2014 09-04-pj
1 like1,717 views
This document summarizes a presentation given by Sébastien Gioria on application security. The presentation provided an overview of the current state of application security, described the Open Web Application Security Project (OWASP) including its mission and resources, and highlighted several OWASP projects that developers can use to help secure applications. It also listed upcoming security events in France and ways to support OWASP.
2014 09-04-pj
- 1. TechItDays 2014 Séminaire DT Solocal 2014 4th September 2014 OWASP, the Life,the Universe Sébas&en Gioria Sebas8en.Gioria@owasp.org Chapter Leader & Evangelist OWASP France
- 2. 2 http://www.google.fr/#q=sebastien gioria ‣ Innovation and Technology @Advens && Application Security Expert ‣ OWASP France Leader & Founder & Evangelist, ‣ OWASP ISO Project & OWASP SonarQube Project Leader ‣ Application Security group leader for the CLUSIF ‣ Proud father of youngs kids trying to hack my digital life. Twitter :@SPoint/@OWASP_France 2
- 3. Agenda • Applica8on Security : – where we are (no bullshit) – where we are (hopefully) going ? • Open Web Applica8on Security Project ? • Major projects you can use 3
- 4. Why Applica8on Security ? Your Application has been Hacked Let Me take you on the right way 4 4 My Application will be hacked ! Your Application will be Hacked ;) YES NO NO YES Next Step
- 5. SQL in Java 5 http://stackoverflow.com/questions/9123084/how-to-execute-a-sql-statement-with-a-variable-as-where" ResultSet rs = stmd.executeQuery("select * from person where uid = "+ userid);" while (rs.next()) { " "System.out.println("Name= " + rs.getString(1));" }
- 7. Game Over.... • Did you develop Web Site? • Did you develop embeded products ? • Did you develop smartphone applica8ons ? • Did you have customers / partners over Internet ? 7
- 8. We are living in a Digital environment, in a Connected World v Most of websites vulnerable to a[acks v Important % of web-‐based Business (Services, Online Store, Self-‐care, Telcos, SCADA, ...) Why Applica8on Security ? Age of An8virus Age of Network Security Age of Applica8on Security 8
- 9. 9 (c) Verizon 2014
- 10. Who win ? 10 (c) WhiteHatSecurity 2013"
- 11. Vulnerabili8es ? 11 (c) WhiteHatSecurity 2013
- 12. Anything else ? 12
- 13. What is OWASP Mission Driven Nonprofit | World Wide | Unbiased OWASP does not endorse or recommend commercial products or services 13
- 14. What is OWASP Community Driven 30,000 Mail List Par8cipants 200 Ac8ve Chapters in 70 countries 1600+ Members, 56 Corporate Supporters 69 Academic Supporters 14
- 15. Around the World 200 Chapters, 1 600+ Members, 20 000+ Builders, Breakers and Defenders 15
- 16. What is OWASP Quality Resources 200+ Projects 15,000+ downloads of tools, documenta8on 250,000+ unique visitors 800,000+ page views (monthly) 16
- 17. Quality Resources Documenta&on Code Tools 50% 10% 40% 17
- 20. NEWS A BLOG A PODCAST MEMBERSHIPS MAILING LISTS A NEWSLETTER APPLE APP STORE VIDEO TUTORIALS TRAINING SESSIONS SOCIAL NETWORKING 20
- 22. OWASP Top10 2013 22 A1: Injec&on A2: Viola&on de Ges&on d’authen&fica&on et de session A3: Cross Site Scrip&ng (XSS) A4:Référence directe non sécurisée à un objet A5: Mauvaise configura&on sécurité A6 : Exposi&on de données sensibles A8: Cross Site Request Forgery (CSRF) A7: Manque de contrôle d’accès fonc&onnel A10: Redirec&ons et transferts non validés A9: U&lisa&on de composants avec des vulnérabilités connues ex-‐A9(transport non sécurisé) + A7(Stockage crypto)
- 23. Cheat Sheets Developer Cheat Sheets § PHP Security Cheat Sheet § OWASP Top Ten Cheat Sheet § Authen8ca8on Cheat Sheet § Cross-‐Site Request Forgery (CSRF) Preven&on Cheat Sheet § Cryptographic Storage Cheat Sheet § Input Valida8on Cheat Sheet § XSS (Cross Site Scrip&ng) Preven&on Cheat Sheet § DOM based XSS Preven8on Cheat Sheet § Forgot Password Cheat Sheet § Query Parameteriza&on Cheat Sheet § SQL Injec&on Preven&on Cheat Sheet § Session Management Cheat Sheet § HTML5 Security Cheat Sheet § Transport Layer Protec8on Cheat Sheet § Web Service Security Cheat Sheet § Logging Cheat Sheet § JAAS Cheat Sheet Mobile Cheat Sheets § IOS Developer Cheat Sheet § Mobile Jailbreaking Cheat Sheet Dran Cheat Sheets § Access Control Cheat Sheet § REST Security Cheat Sheet § Abridged XSS Preven8on Cheat Sheet § Password Storage Cheat Sheet § Secure Coding Cheat Sheet § Threat Modeling Cheat Sheet § Clickjacking Cheat Sheet § Virtual Patching Cheat Sheet § Secure SDLC Cheat Sheet § Web Applica8on Security Tes8ng Cheat Sheet § Applica8on Security Architecture Cheat Sheet 23
- 24. Project Leader: Enterprise Security API Chris Schmidt, Chris.Schmidt@owasp.org Purpose: A free, open source, web applica8on security control library that makes it easier for programmers to write lower-‐risk applica8ons h[ps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API 24
- 25. Java HTML Sani8zer, Java Encoder Project Leader: Mike Samuel Mike.samuel@owasp.org Purpose: The OWASP HTML Sani8zer is a fast and easy to configure HTML Sani8zer wri[en in Java which lets you include HTML authored by third-‐par&es in your web applica&on while protec8ng against XSS. h[ps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API Project Leader: Jeff Ichnowski Purpose: The OWASP Java Encoder is a Java 1.5+ simple-‐to-‐use drop-‐in high-‐ performance encoder class with no dependencies and li[le baggage. This project will help Java web developers defend against Cross Site Scrip8ng! h[ps://www.owasp.org/index.php/OWASP_Java_Encoder_Project
- 26. Java Encoder Project Project Leader: Mike Samuel Mike.samuel@owasp.org Purpose: The OWASP Java Encoder is a Java 1.5+ simple-‐to-‐use drop-‐in high-‐ performance encoder class with no dependencies and li[le baggage. This project will help Java web developers defend against Cross Site Scrip8ng! h[ps://www.owasp.org/index.php/OWASP_Java_Encoder_Project
- 27. OWASP Top10 Mobile project
- 28. OWASP IoT Project • The OWASP Internet of Things Top 10 -‐ 2014 is as follows: • I1 Insecure Web Interface • I2 Insufficient Authen8ca8on/Authoriza8on • I3 Insecure Network Services • I4 Lack of Transport Encryp8on • I5 Privacy Concerns • I6 Insecure Cloud Interface • I7 Insecure Mobile Interface • I8 Insufficient Security Configurability • I9 Insecure Sonware/Firmware • I10 Poor Physical Security
- 29. Development Guide: Guides comprehensive manual for designing, developing and deploying secure Web Applica8ons and Web Services Code Review Guide: mechanics of reviewing code for certain vulnerabili8es & valida8on of proper security controls Tes&ng Guide: understand the what, why, when, where, and how of tes8ng web applica8ons Applica&on Security Verifica&on Standard (ASVS): comprehensive manual for designing, verify the security of an applica8on h[ps://www.owasp.org/index.php/Category:OWASP_Guide_Project h[ps://www.owasp.org/index.php/Category:OWASP_Code_Review_Project h[ps://www.owasp.org/index.php/Category:OWASP_Tes8ng_Project h[ps://www.owasp.org/index.php/Category:OWASP_Applica8on_Security_Verifica8on_Standard_Project 29
- 30. Zed A[ack Proxy Project Leader: Simon Benne[s (aka Psiinon), psiinon@gmail.com Purpose: The Zed A[ack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabili8es manually in web applica8ons. Last Release: ZAP 2.3.1 (21 May 2014) h[ps://www.owasp.org/index.php/OWASP_Zed_A[ack_Proxy_Project 30
- 31. The OWASP Secure Sonware Contract Annex Intended to help sonware developers and their clients nego8ate important contractual terms and condi8ons related to the security of the sonware to be developed or delivered. CONTEXT: Most contracts are silent on these issues, and the par8es frequently have drama8cally different views on what has actually been agreed to. OBJECTIVE: Clearly define these terms is the best way to ensure that both par8es can make informed decisions about how to proceed. h[ps://www.owasp.org/index.php/OWASP_Secure_Sonware_Contract_Annex 31
- 32. Dates • 11 Septembre 2014 – OWASP France Mee8ng Paris @Mozilla Office – Programme : – 18h30 : Ouverture des portes – 19h : Welcome by OWASP France et Mozilla – 19h15 : SonarQube pour la sécurité par Sébas8en Gioria (OWASP France) – 19h45 : Warning Ahead: Security Storms are Brewing in Your JavaScript -‐ Par Laurent Levi (Checkmarx) -‐ En Francais – 20h15 : OWASP News && Closing par Sébas8en Gioria (OWASP France) – 20h30 : Networking hkp://www.eventbrite.fr/e/billets-‐owasp-‐france-‐mee&ng-‐septembre-‐2014-‐12738480137 • Applica8on Security Forum Western Switzerland – Yverdon les Bains – 4/6 Novembre 2014 – h[p://www.appsec-‐forum.ch/ • Club 27001 /Paris -‐ 25 Septembre 2014 – Présenta8on de la norme ISO 27034 32
- 33. Soutenir l’OWASP • Différentes solu8ons : – Membre Individuel : 50 $ – Membre Entreprise : 5000 $ – Dona8on Libre • Soutenir uniquement le chapitre France : – Single Mee8ng supporter • Nous offrir une salle de mee8ng ! • Par8ciper par un talk ou autre ! • Dona8on simple – Local Chapter supporter : • 500 $ à 2000 $ 33
- 34. License 34 @SPoint sebas8en.gioria@owasp.org