
Open Web Application Security Project

Ralf Durkee
Rochester OWASP Chapter Leader

Andrea Cogliati
OWASP Rochester Web and Communications

Copyright © The OWASP Foundation


Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation


http://www.owasp.org
What is OWASP?

Open Web Application Security Project

A worldwide free and open community focused on improving the security of application software
Promotes secure software development
Oriented to the delivery of web-oriented services
An open forum for discussion
A free resource for any development team

OWASP 2
What is OWASP?

Open Web Application Security Project

Non-profit (501c3), volunteer-driven organization
  - All members are volunteers (save 4 employees)
  - All work is donated by volunteers and sponsors
Provide free resources to the community
  - Publications, Articles, Standards
  - Testing and Training Software
  - Local Chapters & Mailing Lists
Supported through sponsorships
  - Corporate support through financial or project sponsorship
  - Personal sponsorships from members
OWASP Principles

Free & Open

Governed by rough consensus & running code
Abide by a code of ethics (see ethics)
Not-for-profit
Not driven by commercial interests
Risk-based approach
OWASP Code of Ethics

- Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles
- Promote the implementation of, and compliance with, standards, procedures and controls for application security
- Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities
- Discharge professional responsibilities with diligence and honesty
- Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association
- Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers
OWASP Organization

Global Board
Global Committees
  - Education
  - Chapters
  - Conferences
  - Industry
  - Projects & Tools
  - Membership
Employees
Volunteers
OWASP Membership

Membership category               Annual membership fee
Individual Supporters             $50
Organization Supporters           $5,000
Accredited University Supporters  FREE (in exchange for meeting space at least 2x per year)

Membership fees:
  - Fund OWASP speakers via OWASP On the Move
  - Fund Season of Code projects
  - Help support local chapters
OWASP Goals: Improve Quality and Support

Define Criteria for Quality Levels
  - Alpha, Beta, Release
Encourage Increased Quality
  - Through Season of Code funding and support
  - Produce professional OWASP books
Provide Support
  - Full time executive director (Kate Hartmann)
  - Full time project manager (Paulo Coimbra)
  - Half time technical editor (Kirsten Sitnick)
  - Half time financial support (Alison Shrader)
  - Looking to add programmers (interns and professionals)
OWASP Resources and Community

OWASP Conferences (2008-2009)

[World map of OWASP conferences from Feb 2008 through Sep 2009: Gold Coast, Brussels, Minnesota, NYC, Poland, Denver, Portugal, San Jose, Israel, Taiwan, India]
Rochester Security Summit

The Rochester Security Summit is a community focal point for education and awareness in collaboration with higher education, business and industry partners, held during National Cyber Security Awareness Month
Area collaboration partners include:
  - The Rochester Chapter of the Information Systems Security Association (ISSA)
  - University of Rochester Information Technology Office
  - Rochester Cyber Safety and Ethics Initiative
  - ISACA
  - OWASP
  - Area businesses and organizations
Oct 28-29, 2009 at The Woodcliff Hotel & Spa Conference Center in Fairport, NY
http://rochestersecurity.org
Major initiatives:

[Word cloud of OWASP initiatives: Top 10, Guide, CLASP, Training, Ajax, Conferences, J2EE, WebGoat, .NET, Building our brand, Chapters, Testing Project, incubator, WebScarab, Wiki portal, Validation, Forums, Certification, Blogs, and "Yours!"]
OWASP Publications

Major Publications
  - Top 10 Web Application Security Vulnerabilities
  - Guide to Building Secure Web Applications
  - Legal Project
  - Code Review Guide
  - Testing Guide
  - AppSec FAQ
  - Software Assurance Maturity Model
  - Application Security Verification Standards
Organizing the Big 4

Building Guide | Code Review Guide | Testing Guide

Application Security Desk Reference (ASDR)
OWASP Publications

Common Features
All OWASP publications are available free for download from http://www.owasp.org
Publications are released under an approved free license
Living Documents
  - Updated as needed
  - Ongoing projects
OWASP publications feature collaborative work in a competitive field
OWASP Publications – OWASP Top 10

Top 10 Web Application Security Vulnerabilities

A list of the 10 most severe security issues
Updated every few years
Addresses issues with applications on the perimeter
Growing industry acceptance
  - Federal Trade Commission (US Gov)
  - US Defense Information Systems Agency
  - VISA (Cardholder Information Security Program)
  - Referenced by PCI-DSS standard
Strong push to present as a standard
OWASP Publications - OWASP Top 10

Current Top Ten Issues (2007)

A1. Cross Site Scripting (XSS)
A2. Injection Flaws
A3. Malicious File Execution
A4. Insecure Direct Object Reference
A5. Cross Site Request Forgery (CSRF)
A6. Information Leakage and Improper Error Handling
A7. Broken Authentication and Session Management
A8. Insecure Cryptographic Storage
A9. Insecure Communications
A10. Failure to Restrict URL Access
OWASP Publications - OWASP Guide

Guide to Building Secure Web Applications

Provides a baseline for developing secure software
  - Introduction to security in general
  - Introduction to application-level security
  - Discusses key implementation areas
    - Architecture
    - Authentication
    - Session Management
    - Access Controls and Authorization
    - Event Logging
    - Data Validation
Under continuous development
OWASP Software

Common Features
All OWASP software is provided free for download from http://www.owasp.org
Software is released under an approved free license
Active Projects
  - Updated as needed
  - Ongoing projects
  - Many maintainers and contributors
OWASP software is free for download and can be used by individuals or businesses
OWASP Software - WebGoat

WebGoat
Primarily a training application
Provides
  - An educational tool for learning about application security
  - A baseline to test security tools against (i.e. known issues)
What is it?
  - A J2EE web application arranged in "Security Lessons"
  - Based on Tomcat and JDK 1.5
  - Oriented to learning
    - Easy to use
    - Illustrates credible scenarios
    - Teaches realistic attacks, and viable solutions
OWASP Software - WebGoat

WebGoat – What can you learn?

A constantly growing number of attacks and solutions
  - Cross Site Scripting
  - SQL Injection Attacks
  - Thread Safety
  - Field & Parameter Manipulation
  - Session Hijacking and Management
  - Weak Authentication Mechanisms
  - Many more attacks added
Getting the Tools
  - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  - Simply download, unzip, and execute the jar file.
OWASP Software - WebScarab

WebScarab
A framework for analyzing HTTP/HTTPS traffic
Web proxy written in Java
Multiple Uses
  - Developer: debug exchanges between client and server
  - Security Analyst: analyze traffic to identify vulnerabilities
Technical Tool
  - Focused on software developers
  - Extensible plug-in architecture
  - Open source
  - Very powerful tool
Getting the Tool
  - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
OWASP Software - WebScarab

WebScarab - What can it do?

Features
  - Fragment Analysis – extracts scripts and HTML as they are delivered to the browser, rather than the rendered DOM the browser presents after processing them
  - Proxy – observes traffic between the browser and server, with the ability to modify data in transit, expose hidden fields, and simulate limited bandwidth
  - Manual Intercept – allows the user to modify HTTP and HTTPS requests and responses on the fly, before they reach the server or browser
  - Spider – identifies new URLs within each page viewed
  - SessionID Analysis – collection and analysis of cookies to determine the predictability of session tokens
  - Much more…
OWASP Local Chapters

Building Communities
Local chapters provide opportunities for OWASP members to share ideas and learn about information security
Open to all; any level of proficiency
Provide a forum to discuss issues, latest research, and experiences
Provide a venue for invited guests to present new ideas and projects
OWASP Rochester Chapter

Rochester Chapter
Chapter started 2004, by Ralph Durkee
Chapter Web site: http://www.owasp.org/rochester
Current Board:
  - President: Ralf Durkee
  - Vice President: Chris Karr
  - Secretary and Treasurer: Steve Buck
  - Web and Communications: Andrea Cogliati
Monthly Meetings & Presentations
Mailing Lists
Vendor Neutral Environments
Open Forums for Discussion
OWASP Rochester Chapter Meetings

Formal meeting with presentations on odd-numbered months
  - Currently held at Bryant & Stratton College, 1225 Jefferson Rd (near I-390), Rochester, NY
  - Generally 3rd Monday of each month
  - Next Meeting May 18th
    - Key Management Issues by Lou Leone
  - Food often provided by sponsors
  - Questions and discussion afterwards
  - Join the mailing lists for meeting announcements, as dates and locations sometimes have to change
OWASP Rochester Chapter Meetings

Informal social gatherings on even-numbered months
  - Gatherings for beer, food and informal discussion
  - An open environment for discussion of information security suitable for novices, professionals, and experts
  - Next would be June 15th
  - Currently gathering at
    - Mac Gregor's Grill & Tap Room
    - 300 Jefferson Rd (near RIT)
  - Each pays for the beverage and food they order
OWASP Rochester Chapter Mailing Lists

2 Rochester Chapter Mailing Lists

Rochester Announcement Only List
  - Need to be subscribed to receive Rochester chapter meeting and organizational announcements
  - Closed list, only used by the Rochester Chapter Board
Rochester Discussion List
  - Highly recommended
  - Used for chapter discussions and questions
  - Currently very low traffic
  - All mailing list members may post to the list
  - A couple of basics: keep it professional; no sales or marketing materials
OWASP Local Chapters

Vendor Neutral Environments

Learn about security without the sales pitches
Strict guidelines for chapter presentations and sponsorship
  - All sponsors must be approved
  - No product presentation may take place at any meeting of a local chapter
  - Presentations that focus on a problem or set of problems and discuss solution approaches that may refer to or show examples of various products are allowed
  - Sponsorship shall be in the form of donations to The OWASP Foundation in the name of the local chapter and/or to provide food and beverages at meeting events
OWASP Local Chapters

What can you offer?

The mailing lists, meetings, and focus groups are open forums for discussion of any relevant topics
Members are encouraged to bring forward questions
Members are encouraged to participate in OWASP projects
  - Contribute to existing projects
  - Propose new projects
  - Spearhead new ventures
The local chapter executive team will work towards building the organization as a free, open, and technically oriented resource for the general public and members
That’s it…
Any questions or comments?

Presentation will be online:

Thank you!
