[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Plan - Strawman
Georgi Geshev, OWASP Bulgaria
[email protected]
+359-884-237-207
03.04.10
OWASP 2
Agenda
Part 1: Introduction
• Who are we?
• What is this project all about?
• Would you like to join the OWASP community?
Part 2: Real world stories
• Care to know about the OWASP Top 10 project?
• How's the web down there in Wonderland?
Introduction
Who Am I?
(1) Free and Open Source Software Evangelist
(2) Enthusiastic Infosec Ninja
① + ② = ?
Here's the OWASP formula..
FOSS + WEB × APP × SEC = OWASP
The Open Web Application Security Project
The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
http://www.owasp.org/index.php
The Open Web Application Security Project: The Local Chapters
Over 150 local chapters worldwide..
The Open Web Application Security Project: OWASP Bulgaria
• This local chapter was founded in late 2010
• Less than 10 mailing list members
• Please consider joining the local chapter mailing list
• Regular chapter meetings
  • Welcome to the first one of 'em!
• For submissions, suggestions, offers and questions..
  • Forward your message to the mailing list
  • Contact me via email
The Open Web Application Security Project: Organization Supporters
The Open Web Application Security Project: Show Your Support
Consider…
• Donating
• Becoming an OWASP (local chapter) member
• Attending the local chapter regular meetings
• Attending an OWASP AppSec series conference
  • Global AppSec Europe, June 6th-11th 2011 @ Dublin, Ireland
• Contributing to an OWASP project
  • Developers, beta testers, etc.
The Open Web Application Security Project: Affiliation and Membership
Categories of Membership and Supporters
• Individual Supporters
• Single Meeting Supporter
• Organization Supporters
• Accredited University Supporters
The Open Web Application Security Project: Membership
Why Become a Supporting Member?
• Ethics and principles of the OWASP Foundation
• Underscore your awareness of web application software security
• Attend OWASP conferences at a discount
• Expand your personal network of contacts
• Support a local chapter of your choice
• Get your @owasp.org email address
• Have an individual vote in elections
http://www.owasp.org/index.php/Membership
The Open Web Application Security Project: OWASP Projects
Tools and documents are organized into the following categories:
• Protect – These are tools and documents that can be used to guard against security-related design and implementation flaws.
• Detect – These are tools and documents that can be used to find security-related design and implementation flaws.
• Life Cycle – These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).
The Open Web Application Security Project: The OWASP Top 10 Project
Project details..
• The OWASP Top Ten provides a powerful awareness document for web application security.
• The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
• Its latest (stable) release dates from April 2010.
• Creative Commons Attribution Share Alike 3.0 License ;)
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The Open Web Application Security Project: The OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks (2010 release):
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
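As an added illustration of A1 (Injection) from the list above, and not code from the original slides or from OWASP: a login lookup written twice against an in-memory SQLite table, once with the user's input concatenated into the query text and once with bound parameters. The `users` table, its three constructed rows and the helper names (`login_vulnerable`, `login_parameterised`, `demo`) are assumptions made for this example only.

```python
"""A1 Injection: string-built SQL beside its parameterised form.

Added example, not from the original slide deck. The schema, the sample
users and the payload are constructed here purely for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data (assumption, not from the page). Storing
    # passwords in clear text is itself A7 (Insecure Cryptographic Storage);
    # it is kept only so the injection effect is easy to see.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    # The A1 pattern: untrusted input becomes part of the SQL text, so a quote
    # in the input ends the literal and the remainder is parsed as SQL.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterised(conn: sqlite3.Connection, name: str, pw: str) -> list:
    # Bound parameters: the input is handed to the engine as data and is never
    # re-parsed as SQL, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, pw)))


def demo() -> dict:
    # Runs both lookups with a legitimate login and with the classic payload.
    conn = make_db()
    payload = "' OR '1'='1"  # attacker-supplied "password"
    return {
        "honest_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "honest_safe": login_parameterised(conn, "alice", "s3cret"),
        "attack_vuln": login_vulnerable(conn, "nobody", payload),
        "attack_safe": login_parameterised(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:12s} -> {rows}")
```

With the payload the string-built query becomes `... WHERE name = 'nobody' AND pw = '' OR '1'='1'`, which matches every row, so the vulnerable lookup "authenticates" all three users; the parameterised lookup compares the literal string and matches nobody. The same structure applies to any interpreter that receives concatenated input (LDAP, OS command lines, XPath), which is why the 2010 list calls the category Injection rather than SQL injection.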
The Open Web Application Security Project: The OWASP Top 10 Project
“Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.”
http://www.owasp.org/index.php/Top_10_2010-Main
The Open Web Application Security Project: The OWASP Top 10 Project
Companies, vendors and others (officially) profiting from The OWASP Top 10..
The Open Web Application Security Project: OWASP Guides
Don't stop at The OWASP Top 10!
Because The OWASP Top 10 project is simply not enough..
• OWASP Development Guide (Developer's Guide)
• OWASP Testing Project (Testing Guide)
• OWASP Code Review Project (Code Review Guide)
The Open Web Application Security Project: In Wonderland ;)
The "health" status of the Bulgarian web..
Shout outs go to …
• Kate Hartmann (Operations Director at OWASP)
• Tom Brennan (Global Board Member at OWASP)
All of these folks and a few more..
• P. Stefanov
• Y. Kolev
• M. Soler
..for kindly recommending and helping me set up this chapter!
• Thank you to all of you for attending this very first meeting ;)
Thank you for your attention!
Please forward any questions, comments and suggestions to: [email protected]