This document provides an overview of the Open Web Application Security Project (OWASP) Bulgaria chapter. It introduces the chapter leader and discusses OWASP's mission to improve software security. The document outlines membership benefits and encourages participation in OWASP projects and events. It also summarizes the OWASP Top 10 project, which identifies the most critical web application security risks.
2. Agenda
Part 1: Introduction - Who are we?
• What is this project all about?
• Would you like to join the OWASP community?
Part 2: Real world stories
• Care to know about the OWASP Top 10 project?
• How’s the web down there in Wonderland?
OWASP 2
6. Introduction
Who Am I?
(1) Free and Open Source Software Evangelist
(2) Enthusiastic Infosec Ninja
① + ② = ?
Here’s the OWASP formula..
FOSS + WEB × APP × SEC = OWASP
7. The Open Web Application Security Project
The Open Web Application Security Project (OWASP) is a 501c3
not-for-profit worldwide charitable organization focused on
improving the security of application software. Our mission is to
make application security visible, so that people and organizations
can make informed decisions about true application security risks.
Everyone is free to participate in OWASP and all of our materials
are available under a free and open software license.
http://www.owasp.org/index.php
8. The Open Web Application Security Project
The Local Chapters
Over 150 local chapters worldwide..
9. The Open Web Application Security Project
OWASP Bulgaria
• This local chapter was founded in late 2010
  • Less than 10 mailing list members
  • Please consider joining the local chapter mailing list
• Regular chapter meetings
  • Welcome to the first one of ‘em!
• For submissions, suggestions, offers and questions..
  • Forward your message to the mailing list
  • Contact me via email
10. The Open Web Application Security Project
Organization Supporters
12. The Open Web Application Security Project
Show Your Support
Consider…
• Donating
• Becoming an OWASP (local chapter) member
• Attending the local chapter regular meetings
• Attending an OWASP AppSec series conference
  • Global AppSec Europe - June 6th-11th 2011 @Dublin, Ireland
• Contributing to an OWASP project
  • Developers, beta testers, etc.
13. The Open Web Application Security Project
Affiliation and Membership
Categories of Membership and Supporters
• Individual Supporters
• Single Meeting Supporter
• Organization Supporters
• Accredited University Supporters
14. The Open Web Application Security Project
Membership
Why Become a Supporting Member?
• Ethics and principles of the OWASP Foundation
• Underscore your awareness of web application software security
• Attend OWASP conferences at a discount
• Expand your personal network of contacts
• Support a local chapter of your choice
• Get your @owasp.org email address
• Have an individual vote in elections
http://www.owasp.org/index.php/Membership
15. The Open Web Application Security Project
OWASP Projects
Tools and documents are organized into the following categories:
• Protect – These are tools and documents that can be used to
guard against security-related design and implementation flaws.
• Detect – These are tools and documents that can be used to find
security-related design and implementation flaws.
• Life Cycle – These are tools and documents that can be used to
add security-related activities into the Software Development Life
Cycle (SDLC).
16. The Open Web Application Security Project
The OWASP Top 10 Project
Project details..
• The OWASP Top Ten provides a powerful awareness
document for web application security.
• The OWASP Top Ten represents a broad consensus about
what the most critical web application security flaws are.
• Its latest (stable) release dates from April 2010.
• Creative Commons Attribution Share Alike 3.0 License ;)
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
26. The Open Web Application Security Project
The OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
29. The Open Web Application Security Project
The OWASP Top 10 Project
“Attackers can potentially use many different paths through your application to
do harm to your business or organization. Each of these paths represents a risk
that may, or may not, be serious enough to warrant attention.”
http://www.owasp.org/index.php/Top_10_2010-Main
30. The Open Web Application Security Project
The OWASP Top 10 Project
Companies, vendors and others (officially) profiting from The OWASP Top 10
31. The Open Web Application Security Project
OWASP Guides
Don’t stop at The OWASP Top 10!
Because The OWASP Top 10 project is simply not enough..
• OWASP Development Guide (Developer’s Guide)
• OWASP Testing Project (Testing Guide)
• OWASP Code Review Project (Code Review Guide)
32. The Open Web Application Security Project
In Wonderland ;)
33. The Open Web Application Security Project
In Wonderland ;)
The “health” status of the Bulgarian web..
36. The Open Web Application Security Project
In Wonderland ;)
Discussion?
Beer?
37. Shout outs go to …
• Kate Hartmann (Operations Director at OWASP)
• Tom Brennan (Global Board Member at OWASP)
All of these folks and a few more..
• P. Stefanov
• Y. Kolev
• M. Soler
..for kindly recommending and helping me set up this chapter!
• Thank you to all of you for attending this very first meeting ;)
38. Thank you for your attention!
Please forward any questions, comments and suggestions to:
georgi.geshev@owasp.org