AppsecEU09Poland_ProjectsStatus

Status of OWASP Projects –
May 2009
Dinis Cruz, Member of OWASP Board
Independent Consultant
OWASP
EU09 Poland
Dave Wichers
COO, Aspect Security
Volunteer Conferences Chair of OWASP
Member of OWASP Board
dave.wichers@aspectsecurity.com
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
OWASP Projects
OWASP AppSecEU09 Poland
OWASP GPC (Global Projects Committee)
Assessment Criteria V.2
- OWASP created the project assessment criteria to define the quality levels for OWASP projects, with the purpose of evaluating all OWASP projects. The overall goal is to ensure that OWASP projects maintain consistent quality levels.
- This benefits both the external audience and those working on projects. The criteria allow the external audience to determine the quality of any OWASP project they are considering.
- For project members, the criteria provide a method to measure the quality of their project in relation to other OWASP projects. Additionally, the criteria allow excellent contributions to be recognized and projects which need further work to be identified.
- Currently, OWASP projects fall into three primary categories:
  - Tools
  - Documents
  - Activities and Research
Assessing Projects
An OWASP project consists of two critical pieces:
- the project's health
- one or more project releases
Each of these pieces is reviewed with its own method.
Project Health Level (draft)
- Projects almost have a life of their own, beyond the releases they make. Multiple measures in combination make up a project's health:
  - Level 0 - a project that exists or is just beginning. It is either a project with no releases, or all releases are no more than Alpha quality.
  - Level 1 - a project that has a release at Beta quality. It is a project with a release that has been reviewed by at least one project leader, since Beta quality level is the minimum.
  - Level 2 - a project with at least some of the ratings of health. In general, it should have roughly half.
  - Level 3 - a project which has all the ratings of health. This level represents the healthiest state for an OWASP project.
- The exact meta-data used to determine project health has not yet been fully determined. Some, all or none of these may be used in the final version:
  - Number of releases, size of the project's community, industry participation, usability, number of participants, number of "stars" (the idea here is to have a rating system similar to what Amazon uses for books, etc.)
Assessing Project Releases
- For project releases, OWASP has created criteria with three designations of quality: Alpha, Beta and Stable releases.
- As project releases move up the quality ladder from Alpha to Beta and finally to a Stable release, the amount of rigour required increases.
  - Alpha release: The review consists of the Global Projects Committee (GPC) verifying that the project pre-assessment checklist is complete. Alpha releases are the easiest to achieve, since anyone with a start on a solution to an application security problem can self-assess their project against the pre-assessment checklist.
  - Beta release: The project lead completes the pre-assessment checklist. Then the review is first conducted by the project's reviewer. After the reviewer completes the review of the release, the GPC validates the project's review.
  - Stable release: The project lead completes the pre-assessment checklist. Then the two project reviewers complete their review of the release (more on this below). After the reviews are complete, the Global Projects Committee and OWASP Board validate the project's review.
Tool Assessment Criteria
Documents Assessment Criteria
Research and Activities Criteria
OWASP Season of Code 2009
OWASP Projects: Improve Quality and Support
- Define Criteria for Quality Levels
  - Alpha, Beta, Release
  - Global Projects Committee working on enhancements to the Alpha/Beta/Release structure
- Organizational Structure within Tools and Docs
  - PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.
  - DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.
  - LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).
Summer of Code: 2008
- OWASP Code review guide, V1.1
- The Ruby on Rails Security Guide v2
- OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)
- Internationalization Guidelines and OWASP-Spanish Project
- OWASP Application Security Desk Reference (ASDR)
- OWASP .NET Project Leader
- OWASP Education Project
- OWASP Testing Guide v3
- OWASP Application Security Verification Standard
- Online code signing and integrity verification service for open source community (OpenSign Server)
- Securing WebGoat using ModSecurity
- OWASP Book Cover & Sleeve Design
- OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief
- OWASP Access Control Rules Tester
- OpenPGP Extensions for HTTP - Enigform and mod_openpgp
- OWASP-WeBekci Project
- OWASP Backend Security Project
- OWASP Application Security Tool Benchmarking Environment and Site Generator refresh
- Teachable Static Analysis Workbench
- OWASP Positive Security Project
- GTK+ GUI for w3af project
- OWASP Interceptor Project - 2008 Update
- Skavenger
- SQL Injector Benchmarking Project (SQLiBENCH)
- OWASP AppSensor - Detect and Respond to Attacks from Within the Application
- OWASP Orizon Project
- OWASP Corporate Application Security Rating Guide
- OWASP AntiSamy .NET
- Python Static Analysis
- OWASP Classic ASP Security Project
- OWASP Live CD 2008 Project
OWASP Top 10
The Ten Most Critical Web Application Security Vulnerabilities, 2007 Release
- A great start, but not a standard
- 4th version of the Top 10: 2009 coming soon (Target Nov 2009)
OWASP Top Ten (2007 Edition)
http://www.owasp.org/index.php/Top_10
The ‘Big 4’ Documentation Projects + 1 new
- ASVS
- Building Guide
- Code Review Guide
- Testing Guide
- Application Security Desk Reference (ASDR)
Developer Guide
- The First OWASP ‘Guide’
- Complements OWASP Top 10
- 310p Book
- Many contributors
- Apps and web services
- Most platforms
  - Examples are J2EE, ASP.NET, and PHP
- Comprehensive
- Project Leader and Editor: Andrew van der Stock, vanderaj@owasp.org
Code Review Guide
- Most comprehensive open source secure code review guide on the web
- Under development for 3 years
- Version 1.1 produced during 2008 Summer of Code
- Numerous contributors
- But still not complete (may never be)
Testing Guide
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection
http://www.owasp.org/index.php/TestingGuide
What is the OWASP Testing Guide?
- V2: 8 sub-categories (for a total of 48 controls)
- V3: 10 sub-categories (for a total of 66 controls)
- 36 new articles!
Structure:
- Testing Principles
- Testing Process
- Custom Web Applications
- Black Box Testing
- Grey Box Testing
- Risk and Reporting
- Appendix: Testing Tools
- Appendix: Fuzz Vectors
- Encoded Appendix
V3 sub-categories:
- Information Gathering
- Config. Management Testing
- Business Logic Testing
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Data Validation Testing
- Denial of Service Testing
- Web Services Testing
- Ajax Testing
Application Security Desk Reference (ASDR)
- Basic reference material on application security terminology
- Serves as the foundation definition or description of many topics covered by the OWASP Development, Code Review, and Testing Guides, and the ASVS
- ASDR Contents
  - Section 1: Principles
  - Section 2: Threat Agents
  - Section 3: Attacks
  - Section 4: Vulnerabilities
  - Section 5: Controls
  - Section 6: Technical Impacts
  - Section 7: Business Impact
http://www.owasp.org/index.php/ASDR
New ‘Cheat Sheet’ Series
- XSS Prevention Cheat Sheet
  - www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
- SQL Injection Prevention Cheat Sheet
  - http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
- More … ???
  - CSRF Prevention
  - Clickjacking Prevention
XSS Prevention Cheat Sheet
#1: HTML Element Content (e.g., <div> some text to display </div> )
    & < > "  ->  &entity;   and   ' /  ->  &#xHH;
#2: HTML Attribute Values (e.g., <input name='person' type='TEXT' value='defaultValue'> )
    All non-alphanumeric > 256  ->  &#xHH;
#3: JavaScript Data (e.g., <script> some javascript </script> )
    All non-alphanumeric > 256  ->  \xHH
#4: HTML Style Property Values (e.g., .pdiv a:hover {color: red; text-decoration: underline} )
    All non-alphanumeric > 256  ->  \HH
#5: URI Attribute Values (e.g., <a href="javascript:toggle('lesson')" )
    All non-alphanumeric > 256  ->  %HH
ALL other contexts CANNOT include Untrusted Data
Recommendation: Only allow #1 and #2 and disallow all others
See: www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for more details
OWASP Application Security Verification Standard (ASVS)
OWASP’s 1st Standard
Defines 4 Verification Levels:
- Level 1: Automated Verification
  - Level 1A: Dynamic Scan
  - Level 1B: Source Code Scan
- Level 2: Manual Verification
  - Level 2A: Penetration Test
  - Level 2B: Code Review
- Level 3: Design Verification
- Level 4: Internal Verification
What Questions Does ASVS Answer?
- How can I compare verification efforts?
- What security features should be built into the required set of security controls?
- What are reasonable increases in coverage and level of rigor when verifying the security of a web application?
- How much trust can be placed in a web application?
Software Assurance Maturity Model (SAMM)
- The 4 Disciplines are high-level categories for activities
- Three security Functions under each Discipline are the specific silos for improvement within an organization
Disciplines: Alignment & Governance; Requirements & Design; Verification & Assessment; Deployment & Operations
[Diagram: Disciplines and their Functions]
OWASP CLASP
- Comprehensive, Lightweight Application Security Process
  - Prescriptive and Proactive
  - Centered around 7 AppSec Best Practices
  - Covers the entire software lifecycle (not just development)
- Adaptable to any development process
- CLASP defines roles across the SDLC
- 24 role-based process components
- Start small and dial in to your needs
OWASP Education Project (Beta)
- Aims to provide building blocks of web application security information. Modules can be combined together in education tracks targeting different audiences.
- http://www.owasp.org/index.php/Education
- Core resources produced to date
  - All OWASP Videos: http://www.owasp.org/index.php/Videos
  - All OWASP Presentations: http://www.owasp.org/index.php/OWASP_Education_Presentation
  - Two Primers:
    - http://www.owasp.org/index.php/Education_Track:_Web_Application_Security_Primer
    - http://www.owasp.org/index.php/Education_Track:_What_Developers_Should_Know_on_Web_Application_Security
OWASP Tools and Technology
Categories: Automated Security Verification; Manual Security Verification; Secure Coding; AppSec Management; AppSec Education; Security Architecture
• Vulnerability Scanners
• Static Analysis Tools
• Fuzzing
• Penetration Testing Tools
• Code Review Tools
• ESAPI
• AppSec Libraries
• ESAPI Reference Implementation
• Guards and Filters
• Reporting Tools
• Flawed Apps
• Learning Environments
• Live CD
• SiteGenerator
OWASP WebGoat – 5.2
OWASP WebScarab – WebScarab-NG – New Proxy Engine
OWASP CSRFTester
OWASP CSRFGuard 2.0
[Diagram: User (Browser) -> OWASP CSRFGuard: Verify Token -> Business Processing -> Add Token to HTML -> User (Browser)]
- Adds token to:
  - href attribute
  - src attribute
  - hidden field in all forms
- Actions:
  - Log
  - Invalidate
  - Redirect
http://www.owasp.org/index.php/CSRFGuard
OWASP AntiSamy – Safe Rich Input Validation
- AntiSamy
  - Uses a positive security model for rich input validation
  - High assurance mechanism against XSS (and phishing) attacks
  - Java and .NET
  - Now built into ESAPI
- Slashdot - links, markup
- eBay - links, markup, images, etc.
- MySpace - links, markup, images, stylesheets, etc. (samy)
http://www.owasp.org/index.php/AntiSamy
OWASP Enterprise Security API (ESAPI)
[Diagram: Custom Enterprise Web Application -> Enterprise Security API -> Existing Enterprise Security Services/Libraries]
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
ESAPI Progress Since Last OWASP EU Conf.
- Continuous improvements since last EU conference
  - ESAPI Swingset sample app, Javadoc Overhaul
  - Overhaul of Canonicalization reference implementation
- Other languages now being supported!!
  - Started
  - Starting this summer (OWASP intern)
- ESAPI Summit Held Dec 9-11, 2008 (16 attendees)
ESAPI Adopters and Supporters
Many unnamed financial orgs…
ESAPI 2.0 Release Coming Soon!
- The ESAPI Summit sparked more changes
  - Logging: API simplification, Log4j, improved messages
  - Access Control: Strategy pattern for extensibility, simplified policy
  - Input Validation: Strategy pattern for extensibility
  - XSS Defenses: Direct support for http://www.owasp.org/index.php/XSS_Prevention
  - Maven and Hudson Environment: Continuous integration, dependency management
  - Internationalization
  - ESAPI WAF!!
- All in Java 2.0 RC1 being released soon
Live CD
Project that collects some of the best open source security projects in a single environment
http://www.owasp.org/index.php/LiveCD
Users can boot from the Live CD and immediately start using all tools without any configuration
Available Tools
25 “significant” tools:
- OWASP WebScarab v20090122
- OWASP WebGoat v5.2
- OWASP CAL9000 v2.0
- OWASP JBroFuzz v1.2
- OWASP DirBuster v0.12
- OWASP SQLiX v1.0
- OWASP WSFuzzer v1.9.4
- OWASP Wapiti v2.0.0-beta
- Paros Proxy v3.2.13
- nmap & Zenmap v4.76
- Wireshark v1.0.5
- Firefox 3.06 + 25 addons
- Burp Suite v1.2
- Grendel Scan v1.0
- Metasploit v3.2 (svn)
- w3af + GUI svn r2161
- Netcats – original + GNU
- Nikto v2.03
- Fierce Domain Scanner v1.0.3
- Maltego CE v2-210
- Spike Proxy v1.4.8-4
- Rat Proxy v1.53-beta
- tcpdump v4.0.0
- Httprint v301
- SQLBrute v1.0
- sqlmap v0.7-rc1 now included!
OWASP Code review tools
- Code Crawler (Alessio Marziali)
- Orizon Framework (Paulo Prego)
- LAPSE (Inactive) (Ben Livshits, Stanford Project)
Want More?
- OWASP .NET Project
- OWASP ASDR Project
- OWASP AntiSamy Project
- OWASP AppSec FAQ Project
- OWASP Application Security Assessment Standards Project
- OWASP Application Security Metrics Project
- OWASP Application Security Requirements Project
- OWASP CAL9000 Project
- OWASP CLASP Project
- OWASP CSRFGuard Project
- OWASP CSRFTester Project
- OWASP Career Development Project
- OWASP Certification Criteria Project
- OWASP Certification Project
- OWASP Code Review Project
- OWASP Communications Project
- OWASP DirBuster Project
- OWASP Education Project
- OWASP Encoding Project
- OWASP Enterprise Security API (ESAPI)
- OWASP Flash Security Project
- OWASP Guide Project
- OWASP Insecure Web App Project
- OWASP Interceptor Project
- OWASP JBroFuzz
- OWASP Java Project
- OWASP LAPSE Project
- OWASP Legal Project
- OWASP Live CD Project
- OWASP Logging Project
- OWASP Orizon Project
- OWASP PHP Project
- OWASP Pantera Web Assessment Studio Project
- OWASP SASAP Project
- OWASP SQLiX Project
- OWASP SWAAT Project
- OWASP Sprajax Project
- OWASP Testing Project
- OWASP Tools Project
- OWASP Top Ten Project
- OWASP Validation Project
- OWASP WASS Project
- OWASP WSFuzzer Project
- OWASP Web Services Security Project
- OWASP WebGoat Project
- OWASP WebScarab Project
- OWASP XML Security Gateway Evaluation Criteria Project
- OWASP on the Move Project
OWASP Projects Are Alive!
[Timeline: 2001, 2003, 2005, 2007, …, 2009]
Get Involved
WWW.OWASP.ORG
Dave Wichers
OWASP Foundation, Board Member
dave.wichers@owasp.org / 443 745-6268