OWASP Projects: beyond Top 10
OWASP Poland
Wroclaw Meetup #5
17.02.2017
About us
• Alexander Antukh
• OWASP Poland Board Member
• Head of Product Security at
• @c0rdis
About us
• Marek Puchalski
• OWASP Poland member
• Developer and Security Consultant at Capgemini
• https://marek.puchal.ski
About us
• Pawel Rzepa
• Security Engineer in Intive
• Contributor in OWASP MSTG (Mobile Security Testing Guide)
About us
• Andrii Sygida
• OWASP Poland almost member
• Application security specialist at
About us
• Daniel Ramirez
• OWASP Member
• Security Specialist in EY
• Hands-on vulnerability assessment (VA) experience in different kinds of apps
Thank you for the support!
Motivation
• Top 10 is a de-facto standard in Webappsec world
• OWASP is mostly associated with it …
• but there are many more!
As of 2016 there are 133 different projects, which can help you whether you are on the attacker's or the defender's side of the barricade!
Program for today
• ZAP, WebGoat, OWTF
• (M)ASVS, Cheat Sheets, Cornucopia
• SKF, AppSec Pipeline, Testing Guides
Let the fun begin!
Agenda
• Problem 1: efficient security training
• Solution: WebGoat
• Problem 2: efficient management of multiple
penetration testing tasks
• Solution: Offensive Web Testing Framework
Problem of efficient security training
"…and XSS allows you to inject such horrifying pop-up windows!!!"
Security awareness trainings for developers are quite common, but reality shows they are still ineffective :(
Problem of efficient security training
What about…
"Finally a security training which isn't an online course to fly through and forget!"
"An internal course that is free and isn't corpo-bullshit?! Cannot believe that…"
…arranging internal hands-on labs for developers and testers, where they can deeply understand vulnerabilities by finding and fixing them?
WebGoat: few words about
• A deliberately insecure Java-based application, which allows you to practise common vulnerabilities
• 50+ lessons
• After finding a vulnerability, learn to fix it!
• Lessons are easy to manage: each lesson is a plugin
• You can create your own lessons and easily customize content and language
• …or .NET-based: https://www.owasp.org/index.php/WebGoatFor.Net
Not only web apps…
• Ruby on Rails: OWASP Rails Goat Project
• PHP: OWASP WebGoatPHP
• Node.js: OWASP Node_js Goat Project
• Android: OWASP GoatDroid Project
• iOS: OWASP iGoat Project
WebGoat: how to run?
• Prerequisites: Java 8 (JVM 1.8)
• To start, just run these commands:
$> wget https://github.com/WebGoat/WebGoat/releases/download/7.0.1/webgoat-container-7.0.1-war-exec.jar
$> java -jar webgoat-container-7.0.1-war-exec.jar
• Open in your browser: http://localhost:8080/WebGoat/
• That's all! (The application is deliberately vulnerable, so keep it on localhost or an isolated lab network.)
WebGoat: first view
WebGoat: lessons & labs
WebGoat: creating your own lesson
• Plugin = lesson
• Create NewLesson.java: https://www.owasp.org/index.php/How_to_write_a_new_WebGoat_lesson
• A plugin is just a folder which follows a fixed layout
WebGoat: useful links
• Project: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• Documentation: https://github.com/WebGoat/WebGoat
Problem: how to efficiently manage
outputs from many different applications?
• Each pentester uses many different applications (vuln scanner,
web crawler, SSL/TLS tests, session management tests)
• Running each of those tests consumes time, right?
• It’s easy to automate those tasks, but analysing a consolidated
output is much more difficult :(
• And finally you have to form a readable report from all those
tests…
• …oooh… :(
Typical penetration testing process
<runs a lot of tests>
<which generate lots of output>
<copy/paste interesting parts>
…of course in notepad ;)
(…)
OWTF: Idea of the project
• The goal of OWTF is to use penetration testing time as efficiently as possible. It does this by:
• Running different tools (Nikto/Arachni/w3af/etc.)
• Running direct tests (header searches/session tests/etc.)
• A knowledge repository (OWASP mapping/resource links)
• Helping human analysis (flag severity/manage output)
• In other words, OWTF provides an optimal balance between automation and human analysis
OWTF: Installation
• Want to quickly start? Follow this one-liner (as with any install-script one-liner, read bootstrap.sh before you run it):
$> wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh
OWTF: Set a target
Plugin types for testing web apps:
• passive: tests via 3rd parties (no traffic to target)
• semi-passive: sends normal traffic to target
• active: active vulnerability probing
• grep: searches on HTTP transactions
• external: assists manual testing
Plugin types for testing network services:
• probing services (e.g. FTP/SMB)
OWTF: Choose plugins and run!
OWTF: Useful links
• Project: https://www.owasp.org/index.php/OWASP_OWTF
• Documentation: http://docs.owtf.org/en/latest/
• Online passive scanner: https://owtf.github.io/online-passive-scanner
Summary
• Use OWASP WebGoat to provide efficient security trainings in your company.
• Use OWASP OWTF to automate your penetration testing tasks. It makes analysing test output and producing reports fast.
OWASP ASVS
(Application Security Verification
Standard)
Application Security Standards in use
SANS Institute, May 2015, State of Application Security: Closing the Gap
https://www.sans.org/reading-room/whitepapers/analyst/2015-state-application-security-closing-gap-35942
In short
OWASP Application Security Verification Standard (ASVS) is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is.
Example requirements
• Architecture and design
• Input handling
• Data protection
• Session management
• Error handling
• Business logic
• Configuration
• Web services
• 19 sections in total
• Every chapter has a control objective, requirements and references
History
• First introduced: June 2008
• ASVS v1.0: 2009
• ASVS v2.0: 2014
• ASVS v3.0: 2015
• Current version: v3.0.1 (July 2016)
Idea behind
• Use as a metric - provide application developers and
application owners with a yardstick with which to
assess the degree of trust that can be placed in their
Web applications
• Use as guidance - provide guidance to security control
developers as to what to build into security controls in
order to satisfy application security requirements
• Use during procurement - provide a basis for
specifying application security verification
requirements in contracts
Application Security Verification Levels
• ASVS Level 3 – for applications that "shoot missiles" ;)
• ASVS Level 2 – for applications that contain sensitive data
• ASVS Level 1 – for all software
Benefits for you
• Helps you to develop and maintain secure applications
• Contains clear and ready-to-use high level checklists
and use cases
• Allows you as well as security services, vendors, and
consumers to align requirements and offerings
More ideas
• Train your developers in AppSec
• Take your standard software architecture and prepare
standard security solutions
Open Application Standard Platform (OASP)
https://oasp.github.io/
Projects based on ASVS
• Secure Knowledge Framework - training developers in
writing secure code and providing a knowledge base of
secure design patterns
• Zed Attack Proxy - easy to use integrated penetration testing
tool for finding vulnerabilities in web applications, both
automatically and manually
• Cornucopia - mechanism in the form of a card game to assist
software development teams identify security requirements
in Agile, conventional and formal development processes. It
is language, platform and technology agnostic.
Useful links
• Project: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
• Excel checklist: https://github.com/OWASP/ASVS/blob/master/ASVS-excel-v3.0.1.xlsx
• OWASP ASVS mailing list: https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
OWASP MASVS
(Mobile Application Security Verification
Standard)
Current state
Mobile web usage overtakes desktop for first time
http://www.telegraph.co.uk/technology/2016/11/01/mobile-web-usage-overtakes-desktop-for-first-time/
In short
• There is a significant difference between the security assurance of web and mobile applications
• MASVS is to mobile apps what ASVS is to web apps
• The project is work in progress (v0.9.2 is currently available)
Example
Mobile Security Verification Levels
The following assurance levels are possible: L1, L1+L2, and, with the reverse-engineering resiliency requirements (R) added, L1+R and L1+L2+R.
Requirements
• Architecture, Design and Threat Modelling
• Data Storage and Privacy
• Cryptography
• Authentication and Session Management
• Network Communication
• Environmental Interaction
• Code Quality and Build Setting
• Resiliency Against Reverse Engineering
Useful links
• Homepage: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
• Github: https://github.com/OWASP/owasp-masvs
OWASP Cornucopia
In short
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.
Cornucopia is based on the concepts and game ideas from the Microsoft SDL EoP game and the OWASP Secure Coding Practices Guide.
OWASP Cornucopia Ecommerce Website Edition is referenced in the current Payment Card Industry Security Standards Council information supplement PCI DSS E-commerce Guidelines v2, January 2013.
Idea behind
• Help development teams to identify application security requirements and develop security-based user stories
• Aimed primarily at Agile-based methodologies
• Gamification approach to threat modeling
Cornucopia card
Each card carries a suit, a rank, a threat, and references to:
- Secure Coding Practices
- ASVS
- AppSensor project
- Common Attack Pattern (CAPEC)
- Software Assurance Forum for Excellence in Code (SAFECode)
Cornucopia rules
• Prepare everything (deck, cards, data flow diagram,
prizes…)
• Deal all the cards
• Play a round – every player has to utilize one card
of the selected suit. Highest played card in the suit
wins and starts next round until all cards are played
• Count points and define the winner
• Closure: review all threats and matching security
requirements
https://www.owasp.org/index.php/OWASP_Cornucopia#tab=How_to_Play
Cornucopia rules
Playing a card:
• each player reads it out loud
• explains how the threat could apply (or not) to his
application
• player gets a point for attacks that work, and the
group thinks it is an actionable bug
At this point we don't think about mitigations and don't exclude a threat just because it is believed to be already mitigated: the card should be recorded on the score sheet anyway
Cornucopia deck
Benefits for you
• Clear who said what
• Exact descriptions of threats
• Actionable items
• Developers know precisely what functionality is affected
• Teaching developers on how to
identify and assess
vulnerabilities on every sprint
• Training sessions for developers
• Raising awareness in application
security field in your
organization
Useful links
• Project: https://www.owasp.org/index.php/OWASP_Cornucopia
• Rules explained on Youtube: https://www.youtube.com/watch?v=i5Y0akWj31k
• Presentation from OWASP EEE (Hungary): http://www.slideshare.net/OWASPEEE/hungary-i-play-jack-of-information-disclosure
OWASP SKF
(Security Knowledge Framework)
In short
OWASP SKF is a fully open-source Python-Flask expert system web application that uses the OWASP Application Security Verification Standard and code examples and can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3)
„we decided to develop a proof of concept framework in order to create a guide system available for all developers so they can develop applications secure by design"
http://secureby.design
Idea behind
The four core uses of SKF:
• Security Requirements ASVS for development and third party vendor
applications
• Security knowledge reference (code examples/ knowledge base items)
• Security is part of design with the pre-development functionality in SKF
• Security post-development functionality in SKF for verification with the
ASVS
Installation
Super-easy! Supported ways to install it:
• Automated installation with Chef
• AWS by using CloudFormation
• … or manually as you would do with any other
Python project: sudo pip install owasp-skf
https://github.com/blabla1337/skf-flask#installing
https://demo.securityknowledgeframework.org
admin : test-skf
Overview
SKF: Projects
This is where you start.
SKF: Pre-development stage
Definition of a technology stack
Adding different functionalities to the system:
• Access controls / login systems
• Registration
• Submit forms
• External XML files
• File uploads
• SQL commands…
SKF: Pre-development stage
First assessment and security recommendations
for selected functionality
SKF: Post-development stage
• Double-check your app by means of pre-defined or custom checklists
• ASVS-based checklists for different levels of criticality of the application are auto-generated after the pre-development stage!
• After providing answers to clear and simple questions, reports with failed items are ready to be downloaded and prioritized
SKF: Post-development stage
Failed items and recommendations can be viewed in
the application, or exported for further processing
SKF: Knowledge Base
• „Use info, do not get hacked, profit!”
• Multiple options of secure design patterns with
examples
• Gives a good understanding for developers not only
about what to fix but also why to do so
SKF: Knowledge Base
Descriptions, solutions and many
different language-agnostic patterns
SKF: Code examples
• We were talking about generic secure patterns so far
• Code examples with extensive comments provide
ready-to-use solutions on how to do things right!
• Currently supported languages: PHP, .NET and Java
(soon ☺)
SKF: Code examples
Can be reused directly, and have
extensive comments to know
how and why to fix an issue
SKF: Improve yourself!
• Cherry on top of a pie: you can easily add your use-cases
and adjust it as you like!
• Checklists, knowledge base items and code examples are written in markdown and appear immediately in your panel
Template of a knowledge base item:
Directory/path traversal        <-- name as seen in the drop-down head
-------
**Example:**                    <-- bold separator telling where the example starts
    /*
    Your code has to be indented by 4 spaces (a tab) for the markdown engine to
    interpret it as code
    */
Benefits for you
• Guide to secure programming
• Security by design, not implementing it afterwards
• Security awareness
• Informs about threats even before a single line of code is written
• Central place for security reference
• Provides information applicable to specific needs on the spot
Useful links
• Project: http://secureby.design
• Source code: https://github.com/blabla1337/skf-flask
• SKF workshop (DevOpsDays 2015): https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf
Appsec Pipeline
Software development lifecycle today
The AppSec pipeline project
• Place to gather together information,
techniques and tools to create your own
AppSec pipeline
• Right now: AppSec pipeline patterns and tools
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
Example of workflow
- Code written
- Code committed to repository
- Unit test the code
- Package the code for deployment
- Integration testing
- Deploy code in production
Pipeline design patterns
Security tools evaluation criteria
• API first
• Pipeline position
• Cloud scalable
• Runs as a service
• Client libraries
• CI/CD plugins
What is OWASP ZAP?
• Webapp security testing tool
• Free and open source
• Written in Java → cross platform
https://www.owasp.org/index.php/ZAP
OWASP ZAP Features
• GUI, headless and REST API
• Intercepting proxy
• Classic and AJAX spiders
• Passive and active scanning
• … and of course can be extended via addons!
Addons
How can it all help me???
ZAP for pentests
• Configure your browser to use ZAP as a proxy
• Explore the application manually
• Use the spider to find other content and input points
• See what security issues the passive scanner has found
• Use the active scanner to find vulnerabilities
• Do manual pentesting 😎
ZAP as a part of your appsec pipeline
The baseline scan:
• Simple inline security control
• Mass scan of a big number of targets
• Post-release (production) control
Full scan:
• Regular heavy asynchronous scan
• More power and integration into your infrastructure and processes
The baseline scan
• Uses Docker
• Only passive scanning (no attack traffic, so it is safe to point at production)
• Time-limited spider of the target
• By default warns on all issues:
– Missing / incorrect security headers like CSP
– Cookie problems
– Information / error disclosure
– Missing CSRF tokens etc.
The baseline scan example
$ docker run -t owasp/zap2docker-weekly zap-baseline.py -t https://oxdef.info
...
Total of 81 URLs
PASS: Cookie No HttpOnly Flag [10010]
...
WARN: Web Browser XSS Protection Not Enabled [10016] x 52
https://oxdef.info
...
FAIL: 0 WARN: 5 INFO: 0 IGNORE: 0 PASS: 21
1 n33d m0re p0w3r!
• REST API is your choice 😏
• zap.sh -daemon -host 0.0.0.0 -port 8080
• Binding to 0.0.0.0 exposes the scanner to the whole network: set an API key (-config api.key=<key>) and pass it with every call as the apikey parameter, or stay on 127.0.0.1
• http(s)://zap/<format>/<component>/<operation>/<op name>[/?<params>]
• Also available in the Docker image owasp/zap2docker-*
• Maps closely to the UI / code
• JSON, HTML and XML formats
• Clients in: Java, Python, NodeJS, .Net, PHP, Go ...
Simple scan using API and client in Python
import time
from pprint import pprint
from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4

target = 'http://some-target.com'
zap = ZAPv2()  # talks to the daemon on http://127.0.0.1:8080; pass apikey='...' if one is set

# spider first, so the active scanner has URLs to attack
scanid = zap.spider.scan(target)
while int(zap.spider.status(scanid)) < 100:
    print('Spider progress %: ' + zap.spider.status(scanid))
    time.sleep(2)

scanid = zap.ascan.scan(target)
while int(zap.ascan.status(scanid)) < 100:
    print('Scan progress %: ' + zap.ascan.status(scanid))
    time.sleep(5)

pprint(zap.core.alerts())
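The client snippet above prints everything and stops there. What a pipeline needs in addition is the raw URL scheme from the REST API slide, a poll loop that cannot hang forever, and a decision on the alerts. The following is an added example written for this page, not ZAP's own code or the client library's: it assumes a ZAP daemon on 127.0.0.1:8080 started with -config api.key=change-me, the python-owasp-zap-v2.4 client for run_scan() only, and a constructed SAMPLE_ALERTS list in the shape of zap.core.alerts() output so the triage part runs offline.

```python
"""Drive the ZAP REST API from Python and gate a pipeline on the result.

Added example, not ZAP's own code. Assumptions: a ZAP daemon started with
  zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.key=change-me
and, for run_scan() only, the python-owasp-zap-v2.4 client. SAMPLE_ALERTS
is constructed to mimic the records zap.core.alerts() returns."""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"   # assumed daemon address
ZAP_API_KEY = "change-me"            # assumed; set via -config api.key=...


def api_url(component, kind, name, params=None, fmt="JSON",
            base=ZAP_BASE, apikey=ZAP_API_KEY):
    """Build <base>/<format>/<component>/<view|action>/<name>/?<params>.

    Through the proxy the same path is reachable as http://zap/...; here we
    talk to the daemon port directly. The API key rides on every call;
    ZAP refuses calls that lack it."""
    query = dict(params or {})
    query["apikey"] = apikey
    return "%s/%s/%s/%s/%s/?%s" % (base, fmt, component, kind, name,
                                   urllib.parse.urlencode(query))


def call_api(component, kind, name, params=None):
    """Perform one JSON API call and return the decoded body (needs ZAP)."""
    with urllib.request.urlopen(api_url(component, kind, name, params)) as r:
        return json.loads(r.read().decode("utf-8"))


def wait_for(progress, scan_id, timeout, interval=5):
    """Poll a 0..100 status function until it reports 100; fail on timeout
    instead of hanging the pipeline forever."""
    deadline = time.monotonic() + timeout
    while int(progress(scan_id)) < 100:
        if time.monotonic() > deadline:
            raise TimeoutError("scan %s exceeded %ss" % (scan_id, timeout))
        time.sleep(interval)


def run_scan(target, timeout=1800):
    """Spider, then active-scan, then fetch alerts via the official client."""
    from zapv2 import ZAPv2          # pip install python-owasp-zap-v2.4
    zap = ZAPv2(apikey=ZAP_API_KEY,
                proxies={"http": ZAP_BASE, "https": ZAP_BASE})
    wait_for(zap.spider.status, zap.spider.scan(target), timeout)
    wait_for(zap.ascan.status, zap.ascan.scan(target), timeout)
    return zap.core.alerts(baseurl=target)


RISK_ORDER = ("Informational", "Low", "Medium", "High")


def triage(alerts, fail_at="High"):
    """Collapse alerts to unique (rule, URL) pairs, count them per risk and
    decide whether the build fails. Returns (counts, failed, offenders)."""
    threshold = RISK_ORDER.index(fail_at)
    seen, offenders = set(), []
    counts = {risk: 0 for risk in RISK_ORDER}
    for a in alerts:
        key = (a["pluginId"], a["url"])
        if key in seen:              # ZAP reports one alert per instance
            continue
        seen.add(key)
        counts[a["risk"]] += 1
        if RISK_ORDER.index(a["risk"]) >= threshold:
            offenders.append("%s [%s] %s" % (a["alert"], a["pluginId"], a["url"]))
    return counts, bool(offenders), offenders


# Constructed sample in the shape of zap.core.alerts() output, trimmed to the
# fields triage() reads. The first two records are the same finding twice.
SAMPLE_ALERTS = [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "url": "http://some-target.com/search?q=x"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "url": "http://some-target.com/search?q=x"},
    {"pluginId": "10016", "alert": "Web Browser XSS Protection Not Enabled",
     "risk": "Low", "url": "http://some-target.com/"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "http://some-target.com/"},
]

if __name__ == "__main__":
    counts, failed, offenders = triage(SAMPLE_ALERTS)
    print(counts, "FAIL" if failed else "PASS")
    for line in offenders:
        print("  " + line)
```

In a real pipeline call run_scan(target) and feed its result to triage(); start with fail_at="High" so the gate does not block on header warnings on day one, then tighten it. The timeout matters: an active scan against a large site can run for hours, and a build step that never finishes is worse than one that fails.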
Cheat Sheet Series
• «The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics»
• You can browse it online or get it as a PDF book
• Mostly fresh and current topics
https://www.owasp.org/index.php/Cheat_Sheets
3rd party JavaScript management
The invocation of 3rd party JS code in a web application requires consideration for 3 risks in particular:
• The loss of control over changes to the client application
• The execution of arbitrary code on client systems
• The disclosure or leakage of sensitive information to 3rd parties
https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet
XSS Prevention
RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
Except for alphanumeric characters, escape all characters less than 256 with the \xHH format to prevent switching out of the data value into the script context or into another attribute. This covers values placed inside a quoted JS string only; it is not a licence to build code from untrusted data.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
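Rule #3 in code, as an added example for this page (not the cheat sheet's own implementation). The greeting page template and the JS variable name are assumed; the payloads are constructed. It goes one step past the rule's wording by also handling code points above 255 (as \uHHHH, with surrogate pairs above U+FFFF), which is what you need for the U+2028/U+2029 line terminators that can break a script block without ever appearing in the < 256 range.

```python
"""Rule #3 of the XSS Prevention Cheat Sheet in code: escape untrusted data
before it lands inside a JavaScript string literal. Added example, not the
cheat sheet's own code; the greeting page and the JS variable name are
assumed, the payloads are constructed."""


def js_escape(value):
    """Escape every character except ASCII letters and digits.

    Code points below 256 become \\xHH, the rest \\uHHHH (code points above
    U+FFFF as a UTF-16 surrogate pair). Quotes, backslashes, angle brackets
    and line terminators such as U+2028 all get encoded, so the value can
    neither end the string literal, nor the <script> element, nor an
    attribute the script sits in."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ("a" <= ch <= "z") or ("A" <= ch <= "Z") or ("0" <= ch <= "9"):
            out.append(ch)
        elif cp < 0x100:
            out.append("\\x%02X" % cp)
        elif cp <= 0xFFFF:
            out.append("\\u%04X" % cp)
        else:
            cp -= 0x10000
            out.append("\\u%04X\\u%04X" % (0xD800 + (cp >> 10),
                                           0xDC00 + (cp & 0x3FF)))
    return "".join(out)


def render_greeting(untrusted_name):
    """Assumed page template: the untrusted value is placed inside a quoted
    JS string. Only this context is safe for js_escape(); never build code
    (setTimeout("..."), eval) from escaped data."""
    return ("<script>var name = '%s'; greet(name);</script>"
            % js_escape(untrusted_name))


if __name__ == "__main__":
    for payload in ("O'Neil", "</script><script>alert(1)</script>", "\u2028"):
        print(render_greeting(payload))
```

The output is ugly (every punctuation mark becomes \xHH) but that is the point of the rule: the escaping does not depend on knowing which characters matter in which of the three nested contexts (JS string, script element, HTML attribute).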
XXE Prevention
Libxml2: the enum xmlParserOption should not have the following options set:
• XML_PARSE_NOENT: expands entities and substitutes them with replacement text
• XML_PARSE_DTDLOAD: loads the external DTD
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
Featured cheat sheets
• Clickjacking Defense
• Cross-Site Request Forgery (CSRF) Prevention
• Deserialization
• DOM based XSS Prevention
• REST Security
• Virtual Patching
Summary
• OWASP AppSec Pipeline helps you choose suitable tools and build your own AppSec pipeline
• OWASP ZAP is one of such tools. With it you can pentest a web app manually or automate web app security testing in your SDL
• OWASP Cheat Sheets help you in specific areas of application security
Testing Guide
OWASP Testing Guide Versions
• V1 – December 2004
• V2 – 25th December 2006
• V3 – 15th September 2008
– Configuration Management and Authorization Testing sections
• V4 – 2014
– Identity Management Testing
– Error Handling
– Cryptography
– Client Side Testing
Purpose
• The OWASP Testing Guide includes a "best
practice" penetration testing framework
which users can implement in their own
organizations and
• a "low level" penetration testing guide that
describes techniques for testing most
common web application and services security
issues.
Typical Testing Guide chapter
• Summary
• How to test
• Tools
• Remediation
• References
Example chapter: Fingerprint Web Application Framework
Why to test
• The guide also describes the steps that need to be undertaken to build and operate a testing program for web apps.
• An effective testing program covers:
– People
– Process
– Technology
• Testing just the technical implementation of an application will not uncover management or operational vulnerabilities that could be present
When to test
• Testing software only after it has already been created and is in the deployment phase of its life cycle is an ineffective and cost-prohibitive practice
• One of the best methods to prevent security bugs from appearing in production applications is to improve the SDLC by including security in each of its phases
Example: Testing Guide chapter on XXE
Summary
• Constant work in progress
• Anybody is welcome to collaborate
• Best practice for web penetration tests
OWASP Mobile Security Testing Guide
OWASP MSTG Leaders
• MSTG was initiated by Milan Singh Thakur in 2015. The original document was hosted on Google Drive and later moved to GitHub
• Bernhard Mueller (2016)
• Sven Schleier (2016)
OWASP MSTG
• MSTG is a manual for testing the security of
mobile apps. It describes technical processes
for verifying the controls listed in the MASVS
• MSTG is meant to provide a baseline set of
test cases for black-box and white-box security
tests, and to help ensure completeness and
consistency of the tests
MSTG Structure
• High-Level Guides
– Mobile Platforms Overview
– Security Testing Processes, Tools and Techniques
• Complementary
– Security Testing in the Application Development Lifecycle
– Tools
Typical MSTG chapter
• Summary
• White-box testing / Black-box testing
• Remediation
• References
• Tools
Typical MSTG chapter: practical examples of how to test it right, with tools, samples and references
Summary
• Constant work in progress
• Anybody is welcome to collaborate
• Best practice for mobile penetration tests
References
• https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
• https://github.com/OWASP/owasp-mstg
Foreword
• There are many projects happening right now (very good examples are MASVS and MSTG)
• There is a huge amount of work to do, so every small contribution is valuable
• Do something good today: contribute to OWASP Projects
CiNPA Security SIG - AppSec Presentation
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
Null singapore - Mobile Security Essentials
Null singapore - Mobile Security EssentialsNull singapore - Mobile Security Essentials
Null singapore - Mobile Security Essentials
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShare
 
香港六合彩<六合彩
香港六合彩<六合彩香港六合彩<六合彩
香港六合彩<六合彩
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShare
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
 

Mehr von OWASP

[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
OWASP
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale
OWASP
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
OWASP
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
OWASP
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
OWASP
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
OWASP
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019]  AST Platform and the importance of multi-layered application secu...[OPD 2019]  AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities
OWASP
 
[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing
OWASP
 
[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC
OWASP
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
OWASP
 

Mehr von OWASP (20)

[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
 
[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture
 
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019]  AST Platform and the importance of multi-layered application secu...[OPD 2019]  AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities
 
[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing
 
[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 
[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzing[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzing
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
 

Kürzlich hochgeladen

( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
nilamkumrai
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
@Chandigarh #call #Girls 9053900678 @Call #Girls in @Punjab 9053900678
 

Kürzlich hochgeladen (20)

VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 

[Wroclaw #5] OWASP Projects: beyond Top 10

  • 1. OWASP Projects: beyond Top 10 OWASP Poland Wroclaw Meetup #5 17.02.2017
  • 2. About us • Alexander Antukh • OWASP Poland Board Member • Head of Product Security at • @c0rdis
  • 3. About us • Marek Puchalski • OWASP Poland member • Developer and Security Consultant at Capgemini • https://marek.puchal.ski
  • 4. About us • Pawel Rzepa • Security Engineer in Intive • Contributor in OWASP MSTG (Mobile Security Testing Guide)
  • 5. About us • Andrii Sygida • OWASP Poland almost member • Application security specialist at
  • 6. About us • Daniel Ramirez • OWASP Member • Security Specialist in EY • Hands-on VA experience in the different kinds of apps.
  • 7. Thank you for the support!
  • 8. Motivation • Top 10 is a de-facto standard in Webappsec world • OWASP is mostly associated with it … • but there are many more! As of 2016, there are 133 different projects, which can help you whether you are on attacker’s or defender’s parts of the barricades!
  • 9. Program for today ZAP WebGoat OWTF
  • 10. Program for today (M)ASVS CheatSheets Cornucopia SKF Pipeline Testing Guides
  • 11. Let the fun begin!
  • 12. Agenda • Problem 1: efficient security training • Solution: WebGoat • Problem 2: efficient management of multiple penetration testing tasks • Solution: Offensive Web Testing Framework
  • 13. Problem of efficient security training …and XSS allows you injecting such horrifying pop up windows!!! Security awareness trainings for developers are quite common, but reality shows they are still ineffective :(
  • 14. Problem of efficient security training
  • 15. What about… Finally a security training which isn’t an online course to fly through and forget! Internal course that is free and isn’t a corpo- bullshit?! Cannot believe that… …arranging internal hands- on labs for developers and testers, where they can deeply understand vulnerabilities by finding and fixing them?
  • 16.
  • 17. WebGoat: few words about • A deliberately insecure Java-based (or .Net-based: https://www.owasp.org/index.php/WebGoatFor.Net) application, which allows you to test common vulnerabilities • 50+ lessons • After finding a vulnerability, learn to fix it! • Easily manageable lessons via plugins • You can create your own lessons and easily customize their content and language
  • 18. Not only web apps… • Ruby on Rails: OWASP Rails Goat Project • PHP: OWASP WebGoatPHP • Node.js: OWASP Node_js Goat Project • Android: OWASP GoatDroid Project • iOS: OWASP iGoat Project
  • 19. WebGoat: how to run? • Prerequisites: Java VM 1.8 • To start, just follow these commands: $> wget https://github.com/WebGoat/WebGoat/releases/download/7.0.1/webgoat-container-7.0.1-war-exec.jar $> java -jar webgoat-container-7.0.1-war-exec.jar • Open in your browser: http://localhost:8080/WebGoat/ • That’s all!
  • 22. WebGoat: creating your own lesson • Plugin = lesson • Create NewLesson.java: https://www.owasp.org/index.php/How_to_write_a_new_WebGoat_lesson • A plugin is just a folder, which follows this format:
  • 23. WebGoat: useful links • Project: https://www.owasp.org/index.php/Category:OWASP_WebGoat _Project • Documentation: https://github.com/WebGoat/WebGoat
  • 24. Problem: how to efficiently manage outputs from many different applications? • Each pentester uses many different applications (vuln scanner, web crawler, SSL/TLS tests, session management tests) • Running each of those tests consumes time, right? • It’s easy to automate those tasks, but analysing a consolidated output is much more difficult :( • And finally you have to form a readable report from all those tests… • …oooh… :(
  • 25. Typical penetration testing process <which generates lots of output> <cpy/pst interesting parts> …of course in notepad ;) (…) <runs a lot of tests>
  • 26.
  • 27. OWTF: Idea of the project • The goal of OWTF is to use penetration testing time as efficiently as possible. It does this by: • Running different tools (Nikto/Arachni/w3af/etc.) • Running direct tests (header searches/session tests/etc.) • Knowledge repository (OWASP mapping/resource links) • Helping human analysis (flag severity/manage output) • In other words, OWTF provides an optimal balance between automation and human analysis
  • 28. OWTF: Installation • Want to quickly start? Follow this one-liner: $> wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh
  • 29. OWTF
  • 30. OWTF: Set a target
  • 31. OWTF: Choose plugins and run! Plugin types shown on the slide, for testing web apps and for testing network services: sends normal traffic to target; active vulnerability probing; probing services (e.g. FTP/SMB); assist manual testing; searches on HTTP transactions; test via 3rd parties (no traffic to target)
  • 32.
  • 33. OWTF: Useful links • Project: https://www.owasp.org/index.php/OWASP_OWTF • Documentation: http://docs.owtf.org/en/latest/ • Online passive scanner: https://owtf.github.io/online-passive-scanner
  • 34. Summary • Use OWASP WebGoat to provide efficient security trainings in your company. • Use OWASP OWTF to automate your penetration testing tasks. It lets you analyse test output easily and create reports quickly.
  • 35.
  • 36. OWASP ASVS (Application Security Verification Standard)
  • 37. Application Security Standards in use SANS Institute, May 2015, State of Application Security: Closing the Gap https://www.sans.org/reading-room/whitepapers/analyst/2015-state-application-security-closing-gap-35942
  • 38. In short OWASP Application Security Verification Standard (ASVS) is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is.
  • 40. Example requirements • Architecture and design • Input handling • Data protection • Session management • Error handling • Business logic • Configuration • Web services • 19 sections in total • Every chapter has control objective, reqs and references
  • 41. First introduced: June 2008 ASVS v1.0: 2009 ASVS v2.0: 2014 ASVS v3.0: 2015 Current version: v3.0.1 (July 2016) History
  • 42. Idea behind • Use as a metric - provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications • Use as guidance - provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements • Use during procurement - provide a basis for specifying application security verification requirements in contracts
  • 43. Application Security Verification Levels • ASVS Level 3 – for applications that „shoot missiles” ;) • ASVS Level 2 – for applications that contain sensitive data • ASVS Level 1 – for all software
  • 44. Benefits for you • Helps you to develop and maintain secure applications • Contains clear and ready-to-use high level checklists and use cases • Allows you as well as security services, vendors, and consumers to align requirements and offerings
  • 45. More ideas • Train your developers in AppSec • Take your standard software architecture and prepare standard security solutions Open Application Standard Platform (OASP) https://oasp.github.io/
  • 46. Projects based on ASVS • Secure Knowledge Framework - training developers in writing secure code and providing a knowledge base of secure design patterns • Zed Attack Proxy - easy to use integrated penetration testing tool for finding vulnerabilities in web applications, both automatically and manually • Cornucopia - mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.
  • 47. Useful links • Project: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project • Excel checklist: https://github.com/OWASP/ASVS/blob/master/ASVS-excel-v3.0.1.xlsx • OWASP ASVS mailing list https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
  • 48. OWASP MASVS (Mobile Application Security Verification Standard)
  • 49. Current state Mobile web usage overtakes desktop for first time http://www.telegraph.co.uk/technology/2016/11/01/mobile-web-usage-overtakes-desktop-for-first-time/
  • 50. In short • There is a significant difference between security assurance of web and mobile applications • MASVS is to mobiles, what ASVS is to web • The project is work in progress (v0.9.2 is currently available)
  • 52. Mobile Security Verification Levels The following assurance levels are possible: L1, L1 + L2, but also L1 + R and L1 + L2 + R.
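The level rules on the ASVS slide (Level 1 for all software, Level 2 and 3 building on it) and the MASVS profiles just listed (L1, L1 + L2, L1 + R, L1 + L2 + R) can be checked mechanically against checklist answers. The block below is an added example, not code from the slides or from the ASVS/MASVS projects. The requirement IDs and texts are constructed placeholders, not real (M)ASVS requirement numbers; the profile rules are the MASVS ones from the slide: L1 is the baseline, and L2 and R only count on top of a clean L1.

```python
"""Work out which (M)ASVS verification profile a checklist result supports.

Added example, not from the OWASP Poland slides, the ASVS or the MASVS
project. Requirement IDs and texts are constructed placeholders, not real
(M)ASVS requirement numbers. Profile rules follow the slide: L1 is the
baseline, L2 builds on L1, and R (resiliency against reverse engineering)
can only be claimed on top of L1 or L1+L2.
"""
from typing import Dict, List, Optional

# Constructed checklist. "levels" says which profile(s) demand the control.
REQUIREMENTS: List[Dict] = [
    {"id": "STORAGE-01", "levels": {"L1"}, "text": "Credentials are kept in the platform credential store"},
    {"id": "STORAGE-02", "levels": {"L2"}, "text": "Sensitive data is excluded from backups and screenshots"},
    {"id": "NETWORK-01", "levels": {"L1"}, "text": "All traffic uses TLS with valid certificates"},
    {"id": "NETWORK-02", "levels": {"L2"}, "text": "The server certificate or public key is pinned"},
    {"id": "RESILIENCE-01", "levels": {"R"}, "text": "The app detects a rooted or jailbroken device"},
    {"id": "RESILIENCE-02", "levels": {"R"}, "text": "The app detects an attached debugger"},
]

# The only combinations the slide allows; R or L2 never appear without L1.
VALID_PROFILES = ("L1", "L1+L2", "L1+R", "L1+L2+R")


def failed_items(answers: Dict[str, bool], level: str) -> List[str]:
    """IDs of the requirements tagged with `level` that were answered 'no' (or not at all)."""
    return [r["id"] for r in REQUIREMENTS
            if level in r["levels"] and not answers.get(r["id"], False)]


def achieved_profile(answers: Dict[str, bool]) -> Optional[str]:
    """Highest profile the answers support, or None when even L1 fails.

    L2 and R are only added on top of a clean L1, so an app that passes every
    R item but fails one L1 item gets no profile at all."""
    if failed_items(answers, "L1"):
        return None
    parts = ["L1"]
    if not failed_items(answers, "L2"):
        parts.append("L2")
    if not failed_items(answers, "R"):
        parts.append("R")
    profile = "+".join(parts)
    assert profile in VALID_PROFILES  # by construction, documents the slide's rule
    return profile


def report(answers: Dict[str, bool]) -> Dict[str, List[str]]:
    """Failed items grouped by level, the shape a post-development checklist export takes."""
    return {level: failed_items(answers, level) for level in ("L1", "L2", "R")}


if __name__ == "__main__":
    # Constructed answers: pinning not implemented, everything else in place.
    answers = {r["id"]: True for r in REQUIREMENTS}
    answers["NETWORK-02"] = False
    print(achieved_profile(answers))  # L1+R
    print(report(answers))            # {'L1': [], 'L2': ['NETWORK-02'], 'R': []}
```

The edge case worth noticing is the third assertion in the usage: passing every R item while failing one L1 item yields no profile at all, which is exactly what „L1 + R” rather than „R” on the slide means.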
  • 53. Requirements • Architecture, Design and Threat Modelling • Data Storage and Privacy • Cryptography • Authentication and Session Management • Network Communication • Environmental Interaction • Code Quality and Build Setting • Resiliency Against Reverse Engineering
  • 55.
  • 57. In short OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic. Cornucopia is based on the concepts and game ideas from Microsoft SDL EoP game and OWASP Secure Coding Practices Guide. OWASP Cornucopia Ecommerce Website Edition is in the current Payment Card Industry Security Standards Council information supplement PCI DSS E-commerce Guidelines v2, January 2013
  • 58. Idea behind • Help development teams to identify application security requirements and develop security-based user stories • Aimed at first place at Agile-based methodologies • Gamification approach to threat modeling
  • 59. Cornucopia card Suit Rank Threat References: - Secure Coding Practices - ASVS - AppSensor project - Common Attack Pattern (CAPEC) - Software Assurance Forum for Excellence in Code (SAFECode)
  • 60. Cornucopia rules • Prepare everything (deck, cards, data flow diagram, prizes…) • Deal all the cards • Play a round – every player has to utilize one card of the selected suit. Highest played card in the suit wins and starts next round until all cards are played • Count points and define the winner • Closure: review all threats and matching security requirements https://www.owasp.org/index.php/OWASP_Cornucopia#tab=How_to_Play
  • 61. Cornucopia rules Playing a card: • each player reads it out loud • explains how the threat could apply (or not) to his application • player gets a point for attacks that work, and the group thinks it is an actionable bug At this point we don’t think of mitigations and don’t exclude a threat just because it is believed it is already mitigated – the card should be recorded on the score sheet anyway
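The round, scoring and closure rules from the two slides above, carried through in code as an added example; it is not from the slides or from the Cornucopia project. The suit names are those of the Cornucopia Ecommerce Website Edition deck; the threat text on each card is constructed for the simulation and is not real card text.

```python
"""Score Cornucopia rounds with the rules given on the slides.

Added example, not from the OWASP Poland slides or the Cornucopia project.
Suit names follow the Ecommerce Website Edition deck; the threat text on
each card is constructed for the simulation, not real card text.
"""
from dataclasses import dataclass, field
from typing import Dict, List

RANKS = ["2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K", "A"]
RANK_VALUE = {rank: i for i, rank in enumerate(RANKS)}
SUITS = ("Data validation & encoding", "Authentication", "Session management",
         "Authorization", "Cryptography", "Cornucopia")


@dataclass(frozen=True)
class Card:
    suit: str
    rank: str
    threat: str  # constructed description, read out loud when the card is played


@dataclass(frozen=True)
class Play:
    player: str
    card: Card
    applies: bool                     # the group agrees the attack works and is an actionable bug
    believed_mitigated: bool = False  # recorded anyway: mitigations are not discussed at this point


@dataclass
class ScoreSheet:
    rounds: List[List[Play]] = field(default_factory=list)
    points: Dict[str, int] = field(default_factory=dict)
    leaders: List[str] = field(default_factory=list)  # who starts each following round


def play_round(plays: List[Play], sheet: ScoreSheet) -> str:
    """Resolve one round and return the player who leads the next one.

    Every player plays one card of the selected suit; the highest rank wins the
    round. A point is scored per card whose threat the group accepts as an
    actionable bug, and every played card lands on the score sheet, whether or
    not someone believes it is already mitigated."""
    suits = {p.card.suit for p in plays}
    if len(suits) != 1:
        raise ValueError(f"all cards in a round must be of the selected suit, got {sorted(suits)}")
    if len({p.player for p in plays}) != len(plays):
        raise ValueError("each player plays exactly one card per round")
    sheet.rounds.append(list(plays))
    for p in plays:
        sheet.points[p.player] = sheet.points.get(p.player, 0) + (1 if p.applies else 0)
    winner = max(plays, key=lambda p: RANK_VALUE[p.card.rank]).player
    sheet.leaders.append(winner)
    return winner


def overall_winner(sheet: ScoreSheet) -> str:
    """Player with the most points once all cards are played."""
    return max(sheet.points, key=sheet.points.get)


def closure_review(sheet: ScoreSheet) -> List[str]:
    """Threats to turn into security requirements: every accepted card, in play order."""
    return [p.card.threat for rnd in sheet.rounds for p in rnd if p.applies]


if __name__ == "__main__":
    sheet = ScoreSheet()
    # Constructed cards and verdicts for a two-round game between three players.
    auth = lambda rank, text: Card("Authentication", rank, text)
    crypto = lambda rank, text: Card("Cryptography", rank, text)
    leader = play_round([
        Play("alice", auth("5", "Login form does not limit failed attempts"), applies=True),
        Play("bob", auth("K", "Password reset token is predictable"), applies=True, believed_mitigated=True),
        Play("carol", auth("9", "Credentials are accepted over plain HTTP"), applies=False),
    ], sheet)
    play_round([
        Play(leader, crypto("A", "Home-grown cipher protects stored card data"), applies=False),
        Play("alice", crypto("3", "TLS configuration allows obsolete protocol versions"), applies=True),
        Play("carol", crypto("10", "Encryption keys are checked into the repository"), applies=True),
    ], sheet)
    print(overall_winner(sheet), sheet.points)
    print(closure_review(sheet))
```

Note that bob wins both rounds on card rank yet alice wins the game on points: rank decides who leads, points come only from threats the group accepts as real bugs, and bob's „already mitigated” card still counts and still goes on the sheet for the closure review.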
  • 63. Cornucopia deck • Clear who said what • Exact descriptions of threats • Actionable items • Developers know precisely what functionality is affected
  • 64. Benefits for you • Teaching developers on how to identify and assess vulnerabilities on every sprint • Training sessions for developers • Raising awareness in application security field in your organization
  • 65. Useful links • Project: https://www.owasp.org/index.php/OWASP_Cornucopia • Rules explained on Youtube: https://www.youtube.com/watch?v=i5Y0akWj31k • Presentation from OWASP EEE (Hungary): http://www.slideshare.net/OWASPEEE/hungary-i-play-jack-of-information-disclosure
  • 67. In short OWASP SKF is a fully open-source Python-Flask expert system web application that uses the OWASP Application Security Verification Standard and code examples, and can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3). „we decided to develop a proof of concept framework in order to create a guide system available for all developers so they can develop applications secure by design” http://secureby.design
  • 68. Idea behind The 4 Core usage of SKF: • Security Requirements ASVS for development and third party vendor applications • Security knowledge reference (code examples/ knowledge base items) • Security is part of design with the pre-development functionality in SKF • Security post-development functionality in SKF for verification with the ASVS
  • 69. Installation Super-easy! Supported ways to install it: • Automated installation with Chef • AWS by using CloudFormation • … or manually as you would do with any other Python project: sudo pip install owasp-skf https://github.com/blabla1337/skf-flask#installing
  • 71. SKF: Projects That’s what you start with for the very beginning
  • 72. SKF: Pre-development stage Definition of a technology stack Adding different functionalities to the system: • Access controls / login systems • Registration • Submit forms • External XML files • File uploads • SQL commands…
  • 73. SKF: Pre-development stage First assessment and security recommendations for selected functionality
  • 74. SKF: Post-development stage • Double-check your app by means of pre-defined or custom checklists • ASVS-based checklists for different levels of criticality of the application are auto-generated after pre- development stage! • After providing answers to clear and simple questions, reports with failed items are ready to be downloaded and prioritized
  • 75. SKF: Post-development stage Failed items and recommendations can be viewed in the application, or exported for further processing
  • 76. SKF: Knowledge Base • „Use info, do not get hacked, profit!” • Multiple options of secure design patterns with examples • Gives a good understanding for developers not only about what to fix but also why to do so
  • 77. SKF: Knowledge Base Descriptions, solutions and many different language-agnostic patterns
  • 78. SKF: Code examples • We were talking about generic secure patterns so far • Code examples with extensive comments provide ready-to-use solutions on how to do things right! • Currently supported languages: PHP, .NET and Java (soon ☺)
  • 79. SKF: Code examples Can be reused directly, and have extensive comments to know how and why to fix an issue
• 80. SKF: Improve yourself!
  – Cherry on top of the pie: you can easily add your own use cases and adjust it as you like!
  – Checklists, knowledge base items and code examples must follow the markdown layout below; they then appear immediately in your panel:

    Directory/path traversal          <-- name as seen in the drop-down head
    -------
    **Example:**                      <-- bold separator telling where the example starts

        /* Your code has to be indented by 4 spaces (a tab) in order for the
           markdown engine to know it has to interpret this as code */
• 81. Benefits for you
  – Guide to secure programming
  – Security by design, not bolted on afterwards
  – Security awareness
  – Informs about threats before a single line of code is written
  – Central place for security reference
  – Provides information applicable to your specific needs on the spot
• 82. Useful links
  – Project: http://secureby.design
  – Source code: https://github.com/blabla1337/skf-flask
  – SKF workshop (DevOpsDays 2015): https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf
  • 86. The AppSec pipeline project • Place to gather together information, techniques and tools to create your own AppSec pipeline • Right now: AppSec pipeline patterns and tools https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
• 87. Example of workflow
  – Code written
  – Code committed to repository
  – Unit test the code
  – Package the code for deployment
  – Integration testing
  – Deploy code in production
• 90. Security tools evaluation criteria
  – API first
  – Pipeline position
  – Cloud scalable
  – Runs as a service
  – Client libraries
  – CI/CD plugins
  • 92. What is OWASP ZAP? • Webapp security testing tool • Free and open source • Written in Java → cross platform https://www.owasp.org/index.php/ZAP
  • 93. OWASP ZAP Features • GUI, headless and REST API • Intercepting proxy • Classic and AJAX spiders • Passive and active scanning • … and of course can be extended via addons!
  • 95. How can it all help me???
• 96. ZAP for pentests
  – Configure your browser to use ZAP as a proxy
  – Explore the application manually
  – Use the spider to find other content and input points
  – See what security issues the passive scanner has found
  – Use the active scanner to find vulnerabilities
  – Do manual pentesting 😎
• 97. ZAP as a part of your appsec pipeline
  The baseline scan
  – Simple inline security control
  – Mass scan of a big number of targets
  – Post-release (production) control
  Full scan
  – Regular heavy asynchronous scan
  – More power and integration into your infrastructure and processes
• 98. The baseline scan
  – Runs in Docker
  – Only passive scanning
  – Time-limited spider of the target
  – By default warns on all issues:
    – Missing / incorrect security headers like CSP
    – Cookie problems
    – Information / error disclosure
    – Missing CSRF tokens etc.
• 99. The baseline scan example
  $ docker run -t owasp/zap2docker-weekly zap-baseline.py -t https://oxdef.info
  ...
  Total of 81 URLs
  PASS: Cookie No HttpOnly Flag [10010]
  ...
  WARN: Web Browser XSS Protection Not Enabled [10016] x 52
      https://oxdef.info
  ...
  FAIL: 0 WARN: 5 INFO: 0 IGNORE: 0 PASS: 21
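Turning that output into the "simple inline security control" of the previous slide, as an added example (this is not code from the slides or from the ZAP project): a Python gate that parses what zap-baseline.py prints, breaks the build on FAIL (and optionally on WARN), and writes the per-rule decisions file for the -c option. SAMPLE_OUTPUT is a constructed excerpt modelled on the slide; the tab-separated layout of the rule file is assumed to match what zap-baseline.py -g generates.

```python
import re

# Constructed excerpt in the shape of zap-baseline.py output (rule names and ids
# are ZAP's, the totals line is taken from the slide and is not consistent with
# the two WARN lines kept here, exactly like the truncated slide).
SAMPLE_OUTPUT = """\
Total of 81 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
WARN: Web Browser XSS Protection Not Enabled [10016] x 52
\thttps://oxdef.info
WARN: X-Frame-Options Header Not Set [10020] x 52
\thttps://oxdef.info
FAIL: 0\tWARN: 5\tINFO: 0\tIGNORE: 0\tPASS: 21
"""

# One line per rule:   WARN: <name> [<id>] x <instances>   (x N absent for PASS)
RULE_LINE = re.compile(
    r"^(PASS|WARN|FAIL|INFO|IGNORE): (.+) \[(\d+)\](?: x (\d+))?\s*$", re.M)
# Final totals line:   FAIL: 0 WARN: 5 INFO: 0 IGNORE: 0 PASS: 21
TOTALS_LINE = re.compile(
    r"FAIL: (\d+)\s+WARN: (\d+)\s+INFO: (\d+)\s+IGNORE: (\d+)\s+PASS: (\d+)")


def parse_baseline_output(text):
    """Return {'rules': [...], 'totals': {...} or None} for one baseline run."""
    rules = [
        {"status": m.group(1), "name": m.group(2), "id": int(m.group(3)),
         "count": int(m.group(4)) if m.group(4) else 0}
        for m in RULE_LINE.finditer(text)
    ]
    m = TOTALS_LINE.search(text)
    totals = None
    if m:
        totals = dict(zip(("FAIL", "WARN", "INFO", "IGNORE", "PASS"),
                          map(int, m.groups())))
    return {"rules": rules, "totals": totals}


def should_fail(result, treat_warn_as_fail=False):
    """Pipeline gate: FAIL always breaks the build, WARN only if you opt in.

    A missing totals line means the scan did not finish (timeout, crash,
    target unreachable); fail closed rather than let an unscanned release out.
    """
    totals = result["totals"]
    if totals is None:
        return True
    return totals["FAIL"] > 0 or (treat_warn_as_fail and totals["WARN"] > 0)


def rule_config(result, decisions):
    """Contents of the file for zap-baseline.py -c.

    `decisions` maps rule id -> IGNORE | WARN | FAIL; unlisted rules keep WARN.
    Layout (id, action, name in parentheses, tab-separated) is an assumption
    matching the file zap-baseline.py -g writes; only id and action are read.
    """
    lines = ["# zap-baseline rule configuration file (generated by rule_config)",
             "# Change WARN to IGNORE to ignore a rule or FAIL to fail if it matches"]
    for rule in result["rules"]:
        action = decisions.get(rule["id"], "WARN")
        if action not in ("IGNORE", "WARN", "FAIL"):
            raise ValueError("bad action %r for rule %d" % (action, rule["id"]))
        lines.append("%d\t%s\t(%s)" % (rule["id"], action, rule["name"]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # In a pipeline the text comes from:
    #   docker run -t owasp/zap2docker-weekly zap-baseline.py -t https://target -c rules.conf
    result = parse_baseline_output(SAMPLE_OUTPUT)
    print(rule_config(result, {10016: "IGNORE", 10020: "FAIL"}))
    raise SystemExit(1 if should_fail(result, treat_warn_as_fail=True) else 0)
```

Promote a rule from WARN to FAIL only after it has been clean for a while on that target; otherwise the first thing a team learns about an inline control is how to make it IGNORE everything.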
• 101. 1 n33d m0re p0w3r!
  – The REST API is your choice 😏
  – zap.sh -daemon -host 0.0.0.0 -port 8080
  – http(s)://zap/<format>/<component>/<operation>/<op name>[/?<params>]
  – Also available in the Docker image owasp/zap2docker-*
  – Maps closely to the UI / code
  – JSON, HTML and XML formats
  – Clients in: Java, Python, NodeJS, .Net, PHP, Go ...
  Caveat: since ZAP 2.4 the API requires a key by default (set one with -config api.key=<key>, or switch the check off with -config api.disablekey=true), and -host 0.0.0.0 exposes the daemon, and with it the ability to drive scans through your proxy, to the whole network, so bind it like that only inside an isolated container or host.
• 102. Simple scan using API and client in Python

  import time
  from pprint import pprint
  from zapv2 import ZAPv2   # pip install python-owasp-zap-v2.4

  target = 'http://some-target.com'
  # Daemon on localhost:8080 (the client's default); pass the key you started ZAP with
  zap = ZAPv2(apikey='changeme')
  scanid = zap.spider.scan(target)
  while int(zap.spider.status(scanid)) < 100:
      print('Spider progress %: ' + zap.spider.status(scanid))
      time.sleep(2)
  scanid = zap.ascan.scan(target)
  while int(zap.ascan.status(scanid)) < 100:
      print('Scan progress %: ' + zap.ascan.status(scanid))
      time.sleep(5)
  pprint(zap.core.alerts(baseurl=target))   # only alerts for this target, not the whole session
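What to do with the list that script ends with, as an added example that is not part of the slides or of the ZAP Python client: zap.core.alerts() returns one entry per alert instance, so one injectable parameter hit on fifty pages produces fifty entries. The function below collapses them into findings keyed by rule and parameter and applies risk and confidence thresholds, which is the "prioritize" step before anything is filed or a build is failed. SAMPLE_ALERTS is constructed in the shape of the API response; some-target.com is the slide's placeholder host.

```python
# Risk and confidence scales as ZAP reports them in alert dictionaries.
RISK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3, "Confirmed": 4}

# Constructed sample in the shape returned by zap.core.alerts(): one dict per
# alert instance (only the keys used here are kept). Plugin ids are ZAP's.
SAMPLE_ALERTS = [
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://some-target.com/item?id=1", "param": "id"},
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://some-target.com/item?id=2", "param": "id"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Low", "url": "http://some-target.com/search?q=x", "param": "q"},
    {"pluginId": "10020", "alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "confidence": "Medium", "url": "http://some-target.com/", "param": "X-Frame-Options"},
    {"pluginId": "10015", "alert": "Incomplete or No Cache-control and Pragma HTTP Header Set",
     "risk": "Low", "confidence": "Medium", "url": "http://some-target.com/",
     "param": "Cache-Control"},
]


def triage(alerts, min_risk="Medium", min_confidence="Medium"):
    """Collapse alert instances into findings keyed by (pluginId, param).

    Instances below the risk or confidence threshold are dropped; the rest are
    merged so each finding carries every URL it was seen on. Keying on the
    parameter name means the same name on two unrelated forms becomes one
    finding; add the URL path to the key if that matters for your app.
    Result is sorted highest risk first, then by rule name.
    """
    findings = {}
    for a in alerts:
        if RISK.get(a["risk"], 0) < RISK[min_risk]:
            continue
        if CONFIDENCE.get(a["confidence"], 0) < CONFIDENCE[min_confidence]:
            continue
        key = (a["pluginId"], a["param"])
        finding = findings.setdefault(key, {
            "pluginId": a["pluginId"], "alert": a["alert"],
            "risk": a["risk"], "param": a["param"], "urls": []})
        if a["url"] not in finding["urls"]:
            finding["urls"].append(a["url"])
    return sorted(findings.values(), key=lambda f: (-RISK[f["risk"]], f["alert"]))


def highest_risk(findings):
    """Numeric risk of the worst finding, -1 when there is none (handy for exit codes)."""
    return max((RISK[f["risk"]] for f in findings), default=-1)


def triage_from_zap(zap, target, **thresholds):
    """Same thing fed from a live daemon; `zap` is a zapv2.ZAPv2 instance."""
    return triage(zap.core.alerts(baseurl=target), **thresholds)


if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        print("%-6s %-40s param=%-16s on %d URL(s)"
              % (f["risk"], f["alert"], f["param"], len(f["urls"])))
```

Low-confidence High findings (the reflected XSS above) are not thrown away in practice; they go to a human queue instead of the gate, which is why the thresholds are parameters.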
• 105. Cheat Sheet Series
  – «The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics»
  – You can browse it online or get it as a PDF book
  – Mostly current, up-to-date topics
  https://www.owasp.org/index.php/Cheat_Sheets
• 106. 3rd party JavaScript management Invoking 3rd party JS code in a web application requires consideration of 3 risks in particular:
  – The loss of control over changes to the client application
  – The execution of arbitrary code on client systems
  – The disclosure or leakage of sensitive information to 3rd parties
  https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet
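For the first risk, losing control over what the third party ships to your users, one control is Subresource Integrity, which the slide does not mention; the following is an added example (ours, not the cheat sheet's) that computes the integrity attribute for a script whose bytes you have reviewed and replicates the browser's check, including the rule that only the strongest algorithm present counts. The script bytes and the CDN URL are constructed.

```python
import base64
import hashlib
import hmac
import html

# Algorithms SRI accepts, weakest to strongest.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content, algorithm="sha384"):
    """'<alg>-<base64 digest>' as it goes into the integrity attribute."""
    if algorithm not in _STRENGTH:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return "%s-%s" % (algorithm, base64.b64encode(digest).decode("ascii"))


def script_tag(src, content):
    """Tag to emit for a third-party script whose reviewed bytes are `content`.

    crossorigin="anonymous" is required for cross-origin resources, otherwise the
    browser cannot see the response body to hash it and refuses to run it.
    """
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        html.escape(src, quote=True), sri_hash(content))


def verify_sri(content, integrity):
    """Browser check replicated for server-side/CI use.

    Tokens are grouped by algorithm; only the strongest algorithm present is
    consulted and any matching token in that group is enough. Unknown
    algorithms are skipped like a browser does. With no usable token we fail
    closed (a browser would load the resource unchecked); that is our choice.
    """
    groups = {}
    for token in integrity.split():
        algorithm, _, rest = token.partition("-")
        if algorithm not in _STRENGTH:
            continue
        groups.setdefault(algorithm, []).append(rest.split("?", 1)[0])
    if not groups:
        return False
    strongest = max(groups, key=_STRENGTH.get)
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return any(hmac.compare_digest(actual, expected) for expected in groups[strongest])


if __name__ == "__main__":
    widget = b"window.widget = function () { return 42; };"   # constructed script body
    print(script_tag("https://cdn.example.com/widget.js", widget))
```

The hash pins the file, not the vendor: when they legitimately update, the page must be redeployed with a new integrity value, which is precisely the control point the first bullet asks for.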
• 107. XSS Prevention RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values Except for alphanumeric characters, escape all characters less than 256 with the \xHH format to prevent switching out of the data value into the script context or into another attribute.
  https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
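Rule #3 carried through in code, as an added example (not the cheat sheet's own code): js_escape implements the \xHH rule, and naive_escape is the quote-only escaping the rule exists to replace, kept so the difference is visible on a real payload. Writing code points above 255 as \uHHHH follows the companion advice in the cheat sheet; that part goes beyond the text on the slide.

```python
def js_escape(value):
    """OWASP XSS Prevention rule #3 for a quoted JavaScript string literal.

    ASCII letters and digits pass through; every other code point below 256
    becomes \\xHH. Code points from 256 up become \\uHHHH (a surrogate pair
    above U+FFFF). Note that 'alphanumeric' has to mean ASCII: str.isalnum()
    alone would let e.g. 'é' (0xE9) through unescaped.
    """
    out = []
    for ch in value:
        cp = ord(ch)
        if cp < 128 and ch.isalnum():
            out.append(ch)
        elif cp < 256:
            out.append("\\x%02X" % cp)
        elif cp <= 0xFFFF:
            out.append("\\u%04X" % cp)
        else:
            cp -= 0x10000
            out.append("\\u%04X\\u%04X" % (0xD800 | (cp >> 10), 0xDC00 | (cp & 0x3FF)))
    return "".join(out)


def naive_escape(value):
    """The common wrong answer: escape only the quote and the backslash."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def render_inline_script(untrusted):
    """Untrusted data placed in a quoted JS data value, escaped per rule #3."""
    return "<script>var name = '%s';</script>" % js_escape(untrusted)


def render_inline_script_naively(untrusted):
    """Same template with quote-only escaping: the HTML parser still sees </script>."""
    return "<script>var name = '%s';</script>" % naive_escape(untrusted)


if __name__ == "__main__":
    payload = "</script><script>alert(1)//"   # constructed: no quote needed to break out
    print(render_inline_script_naively(payload))
    print(render_inline_script(payload))
```

The payload never uses a quote: the HTML parser ends the script element at the first </script> it sees, before JavaScript tokenization even starts, which is why escaping the quote character alone does nothing and why '<' and '/' must become \x3C and \x2F.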
• 108. XXE Prevention Libxml2: the Enum xmlParserOption should not have the following options defined:
  – XML_PARSE_NOENT: expands entities and substitutes them with replacement text
  – XML_PARSE_DTDLOAD: loads the external DTD
  https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
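The same switch in Python's standard library, as an added example that is not from the cheat sheet: expat's feature_external_ges is what decides whether a SYSTEM entity is fetched and substituted, so turning it on reproduces what XML_PARSE_NOENT plus XML_PARSE_DTDLOAD allow in libxml2, and leaving it off is the hardened configuration. The payload and the file it reads are constructed; the "secret" is written to a temporary file so the example runs offline and shows the actual exfiltration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Gathers character data so we can see whether an entity was expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse the document and return its text content.

    resolve_external_entities=True is the libxml2 XML_PARSE_NOENT/DTDLOAD
    situation: external general entities are fetched and substituted.
    False (the hardened setting) leaves the reference unresolved; the
    content handler just gets a skippedEntity() callback and no text.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def xxe_demo():
    """Constructed XXE payload whose entity points at a local file we create."""
    fd, secret_path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("s3cret")
    payload = (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        '  <!ENTITY xxe SYSTEM "{}">\n'
        "]>\n"
        "<data>&xxe;</data>"
    ).format(secret_path).encode()
    try:
        return {
            "vulnerable": parse_text(payload, resolve_external_entities=True),
            "hardened": parse_text(payload, resolve_external_entities=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(xxe_demo())   # the vulnerable parse returns the file's contents
```

With lxml, which is libxml2 underneath, the equivalent is etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False). Neither setting limits internal entity expansion (billion laughs); that needs a parser with expansion limits or defusedxml in front.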
  • 109. Featured cheat sheets • Clickjacking Defense • Cross-Site Request Forgery (CSRF) Prevention • Deserialization • DOM based XSS Prevention • REST Security • Virtual Patching
• 110. Summary
  – OWASP AppSec Pipeline helps you choose suitable tools and build your own AppSec pipeline
  – OWASP ZAP is one such tool. With it you can perform a manual pentest of a web app or automate web app security testing in the SDL
  – OWASP Cheat Sheets help you in specific areas of application security
• 113. OWASP Testing Guide Versions
  – V1 – December 2004
  – V2 – 25th December 2005
  – V3 – 15th September 2008: Configuration Management and Authorization Testing sections
  – V4 – 2014: Identity Management Testing, Error Handling, Cryptography, Client Side Testing
• 114. Purpose The OWASP Testing Guide includes:
  – a "best practice" penetration testing framework which users can implement in their own organizations, and
  – a "low level" penetration testing guide that describes techniques for testing the most common web application and web service security issues
• 115. Typical Testing Guide chapter
  – Summary
  – How to test
  – Tools
  – Remediation
  – References
  (example chapter: Fingerprint Web Application Framework)
• 116. Why to test
  – The steps that need to be undertaken to build and operate a testing program for web apps
  – An effective testing program covers people, process and technology
  – Testing just the technical implementation of an application will not uncover management or operational vulnerabilities that could be present
• 117. When to test
  – Waiting to test software until it has already been built and is in the deployment phase of its life cycle → ineffective and cost-prohibitive practice
  – One of the best methods to prevent security bugs from appearing in production applications is to improve the SDLC by including security in each of its phases
  • 119. Summary • Constant work in progress • Anybody is welcome to collaborate • Best practice for web penetration tests
• 121. OWASP MSTG Leaders
  – MSTG was initiated by Milan Singh Thakur in 2015. The original document was hosted on Google Drive and later moved to GitHub
  – Bernhard Mueller (2016)
  – Sven Schleier (2016)
  • 122. OWASP MSTG • MSTG is a manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the MASVS • MSTG is meant to provide a baseline set of test cases for black-box and white-box security tests, and to help ensure completeness and consistency of the tests
• 123. MSTG Structure
  – High-Level Guides
    – Mobile Platforms Overview
    – Security Testing Processes, Tools and Techniques
  – Complementary
    – Security Testing in the Application Development Lifecycle
    – Tools
  • 125. Typical MSTG chapter • Summary • White-box testing / Black-box testing • Remediation • References • Tools
  • 126. Typical MSTG chapter Practical examples of how to test it right, with tools, samples and references
• 127. Summary
  – Constant work in progress
  – Anybody is welcome to collaborate
  – Best practice for mobile penetration tests
• 130. Afterword
  – There are many projects happening right now (MASVS and MSTG are very good examples)
  – With such a broad front of work, every small contribution is valuable
  – Do something good today: contribute to OWASP Projects