Copyright © 2010 - The OWASP Foundation. This work is available under the Creative Commons SA 2.5 license.
The OWASP Foundation
OWASP BeNeLux 2010
http://www.owasp.org

Tour of OWASP’s projects
Sebastien Deleersnyder
Dec 1, 2010
OWASP
OWASP Tools and Technology

Automated Security Verification
• Vulnerability Scanners
• Static Analysis Tools
• Fuzzing

Manual Security Verification
• Penetration Testing Tools
• Code Review Tools

Security Architecture
• ESAPI

Secure Coding
• AppSec Libraries
• ESAPI Reference Implementation
• Guards and Filters

AppSec Management
• Reporting Tools

AppSec Education
• Flawed Apps
• Learning Environments
• Live CD
• SiteGenerator
OWASP Body of Knowledge (top level view)

Core Application Security Knowledge Base
• Principles
• Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures

Acquiring and Building Secure Applications
• Guide to Building Secure Web Applications and Web Services

Verifying Application Security
• Guide to Application Security Testing and Guide to Application Security Code Review

Managing Application Security
• Guidance and Tools for Measuring and Managing Application Security

Application Security Tools
• Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues

AppSec Education and CBT
• Web Based Learning Environment and Guide for Learning Application Security

Research to Secure New Technologies
• Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)

OWASP Foundation 501c3

OWASP Community Platform (wiki, forums, mailing lists)
• Projects
• Chapters
• AppSec Conferences

There are a lot of OWASP projects
Metrics
Categorizing and organizing projects: maturity, activity level, quality, relevance

Assessment Criteria

Categories
• PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.
• DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.
• LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

OWASP projects by numbers
Total Projects: 122
• Release quality: 19
• Beta quality: 28
• Alpha quality: 89
• Inactive: 6

Dashboard

Assessment details
Project Parade

The ‘Big 4’ Documentation Projects
• Building Guide
• Code Review Guide
• Testing Guide
• Application Security Desk Reference (ASDR)

The Guide
• Complements OWASP Top 10
• 310p book
• Free and open source
• Gnu Free Doc License
• Many contributors
• Apps and web services
• Most platforms
• Examples are J2EE, ASP.NET, and PHP
• Comprehensive
• Project Leader and Editor: Andrew van der Stock, [email protected]

Uses of the Guide
• Developers: use for guidance on implementing security mechanisms and avoiding vulnerabilities
• Project Managers: use for identifying activities (threat modeling, code review, penetration testing) that need to occur
• Security Teams: use for structuring evaluations, learning about application security, remediation approaches

Each Topic
• Includes basic information (like OWASP T10): How to Determine If You Are Vulnerable, How to Protect Yourself
• Adds: Objectives, Environments Affected, Relevant COBIT Topics, Theory, Best Practices, Misconceptions, Code Snippets
Testing Guide v3: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors

Evolution V3
Test categories in v3:
• Information Gathering
• Config. Management Testing
• Business Logic Testing
• Authentication Testing
• Authorization Testing
• Session Management Testing
• Data Validation Testing
• Denial of Service Testing
• Web Services Testing
• Ajax Testing
• Encoded Appendix

Test categories in the previous version:
• Information Gathering
• Business Logic Testing
• Authentication Testing
• Session Management Testing
• Data Validation Testing
• Denial of Service Testing
• Web Services Testing
• Ajax Testing

How the Guide helps the security industry
Pen-testers:
• A structured approach to the testing activities
• A checklist to be followed
• A learning and training tool
Organisations:
• A tool to understand web vulnerabilities and their impact
• A way to check the quality of the penetration tests they buy

More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its clients. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures.
OWASP Application Security Verification Std
• Standard for verifying the security of web applications
• Four levels: Automated, Manual, Architecture, Internal

OWASP Software Assurance Maturity Model

Tools
http://www.owasp.org/index.php/Phoenix/Tools
Best known OWASP Tools: WebGoat, WebScarab
Remember: A Fool with a Tool is still a Fool
Live CD
Project that collects some of the best open source security projects in a single environment: http://www.owasp.org/index.php/LiveCD
Users can boot from the Live CD and immediately start using all tools without any configuration.

Available Tools
25 “significant” tools:
• OWASP WebScarab v20090122
• OWASP WebGoat v5.2
• OWASP CAL9000 v2.0
• OWASP JBroFuzz v1.2
• OWASP DirBuster v0.12
• OWASP SQLiX v1.0
• OWASP WSFuzzer v1.9.4
• OWASP Wapiti v2.0.0-beta
• Paros Proxy v3.2.13
• nmap & Zenmap v4.76
• Wireshark v1.0.5
• tcpdump v4.0.0
• Firefox 3.06 + 25 addons
• Burp Suite v1.2
• Grendel Scan v1.0
• Metasploit v3.2 (svn)
• w3af + GUI svn r2161
• Netcats – original + GNU
• Nikto v2.03
• Fierce Domain Scanner v1.0.3
• Maltego CE v2-210
• Httprint v301
• SQLBrute v1.0
• Spike Proxy v1.4.8-4
• Rat Proxy v1.53-beta
• sqlmap v0.7-rc1 now included!

Tools – At Best 45%
MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE).
They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).
The OWASP Enterprise Security API
Layers, top to bottom:

Custom Enterprise Web Application

Enterprise Security API
• Authenticator
• User
• AccessController
• AccessReferenceMap
• Validator
• Encoder
• HTTPUtilities
• Encryptor
• EncryptedProperties
• Randomizer
• Exception Handling
• Logger
• IntrusionDetector
• SecurityConfiguration

Existing Enterprise Security Services/Libraries

Create Your ESAPI Implementation
Your Security Services
• Wrap your existing libraries and services
• Extend and customize your ESAPI implementation
• Fill in gaps with the reference implementation
Your Coding Guideline
• Tailor the ESAPI coding guidelines
• Retrofit ESAPI patterns to existing code
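The AccessReferenceMap component listed above is the one whose effect is easiest to miss from the slide, so here is an added example of the pattern it implements. This is not ESAPI's own code: the method names follow the ESAPI interface (getIndirectReference, getDirectReference, addDirectReference, update), but the class, the AccessControlError exception and the invoice ids in demo() are constructed for this illustration. The map gives the browser random per-session indirect references in place of real ids, and refuses any reference it did not issue, which is what stops a user from reaching objects by editing an id in a URL.

```python
"""Access reference map in the ESAPI style (added example; not ESAPI's own code).

The map hands the browser random, per-session *indirect* references instead of
the real *direct* ones (database ids, file names). A request that presents an
indirect reference this map never issued is rejected, so objects cannot be
reached by guessing or editing ids. Method names follow the ESAPI interface;
the implementation is our own illustration.
"""
import secrets
from collections.abc import Hashable, Iterable
from typing import Dict, Optional


class AccessControlError(Exception):
    """Raised when an indirect reference was not issued by this map."""


class RandomAccessReferenceMap:
    """Per-session two-way map between direct and random indirect references."""

    def __init__(self, direct_references: Iterable[Hashable] = (), ref_len: int = 8):
        self._ref_len = ref_len
        self._i_to_d: Dict[str, Hashable] = {}   # indirect -> direct
        self._d_to_i: Dict[Hashable, str] = {}   # direct -> indirect
        self.update(direct_references)

    def _new_indirect(self) -> str:
        # secrets gives unpredictable tokens; the loop rules out collisions
        while True:
            candidate = secrets.token_urlsafe(self._ref_len)[: self._ref_len]
            if candidate not in self._i_to_d:
                return candidate

    def add_direct_reference(self, direct: Hashable) -> str:
        """Register a direct reference (idempotent) and return its indirect one."""
        if direct in self._d_to_i:
            return self._d_to_i[direct]
        indirect = self._new_indirect()
        self._i_to_d[indirect] = direct
        self._d_to_i[direct] = indirect
        return indirect

    def get_indirect_reference(self, direct: Hashable) -> Optional[str]:
        """Indirect reference to emit into HTML, or None if the object is unknown."""
        return self._d_to_i.get(direct)

    def get_direct_reference(self, indirect: str) -> Hashable:
        """Resolve a reference sent back by the client; unknown ones are rejected."""
        try:
            return self._i_to_d[indirect]
        except KeyError:
            raise AccessControlError(f"unknown indirect reference: {indirect!r}") from None

    def update(self, direct_references: Iterable[Hashable]) -> None:
        """Replace the reachable set: keep existing indirect references for objects
        that are still present, drop the rest, register new ones."""
        wanted = set(direct_references)
        for direct in list(self._d_to_i):
            if direct not in wanted:
                del self._i_to_d[self._d_to_i.pop(direct)]
        for direct in wanted:
            self.add_direct_reference(direct)


def demo() -> dict:
    """Constructed scenario: a user who may see invoices 1001 and 1002 only."""
    arm = RandomAccessReferenceMap([1001, 1002])
    link = arm.get_indirect_reference(1001)        # value that goes into the page
    resolved = arm.get_direct_reference(link)      # value the server acts on
    try:
        arm.get_direct_reference("1003")           # a guessed real id: rejected
        guessed_rejected = False
    except AccessControlError:
        guessed_rejected = True
    arm.update([1002, 1003])                       # permissions changed
    try:
        arm.get_direct_reference(link)             # stale link: rejected
        old_link_rejected = False
    except AccessControlError:
        old_link_rejected = True
    return {"resolved": resolved, "guessed_rejected": guessed_rejected,
            "old_link_rejected": old_link_rejected, "link_len": len(link)}


if __name__ == "__main__":
    print(demo())
```

One map per session is the point: the indirect values are meaningless outside the session that issued them, and update() is what ties the map to the current authorization decision rather than to whatever the user was allowed to see earlier.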
OWASP CSRFTester

OWASP CSRFGuard 2.0
Flow: User (Browser) -> OWASP CSRFGuard -> Business Processing
• Add Token to HTML
• Verify Token
Adds token to: href attribute, src attribute, hidden field in all forms
Actions: Log, Invalidate, Redirect
http://www.owasp.org/index.php/CSRFGuard
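The two halves of the CSRFGuard flow on the slide, token injection on the way out and token verification on the way in, as an added example written for this page; it is not CSRFGuard's code. The parameter name OWASP_CSRFTOKEN, the Session/Request/Response classes, the regex-based HTML rewriting and the sample page in demo() are all constructed for the illustration. It shows the three places the slide names for the token (href, src, hidden form field) and the three failure actions (Log, Invalidate, Redirect).

```python
"""CSRF token injection and verification in the CSRFGuard style (added example;
not CSRFGuard's own code).

One random token per session. Outbound: the token is appended to href and src
attributes as a query parameter and inserted as a hidden field into every form.
Inbound: a protected request must carry a token equal to the session's; on a
mismatch the configured actions run (Log, Invalidate, Redirect).
"""
import hmac
import logging
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

TOKEN_NAME = "OWASP_CSRFTOKEN"          # parameter name, constructed for this example
log = logging.getLogger("csrfguard-example")


@dataclass
class Session:
    id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    valid: bool = True


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]
    session: Session


@dataclass
class Response:
    status: int
    location: Optional[str] = None


_HREF_SRC = re.compile(r'(href|src)="([^"]*)"', re.IGNORECASE)
_FORM_OPEN = re.compile(r"(<form\b[^>]*>)", re.IGNORECASE)


def add_token_to_html(html: str, token: str) -> str:
    """Inject the session token into href/src attributes and into every form."""
    def attr(m: "re.Match") -> str:
        url = m.group(2)
        # fragments, javascript:/mailto: links and already-tokenised URLs are left alone
        if url.startswith(("#", "javascript:", "mailto:")) or TOKEN_NAME in url:
            return m.group(0)
        sep = "&" if "?" in url else "?"
        return f'{m.group(1)}="{url}{sep}{TOKEN_NAME}={token}"'
    html = _HREF_SRC.sub(attr, html)
    hidden = f'<input type="hidden" name="{TOKEN_NAME}" value="{token}" />'
    return _FORM_OPEN.sub(lambda m: m.group(1) + hidden, html)


def verify_token(req: Request, actions: List[str],
                 unprotected: Iterable[str] = ("/login",),
                 redirect_to: str = "/error") -> Optional[Response]:
    """Return None when the request may proceed; otherwise run the actions."""
    if req.path in set(unprotected):
        return None
    presented = req.params.get(TOKEN_NAME, "")
    # constant-time compare; a missing token fails exactly like a wrong one
    if req.session.valid and hmac.compare_digest(
            presented.encode(), req.session.csrf_token.encode()):
        return None
    response = Response(status=403)
    for action in actions:
        if action == "Log":
            log.warning("CSRF token mismatch: session=%s path=%s", req.session.id, req.path)
        elif action == "Invalidate":
            req.session.valid = False
            req.session.csrf_token = secrets.token_hex(16)   # old token is now useless
        elif action == "Redirect":
            response = Response(status=302, location=redirect_to)
    return response


def demo() -> dict:
    """Constructed scenario: a tokenised page, a legitimate POST and a forged one."""
    sess = Session(id="s1")
    page = add_token_to_html(
        '<a href="/transfer?to=bob">go</a><form method="post" action="/transfer"></form>',
        sess.csrf_token)
    good = Request("POST", "/transfer", {TOKEN_NAME: sess.csrf_token}, sess)
    forged = Request("POST", "/transfer", {}, sess)   # cross-site form carries no token
    return {
        "link_has_token": f"{TOKEN_NAME}={sess.csrf_token}" in page,
        "form_has_hidden_field": f'name="{TOKEN_NAME}"' in page,
        "good_allowed": verify_token(good, ["Log"]) is None,
        "forged_response": verify_token(forged, ["Log", "Invalidate", "Redirect"]),
        "session_invalidated": not sess.valid,
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

Putting the token on href and src means GET links are checked too, which is why a real deployment needs an explicit list of unprotected paths (the login page above) rather than a blanket "GET is safe" rule; and Invalidate rotates the token as well as ending the session, so a captured value cannot be replayed.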
OWASP Framework
SDLC & OWASP Guidelines
Want More?
OWASP .NET Project, OWASP ASDR Project, OWASP AntiSamy Project, OWASP AppSec FAQ Project, OWASP Application Security Assessment Standards Project, OWASP Application Security Metrics Project, OWASP Application Security Requirements Project, OWASP CAL9000 Project, OWASP CLASP Project, OWASP CSRFGuard Project, OWASP CSRFTester Project, OWASP Career Development Project, OWASP Certification Criteria Project, OWASP Certification Project, OWASP Code Review Project, OWASP Communications Project, OWASP DirBuster Project, OWASP Education Project, OWASP Encoding Project, OWASP Enterprise Security API, OWASP Flash Security Project, OWASP Guide Project, OWASP Honeycomb Project, OWASP Insecure Web App Project, OWASP Interceptor Project, OWASP JBroFuzz, OWASP Java Project, OWASP LAPSE Project, OWASP Legal Project, OWASP Live CD Project, OWASP Logging Project, OWASP Orizon Project, OWASP PHP Project, OWASP Pantera Web Assessment Studio Project, OWASP SASAP Project, OWASP SQLiX Project, OWASP SWAAT Project, OWASP Sprajax Project, OWASP Testing Project, OWASP Tools Project, OWASP Top Ten Project, OWASP Validation Project, OWASP WASS Project, OWASP WSFuzzer Project, OWASP Web Services Security Project, OWASP WebGoat Project, OWASP WebScarab Project, OWASP XML Security Gateway Evaluation Criteria Project, OWASP on the Move Project

OWASP Research Grants
We support the research that keeps your organization safe!

OWASP Projects Are Alive!
2001, 2003, 2005, 2007, 2009 …

How to participate?
• Start your own project: the best OWASP projects are strategic; get the community involved / build a team; contribute existing (open license) work; promotion!
• ‘Help’ an existing project

Questions and Answers