Open Web Applica-on Security Project

Copyright © The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

http://www.owasp.org

Open  Web  Applica-on  Security  Project  

Antonio  Fontes  

[email protected]  

SWISS  CYBER  STORM  Conference  –  May  2011  

Rapperswil  

A  few  words  about  me  

•

Antonio  Fontes  

–

6  years  background  working  on  soMware  security  &  privacy  

–

Founder  and  principal  consultant  at  L7  Securité  Sàrl  

–

Lecturer  at  HST  Yverdon  (HEIG-­‐VD)  

•

Focus:    

–

Web  applica-on  threats  and  countermeasures  

–

Secure  development  lifecycle  

–

Penetra-on  tes-ng  and  vulnerability  assessment  

–

SoMware  threat  modelling  and  risk  analysis  

•

OWASP:  

cat  /wwwroot/agenda.html  

•

Why  do  organiza-ons  need  OWASP?  

•

OWASP  worldwide  

•

OWASP  in  Switzerland  

Thermometer:  

“Is your organization already using

OWASP material?”

- For internal software development?

- For outsourced custom software?

- For COTS acquisition?

Why  do  organisa-ons  need  OWASP?  

Why  do  organisa-ons  need  OWASP?  

Handout  from  Sony  

Entertainment  Online  

conference  on  the  

recent  computer  

intrusion  that  led  to  

more  than  110  

million  user  accounts  

being  stolen.  

Just  a  lihle  check:  

Why  do  organisa-ons  need  OWASP?  

Who  understands  this  in  

your  organisa6on?  

Why  do  organisa-ons  need  OWASP?  

Use  hashes!!  

No!  Don't  use  

hashes!!  

Why  do  organisa-ons  need  OWASP?  

•

Outside  the  organisa-on:  

–

Increasing  adop-on  of  “Anything  over  HTTP”  

–

Increasing  “hos-le”  interest  in  online  services:  

–

Increasing  “threat  popula-on”  

–

Web  hacking/security  is  easy  to  understand/teach  

–

Low  risk  of  being  “caught”  

–

Increasing  offer  in  security  consul-ng,  services  

Why  do  organisa-ons  need  OWASP?  

•

Inside  organisa-ons:  

–

Developers  dealing  with  dozens  web  technologies  

–

Heterogonous  development  teams  and  lifecycles  

–

Constant  pressure  for  delivery  

–

Turnover  and  loss  of  internal  know-­‐how  

–

Who  in  the  company  is  actually  both  up-­‐to-­‐date  on  

the  concept  of  “(web)  applica-ons  security”  and  has  

the  power  to  take  decisions?  

–

Who  in  the  company  is  actually  able  to  qualify  

Why  do  organisa-ons  need  OWASP?  

2001

2003

2005

2007

2010

2011

OWASP  founda-on  

Mission  

“Make  applica+on  security  

visible,  so  that  people  and  

organisa+ons  can  make  

informed  decisions  about  

applica+on  security  risks.”  

U.S.  501c3  not-­‐for-­‐

profit  charitable  

interna-onal  

organiza-on  

Structure  

Core  values  

Open,  Global,  

Innova+on,  Worldwide  

Code  of  ethics  

Independence  from  vendors,  

technology-­‐agnos+c

"strategy"

 (or  so...)

Web  

Applica-on  

Tools  

Methods  

People  

Threat  

Company  assets  

Web  

Applica-on  

Summit  

Commihees  

Board  

Chapters  

Projects  

Conferences  

Members  

Website  

?

Project  Leaders  

•

Responsible  for  driving  volunteers  effort  on  

OWASP  material  projects:  

–

Workshops  

–

Brainstorming  sessions  

–

Analysis/repor-ng  

–

Guides  edi-ng  

–

Tools  coding  

–

19  quality-­‐release  and    

26  beta-­‐status  projects  

P  

M  

T  

Chapter  Leaders  

•

Responsible  for  leading  Local  Chapters:  

–

188  Chapters  worldwide  

–

More  than  300  yearly    

mee-ngs  worldwide  

–

Connect  with  local    

organisa-ons    

Next  local  chapter  mee-ng:  

Zurich  –  June  14

th

P  

M  

Global  Commihees  

•

Responsible  for  driving  volunteers  effort  on  

global  OWASP  outreach.  

•

OWASP  current  Global  Commihees:    

–

Industries  

–

Membership  

–

Government  

–

Educa-on  

–

Projects  

–

Events  

–

Connec-ons  

P  

M  

T  

Employees  and  contractors  

•

Kate  Hartmann  

–

Logis-cs  and  day-­‐to-­‐day  support    

for  leaders  of  the  188  local  chapters  

•

Alison  Shrader  

–

Accoun-ng  &  Administra-on  

•

Paulo  Coimbra  

–

OWASP  PMO  

•

Sarah  Basso  

•

Conference  dedicated  to  research  work  on  

applica-on  security  

Research  conference  

P  

M  

•

Yearly  global  applica-on  security  focused  

conferences:    

–

Europe  

–

North  America  

–

South  America  

–

Asia  

Appsec  conference  

P  

M  

T  

Next  OWASP  Conference  in  Europe:  

•

Intensive  1-­‐week  workshop  event  with  leaders,  

contributors,  sponsors  and  soMware  vendors:  

– 

Ability  to  connect    

with  leading  soMware    

vendors  and    

corporate  members  

– 

_{More  than  150}    

reunited  chapter  &    

project  leaders  

– 

_{80  workshops}    

Summits  

P  

M  

T  

OWASP  Membership  

•

Individual  members:  

–

Annual  fee:  50$/year  

–

Free  access  to  OWASP  Training  day  events  

–

Reduced  fees  at  OWASP  Events  

–

Current  count:    

OWASP  Membership  

•

Corporate  members:  

52  public  corporate  members  

Annual  fee:  5’000$/year  

Delegates  for  the    

Summit  event  

Logo  on  website,  use  as    

marke-ng  argument  

Majority  is  from  the  US,  

but  Switzerland  is  also    

OWASP  Membership  

•

Academic  members:  

–

Annual  fee:  0$/year  

–

Donate:  support  

–

40  members  

–

Switzerland:  

• 

1  officialised    

partnership    

(HEIG-­‐VD)  

• 

_{2  pending}    

partnerships  

hhps://www.owasp.org  

–

250’000  unique  visitors  monthly  

–

650’000  pages  viewed  monthly  

–

60%  driven  by  search  engines  

–

19%  referred  by  other  websites    

–

Highest  traffic  mo-ves:  

• 

_{OWASP  Top  10}  

• 

Webscarab  project  

• 

_{XSS  preven6on  cheat  sheet}  

• 

_{“sql  injec6on”}  

hhp://lists.owasp.org  

•

More  than  400  mailing  lists    

currently  running  

•

25’900  users  

•

Related  to:  tools,  documents,    

methods,  commihees,    

events,  outreach,  leaders,    

etc.  

OWASP  projects:  Tools  

Analyze  

Design  

Implement  

Verify  

Deploy  

Respond  

ModSecurity  

CRS  

JBroFuzz  

LiveCD  

WebScarab  

Code  Crawler  

O2  

DirBuster  

WebScarab  

Orizon  

Zed  Ahack  

Proxy  

An-SAMMY  

ESAPI  

CSRFGuard  

Encoding  

S-nger  

OWASP  projects:  Documents  

Analyze  

Design  

Implement  

Verify  

Deploy  

Respond  

Code  Review  

Tes-ng  

ASVS  

Academy,  Appsec  FAQ,  Appsec  metrics,  Common  Vuln.  List,  Educa-on,  Exams,  Legal,  OWASP  Top  10  

Code  Review  

Tes-ng  

Backend  

Security  

Threat  risk  

modeling  

Secure  

contract  

Applica-on  

security  

requirements  

Development  

RoR  Security  

.NET  Security  

Secure  coding  prac-ces  

AJAX  Security  

J2EE  Security  

•

COTS  web  applica-on  for  webapp  security  (CBT)  

training  

–

Click  and  run  

–

/index.php/Webgoat

Tools:  webgoat  

P  

M  

T  

Tools:  ModSecurity  core  ruleset  

•

Cri-cal  protec-ons  centralized  in  a  core  ruleset  

(CRS)  to  be  installed    

on  ModSecurity  enabled    

Apache  servers  

•

Provides:  

–

HTTP  Protocol  compliance  

–

Ahack  detec-on  

–

Error  detec-on  

–

Search  engine  monitoring  

•

hhps://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project    

P  

M  

Tools:  Entreprise  Security  API  

•

Control  library  encapsula-ng  most  security  func-ons  

required  in  web  applica-ons:  

– 

Authen-ca-on  

– 

_{Access  control}  

– 

Sessions  

– 

_Encoding  

– 

Input  valida-on  

– 

Encryp-on  

– 

_Logging  

– 

Intrusion  detec-on  

– 

_…  

P  

M  

T  

Documents:  OWASP  Top  10  

• 

hhps://www.owasp.org/index.php/Top10

P  

M  

Documents:  code  review  guide  

•

Instruc-ons  and    

methodology  manual  for    

conduc-ng  code  security    

reviews  

•

Guidance  on  detec-ng  the    

major  security  flaws  created    

during  implementa-on  

• 

_{hhps://www.owasp.org/index.php/}

P  

M  

Documents:  ASVS  

•

ASVS:  Applica-on  Security  

Verifica-on  Standard  

•

4  verifica-on  (assurance)    

levels  across  more  than  120    

security  controls  

•

Tailored  to  your  own  risk    

aversion  

• 

_{hhps://www.owasp.org/index.php/ASVS}

P  

M  

Documents:  OpenSAMM  

•

Open  SoMware  Assurance  Maturity  Model  

hhps://www.owasp.org/index.php/

P  

M  

OWASP  Switzerland's  structure  

•

No  legal  form

 (yet,  just  a  few  days  leM)

•

Leader:  Sven  Vetsch  

•

Board  members:  Tobias  Christen,  Antonio  Fontes  

–

Based  in  Zurich  

–

130  mailing  list  members  

–

Next  mee6ng:  June  14

th

•

Other  local  city/region  chapters:    

–

OWASP  Geneva  

Ac-vi-es:  mee-ngs  and  conferences  

•

Local  chapter  mee-ngs:  

– 

_{1,2,3  speakers  per  event}  

– 

_{Geneva,  Yverdon,  Zurich}  

– 

~8  mee-ngs/year  

– 

_{Ahendance:  15-­‐100  people}  

– 

_{People  love  these  mee-ngs!}  

Ac-vi-es:  awareness  sessions  

•

Awareness  session  for  Swiss  organiza-ons:  

–

1  hour,  head-­‐to-­‐head  session  with  an  OWASP  

representa-ve  at  your  company  

–

Syllabus:  OWASP  organiza-on,  OWASP  projects  

and  membership  opportuni-es  

–

4  Swiss  private  companies  requested  this  in  2010  

–

It’s  free!  

OWASP  Switzerland  is  live!  

(non  exhaus-ve  list,  sorry  for  those  I  forgot  

L

)

– 

Ivan  Butler:    

Web  applica-on  firewall  &  Hacking  lab  

– 

_{Tobias  Christen:}  

Security  &  Usability  

– 

Alexis  Fitzgerald  :  

Gathering  applica-on  security  requirements  

– 

Chris-an  Folini  :  

ModSecurity  CRS  &  DDoS  defense  

– 

_{Antonio  Fontes  :}  

Threat  modelling  &  Lifecycle  security  

– 

Axel  Neumann:  

Zed  Ahack  Proxy  

– 

Sylvain  Maret  :  

Strong  authen-ca-on  

– 

_{Pierre  Parrend  :}  

Java  mobile  applica-ons  

– 

_{Sven  Vetsch  :}  

Advanced  XSS  ahacks  and  defense  

Visit  the  OWSAP  Website:  

hhp

s

://www.owasp.org

Join  the  OWASP  Switzerland  mailing  list:  

hhp://www.owasp.ch

Follow  us  on  Twiher:  @OWASP_ch        /    @OWASP  

Get  in  touch  with  your  local  OWASP  representa-ves:  

                   Sven  Vetsch  

                   Antonio  Fontes  

(Switzerland)                                                                                              (Western/French  Switzerland)