The new OWASP standard for the Web Application Penetration Testing



Transcription:

Application Security: internet, mobile and beyond. The new OWASP standard for Web Application Penetration Testing. Matteo Meucci, Venice, 3 October 2014.

Organizers, sponsors and supporters of the ISACA Venice Chapter; held under the patronage of (sponsor logos).

Matteo Meucci. Matteo Meucci is the CEO and a co-founder of Minded Security, where he is responsible for the strategic direction and business development of the company. Matteo has more than 13 years of experience specializing in information security and has collaborated for several years on the OWASP project: he founded the OWASP-Italy Chapter in 2005 and has led the OWASP Testing Guide since 2006. Matteo holds an undergraduate degree in Computer Science Engineering from the University of Bologna.

Agenda
- OWASP today
- The OWASP Testing Guide v4: why?
- What does the Testing Guide answer?
- How can you use it?
- Common misunderstandings in the use of the Testing Guide

OWASP CORE MISSION
- A worldwide charitable organization focused on improving the security of software.
- Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.
- Everyone is welcome to participate in OWASP.
- All of our tools and materials are available under free and open software or documentation licenses.

OWASP CORE VALUES
- OPEN - Everything at OWASP is radically transparent, from our finances to our code.
- INNOVATION - OWASP encourages and supports innovation and experiments for solutions to software security challenges.
- GLOBAL - Anyone around the world is encouraged to participate in the OWASP community.
- INTEGRITY - OWASP is an honest and truthful, vendor-agnostic, global community.

~140 Projects
- PROTECT - Tools and documents that can be used to guard against security-related design and implementation flaws.
- DETECT - Tools and documents that can be used to find security-related design and implementation flaws.
- LIFE CYCLE - Tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

Conferences: Brussels, May 2008; NYC, Sep 2008; Israel, Sep 2008-11; Poland, May 2009; DC, Nov 2009; Sweden, June 2010; San Jose, Sep 2010; Ireland, May 2011; Minnesota, Sep 2011; Brazil, Oct 2011; Asia, Nov 2011; Sydney, Mar 2012; Greece, July 2012; Austin, TX, Oct 2012; Argentina, Nov 2012.

Local Chapters: 174 active chapters with 388 chapter leaders, each running chapter and/or regional events.

OWASP Members: 20,000+ participants, 50+ paid corporate supporters, 50+ academic supporters.

The First OWASP Guide: the Developer Guide
- Complements the OWASP Top 10
- 310-page book (on the wiki too)
- Many contributors
- Covers applications and web services on most platforms; examples are in J2EE, ASP.NET and PHP
- Unfortunately outdated
- Project Leader and Editor: Andrew van der Stock, vanderaj@owasp.org

Code Review Guide
- The most comprehensive open source secure code review guide on the web
- Years of development effort
- Version 1.1 produced during 2008
- Numerous contributors
- Version 2.0 effort launched in 2012
- Project Leader and Editor: Eoin Keary, eoin.keary@owasp.org
- www.owasp.org/index.php/code_review_guide

Testing Guide
- The most comprehensive open source secure testing guide on the web
- Years of development effort
- Version 4.0 produced in 2014
- Hundreds of contributors
- Project Leaders and Editors: Matteo Meucci and Andrew Muller, matteo.meucci@owasp.org, andrew.muller@owasp.org
- www.owasp.org/index.php/testing_guide

What is Secure Software? (the usual answers)
- "It's secure! Look at the lock, down on the right!"
- "Sure! The news says that it is unbreakable!"
- "It's secure! It's Google!"

Software Security Principles
- Security vulnerabilities are an expected outcome of the software development process.
- Controlling security bugs and flaws in the software should be considered part of the software development process itself.
- Vulnerability management (the fixing process) is the most important step in the software security process.

The new Testing Guide: why?
- Community driven, for all enterprises
- The state of the art of Web Application Penetration Testing
- Fight with the same weapons (knowledge)

Testing Guide History
- July 14, 2004: "OWASP Web Application Penetration Checklist", v1.0
- December 25, 2006: "OWASP Testing Guide", v2.0
- December 16, 2008: "OWASP Testing Guide", v3.0
- September 17, 2014: "OWASP Testing Guide", v4.0
Citations:
- NIST SP800-115, Technical Guide to Information Security Testing and Assessment
- Gary McGraw (CTO, Cigital) says: "In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio" (OWASP Podcast by Jim Manico)
- NSA's "Guidelines for Implementation of REST"
- Official (ISC)2 Guide to the CSSLP, pages 70 and 365
- Many books, blogs and websites

Testing Guide v4 goals
- Create a more readable guide, eliminating some sections that are not really useful, such as DoS testing.
- Insert new testing techniques: HTTP verb tampering, HTTP parameter pollution, etc.
- Rationalize some sections, such as Session Management Testing and Authentication Testing.
- Create new sections: Client Side Testing, Cryptography, Identity Management.

The OWASP Testing Framework Contents. The set of active tests has been split into 11 sub-categories, for a total of 91 controls:
- Information Gathering
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Input Validation Testing
- Error Handling
- Cryptography
- Business Logic Testing
- Client Side Testing

How to use the methodology. The loop is: Web Application -> Methodology -> Report -> Source Code Fixing -> Methodology -> Retest -> Report. The fix shown on the slide encodes the username parameter for the HTML attribute context before it is placed in the page (the slide shows the method with its body elided):

    public void findUser() {
        boolean showResult = false;
        // user-controlled input taken from the request
        String username = this.request.getParameter("username");
        ...
        // output encoding for the HTML attribute context, via the ESAPI encoder
        this.context.put("username", ESAPI.encoder().encodeForHTMLAttribute(username));
        this.context.put("showResult", showResult);
    }
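The report -> fix -> retest loop from the slide, worked through for the finding its code fixes (a username reflected into an HTML attribute). This is an added example, not code from the slides or from ESAPI: the encoder is a simplified stand-in written here, the HTML parser plays the part of the browser during the retest, and the probe string is constructed.

```python
import string
from html.parser import HTMLParser

# Constructed probe: a realistic value (an apostrophe in a surname) plus the two
# characters that would be needed to end the attribute early, a double quote and
# an equals sign. It is test data for the retest, nothing more.
PROBE = "O'Brien\" extra=\"1"

_SAFE = frozenset(string.ascii_letters + string.digits)

def encode_for_html_attribute(value: str) -> str:
    """Allow-list encoder: every character that is not ASCII alphanumeric becomes a
    numeric entity. ESAPI's encoder works on the same allow-list principle; this is
    a simplified stand-in written for this example, not ESAPI code."""
    return "".join(c if c in _SAFE else f"&#x{ord(c):x};" for c in value)

def render_vulnerable(username: str) -> str:
    """'Before' state from the report: the request parameter lands in the attribute
    verbatim, so a quote inside it ends the attribute early."""
    return f'<input name="username" value="{username}">'

def render_fixed(username: str) -> str:
    """'After' state from the slide: the value is encoded for the HTML attribute
    context before it is placed in the template."""
    return f'<input name="username" value="{encode_for_html_attribute(username)}">'

class _TagCollector(HTMLParser):
    """Stand-in for the browser: records every start tag with its attributes."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def retest(render, probe: str) -> bool:
    """Retest step: the fix holds only if the parsed page contains exactly one
    <input> whose value attribute round-trips to the probe unchanged, i.e. the
    probe could neither add attributes nor open new tags."""
    collector = _TagCollector()
    collector.feed(render(probe))
    collector.close()
    expected = ("input", {"name": "username", "value": probe})
    return collector.tags == [expected]

if __name__ == "__main__":
    print("vulnerable passes retest:", retest(render_vulnerable, PROBE))  # False
    print("fixed passes retest:", retest(render_fixed, PROBE))            # True
```

The same retest is what closes the finding in the report: it passes on the fixed code and fails on the original, so it also documents that the fix, not just the re-scan, was done.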

Common misunderstandings

Example of an unstructured approach: the Ministry of Informatics

Actors
- Ministry of Informatics: those who buy the software
- Development teams (internal/external): those who develop the software
- Users: those who use the software

Press conference for the launch of the service: "Now you can take advantage of a new service on the portal of the Ministry of Informatics." "Fantastic!! Congratulations!!"

The day after

Users access the portal (the page shows other users' personal data): Mario Verdi, 12/12/1970, m.verdi@azienda.it; Mario Rossi, 10/09/1982, mariorossi@azienda.it; Paolo Rossi, 09/02/1960, p_rossi@azienda.it

Users access the portal: "Oh oh... I found a problem..."

Some days after

The reactions: "Ohh... how was it possible?" "It's the developers' fault!" "But that's impossible! We followed all your instructions." If you do not ask for security, no one will develop secure software. Use the Testing Guide as a common framework.

A year after, another security breach: "Ohh... how was it possible?" "It's the developers' fault!" "But that's impossible! We adopted the OWASP Testing Guide!" Web Application Penetration Testing alone is not enough: testing without fixing is like throwing money out of the window.

Conclusion. Adopt the OWASP Testing Guide as your standard for verifying the security of your web applications. Remember that the Testing Guide is not a panacea for software security: you need to create an application security program that addresses awareness, secure coding guidelines, threat modelling, secure design, secure code review and web application penetration testing. Focus more on fixing the vulnerabilities in your reports.

Thanks! Questions? www.owasp.org https://www.owasp.org/index.php/italy matteo.meucci@owasp.org