OWASP Overview

The Open Web Application
Security Project
OWASP
Jeff Williams
Aspect Security, CEO
Volunteer OWASP Chair
jeff.williams@owasp.org
Twitter @planetlevel
December 8, 2009
Copyright © 2009 - The OWASP Foundation
This work is available under the Creative Commons SA 3.0 license
The OWASP Foundation
http://www.owasp.org
OWASP World
OWASP is a worldwide free and
open community focused on
improving the security of
application software.
Everyone is free to participate in
OWASP and all of our materials
are available under a free and
open software license.
Our mission is to make
application security visible so
that people and organizations
can make informed decisions
about application security risks.
The OWASP Foundation is a
501c3 not-for-profit charitable
organization that ensures the
ongoing availability and support
for our work.
2009 OWASP Supporters
OWASP Worldwide Community
Membership
• Individual: 750
• Organizations: 27
Chapters
• 158 around the world
Participants
• 1,470 Wiki accounts
• +20,000 users
OWASP Dashboard
Worldwide Users (chart: Most New Visitors, 01/10/2002 to 01/10/2007)
29,748,796 page views
OWASP Conferences (2008-2009)
• Gold Coast: Feb 2008, +2009
• Brussels: May 2008
• India: Aug 2008
• Israel: Sep 2008
• NYC: Sep 2008
• Minnesota: Oct 2008
• Taiwan: Oct 2008
• Germany: Nov 2008
• Portugal Summit: Nov 2008
• Denver: Spring 2009
• Poland: May 2009
• DC: Sep 2009
• Brazil: Oct 2009
• Ireland: 2009
OWASP KnowledgeBase
•9,421 total articles
•427 presentations
•200 updates per day
•+300 mailing lists
•180 blogs monitored
•19 deface attempts
•2,962 uploaded files
OWASP AppSec News and Intelligence
Moderated AppSec News Feed
http://www.google.com/reader/public/atom/user/16712724397688793161/state/com.google/broadcast
OWASP Podcast
http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012
OWASP TV
http://www.owasp.tv
OWASP AppSec Job Board
OWASP Top 10 Critical Vulnerabilities - 2010
www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP AppSec Guides
• Free and open source
• Cheap printed copies
• Covers all critical security controls
• Hundreds of expert authors
• All aspects of application security
OWASP Application Security Verification Std
Standard for verifying the security of web applications
Four levels:
• Automated
• Manual
• Architecture
• Internal
OWASP Software Assurance Maturity Model
OWASP WebGoat
OWASP WebScarab
OWASP CSRFTester
OWASP CSRFGuard
CSRFGuard
Flow: User (Browser) -> Add Token to HTML -> Verify Token -> Business Processing
• Adds token to:
  • href attribute
  • src attribute
  • hidden field in all forms
• Actions on a missing or invalid token:
  • Log
  • Invalidate
  • Redirect
http://www.owasp.org/index.php/CSRFGuard
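The slide describes the synchronizer-token pattern that CSRFGuard implements as a Java servlet filter. The following is an added, stand-alone Python sketch of that pattern, not CSRFGuard's own code: it generates a per-session token, injects it into same-origin href and src attributes and into every form as a hidden field, verifies it on protected requests, and on failure performs the three listed actions (log, invalidate the session, redirect). The parameter name OWASP_CSRFTOKEN, the protected paths and the error page are assumptions standing in for what CSRFGuard reads from its configuration; the HTML and requests are constructed sample input.

```python
import hmac
import logging
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumed names (CSRFGuard takes these from its properties file); placeholders only.
TOKEN_NAME = "OWASP_CSRFTOKEN"
ERROR_PAGE = "/error.html"
PROTECTED = {"/transfer", "/account/update"}   # state-changing endpoints to guard

log = logging.getLogger("csrfguard-example")


@dataclass
class Session:
    sid: str
    # One unguessable token per session; the attacker's cross-site page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    valid: bool = True


def inject_token(html: str, token: str) -> str:
    """The 'Add Token to HTML' step: rewrite outbound HTML so same-origin links,
    resources and forms carry the session token."""

    def add_to_url(m: "re.Match") -> str:
        attr, quote, url = m.group(1), m.group(2), m.group(3)
        # Only relative (same-origin) URLs get the token; appending it to a
        # third-party URL would hand the secret to that host.
        if url.startswith(("http://", "https://", "//", "#", "javascript:", "mailto:")):
            return m.group(0)
        sep = "&" if "?" in url else "?"
        return f"{attr}={quote}{url}{sep}{TOKEN_NAME}={token}{quote}"

    html = re.sub(r"""\b(href|src)=(["'])([^"']*)\2""", add_to_url, html, flags=re.IGNORECASE)
    hidden = f'<input type="hidden" name="{TOKEN_NAME}" value="{token}">'
    # Place the hidden field immediately after each opening <form> tag.
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + hidden, html, flags=re.IGNORECASE)


@dataclass
class Request:
    method: str
    path: str
    params: dict
    session: Session


def verify_request(req: Request) -> Tuple[bool, Optional[str]]:
    """The 'Verify Token' step. Returns (allowed, redirect_target)."""
    if req.path not in PROTECTED:
        return True, None
    supplied = req.params.get(TOKEN_NAME, "")
    # Constant-time comparison so a timing side channel cannot reveal the token.
    if req.session.valid and hmac.compare_digest(supplied, req.session.csrf_token):
        return True, None
    # The three CSRFGuard actions from the slide: Log, Invalidate, Redirect.
    log.warning("CSRF token failure sid=%s method=%s path=%s",
                req.session.sid, req.method, req.path)
    req.session.valid = False          # Invalidate: the session is no longer trusted
    return False, ERROR_PAGE           # Redirect: caller sends the browser here


def demo() -> Tuple[str, Tuple[bool, Optional[str]], Tuple[bool, Optional[str]]]:
    """Constructed sample page and requests; returns the rewritten HTML and two verdicts."""
    s = Session("sid-1")
    page = ('<a href="/transfer?to=bob">Pay</a>'
            '<img src="https://cdn.example.net/logo.png">'
            '<form action="/transfer" method="post"></form>')
    rewritten = inject_token(page, s.csrf_token)
    ok = verify_request(Request("POST", "/transfer", {TOKEN_NAME: s.csrf_token}, s))
    forged = verify_request(Request("POST", "/transfer", {}, s))   # cross-site form post: no token
    return rewritten, ok, forged


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    html, ok, forged = demo()
    print(html)
    print("legitimate:", ok, "forged:", forged)
```

Two caveats a practitioner should weigh when deploying this pattern: a token appended to href or src travels in the URL and can therefore leak through Referer headers, proxy logs and browser history, whereas the hidden field on a POST form does not; and the verification must be applied only to state-changing requests, otherwise any stale bookmark or cached link with an old token will trip the log/invalidate action and lock legitimate users out.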
OWASP Live CD
OWASP Enterprise Security API
Want More OWASP?
.NET Project
ASDR Project
AntiSamy Project
AppSec FAQ Project
Application Security Assessment Standards Project
Application Security Metrics Project
Application Security Requirements Project
CAL9000 Project
CLASP Project
CSRFGuard Project
CSRFTester Project
Career Development Project
Certification Criteria Project
Certification Project
Code Review Project
Communications Project
DirBuster Project
Education Project
Encoding Project
Enterprise Security API
Flash Security Project
Guide Project
Honeycomb Project
Insecure Web App Project
Interceptor Project
JBroFuzz
Java Project
LAPSE Project
Legal Project
Live CD Project
Logging Project
Orizon Project
PHP Project
Pantera Web Assessment Studio Project
SASAP Project
SQLiX Project
SWAAT Project
Sprajax Project
Testing Project
Tools Project
Top Ten Project
Validation Project
WASS Project
WSFuzzer Project
Web Services Security Project
WebGoat Project
WebScarab Project
XML Security Gateway Evaluation Criteria Project
on the Move Project
OWASP Research Grants
We support the research that keeps your organization safe!
OWASP SoC2008 selection
OWASP Code review guide, V1.1
The Ruby on Rails Security Guide v2
OWASP UI Component Verification Project (a.k.a.
OWASP JSP Testing Tool)
Internationalization Guidelines and OWASP-Spanish
Project
OWASP Application Security Desk Reference
(ASDR)
OWASP .NET Project Leader
OWASP Education Project
The OWASP Testing Guide v3
OWASP Application Security Verification Standard
Online code signing and integrity verification
service for open source community (OpenSign
Server)
Securing WebGoat using ModSecurity
OWASP Book Cover & Sleeve Design
OWASP Individual & Corporate Member Packs,
Conference Attendee Packs Brief
OWASP Access Control Rules Tester
OpenPGP Extensions for HTTP - Enigform and
mod_openpgp
OWASP-WeBekci Project
OWASP Backend Security Project
OWASP Application Security Tool Benchmarking
Environment and Site Generator refresh
Teachable Static Analysis Workbench
OWASP Positive Security Project
GTK+ GUI for w3af project
OWASP Interceptor Project - 2008 Update
Skavenger
SQL Injector Benchmarking Project (SQLiBENCH)
OWASP AppSensor - Detect and Respond to Attacks
from Within the Application
Owasp Orizon Project
OWASP Corporate Application Security Rating Guide
OWASP AntiSamy .NET
Python Static Analysis
OWASP Classic ASP Security Project
OWASP Live CD 2008 Project
How Can You Help?
Join our community
Share and learn
Attend conferences
Push us to do better
Become a member!
Questions and Answers
OWASP Projects Lifecycle
• Define criteria for assessment of:
  • Projects: Level 0 to 3
  • Releases: Alpha, Beta, Stable
• Encourage increased quality
  • Through Season of Code funding and support
  • Produce professional OWASP books
• Provide support
  • Full-time executive director (Kate Hartmann)
  • Full-time project manager (Paulo Coimbra)
  • Half-time technical editor (Kirsten Sitnick)
  • Half-time financial support (Alison Shrader)
  • Looking to add programmers (interns and professionals)
SDLC & OWASP Guidelines (framework diagram)
OWASP Projects Are Alive! (timeline: 2001, 2003, 2005, 2007, ... 2009)
Finances and Grants
OWASP Grants
• OWASP Autumn of Code 2006: $20,000 budget
• OWASP Spring of Code 2007: $117,500 budget
• OWASP Summer of Code 2008: $126,000 budget
(Pie chart: OWASP Grants vs OWASP Foundation; labels as extracted: 100%, 55%, 45%)