3. The OWASP Foundation
http://www.owasp.org
Computer Security Day Activities
• Change your password
• Update anti-virus and check for viruses
• Clean up your computer and surroundings
• Back up your data
• Verify your inventory of computer utilities and packaged software
• Monitor event logs
• Register and pay for all commercial software that is used on your computer
4. Trends related to Security in Internet
- Large-scale intelligence activities targeting Internet communication
- Attempts to undermine cryptographic algorithms
- People, companies and governments intentionally introduce defects or vulnerabilities (or secret back-doors), compromising the security, trust and integrity of software and applications
5. Trends related to Security in Internet
- Deep Web
- Firmware
- Ransomware
- POS Malware
- Steganography
(diagram of eras: Age of Anti-Virus → Age of Network Security → Age of Application Security)
• 3 out of 4 web sites are vulnerable to attacks (Source: Gartner)
• 75% of attacks at the application layer (Source: Gartner)
• Important % of sales via the Web (Services, Shop On Line, Self-care)
6. The Numbers
Cyber Crime:
“Second cause of economic crime experienced by the financial services sector” – PwC
“Globally, every second, 18 adults become victims of cybercrime” – Norton
US – $20.7 billion (direct losses)
Globally 2012 – $110,000,000,000 (direct losses)
“556 million adults across the world have first-hand experience of cybercrime – more than the entire population of the European Union.”
10. Degrees of trust
Sources of application code (diagram, arranged along a trust axis from More to Less):
- COTS (commercial off the shelf)
- Outsourced development
- Sub-contractors
- Bespoke outsourced development
- Bespoke internal development
- Third party APIs
- Third party components & systems
You may not let some of the people who have developed your code into your offices!!
11. Dependencies
2012/13 study of 31 popular open source libraries:
- 19.8 million (26%) of the library downloads have known vulnerabilities
- Today's applications may use up to 30 or more libraries – 80% of the codebase
12. The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.
Participation in OWASP is free and open to all.
Everything here is free and open source and vendor neutral.
Main objectives: producing tools, standards and documentation related to Web Application Security.
Thousands of active members, hundreds of local chapters in the world.
14. Making Security Visible, through…
Documentation: Top Ten, Dev. Guide, Design Guide, Testing Guide, …
Tools: WebGoat, WebScarab, ESAPI, CSRF Guard, Zed Attack Proxy (ZAP), …
Working Groups: Browser Security, Industry Sectors, Education, Mobile Phone Security, Preventive Security, OWASP Governance
Security Community and Awareness: Local Chapters, Conferences, Mailing Lists
(diagram labels: PROTECT, DETECT, LIFE CYCLE)
15. Body of Knowledge
Columns of the OWASP Body of Knowledge diagram, each with the material that fills it:
- Core Application Security Knowledge Base: Principles; Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures
- Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services
- Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review
- Managing Application Security: Guidance and Tools for Measuring and Managing Application Security
- Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
- AppSec Education and CBT: Web Based Learning Environment and Guide for Learning Application Security
- Research to Secure New Technologies: Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
Foundation layer: OWASP Foundation 501c3; OWASP Community Platform (wiki, forums, mailing lists); Projects, Chapters, AppSec Conferences
16. The OWASP Enterprise Security API
Layers of the diagram, top to bottom:
Custom Enterprise Web Application
Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, ExceptionHandling, Logger, IntrusionDetector, SecurityConfiguration
Existing Enterprise Security Services/Libraries
18. Please Help OWASP Grow
Push us to do better!
Be an active contributor: stub articles, wiki contributions; new technologies to analyze
Be an OWASP member: Corporate Members, Individual Members
Please join us and share what you know!
(chart: OWASP Projects split into Code, Tools and Documentation; shares shown as 9%, 41% and 50%)