[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
-
Upload
g-geshev -
Category
Technology
-
view
581 -
download
1
Transcript of [OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Plan - Strawman
Georgi GeshevOWASP Bulgaria [email protected]+359-884-237-20703.04.10
OWASP 2
Agenda
Part 1: Introduction -Who are we?• What is this project all about?• Would you like to join the OWASP community?
Part 2: Real world stories• Care to know about the OWASP Top 10 project?• How’s the web down there in Wonderland?
OWASP 3
Introduction
Who Am I?(1) Free and Open Source Software Evangelist
OWASP 4
Introduction
Who Am I?(1) Free and Open Source Software Evangelist
(2) Enthusiastic Infosec Ninja
OWASP 5
Introduction
Who Am I?(1) Free and Open Source Software Evangelist
(2) Enthusiastic Infosec Ninja① + ②= ?
OWASP 6
Introduction
Who Am I?(1) Free and Open Source Software Evangelist
(2) Enthusiastic Infosec Ninja① + ②= ?
Here’s the OWASP formula..FOSS + WEB × APP × SEC = OWASP
OWASP 7
The Open Web Application Security Project
The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
http://www.owasp.org/index.php
OWASP 8
The Open Web Application Security ProjectThe Local Chapters
Over 150 local chapters worldwide..
OWASP 9
The Open Web Application Security ProjectOWASP Bulgaria
• This local chapter was founded in late 2010• Less than 10 mailing list members• Please consider joining the local chapter mailing list
• Regular chapter meetings• Welcome to the first one of ‘em!
• For submissions, suggestions, offers and questions..• Forward your message to the mailing list• Contact me via email
OWASP 10
The Open Web Application Security ProjectOrganization Supporters
OWASP 11
OWASP 12
The Open Web Application Security ProjectShow Your Support
Consider…• Donating• Becoming an OWASP (local chapter) member• Attending the local chapter regular meetings• Attending an OWASP AppSec series conference• Global AppSec Europe - June 6th-11th 2011 @Dublin, Ireland
• Contributing to an OWASP project• Developers, beta testers, etc.
OWASP 13
The Open Web Application Security ProjectAffiliation and Membership
Categories of Membership and Supporters• Individual Supporters• Single Meeting Supporter• Organization Supporters• Accredited University Supporters
OWASP 14
The Open Web Application Security ProjectMembership
Why Become a Supporting Member?• Ethics and principals of OWASP Foundation• Underscore your awareness of web application software security• Attend OWASP conferences at a discount• Expand your personal network of contacts• Support a local chapter of your choice• Get your @owasp.org email address• Have individual vote in electionshttp://www.owasp.org/index.php/Membership
OWASP 15
The Open Web Application Security ProjectOWASP Projects
Tools and documents are organized into the following categories:
• Protect – These are tools and documents that can be used to guard against security-related design and implementation flaws.
• Detect – These are tools and documents that can be used to find security-related design and implementation flaws.
• Life Cycle – These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).
OWASP 16
The Open Web Application Security ProjectThe OWASP Top 10 Project
Project details..• The OWASP Top Ten provides a powerful awareness
document for web application security. • The OWASP Top Ten represents a broad consensus about
what the most critical web application security flaws are.• Its latest (stable) release dates from April 2010.• Creative Commons Attribution Share Alike 3.0 License ;)http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP 17
The Open Web Application Security ProjectThe OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks -
A1: Injection
OWASP 18
The Open Web Application Security ProjectThe OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks -
A1: InjectionA2: Cross-Site Scripting (XSS)
OWASP 19
The Open Web Application Security ProjectThe OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks -
A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session Management
OWASP 20
The Open Web Application Security ProjectThe OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks -
A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object References
OWASP 21
The Open Web Application Security ProjectThe OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks -
A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)
OWASP 22
The Open Web Application Security ProjectThe OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks -
A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)A6: Security Misconfiguration
OWASP 23
The Open Web Application Security ProjectThe OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks -
A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)A6: Security MisconfigurationA7: Insecure Cryptographic Storage
OWASP 24
The Open Web Application Security ProjectThe OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks -
A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)A6: Security MisconfigurationA7: Insecure Cryptographic StorageA8: Failure to Restrict URL Access
OWASP 25
The Open Web Application Security ProjectThe OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks -
A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)A6: Security MisconfigurationA7: Insecure Cryptographic StorageA8: Failure to Restrict URL AccessA9: Insufficient Transport Layer Protection
OWASP 26
The Open Web Application Security ProjectThe OWASP Top 10 Project
The OWASP Top 10 Web Application Security Risks -
A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)A6: Security MisconfigurationA7: Insecure Cryptographic StorageA8: Failure to Restrict URL AccessA9: Insufficient Transport Layer ProtectionA10: Unvalidated Redirects and Forwards
OWASP 27
The Open Web Application Security ProjectThe OWASP Top 10 Project
OWASP 28
The Open Web Application Security ProjectThe OWASP Top 10 Project
OWASP 29
The Open Web Application Security ProjectThe OWASP Top 10 Project
“Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.”
http://www.owasp.org/index.php/Top_10_2010-Main
OWASP 30
The Open Web Application Security ProjectThe OWASP Top 10 Project
Companies, vendors and others (officially) profiting from The OWASP Top 10..
OWASP 31
The Open Web Application Security ProjectOWASP Guides
Don’t stop at The OWASP Top 10!Because The OWASP Top 10 project is simply not enough..• OWASP Development Guide (Developer’s Guide)• OWASP Testing Project (Testing Guide)• OWASP Code Review Project (Code Review Guide)
OWASP 32
The Open Web Application Security ProjectВ страната на чудесата ;)
OWASP 33
The Open Web Application Security ProjectВ страната на чудесата ;)
“Здравословното” състояние на българския уеб..
OWASP 34
The Open Web Application Security ProjectВ страната на чудесата ;)
OWASP 35
Shout outs go to …
• Kate Hartmann (Operations Director at OWASP)• Tom Brennan (Global Board Member at OWASP)
All of these folks and a few more..• P. Stefanov• Y. Kolev• M. Soler
..for kindly recommending and helping me set up this chapter!• Thank you to all of you for attending this very first meeting ;)
OWASP 36
Thank you for your attention!
Please forward any questions, comments and suggestions to: [email protected]