Slide 1: Open Web Application Security Project
Antonio Fontes, antonio.fontes@owasp.org
SWISS CYBER STORM Conference – May 2011, Rapperswil

Slide 2: A few words about me
Antonio Fontes
- 6 years background working on software security & privacy
- Founder and principal consultant at L7 Securité Sàrl
- Lecturer at HST Yverdon (HEIG-VD)
- Focus:
  - Web application threats and countermeasures
  - Secure development lifecycle
  - Penetration testing and vulnerability assessment
  - Software threat modelling and risk analysis
- OWASP:
  - OWASP Switzerland: member of the board, western Switzerland delegate
  - OWASP Geneva: chapter leader
(Footer on every slide: 12/05/2011, Swiss Cyber Storm III - May 2011 - Rapperswil)

Slide 3: cat /wwwroot/agenda.html
- Why do organizations need OWASP?
- OWASP worldwide
- OWASP in Switzerland
- Q/A
Slide 4: Thermometer
“Is your organization already using OWASP material?”
- For internal software development?
- For outsourced custom software?
- For COTS acquisition?
(photo by Dave Oshry)

Slides 5-6: Why do organisations need OWASP? (title only)

Slide 7: Why do organisations need OWASP?
101 million users! 77 million users!

Slide 8: Why do organisations need OWASP?
Handout from Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen (May 1st, 2011). (photo by Dave Oshry)

Slide 9: Why do organisations need OWASP? (title only)

Slide 10: Just a little check
“Who knows PBKDF2?”

Slide 11: Why do organisations need OWASP?
Who understands this in your organisation?

Slide 12: Why do organisations need OWASP?
“Use hashes!!” “No! Don't use hashes!!”
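Slides 10 to 12 set “use hashes” against PBKDF2 without spelling out the difference. As an added example (not code from the deck), this puts an unsalted single-round hash next to a PBKDF2-HMAC-SHA256 record that carries its own salt and iteration count, with constant-time verification and a work-factor upgrade check; the iteration count and the record layout are assumptions for the example.

```python
import hashlib
import hmac
import os

# Work factor and salt size are assumptions for this example, not values from the deck.
ITERATIONS = 600_000
SALT_BYTES = 16
DK_LEN = 32


def plain_hash(password):
    """The "use hashes!!" approach: one unsalted SHA-256 round.
    Every user with the same password gets the same digest, and a digest can be
    matched against a precomputed table or guessed at very high speed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password, salt=None, iterations=ITERATIONS):
    """Derive a per-user key with PBKDF2-HMAC-SHA256 and store everything needed
    to verify it later: algorithm tag, iteration count, salt and derived key."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_pbkdf2(password, record):
    """Recompute the derived key from the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=DK_LEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record, minimum_iterations=ITERATIONS):
    """True when a stored record was derived with a lower work factor than current
    policy; such records are re-derived at the user's next successful login."""
    return int(record.split("$")[1]) < minimum_iterations


def same_password_same_record(store, password):
    """Does storing the same password twice give identical records?
    True for plain_hash (no salt), False for pbkdf2_record (random salt)."""
    return store(password) == store(password)


if __name__ == "__main__":
    # Constructed sample password, not real data.
    pw = "Summer2011"
    print("plain hash identical for two users:", same_password_same_record(plain_hash, pw))
    print("PBKDF2 record identical for two users:", same_password_same_record(pbkdf2_record, pw))
    rec = pbkdf2_record(pw)
    print("verify correct password:", verify_pbkdf2(pw, rec))
    print("verify wrong password:", verify_pbkdf2("Winter2011", rec))
```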
Slide 13: Why do organisations need OWASP?
Outside the organisation:
- Increasing adoption of “anything over HTTP”
- Increasing “hostile” interest in online services:
  - Increasing “threat population”
  - Web hacking/security is easy to understand/teach
  - Low risk of being “caught”
- Increasing offer in security consulting, services and products

Slide 14: Why do organisations need OWASP?
Inside organisations:
- Developers dealing with dozens of web technologies
- Heterogeneous development teams and lifecycles
- Constant pressure for delivery
- Turnover and loss of internal know-how
- Who in the company is actually both up-to-date on the concept of “(web) application security” and has the power to take decisions?
- Who in the company is actually able to qualify the security products and services that are paid for?

Slide 15: Why do organisations need OWASP?
(timeline: 2001, 2003, 2005, 2007, 2010, 2011)
Slide 16: OWASP foundation
“Make application security visible, so that people and organisations can make informed decisions about application security risks.”
- U.S. 501(c)(3) not-for-profit charitable international organization
- Structure, mission, core values, code of ethics
- Open, global, innovation, worldwide
- Independence from vendors, technology-agnostic

Slide 17: "strategy"
(diagram labels: Threat, Website, Board, Web Application, People, Committees, Methods, Summit, Tools, Chapters, ?, Projects, Company assets, Conferences, Members)
Slide 18: OWASP people

Slide 19: Project Leaders
Driving volunteer effort on OWASP material projects:
- Workshops
- Brainstorming sessions
- Analysis/reporting
- Guides editing
- Tools coding
19 quality-release and 26 beta-status projects

Slide 20: Chapter Leaders
Leading local chapter meetings:
- 188 chapters worldwide
- More than 300 yearly meetings worldwide
- Connection with local organisations
Next local chapter meeting: Zurich – June 14th

Slide 21: Global Committees
Driving volunteer effort on global/focused OWASP outreach.
Active Global Committees: Industries, Membership, Government, Education, Projects, Events, Connections

Slide 22: Full-time staff
- Kate Hartmann: logistics and day-to-day support for leaders of the 188 local chapters
- Alison Shrader: accounting & administration
- Paulo Coimbra: PMO
- Sarah Basso: operations before/during/after OWASP events

Slide 23: Conferences: research
Conference dedicated to research work on application security

Slide 24: Conferences: AppSec
Yearly global application-security-focused conferences: Europe, North America, South America, Asia
Next OWASP conference in Europe: Dublin – June 7th-10th 2011

Slide 25: The Summit
Intensive 1-week workshop event with leaders, contributors, sponsors and software vendors:
- Ability to connect with leading software vendors and corporate members
- More than 150 reunited chapter & project leaders
- 80 workshops
Slide 26: OWASP members

Slide 27: OWASP Membership
Individual members:
- Annual fee: 50 $/year
- Free access to OWASP Training Day events
- Reduced fees at OWASP events
- Current count: 1383 individual contributing members

Slide 28: OWASP Membership
Corporate members:
- 52 public corporate members
- Annual fee: 5'000 $/year
- Delegates for the Summit event
- Logo on website, use as marketing argument
- Majority is from the US, but Switzerland is also there

Slide 29: OWASP Membership
Academic members:
- Annual fee: 0 $/year (donate: support)
- 40 members
- Switzerland: 1 official partnership (HEIG-VD), 2 pending partnerships

Slide 30: OWASP: the web portal

Slide 31: https://www.owasp.org
- 250'000 unique visitors monthly
- 650'000 pages viewed monthly
- 60% driven by search engines
- 19% referred by other websites
Highest traffic motives: OWASP Top 10, WebScarab project, XSS prevention cheat sheet, “sql injection”

Slide 32: http://lists.owasp.org
- More than 400 mailing lists currently running
- 25'900 memberships
- About: tools, documents, methods, committees, events, outreach, leaders, etc.
Slide 33: OWASP projects

Slide 34: OWASP projects: Tools
(matrix of tools across the lifecycle phases Analyze, Design, Implement, Verify, Deploy, Respond; the column positions were lost in extraction)
ModSecurity CRS, JBroFuzz, AntiSamy, LiveCD, ESAPI, DirBuster, WebScarab, CSRFGuard, O2, Orizon, Encoding, Code Crawler, Zed Attack Proxy, Stinger
Also: Academy portal, Broken Web Applications, ESAPI Swingset, WebGoat

Slide 35: OWASP projects: Documents
(matrix of documents across the same lifecycle phases; column positions lost in extraction)
Secure contract, Development, Code Review, Backend Security, Threat risk modeling, J2EE Security, Testing, Application security requirements, RoR Security, ASVS, .NET Security, AJAX Security, PHP Security, Secure coding practices
Also: Academy, AppSec FAQ, AppSec metrics, Common Vuln. List, Education, Exams, Legal, OWASP Top 10

Slide 36: Tools: WebGoat
COTS web application for webapp security (CBT) training; click and run
/index.php/Webgoat

Slide 37: Tools: ModSecurity core ruleset
Critical protections centralized in a core ruleset (CRS) to be installed on ModSecurity-enabled Apache servers. Provides:
- HTTP protocol compliance
- Attack detection
- Error detection
- Search engine monitoring
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Slide 38: Tools: Enterprise Security API
Control library encapsulating most security functions required in web applications:
- Authentication
- Access control
- Sessions
- Encoding
- Input validation
- Encryption
- Logging
- Intrusion detection
- …
https://www.owasp.org/index.php/ESAPI

Slide 39: Documents: OWASP Top 10
https://www.owasp.org/index.php/Top10

Slide 40: Documents: Code Review Guide
- Instructions and methodology manual for conducting code security reviews
- Guidance on detecting the major security flaws created during implementation
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

Slide 41: Documents: ASVS
ASVS: Application Security Verification Standard
- 4 verification (assurance) levels across more than 120 security controls
- Tailored to your own risk aversion
https://www.owasp.org/index.php/ASVS

Slide 42: Documents: OpenSAMM
Open Software Assurance Maturity Model
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
Slide 43: OWASP Switzerland

Slide 44: OWASP Switzerland's structure
- No legal form (yet, just a few days left)
- Leader: Sven Vetsch
- Board members: Tobias Christen, Antonio Fontes
- Based in Zurich
- 130 mailing list members
- Next meeting: June 14th
Other local city/region chapters: OWASP Geneva
- 90 list members
- Next meeting: September 6th

Slide 45: Activities: meetings and conferences
Local chapter meetings:
- 1, 2 or 3 speakers per event
- Geneva, Yverdon, Zurich
- ~8 meetings/year
- Attendance: 15-100 people
- People love these meetings!
(Historical) conference partnerships:

Slide 46: Activities: awareness sessions
Awareness session for Swiss organizations:
- 1 hour, head-to-head session with an OWASP representative at your company
- Syllabus: OWASP organization, OWASP projects and membership opportunities
- 4 Swiss private companies requested this in 2010
- It's free! BUT: it's not free training or consulting!! No product names, no "reviews", no training.

Slide 47: Swiss speakers and contributors
(non-exhaustive list, sorry for those I forgot)
- Ivan Butler: web application firewall & hacking lab
- Tobias Christen: security & usability
- Alexis Fitzgerald: gathering application security requirements
- Christian Folini: ModSecurity CRS & DDoS defense
- Antonio Fontes: threat modelling & lifecycle security
- Axel Neumann: Zed Attack Proxy
- Sylvain Maret: strong authentication
- Pierre Parrend: Java mobile applications
- Sven Vetsch: advanced XSS attacks and defense
... come to me after the talk if you want your name here

Slide 48: Thank you!
- Visit the OWASP website: https://www.owasp.org
- Join the OWASP Switzerland mailing list: http://www.owasp.ch
- Follow us on Twitter: @OWASP_ch / @OWASP
- Get in touch with your local OWASP representatives:
  - Sven Vetsch (Switzerland): sven.vetsch@disenchant.ch
  - Antonio Fontes (Western/French Switzerland): antonio.fontes@owasp.org

Meet the OWASP

Editor's Notes

  1. 1) Web frontends, Web 2.0 portals, intranets/extranets for b/c/c services, VPN over SSL, web services, SOAs, online APIs, … Access to public services, personal data, business automation, etc. 2) The value of information/service. 3) Governments, competitors, disgruntled people, hackers…? 4) The advantage of not being “there”; “blacklist” countries (from a legal perspective).
  2. Basic context: threat exercise on a web-facing entity, potentially exposing company assets. Need for information, visibility. Achieved with people, methods and tools. OWASP creates the necessary ecosystem to build up these 3 components. Visibility on application security is then brought to the company.
  3. Statistics indicate the major search terms being support for XSS defense and understanding SQL injection. Although very "basic" and quite old, SQL injection remains a major search term; the message STILL needs to be transmitted, do not OVERESTIMATE!!!
  4. Coverage across the development lifecycle.
  5. Objective: help you identify what OWASP can provide you; help you identify opportunities for internal secure development; help you identify opportunities for secure COTS/outsourced software vendor agreements; help you identify material that you can use to leverage your relation with your security services/product provider.