This document summarizes a presentation given by Sébastien Gioria on application security. The presentation provided an overview of the current state of application security, described the Open Web Application Security Project (OWASP) including its mission and resources, and highlighted several OWASP projects that developers can use to help secure applications. It also listed upcoming security events in France and ways to support OWASP.
1. TechItDays 2014
DT Solocal Seminar 2014, 4th September 2014
OWASP, the Life, the Universe
Sébastien Gioria, Sebastien.Gioria@owasp.org
Chapter Leader & Evangelist, OWASP France
2. http://www.google.fr/#q=sebastien gioria
‣ Innovation and Technology @Advens && Application Security Expert
‣ OWASP France Leader & Founder & Evangelist
‣ OWASP ISO Project & OWASP SonarQube Project Leader
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life.
Twitter: @SPoint / @OWASP_France
3. Agenda
• Application Security:
  – where we are (no bullshit)
  – where we are (hopefully) going?
• Open Web Application Security Project?
• Major projects you can use
4. Why Application Security?
(Flowchart on the slide: "My Application will be hacked!" → YES / NO; "Your Application will be Hacked ;)" / "Your Application has been Hacked" → "Let me take you on the right way" → Next Step)
5. SQL in Java
http://stackoverflow.com/questions/9123084/how-to-execute-a-sql-statement-with-a-variable-as-where

    // Pattern shown on the slide: the user-supplied value is concatenated
    // straight into the SQL text, so it is part of the query, not data (SQL injection).
    ResultSet rs = stmd.executeQuery("select * from person where uid = " + userid);
    while (rs.next()) {
        System.out.println("Name= " + rs.getString(1));
    }
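The slide's bug and its fix side by side, as an added example that is not from the slides or the linked Stack Overflow answer: the same concatenation in Python with sqlite3 (so it runs stand-alone), next to the parameterized form that a Java PreparedStatement gives you. The person table and the inputs are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the 'person' table on the slide."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE person (uid INTEGER, name TEXT)")
    con.executemany("INSERT INTO person VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    return con


def names_vulnerable(con, userid):
    """Same pattern as the slide: the value becomes part of the SQL text."""
    rs = con.execute("select * from person where uid = " + str(userid))
    return [row[1] for row in rs]


def names_parameterized(con, userid):
    """Fix: bind the value as a parameter; the SQL text never changes.
    In Java this is PreparedStatement + setInt/setString, not string concatenation."""
    rs = con.execute("select * from person where uid = ?", (userid,))
    return [row[1] for row in rs]


def demo():
    """Run both variants on an honest uid and on a constructed non-numeric input."""
    con = make_db()
    tainted = "1 OR 1=1"  # constructed: a value that is not a number
    return {
        "honest_vuln": names_vulnerable(con, 1),        # ['alice']
        "honest_safe": names_parameterized(con, 1),     # ['alice']
        "tainted_vuln": names_vulnerable(con, tainted),  # every row leaks
        "tainted_safe": names_parameterized(con, tainted),  # [] : bound as text, no uid matches
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```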
7. Game Over....
• Did you develop a Web Site?
• Did you develop embedded products?
• Did you develop smartphone applications?
• Did you have customers / partners over the Internet?
8. We are living in a Digital environment, in a Connected World
• Most websites are vulnerable to attacks
• An important % of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...)
Why Application Security? (timeline on the slide: Age of Antivirus → Age of Network Security → Age of Application Security)
13. What is OWASP
Mission Driven | Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services
14. What is OWASP
Community Driven
30,000 Mail List Participants
200 Active Chapters in 70 countries
1600+ Members, 56 Corporate Supporters, 69 Academic Supporters
15. Around the World
200 Chapters, 1 600+ Members, 20 000+ Builders, Breakers and Defenders
16. What is OWASP
Quality Resources
200+ Projects
15,000+ downloads of tools, documentation
250,000+ unique visitors, 800,000+ page views (monthly)
22. OWASP Top 10 2013
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
ex-A9 (insecure transport) + A7 (crypto storage)
24. Enterprise Security API
Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org
Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
25. Java HTML Sanitizer, Java Encoder
Project Leader: Mike Samuel, Mike.samuel@owasp.org
Purpose: The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Project Leader: Jeff Ichnowski
Purpose: The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
26. Java Encoder Project
Project Leader: Mike Samuel, Mike.samuel@owasp.org
Purpose: The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
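What "an encoder class" buys you: the output context decides which characters are dangerous, so one encoder per context is needed. The following is an added Python sketch of that idea, not the OWASP Java Encoder's own code; the function names, the character tables and the sample page are assumptions made for the demo.

```python
import urllib.parse

# HTML text and quoted attribute values: entity-encode the markup metacharacters.
_HTML = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def encode_for_html(s):
    """Safe for HTML body text and quoted attribute values."""
    return "".join(_HTML.get(c, c) for c in s)


def encode_for_javascript(s):
    """Safe inside a JS string literal: hex-escape anything that could end the
    literal or the enclosing <script> block (a literal '</script>' would)."""
    out = []
    for c in s:
        if c.isalnum() or c in " ,._":
            out.append(c)
        elif ord(c) < 0x100:
            out.append("\\x%02X" % ord(c))
        else:
            out.append("\\u%04X" % ord(c))
    return "".join(out)


def encode_for_uri_component(s):
    """Safe inside a URL query value: percent-encode everything but unreserved chars."""
    return urllib.parse.quote(s, safe="")


def render_profile(name):
    """The same untrusted value placed in three contexts, each with its own encoder.
    Using encode_for_html inside the <script> block would be the wrong tool:
    entities are not decoded there, and a raw '</script>' would still close it."""
    return (
        "<p>Hello " + encode_for_html(name) + "</p>\n"
        '<script>var user = "' + encode_for_javascript(name) + '";</script>\n'
        '<a href="/search?q=' + encode_for_uri_component(name) + '">search</a>'
    )


if __name__ == "__main__":
    print(render_profile("</script>"))  # constructed hostile display name
```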
28. OWASP IoT Project
• The OWASP Internet of Things Top 10 - 2014 is as follows:
• I1 Insecure Web Interface
• I2 Insufficient Authentication/Authorization
• I3 Insecure Network Services
• I4 Lack of Transport Encryption
• I5 Privacy Concerns
• I6 Insecure Cloud Interface
• I7 Insecure Mobile Interface
• I8 Insufficient Security Configurability
• I9 Insecure Software/Firmware
• I10 Poor Physical Security
29. Guides
Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services
Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls
Testing Guide: understand the what, why, when, where, and how of testing web applications
Application Security Verification Standard (ASVS): comprehensive manual for designing and verifying the security of an application
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
30. Zed Attack Proxy
Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com
Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications.
Last Release: ZAP 2.3.1 (21 May 2014)
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
31. The OWASP Secure Software Contract Annex
Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered.
CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to.
OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed.
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
32. Dates
• 11 September 2014 – OWASP France Meeting Paris @Mozilla Office
  – Programme:
  – 18:30: Doors open
  – 19:00: Welcome by OWASP France and Mozilla
  – 19:15: SonarQube for security, by Sébastien Gioria (OWASP France)
  – 19:45: Warning Ahead: Security Storms are Brewing in Your JavaScript, by Laurent Levi (Checkmarx), in French
  – 20:15: OWASP News && Closing, by Sébastien Gioria (OWASP France)
  – 20:30: Networking
  http://www.eventbrite.fr/e/billets-owasp-france-meeting-septembre-2014-12738480137
• Application Security Forum Western Switzerland – Yverdon les Bains – 4/6 November 2014
  – http://www.appsec-forum.ch/
• Club 27001 / Paris - 25 September 2014
  – Presentation of the ISO 27034 standard
33. Supporting OWASP
• Different options:
  – Individual Member: $50
  – Corporate Member: $5000
  – Free Donation
• Supporting only the France chapter:
  – Single Meeting supporter
    • Offer us a meeting room!
    • Take part with a talk or otherwise!
    • Simple donation
  – Local Chapter supporter:
    • $500 to $2000