1. OWASP, the Life and the Universe
CLUSIR-EST - Strasbourg, 6th June 2013
Sébastien Gioria, Sebastien.Gioria@owasp.org
Chapter Leader OWASP France
Thursday, June 6, 13
2. http://www.google.fr/#q=sebastien gioria
‣ OWASP France Leader & Founder & Evangelist
‣ Application Security freelance consultant. Twitter: @SPoint
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life.
3. Agenda
• Application Security:
  – where we are (no bullshit)
  – where we are (hopefully) going?
• Open Web Application Security Project?
• Update on OWASP Top10 (2013 version) and major projects
8-13. Why Application Security?
[Decision diagram, built up over slides 8 to 13: "Your Application will be Hacked ;)" → YES / NO; "Your Application has been Hacked" → YES / NO; "My Application will be hacked!"; "Let me take you on the right way"; "Next Step"]
19. Game Over....
• Do you have a VoIP phone?
• Do you have an IP router / broadband box?
• Do you have a smartphone?
• Do you have customers / partners over the Internet?
21. We are living in a Digital environment, in a Connected World
• Most websites are vulnerable to attacks
• An important % of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...)
Why Application Security?
[Timeline: Age of Antivirus → Age of Network Security → Age of Application Security]
24. OWASP?
The Open Web Application Security Project
OWASP: Swarms of WASPS: Local Chapters
25. What is OWASP
Mission Driven | Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services.
26. What is OWASP: Community Driven
30,000 Mail List Participants
200 Active Chapters in 70 countries
1600+ Members, 56 Corporate Supporters
27. 200 Chapters, 1,600+ Members, 20,000+ Builders, Breakers and Defenders Around the World
32-34. TOP 10 WEB APPLICATION SECURITY RISKS
The OWASP Top Ten (2010 version, soon to be updated)
A1: Injection
A2: Cross Site Scripting
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Unvalidated Redirects and Forwards
A9: Insecure Cryptographic Storage
A10: Insufficient Transport Layer Protection
40. Enterprise Security API for Reboot
Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org
Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
41. AntiSamy
Project Leader: Jason Li, jason.li@owasp.org
Purpose: An HTML validation tool and API to safely and gracefully handle rich HTML input, ensuring that user-supplied HTML/CSS complies with an application's rules.
https://www.owasp.org/index.php/AntiSamy
42. Guides for Reboot
Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
Testing Guide: understand the what, why, when, where, and how of testing web applications
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
43. Zed Attack Proxy for Reboot
Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com
Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications.
Last Release: ZAP 2.0.0 (30 Jan 2013)
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
44. AppSensor: Create attack aware applications
Project Leader(s): Michael Coates, John Melton, Colin Watson
Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application.
Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc)
https://www.owasp.org/index.php/AppSensor
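As an added illustration of the AppSensor idea (not AppSensor's own code, and the detection point labels, thresholds and responses below are constructed, not AppSensor's identifiers): an application-level detection point counts suspicious events per user in a sliding time window and fires an escalating automated response, replayed here over a constructed log.

```python
from collections import defaultdict, deque

# Constructed policy per detection point: (threshold, window in seconds).
# Labels are illustrative, not AppSensor's own detection point identifiers.
POLICY = {
    "AUTH_FAIL": (5, 300),         # failed logins for one account
    "INPUT_VALIDATION": (10, 60),  # server-side validation rejections
    "FORCED_BROWSE": (3, 120),     # requests for resources outside the user's role
}
# Escalating automated responses (constructed): each new trigger for a user steps up.
RESPONSES = ["LOG", "ALERT_ADMIN", "LOCK_ACCOUNT"]


class AppSensorMonitor:
    def __init__(self):
        self.events = defaultdict(deque)   # (user, point) -> timestamps inside the window
        self.triggers = defaultdict(int)   # user -> number of responses fired so far
        self.responses = []                # (timestamp, user, point, response)

    def record(self, ts, user, point):
        """Record one detection event; return the response fired, or None."""
        threshold, window = POLICY[point]
        q = self.events[(user, point)]
        q.append(ts)
        while ts - q[0] > window:          # forget events older than the window
            q.popleft()
        if len(q) < threshold:
            return None
        q.clear()                          # one response per burst, then start counting again
        level = min(self.triggers[user], len(RESPONSES) - 1)
        self.triggers[user] += 1
        response = RESPONSES[level]
        self.responses.append((ts, user, point, response))
        return response


def replay(log_lines):
    """Feed constructed log lines '<ts> <user> <point>' to a monitor; return fired responses."""
    monitor = AppSensorMonitor()
    for line in log_lines:
        ts, user, point = line.split()
        monitor.record(int(ts), user, point)
    return monitor.responses


# Constructed sample log: alice fails login 10 times, then sends 10 invalid inputs;
# bob's 5 failures are spread over 400 s, so they never fill the 300 s window.
SAMPLE_LOG = (
    [f"{t} alice AUTH_FAIL" for t in range(0, 100, 10)]
    + [f"{t} alice INPUT_VALIDATION" for t in range(100, 110)]
    + [f"{t} bob AUTH_FAIL" for t in range(0, 500, 100)]
)

if __name__ == "__main__":
    for fired in replay(SAMPLE_LOG):
        print(fired)
```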
45. Cloud Top10 Project
Project Leader: Vinay Bansal, Vinaykbansal@gmail.com
Purpose: Develop and maintain a list of Top 10 Security Risks faced with the Cloud Computing and SaaS Models. Serve as a Quick List of Top Risks with Cloud adoption, and Provide Guidelines on Mitigating the Risks.
Deliverables
- Cloud Top 10 Security Risks (Draft expected for early 2013)
https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project
46. Cloud Top10 Security Risks
• R1. Accountability & Data Risk
• R2. User Identity Federation
• R3. Legal & Regulatory Compliance
• R4. Business Continuity & Resiliency
• R5. User Privacy & Secondary Usage of Data
• R6. Service & Data Integration
• R7. Multi-tenancy & Physical Security
• R8. Incidence Analysis & Forensics
• R9. Infrastructure Security
• R10. Non-production Environment Exposure
47. Mobile Security Project for Reboot
Project Leader: Jack Mannino, Jack@nvisiumsecurity.com
Purpose: Establish an OWASP Top 10 Mobile Risks. Intended to be platform-agnostic. Focused on areas of risk rather than individual vulnerabilities.
Deliverables
- Top 10 Mobile Risks (currently Release Candidate v1.0)
- Top 10 Mobile Controls (OWASP/ENISA Collaboration)
- OWASP Wiki, 'Smartphone Secure Development Guidelines' (ENISA)
- Mobile Cheat Sheet Series
- OWASP GoatDroid Project
- OWASP Mobile Threat Model Project
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
48. Top 10 Mobile Risks
• M1. Insecure Data Storage
• M2. Weak Server Side Controls
• M3. Insufficient Transport Layer Protection
• M4. Client Side Injection
• M5. Poor Authorization and Authentication
• M6. Improper Session Handling
• M7. Security Decisions via Untrusted Inputs
• M8. Side Channel Data Leakage
• M9. Broken Cryptography
• M10. Sensitive Information Disclosure
49. Threat Modeling Project
Project Leader: Anurag "Archie" Agarwal, anurag.agarwal@owasp.org
Purpose: Establish a single and inclusive software-centric OWASP Threat Modeling Methodology, addressing vulnerability in client and web application-level services over the Internet.
Deliverables (1st Draft expected for end of 2012 / early 2013)
- An OWASP Threat Modeling methodology
- A glossary of threat modeling terms
https://www.owasp.org/index.php/OWASP_Threat_Modelling_Project
50. The OWASP Secure Software Contract Annex
Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered.
CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to.
OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed.
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
51. Projects Reboot 2012
Refresh, revitalize & update Projects, rewrite & complete Guides or Tools.
https://www.owasp.org/index.php/Projects_Reboot_2012
Current Submissions
• OWASP Application Security Guide For CISOs - Selected for Reboot
• OWASP Development Guide - Selected for Reboot
• Zed Attack Proxy - Selected for Reboot
• OWASP WebGoat
• OWASP AppSensor
• OWASP Mobile Project - Selected for Reboot
• OWASP Portuguese Language Project
• OWASP_Application_Testing_guide_v4
• OWASP ESAPI
• OWASP Eliminate Vulnerable Code Project
• OWASP_Code_Review_Guide_Reboot
Projects selected via first round of review
1. OWASP Development Guide: Funding Amount: $5000 initial funding
2. OWASP CISO Guide: Funding Amount: $5000 initial funding
3. OWASP Zed Attack Proxy: Funding Amount: $5000 initial funding
4. OWASP Mobile Project: Funding Amount: $5000 initial funding
Ongoing discussions about the Code Review and the Testing Guides
52. OWASP Top10 2013
• Final publication of OWASP Top10 2013 – Very Very Soon.
• French translation done
• Not a lot of new things.
53. Top10 2013 – RC1
A1: Injection
A2: Broken session and authentication management
A3: Cross Site Scripting (XSS)
A4: Insecure direct object reference
A5: Security misconfiguration
A6: Data exposure
A7: Poor access control
A8: Cross Site Request Forgery (CSRF)
A9: Use of insecure components
A10: Poor handling of redirects and forwards
55. Dates
• RSSIA Bordeaux: 21 June – OWASP Top10 2013 in practice
• OWASP EU Tour 2013:
  – 24 June - Sophia Antipolis
  – 25 June - Geneva
• Java User Group Poitou Charentes: 27 June – Secure Coding for Java
• AppSec Research Europe 2013: 20/23 August – Hamburg – Germany
• OWASP Benelux: 28/29 November 2013
56. Supporting OWASP
• Different options:
  – Individual Member: $50
  – Corporate Member: $5000
  – Free donation
• Supporting only the France chapter:
  – Single Meeting supporter
    • Offer us a meeting room!
    • Take part with a talk or otherwise!
    • Simple donation
  – Local Chapter supporter: $500 to $2000
57. Next meetings
• September 2013
  – Room: Mozilla Center Paris
  – Speakers:
    • Security on Firefox OS
    • To be defined
• November 2013
  – Room: to be defined
  – Speaker: to be defined