OWASP Developer Guide Reboot
Uploaded by andrew-van-der-stock
Transcript of OWASP Developer Guide Reboot
Page 2
ABOUT ME
Associate director, KPMG
Security Technical Assessments and Architecture
Project Lead, OWASP Developer Guide
Co-Lead, OWASP Proactive Controls
Lead author, OWASP Application Security Verification Standard
Lead author, OWASP Top 10 2007
Project Lead, OWASP ESAPI for PHP
ISC2 CSSLP
Help set SANS GIAC GSSP (Java) exam (2007)
Page 3
“Think Evil.”
Page 4
AUDITING SOFTWARE FOR FUN AND PROFIT
linux.conf.au 2002
Page 5
How did that work out for you?
Page 6
Mea culpa
Page 7
Page 8
[Chart: NVD entries per year, 2000-2012, vertical scale 0 to 7,000; source: http://nvd.nist.gov]
Page 9
Your threat model did not include me!
Page 10
Page 11
ENABLE SECURE BUSINESS
Think outside the box - don’t be a speed bump
Page 12
VALUE
• What is “valuable” to your organization is almost certainly not what is valuable to someone else
• There is no “<client>” profile in any automated tool
• Embed the notion of “value” into the Developer Guide
Page 13
OWASP DEVELOPER GUIDE 2013
• A comprehensive dictionary of all the things
• Designed to be a tertiary-level textbook for application architects and developers
• SMART - Specific, measurable (testable), attainable, relevant, time effective
• Need help!
Page 14
OWASP APPLICATION SECURITY VERIFICATION STANDARD 2.0
• A comprehensive standard with three levels of verification
• Designed to be a standard(!)
• SMART - Specific, measurable (testable), attainable, relevant, time effective
• GA - November 2013
Page 15
OWASP PROACTIVE CONTROLS 2013
• The things every development team should be doing to be secure
• Designed to be a standard(!)
• SMART - Specific, measurable (testable), attainable, relevant, time effective
• GA - November 2013
Page 16
WHAT HASN’T WORKED
• Converting to XML. Failed once so far (1.1.1)
• Minor updates. Failed once so far (2.1)
• Starting from scratch. Failed three times so far (3.0, 2010, 2012)
• No project manager, roadmap or deadlines.
• Community. Help!
• Succession.
Page 17
WHO
• We need a project manager
• We need lots of help writing material
• We need lots of help with UML diagrams
• We need lots of help with code snippets
• Eventually, we will need technical and normal reviewers
• Eventually, we would like translators
Page 18
WRITING PROCESS
Page 19
WHAT NEEDS TO BE WRITTEN
• Everything
• Large table of contents
• Don’t freak out - contributions great and small gratefully accepted!
• Need to decide on refactor or re-write
Page 20
EDITING
Page 21
RESEARCH
Page 22
RESEARCH
• Need better research methods
• Need better quality results
• Need to support our views by performing basic research
Page 23
EVIDENCE BASED RESULTS
• Controls must be
• In place
• In use
• Effective
• foreach ($all_the_things as $thing) { $thing->test(); }
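The three questions on this slide are different, and a control can pass one and fail the next. The following is an added example (not code from the slides or from the OWASP Developer Guide) that makes the distinction concrete: a constructed toy app with three endpoints, where the verification harness answers "in place", "in use" and "effective" for each output-encoding control from evidence (the function exists, the endpoint actually called it, and a context-appropriate attack payload did not survive in the output). The app, the encoders, the payloads and all names are assumptions made for the example.

```python
"""Evidence for the slide's three questions: is a control in place, in use,
and effective?  Added example; the toy app, encoders and names are constructed."""
import html
from dataclasses import dataclass
from typing import Callable, Optional


def weak_encode(s: str) -> str:
    """Constructed weak control: encodes '<' and '>' only, so a payload placed
    inside a quoted attribute can still close the quote and add a handler."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def strong_encode(s: str) -> str:
    """Effective control: stdlib HTML escaping of & < > \" and '."""
    return html.escape(s, quote=True)


class ToyApp:
    """Constructed app with three endpoints that render untrusted input.
    Every encoder call is logged so 'in use' is proven by evidence, not by
    reading the source."""

    def __init__(self) -> None:
        self.calls: list[str] = []

    def _use(self, encoder: Callable[[str], str], value: str) -> str:
        self.calls.append(encoder.__name__)
        return encoder(value)

    def profile_text(self, name: str) -> str:   # strong control, in use
        return f"<p>{self._use(strong_encode, name)}</p>"

    def profile_attr(self, name: str) -> str:   # weak control, in use
        return f'<input value="{self._use(weak_encode, name)}">'

    def search_echo(self, q: str) -> str:       # no control called at all
        return f"<p>You searched for {q}</p>"


# Constructed attack inputs, one per rendering context.
TEXT_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


@dataclass(frozen=True)
class Control:
    name: str       # label used in the evidence report
    endpoint: str   # ToyApp method that should invoke the control
    encoder: str    # name of the encoding function expected on that path
    payload: str    # attack input matching the endpoint's output context
    marker: str     # substring that, if it survives in the output, proves the attack landed


CONTROLS = [
    Control("text encoding on profile_text", "profile_text", "strong_encode", TEXT_PAYLOAD, "<script"),
    Control("attribute encoding on profile_attr", "profile_attr", "weak_encode", ATTR_PAYLOAD, '" onfocus='),
    Control("output encoding on search_echo", "search_echo", "strong_encode", TEXT_PAYLOAD, "<script"),
]


def verify(control: Control, app: ToyApp) -> dict[str, bool]:
    """Answer the slide's three questions for one control, each from evidence."""
    in_place = callable(globals().get(control.encoder))      # the control exists
    app.calls.clear()
    rendered = getattr(app, control.endpoint)(control.payload)
    in_use = control.encoder in app.calls                     # the path actually called it
    effective = in_use and control.marker not in rendered     # and the attack did not land
    return {"in_place": in_place, "in_use": in_use, "effective": effective}


def test_all_the_things(app: Optional[ToyApp] = None) -> dict[str, dict[str, bool]]:
    """The slide's loop: run every control's checks and collect the evidence."""
    app = app or ToyApp()
    return {c.name: verify(c, app) for c in CONTROLS}


if __name__ == "__main__":
    for name, result in test_all_the_things().items():
        flags = ", ".join(f"{k}={'yes' if v else 'NO'}" for k, v in result.items())
        print(f"{name}: {flags}")
```

Run as a script, the report shows the three distinct outcomes the slide is pointing at: profile_text passes all three; profile_attr has a control that is in place and in use but is not effective, because an encoder that only touches angle brackets is the wrong control for an attribute context; search_echo has an effective encoder available in the code base that is never called on that path. The effectiveness check only means something if the payload matches the output context, which is why each Control carries its own payload and marker rather than a single generic string.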
Page 24
SNIPPETS
Page 25
TRANSLATION
Page 26
HOW YOU CAN HELP
• Be part of the community
• Join the Dev Guide mail list https://lists.owasp.org/mailman/listinfo/owasp-guide
• Tell us what you want to work on
• Write! Contribute! Review! Translate!
Page 27
DECISIONS, DECISIONS
• How best to build community?
Page 28
DECISIONS, DECISIONS
• How best to fund the project?
Page 29
DECISIONS, DECISIONS
• Refactor or re-write?
Page 30
DECISIONS, DECISIONS
• Private Wiki or dog food?