2. “The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”
http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
3. Why is Security important?
Ponemon Institute. (2012). 2012 Cost of Cyber Crime Study. Ponemon Institute LLC.
4. Why is Security important?
Verizon. (2012). 2012 Data Breach Investigations Report. Verizon LLC.
6. Mission Driven
What is OWASP
Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services
7. Community Driven
30,000 Mail List Participants
200 Active Chapters in 70 countries
1600+ Members, 56 Corporate Supporters
69 Academic Supporters
8. OWASP Guadalajara Chapter
What do we have to offer?
• Community of security professionals
• Monthly meetings
• Mailing list
• Presentations
• Workshops
• Open forums for discussion
• Vendor-neutral environments
Chapter activity, March 2012 to date:
Meetings: 3 | Workshops: 1 | Conference: 1 | Newsletters: 3 | Page visits: 2,528+
https://www.owasp.org/index.php/Guadalajara
12. A1 – Injection
Injection means…
• Tricking an application into including unintended commands in the data sent to an interpreter
Interpreters…
• Take strings and interpret them as commands
• SQL, OS Shell, LDAP, XPath, Hibernate, etc…
SQL injection is still quite common
• Many applications still susceptible (really don’t know why)
• Even though it’s usually very simple to avoid
Typical Impact
• Usually severe. Entire database can usually be read or modified
• May also allow full database schema, or account access, or even OS level access
13. SQL Injection – Illustrated
[Diagram: an HTTP request crosses the network layer (firewall, hardened OS, web server, app server) into the application layer, where custom code turns it into a SQL query against the databases; the HTTP response carries the DB table back. Business functions shown: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce.]
SQL query sent by the application: "SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Account Summary returned to the attacker: Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293
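The chain on slides 12 and 13, as an added example that is not part of the original deck: a constructed in-memory SQLite table, a lookup that concatenates the form value into the query text (the flaw), and the same lookup with a bound parameter (the fix). Table layout, rows and function names are assumptions.

```python
import sqlite3

# Constructed sample rows, not data from the deck.
ACCOUNTS = [
    ("alice", "5424-6066-2134-4334"),
    ("bob", "4128-7574-3921-0192"),
    ("carol", "5424-9383-2039-4029"),
]

# The form value from the slide 13 diagram: it closes the quote, adds a
# condition that is always true, and comments out the rest of the statement.
PAYLOAD = "' OR 1=1--"


def make_db():
    """Build an in-memory accounts table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, acct TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """Step 3 on slide 13: user input is glued into the SQL text, so the
    interpreter treats the attacker's string as part of the command."""
    sql = "SELECT owner, acct FROM accounts WHERE acct='%s'" % acct
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, acct):
    """The fix: the SQL text is constant and the value is bound separately,
    so the input can only ever be compared as a string literal."""
    sql = "SELECT owner, acct FROM accounts WHERE acct=?"
    return conn.execute(sql, (acct,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "4128-7574-3921-0192"))  # one row, as intended
    print(lookup_vulnerable(db, PAYLOAD))                # every row leaks
    print(lookup_parameterized(db, PAYLOAD))             # no rows
```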
14. A2 – Cross-Site Scripting (XSS)
Occurs any time…
• Raw data from attacker is sent to an innocent user’s browser
Raw data…
• Stored in database
• Reflected from web input (form field, hidden field, URL, etc…)
• Sent directly into rich JavaScript client
Virtually every web application has this problem
• Try this in your browser – javascript:alert(document.cookie)
Typical Impact
• Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site
• Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites
15. Cross-Site Scripting Illustrated
[Diagram: an application with a stored XSS vulnerability; custom code in front of the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce.]
1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page – sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies
3. Script silently sends attacker victim’s session cookie
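Output encoding for the two places slide 14 says raw data lands (an HTML page and a rich JavaScript client), as an added example that is not from the deck and not ESAPI's own code. The profile text is constructed to mirror the alert(document.cookie) probe on slide 14; the function names and the hex-escape rule (modelled on what ESAPI's Encoder.encodeForJavaScript does) are assumptions.

```python
import html

# Constructed stored-profile text, not from the deck; it mirrors the
# alert(document.cookie) probe slide 14 suggests trying in the browser.
STORED_PROFILE = 'Hi! <script>alert(document.cookie)</script>'


def encode_for_html(value):
    """HTML body/attribute context: entity-encode so the browser renders
    text instead of parsing tags."""
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    """JavaScript string context (the 'rich JavaScript client' on slide 14):
    hex-escape every non-alphanumeric character so the value can neither
    close the quote nor end the <script> element. Modelled on the rule
    ESAPI's Encoder.encodeForJavaScript applies (an assumption, not its code)."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append("\\u%04X" % ord(ch))
    return "".join(out)


def render_profile_unsafe(profile):
    """Stored XSS: the database value is pasted raw into the page."""
    return '<div class="profile">%s</div>' % profile


def render_profile_safe(profile):
    """Encode for the context each copy of the value is placed in."""
    return ('<div class="profile">%s</div>\n'
            "<script>var profile = '%s';</script>"
            % (encode_for_html(profile), encode_for_js_string(profile)))


def payload_is_live(page):
    """True if the attacker's script element survived into the markup."""
    return "<script>alert(" in page


if __name__ == "__main__":
    print(render_profile_unsafe(STORED_PROFILE))   # script survives
    print(render_profile_safe(STORED_PROFILE))     # inert in both contexts
```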
16. Enterprise Security API
Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org
Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
17. ESAPI - Vision
Build a common set of security controls for today's most popular programming languages.
Keep the interfaces in common across programming languages as far as is possible and natural.
Provide at least a simple reference implementation for each security control, to serve as an example if not as something useful in itself.
Easily extensible.
Provide functionality that is most often needed but lacking (or inconsistent) in various frameworks and languages.
18. Using ESAPI (1 of 3)
Getting started
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Download: http://code.google.com/p/owasp-esapi-java/
ESAPI Cheat Sheet: https://www.owasp.org/index.php/ESAPI_Cheat_Sheet
ESAPI Swingset: http://code.google.com/p/owasp-esapi-java-swingset/
19. Using ESAPI (2 of 3)
Getting help
ESAPI User mailing list (focuses on Java version): https://lists.owasp.org/mailman/listinfo/esapi-user
ESAPI Developer mailing list: https://lists.owasp.org/mailman/listinfo/esapi-dev
ESAPI Project page: http://www.esapi.org/ (coming soon)
20. Using ESAPI (3 of 3)
Getting involved
Many other language implementations, all playing catch-up
ESAPI for Java version needs help with user documentation
ESAPI 2.1 (Java) starting soon
ESAPI Swingset and Swingset Interactive → Port to use ESAPI 2.0
21. Enterprise Security API
[Diagram: Custom Enterprise Web Application → Enterprise Security API → Existing Enterprise Security Services/Libraries]
ESAPI interfaces: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, ExceptionHandling, Logger, IntrusionDetector, SecurityConfiguration
26. Source Code and Javadoc
Online Now!
http://code.google.com/p/owasp-esapi-java
27. AppSensor
Project Leaders: Michael Coates, John Melton, Colin Watson
Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application.
Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc)
https://www.owasp.org/index.php/AppSensor
Create attack aware applications
30. Detecting Attacks the Right Way
• Detect INSIDE the Application
• Automatic Detection
• Comprehensive
• Minimize False Positives
• Understand Business Logic
• Immediate Response
• No Manual Efforts Required
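An in-application detector in the style slide 30 describes, as an added example that is not AppSensor's own code: detection points are counted per user inside a time window, an account is locked automatically the moment the threshold is crossed, and a single isolated failure is left alone to keep false positives down. The event stream, detection point names, threshold and window are constructed values.

```python
from collections import defaultdict, deque

# Constructed event stream, not from the deck: (seconds, user, detection point)
EVENTS = [
    (0,  "alice",   "login_failed"),
    (1,  "alice",   "login_ok"),
    (10, "mallory", "param_tampering"),
    (12, "mallory", "param_tampering"),
    (13, "mallory", "sqli_char_in_input"),
    (14, "mallory", "login_ok"),
    (30, "bob",     "param_tampering"),
]

# Policy (assumed values): which detection points count, how many hits inside
# the window trigger a response, and how long the window is.
SUSPICIOUS = {"param_tampering", "sqli_char_in_input", "login_failed"}
THRESHOLD = 3
WINDOW_SECS = 60


class AppSensor:
    """Counts suspicious events per user inside the application and applies an
    automatic response as soon as the threshold is crossed: no log review and
    no manual effort, which is the point of slide 30."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECS):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)  # user -> timestamps of suspicious hits
        self.locked = set()

    def on_event(self, ts, user, point):
        if user in self.locked:
            return "blocked"            # the response persists once triggered
        if point not in SUSPICIOUS:
            return "allow"              # normal business action, not counted
        q = self.hits[user]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                 # forget hits that fell out of the window
        if len(q) >= self.threshold:
            self.locked.add(user)       # immediate, automatic response
            return "lock_account"
        return "allow"


def run(events):
    """Feed the stream through one sensor; return (user, decision) pairs."""
    sensor = AppSensor()
    return [(user, sensor.on_event(ts, user, point)) for ts, user, point in events]
```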
35. Takeaways
• Open source solutions
• Low cost and low effort
• Think outside the box for development teams
• Techniques used in the industry
• OWASP Google Summer of Code 2013
https://www.owasp.org/index.php/GSoC
38. About OWASP
• Online since December 1st 2001
• Not-for-profit charitable organization
• OPEN: Everything at OWASP is radically transparent, from our finances to our code.
• INNOVATION: OWASP encourages and supports innovation/experiments for solutions to software security challenges.
• GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.
• INTEGRITY: OWASP is an honest and truthful, vendor agnostic, global community.
• https://www.owasp.org/index.php
47. Business advantages of being associated with OWASP
• The main benefit of becoming an OWASP corporate supporter is to demonstrate the organization's belief that application security is important and that the organization is taking the necessary steps to properly address application security risk in its business
• The organization itself gets security benefits at reduced cost
– Security code review tools are free
– Lots of open & free security testing tools
– Security guidelines & best practices
• Opportunity to display the organization's logo at OWASP events, conferences, & on the website
• The organization gets listed as a sponsor in the newsletter that goes to over 20,000 individuals around the world on OWASP mailing lists and the LinkedIn group
– If you are looking to expand your business in emerging markets, here is an opportunity to reach out
• When an organization becomes a supporter of a security community it helps employees, partners, suppliers and customers to understand the value & importance of security, and improves application security throughout the whole supply chain
• Membership options: https://www.owasp.org/index.php/Membership