Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Projects and Resources You Can Use Today: An Overview
29.11.2012
About Myself
Security Architect
International Presenter
Member of OWASP and ISACA global organizations
OWASP Ireland Limerick Chapter Leader https://www.owasp.org/index.php/Ireland-Limerick
Security Researcher PhD, MEng
http://www.ventuneac.net
http://secureappdev.blogspot.com
http://dcsl.ul.ie
State of Information Security
The problem
There are not enough qualified application security professionals
What can we do about it?
Make application security visible
Provide Developers and Software Testers with materials and tools helping them to build more secure applications
Who is OWASP?
Open Web Application Security Project
http://www.owasp.org
Global community driving and promoting the safety and security of the world's software
OWASP is a registered nonprofit in the United States and Europe
Everyone is free to participate
All OWASP materials & tools are free
OWASP by the Numbers
11 years of community service
88+ Government & Industry Citations
including DHS, ISO, IEEE, NIST, SANS Institute, CSA, etc
30,000 + participant mailing lists
250,000+ unique visitors per month
800,000+ page views per month
15,000+ downloads per month
OWASP by the Numbers (cont)
Budget for 2012: $591,275
2081 individual members and honorary members from over 70 countries
55+ paid Corporate Members
53+ Academic Supporters
193+ Active Chapters
113+ Active Projects
4 Global AppSec Conferences per Year
OWASP by the Numbers (cont)
OWASP Near You – Romania Chapter
Promote application security and create local security communities
Started in 2008 by Claudiu Constantinescu
2012 Chapter Reboot
Chapter Leader - Tudor Enache
Penetration Tester @ Electronic Arts
Specialized in web and mobile application security testing
https://www.owasp.org/index.php/Romania
OWASP Projects & Tools
Make application security visible
Videos, podcasts, books, guidelines, cheat sheets, tools, …
Available under a free and open software license
Used, recommended and referenced by many government, standards and industry organisations
Open for everyone to participate
OWASP Projects & Tools - Classification
113+ Active Projects
PROTECT
guard against security-related design and implementation flaws.
DETECT
find security-related design and implementation flaws.
LIFE CYCLE
add security-related activities into software processes (e.g. SDLC, agile)
OWASP Projects & Tools – An Overview
DETECT
OWASP Top 10
OWASP Code Review Guide
OWASP Testing Guide
OWASP Cheat Sheet Series
PROTECT
OWASP ESAPI
OWASP ModSecurity CRS
OWASP AppSec Tutorials
OWASP ASVS
OWASP LiveCD / WTE
OWASP ZAP Proxy
LIFE CYCLE
WebGoat J2EE
WebGoat .NET
Full list of projects (release, beta, alpha) http://www.owasp.org/index.php/Category:OWASP_Project
OWASP Top 10 Security Risks (DETECT)
The most visible OWASP project
Classifies some of the most critical risks
Essential reading for anyone developing web applications
Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, FTC, and many more
OWASP Top 10 Security Risk (2010 edition)
http://www.owasp.org/index.php/Top_10
OWASP Top 10 Risk Rating Methodology
Score                 Threat Agent   Attack Vector   Weakness Prevalence   Weakness Detectability   Technical Impact   Business Impact
1 (highest risk)      ?              Easy            Widespread            Easy                     Severe             ?
2                     ?              Average         Common                Average                  Moderate           ?
3 (lowest risk)       ?              Difficult       Uncommon              Difficult                Minor              ?
Injection Example                    1               2                     2                        1
Likelihood = average of Attack Vector, Weakness Prevalence and Weakness Detectability = (1 + 2 + 2) / 3 = 1.66 (as shown on the slide)
1.66 * 1 (Technical Impact) = 1.66 weighted risk rating
Threat Agent and Business Impact ("?") are application-specific and left to the reader
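The scoring arithmetic behind the Injection row above, written out as an added Python example for this page (it is not OWASP's own tooling): each likelihood factor and the technical impact take a score of 1, 2 or 3 as in the table, likelihood is the average of the three weakness factors, and the weighted rating is likelihood times technical impact, so a smaller number means a higher risk. The `rank` helper generalises the slide's single example to ordering several candidate risks; the second candidate is constructed for illustration.

```python
"""OWASP Top 10 (2010) risk rating arithmetic, as shown on the slide.

Added illustration for this page, not OWASP's own code.
Scores: 1 = easiest / most widespread / most severe, 3 = hardest / rarest / least severe.
"""
from dataclasses import dataclass

# Score tables transcribed from the slide's rating matrix.
ATTACK_VECTOR = {"Easy": 1, "Average": 2, "Difficult": 3}
WEAKNESS_PREVALENCE = {"Widespread": 1, "Common": 2, "Uncommon": 3}
WEAKNESS_DETECTABILITY = {"Easy": 1, "Average": 2, "Difficult": 3}
TECHNICAL_IMPACT = {"Severe": 1, "Moderate": 2, "Minor": 3}


@dataclass(frozen=True)
class RiskFactors:
    attack_vector: str
    prevalence: str
    detectability: str
    technical_impact: str


def likelihood(f: RiskFactors) -> float:
    """Average of the three likelihood factors (lower = more likely)."""
    return (ATTACK_VECTOR[f.attack_vector]
            + WEAKNESS_PREVALENCE[f.prevalence]
            + WEAKNESS_DETECTABILITY[f.detectability]) / 3


def weighted_risk_rating(f: RiskFactors) -> float:
    """Likelihood multiplied by technical impact; lower = higher risk."""
    return likelihood(f) * TECHNICAL_IMPACT[f.technical_impact]


def rank(candidates: dict[str, RiskFactors]) -> list[tuple[str, float]]:
    """Order named risks from highest risk (smallest rating) to lowest."""
    return sorted(((name, weighted_risk_rating(f)) for name, f in candidates.items()),
                  key=lambda item: item[1])


# Injection example from the slide: Easy / Common / Average / Severe -> 1, 2, 2, 1
INJECTION = RiskFactors("Easy", "Common", "Average", "Severe")
# Constructed second candidate, the least risky corner of the matrix.
LOW_RISK_EXAMPLE = RiskFactors("Difficult", "Uncommon", "Difficult", "Minor")

if __name__ == "__main__":
    for name, rating in rank({"Injection": INJECTION, "Low-risk example": LOW_RISK_EXAMPLE}):
        print(f"{name}: {rating:.2f}")
```

The exact value is 5/3, which the slide truncates to 1.66; comparing ratings across candidates is what the method is for, so keep the full float and format only when displaying.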
OWASP Code Review Guide
Code review is probably the most effective technique for identifying security flaws
Focuses on the mechanics of reviewing code for certain vulnerabilities
A key enabler for the OWASP fight against software insecurity
Stable release v1.1, v2 is in progress
OWASP Code Review Guide (cont)
Focuses on .NET and Java, but has some C/C++ and PHP
Integration of secure code review into software development processes
Understand what you are reviewing
Security code review is not a silver bullet, but a key component of an information security (IS) program
OWASP Testing Guide
Create a "best practices" web application penetration testing framework
A low-level web application penetration testing guide
Recommended for developers and software testers
Version 3 available, version 4 is in progress
https://www.owasp.org/index.php/OWASP_Testing_Project
OWASP Cheat Sheet Series
Provide a concise collection of high value information on specific web application security topics
https://www.owasp.org/index.php/Cheat_Sheets
Developer Cheat Sheets (Builder): Authentication, Clickjacking Defense, Cryptographic Storage, HTML5 Security, Input Validation, Query Parameterization, Session Management, SQL Injection Prevention, …
Assessment Cheat Sheets (Breaker): Attack Surface Analysis, XSS Filter Evasion, …
Mobile Cheat Sheets: IOS Developer, Mobile Jailbreaking, …
OWASP Cheat Sheet Series (cont)
The most visible OWASP project
Classifies some of the most critical risks
Essential reading for anyone developing web applications
Referenced by standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more
OWASP Cheat Sheet Series (cont)
OWASP AppSec Tutorial Series
https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
MAKE APPSEC MORE VISIBLE
Provide top notch application security video based training
Four episodes available
OWASP ASVS - Application Security Verification Standard
Provides a basis for testing application technical security controls
Use as a metric – assess the degree of trust that can be placed in existing security controls
Use as guidance – for what to build as part of planned security controls
Use during procurement
OWASP ASVS Levels
Level 1 – Automated Verification
Level 1A – Dynamic Scan
(Partial Automated Verification)
Level 1B – Source Code Scan
(Partial Automated Verification)
Level 2 – Manual Verification
Level 2A – Penetration Test
(Partial Manual Verification)
Level 2B – Code Review
(Partial Manual Verification)
Level 3 – Design Verification
Level 4 – Internal Verification
OWASP ASVS Verification Requirements
V1. Security Architecture
V2. Authentication
V3. Session Management
V4. Access Control
V5. Input Validation
V6. Output Encoding/Escaping
V7. Cryptography
V8. Error Handling and Logging
V9. Data Protection
V10. Communication Security
V11. HTTP Security
V12. Security Configuration
V13. Malicious Code Search
V14. Internal Security
OWASP LiveCD / WTE
Make application security tools and documentation easily available
Collects some of the best open source security projects in a single environment
Boot from this Live CD and have access to a full security testing suite
http://appseclive.org/
OWASP Zed Attack Proxy Project (PREVENT)
One of the flagship OWASP projects
Easy to use integrated penetration testing tool for assessing web applications
Ideal for developers and functional testers who are new to penetration testing
Completely free and open source
Cross platform, internationalised
Current version 1.4.1 (v2 in progress)
OWASP ZAP Proxy - Features
Intercepting Proxy
Automated scanner
Passive scanner
Brute Force scanner
Spider
Fuzzer
Port scanner
Dynamic SSL certificates
API
Beanshell integration
Upcoming:
New Spider
New 'Ajax' Spider
Session Awareness
Web Socket Support
Session Scope
Different Modes
(Safe/Protected/Standard)
Scripting console
OWASP ZAP Proxy - DEMO
OWASP ESAPI – Enterprise Security API
Free, open source, web application security controls library
Provide developers with libraries for writing lower-risk applications
Allow retrofitting security into existing applications
Serve as a solid foundation for new development
Support for Java, PHP and Force.com; more languages may be supported in the future
OWASP ESAPI (PROTECT)
Diagram (three layers, top to bottom):
Custom Enterprise Web Application
Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Existing Enterprise Security Services/Libraries
OWASP ESAPI – Validation and Encoding
Diagram layers: User, Backend Controller, Business Functions, Data Layer, with the Validator and Encoder components
Encoder: encodeForURL, encodeForJavaScript, encodeForVBScript, encodeForDN, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath
Validator: isValidDirectoryPath, isValidCreditCard, isValidDataFromBrowser, isValidListItem, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine
Canonicalization, Double Encoding Protection, Normalization, Sanitization
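To make the Validator/Encoder split and the double-encoding protection concrete, here is an added Python illustration written for this page. It is not ESAPI's own implementation and makes no claim about ESAPI internals; the function names only mirror the slide's method names in Python style, and the redirect allow-list, the sample inputs and `render_profile_link` are constructed for the example. The point it shows is that input is canonicalized once on the way in (and rejected if it was encoded more than once), validated against what the application expects, and then encoded separately for each output context it lands in.

```python
"""Canonicalize, validate, then encode per output context.

Added illustration for this page in the style of the ESAPI Encoder/Validator
split; not ESAPI's code. Assumed: URL percent-encoding is the only input
encoding in play, and redirects may only go to a fixed allow-list of hosts.
"""
import html
import urllib.parse


def canonicalize(value: str) -> str:
    """Reduce URL percent-encoding to plain text, rejecting double encoding.

    Decoding a second time must not change the result; if it does, the input
    was encoded more than once (e.g. %253C for '<'), which is a filter-evasion
    pattern, so it is refused instead of silently decoded.
    """
    once = urllib.parse.unquote(value)
    twice = urllib.parse.unquote(once)
    if twice != once:
        raise ValueError("double encoding detected")
    return once


def encode_for_html(value: str) -> str:
    """HTML element content: escape & < > \" ' as entities."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Quoted HTML attribute value: every non-alphanumeric becomes &#xHH;."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):x};" for c in value)


def encode_for_javascript(value: str) -> str:
    """JavaScript string literal: \\xHH for non-alphanumeric Latin-1, \\uHHHH otherwise."""
    out = []
    for c in value:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 256:
            out.append("\\x%02x" % ord(c))
        else:
            out.append("\\u%04x" % ord(c))
    return "".join(out)


def encode_for_url(value: str) -> str:
    """URL query component: percent-encode everything except unreserved characters."""
    return urllib.parse.quote(value, safe="")


def is_valid_redirect_location(target: str, allowed_hosts: set[str]) -> bool:
    """Accept a same-site relative path or an https URL to an allow-listed host.

    Canonicalizing first means '%2F%2Fevil.example' is seen as '//evil.example'
    (a protocol-relative URL to another origin) and refused; backslashes are
    refused because some browsers treat '/\\host' the same way.
    """
    try:
        canonical = canonicalize(target)
    except ValueError:
        return False
    if "\\" in canonical:
        return False
    if canonical.startswith("/") and not canonical.startswith("//"):
        return True
    parts = urllib.parse.urlsplit(canonical)
    return parts.scheme == "https" and (parts.hostname or "") in allowed_hosts


def render_profile_link(display_name: str, user_id: str) -> str:
    """One anchor where the same value lands in four contexts, each encoded for its own rules."""
    return ('<a href="/profile?id=' + encode_for_url(user_id) + '" '
            'title="' + encode_for_html_attribute(display_name) + '" '
            "onclick=\"track('" + encode_for_javascript(display_name) + "')\">"
            + encode_for_html(display_name) + "</a>")


if __name__ == "__main__":
    # Constructed inputs: a benign name and a tag-injection attempt.
    for name in ("Ann", "<b>"):
        print(render_profile_link(name, "1"))
    print(is_valid_redirect_location("%2F%2Fevil.example", {"app.example"}))
```

One encoder per context is the whole design: HTML-escaping a value and then dropping it into an `onclick` handler or a URL leaves the other grammar's metacharacters untouched, which is why the slide lists separate `encodeFor*` methods rather than one generic escape.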
OWASP ESAPI - OWASP Top 10 Coverage
OWASP Top Ten                                   OWASP ESAPI
A1. Cross Site Scripting (XSS)                  Validator, Encoder
A2. Injection Flaws                             Encoder
A3. Malicious File Execution                    HTTPUtilities (Safe Upload)
A4. Insecure Direct Object Reference            AccessReferenceMap, AccessController
A5. Cross Site Request Forgery (CSRF)           User (CSRF Token)
A6. Leakage and Improper Error Handling         EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions          Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage              Encryptor
A9. Insecure Communications                     HTTPUtilities (Secure Cookie, Channel)
A10. Failure to Restrict URL Access             AccessController
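The A4 row maps Insecure Direct Object Reference to the AccessReferenceMap. The following added Python example, written for this page and not ESAPI's own code, shows the idea that component implements: a per-session map hands the client random indirect tokens in place of real record keys, and only records the user is entitled to are ever entered into it, so a guessed or tampered reference resolves to nothing. The invoice store, the users and the request handler are constructed for the example.

```python
"""Indirect object references in the style of ESAPI's AccessReferenceMap.

Added illustration for this page, not ESAPI's own implementation. The
INVOICES store and the session handling are constructed sample data.
"""
import secrets


class AccessControlError(Exception):
    """Raised when a client presents a reference this session never issued."""


class AccessReferenceMap:
    """Per-session map between real (direct) keys and random indirect tokens.

    Only objects the owner may access are added, so a forged token cannot
    reach a neighbour's record: it is simply unknown to this map.
    """

    def __init__(self, direct_references=(), token_bytes: int = 8):
        self._token_bytes = token_bytes
        self._to_indirect: dict = {}
        self._to_direct: dict = {}
        for direct in direct_references:
            self.add_direct_reference(direct)

    def add_direct_reference(self, direct):
        """Register a direct key; returns its (stable) indirect token."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        while True:  # CSPRNG token, unique within this map
            indirect = secrets.token_urlsafe(self._token_bytes)
            if indirect not in self._to_direct:
                break
        self._to_indirect[direct] = indirect
        self._to_direct[indirect] = direct
        return indirect

    def get_indirect_reference(self, direct):
        """Token to render into links/forms for a key this session may use."""
        if direct not in self._to_indirect:
            raise AccessControlError("object not exposed to this session")
        return self._to_indirect[direct]

    def get_direct_reference(self, indirect):
        """Translate a token from the request back to the real key, or refuse."""
        if indirect not in self._to_direct:
            raise AccessControlError("unknown or forged reference")
        return self._to_direct[indirect]


# Constructed sample data: invoice id -> (owner, amount)
INVOICES = {1001: ("alice", 120.0), 1002: ("alice", 80.5), 2001: ("bob", 999.0)}


def build_session_map(user: str) -> AccessReferenceMap:
    """At login, expose only the caller's own invoices through indirect tokens."""
    owned = [inv for inv, (owner, _) in INVOICES.items() if owner == user]
    return AccessReferenceMap(owned)


def fetch_invoice(session_map: AccessReferenceMap, token: str):
    """Request handler: translate the token first, then read. None when refused."""
    try:
        invoice_id = session_map.get_direct_reference(token)
    except AccessControlError:
        return None
    return INVOICES[invoice_id]


if __name__ == "__main__":
    alice = build_session_map("alice")
    link = alice.get_indirect_reference(1001)  # what alice's page would contain
    print("own record:", fetch_invoice(alice, link))
    print("raw id of another user's record:", fetch_invoice(alice, "2001"))
```

Because the map is built from the caller's entitlements, the handler never has to compare the requested id against an owner column; the AccessController in the same row covers the complementary case where direct keys are kept and an explicit authorization check is made on every access.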
OWASP ModSecurity Core Rule Set
Free certified rule set for ModSecurity WAF
Generic web applications protection:
Common Web Attacks Protection
HTTP Protection
Real-time Blacklist Lookups
HTTP Denial of Service Protection
Automation Detection
Integration with AV Scanning for File Uploads
Tracking Sensitive Data
Identification of Application Defects
Error Detection and Hiding
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
OWASP WebGoat Java Project
Deliberately insecure J2EE web application to teach web application security lessons
Over 30 lessons, providing hands-on learning about
Cross-Site Scripting (XSS)
Access Control
Blind/Numeric/String SQL Injection
Web Services
… and many more
Version 5.4 available, v6 in progress
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
OWASP WebGoat Java Project - DEMO
OWASP WebGoat.NET Project
A purposefully broken ASP.NET web application
Contains many common vulnerabilities
Intended for use in classroom environments
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET
DEMO
OWASP ZAP Proxy
OWASP WebGoat Java Project
Thank You