matteo meucci owasp testing guide v4
DESCRIPTION
The OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues. You'll notice several changes between v3 and v4. Some sections have been renamed, removed or reworked, but overall the OWASP Testing Guide version 4 improves on version 3 in three ways: 1. This version of the Testing Guide integrates with the two other flagship OWASP documentation products: the Developers Guide and the Code Review Guide. To achieve this we aligned the testing categories and test numbering with those in other OWASP products. The objective of the Testing and Code Review Guides is to evaluate the security controls described by the Developers Guide. 2. All chapters have been improved and test cases expanded to 87 (64 test cases in v3) including the introduction of four new chapters and controls: - Identity Management Testing - Error Handling - Cryptography - Client Side Testing 3. This version of the Testing Guide encourages the community not to simply accept the test cases outlined in this guide. We encourage security testers to integrate with other software testers and devise test cases specific to the target application. As we find test cases that have wider applicability we encourage the security testing community to share them and contribute them to the Testing Guide. This will continue to build the application security body of knowledge and allow the development of the Testing Guide to be an iterative rather than monolithic process.TRANSCRIPT
3.10.2014 - Venezia - ISACA VENICE Chapter
1 OWASP Testing Guide v4- M. MEUCCI
The new OWASP
standard for the Web
Application
Penetration Testing
Matteo Meucci
Venezia, 3 October 2014
Application Security: internet, mobile ed oltre
3.10.2014 - Venezia - ISACA VENICE Chapter
2 OWASP Testing Guide v4- M. MEUCCI
Application Security: internet, mobile ed oltre
Sponsor e
sostenitori di
ISACA VENICE
Chapter
Con il
patrocinio di
Organizzatori
3.10.2014 - Venezia - ISACA VENICE Chapter
3 OWASP Testing Guide v4- M. MEUCCI
Matteo Meucci
Matteo Meucci is the CEO and a cofounder of Minded Security, where he is responsible for strategic direction and business development for the Company.
Matteo has more than 13 years of specializing in information security and collaborates from several years at the OWASP project:
he founded the OWASP-Italy Chapter in 2005
he leads the OWASP Testing Guide from 2006.
Matteo has undergraduate degrees in Computer Science Engineering from the University of Bologna.
3.10.2014 - Venezia - ISACA VENICE Chapter
4 OWASP Testing Guide v4- M. MEUCCI
Agenda
OWASP Today
The OWASP Testing Guide v4
Why?
What the TG answers?
How can you use it?
Common misunderstanding of the use of the TG
3.10.2014 - Venezia - ISACA VENICE Chapter
5 OWASP Testing Guide v4- M. MEUCCI
OWASP CORE MISSION
• Worldwide charitable organization focused on improving the security of software
• Our mission is to make application security visible
• Help people and organizations can make informed decisions about true application security risks
• Everyone is welcome to participate in OWASP
• All of our tools and materials are available under free and open software or documentation licenses
OWASP CORE VALUES
• OPEN - Everything at OWASP is radically transparent from our
finances to our code.
• INNOVATION - OWASP encourages and supports
innovation/experiments for solutions to software security challenges.
• GLOBAL - Anyone around the world is encouraged to participate in
the OWASP community.
• INTEGRITY - OWASP is an honest and truthful, vendor agnostic,
global community.
3.10.2014 - Venezia - ISACA VENICE Chapter
7 OWASP Testing Guide v4- M. MEUCCI
~140 Projects
• PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.
• DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.
• LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).
3.10.2014 - Venezia - ISACA VENICE Chapter
8 OWASP Testing Guide v4- M. MEUCCI
Conferences
San Jose Sep 2010
Brussels May 2008
Poland May 2009
Ireland May 2011
Israel
Sep 2008-11
Brazil Oct 2011
Minnesota
Sep 2011
DC Nov 2009
Sweden
June 2010
NYC Sep 2008
Asia Nov 2011
Greece July 2012
Austin, TX Oct 2012
Sydney Mar 2012 Argentina
Nov 2012
3.10.2014 - Venezia - ISACA VENICE Chapter
9 OWASP Testing Guide v4- M. MEUCCI
Local Chapters
174 active chapters, with 388 chapter leaders
Each with Chapter and/or Regional Events
3.10.2014 - Venezia - ISACA VENICE Chapter
10 OWASP Testing Guide v4- M. MEUCCI
OWASP Members
20,000+ Participants
50+ Paid Corporate Supporters
50+ Academic Supporters
3.10.2014 - Venezia - ISACA VENICE Chapter
11 OWASP Testing Guide v4- M. MEUCCI
Developer Guide
• The First OWASP ‘Guide’
• Complements OWASP Top 10
• 310p Book (on wiki too)
• Many contributors
• Apps and web services
• Most platforms
• Examples are J2EE, ASP.NET, and PHP
• Unfortunately Outdated
• Project Leader and Editor Andrew van der Stock,
3.10.2014 - Venezia - ISACA VENICE Chapter
12 OWASP Testing Guide v4- M. MEUCCI
Code Review Guide
• Most comprehensive open source secure code review guide on the web
• Years of development effort
• Version 1.1 produced during 2008
• Numerous contributors
• Version 2.0 effort launched in 2012
• Project Leader and Editor Eoin Keary, [email protected]
www.owasp.org/index.php/Code_Review_Guide
3.10.2014 - Venezia - ISACA VENICE Chapter
13 OWASP Testing Guide v4- M. MEUCCI
Testing Guide
www.owasp.org/index.php/Testing_Guide
• Most comprehensive open source secure testing guide on the web
• Years of development effort
• Version 4.0 produced 2014
• Hundred of contributors
• Project Leader and Editor
• Matteo Meucci, Andrew Muller
3.10.2014 - Venezia - ISACA VENICE Chapter
14 OWASP Testing Guide v4- M. MEUCCI
What is Secure Software?
It’s secure! Looks at the lock, down on the right!
It’s secure! It’s Google!
Sure! The news says that is unbreakable!
3.10.2014 - Venezia - ISACA VENICE Chapter
15 OWASP Testing Guide v4- M. MEUCCI
Software Security Principles
Security vulnerabilities in the software development process are expected.
The control of the security bugs and flaws in the software should be considered as part of the process of software development.
Vulnerability management (fixing process) is the most important step of the process of software security.
3.10.2014 - Venezia - ISACA VENICE Chapter
16 OWASP Testing Guide v4- M. MEUCCI
The new Testing Guide: why?
3.10.2014 - Venezia - ISACA VENICE Chapter
17 OWASP Testing Guide v4- M. MEUCCI
Community driven for all the Enterprises
3.10.2014 - Venezia - ISACA VENICE Chapter
18 OWASP Testing Guide v4- M. MEUCCI
The state of the art of the Web Application Penetration Testing
3.10.2014 - Venezia - ISACA VENICE Chapter
19 OWASP Testing Guide v4- M. MEUCCI
Fight with the same weapons (knowledge)
3.10.2014 - Venezia - ISACA VENICE Chapter
20 OWASP Testing Guide v4- M. MEUCCI
Testing Guide History
July 14, 2004 – "OWASP Web Application
Penetration Checklist", V1.0
December 25, 2006 – "OWASP Testing Guide", V2.0
December 16, 2008 – "OWASP Testing Guide", V3.0
September 17, 2014 – "OWASP Testing Guide", V 4.0
Citations:
• NIST SP800-115 “Technical Guide to
Information Security Testing and Assessment”
• Gary McGraw (CTO Cigital) says: “In my
opinion it is the strongest piece of Intellectual
Property in the OWASP portfolio” – OWASP
Podcast by Jim Manico
• NSA’s "Guidelines for Implementation of REST“
• Official (ISC)2 Guide to the CSSLP - Page: 70,
365
• Many books, blogs and websites
Testing Guide History
3.10.2014 - Venezia - ISACA VENICE Chapter
21 OWASP Testing Guide v4- M. MEUCCI
Testing Guide v4 goals
Create a more readable guide, eliminating some sections that are not really useful as DoS test.
Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollutions, etc.,
Rationalize some sections as Session Management Testing, Authentication Testing
Create new sections: Client side Testing, Cryptography, Identity Management
3.10.2014 - Venezia - ISACA VENICE Chapter
22 OWASP Testing Guide v4- M. MEUCCI
Contents
The OWASP Testing Framework
The set of active tests have been split into 11 sub-categories for a total of 91 controls:
Information Gathering
Configuration and Deployment Management Testing
Identity Management Testing
Authentication Testing
Authorization Testing
Session Management Testing
Input Validation Testing
Error Handling
Cryptography
Business Logic Testing
Client Side Testing
3.10.2014 - Venezia - ISACA VENICE Chapter
23 OWASP Testing Guide v4- M. MEUCCI
How to use the methodology
Web Application Methodology Report
Source Code Fixing Methodology Retest Report
public void findUser() { boolean showResult = false; String username = this.request.getParameter("username"); ... this.context.put("username", ESAPI.encoder().encodeForHTMLAttribute(username)); this.context.put("showResult", showResult); }
3.10.2014 - Venezia - ISACA VENICE Chapter
24 OWASP Testing Guide v4- M. MEUCCI
Common misunderstanding
3.10.2014 - Venezia - ISACA VENICE Chapter
25 OWASP Testing Guide v4- M. MEUCCI
Example of unstructured approach: Ministry of Informatics
3.10.2014 - Venezia - ISACA VENICE Chapter
26 OWASP Testing Guide v4- M. MEUCCI
Actors
User: who uses the software
Ministry of Informatics: those who buy the software
Development teams (internal/external): those who develop the software
3.10.2014 - Venezia - ISACA VENICE Chapter
27 OWASP Testing Guide v4- M. MEUCCI
Press conference for the launch of the service
Now you can take advantage of a new service on the portal of the Ministry of Informatics
Fantastic!!
Compliments!!
3.10.2014 - Venezia - ISACA VENICE Chapter
28 OWASP Testing Guide v4- M. MEUCCI
The day after…
3.10.2014 - Venezia - ISACA VENICE Chapter
29 OWASP Testing Guide v4- M. MEUCCI
Users access to the portal…
Mario Verdi – 12/12/1970 – [email protected] Mario Rossi- 10/09/1982 – [email protected] Paolo Rossi – 09/02/1960 – [email protected]
3.10.2014 - Venezia - ISACA VENICE Chapter
30 OWASP Testing Guide v4- M. MEUCCI
Users access to the portal…
Oh oh...I find a problem...
3.10.2014 - Venezia - ISACA VENICE Chapter
31 OWASP Testing Guide v4- M. MEUCCI
Some days after…
3.10.2014 - Venezia - ISACA VENICE Chapter
32 OWASP Testing Guide v4- M. MEUCCI
The reactions…
Ohh..how it was possible? Fault of the developers!
but it is impossible !? We followed all your instructions
If you do not ask for security, no one will develop secure software
Use the Testing Guide as common framework
3.10.2014 - Venezia - ISACA VENICE Chapter
33 OWASP Testing Guide v4- M. MEUCCI
An year after…another security breach
but it is impossible !? We adopt the OWASP Testing Guide!
Web Application Penetration testing is not enough!
Testing without fixing is like to throw money out the window
Ohh..how it was possible? Fault of the developers!
3.10.2014 - Venezia - ISACA VENICE Chapter
34 OWASP Testing Guide v4- M. MEUCCI
Conclusion
Adopt the OWASP Testing Guide as your standard for verify the security of your Web Application.
Remember that the Testing Guide is not the panacea of Software Security!
You need to create an application security program to address awareness, secure coding guidelines, threat modelling, secure design, Secure Code Review and Web Application Penetration Testing.
Focus more on fixing the vulnerabilities of your reports.