Copyright © 2010 - The OWASP Foundation. This work is available under the Creative Commons SA 2.5 license.
The OWASP Foundation, OWASP BeNeLux 2010, http://www.owasp.org

Page 1: Tour of OWASP's projects

Sebastien Deleersnyder

Dec 1, 2010

Page 2: OWASP Tools and Technology

• Automated Security Verification: Vulnerability Scanners, Static Analysis Tools, Fuzzing

• Manual Security Verification: Penetration Testing Tools, Code Review Tools

• Security Architecture: ESAPI

• Secure Coding: AppSec Libraries, ESAPI Reference Implementation, Guards and Filters

• AppSec Management: Reporting Tools

• AppSec Education: Flawed Apps, Learning Environments, Live CD, SiteGenerator

Page 3: OWASP Body of Knowledge

Core Application Security Knowledge Base: Principles; Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures

• Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services

• Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review

• Managing Application Security: Guidance and Tools for Measuring and Managing Application Security

• Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues

• AppSec Education and CBT: Web Based Learning Environment and Guide for Learning Application Security

• Research to Secure New Technologies: Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)

OWASP Foundation 501c3 / OWASP Community Platform (wiki, forums, mailing lists): Projects, Chapters, AppSec Conferences

Page 4: Top level view

Page 5: There are a lot of OWASP projects

Page 6: Metrics

Categorizing and organizing projects: maturity, activity level, quality, relevance

Page 7: Assessment Criteria


Page 10: Categories

• PROTECT - Tools and documents that can be used to guard against security-related design and implementation flaws.

• DETECT - Tools and documents that can be used to find security-related design and implementation flaws.

• LIFE CYCLE - Tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

Page 11: OWASP projects by numbers

Total Projects: 122

• Release quality: 19

• Beta quality: 28

• Alpha quality: 89

• Inactive: 6

Page 12: Dashboard

Page 13: Assessment details

Page 14: Project Parade

Page 15: The 'Big 4' Documentation Projects

• Building Guide

• Code Review Guide

• Testing Guide

• Application Security Desk Reference (ASDR)

Page 16: The Guide

• Complements OWASP Top 10

• 310-page book, free and open source

• Gnu Free Doc License, many contributors

• Apps and web services, most platforms (examples are J2EE, ASP.NET, and PHP)

• Comprehensive

• Project Leader and Editor: Andrew van der Stock, [email protected]

Page 17: Uses of the Guide

• Developers: use for guidance on implementing security mechanisms and avoiding vulnerabilities

• Project Managers: use for identifying activities (threat modeling, code review, penetration testing) that need to occur

• Security Teams: use for structuring evaluations, learning about application security, remediation approaches

Page 18: Each Topic

Includes basic information (like OWASP T10): How to Determine If You Are Vulnerable, How to Protect Yourself

Adds: Objectives, Environments Affected, Relevant COBIT Topics, Theory, Best Practices, Misconceptions, Code Snippets

Page 19: Testing Guide v3: Index

1. Frontispiece

2. Introduction

3. The OWASP Testing Framework

4. Web Application Penetration Testing

5. Writing Reports: value the real risk

Appendix A: Testing Tools

Appendix B: Suggested Reading

Appendix C: Fuzz Vectors

Page 20: Evolution V3

Test categories in v3: Information Gathering, Config. Management Testing, Business Logic Testing, Authentication Testing, Authorization Testing, Session Management Testing, Data Validation Testing, Denial of Service Testing, Web Services Testing, Ajax Testing, Encoded Appendix

Previous version: Information Gathering, Business Logic Testing, Authentication Testing, Session Management Testing, Data Validation Testing, Denial of Service Testing, Web Services Testing, Ajax Testing

Page 21: How the Guide helps the security industry

Pen-testers:

• A structured approach to the testing activities

• A checklist to be followed

• A learning and training tool

Organisations:

• A tool to understand web vulnerabilities and their impact

• A way to check the quality of the penetration tests they buy

More in general, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its client.

This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures.

Page 22: OWASP Application Security Verification Std

Standard for verifying the security of web applications

Four levels: Automated, Manual, Architecture, Internal

Page 23: OWASP Software Assurance Maturity Model

Page 24: Tools

http://www.owasp.org/index.php/Phoenix/Tools

Best known OWASP Tools: WebGoat, WebScarab

Remember: A Fool with a Tool is still a Fool

Page 25: Live CD

Project that collects some of the best open source security projects in a single environment: http://www.owasp.org/index.php/LiveCD

Users can boot from the Live CD and immediately start using all tools without any configuration

Page 26: Available Tools

25 "significant" tools:

• OWASP WebScarab v20090122

• OWASP WebGoat v5.2

• OWASP CAL9000 v2.0

• OWASP JBroFuzz v1.2

• OWASP DirBuster v0.12

• OWASP SQLiX v1.0

• OWASP WSFuzzer v1.9.4

• OWASP Wapiti v2.0.0-beta

• Paros Proxy v3.2.13

• nmap & Zenmap v4.76

• Wireshark v1.0.5

• tcpdump v4.0.0

• Firefox 3.06 + 25 addons

• Burp Suite v1.2

• Grendel Scan v1.0

• Metasploit v3.2 (svn)

• w3af + GUI svn r2161

• Netcats – original + GNU

• Nikto v2.03

• Fierce Domain Scanner v1.0.3

• Maltego CE v2-210

• Httprint v301

• SQLBrute v1.0

• Spike Proxy v1.4.8-4

• Rat Proxy v1.53-beta

• sqlmap v0.7-rc1 now included!

Page 29: Tools – At Best 45%

MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE).

They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).

Page 30: The OWASP Enterprise Security API

Custom Enterprise Web Application

Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration

Existing Enterprise Security Services/Libraries

Page 31: Create Your ESAPI Implementation

Your Security Services:

• Wrap your existing libraries and services

• Extend and customize your ESAPI implementation

• Fill in gaps with the reference implementation

Your Coding Guideline:

• Tailor the ESAPI coding guidelines

• Retrofit ESAPI patterns to existing code

Page 32: OWASP CSRFTester

Page 33: OWASP CSRFGuard 2.0

User (Browser) → OWASP CSRFGuard → Business Processing

Add Token to HTML / Verify Token

Adds token to: href attribute, src attribute, hidden field in all forms

Actions: Log, Invalidate, Redirect

http://www.owasp.org/index.php/CSRFGuard
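The slide describes CSRFGuard's synchronizer-token flow: inject a per-session token into href/src attributes and a hidden field in every form, then verify it on the way in and log, invalidate and redirect on mismatch. The following is an added illustration of that flow in Python, not CSRFGuard's own (Java) code; the parameter name `OWASP_CSRFTOKEN`, the sample HTML and the session dictionary are assumptions.

```python
import hmac
import re
import secrets

TOKEN_NAME = "OWASP_CSRFTOKEN"  # assumed parameter name for this illustration


def new_token() -> str:
    """Unpredictable per-session token (stored server-side in the session)."""
    return secrets.token_hex(16)


def add_token_to_html(html: str, token: str) -> str:
    """Inject the token into href/src attributes and as a hidden field in each form.

    Simplification: URLs containing a fragment (#) are left untouched.
    """
    def with_token(m: re.Match) -> str:
        url = m.group(2)
        sep = "&" if "?" in url else "?"
        return f'{m.group(1)}="{url}{sep}{TOKEN_NAME}={token}"'

    html = re.sub(r'\b(href|src)="([^"#]*)"', with_token, html)
    hidden = f'<input type="hidden" name="{TOKEN_NAME}" value="{token}">'
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + hidden, html, flags=re.I)


def verify_request(session: dict, params: dict, log: list) -> str:
    """Compare the submitted token with the session token.

    Returns "allow" on a match; otherwise applies the three slide actions
    (log, invalidate the session, redirect) and returns the redirect target.
    """
    expected = session.get(TOKEN_NAME)
    supplied = params.get(TOKEN_NAME, "")
    if expected and hmac.compare_digest(expected, supplied):  # constant-time compare
        return "allow"
    log.append(f"CSRF token mismatch for session {session.get('id')}")  # Log
    session.clear()                                                    # Invalidate
    return "redirect:/error"                                           # Redirect


if __name__ == "__main__":
    # Constructed sample page and session, not from the original slide.
    session = {"id": "s1", TOKEN_NAME: new_token()}
    page = '<a href="/transfer?to=bob">go</a><form action="/pay"><input name="amt"></form>'
    print(add_token_to_html(page, session[TOKEN_NAME]))
    print(verify_request(session, {TOKEN_NAME: session[TOKEN_NAME]}, []))
```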

Page 34: OWASP Framework

SDLC & OWASP Guidelines

Page 35: Want More?

• OWASP .NET Project

• OWASP ASDR Project

• OWASP AntiSamy Project

• OWASP AppSec FAQ Project

• OWASP Application Security Assessment Standards Project

• OWASP Application Security Metrics Project

• OWASP Application Security Requirements Project

• OWASP CAL9000 Project

• OWASP CLASP Project

• OWASP CSRFGuard Project

• OWASP CSRFTester Project

• OWASP Career Development Project

• OWASP Certification Criteria Project

• OWASP Certification Project

• OWASP Code Review Project

• OWASP Communications Project

• OWASP DirBuster Project

• OWASP Education Project

• OWASP Encoding Project

• OWASP Enterprise Security API

• OWASP Flash Security Project

• OWASP Guide Project

• OWASP Honeycomb Project

• OWASP Insecure Web App Project

• OWASP Interceptor Project

• OWASP JBroFuzz

• OWASP Java Project

• OWASP LAPSE Project

• OWASP Legal Project

• OWASP Live CD Project

• OWASP Logging Project

• OWASP Orizon Project

• OWASP PHP Project

• OWASP Pantera Web Assessment Studio Project

• OWASP SASAP Project

• OWASP SQLiX Project

• OWASP SWAAT Project

• OWASP Sprajax Project

• OWASP Testing Project

• OWASP Tools Project

• OWASP Top Ten Project

• OWASP Validation Project

• OWASP WASS Project

• OWASP WSFuzzer Project

• OWASP Web Services Security Project

• OWASP WebGoat Project

• OWASP WebScarab Project

• OWASP XML Security Gateway Evaluation Criteria Project

• OWASP on the Move Project

Page 37: OWASP Projects Are Alive!

2001, 2003, 2005, 2007, 2009 …

Page 38: How to participate?

Start your own project:

• The best OWASP projects are strategic

• Get the community involved / build a team

• Contribute existing (open license)

• Promotion!

'Help' an existing project

Page 39: Questions and Answers