & Metrics, PC Policy & Compliance, EG Education & Guidance (Governance); TA Threat Assessment, SR Security Requirements, SA Secure Architecture (Construction); DR Design Review, CR Code Review, ST Security Testing (Verification); VM Vulnerability Management, EH Environment Hardening, OE Operational Enablement (Deployment).

Function      Practice   1.A   1.B   2.A   2.B   3.A   3.B
Governance    SM          21    34    26    20     0    16
Governance    PC          43    52    23    57    31     4
Governance    EG           9    43     9    23    25     4
Construction  TA          16    30    11     0     8     0
Construction  SR          19    45     0     0    12     0
Construction  SA          54    53    29    26    13     9
Verification  DR           0    56    10    24     8     0
Verification  CR          24    34     1     0     6    23
Verification  ST          13    62    27    11     7    27
Deployment    VM           0    59    50     0     6    44
Deployment    EH           0     0    19    61     9     0
Deployment    OE           0     0     0    31     0    10

Page 19: Operationalizing Security

Case study and prescriptive advice on implementing OWASP projects

Page 20: Challenges in SecOps

• Security operations are becoming zombified
• Over-reliance on vendors (tools and services)
• Ask most security operations people “are you getting better?” and they really don’t know
• Measuring and trending is key
• Part of the challenge in measuring is having the right tools; the other part is knowing what consistent values to check for

Page 21: Prescriptive Advice in SecOps

• Define operational metrics around security
• Contemplate bug bounties
• Measure security by events
• Validated alerts (blocked)
• False positive analysis (for tuning purposes)
• Mitigate new layers of attacks
• Do more with less

Page 22: Case Study: U.S. Financial Company

The company name will not be disclosed, so we need a name for it: UFS (Unidentified Financial Services).

Page 23: UFS: Company Overview

Relative size
• Among the largest 25 banks in the U.S.
• Branches in many states in the U.S.

General information
• Company type: subsidiary of a larger firm
• Industry: finance and banking
• Revenue: 2+ billion USD
• Employees: 13,000+
• Parent company: ~$14 billion in revenue, ~110,000 employees and ~$650 billion in assets

Page 24: UFS: IT Security

The UFS security group
• 8 IT security analysts (full-time employees)

Mission and goals
• Compliance efforts: PCI DSS and SOX (Sarbanes-Oxley Act). Compliance is a starting point for them; they aim for secure and get compliance along the way.
• Assessment / security reviews of online assets (online assets include multiple web applications)
• Traditional network-based security services
• Anti-phishing efforts

Page 25: UFS: Before OWASP

Fiscal year 2007, web application security reviews
• Utilized only outside security firms
• UFS security group handled remediation tasks
• Requests for additional details on review findings represented additional costs
• Average engagement cost: $8,000 per site
• Web app security reviews for 2007 = 30 sites, or $240,000 total cost

Page 26: UFS: With OWASP

Fiscal year 2008, web application security reviews
• Utilized only internal security analysts
• Used the OWASP Testing Guide v2 plus WebScarab as their standard for testing web applications
• Printed guide copies for all 8 analysts for $200
• UFS security group handles remediation tasks
• Average engagement cost: $0 per site (assumes salaries are a fixed cost; no new staff added for this effort)
• Assessed 48 sites in 2008

Page 27: UFS: With OWASP

Web app security review costs:
• 2007: $240,000 (30 sites x $8,000/site)
• 2008: $200 for 48 sites (printing costs)
• If 2008 had not had OWASP: $384,000 (48 sites x $8,000/site)
• OWASP savings = $383,800 in year 1

Page 28: UFS: The Pros with OWASP

• Cost reduction will continue past year 1: accomplished more reviews at a lower cost, and time to assess should trend down
• Reports are standardized now: a different vendor meant different reporting in prior years; standard reporting means better trend analysis
• Increased efficiency in remediation: analysts better understand the reported findings
• Analysts can better address audit questions: annual audits from government and the parent company; federal auditors praised the “well developed internal review process”

Page 29: UFS: The Cons with OWASP

• Starting up the program was initially slow: mid-year efficiency gains allowed them to surpass the 2007 review count in 2008
• Requires strong management support: must accept the potential for a slow year 1
• At least one analyst must be familiar with application security to lead the effort
• Additional training is still needed for some UFS analysts, to level out their skills: one-time cost of $15,000 to $25,000 for on-site, instructor-based training

Page 30: Some Personal Anecdotes

OWASP projects used in my security career:
• OWASP WebGoat: how I first learned about application security
• OWASP WebScarab: used during many penetration tests
• OWASP Live CD: my current preferred app sec testing environment
• OWASP Testing Guide: used in creating reports during security reviews
• OWASP Legal Project: utilized language from the project to add security language to our procurement process documents

Page 31: Security Assurance


Page 33: Challenges in Security Assurance

• Relatively new to most organizations
• Non-existent in the SMB space
• Most don’t know what they are assuring against
• If they do know what they are assuring against, it’s not consistently validated over time

Page 34: Prescriptive Advice

• Simplify!!!
• Create a roadmap
• Standardize
• Follow a methodology
• Define key metrics
• Measure over time

Page 35: Test & Verify

Page 36: OWASP ASVS Provides a Methodology for Security Assurance

The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications.
• Covers automated and manual approaches for external testing and code review techniques
• Recently created and already adopted by several companies and government agencies

Benefits
• Standardizes the coverage and level of rigor used to perform app sec assessments
• Allows for better comparisons

http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

Page 37: OWASP Testing Guide

Provides a “best practice” penetration testing framework and a “low level” penetration testing guide that describes techniques for testing web applications.
• Version 3 is the latest and is a 349 page book
• Tests split into 9 sub-categories with 66 controls to test

Benefits
• Ready-made testing framework
• Great categories and identifiers for reporting
• Excellent to augment the skills of analysts

http://www.owasp.org/index.php/Category:OWASP_Testing_Project

Page 38: Threat Modeling & Security Architecture: OWASP ASDR

• Provides an internal taxonomy of terms for the enterprise
• Great reference material for application security
• OWASP’s ‘man page’ for appsec related terms
• Perfect for building threat modeling content

Page 39: S-SDLC: Build Security In Already!

Page 40: OWASP Testing Guide: S-SDLC / Building Security In

Page 41: Challenges in Development & QA Groups

• No time for security at the DEV stage
• Security is an afterthought
• Perception: security is blowing smoke up my @$$ (FUD)
• Security architecture is non-existent
• Groups don’t have time to learn about security
• PMs don’t have time to wait for security requirements to be factored in
• No executive sponsorship for forcing security requirements in apps
• Myopic developers are only seeing functional code design

Page 42: Prescribed Solutions for Development & QA

Process
• OWASP Code Review Guide: methodology for source code reviews; book (2nd best selling for OWASP)
• OWASP Development Guide: establishes a process for secure development efforts across various SDLCs
• OWASP Cheat Sheet Series: see following slide
• OWASP countermeasures: OWASP CSRFGuard, OWASP AntiSamy, OWASP Enterprise Security API (ESAPI)

Reference
• OWASP WebGoat: deliberately insecure Java web application with lessons on common web vulnerabilities
• OWASP ASDR: great reference for developers and QA professionals
• OWASP Video Series: free video series geared towards developers and security testers (QA)
• OWASP Podcast Series: multiple topics covered, not just for dev; devs can pick and choose what is relevant for them; a great listen-as-you-work resource
• OWASP Top Ten: ranks the top web app related risks; serves as a good scope for initial testing

Tools
• OWASP Zed Attack Proxy: test against the OWASP Top Ten; use in conformance with the Testing Guide; exercise successful implementation of OWASP countermeasures
• OWASP Yasca: leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan source code

Page 43: List of Cheat Sheets

• Clickjacking Defense Cheat Sheet
• C-Based Toolchain Hardening Cheat Sheet
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Cryptographic Storage Cheat Sheet
• DOM based XSS Prevention Cheat Sheet
• Forgot Password Cheat Sheet
• HTML5 Security Cheat Sheet
• Input Validation Cheat Sheet
• JAAS Cheat Sheet
• Logging Cheat Sheet
• .NET Security Cheat Sheet
• OWASP Top Ten Cheat Sheet
• Password Storage Cheat Sheet
• Pinning Cheat Sheet
• Query Parameterization Cheat Sheet
• Ruby on Rails Cheat Sheet
• REST Security Cheat Sheet
• Session Management Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Transport Layer Protection Cheat Sheet
• Unvalidated Redirects and Forwards Cheat Sheet
• User Privacy Protection Cheat Sheet
• Web Service Security Cheat Sheet
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• Attack Surface Analysis Cheat Sheet
• XSS Filter Evasion Cheat Sheet
• REST Assessment Cheat Sheet
• iOS Developer Cheat Sheet
• Mobile Jailbreaking Cheat Sheet
• OpSec Cheat Sheets (Defender)
• Virtual Patching Cheat Sheet

Page 44: Cheat Snippets

Insecure direct object references

It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys, i.e. that the authenticated user is actually entitled to the account and invoice identifiers carried in the request:

https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376

In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe.

https://example.com/invoice/2362365

In this case, it would be possible to get a copy of all invoices.

Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010.
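The two URLs above are only safe when the server ties the identifiers it was handed to the identity it already has in the session. The following is an added example, written for this page rather than taken from the cheat sheet or the presentation, and in Python rather than the Java of the snippet that follows. The account and invoice ids are the ones from the URLs above; the owners, balances, user names and function names are constructed for illustration.

```python
# Constructed in-memory tables standing in for the bank's database. Account
# and invoice ids are the ones from the cheat sheet URLs; owners and balances
# (in cents) are made up for the example.
ACCOUNTS = {
    "325365436": {"owner": "alice", "balance_cents": 50_000},
    "473846376": {"owner": "bob", "balance_cents": 5_000},
}
INVOICES = {
    "2362365": {"owner": "bob", "total_cents": 1_999},
}


class Forbidden(Exception):
    """The caller is not entitled to the object it referenced."""


def transfer_insecure(amount_cents, from_acct, to_acct):
    """The pattern the cheat sheet warns about: both account ids come straight
    from the request and nothing ties the source account to the caller, so
    anyone who can guess an account number can move its money."""
    src, dst = ACCOUNTS[from_acct], ACCOUNTS[to_acct]
    src["balance_cents"] -= amount_cents
    dst["balance_cents"] += amount_cents
    return src["balance_cents"]


def transfer_secure(current_user, amount_cents, from_acct, to_acct):
    """Hardened handler. current_user comes from the server-side session, never
    from a request parameter; the source account must belong to that user."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    src = ACCOUNTS.get(from_acct)
    dst = ACCOUNTS.get(to_acct)
    # One error for both 'no such account' and 'not your account', so the
    # response cannot be used to enumerate valid account numbers.
    if src is None or src["owner"] != current_user:
        raise Forbidden("not authorized for source account")
    if dst is None:
        raise Forbidden("unknown destination account")
    if src["balance_cents"] < amount_cents:
        raise ValueError("insufficient funds")
    src["balance_cents"] -= amount_cents
    dst["balance_cents"] += amount_cents
    return src["balance_cents"]


def get_invoice(current_user, invoice_id):
    """Reads need the same check: look the invoice up, then compare its owner
    to the caller before returning anything. A random, unguessable id would
    not replace this check (the cheat sheet's point); it only slows guessing."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != current_user:
        raise Forbidden("not authorized for invoice")
    return inv


if __name__ == "__main__":
    # mallory moves alice's money through the insecure handler...
    print(transfer_insecure(10_000, "325365436", "473846376"))
    # ...and is refused by the hardened one, as is alice reading bob's invoice.
    for call in (lambda: transfer_secure("mallory", 10_000, "325365436", "473846376"),
                 lambda: get_invoice("alice", "2362365")):
        try:
            call()
        except Forbidden as exc:
            print("blocked:", exc)
```

The ownership comparison is the whole defence: the request may name any primary or foreign key it likes, but the handler only acts when the session's user is the owner of the row that key resolves to.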

Java Regex Usage Example

Example validating the parameter “zip” using a regular expression. Note the doubled backslashes required inside a Java string literal, the anchored pattern (so matches() only accepts an entire, well-formed ZIP code), and the explicit null check for a missing parameter. YourValidationException is the cheat sheet’s placeholder exception type.

    import java.io.IOException;
    import java.util.regex.Pattern;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class ZipServlet extends javax.servlet.http.HttpServlet {
        // Placeholder from the cheat sheet; a real application would use its own exception type.
        static class YourValidationException extends Exception { YourValidationException(String m) { super(m); } }
        // Anchored allowlist: exactly 5 digits, optionally followed by -4 digits.
        private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

        public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
            try {
                String zipCode = request.getParameter("zip");
                // A missing parameter is invalid too; matcher(null) would throw a NullPointerException.
                if (zipCode == null || !zipPattern.matcher(zipCode).matches()) {
                    throw new YourValidationException("Improper zipcode format.");
                }
                // .. do what you want here, after it has been validated ..
            } catch (YourValidationException e) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
            }
        }
    }


Page 46: OWASP AntiSamy

OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant with the application’s rules.
• API plus implementations: Java, .Net, ColdFusion, PHP (HTMLPurifier)

Benefits
• It helps you ensure that clients don’t supply malicious code into your application
• A safer way to allow rich content from an application’s users

http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
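AntiSamy works from a policy file: only the tags, attributes and URL schemes the policy lists survive, and everything else is removed. The block below is an added example of that allowlist idea using Python’s html.parser; it is not AntiSamy’s code and is in Python rather than Java. The policy sets (ALLOWED_TAGS, ALLOWED_ATTRS, SAFE_SCHEMES) are constructed for the example and far smaller than a real AntiSamy policy.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policy, the analogue of an AntiSamy policy file: everything not
# listed here is dropped. Event-handler attributes (onclick, onerror, ...) can
# never appear because only 'href' on <a> is allowed at all.
ALLOWED_TAGS = {"p", "b", "i", "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}   # their text must not be rendered either


class PolicySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = 0            # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # html.parser has already decoded entities in 'value', so an
            # entity-encoded 'javascript:' is compared in its decoded form.
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = max(0, self.skipping - 1)
            return
        if not self.skipping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            # Text is re-escaped on output, so a stray '<' typed by the user
            # renders literally instead of opening a tag.
            self.out.append(escape(data, quote=False))


def sanitize(user_html):
    """Return user_html reduced to what the policy allows."""
    parser = PolicySanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(sanitize('<p onclick="x">hi <a href="javascript:alert(1)">x</a>'
                   '<script>evil()</script></p>'))
```

The important design choice is that the parser rebuilds the output from its own tokens instead of editing the input string, so malformed markup, unusual casing and entity-encoded payloads are normalised by the parser before the policy is applied, and the policy is an allowlist rather than a list of known-bad patterns.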

Page 47: OWASP CSRFGuard

OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated.
• Java, .Net and PHP implementations
• CSRF is considered the app sec sleeping giant

Benefits
• Provides code to generate unique request tokens to mitigate CSRF risks

http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
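The token pattern CSRFGuard implements, reduced to its essentials, as an added example that is not CSRFGuard’s own code (Python rather than Java): a random secret is generated once per session, embedded in every form the application serves, and every state-changing request must echo it back. A forged request from another origin cannot read the token, so it fails the check. The field name csrf_token and the session dictionary are assumptions for the example.

```python
import hmac
import secrets

# Methods that change state and therefore must carry a valid token; safe
# methods pass untouched, the same split CSRFGuard makes in its configuration.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN_FIELD = "csrf_token"      # form field name, an assumption for the example


def issue_token(session):
    """Create the per-session token once and keep it server-side. It is random,
    so a third-party page cannot guess it, and it is never derived from
    anything the attacker can observe."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_form(session, action):
    """Embed the token as a hidden field. A browser will only submit it from a
    form we served; a form hosted on the attacker's site has no way to read it."""
    token = issue_token(session)
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
            f'</form>')


def is_request_allowed(session, method, form):
    """Server-side check on every request: safe methods pass; state-changing
    ones need a submitted token equal to the session's, compared in constant
    time so the comparison itself leaks nothing about the token."""
    if method.upper() not in STATE_CHANGING:
        return True
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    session = {}                         # stands in for the server-side session store
    print(render_form(session, "/transfer"))
    # legitimate submission from our own form
    print(is_request_allowed(session, "POST", {TOKEN_FIELD: session[TOKEN_FIELD]}))
    # forged cross-site POST: the attacker's form cannot include the token
    print(is_request_allowed(session, "POST", {}))
```

The check only helps if it is applied to every state-changing endpoint and the token is bound to the session that issued it; a token that is merely present, or one accepted from any session, defeats the purpose.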

Page 48: OWASP ESAPI

OWASP Enterprise Security API (ESAPI) is a free and open collection of all the security methods that a developer needs to build a secure web application.
• API is fully documented and online
• Implementations in multiple languages

Benefits
• Provides a great reference
• Implementation can be adapted or used directly
• Provides a benchmark to measure frameworks against

http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Page 49: Security Testing: You Can Start Tomorrow

Page 50: OWASP Top Ten

The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are.
• Adopted by the Payment Card Industry (PCI)
• Recommended as a best practice by many government and industry entities

Benefits
• Powerful awareness document for web application security
• Great starting point and reference for developers

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Page 51: The Zed Attack Proxy

• Released September 2010
• Ease of use a priority
• Comprehensive help pages
• Free, open source
• Cross platform
• A fork of the well regarded Paros Proxy
• Involvement actively encouraged
• Adopted by OWASP October 2010

Page 52: ZAP Overview

ZAP is:
• Easy to use (for a web app pentest tool ;)
• Ideal for appsec newcomers
• Ideal for training courses
• Being used by professional pen testers
• Easy to contribute to (and please do!)
• Improving rapidly

Page 53: ZAP Principles

• Free, open source
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Involvement actively encouraged
• Reuse well regarded components

Page 54: Where is ZAP being used?

United States, Japan, Spain, United Kingdom, Germany, China, Ukraine, Switzerland, Mexico, Canada

Page 55: The Main Features

All the essentials for web application testing:
• Intercepting proxy
• Active and passive scanners
• Spider
• Report generation
• Brute force (using OWASP DirBuster code)
• Fuzzing (using OWASP JBroFuzz code)

Page 56: The Additional Features

• Auto tagging
• Port scanner
• Smart card support
• Session comparison
• Invoke external apps
• BeanShell integration
• API + headless mode
• Dynamic SSL certificates
• Anti-CSRF token handling
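The API and headless mode are what make ZAP usable for the SecOps metrics on page 21 (measuring by events, validated alerts, false-positive analysis for tuning): a scan run without the GUI can be pulled as JSON and trended. The block below is an added example, not part of the presentation or of ZAP itself: it takes a response in the shape ZAP’s /JSON/core/view/alerts/ view returns (the alert, risk, confidence, url, param, pluginId and cweid fields), drops alerts an analyst has already validated as false positives, collapses the rest to distinct weaknesses and counts them by risk. The alert records and the suppression list are constructed sample data, not real scan output.

```python
import json
from collections import Counter

# Constructed sample in the shape of ZAP's /JSON/core/view/alerts/ response.
# Field names are the ones ZAP uses; the contents are made up for the example.
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Medium", "url": "https://example.com/search?q=x", "param": "q", "cweid": "79"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Medium", "url": "https://example.com/search?q=y", "param": "q", "cweid": "79"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "https://example.com/static/app.js", "param": "", "cweid": "16"},
    {"pluginId": "10202", "alert": "Absence of Anti-CSRF Tokens", "risk": "Medium",
     "confidence": "Low", "url": "https://example.com/search", "param": "", "cweid": "352"},
]})

# Tuning list from prior false-positive analysis: (pluginId, URL prefix) pairs
# an analyst has validated as noise. Constructed for the example.
SUPPRESSED = {("10021", "https://example.com/static/")}

RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
CONFIDENCE_ORDER = {"Low": 1, "Medium": 2, "High": 3, "Confirmed": 4}


def load_alerts(raw_json):
    """Parse the alerts view; ZAP wraps the list in an 'alerts' key."""
    return json.loads(raw_json)["alerts"]


def is_suppressed(alert):
    return any(alert["pluginId"] == plugin and alert["url"].startswith(prefix)
               for plugin, prefix in SUPPRESSED)


def triage(alerts, min_confidence="Medium"):
    """Drop tuned-out and low-confidence alerts, then collapse the rest to one
    finding per (plugin, parameter) so the count reflects distinct weaknesses
    rather than how many URLs the spider happened to hit."""
    threshold = CONFIDENCE_ORDER[min_confidence]
    findings = {}
    for alert in alerts:
        if is_suppressed(alert) or CONFIDENCE_ORDER.get(alert["confidence"], 0) < threshold:
            continue
        key = (alert["pluginId"], alert["param"])
        entry = findings.setdefault(key, {"alert": alert["alert"], "risk": alert["risk"],
                                          "cweid": alert["cweid"], "urls": []})
        entry["urls"].append(alert["url"])
    return sorted(findings.values(), key=lambda f: RISK_ORDER[f["risk"]], reverse=True)


def risk_counts(findings):
    """The per-scan number to trend over time: distinct findings by risk."""
    return dict(Counter(f["risk"] for f in findings))


if __name__ == "__main__":
    results = triage(load_alerts(SAMPLE_ALERTS_JSON))
    for f in results:
        print(f["risk"], f["alert"], "CWE-" + f["cweid"], len(f["urls"]), "URL(s)")
    print(risk_counts(results))
```

Trending risk_counts across scans gives the "are we getting better" answer page 20 says most teams lack, and the suppression list keeps that trend honest by recording, rather than silently forgetting, which alerts were judged false positives.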

Page 57: The Future

• Enhance scanners to detect more vulnerabilities
• Extend API, better integration
• Fuzzing analysis
• Easier to use, better help
• More localization (all offers gratefully received!)
• Parameter analysis?
• Technology detection?

Page 58: ZAP Summary

ZAP has:
• An active development community
• An international user base
• The potential to reach people new to OWASP and appsec, especially developers and functional testers

ZAP is a key OWASP project
• Security Tool of the Year 2013

Page 59: To Get More Out of OWASP, start here: www.owasp.org

Page 60: Any Questions?

http://www.owasp.org/index.php/atlanta
www.meetup.com/owasp-atlanta
@owaspatl