Copyright 2010 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license
ESAPI
Security Architecture
Reporting Tools
AppSec Management
Guide to Building Secure Web Applications and Web Services
AppSec Conferences
Chapters
Projects
Application Security Tools: tools for scanning, testing, simulating, and reporting web application security issues
Research to Secure New Technologies: research projects to figure out how to secure the use of new technologies (like Ajax)
OWASP Community Platform (wiki, forums, mailing lists)
OWASP Foundation 501c3
Web Based Learning Environment and Guide for Learning Application Security
OWASP
Metrics: categorizing and organizing projects by maturity, activity level, quality, relevance
Assessment Criteria
Categories:
PROTECT - tools and documents that can be used to guard against security-related design and implementation flaws.
DETECT - tools and documents that can be used to find security-related design and implementation flaws.
LIFE CYCLE - tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).
Dashboard
Assessment details
Project Parade
Building Guide
Testing Guide
The Guide
Complements the OWASP Top 10
310-page book
Free and open source (GNU Free Documentation License)
Project Managers: use it to identify the activities (threat modeling, code review, penetration testing) that need to occur
Security Teams: use it for structuring evaluations, learning about application security, and remediation approaches
Each topic includes the basic information found in the OWASP Top 10 (how to determine if you are vulnerable, how to protect yourself) and adds: Objectives, Environments Affected, Relevant COBIT Topics, Theory, Best Practices, Misconceptions, Code Snippets
1. Frontispiece 2. Introduction
Evolution V3
Testing Guide v2 chapters: Information Gathering, Business Logic Testing, Authentication Testing, Session Management Testing, Data Validation Testing, Denial of Service Testing, Web Services Testing, Ajax Testing
Testing Guide v3 chapters: Information Gathering, Config. Management Testing, Business Logic Testing, Authentication Testing, Authorization Testing, Session Management Testing, Data Validation Testing, Denial of Service Testing, Web Services Testing, Ajax Testing, Encoded Appendix
Pen-testers: a structured approach to the testing activities; a checklist to be followed; a learning and training tool
Organisations: a tool to understand web vulnerabilities and their impact; a way to check the quality of the penetration tests they buy
More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its clients. This will raise the overall quality and understanding of this kind of activity, and therefore the general level of security in our infrastructures.
OWASP Application Security Verification Standard (ASVS): a standard for verifying the security of web applications, with four levels: Automated, Manual, Architecture, Internal
Remember:
A Fool with a Tool is still a Fool
Live CD Project that collects some of the best open source security projects in a single environment
http://www.owasp.org/index.php/LiveCD
Users can boot from Live CD and immediately start using all tools without any configuration
Available Tools (25 significant tools), including:
OWASP WebScarab v20090122
OWASP SQLiX v1.0
OWASP WSFuzzer v1.9.4
Wireshark v1.0.5
tcpdump v4.0.0
Metasploit v3.2
w3af + GUI (svn r2161)
Netcats (original + GNU)
Maltego CE v2-210
Httprint v301
SQLBrute v1.0
OWASP WebGoat
OWASP WebScarab
OWASP ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger
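The ESAPI components above are interfaces, and the slide does not show what any of them does. As an added illustration (not OWASP ESAPI code, which is Java), here is the indirect-reference pattern behind AccessReferenceMap in Python: direct keys never reach the browser, each session gets its own random indirect references, and a reference the server never issued is rejected before any business logic runs. The class and function names and the invoice records are constructed for this example.

```python
"""Indirect object references, in the style of ESAPI's AccessReferenceMap.

Added example, not OWASP ESAPI code. Direct references (database keys,
file names) are replaced by per-session random tokens, so a client cannot
tamper with or enumerate other users' references.
"""
import secrets


class AccessControlException(Exception):
    """Raised when a client presents a reference the server never issued."""


class RandomAccessReferenceMap:
    """Per-session two-way map between direct and random indirect references."""

    def __init__(self, direct_refs, token_bytes=8):
        self._to_indirect = {}
        self._to_direct = {}
        for ref in direct_refs:
            self.add_direct_reference(ref, token_bytes)

    def add_direct_reference(self, direct, token_bytes=8):
        """Register a direct reference and return its indirect form (idempotent)."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        # Unpredictable tokens: clients cannot guess references they were not given.
        indirect = secrets.token_urlsafe(token_bytes)
        while indirect in self._to_direct:  # collision is astronomically unlikely
            indirect = secrets.token_urlsafe(token_bytes)
        self._to_indirect[direct] = indirect
        self._to_direct[indirect] = direct
        return indirect

    def get_indirect_reference(self, direct):
        """Direct -> indirect; used when rendering links for this session."""
        return self._to_indirect[direct]

    def get_direct_reference(self, indirect):
        """Indirect -> direct; used when handling a request in this session."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise AccessControlException(f"unknown reference {indirect!r}") from None


# Constructed sample data: each user owns two invoice records (direct keys).
INVOICES_BY_USER = {
    "alice": [1001, 1002],
    "bob": [2001, 2002],
}


def render_invoice_links(user, arm):
    """Links shown to `user`; only indirect references appear in the HTML."""
    links = []
    for invoice_id in INVOICES_BY_USER[user]:
        links.append(f"/invoice?id={arm.get_indirect_reference(invoice_id)}")
    return links


def handle_invoice_request(arm, indirect_id):
    """Resolve a request; a guessed or tampered id raises AccessControlException."""
    return arm.get_direct_reference(indirect_id)


if __name__ == "__main__":
    alice_map = RandomAccessReferenceMap(INVOICES_BY_USER["alice"])
    links = render_invoice_links("alice", alice_map)
    print(links)
    first_token = links[0].split("id=", 1)[1]
    print("resolved to invoice", handle_invoice_request(alice_map, first_token))
    try:
        # Bob's direct key submitted by Alice's browser: never issued to her session
        handle_invoice_request(alice_map, "2001")
    except AccessControlException as exc:
        print("rejected:", exc)
```

The map is built per session, so the same invoice has a different indirect reference for each user; resolving an unknown reference fails closed rather than falling through to the database.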
OWASP CSRFTester
OWASP CSRFGuard (flow diagram): User (Browser) -> Business Processing
Actions: Add Token to HTML
http://www.owasp.org/index.php/CSRFGuard
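The diagram above reduces to one action, "Add Token to HTML", and one check in front of business processing. As an added example (a Python sketch, not CSRFGuard's own Java servlet filter), here is that synchronizer-token flow end to end: a per-session token is injected into the form as a hidden field, safe methods pass through, and a state-changing request without the right token is rejected before the handler runs. The field name OWASP_CSRFTOKEN, the transfer handler and the sample form are assumptions for this example.

```python
"""Synchronizer-token CSRF protection, the pattern CSRFGuard applies.

Added example, not CSRFGuard code. The token lives in the server-side
session; an attacker's cross-origin page cannot read it, so a forged
request cannot include it.
"""
import hmac
import secrets
from html import escape

TOKEN_FIELD = "OWASP_CSRFTOKEN"  # assumed field name for this example
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session():
    """A fresh session carrying its own unpredictable CSRF token."""
    return {"id": secrets.token_hex(16), TOKEN_FIELD: secrets.token_urlsafe(32)}


def add_token_to_html(session, form_html):
    """'Add Token to HTML': inject the session token as a hidden field."""
    hidden = (f'<input type="hidden" name="{TOKEN_FIELD}" '
              f'value="{escape(session[TOKEN_FIELD])}">')
    return form_html.replace("</form>", hidden + "</form>")


def verify_token(session, method, params):
    """True if the request may proceed to business processing."""
    if method.upper() in SAFE_METHODS:
        return True  # reads must have no side effects, so they are exempt
    supplied = params.get(TOKEN_FIELD)
    if not isinstance(supplied, str):
        return False  # missing token fails closed
    # Constant-time comparison so a mismatch does not leak token bytes via timing.
    return hmac.compare_digest(supplied.encode(), session[TOKEN_FIELD].encode())


def transfer_handler(session, method, params):
    """Business processing guarded by the token check; returns (status, body)."""
    if not verify_token(session, method, params):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {params['amount']} to {params['to']}"


# Constructed sample: the unprotected form as the application emitted it.
FORM = ('<form method="post" action="/transfer">'
        '<input name="to"><input name="amount"></form>')

if __name__ == "__main__":
    sess = new_session()
    print(add_token_to_html(sess, FORM))
    # Legitimate submission: the browser posts the hidden field back.
    print(transfer_handler(sess, "POST",
                           {"to": "bob", "amount": "10", TOKEN_FIELD: sess[TOKEN_FIELD]}))
    # Forged cross-site submission: the attacker's page cannot read the token.
    print(transfer_handler(sess, "POST", {"to": "mallory", "amount": "1000"}))
```

Two details matter in practice: the check must run on every state-changing method, not only POST, and the comparison must be constant-time; a plain `==` on secrets gives a timing side channel.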
OWASP Framework
Want more?
OWASP .NET Project
OWASP ASDR Project
OWASP AntiSamy Project
OWASP AppSec FAQ Project
OWASP Application Security Assessment Standards Project
OWASP Application Security Metrics Project
OWASP Application Security Requirements Project
OWASP CAL9000 Project
OWASP CLASP Project
OWASP CSRFGuard Project
OWASP CSRFTester Project
OWASP Career Development Project
OWASP Certification Criteria Project
OWASP Certification Project
OWASP Code Review Project
OWASP Communications Project
OWASP DirBuster Project
OWASP Education Project
OWASP Encoding Project
OWASP Enterprise Security API
OWASP Flash Security Project
OWASP Guide Project
OWASP Honeycomb Project
OWASP Insecure Web App Project
OWASP Interceptor Project
OWASP JBroFuzz
OWASP Java Project
OWASP LAPSE Project
OWASP Legal Project
OWASP Live CD Project
OWASP Logging Project
OWASP Orizon Project
OWASP PHP Project
OWASP Pantera Web Assessment Studio Project
OWASP SASAP Project
OWASP SQLiX Project
OWASP SWAAT Project
OWASP Sprajax Project
OWASP Testing Project
OWASP Tools Project
OWASP Top Ten Project
OWASP Validation Project
OWASP WASS Project
OWASP WSFuzzer Project
OWASP Web Services Security Project
OWASP WebGoat Project
OWASP WebScarab Project
OWASP XML Security Gateway Evaluation Criteria Project
OWASP on the Move Project
Timeline slide: 2001, 2003, 2005, 2007, 2009