TRANSCRIPT
OWASP Resources to Know
Presented by David Rhoades * Maven Security Consulting Inc. * www.MavenSecurity.com
facebook.com/MavenSec * @MavenSecurity
Presented to ISSA Delaware Valley - June 2015
Page 2 OWASP Resources to Know
Copyright © Maven Security Consulting Inc. - www.MavenSecurity.com
All rights reserved. No part of this product may be reproduced, distributed, or
transmitted in any form or by any means, including photocopying, recording, or other
electronic or mechanical methods, without the prior written permission of the publisher.
Document Revision
Revision Date 6/21/2015
Document Backlink
Please use the following link to refer others to this document:
https://www.MavenSecurity.com/resources
Table of Contents
Course Intro 5
  Speaker Intro 6
  OWASP Intro 7
  OWASP Delaware Intro 8
OWTF 9
ASVS 16
WTE 20
Dependency Check 26
Up & Coming Projects 28
  Mobile App Project 29
  Proactive Controls 31
  SonarQube 33
  SKF 34
  WHID 40
Conclusion 43
  Q&A 43
  Conclusion 44
  Author Contact Info 45
Slide 1
Course Intro
Slide 2
OWASP has lots of free resources to improve application security, but it's hard to keep track of what's important. This presentation will review the essential tools and resources to consider when planning, coding, deploying, and auditing application security. Some of the newer mobile app resources will be covered.
Speaker Intro
Slide 3
About the Author
David Rhoades is a director with Maven Security Consulting Inc. (www.mavensecurity.com). Maven Security Consulting Inc. provides information security assessments and training, and is headquartered in Delaware (USA). David's expertise includes web application security, network security architectures, and vulnerability assessments. Past customers have included domestic and international companies in various industries, as well as various US government agencies. David has been active in information security consulting since 1996, when he began his career with the computer security and telephony fraud group at Bell Communications Research (Bellcore). David teaches domestically and internationally at various security conferences, including Interop and others. David has a Bachelor of Science degree in Computer Engineering from the Pennsylvania State University (psu.edu). www.MavenSecurity.com
OWASP Intro
Slide 4
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. OWASP is free from commercial pressures...to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. OWASP produces many types of materials in a collaborative and open way. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success. www.owasp.org
OWASP Delaware Intro
Slide 5
OWTF
Slide 6
Slide 7
http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
Full install docs are here: http://owtf.readthedocs.org/en/latest/install.html
[*] Do not forget to add /root/.owtf/proxy/ca.crt as a trusted CA in your browser. Trust it only in the browser profile you use for testing: once that CA is trusted, any certificate signed with its private key will be accepted without warning.
[*] Do not forget to edit /root/.owtf/db.cfg if you want something other than localhost access.
Slide 8
https://www.owasp.org/index.php/Breakers
Slide 9
root@kali110:~/owtf# ./owtf.py
[*] OWTF Version: 1.0.1, Release: LionHeart (Beta)
[-] Loading framework please wait..
[*] 127.0.0.1:8008 <-- HTTP(S) Proxy to which requests can be directed
[*] http://127.0.0.1:8009 <-- Web UI URL
root@kali110:~/owtf#
Slide 10
Slide 11
Source: https://vimeo.com/128008174
At 2:30: the web interface (OWTF running in a Kali VM, with the web browser on the host OS).
Slide 12
Slide 13
Zest is an experimental, specialized scripting language developed by the Mozilla security team and intended for use in web-oriented security tools. https://developer.mozilla.org/en-US/docs/Zest
Generating Zest scripts from OWTF provides an automated way to replicate the exploitation of a security vulnerability in a format that supports information exchange between tools: ZAP and other Zest-aware tools can replay the script and reproduce the same vulnerability in their own environment.
Slide 14
ASVS
Slide 15
Slide 16
Slide 17
Slide 18
Slide 19
WTE
Slide 20
Slide 21
Slide 22
Slide 23
Slide 24
Slide 25
Slide 26
Slide 27
Slide 28
Dependency Check
Slide 29
Slide 30
Slide 31
Up & Coming Projects
Slide 32
Mobile App Project
Slide 33
Slide 34
Proactive Controls
Slide 35
Slide 36
Ordered by importance, with control number 1 being the most important. They mostly seem to keep the phrase "Top Ten" out of the name, which helps avoid confusion when they eventually want to add an 11th control.
Slide 37
SonarQube
Slide 38
SKF
Slide 39
Slide 40
Slide 41
Slide 42
Slide 43
Slide 44
For official docs on the install process see: http://skf.readme.io/v1.0/docs/installation
My demo is running inside the Web Security Dojo (which is built on Ubuntu). NOTE: the default user is dojo and the password is dojo (needed for sudo commands). You need Python pip and sqlite3 database support:
$ sudo apt-get install python-pip sqlite3 lib32z1-dev python-dev libxml2-dev libxslt-dev libffi-dev libssl-dev
After the prerequisites you can install the Python packages:
$ sudo pip install https://github.com/mitsuhiko/flask/tarball/master
$ sudo pip install owasp-skf
Now go to the proper folder and run it:
$ cd /usr/local/lib/python2.7/dist-packages/skf
$ sudo python skf.py
When invoked it will dump the URL and password onto the terminal, like this:
Generated Password for access SKF: RaNd0mP@$$w0rd
 * Running on https://127.0.0.1:5443/ (Press CTRL+C to quit)
Note that the default username is admin.
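The install and first-run steps above, collected into one script as an added example (this is not code from the deck or from the SKF project). The package list, pip targets, install path and console output format are the ones quoted in the notes; the Web Security Dojo host and the habit of capturing the console to a file are assumptions of this example, as is the small helper that pulls the generated admin password and URL back out of that capture.

```shell
#!/bin/sh
# Added example: SKF install/run steps from the notes, plus a helper that
# recovers the one-time admin password from the captured startup output.
# Assumed host: Web Security Dojo (Ubuntu, user "dojo" with sudo rights).

SKF_DIR=/usr/local/lib/python2.7/dist-packages/skf   # install path from the notes

# Steps 1-2: OS prerequisites and Python packages. Needs sudo and network,
# so this function is defined here but only invoked on a real host.
install_skf() {
    sudo apt-get install -y python-pip sqlite3 lib32z1-dev python-dev \
        libxml2-dev libxslt-dev libffi-dev libssl-dev
    sudo pip install https://github.com/mitsuhiko/flask/tarball/master
    sudo pip install owasp-skf
}

# Step 3: start SKF and tee the console to a file. SKF prints the generated
# admin password in clear text, so the capture file is a credential: keep it
# readable only by the operator and delete it once the password is changed.
run_skf() {
    log="$1"
    umask 077
    ( cd "$SKF_DIR" && sudo python skf.py ) 2>&1 | tee "$log"
}

# Helper (assumption, not SKF functionality): parse the captured console
# output into "user=admin password=<pw> url=<listen url>".
skf_login_from_log() {
    awk '
      /Generated Password for access SKF:/ { pw = $NF }
      /Running on/ { for (i = 1; i <= NF; i++) if ($i ~ /^https?:\/\//) url = $i }
      END { if (pw != "" && url != "") print "user=admin password=" pw " url=" url }
    ' "$1"
}

# Constructed sample of the startup output shown in the notes, for a dry run
# that does not require SKF to be installed.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Generated Password for access SKF: RaNd0mP@$$w0rd
 * Running on https://127.0.0.1:5443/ (Press CTRL+C to quit)
EOF

skf_login_from_log "$SAMPLE_LOG"
# -> user=admin password=RaNd0mP@$$w0rd url=https://127.0.0.1:5443/
```

On a real host, call `install_skf` once and then `run_skf /root/skf-console.log`; the listen URL is loopback only (127.0.0.1:5443), so reach the UI from the same machine or over a tunnel rather than by exposing the port.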
Slide 45
From the documentation (typos and awkward grammar retained): NOTE: Whenever the applications measures to much violations the user acount will be blocked! you than have to clear your log files in order to gain access to the system again.
Slide 46
Slide 47
WHID
Slide 48
Slide 49
Slide 50
Slide 51
Conclusion
Q&A
Slide 52
Conclusion
Slide 53
Author Contact Info
Slide 54
David Rhoades * Maven Security Consulting Inc. * MavenSecurity.com
facebook.com/MavenSec * @MavenSecurity