Jeff Williams
Chair – The OWASP Foundation
CEO – Aspect Security
jeff.williams@owasp.org
OWASP AppSec DC, October 2005
Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org
The Guide
293 page book
Free and open source
GNU Free Documentation License
Many contributors
Apps and web services
Most platforms
Examples are J2EE, ASP.NET, and PHP
Comprehensive
OWASP AppSec DC 2
2005
Uses of the Guide
Developers
  Use for guidance on implementing security mechanisms and avoiding vulnerabilities
Project Managers
  Use for identifying activities (threat modeling, code review, penetration testing) that need to occur
Security Teams
  Use for structuring evaluations, learning about application security, remediation approaches
The Guide Project
Project Leader and Editor
  Andrew van der Stock, vanderaj@owasp.org
Bio
  One of Australia's leading webappsec researchers
  Andrew has presented at many conferences, including BlackHat USA, linux.conf.au, SAGE-AU, and AusCERT
  He helps with the OWASP Melbourne chapter and started the OWASP Sydney chapter
  Moderator of webappsec@securityfocus.com
  Looks after UltimaBB, a secure forum
  System administration of Aussieveedubbers, one of Australia's largest and busiest forums with over 3000 members
  Ex-President of SAGE-AU, the System Administrator's Guild of Australia
  In his copious spare time, he spends time with his cats, cars and food, not necessarily in that order.
History
Guide 1.0
  First released in June 2002
  93 pages
  Interim releases bring the Guide to 149 pages by 2004
Guide 2.0
  Released at Black Hat in July 2005
  293 pages
  Major new version
  Complete re-write
  Peer reviewed ... (in progress)
Massive Overhaul
Adds:
  Objectives
  Environments Affected
  Relevant COBIT Topics
  Theory
  Best Practices
  Misconceptions
  Code Snippets
Guide 2.0 ~350 controls
[Chart: vertical axis "Controls", scale 0 to 350]
Current State
Threat Modeling
Advice and Best Practices
Web Services
WS-Security
SAML
XML-DSIG
Lots more...
* Key Application Security Areas *
Authentication
Major re-write
Covers a long list of areas:
  Strong authentication, federated authentication, client-side, positive authentication, referer checks, remember my password, default accounts, password strength, encryption/hashing, automated reset, brute force, timeout, logout, self-registration, CAPTCHA
Authorization
Topics include:
  ACLs, centralization, authorization matrix, client-side authorization tokens, access to functions, access to static resources
Session Management
Complete re-write
Topics include:
  Permissive session generation, exposed session variables, page and form tokens, weak session ids, session encryption, session forging, timeout, logout, hijacking, session brute forcing, session fixation, HTTP split session attacks, HTTP request smuggling
Data Validation
Complete re-write
Considerably shorter!
State of the art validation strategies
“Sanitize” is no longer an acceptable first choice
Practical advice for several platforms
Topics:
  Integrity checks, validation, business rule validation, parameter tampering, hidden fields, ASP.NET viewstate, URL encoding, HTML entity encoding, special characters
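The "validate, don't sanitize" stance of this slide, as an added example that is not from the Guide or the deck: positive (allow-list) validation against a constructed username rule, beside a strip-based filter that one pass cannot make reliable, and HTML entity encoding at the point of output. The username format and the sample input are assumptions for the demo.

```python
import html
import re
from typing import Optional

# Positive (allow-list) validation: state what good input looks like and
# reject everything else. Assumed rule for this demo: a forum username is
# 3-20 characters drawn from [A-Za-z0-9_].
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_username(value: str) -> bool:
    """True only when the entire value matches the allow-list rule."""
    return USERNAME_RE.fullmatch(value) is not None


def strip_script_tags(value: str) -> str:
    """'Sanitize' by deleting a bad token. Deleting one occurrence can leave
    the surrounding fragments forming the same token again, so a single
    pass does not yield reliably clean output."""
    return re.sub(r"(?i)<script>", "", value)


def render_as_html_text(value: str) -> str:
    """Output encoding at the use site: entity-encode so markup is displayed
    as text rather than interpreted by the browser."""
    return html.escape(value, quote=True)


def accept_username(value: str) -> Optional[str]:
    """Validate first; only accepted input is ever encoded and rendered."""
    if not validate_username(value):
        return None
    return render_as_html_text(value)


if __name__ == "__main__":
    crafted = "<scr<script>ipt>alert(1)</script>"  # constructed sample input
    print(strip_script_tags(crafted))   # stripping reassembles a script tag
    print(accept_username(crafted))     # None: rejected by the allow-list
    print(accept_username("andrew_v"))  # accepted and safe to render
```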
Interpreter Injection
Canonicalization
Error Handling, Logging, Auditing
Complete re-write
Topics include:
  Traceability - aims for SOX compliance
  Error messages, error handling
  Don’t log noise, destruction, audit trails
File System
Topics:
  File referencing, defacement, insecure permissions, insecure indexing, unmapped files, temp files, old files, second order injection
Buffer overflows
Administrative Interfaces
Cryptography
Revamped section
Future proofing (SHA1 / MD5 anyone?)
How to select algorithms
Poor secret storage
Stream ciphers
Privacy
New Section
Objective is to ensure that an application is safe out of the box
  Code Access Security Policies
  Default passwords (NO!)
  Clear text passwords in config files
  Connecting to RDBMs and middleware
Maintenance
Topics include:
  Security incident response, rescues and fixes, update notifications, permission checking
Denial of Service Attacks
Topics include:
  Excessive consumption of resources
    Disk I/O
    CPU
    Network I/O
  User Account Lockout
Coming Soon: Secure Deployment
Coming Soon: Software Quality Assurance
How to improve your SQA to cover web application security
Language Specific Chapters
XSS Cheat Sheet
Case Study: XMB Result
phpBB
  Hundreds of thousands of boards, millions use phpBB
  Needed to test out OWASP 2.0 with PHP code and FOSS methodologies
Guide 2.1