"Intro presentation about OWASP Russia", Alexander Antukh

Transcript

1. Why is it cool to join OWASP Russia? Alexander Antukh

   06/12/2014

2. OWASP Open Web Application Security Project … an open community

   dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

3. OWASP Core Values OPEN INNOVATION GLOBAL INTEGRITY

4. OWASP by the numbers • 400 000+ unique visitors per

   month • 170+ active projects • 198 active chapters (102 countries) • 43 000+ participants mailing lists • 90 government and industry citations CIS, ISO, NIST, SANS, IEEE, W3C, PCI SSC…

5. What‘s OWASP for you? • Web application security wiki •

   Useful security tools and best practices ready to be implemented • All kinds of actual projects to work in • Way to extend your expertise (and earn CPEs:) • Career growth, complement to CV • Traveling and chatting to other OWASP Chapters

6. What‘s OWASP for you? • OWASP Top 10 • OWASP

   Testing Guide • OWASP Secure Coding Practices • OWASP Zed Attack Proxy • OWASP CSRFGuard • OWASP Mantra Security Framework • OWASP Antisamy • …

7. The value of volunteerism

8. OWASP Russia • Started in 2012 • Principal open security

   project • Best security practices • Supported by global community o Joint conferences o Coworking o Experience sharing • Translations/projects/meetups/ideas https://www.owasp.org/index.php/Russia

9. How to participate? • Volunteering o Projects o Documentation o

   Translations o Administrative work • Discussions / new ideas • Sponsorship • Presentations • Events organization

10. OWASP Russia Current project: OWASP Secure Configuration Guide https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide

11. Misconfiguration We are surrounded by security software, using standard crypto

    algorithms and trying to avoid writing custom code when creating a new web application as much as possible. Nevertheless, even by using those listed above, a lot of web applications/services are still insecure. No, I don’t mean 0-days now. It’s much simpler, yet a significant problem nowadays.

12. Misconfiguration “Citing numbers from Gartner, he said that 95 percent

    of firewall breaches are caused by misconfigurations of security tools. In addition, Hossein said that by 2015, the number of network connections per second will grow 3,000 percent, and that more than 100,000 new security threats are found every day” [1] [1] http://www.techweekeurope.co.uk/workspace/cisco-security-aci-fabric-131323
13. None

14. Misconfiguration The first step is to create a hardening guideline

    for your particular web server and application server configuration. This configuration should be used on all hosts running the application and in the development environment as well. [1] The hardening guideline should include the following topics: • Configuring all security mechanisms HOW? • Turning off all unused services WHY? • Setting up roles, permissions, and accounts, including disabling all default accounts or changing their passwords WHERE? [1] https://www.owasp.org/index.php/Insecure_Configuration_Management

15. Motivation There is an excellent OWASP Testing guide project which

    is intensively used by penetration testers throughout the world. Although the initial idea to describe everything seemed to be intimidating, the guys really did it well, and now this is undoubtful pearl in context of Web App Security on the Internet. We would like to make a great complement of the Testing guide, a unified and as complete as possible document on the Internet which will be useful for both defenders and attackers.

16. What‘s the problem with current configuration guides? • General words

    • “Use patches” • “Don’t use default passwords” • “Harden your configuration” • “Don’t be dumb” • Many scattered pages on OWASP with little information • Not clear how to use existing guides for specifically this piece of software/service

17. Attacker‘s point • I have a clear, unified guide on

    misconfigurations and I don’t have to spend hours looking for relevant information • I can better understand specifics of target framework/service (and not just be doing what they say) • I know what common configuration issues exist and how to test for them http://bit.ly/1vIwrFO

18. Defender‘s point http://bit.ly/1vIwrFO • I have a clear, unified guide

    on misconfigurations and I don’t have to spend hours looking for relevant information • I can better understand specifics of target framework/service (and not just be doing what they say) • I know what common configuration issues exist and how to avoid them

19. Join us and let’s make history! https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide