OWASP: An Introduction
Transcript of OWASP: An Introduction
![Page 1: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/1.jpg)
Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP: An Introduction
Sebastien Deleersnyder, CISSP
May, [email protected]
![Page 2: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/2.jpg)
Agenda
- Introduction
- OWASP
- OWASP Projects
- Belgium Chapter
- (Web)AppSec Resources
![Page 3: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/3.jpg)
![Page 4: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/4.jpg)
Introduction
Sponsor this evening: www.ascure.com
Call for additional sponsors:
- Chapter meeting places & catering
- Support for local projects
OWASP cannot recommend the use of products or services, or recommend specific companies
![Page 5: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/5.jpg)
Introduction
Program for this evening:
- 18h00 - 18h45: Sebastien Deleersnyder, Ascure: OWASP Introduction
- 19h00 - 19h45: Erwin Geirnaert, Security Innovation: How to Break Web Application Security
- 20h00 - 20h45: Professor Frank Piessens, KU Leuven: How to Build Secure Web Applications
![Page 6: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/6.jpg)
![Page 7: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/7.jpg)
Software Is A Black Box
- Complex
  - Millions of lines of code
  - Leaky abstractions
  - Massively interconnected
- Compiled
  - Difficult to reverse engineer
  - Different on every platform
- Legal protections
  - No peeking
  - We're not liable
![Page 8: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/8.jpg)
Application Security Is In Its Infancy
- Formal modeling
- Process assurance
- Penetrate and patch
- Manual code review
- Static analysis
- Developer training
- Top Ten lists
- Programming books
- Bugtraq
- Common Criteria certification
- Peer review
- Guidelines
- Penetration test tools
- Vulnerability scanning
- Proxy solutions
- … and more

- Nobody understands
- Nobody cares
- Snake oil rules
- No proof anything works
- No metrics
- One application at a time
- Getting easier to write bad code
- We can't even stamp out buffer overflows
![Page 9: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/9.jpg)
Enter OWASP
OWASP is dedicated to finding and fighting the causes of insecure software
People, projects, international community
“Charitable Open Source”
![Page 10: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/10.jpg)
What is OWASP?
- Open Web Application Security Project
- Non-profit, volunteer-driven organization
  - All members are volunteers
  - All work is donated by sponsors
- Provides free resources to the community
  - Publications, articles, standards
  - Testing and training software
  - Local chapters & mailing lists
- Supported through sponsorships
  - Corporate support through financial or project sponsorship
  - Personal sponsorships from members
![Page 11: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/11.jpg)
What is OWASP?
What do they provide?
- Publications
  - OWASP Top 10
  - OWASP Guide to Building Secure Web Applications
- Software
  - WebGoat
  - WebScarab
  - .NET projects
- Local chapters
- Community orientation
![Page 12: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/12.jpg)
Looking for a second breath
- OWASP finally achieved 501(c)(3) status in Dec.: charitable not-for-profit
- OWASP needs more contributors
  - We should provide everything contributors need: better infrastructure, project management, technical editing
- OWASP needs funding
  - Need a full-time director
![Page 13: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/13.jpg)
OWASP Roadmap for 2005
- Continue to deliver on existing projects
- Gather requirements from industry
- Find a full-time director
- New projects
  - OWASP Standard – minimum criteria for people, process, and technology
  - OWASP Legal – guidance on contracts, gov't regulations, RFP language
  - J2EE – guidelines, methodologies, tools
  - Web Services – guidelines, methodologies, tools
  - OWASP Training Course
![Page 14: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/14.jpg)
![Page 15: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/15.jpg)
OWASP Current Status
Projects reviewed: WebGoat, WebScarab, DotNet, Validation, oLabs, Local Chapters, International Conferences, Legal, Guide, Papers, Testing, Metrics, AppSec FAQ, Top Ten, ISO17799
(Status column of the slide: each project rated Excellent, Great, or No Progress)
![Page 16: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/16.jpg)
OWASP Testing Project
- Create a "best practices" testing framework
- "Low level" testing guide to find issues; Phase 1 released Dec 2004
  - The scope of what to test
  - Principles of testing
  - Testing techniques explained
  - The OWASP testing framework explained
- Currently 2nd phase ongoing (TOC)
- Led by Daniel Cuthbert
![Page 17: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/17.jpg)
WebScarab Project
Tool for anyone involved with HTTP-based applications (e.g. web applications)
- Key features
  - Full visibility into the HTTP protocol
  - Also supports HTTPS (incl. client certs)
  - Persistent audit trail that can easily be reviewed
- Primary uses
  - Security analysis
  - Application debugging
- Led by Rogan Dawes
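The core of an intercepting proxy of the kind described above, as an added example in Python (not WebScarab's own Java code): it parses both sides of an HTTP exchange, appends each pair to a persistent JSON-lines audit trail, and then runs a security-analysis pass over the reloaded trail. The sample traffic, the host name example.test and all function and class names are constructed for illustration. The listening socket, request forwarding and the TLS termination a real HTTPS proxy needs are left out; in practice the raw messages would arrive from the client and server connections.

```python
import json
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample traffic for an imaginary host (not real captures).
LOGIN_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 29\r\n\r\n"
    b"user=alice&password=s3cret%21"
)
LOGIN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /home\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
HOME_REQUEST = b"GET /home HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123\r\n\r\n"
HOME_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 20\r\n\r\n"
    b"<h1>Hello alice</h1>"
)


@dataclass
class HttpMessage:
    start_line: str                  # request line or status line, verbatim
    headers: Dict[str, List[str]]    # lower-cased names; a header may repeat
    body: bytes


def parse_http_message(raw: bytes) -> HttpMessage:
    """Split one HTTP/1.x message into start line, headers and body."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    # Honour Content-Length so bytes that follow this message on the same
    # connection (e.g. a pipelined request) are not logged as part of its body.
    length = int(headers.get("content-length", [str(len(rest))])[0])
    return HttpMessage(lines[0], headers, rest[:length])


class AuditTrail:
    """Append-only JSON-lines file with one request/response pair per line,
    so a session can be reviewed long after the proxy has exited."""

    def __init__(self, path: str) -> None:
        self.path = path

    @staticmethod
    def _to_json(msg: HttpMessage) -> dict:
        # latin-1 maps every byte value to one code point, so the body
        # round-trips through JSON without loss.
        return {"start_line": msg.start_line, "headers": msg.headers,
                "body": msg.body.decode("iso-8859-1")}

    def record(self, conversation_id: int, request: HttpMessage,
               response: HttpMessage) -> None:
        entry = {"id": conversation_id, "request": self._to_json(request),
                 "response": self._to_json(response)}
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")

    def load(self) -> List[dict]:
        with open(self.path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]


def review(entries: List[dict]) -> Dict[int, List[str]]:
    """Security-analysis pass over a loaded trail: flag passwords sent in a
    form body and cookies set without the HttpOnly and Secure attributes."""
    findings: Dict[int, List[str]] = {}
    for entry in entries:
        notes: List[str] = []
        if "password=" in entry["request"]["body"].lower():
            notes.append("credentials in request body")
        for cookie in entry["response"]["headers"].get("set-cookie", []):
            attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
            missing = [a for a in ("httponly", "secure") if a not in attrs]
            if missing:
                notes.append("Set-Cookie lacks " + ", ".join(missing))
        if notes:
            findings[entry["id"]] = notes
    return findings


def run_demo(path: Optional[str] = None) -> Dict[int, List[str]]:
    """Record the two sample conversations, reload them and review the trail."""
    path = path or os.path.join(tempfile.mkdtemp(), "audit.jsonl")
    trail = AuditTrail(path)
    exchanges = [(LOGIN_REQUEST, LOGIN_RESPONSE), (HOME_REQUEST, HOME_RESPONSE)]
    for cid, (req, resp) in enumerate(exchanges, start=1):
        trail.record(cid, parse_http_message(req), parse_http_message(resp))
    return review(trail.load())


if __name__ == "__main__":
    for cid, notes in run_demo().items():
        print(f"conversation {cid}: {'; '.join(notes)}")
```

Run it directly to see the findings for the login conversation; the second conversation, which only replays the session cookie, produces none. The Content-Length handling is what keeps the trail trustworthy as a record: without it, a pipelined follow-up request on the same connection would be silently logged as part of the previous body and the review would be working from a corrupted capture.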
![Page 18: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/18.jpg)
Conferences
- Previous conference: UK, April 05, Royal Holloway
- Next conference: US, Oct 05, NIST, Washington DC
![Page 19: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/19.jpg)
![Page 20: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/20.jpg)
Belgium Chapter - What do we have to offer?
- Quarterly (?) meetings
- Mailing list
- Presentations & groups
- Open forum for discussion
- Meet fellow InfoSec professionals
- Create (Web)AppSec awareness in Belgium
- Local projects: Dutch & French Top 10 / Guide ?
![Page 21: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/21.jpg)
Belgium Chapter – House Rules
- Free & open to everyone
- Language: English preferred; native language: no problem!
- No vendor pitches or $ales presentations
- Respect for different opinions
- No flaming (including M$ bashing)
![Page 22: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/22.jpg)
Next Chapter Meetings: program proposal
- Short OWASP intro
- Presentation on one specific topic
- Follow-up
  - Open discussion on topic (with panel?)
  - Split up per topic + feedback into group
![Page 23: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/23.jpg)
OWASP Local Chapters
Next Meeting: Sep + Dec 2005
Topics: ?
Location: ?
![Page 24: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/24.jpg)
![Page 25: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/25.jpg)
Resources Online
- OWASP Project mailing lists
- Secure Coding List: [email protected]
- [email protected] (WASC)
- Low signal-to-noise ratio
- www.threatsandcountermeasures.com
![Page 26: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/26.jpg)
Resources - Blogs
- Michael Howard's Web Log
- Keith Brown Blog
- T&C Blogs
  - Mark Curphey
  - Michael Silk
  - …
![Page 27: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/27.jpg)
Resources Hard Copy
- IEEE Security & Privacy (bimonthly)
- Security Engineering – Anderson
- Building Secure Software – Viega & McGraw
- Exploiting Software: How to Break Code – Hoglund & McGraw
- Writing Secure Code – Howard & LeBlanc
- Enterprise Java Security – Pistoia, et al.
- Securing Web Services with WS-Security – Rosenberg & Remy
![Page 28: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/28.jpg)
That's it… Any questions?
http://www.owasp.org/local/belgium.html
Thank you!
![Page 29: OWASP: An Introduction](https://reader030.fdocuments.us/reader030/viewer/2022013004/56816847550346895dde2a89/html5/thumbnails/29.jpg)
Subscribe to Chapter mailing list
- Keep up to date!
- Post your (Web)AppSec questions
- Contribute to discussions!