Why is it cool to join OWASP Russia? Alexander Antukh 06/12/2014

Page 1: [1.1] Why you should take part in the life of OWASP Russia - Alexander Antukh

Why is it cool to join OWASP Russia?

Alexander Antukh, 06/12/2014

Page 2:

OWASP

Open Web Application Security Project

… an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

Page 3:

OWASP Core Values

OPEN INNOVATION

GLOBAL INTEGRITY

Page 4:

OWASP by the numbers

• 400 000+ unique visitors per month
• 170+ active projects
• 198 active chapters (102 countries)
• 43 000+ participants on mailing lists
• 90 government and industry citations

CIS, ISO, NIST, SANS, IEEE, W3C, PCI SSC…

Page 5:

What's OWASP for you?

• Web application security wiki
• Useful security tools and best practices ready to be implemented
• All kinds of actual projects to work in
• Way to extend your expertise (and earn CPEs :)
• Career growth, complement to CV
• Traveling and chatting to other OWASP Chapters

Page 6:

What's OWASP for you?

• OWASP Top 10
• OWASP Testing Guide
• OWASP Secure Coding Practices
• OWASP Zed Attack Proxy
• OWASP CSRFGuard
• OWASP Mantra Security Framework
• OWASP AntiSamy
• …

Page 7:

The value of volunteerism

Page 8:

OWASP Russia

• Started in 2012
• Principal open security project
• Best security practices
• Supported by the global community
  o Joint conferences
  o Coworking
  o Experience sharing
• Translations/projects/meetups/ideas

https://www.owasp.org/index.php/Russia

Page 9:

How to participate?

• Volunteering
  o Projects
  o Documentation
  o Translations
  o Administrative work
• Discussions / new ideas
• Sponsorship
• Presentations
• Events organization

Page 10:

OWASP Russia

Current project:

OWASP Secure Configuration Guide
https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide

Page 11:

Misconfiguration

We are surrounded by security software, we use standard crypto algorithms, and we try as much as possible to avoid writing custom code when creating a new web application. Nevertheless, even with all of the above in place, a lot of web applications and services are still insecure. No, I don't mean 0-days now. It's much simpler, yet a significant problem nowadays.

Page 12:

Misconfiguration

“Citing numbers from Gartner, he said that 95 percent of firewall breaches are caused by misconfigurations of security tools. In addition, Hossein said that by 2015, the number of network connections per second will grow 3,000 percent, and that more than 100,000 new security threats are found every day” [1]

[1] http://www.techweekeurope.co.uk/workspace/cisco-security-aci-fabric-131323

Page 13:

Page 14:

Misconfiguration

The first step is to create a hardening guideline for your particular web server and application server configuration. This configuration should be used on all hosts running the application and in the development environment as well. [1]

The hardening guideline should include the following topics:
• Configuring all security mechanisms HOW?
• Turning off all unused services WHY?
• Setting up roles, permissions, and accounts, including disabling all default accounts or changing their passwords WHERE?

[1] https://www.owasp.org/index.php/Insecure_Configuration_Management
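The three guideline items above turned into concrete, repeatable checks that can be run against every host serving the application, development boxes included. This is an added example, not code from the original slides or from the OWASP Secure Configuration Guide; the baseline values, service names, account names and the two sample hosts are constructed for illustration.

```python
"""Baseline-driven misconfiguration audit (added example, constructed data).

Maps the three hardening-guideline items to checks:
  1. every required security mechanism is configured as the baseline says,
  2. no service outside the baseline's allow-list is enabled,
  3. default accounts are disabled or at least no longer use the default password.
"""
from dataclasses import dataclass, field

# Hypothetical hardening baseline for a web/application host. In practice this
# is the written hardening guideline, versioned next to the application.
BASELINE = {
    # Security mechanisms that must be configured on the web server.
    "required_settings": {
        "tls_min_version": "TLSv1.2",
        "server_tokens": "off",        # do not advertise the server version
        "directory_listing": "off",
        "hsts": "on",
    },
    # Services allowed to be enabled; anything else counts as "unused".
    "allowed_services": {"nginx", "app-server", "sshd", "rsyslog", "chronyd"},
    # Accounts that ship with the stack and must be disabled or re-passworded.
    "default_accounts": {"admin", "tomcat", "manager", "test"},
}


@dataclass
class Account:
    name: str
    enabled: bool
    password_is_default: bool


@dataclass
class HostFacts:
    hostname: str
    settings: dict
    enabled_services: set
    accounts: list = field(default_factory=list)


def audit(host: HostFacts, baseline: dict) -> list:
    """Return a list of (severity, message) findings; an empty list means compliant."""
    findings = []
    # 1. Configuring all security mechanisms: each required setting present and correct.
    for key, expected in baseline["required_settings"].items():
        actual = host.settings.get(key)
        if actual is None:
            findings.append(("HIGH", f"{key} is not configured (expected {expected})"))
        elif str(actual).lower() != str(expected).lower():
            findings.append(("HIGH", f"{key} is {actual}, expected {expected}"))
    # 2. Turning off all unused services: anything enabled outside the allow-list.
    for svc in sorted(host.enabled_services - baseline["allowed_services"]):
        findings.append(("MEDIUM", f"service {svc} is enabled but not in the baseline"))
    # 3. Accounts: default accounts must be disabled, or at least re-passworded.
    for acct in host.accounts:
        if acct.name in baseline["default_accounts"] and acct.enabled:
            if acct.password_is_default:
                findings.append(("CRITICAL", f"default account {acct.name} enabled with default password"))
            else:
                findings.append(("LOW", f"default account {acct.name} still enabled (password changed)"))
    return findings


# Constructed sample hosts: the kind of drift that appears when only production
# was hardened and the development box was cloned from a vendor image.
DEV_HOST = HostFacts(
    hostname="dev-web-01",
    settings={"tls_min_version": "TLSv1.0", "server_tokens": "on", "directory_listing": "off"},
    enabled_services={"nginx", "app-server", "sshd", "telnet", "vsftpd"},
    accounts=[Account("admin", True, True), Account("tomcat", True, False), Account("deploy", True, False)],
)

PROD_HOST = HostFacts(
    hostname="web-01",
    settings={"tls_min_version": "TLSv1.2", "server_tokens": "off", "directory_listing": "off", "hsts": "on"},
    enabled_services={"nginx", "app-server", "sshd", "rsyslog"},
    accounts=[Account("admin", False, True), Account("deploy", True, False)],
)

if __name__ == "__main__":
    for h in (DEV_HOST, PROD_HOST):
        results = audit(h, BASELINE)
        print(f"{h.hostname}: {'compliant' if not results else str(len(results)) + ' findings'}")
        for sev, msg in results:
            print(f"  [{sev}] {msg}")
```

Run against both constructed hosts, the production host comes back compliant while the development host produces seven findings (three missing or weak security mechanisms, two unused services, one default account with its default password, one default account left enabled). The point of keeping the baseline as data is that the same audit runs unchanged on every host, which is exactly what the guideline asks for.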

Page 15:

Motivation

There is an excellent OWASP Testing Guide project which is used intensively by penetration testers throughout the world. Although the initial idea of describing everything seemed intimidating, the guys really did it well, and now it is undoubtedly a pearl in the context of web application security on the Internet.

We would like to make a great complement to the Testing Guide: a unified and as complete as possible document on the Internet which will be useful for both defenders and attackers.

Page 16:

What's the problem with current configuration guides?

• General words
• "Use patches"
• "Don't use default passwords"
• "Harden your configuration"
• "Don't be dumb"
• Many scattered pages on OWASP with little information
• Not clear how to use existing guides for specifically this piece of software/service

Page 17:

Attacker's point

• I have a clear, unified guide on misconfigurations and I don't have to spend hours looking for relevant information
• I can better understand specifics of the target framework/service (and not just be doing what they say)
• I know what common configuration issues exist and how to test for them

http://bit.ly/1vIwrFO

Page 18:

Defender's point

http://bit.ly/1vIwrFO

• I have a clear, unified guide on misconfigurations and I don’t have to spend hours looking for relevant information

• I can better understand specifics of the target framework/service (and not just be doing what they say)

• I know what common configuration issues exist and how to avoid them

Page 19:

Join us and let's make history!
https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide