Application Security Tools

Tour of OWASP’s projects
Sebastien Deleersnyder
Dec 1, 2010
OWASP BeNeLux 2010
Copyright © 2010 - The OWASP Foundation
This work is available under the Creative Commons SA 2.5 license
The OWASP Foundation
http://www.owasp.org
OWASP Tools and Technology
• Automated Security Verification: Vulnerability Scanners, Static Analysis Tools, Fuzzing
• Manual Security Verification: Penetration Testing Tools, Code Review Tools
• Security Architecture: ESAPI
• Secure Coding: AppSec Libraries, ESAPI Reference Implementation, Guards and Filters
• AppSec Management: Reporting Tools
• AppSec Education: Flawed Apps, Learning Environments, Live CD, SiteGenerator
OWASP
2
OWASP Body of Knowledge
• Core Application Security Knowledge Base: Principles, Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures
• Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services
• Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review
• Managing Application Security: Guidance and Tools for Measuring and Managing Application Security
• Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
• AppSec Education and CBT: Web Based Learning Environment and Guide for Learning Application Security
• Research to Secure New Technologies: Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
• AppSec Conferences, Chapters, Projects
• OWASP Community Platform (wiki, forums, mailing lists)
• OWASP Foundation 501c3
Top level view
There are a lot of OWASP projects
Metrics
Categorizing and organizing projects
Maturity, activity level, quality, relevance

Assessment Criteria
Categories
PROTECT - These are tools and documents that
can be used to guard against security-related
design and implementation flaws.
DETECT - These are tools and documents that
can be used to find security-related design and
implementation flaws.
LIFE CYCLE - These are tools and documents
that can be used to add security-related
activities into the Software Development Life
Cycle (SDLC).
OWASP projects by numbers
Total Projects: 122
Release quality: 19
Beta quality: 28
Alpha quality: 89
Inactive: 6
Dashboard
Assessment details
Project Parade
The ‘Big 4’ Documentation Projects
• Building Guide
• Code Review Guide
• Testing Guide
• Application Security Desk Reference (ASDR)
The Guide
• Complements OWASP Top 10
• 310p Book
• Free and open source
• GNU Free Doc License
• Many contributors
• Apps and web services
• Most platforms
• Examples are J2EE, ASP.NET, and PHP
• Comprehensive
• Project Leader and Editor: Andrew van der Stock, vanderaj@owasp.org
Uses of the Guide
Developers
Use for guidance on implementing security
mechanisms and avoiding vulnerabilities
Project Managers
Use for identifying activities (threat modeling, code
review, penetration testing) that need to occur
Security Teams
Use for structuring evaluations, learning about
application security, remediation approaches
Each Topic
• Includes Basic Information (like OWASP T10)
  • How to Determine If You Are Vulnerable
  • How to Protect Yourself
• Adds
  • Objectives
  • Environments Affected
  • Relevant COBIT Topics
  • Theory
  • Best Practices
  • Misconceptions
  • Code Snippets
Testing Guide v3: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Evolution V3
Testing Guide v2 categories: Information Gathering; Business Logic Testing; Authentication Testing; Session Management Testing; Data Validation Testing; Denial of Service Testing; Web Services Testing; Ajax Testing
Testing Guide v3 categories: Information Gathering; Config. Management Testing; Business Logic Testing; Authentication Testing; Authorization Testing; Session Management Testing; Data Validation Testing; Denial of Service Testing; Web Services Testing; Ajax Testing; Encoded Appendix
How the Guide helps the security industry
Pen-testers:
• A structured approach to the testing activities
• A checklist to be followed
• A learning and training tool
Organisations:
• A tool to understand web vulnerabilities and their impact
• A way to check the quality of the penetration tests they buy
More generally, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its clients. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures.
OWASP Application Security Verification Standard
Standard for verifying the security of web applications
Four levels: Automated, Manual, Architecture, Internal
OWASP Software Assurance Maturity Model
Tools
http://www.owasp.org/index.php/Phoenix/Tools
Best known OWASP Tools
WebGoat
WebScarab
Remember:
A Fool with a Tool is still a Fool
Live CD
Project that collects some of the best open
source security projects in a single environment
http://www.owasp.org/index.php/LiveCD
Users can boot from Live CD and immediately
start using all tools without any configuration
Available Tools
25 “significant” tools
• OWASP WebScarab v20090122
• OWASP WebGoat v5.2
• OWASP CAL9000 v2.0
• OWASP JBroFuzz v1.2
• OWASP DirBuster v0.12
• OWASP SQLiX v1.0
• OWASP WSFuzzer v1.9.4
• Wapiti v2.0.0-beta
• Paros Proxy v3.2.13
• nmap & Zenmap v4.76
• Wireshark v1.0.5
• Firefox 3.06 + 25 addons
• Burp Suite v1.2
• Grendel Scan v1.0
• Metasploit v3.2 (svn)
• w3af + GUI svn r2161
• Netcats – original + GNU
• Nikto v2.03
• Fierce Domain Scanner v1.0.3
• Maltego CE v2-210
• Spike Proxy v1.4.8-4
• Rat Proxy v1.53-beta
• tcpdump v4.0.0
• Httprint v301
• SQLBrute v1.0
• sqlmap v0.7-rc1 now included!
OWASP WebGoat
OWASP WebScarab
Tools – At Best 45%
• MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE)
• They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
The OWASP Enterprise Security API
Layered view: Custom Enterprise Web Application → Enterprise Security API → Existing Enterprise Security Services/Libraries
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Create Your ESAPI Implementation
Your Security Services
Wrap your existing libraries and services
Extend and customize your ESAPI implementation
Fill in gaps with the reference implementation
Your Coding Guideline
Tailor the ESAPI coding guidelines
Retrofit ESAPI patterns to existing code
OWASP CSRFTester
OWASP CSRFGuard 2.0
http://www.owasp.org/index.php/CSRFGuard
Request flow: User (Browser) → Add Token to HTML → Verify Token → Business Processing
• Adds token to:
  • href attribute
  • src attribute
  • hidden field in all forms
• Actions (when token verification fails):
  • Log
  • Invalidate
  • Redirect
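The token flow sketched on this slide, as an added Python illustration of the synchronizer-token pattern that CSRFGuard implements (this is not CSRFGuard's own Java code; the parameter name `OWASP_CSRFTOKEN`, the `Session` class and the `/error.html` redirect target are assumptions of the demo):

```python
import hmac
import logging
import re
import secrets
from dataclasses import dataclass, field

log = logging.getLogger("csrf-demo")
TOKEN_PARAM = "OWASP_CSRFTOKEN"  # parameter name is an assumption for this demo


@dataclass
class Session:
    """Server-side session holding one unpredictable per-session token."""
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    valid: bool = True


def add_token_to_html(html: str, session: Session) -> str:
    """Inject the token into href/src attributes and as a hidden field in every form."""
    def with_param(url: str) -> str:
        if re.match(r"^(https?:)?//", url):   # never append the token to other origins
            return url
        base, _, frag = url.partition("#")     # keep any fragment after the token
        sep = "&" if "?" in base else "?"
        return f"{base}{sep}{TOKEN_PARAM}={session.token}" + (f"#{frag}" if frag else "")

    html = re.sub(r'(href|src)="([^"]+)"',
                  lambda m: f'{m.group(1)}="{with_param(m.group(2))}"', html)
    hidden = f'<input type="hidden" name="{TOKEN_PARAM}" value="{session.token}">'
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + hidden, html, flags=re.I)


def verify_token(session: Session, params: dict, redirect_to: str = "/error.html"):
    """Return (allowed, redirect). A missing or wrong token triggers Log, Invalidate, Redirect."""
    supplied = params.get(TOKEN_PARAM, "")
    if session.valid and hmac.compare_digest(supplied.encode(), session.token.encode()):
        return True, None
    log.warning("CSRF token missing or invalid; invalidating session")  # action: Log
    session.valid = False                                                # action: Invalidate
    return False, redirect_to                                            # action: Redirect


if __name__ == "__main__":
    s = Session()
    page = '<a href="/transfer">Transfer</a><form action="/pay" method="post"></form>'
    print(add_token_to_html(page, s))
    print(verify_token(s, {TOKEN_PARAM: s.token}))
    print(verify_token(s, {TOKEN_PARAM: "forged"}))
```

Once a session has been invalidated, even the genuine token is rejected until a new session is created, which is the point of the Invalidate action.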
SDLC & OWASP Guidelines
OWASP
Framework
Want More?
• OWASP .NET Project
• OWASP ASDR Project
• OWASP AntiSamy Project
• OWASP AppSec FAQ Project
• OWASP Application Security Assessment Standards Project
• OWASP Application Security Metrics Project
• OWASP Application Security Requirements Project
• OWASP CAL9000 Project
• OWASP CLASP Project
• OWASP CSRFGuard Project
• OWASP CSRFTester Project
• OWASP Career Development Project
• OWASP Certification Criteria Project
• OWASP Certification Project
• OWASP Code Review Project
• OWASP Communications Project
• OWASP DirBuster Project
• OWASP Education Project
• OWASP Encoding Project
• OWASP Enterprise Security API
• OWASP Flash Security Project
• OWASP Guide Project
• OWASP Honeycomb Project
• OWASP Insecure Web App Project
• OWASP Interceptor Project
• OWASP JBroFuzz
• OWASP Java Project
• OWASP LAPSE Project
• OWASP Legal Project
• OWASP Live CD Project
• OWASP Logging Project
• OWASP Orizon Project
• OWASP PHP Project
• OWASP Pantera Web Assessment Studio Project
• OWASP SASAP Project
• OWASP SQLiX Project
• OWASP SWAAT Project
• OWASP Sprajax Project
• OWASP Testing Project
• OWASP Tools Project
• OWASP Top Ten Project
• OWASP Validation Project
• OWASP WASS Project
• OWASP WSFuzzer Project
• OWASP Web Services Security Project
• OWASP WebGoat Project
• OWASP WebScarab Project
• OWASP XML Security Gateway Evaluation Criteria Project
• OWASP on the Move Project
OWASP Research Grants
We support the
research that keeps
your organization
safe!
OWASP Projects Are Alive!
2009
…
2007
2005
2003
2001
How to participate?
Start your own project
The best OWASP projects are strategic: get the community involved / build a team
Contribute existing (open license)
Promotion!
‘Help’ an existing project
Questions and Answers
Download