Tour of OWASP’s projects

Copyright © 2010 - The OWASP FoundationThis work is available under the Creative Commons SA 2.5 license

The OWASP Foundation

OWASPBeNeLux 2010

http://www.owasp.org

Tour of OWASP’s projects

Sebastien Deleersnyder

Dec 1, 2010

OWASP

OWASP Tools and Technology

2

• Vulnerability Scanners

• Static Analysis Tools

• Fuzzing

Automated Security Verification

• Penetration Testing Tools

• Code Review Tools

Manual Security Verification

• ESAPI

Security Architecture

• AppSec Libraries

• ESAPI Reference Implementation

• Guards and FiltersSecure

Coding

• Reporting Tools

AppSec Management

• Flawed Apps• Learning

Environments• Live CD• SiteGenerator

AppSec Education

OWASP

OWASP Body of Knowledge

Core Application Security

Knowledge Base

Acquiring andBuildingSecure

Applications

VerifyingApplication

Security

ManagingApplication

Security

ApplicationSecurity

Tools

AppSecEducation and

CBTResearch toSecure NewTechnologies Principles

Threat Agents, Attacks,

Vulnerabilities, Impacts, and

CountermeasuresOWASP Foundation 501c3

OWASP Community Platform(wiki, forums, mailing lists)

Proj

ects

Chap

ters

AppS

ec C

onfe

renc

es

Guide to Building Secure Web

Applications and Web Services

Guide to Application

Security Testing and

Guide to Application

Security Code Review

Tools for Scanning, Testing,

Simulating, and Reporting Web

Application Security Issues

Web Based Learning

Environment and Guide for Learning

Application Security

Guidance and Tools for

Measuring and Managing

Application Security

Research Projects to

Figure Out How to Secure the Use of New

Technologies (like Ajax)

Top level view

OWASP

There are a lot of OWASP projects

OWASP

Metrics

Categorizing and organizing projectsMaturity, activity level, quality, relevance

6

OWASP

Assessment Criteria

7

OWASP 8

OWASP 9

OWASP

Categories

PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.

DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.

LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

10

OWASP

OWASP projects by numbers

Total Projects: 122Release quality: 19Beta quality: 28Alpha quality: 89 Inactive: 6

OWASP

Dashboard

12

OWASP

Assessment details

13

Project Parade

OWASP

The ‘Big 4’ Documentation Projects

Building Guide

Code Review Guide

Testing Guide

Application Security Desk Reference (ASDR)

OWASP

The Guide

Complements OWASP Top 10

310p Book Free and open source

Gnu Free Doc License Many contributors Apps and web services Most platforms

Examples are J2EE, ASP.NET, and PHP

Comprehensive Project Leader and Editor

Andrew van der Stock, [email protected]

mailto:[email protected]

OWASP

Uses of the Guide

DevelopersUse for guidance on implementing security

mechanisms and avoiding vulnerabilities

Project ManagersUse for identifying activities (threat modeling,

code review, penetration testing) that need to occur

Security TeamsUse for structuring evaluations, learning about

application security, remediation approaches

OWASP

Each Topic

Includes Basic Information (like OWASP T10) How to Determine If You Are Vulnerable How to Protect Yourself

Adds Objectives Environments Affected Relevant COBIT Topics Theory Best Practices Misconceptions Code Snippets

OWASP 19

Testing Guide v3: Index

1. Frontispiece2. Introduction3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing ToolsAppendix B: Suggested ReadingAppendix C: Fuzz Vectors

OWASP 20

Evolution V3

Information GatheringConfig. Management TestingBusiness Logic TestingAuthentication TestingAuthorization Testing Session Management TestingData Validation TestingDenial of Service TestingWeb Services TestingAjax TestingEncoded Appendix

Information GatheringBusiness Logic TestingAuthentication TestingSession Management TestingData Validation TestingDenial of Service TestingWeb Services TestingAjax Testing

OWASP 21

How the Guide helps the security industry

A structured approach to the testing activities

A checklist to be followed A learning and training tool

Pen-testers

A tool to understand web vulnerabilities and their impact

A way to check the quality of the penetration tests they buy

Organisations

More in general, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its client.

This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures

OWASP

OWASP Application Security Verification Std Standard for

verifying the security of web applications

Four levelsAutomatedManualArchitecture Internal

22

OWASP

OWASP Software Assurance Maturity Model

23

OWASP

Tools

http://www.owasp.org/index.php/Phoenix/Tools

Best known OWASP ToolsWebGoatWebScarab

Remember:A Fool with a Tool is still a Fool



OWASP

Live CD

Project that collects some of the best open source security projects in a single environmenthttp://www.owasp.org/index.php/LiveCD

Users can boot from Live CD and immediately start using all tools without any configuration

25

http://www.owasp.org/index.php/LiveCD

http://www.owasp.org/index.php/Image:SoC_08_Logo.jpg

OWASP 26

Available Tools

25 “significant” toolsOWASP WebScarab v20090122

OWASP WebGoat v5.2

OWASP CAL9000 v2.0

OWASP JBroFuzz v1.2

OWASP DirBuster v0.12

OWASP SQLiX v1.0

OWASP WSFuzzer v1.9.4

OWASP Wapiti v2.0.0-beta

Paros Proxy v3.2.13

nmap & Zenmap v 4.76

Wireshark v1.0.5 tcpdump v4.0.0 Firefox 3.06 +

25 addons Burp Suite v1.2 Grendel Scan v1.0

Metasploit v3.2 (svn)

w3af + GUI svn r2161

Netcats – original + GNU Nikto v2.03 Firece Domain

Scanner v1.0.3

Maltego CE v2-210 Httprint v301 SQLBrute v1.0 Spike Proxy

v1.4.8-4Rat Proxy v1.53-beta

sqlmap v0.7-rc1 now included!

OWASP

OWASP WebGoat

27

http://www.owasp.org/images/f/f3/WebGoat-Bypass-Access-Control-Lesson.JPG

OWASP

OWASP WebScarab

28

http://www.owasp.org/index.php/Image:WebScarab_after_browsing.png

OWASP 29

Tools – At Best 45%

MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE)

They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)

OWASP

The OWASP Enterprise Security API

30

Custom Enterprise Web Application

Enterprise Security API

Auth

enti

cato

r

Use

r

Acce

ssCo

ntro

ller

Acce

ssRe

fere

nceM

ap

Valid

ator

Enco

der

HTT

PUti

litie

s

Encr

ypto

r

Encr

ypte

dPro

pert

ies

Rand

omiz

er

Exce

ptio

n H

andl

ing

Logg

er

Intr

usio

nDet

ecto

r

Secu

rity

Confi

gura

tion

Existing Enterprise Security Services/Libraries

OWASP

Create Your ESAPI Implementation

Your Security ServicesWrap your existing libraries and servicesExtend and customize your ESAPI

implementationFill in gaps with the reference implementation

Your Coding GuidelineTailor the ESAPI coding guidelinesRetrofit ESAPI patterns to existing code

31

OWASP

OWASP CSRFTester

32

OWASP

Add Tokento HTML

OWASP CSRFGuard 2.0

33

User(Browser)

Business Processing

OWASPCSRFGuard

Verify Token Adds token to:

href attribute src attribute hidden field in all

forms

Actions: Log Invalidate Redirect

http://www.owasp.org/index.php/CSRFGuard

http://www.owasp.org/index.php/CSRFGuard

OWASP 34

OW

ASP Fram

ework

SDLC & OWASP Guidelines

OWASP

Want More ? OWASP .NET Project OWASP ASDR Project OWASP AntiSamy Project OWASP AppSec FAQ Project OWASP Application Security Assessment Standards

Project OWASP Application Security Metrics Project OWASP Application Security Requirements Project OWASP CAL9000 Project OWASP CLASP Project OWASP CSRFGuard Project OWASP CSRFTester Project OWASP Career Development Project OWASP Certification Criteria Project OWASP Certification Project OWASP Code Review Project OWASP Communications Project OWASP DirBuster Project OWASP Education Project OWASP Encoding Project OWASP Enterprise Security API OWASP Flash Security Project OWASP Guide Project OWASP Honeycomb Project OWASP Insecure Web App Project OWASP Interceptor Project

OWASP JBroFuzz OWASP Java Project OWASP LAPSE Project OWASP Legal Project OWASP Live CD Project OWASP Logging Project OWASP Orizon Project OWASP PHP Project OWASP Pantera Web Assessment Studio Project OWASP SASAP Project OWASP SQLiX Project OWASP SWAAT Project OWASP Sprajax Project OWASP Testing Project OWASP Tools Project OWASP Top Ten Project OWASP Validation Project OWASP WASS Project OWASP WSFuzzer Project OWASP Web Services Security Project OWASP WebGoat Project OWASP WebScarab Project OWASP XML Security Gateway Evaluation Criteria

Project OWASP on the Move Project

35

OWASP

OWASP Research Grants We support the

research that keeps your organization safe!

36

http://www.owasp.org/index.php/Image:SoC_08_Logo.jpg

http://www.owasp.org/index.php/Image:OWASP_AOC_Logo.jpg

http://www.owasp.org/index.php/Image:SpoC_007.jpg

OWASP 37

OWASP Projects Are Alive!

2001

2003

2005

2007

2009 …

http://www.amazon.com/Security-Development-Lifecycle-Michael-Howard/dp/0735622140/sr=8-36/qid=1169351879/ref=sr_1_36/103-6175548-3897446?ie=UTF8&s=books

http://books.google.com/books?vid=ISBN0072227834&id=MDVTbFceXvwC&pg=RA7-PA134&lpg=RA7-PA134&ots=xrEpp_SM9R&dq=owasp&num=100&sig=Rp9XAMFxtQ2bDMq0RTXjddpkcKQ

http://books.google.com/books?vid=ISBN059600611X&id=QvTzBiwehOoC&pg=PA96&lpg=PA96&ots=uscGD05ZSd&dq=owasp&num=100&sig=UzWqVHxlHNw984PTMgfGngzuvug

http://books.google.com/books?vid=ISBN193226647X&id=i8j865qq7dYC&pg=PA260&lpg=PA260&ots=Mb5TcIyFKC&dq=owasp&num=100&sig=a4fd0jjbmWu48n_HMKzkfWzKjJE

http://books.google.com/books?vid=ISBN0072227842&id=6T4jrz6PbjAC&pg=PP1&lpg=PP1&ots=dBoN7I40n0&dq=owasp&num=100&sig=LpexheevY0rqKxeFd8e5-LOkXe8

http://books.google.com/books?vid=ISBN1931836361&id=fKsc9NwsNpMC&pg=PA478&lpg=PA478&dq=owasp&num=100&sig=p23ci0e9s72yyc9q7F5cKipwuyY

http://books.google.com/books?vid=ISBN0596007949&id=iV8DRekYvg0C&pg=PA183&lpg=PA183&dq=owasp&num=100&sig=ViVx6MhMJRaokqE2QrCoJJKwcCM

http://books.google.com/books?vid=ISBN0849329981&id=tbo_JZ5IRKQC&pg=RA2-PA275&lpg=RA2-PA275&dq=owasp&num=100&sig=cV6tieHfrr9Eo_wuEfeyuC-Gwow

http://books.google.com/books?vid=ISBN0596002424&id=-Qj5aMPujwMC&pg=RA2-PA194&lpg=RA2-PA194&dq=owasp&num=100&sig=6Dcl8qgL2dWy7SRviwtv8VqQQXc

http://books.google.com/books?vid=ISBN0596007248&id=5yiULnTkN6oC&pg=RA1-PA377&lpg=RA1-PA377&dq=owasp&num=100&sig=fASJI79UXTDdYiYjEI9YPMwEoR0

http://books.google.com/books?vid=ISBN0072226307&id=npYOWjVR0q4C&pg=RA4-PA301&lpg=RA4-PA301&dq=owasp&num=100&sig=O6rHxhdcuFiGDPMMMkPN1GbWXsE

http://books.google.com/books?vid=ISBN0130355488&id=O3VB-zspJo4C&pg=PA716&lpg=PA716&dq=owasp&num=100&sig=_joUK2T4cwJO9075QLXOBvqw8XU

http://books.google.com/books?vid=ISBN1932266658&id=79FMJAl_-qoC&pg=PP1&lpg=PP1&dq=owasp&num=100&sig=W6bbEaUrpKFQ3CAWpvu5P_G0_eQ

http://books.google.com/books?vid=ISBN1565924029&id=nuhf5r_TL14C&pg=PP1&lpg=PP1&ots=GyKee8-_23&dq=cryptography&num=100&sig=JK8NV6zwR-Wsw47Hv0h2q_jPYY8

http://books.google.com/books?vid=ISBN0201440997&id=NHWRH3xXQpgC&pg=PP1&lpg=PP1&ots=uBTf_a0YcT&dq=computer+security&num=100&sig=HC69to8ZQFU6RnPepyU9likCLyg

http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471128457/sr=8-3/qid=1169351746/ref=pd_bbs_sr_3/103-6175548-3897446?ie=UTF8&s=books

OWASP

How to participate?

Start your own projectThe best OWASP projects are strategic get the

community involved / build a teamContribute exising (open license)Promotion!

‘Help’ an existing project

OWASP

Questions and Answers

Date post:	18-Mar-2016
Category:	Documents
Upload:	nikkos
View:	38 times
Download:	2 times

Tour of OWASP’s projects

Documents