Open Web Applica-on Security Project

Transcription

1 The OWASP Foundation Open Web Applica-on Security Project Antonio Fontes SWISS CYBER STORM Conference May 2011 Rapperswil Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2 A few words about me Antonio Fontes 6 years background working on somware security & privacy Founder and principal consultant at L7 Securité Sàrl Lecturer at HST Yverdon (HEIG- VD) Focus: Web applica-on threats and countermeasures Secure development lifecycle Penetra-on tes-ng and vulnerability assessment SoMware threat modelling and risk analysis OWASP: OWASP Switzerland : member of the board, western Switzerland delegate OWASP Geneva: Chapter leader 2

3 cat /wwwroot/agenda.html Why do organiza-ons need OWASP? OWASP worldwide OWASP in Switzerland Q/A 3

4 Thermometer: Is your organization already using OWASP material? - For internal software development? - For outsourced custom software? - For COTS acquisition? photo by Dave Oshry 4

5 Why do organisa-ons need OWASP? 5

6 Why do organisa-ons need OWASP? 6

7 Why do organisa-ons need OWASP? 77 million users! 101 million users! 7

8 Why do organisa-ons need OWASP? Handout from Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen. (May. 1 st. 2011) 8 photo by Dave Oshry

9 Why do organisa-ons need OWASP? 9

10 Just a lihle check: Who knows PBKDF2? 10

11 Why do organisa-ons need OWASP? Who understands this in your organisa6on? 11

12 Why do organisa-ons need OWASP? Use hashes!! No! Don't use hashes!! 12

13 Why do organisa-ons need OWASP? Outside the organisa-on: Increasing adop-on of Anything over HTTP Increasing hos-le interest in online services: Increasing threat popula-on Web hacking/security is easy to understand/teach Low risk of being caught Increasing offer in security consul-ng, services and products 13

14 Why do organisa-ons need OWASP? Inside organisa-ons: Developers dealing with dozens web technologies Heterogonous development teams and lifecycles Constant pressure for delivery Turnover and loss of internal know- how Who in the company is actually both up- to- date on the concept of (web) applica-ons security and has the power to take decisions? Who in the company is actually able to qualify security products and services that are paid for? 14

15 Why do organisa-ons need OWASP? Swiss Cyber Storm III - May Rapperswil

16 U.S. 501c3 not- for- profit charitable interna-onal organiza-on Structure Make applica+on security visible, so that people and organisa+ons can make informed decisions about applica+on security risks. OWASP founda-on Mission Code of ethics Independence from vendors, technology- agnos+c Core values Open, Global, Innova+on, Worldwide 16

17 "strategy" (or so...) Website Threat Board Commihees Summit Chapters Projects Conferences Members People Methods Tools Web Applica-on? Company assets 17

18 OWASP people 18

19 Project Leaders Responsible for driving volunteers effort on OWASP material projects: Workshops Brainstorming sessions Analysis/repor-ng Guides edi-ng Tools coding 19 quality- release and 26 beta- status projects P T M 19

20 Chapter Leaders Responsible for leading Local Chapters: 188 Chapters worldwide More than 300 yearly mee-ngs worldwide Connect with local organisa-ons P T M Next local chapter mee-ng: Zurich June 14 th 20

21 Global Commihees Responsible for driving volunteers effort on global OWASP outreach. OWASP current Global Commihees: Industries Membership Government Educa-on Projects Events Connec-ons P T M 21

22 Employees and contractors Kate Hartmann Logis-cs and day- to- day support for leaders of the 188 local chapters Alison Shrader Accoun-ng & Administra-on Paulo Coimbra OWASP PMO Sarah Basso Opera-ons during OWASP events 22

23 Research conference Conference dedicated to research work on applica-on security P T M 23

24 Appsec conference P T M Yearly global applica-on security focused conferences: Europe North America South America Asia Next OWASP Conference in Europe: Dublin June 7th- 10th Swiss Cyber Storm III - May Rapperswil

25 Summits Intensive 1- week workshop event with leaders, contributors, sponsors and somware vendors: Ability to connect with leading somware vendors and corporate members More than 150 reunited chapter & project leaders 80 workshops P T M 25

26 OWASP members 26

27 OWASP Membership Individual members: Annual fee: 50$/year Free access to OWASP Training day events Reduced fees at OWASP Events Current count: 1383 individual contribu-ng members 27

28 OWASP Membership Corporate members: 52 public corporate members Annual fee: 5 000$/year Delegates for the Summit event Logo on website, use as marke-ng argument Majority is from the US, but Switzerland is also there 28

29 OWASP Membership Academic members: Annual fee: 0$/year Donate: support 40 members Switzerland: 1 officialised partnership (HEIG- VD) 2 pending partnerships 29

30 OWASP: the web portal 30

31 hhps:// unique visitors monthly pages viewed monthly 60% driven by search engines 19% referred by other websites Highest traffic mo-ves: OWASP Top 10 Webscarab project XSS preven6on cheat sheet sql injec6on 31

32 hhp://lists.owasp.org More than 400 mailing lists currently running users Related to: tools, documents, methods, commihees, events, outreach, leaders, etc. 32

33 OWASP projects 33

34 OWASP projects: Tools Analyze Design Implement Verify Deploy Respond An-SAMMY ESAPI CSRFGuard Encoding S-nger JBroFuzz LiveCD WebScarab O2 Code Crawler ModSecurity CRS DirBuster WebScarab Orizon Zed Ahack Proxy Academy portal, Broken Web applica-ons, ESAPI Swingset, Webgoat 34

35 OWASP projects: Documents Analyze Design Implement Verify Deploy Respond Secure contract Applica-on security requirements Threat risk modeling Development J2EE Security RoR Security.NET Security Code Review Tes-ng ASVS Backend Security Code Review Tes-ng AJAX Security PHP Security Secure coding prac-ces Academy, Appsec FAQ, Appsec metrics, Common Vuln. List, Educa-on, Exams, Legal, OWASP Top 10 35

36 Tools: webgoat COTS web applica-on for webapp security (CBT) training Click and run /index.php/webgoat P T M 36

37 Tools: ModSecurity core ruleset Cri-cal protec-ons centralized in a core ruleset (CRS) to be installed on ModSecurity enabled Apache servers Provides: HTTP Protocol compliance Ahack detec-on Error detec-on Search engine monitoring hhps:// P T M 37

38 Tools: Entreprise Security API Control library encapsula-ng most security func-ons required in web applica-ons: Authen-ca-on Access control Sessions Encoding Input valida-on Encryp-on Logging Intrusion detec-on hhps:// P T M 38

39 Documents: OWASP Top 10 hhps:// P T M 39

40 Documents: code review guide Instruc-ons and methodology manual for conduc-ng code security reviews Guidance on detec-ng the major security flaws created during implementa-on hhps:// Category:OWASP_Code_Review_Project P T M 40

41 Documents: ASVS ASVS: Applica-on Security Verifica-on Standard 4 verifica-on (assurance) levels across more than 120 security controls Tailored to your own risk aversion hhps:// P T M 41

42 Documents: OpenSAMM Open SoMware Assurance Maturity Model P T M hhps:// Category:SoMware_Assurance_Maturity_Model 42

43 OWASP Switzerland 43

44 OWASP Switzerland's structure No legal form (yet, just a few days lem) Leader: Sven Vetsch Board members: Tobias Christen, Antonio Fontes Based in Zurich 130 mailing list members Next mee6ng: June 14 th Other local city/region chapters: OWASP Geneva 90 list members Next mee-ng: September 6 th 44

45 Ac-vi-es: mee-ngs and conferences Local chapter mee-ngs: 1,2,3 speakers per event Geneva, Yverdon, Zurich ~8 mee-ngs/year Ahendance: people People love these mee-ngs! (Historical) conference partnerships: 45

46 Ac-vi-es: awareness sessions Awareness session for Swiss organiza-ons: 1 hour, head- to- head session with an OWASP representa-ve at your company Syllabus: OWASP organiza-on, OWASP projects and membership opportuni-es 4 Swiss private companies requested this in 2010 It s free! BUT: it s not free training or consul-ng!! à No product names à No "reviews" à No training. 46

47 OWASP Switzerland is live! (non exhaus-ve list, sorry for those I forgot L ) Ivan Butler: Web applica-on firewall & Hacking lab Tobias Christen: Security & Usability Alexis Fitzgerald : Gathering applica-on security requirements Chris-an Folini : ModSecurity CRS & DDoS defense Antonio Fontes : Threat modelling & Lifecycle security Axel Neumann: Zed Ahack Proxy Sylvain Maret : Strong authen-ca-on Pierre Parrend : Java mobile applica-ons Sven Vetsch : Advanced XSS ahacks and defense... ß come to me amer the talk if you want your name here 47

48 Thank you! Visit the OWSAP Website: hhps:// Join the OWASP Switzerland mailing list: hhp:// Follow us on Get in touch with your local OWASP representa-ves: Sven Vetsch (Switzerland) sven.vetsch@disenchant.ch Antonio Fontes (Western/French Switzerland) antonio.fontes@owasp.org 48