SlideShare ist ein Scribd-Unternehmen logo

[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture

G. Geshev
G. Geshev
Technologie
1 von 36
Downloaden Sie, um offline zu lesen
OWASP Plan - Strawman Georgi Geshev OWASP Bulgaria Leader OWASP georgi.geshev@owasp.org 03.04.10 +359-884-237-207 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
Agenda Part 1: Introduction -Who are we? • What is this project all about? • Would you like to join the OWASP community? Part 2: Real world stories • Care to know about the OWASP Top 10 project? • How’s the web down there in Wonderland? OWASP 2
Introduction Who Am I? (1) Free and Open Source Software Evangelist OWASP 3
Introduction Who Am I? (1) Free and Open Source Software Evangelist (2) Enthusiastic Infosec Ninja OWASP 4
Introduction Who Am I? (1) Free and Open Source Software Evangelist (2) Enthusiastic Infosec Ninja ① + ②= ? OWASP 5
Introduction Who Am I? (1) Free and Open Source Software Evangelist (2) Enthusiastic Infosec Ninja ① + ②= ? Here’s the OWASP formula.. FOSS + WEB × APP × SEC = OWASP OWASP 6
The Open Web Application Security Project The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. http://www.owasp.org/index.php OWASP 7
The Open Web Application Security Project The Local Chapters Over 150 local chapters worldwide.. OWASP 8
The Open Web Application Security Project OWASP Bulgaria • This local chapter was founded in late 2010 • Less than 10 mailing list members • Please consider joining the local chapter mailing list • Regular chapter meetings • Welcome to the first one of ‘em!  • For submissions, suggestions, offers and questions.. • Forward your message to the mailing list • Contact me via email OWASP 9
The Open Web Application Security Project Organization Supporters OWASP 10
OWASP 11
The Open Web Application Security Project Show Your Support Consider… • Donating • Becoming an OWASP (local chapter) member • Attending the local chapter regular meetings • Attending an OWASP AppSec series conference • Global AppSec Europe - June 6th-11th 2011 @Dublin, Ireland • Contributing to an OWASP project • Developers, beta testers, etc. OWASP 12
The Open Web Application Security Project Affiliation and Membership Categories of Membership and Supporters • Individual Supporters • Single Meeting Supporter • Organization Supporters • Accredited University Supporters OWASP 13
The Open Web Application Security Project Membership Why Become a Supporting Member? • Ethics and principals of OWASP Foundation • Underscore your awareness of web application software security • Attend OWASP conferences at a discount • Expand your personal network of contacts • Support a local chapter of your choice • Get your @owasp.org email address • Have individual vote in elections http://www.owasp.org/index.php/Membership OWASP 14
The Open Web Application Security Project OWASP Projects Tools and documents are organized into the following categories: • Protect – These are tools and documents that can be used to guard against security-related design and implementation flaws. • Detect – These are tools and documents that can be used to find security-related design and implementation flaws. • Life Cycle – These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC). OWASP 15
The Open Web Application Security Project The OWASP Top 10 Project Project details.. • The OWASP Top Ten provides a powerful awareness document for web application security. • The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. • Its latest (stable) release dates from April 2010. • Creative Commons Attribution Share Alike 3.0 License ;) http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP 16
The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection OWASP 17
The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) OWASP 18
The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management OWASP 19
The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References OWASP 20
The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) OWASP 21
The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration OWASP 22
The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage OWASP 23
The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access OWASP 24
The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection OWASP 25
The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection OWASP 26 A10: Unvalidated Redirects and Forwards
The Open Web Application Security Project The OWASP Top 10 Project OWASP 27
The Open Web Application Security Project The OWASP Top 10 Project OWASP 28
The Open Web Application Security Project The OWASP Top 10 Project “Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.” http://www.owasp.org/index.php/Top_10_2010-Main OWASP 29
The Open Web Application Security Project The OWASP Top 10 Project Companies, vendors and others (officially) profiting from The OWASP Top 10.. OWASP 30
The Open Web Application Security Project OWASP Guides Don’t stop at The OWASP Top 10! Because The OWASP Top 10 project is simply not enough.. • OWASP Development Guide (Developer’s Guide) • OWASP Testing Project (Testing Guide) • OWASP Code Review Project (Code Review Guide) OWASP 31
The Open Web Application Security Project В страната на чудесата ;) OWASP 32
The Open Web Application Security Project В страната на чудесата ;) “Здравословното” състояние на българския уеб.. OWASP 33
The Open Web Application Security Project В страната на чудесата ;) OWASP 34
Shout outs go to … • Kate Hartmann (Operations Director at OWASP) • Tom Brennan (Global Board Member at OWASP) All of these folks and a few more.. • P. Stefanov • Y. Kolev • M. Soler ..for kindly recommending and helping me set up this chapter! • Thank you to all of you for attending this very first meeting ;) OWASP 35
Thank you for your attention! Please forward any questions, comments and suggestions to: georgi.geshev@owasp.org OWASP 36

Empfohlen

OWASP Bulgaria
OWASP BulgariaOWASP Bulgaria
OWASP BulgariaZero Science Lab
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014Sebastien Gioria
 
Cyber Security and Open Source
Cyber Security and Open SourceCyber Security and Open Source
Cyber Security and Open SourcePOSSCON
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр АнтухOWASP Russia
 
Owasp tunisia web day 2011
Owasp tunisia web day 2011Owasp tunisia web day 2011
Owasp tunisia web day 2011OWASPTunisia
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
State of Web App Security 2012
State of Web App Security 2012State of Web App Security 2012
State of Web App Security 2012Robert Rowley
 

Empfohlen

OWASP Bulgaria
OWASP BulgariaOWASP Bulgaria
OWASP BulgariaZero Science Lab
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014Sebastien Gioria
 
Cyber Security and Open Source
Cyber Security and Open SourceCyber Security and Open Source
Cyber Security and Open SourcePOSSCON
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр АнтухOWASP Russia
 
Owasp tunisia web day 2011
Owasp tunisia web day 2011Owasp tunisia web day 2011
Owasp tunisia web day 2011OWASPTunisia
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
State of Web App Security 2012
State of Web App Security 2012State of Web App Security 2012
State of Web App Security 2012Robert Rowley
 
Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1robin_bene
 
[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...
[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...
[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...G. Geshev
 
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS NetworksG. Geshev
 
How to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanHow to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanPost Planner
 
Learn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionLearn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionIn a Rocket
 
SEO: Getting Personal
SEO: Getting PersonalSEO: Getting Personal
SEO: Getting PersonalKirsty Hulse
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
Owasp Serbia overview
Owasp Serbia overviewOwasp Serbia overview
Owasp Serbia overviewNikola Milosevic
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxgerardkortney
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pjSébastien GIORIA
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec PresentationCiNPA Security SIG
 
Chirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita Ionel
 
Owasp top 10 2017 (en)
Owasp top 10 2017 (en)Owasp top 10 2017 (en)
Owasp top 10 2017 (en)PrashantDhakol
 
OWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfOWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfSamSepiolRhodes
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017malvvv
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageVandana Verma
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Websec México, S.C.
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction alessiomarziali
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalVandana Verma
 

Weitere ähnliche Inhalte

Andere mochten auch

Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1robin_bene
 
[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...
[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...
[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...G. Geshev
 
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS NetworksG. Geshev
 
How to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanHow to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanPost Planner
 
Learn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionLearn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionIn a Rocket
 
SEO: Getting Personal
SEO: Getting PersonalSEO: Getting Personal
SEO: Getting PersonalKirsty Hulse
 

Andere mochten auch (6)

Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1
 
[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...
[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...
[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Per...
 
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
 
How to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanHow to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media Plan
 
Learn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionLearn BEM: CSS Naming Convention
Learn BEM: CSS Naming Convention
 
SEO: Getting Personal
SEO: Getting PersonalSEO: Getting Personal
SEO: Getting Personal
 

Ähnlich wie [OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture

Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxgerardkortney
 
Chirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita Ionel
 
Owasp top 10 2017 (en)
Owasp top 10 2017 (en)Owasp top 10 2017 (en)
Owasp top 10 2017 (en)PrashantDhakol
 
OWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfOWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfSamSepiolRhodes
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017malvvv
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageVandana Verma
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Websec México, S.C.
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalVandana Verma
 
Ofer Maor - OWASP Top 10
Ofer Maor - OWASP Top 10Ofer Maor - OWASP Top 10
Ofer Maor - OWASP Top 10CSAIsrael
 
Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Ajay Ohri
 

Ähnlich wie [OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture (20)

Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
Owasp Serbia overview
Owasp Serbia overviewOwasp Serbia overview
Owasp Serbia overview
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pj
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
 
Chirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita ionel owasp europe tour
Chirita ionel owasp europe tour
 
Owasp top 10 2017 (en)
Owasp top 10 2017 (en)Owasp top 10 2017 (en)
Owasp top 10 2017 (en)
 
OWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfOWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdf
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec Presentation
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma Sehgal
 
Owasp o
Owasp oOwasp o
Owasp o
 
Ofer Maor - OWASP Top 10
Ofer Maor - OWASP Top 10Ofer Maor - OWASP Top 10
Ofer Maor - OWASP Top 10
 
OWASP overview 2017
OWASP overview 2017OWASP overview 2017
OWASP overview 2017
 
Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1
 

Kürzlich hochgeladen

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 

Kürzlich hochgeladen (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 

[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture

  • 1. OWASP Plan - Strawman Georgi Geshev OWASP Bulgaria Leader OWASP georgi.geshev@owasp.org 03.04.10 +359-884-237-207 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. Agenda Part 1: Introduction -Who are we? • What is this project all about? • Would you like to join the OWASP community? Part 2: Real world stories • Care to know about the OWASP Top 10 project? • How’s the web down there in Wonderland? OWASP 2
  • 3. Introduction Who Am I? (1) Free and Open Source Software Evangelist OWASP 3
  • 4. Introduction Who Am I? (1) Free and Open Source Software Evangelist (2) Enthusiastic Infosec Ninja OWASP 4
  • 5. Introduction Who Am I? (1) Free and Open Source Software Evangelist (2) Enthusiastic Infosec Ninja ① + ②= ? OWASP 5
  • 6. Introduction Who Am I? (1) Free and Open Source Software Evangelist (2) Enthusiastic Infosec Ninja ① + ②= ? Here’s the OWASP formula.. FOSS + WEB × APP × SEC = OWASP OWASP 6
  • 7. The Open Web Application Security Project The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. http://www.owasp.org/index.php OWASP 7
  • 8. The Open Web Application Security Project The Local Chapters Over 150 local chapters worldwide.. OWASP 8
  • 9. The Open Web Application Security Project OWASP Bulgaria • This local chapter was founded in late 2010 • Less than 10 mailing list members • Please consider joining the local chapter mailing list • Regular chapter meetings • Welcome to the first one of ‘em!  • For submissions, suggestions, offers and questions.. • Forward your message to the mailing list • Contact me via email OWASP 9
  • 10. The Open Web Application Security Project Organization Supporters OWASP 10
  • 11. OWASP 11
  • 12. The Open Web Application Security Project Show Your Support Consider… • Donating • Becoming an OWASP (local chapter) member • Attending the local chapter regular meetings • Attending an OWASP AppSec series conference • Global AppSec Europe - June 6th-11th 2011 @Dublin, Ireland • Contributing to an OWASP project • Developers, beta testers, etc. OWASP 12
  • 13. The Open Web Application Security Project Affiliation and Membership Categories of Membership and Supporters • Individual Supporters • Single Meeting Supporter • Organization Supporters • Accredited University Supporters OWASP 13
  • 14. The Open Web Application Security Project Membership Why Become a Supporting Member? • Ethics and principals of OWASP Foundation • Underscore your awareness of web application software security • Attend OWASP conferences at a discount • Expand your personal network of contacts • Support a local chapter of your choice • Get your @owasp.org email address • Have individual vote in elections http://www.owasp.org/index.php/Membership OWASP 14
  • 15. The Open Web Application Security Project OWASP Projects Tools and documents are organized into the following categories: • Protect – These are tools and documents that can be used to guard against security-related design and implementation flaws. • Detect – These are tools and documents that can be used to find security-related design and implementation flaws. • Life Cycle – These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC). OWASP 15
  • 16. The Open Web Application Security Project The OWASP Top 10 Project Project details.. • The OWASP Top Ten provides a powerful awareness document for web application security. • The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. • Its latest (stable) release dates from April 2010. • Creative Commons Attribution Share Alike 3.0 License ;) http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP 16
  • 17. The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection OWASP 17
  • 18. The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) OWASP 18
  • 19. The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management OWASP 19
  • 20. The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References OWASP 20
  • 21. The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) OWASP 21
  • 22. The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration OWASP 22
  • 23. The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage OWASP 23
  • 24. The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access OWASP 24
  • 25. The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection OWASP 25
  • 26. The Open Web Application Security Project The OWASP Top 10 Project The OWASP Top 10 Web Application Security Risks - A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection OWASP 26 A10: Unvalidated Redirects and Forwards
  • 27. The Open Web Application Security Project The OWASP Top 10 Project OWASP 27
  • 28. The Open Web Application Security Project The OWASP Top 10 Project OWASP 28
  • 29. The Open Web Application Security Project The OWASP Top 10 Project “Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.” http://www.owasp.org/index.php/Top_10_2010-Main OWASP 29
  • 30. The Open Web Application Security Project The OWASP Top 10 Project Companies, vendors and others (officially) profiting from The OWASP Top 10.. OWASP 30
  • 31. The Open Web Application Security Project OWASP Guides Don’t stop at The OWASP Top 10! Because The OWASP Top 10 project is simply not enough.. • OWASP Development Guide (Developer’s Guide) • OWASP Testing Project (Testing Guide) • OWASP Code Review Project (Code Review Guide) OWASP 31
  • 32. The Open Web Application Security Project В страната на чудесата ;) OWASP 32
  • 33. The Open Web Application Security Project В страната на чудесата ;) “Здравословното” състояние на българския уеб.. OWASP 33
  • 34. The Open Web Application Security Project В страната на чудесата ;) OWASP 34
  • 35. Shout outs go to … • Kate Hartmann (Operations Director at OWASP) • Tom Brennan (Global Board Member at OWASP) All of these folks and a few more.. • P. Stefanov • Y. Kolev • M. Soler ..for kindly recommending and helping me set up this chapter! • Thank you to all of you for attending this very first meeting ;) OWASP 35
  • 36. Thank you for your attention! Please forward any questions, comments and suggestions to: georgi.geshev@owasp.org OWASP 36