OWASP - Where we are… where we are going
Tom Brennan, Dave Wichers, Dinis Cruz (OWASP Board Members)
OWASP Ireland 2009
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation http://www.owasp.org

Why was the OWASP Project started?
The Open Web Application Security Project was set up in 2001 to build an industry standard framework for testing the security of web applications. We have several main objectives, including to:
• define the security requirements for secure web applications
• develop an industry standard web application security testing framework
• build quality open source tools to support the testing framework
• define a standard data exchange format to allow commercial, open source and research tools to communicate and interoperate
We will be developing the www.owasp.org website into a place where:
• people can learn about the common security problems that occur with web applications and web services
• developers and system architects can learn about security requirements to build secure web applications and web services
• security professionals and developers can learn how to effectively test the security of web applications and web services
• system owners can learn what to expect of a security company or tool testing their applications
• security professionals can understand if tools are appropriate and doing what they should be doing
(Source: Wayback Machine copy of owasp.org)

OWASP 2009
The Open Web Application Security Project (OWASP Foundation Inc.)
• Participation in OWASP is free and open to all
• The vision is a software market that produces code that's secure enough to rely on.
• The mission (to achieve that vision) is to make security visible (or transparent) so that software buyers and sellers are on equal footing and market forces can work.
• International not-for-profit charitable organization funded primarily by volunteers' time, OWASP Memberships ($50 Individuals, $5k Supporters), and OWASP Conference fees
• Website: 6,464 registered users, 21,552,771 page views, and 55,941 page edits; 10k members on mailing lists

Governance Principles
• Free & Open
• Governed by rough consensus & running code
• Abide by a code of ethics (see ethics)
• Not-for-profit
• Not driven by commercial interests
• Risk based approach

Governance: Code of Ethics
• Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
• Promote the implementation of and promote compliance with standards, procedures, controls for application security;
• Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
• Discharge professional responsibilities with diligence and honesty;
• Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association; and
• Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.

Governance: OWASP Foundation Inc.
• Volunteer Board (6): Jeff, Dinis, Tom, Dave, Sebastian, <insert>
• Volunteer Global Committee Members (27) (see next slide)
• OWASP Employees (3)
• Local Chapters (140)
• Projects (50)

Governance: Global Committee (27)
Global leaders: the voice for 7 regions, 140 chapters and their members and users

2009 Organization Supporters (5000k usd)

2009 Educational Supporters (Free)

OWASP Projects

OWASP Top 10
• The Ten Most Critical Web Application Security Vulnerabilities
• 2007 Release: a great start, but not a standard
• 4th version of the Top 10, 2009, coming soon (target Nov 2009)

OWASP Top Ten (2007 Edition)
http://www.owasp.org/index.php/Top_10

The 'Big 4' Documentation Projects + 1 new
• ASVS
• Developer Guide
• Code Review Guide
• Testing Guide
• Application Security Desk Reference (ASDR)

Developer Guide
• The first OWASP 'Guide'
• Complements OWASP Top 10
• 310-page book
• Many contributors
• Apps and web services
• Most platforms; examples are J2EE, ASP.NET, and PHP
• Comprehensive
• Project Leader and Editor: Andrew van der Stock, vanderaj@owasp.org

Code Review Guide
• Most comprehensive open source secure code review guide on the web
• Under development for 3 years
• Version 1.1 produced during 2008 Summer of Code
• Numerous contributors
• But still not complete (may never be)

Testing Guide
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection
http://www.owasp.org/index.php/TestingGuide

Application Security Desk Reference (ASDR)
• Basic reference material on application security terminology
• Serves as the foundation definition or description of many topics covered by the OWASP Development, Code Review, and Testing Guides, and the ASVS
ASDR Contents:
Section 1: Principles
Section 2: Threat Agents
Section 3: Attacks
Section 4: Vulnerabilities
Section 5: Controls
Section 6: Technical Impacts
Section 7: Business Impact
http://www.owasp.org/index.php/ASDR

New 'Cheat Sheet' Series
• XSS Prevention Cheat Sheet: www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• SQL Injection Prevention Cheat Sheet: http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
• More … ??? CSRF Prevention (being developed now), Clickjacking Prevention

XSS Prevention Cheat Sheet
Each rule names the output context untrusted data is placed into and the encoding that makes it inert there:
#1 HTML Element Content (e.g., <div> some text to display </div>): encode &, <, >, " as &entity; and ', / as &#xHH;
#2 HTML Attribute Values (e.g., <input name='person' type='TEXT' value='defaultValue'>): encode all non-alphanumeric characters < 256 as &#xHH;
#3 JavaScript Data (e.g., <script> some javascript </script>): encode all non-alphanumeric characters < 256 as \xHH
#4 HTML Style Property Values (e.g., .pdiv a:hover {color: red; text-decoration: underline}): encode all non-alphanumeric characters < 256 as \HH
#5 URI Attribute Values (e.g., <a href="javascript:toggle('lesson')">): encode all non-alphanumeric characters < 256 as %HH
ALL other contexts CANNOT include untrusted data.
Recommendation: only allow #1 and #2 and disallow all others.
See www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for more details.

OWASP Application Security Verification Standard (ASVS)
• OWASP's 1st Standard
• Defines 4 Verification Levels
Level 1: Automated Verification
  Level 1A: Dynamic Scan
  Level 1B: Source Code Scan
Level 2: Manual Verification
  Level 2A: Penetration Test
  Level 2B: Code Review
Level 3: Design Verification
Level 4: Internal Verification

What Questions Does ASVS Answer?
• How can I compare verification efforts?
• What security features should be built into the required set of security controls?
• What are reasonable increases in coverage and level of rigor when verifying the security of a web application?
• How much trust can be placed in a web application?

Software Assurance Maturity Model (SAMM)
• The 4 Disciplines are high-level categories for activities
• Three security Functions under each Discipline are the specific silos for improvement within an organization
Disciplines: Alignment & Governance, Requirements & Design, Verification & Assessment, Deployment & Operations

OWASP CLASP
• Comprehensive, Lightweight Application Security Process
• Prescriptive and proactive
• Centered around 7 AppSec best practices
• Covers the entire software lifecycle (not just development)
• Adaptable to any development process
• CLASP defines roles across the SDLC
• 24 role-based process components
• Start small and dial in to your needs

OWASP Tools and Technology
Automated Security Verification:
• Vulnerability Scanners
• Static Analysis Tools
• Fuzzing
Manual Security Verification:
• Penetration Testing Tools
• Code Review Tools
Security Architecture:
• ESAPI
Secure Coding:
• AppSec Libraries
• ESAPI Reference Implementation
• Guards and Filters
AppSec Management:
• Reporting Tools
AppSec Education:
• Flawed Apps
• Learning Environments
• Live CD
• SiteGenerator

OWASP WebGoat 5.2

OWASP WebScarab: WebScarab-NG, new proxy engine

OWASP Enterprise Security API (ESAPI)
Components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Layers: Custom Enterprise Web Application → Enterprise Security API → Existing Enterprise Security Services/Libraries

OWASP CSRFGuard 2.0
• Adds token to: href attribute, src attribute, hidden field in all forms
• Flow: User (Browser) → Verify Token → Business Processing; Add Token to HTML on the way back out
• Actions on a failed check: Log, Invalidate, Redirect
http://www.owasp.org/index.php/CSRFGuard

OWASP CSRFTester

OWASP AntiSamy: Safe Rich Input Validation
• AntiSamy uses a positive security model for rich input validation
• High assurance mechanism against XSS (and phishing) attacks
• Java and .NET
• Now built into ESAPI
• Example policies: Slashdot (links, markup); eBay (links, markup, images, etc.); MySpace (links, markup, images, stylesheets, etc.) (samy)
http://www.owasp.org/index.php/AntiSamy

Live CD
• Project that collects some of the best open source security projects in a single environment
• Users can boot from the Live CD and immediately start using all tools without any configuration
http://www.owasp.org/index.php/LiveCD

Available Tools: 25 "significant" tools
• OWASP WebScarab v20090122
• OWASP WebGoat v5.2
• OWASP CAL9000 v2.0
• OWASP JBroFuzz v1.2
• OWASP DirBuster v0.12
• OWASP SQLiX v1.0
• OWASP WSFuzzer v1.9.4
• OWASP Wapiti v2.0.0-beta
• Paros Proxy v3.2.13
• nmap & Zenmap v4.76
• Wireshark v1.0.5
• Firefox 3.06 + 25 addons
• Burp Suite v1.2
• Grendel Scan v1.0
• Metasploit v3.2
• w3af + GUI (svn)
• Netcats (svn) r2161, original + GNU
• Nikto v2.03
• Fierce Domain Scanner v1.0.3
• Maltego CE v2-210
• Spike Proxy v1.4.8-4
• Rat Proxy v1.53-beta
• tcpdump v4.0.0
• Httprint v301
• SQLBrute v1.0
• sqlmap v0.7-rc1 now included!

OWASP Code Review Tools
• Code Crawler (Alessio Marziali)
• Orizon Framework (Paulo Prego)
• LAPSE (inactive) (Ben Livshits, Stanford project)

Want More?
• OWASP .NET Project
• OWASP ASDR Project
• OWASP AntiSamy Project
• OWASP AppSec FAQ Project
• OWASP Application Security Assessment Standards Project
• OWASP Application Security Metrics Project
• OWASP Application Security Requirements Project
• OWASP CAL9000 Project
• OWASP CLASP Project
• OWASP CSRFGuard Project
• OWASP CSRFTester Project
• OWASP Career Development Project
• OWASP Certification Criteria Project
• OWASP Certification Project
• OWASP Code Review Project
• OWASP Communications Project
• OWASP DirBuster Project
• OWASP Education Project
• OWASP Encoding Project
• OWASP Enterprise Security API (ESAPI)
• OWASP Flash Security Project
• OWASP Guide Project
• OWASP Insecure Web App Project
• OWASP Interceptor Project
• OWASP JBroFuzz
• OWASP Java Project
• OWASP LAPSE Project
• OWASP Legal Project
• OWASP Live CD Project
• OWASP Logging Project
• OWASP Orizon Project
• OWASP PHP Project
• OWASP Pantera Web Assessment Studio Project
• OWASP SASAP Project
• OWASP SQLiX Project
• OWASP SWAAT Project
• OWASP Testing Project
• OWASP Tools Project
• OWASP Top Ten Project
• OWASP Validation Project
• OWASP WASS Project
• OWASP WSFuzzer Project
• OWASP Web Services Security Project
• OWASP WebGoat Project
• OWASP WebScarab Project
• OWASP XML Security Gateway Evaluation Criteria Project
• OWASP on the Move Project

Summer of Code: 2008
• OWASP Code Review Guide, v1.1
• The Ruby on Rails Security Guide v2
• OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)
• Internationalization Guidelines and OWASP-Spanish Project
• OWASP Application Security Desk Reference (ASDR)
• OWASP .NET Project Leader
• OWASP Education Project
• OWASP Testing Guide v3
• OWASP Application Security Verification Standard
• Online code signing and integrity verification service for open source community (OpenSign Server)
• Securing WebGoat using ModSecurity
• OWASP Book Cover & Sleeve Design
• OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief
• OWASP Access Control Rules Tester
• OpenPGP Extensions for HTTP - Enigform and mod_openpgp
• OWASP-WeBekci Project
• OWASP Backend Security Project
• OWASP Application Security Tool Benchmarking Environment and Site Generator refresh
• Teachable Static Analysis Workbench
• OWASP Positive Security Project
• GTK+ GUI for w3af project
• OWASP Interceptor Project - 2008 Update
• Skavenger
• SQL Injector Benchmarking Project (SQLiBENCH)
• OWASP AppSensor - Detect and Respond to Attacks from Within the Application
• OWASP Orizon Project
• OWASP Corporate Application Security Rating Guide
• OWASP AntiSamy .NET
• Python Static Analysis
• OWASP Classic ASP Security Project
• OWASP Live CD 2008 Project

OWASP Projects Are Alive! (timeline: 2001, 2003, 2005, 2007, 2009 …)

Get Involved
WWW.OWASP.ORG
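The five encoding rules on the XSS Prevention Cheat Sheet slide above, as an added example that is not the cheat sheet's or ESAPI's own code: one output encoder per context, plus a dispatcher that enforces the slide's recommendation to allow only rules #1 and #2. The function names and the "< 256" pass-through behaviour are this example's own choices.

```python
import string

# Added example (not the cheat sheet's or ESAPI's own code): one output
# encoder per context, following rules #1-#5 on the XSS Prevention slide.
ALNUM = set(string.ascii_letters + string.digits)

def _encode_each(data, fmt):
    # Apply fmt to every non-alphanumeric character below 256; characters
    # 256 and above pass through, mirroring the slide's "< 256" wording.
    return "".join(ch if ch in ALNUM or ord(ch) >= 256 else fmt % ord(ch)
                   for ch in data)

def html_content(data):
    # Rule #1 (HTML element content): &, <, >, " as named entities,
    # ' and / as hex entities; everything else is inert as text content.
    named = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
             "'": "&#x27;", "/": "&#x2F;"}
    return "".join(named.get(ch, ch) for ch in data)

def html_attribute(data):
    # Rule #2 (HTML attribute values): &#xHH; for all non-alphanumerics,
    # so a value cannot close a quoted attribute or start a new one.
    return _encode_each(data, "&#x%02X;")

def javascript_data(data):
    # Rule #3 (data inside a quoted JavaScript string literal): \xHH
    return _encode_each(data, "\\x%02X")

def css_value(data):
    # Rule #4 (CSS property values): \HH. Caveat: CSS reads a hex digit that
    # follows an escape as part of it, so a terminating space is also needed
    # whenever the next output character could be a hex digit.
    return _encode_each(data, "\\%02X")

def url_parameter(data):
    # Rule #5 (URL parameter values inside an href/src attribute): %HH
    return _encode_each(data, "%%%02X")

ENCODERS = {1: html_content, 2: html_attribute, 3: javascript_data,
            4: css_value, 5: url_parameter}

def place_untrusted(rule, data, allowed=(1, 2)):
    # The slide recommends permitting only rules #1 and #2; every other
    # context (and anything not covered by a rule) cannot hold untrusted data.
    if rule not in ENCODERS or rule not in allowed:
        raise ValueError("untrusted data not allowed in this context")
    return ENCODERS[rule](data)
```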
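The CSRFGuard workflow on its slide above (token added to href and src attributes and to a hidden field in every form; token verified on the request; log, invalidate and redirect on failure), as an added example that is not CSRFGuard's own code. The parameter name OWASP_CSRFTOKEN, the session dictionary and the request shape are constructed for this example.

```python
import re
import hmac
import secrets

# Added example (not CSRFGuard's own code) of the flow on the CSRFGuard
# slide. TOKEN_NAME and the session/request shapes are constructed for it.
TOKEN_NAME = "OWASP_CSRFTOKEN"

def new_session():
    # One unpredictable per-session token; "valid" lets verification revoke it.
    return {"id": secrets.token_hex(8), "token": secrets.token_hex(16),
            "valid": True}

def add_token_to_html(html, token):
    # "Add Token to HTML": append the token as a query parameter on href and
    # src attributes and insert a hidden field into every form.
    def with_param(m):
        url = m.group(2)
        sep = "&" if "?" in url else "?"
        return '%s="%s%s%s=%s"' % (m.group(1), url, sep, TOKEN_NAME, token)
    html = re.sub(r'\b(href|src)="([^"]*)"', with_param, html)
    hidden = '<input type="hidden" name="%s" value="%s">' % (TOKEN_NAME, token)
    return re.sub(r'</form>', hidden + '</form>', html, flags=re.IGNORECASE)

def verify_token(session, params, log):
    # "Verify Token": the request proceeds to business processing only when it
    # carries the session's token. On failure apply the slide's actions in
    # order: log the event, invalidate the session, redirect the browser.
    supplied = params.get(TOKEN_NAME, "")
    if session["valid"] and hmac.compare_digest(supplied, session["token"]):
        return "allow"
    log.append("CSRF token check failed for session %s" % session["id"])
    session["valid"] = False
    return "redirect:/csrf-error"
```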