Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Overview of the OWASP foundation and the projec...

Overview of the OWASP foundation and the project Cheat Sheet Series

Presention performed at the LuxIO 2019 event: http://luxio-event.lu

Dominique RIGHETTO

November 14, 2019
Tweet

More Decks by Dominique RIGHETTO

Other Decks in Programming

Transcript

  1. The OWASP world Overview of the OWASP foundation and the

    project Cheat Sheet Series Dominique Righetto – LuxIO 2019 @righettod
  2. Objective The objective of the next 50 minutes: 1. Explains

    what is the OWASP foundation and his goals? 2. Explains what it brings to the world of software? 3. Explains what is the project OWASP Cheat Sheet Series? 4. Explain how it helps people involved in the development of software? 2
  3. The OWASP foundation OWASP stands for Open Web Application Security

    Project. Homepage is https://www.owasp.org Created in december 2001 as a non-profit charitable organization (USA status). 4
  4. The OWASP foundation Provide different kind of material to promote

    the integration and awareness regarding the security in the software. Even if W is for Web, the topics covered by the OWASP foundation are beyond the Web and include the Mobile, IOT, Cloud,... Composed mainly by volunteers contributing on their personal time to the different projects and initiatives. 5
  5. The OWASP foundation The different types of material provided are

    the following: • Awareness document & presentation. • Referential to: ◦ Include the security into the development process. ◦ Evaluate the security posture of a software. • Tools. • Guidance to address a specific kind of security issue. 6
  6. The OWASP foundation A local chapter has the following main

    objectives: • Organize events with presentation regarding the Application Security. • Promote OWASP locally. • Being the point of contact to reach the OWASP foundation. 8
  7. The OWASP foundation Status of the chapters in Luxemburg and

    border countries: Luxemburg Belgium France Germany 9 We are here
  8. The OWASP foundation OWASP projects are structured in 3 levels

    of maturity: 1 2 3 https://www.youtube.com/watch?v=5RmHQKeXgk4 Building an AppSec Program with a Budget of $0: Beyond the OWASP Top 10 Evolution path 10
  9. The OWASP foundation Project identity card • Name: OWASP Top

    10. • Type: Awareness. • Objective: Explain the 10 most prevalent security issue found on web application based on world-wide statistics. • Github: https://github.com/OWASP/Top10 11
  10. The OWASP foundation Project identity card (lab one) • Name:

    OWASP Proactive Controls. • Type: Referential. • Objective: Describes the most important control and control categories that every project must include. • Github: Not yet. 12
  11. The OWASP foundation Project identity card • Name: OWASP Application

    Security Verification Standard Project (ASVS). • Type: Referential. • Objective: Provides a basis for testing application technical security controls and define an expected level of security for a non-mobile project. • Github: https://github.com/OWASP/ASVS 13
  12. The OWASP foundation Project identity card • Name: OWASP Mobile

    Application Security Verification Standard Project (MASVS). • Type: Referential. • Objective: Provides a basis for testing application technical security controls and define an expected level of security for a mobile project. • Github: https://github.com/OWASP/owasp-masvs 14
  13. The OWASP foundation Project identity card • Name: OWASP Testing

    Guide. • Type: Referential. • Objective: Provides a methodology to evaluate the security posture of a web application. • Github: https://github.com/OWASP/wstg 15
  14. The OWASP foundation Project identity card • Name: OWASP Mobile

    Security Testing Guide (MSTG). • Type: Referential. • Objective: Provides a methodology to evaluate the security posture of a mobile application (Android / iOS). • Github: https://github.com/OWASP/owasp-mstg 16
  15. The OWASP foundation Project identity card • Name: OWASP Cheat

    Sheet Series. • Type: Guidance. • Objective: Provides a collection of hints/guidance to address common security issues. • Github: https://github.com/OWASP/CheatSheetSer ies More detail very soon :) 17
  16. The OWASP foundation Project identity card • Name: OWASP Zed

    Attack Proxy (ZAP). • Type: Tool. • Objective: HTTP proxy and a scanner for assessing the security posture of a web application. • Github: https://github.com/zaproxy/zaproxy 18
  17. The OWASP foundation Project identity card • Name: OWASP Dependency

    Check. • Type: Tool. • Objective: Identify the 3rd party dependencies containing public know vulnerabilities (CVE). • Github: https://github.com/jeremylong/DependencyCheck 19
  18. The OWASP foundation Project identity card • Name: OWASP Juice

    Shop. • Type: Tool (for training). • Objective: Insecure web app for security trainings which encompasses the entire OWASP Top Ten and other severe security flaws. • Github: https://github.com/bkimminich/juice-shop 20
  19. The OWASP foundation 01 02 03 04 TRAINING Top 10

    Juice Shop DESIGN Proactive Controls ASVS / MASVS VALIDATION Zed Attack Proxy Dependency Check Testing Guide / MSTG IMPLEMENTATION Cheat Sheet Series 21
  20. The Cheat Sheet Series project Origin: • Created in 2014

    by Jim Manico. • Hosted and managed on the OWASP WIKI. • Many contributors (> 100). Objective: • Provides a collection of hints/guidance to address common security issues. 23
  21. The Cheat Sheet Series project Main limitations: • Requiring an

    OWASP wiki account to work on it. • No offline version. • As a user: No way to receive notification when content is updated. • No validation/review process on the content. • Rendering on the wiki was no easy to read. • No index allowing to identify the suitable cheat sheet when using other OWASP referential (ASVS/Proactive Controls/etc). • Guidance provided was no always directly actionable by a dev team. • Aging content. • ... 24
  22. The Cheat Sheet Series project V2 project launched in December

    2018 with the following 7 key points in mind: 1. Move the entire project content to Github. 2. Open contribution to the world and only require a GitHub-free account. 3. Made contribution the easiest possible. 4. Add structure to the content as well as a validation process on it. 5. Made public every exchange and discussion on the project/content. 6. Tackle as much as possible the limitations of the V1. 7. Reach the Flagship graduation and maturity level. 25
  23. The Cheat Sheet Series project 9 months later (100% spare

    time work on evenings and weekends)... 26
  24. The Cheat Sheet Series project Overview of contribution flow leveraging

    Github features: Issue describing the proposition for a cheat sheet Issue reviewed by the core team Pull Request submitted Pull Request reviewed by the core team Pull Request merged Issue rejected with justification Pull Request rejected with justification Issue accepted 27
  25. The Cheat Sheet Series project Overview of an issue and

    his PR from Github point of view: 28
  26. The Cheat Sheet Series project Overview of an PR lifecycle

    from a CI/CD point of view (PR creation/update): Project Github repository Contributor create/update the PR from his fork TravisCI job triggered to validate the PR PR is compliant and the manual review can start…. PR is NOT compliant and the manual review is blocked until all errors are fixed 29
  27. The Cheat Sheet Series project Overview of an PR lifecycle

    from a CI/CD point of view (PR creation/update): 30
  28. The Cheat Sheet Series project Overview of an PR lifecycle

    from a CI/CD point of view (PR merge): Project Github repository CircleCI job triggered when a commit is done on the master branch Cookbook generating the HTML website and related assets Website deployed on Github pages ATOM feed generated with updates Downloadable archive build and published on the website 31
  29. The Cheat Sheet Series project Overview of an PR lifecycle

    from a CI/CD point of view (PR merge): 32
  30. The Cheat Sheet Series project Overview of an PR lifecycle

    from a CI/CD point of view (PR merge): 33
  31. The Cheat Sheet Series project Overview of an PR lifecycle

    from a CI/CD point of view (PR merge): 34
  32. The Cheat Sheet Series project Overview from a contributor point

    of view working locally on a cheat sheet: • Visual Studio Code workspace file provided with preconfigured Markdown validator (common central validation rules also used by the TravisCI job) 35
  33. The Cheat Sheet Series project 3 different indexes are provided

    to connect the project with the OWASP projects ecosystem: Collection of cheat sheets OWASP Proactive Controls Point of view OWASP ASVS Point of view Alphabetical Point of view 36
  34. The Cheat Sheet Series project 3 different indexes are provided

    to connect the project with the OWASP projects ecosystem: 37
  35. The Cheat Sheet Series project 3 different indexes are provided

    to connect the project with the OWASP projects ecosystem: 38
  36. The Cheat Sheet Series project 3 different indexes are provided

    to connect the project with the OWASP projects ecosystem: 39
  37. The Cheat Sheet Series project A cheat sheet has the

    following characteristic: 1. Explain the context in which the security issue occurs. 2. Explain the security issue itself. 3. Give recommendations on how to address/prevent/fix the security issue from a technology agnostic point of view. 4. Show a full documented example of implementation of the recommendation in technology. Let’s see an example with the error handling cheat sheet: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html 40
  38. Thank you... ↪ To the project core team for their

    amazing work: • Elie Saad • Jakub Maćkowski • Robin Bailey • Jim Manico ↪ To the amazing community of the project. ↪ To Intech and Excellium for this opportunity to present to you the OWASP world. 41