OWASP WTE: Testing your way

Author: John Mills
Agile Austin 2011

The OWASP Foundation http://www.owasp.org

OWASP WTE: Testing your way
Matt Tesauro
OWASP Foundation Board Member, WTE Project Lead [email protected]
Vice President, Services for Praetorian [email protected]
James Wickett [email protected]

Who's this Matt guy anyway?
• Broad IT background
  – Developer, DBA, Sys Admin, Pen Tester, Application Security professional
  – CISSP, CEH, RHCE, Linux+
• Long history with Linux and Open Source
  – Contributor to many projects
  – Leader of OWASP Live CD / WTE
• OWASP Foundation Board Member
• VP, Services for Praetorian

OWASP WTE: A History

It all started that summer...

• Current Release
  – OWASP WTE Feb 2011
• Previous Releases
  – OWASP WTE Beta Jan 2010
  – AppSecEU May 2009
  – AustinTerrier Feb 2009
  – Portugal Release Dec 2008
  – SoC Release Sept 2008
  – Beta1 and Beta2 releases during the SoC
Note: Not all of these had ISO, VirtualBox and VMware versions

Overall downloads: 330,081 (as of 2009-10-05)

Other fun facts
• ~5,094 GB of bandwidth since launch (Jul 2008)
• Most downloads in 1 month = 81,607 (Mar 2009)

There's a new kid in town: OWASP WTE (Web Testing Environment)

The project has grown to more than just a Live CD
• VMware installs/appliances
• VirtualBox installs
• USB installs
• Training Environment
• ....
Add in the transition to Ubuntu and the possibilities are endless (plus the 26,000+ packages in the Ubuntu repos)

GOAL
Make application security tools and documentation easily available and easy to use. This complements OWASP's goal to make application security visible.

Design goals
• Easy for users to keep updated
• Easy for project lead to keep updated
• Easy to produce releases (more on this later)
• Focused on just application security – not general pen testing

What's on WTE


26 “Significant” Tools Available

OWASP Tools:

Web Scarab a tool for performing all types of security testing on web apps and web services

Web Goat an online training environment for hands-on learning about app sec

CAL9000 a collection of web app sec testing tools especially encoding/decoding

JBroFuzz a web application fuzzer for requests being made over HTTP and/or HTTPS.

EnDe An amazing collection of encoding and decoding tools as well as many other utilities

WSFuzzer a fuzzer with HTTP based SOAP services as its main target

Wapiti audits the security of web apps by performing "black-box" scans

DirBuster a multi threaded Java app to brute force directory and file names

WebSlayer A tool designed for brute-forcing web applications such as resource discovery, GET and POST fuzzing, etc

ZAP Proxy A fork of the popular but moribund Paros Proxy


Other Proxies: Burp Suite, Paros, Spike Proxy

Scanners: w3af, Grendel Scan, Nikto

SQL-i: sqlmap, SQL Brute

Others: Metasploit, Httprint, Maltego CE

Duh: Rat Proxy, nmap, Zenmap, Firefox, netcat, Wireshark, Fierce Domain Scanner, tcpdump

Why is it different?


OWASP Documents
• Testing Guide v2 & v3
• CLASP and OpenSAMM
• Top 10 for 2010
• Top 10 for Java Enterprise Edition
• AppSec FAQ
• Books – tried to get all of them
  – CLASP, Top 10 2010, Top 10 + Testing + Legal, WebGoat and Web Scarab, Guide 2.0, Code Review
• Others
  – WASC Threat Classification, OSSTMM 3.0 & 2.2


What is next?


Among the new ideas for WTE are
• Live CDs & Live DVDs
• Virtual installs/appliances
• A package repository
  – Can add 1+ tool to any Debian based Linux
    # apt-get install owasp-wte-*
• Custom remixes of any of the above
• Targeted installs
  – WebGoat Developer Version
• Wubi
• USB and Kiosk version

Builder vs Breaker
• Builder is where the ROI is
• But darn it, breaking is really fun.
Builder tools coming in future releases. (Thanks Top Gear!)

Goals going forward
• Showcase great OWASP projects
• Provide the best, freely distributable application security tools/documents in an easy to use package
• Ensure that the tools provided are as easy to use as possible
• Continue to document how to use the tools and how the modules were created
• Align the tools with the OWASP Testing Guide v3 to provide maximum coverage
• Add more developer and QA focused tools

How can you get involved?
• Join the mail list – announcements are there, low traffic
• Post on the AppSecLive.org forums
• Download an ISO or VM – complain or praise, suggest improvements
• Submit a bug to the Google Code site
• Create a deb package of a tool – how I create the debs will be documented, command by command, and I'll answer questions gladly
• Suggest missing docs or links
• Do a screencast of one of the tools being used on the OWASP WTE

Learn More...

OWASP Site http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project or just look on the OWASP project page (release quality)

http://www.owasp.org/index.php/Category:OWASP_Project

or Google “OWASP Live CD”

Download & Community Site http://AppSecLive.org Previously: http://mtesauro.com/livecd/


Getting Agile with WTE

Two Keys to Agile Testing
• Targeted Testing
• Automation

Targeted Testing Match security testing to sprints – Sprint story features vs Security testing categories OWASP Testing Guide v3 outlines – 9 categories, 66 controls – 349 pages 35

Targeted Testing Costs of targeting testing – Someone to “diff” features vs controls – Someone to test the relevant areas Benefits – Only testing relevant areas – Testing scope/time is reduced 36

Targeted Testing Security Sprints + Common Controls – Set aside a sprint or two – Focus on security stories Create a common/shared security library – OWASP's ESAPI – Both an API reference and implementations 37

Targeted Testing Security Sprints + Common Controls – Set aside a sprint or two – Focus on security stories Create a common/shared security library – OWASP's ESAPI – Both an API reference and implementations 38

Targeted Testing Costs of security sprint + controls – 1+ sprints to implement controls – Rigorous initial testing of the controls Benefits – With common controls, testing is now ensuring controls are used, not their implementation – Testing scope/time is reduced – Testing may be automate-able 39

Automation Two primary types of security testing – Dynamic – testing running code – Static – testing source code

40

Automating Dynamic Testing Dynamic testing tools – Crawl an application • Get a list of URLs/pages – Inject potential attacks, gauge response Crawling pitfalls – AJAX / RIA – Flash / Flex Crawling work-around – Use a local proxy 41

Quick step back...
If you run a local proxy server on the same machine as your browser, you can intercept and modify all HTTP and HTTPS traffic.
(Diagram: Local Proxy, Server)

Automating Dynamic Testing Leverage existing “browser drivers” to also drive security tools – Automates generating a list of URLs for tools – Examples • Selenium (free FF add-on) • QTP (commercial) Record application “click through” – Replay “click through” for security tools – May already have functional tests to re-use 43

Automating Zap
• Setup Zap as your browser's proxy
• Use “click through” to explore the app
• Options
  – Passive only tests
  – Active Scanning
• Costs
  – Upfront creation of “click through”
  – Time to run “click through” and active scan

Automating w3af Option #1
• Select pre-existing policy file
  – WebSpider discovery plugin
• Let w3af crawl and scan
• Costs
  – Upfront time to create scanning policy
• Pitfalls
  – Crawling issues, app coverage

Automating w3af Option #2
• Setup w3af as the browser's local proxy
• Select pre-existing policy file
  – SpiderMan discovery plugin
• Use a “click through” to provide URLs
• Costs
  – Upfront time to create scanning policy
  – Upfront time to create “click through”
  – Updates to the “click through” for new app areas
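The local-proxy work-around from the previous slides, turned into code as an added example that is not from the slides, ZAP or w3af: take what the proxy saw while the “click through” ran and turn it into a de-duplicated, in-scope target list for a scanner. The capture format (one `METHOD URL STATUS` line per request), the hostnames and the request lines are all constructed; real proxies export in their own formats, so `parse_capture` is the one function to swap. Two details matter in practice and are handled here: third-party hosts the browser fetched assets from are kept out of scope, and the logout URL is reported separately so the scan policy can exclude it, since a scanner that replays it kills its own session.

```python
"""Turn a recorded "click through" into a scanner target list.

Added example, not from the original slides or from any proxy/scanner.
Assumes a constructed capture format: one request per line, "METHOD URL STATUS".
"""
from urllib.parse import urlsplit, parse_qsl, urlunsplit

# Constructed capture from a click-through of an example app. The browser
# also fetched a third-party script, which must not end up in the scan scope.
CAPTURE = """\
GET http://app.example.test/ 200
GET http://app.example.test/static/site.css 200
GET http://app.example.test/login 200
POST http://app.example.test/login 302
GET http://app.example.test/account?id=42&tab=orders 200
GET http://app.example.test/account?id=42&tab=profile 200
GET http://app.example.test/search?q=widgets 200
GET http://cdn.example-third-party.test/jquery.js 200
GET http://app.example.test/logout 302
"""

STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff")
# Paths that break the scanner's session if replayed; excluded, not scanned.
SESSION_BREAKERS = ("/logout",)


def parse_capture(text):
    """Yield (method, url, status) from the constructed capture format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        method, url, status = line.split()
        yield method, url, int(status)


def build_targets(capture_text, in_scope_hosts):
    """Return (targets, excluded).

    targets: sorted unique 'METHOD scheme://host/path?name1&name2' entries.
    Parameter names are kept and values dropped, so /account?id=42 and
    /account?id=43 collapse into one target instead of one per record.
    excluded: out-of-scope or session-breaking URLs, for the scan policy."""
    targets, excluded = set(), set()
    for method, url, _status in parse_capture(capture_text):
        parts = urlsplit(url)
        if parts.netloc not in in_scope_hosts:
            excluded.add(url)                  # third-party host: never scan it
            continue
        if parts.path.lower().endswith(STATIC_SUFFIXES):
            continue                           # static asset, nothing to inject into
        if parts.path in SESSION_BREAKERS:
            excluded.add(url)
            continue
        names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
        normalized = urlunsplit((parts.scheme, parts.netloc, parts.path, "&".join(names), ""))
        targets.add(f"{method} {normalized}")
    return sorted(targets), sorted(excluded)


if __name__ == "__main__":
    targets, excluded = build_targets(CAPTURE, in_scope_hosts={"app.example.test"})
    print("targets:")
    for t in targets:
        print("  ", t)
    print("excluded from scan policy:")
    for e in excluded:
        print("  ", e)
```

The slide's cost (“updates to the click through for new app areas”) shows up directly: any page the click-through never visited is absent from `targets`, so diffing this list between sprints is a cheap coverage check.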

General Warning about Dynamic Testing
• Need to have a browse-able application at end of Sprint.
• If app is rapidly adding new areas (pages), “click through” will need to be maintained to ensure coverage.
• Some dynamic scans can take a long time
  – 8+ hours for w3af with many plugins enabled
    • Tweak plugin selection
    • May have to be an end of sprint activity

Automating Static Testing  Few good free tools in this space – FindBugs, PMD, etc – Look at code quality tools also  Commercial tools – Source vs binary analysis – Local vs SAAS – IDE integration 48

Automating Static Testing  Tie static tools to specific events – Source code check-in – Nightly build processes – Continuous Integration  Watch out for – Long run time (parallel execution) – Manageable output 49

Automating Static Testing  Most commercial tools have (or will sell you) a “Mothership” – Allows for centralized reporting, trending, etc.  Integration with bug tracking systems – Spotty across vendors / projects  Reporting is weak in free tools, varies in commercial tools 50

A bit about OWASP

OWASP The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.


OWASP Meritocracy


Security Vulnerabilities
• Change Control
• Source Code Mgmt
• Strategy & Metrics
• Policy & Compliance
• Education & Training
• Threat Assessment
• Security Requirements
• Secure Architecture
• Design Review
• Code Review
• Remediation
• Hardening
• ...

A Look at OWASP Projects


Projects to look into
• Secure Coding Practices – Quick Reference Guide
• Securing the Core JEE Patterns
• OWASP Phoenix Tools list
• OWASP AppSensor
• OWASP Top 10
• Cheat Sheets
• OWASP ESAPI
• WebGoat
• Zap Proxy
• OWASP Testing Guide

What have I missed?
• Help me walk a mile in your shoes...
• What is WTE missing?
• Where are your pain points?
• Where is OWASP missing the mark?

Why do I do this?


Questions?
