to IT across multiple roles (System Administration, Development, Network Engineering, Support Operations, Implementation)
• Worked for top global companies across multiple sectors (Healthcare, Finance, Information Services, Government, Telecommunications, Banking, Consumer Electronics, Hospitality (F&B, Hotel, Tourism), BPO, Shared Service Models)
• Founder, CEO at VerSprite, Inc.
in AppSec
• Isolated SDLC efforts
• Anti-security culture
• Expanding heterogeneous tech stack
• Decentralizing management
• Security is not built into IT functions early on
• Targeted attacks
• Open intel on application components
Sound Solutions
• Establish governance
• Security requirements & resources
• Implementation of S-SDLC
• Use security frameworks
• Test, and test early
• Track defects
• Community driven; 11 years old
• Dedicated to openness of all content & materials
• International community focused on AppSec
• Cross-cultural, cross-industry related challenges exposed and addressed
• Massively supportive and responsive
• Follow @OWASP (local to ATL? > @OWASPATL)
finances to our code.
• INNOVATION – encourages innovation for solutions to software security challenges.
• GLOBAL – truly a global community.
• INTEGRITY – truthful, vendor neutral, global community.
Security Verification Standard (ASVS) defines a standard for conducting app sec verifications.
• Covers automated and manual approaches for external testing and code review techniques
• Recently created and already adopted by several companies and government agencies
Benefits
• Standardizes the coverage and level of rigor used to perform app sec assessments
• Allows for better comparisons
http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
broad consensus of what the most critical web application security flaws are.
• Adopted by the Payment Card Industry (PCI)
• Recommended as a best practice by many government and industry entities
Benefits
• Powerful awareness document for web application security
• Great starting point and reference for developers
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
Benefits
• Evaluate your organization's existing software security practices
• Build a balanced software security program in well-defined iterations
• Demonstrate concrete improvements
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
or Roadmap
• Establish governance
• Perform against assessments
• Test and report
• Enhance security operations
Building a S-SDLC Initiative
• Measures success/shortcomings
• Provides metrics for reporting
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
with online payment card transactions. Dell uses OWASP’s Software Assurance Maturity Model (OpenSAMM) to help focus our resources and determine which components of our secure application development program to prioritize. Participation in OWASP’s local chapter meetings and conferences around the globe helps us build stronger networks with our colleagues. (Michael J. Craigue, Information Security & Compliance, Dell, Inc.)
of OWASP Countermeasures
OWASP Top Ten
• Ranks top web app related risks
• Serves as a good scope for initial testing
Develop
OWASP Code Review
• Methodology for source code reviews
OWASP Development Guide
• Establishes a process for secure development efforts across various SDLCs
OWASP Cheat Sheet Series
OWASP Countermeasures
• OWASP CSRFGuard
• OWASP AntiSamy
Test
OWASP Zed Attack Proxy
• Test against OWASP Top Ten
• Use in conformance to the Testing Guide
OWASP YASCA
• Leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan
may seem obvious, but if you have a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys:

https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376

In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe.

https://example.com/invoice/2362365

In this case, it would be possible to get a copy of all invoices. Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010.

Java Regex Usage Example
Example validating the parameter “zip” using a regular expression.

    import java.io.IOException;
    import java.util.regex.Pattern;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Anchored pattern: five digits, optionally followed by "-" and four more digits.
    // In a Java string literal the backslash itself must be escaped, hence "\\d".
    private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        try {
            String zipCode = request.getParameter("zip");
            // getParameter() returns null when the parameter is absent; treat that as invalid
            // rather than letting matcher() throw a NullPointerException.
            if (zipCode == null || !zipPattern.matcher(zipCode).matches()) {
                throw new YourValidationException("Improper zipcode format.");
            }
            // .. do what you want here, after it's been validated ..
        } catch (YourValidationException e) {
            // YourValidationException stands for the application's own checked exception type.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
        }
    }
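The transfer URL above is only safe if the server ties the account ID in the request back to the identity in the server-side session. The following is an added example, not code from the slides or from any OWASP project, showing that object-level check in plain Java. The class name, the in-memory ownership table and balances, and the user names are constructed for the demonstration; a real service would look ownership up in its data store.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Constructed demonstration of an insecure-direct-object-reference check:
// the caller may only transfer out of an account that the authenticated
// principal actually owns. The principal comes from the server-side session,
// never from a request parameter the client can edit.
public class AccountAccessControl {

    // Constructed sample data: account IDs each user owns, and balances in cents.
    private final Map<String, Set<String>> ownedAccounts = new HashMap<>();
    private final Map<String, Long> balances = new HashMap<>();

    public AccountAccessControl() {
        ownedAccounts.put("alice", new HashSet<>(Set.of("325365436")));
        ownedAccounts.put("bob", new HashSet<>(Set.of("473846376")));
        balances.put("325365436", 500_00L);
        balances.put("473846376", 100_00L);
    }

    // The missing check from the slide: is fromAccount one of this user's accounts?
    public boolean mayTransferFrom(String authenticatedUser, String fromAccount) {
        Set<String> owned = ownedAccounts.get(authenticatedUser);
        return owned != null && owned.contains(fromAccount);
    }

    // Authorization runs before any state change; the remaining checks are
    // ordinary business validation (positive amount, known accounts, funds available).
    public boolean transfer(String authenticatedUser, String fromAccount,
                            String toAccount, long amountCents) {
        if (!mayTransferFrom(authenticatedUser, fromAccount)) {
            return false; // deny: caller does not own the source account
        }
        if (amountCents <= 0) {
            return false;
        }
        Long from = balances.get(fromAccount);
        Long to = balances.get(toAccount);
        if (from == null || to == null || from < amountCents) {
            return false;
        }
        balances.put(fromAccount, from - amountCents);
        balances.put(toAccount, to + amountCents);
        return true;
    }

    public long balanceOf(String account) {
        return balances.get(account);
    }

    public static void main(String[] args) {
        AccountAccessControl acl = new AccountAccessControl();
        // Session says "bob", but the request names alice's account as the source:
        // the ownership check denies it regardless of any token in the URL.
        System.out.println("bob moving funds out of 325365436 accepted: "
                + acl.transfer("bob", "325365436", "473846376", 100_00L));
        // Session says "alice" and the source account is hers: allowed.
        System.out.println("alice moving funds out of 325365436 accepted: "
                + acl.transfer("alice", "325365436", "473846376", 100_00L));
        System.out.println("balance of 325365436: " + acl.balanceOf("325365436"));
    }
}
```

The point of keying the lookup on the session identity is the one the slide makes: a random token in the URL does not help, because the token proves the request is well-formed, not that the caller is entitled to the object it names.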
user-supplied HTML/CSS is compliant with the application's rules.
• API plus implementations
• Java, .Net, ColdFusion, PHP (HTMLPurifier)
Benefits
• It helps you ensure that clients don't supply malicious code into your application
• A safer way to allow for rich content from an application's users
http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated.
• Java, .Net and PHP implementations
• CSRF is considered the app sec sleeping giant
Benefits
• Provides code to generate unique request tokens to mitigate CSRF risks
http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
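To show what "unique request tokens" means in practice, here is an added example in plain Java; it is not CSRFGuard's own code and does not use its API. The class name and the simulated session value are constructed for the demonstration; in a servlet the issued token would live in the HttpSession and be emitted as a hidden form field, and the validation would run in the POST handler before any state change.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Constructed demonstration of per-session anti-CSRF tokens: a token is
// unpredictable (SecureRandom), bound to the server-side session, and compared
// in constant time. A forged cross-site request cannot read the victim's token,
// so it cannot supply a matching value.
public class CsrfTokenDemo {

    private static final SecureRandom RNG = new SecureRandom();

    // Issue a fresh 256-bit token. The caller stores it server-side (session) and
    // embeds the same value in each form the session renders.
    public static String issueToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Validate the value submitted with a state-changing request against the
    // session copy. MessageDigest.isEqual runs in constant time, so response timing
    // does not reveal how many leading bytes of the token were correct.
    public static boolean isValid(String sessionToken, String submittedToken) {
        if (sessionToken == null || submittedToken == null) {
            return false; // no token issued, or request arrived without one
        }
        return MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Simulated session: the token issued when the user's session was created.
        String sessionToken = issueToken();

        // Legitimate form post: the hidden field carries the session's token.
        System.out.println("same-session form post accepted: "
                + isValid(sessionToken, sessionToken));
        // Cross-site request: the forging page cannot see the token, so none is sent.
        System.out.println("request without token accepted: "
                + isValid(sessionToken, null));
        // A token from some other session does not match this one.
        System.out.println("token from another session accepted: "
                + isValid(sessionToken, issueToken()));
    }
}
```

Two design choices matter here: the token must come from a cryptographically secure generator (java.util.Random would be predictable), and validation must be applied to every state-changing request, not only to the ones that happen to render a form.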
free and open collection of all the security methods that a developer needs to build a secure web application.
• API is fully documented and online
• Implementations in multiple languages
Benefits
• Provides a great reference
• Implementation can be adapted/used directly
• Provides a benchmark to measure frameworks
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
implementation often goes bad. The tool highlights:
• Known vulnerabilities in the environment
• Basic stats on SSH keys deployed
• Specific violations of best current practices
http://www.ssh.com/products/crypto-auditor (Free upon fake registration)
based tool (https://code.google.com/p/leak-finder-for-javascript/) helps web application developers find memory leaks in their JavaScript programs.
• In garbage-collected languages, such as JavaScript, you cannot have traditional memory leaks by forgetting to free memory: when all references to an object are dropped, the object is garbage-collected and the memory is freed.
• However, JavaScript programs can leak memory by unintentionally retaining references to objects.
• EX: JavaScript library Closure
Fiddler2 extension for fuzzing web apps (inspired by the Intruder feature in BurpSuite)
• Great tool for fuzzing, selecting automatic payloads (SQLi, XSS, etc)
http://yamagata.int21h.jp/tool/BurplikeInspector/BurplikeInspector-ver0_02.zip
brute-forcer
• Demonstrates the importance of choosing strong passwords
Current features:
• Basic Authorization & FORM support
• HTTP/SOCKS 4 and 5 proxy support
• FORM auto-detection & manual FORM input configuration
• Multi-threaded
• Integrated proxy randomization to defeat certain protection mechanisms
• Wordlist shuffling via macros
• Advanced coding and timeout settings make it outperform any other brute forcer
http://myproxylists.com/nix-brute-force
• Ease of use a priority
• Comprehensive help pages
• Free, open source
• Cross platform
• A fork of the well regarded Paros Proxy
• Involvement actively encouraged
• Adopted by OWASP October 2010
web app pentest tool ;)
• Ideal for appsec newcomers
• Ideal for training courses
• Being used by professional pen testers
• Easy to contribute to (and please do!)
• Improving rapidly
international user base
• The potential to reach people new to OWASP and appsec, especially developers and functional testers
• ZAP is a key OWASP project
• Security Tool of the Year 2013
• BeEF – Browser Exploitation Framework (http://www.bindshell.net/tools/beef.html)
• Metasploit – http://www.metasploit.com/
• Kali – http://www.kali.org/
• Burp – http://portswigger.net/burp/
• Recon-ng – full featured web recon framework tool that is text based and written in Python: https://bitbucket.org/LaNMaSteR53/recon-ng
• Twitter? Yes, Twitter, 2nd to Google, is hacker’s paradise
security program development/management
• Do NOT make your security program free and open; keep it close to the vest
• Keeping abreast of security news is a must – ever changing threat landscape
• Need to tell management that security is a process, not a one-time mountain climb. Keeping executive support for security is the most important thing for the longevity of your security program.
• Diversify your security program.