Copyright © 2007 - The OWASP Foundation
This work is available under the Creative Commons SA 2.5 license
The OWASP Foundation
OWASP
http://www.owasp.org
Finding and Fighting the Causes of Insecure Applications
Jeff Williams, OWASP, [email protected]
New York/New Jersey Chapter Meeting
June 12, 2007
Public Health Warning
XSS and CSRF have evolved
Any website you visit could infect your browser
An infected browser can do anything you can do
An infected browser can scan, infect, spread
70-90% of web applications are ‘carriers’
Key Application Security Vulnerabilities
http://www.owasp.org/index.php?title=Top_10_2007
Tools – At Best 45%
MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE)
They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
OWASP Knowledge and Tools
Core Application Security Knowledge Base
Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services
Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review
Managing Application Security: Guidance and Tools for Measuring and Managing Application Security
Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
AppSec Education and CBT: Web Based Learning Environment and Education Project
Research to Secure New Technologies: Research Projects on Securing New Technologies (like Web Services & Ajax)
OWASP Community Platform
OWASP Foundation 501c3 (finances, legal, infrastructure, communications)
OWASP Community Platform (wiki, forums, mailing lists, leaders)
Projects (tools and documentation), Chapters, AppSec Conferences
OWASP Projects Are Alive!
(Timeline of OWASP projects: 2001, 2003, 2005, 2007, 2009 …)
www.owasp.org (our wiki)
OWASP by the Numbers
420,000 page views per month
15,000 downloads per month (SF alone)
10,000 members on mailing lists
2,600 wiki users
1,500 wiki updates per month
89 chapters worldwide
75 individual memberships
38 tool and documentation projects
28 corporate/educational memberships
25 new projects funded through Spring of Code
0 employees
How Can You Help?
Update the wiki!
Share!
Push us to do better!
Become a member
Thank You for Supporting OWASP!