Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Feb 25th, 2010
Welcome to OWASP Bay Area Application Security Summit February 25th, 2010
Mandeep Khera, OWASP Bay Area Chapter
[email protected] / [email protected]
408-200-0712
Agenda
1.15 – 1.30 – Welcome, Overview – Mandeep Khera
1.30 – 2.15 – Keynote, Kaj Van Da Loo, Sr. VP, Platforms and OnDemand, SAP
2.15 – 3.00 – WebBlaze: New Techniques and Tools – Prof. Dawn Song, UC Berkeley
3.00 – 3.30 – Networking Break
3.30 – 4.00 – State of the Art: Automated Black-Box Testing – Prof. Mitchell, Stanford University, Jason Bau
4.00 – 4.30 – Controlling Data in the Cloud: Outsourcing Computation Without Outsourcing Control – Richard Chow, PARC
4.30 – 4.45 – Mini-Break
4.45 – 6.00 – Panel – App Security Issues – Cloud, Inertia, Future
6.00 – 8.00 – Networking Reception – Food and Drinks
Thanks to our sponsors!!
Web Vulnerabilities Trend
Source: Cenzic Trends Report
[Chart: Web Vulnerabilities as a % of Total Vulnerabilities (Web Vuln %), by period: Q2 2008, Q3-Q4 2008, Q1-Q2 2009, Q3-Q4 2009; y-axis 68% to 82%]
Internet Usage Continues to Grow
Trends for the next few years…
Cyber War will accelerate
• More countries will take offensive actions
Social Networking sites will continue to be the targets
• Too big, too many users, too vulnerable
Cloud computing security issues
• Moving to the cloud, but what about security?
Regulations
• Payment Card Industry (PCI) continues to drive the need for app security; other new regulations also coming
Mobile Apps
• Computing moving to mobile, more attacks likely
Sophistication of Hackers..
OWASP World
OWASP is a worldwide free and open community focused on improving the security of application software.
Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.
Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.
2009 OWASP Supporters
OWASP Worldwide Community
Membership
• Individual: 750
• Organizations: 27
Chapters
• 158 around the world
Participants
• 1,470 Wiki accounts
• +20,000 users
OWASP Dashboard
Worldwide Users Most New Visitors
29,748,796 page views
OWASP Conferences (2008-2009)
• NYC – Sep 2008
• DC – Sep 2009
• Brussels – May 2008
• Poland – May 2009
• Taiwan – Oct 2008
• Portugal Summit – Nov 2008
• Israel – Sep 2008
• India – Aug 2008
• Gold Coast – Feb 2008 + 2009
• Minnesota – Oct 2008
• Denver – Spring 2009
• Germany – Nov 2008
• Ireland – 2009
• Brazil – Oct 2009
OWASP KnowledgeBase
• 9,421 total articles
• 427 presentations
• 200 updates per day
• +300 mailing lists
• 180 blogs monitored
• 19 deface attempts
• 2,962 uploaded files
OWASP AppSec News and Intelligence
Moderated AppSec News Feed: http://www.google.com/reader/public/atom/user/16712724397688793161/state/com.google/broadcast
OWASP Podcast: http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012
OWASP TV: http://www.owasp.tv
OWASP AppSec Job Board
OWASP Top 10 Critical Vulnerabilities - 2010
www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
A lot more than the OWASP Top 10
• OWASP .NET Project
• OWASP ASDR Project
• OWASP AntiSamy Project
• OWASP AppSec FAQ Project
• OWASP Application Security Assessment Standards Project
• OWASP Application Security Metrics Project
• OWASP Application Security Requirements Project
• OWASP CAL9000 Project
• OWASP CLASP Project
• OWASP CSRFGuard Project
• OWASP CSRFTester Project
• OWASP Career Development Project
• OWASP Certification Criteria Project
• OWASP Certification Project
• OWASP Code Review Project
• OWASP Communications Project
• OWASP DirBuster Project
• OWASP Education Project
• OWASP Encoding Project
• OWASP Enterprise Security API
• OWASP Flash Security Project
• OWASP Guide Project
• OWASP Honeycomb Project
• OWASP Insecure Web App Project
• OWASP Interceptor Project
• OWASP JBroFuzz
• OWASP Java Project
• OWASP LAPSE Project
• OWASP Legal Project
• OWASP Live CD Project
• OWASP Logging Project
• OWASP Orizon Project
• OWASP PHP Project
• OWASP Pantera Web Assessment Studio Project
• OWASP SASAP Project
• OWASP SQLiX Project
• OWASP SWAAT Project
• OWASP Sprajax Project
• OWASP Testing Project
• OWASP Tools Project
• OWASP Top Ten Project
• OWASP Validation Project
• OWASP WASS Project
• OWASP WSFuzzer Project
• OWASP Web Services Security Project
• OWASP WebGoat Project
• OWASP WebScarab Project
• OWASP XML Security Gateway Evaluation Criteria Project
• OWASP on the Move Project
Finances and Grants
What Does Membership Do For OWASP?
• Funds OWASP Speakers via OWASP On the Move
• Funds Season of Code projects
• Helps Support Local Chapters
• A portion of your membership fees helps fund your local chapter
Membership Benefits
• Individual Members
• Organizational Supporters
• University Supporters
Individual Members
• Cost: $50/year
• First Time Members Get A Membership Pack: Membership card and certificate, OWASP DVD, Attractive OWASP t-shirt, OWASP tote bag, Pen
• 10% discount on OWASP conferences
Organizational Supporters
• Cost: $5000/year
• Logo on OWASP website
• Online job postings on OWASP website
• Invitation to special OWASP events such as Industry Outreach
• Two complimentary attendees to OWASP annual Summit
• Employees get 10% discount on OWASP conferences
• Onsite OWASP briefing
University Supporters
• No cost (!) – Universities must agree to provide meeting space twice per year and to include OWASP in their curriculum
• Must be an accredited University
• Logo on OWASP website
• OWASP briefings for University students and staff