SlideShare a Scribd company logo

Meet the OWASP

Download as PPTX, PDF
Antonio Fontes
Antonio Fontes

Web security track - opening talk: OWASP & OWASP Switzerland Swiss Cyber Storm 3 (Rapperswil, May 2011) Original powerpoint slides can be downloaded and re-used under following conditions: - you're free to copy, distribute and transmit the work - you're free to adapt the work - if you alter, transform, or build upon this work, you may distribute the resulting work under the same or similar rights to this one

Technology
1 of 48
Open Web Application Security Project Antonio Fontes antonio.fontes@owasp.org SWISS CYBER STORM Conference – May 2011Rapperswil
A few words about me Antonio Fontes 6 years background working on software security & privacy Founder and principal consultant at L7 SecuritéSàrl Lecturer at HST Yverdon (HEIG-VD) Focus: Web application threats and countermeasures Secure development lifecycle Penetration testing and vulnerability assessment Software threat modelling and risk analysis OWASP: OWASP Switzerland : member of the board, western Switzerland delegate OWASP Geneva: Chapter leader 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 2
cat /wwwroot/agenda.html Why do organizations need OWASP? OWASP worldwide OWASP in Switzerland Q/A 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 3
Thermometer: 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 4 “Is your organization already using OWASP material?” - For internal software development? - For outsourced custom software? - For COTS acquisition? photo by Dave Oshry
Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 5
Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 6
Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 7 101 million users! 77 million users!
Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 8 Handout from Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen.(May. 1st. 2011) photo by Dave Oshry
Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 9
Just a little check: 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 10 “Who knows PBKDF2?”
Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 11 Who understands this in your organisation?
Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 12 Use hashes!! No! Don't use hashes!!
Why do organisations need OWASP? Outside the organisation: Increasing adoption of “Anything over HTTP” Increasing “hostile” interest in online services: Increasing “threat population” Web hacking/security is easy to understand/teach Low risk of being “caught” Increasing offer in security consulting, services and products 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 13
Why do organisations need OWASP? Inside organisations: Developers dealing with dozens web technologies Heterogonous development teams and lifecycles Constant pressure for delivery Turnover and loss of internal know-how Who in the company is actually both up-to-date on the concept of “(web) applications security” and has the power to take decisions? Who in the company is actually able to qualify security products and services that are paid for? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 14
Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 15 2011 2010 2007 2005 2003 2001
OWASP foundation 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 16 “Make application security visible, so that people and organisations can make informed decisions about application security risks.” U.S. 501c3 not-for-profit charitable international organization Structure Mission Core values Code of ethics Open, Global, Innovation, Worldwide Independence from vendors, technology-agnostic
"strategy" 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 17 Threat Website Board Web Application Web Application People Committees Methods Summit Tools Chapters ? Projects Company assets Conferences Members
OWASP people 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 18
Project Leaders Driving volunteers effort on OWASP material projects: Workshops Brainstorming sessions Analysis/reporting Guides editing Tools coding 19 quality-release and 26 beta-status projects 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 19 P T M
Chapter Leaders Leading Local Chapters meetings: 188 Chapters worldwide More than 300 yearly meetings worldwide Connection with local organisations 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 20 P T M Next local chapter meeting: Zurich – June 14th
Global Committees Driving volunteers effort on global/focused OWASP outreach. Active Global Committees: Industries Membership Government Education Projects Events Connections 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 21 P T M
Full-time Kate Hartmann Logistics and day-to-day support for leaders of the 188 local chapters Alison Shrader Accounting & Administration Paulo Coimbra PMO Sarah Basso Operations before/during/after OWASP events 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 22
Conference dedicated to research work on application security Conferences: research 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 23 P T M
Yearly global application security focused conferences: Europe North America South America Asia Conferences: Appsec 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 24 P T M Next OWASP Conference in Europe: Dublin – June 7th-10th 2011
Intensive 1-week workshop event with leaders, contributors, sponsors and software vendors: Ability to connect with leading software vendors and corporate members More than 150 reunited chapter & project leaders 80 workshops The Summit 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 25 P T M
OWASP members 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 26
OWASP Membership Individual members: Annual fee: 50$/year Free access to OWASP Training day events Reduced fees at OWASP Events Current count: 1383 individual contributing members 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 27
OWASP Membership Corporate members: 52 public corporate members Annual fee: 5’000$/year Delegates for the Summit event Logo on website, use as marketing argument Majority is from the US, but Switzerland is also there 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 28
OWASP Membership Academic members: Annual fee: 0$/year Donate: support 40 members Switzerland: 1 officialised partnership (HEIG-VD) 2 pending partnerships 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 29
OWASP: the web portal 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 30
https://www.owasp.org 250’000 unique visitors monthly 650’000 pages viewed monthly 60% driven by search engines 19% referred by other websites Highest traffic motives: OWASP Top 10 Webscarab project XSS prevention cheat sheet “sql injection” 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 31
http://lists.owasp.org More than 400 mailing lists currently running 25’900 memberships About: tools, documents, methods, committees, events, outreach, leaders, etc. 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 32
OWASP projects 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 33
OWASP projects: Tools 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 34 Analyze Design Implement Verify Deploy Respond ModSecurity CRS JBroFuzz AntiSAMMY LiveCD ESAPI DirBuster WebScarab WebScarab CSRFGuard O2 Orizon Encoding Code Crawler Zed Attack Proxy Stinger Academy portal, Broken Web applications, ESAPI Swingset, Webgoat
OWASP projects: Documents 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 35 Analyze Design Implement Verify Deploy Respond Secure contract Development Code Review Code Review Backend Security Threat risk modeling J2EE Security Testing Testing Application security requirements RoR Security ASVS .NET Security AJAX Security PHP Security Secure coding practices Academy, Appsec FAQ, Appsec metrics, Common Vuln. List, Education, Exams, Legal, OWASP Top 10
COTS web application for webapp security (CBT) training Click and run /index.php/Webgoat Tools: webgoat 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 36 P T M
Tools: ModSecurity core ruleset Critical protections centralized in a core ruleset (CRS) to be installed on ModSecurity enabled Apache servers Provides: HTTP Protocol compliance Attack detection Error detection Search engine monitoring https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 37 P T M
Tools: Entreprise Security API Control library encapsulating most security functions required in web applications: Authentication Access control Sessions Encoding Input validation Encryption Logging Intrusion detection … https://www.owasp.org/index.php/ESAPI 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 38 P T M
Documents: OWASP Top 10 https://www.owasp.org/index.php/Top10 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 39 P T M
Documents: code review guide Instructions and methodology manual for conducting code security reviews Guidance on detecting the major security flaws created during implementation https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 40 P T M
Documents: ASVS ASVS: Application SecurityVerification Standard 4 verification (assurance) levels across more than 120 security controls Tailored to your own risk aversion https://www.owasp.org/index.php/ASVS 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 41 P T M
Documents: OpenSAMM Open Software Assurance Maturity Model https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 42 P T M
OWASP Switzerland 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 43
OWASP Switzerland's structure No legalform (yet, just a few daysleft) Leader: Sven Vetsch Board members: Tobias Christen, Antonio Fontes Based in Zurich 130 mailing list members Next meeting: June 14th Other local city/region chapters: OWASP Geneva 90 list members Next meeting: September 6th 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 44
Activities: meetings and conferences Local chapter meetings: 1,2,3 speakers per event Geneva, Yverdon, Zurich ~8 meetings/year Attendance: 15-100 people People love these meetings! (Historical) conference partnerships: 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 45
Activities: awareness sessions Awareness session for Swiss organizations: 1 hour, head-to-head session with an OWASP representative at your company Syllabus: OWASP organization, OWASP projects and membership opportunities 4 Swiss private companies requested this in 2010 It’s free! BUT: it’s not free training or consulting!!  No product names  No "reviews"  No training. 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 46
Swiss speakers and contributors(non exhaustive list, sorry for those I forgot ) Ivan Butler: Web application firewall & Hacking lab Tobias Christen: Security & Usability Alexis Fitzgerald : Gathering application security requirements Christian Folini : ModSecurity CRS & DDoSdefense Antonio Fontes : Threat modelling & Lifecycle security Axel Neumann: Zed Attack Proxy Sylvain Maret : Strong authentication Pierre Parrend : Java mobile applications Sven Vetsch : Advanced XSS attacks and defense ...  come to me after the talk if you want your name here 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 47
Visit the OWSAP Website: https://www.owasp.org Join the OWASP Switzerland mailing list: http://www.owasp.ch Follow us on Twitter: @OWASP_ch / @OWASP Get in touch with your local OWASP representatives: Sven Vetsch Antonio Fontes(Switzerland) (Western/French Switzerland) sven.vetsch@disenchant.chantonio.fontes@owasp.org 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 48 Thank you!

Recommended

香港六合彩<六合彩
香港六合彩<六合彩香港六合彩<六合彩
香港六合彩<六合彩dqsmesc
 
Standardization for M2M
Standardization for M2MStandardization for M2M
Standardization for M2MM2M Alliance e.V.
 
ION Hangzhou - Keynote: Collaborative Security and an Open Internet
ION Hangzhou - Keynote: Collaborative Security and an Open InternetION Hangzhou - Keynote: Collaborative Security and an Open Internet
ION Hangzhou - Keynote: Collaborative Security and an Open InternetDeploy360 Programme (Internet Society)
 
ION Hangzhou - Developing the Internet of Things (Morning Keynote)
ION Hangzhou - Developing the Internet of Things (Morning Keynote)ION Hangzhou - Developing the Internet of Things (Morning Keynote)
ION Hangzhou - Developing the Internet of Things (Morning Keynote)Deploy360 Programme (Internet Society)
 
ION Hangzhou - About IETF
ION Hangzhou - About IETFION Hangzhou - About IETF
ION Hangzhou - About IETFDeploy360 Programme (Internet Society)
 
Athens Owasp workshop Athens Digital Week 2010
Athens Owasp workshop Athens Digital Week 2010Athens Owasp workshop Athens Digital Week 2010
Athens Owasp workshop Athens Digital Week 2010Poulopoulos Ioannis
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzSeniorStoryteller
 
ESEC/FSE 2017 - On Evidence Preservation Requirements for Forensic-ready Systems
ESEC/FSE 2017 - On Evidence Preservation Requirements for Forensic-ready SystemsESEC/FSE 2017 - On Evidence Preservation Requirements for Forensic-ready Systems
ESEC/FSE 2017 - On Evidence Preservation Requirements for Forensic-ready Systemsspareuseratlero
 

Recommended

香港六合彩<六合彩
香港六合彩<六合彩香港六合彩<六合彩
香港六合彩<六合彩dqsmesc
 
Standardization for M2M
Standardization for M2MStandardization for M2M
Standardization for M2MM2M Alliance e.V.
 
ION Hangzhou - Keynote: Collaborative Security and an Open Internet
ION Hangzhou - Keynote: Collaborative Security and an Open InternetION Hangzhou - Keynote: Collaborative Security and an Open Internet
ION Hangzhou - Keynote: Collaborative Security and an Open InternetDeploy360 Programme (Internet Society)
 
ION Hangzhou - Developing the Internet of Things (Morning Keynote)
ION Hangzhou - Developing the Internet of Things (Morning Keynote)ION Hangzhou - Developing the Internet of Things (Morning Keynote)
ION Hangzhou - Developing the Internet of Things (Morning Keynote)Deploy360 Programme (Internet Society)
 
ION Hangzhou - About IETF
ION Hangzhou - About IETFION Hangzhou - About IETF
ION Hangzhou - About IETFDeploy360 Programme (Internet Society)
 
Athens Owasp workshop Athens Digital Week 2010
Athens Owasp workshop Athens Digital Week 2010Athens Owasp workshop Athens Digital Week 2010
Athens Owasp workshop Athens Digital Week 2010Poulopoulos Ioannis
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzSeniorStoryteller
 
ESEC/FSE 2017 - On Evidence Preservation Requirements for Forensic-ready Systems
ESEC/FSE 2017 - On Evidence Preservation Requirements for Forensic-ready SystemsESEC/FSE 2017 - On Evidence Preservation Requirements for Forensic-ready Systems
ESEC/FSE 2017 - On Evidence Preservation Requirements for Forensic-ready Systemsspareuseratlero
 
AARC Assurance Profiles for Kantara Initiative
AARC Assurance Profiles for Kantara InitiativeAARC Assurance Profiles for Kantara Initiative
AARC Assurance Profiles for Kantara Initiativekantarainitiative
 
ION Hangzhou - Opening Remarks
ION Hangzhou - Opening RemarksION Hangzhou - Opening Remarks
ION Hangzhou - Opening RemarksDeploy360 Programme (Internet Society)
 
IoT—Let’s Code Like It’s 1999!
IoT—Let’s Code Like It’s 1999!IoT—Let’s Code Like It’s 1999!
IoT—Let’s Code Like It’s 1999!TechWell
 
Continuous Security Testing
Continuous Security TestingContinuous Security Testing
Continuous Security TestingRay Lai
 
About Deploy360 (Presented at ARIN 31)
About Deploy360 (Presented at ARIN 31)About Deploy360 (Presented at ARIN 31)
About Deploy360 (Presented at ARIN 31)Deploy360 Programme (Internet Society)
 
ION Hangzhou - An IETF Journey for CNNIC
ION Hangzhou - An IETF Journey for CNNICION Hangzhou - An IETF Journey for CNNIC
ION Hangzhou - An IETF Journey for CNNICDeploy360 Programme (Internet Society)
 
OWASP Wikipedia Training Presentation
OWASP Wikipedia Training PresentationOWASP Wikipedia Training Presentation
OWASP Wikipedia Training PresentationNoreen Whysel
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoEoin Keary
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 
What is big data?
What is big data?What is big data?
What is big data?David Wellman
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its typesSai Sakoji
 
What is Big Data?
What is Big Data?What is Big Data?
What is Big Data?Bernard Marr
 
Death by PowerPoint
Death by PowerPointDeath by PowerPoint
Death by PowerPointAlexei Kapterev
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideSharebnmbroti
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideSharenwnftpbv
 
香港六合彩
香港六合彩香港六合彩
香港六合彩pibpjsxy
 
香港六合彩
香港六合彩香港六合彩
香港六合彩gxsdjh
 
香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩rakfbe
 
Do You... Legal?
Do You... Legal?Do You... Legal?
Do You... Legal?Ludovic Petit
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017malvvv
 

More Related Content

What's hot

AARC Assurance Profiles for Kantara Initiative
AARC Assurance Profiles for Kantara InitiativeAARC Assurance Profiles for Kantara Initiative
AARC Assurance Profiles for Kantara Initiativekantarainitiative
 
IoT—Let’s Code Like It’s 1999!
IoT—Let’s Code Like It’s 1999!IoT—Let’s Code Like It’s 1999!
IoT—Let’s Code Like It’s 1999!TechWell
 
Continuous Security Testing
Continuous Security TestingContinuous Security Testing
Continuous Security TestingRay Lai
 

What's hot (6)

AARC Assurance Profiles for Kantara Initiative
AARC Assurance Profiles for Kantara InitiativeAARC Assurance Profiles for Kantara Initiative
AARC Assurance Profiles for Kantara Initiative
 
ION Hangzhou - Opening Remarks
ION Hangzhou - Opening RemarksION Hangzhou - Opening Remarks
ION Hangzhou - Opening Remarks
 
IoT—Let’s Code Like It’s 1999!
IoT—Let’s Code Like It’s 1999!IoT—Let’s Code Like It’s 1999!
IoT—Let’s Code Like It’s 1999!
 
Continuous Security Testing
Continuous Security TestingContinuous Security Testing
Continuous Security Testing
 
About Deploy360 (Presented at ARIN 31)
About Deploy360 (Presented at ARIN 31)About Deploy360 (Presented at ARIN 31)
About Deploy360 (Presented at ARIN 31)
 
ION Hangzhou - An IETF Journey for CNNIC
ION Hangzhou - An IETF Journey for CNNICION Hangzhou - An IETF Journey for CNNIC
ION Hangzhou - An IETF Journey for CNNIC
 

Viewers also liked

OWASP Wikipedia Training Presentation
OWASP Wikipedia Training PresentationOWASP Wikipedia Training Presentation
OWASP Wikipedia Training PresentationNoreen Whysel
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoEoin Keary
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Abraham Aranguren
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its typesSai Sakoji
 

Viewers also liked (9)

OWASP Wikipedia Training Presentation
OWASP Wikipedia Training PresentationOWASP Wikipedia Training Presentation
OWASP Wikipedia Training Presentation
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and Manico
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 
What is big data?
What is big data?What is big data?
What is big data?
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its types
 
What is Big Data?
What is Big Data?What is Big Data?
What is Big Data?
 
Death by PowerPoint
Death by PowerPointDeath by PowerPoint
Death by PowerPoint
 

Similar to Meet the OWASP

香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideSharebnmbroti
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideSharenwnftpbv
 
香港六合彩
香港六合彩香港六合彩
香港六合彩pibpjsxy
 
香港六合彩
香港六合彩香港六合彩
香港六合彩gxsdjh
 
香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩rakfbe
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017malvvv
 
Owasp top 10 2017 (en)
Owasp top 10 2017 (en)Owasp top 10 2017 (en)
Owasp top 10 2017 (en)PrashantDhakol
 
OWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfOWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfSamSepiolRhodes
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Aryan G
 
Owasp top 10_-_2013
Owasp top 10_-_2013Owasp top 10_-_2013
Owasp top 10_-_2013Edho Armando
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Bee_Ware
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]geeksec80
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]geeksec0306
 

Similar to Meet the OWASP (20)

香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShare
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShare
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩
 
Do You... Legal?
Do You... Legal?Do You... Legal?
Do You... Legal?
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017
 
Owasp o
Owasp oOwasp o
Owasp o
 
Owasp top 10 2017 (en)
Owasp top 10 2017 (en)Owasp top 10 2017 (en)
Owasp top 10 2017 (en)
 
OWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfOWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdf
 
OWASP Top Ten 2013
OWASP Top Ten 2013OWASP Top Ten 2013
OWASP Top Ten 2013
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Owasp top 10_-_2013
Owasp top 10_-_2013Owasp top 10_-_2013
Owasp top 10_-_2013
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]529 owasp top 10 2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]
 
Owasp top 10
Owasp top 10 Owasp top 10
Owasp top 10
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 

More from Antonio Fontes

Sécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseSécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseAntonio Fontes
 
Owasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-finalOwasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-finalAntonio Fontes
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organizationAntonio Fontes
 
Modéliser les menaces d'une application web
Modéliser les menaces d'une application webModéliser les menaces d'une application web
Modéliser les menaces d'une application webAntonio Fontes
 
Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012Antonio Fontes
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteAntonio Fontes
 
Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Antonio Fontes
 
Rapid Threat Modeling : case study
Rapid Threat Modeling : case studyRapid Threat Modeling : case study
Rapid Threat Modeling : case studyAntonio Fontes
 
Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...Antonio Fontes
 
IT Security Days - Threat Modeling
IT Security Days - Threat ModelingIT Security Days - Threat Modeling
IT Security Days - Threat ModelingAntonio Fontes
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
The top 10 web application intrusion techniques
The top 10 web application intrusion techniquesThe top 10 web application intrusion techniques
The top 10 web application intrusion techniquesAntonio Fontes
 
Cyber-attaques: mise au point
Cyber-attaques: mise au pointCyber-attaques: mise au point
Cyber-attaques: mise au pointAntonio Fontes
 
Web application security: how to start?
Web application security: how to start?Web application security: how to start?
Web application security: how to start?Antonio Fontes
 

More from Antonio Fontes (15)

Sécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseSécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défense
 
Owasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-finalOwasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-final
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
 
Modéliser les menaces d'une application web
Modéliser les menaces d'une application webModéliser les menaces d'une application web
Modéliser les menaces d'une application web
 
Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
 
Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)
 
Rapid Threat Modeling : case study
Rapid Threat Modeling : case studyRapid Threat Modeling : case study
Rapid Threat Modeling : case study
 
Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...
 
IT Security Days - Threat Modeling
IT Security Days - Threat ModelingIT Security Days - Threat Modeling
IT Security Days - Threat Modeling
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
The top 10 web application intrusion techniques
The top 10 web application intrusion techniquesThe top 10 web application intrusion techniques
The top 10 web application intrusion techniques
 
Cyber-attaques: mise au point
Cyber-attaques: mise au pointCyber-attaques: mise au point
Cyber-attaques: mise au point
 
Web application security: how to start?
Web application security: how to start?Web application security: how to start?
Web application security: how to start?
 
Owasp Top10 2010 rc1
Owasp Top10 2010 rc1Owasp Top10 2010 rc1
Owasp Top10 2010 rc1
 

Recently uploaded

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 

Recently uploaded (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

Meet the OWASP

  • 1. Open Web Application Security Project Antonio Fontes antonio.fontes@owasp.org SWISS CYBER STORM Conference – May 2011Rapperswil
  • 2. A few words about me Antonio Fontes 6 years background working on software security & privacy Founder and principal consultant at L7 SecuritéSàrl Lecturer at HST Yverdon (HEIG-VD) Focus: Web application threats and countermeasures Secure development lifecycle Penetration testing and vulnerability assessment Software threat modelling and risk analysis OWASP: OWASP Switzerland : member of the board, western Switzerland delegate OWASP Geneva: Chapter leader 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 2
  • 3. cat /wwwroot/agenda.html Why do organizations need OWASP? OWASP worldwide OWASP in Switzerland Q/A 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 3
  • 4. Thermometer: 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 4 “Is your organization already using OWASP material?” - For internal software development? - For outsourced custom software? - For COTS acquisition? photo by Dave Oshry
  • 5. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 5
  • 6. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 6
  • 7. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 7 101 million users! 77 million users!
  • 8. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 8 Handout from Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen.(May. 1st. 2011) photo by Dave Oshry
  • 9. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 9
  • 10. Just a little check: 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 10 “Who knows PBKDF2?”
  • 11. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 11 Who understands this in your organisation?
  • 12. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 12 Use hashes!! No! Don't use hashes!!
  • 13. Why do organisations need OWASP? Outside the organisation: Increasing adoption of “Anything over HTTP” Increasing “hostile” interest in online services: Increasing “threat population” Web hacking/security is easy to understand/teach Low risk of being “caught” Increasing offer in security consulting, services and products 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 13
  • 14. Why do organisations need OWASP? Inside organisations: Developers dealing with dozens web technologies Heterogonous development teams and lifecycles Constant pressure for delivery Turnover and loss of internal know-how Who in the company is actually both up-to-date on the concept of “(web) applications security” and has the power to take decisions? Who in the company is actually able to qualify security products and services that are paid for? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 14
  • 15. Why do organisations need OWASP? 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 15 2011 2010 2007 2005 2003 2001
  • 16. OWASP foundation 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 16 “Make application security visible, so that people and organisations can make informed decisions about application security risks.” U.S. 501c3 not-for-profit charitable international organization Structure Mission Core values Code of ethics Open, Global, Innovation, Worldwide Independence from vendors, technology-agnostic
  • 17. "strategy" 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 17 Threat Website Board Web Application Web Application People Committees Methods Summit Tools Chapters ? Projects Company assets Conferences Members
  • 18. OWASP people 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 18
  • 19. Project Leaders Driving volunteers effort on OWASP material projects: Workshops Brainstorming sessions Analysis/reporting Guides editing Tools coding 19 quality-release and 26 beta-status projects 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 19 P T M
  • 20. Chapter Leaders Leading Local Chapters meetings: 188 Chapters worldwide More than 300 yearly meetings worldwide Connection with local organisations 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 20 P T M Next local chapter meeting: Zurich – June 14th
  • 21. Global Committees Driving volunteers effort on global/focused OWASP outreach. Active Global Committees: Industries Membership Government Education Projects Events Connections 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 21 P T M
  • 22. Full-time Kate Hartmann Logistics and day-to-day support for leaders of the 188 local chapters Alison Shrader Accounting & Administration Paulo Coimbra PMO Sarah Basso Operations before/during/after OWASP events 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 22
  • 23. Conference dedicated to research work on application security Conferences: research 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 23 P T M
  • 24. Yearly global application security focused conferences: Europe North America South America Asia Conferences: Appsec 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 24 P T M Next OWASP Conference in Europe: Dublin – June 7th-10th 2011
  • 25. Intensive 1-week workshop event with leaders, contributors, sponsors and software vendors: Ability to connect with leading software vendors and corporate members More than 150 reunited chapter & project leaders 80 workshops The Summit 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 25 P T M
  • 26. OWASP members 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 26
  • 27. OWASP Membership Individual members: Annual fee: 50$/year Free access to OWASP Training day events Reduced fees at OWASP Events Current count: 1383 individual contributing members 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 27
  • 28. OWASP Membership Corporate members: 52 public corporate members Annual fee: 5’000$/year Delegates for the Summit event Logo on website, use as marketing argument Majority is from the US, but Switzerland is also there 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 28
  • 29. OWASP Membership Academic members: Annual fee: 0$/year Donate: support 40 members Switzerland: 1 officialised partnership (HEIG-VD) 2 pending partnerships 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 29
  • 30. OWASP: the web portal 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 30
  • 31. https://www.owasp.org 250’000 unique visitors monthly 650’000 pages viewed monthly 60% driven by search engines 19% referred by other websites Highest traffic motives: OWASP Top 10 Webscarab project XSS prevention cheat sheet “sql injection” 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 31
  • 32. http://lists.owasp.org More than 400 mailing lists currently running 25’900 memberships About: tools, documents, methods, committees, events, outreach, leaders, etc. 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 32
  • 33. OWASP projects 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 33
  • 34. OWASP projects: Tools 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 34 Analyze Design Implement Verify Deploy Respond ModSecurity CRS JBroFuzz AntiSAMMY LiveCD ESAPI DirBuster WebScarab WebScarab CSRFGuard O2 Orizon Encoding Code Crawler Zed Attack Proxy Stinger Academy portal, Broken Web applications, ESAPI Swingset, Webgoat
  • 35. OWASP projects: Documents 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 35 Analyze Design Implement Verify Deploy Respond Secure contract Development Code Review Code Review Backend Security Threat risk modeling J2EE Security Testing Testing Application security requirements RoR Security ASVS .NET Security AJAX Security PHP Security Secure coding practices Academy, Appsec FAQ, Appsec metrics, Common Vuln. List, Education, Exams, Legal, OWASP Top 10
  • 36. COTS web application for webapp security (CBT) training Click and run /index.php/Webgoat Tools: webgoat 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 36 P T M
  • 37. Tools: ModSecurity core ruleset Critical protections centralized in a core ruleset (CRS) to be installed on ModSecurity enabled Apache servers Provides: HTTP Protocol compliance Attack detection Error detection Search engine monitoring https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 37 P T M
  • 38. Tools: Entreprise Security API Control library encapsulating most security functions required in web applications: Authentication Access control Sessions Encoding Input validation Encryption Logging Intrusion detection … https://www.owasp.org/index.php/ESAPI 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 38 P T M
  • 39. Documents: OWASP Top 10 https://www.owasp.org/index.php/Top10 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 39 P T M
  • 40. Documents: code review guide Instructions and methodology manual for conducting code security reviews Guidance on detecting the major security flaws created during implementation https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 40 P T M
  • 41. Documents: ASVS ASVS: Application SecurityVerification Standard 4 verification (assurance) levels across more than 120 security controls Tailored to your own risk aversion https://www.owasp.org/index.php/ASVS 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 41 P T M
  • 42. Documents: OpenSAMM Open Software Assurance Maturity Model https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 42 P T M
  • 43. OWASP Switzerland 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 43
  • 44. OWASP Switzerland's structure No legalform (yet, just a few daysleft) Leader: Sven Vetsch Board members: Tobias Christen, Antonio Fontes Based in Zurich 130 mailing list members Next meeting: June 14th Other local city/region chapters: OWASP Geneva 90 list members Next meeting: September 6th 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 44
  • 45. Activities: meetings and conferences Local chapter meetings: 1,2,3 speakers per event Geneva, Yverdon, Zurich ~8 meetings/year Attendance: 15-100 people People love these meetings! (Historical) conference partnerships: 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 45
  • 46. Activities: awareness sessions Awareness session for Swiss organizations: 1 hour, head-to-head session with an OWASP representative at your company Syllabus: OWASP organization, OWASP projects and membership opportunities 4 Swiss private companies requested this in 2010 It’s free! BUT: it’s not free training or consulting!!  No product names  No "reviews"  No training. 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 46
  • 47. Swiss speakers and contributors(non exhaustive list, sorry for those I forgot ) Ivan Butler: Web application firewall & Hacking lab Tobias Christen: Security & Usability Alexis Fitzgerald : Gathering application security requirements Christian Folini : ModSecurity CRS & DDoSdefense Antonio Fontes : Threat modelling & Lifecycle security Axel Neumann: Zed Attack Proxy Sylvain Maret : Strong authentication Pierre Parrend : Java mobile applications Sven Vetsch : Advanced XSS attacks and defense ...  come to me after the talk if you want your name here 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 47
  • 48. Visit the OWSAP Website: https://www.owasp.org Join the OWASP Switzerland mailing list: http://www.owasp.ch Follow us on Twitter: @OWASP_ch / @OWASP Get in touch with your local OWASP representatives: Sven Vetsch Antonio Fontes(Switzerland) (Western/French Switzerland) sven.vetsch@disenchant.chantonio.fontes@owasp.org 12/05/2011 Swiss Cyber Storm III - May 2011 - Rapperswil 48 Thank you!

Editor's Notes

  1. 1) Web frontends, Web 2.0 portals Intranets / Extranets for b/c/c servicesVPN over SSLsWeb services, SOAs, online APIs, …Access to public services, personal data, business automation, etc.2) the value of information / service3) GovernmentsCompetitorsDisgruntled peopleHackers…?4) The advantage of not being “there”“Blacklist” countries (from a legal perspective)
  2. Basic context: threat exercice on a web facingentity, potentiallyexposingcompanyassets.Need for information, visibility.Achievedwith people, methods and toolsOWASP creates the necessaryecosystem to build up these 3 componentsVisibility on appsecuritythenisbrought to the company
  3. Statisticsindicate the major searchtermsbeing support for XSS defense and understanding SQL injection. Althoughvery &quot;basic&quot; and quiteold, SQL Injection remains a major searchtermthe message STILL needs to betransmitted do not OVERSTIMATE!!!
  4. Coverageacross the developmentlifecycle
  5. Objective: Help youidentifywhat OWASP canprovideyou Help youidentifyopportunities for internalsecuredevelopment Help youidentifyopportunities for secure COTS/outsourced software vendor agreement Help youidentifymaterialthatyoucan use to leverageyour relation withyoursecurity services/product provider