OWASP Resources to Know Presented by David Rhoades * Maven Security Consulting Inc. * www.MavenSecurity.com facebook.com/MavenSec * @MavenSecurity Presented to ISSA Delaware Valley - June 2015


Page 1

OWASP Resources to Know

Presented by David Rhoades * Maven Security Consulting Inc. * www.MavenSecurity.com

facebook.com/MavenSec * @MavenSecurity

Presented to ISSA Delaware Valley - June 2015

Page 2

OWASP Resources to Know

Copyright © Maven Security Consulting Inc. - www.MavenSecurity.com

All rights reserved. No part of this product may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher.

Document Revision

Revision Date 6/21/2015

Document Backlink

Please use the following link to refer others to this document:

https://www.MavenSecurity.com/resources

Page 3

Table of Contents

Course Intro 5

Course Intro 5

Speaker Intro 6

OWASP Intro 7

OWASP Delaware Intro 8

OWTF 9

OWTF 9

ASVS 16

ASVS 16

WTE 20

WTE 20

Dependency Check 26

Dependency Check 26

Up & Coming Projects 28

Up & Coming Projects 28

Mobile App Project 29

Pro Active Controls 31

SonarQube 33

SKF 34

WHID 40

Conclusion 43

Q&A 43

Conclusion 44

Author Contact Info 45

Page 4

Slide 1

Page 5

Course Intro

Slide 2

OWASP has lots of free resources to improve application security, but it's hard to keep track of what's important. This presentation will review the essential tools and resources to consider when planning, coding, deploying, and auditing application security. Some of the newer mobile app resources will be covered.

Page 6

Course Intro

Speaker Intro

Slide 3

About the Author

David Rhoades is a director with Maven Security Consulting Inc. (www.mavensecurity.com). Maven Security Consulting Inc. provides information security assessments and training, and is headquartered in Delaware (USA). David's expertise includes web application security, network security architectures, and vulnerability assessments. Past customers have included domestic and international companies in various industries, as well as various US government agencies. David has been active in information security consulting since 1996, when he began his career with the computer security and telephony fraud group at Bell Communications Research (Bellcore). David teaches domestically and internationally at various security conferences, including Interop and others. David has a Bachelor of Science degree in Computer Engineering from the Pennsylvania State University (psu.edu). www.MavenSecurity.com

Page 7

Course Intro

OWASP Intro

Slide 4

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. OWASP is free from commercial pressures...to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. OWASP produces many types of materials in a collaborative and open way. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success. www.owasp.org

Page 8

Course Intro

OWASP Delaware Intro

Slide 5

Page 9

OWTF

Slide 6

Slide 7

Page 10

OWTF

http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

Full install docs are here: http://owtf.readthedocs.org/en/latest/install.html

[*] Do not forget to add the /root/.owtf/proxy/ca.crt as a trusted CA in your browser

[*] Don't forget to edit /root/.owtf/db.cfg …if you want something other than localhost access.

Slide 8

https://www.owasp.org/index.php/Breakers

Page 11

OWTF

Slide 9

root@kali110:~/owtf# ./owtf.py
[*] OWTF Version: 1.0.1, Release: LionHeart (Beta)
[-] Loading framework please wait..
[*] 127.0.0.1:8008 <-- HTTP(S) Proxy to which requests can be directed
[*] http://127.0.0.1:8009 <-- Web UI URL
root@kali110:~/owtf#

Page 12

OWTF

Slide 10

Slide 11

Page 13

OWTF

Source: https://vimeo.com/128008174

2:30 web interface (using Kali VM for OWTF, and host OS for web browser)

Slide 12

Page 14

OWTF

Slide 13

Zest is an experimental specialized scripting language developed by the Mozilla security team and is intended to be used in web oriented security tools. https://developer.mozilla.org/en-US/docs/Zest

Generating Zest scripts from OWTF provides an automated mechanism to replicate exploitation of security vulnerabilities in a format that facilitates information exchange between tools such as ZAP and others which can reproduce the same vulnerabilities in their own development environment.

Page 15

OWTF

Slide 14

Page 16

ASVS

Slide 15

Slide 16

Page 17

ASVS

Slide 17

Page 18

ASVS

Slide 18

Slide 19

Page 19

ASVS

Page 20

WTE

Slide 20

Slide 21

Page 21

WTE

Slide 22

Page 22

WTE

Slide 23

Slide 24

Page 23

WTE

Slide 25

Page 24

WTE

Slide 26

Slide 27

Page 25

WTE

Slide 28

Page 26

Dependency Check

Slide 29

Slide 30

Page 27

Dependency Check

Slide 31

Page 28

Up & Coming Projects

Slide 32

Page 29

Up & Coming Projects

Mobile App Project

Slide 33

Slide 34

Page 30

Up & Coming Projects

Mobile App Project

Page 31

Up & Coming Projects

Pro Active Controls

Slide 35

Slide 36

Page 32

Up & Coming Projects

Pro Active Controls

Ordered by importance, with control number 1 being the most important. They mostly seem to keep the phrase "Top Ten" out of the name, which helps avoid confusion when they eventually want to add an 11th control.

Slide 37

Page 33

Up & Coming Projects

SonarQube

Slide 38

Page 34

Up & Coming Projects

SKF

Slide 39

Slide 40

Page 35

Up & Coming Projects

SKF

Slide 41

Page 36

Up & Coming Projects

SKF

Slide 42

Slide 43

Page 37

Up & Coming Projects

SKF

Slide 44

For official docs on the install process see: http://skf.readme.io/v1.0/docs/installation

My demo is running inside the Web Security Dojo (which is built on Ubuntu).
NOTE: Default user is dojo and password is dojo (needed for sudo commands).
You need Python pip and sqlite3 database support.
$ sudo apt-get install python-pip sqlite3 lib32z1-dev python-dev libxml2-dev libxslt-dev libffi-dev libssl-dev

After the prerequisites you can install the Python packages.
$ sudo pip install https://github.com/mitsuhiko/flask/tarball/master
$ sudo pip install owasp-skf

Now go to the proper folder and run:
$ cd /usr/local/lib/python2.7/dist-packages/skf
$ sudo python skf.py

When invoked it will dump the URL and password onto the terminal, like this:
Generated Password for access SKF: RaNd0mP@$$w0rd
 * Running on https://127.0.0.1:5443/ (Press CTRL+C to quit)
Note that the default username is admin.
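The SKF install and start-up steps from the slide, collected into one script (added here; this is not the slides' own code nor anything shipped by the SKF project). It assumes the Ubuntu-based Web Security Dojo with apt-get and Python 2.7 pip as on the slide; the SKF_LOG file name and the SKF_RUN switch are choices made here, and the generated admin password is written to a file only the invoking user can read instead of being left in the terminal scrollback.

```shell
#!/bin/sh
# Added example, not from the slides or the SKF project: the slide's install and
# start-up steps as a script. Assumptions: Debian/Ubuntu apt-get (Web Security Dojo),
# Python 2.7-era pip and package path as on the slide; SKF_LOG is a name chosen here.
set -eu

SKF_DIR=/usr/local/lib/python2.7/dist-packages/skf     # location from the slide
SKF_LOG="${SKF_LOG:-${HOME:-/tmp}/skf-startup.log}"   # assumed: where the banner is kept

# Step 1 (slide): OS prerequisites, pip and sqlite3 plus build headers.
skf_install_prereqs() {
    sudo apt-get install -y python-pip sqlite3 lib32z1-dev python-dev \
        libxml2-dev libxslt-dev libffi-dev libssl-dev
}

# Step 2 (slide): Python packages, Flask from GitHub and then SKF itself.
skf_install_packages() {
    sudo pip install https://github.com/mitsuhiko/flask/tarball/master
    sudo pip install owasp-skf
}

# Read "Generated Password for access SKF: <value>" from banner text on stdin.
skf_password_from_banner() {
    sed -n 's/^Generated Password for access SKF: //p' | head -n 1
}

# Read the URL from the " * Running on <url> ..." banner line on stdin.
skf_url_from_banner() {
    sed -n 's/^ \* Running on \([a-z]*:\/\/[^ ]*\).*/\1/p' | head -n 1
}

# Step 3 (slide): start skf.py. Its stdout (including the generated admin password)
# goes to a file with mode 0600 rather than the terminal, and the server is
# backgrounded so the script can report the URL once the banner has appeared.
skf_start() {
    cd "$SKF_DIR"
    ( umask 077; : > "$SKF_LOG" )
    sudo python skf.py >>"$SKF_LOG" 2>&1 &    # sudo credentials cached by the steps above
    tries=0
    until [ "$(skf_url_from_banner <"$SKF_LOG")" != "" ] || [ "$tries" -ge 30 ]; do
        sleep 1; tries=$((tries + 1))
    done
    echo "SKF web UI: $(skf_url_from_banner <"$SKF_LOG") (login as user admin)"
    echo "Generated password recorded in $SKF_LOG"
}

# Only run the real install when explicitly asked; otherwise the file just defines functions.
if [ "${SKF_RUN:-no}" = "yes" ]; then
    skf_install_prereqs
    skf_install_packages
    skf_start
fi
```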

Page 38

Up & Coming Projects

SKF

Slide 45

From the documentation (typos and awkward grammar retained): NOTE: Whenever the applications measures to much violations the user acount will be blocked! you than have to clear your log files in order to gain access to the system again.

Slide 46

Page 39

Up & Coming Projects

SKF

Slide 47

Page 40

Up & Coming Projects

WHID

Slide 48

Slide 49

Page 41

Up & Coming Projects

WHID

Slide 50

Page 42

Up & Coming Projects

WHID

Slide 51

Page 43

Conclusion

Q&A

Slide 52

Page 44

Conclusion

Slide 53

Page 45

Conclusion

Author Contact Info

Slide 54

David Rhoades * Maven Security Consulting Inc. * MavenSecurity.com

facebook.com/MavenSec * @MavenSecurity