OWASP ROI: OWASP Austin Chapter. The OWASP Foundation Optimize Security Spending using OWASP

Similar documents
OWASP Top 10 The Ten Most Critical Web Application Security Risks

Developing Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch

Aguascalientes Local Chapter. Kickoff

CSWAE Certified Secure Web Application Engineer

Application Security for the Masses. OWASP Greek Chapter Meeting 16/3/2011. The OWASP Foundation

TRAINING CURRICULUM 2017 Q2

Notes From The field

Certified Secure Web Application Engineer

V Conference on Application Security and Modern Technologies

OWASP Romania Chapter

Welcome to OWASP Bay Area Application Security Summit July 23rd, OWASP July 23 rd, The OWASP Foundation

SECURITY TRAINING SECURITY TRAINING

OWASP ESAPI SwingSet. OWASP 26 April Fabio Cerullo Ireland Chapter Leader Global Education Committee

OWASP CISO Survey Report 2015 Tactical Insights for Managers

Web Application Penetration Testing

Ingram Micro Cyber Security Portfolio

Getting Ready. I have copies on flash drives Uncompress the VM. Mandiant Corporation. All rights reserved.

Security Communications and Awareness

Andrew van der Stock OWASP Foundation

Presentation Overview

Testing from the Cloud: Is the sky falling?

10 FOCUS AREAS FOR BREACH PREVENTION

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

TEL2813/IS2820 Security Management

90% of data breaches are caused by software vulnerabilities.

How to hack and secure your Java web applications

Security Communications and Awareness

SECURITY TESTING. Towards a safer web world

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

In collaborazione con

Testing from the Cloud: Is the sky falling?

SDLC Maturity Models

OWASP InfoSec Romania 2013

Data Security and Privacy at Handshake

OWASP - SAMM. OWASP 12 March The OWASP Foundation Matt Bartoldus Gotham Digital Science

Development*Process*for*Secure* So2ware

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Article II - Standards Section V - Continuing Education Requirements

Securing Digital Applications

Tobias Gondrom (OWASP Member)

Operations & Technology Seminar. Tuesday, November 8, 2016 Crowne Plaza Monroe, Monroe Township, NJ

PROFESSIONAL SERVICES (Solution Brief)

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

RISK MANAGEMENT FRAMEWORK: A LAB-BASED APPROACH TO SECURING INFORMATION SYSTEMS BY JAMES BROAD

Feb 28, :01-02:30 Welcome note & Introduction to OWASP : Somen Das, OWASP BBSR Chapter Lead

Effective Strategies for Managing Cybersecurity Risks

Hacking by Numbers OWASP. The OWASP Foundation

Copyright

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers

Application. Security. on line training. Academy. by Appsec Labs

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Improving Security in the Application Development Life-cycle

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Security Management Models And Practices Feb 5, 2008

DreamFactory Security Guide

EFFECTIVE, SCALABLE, #FULLSTACK VULNERABILITY MANAGEMENT

Security and Privacy Governance Program Guidelines

Effective COBIT Learning Solutions Information package Corporate customers

OWASP RFP CRITERIA v 1.1

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST

CCISO Blueprint v1. EC-Council

Under the hood testing - Code Reviews - - Harshvardhan Parmar

OWASP TOP 10 vs OWASP ASVS. Joe Blanchard St. Louis OWASP Chapter

RISK MANAGEMENT Education and Certification

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

CAPABILITY. Managed testing services. Strong test managers experienced in working with business and technology stakeholders

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

Where we are.. Where we are going!

INFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Solutions Business Manager Web Application Security Assessment

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

All the Latest Data Security News. Best Practices and Compliance Information From the PCI Council

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Department of Management Services REQUEST FOR INFORMATION

Protect Your Organization from Cyber Attacks

Welcome to the OWASP TOP 10

Training on CREST Practitioner Security Analyst (CPSA)

Open Web Application Security Project

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

SAMPLE QUESTIONS for: Test C , Security Dynamic and Static Applications V2, Fundamentals

N different strategies to automate OWASP ZAP

State of South Carolina Interim Security Assessment

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

W H IT E P A P E R. Salesforce Security for the IT Executive

Security Best Practices. For DNN Websites

Transcription:

OWASP ROI: Optimize Security Spending using OWASP OWASP Austin Chapter Matt Tesauro OWASP Global Projects Committee Member OWASP Live CD Project Lead mtesauro@gmail.com Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org

OWASP ROI: Optimize Security Spending with OWASP Introduction Case Study: U.S. Financial Institution Mission and Goals of the Security Team Before OWASP (How things were done) With OWASP (How things are done) OWASP in my career Projects you should probably know Projects already mentioned Projects you should probably know Projects to keep you eye on OWASP Austin Chapter Sept 2009 2

Who's this speaker anyway? Varied IT Background Developer, DBA, Sys Admin, Pen Tester, Application Security Engineer CISSP, CEH, RHCE, Linux+ Long history with Linux and Open Source First Linux install ~1998 DBA and Sys Admin was on open source Contributor to many projects, leader of one Background in Economics and taught at the business school at Texas A&M University OWASP Austin Chapter Sept 2009 3

Case Study: U.S. Financial Company Company name will not be disclosed (We need a name for this company) UFS (Unidentified Financial Services) OWASP Austin Chapter Sept 2009 4

USF: Company Overview Relative size Among the largest 25 banks in the U.S. Branches in many states in the U.S. General information Company Type: Subsidiary of larger firm Industry: Finance and Banking Revenue: 2+ Billion USD Employees: 13,000+ Parent Company: ~$14 Billion in revenue, ~110,000 employees and ~$650 Billion in assets OWASP Austin Chapter Sept 2009 5

USF: IT Security The USF Security group 8 IT Security Analysts (full-time employees) Mission and Goals Compliance efforts PCI DSS & SOx (Sarbanes-Oxley Act) Compliance is a starting point for them. They aim for secure and get compliance along the way. Assessment / security reviews of online assets Online assets include multiple web applications Traditional network based security services Anti-Phishing efforts OWASP Austin Chapter Sept 2009 6

USF: Before OWASP Fiscal Year 2007 Web Application security reviews Utilized only outside security firms USF security group handled remediation tasks Request for additional details on review findings represented additional costs Average engagement cost: $8,000 per site Web App Security reviews for 2007 = 30 sites or $240,000 total cost OWASP Austin Chapter Sept 2009 7

USF: With OWASP Fiscal Year 2008 Web Application security reviews Utilized only internal security analysts Used the OWASP Testing Guide v2 plus WebScarab as their standard for testing web applications Printed guide copies for all 8 analysts for $200 USF security group handles remediation tasks Average engagement cost: $0 per site Assumes salaries are a fixed cost No new staff added for this effort Assessed 48 sites in 2008 OWASP Austin Chapter Sept 2009 8

USF: With OWASP Web App Security review costs: 2007 $240,000 (30 sites x $8,000/site) 2008 $200 for 48 sites (printing costs) If 2008 didn't have OWASP: $384,000 (48 sites x $8,000/site) OWASP Savings = $383,800 in year 1 OWASP Austin Chapter Sept 2009 9

USF: The Pros with OWASP Cost reduction will continue past year 1 Accomplished more reviews at a lower cost Time to assess should trend down Reports are standardized now Different vendor = different reporting in prior years Standard reporting = better trend analysis Increased Efficiency in remediation Analysts better understand the reported findings Analysts can better address audit questions Annual audits from Govn't & parent company Federal auditors praised the well developed internal review process OWASP Austin Chapter Sept 2009 10

USF: The Cons with OWASP Starting up the program was initially slow Mid-year efficiency gains allowed them to surpass the 2007 review number in 2008 Requires strong management support Must accept the potential for a slow year 1 At least one analyst must be familiar with application security to lead the effort Additional training is still needed for some USF analysts Level out the skills of the analysts One time cost of $15,000 to $25,000 for on-site, instructor based training OWASP Austin Chapter Sept 2009 11

Some Personal Anecdotes OWASP Projects used in my security career OWASP WebGoat How I first learned about application security OWASP WebScarab Used during many penetration test OWASP Live CD My current preferred App Sec testing environment OWASP Testing Guide Used in creating reports during security reviews OWASP Legal Project Utilized language from the project to add security language to our procurement process documents OWASP Austin Chapter Sept 2009 12

Untangling the OWASP Projects knot OWASP Austin Chapter Sept 2009 13

Projects you should probably know Lets untangle the knot of OWASP Projects (120+) Review of those we've already mentioned Other good projects to know Things to keep your eye on For each project, A brief description / overview Suggestions on how it can help your security efforts A link to the website Note: These are projects that have the caught the speakers attention. It is possible, if not likely, that several great projects have been missed. My apologies to those projects. OWASP Austin Chapter Sept 2009 14

OWASP Testing Guide Provides a best practice penetration framework and a low level penetration testing guide that describes techniques for testing web applications. Version 3 is the latest and is a 349 page book Tests split into 9 sub-categories with 66 controls to test Benefits Ready made testing framework Great categories and identifiers for reporting Excellent to augment skills of analysts http://www.owasp.org/index.php/category:owasp_testing_project OWASP Austin Chapter Sept 2009 15

OWASP WebScarab WebScarab is a tool to analyze applications which communicate via HTTP/HTTPS. It is an intercepting proxy with numerous features Proxy, Spider, Manual Intercept, Fragments, Search, Compare, Fuzzer, Session Analysis, Bandwidth simulator, scripting support,... WebScarab NG is a re-write of the original Benefits Single tool which can cover the majority of manual testing needs Scripting allows for customization http://www.owasp.org/index.php/category:owasp_webscarab_project OWASP Austin Chapter Sept 2009 16

OWASP WebGoat WebGoat is a deliberately insecure J2EE web application created by OWASP and designed to teach web application security lessons Benefits Fantastic introduction to basic and more advanced application security concepts Fully developed and complete web application that can tested safely and without legal worries Detailed lesson solution hints Runs on Windows/OS-X/Linux http://www.owasp.org/index.php/category:owasp_webgoat_project OWASP Austin Chapter Sept 2009 17

OWASP Live CD The OWASP Live CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. Virtual Box and VMware installs also available 26 pre-configured and integrated tools Benefits Web App Testing environment in one download No need to gather and configure all the tools Includes documentation also (OWASP Guides, etc) http://www.owasp.org/index.php/category:owasp_live_cd_project OWASP Austin Chapter Sept 2009 18

OWASP Legal Project The OWASP Legal Project helps software developers and their clients negotiate and capture important contractual terms and conditions related to the security of the software to be developed or delivered. The Contract Annex provides a framework for determining how software security will be handled when developing software Benefits Provides clear and complete language Can (and should) tailor it to the business's needs http://www.owasp.org/index.php/category:owasp_legal_project OWASP Austin Chapter Sept 2009 19

Unveiling projects we've not seen yet... OWASP Austin Chapter Sept 2009 20

OWASP Top Ten The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are. Adopted by the Payment Card Industry (PCI) Recommended as a best practice by many government and industry entities Benefits Powerful awareness document for web application security Great starting point and reference for developers http://www.owasp.org/index.php/category:owasp_top_ten_project OWASP Austin Chapter Sept 2009 21

OWASP ESAPI OWASP Enterprise Security API (ESAPI) is a free and open collection of all the security methods that a developer needs to build a secure web application. API is fully documented and online Implementations in multiple languages Benefits Provides a great reference Implementation can be adapted/used directly Provides a benchmark to measure frameworks http://www.owasp.org/index.php/category:owasp_enterprise_security_api OWASP Austin Chapter Sept 2009 22

OWASP ASVS The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications. Covers automated and manual approaches for external testing and code review techniques Recently created and already adopted by several companies and government agencies Benefits Standardizes the coverage and level of rigor used to perform app sec assessments Allows for better comparisons http://www.owasp.org/index.php/category:owasp_application_security_verification_standard_project OWASP Austin Chapter Sept 2009 23

OWASP Open SAMM The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. Benefits Evaluate your organization's existing software security practices Build a balanced software security program in well-defined iterations. Demonstrating concrete improvements http://www.owasp.org/index.php/category:owasp_software_assurance_maturity_model_project OWASP Austin Chapter Sept 2009 24

OWASP Guides OWASP Testing Guide (already covered above) OWASP Code Review Guide Documentation on the best practices for reviewing code OWASP Application Security Desk Reference Reference volume of App Sec Fundamentals OWASP Development Guide (a bit old) A massive document covering all aspects of web application and web service security OWASP AppSec FAQ Project FAQ covering many app sec topics OWASP Austin Chapter Sept 2009 25

OWASP AntiSamy OWASP AntiSamy is an API for ensuring usersupplied HTML/CSS is compliant within the applications rules. API plus implementations Java,.Net, Coldfusion, PHP (HTMLPurifier) Benefits It helps you ensure that clients don't supply malicious code into your application A safer way to allow for rich content from an application's users http://www.owasp.org/index.php/category:owasp_antisamy_project OWASP Austin Chapter Sept 2009 26

OWASP CSRFGuard OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated. Java,.Net and PHP implementations CSRF is considered the app sec sleeping giant Benefits Provides code to generate unique request tokens to mitigate CSRF risks http://www.owasp.org/index.php/category:owasp_csrfguard_project OWASP Austin Chapter Sept 2009 27

Projects to keep your eye on OWASP Austin Chapter Sept 2009 28

OWASP OpenPGP Extensions for HTTP OWASP OpenPGP Extensions for HTTP utilize PKI to enhance secure session management. OpenPGP signing is added to the HTTP protocol. A server module plus a browser plugin exists. Benefits Provides a PKI alternative to SSL/TLS for authentication and integrity Allows for server to authenticate clients Allows for clients to authenticate servers Future enhancements will include encryption Proposed as an IETF specification http://www.owasp.org/index.php/category:owasp_openpgp_extensions_for_http_-_enigform_and_mod_openpgp OWASP Austin Chapter Sept 2009 29

OWASP Static Analysis tools OWASP Code Crawler.Net static code review tool Covers.Net and J2EE/Java languages Companion for the OWASP Code Review Guide OWASP Orizon Library + API + Reporting tools + GUI Advanced but in its early stages Working for Java other languages planned OWASP Yasca Command-line grep-based tool (HTML output) Java, C/C++, JavaScript,.Net OWASP Austin Chapter Sept 2009 30

OWASP Securing WebGoat using ModSecurity This project created a set of custom ModSecurity rulesets that augment the Core Set and protect WebGoat 5.2 from as many vulnerabilities as possible. Very challenging to protect a purposely vulnerable application Developed scripts (Lua) for ModSecurity as well as JavaScript injections Really pushed the boundaries of what a WAF can do even business logic issues See OWASP Podcast #2 for an interview http://www.owasp.org/index.php/category:owasp_securing_webgoat_using_modsecurity_project OWASP Austin Chapter Sept 2009 31

OWASP Security Spending Benchmarks This project seeks to produce guidance and an industry accepted benchmark for justifying overall Web application security spending. The project will attempt to identify how many resources should go into various SDLC activities. Produced its first report on March 2009 Benefits Produces some of the first (and only) metrics on application security spending March report has a number of interesting findings http://www.owasp.org/index.php/category:owasp_security_spending_benchmarks OWASP Austin Chapter Sept 2009 32

Other projects of interest OWASP Security Analysis of Core J2EE Design Patterns Project Provides advice for J2EE patterns What pattern needs what additional controls OWASP O2 Recently released from Ounce Labs Static analysis + visualization OWASP Vicnum & OWASP Mutillidae Vulnerable apps to demonstrate sec issues Vicnum lightweight app / Vicnum Game Mutillidae implements the OWASP Top 10 OWASP Austin Chapter Sept 2009 33

Conclusion Almost anywhere you are in the SDLC, OWASP has something that can improve your security and lower your costs. You just have to know where to look OWASP Austin Chapter Sept 2009 34

Questions? OWASP Austin Chapter Sept 2009 35

Bonus Material: http://pseudosec.com/ The PseudoSec Security Challenge offers a unique opportunity to test your web application security skills and problem solving ability by uncovering and exploiting vulnerabilities in a simulated corporate website. Whether you are a seasoned infosec professional or a novice interested in learning the tricks of the trade, the PseudoSec Security Challenge provides an exciting and educational resource for users of all experience levels. OWASP Austin Chapter Sept 2009 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback