OWASP, the Life and the Universe
CLUSIR-EST - Strasbourg
6th June 2013
Sébastien Gioria, [email protected], Leader OWASP France
Thursday, June 6, 13
http://www.google.fr/#q=sebastien gioria
‣ OWASP France Leader, Founder and Evangelist
‣ Application Security freelance consultant
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life
Twitter: @SPoint
Agenda
• Application Security:
– where we are (no bullshit)
– where we are (hopefully) going?
• Open Web Application Security Project?
• Update on OWASP Top10 (2013 version) and major projects
Why Application Security?
(decision flow built up on the slide)
• Your application will be hacked ;) – YES / NO
• Your application has been hacked – YES / NO
• "My application will be hacked!" – Let me take you on the right way
• Next step
Game Over....
• Do you have a VoIP phone?
• Do you have an IP router / broadband box?
• Do you have a smartphone?
• Do you have customers / partners over the Internet?
Why Application Security?
We are living in a digital environment, in a connected world
• Most websites are vulnerable to attacks
• An important share of business is web-based (services, online stores, self-care, telcos, SCADA, ...)
Age of Antivirus, Age of Network Security, Age of Application Security
OWASP?
The Open Web Application Security Project
OWASP: Swarms of WASPs: Local Chapters
What is OWASP
Mission Driven
Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services
What is OWASP
Community Driven
30,000 mailing list participants
200 active chapters in 70 countries
1600+ members, 56 corporate supporters
Around the World
200 chapters, 1,600+ members, 20,000+ Builders, Breakers and Defenders
What is OWASP
Quality Resources
200+ projects
15,000+ downloads of tools and documentation
The OWASP Top Ten
TOP 10 WEB APPLICATION SECURITY RISKS (2010 version! soon updated)
A1: Injection
A2: Cross Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
OWASP also offers:
• News
• A blog
• A podcast
• Memberships
• Mailing lists
• A newsletter
• An Apple App Store app
• Video tutorials
• Training sessions
• Social networking
Cheat Sheets
Developer Cheat Sheets
§ OWASP Top Ten Cheat Sheet
§ Authentication Cheat Sheet
§ Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
§ Cryptographic Storage Cheat Sheet
§ Input Validation Cheat Sheet
§ XSS (Cross Site Scripting) Prevention Cheat Sheet
§ DOM based XSS Prevention Cheat Sheet
§ Forgot Password Cheat Sheet
§ Query Parameterization Cheat Sheet
§ SQL Injection Prevention Cheat Sheet
§ Session Management Cheat Sheet
§ HTML5 Security Cheat Sheet
§ Transport Layer Protection Cheat Sheet
§ Web Service Security Cheat Sheet
§ Logging Cheat Sheet
§ JAAS Cheat Sheet
Mobile Cheat Sheets
§ IOS Developer Cheat Sheet
§ Mobile Jailbreaking Cheat Sheet
Draft Cheat Sheets
§ Access Control Cheat Sheet
§ REST Security Cheat Sheet
§ Abridged XSS Prevention Cheat Sheet
§ PHP Security Cheat Sheet
§ Password Storage Cheat Sheet
§ Secure Coding Cheat Sheet
§ Threat Modeling Cheat Sheet
§ Clickjacking Cheat Sheet
§ Virtual Patching Cheat Sheet
§ Secure SDLC Cheat Sheet
§ Web Application Security Testing Cheat Sheet
§ Application Security Architecture Cheat Sheet
Enterprise Security API (for Reboot)
Project Leader: Chris Schmidt, [email protected]
Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
AntiSamy
Project Leader: Jason Li, [email protected]
Purpose: An HTML validation tool and API to safely and gracefully handle rich HTML input, ensuring that user-supplied HTML/CSS complies with an application's rules.
https://www.owasp.org/index.php/AntiSamy
Guides (for Reboot)
Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services
Code Review Guide: mechanics of reviewing code for certain vulnerabilities and validation of proper security controls
Testing Guide: understand the what, why, when, where, and how of testing web applications
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
Zed Attack Proxy (for Reboot)
Project Leader: Simon Bennetts (aka Psiinon), [email protected]
Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications.
Last Release: ZAP 2.0.0 (30 Jan 2013)
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
AppSensor
Create attack-aware applications
Project Leader(s): Michael Coates, John Melton, Colin Watson
Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application.
Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc)
https://www.owasp.org/index.php/AppSensor
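To make the AppSensor idea concrete (detection points inside the application, thresholds per user, an escalating automated response), here is an added example in Python. It is not AppSensor's own code: the detection point IDs mimic AppSensor's naming (IEx input exceptions, AEx authentication exceptions, ACEx access control exceptions), while the thresholds, time windows, the response ladder and the sample event stream are assumptions constructed for illustration.

```python
"""AppSensor-style detection points with automated response.

Added example in the spirit of the AppSensor project, not AppSensor's own
code. Detection point IDs follow AppSensor's naming pattern; the thresholds,
windows and response ladder below are assumed values for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Optional, Set, Tuple
import time


@dataclass(frozen=True)
class DetectionPoint:
    id: str
    description: str
    threshold: int      # events inside the window before a response fires
    window_secs: int    # sliding window length in seconds


# Assumed catalogue: the thresholds are illustrative, not AppSensor's defaults.
DETECTION_POINTS: Dict[str, DetectionPoint] = {
    "IE1": DetectionPoint("IE1", "unexpected HTTP parameter name", 3, 60),
    "AE2": DetectionPoint("AE2", "failed login for one username", 5, 300),
    "ACE3": DetectionPoint("ACE3", "request for another user's object id", 1, 3600),
}

# Escalating response ladder: each trip for the same user moves one step up.
RESPONSES = ("log", "warn_user", "logout", "lock_account")


@dataclass
class AppSensor:
    now: Callable[[], float] = time.time
    _events: Dict[Tuple[str, str], Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))
    _trips: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    _locked: Set[str] = field(default_factory=set)

    def add_event(self, user: str, dp_id: str) -> Optional[str]:
        """Record one detection point event; return the response taken, if any."""
        dp = DETECTION_POINTS[dp_id]
        t = self.now()
        window = self._events[(user, dp_id)]
        window.append(t)
        # Drop events that have fallen out of the sliding window.
        while window and t - window[0] > dp.window_secs:
            window.popleft()
        if len(window) < dp.threshold:
            return None
        window.clear()  # a fresh run of events is needed for the next trip
        return self._respond(user)

    def _respond(self, user: str) -> str:
        step = min(self._trips[user], len(RESPONSES) - 1)
        self._trips[user] += 1
        action = RESPONSES[step]
        if action == "lock_account":
            self._locked.add(user)
        return action

    def is_locked(self, user: str) -> bool:
        return user in self._locked


# Constructed sample event stream (user, detection point), as an application
# would emit it from its login handler and its object access checks.
SAMPLE_EVENTS = [("alice", "AE2")] * 5 + [("alice", "ACE3")] * 3 + [("bob", "AE2")]


def run_sample(events=SAMPLE_EVENTS):
    """Feed events through a sensor with a fixed clock; return the responses fired."""
    sensor = AppSensor(now=lambda: 1000.0)
    fired = [(u, dp, sensor.add_event(u, dp)) for u, dp in events]
    return [f for f in fired if f[2] is not None], sensor


if __name__ == "__main__":
    fired, sensor = run_sample()
    for user, dp, action in fired:
        print(f"{dp} tripped for {user}: response={action}")
    print("alice locked:", sensor.is_locked("alice"))
```

Five failed logins trip AE2 and only produce a log entry; the three forced-browsing attempts that follow walk the same user up the ladder to an account lock. The clock is injectable so that window expiry can be exercised without sleeping.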
Cloud Top10 Project
Project Leader: Vinay Bansal, [email protected]
Purpose: Develop and maintain a list of Top 10 Security Risks faced with the Cloud Computing and SaaS Models. Serve as a quick list of top risks with cloud adoption, and provide guidelines on mitigating the risks.
Deliverables: Cloud Top 10 Security Risks (draft expected for early 2013)
https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project
Cloud Top10 Security Risks
• R1. Accountability & Data Risk
• R2. User Identity Federation
• R3. Legal & Regulatory Compliance
• R4. Business Continuity & Resiliency
• R5. User Privacy & Secondary Usage of Data
• R6. Service & Data Integration
• R7. Multi-tenancy & Physical Security
• R8. Incidence Analysis & Forensics
• R9. Infrastructure Security
• R10. Non-production Environment Exposure
Mobile Security Project (for Reboot)
Project Leader: Jack Mannino, [email protected]
Purpose: Establish an OWASP Top 10 Mobile Risks. Intended to be platform-agnostic. Focused on areas of risk rather than individual vulnerabilities.
Deliverables:
- Top 10 Mobile Risks (currently Release Candidate v1.0)
- Top 10 Mobile Controls (OWASP/ENISA collaboration)
- OWASP Wiki, 'Smartphone Secure Development Guidelines' (ENISA)
- Mobile Cheat Sheet Series
- OWASP GoatDroid Project
- OWASP Mobile Threat Model Project
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Top 10 Mobile Risks
• M1. Insecure Data Storage
• M2. Weak Server Side Controls
• M3. Insufficient Transport Layer Protection
• M4. Client Side Injection
• M5. Poor Authorization and Authentication
• M6. Improper Session Handling
• M7. Security Decisions via Untrusted Inputs
• M8. Side Channel Data Leakage
• M9. Broken Cryptography
• M10. Sensitive Information Disclosure
Threat Modeling Project
Project Leader: Anurag "Archie" Agarwal, [email protected]
Purpose: Establish a single and inclusive software-centric OWASP Threat Modeling Methodology, addressing vulnerability in client and web application-level services over the Internet.
Deliverables (1st draft expected for end of 2012 / early 2013):
- An OWASP Threat Modeling methodology
- A glossary of threat modeling terms
https://www.owasp.org/index.php/OWASP_Threat_Modelling_Project
The OWASP Secure Software Contract Annex
Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered.
CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to.
OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed.
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
Projects Reboot 2012
Refresh, revitalize and update projects; rewrite and complete guides or tools.
https://www.owasp.org/index.php/Projects_Reboot_2012
Current submissions:
• OWASP Application Security Guide For CISOs - Selected for Reboot
• OWASP Development Guide - Selected for Reboot
• Zed Attack Proxy - Selected for Reboot
• OWASP WebGoat
• OWASP AppSensor
• OWASP Mobile Project - Selected for Reboot
• OWASP Portuguese Language Project
• OWASP_Application_Testing_guide_v4
• OWASP ESAPI
• OWASP Eliminate Vulnerable Code Project
• OWASP_Code_Review_Guide_Reboot
Projects selected via the first round of review:
1. OWASP Development Guide: Funding Amount: $5000 initial funding
2. OWASP CISO Guide: Funding Amount: $5000 initial funding
3. OWASP Zed Attack Proxy: Funding Amount: $5000 initial funding
4. OWASP Mobile Project: Funding Amount: $5000 initial funding
Ongoing discussions about the Code Review and the Testing Guides
OWASP Top10 2013
• Final publication of OWASP Top10 2013: very, very soon
• French translation done
• Not a lot of new things
Top10 2013 – RC1 (shown in French on the slide)
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
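A1 Injection has headed the list in both the 2010 and the 2013 versions, and the Query Parameterization and SQL Injection Prevention cheat sheets listed earlier describe the fix. The following added example, not code from the deck or from any OWASP project, puts the injectable login query beside its parameterized form using Python's sqlite3 module on an in-memory database. The table layout, the two sample users, the function names and the attack payload are assumptions constructed for illustration.

```python
"""A1 Injection: string-built SQL beside its parameterized form.

Added example, not from the original deck. Uses Python's sqlite3 on an
in-memory database with constructed sample users. Passwords are stored in
clear only so that the injection point stays visible; the Password Storage
cheat sheet covers how they should really be stored.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately injectable: user input is concatenated into SQL syntax."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed form: values travel as bind parameters and can never become syntax."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Classic tautology payload: it closes the string literal and ORs in a true
# clause, so the WHERE clause becomes
#   (username = 'alice' AND password = 'x') OR '1' = '1'
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real password :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, payload       :", login_vulnerable(db, "alice", PAYLOAD))
    print("parameterized, payload    :", login_parameterized(db, "alice", PAYLOAD))
```

With the payload the vulnerable function returns true for any username, existing or not, because the tautology makes the whole WHERE clause true; the parameterized function compares the payload as a literal password value and rejects it. sqlite3 refuses to run more than one statement per execute call, which is why the payload here is a tautology rather than a stacked query; on other database drivers the same concatenation pattern would also allow stacked statements.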
OWASP News
• New projects:
– OWASP Scada Project
– OWASP OpenStack Security Project
Dates
• RSSIA Bordeaux: 21 June
– OWASP Top10 2013 in practice
• OWASP EU Tour 2013:
– 24 June - Sophia Antipolis
– 25 June - Geneva
• Java User Group Poitou Charentes: 27 June
– Secure Coding for Java
• AppSec Research Europe 2013: 20-23 August, Hamburg, Germany
• OWASP Benelux: 28/29 November 2013
Supporting OWASP
• Different options:
– Individual member: $50
– Corporate member: $5000
– Free donation
• Supporting only the France chapter:
– Single Meeting supporter:
• Offer us a meeting room!
• Contribute a talk or something else!
• Simple donation
– Local Chapter supporter: $500 to $2000
Next meetings
• September 2013
– Venue: Mozilla Center Paris
– Speakers:
• Security on Firefox OS
• To be defined
• November 2013
– Venue: to be defined
– Speaker: to be defined