Web security track - opening talk:
OWASP & OWASP Switzerland
Swiss Cyber Storm 3 (Rapperswil, May 2011)
Original powerpoint slides can be downloaded and re-used under following conditions:
- you're free to copy, distribute and transmit the work
- you're free to adapt the work
- if you alter, transform, or build upon this work, you may distribute the resulting work under the same or similar rights to this one
1. Open Web Application Security Project Antonio Fontes antonio.fontes@owasp.org SWISS CYBER STORM Conference – May 2011Rapperswil
2. A few words about me Antonio Fontes 6 years background working on software security & privacy Founder and principal consultant at L7 SecuritéSàrl Lecturer at HST Yverdon (HEIG-VD) Focus: Web application threats and countermeasures Secure development lifecycle Penetration testing and vulnerability assessment Software threat modelling and risk analysis OWASP: OWASP Switzerland : member of the board, western Switzerland delegate OWASP Geneva: Chapter leader 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 2
3. cat /wwwroot/agenda.html Why do organizations need OWASP? OWASP worldwide OWASP in Switzerland Q/A 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 3
4. Thermometer: 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 4 “Is your organization already using OWASP material?” - For internal software development? - For outsourced custom software? - For COTS acquisition? photo by Dave Oshry
5. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 5
6. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 6
7. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 7 101 million users! 77 million users!
8. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 8 Handout from Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen.(May. 1st. 2011) photo by Dave Oshry
9. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 9
10. Just a little check: 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 10 “Who knows PBKDF2?”
11. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 11 Who understands this in your organisation?
12. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 12 Use hashes!! No! Don't use hashes!!
13. Why do organisations need OWASP? Outside the organisation: Increasing adoption of “Anything over HTTP” Increasing “hostile” interest in online services: Increasing “threat population” Web hacking/security is easy to understand/teach Low risk of being “caught” Increasing offer in security consulting, services and products 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 13
14. Why do organisations need OWASP? Inside organisations: Developers dealing with dozens web technologies Heterogonous development teams and lifecycles Constant pressure for delivery Turnover and loss of internal know-how Who in the company is actually both up-to-date on the concept of “(web) applications security” and has the power to take decisions? Who in the company is actually able to qualify security products and services that are paid for? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 14
15. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 15 2011 2010 2007 2005 2003 2001
16. OWASP foundation 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 16 “Make application security visible, so that people and organisations can make informed decisions about application security risks.” U.S. 501c3 not-for-profit charitable international organization Structure Mission Core values Code of ethics Open, Global, Innovation, Worldwide Independence from vendors, technology-agnostic
17. "strategy" 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 17 Threat Website Board Web Application Web Application People Committees Methods Summit Tools Chapters ? Projects Company assets Conferences Members
19. Project Leaders Driving volunteers effort on OWASP material projects: Workshops Brainstorming sessions Analysis/reporting Guides editing Tools coding 19 quality-release and 26 beta-status projects 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 19 P T M
20. Chapter Leaders Leading Local Chapters meetings: 188 Chapters worldwide More than 300 yearly meetings worldwide Connection with local organisations 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 20 P T M Next local chapter meeting: Zurich – June 14th
21. Global Committees Driving volunteers effort on global/focused OWASP outreach. Active Global Committees: Industries Membership Government Education Projects Events Connections 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 21 P T M
22. Full-time Kate Hartmann Logistics and day-to-day support for leaders of the 188 local chapters Alison Shrader Accounting & Administration Paulo Coimbra PMO Sarah Basso Operations before/during/after OWASP events 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 22
23. Conference dedicated to research work on application security Conferences: research 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 23 P T M
24. Yearly global application security focused conferences: Europe North America South America Asia Conferences: Appsec 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 24 P T M Next OWASP Conference in Europe: Dublin – June 7th-10th 2011
25. Intensive 1-week workshop event with leaders, contributors, sponsors and software vendors: Ability to connect with leading software vendors and corporate members More than 150 reunited chapter & project leaders 80 workshops The Summit 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 25 P T M
27. OWASP Membership Individual members: Annual fee: 50$/year Free access to OWASP Training day events Reduced fees at OWASP Events Current count: 1383 individual contributing members 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 27
28. OWASP Membership Corporate members: 52 public corporate members Annual fee: 5’000$/year Delegates for the Summit event Logo on website, use as marketing argument Majority is from the US, but Switzerland is also there 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 28
29. OWASP Membership Academic members: Annual fee: 0$/year Donate: support 40 members Switzerland: 1 officialised partnership (HEIG-VD) 2 pending partnerships 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 29
30. OWASP: the web portal 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 30
31. https://www.owasp.org 250’000 unique visitors monthly 650’000 pages viewed monthly 60% driven by search engines 19% referred by other websites Highest traffic motives: OWASP Top 10 Webscarab project XSS prevention cheat sheet “sql injection” 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 31
32. http://lists.owasp.org More than 400 mailing lists currently running 25’900 memberships About: tools, documents, methods, committees, events, outreach, leaders, etc. 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 32
36. COTS web application for webapp security (CBT) training Click and run /index.php/Webgoat Tools: webgoat 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 36 P T M
37. Tools: ModSecurity core ruleset Critical protections centralized in a core ruleset (CRS) to be installed on ModSecurity enabled Apache servers Provides: HTTP Protocol compliance Attack detection Error detection Search engine monitoring https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 37 P T M
38. Tools: Entreprise Security API Control library encapsulating most security functions required in web applications: Authentication Access control Sessions Encoding Input validation Encryption Logging Intrusion detection … https://www.owasp.org/index.php/ESAPI 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 38 P T M
39. Documents: OWASP Top 10 https://www.owasp.org/index.php/Top10 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 39 P T M
40. Documents: code review guide Instructions and methodology manual for conducting code security reviews Guidance on detecting the major security flaws created during implementation https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 40 P T M
41. Documents: ASVS ASVS: Application SecurityVerification Standard 4 verification (assurance) levels across more than 120 security controls Tailored to your own risk aversion https://www.owasp.org/index.php/ASVS 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 41 P T M
42. Documents: OpenSAMM Open Software Assurance Maturity Model https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 42 P T M
44. OWASP Switzerland's structure No legalform (yet, just a few daysleft) Leader: Sven Vetsch Board members: Tobias Christen, Antonio Fontes Based in Zurich 130 mailing list members Next meeting: June 14th Other local city/region chapters: OWASP Geneva 90 list members Next meeting: September 6th 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 44
45. Activities: meetings and conferences Local chapter meetings: 1,2,3 speakers per event Geneva, Yverdon, Zurich ~8 meetings/year Attendance: 15-100 people People love these meetings! (Historical) conference partnerships: 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 45
46. Activities: awareness sessions Awareness session for Swiss organizations: 1 hour, head-to-head session with an OWASP representative at your company Syllabus: OWASP organization, OWASP projects and membership opportunities 4 Swiss private companies requested this in 2010 It’s free! BUT: it’s not free training or consulting!! No product names No "reviews" No training. 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 46
47. Swiss speakers and contributors(non exhaustive list, sorry for those I forgot ) Ivan Butler: Web application firewall & Hacking lab Tobias Christen: Security & Usability Alexis Fitzgerald : Gathering application security requirements Christian Folini : ModSecurity CRS & DDoSdefense Antonio Fontes : Threat modelling & Lifecycle security Axel Neumann: Zed Attack Proxy Sylvain Maret : Strong authentication Pierre Parrend : Java mobile applications Sven Vetsch : Advanced XSS attacks and defense ... come to me after the talk if you want your name here 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 47
48. Visit the OWSAP Website: https://www.owasp.org Join the OWASP Switzerland mailing list: http://www.owasp.ch Follow us on Twitter: @OWASP_ch / @OWASP Get in touch with your local OWASP representatives: Sven Vetsch Antonio Fontes(Switzerland) (Western/French Switzerland) sven.vetsch@disenchant.chantonio.fontes@owasp.org 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 48 Thank you!
Editor's Notes
1) Web frontends, Web 2.0 portals Intranets / Extranets for b/c/c servicesVPN over SSLsWeb services, SOAs, online APIs, …Access to public services, personal data, business automation, etc.2) the value of information / service3) GovernmentsCompetitorsDisgruntled peopleHackers…?4) The advantage of not being “there”“Blacklist” countries (from a legal perspective)
Basic context: threat exercice on a web facingentity, potentiallyexposingcompanyassets.Need for information, visibility.Achievedwith people, methods and toolsOWASP creates the necessaryecosystem to build up these 3 componentsVisibility on appsecuritythenisbrought to the company
Statisticsindicate the major searchtermsbeing support for XSS defense and understanding SQL injection. Althoughvery "basic" and quiteold, SQL Injection remains a major searchtermthe message STILL needs to betransmitted do not OVERSTIMATE!!!
Coverageacross the developmentlifecycle
Objective: Help youidentifywhat OWASP canprovideyou Help youidentifyopportunities for internalsecuredevelopment Help youidentifyopportunities for secure COTS/outsourced software vendor agreement Help youidentifymaterialthatyoucan use to leverageyour relation withyoursecurity services/product provider