2. Who Am I?
5 years developer experience
8 years information security experience
Lead application security
Telindus, Belgacom ICT (Belgium)
Belgian OWASP chapter founder
OWASP board member
www.owasp.org
OWASP
5. OWASP
The Open Web Application Security Project
(OWASP)
International not-for-profit charitable Open Source organization funded
primarily by volunteers' time, OWASP Memberships, and OWASP Conference fees
Participation in OWASP is free and open to all
6. OWASP Mission
to make application security "visible," so that people and organizations
can make informed decisions about application security risks
7. OWASP Resources and Community
Documentation (Wiki and Books)
• Code Review, Testing, Building, Legal, more …
Code Projects
• Defensive, Offensive (Test tools), Education,
Process, more …
Chapters
• Over 130 and growing
Conferences
• Major and minor events all around the world
10. OWASP Conferences (2008-2009)
(World-map slide; the city/date pairs recoverable from it are listed here)
Gold Coast: Feb 2008 (+2009)
Brussels: May 2008
India: Aug 2008
NYC: Sep 2008
Israel: Sep 2008
Minnesota: Oct 2008
Taiwan: Oct 2008
Germany: Nov 2008
Portugal: Nov 2008
Denver: Spring 2009
Poland: May 2009
San Jose?: Sep 2009
11. Summit Portugal
2009 Focus
80+ application security experts from 20+ countries
New Free Tools and Guidance (SoC08)
New Outreach Program
technology vendors, framework providers, and
standards bodies
new program to provide free one-day seminars at
universities and developer conferences worldwide
New Global Committee Structure
Education, Chapter, Conferences, Industry, Projects
and Tools, Membership
13. OWASP Projects:
Improve Quality and Support
Define Criteria for Quality Levels
Alpha, Beta, Release
Encourage Increased Quality
Through Season of Code Funding and Support
Produce Professional OWASP books
Provide Support
Full-time executive director (Kate Hartmann)
Full-time project manager (Paulo Coimbra)
Half-time technical editor (Kirsten Sitnick)
Half-time financial support (Alison Shrader)
Looking to add programmers (Interns and professionals)
14. OWASP Top 10
The Ten Most Critical
Web Application Security
Vulnerabilities
2007 Release
A great start, but not a
standard
16. The 'Big 4' Documentation Projects
Building Guide
Code Review Guide
Testing Guide
Application Security Desk Reference (ASDR)
17. The Guide
Complements
OWASP Top 10
310-page book
Free and open source
GNU Free Documentation License
Many contributors
Apps and web services
Most platforms
Examples are J2EE, ASP.NET,
and PHP
Comprehensive
Project Leader and Editor
Andrew van der Stock,
vanderaj@owasp.org
18. Uses of the Guide
Developers
Use for guidance on implementing security
mechanisms and avoiding vulnerabilities
Project Managers
Use for identifying activities (threat modeling, code
review, penetration testing) that need to occur
Security Teams
Use for structuring evaluations, learning about
application security, remediation approaches
19. Each Topic
Includes Basic Information (like OWASP T10)
How to Determine If You Are Vulnerable
How to Protect Yourself
Adds
Objectives
Environments Affected
Relevant COBIT Topics
Theory
Best Practices
Misconceptions
Code Snippets
20. Testing Guide v2: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
21. What Is the OWASP Testing Guide?
Guide structure:
• Testing Principles
• Testing Process
• Custom Web Applications
• Black Box Testing
• Grey Box Testing
• Risk and Reporting
• Appendix: Testing Tools
• Appendix: Fuzz Vectors
Testing categories:
• Information Gathering
• Business Logic Testing
• Authentication Testing
• Session Management Testing
• Data Validation Testing
• Denial of Service Testing
• Web Services Testing
• Ajax Testing
22. SoC08 version 3
Improve version 2
• 9 articles improved
• Total of 10 testing categories and 66 controls
New sections and controls
• Configuration Management
• Authorization Testing
• 36 new articles
• New Encoded Injection appendix
23. How the Guide helps the security industry
A structured approach to the testing activities
Testers
• A checklist to be followed
• A learning and training tool
Organisations
• A tool to understand web vulnerabilities and their impact
• A way to check the quality of security tests
More generally, the Guide aims to provide a pen-testing standard that creates a
'common ground' between the testing groups and its ‘customers’.
This will raise the overall quality and understanding of this kind of activity and
therefore the general level of security of our applications
25. Tools – At Best 45%
MITRE found that all application
security tool vendors’ claims put
together cover only 45% of the known
vulnerability types (over 600 in CWE)
They found very little overlap between
tools, so to get 45% you need them all
(assuming their claims are true)
29. OWASP CSRFGuard 2.0
(Diagram: CSRFGuard sits between the user's browser and the business processing)
Adds token to:
• href attribute
• src attribute
• hidden field in all forms
Verify token on each incoming request
Actions on a missing or invalid token:
• Log
• Invalidate
• Redirect
http://www.owasp.org/index.php/CSRFGuard
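The synchronizer-token pattern the CSRFGuard slide describes (add a per-session token to the HTML, verify it on every request, and Log / Invalidate / Redirect on failure), as an added example written for this page in Python. It is not CSRFGuard's own Java code; the parameter name `OWASP_CSRFTOKEN`, the `Session` shape and the `actions` tuple are assumptions made to keep the example self-contained.

```python
"""Synchronizer-token CSRF protection in the style of the CSRFGuard slide:
add the token to HTML, verify it on each request, apply Log / Invalidate /
Redirect on failure. Added example, not CSRFGuard's Java code. The parameter
name, Session shape and actions tuple are assumptions for illustration."""
import hmac
import re
import secrets
from dataclasses import dataclass, field

TOKEN_PARAM = "OWASP_CSRFTOKEN"  # assumed parameter name


@dataclass
class Session:
    """Server-side session; one unpredictable token per session."""
    session_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    valid: bool = True
    log: list = field(default_factory=list)


def add_token_to_html(html: str, token: str) -> str:
    """Append the token to relative href/src URLs and add a hidden field to
    every form. Absolute and non-navigational URLs (other sites, javascript:,
    #, mailto:) are left alone so the token is not handed to third parties."""
    def tag_url(m):
        attr, quote, url = m.group(1), m.group(2), m.group(3)
        if url.startswith(("http://", "https://", "//", "javascript:", "#", "mailto:")):
            return m.group(0)
        sep = "&" if "?" in url else "?"
        return f"{attr}={quote}{url}{sep}{TOKEN_PARAM}={token}{quote}"

    html = re.sub(r"\b(href|src)=([\"'])([^\"']*)\2", tag_url, html)
    hidden = f'<input type="hidden" name="{TOKEN_PARAM}" value="{token}">'
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + hidden, html, flags=re.I)


def verify_token(session: Session, params: dict,
                 actions=("log", "invalidate", "redirect")) -> str:
    """Constant-time compare of the submitted token against the session token.
    Returns "ok" on success; otherwise applies the configured actions and
    returns "redirect:/csrf-error" when redirecting, else "rejected"."""
    submitted = params.get(TOKEN_PARAM, "")
    if hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return "ok"
    outcome = "rejected"
    if "log" in actions:
        session.log.append(f"CSRF token mismatch, session={session.session_id}")
    if "invalidate" in actions:
        session.valid = False  # force the user to re-authenticate
    if "redirect" in actions:
        outcome = "redirect:/csrf-error"
    return outcome


if __name__ == "__main__":
    s = Session("sid-42")
    page = add_token_to_html('<a href="/transfer?to=bob">Pay</a>'
                             '<form method="post" action="/transfer"></form>',
                             s.csrf_token)
    print(page)
    print(verify_token(s, {TOKEN_PARAM: s.csrf_token}))  # ok
    print(verify_token(s, {TOKEN_PARAM: "forged"}))      # redirect:/csrf-error
```

Two practitioner caveats: a token appended to `href`/`src` travels in the URL, so it can leak through Referer headers and logs, which is why the hidden form field is the preferred carrier for state-changing requests; and the comparison must be constant-time (`hmac.compare_digest`) so that a forged token cannot be recovered byte by byte through timing.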
30. The OWASP Enterprise Security API
(Architecture diagram)
Custom Enterprise Web Application
  uses: The OWASP Enterprise Security API
  which wraps: Existing Enterprise Security Services/Libraries
ESAPI components:
Authenticator, User, AccessController, AccessReferenceMap, Validator,
Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer,
Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
31. Coverage
OWASP Top Ten (2007)                          OWASP ESAPI
A1.  Cross Site Scripting (XSS)               Validator, Encoder
A2.  Injection Flaws                          Encoder
A3.  Malicious File Execution                 HTTPUtilities (upload)
A4.  Insecure Direct Object Reference         AccessReferenceMap
A5.  Cross Site Request Forgery (CSRF)        User (csrftoken)
A6.  Leakage and Improper Error Handling      EnterpriseSecurityException, HTTPUtils
A7.  Broken Authentication and Sessions       Authenticator, User, HTTPUtils
A8.  Insecure Cryptographic Storage           Encryptor
A9.  Insecure Communications                  HTTPUtilities (secure cookie, channel)
A10. Failure to Restrict URL Access           AccessController
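The A4 row above maps Insecure Direct Object Reference to ESAPI's AccessReferenceMap. The following is an added example written for this page in Python, not ESAPI's Java implementation: it shows the vulnerable handler that exposes real keys, then the indirect-reference map that replaces them with per-user random tokens. The account data, the class and method names, and the request handlers are all constructed for illustration and only mirror the concept.

```python
"""Indirect object references, the idea behind ESAPI's AccessReferenceMap
(A4, Insecure Direct Object Reference). Added example in Python, not ESAPI's
Java code; names and data are constructed for illustration."""
import secrets

# Constructed sample data: which accounts each authenticated user owns.
ACCOUNTS = {
    "acct:1001": {"owner": "alice", "balance": 120},
    "acct:1002": {"owner": "alice", "balance": 30},
    "acct:2001": {"owner": "bob",   "balance": 99_999},
}


class AccessControlError(Exception):
    """Raised when a request names a reference the user was never given."""


def vulnerable_statement(acct_id: str) -> dict:
    """Before: the URL carries the real key, so ?acct=acct:2001 reads bob's account."""
    return ACCOUNTS[acct_id]


class RandomAccessReferenceMap:
    """Per-user map from direct references (DB keys, file names) to random,
    unguessable indirect references. Only indirect references reach the
    browser; anything not in the map is rejected, which doubles as an
    authorisation check because the map was built from what the user may see."""

    def __init__(self, direct_refs):
        self._to_indirect = {}
        self._to_direct = {}
        for direct in direct_refs:
            self.add_direct_reference(direct)

    def add_direct_reference(self, direct: str) -> str:
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        indirect = secrets.token_urlsafe(8)
        while indirect in self._to_direct:  # collision is astronomically unlikely
            indirect = secrets.token_urlsafe(8)
        self._to_indirect[direct] = indirect
        self._to_direct[indirect] = direct
        return indirect

    def direct_references(self) -> list:
        return list(self._to_indirect)

    def get_indirect_reference(self, direct: str) -> str:
        return self._to_indirect[direct]

    def get_direct_reference(self, indirect: str) -> str:
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise AccessControlError(f"unknown reference {indirect!r}") from None


def reference_map_for(user: str) -> RandomAccessReferenceMap:
    """Built at login from the objects the user is allowed to see; kept in the session."""
    return RandomAccessReferenceMap(k for k, v in ACCOUNTS.items() if v["owner"] == user)


def render_links(arm: RandomAccessReferenceMap) -> list:
    """What the browser sees: random tokens, never real keys."""
    return [f"/statement?acct={arm.get_indirect_reference(k)}"
            for k in arm.direct_references()]


def hardened_statement(arm: RandomAccessReferenceMap, indirect: str) -> dict:
    """After: translate the token back; a tampered or guessed value never reaches the DB."""
    return ACCOUNTS[arm.get_direct_reference(indirect)]


if __name__ == "__main__":
    alice = reference_map_for("alice")
    print(render_links(alice))
    print(vulnerable_statement("acct:2001"))  # anyone can read bob's account
    try:
        hardened_statement(alice, "acct:2001")
    except AccessControlError as e:
        print("blocked:", e)
```

The map is rebuilt per session, so a token copied from another user's page is meaningless in the victim's map; the check therefore fails closed without a separate ownership lookup on every request.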
32. Create Your ESAPI Implementation
Your Security Services
Wrap your existing libraries and services
Extend and customize your ESAPI implementation
Fill in gaps with the reference implementation
Your Coding Guideline
Tailor the ESAPI coding guidelines
Retrofit ESAPI patterns to existing code
33. OWASP CLASP
Comprehensive, Lightweight
Application Security Process
Prescriptive and Proactive
Centered around 7 AppSec Best
Practices
Cover the entire software lifecycle
(not just development)
Adaptable to any development process
CLASP defines roles across the SDLC
24 role-based process components
Start small and dial-in to your needs
34. The CLASP Best Practices
1. Institute awareness programs
2. Perform application assessments
3. Capture security requirements
4. Implement secure development practices
5. Build vulnerability remediation procedures
6. Define and monitor metrics
7. Publish operational security guidelines
41. Upcoming Conferences
February 2009 - OWASP Day III (Italy): "Web Application
Security: research meets industry", 23rd February 2009 - Bari (Italy)
February 2009 - OWASP AppSec Australia 2009 - Gold Coast
Training & Conference, Gold Coast Convention Center, QLD
Australia
March 2009 - OWASP Front Range Conference March 5th, 2nd
Annual 1-Day Conference in Denver, Colorado
May 2009 - OWASP AppSec Europe 2009
Poland May 11th - 14th - Conference and Training, Qubus Hotel,
Krakow, Poland
Back to back with Confidence09
June 2009 - OWASP AppSec - Dublin Ireland
October 2009 - OWASP AppSec US 2009 - Washington, D.C.
42. German Chapter
Meetings
Local Mailing List
Presentations & Groups
Open forum for discussion
Meet fellow InfoSec professionals
Create (Web)AppSec awareness
Local projects?
43. Subscribe to German Chapter mailing list
Post your (Web)AppSec questions
Keep up to date!
Get OWASP news letters
Contribute to discussions!