OWASP Overview
Germany 2008 Conference
Sebastien Deleersnyder,
OWASP Board
CISSP, CISA, CISM
Nov, 2008
OWASP
Copyright © - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org
Who Am I?
 5 years developer experience
 8 years information security experience
 Lead application security
Telindus, Belgacom ICT (Belgium)
 Belgian OWASP chapter founder
 OWASP board member
 www.owasp.org
OWASP
Agenda
OWASP Introduction
OWASP Project Parade
OWASP Near You?
OWASP
3
Agenda
OWASP Introduction
OWASP Project Parade
OWASP Near You?
OWASP
4
OWASP
The Open Web Application Security Project
(OWASP)
International not-for-profit charitable Open
Source organization funded primarily by
volunteers time, OWASP Memberships, and
OWASP Conference fees
Participation in OWASP is free and open to all
OWASP
5
OWASP Mission
to make application
security "visible," so that
people and organizations
can make informed
decisions about
application security risks
OWASP
6
OWASP Resources and Community
Documentation (Wiki and Books)
• Code Review, Testing, Building, Legal, more …
Code Projects
• Defensive, Offensive (Test tools), Education,
Process, more …
Chapters
• Over 130 and growing
Conferences
• Major and minor events all around the world
OWASP
www.owasp.org
OWASP
8 8
130+ Chapters Worldwide
OWASP
9
OWASP Conferences (2008-2009)
Minnesota
Oct 2008
NYC
Sep 2008
Brussels
May 2008
Germany
Nov 2008
Poland
May 2009
Denver
Spring 2009
San Jose?
Sep 2009
Portugal
Nov 2008
Israel
Sep 2008
India
Aug 2008
Taiwan
Oct 2008
Gold Coast
Feb 2008
+2009
OWASP
10
Summit Portugal
2009 Focus
80+ application security experts from 20+ countries
New Free Tools and Guidance (SoC08)
New Outreach Program
technology vendors, framework providers, and
standards bodies
new program to provide free one- day seminars at
universities and developer conferences worldwide
New Global Committee Structure
Education, Chapter, Conferences, Industry, Projects
and Tools, Membership
OWASP
11
Agenda
OWASP Introduction
OWASP Project Parade
OWASP Near You?
OWASP
12
OWASP Projects:
Improve Quality and Support
 Define Criteria for Quality Levels
 Alpha, Beta, Release
 Encourage Increased Quality
 Through Season of Code Funding and Support
 Produce Professional OWASP books
 Provide Support
 Full time executive director (Kate Hartmann)
 Full time project manager (Paulo Coimbra)
 Half time technical editor (Kirsten Sitnick)
 Half time financial support (Alison Shrader)
 Looking to add programmers (Interns and professionals)
OWASP
OWASP Top 10
The Ten Most Critical
Web Application Security
Vulnerabilities
2007 Release
A great start, but not a
standard
OWASP
14
Key Application Security Vulnerabilities
www.owasp.org/index.php?title=Top_10_2007
OWASP
15
The ‘Big 4’ Documentation Projects
Building
Guide
Code
Review
Guide
Testing
Guide
Application Security Desk Reference
(ASDR)
OWASP
The Guide
 Complements
OWASP Top 10
 310p Book
 Free and open source
 Gnu Free Doc License
 Many contributors
 Apps and web services
 Most platforms
 Examples are J2EE, ASP.NET,
and PHP
 Comprehensive
 Project Leader and Editor
Andrew van der Stock,
[email protected]
OWASP
Uses of the Guide
Developers
Use for guidance on implementing security
mechanisms and avoiding vulnerabilities
Project Managers
Use for identifying activities (threat modeling, code
review, penetration testing) that need to occur
Security Teams
Use for structuring evaluations, learning about
application security, remediation approaches
OWASP
Each Topic
 Includes Basic Information (like OWASP T10)
 How to Determine If You Are Vulnerable
 How to Protect Yourself
 Adds
 Objectives
 Environments Affected
 Relevant COBIT Topics
 Theory
 Best Practices
 Misconceptions
 Code Snippets
OWASP
Testing Guide v2: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
OWASP
20
What Is the OWASP Testing Guide?
Testing Principles
Testing Process
Custom Web Applications
Black Box Testing
Grey Box Testing
Risk and Reporting
Appendix: Testing Tools
Appendix: Fuzz Vectors
Information Gathering
Business Logic Testing
Authentication Testing
Session Management Testing
Data Validation Testing
Denial of Service Testing
Web Services Testing
Ajax Testing
OWASP
21
Soc08 version 3
 Improve version 2
 improved 9 articles
 Total of 10 Testing categories
and 66 controls.
 New sections and controls
 Configuration Management
 Authorization Testing
 36 new articles
 New Encoded Injection Appendix;
OWASP
How the Guide helps the security industry
Testers

A structured approach to the testing activities

A checklist to be followed

A learning and training tool

Organisation
s

A tool to understand web vulnerabilities and
their impact
A way to check the quality of security tests
More generally, the Guide aims to provide a pen-testing standard that creates a
'common ground' between the testing groups and its ‘customers’.
This will raise the overall quality and understanding of this kind of activity and
therefore the general level of security of our applications
OWASP
23
Tools
http://www.owasp.org/index.php/Phoenix/Tools
Best known OWASP Tools
WebGoat
WebScarab
Remember:
A Fool with a Tool is still a Fool
OWASP
Tools – At Best 45%
 MITRE found that all application
security tool vendors’ claims put
together cover only 45% of the known
vulnerability types (over 600 in CWE)
 They found very little overlap between
tools, so to get 45% you need them all
(assuming their claims are true)
OWASP
25
OWASP WebGoat
OWASP
26
OWASP WebScarab
OWASP
27
OWASP CSRFTester
OWASP
28
OWASP CSRFGuard 2.0
OWASP
CSRFGuard
 Adds token to:
Verify Token
User
(Browser)
Business
Processing
 href attribute
 src attribute
 hidden field in all forms
 Actions:
Add Token
to HTML
 Log
 Invalidate
 Redirect
http://www.owasp.org/index.php/CSRFGuard
OWASP
29
OWASP
SecurityConfiguration
IntrusionDetector
Logger
Exception Handling
Randomizer
EncryptedProperties
Encryptor
HTTPUtilities
Encoder
Validator
AccessReferenceMap
AccessController
User
Authenticator
The OWASP Enterprise Security API
Custom Enterprise Web Application
Enterprise Security API
Existing Enterprise Security Services/Libraries
30
Coverage
OWASP Top Ten
OWASP ESAPI
A1. Cross Site Scripting (XSS)
Validator, Encoder
A2. Injection Flaws
Encoder
A3. Malicious File Execution
HTTPUtilities (upload)
A4. Insecure Direct Object Reference
AccessReferenceMap
A5. Cross Site Request Forgery (CSRF)
User (csrftoken)
A6. Leakage and Improper Error Handling
EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions
Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage
Encryptor
A9. Insecure Communications
HTTPUtilities (secure cookie, channel)
A10. Failure to Restrict URL Access
AccessController
OWASP
Create Your ESAPI Implementation
Your Security Services
Wrap your existing libraries and services
Extend and customize your ESAPI implementation
Fill in gaps with the reference implementation
Your Coding Guideline
Tailor the ESAPI coding guidelines
Retrofit ESAPI patterns to existing code
OWASP
32
OWASP CLASP
 Comprehensive, Lightweight
Application Security Process
Prescriptive and Proactive
Centered around 7 AppSec Best
Practices
Cover the entire software lifecycle
(not just development)
 Adaptable to any development process
 CLASP defines roles across the SDLC
 24 role-based process components
 Start small and dial-in to your needs
OWASP
33
The CLASP Best Practices
1.
2.
3.
4.
5.
6.
7.
Institute awareness programs
Perform application assessments
Capture security requirements
Implement secure development practices
Build vulnerability remediation procedures
Define and monitor metrics
Publish operational security guidelines
OWASP
34
SDLC & OWASP Guidelines
OWASP
Framework
OWASP
35
Want More ?

























OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
.NET Project
ASDR Project
AntiSamy Project
AppSec FAQ Project
Application Security Assessment Standards Project
Application Security Metrics Project
Application Security Requirements Project
CAL9000 Project
CLASP Project
CSRFGuard Project
CSRFTester Project
Career Development Project
Certification Criteria Project
Certification Project
Code Review Project
Communications Project
DirBuster Project
Education Project
Encoding Project
Enterprise Security API
Flash Security Project
Guide Project
Honeycomb Project
Insecure Web App Project
Interceptor Project
























OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
JBroFuzz
Java Project
LAPSE Project
Legal Project
Live CD Project
Logging Project
Orizon Project
PHP Project
Pantera Web Assessment Studio Project
SASAP Project
SQLiX Project
SWAAT Project
Sprajax Project
Testing Project
Tools Project
Top Ten Project
Validation Project
WASS Project
WSFuzzer Project
Web Services Security Project
WebGoat Project
WebScarab Project
XML Security Gateway Evaluation Criteria Project
on the Move Project
OWASP
36
SoC2008 selection

















OWASP Code review guide, V1.1
The Ruby on Rails Security Guide v2
OWASP UI Component Verification Project (a.k.a.
OWASP JSP Testing Tool)
Internationalization Guidelines and OWASP-Spanish
Project
OWASP Application Security Desk Reference
(ASDR)
OWASP .NET Project Leader
OWASP Education Project
The OWASP Testing Guide v3
OWASP Application Security Verification Standard
Online code signing and integrity verification
service for open source community (OpenSign
Server)
Securing WebGoat using ModSecurity
OWASP Book Cover & Sleeve Design
OWASP Individual & Corporate Member Packs,
Conference Attendee Packs Brief
OWASP Access Control Rules Tester
OpenPGP Extensions for HTTP - Enigform and
mod_openpgp
OWASP-WeBekci Project
OWASP Backend Security Project














OWASP Application Security Tool Benchmarking
Environment and Site Generator refresh
Teachable Static Analysis Workbench
OWASP Positive Security Project
GTK+ GUI for w3af project
OWASP Interceptor Project - 2008 Update
Skavenger
SQL Injector Benchmarking Project (SQLiBENCH)
OWASP AppSensor - Detect and Respond to Attacks
from Within the Application
Owasp Orizon Project
OWASP Corporate Application Security Rating Guide
OWASP AntiSamy .NET
Python Static Analysis
OWASP Classic ASP Security Project
OWASP Live CD 2008 Project
OWASP
37
OWASP Projects Are Alive!
2009
…
2007
2005
2003
2001
OWASP
38
Agenda
OWASP Introduction
OWASP Project Parade
OWASP Near You?
OWASP
39
www.owasp.tv
56 videos - 40 h
OWASP
40
Upcoming Conferences
 February 2009 - Day 3 Italy OWASP Day III: "Web Application
Security: research meets industry" 23rd February 2009 - Bari (Italy)
 February 2009 - OWASP AppSec Australia 2009 - Gold Coast
Training & Conference, Gold Coast Convention Center, QLD
Australia
 March 2009 - OWASP Front Range Conference March 5th, 2nd
Annual 1-Day Conference in Denver, Colorado
 May 2009 - OWASP AppSec Europe 2009
 Poland May 11th - 14th - Conference and Training, Qubus Hotel,
Krakow, Poland
 Back to back with Confidence09
 June 2009 - OWASP AppSec - Dublin Ireland
 October 2009 - OWASP AppSec US 2009 - Washington, D.C.
OWASP
41
German Chapter
Meetings
Local Mailing List
Presentations & Groups
Open forum for discussion
Meet fellow InfoSec professionals
Create (Web)AppSec awareness
Local projects?
OWASP
Subscribe to German Chapter mailing list
Post your (Web)AppSec questions
Keep up to date!
Get OWASP news letters
Contribute to discussions!
OWASP
43
That’s it…
Any Questions?
http://www.owasp.org
http://www.owasp.org/index.php/Germany
[email protected]
Thank you!
OWASP
44