world • OWASP is mostly associated with it … • but there are many more! As of 2016, there are 133 different projects, which can help you whether you are on attacker’s or defender’s parts of the barricades!
course to fly through and forget! Internal course that is free and isn’t a corpo- bullshit?! Cannot believe that… …arranging internal hands- on labs for developers and testers, where they can deeply understand vulnerabilities by finding and fixing them?
which allows you to test common vulnerabilities • 50+ lessons • After finding a vulnerability, learn to fix it! • Easy manageable lessons via plugins • You can create your own lessons and easily customize a content and language …or .Net-based: https://www.owasp.org/index.php/ WebGoatFor.Net WebGoat: few words about • A deliberately insecure Java-based (or .Net based: https://www.owasp.org/index.php/WebGoatFor.Net) application, which allows you to test common vulnerabilities • 50+ lessons • After finding a vulnerability, learn to fix it! • Easy manageable lessons via plugins • You can create your own lessons and easily customize a content and language
To start just follow these commands: $> wget https://github.com/WebGoat/WebGoat/releases/download /7.0.1/webgoat-container-7.0.1-war-exec.jar $> java -jar java -jar webgoat-container-7.0.1-war-exec.jar • Open in you browser: http://localhost:8080/WebGoat/ • That’s all!
• Each pentester uses many different applications (vuln scanner, web crawler, SSL/TLS tests, session management tests) • Running each of those tests consumes time, right? • It’s easy to automate those tasks, but analysing a consolidated output is much more difficult :( • And finally you have to form a readable report from all those tests… • …oooh… :(
time as efficient as possible. It’s done by: • Running different tools (Nikto/Arachni/w3af/etc) • Running direct tests (header searches/session tests/etc) • Knowledge repository (OWASP mapping/resource links) • Helping human analysis (flag severity/manage output) • In other words OWTF provides optimal balance between automation and human analysis OWTF: Idea of the project
(e.g. FTP/SMB ) assist manual testing searches on HTTP transactions test via 3rd parties (no traffic to target) Testing web apps Testing network services OWTF: Choose plugins and run!
your company. • Use OWASP OWTF to automate your penetration testing tasks. It allows you for easy test’s output analyse and create reports in a fast way. Summary
application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is. In short
Data protection • Session management • Error handling • Business logic • Configuration • Web services • 19 sections in total • Every chapter has control objective, reqs and references
developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications • Use as guidance - provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements • Use during procurement - provide a basis for specifying application security verification requirements in contracts
secure applications • Contains clear and ready-to-use high level checklists and use cases • Allows you as well as security services, vendors, and consumers to align requirements and offerings
developers in writing secure code and providing a knowledge base of secure design patterns • Zed Attack Proxy - easy to use integrated penetration testing tool for finding vulnerabilities in web applications, both automatically and manually • Cornucopia - mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.
card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic. Cornucopia is based on the concepts and game ideas from Microsoft SDL EoP game and OWASP Secure Coding Practices Guide. OWASP Cornucopia Ecommerce Website Edition is in the current Payment Card Industry Security Standards Council information supplement PCI DSS E-commerce Guidelines v2, January 2013 In short
prizes…) • Deal all the cards • Play a round – every player has to utilize one card of the selected suit. Highest played card in the suit wins and starts next round until all cards are played • Count points and define the winner • Closure: review all threats and matching security requirements https://www.owasp.org/index.php/OWASP_Cornucopia#tab=How_to_Play
out loud • explains how the threat could apply (or not) to his application • player gets a point for attacks that work, and the group thinks it is an actionable bug At this point we don’t think of mitigations and don’t exclude a threat just because it is believed it is already mitigated – the card should be recorded on the score sheet anyway
that uses the OWASP Application Security Verification Standard and code examples and can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3) „we decided to develop a proof of concept framework in order to create a guide system available for all developers so they can develop applications secure by design” In short http://secureby.design
Requirements ASVS for development and third party vendor applications • Security knowledge reference (code examples/ knowledge base items) • Security is part of design with the pre-development functionality in SKF • Security post-development functionality in SKF for verification with the ASVS
with Chef • AWS by using CloudFormation • … or manually as you would do with any other Python project: sudo pip install owasp-skf https://github.com/blabla1337/skf-flask#installing
pre-defined or custom checklists • ASVS-based checklists for different levels of criticality of the application are auto-generated after pre- development stage! • After providing answers to clear and simple questions, reports with failed items are ready to be downloaded and prioritized
profit!” • Multiple options of secure design patterns with examples • Gives a good understanding for developers not only about what to fix but also why to do so
patterns so far • Code examples with extensive comments provide ready-to-use solutions on how to do things right! • Currently supported languages: PHP, .NET and Java (soon ☺)
you can easily add your use-cases and adjust it as you like! • Checklists, knowledge base and code examples must follow the markdown and appear immediately in your panel Directory/path traversal <-- name as seen in the drop-down head ------- **Example:** <-- Bold separator telling where the example starts /* Your code has to indent the 4 spaces(tab) in order for the markdown engine to know it has to interpreted this as written code */
by design, not implementing afterwards • Security awareness • Will inform about threats even before one wrote a single line of code • Central place for security reference • Provides information applicable for specific needs on the spot
techniques and tools to create your own AppSec pipeline • Right now: AppSec pipeline patterns and tools https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
as a proxy • Explore the application manually • Use the spider to find other content and input points • See what security issues the passive scanner has found • Use the active scanner to find vulnerabilities • Do manual pentesting
scan • Simple inline security control • Mass scan of big number of targets • Post release (production) control Full scan • Regular heavy asynchronous scan • More power and integration into your infrastructure and processes
• Time limited spider of target • By default warns on all issues: – Missing / incorrect security headers like CSP – Cookie problems – Information / error disclosure – Missing CSRF tokens etc.
• zap.sh -daemon -host 0.0.0.0 -port 8080 • http(s)://zap/<format>/<component>/<operation>/< op name>[/?<params>] • Also available in Docker image owasp/zap2docker-* • Maps closely to the UI / code • JSON, HTML and XML formats • Clients in: Java, Python, NodeJS, .Net, PHP, Go ...
created to provide a concise collection of high value information on specific web application security topics» • You can browse it online or get as PDF book • Mostly fresh and actual topics https://www.owasp.org/index.php/Cheat_Sheets
code in a web application requires consideration for 3 risks in particular: • The loss of control over changes to the client application • The execution of arbitrary code on client systems • The disclosure or leakage of sensitive information to 3rd parties https://www.owasp.org/index.php/3rd_Party_Javascript_ Management_Cheat_Sheet
Data into JavaScript Data Values Except for alphanumeric characters, escape all characters less than 256 with the \xHH format to prevent switching out of the data value into the script context or into another attribute. https://www.owasp.org/index.php/XSS_(Cross_Site_Scrip ting)_Prevention_Cheat_Sheet
following options defined: • XML_PARSE_NOENT: Expands entities and substitutes them with replacement text • XML_PARSE_DTDLOAD: Load the external DT https://www.owasp.org/index.php/XML_External_Entity_ (XXE)_Prevention_Cheat_Sheet
tools and building your own AppSec pipeline • OWASP ZAP is one of such tools. Using it you can make manual pentest of web app or automate web app security testing in SDL • OWASP Cheat Sheets helps you in specific areas of application security
penetration testing framework which users can implement in their own organizations and • a "low level" penetration testing guide that describes techniques for testing most common web application and services security issues.
undertaken to build and operate a testing program on web apps. • Effective testing program: – People – Process – Technology • Testing just the technical implementation of an application will not uncover management or operational vulnerabilities that could be present
already been created and is in the deployment phase of its life cycle ineffective and cost-prohibitive practice • One of the best methods to prevent security bugs from appearing in production applications is to improve the SDLC by including security in each of its phases
security of mobile apps. It describes technical processes for verifying the controls listed in the MASVS • MSTG is meant to provide a baseline set of test cases for black-box and white-box security tests, and to help ensure completeness and consistency of the tests
good examples are MASVS and MSTG) • Due to a huge front of work every small help is valuable • Do something good today – contribute to OWASP Projects
SiteGround - Reliable hosting with speed, security, and support you can count on.
c0rdis
usanchuu
shinyasaita
_awache
jumtech
tsukuboshi
nrslib
hironobuiga
subroh0508
gawa
8maki
sonoda_mj
itouhi
khoart
techseoconnect
mza
cassininazir
mlcsv
kastner
oripsolob
tenderlove
jdejongh
dugsong
denniskardys
