
Tour of OWASPs projects

Sebastien Deleersnyder Dec 1, 2010

OWASP BeNeLux 2010

Copyright 2010 - The OWASP Foundation. This work is available under the Creative Commons SA 2.5 license.

The OWASP Foundation


http://www.owasp.org

OWASP Tools and Technology

Automated Security Verification: Vulnerability Scanners, Static Analysis Tools, Fuzzing
Manual Security Verification: Penetration Testing Tools, Code Review Tools
Security Architecture: ESAPI
Secure Coding: AppSec Libraries, ESAPI Reference Implementation, Guards and Filters
AppSec Management: Reporting Tools
AppSec Education: Flawed Apps, Learning Environments, Live CD, SiteGenerator

OWASP
2

OWASP Body of Knowledge

Core Application Security Knowledge Base: Principles, Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures
Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services
Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review
Managing Application Security: Guidance and Tools for Measuring and Managing Application Security
Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
AppSec Education and CBT: Web Based Learning Environment and Guide for Learning Application Security
Research to Secure New Technologies: Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)

OWASP Community Platform (wiki, forums, mailing lists)
AppSec Conferences, Chapters, Projects, OWASP Foundation 501c3

Top level view

There are a lot of OWASP projects


Metrics

Categorizing and organizing projects
Maturity, activity level, quality, relevance

Assessment Criteria


Categories

PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.
DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.
LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

OWASP projects by numbers

Total Projects: 122
Release quality: 19
Beta quality: 28
Alpha quality: 89
Inactive: 6

Dashboard


Assessment details


Project Parade

The Big 4 Documentation Projects

Building Guide

Code Review Guide

Testing Guide

Application Security Desk Reference (ASDR)


The Guide

Complements OWASP Top 10
310p Book
Free and open source
Gnu Free Doc License
Many contributors
Apps and web services
Most platforms: examples are J2EE, ASP.NET, and PHP
Comprehensive
Project Leader and Editor: Andrew van der Stock, vanderaj@owasp.org

Uses of the Guide

Developers: use for guidance on implementing security mechanisms and avoiding vulnerabilities
Project Managers: use for identifying activities (threat modeling, code review, penetration testing) that need to occur
Security Teams: use for structuring evaluations, learning about application security, remediation approaches

Each Topic

Includes basic information (like OWASP T10):
How to Determine If You Are Vulnerable
How to Protect Yourself

Adds:
Objectives
Environments Affected
Relevant COBIT Topics
Theory
Best Practices
Misconceptions
Code Snippets

Testing Guide v3: Index

1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors

Evolution V3

Previous version (v2): Information Gathering, Business Logic Testing, Authentication Testing, Session Management Testing, Data Validation Testing, Denial of Service Testing, Web Services Testing, Ajax Testing

v3: Information Gathering, Config. Management Testing, Business Logic Testing, Authentication Testing, Authorization Testing, Session Management Testing, Data Validation Testing, Denial of Service Testing, Web Services Testing, Ajax Testing, Encoded Appendix

How the Guide helps the security industry

Pen-testers:
A structured approach to the testing activities
A checklist to be followed
A learning and training tool

Organisations:
A tool to understand web vulnerabilities and their impact
A way to check the quality of the penetration tests they buy

More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its clients. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures.

OWASP Application Security Verification Standard

Standard for verifying the security of web applications
Four levels: Automated, Manual, Architecture, Internal

OWASP Software Assurance Maturity Model


Tools

http://www.owasp.org/index.php/Phoenix/Tools

Best known OWASP Tools: WebGoat, WebScarab

Remember: A Fool with a Tool is still a Fool

Live CD

Project that collects some of the best open source security projects in a single environment
http://www.owasp.org/index.php/LiveCD

Users can boot from the Live CD and immediately start using all tools without any configuration

Available Tools

25 significant tools:
OWASP WebScarab v20090122
OWASP WebGoat v5.2
OWASP CAL9000 v2.0
OWASP Wapiti v2.0.0-beta
Firefox 3.06 + 25 addons
OWASP JBroFuzz v1.2
Paros Proxy v3.2.13
Burp Suite v1.2
OWASP DirBuster v0.12
nmap & Zenmap v4.76
Grendel Scan v1.0
Fierce Domain Scanner v1.0.3
Rat Proxy v1.53-beta
OWASP SQLiX v1.0
OWASP WSFuzzer v1.9.4
Wireshark v1.0.5
tcpdump v4.0.0
Metasploit v3.2
w3af + GUI (svn) r2161
Netcats original + GNU
Maltego CE v2-210
Httprint v301
SQLBrute v1.0
Nikto v2.03
Spike Proxy v1.4.8-4

sqlmap v0.7-rc1 now included!

OWASP WebGoat


OWASP WebScarab


Tools At Best 45%

MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE). They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).

The OWASP Enterprise Security API

Custom Enterprise Web Application
Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Existing Enterprise Security Services/Libraries

Create Your ESAPI Implementation

Your Security Services:
Wrap your existing libraries and services
Extend and customize your ESAPI implementation
Fill in gaps with the reference implementation

Your Coding Guideline:
Tailor the ESAPI coding guidelines
Retrofit ESAPI patterns to existing code

OWASP CSRFTester


OWASP CSRFGuard 2.0

http://www.owasp.org/index.php/CSRFGuard

Flow: User (Browser) -> OWASP CSRFGuard (Verify Token) -> Business Processing

Adds token to:
href attribute
src attribute
hidden field in all forms

Actions:
Add Token to HTML
Log
Invalidate
Redirect
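As an added illustration (not CSRFGuard's own code), a minimal Python sketch of the per-session token pattern the slide describes: the token is injected into href and src attributes and as a hidden field in every form, and a request whose token does not match is logged, has its session invalidated and is redirected. The parameter name OWASP_CSRFTOKEN, the Session class and the sample HTML are assumptions made for this example.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

TOKEN_NAME = "OWASP_CSRFTOKEN"  # assumed request parameter name for this example

# Constructed sample page: one link, one image and one state-changing form.
SAMPLE_HTML = (
    '<a href="/account/transfer">Transfer</a>'
    '<img src="/img/logo.png">'
    '<form action="/account/transfer" method="post"><input name="amount"></form>'
)


@dataclass
class Session:
    sid: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    valid: bool = True
    log: list = field(default_factory=list)


def add_token_to_html(html: str, token: str) -> str:
    """Inject the session token into href/src attributes and into every form."""
    def patch_url(m):
        url = m.group(2)
        sep = "&" if "?" in url else "?"
        return f'{m.group(1)}="{url}{sep}{TOKEN_NAME}={token}"'
    html = re.sub(r'\b(href|src)="([^"#]+)"', patch_url, html)
    hidden = f'<input type="hidden" name="{TOKEN_NAME}" value="{token}">'
    return re.sub(r"(<form\b[^>]*>)", r"\1" + hidden, html)


def verify_token(session: Session, params: dict, redirect_to: str = "/error") -> str:
    """Accept the request only if the submitted token matches the session token.
    On failure: log, invalidate the session, redirect (the slide's three actions)."""
    submitted = params.get(TOKEN_NAME, "")
    if session.valid and hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return "OK"
    session.log.append(f"CSRF token mismatch for session {session.sid}")
    session.valid = False
    return f"REDIRECT {redirect_to}"


def demo() -> tuple:
    """Round trip on the constructed page: inject, then verify a good and a forged token."""
    s = Session("sid-1")  # constructed session
    page = add_token_to_html(SAMPLE_HTML, s.csrf_token)
    good = verify_token(s, {TOKEN_NAME: s.csrf_token})
    bad = verify_token(s, {TOKEN_NAME: "forged-value"})
    return page.count(s.csrf_token), good, bad, s.valid, len(s.log)
```

After the forged request the session is invalidated, so even the correct token is rejected until a new session is established.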

SDLC & OWASP Guidelines

OWASP Framework

Want More ?

OWASP .NET Project
OWASP ASDR Project
OWASP AntiSamy Project
OWASP AppSec FAQ Project
OWASP Application Security Assessment Standards Project
OWASP Application Security Metrics Project
OWASP Application Security Requirements Project
OWASP CAL9000 Project
OWASP CLASP Project
OWASP CSRFGuard Project
OWASP CSRFTester Project
OWASP Career Development Project
OWASP Certification Criteria Project
OWASP Certification Project
OWASP Code Review Project
OWASP Communications Project
OWASP DirBuster Project
OWASP Education Project
OWASP Encoding Project
OWASP Enterprise Security API
OWASP Flash Security Project
OWASP Guide Project
OWASP Honeycomb Project
OWASP Insecure Web App Project
OWASP Interceptor Project
OWASP JBroFuzz
OWASP Java Project
OWASP LAPSE Project
OWASP Legal Project
OWASP Live CD Project
OWASP Logging Project
OWASP Orizon Project
OWASP PHP Project
OWASP Pantera Web Assessment Studio Project
OWASP SASAP Project
OWASP SQLiX Project
OWASP SWAAT Project
OWASP Sprajax Project
OWASP Testing Project
OWASP Tools Project
OWASP Top Ten Project
OWASP Validation Project
OWASP WASS Project
OWASP WSFuzzer Project
OWASP Web Services Security Project
OWASP WebGoat Project
OWASP WebScarab Project
OWASP XML Security Gateway Evaluation Criteria Project
OWASP on the Move Project

OWASP Research Grants

We support the research that keeps your organization safe!


OWASP Projects Are Alive!

Timeline: 2001, 2003, 2005, 2007, 2009

How to participate?

Start your own project:
The best OWASP projects are strategic
Get the community involved / build a team
Contribute existing (open license) work
Promotion!

Help an existing project

Questions and Answers
