[owasp-bulgaria] g. geshev - chapter introductory lecture

Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OWASP Plan - Strawman

Georgi GeshevOWASP Bulgaria [email protected]+359-884-237-20703.04.10

OWASP 2

Agenda

Part 1: Introduction -Who are we?• What is this project all about?• Would you like to join the OWASP community?

Part 2: Real world stories• Care to know about the OWASP Top 10 project?• How’s the web down there in Wonderland?

OWASP 3

Introduction

Who Am I?(1) Free and Open Source Software Evangelist

OWASP 4

Introduction


(2) Enthusiastic Infosec Ninja

OWASP 5

Introduction


(2) Enthusiastic Infosec Ninja① + ②= ?

OWASP 6

Introduction


(2) Enthusiastic Infosec Ninja① + ②= ?

Here’s the OWASP formula..FOSS + WEB × APP × SEC = OWASP

OWASP 7

The Open Web Application Security Project

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

http://www.owasp.org/index.php

OWASP 8

The Open Web Application Security ProjectThe Local Chapters

Over 150 local chapters worldwide..

OWASP 9

The Open Web Application Security ProjectOWASP Bulgaria

• This local chapter was founded in late 2010• Less than 10 mailing list members• Please consider joining the local chapter mailing list

• Regular chapter meetings• Welcome to the first one of ‘em!

• For submissions, suggestions, offers and questions..• Forward your message to the mailing list• Contact me via email

OWASP 10

The Open Web Application Security ProjectOrganization Supporters

OWASP 11

OWASP 12

The Open Web Application Security ProjectShow Your Support

Consider…• Donating• Becoming an OWASP (local chapter) member• Attending the local chapter regular meetings• Attending an OWASP AppSec series conference• Global AppSec Europe - June 6th-11th 2011 @Dublin, Ireland

• Contributing to an OWASP project• Developers, beta testers, etc.

OWASP 13

The Open Web Application Security ProjectAffiliation and Membership

Categories of Membership and Supporters• Individual Supporters• Single Meeting Supporter• Organization Supporters• Accredited University Supporters

OWASP 14

The Open Web Application Security ProjectMembership

Why Become a Supporting Member?• Ethics and principals of OWASP Foundation• Underscore your awareness of web application software security• Attend OWASP conferences at a discount• Expand your personal network of contacts• Support a local chapter of your choice• Get your @owasp.org email address• Have individual vote in electionshttp://www.owasp.org/index.php/Membership

OWASP 15

The Open Web Application Security ProjectOWASP Projects

Tools and documents are organized into the following categories:

• Protect – These are tools and documents that can be used to guard against security-related design and implementation flaws.

• Detect – These are tools and documents that can be used to find security-related design and implementation flaws.

• Life Cycle – These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

OWASP 16

The Open Web Application Security ProjectThe OWASP Top 10 Project

Project details..• The OWASP Top Ten provides a powerful awareness

document for web application security. • The OWASP Top Ten represents a broad consensus about

what the most critical web application security flaws are.• Its latest (stable) release dates from April 2010.• Creative Commons Attribution Share Alike 3.0 License ;)http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

OWASP 17


The OWASP Top 10 Web Application Security Risks -

A1: Injection

OWASP 18



A1: InjectionA2: Cross-Site Scripting (XSS)

OWASP 19



A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session Management

OWASP 20



A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object References

OWASP 21



A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)

OWASP 22



A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)A6: Security Misconfiguration

OWASP 23



A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)A6: Security MisconfigurationA7: Insecure Cryptographic Storage

OWASP 24



A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)A6: Security MisconfigurationA7: Insecure Cryptographic StorageA8: Failure to Restrict URL Access

OWASP 25



A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)A6: Security MisconfigurationA7: Insecure Cryptographic StorageA8: Failure to Restrict URL AccessA9: Insufficient Transport Layer Protection

OWASP 26



A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)A6: Security MisconfigurationA7: Insecure Cryptographic StorageA8: Failure to Restrict URL AccessA9: Insufficient Transport Layer ProtectionA10: Unvalidated Redirects and Forwards

OWASP 27


OWASP 28


OWASP 29


“Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.”

http://www.owasp.org/index.php/Top_10_2010-Main

OWASP 30


Companies, vendors and others (officially) profiting from The OWASP Top 10..

OWASP 31

The Open Web Application Security ProjectOWASP Guides

Don’t stop at The OWASP Top 10!Because The OWASP Top 10 project is simply not enough..• OWASP Development Guide (Developer’s Guide)• OWASP Testing Project (Testing Guide)• OWASP Code Review Project (Code Review Guide)

OWASP 32

The Open Web Application Security ProjectВ страната на чудесата ;)

OWASP 33


“Здравословното” състояние на българския уеб..

OWASP 34


OWASP 35

Shout outs go to …

• Kate Hartmann (Operations Director at OWASP)• Tom Brennan (Global Board Member at OWASP)

All of these folks and a few more..• P. Stefanov• Y. Kolev• M. Soler

..for kindly recommending and helping me set up this chapter!• Thank you to all of you for attending this very first meeting ;)

OWASP 36

Thank you for your attention!

Please forward any questions, comments and suggestions to: [email protected]

[owasp-bulgaria] g. geshev - chapter introductory lecture

Technology