Copyright © 2009 - The OWASP Foundation. This work is available under the Creative Commons SA 3.0 license.

Page 1: The OWASP Foundation

The Open Web Application Security Project
http://www.owasp.org

Jeff Williams, Aspect Security CEO, Volunteer OWASP Chair
[email protected]
Twitter @planetlevel

June 25, 2009

Page 2: OWASP World

OWASP is a worldwide free and open community focused on improving the security of application software.

Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

The OWASP Foundation is a 501(c)(3) not-for-profit charitable organization that ensures the ongoing availability and support for our work.

Page 3: 2009 OWASP Supporters

Page 4: OWASP Worldwide Community

[Chart: Participants, 2000 to 2008 (scale 0 to 25,000)]

[Chart: Chapters, 2000 to 2008 (scale 0 to 160)]

Page 5: OWASP Dashboard

[Chart: Worldwide Users / Most New Visitors, 01/10/2002 to 01/10/2007 (scale 0 to 250)]

22,782,709 page views

Page 6: OWASP Conferences (2008-2009)

NYC, Sep 2008
DC, Sep 2009
Brussels, May 2008
Poland, May 2009
Taiwan, Oct 2008
Portugal Summit, Nov 2008
Israel, Sep 2008
India, Aug 2008
Gold Coast, Feb 2008 (+2009)
Minnesota, Oct 2008
Denver, Spring 2009
Germany, Nov 2008
Ireland, 2009

Page 9: OWASP AppSec Job Board

Page 10: OWASP Top Ten Critical Vulnerabilities

A1: Cross Site Scripting (XSS)
A2: Injection Flaws
A3: Malicious File Execution
A4: Insecure Direct Object Reference
A5: Cross Site Request Forgery (CSRF)
A6: Information Leakage and Improper Error Handling
A7: Broken Authentication and Session Management
A8: Insecure Cryptographic Storage
A9: Insecure Communications
A10: Failure to Restrict URL Access

www.owasp.org/index.php?title=Top_10_2007

Page 11: OWASP AppSec Guides

Free and open source
Cheap printed copies
Covers all critical security controls
Hundreds of expert authors
All aspects of application security

Page 12: OWASP Application Security Verification Standard

Standard for verifying the security of web applications

Four levels: Automated, Manual, Architecture, Internal

Page 13: OWASP Software Assurance Maturity Model

Page 16: OWASP CSRFTester

Page 17: OWASP CSRFGuard

[Diagram: User (Browser) sends a request to OWASP CSRFGuard, which verifies the token before passing the request on to Business Processing; on the way back, CSRFGuard adds the token to the HTML response.]

Adds token to: href attribute, src attribute, hidden field in all forms

Actions: Log, Invalidate, Redirect

http://www.owasp.org/index.php/CSRFGuard

Page 19: OWASP Enterprise Security API

[Code comparison: Before / After]

Page 20: Want More OWASP?

OWASP .NET Project
OWASP ASDR Project
OWASP AntiSamy Project
OWASP AppSec FAQ Project
OWASP Application Security Assessment Standards Project
OWASP Application Security Metrics Project
OWASP Application Security Requirements Project
OWASP CAL9000 Project
OWASP CLASP Project
OWASP CSRFGuard Project
OWASP CSRFTester Project
OWASP Career Development Project
OWASP Certification Criteria Project
OWASP Certification Project
OWASP Code Review Project
OWASP Communications Project
OWASP DirBuster Project
OWASP Education Project
OWASP Encoding Project
OWASP Enterprise Security API
OWASP Flash Security Project
OWASP Guide Project
OWASP Honeycomb Project
OWASP Insecure Web App Project
OWASP Interceptor Project
OWASP JBroFuzz
OWASP Java Project
OWASP LAPSE Project
OWASP Legal Project
OWASP Live CD Project
OWASP Logging Project
OWASP Orizon Project
OWASP PHP Project
OWASP Pantera Web Assessment Studio Project
OWASP SASAP Project
OWASP SQLiX Project
OWASP SWAAT Project
OWASP Sprajax Project
OWASP Testing Project
OWASP Tools Project
OWASP Top Ten Project
OWASP Validation Project
OWASP WASS Project
OWASP WSFuzzer Project
OWASP Web Services Security Project
OWASP WebGoat Project
OWASP WebScarab Project
OWASP XML Security Gateway Evaluation Criteria Project
OWASP on the Move Project

Page 22: OWASP SoC2008 Selection

OWASP Code Review Guide, V1.1
The Ruby on Rails Security Guide v2
OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)
Internationalization Guidelines and OWASP-Spanish Project
OWASP Application Security Desk Reference (ASDR)
OWASP .NET Project Leader
OWASP Education Project
The OWASP Testing Guide v3
OWASP Application Security Verification Standard
Online code signing and integrity verification service for open source community (OpenSign Server)
Securing WebGoat using ModSecurity
OWASP Book Cover & Sleeve Design
OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief
OWASP Access Control Rules Tester
OpenPGP Extensions for HTTP - Enigform and mod_openpgp
OWASP-WeBekci Project
OWASP Backend Security Project
OWASP Application Security Tool Benchmarking Environment and Site Generator refresh
Teachable Static Analysis Workbench
OWASP Positive Security Project
GTK+ GUI for w3af project
OWASP Interceptor Project - 2008 Update
Skavenger
SQL Injector Benchmarking Project (SQLiBENCH)
OWASP AppSensor - Detect and Respond to Attacks from Within the Application
OWASP Orizon Project
OWASP Corporate Application Security Rating Guide
OWASP AntiSamy .NET
Python Static Analysis
OWASP Classic ASP Security Project
OWASP Live CD 2008 Project

Page 23: How Can You Help?

Join our community
Share and learn
Attend conferences
Push us to do better
Become a member!

Page 24: Questions and Answers


Page 26: OWASP Projects Lifecycle

Define criteria for quality levels: Alpha, Beta, Release

Encourage increased quality through Season of Code funding and support

Produce professional OWASP books

Provide support:
Full time executive director (Kate Hartmann)
Full time project manager (Paulo Coimbra)
Half time technical editor (Kirsten Sitnick)
Half time financial support (Alison Shrader)
Looking to add programmers (interns and professionals)

Page 27: OWASP Framework

SDLC & OWASP Guidelines

Page 28: OWASP Projects Are Alive!

[Timeline: 2001, 2003, 2005, 2007, 2009 …]