Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation http://www.owasp.org
Open Web Application Security Project
Antonio Fontes
[email protected]
SWISS CYBER STORM Conference – May 2011, Rapperswil
A few words about me
• Antonio Fontes
– 6 years background working on software security & privacy
– Founder and principal consultant at L7 Securité Sàrl
– Lecturer at HST Yverdon (HEIG-VD)
• Focus:
– Web application threats and countermeasures
– Secure development lifecycle
– Penetration testing and vulnerability assessment
– Software threat modelling and risk analysis
• OWASP:
– OWASP Switzerland: member of the board, western Switzerland delegate
– OWASP Geneva: Chapter leader
12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil
cat /wwwroot/agenda.html
• Why do organizations need OWASP?
• OWASP worldwide
• OWASP in Switzerland
• Q/A
Thermometer:
“Is your organization already using OWASP material?”
- For internal software development?
- For outsourced custom software?
- For COTS acquisition?
photo by Dave Oshry
Why do organisations need OWASP?
77 million users! 101 million users!
Why do organisations need OWASP?
Handout from the Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen (May 1st, 2011).
photo by Dave Oshry
Just a little check:
“Who knows PBKDF2?”
Why do organisations need OWASP?
Who understands this in your organisation?
Why do organisations need OWASP?
Use hashes!!
No! Don't use hashes!!
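The two shouted answers on this slide collapse into one rule: a stored password needs a salted, deliberately slow key derivation such as PBKDF2, not a plain fast hash. The Python below is an added example, not material from the talk; it assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt and 200,000 iterations, and puts an unsalted SHA-256 next to it to show why the plain hash leaks which accounts share a password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example (not from the slides).
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def plain_hash(password: str) -> str:
    """The naive 'use hashes' approach: one unsalted, fast hash per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Build a record 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              ITERATIONS, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt/iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False                           # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iters), dklen=KEY_BYTES)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    # Constructed sample: two accounts that picked the same weak password.
    pw = "password123"
    print("plain SHA-256, user A:", plain_hash(pw))
    print("plain SHA-256, user B:", plain_hash(pw))      # identical: exposes reuse
    rec_a, rec_b = store_password(pw), store_password(pw)
    print("PBKDF2 record, user A:", rec_a)
    print("PBKDF2 record, user B:", rec_b)               # different salt, different key
    print("verify correct:", verify_password(pw, rec_a))
    print("verify wrong:  ", verify_password("hunter2", rec_a))
```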
Why do organisations need OWASP?
• Outside the organisation:
– Increasing adoption of “Anything over HTTP”
– Increasing “hostile” interest in online services
– Increasing “threat population”
– Web hacking/security is easy to understand/teach
– Low risk of being “caught”
– Increasing offer in security consulting, services and products
Why do organisations need OWASP?
• Inside organisations:
– Developers dealing with dozens of web technologies
– Heterogeneous development teams and lifecycles
– Constant pressure for delivery
– Turnover and loss of internal know-how
– Who in the company is actually both up-to-date on the concept of “(web) application security” and has the power to take decisions?
– Who in the company is actually able to qualify the security products and services that are paid for?
Why do organisations need OWASP?
OWASP foundation
[Timeline figure: 2001, 2003, 2005, 2007, 2010, 2011]
Mission
“Make application security visible, so that people and organisations can make informed decisions about application security risks.”
U.S. 501c3 not-for-profit charitable international organization
Structure
Core values
Open, Global, Innovation, Worldwide
Code of ethics
Independence from vendors, technology-agnostic
"strategy" (or so...)
[Diagram: Web Application, Tools, Methods, People, Threat, Company assets; OWASP structure: Summit, Committees, Board, Chapters, Projects, Conferences, Members, Website, ?]
Project Leaders
• Responsible for driving volunteers' effort on OWASP material projects:
– Workshops
– Brainstorming sessions
– Analysis/reporting
– Guides editing
– Tools coding
– 19 quality-release and 26 beta-status projects
Chapter Leaders
• Responsible for leading Local Chapters:
– 188 Chapters worldwide
– More than 300 yearly meetings worldwide
– Connect with local organisations
Next local chapter meeting: Zurich – June 14th
Global Committees
• Responsible for driving volunteers' effort on global OWASP outreach.
• OWASP current Global Committees:
– Industries
– Membership
– Government
– Education
– Projects
– Events
– Connections
Employees and contractors
• Kate Hartmann – Logistics and day-to-day support for leaders of the 188 local chapters
• Alison Shrader – Accounting & Administration
• Paulo Coimbra – OWASP PMO
• Sarah Basso – Operations during OWASP events
Research conference
• Conference dedicated to research work on application security
Appsec conference
• Yearly global application security focused conferences:
– Europe
– North America
– South America
– Asia
Next OWASP Conference in Europe: Dublin – June 7th-10th 2011
Summits
• Intensive 1-week workshop event with leaders, contributors, sponsors and software vendors:
– Ability to connect with leading software vendors and corporate members
– More than 150 reunited chapter & project leaders
– 80 workshops
OWASP Membership
• Individual members:
– Annual fee: 50$/year
– Free access to OWASP Training day events
– Reduced fees at OWASP Events
– Current count: 1383 individual contributing members
OWASP Membership
• Corporate members:
– 52 public corporate members
– Annual fee: 5'000$/year
– Delegates for the Summit event
– Logo on website, use as marketing argument
– Majority is from the US, but Switzerland is also there
OWASP Membership
• Academic members:
– Annual fee: 0$/year
– Donate: support
– 40 members
– Switzerland:
• 1 officialised partnership (HEIG-VD)
• 2 pending partnerships
https://www.owasp.org
– 250'000 unique visitors monthly
– 650'000 pages viewed monthly
– 60% driven by search engines
– 19% referred by other websites
– Highest traffic motives:
• OWASP Top 10
• Webscarab project
• XSS prevention cheat sheet
• “sql injection”
http://lists.owasp.org
• More than 400 mailing lists currently running
• 25'900 users
• Related to: tools, documents, methods, committees, events, outreach, leaders, etc.
OWASP projects: Tools
Lifecycle phases: Analyze, Design, Implement, Verify, Deploy, Respond
– ModSecurity CRS
– Academy portal, Broken Web Applications, ESAPI Swingset, Webgoat
– JBroFuzz
– LiveCD
– WebScarab
– Code Crawler
– O2
– DirBuster
– Orizon
– Zed Attack Proxy
– AntiSamy
– ESAPI
– CSRFGuard
– Encoding
– Stinger
OWASP projects: Documents
Lifecycle phases: Analyze, Design, Implement, Verify, Deploy, Respond
– Code Review
– Testing
– ASVS
– Academy, Appsec FAQ, Appsec metrics, Common Vuln. List, Education, Exams, Legal, OWASP Top 10
– Backend Security
– Threat risk modeling
– Secure contract
– Application security requirements
– Development
– RoR Security
– .NET Security
– Secure coding practices
– AJAX Security
– J2EE Security
– PHP Security
Tools: Webgoat
• COTS web application for webapp security (CBT) training
– Click and run
– /index.php/Webgoat
Tools: ModSecurity core ruleset
• Critical protections centralized in a core ruleset (CRS) to be installed on ModSecurity-enabled Apache servers
• Provides:
– HTTP protocol compliance
– Attack detection
– Error detection
– Search engine monitoring
• https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Tools: Enterprise Security API
• Control library encapsulating most security functions required in web applications:
– Authentication
– Access control
– Sessions
– Encoding
– Input validation
– Encryption
– Logging
– Intrusion detection
– …
• https://www.owasp.org/index.php/ESAPI
Documents: OWASP Top 10
• https://www.owasp.org/index.php/Top10
Documents: code review guide
• Instructions and methodology manual for conducting code security reviews
• Guidance on detecting the major security flaws created during implementation
• https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
Documents: ASVS
• ASVS: Application Security Verification Standard
• 4 verification (assurance) levels across more than 120 security controls
• Tailored to your own risk aversion
• https://www.owasp.org/index.php/ASVS
Documents: OpenSAMM
• Open Software Assurance Maturity Model
• https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
OWASP Switzerland's structure
• No legal form (yet, just a few days left)
• Leader: Sven Vetsch
• Board members: Tobias Christen, Antonio Fontes
– Based in Zurich
– 130 mailing list members
– Next meeting: June 14th
• Other local city/region chapters:
– OWASP Geneva
• 90 list members
• Next meeting: September 6th
Activities: meetings and conferences
• Local chapter meetings:
– 1, 2, 3 speakers per event
– Geneva, Yverdon, Zurich
– ~8 meetings/year
– Attendance: 15-100 people
– People love these meetings!
• (Historical) conference partnerships:
Activities: awareness sessions
• Awareness session for Swiss organizations:
– 1 hour, head-to-head session with an OWASP representative at your company
– Syllabus: OWASP organization, OWASP projects and membership opportunities
– 4 Swiss private companies requested this in 2010
– It’s free!
• BUT: it’s not free training or consulting!! → No product names → No "reviews" → No training.
OWASP Switzerland is live! (non-exhaustive list, sorry for those I forgot :-( )
– Ivan Butler: Web application firewall & Hacking lab
– Tobias Christen: Security & Usability
– Alexis Fitzgerald: Gathering application security requirements
– Christian Folini: ModSecurity CRS & DDoS defense
– Antonio Fontes: Threat modelling & Lifecycle security
– Axel Neumann: Zed Attack Proxy
– Sylvain Maret: Strong authentication
– Pierre Parrend: Java mobile applications
– Sven Vetsch: Advanced XSS attacks and defense
– ... ← come to me after the talk if you want your name here
Visit the OWASP website: https://www.owasp.org
Join the OWASP Switzerland mailing list: http://www.owasp.ch
Follow us on Twitter: @OWASP_ch / @OWASP
Get in touch with your local OWASP representatives:
– Sven Vetsch (Switzerland): [email protected]
– Antonio Fontes (Western/French Switzerland): [email protected]
Thank you!