OWASP, the Life and the Universe
CLUSIR-EST - Strasbourg

6th June 2013

Sébastien Gioria, [email protected]
Chapter Leader OWASP France

Thursday, June 6, 13

http://www.google.fr/#q=sebastien gioria

‣ OWASP France Leader & Founder & Evangelist
‣ Application Security freelance consultant
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life

Twitter: @SPoint

Agenda

• Application Security:
  – where we are (no bullshit)
  – where we are (hopefully) going?
• Open Web Application Security Project?
• Update on OWASP Top10 (2013 version) and major projects

Why Application Security?

(Flowchart slide, built up over several animation steps)
Your Application has been Hacked: YES / NO
Your Application will be Hacked ;) : YES / NO
My Application will be hacked!
Let me take you on the right way
Next step

Game 1 to Game 4: "What's this?" (four picture slides)

Game Over....

• Do you have a VoIP phone?
• Do you have an IP router / broadband box?
• Do you have a smartphone?
• Do you have customers / partners over the Internet?

Anything else?

Why Application Security?

We are living in a Digital environment, in a Connected World

• Most websites are vulnerable to attacks
• A large share of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...)

Timeline: Age of Antivirus, Age of Network Security, Age of Application Security

Two statistics charts, (c) WhiteHatSecurity 2013

OWASP?

The Open Web Application Security Project

OWASP: Swarms of WASPS: Local Chapters

What is OWASP

Mission Driven
Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services

What is OWASP

Community Driven
30,000 Mail List Participants
200 Active Chapters in 70 countries
1600+ Members, 56 Corporate Supporters

Around the World
200 Chapters, 1,600+ Members, 20,000+ Builders, Breakers and Defenders

What is OWASP

Quality Resources
200+ Projects
15,000+ downloads of tools, documentation

Quality Resources (pie chart: Documentation, Tools, Code; 50%, 10%, 40%)

Security Lifecycle (diagram)

Security Resources (diagram)

The OWASP Top Ten

TOP 10 WEB APPLICATION SECURITY RISKS (2010 version, soon updated)

A1: Injection
A2: Cross Site Scripting
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Unvalidated Redirects and Forwards
A9: Insecure Cryptographic Storage
A10: Insufficient Transport Layer Protection

News
A Blog
A Podcast
Memberships
Mailing Lists
A Newsletter
Apple App Store
Video Tutorials
Training Sessions
Social Networking

7 Global Committees

All over the world (world map)

OWASP Projects

Cheat Sheets

Developer Cheat Sheets
§ OWASP Top Ten Cheat Sheet
§ Authentication Cheat Sheet
§ Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
§ Cryptographic Storage Cheat Sheet
§ Input Validation Cheat Sheet
§ XSS (Cross Site Scripting) Prevention Cheat Sheet
§ DOM based XSS Prevention Cheat Sheet
§ Forgot Password Cheat Sheet
§ Query Parameterization Cheat Sheet
§ SQL Injection Prevention Cheat Sheet
§ Session Management Cheat Sheet
§ HTML5 Security Cheat Sheet
§ Transport Layer Protection Cheat Sheet
§ Web Service Security Cheat Sheet
§ Logging Cheat Sheet
§ JAAS Cheat Sheet

Mobile Cheat Sheets
§ iOS Developer Cheat Sheet
§ Mobile Jailbreaking Cheat Sheet

Draft Cheat Sheets
§ Access Control Cheat Sheet
§ REST Security Cheat Sheet
§ Abridged XSS Prevention Cheat Sheet
§ PHP Security Cheat Sheet
§ Password Storage Cheat Sheet
§ Secure Coding Cheat Sheet
§ Threat Modeling Cheat Sheet
§ Clickjacking Cheat Sheet
§ Virtual Patching Cheat Sheet
§ Secure SDLC Cheat Sheet
§ Web Application Security Testing Cheat Sheet
§ Application Security Architecture Cheat Sheet

Enterprise Security API (for Reboot)

Project Leader: Chris Schmidt, [email protected]
Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

AntiSamy

Project Leader: Jason Li, [email protected]
Purpose: An HTML validation tool and API to safely and gracefully handle rich HTML input, for ensuring user-supplied HTML/CSS is in compliance with an application's rules.
https://www.owasp.org/index.php/AntiSamy

Guides (for Reboot)

Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services
Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls
Testing Guide: understand the what, why, when, where, and how of testing web applications

https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Category:OWASP_Testing_Project

Zed Attack Proxy (for Reboot)

Project Leader: Simon Bennetts (aka Psiinon), [email protected]
Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications.
Last Release: ZAP 2.0.0 (30 Jan 2013)
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

AppSensor

Project Leader(s): Michael Coates, John Melton, Colin Watson
Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application.
Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc)
https://www.owasp.org/index.php/AppSensor

Create attack aware applications
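The attack-aware loop the AppSensor slide describes (detection points raised by the application, per-user thresholds, escalating automated response), as an added Python example that is not AppSensor's own code; the detection point names, thresholds and the event stream are constructed for the illustration:

```python
# Added example, not AppSensor's own code: a minimal AppSensor-style
# detection point -> threshold -> automated response loop. Detection point
# names, thresholds and the sample event stream are constructed here.
from collections import defaultdict, deque, namedtuple

# user: who did it; point: detection point the application raised; ts: seconds
Event = namedtuple("Event", "user point ts")

# Per detection point: (count, window_seconds). One failure is user error;
# this many inside the window is treated as an attack signal.
THRESHOLDS = {"input_validation_failure": (5, 60.0), "auth_failure": (3, 120.0)}

# Responses escalate per user each time any threshold is reached.
ESCALATION = ["log", "warn_user", "lock_account"]


class AppSensor:
    def __init__(self):
        self._history = defaultdict(deque)  # (user, point) -> recent timestamps
        self._level = defaultdict(int)      # user -> escalation index
        self.responses = []                 # (user, point, response) taken so far

    def add_event(self, ev):
        """Record one event; return the response taken, or None."""
        if ev.point not in THRESHOLDS:
            return None  # unknown detection point: nothing to do
        count, window = THRESHOLDS[ev.point]
        q = self._history[(ev.user, ev.point)]
        q.append(ev.ts)
        while ev.ts - q[0] > window:  # forget events outside the window
            q.popleft()
        if len(q) < count:
            return None
        q.clear()  # threshold consumed, start a fresh window
        level = min(self._level[ev.user], len(ESCALATION) - 1)
        self._level[ev.user] += 1
        self.responses.append((ev.user, ev.point, ESCALATION[level]))
        return ESCALATION[level]

    def is_locked(self, user):
        return any(u == user and r == "lock_account" for u, _, r in self.responses)


def run_sample():
    """Constructed stream: one user trips the threshold three times, another once."""
    sensor = AppSensor()
    events = [Event("mallory", "input_validation_failure", t) for t in range(15)]
    events.append(Event("alice", "input_validation_failure", 100.0))
    for ev in events:
        sensor.add_event(ev)
    return sensor
```

A single validation failure from a legitimate user produces no response; only the repeated pattern inside the window escalates, and the responses list is what the application would hand to its logging and account-management code.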

Cloud Top10 Project

Project Leader: Vinay Bansal, [email protected]
Purpose: Develop and maintain a list of Top 10 Security Risks faced with the Cloud Computing and SaaS Models. Serve as a Quick List of Top Risks with Cloud adoption, and Provide Guidelines on Mitigating the Risks.
Deliverables - Cloud Top 10 Security Risks (Draft expected for early 2013)
https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project

Cloud Top10 Security Risks

• R1. Accountability & Data Risk
• R2. User Identity Federation
• R3. Legal & Regulatory Compliance
• R4. Business Continuity & Resiliency
• R5. User Privacy & Secondary Usage of Data
• R6. Service & Data Integration
• R7. Multi-tenancy & Physical Security
• R8. Incidence Analysis & Forensics
• R9. Infrastructure Security
• R10. Non-production Environment Exposure

Mobile Security Project (for Reboot)

Project Leader: Jack Mannino, [email protected]
Purpose: Establish an OWASP Top 10 Mobile Risks. Intended to be platform-agnostic. Focused on areas of risk rather than individual vulnerabilities.
Deliverables
- Top 10 Mobile Risks (currently Release Candidate v1.0)
- Top 10 Mobile Controls (OWASP/ENISA Collaboration)
- OWASP Wiki, 'Smartphone Secure Development Guidelines' (ENISA)
- Mobile Cheat Sheet Series
- OWASP GoatDroid Project
- OWASP Mobile Threat Model Project
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

Top 10 Mobile Risks

• M1. Insecure Data Storage
• M2. Weak Server Side Controls
• M3. Insufficient Transport Layer Protection
• M4. Client Side Injection
• M5. Poor Authorization and Authentication
• M6. Improper Session Handling
• M7. Security Decisions via Untrusted Inputs
• M8. Side Channel Data Leakage
• M9. Broken Cryptography
• M10. Sensitive Information Disclosure

Threat Modeling Project

Project Leader: Anurag "Archie" Agarwal, [email protected]
Purpose: Establish a single and inclusive software-centric OWASP Threat modeling Methodology, addressing vulnerability in client and web application-level services over the Internet.
Deliverables (1st Draft expected for end of 2012 / early 2013)
- An OWASP Threat Modeling methodology
- A glossary of threat modeling terms
https://www.owasp.org/index.php/OWASP_Threat_Modelling_Project

The OWASP Secure Software Contract Annex

Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered.
CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to.
OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed.
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex

Projects Reboot 2012

Refresh, revitalize & update Projects, rewrite & complete Guides or Tools.
https://www.owasp.org/index.php/Projects_Reboot_2012

Current Submissions
• OWASP Application Security Guide For CISOs - Selected for Reboot
• OWASP Development Guide - Selected for Reboot
• Zed Attack Proxy - Selected for Reboot
• OWASP WebGoat
• OWASP AppSensor
• OWASP Mobile Project - Selected for Reboot
• OWASP Portuguese Language Project
• OWASP_Application_Testing_guide_v4
• OWASP ESAPI
• OWASP Eliminate Vulnerable Code Project
• OWASP_Code_Review_Guide_Reboot

Projects selected via first round of review
1. OWASP Development Guide: Funding Amount: $5000 initial funding
2. OWASP CISO Guide: Funding Amount: $5000 initial funding
3. OWASP Zed Attack Proxy: Funding Amount: $5000 initial funding
4. OWASP Mobile Project: Funding Amount: $5000 initial funding

Ongoing discussions about the Code Review and the Testing Guides

OWASP Top10 2013

• Final publication OWASP Top10 2013
  – Very Very Soon.
• French translation done
• Not a lot of new things.

Top10 2013 - RC1

A1: Injection
A2: Broken session and authentication management
A3: Cross Site Scripting (XSS)
A4: Insecure direct object reference
A5: Security misconfiguration
A6: Data exposure
A7: Poor access control
A8: Cross Site Request Forgery (CSRF)
A9: Use of insecure components
A10: Poor handling of redirects and forwards

OWASP News

• New projects:
  – OWASP Scada Project
  – OWASP OpenStack Security Project

Dates

• RSSIA Bordeaux: 21 June
  – OWASP Top10 2013 in practice
• OWASP EU Tour 2013:
  – 24 June - Sophia Antipolis
  – 25 June - Geneva
• Java User Group Poitou-Charentes: 27 June
  – Secure Coding for Java
• AppSec Research Europe 2013: 20/23 August - Hamburg - Germany
• OWASP Benelux: 28/29 November 2013

Supporting OWASP

• Different options:
  – Individual Member: $50
  – Corporate Member: $5000
  – Free Donation
• Supporting only the France chapter:
  – Single Meeting supporter
    • Offer us a meeting room!
    • Take part with a talk or otherwise!
    • Simple donation
  – Local Chapter supporter: $500 to $2000

Next meetings

• September 2013
  – Venue: Mozilla Center Paris
  – Speakers:
    • Security on Firefox OS
    • To be defined
• November 2013
  – Venue: to be defined
  – Speaker: to be defined

License