Description: OWASP Porto Alegre Chapter. OWASP in favor of a more secure world. L. Gustavo C. Barbato, Ph.D. ([email protected]), Chapter Leader, OWASP Porto Alegre / Brazil; Member, Global Chapter Committee. Porto Alegre Chapter Meeting, 03/31/2011, UNISINOS – São Leopoldo.
The OWASP Foundation, http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP Porto Alegre Chapter
OWASP in favor of a more secure world
L. Gustavo C. Barbato, Ph.D., [email protected]
Chapter Leader, OWASP Porto Alegre / Brazil; Member, Global Chapter Committee
Porto Alegre Chapter Meeting, 03/31/2011
UNISINOS – São Leopoldo
Introduction
OWASP (Open Web Application Security Project)
• OWASP is an international organization and the OWASP Foundation supports OWASP efforts around the world
• OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted
• All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security
http://www.owasp.org/index.php/About_OWASP
Knowledge base
(Timeline figure: growth of the OWASP knowledge base from 2001 through 2003, 2005, 2007, 2009 and 2011)
http://www.owasp.org
History
• OWASP was started on September 9, 2001 by Mark Curphey and Dennis Groves
• Since late 2003, Jeff Williams has served as the volunteer Chair of OWASP
• The OWASP Foundation, a 501(c)(3) organization (in the USA), was established in 2004
• Thousands of individual members, nowadays
• OWASP Foundation has over 80 active local chapters
• and only 3 employees
http://en.wikipedia.org/wiki/OWASP
Ecosystem
Volunteers
• Knowledge sharing
• People/Project Leadership
• Events presentations
• Administration
Sustained by
• Conferences
• Individual supporters, annually
• Banner advertisements
• Corporate sponsors
http://www.owasp.org/images/0/0d/OWASP_ByLaws.pdf
Structure
OWASP Board
• Jeff Williams - USA
• Sebastien Deleersnyder - Belgium
• Tom Brennan - USA
• Eoin Keary - Ireland
• Dave Wichers - USA
• Matt Tesauro - USA
http://www.owasp.org/index.php/Contact
Global Committees
http://www.owasp.org/index.php/Global_Committee_Pages
Local Chapters
• Hundreds of local chapters, but only around 80 are active
• http://www.owasp.org/index.php/Category:Brasil
• Brazilian chapters: Porto Alegre, Curitiba, São Paulo, Campinas, Brasília, Goiania, Recife, Paraíba
http://www.owasp.org/index.php/Category:OWASP_Chapter
Organization Supporters
http://www.owasp.org/index.php/Membership
Projects
Resources
Automated Security Verification
• Vulnerability Scanners
• Static Analysis Tools
• Fuzzing
Manual Security Verification
• Penetration Testing Tools
• Code Review Tools
Security Architecture
• ESAPI
Secure Coding
• AppSec Libraries
• ESAPI Reference Implementation
• Guards and Filters
AppSec Management
• Reporting Tools
AppSec Education
• Flawed Apps
• Learning Environments
• Live CD
• SiteGenerator
http://www.owasp.org/index.php/Category:OWASP_Project
OWASP Top Ten 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
http://www.owasp.org/index.php/Top_10
ESAPI (Enterprise Security API)
(Layered architecture figure: your Custom Enterprise Web Application sits on top of the OWASP Enterprise Security API, which in turn wraps Your Existing Enterprise Services or Libraries)
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
http://www.owasp.org/index.php/ESAPI
SAMM (Software Assurance Maturity Model)
http://www.owasp.org/index.php/Software_Assurance_Maturity_Model
CLASP (Comprehensive, Lightweight, Application Security Process)
http://www.owasp.org/index.php/OWASP_CLASP_Project
ASVS (Application Security Verification Standard)
http://www.owasp.org/index.php/ASVS
OWASP Testing Guide
http://www.owasp.org/index.php/OWASP_Testing_Project
WebScarab
http://www.owasp.org/index.php/OWASP_WebScarab
WebGoat
http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP Live CD
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
"(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:… … … \
"capture,log,deny,t:replaceComments,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950001',severity:'2'"
(The signature regex is shown truncated on the slide.)
• Supports any type of parameters: POST, GET or any other
• Common evasion techniques are mitigated
• Every SQL injection related keyword is checked
• SQL comments are compensated for
ModSecurity Core Rule Set Project
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
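As an added illustration (not from the slide deck or the CRS project) of why the rule above lists transformations before its signature: a Python re-implementation of the four t: steps, applied in the rule's order to the same variable set (ARGS, ARGS_NAMES, REQUEST_FILENAME, REQUEST_HEADERS minus Referer) before a cut-down stand-in for the truncated regex. The request dict shape and the simplified urlDecodeUni/htmlEntityDecode behaviour are assumptions.

```python
import html
import re

# Cut-down stand-in for the truncated CRS regex: its "select ... from ... where" branch.
SQLI_SIGNATURE = re.compile(r"\bselect\b.{1,100}?\bfrom\b.{1,100}?\bwhere\b")

def t_replace_comments(s):
    """t:replaceComments: each C-style /* ... */ comment becomes one space."""
    return re.sub(r"/\*.*?\*/", " ", s, flags=re.S)

def t_url_decode_uni(s):
    """t:urlDecodeUni (simplified): decode %XX and IIS-style %uXXXX escapes."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def t_html_entity_decode(s):
    """t:htmlEntityDecode, approximated with the stdlib HTML unescaper."""
    return html.unescape(s)

# Same order as the rule's t: chain; the signature runs on the final form only.
TRANSFORMS = (t_replace_comments, t_url_decode_uni, t_html_entity_decode, str.lower)

def normalize(value):
    for t in TRANSFORMS:
        value = t(value)
    return value

def inspect_request(request):
    """Mirror the rule's variable list; return (variable, matched text) hits.
    Assumed request shape: {"filename", "args": {k: v}, "headers": {k: v}}."""
    targets = [("REQUEST_FILENAME", request.get("filename", ""))]
    for name, value in request.get("args", {}).items():
        targets.append(("ARGS:" + name, value))
        targets.append(("ARGS_NAMES:" + name, name))
    for name, value in request.get("headers", {}).items():
        if name.lower() != "referer":      # !REQUEST_HEADERS:Referer
            targets.append(("REQUEST_HEADERS:" + name, value))
    hits = []
    for var, raw in targets:
        m = SQLI_SIGNATURE.search(normalize(raw))
        if m:
            hits.append((var, m.group(0)))  # m.group(0) is what %{TX.0} would hold
    return hits

# Constructed sample: encoded keywords in an argument and a header; Referer is skipped by the rule.
SAMPLE_REQUEST = {
    "filename": "/search.php",
    "args": {"id": "%53ELECT%20id%20FROM/**/t%20WHERE%201=1", "q": "hello /* world */"},
    "headers": {"Referer": "select x from y where 1=1", "User-Agent": "s&#101;lect x fr&#111;m y where 1=1"},
}
```

Running inspect_request(SAMPLE_REQUEST) flags ARGS:id and REQUEST_HEADERS:User-Agent only, showing that the raw bytes never match the signature until the transformation chain has undone the encodings.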
Conferences
Global AppSec Europe (June 6, 2011 - June 10, 2011)
http://www.owasp.org/index.php/AppSecEU2011
Global AppSec North America (Sept. 20, 2011 - Sept. 23, 2011)
http://www.appsecusa.org
Global AppSec Asia (Nov. 3, 2011 - Nov. 5, 2011)
http://www.owasp.org/index.php/China_AppSec_2011
Global AppSec Latin America (Oct. 4, 2011 - Oct. 7, 2011)
http://www.appseclatam.org
How to participate?
• http://www.owasp.org/index.php/Porto_Alegre
• Papers, wiki
• Mailing lists
• Projects: proposing new ones, testing existing ones, feedback
• Translations
• Presentations
• Contributing annually (US$ 50)
http://www.regonline.com/owasp_membership
Questions ???
References
Decks used to create this one:
http://www.owasp.org/images/b/b4/OWASP-Intro-2008-pt-br.ppt
https://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt
http://www.owasp.org/images/7/71/About_OWASP_ASVS.ppt
https://www.owasp.org/images/8/88/OWASP_EU_Summit_2008_WebScarab_treasures.ppt
http://www.opensamm.org/downloads/resources/OpenSAMM-1.0.ppt
http://www.owasp.org/images/a/ac/CLASPOverviewPresentation20080807NickCoblentz.ppt
http://www.owasp.org/images/4/46/AppSecEU09_OWASP_Live_CD-mtesauro.ppt
http://www.owasp.org/images/2/21/OWASPAppSec2007Milan_ModSecurityCoreRuleSet.ppt