Meet OWASP: resources you can use, today. Antonio Fontes (antonio.fontes@owasp.org), OWASP Geneva Chapter Leader, Switzerland
Meet OWASP: resources you can use, today.
Antonio Fontes, antonio.fontes@owasp.org, OWASP Geneva Chapter Leader, Switzerland
About myself
• Software / Web application security architect
• Independent (no ties with any integrator/vendor)
• OWASP Leader:
– Member of the Board, OWASP Switzerland
– Leader, OWASP Geneva Chapter
• Core interests:
– Software Assurance Maturity Model (SAMM)
– Application Security Verification Standard (ASVS)
State of Information Security
The problem?
There are not enough qualified application security professionals.
What can we do about it?
• Make application security visible
• Provide developers and software testers with materials and tools that help them build more secure applications
What is OWASP?
• Open Web Application Security Project: https://www.owasp.org
• Global community, driving and promoting safety and security of world’s software
• Not-for-profit foundation registered in the United States and a non-profit association registered in European Union
• Open:
– Everyone is free to participate
– All OWASP materials & tools are free
OWASP by Numbers
• 12 years of community service
• 88+ Government & Industry Citations
– including DHS, ISO, IEEE, NIST, SANS Institute, PCI-DSS, CSA, etc.
• 36,000+ registered members to the mailing lists
• 320,000+ unique visitors per month
• 1,000,000+ page viewed per month
• 15,000+ tools and documents downloaded each month
OWASP by the Numbers (cont)
• Year 2013 Budget: USD$580,000
• 2081 individual members and honorary members
• 70 countries
• 60+ donating Corporate Members
• 100+ supporting Academic Members
• 198 Active Chapters
• 168 Active Projects
• 4 Global AppSec Conferences per Year
OWASP by the Numbers (cont)
OWASP Geneva Chapter
• Started in 2008
• Promote application security through chapter meetings and collaboration with local developer communities
• 2013:
– Contact initiated with local developer groups (*UG)
– 5 meetings planned
– Board made of 3 industry representatives: consulting, banking/finance and public administration sectors:
Simon [email protected]
Thomas [email protected]
Antonio Fontes, antonio.fontes@owasp.org
OWASP Projects & Tools
• Make application security visible
• Videos, podcasts, books, guidelines, cheat sheets, tools, …
• Available under a free and open software license
• Used, recommended and referenced by many government, standards and industry organisations
• Open for everyone to participate
OWASP Projects & Tools - Classification
• 168+ Active Projects
• PROTECT – guard against security-related design and implementation flaws.
• DETECT – find security-related design and implementation flaws.
• LIFE CYCLE – add security-related activities into software processes (e.g. SDLC, agile, etc.)
OWASP Projects & Tools – An Overview
The slide lays the projects out on a DETECT / PROTECT / LIFE CYCLE grid:
• OWASP Top 10
• OWASP Code Review Guide
• OWASP Testing Guide
• OWASP Cheat Sheet Series
• OWASP ESAPI
• OWASP ModSecurity CRS
• OWASP AppSec Tutorials
• OWASP ASVS
• OWASP LiveCD / WTE
• OWASP ZAP Proxy
• WebGoat J2EE
• WebGoat .NET
Full list of projects (release, beta, alpha): http://www.owasp.org/index.php/Category:OWASP_Project
OWASP Top 10: the 10 most critical web application security risks
• The most visible OWASP project
• Classifies some of the most critical risks
• Essential reading for anyone developing web applications
• Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, FTC, and many more
OWASP Top Ten (2013 Edition)
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Known Vulnerable Components
A10: Unvalidated Redirects and Forwards
OWASP Top 10 Risk Rating Methodology
| Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact |
|---|---|---|---|---|---|
| ? | Easy (1) | Widespread (1) | Easy (1) | Severe (1) | ? |
| | Average (2) | Common (2) | Average (2) | Moderate (2) | |
| | Difficult (3) | Uncommon (3) | Difficult (3) | Minor (3) | |

Injection example: Attack Vector 1, Weakness Prevalence 2, Weakness Detectability 2, Technical Impact 1. Likelihood = (1 + 2 + 2) / 3 = 1.66; weighted risk rating = 1.66 * 1 = 1.66. Threat agent and business impact are left as "?" because they depend on the specific application.
Code Review Guide
• Code review is probably the most effective technique for identifying security flaws
• Focuses on the mechanics of reviewing code for certain vulnerabilities
• A key enabler for the OWASP fight against software insecurity
• Update is in progress
Code Review Guide (cont)
• Focuses on .NET and Java, but has some C/C++ and PHP
• Integration of secure code review into software development processes
• Understand what you are reviewing
• Security code review is not a silver bullet, but a key component of an IS program
Testing Guide
• Create a "best practices" web application penetration testing framework
• A low-level web application penetration testing guide
• Recommended for developers and software testers
• Update in progress
https://www.owasp.org/index.php/OWASP_Testing_Project
Cheat Sheet Series
• Provide a concise collection of high value information on specific web application security topics
https://www.owasp.org/index.php/Cheat_Sheets
Developer Cheat Sheets (Builder):
• Authentication
• Clickjacking Defense
• Cryptographic Storage
• HTML5 Security
• Input Validation
• Query Parameterization
• Session Management
• SQL Injection Prevention
• …
Assessment Cheat Sheets (Breaker):
• Attack Surface Analysis
• XSS Filter Evasion
• …
Mobile Cheat Sheets:
• iOS Developer
• Mobile Jailbreaking
• …
Cheat Sheet Series (cont)
• The most visible OWASP project
• Classifies some of the most critical risks
• Essential reading for anyone developing web applications
• Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more
AppSec Tutorial Series
https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
• Application security video based training
• Four episodes are available
ASVS: Application Security Verification Standard
• Provides a basis for testing application technical security controls
• Use as a metric – assess the degree of trust on existing security controls
• Use as guidance – for what to build as part of planned security controls
• Use during procurement
ASVS: Levels
ASVS: Verification Requirements
V1. Authentication
V2. Session Management
V3. Access Control
V4. Input Validation
V5. Cryptography (at Rest)
V6. Error Handling and Logging
V7. Data Protection
V8. Communication Security
V9. HTTP Security
V10. Malicious Controls
V11. Business Logic
V12. Files and Resources
V13. Mobile
SAMM: Software Assurance Maturity Model
• A framework to integrate security into software development and procurement/acquisition processes.
• A maturity model to qualify a software security initiative under a repeatable process, over time or across several units.
LiveCD / WTE
• Make application security tools and documentation easily available
• Collects some of the best open source security projects in a single environment
• Boot from this Live CD and have access to a full security testing suite
http://appseclive.org/
Mailing list 101
• A list for introductory questions on application security
Open access: https://lists.owasp.org/mailman/listinfo/security101
Zed Attack Proxy
• One of the flagship OWASP projects
• Easy to use integrated penetration testing tool for assessing web applications
• Ideal for developers and functional testers who are new to penetration testing
• Completely free and open source
• Cross platform, internationalised
ZAP Proxy: Features
• Intercepting Proxy
• Automated scanner
• Passive scanner
• Brute Force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL certificates
• API
• Beanshell integration
Upcoming:
• New Spider with Ajax functionality
• Session scope awareness
• Web socket support
• Scanning modes (Safe/Protected/Standard)
• Scripting console
ESAPI: Enterprise Security API
• Free, open source, web application security controls library
• Provide developers with libraries for writing lower-risk applications
• Allow retrofitting security into existing applications
• Serve as a solid foundation for new development
• Support for Java, PHP and Force.com – there could be more languages supported
ESAPI: functions and services
(Layered diagram: the application calls the ESAPI interfaces, which in turn wrap the existing enterprise security services and libraries.)
Custom Enterprise Web Application
↓
Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
↓
Existing Enterprise Security Services/Libraries
ESAPI: Validation and Encoding
(Diagram: User → Controller → Business Functions → Backend / Data Layer, with the Validator and Encoder sitting between the user and the application.)
Encoder: encodeForURL, encodeForJavaScript, encodeForVBScript, encodeForDN, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath
Validator: isValidDirectoryPath, isValidCreditCard, isValidDataFromBrowser, isValidListItem, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine
Supporting mechanisms: Canonicalization, Double Encoding Protection, Normalization, Sanitization
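As an added example (not from the slides and not ESAPI project code), the Java snippet below shows how the Validator and Encoder listed on this slide fit together: canonicalize and whitelist-validate input on the way in, then encode once per output context on the way out. It assumes the ESAPI 2.x Java API and the default `Validator.SafeString` pattern shipped in ESAPI.properties; the field names and sample inputs are constructed.

```java
// Added example: ESAPI 2.x Validator + Encoder usage (assumes ESAPI.properties
// on the classpath with its default Validator.SafeString regex).
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.Logger;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class EsapiValidateEncodeDemo {

    // Input side: getValidInput canonicalizes first (so double- or mixed-encoded
    // input is reduced to its real characters before the whitelist regex runs),
    // then checks the "SafeString" pattern and the 50-character limit.
    // Returns null on rejection; the caller must not echo the raw value back.
    static String validDisplayName(String untrusted) {
        Validator validator = ESAPI.validator();
        try {
            return validator.getValidInput("displayName", untrusted, "SafeString", 50, false);
        } catch (ValidationException e) {
            ESAPI.log().warning(Logger.SECURITY_FAILURE,
                    "displayName rejected: " + e.getLogMessage());
            return null;
        } catch (IntrusionException e) {
            // Thrown when canonicalization sees layered encodings (double-encoding protection).
            ESAPI.log().warning(Logger.SECURITY_FAILURE,
                    "suspicious encoding in displayName: " + e.getLogMessage());
            return null;
        }
    }

    // Output side: the same value needs a different encoder for each context it
    // lands in (HTML body, HTML attribute, JavaScript string, URL query parameter).
    static String renderProfile(String name) throws EncodingException {
        Encoder enc = ESAPI.encoder();
        return "<p>Hello, " + enc.encodeForHTML(name) + "</p>\n"
             + "<input value=\"" + enc.encodeForHTMLAttribute(name) + "\">\n"
             + "<script>var user = '" + enc.encodeForJavaScript(name) + "';</script>\n"
             + "<a href=\"/profile?u=" + enc.encodeForURL(name) + "\">profile</a>";
    }

    public static void main(String[] args) throws EncodingException {
        // Constructed inputs: the first fails the SafeString whitelist, the second passes.
        String hostile = "%253Cscript%253E";          // double-encoded "<script>"
        String benign  = "Antonio Fontes";
        System.out.println("hostile accepted? " + (validDisplayName(hostile) != null));
        String name = validDisplayName(benign);
        if (name != null) {
            System.out.println(renderProfile(name));
        }
        // Encoding is applied regardless of validation (defence in depth): even a
        // value like "O'Brien <b>" is rendered inert in every context above.
        System.out.println(renderProfile("O'Brien <b>"));
    }
}
```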
ModSecurity CRS: Core Rule Set
• Free certified rule set for ModSecurity WAF
• Generic web applications protection:
– Common Web Attacks Protection
– HTTP Protection
– Real-time Blacklist Lookups
– HTTP Denial of Service Protection
– Automation Detection
– Integration with AV Scanning for File Uploads
– Tracking Sensitive Data
– Identification of Application Defects
– Error Detection and Hiding
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
WebGoat
• Deliberately insecure web application to teach web application security lessons
• Over 30 lessons, providing hands-on learning about:
– Cross-Site Scripting (XSS)
– Access Control
– Blind/Numeric/String SQL Injection
– Web Services
– … and many more
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
WebGoat: Java
WebGoat: .NET
• A purposefully broken ASP.NET web application
• Contains many common vulnerabilities
• Intended for use in classroom environments
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET
DEMO
• OWASP ZAP Proxy
• OWASP WebGoat Java Project
Thank You!
Q&A
If you need inspiration:
• Where/How do we start using OWASP?
• How can we help OWASP in return?
• Can you tell us more about project ______ ?
https://www.owasp.org
https://www.owasp.org/index.php/Geneva