
Owasp Serbia overview

Presentation held on 9 April 2012 in Belgrade. Overview of OWASP and the OWASP Serbia Local Chapter.


Page 1: Owasp Serbia overview

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OWASP Serbia Overview

Nikola Milošević
OWASP Serbia Local Chapter Leader
P3 Communications
[email protected]

9 April 2012

Page 2

What is OWASP

• Professional organization
• Professionals, students, companies, universities
• Awareness
• Standards
• Tools
• Distributed, global peers

Page 3

Mission

Make application security visible so that people and organizations can make informed decisions about true application security risk.

What causes application security risk?
• Immediate causes: the vulnerabilities themselves
• Developers and operators
• Organizational structure, development process, supporting technology
• Increasing connectivity and complexity
• Legal and regulatory environment
• Asymmetric information in the software market

Page 4

OWASP Core Values

OPEN Everything at OWASP is radically transparent from our finances to our code.

INNOVATION OWASP encourages and supports innovation/experiments for solutions to software security challenges.

GLOBAL Anyone around the world is encouraged to participate in the OWASP community.

INTEGRITY OWASP is an honest and truthful, vendor-agnostic, global community.

Page 5

OWASP Code of Ethics

• Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
• Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
• Communicate openly and honestly;
• Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association;
• Maintain and affirm our objectivity and independence;
• Reject inappropriate pressure from industry or others.

Page 6

Why should I care about security?

Page 7

Why should I care about security?

• Increased frequency of attacks
• Complexity of malware
• Hacktivism
• Online crime
• Internet warfare
• Technological espionage
• Cracking
• Etc.

Page 8

OWASP Projects - General

Three groups:
• Protect: tools and documentation used to protect against vulnerabilities
• Detect: tools and documentation used to find vulnerabilities
• Life Cycle: tools and documentation used to add security-related activities to the Software Development Lifecycle

Anyone can start a project, after review and acceptance by the Global Committee.

Page 9

OWASP Projects – OWASP Top 10

Page 10

OWASP Projects – OWASP Application Security Verification Standard

OWASP standardization: the first internationally recognized standard for conducting application security assessments.

Security testing and code review techniques; covers both automated and manual approaches to assessment.

• Web applications: released
• Web services: in progress

Page 11

OWASP Projects – OWASP Live CD


Page 12

OWASP Projects – OWASP Frameworks

OWASP AntiSamy Project (Java, .NET)
API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks.

OWASP Enterprise Security API (ESAPI)
Free and open collection of all the security methods that a developer needs to build a secure web application.

OWASP ModSecurity Core Rule Set Project
Rule set for the ModSecurity web application firewall engine; generic protection from unknown vulnerabilities often found in web applications.
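The AntiSamy item above names the technique worth seeing in code: accept rich HTML from users by rewriting it against an allowlist policy of permitted tags, attributes and URL schemes, rather than trying to block known-bad strings. The sanitizer below is an added example written for this page to show that approach; it is not AntiSamy's code (AntiSamy is a Java/.NET library driven by an XML policy file), and its allowlist, the `sanitize` function, the `_Sanitizer` class and the sample input are all constructed for the example.

```python
"""Allowlist-based sanitizer for untrusted rich HTML (illustrative, not AntiSamy).

Policy, names and sample input are constructed for this example.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy: each permitted tag maps to the attributes it may carry.
# Anything not listed (script, img, iframe, on* handlers, style, ...) is dropped.
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}
# href may only use these schemes (or be relative); "javascript:" and "data:" fail.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value):
    """True if the URL is relative or uses an allowed scheme (scheme compared lowercase)."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class _Sanitizer(HTMLParser):
    """Re-emits only allowlisted markup; all text is entity-escaped on output."""

    def __init__(self):
        # convert_charrefs=True: entities arrive decoded, so "&lt;img&gt;" in the
        # input becomes "<img>" as text and is re-escaped by handle_data.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of allowed tags emitted but not yet closed
        self.skip_depth = 0   # > 0 while inside <script>/<style>: drop their text
        self.removed = []     # log of what was stripped, like AntiSamy's error list

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.removed.append(f"removed <{tag}> element and its contents")
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(f"removed disallowed tag <{tag}>")
            return
        kept = []
        for name, value in attrs:          # HTMLParser already lowercases names
            value = value or ""            # and decodes entities in values
            if name not in ALLOWED_TAGS[tag]:
                self.removed.append(f"removed attribute {name} on <{tag}>")
                continue
            if name == "href" and not _safe_url(value):
                self.removed.append(f"removed unsafe href on <{tag}>")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close down to the matching tag so the output stays well-formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # HTMLParser defaults, which emit nothing, so they are dropped.

    def result(self):
        while self.open_tags:              # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(dirty_html):
    """Return (clean_html, removals) for untrusted rich-text input."""
    parser = _Sanitizer()
    parser.feed(dirty_html)
    parser.close()
    return parser.result(), parser.removed


if __name__ == "__main__":
    # Constructed sample input mixing legitimate markup with XSS attempts.
    sample = ('<p onclick="steal()">Hi <b>there</b><script>alert(1)</script> '
              '<a href="javascript:alert(1)">x</a> '
              '<a href="https://owasp.org">OWASP</a> &lt;img&gt;</p>'
              '<img src=x onerror=alert(1)>')
    clean, removals = sanitize(sample)
    print(clean)
    for r in removals:
        print("-", r)
```

The design point is the one the slide makes: the output can only ever contain markup the policy names, so a new bypass in the input (an unknown attribute, an encoded `javascript:` URL, an unclosed tag) degrades to escaped text or to nothing rather than to script execution. A production policy would also constrain CSS and length, which AntiSamy's policy files do and this example does not.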

Page 13

OWASP Projects – OWASP Guides

• OWASP Development Guide
• OWASP .NET Project
• OWASP Ruby on Rails Security Guide
• OWASP Secure Coding Practices – Quick Reference
• OWASP Code Review Guide
• OWASP Testing Guide
• OWASP Legal Project

Page 14

OWASP Projects – OWASP Tools

OWASP JBroFuzz Project
JBroFuzz is a web application fuzzer for requests made over HTTP or HTTPS.

OWASP WebScarab Project
Tool for performing all types of security testing on web applications and web services.

OWASP Zed Attack Proxy
Penetration testing tool for finding vulnerabilities in web applications, used by people with a wide range of security experience. Toolsmith Tool of the Year 2011.

Page 15

OWASP Projects – OWASP WebGoat

• Educational project
• Want to learn how to test the security of a web app? Try WebGoat!
• Learn to perform the OWASP Top 10 attacks
• Other Goat projects: GoatDroid, iGoat

Page 16

OWASP Local chapters - Overview

94 Countries 288 Local Chapters

Page 17

OWASP Local chapters - Overview

• Local communities working on raising awareness of IT security at:
  • Management level
  • Developer level
  • Ordinary people
• Knowledge sharing
• Local chapters contribute to OWASP projects
• Guided by the Local Chapter Handbook

Page 18

AppSec conferences

OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of the art in application security.

Started in 2004 in the USA, 2005 in Europe.

Global AppSec conferences in 2012:
• AppSec Asia-Pacific, 11–14 April, Sydney, Australia
• Global AppSec Research, 10–13 July, Athens, Greece
• AppSec North America, 22–26 October, Austin, TX
• AppSec Latin America, 14–16 November, Buenos Aires, Argentina

Page 19

AppSec conferences

Regional and local AppSec conferences, lasting one or more days. OWASP Day is usually a one-day conference.

Page 20

Academic partners

Page 21

Sponsors


Page 22

Google Summer of Code 2012

OWASP is officially selected as a GSoC mentoring organization.

1) Think of a good idea; for reference see the GSoC 2012 Ideas page.
2) Do some research yourself based on the idea and write up a proposal draft.
3) Post it to the mailing list at [email protected] for initial discussion with OWASP mentors.
4) Based on the feedback, write a full proposal; see the template at https://www.owasp.org/index.php/GSoC_SAT
5) Submit your proposal to Google between 26 March and 6 April 2012.

April – August: coding.


Page 23

Local Chapter Serbia

• Local chapter meetings every month
• Spreading awareness, doing the PR
• OWASP Day, hopefully
• Competition
• Working groups: PR, FR, IT...
• Contributing to global projects
• Any other ideas?


Page 24

Questions and Discussion
