2. About Myself
Security Architect
International Presenter
Member of OWASP and ISACA global organizations
OWASP Ireland Limerick Chapter Leader
https://www.owasp.org/index.php/Ireland-Limerick
Security Researcher PhD, MEng
http://www.ventuneac.net
http://secureappdev.blogspot.com
http://dcsl.ul.ie
OWASP 2
3. State of Information Security
The problem
There are not enough qualified
application security professionals
What can we do about it?
Make application security visible
Provide Developers and Software Testers with materials
and tools helping them to build more secure applications
4. Who is OWASP?
Open Web Application Security Project
http://www.owasp.org
Global community driving and promoting the safety and security of the world's software
OWASP is a registered nonprofit in the United States and
Europe
Everyone is free to participate
All OWASP materials & tools are free
5. OWASP by the Numbers
11 years of community service
88+ Government & Industry Citations
including DHS, ISO, IEEE, NIST, SANS Institute, CSA, etc
30,000 + participant mailing lists
250,000+ unique visitors per month
800,000+ page views per month
15,000+ downloads per month
6. OWASP by the Numbers (cont)
Budget for 2012: $591,275
2081 individual members and honorary members from
over 70 countries
55+ paid Corporate Members
53+ Academic Supporters
193+ Active Chapters
113+ Active Projects
4 Global AppSec Conferences per Year
8. OWASP Near You – Romania Chapter
Promote application security and create local
security communities
Started in 2008 by Claudiu Constantinescu
2012 Chapter Reboot
Chapter Leader - Tudor Enache
Penetration Tester @ Electronic Arts
Specialized in web and mobile application security
testing
https://www.owasp.org/index.php/Romania
9. OWASP Projects & Tools
Make application security visible
Videos, podcasts, books, guidelines, cheat sheets, tools, …
Available under a free and open software license
Used, recommended and referenced by many
government, standards and industry organisations
Open for everyone
to participate
10. OWASP Projects & Tools - Classification
113+ Active Projects
PROTECT
guard against security-related design and implementation
flaws.
DETECT
find security-related design and implementation flaws.
LIFE CYCLE
add security-related activities into software processes (e.g. SDLC, agile)
11. OWASP Projects & Tools – An Overview
DETECT
OWASP Top 10
OWASP Code Review Guide
OWASP Testing Guide
OWASP Cheat Sheet Series
OWASP AppSec Tutorials
OWASP ASVS
OWASP LiveCD / WTE
OWASP ZAP Proxy
PROTECT
OWASP ESAPI
OWASP ModSecurity CRS
LIFE CYCLE
WebGoat J2EE
WebGoat .NET
Full list of projects (release, beta, alpha)
http://www.owasp.org/index.php/Category:OWASP_Project
12. OWASP Top 10 Security Risks (DETECT)
The most visible OWASP project
Classifies some of the most
critical risks
Essential reading for anyone
developing web applications
Referenced by standards, books,
tools, and organizations,
including MITRE, PCI DSS,
FTC, and many more
14. OWASP Top 10 Risk Rating Methodology
Each risk is scored on six factors; threat agent and business impact are application-specific (shown as "?"), while the other four are rated on a 1 to 3 scale, where 1 is the worst case:

Score | Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
1     | ?            | Easy          | Widespread          | Easy                   | Severe           | ?
2     | ?            | Average       | Common              | Average                | Moderate         | ?
3     | ?            | Difficult     | Uncommon            | Difficult              | Minor            | ?

Injection example: ? | 1 | 2 | 2 | 1 | ?
The three likelihood factors are averaged, (1 + 2 + 2) / 3 = 1.66, then multiplied by the technical impact score: 1.66 * 1 = 1.66 weighted risk rating (lower means more serious).
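The rating arithmetic on this slide, as an added example that is not part of the original deck: a small Python calculator that maps the slide's labels to the 1 to 3 scale, averages the three likelihood factors and weights them by technical impact. The two "Hypothetical risk" entries are constructed sample input; only the Injection row comes from the slide.

```python
from statistics import mean

# Rating scale from the slide: 1 is the worst case, 3 the best.
SCALE = {
    "attack_vector": {"Easy": 1, "Average": 2, "Difficult": 3},
    "prevalence": {"Widespread": 1, "Common": 2, "Uncommon": 3},
    "detectability": {"Easy": 1, "Average": 2, "Difficult": 3},
    "technical_impact": {"Severe": 1, "Moderate": 2, "Minor": 3},
}
LIKELIHOOD_FACTORS = ("attack_vector", "prevalence", "detectability")


def score(factor, label):
    """Map a label such as 'Easy' to its 1..3 score, rejecting unknown labels."""
    try:
        return SCALE[factor][label]
    except KeyError:
        raise ValueError(f"{label!r} is not a valid {factor} rating") from None


def weighted_risk(attack_vector, prevalence, detectability, technical_impact):
    """Average the three likelihood factors, then weight by technical impact.

    Threat agent and business impact are application-specific ('?' on the
    slide) and so are not part of the generic rating. Lower is more serious.
    """
    labels = {"attack_vector": attack_vector, "prevalence": prevalence,
              "detectability": detectability}
    likelihood = mean(score(f, labels[f]) for f in LIKELIHOOD_FACTORS)
    return likelihood * score("technical_impact", technical_impact)


def rank_risks(ratings):
    """Order risk names from most to least serious (ascending weighted rating)."""
    return sorted(ratings, key=lambda name: weighted_risk(**ratings[name]))


# Constructed sample: the slide's Injection row plus two hypothetical risks.
SAMPLE = {
    "Injection": dict(attack_vector="Easy", prevalence="Common",
                      detectability="Average", technical_impact="Severe"),
    "Hypothetical risk A": dict(attack_vector="Difficult", prevalence="Uncommon",
                                detectability="Difficult", technical_impact="Minor"),
    "Hypothetical risk B": dict(attack_vector="Average", prevalence="Widespread",
                                detectability="Average", technical_impact="Moderate"),
}

if __name__ == "__main__":
    for name in rank_risks(SAMPLE):
        print(f"{name}: {weighted_risk(**SAMPLE[name]):.2f}")
```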
15. OWASP Code Review Guide
Code review is probably the
most effective technique
for identifying security flaws
Focuses on the mechanics of
reviewing code for certain
vulnerabilities
A key enabler for the OWASP
fight against software insecurity
Stable release v1.1, v2 is in
progress
16. OWASP Code Review Guide (cont)
Focuses on .NET and Java, but
has some C/C++ and PHP
Integration of secure code
review into software
development processes
Understand what you are
reviewing
Security code review is not a
silver bullet, but a key
component of an IS program
17. OWASP Testing Guide
Create a "best practices" web
application penetration testing
framework
A low-level web application
penetration testing guide
Recommended for developers
and software testers
Version 3 available, version 4 is
in progress
https://www.owasp.org/index.php/OWASP_Testing_Project
18. OWASP Cheat Sheet Series
Provide a concise collection of high value information on
specific web application security topics
Developer Cheat Sheets (Builder)
Authentication
Clickjacking Defense
Cryptographic Storage
HTML5 Security
Input Validation
Query Parameterization
Session Management
SQL Injection Prevention
…
Assessment Cheat Sheets (Breaker)
Attack Surface Analysis
XSS Filter Evasion
…
Mobile Cheat Sheets
IOS Developer
Mobile Jailbreaking
…
https://www.owasp.org/index.php/Cheat_Sheets
21. OWASP AppSec Tutorial Series
https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
MAKE APPSEC MORE VISIBLE
Provide top notch application security video based training
Four episodes available
22. OWASP ASVS - Application Security
Verification Standard
Provides a basis for testing application technical security
controls
Use as a metric – assess the degree of trust in existing security controls
Use as guidance – for what
to build as part of planned
security controls
Use during procurement
25. OWASP LiveCD / WTE
Make application security tools and documentation easily
available
Collects some of the best open
source security projects in a
single environment
Boot from this Live CD and have
access to a full security testing
suite
http://appseclive.org/
26. OWASP Zed Attack Proxy Project (PREVENT)
One of the flagship OWASP projects
Easy to use integrated penetration
testing tool for assessing web
applications
Ideal for developers and functional
testers who are new to penetration
testing
Completely free and open source
Cross platform, internationalised
Current version 1.4.1 (v2 in progress)
27. OWASP ZAP Proxy - Features
Current features:
Intercepting Proxy
Automated scanner
Passive scanner
Brute Force scanner
Spider
Fuzzer
Port scanner
Dynamic SSL certificates
API
Beanshell integration
Upcoming:
New Spider
New 'Ajax' Spider
Session Awareness
Web Socket Support
Session Scope
Different Modes (Safe/Protected/Standard)
Scripting console
29. OWASP ESAPI – Enterprise Security API
Free, open source, web application security controls
library
Provide developers with libraries for writing lower-risk
applications
Allow retrofitting security into existing applications
Serve as a solid foundation for new development
Support for Java, PHP and Force.com; further languages may be supported
32. OWASP ESAPI - OWASP Top 10 Coverage
OWASP Top Ten                                 OWASP ESAPI
A1.  Cross Site Scripting (XSS)               Validator, Encoder
A2.  Injection Flaws                          Encoder
A3.  Malicious File Execution                 HTTPUtilities (Safe Upload)
A4.  Insecure Direct Object Reference         AccessReferenceMap, AccessController
A5.  Cross Site Request Forgery (CSRF)        User (CSRF Token)
A6.  Leakage and Improper Error Handling      EnterpriseSecurityException, HTTPUtils
A7.  Broken Authentication and Sessions       Authenticator, User, HTTPUtils
A8.  Insecure Cryptographic Storage           Encryptor
A9.  Insecure Communications                  HTTPUtilities (Secure Cookie, Channel)
A10. Failure to Restrict URL Access           AccessController
33. OWASP ModSecurity Core Rule Set
Free certified rule set for ModSecurity WAF
Generic web applications protection:
Common Web Attacks Protection
HTTP Protection
Real-time Blacklist Lookups
HTTP Denial of Service Protection
Automation Detection
Integration with AV Scanning for File Uploads
Tracking Sensitive Data
Identification of Application Defects
Error Detection and Hiding
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
34. OWASP WebGoat Java Project
Deliberately insecure J2EE web application to teach web
application security lessons
Over 30 lessons, providing hands-on learning about
Cross-Site Scripting (XSS)
Access Control
Blind/Numeric/String SQL Injection
Web Services
… and many more
Version 5.4 available, v6 in progress
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
36. OWASP WebGoat.NET Project
A purposefully broken ASP.NET web application
Contains many common vulnerabilities
Intended for use in classroom environments
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET