open%web%applicaon%security%project - hacking … · – web%applicaon%threats%and%countermeasures%...

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation http://www.owasp.org

Open Web Applica-on Security Project Antonio Fontes

[email protected] SWISS CYBER STORM Conference – May 2011

Rapperswil

A few words about me •  Antonio Fontes

–  6 years background working on soMware security & privacy –  Founder and principal consultant at L7 Securité Sàrl –  Lecturer at HST Yverdon (HEIG-‐VD)

•  Focus: –  Web applica-on threats and countermeasures –  Secure development lifecycle –  Penetra-on tes-ng and vulnerability assessment –  SoMware threat modelling and risk analysis

•  OWASP: –  OWASP Switzerland : member of the board, western Switzerland delegate –  OWASP Geneva: Chapter leader

12/05/2011 Swiss Cyber Storm III -‐ May 2011 -‐ Rapperswil 2

cat /wwwroot/agenda.html

•  Why do organiza-ons need OWASP? •  OWASP worldwide •  OWASP in Switzerland •  Q/A


Thermometer:


“Is your organization already using OWASP material?” - For internal software development? - For outsourced custom software? - For COTS acquisition?

photo by Dave Oshry

Why do organisa-ons need OWASP?




77 million users! 101 million users!



Handout from Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen. (May. 1st. 2011)

photo by Dave Oshry

Just a lihle check:


“Who knows PBKDF2?”



Who understands this in your organisa6on?



Use hashes!!

No! Don't use hashes!!


•  Outside the organisa-on: –  Increasing adop-on of “Anything over HTTP” –  Increasing “hos-le” interest in online services: –  Increasing “threat popula-on” – Web hacking/security is easy to understand/teach – Low risk of being “caught” –  Increasing offer in security consul-ng, services and products



•  Inside organisa-ons: – Developers dealing with dozens web technologies – Heterogonous development teams and lifecycles –  Constant pressure for delivery –  Turnover and loss of internal know-‐how – Who in the company is actually both up-‐to-‐date on the concept of “(web) applica-ons security” and has the power to take decisions?

– Who in the company is actually able to qualify security products and services that are paid for?




2001

2003

2005

2007

2010 2011

OWASP founda-on


Mission

“Make applica+on security visible, so that people and organisa+ons can make informed decisions about applica+on security risks.”

U.S. 501c3 not-‐for-‐profit charitable interna-onal organiza-on

Structure

Core values

Open, Global, Innova+on, Worldwide

Code of ethics

Independence from vendors, technology-‐agnos+c

"strategy" (or so...)


Web Applica-on

Tools

Methods

People

Threat

Company assets

Web Applica-on Summit

Commihees

Board

Chapters

Projects

Conferences

Members

Website

?

OWASP people


Project Leaders

•  Responsible for driving volunteers effort on OWASP material projects: – Workshops – Brainstorming sessions – Analysis/repor-ng – Guides edi-ng – Tools coding – 19 quality-‐release and 26 beta-‐status projects


P

M T

Chapter Leaders

•  Responsible for leading Local Chapters: – 188 Chapters worldwide – More than 300 yearly mee-ngs worldwide

– Connect with local organisa-ons


Next local chapter mee-ng: Zurich – June 14th

P

M T

Global Commihees •  Responsible for driving volunteers effort on global OWASP outreach.

•  OWASP current Global Commihees: –  Industries – Membership – Government –  Educa-on –  Projects –  Events –  Connec-ons


P

M T

Employees and contractors

•  Kate Hartmann –  Logis-cs and day-‐to-‐day support for leaders of the 188 local chapters

•  Alison Shrader – Accoun-ng & Administra-on

•  Paulo Coimbra – OWASP PMO

•  Sarah Basso – Opera-ons during OWASP events


•  Conference dedicated to research work on applica-on security

Research conference


P

M T

•  Yearly global applica-on security focused conferences: – Europe – North America – South America – Asia

Appsec conference


P

M T

Next OWASP Conference in Europe: Dublin – June 7th-‐10th 2011

•  Intensive 1-‐week workshop event with leaders, contributors, sponsors and soMware vendors: –  Ability to connect with leading soMware vendors and corporate members

– More than 150 reunited chapter & project leaders

–  80 workshops

Summits


P

M T

OWASP members


OWASP Membership

•  Individual members: – Annual fee: 50$/year – Free access to OWASP Training day events – Reduced fees at OWASP Events – Current count:

1383 individual contribu-ng members


OWASP Membership

•  Corporate members: 52 public corporate members Annual fee: 5’000$/year Delegates for the Summit event

Logo on website, use as marke-ng argument

Majority is from the US, but Switzerland is also there


OWASP Membership

•  Academic members: – Annual fee: 0$/year – Donate: support – 40 members – Switzerland:

•  1 officialised partnership (HEIG-‐VD) •  2 pending partnerships


OWASP: the web portal


hhps://www.owasp.org

– 250’000 unique visitors monthly – 650’000 pages viewed monthly – 60% driven by search engines – 19% referred by other websites – Highest traffic mo-ves:

•  OWASP Top 10 • Webscarab project •  XSS preven6on cheat sheet •  “sql injec6on”


hhp://lists.owasp.org

•  More than 400 mailing lists currently running

•  25’900 users •  Related to: tools, documents, methods, commihees, events, outreach, leaders, etc.


OWASP projects


OWASP projects: Tools


Analyze Design Implement Verify Deploy Respond

ModSecurity CRS

Academy portal, Broken Web applica-ons, ESAPI Swingset, Webgoat

JBroFuzz

LiveCD

WebScarab

Code Crawler

O2

DirBuster

WebScarab

Orizon

Zed Ahack Proxy

An-SAMMY

ESAPI

CSRFGuard

Encoding

S-nger

OWASP projects: Documents


Analyze Design Implement Verify Deploy Respond

Code Review

Tes-ng

ASVS

Academy, Appsec FAQ, Appsec metrics, Common Vuln. List, Educa-on, Exams, Legal, OWASP Top 10

Code Review

Tes-ng

Backend Security

Threat risk modeling

Secure contract

Applica-on security

requirements

Development

RoR Security

.NET Security

Secure coding prac-ces

AJAX Security

J2EE Security

PHP Security

•  COTS web applica-on for webapp security (CBT) training –  Click and run –  /index.php/Webgoat

Tools: webgoat


P

M T

Tools: ModSecurity core ruleset

•  Cri-cal protec-ons centralized in a core ruleset (CRS) to be installed on ModSecurity enabled Apache servers

•  Provides: – HTTP Protocol compliance – Ahack detec-on –  Error detec-on –  Search engine monitoring

•  hhps://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project


P

M T

Tools: Entreprise Security API •  Control library encapsula-ng most security func-ons required in web applica-ons: –  Authen-ca-on –  Access control –  Sessions –  Encoding –  Input valida-on –  Encryp-on –  Logging –  Intrusion detec-on –  …

•  hhps://www.owasp.org/index.php/ESAPI 12/05/2011 Swiss Cyber Storm III -‐ May 2011 -‐ Rapperswil 38

P

M T

Documents: OWASP Top 10 •  hhps://www.owasp.org/index.php/Top10


P

M T

Documents: code review guide

•  Instruc-ons and methodology manual for conduc-ng code security reviews

•  Guidance on detec-ng the major security flaws created during implementa-on

•  hhps://www.owasp.org/index.php/Category:OWASP_Code_Review_Project


P

M T

Documents: ASVS

•  ASVS: Applica-on Security Verifica-on Standard

•  4 verifica-on (assurance) levels across more than 120 security controls

•  Tailored to your own risk aversion

•  hhps://www.owasp.org/index.php/ASVS


P

M T

Documents: OpenSAMM

•  Open SoMware Assurance Maturity Model

hhps://www.owasp.org/index.php/Category:SoMware_Assurance_Maturity_Model


P

M T

OWASP Switzerland


OWASP Switzerland's structure •  No legal form (yet, just a few days leM) •  Leader: Sven Vetsch •  Board members: Tobias Christen, Antonio Fontes –  Based in Zurich –  130 mailing list members – Next mee6ng: June 14th

•  Other local city/region chapters: – OWASP Geneva

•  90 list members •  Next mee-ng: September 6th


Ac-vi-es: mee-ngs and conferences

•  Local chapter mee-ngs: –  1,2,3 speakers per event –  Geneva, Yverdon, Zurich –  ~8 mee-ngs/year –  Ahendance: 15-‐100 people –  People love these mee-ngs!

•  (Historical) conference partnerships:


Ac-vi-es: awareness sessions

•  Awareness session for Swiss organiza-ons: – 1 hour, head-‐to-‐head session with an OWASP representa-ve at your company

– Syllabus: OWASP organiza-on, OWASP projects and membership opportuni-es

– 4 Swiss private companies requested this in 2010 –  It’s free!

•  BUT: it’s not free training or consul-ng!! à No product names à No "reviews" à No training.


OWASP Switzerland is live! (non exhaus-ve list, sorry for those I forgot L) –  Ivan Butler: Web applica-on firewall & Hacking lab

–  Tobias Christen: Security & Usability –  Alexis Fitzgerald : Gathering applica-on security requirements

–  Chris-an Folini : ModSecurity CRS & DDoS defense

–  Antonio Fontes : Threat modelling & Lifecycle security

–  Axel Neumann: Zed Ahack Proxy –  Sylvain Maret : Strong authen-ca-on –  Pierre Parrend : Java mobile applica-ons

–  Sven Vetsch : Advanced XSS ahacks and defense –  ... ß come to me aMer the talk if you want your name here


Visit the OWSAP Website: hhps://www.owasp.org Join the OWASP Switzerland mailing list: hhp://www.owasp.ch Follow us on Twiher: @OWASP_ch / @OWASP Get in touch with your local OWASP representa-ves: Sven Vetsch Antonio Fontes (Switzerland) (Western/French Switzerland)

[email protected] [email protected]


Thank you!