OWASP Application Security Project

OWASP

Justin Derry, Brisbane Chapter Lead & Conference Chair, Australia
b-sec Consulting Pty Ltd
[email protected]
Mobile 0411 411 881

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation http://www.owasp.org

The OWASP Project & Application Security
Justin Derry (Practice Leader, Application Security, b-sec Consulting Pty Ltd)

Agenda
- What is the OWASP Project?
- What's all the fuss about Application Security?
- Trends within the Industry
- What do we need to do?
- Resources: Projects & Tools Online
- OWASP in Australia

OWASP = Application Security
- OWASP (Open Web Application Security Project)
- Effectively the de facto standard for Application Security on the Internet
- Used & Referenced by Industry leading companies (Microsoft, PCI, NSA, Mastercard, Google, SANS)
- Open Collaborative effort from the Industry (no one person runs the project)
- Publishes the Top Ten & Definitive Guide to Application Security Online for FREE
- Many resources available on the wiki

Are you Online? Then you are at Risk!
- If you either surf the internet or put content online then you are at risk of an application security vulnerability.
- Over 78% of Internet related attacks are now targeted directly at the application and not the network. (Gartner Group 2006-2007)
- 74% of applications reviewed by b-sec over the past 6 years have at least one serious application exploit.
- What about all those web sites that hold your personal information? Are they protecting it?
- Yes, that Firewall Appliance or SSL is not going to stop the attacks from happening!

Attacking the Application

[Diagram: layered view of the security "perimeter". Network Layer: Firewall, Hardened OS, Web Server, App Server, Firewall. Application Layer: Custom Developed Application Code in front of Billing, Human Resources, Directories, Web Services, Legacy Systems and Databases. An arrow labelled "APPLICATION ATTACK" points through the network layer at the application code.]

Your security "perimeter" has huge holes at the application layer.

You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
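The slide's point is that the firewall and SSL only see a well-formed HTTPS request; the flaw lives in the custom query code behind it. The small Python login routine below shows that with the vulnerable query beside its hardened form. This is an added example, not code from the presentation, from OWASP or from b-sec; the in-memory users table, the form field names and the handle_login function are constructed for illustration only.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode


def build_db():
    """Constructed in-memory user store standing in for the application's database.
    Plaintext passwords are used only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, username, password):
    """Vulnerable: user input is pasted straight into the SQL text, so a quote
    in the input changes the query itself (SQL Injection)."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """Hardened: the same query with bound parameters; input is data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def form_body(username, password):
    """What the network layer sees: an ordinary URL-encoded form POST body.
    Nothing here is malformed, so a firewall or SSL endpoint has no reason to block it."""
    return urlencode({"username": username, "password": password})


def handle_login(conn, body, hardened):
    """Server-side handler (assumed name): decodes the form and runs one of the
    two login routines, so the only difference is the application code."""
    fields = parse_qs(body, keep_blank_values=True)
    username = fields.get("username", [""])[0]
    password = fields.get("password", [""])[0]
    login = login_param if hardened else login_concat
    return login(conn, username, password)


if __name__ == "__main__":
    conn = build_db()
    good = form_body("alice", "s3cret")          # legitimate credentials
    crafted = form_body("alice' --", "wrong")    # quote plus SQL comment, wrong password
    print("legitimate, vulnerable code:", handle_login(conn, good, False))     # True
    print("legitimate, hardened code:  ", handle_login(conn, good, True))      # True
    print("crafted,    vulnerable code:", handle_login(conn, crafted, False))  # True
    print("crafted,    hardened code:  ", handle_login(conn, crafted, True))   # False
```

Both request bodies are valid form posts; only the parameterised version treats the crafted username as a literal string and rejects it. This is the class of defect that has to be found in code review or application testing, because nothing at the network layer distinguishes the two requests.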

Trends In Application Security
- Business demands more bells and whistles
- Internal applications get 'web-enabled' and are exposed to Intranet or Internet
- Increasing complexity of software
- Rush software out without adequate testing
- Poor security training and awareness
- Web 2.0 Generation (Facebook, LinkedIn etc)

Recent Attacks! It's really Happening
- Australian Banks Facing XSS Flaws (April-May 2006)
- Database of User Accounts stolen from NSW Police Service
- Virgin Credit Cards (1400 Card Details Lost) – July 2007
- Microsoft UK Web Site Hack (SQL Injection) July 2007
- Our Favourite: Paris Hilton Online T-Mobile Sidekick account compromised (SQL Injection)
- BigBrother (TEN) 2007 Web Site Security Holes (April 2007)
- Howard "Heart Attack" Email SCAM (February 2007)

Australian Federal Police agent, Nigel Phair, said most Australian organisations sweep security breaches under the carpet to avoid public scrutiny in the courts.

What do we need to do?
- Work towards building more secure software. (OWASP Mission)
- Teach Developers how to address problems in the code before a breach occurs within the application
- Awareness within the Industry that this is a real problem
- Stop relying completely on Network or software from Vendors
- MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE)
- They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)

We need to start thinking differently.

"Since most security for Web applications can be implemented by a system administrator, application developers need not pay attention to the details of securing the application…" – BEA WebLogic Documentation (2006)

Resources: OWASP Top Ten Vulnerabilities

Resources: OWASP Wiki & Projects
- OWASP WIKI Online with the Guide, Top Ten, Education Projects & much more development resources
- OWASP WebGoat (Training Application)
- OWASP WebScarab (Proxy Tool)
- OWASP FAQ, Guide, Legal and Top Ten Projects
- CAL9000 (Javascript Web Application Testing)
- LiveCD Project (CD Image containing tools)
- OWASP Pantera Web Assessment Studio
- OWASP Sprajax (AJAX Enabled Applications)
- SQLix, WS Fuzzer, Report Generator, Site Generator, Tiger, Interceptor, JBroFuzz, Orizon, Stinger and many many more projects

OWASP Australia & the 2008 Conference

- OWASP Chapters meeting (Brisbane, Sydney & Melbourne)
- OWASP-Australia Mailing Lists
- OWASP Australia Conference 2008: February 2008 (27th, 28th, 29th Feb), Gold Coast Convention Centre
- Registrations Open online now (www.owasp.org)

OWASP Application Security: Thanks & Questions

Mr Justin Derry
Mail: [email protected]
Mobile: 0411 411 881
b-sec Consulting Pty Ltd (Brisbane, Sydney & Melbourne)