41

Page 1: Meet OWASP: resources you can use, today. Antonio Fontes antonio.fontes@owasp.org OWASP Geneva Chapter Leader Switzerland

Meet OWASP: resources you can use, today.

Antonio Fontes, antonio.fontes@owasp.org
OWASP Geneva Chapter Leader, Switzerland

Page 2

About myself

• Software / Web application security architect

• Independent (no ties with any integrator/vendor)

• OWASP Leader:

– Member of the Board, OWASP Switzerland

– Leader, OWASP Geneva Chapter

• Core interests:

– Software Assurance Maturity Model (SAMM)

– Application Security Verification Standard (ASVS)

Page 3

State of Information Security

The problem?

There are not enough qualified application security professionals.

What can we do about it?

• Make application security visible

• Provide developers and software testers with materials and tools helping them to build more secure applications


Page 4

What is OWASP?

• Open Web Application Security Project, https://www.owasp.org

• Global community, driving and promoting safety and security of the world's software

• Not-for-profit foundation registered in the United States and a non-profit association registered in European Union

• Open:

– Everyone is free to participate

– All OWASP materials & tools are free


Page 5

OWASP by Numbers

• 12 years of community service

• 88+ Government & Industry Citations

– including DHS, ISO, IEEE, NIST, SANS Institute, PCI-DSS, CSA, etc.

• 36,000+ registered members to the mailing lists

• 320,000+ unique visitors per month

• 1,000,000+ pages viewed per month

• 15,000+ tools and documents downloaded each month


Page 6

OWASP by the Numbers (cont)

• Year 2013 budget: USD 580,000

• 2081 individual members and honorary members

• 70 countries

• 60+ donating Corporate Members

• 100+ supporting Academic Members

• 198 Active Chapters

• 168 Active Projects

• 4 Global AppSec Conferences per Year


Page 7

OWASP by the Numbers (cont)


Page 8

• Started in 2008

• Promote application security through chapter meetings and collaboration with local developer communities

• 2013:

– Contact initiated with local developer groups (*UG)

– 5 meetings planned

– Board made of 3 industry representatives: consulting, banking/finance and public administration sectors:

Simon [email protected]

Thomas [email protected]

Antonio [email protected]

Page 9


OWASP Projects & Tools

• Make application security visible

• Videos, podcasts, books, guidelines, cheat sheets, tools, …

• Available under a free and open software license

• Used, recommended and referenced by many government, standards and industry organisations

• Open for everyone to participate

Page 10


OWASP Projects & Tools - Classification

• 168+ Active Projects

• PROTECT – guard against security-related design and implementation flaws.

• DETECT – find security-related design and implementation flaws.

• LIFE CYCLE – add security-related activities into software processes (e.g. SDLC, agile, etc.)

Page 11


OWASP Projects & Tools – An Overview

Projects shown on the slide, grouped under DETECT, PROTECT and LIFE CYCLE: OWASP Top 10, OWASP Code Review Guide, OWASP Testing Guide, OWASP Cheat Sheet Series, OWASP ESAPI, OWASP ModSecurity CRS, OWASP AppSec Tutorials, OWASP ASVS, OWASP LiveCD / WTE, OWASP ZAP Proxy, WebGoat J2EE, WebGoat .NET

Full list of projects (release, beta, alpha): http://www.owasp.org/index.php/Category:OWASP_Project

Page 12

10 Most critical web application security risks

• The most visible OWASP project

• Classifies some of the most critical risks

• Essential reading for anyone developing web applications

• Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, FTC, and many more


Page 13

OWASP Top Ten (2013 Edition)

A1: Injection

A2: Broken Authentication and Session Management

A3: Cross-Site Scripting (XSS)

A4: Insecure Direct Object References

A5: Security Misconfiguration

A6: Sensitive Data Exposure

A7: Missing Function Level Access Control

A8: Cross-Site Request Forgery (CSRF)

A9: Using Known Vulnerable Components

A10: Unvalidated Redirects and Forwards

Page 14

OWASP Top 10 Risk Rating Methodology

Rating factors (scored 1 to 3; 1 is the most severe value):

Threat Agent: ?

Attack Vector: Easy (1) / Average (2) / Difficult (3)

Weakness Prevalence: Widespread (1) / Common (2) / Uncommon (3)

Weakness Detectability: Easy (1) / Average (2) / Difficult (3)

Technical Impact: Severe (1) / Moderate (2) / Minor (3)

Business Impact: ?

Injection example: Attack Vector 1, Weakness Prevalence 2, Weakness Detectability 2 give a likelihood of (1 + 2 + 2) / 3 = 1.66; Technical Impact 1 gives 1.66 * 1 = 1.66 weighted risk rating.
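The rating arithmetic from this slide, written out as an added Python example for this page (not OWASP's own tooling). The scale dictionaries mirror the slide's labels; the second risk in the usage block is a constructed contrast, not from the slide.

```python
from statistics import mean

# Scale labels as shown on the slide; 1 is the most severe value, 3 the least.
ATTACK_VECTOR = {"Easy": 1, "Average": 2, "Difficult": 3}
PREVALENCE = {"Widespread": 1, "Common": 2, "Uncommon": 3}
DETECTABILITY = {"Easy": 1, "Average": 2, "Difficult": 3}
TECHNICAL_IMPACT = {"Severe": 1, "Moderate": 2, "Minor": 3}


def weighted_risk(attack_vector: str, prevalence: str,
                  detectability: str, impact: str) -> float:
    """Likelihood is the mean of the three attack/weakness factors; the
    weighted rating multiplies it by technical impact. Threat agent and
    business impact are marked '?' on the slide (application-specific),
    so they are not scored here. An unknown label raises KeyError rather
    than silently scoring the risk."""
    likelihood = mean([ATTACK_VECTOR[attack_vector],
                       PREVALENCE[prevalence],
                       DETECTABILITY[detectability]])
    return likelihood * TECHNICAL_IMPACT[impact]


def rank(risks: dict) -> list:
    """Order named risks from most to least critical (lowest rating first).
    Each value is a (attack_vector, prevalence, detectability, impact) tuple."""
    scored = {name: weighted_risk(*factors) for name, factors in risks.items()}
    return sorted(scored, key=scored.get)


if __name__ == "__main__":
    risks = {
        # The slide's injection example: 1, 2, 2 -> 1.66, times impact 1.
        "Injection": ("Easy", "Common", "Average", "Severe"),
        # Constructed low-risk contrast (hypothetical, not from the slide).
        "Hypothetical low risk": ("Difficult", "Uncommon", "Difficult", "Minor"),
    }
    for name in rank(risks):
        print(f"{weighted_risk(*risks[name]):.2f}  {name}")
```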

Page 15

Code Review Guide


• Code review is probably the most effective technique for identifying security flaws

• Focuses on the mechanics of reviewing code for certain vulnerabilities

• A key enabler for the OWASP fight against software insecurity

• Update is in progress

Page 16

Code Review Guide (cont)


• Focuses on .NET and Java, but has some C/C++ and PHP

• Integration of secure code review into software development processes

• Understand what you are reviewing

• Security code review is not a silver bullet, but a key component of an IS program

Page 17

Testing Guide


• Create a "best practices" web application penetration testing framework

• A low-level web application penetration testing guide

• Recommended for developers and software testers

• Update in progress

https://www.owasp.org/index.php/OWASP_Testing_Project

Page 18

Cheat Sheet Series


• Provide a concise collection of high value information on specific web application security topics

https://www.owasp.org/index.php/Cheat_Sheets

Developer Cheat Sheets (Builder): Authentication, Clickjacking Defense, Cryptographic Storage, HTML5 Security, Input Validation, Query Parameterization, Session Management, SQL Injection Prevention, …

Assessment Cheat Sheets (Breaker): Attack Surface Analysis, XSS Filter Evasion, …

Mobile Cheat Sheets: iOS Developer, Mobile Jailbreaking, …

Page 19

Cheat Sheet Series (cont)


• The most visible OWASP project

• Classifies some of the most critical risks

• Essential reading for anyone developing web applications

• Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more

Page 20

Cheat Sheet Series (cont)


Page 21

AppSec Tutorial Series


https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series

• Video-based application security training

• Four episodes are available

Page 22

ASVS: Application Security Verification Standard

• Provides a basis for testing application technical security controls

• Use as a metric – assess the degree of trust in existing security controls

• Use as guidance – for what to build as part of planned security controls

• Use during procurement


Page 23

ASVS: Levels


Page 24

ASVS: Verification Requirements


V1. Authentication

V2. Session Management

V3. Access Control

V4. Input Validation

V5. Cryptography (at Rest)

V6. Error Handling and Logging

V7. Data Protection

V8. Communication Security

V9. HTTP Security

V10. Malicious Controls

V11. Business Logic

V12. Files and Resources

V13. Mobile

Page 25


SAMM: Software Assurance Maturity Model

• A framework to integrate security into software development and procurement/acquisition processes.

• A maturity model to qualify a software security initiative under a repeatable process, over time or across several units.

Page 26


SAMM: Software Assurance Maturity Model

Page 27

LiveCD / WTE


• Make application security tools and documentation easily available

• Collects some of the best open source security projects in a single environment

• Boot from this Live CD and have access to a full security testing suite

http://appseclive.org/

Page 28

Mailing list 101

• A list for introductory questions on application security

Open access: https://lists.owasp.org/mailman/listinfo/security101

Page 29

Zed Attack Proxy


• One of the flagship OWASP projects

• Easy to use integrated penetration testing tool for assessing web applications

• Ideal for developers and functional testers who are new to penetration testing

• Completely free and open source

• Cross platform, internationalised

Page 30

ZAP Proxy: Features


• Intercepting Proxy

• Automated scanner

• Passive scanner

• Brute Force scanner

• Spider

• Fuzzer

• Port scanner

• Dynamic SSL certificates

• API

• Beanshell integration

Upcoming:

– New Spider with Ajax functionality

– Session scope awareness

– Web socket support

– Scanning modes (Safe/Protected/Standard)

– Scripting console

Page 31

ESAPI: Enterprise Security API


• Free, open source, web application security controls library

• Provide developers with libraries for writing lower-risk applications

• Allow retrofitting security into existing applications

• Serve as a solid foundation for new development

• Support for Java, PHP and Force.com – more languages may be supported

Page 32

ESAPI: functions and services


Custom Enterprise Web Application

Enterprise Security API (components shown on the slide): Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration

Existing Enterprise Security Services/Libraries

Page 33

ESAPI: Validation and Encoding


Diagram labels: User, Controller, Business Functions, Data Layer (Backend), with the Validator and Encoder shown alongside.

Encoder methods: encodeForURL, encodeForJavaScript, encodeForVBScript, encodeForDN, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath

Validator methods: isValidDirectoryPath, isValidCreditCard, isValidDataFromBrowser, isValidListItem, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine

Also covered: Canonicalization, Double Encoding Protection, Normalization, Sanitization
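A minimal illustration of the two ideas behind the Encoder list above, context-specific output encoding and canonicalization with double-encoding detection, written as added example code for this page. It is not ESAPI's implementation: the function names echo the slide's naming, but the encoding rules, the decoder set and the round limit are this example's own assumptions.

```python
"""Illustrative stand-ins for ESAPI-style contextual encoders and
canonicalization (constructed example, not ESAPI's own code)."""
import html
import re
import urllib.parse

_ALNUM = re.compile(r"[A-Za-z0-9]")


def encode_for_html(s: str) -> str:
    # Element content: escape the HTML metacharacters, quotes included.
    return html.escape(s, quote=True)


def encode_for_html_attribute(s: str) -> str:
    # Attribute values: every non-alphanumeric becomes a numeric entity, so
    # the value cannot terminate the attribute whatever quoting is used.
    return "".join(c if _ALNUM.match(c) else f"&#x{ord(c):X};" for c in s)


def encode_for_javascript(s: str) -> str:
    # JS string literals: \xHH for Latin-1, \uHHHH beyond it. HTML entities
    # would be wrong here, which is why each context needs its own encoder.
    out = []
    for c in s:
        if _ALNUM.match(c):
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


def encode_for_url(s: str) -> str:
    # Query-string components: percent-encode everything but alphanumerics.
    return urllib.parse.quote(s, safe="")


def canonicalize(s: str, max_rounds: int = 4) -> tuple[str, int]:
    """Strip one layer of URL or HTML encoding per round until the value is
    stable. Returns (canonical_value, rounds); rounds > 1 means the input
    was encoded more than once, which a double-encoding check should reject
    before the value reaches a validator."""
    decoders = (urllib.parse.unquote, html.unescape)
    rounds = 0
    while rounds < max_rounds:
        for decode in decoders:
            decoded = decode(s)
            if decoded != s:
                s, rounds = decoded, rounds + 1
                break
        else:
            return s, rounds          # no decoder changed the value
    return s, rounds                  # round limit reached; treat as suspect
```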

Page 34

ModSecurity CRS: Core Rule Set


• Free certified rule set for ModSecurity WAF

• Generic web application protection:

– Common Web Attacks Protection

– HTTP Protection

– Real-time Blacklist Lookups

– HTTP Denial of Service Protection

– Automation Detection

– Integration with AV Scanning for File Uploads

– Tracking Sensitive Data

– Identification of Application Defects

– Error Detection and Hiding

https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Page 35

WebGoat


• Deliberately insecure web application to teach web application security lessons

• Over 30 lessons, providing hands-on learning about:

– Cross-Site Scripting (XSS)

– Access Control

– Blind/Numeric/String SQL Injection

– Web Services

– … and many more

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Page 36

WebGoat: Java


Page 37

WebGoat: .NET


• A purposefully broken ASP.NET web application

• Contains many common vulnerabilities

• Intended for use in classroom environments

https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET

Page 38

DEMO


• OWASP ZAP Proxy

• OWASP WebGoat Java Project

Page 39

Thank You!

Page 40

Q&A

If you need inspiration:

Where/How do we start using OWASP?

How can we help OWASP in return?

Can you tell us more about project ______ ?

Page 41

https://www.owasp.org

https://www.owasp.org/index.php/Geneva