OWASP Foundation Inc.

Tom "jinxpuppy" Brennan
Board Member, OWASP Foundation
tomb@owasp.org
Security Strategist, WhiteHat Security Inc.
www.whitehatsec.com

Copyright - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org

From: http://preview.tinyurl.com/ccxbvg

Agenda
- OWASP Introduction
- OWASP Project Parade
- OWASP Near You?

OWASP Introduction

Web Applications - 215M/1M (*netcraft)
[Diagram: a typical web application stack laid across four network zones (Internet, DMZ, protected network, internal network). A web client (IE, Mozilla, etc.) sends an HTTP request, cleartext or SSL, to a web server (Apache, IIS, Netscape, etc.); the web server hands off over a transport (AJP, IIOP, T9, etc.) to an optional app server (J2EE server, ColdFusion, Oracle9iAS, etc.) hosting the web apps (Perl, C CGI, Java, ASP, PHP, etc.); the apps reach the DB (Oracle, SQL Server, etc.) through ADO, ODBC, JDBC, etc.; the HTTP reply carries HTML, JavaScript, VBScript, etc. back to the client.]

OWASP
- The Open Web Application Security Project (OWASP Foundation Inc.) was established in 2001.
- Participation in OWASP is free and open to all.
- The vision is a software market that produces code that's secure enough to rely on.
- The mission (to achieve that vision) is to make security visible (or transparent) so that software buyers and sellers are on equal footing and market forces can work.
- International not-for-profit charitable organization funded primarily by volunteers' time, OWASP memberships (50 Individuals, 5k Supporters), and OWASP conference fees.
- Website: 6,464 registered users, 21,552,771 page views, and 55,941 page edits; 10k members on mailing lists.

Principles
- Free & Open
- Governed by rough consensus & running code
- Abide by a code of ethics (see ethics)
- Not-for-profit
- Not driven by commercial interests
- Risk based approach

Code of Ethics
- Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
- Promote the implementation of, and compliance with, standards, procedures and controls for application security;
- Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
- Discharge professional responsibilities with diligence and honesty;
- Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association; and
- Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.

OWASP FOUNDATION INC. - Structure
- (5) Volunteer Board (Jeff, Dinis, Tom, Dave, Seba)
- (25) Volunteer Global Committee Members (see slide)
- (6) OWASP Employees
- (140) Local Chapters
- (50) Projects

Global Committee
http://www.owasp.org/index.php/About_OWASP

2009 Organization Supporters

2009 Educational Supporters

OWASP Mission
The vision is a software market that produces code that's secure enough to rely on.
The mission (to achieve that vision) is to make security visible (or transparent) so that software buyers and sellers are on equal footing and market forces can work.

OWASP Resources and Community

www.owasp.org

130 chapters

Mailing Lists
- 100 mailing lists: local chapters, projects, regional/global committees
- LinkedIn group too: 2,700 members

OWASP Conferences (2008-2009)
- Gold Coast: Feb 2008, 2009
- Brussels: May 2008
- India: Aug 2008
- NYC: Sep 2008
- Israel: Sep 2008
- Minnesota: Oct 2008
- Taiwan: Oct 2008
- Germany: Nov 2008
- Portugal Summit: Nov 2008
- Denver: Spring 2009
- Poland: May 2009
- Ireland: 2009
- DC: Sep 2009

Summit Portugal 2009 Focus
- Application security experts from 20 countries
- New free tools and guidance (SoC08)
- New outreach program: technology vendors, framework providers, and standards bodies
- New program to provide free one-day seminars at universities and developer conferences worldwide
- New Global Committee structure: Education, Chapter, Conferences, Industry, Projects, Membership

OWASP Project Parade

Industry Committee
Start outreach to critical infrastructures worldwide such as:
- electricity generation, transmission and distribution;
- gas production, transport and distribution;
- oil and oil products production, transport and distribution;
- telecommunication;
- water supply (drinking water, waste water/sewage, stemming of surface water (e.g. dikes and sluices));
- agriculture, food production and distribution;
- heating (e.g. natural gas, fuel oil, district heating);
- public health (hospitals, ambulances);
- transportation systems (fuel supply, railway network, airports, harbors, inland shipping);
- financial services (banking, clearing);
- security services (police, military).

Industry - Accomplishments
1. Has submitted RFC feedback for both the British and the US/NIST 800-53 rev 3 standards
2. Has been promoting supporter membership to raise awareness in industry verticals
3. Has established working relationships with ISSA & ISACA to assist with industry-focused outreach and international OWASP insight

Membership Committee
- Increase individual membership 100% in 18 months (Individuals)
- Increase organizational supporters 100% in 18 months (Supporters)
- Increase university supporters 100% in 18 months
1. Has created and launched a new membership model
2. Has created and launched a membership drive to support our efforts
3. Has created a video to promote/explain (tbd)

Chapters Committee

Education Committee
- Establish an adoptable program that can be incorporated into university and technical education programs, leveraging the efforts of many at OWASP to raise the level of awareness of secure software.
- Training at conferences
- Obtain grants to further our work

Projects Committee
- Organizing the next OWASP Season of Code
- Drafting proposals for standardization and organization of the OWASP Projects page
- Establishing a baseline assessment of all OWASP Projects

OWASP Projects: Improve Quality and Support
- Define criteria for quality levels: Alpha, Beta, Release
- PROTECT - tools and documents that can be used to guard against security-related design and implementation flaws.
- DETECT - tools and documents that can be used to find security-related design and implementation flaws.
- LIFE CYCLE - tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

SDLC: OWASP Framework [diagram]

OWASP Top 10
- The Ten Most Critical Web Application Security Vulnerabilities
- 2007 Release
- A great start, but not a standard
- 4th version of the Top 10 (200x) coming soon - help wanted

Key Application Security Vulnerabilities
www.owasp.org/index.php?title=Top_10_2007

The 'Big 4' Documentation
- Application Security Desk Reference (ASDR)

The Developer Guide
- Complements the OWASP Top 10
- 310-page book
- Free and open source (GNU Free Documentation License)
- Many contributors
- Apps and web services
- Most platforms; examples are J2EE, ASP.NET, and PHP
- Comprehensive
- Project Leader and Editor: Andrew van der Stock, vanderaj@owasp.org

Uses of the Guide
- Developers: guidance on implementing security mechanisms and avoiding vulnerabilities
- Project Managers: identifying activities (threat modeling, code review, penetration testing) that need to occur
- Security Teams: structuring evaluations, learning about application security, remediation approaches

Each Topic Includes
- Basic information (like OWASP T10): how to determine if you are vulnerable, how to protect yourself
- Adds: objectives, environments affected, relevant COBIT topics, theory, best practices, misconceptions, code snippets

Testing Guide (now at version 3.0)
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection
http://www.owasp.org/index.php/OWASP_Testing_Guide
Contributors

What Is the OWASP Testing Guide?
- V2: 8 sub-categories (48 controls in total)
- V3: 10 sub-categories (66 controls in total), 36 new articles!
- Testing Principles, Testing Process, Custom Web Applications, Black Box Testing, Grey Box Testing, Risk and Reporting, Appendix: Testing Tools, Appendix: Fuzz Vectors
- Information Gathering, Config. Management Testing, Business Logic Testing, Authentication Testing, Authorization Testing, Session Management Testing, Data Validation Testing, Denial of Service Testing, Web Services Testing, Ajax Testing, Encoded Appendix

How the Guide helps the security industry
Testers:
- A structured approach to the testing activities
- A checklist to be followed
- A learning and training tool
Organization:
- A tool to understand web vulnerabilities and their impact
- A way to check the quality of security tests
More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the testing groups and their 'customers'. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security of our applications.

Phoenix Project - Tools
http://www.owasp.org/index.php/Phoenix/Tools
Best known OWASP tools: WebGoat, WebScarab
Remember: a fool with a tool is still a fool ("press this button and you're secure" ;)

Tools - At Best 45%
- MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE).
- They found very little overlap between tools, so to get to 45% you need all of them (assuming their claims are true).
- NIST and SAMATE: Static Analysis Tool Exposition (SATE), Vadim Okun

OWASP WebGoat

OWASP WebScarab

OWASP CSRFTester

OWASP CSRFGuard 2.0
- Adds a token to: href attribute, src attribute, hidden field in all forms
- Actions on a bad or missing token: Log, Invalidate
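The slide only lists what CSRFGuard does; the following is an added, self-contained illustration of the same synchronizer-token pattern in Python, not CSRFGuard's own (Java) code. It generates one random token per session, rewrites a response body so that same-site href/src URLs carry the token as a query parameter and every form gets a hidden field, and then validates the token on incoming requests, logging and invalidating the session on failure (the two actions named on the slide). The parameter name OWASP_CSRFTOKEN, the host app.example and the regex-based HTML rewriting are assumptions made for this example; a production filter would walk the parsed DOM instead of using regular expressions.

```python
import hmac
import html as html_mod
import logging
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "OWASP_CSRFTOKEN"  # parameter name assumed for this example
APP_HOST = "app.example"         # assumed host of the protected application

log = logging.getLogger("csrf")


class Session:
    """Minimal server-side session holding one per-session CSRF token."""

    def __init__(self):
        self.token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.valid = True


def _is_same_site(url: str) -> bool:
    """Only same-site links get the token: appending it to third-party URLs
    would leak the secret through the Referer header and the target's logs."""
    parts = urlsplit(url)
    if parts.scheme in ("javascript", "mailto", "data"):
        return False
    return parts.netloc == "" or parts.netloc == APP_HOST


def _add_query_param(url: str, token: str) -> str:
    """Append (or replace) the token parameter in a URL's query string."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != TOKEN_PARAM]
    query.append((TOKEN_PARAM, token))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def inject_token(body: str, token: str) -> str:
    """Rewrite a response body: token in same-site href/src URLs and a hidden
    field in every form. Regex rewriting is a simplification for the example."""
    def rewrite_url(m):
        attr, url = m.group(1), html_mod.unescape(m.group(2))
        if not _is_same_site(url):
            return m.group(0)  # leave external links untouched
        return '%s="%s"' % (attr, html_mod.escape(_add_query_param(url, token), quote=True))

    body = re.sub(r'\b(href|src)="([^"]*)"', rewrite_url, body)
    hidden = '<input type="hidden" name="%s" value="%s">' % (TOKEN_PARAM, token)
    return re.sub(r'(<form\b[^>]*>)', lambda m: m.group(1) + hidden, body, flags=re.IGNORECASE)


def verify_request(session: Session, params: dict) -> str:
    """Validate the submitted token (from the hidden field or the query string).
    Returns "accepted" or "rejected"; on failure applies the Log and
    Invalidate actions and rotates the token so a leaked value cannot be replayed."""
    submitted = params.get(TOKEN_PARAM, "")
    if session.valid and hmac.compare_digest(submitted.encode(), session.token.encode()):
        return "accepted"
    log.warning("CSRF token missing or invalid; invalidating session")  # Log action
    session.valid = False                       # Invalidate action
    session.token = secrets.token_urlsafe(32)   # never reuse a possibly exposed token
    return "rejected"


if __name__ == "__main__":
    # Constructed sample page, not taken from any real application.
    s = Session()
    page = ('<a href="/account/delete?id=7">delete</a>'
            '<a href="https://evil.example/">external</a>'
            '<form method="post" action="/transfer"><input name="amt"></form>')
    print(inject_token(page, s.token))
    print(verify_request(s, {"amt": "100", TOKEN_PARAM: s.token}))  # accepted
    print(verify_request(s, {"amt": "100"}))                        # rejected
```

Note that the GET link also carries the token, which is why the slide lists href and src: any state-changing GET is protected too, at the cost of exposing the token in URLs, so the external-link filter above matters.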

The OWASP Enterprise Security API

Coverage

Create Your ESAPI Implementation
Your security services:
- Wrap your existing libraries and services
- Extend and customize your ESAPI implementation
- Fill in gaps with the reference implementation
Your coding guideline:
- Tailor the ESAPI coding guidelines
- Retrofit ESAPI patterns to existing code

OWASP CLASP (Comprehensive, Lightweight Application Security Process)
- Prescriptive and proactive
- Centered around 7 AppSec best practices
- Covers the entire software lifecycle (not just development)
- Adaptable to any development process
- CLASP defines roles across the SDLC
- 24 role-based process components
- Start small and dial in to your needs

The CLASP Best Practices
2. Institute awareness programs
3. Perform application assessments
4. Capture security requirements
5. Implement secure development practices
6. Build vulnerability remediation procedures
7. Define and monitor metrics
8. Publish operational security guidelines

OWASP Software Assurance Maturity Model (SAMM)
- The 4 Disciplines are high-level categories for activities: Alignment & Governance, Requirements & Design, Verification & Assessment, Deployment & Operations
- Three security Functions under each Discipline are the specific silos for improvement within an organization

Want More?
OWASP .NET Project, ASDR Project, AntiSamy Project, AppSec FAQ Project, Application Security Assessment Standards, Application Security Metrics Project, Application Security Requirements Project, CAL9000 Project, CLASP Project, CSRFGuard Project, CSRFTester Project, Career Development Project, Certification Criteria Project, Certification Project, Code Review Project, Communications Project, DirBuster Project, Education Project, Encoding Project, Enterprise Security API, Flash Security Project, Guide Project, Honeycomb Project, Insecure Web App Project, Interceptor Project, JBroFuzz, Java Project, LAPSE Project, Legal Project, Live CD Project, Logging Project, Orizon Project, PHP Project, Pantera Web Assessment Studio Project, SASAP Project, SQLiX Project, SWAAT Project, Sprajax Project, Testing Project, Tools Project, Top Ten Project, Validation Project, WASS Project, WSFuzzer Project, Web Services Security Project, WebGoat Project, WebScarab Project, XML Security Gateway Evaluation Criteria Project, OWASP on the Move Project

SoC2008 selection
- OWASP Code Review Guide, v1.1
- The Ruby on Rails Security Guide v2
- OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)
- Internationalization Guidelines and OWASP-Spanish Project
- OWASP Application Security Desk Reference (ASDR)
- OWASP .NET Project Leader
- OWASP Education Project
- The OWASP Testing Guide v3
- OWASP Application Security Verification Standard
- Online code signing and integrity verification service for open source community (OpenSign Server)
- Securing WebGoat using ModSecurity
- OWASP Book Cover & Sleeve Design
- OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief
- OWASP Access Control Rules Tester
- OpenPGP Extensions for HTTP - Enigform and mod_openpgp
- OWASP-WeBekci Project
- OWASP Backend Security Project
- OWASP Application Security Tool Benchmarking Environment and Site Generator refresh
- Teachable Static Analysis Workbench
- OWASP Positive Security Project
- GTK GUI for w3af project
- OWASP Interceptor Project - 2008 Update
- Skavenger
- SQL Injector Benchmarking Project (SQLiBENCH)
- OWASP AppSensor - Detect and Respond to Attacks from Within the Application
- OWASP Orizon Project
- OWASP Corporate Application Security Rating Guide
- OWASP AntiSamy .NET
- Python Static Analysis
- OWASP Classic ASP Security Project
- OWASP Live CD 2008 Project

OWASP Projects Are Alive!
[Timeline: 2001, 2003, 2005, 2007, 2009]

OWASP Near You?

Got OWASP?

Upcoming "Big" Conferences
- OWASP AppSec Europe 2009 - Poland, May 11th-14th: 3-track conference and 8 tutorials, Krakow, Poland
- OWASP AppSec Ireland 2009 - September 10th: conference at Trinity College in Dublin
- OWASP AppSec US 2009 - November 2009, Washington, D.C.

www.owasp.tv - 56 videos, 40 hrs

Local Chapter Resources
- Local meetings
- Regional mailing list
- Presentations
- Forum for discussion
- Meet fellow InfoSec professionals
- Create (Web)AppSec awareness
- Local projects
- JOBS: http://www.owasp.org/index.php/OWASP_Jobs

Who comes to an OWASP meeting?

TTD
- Visit www.owasp.org
- Find your local chapter / conferences
- Listen to podcasts
- Watch videos
- Read materials
- Post your (Web)AppSec questions
- Spread the word: invite peers
- Pentagon City Mall / 6pm, Phones @ Panda Express
- Contribute to discussions

Get Involved
WWW.OWASP.ORG
Tom Brennan, OWASP Foundation Board Member
tomb@owasp.org / 973-202-0122
