Application Security for the Masses. OWASP Greek Chapter Meeting 16/3/2011. The OWASP Foundation

Similar documents
OWASP Top 10 The Ten Most Critical Web Application Security Risks

Welcome to OWASP Bay Area Application Security Summit July 23rd, OWASP July 23 rd, The OWASP Foundation

OWASP Romania Chapter

Where we are.. Where we are going!

How to hack and secure your Java web applications

OWASP ESAPI SwingSet. OWASP 26 April Fabio Cerullo Ireland Chapter Leader Global Education Committee

OWASP InfoSec Romania 2013

Developing Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch

OWASP Stammtisch #37 Frankfurt,

V Conference on Application Security and Modern Technologies

Notes From The field

Development*Process*for*Secure* So2ware

CSWAE Certified Secure Web Application Engineer

Certified Secure Web Application Engineer

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

OWASP ROI: OWASP Austin Chapter. The OWASP Foundation Optimize Security Spending using OWASP

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Tobias Gondrom (OWASP Member)

TRAINING CURRICULUM 2017 Q2

Aguascalientes Local Chapter. Kickoff

OWASP TOP 10 vs OWASP ASVS. Joe Blanchard St. Louis OWASP Chapter

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Under the hood testing - Code Reviews - - Harshvardhan Parmar

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Solving Real-World Problems with an Enterprise Security API (ESAPI) Jim Manico OWASP Board Member

Hacking by Numbers OWASP. The OWASP Foundation

Application. Security. on line training. Academy. by Appsec Labs

Professional Services Overview

Application Security Approach

The Need for Confluence

Web Application Penetration Testing

C1: Define Security Requirements

SDLC Maturity Models

N different strategies to automate OWASP ZAP

Open Web Application Security Project

Andrew van der Stock OWASP Foundation

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Secure DevOps: A Puma s Tail

OWASP Top The Top 10 Most Critical Web Application Security Risks. The OWASP Foundation

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Penetration testing.

Ranking Vulnerability for Web Application based on Severity Ratings Analysis

RiskSense Attack Surface Validation for Web Applications

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Getting Ready. I have copies on flash drives Uncompress the VM. Mandiant Corporation. All rights reserved.

About the OWASP Top 10

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

HQ 754 th Electronic Systems Group. Application Software Assurance Center of Excellence (ASACoE) Maj Michael Kleffman, CTO ASACoE

Security Communications and Awareness

Improving Security in the Application Development Life-cycle

Surrogate Dependencies (in

Presentation Overview

The requirements were developed with the following objectives in mind:

Web Applications Penetration Testing

The Business Case for Security in the SDLC

Web Application Threats and Remediation. Terry Labach, IST Security Team

THE THREE WAYS OF SECURITY. Jeff Williams Co-founder and CTO Contrast Security

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Sichere Software vom Java-Entwickler

OWASP Application Security Verification Standard (ASVS) Web Application Edition OWASP 03/09. The OWASP Foundation

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

AppSensor. The OWASP Foundation. OWASP Training Dublin. Colin Watson colin.watson(at)owasp.org. 11 th March

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Automating the Top 20 CIS Critical Security Controls

CALENDAR FOR THE YEAR 2018

State of Software Security Report Volume 2. Jeff Ennis, CEH Solutions Architect Veracode

OWASP CISO Survey Report 2015 Tactical Insights for Managers

Developing Secure Systems. Associate Professor

Vulnerability Management From B Movie to Blockbuster Rahim Jina

OWASP Global AppSec Conference Sponsorship

Security analysis and assessment of threats in European signalling systems?

Ingram Micro Cyber Security Portfolio

ShiftLeft. Real-World Runtime Protection Benchmarking

OWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis

Security Management Models And Practices Feb 5, 2008

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

Continuously Discover and Eliminate Security Risk in Production Apps

Certified Information Security Manager (CISM) Course Overview

10 FOCUS AREAS FOR BREACH PREVENTION

Application Security & Verification Requirements

Overview of Web Application Security and Setup

Web Applications (Part 2) The Hackers New Target

Product Security Program

Certification Report

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Security Communications and Awareness

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

1 About Web Security. What is application security? So what can happen? see [?]

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation

Welcome to the OWASP TOP 10

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Threat Modeling OWASP. The OWASP Foundation Martin Knobloch OWASP NL Chapter Board

INFORMATION SESSION. MS Software Engineering, specialization in Cybersecurity

OWASP Hackademic: A practical environment for teaching application security! Dr Konstantinos

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

Transcription:

Application Security for the Masses Konstantinos Papapanagiotou Greek Chapter Leader Syntax IT Inc Greek Chapter Meeting 16/3/2011 Konstantinos@owasp.org Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation http://www.owasp.org

Projects Chapters AppSec Conferences Body of Knowledge Guide to Application Security Testing and Guide to Application Security Code Review Guidance and Tools for Measuring and Managing Application Security Guide to Building Secure Web Applications and Web Services Verifying Application Security Managing Application Security Community Platform (wiki, forums, mailing lists) Foundation 501c3 Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax) Acquiring and Building Secure Applications Research to Secure New Technologies Web Based Learning Environment and Guide for Learning Application Security Core Application Security Knowledge Base AppSec Education and CBT Application Security Tools Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues Principles Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures 3

Tools and Technology Vulnerability Scanners Static Analysis Tools Fuzzing Penetration Testing Tools Code Review Tools ESAPI AppSensor Automated Security Verification Manual Security Verification Security Architecture AppSec Libraries ESAPI Reference Implementation Guards and Filters Secure Coding Reporting Tools AppSec Management Flawed Apps Learning Environments Live CD SiteGenerator AppSec Education 4

5

10+1 Projects you should know about

The Documentation Projects Top 10 Prevention Cheat Sheet Series ASVS Building Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR) 7

1) Top 10 [2010] 8

Top Ten (2010 Edition) http://www.owasp.org/index.php/top_10 9

Top 10 Risk Rating Methodology Threat Agent? 1 2 3 Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Easy Widespread Easy Severe Average Common Average Moderate Difficult Uncommon Difficult Minor 1 2 2 1 Business Impact? Injection Example 1.66 * 1 1.66 weighted risk rating 10

Prevention Cheat Sheet Series How to avoid the most common web security problems XSS Prevention Cheat Sheet www.owasp.org/index.php/xss_(cross_site_scripting)_prevention_cheat_sheet SQL Injection Prevention Cheat Sheet http://www.owasp.org/index.php/sql_injection_prevention_cheat_sheet CSRF Prevention Cheat Sheet http://www.owasp.org/index.php/cross-site_request_forgery_(csrf)_prevention_cheat_sheet Transport Layer Protection Cheat Sheet http://www.owasp.org/index.php/transport_layer_protection_cheat_sheet Cryptographic Storage Cheat Sheet http://www.owasp.org/index.php/cryptographic_storage_cheat_sheet Authentication Cheat Sheet http://www.owasp.org/index.php/authentication_cheat_sheet

2) [Developers] Guide Describes how to develop secure web applications Covers Secure Coding Threat Modeling New Technologies (Web Services, AJAX) 16 Security Areas 293 Pages http://www.owasp.org/index.php/guide 12

3) Secure Coding Practices Quick Reference Technology agnostic coding practices What to do, not how to do it Compact, but comprehensive checklist format Focuses on secure coding requirements, rather than on vulnerabilities and exploits Includes a cross referenced glossary to get developers and security folks talking the same language 13

Checklist Sections - Only 9 pages long Input Validation Output Encoding Authentication and Password Management Session Management Access Control Cryptographic Practices Data Protection Communication Security System Configuration Database Security File Management Memory Management General Coding Practices Error Handling and Logging 15

Using the guide Scenario #1: Developing Guidance Documents Coding Practices Guiding Principles What to do How to do it General Security Policies Application Security Procedures Application Security Coding Standards 16

Using the guide continued Scenario #2: Support Secure Development Lifecycle What to do How you should do it What you did Did it work Application Security Requirements Secure Development Processes Standardized Libraries Review Solutions Test Solution Implementation Standard Guidance for non-library Solutions Coding Practices 17

Using the guide continued Scenario #3: Contracted Development Identify security requirements to be added to outsourced software development projects. Include them in the RFP and Contract How do I make it work We can build anything Coding Practices I need cool Software RFP Best Software Best Ever Software Ever Contract Programmer Salesman Customer 18

4) Secure Software Contract Annex Part of Legal Project Starting point for negotiation between customer and developer Clearly explains possible flaws to the customer High level of rigor - can be used in larger enterprise or government projects Helps contractors to suit the security part of contract for their needs 19

5) Application Security Verification Standard (ASVS) s 1 st Standard Requires Positive Reporting! Defines 4 Verification Levels Level 1: Automated Verification Level 1A: Dynamic Scan Level 1B: Source Code Scan Level 2: Manual Verification Level 2A: Penetration Test Level 2B: Code Review Level 3: Design Verification Level 4: Internal Verification 42 Pages http://www.owasp.org/index.php/asvs 20

What Questions Does ASVS Answer? How can I compare verification efforts? What security features should be built into the required set of security controls? What are reasonable increases in coverage and level of rigor when verifying the security of a web application? How much trust can be placed in a web application? Also a GREAT source of web application security requirements 21

6) Testing Guide Massive document Over 100 contributors Testing Approach Covers 10 Categories 66 Specific Controls 347 Pages http://www.owasp.org/index.php/testing_guide 22

7) Code Review Guide World s first open source security code review guide Discusses approaches to code review, reporting, metrics, risk Approach is "by example". (Examples of good and bad code) Covers: Java, ASP, php, XML, C/C++ By vulnerability and (more useful) by technical control 216 Pages http://www.owasp.org/index.php/code_review_guide 23

8) OpenSAMM 24

SAMM Business Functions Start with the core activities tied to any organization performing software development Named generically, but should resonate with any developer or manager 25

SAMM Security Practices From each of the Business Functions, 3 Security Practices are defined The Security Practices cover all areas relevant to software security assurance Each one is a silo for improvement 26

9) WebGoat project with ~115,000 downloads Deliberately insecure Java EE web application Teaches common application vulnerabilities via a series of individual lessons 27

Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Exception Handling Logger IntrusionDetector SecurityConfiguration 10) ESAPI Custom Enterprise Web Application Enterprise Security API Existing Enterprise Security Services/Libraries http://www.owasp.org/index.php/esapi 28

10+1) AppSensor Detect INSIDE the Application Automatic Detection Comprehensive Minimize False Positives Understand Business Logic Immediate Response No Manual Efforts Required 29

How do you address AppSec problems? Develop Secure Code Follow the best practices in s Guide to Building Secure Web Applications http://www.owasp.org/index.php/guide Use s Application Security Verification Standard as a guide to what an application needs to be secure http://www.owasp.org/index.php/asvs Use standard security components that are a fit for your organization Use s ESAPI as a basis for your standard components http://www.owasp.org/index.php/esapi Review Your Applications Have an expert team review your applications Review your applications yourselves following Guidelines Code Review Guide: http://www.owasp.org/index.php/code_review_guide Testing Guide: http://www.owasp.org/index.php/testing_guide 30

Industry Citations Έργα ηοσ ποσ τρηζιμοποιούνηαι από οργανιζμούς ζε παγκόζμιο επίπεδο. Χρηζιμοποιείηε έργα ηοσ ; Επικοινωνήζηε μαζί μας για να προζηεθεί ο οργανιζμός/εηαιρείας ζας ζηη λίζηα http://www.owasp.org/index.php/industry:citations 31

Join, Support, and Take Advantage of the Resources Supplied by Denver Spring 08-10 Minnesota Oct 08-11 New York Nov 2008 Oct 2012 Ireland Sept 08-09 June 2011 Brussels May 2008 Sweden June 2010 Germany Oct 08-10 Poland May 2009 Greece June 2012 China Oct 2010 DC Sep 2009 Nov 2010 Brazil Oct 09-10 Portugal Nov 2008 Israel Sep 07-08 India Aug 2008 Nov 2009 Taiwan Oct 07-08 Australia Feb 08-09 New Zealand July 09-10 Sampling of Conferences around the World! 32

Thank You 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback