OWASP Foundation Inc.
The Open Web Application Security Project (OWASP)
OWASP 3
Agenda
• OWASP Introduction
• OWASP Project Parade
• OWASP Near You?
Web Applications (architecture diagram)

Web client (IE, Mozilla, etc.) sends an HTTP request, clear-text or SSL, to the webserver; the web app(s) behind it talk over a transport to an optional appserver, which reaches the DB; the HTTP reply carries HTML, JavaScript, VBScript, etc. back to the client.

Network zones, left to right: Internet | DMZ | Protected network | Internal network

• Webserver: Apache, IIS, Netscape, etc.
• Web app: Perl, C++, CGI, Java, ASP, PHP, etc.
• Transport to appserver: AJP, IIOP, T9, etc.
• Appserver (optional): J2EE server, ColdFusion, Oracle 9iAS, etc.
• DB access: ADO, ODBC, JDBC, etc.
• DB: Oracle, SQL Server, etc.
The Open Web Application Security Project (OWASP Foundation Inc.) was established in 2001. The vision is a software market that produces code that is secure enough to rely on.
The mission (to achieve that vision) is to make security visible (or transparent) so that software buyers and sellers are on equal footing and market forces can work.
International not-for-profit charitable organization, funded primarily by volunteers' time, OWASP memberships ($50 individuals, $5k supporters), and OWASP conference fees.
• 25+ volunteer Global Committee members (see Global Committee slide)
• 130+ local chapters
• Lots of projects
• 6 OWASP employees
Global Committee
http://www.owasp.org/index.php/About_OWASP
2009 Supporters
http://www.owasp.org/index.php/Membership
OWASP Mission
The mission is to make security visible (or transparent) so that software buyers and sellers are on equal footing and market forces can work.
OWASP Resources and Community
www.owasp.org
130+ Chapters Worldwide
OWASP Conferences (2008-2009)
• Gold Coast, Feb 2008 (+2009)
• Brussels, May 2008
• India, Aug 2008
• Israel, Sep 2008
• NYC, Sep 2008
• Taiwan, Oct 2008
• Minnesota, Oct 2008
• Germany, Nov 2008
• Portugal Summit, Nov 2008
• Denver, Spring 2009
• Poland, May 2009
• DC, Sep 2009
• Ireland, 2009
Summit Portugal: 2009 Focus
• 80+ application security experts from 20+ countries
• New free tools and guidance (SoC08)
• New outreach program: technology vendors, framework providers, and standards bodies
• New program to provide free one-day seminars at universities and developer conferences worldwide
• New Global Committee structure: Education, Chapter, Conferences, Industry, Projects, Membership
Agenda
• OWASP Introduction
• OWASP Project Parade
• OWASP Near You?
OWASP Projects: Improve Quality and Support
• Define criteria for quality levels: Alpha, Beta, Release
• Encourage increased quality through Season of Code funding and support
• Produce professional OWASP books
• Provide support:
  • Full-time executive director (Kate Hartmann)
  • Full-time project manager (Paulo Coimbra)
  • Half-time technical editor (Kirsten Sitnick)
  • Half-time financial support (Alison Shrader)
  • Looking to add programmers (interns and professionals)
OWASP Top 10
• The Ten Most Critical Web Application Security Vulnerabilities
• 2007 release: a great start, but not a standard
• 3rd version of the Top 10 (2009) coming soon. *Help Wanted*

OWASP Testing Guide
• Testing Principles
• Testing Process
• Custom Web Applications
• Black Box Testing
• Grey Box Testing
• Information Gathering
• Business Logic Testing
• Authentication Testing
• Session Management Testing
• Data Validation Testing
• Denial of Service Testing
• Web Services Testing
• Ajax Testing
• Risk and Reporting
• Appendix: Testing Tools
• Appendix: Fuzz Vectors
SoC08: Testing Guide version 3
• Improved version 2: 9 articles improved
• Total of 10 testing categories and 66 controls
• New sections and controls: Configuration Management, Authorization Testing
• 36 new articles
OWASP ESAPI (Enterprise Security API)
Your security services:
• Wrap your existing libraries and services
• Extend and customize your ESAPI implementation
• Fill in gaps with the reference implementation
Your coding guideline:
• Tailor the ESAPI coding guidelines
• Retrofit ESAPI patterns to existing code
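The wrap / fill-in / retrofit pattern on the ESAPI slide, as an added illustration written for this page (not OWASP ESAPI's own API or reference implementation; the names StdlibEncoder, Validator, SecurityAPI, build_api, search_page and profile_link are invented here). An existing library (Python's html and urllib) is wrapped behind one facade, a small allow-list validator fills the gap where no library exists, and a legacy string-concatenating page is retrofitted to call the facade instead:

```python
"""Facade over existing security functions in the spirit of the ESAPI pattern.

Hypothetical example code; it does not reproduce OWASP ESAPI's classes.
"""
import html
import re
import urllib.parse
from dataclasses import dataclass
from typing import Protocol


class Encoder(Protocol):
    """Contract the rest of the code base programs against."""
    def encode_for_html(self, s: str) -> str: ...
    def encode_for_url(self, s: str) -> str: ...


class StdlibEncoder:
    """'Wrap your existing libraries': the standard library does the encoding."""
    def encode_for_html(self, s: str) -> str:
        # quote=True also escapes ' and " so output is safe inside attributes
        return html.escape(s, quote=True)

    def encode_for_url(self, s: str) -> str:
        return urllib.parse.quote(s, safe="")


class ValidationError(ValueError):
    pass


class Validator:
    """'Fill in gaps': minimal allow-list validator with canonicalization."""
    def __init__(self, rules: dict):
        self.rules = rules  # rule name -> compiled regex (constructed below)

    def get_valid_input(self, context: str, value: str, rule: str, max_len: int) -> str:
        # Canonicalize before matching: a percent-encoded payload must be judged
        # in decoded form, and double encoding is rejected outright.
        canon = urllib.parse.unquote(value)
        if urllib.parse.unquote(canon) != canon:
            raise ValidationError(f"{context}: double-encoded input")
        if len(canon) > max_len:
            raise ValidationError(f"{context}: longer than {max_len}")
        if not self.rules[rule].fullmatch(canon):
            raise ValidationError(f"{context}: fails rule {rule}")
        return canon


@dataclass
class SecurityAPI:
    encoder: Encoder
    validator: Validator


def build_api() -> SecurityAPI:
    # Rule set constructed for the example; a real deployment tailors these.
    rules = {"username": re.compile(r"[A-Za-z0-9_]{1,32}")}
    return SecurityAPI(encoder=StdlibEncoder(), validator=Validator(rules))


def legacy_search_page(query: str) -> str:
    """'Before': raw concatenation, the pattern a retrofit replaces."""
    return "<h1>Results for " + query + "</h1>"


def search_page(api: SecurityAPI, query: str) -> str:
    """'After': free text is allowed but always encoded for its context."""
    return "<h1>Results for " + api.encoder.encode_for_html(query) + "</h1>"


def profile_link(api: SecurityAPI, username: str) -> str:
    """'After': allow-list validation, then encoding for the URL context."""
    name = api.validator.get_valid_input("username", username, "username", 32)
    return "/users/" + api.encoder.encode_for_url(name)


def is_rejected(api: SecurityAPI, username: str) -> bool:
    """True when the validator refuses the value (used for the checks below)."""
    try:
        profile_link(api, username)
        return False
    except ValidationError:
        return True


if __name__ == "__main__":
    api = build_api()
    payload = "<script>alert(1)</script>"
    print(legacy_search_page(payload))   # script tag reaches the browser
    print(search_page(api, payload))     # entity-encoded, inert
    print(profile_link(api, "alice_01"))
    print(is_rejected(api, "%3Cscript%3E"), is_rejected(api, "%253C"))
```

The point of routing everything through one SecurityAPI object is that the implementation can later be swapped (a different encoder, a stricter validator) without touching the retrofitted call sites, which is what "extend and customize your ESAPI implementation" buys you.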
OWASP CLASP
Comprehensive, Lightweight Application Security Process
• Prescriptive and proactive
• Centered around 7 AppSec best practices
• Covers the entire software lifecycle (not just development)
• Adaptable to any development process
• CLASP defines roles across the SDLC
• 24 role-based process components
• Start small and dial in to your needs
OWASP Near You?
• Meetings
• Local mailing list
• Presentations & groups
• Open forum for discussion
• Meet fellow InfoSec professionals
• Create (Web)AppSec awareness
• Local projects?
• JOBS: http://www.owasp.org/index.php/OWASP_Jobs
TTD (things to do):
• Subscribe to your local chapter mailing list
• Visit www.owasp.org
• Find your local chapter
• Listen to podcasts
• Watch videos
• Read materials
• Post your (Web)AppSec questions
• Come to a meeting to meet peers
• Contribute to discussions
• Come to a conference