Getting More Out of OWASP Leveraging Today’s Nest of Projects
Transcript of Getting More Out of OWASP Leveraging Today’s Nest of Projects
The OWASP Foundation http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP Atlanta March 2014 Chapter Meeting
Getting More Out of OWASP
Leveraging Today’s Nest of Projects
Tony “UV” UcedaVelez, VerSprite, Inc.
OWASP Atlanta Chapter Leader
[email protected]  @t0nyuv
Reasons for Talk
• After 11 years, many people still don’t know about OWASP
• Problems in InfoSec are bountiful
• Opportunities for solving problems are catalyzed by OWASP
• Those that ‘DO’ will be best served by OWASP projects
• Get involved to further OWASP mission & projects
• Consultant viewpoint from close to 20 years in the trenches
‘Get’ Topics to Cover
• Get Familiar
• Get more from OWASP
• Get involved
OWASP is a Belief
• Community driven
• Software security shouldn’t be reserved to those who can afford it.
• Intra-personal exchanges and interactions reveal true opportunities for collaboration
• Cultural, industry, country related challenges exposed and addressed.
• Massively supportive and responsive.
More basics on OWASP
• A non-profit (501c), global org – Please Donate! or become a Member.
• Consortium of tools and deliverables aimed at application security.
• OPENness is the heart of the org – from its content, dialogue, to administration.
• OWASP content can be leveraged in ANY org
Core Values (from site)
• OPEN – radical transparency; from finances to our code.
• INNOVATION – encourages innovation for solutions to software security challenges.
• GLOBAL – truly a global community.
• INTEGRITY – truthful, vendor neutral, global community.
…now to the projects…
OWASP Project Runway
Untangling the OWASP Projects knot
It can’t be done! >:/
Governance, Maturity Modeling & Metrics
OWASP Open SAMM
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
Benefits
• Evaluate your organization's existing software security practices
• Build a balanced software security program in well-defined iterations.
• Demonstrate concrete improvements
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
Wide Scope Covered by OpenSAMM
• Supports a Security Plan or Roadmap
• Establish governance
• Perform against assessments
• Test and Report
• Enhance Security Operations
• Building a S-SDLC Initiative
• Measures success / shortcomings
• Provides metrics for reporting
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
“OWASP.org is a valuable resource for any company involved with online payment card transactions. Dell uses OWASP’s Software Assurance Maturity Model (OpenSAMM) to help focus our resources and determine which components of our secure application development program to prioritize. Participation in OWASP’s local chapter meetings and conferences around the globe helps us build stronger networks with our colleagues.” (Michael J. Craigue, Information Security & Compliance, Dell, Inc.)
SAMM ScoreCard (score per OpenSAMM security practice and activity level; the four column groups are the business functions Governance, Construction, Verification and Deployment)

Practice abbreviations (OpenSAMM 1.0):
Governance: SM = Strategy & Metrics, PC = Policy & Compliance, EG = Education & Guidance
Construction: TA = Threat Assessment, SR = Security Requirements, SA = Secure Architecture
Verification: DR = Design Review, CR = Code Review, ST = Security Testing
Deployment: VM = Vulnerability Management, EH = Environment Hardening, OE = Operational Enablement

Activity   SM   TA   DR   VM
1.A        21   16    0    0
1.B        34   30   56   59
2.A        26   11   10   50
2.B        20    0   24    0
3.A         0    8    8    6
3.B        16    0    0   44

Activity   PC   SR   CR   EH
1.A        43   19   24    0
1.B        52   45   34    0
2.A        23    0    1   19
2.B        57    0    0   61
3.A        31   12    6    9
3.B         4    0   23    0

Activity   EG   SA   ST   OE
1.A         9   54   13    0
1.B        43   53   62    0
2.A         9   29   27    0
2.B        23   26   11   31
3.A        25   13    7    0
3.B         4    9   27   10
Operationalizing Security: Case Study & Prescriptive Advice on Implementing OWASP Projects
Challenges in SecOps
• Security Operations are becoming zombified
• Over-reliance on vendors (tools and services)
• Ask most security operations people – are you getting better – they really don’t know
• Measuring and Trending is key
• Part of the challenge in measuring is having the right tools; the other part is knowing what consistent values to check for
Prescriptive Advice in SecOps
• Define operational metrics around security
• Contemplating Bug Bounties
• Measuring security by events
• Validated alerts (blocked)
• False Positive Analysis (for Tuning purposes)
• Mitigate new layers of attacks
• Doing more with less
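Added example (not from the slides): one way to turn the bullets above into numbers. From constructed alert triage records it computes per-rule false positive rates, the count of validated alerts that were actually blocked, the rules whose false positive rate says they need tuning, and the weekly trend of validated alerts that answers "are we getting better?". Rule names, weeks and dispositions are all made up.

```python
# Added example, not from the slides: security operations metrics computed from
# constructed alert triage records (rule names, weeks and dispositions are made up).
from collections import defaultdict


def _rec(week, rule, disposition, blocked):
    return {"week": week, "rule": rule, "disposition": disposition, "blocked": blocked}


# Constructed sample: each record is one alert after an analyst triaged it.
ALERTS = [
    _rec("2014-W09", "WAF-SQLI-001", "true_positive", True),
    _rec("2014-W09", "WAF-SQLI-001", "true_positive", True),
    _rec("2014-W09", "WAF-SQLI-001", "false_positive", False),
    _rec("2014-W10", "WAF-SQLI-001", "true_positive", True),
    _rec("2014-W10", "WAF-SQLI-001", "true_positive", False),
    _rec("2014-W09", "IDS-SCAN-017", "false_positive", False),
    _rec("2014-W09", "IDS-SCAN-017", "false_positive", False),
    _rec("2014-W09", "IDS-SCAN-017", "true_positive", False),
    _rec("2014-W10", "IDS-SCAN-017", "false_positive", False),
    _rec("2014-W10", "IDS-SCAN-017", "false_positive", False),
    _rec("2014-W10", "IDS-SCAN-017", "false_positive", False),
    _rec("2014-W10", "AUTH-BRUTE-003", "false_positive", False),
    _rec("2014-W10", "AUTH-BRUTE-003", "false_positive", False),
]


def rule_metrics(alerts):
    """Per detection rule: volume, true/false positives, validated alerts that
    were blocked, and the false positive rate used for tuning decisions."""
    per_rule = defaultdict(lambda: {"total": 0, "true_positive": 0,
                                    "false_positive": 0, "validated_blocked": 0})
    for a in alerts:
        m = per_rule[a["rule"]]
        m["total"] += 1
        m[a["disposition"]] += 1
        if a["disposition"] == "true_positive" and a["blocked"]:
            m["validated_blocked"] += 1
    for m in per_rule.values():
        m["fp_rate"] = round(m["false_positive"] / m["total"], 2)
    return dict(per_rule)


def rules_needing_tuning(metrics, max_fp_rate=0.5, min_volume=4):
    """Rules that fire often enough to matter and are mostly noise.
    The minimum volume keeps a rule with two alerts from being judged yet."""
    return sorted(rule for rule, m in metrics.items()
                  if m["total"] >= min_volume and m["fp_rate"] > max_fp_rate)


def weekly_trend(alerts):
    """Validated (true positive) alerts per week: the value to chart over time."""
    counts = defaultdict(int)
    for a in alerts:
        if a["disposition"] == "true_positive":
            counts[a["week"]] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    metrics = rule_metrics(ALERTS)
    for rule, m in sorted(metrics.items()):
        print(f"{rule}: {m}")
    print("tune:", rules_needing_tuning(metrics))
    print("trend:", weekly_trend(ALERTS))
```

The thresholds in rules_needing_tuning are a starting point, not a standard; the point of the slide is that whatever values you pick, you check the same ones every period so the trend is comparable.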
Case Study: U.S. Financial Company
Company name will not be disclosed (we need a name for this company):
UFS (Unidentified Financial Services)
USF: Company Overview
Relative size
• Among the largest 25 banks in the U.S.
• Branches in many states in the U.S.
General information
• Company Type: Subsidiary of larger firm
• Industry: Finance and Banking
• Revenue: 2+ Billion USD
• Employees: 13,000+
• Parent Company: ~$14 Billion in revenue, ~110,000 employees and ~$650 Billion in assets
USF: IT Security
The USF Security group
• 8 IT Security Analysts (full-time employees)
Mission and Goals
• Compliance efforts
  • PCI DSS & SOx (Sarbanes-Oxley Act)
  • Compliance is a starting point for them. They aim for secure and get compliance along the way.
• Assessment / security reviews of online assets
  • Online assets include multiple web applications
• Traditional network based security services
• Anti-Phishing efforts
USF: Before OWASP
Fiscal Year 2007
• Web Application security reviews
  • Utilized only outside security firms
  • USF security group handled remediation tasks
  • Requests for additional details on review findings represented additional costs
  • Average engagement cost: $8,000 per site
• Web App Security reviews for 2007 = 30 sites or $240,000 total cost
USF: With OWASP
Fiscal Year 2008
• Web Application security reviews
  • Utilized only internal security analysts
  • Used the OWASP Testing Guide v2 plus WebScarab as their standard for testing web applications
  • Printed guide copies for all 8 analysts for $200
  • USF security group handles remediation tasks
  • Average engagement cost: $0 per site
    • Assumes salaries are a fixed cost
    • No new staff added for this effort
• Assessed 48 sites in 2008
USF: With OWASP
Web App Security review costs:
• 2007: $240,000 (30 sites x $8,000/site)
• 2008: $200 for 48 sites (printing costs)
• If 2008 didn't have OWASP: $384,000 (48 sites x $8,000/site)
OWASP Savings = $383,800 in year 1
USF: The Pros with OWASP
• Cost reduction will continue past year 1
  • Accomplished more reviews at a lower cost
  • Time to assess should trend down
• Reports are standardized now
  • Different vendor = different reporting in prior years
  • Standard reporting = better trend analysis
• Increased efficiency in remediation
  • Analysts better understand the reported findings
• Analysts can better address audit questions
  • Annual audits from Gov't & parent company
  • Federal auditors praised the “well developed internal review process”
USF: The Cons with OWASP
• Starting up the program was initially slow
  • Mid-year efficiency gains allowed them to surpass the 2007 review number in 2008
• Requires strong management support
  • Must accept the potential for a slow year 1
• At least one analyst must be familiar with application security to lead the effort
• Additional training is still needed for some USF analysts
  • Level out the skills of the analysts
  • One time cost of $15,000 to $25,000 for on-site, instructor based training
Some Personal Anecdotes
OWASP Projects used in my security career
• OWASP WebGoat: How I first learned about application security
• OWASP WebScarab: Used during many penetration tests
• OWASP Live CD: My current preferred App Sec testing environment
• OWASP Testing Guide: Used in creating reports during security reviews
• OWASP Legal Project: Utilized language from the project to add security language to our procurement process documents
Security Assurance
Challenges in Security Assurance
• Relatively new to most organizations
• Non-existent in the SMB space
• Most don’t know what they are assuring against
• If they do know what they are assuring against, it’s not consistently validated over time
Prescriptive Advice
Simplify!!!
• Create Roadmap
• Standardize
• Follow a Methodology
• Define Key Metrics
• Measure over time
Test & Verify
OWASP ASVS Provides Methodology for Security Assurance
The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications.
• Covers automated and manual approaches for external testing and code review techniques
• Recently created and already adopted by several companies and government agencies
Benefits
• Standardizes the coverage and level of rigor used to perform app sec assessments
• Allows for better comparisons
http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
http://www.owasp.org/index.php/Category:OWASP_Testing_Project
OWASP Testing Guide
Provides a “best practice” penetration framework and a “low level” penetration testing guide that describes techniques for testing web applications.
• Version 3 is the latest and is a 349 page book
• Tests split into 9 sub-categories with 66 controls to test
Benefits
• Ready made testing framework
• Great categories and identifiers for reporting
• Excellent to augment skills of analysts
Threat Modeling & Security Architecture
OWASP ASDR
• Provides internal taxonomy of terms for the enterprise
• Great reference material for application security
• OWASP’s ‘man page’ for appsec related terms
• Perfect for building threat modeling content
S-SDLC - Build Security In Already!
OWASP Testing Guide: S-SDLC / Building Security-In
Challenges in Development & QA Groups
• No time for security at the DEV stage
• Security is an afterthought
• Perception: Security is blowing smoke up my @$$ (FUD)
• Security architecture is non-existent
• Groups don’t have time to learn about security
• PMs don’t have time to wait for security requirements to be factored in
• No executive sponsorship for forcing security requirements in apps.
• Myopic developers are only seeing functional code design
Prescribed Solutions for Development & QA
Process
OWASP Code Review
• Methodology for source code reviews
• Book (2nd best selling for OWASP)
OWASP Development Guide
• Establishes a process for secure development efforts across various SDLCs
OWASP Cheat Sheet Series
• See following slide
OWASP Countermeasures
• OWASP CSRFGuard
• OWASP AntiSamy
• OWASP Enterprise Security API (ESAPI)

Reference
OWASP WebGoat
• Deliberately broken Apache web server with courses on common web insecurities
OWASP ASDR
• Great reference for developers and QA professionals
OWASP Video Series
• Free video series geared towards Developers and Security Testers (QA)
OWASP Podcast Series
• Multiple topics covered – not just for dev.
• Dev can pick and choose what is relevant for them.
• Great listen-as-you-work resource.
OWASP Top Ten
• Ranks top web app related risks
• Serves as a good scope for initial testing

Tools
OWASP Zed Attack Proxy
• Test against OWASP Top Ten
• Use in conformance to Testing Guide
• Exercise successful implementation of OWASP Countermeasures
OWASP YASCA
• Leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan
List of Cheats
• Clickjacking Defense Cheat Sheet
• C-Based Toolchain Hardening Cheat Sheet
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Cryptographic Storage Cheat Sheet
• DOM based XSS Prevention Cheat Sheet
• Forgot Password Cheat Sheet
• HTML5 Security Cheat Sheet
• Input Validation Cheat Sheet
• JAAS Cheat Sheet
• Logging Cheat Sheet
• .NET Security Cheat Sheet
• OWASP Top Ten Cheat Sheet
• Password Storage Cheat Sheet
• Pinning Cheat Sheet
• Query Parameterization Cheat Sheet
• Ruby on Rails Cheat Sheet
• REST Security Cheat Sheet
• Session Management Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Transport Layer Protection Cheat Sheet
• Unvalidated Redirects and Forwards Cheat Sheet
• User Privacy Protection Cheat Sheet
• Web Service Security Cheat Sheet
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• Attack Surface Analysis Cheat Sheet
• XSS Filter Evasion Cheat Sheet
• REST Assessment Cheat Sheet
• iOS Developer Cheat Sheet
• Mobile Jailbreaking Cheat Sheet
• OpSec Cheat Sheets (Defender)
• Virtual Patching Cheat Sheet
Cheat Snippets: Insecure Direct Object References
It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys:
https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376
In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe.
https://example.com/invoice/2362365
In this case, it would be possible to get a copy of all invoices.
Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010.
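Added example (not from the slides or from any OWASP project): the server-side check the snippet above is asking for. Before a transfer or an invoice lookup, the code verifies that the authenticated user owns the object the URL names; it also shows a per-session access reference map of the kind ESAPI provides, with the caveat from the slide that a random handle in the URL is defence in depth and does not replace the ownership check. The account and invoice ids, user names and ownership tables are constructed sample data.

```python
# Added example, not from the slides or an OWASP project: enforce ownership of
# the object a request refers to instead of trusting the id in the URL.
# Account/invoice ids, user names and ownership tables are constructed.
from decimal import Decimal, InvalidOperation
import secrets

# Constructed ownership tables (a real application would query its database).
ACCOUNT_OWNERS = {"325365436": "alice", "112233445": "alice", "473846376": "bob"}
INVOICE_OWNERS = {"2362365": "alice", "2362366": "bob"}


class Forbidden(Exception):
    """Raised when the caller may not act on the referenced object."""


def require_owner(owner_table, object_id, current_user):
    # An unknown id and someone else's id get the same answer, so the check
    # does not double as an oracle for guessing which ids exist.
    if owner_table.get(object_id) != current_user:
        raise Forbidden("not authorized for this object")


def transfer(current_user, from_account, to_account, amount):
    """Debit from_account only if the authenticated user owns it."""
    require_owner(ACCOUNT_OWNERS, from_account, current_user)
    if to_account not in ACCOUNT_OWNERS:
        raise ValueError("unknown destination account")
    try:
        value = Decimal(str(amount).lstrip("$"))
    except InvalidOperation:
        raise ValueError("amount is not a number")
    if value <= 0 or value != value.quantize(Decimal("0.01")):
        raise ValueError("amount must be positive with at most two decimals")
    return {"from": from_account, "to": to_account, "amount": value}


def get_invoice(current_user, invoice_id):
    """Return an invoice only to its owner."""
    require_owner(INVOICE_OWNERS, invoice_id, current_user)
    return {"invoice": invoice_id, "owner": current_user}


class AccessReferenceMap:
    """Per-session indirect references: the client sees a random handle and
    the server maps it back to the real key. A defence in depth layer only;
    the ownership check above is still required."""

    def __init__(self):
        self._direct_for = {}
        self._handle_for = {}

    def handle(self, direct_id):
        if direct_id not in self._handle_for:
            h = secrets.token_urlsafe(8)
            self._handle_for[direct_id] = h
            self._direct_for[h] = direct_id
        return self._handle_for[direct_id]

    def resolve(self, handle):
        if handle not in self._direct_for:
            raise Forbidden("unknown reference")
        return self._direct_for[handle]


def denied(fn, *args):
    """True if fn(*args) is refused by the authorization check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def reference_map_roundtrip(direct_id="325365436"):
    """Handles are stable within a session, resolve back, and unknown ones are refused."""
    m = AccessReferenceMap()
    h = m.handle(direct_id)
    return m.resolve(h) == direct_id and m.handle(direct_id) == h and denied(m.resolve, "bogus")


if __name__ == "__main__":
    print(transfer("alice", "325365436", "473846376", "$100.00"))
    print("bob debiting alice's account denied:", denied(transfer, "bob", "325365436", "473846376", "100.00"))
    print("bob reading alice's invoice denied:", denied(get_invoice, "bob", "2362365"))
    print("reference map round trip:", reference_map_roundtrip())
```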
Java Regex Usage Example
Example validating the parameter “zip” using a regular expression. The pattern is anchored so the whole value must match, the backslashes are doubled because the pattern lives in a Java string literal, and a missing parameter (getParameter() returns null) is rejected like a malformed one.

import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

public void doPost( HttpServletRequest request, HttpServletResponse response ) throws IOException {
  try {
    String zipCode = request.getParameter( "zip" );
    // null when the parameter is absent; matches() requires the entire value to fit the pattern
    if ( zipCode == null || !zipPattern.matcher( zipCode ).matches() ) {
      throw new YourValidationException( "Improper zipcode format." );
    }
    // .. do what you want here, after it has been validated ..
  } catch( YourValidationException e ) {
    // Reject with 400 rather than echoing the raw input back to the client
    response.sendError( HttpServletResponse.SC_BAD_REQUEST, e.getMessage() );
  }
}
OWASP AntiSamy
OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant with the application's rules.
• API plus implementations: Java, .Net, ColdFusion, PHP (HTMLPurifier)
Benefits
• It helps you ensure that clients don't supply malicious code into your application
• A safer way to allow for rich content from an application's users
http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
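Added example (not AntiSamy's code, which is a policy-driven Java library): the same idea, an allow-list sanitizer, built on Python's standard html.parser. Tags and attributes not in the policy are dropped, script and style content is discarded, event-handler attributes never get through, and href values are accepted only with a known-safe scheme after whitespace and control characters are stripped. The policy and the sample fragment are constructed for the example.

```python
# Added example, not AntiSamy's code: an allow-list HTML sanitizer on top of
# Python's html.parser. The policy and the sample input are constructed.
from html import escape
from html.parser import HTMLParser

# Policy: tag -> attributes allowed on it. Anything else is dropped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}
# Tags whose text content is discarded along with the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}


def safe_href(value):
    """Allow only http(s), mailto and site-relative links. Whitespace and control
    characters are removed first because browsers strip them inside a scheme."""
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ch > " ").lower()
    return cleaned.startswith(("http://", "https://", "mailto:", "/"))


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of emitted tags, keeps the output well nested
        self.dropping = 0     # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # unknown tag is removed; its text content is kept (escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # drops onclick=, style= and every other handler
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
            return
        if tag in self.open_tags:
            # Close everything opened since that tag so the result stays balanced.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


# Constructed sample: an event handler, a script block, a javascript: URL and an
# entity-encoded tag, none of which may survive.
SAMPLE = ('<p onclick="steal()">Hi <b>there</b><script>alert(1)</script> '
          '<a href="javascript:alert(1)">x</a> '
          '<a href="https://example.com" title="ok">link</a> &lt;i&gt;</p>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Like AntiSamy, the behaviour comes from the policy rather than from a list of known-bad patterns: widening ALLOWED_TAGS is a deliberate decision, and anything the policy does not name is gone.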
OWASP CSRFGuard
OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated.
• Java, .Net and PHP implementations
• CSRF is considered the app sec sleeping giant
Benefits
• Provides code to generate unique request tokens to mitigate CSRF risks
http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
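Added example (not CSRFGuard's code): the request-token pattern the slide describes, reduced to its two halves. A per-session random token is issued and embedded in the application's own forms; a state-changing request is accepted only if it is a POST carrying a token that matches the one stored for the session, compared in constant time. The session ids and the three request dictionaries are constructed stand-ins for the cookie and form data a servlet would see.

```python
# Added example, not CSRFGuard's code: synchronizer-token check for a
# state-changing request. Session ids and request dicts are constructed.
import hmac
import secrets


class CsrfTokenStore:
    """One random token per session, issued when the session starts and
    rendered into every form the application serves."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or not submitted:
            return False
        # Constant-time comparison so the check leaks nothing through timing.
        return hmac.compare_digest(expected, submitted)


def handle_transfer(store, request):
    """request is a constructed dict: session (from the cookie), method, form.
    Returns (status, message) the way a handler would."""
    if request["method"] != "POST":
        return 405, "state-changing actions must use POST"
    if not store.verify(request["session"], request["form"].get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "transfer accepted"


def demo():
    """Three requests all carrying the victim's session cookie; only the one
    submitted from the application's own form is accepted."""
    store = CsrfTokenStore()
    token = store.issue("sess-victim")
    other = store.issue("sess-other")
    own_form = {"session": "sess-victim", "method": "POST",
                "form": {"csrf_token": token, "amount": "100"}}
    # A third-party page can make the browser send the cookie, but it cannot
    # read the token out of the application's HTML, so it arrives without one ...
    cross_site = {"session": "sess-victim", "method": "POST",
                  "form": {"amount": "100"}}
    # ... or with a token that belongs to some other session.
    wrong_token = {"session": "sess-victim", "method": "POST",
                   "form": {"csrf_token": other, "amount": "100"}}
    return [handle_transfer(store, r)[0] for r in (own_form, cross_site, wrong_token)]


if __name__ == "__main__":
    print(demo())  # [200, 403, 403]
```

The method check matters as much as the token: if the transfer also worked over GET, an image tag on any page would be enough to trigger it, token or not.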
OWASP ESAPI
OWASP Enterprise Security API (ESAPI) is a free and open collection of all the security methods that a developer needs to build a secure web application.
• API is fully documented and online
• Implementations in multiple languages
Benefits
• Provides a great reference
• Implementation can be adapted / used directly
• Provides a benchmark to measure frameworks
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Security Testing: You Can Start Tomorrow
OWASP Top Ten
The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are.
• Adopted by the Payment Card Industry (PCI)
• Recommended as a best practice by many government and industry entities
Benefits
• Powerful awareness document for web application security
• Great starting point and reference for developers
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The Zed Attack Proxy
• Released September 2010
• Ease of use a priority
• Comprehensive help pages
• Free, Open source
• Cross platform
• A fork of the well regarded Paros Proxy
• Involvement actively encouraged
• Adopted by OWASP October 2010
ZAP Overview
• ZAP is:
  • Easy to use (for a web app pentest tool ;)
  • Ideal for appsec newcomers
  • Ideal for training courses
  • Being used by Professional Pen Testers
  • Easy to contribute to (and please do!)
  • Improving rapidly
ZAP Principles
• Free, Open source
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Involvement actively encouraged
• Reuse well regarded components
Where is ZAP being used?
United States, Japan, Spain, United Kingdom, Germany, China, Ukraine, Switzerland, Mexico, Canada
The Main Features
All the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Spider
• Report Generation
• Brute Force (using OWASP DirBuster code)
• Fuzzing (using OWASP JBroFuzz code)
The Additional Features
• Auto tagging
• Port scanner
• Smart card support
• Session comparison
• Invoke external apps
• BeanShell integration
• API + Headless mode
• Dynamic SSL Certificates
• Anti CSRF token handling
The Future
• Enhance scanners to detect more vulnerabilities
• Extend API, better integration
• Fuzzing analysis
• Easier to use, better help
• More localization (all offers gratefully received!)
• Parameter analysis?
• Technology detection?
ZAP Summary
• ZAP has:
  • An active development community
  • An international user base
  • The potential to reach people new to OWASP and appsec, especially developers and functional testers
• ZAP is a key OWASP project
• Security Tool of the Year 2013
Any Questions?
http://www.owasp.org/index.php/atlanta
www.meetup.com/owasp-atlanta
@owaspatl