Improving The Security Of Software

Transcription

IMPROVING THE SECURITY OF SOFTWARE
OWASP Foundation

The OWASP Foundation
We are a global not-for-profit charitable organisation
Vendor-neutral community
Collective wisdom of the best minds in application security worldwide
Provide free tools, guidance, documentation
IMPROVING SOFTWARE SECURITY, WORLDWIDE

We are all VOLUNTEERS! 45,000 OWASP volunteers worldwide

Worldwide: 207 local chapters in 56 countries and counting!

OWASP.ORG: annually, about seven million unique visitors use owasp.org

OWASP Projects: 189 projects, including 20 Flagship Projects
List: https://owasp.org/projects/


OWASP Community Events
Our mission is to make application security visible so that people and organisations can make informed decisions about application security risks.
Meetings are free to attend (free drinks & food included).
Meetings are usually 1-2 hour seminars or workshops.
(Photo: Session at Global AppSec Amsterdam)

Canadian Chapters: OWASP Calgary, OWASP Montreal, OWASP Moncton, OWASP Ottawa, OWASP Quebec City, OWASP Toronto, OWASP Vancouver
https://owasp.org/chapters/

It's all for free
Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
All OWASP events (except conferences) are free to attend by both members and non-members of OWASP, and can be attended by anyone who is interested in application security and cyber security in general.
(Photo: Member Lounge at OWASP Conference)

Premier members (donate 20,000/year): New Corporate Members


Keep In Touch
Join an OWASP Mailing List: https://groups.google.com/a/owasp.com
Follow us on Twitter
“Like” us on [platform not transcribed]
OWASP Slack: owasp.slack.com #owasp-community
Watch us on OWASP
Visit the OWASP website: https://owasp.org

Introduction to OWASP Projects (a small sample)
OWASP Foundation

OWASP Zed Attack Proxy: more than just a proxy

Intro to OWASP Zed Attack Proxy (ZAP)
OWASP Flagship Project! Free and open source! Apache 2 License
An HTTP proxy and DAST tool for breakers and builders alike!

ZAP for Testers

ZAP for DAST

Automating DAST

Deploying ZAP

Learn more!
ZAP resources: https://www.zaproxy.org/ https://www.alldaydevops.com/zap-in-ten https://github.com/Grunny/zap-cli
OWASP: https://owasp.org
OWASP Toronto: https://owasp.org/www-chapter-toronto/ https://meetup.com/OWASP-Toronto/

OWASP ASVS: a brief overview

Intro to OWASP Application Security Verification Standard (ASVS)
OWASP Flagship Project! Open source! Creative Commons Attribution-ShareAlike 3.0 license.
Meant to be a common framework of application security verification requirements:
Normalizing range of coverage
Normalizing level of rigour

ASVS version 4.0.2

Levels
ASVS Level 1 is for low assurance levels, and is completely “penetration testable”.
ASVS Level 2 is for applications that contain sensitive data which requires protection, and is the recommended level for most apps.
ASVS Level 3 is for the most critical applications: applications that perform high-value transactions, contain sensitive medical data, or any application that requires the highest level of trust.

Example content:


Uses
As a metric for verifications and assessments
As input for secure development training
As detailed security architecture guidance
As a driver for agile application security
As a secure coding checklist
As a framework for guiding software procurement
As a guide for automated testing

To find out more
ASVS project page: -verification-standard/
OWASP Toronto: https://owasp.org/www-chapter-toronto/ https://meetup.com/OWASP-Toronto/
OWASP: https://owasp.org

https://cheatsheetseries.owasp.org/

OWASP SAMM (Software Assurance Maturity Model)

Where to find it?
Main site: https://owaspsamm.org/
Guidance: /v2.0/toolbox
https://concordusa.com/SAMM/

(SAMM model diagram; labels legible in the transcription: Strategy & Metrics, Threat Assessment, Policy & Compliance, Education & Guidance, Secure Architecture, Defect Management, Security Testing, Operations; practice streams including Measure & Improve, Policy & Standards, Compliance Management, Training & Awareness, Supplier Security, Software Dependencies, Defect Tracking, Scalable Baselines)

Thank you!
Yuk Fai Chan, yukfai.chan@owasp.org
Adam Greenhill, adam.greenhill@owasp.org
Jack Enders, jack.enders@owasp.org
Opheliar Chan, P-Toronto/

Other Projects

https://owasp.org/www-project-amass/

ithub.com/DefectDojo/

https://securityknowledgeframework.org


andbook-free/online/
