Upload
sebastien-gioria
View
245
Download
0
Embed Size (px)
DESCRIPTION
Présentation OWASP lors des TechItDays Pages Jaunes
Citation preview
TechItDays 2014 Séminaire DT Solocal 2014 4th September 2014
Sébas&en Gioria [email protected] Chapter Leader & Evangelist OWASP France
OWASP, the Life,the Universe
2
http://www.google.fr/#q=sebastien gioria
‣ OWASP France Leader & Founder & Evangelist, ‣ OWASP ISO Project & OWASP SonarQube Project Leader
‣ Innovation and Technology @Advens && Application Security Expert
Twitter :@SPoint/@OWASP_France
2
‣ Application Security group leader for the CLUSIF
‣ Proud father of youngs kids trying to hack my digital life.
Agenda
• Applica8on Security : – where we are (no bullshit) – where we are (hopefully) going ?
• Open Web Applica8on Security Project ? • Major projects you can use
3
Why Applica8on Security ?
4
My Application will be hacked !
Let Me take you on the right way 4
Your Application
will be Hacked ;)
Your Application has been Hacked
YES
NO
NO
YES
Next Step
SQL in Java
5
ResultSet rs = stmd.executeQuery("select * from person where uid = "+ userid);" while (rs.next()) { "
"System.out.println("Name= " + rs.getString(1));"}
http://stackoverflow.com/questions/9123084/how-to-execute-a-sql-statement-with-a-variable-as-where"
6
http://www.advens.fr/blog/les-injections-sql-dans-les-applications-web-pourquoi-navancons-nous-pas"
Game Over....
• Did you develop Web Site?
• Did you develop embeded products ?
• Did you develop smartphone applica8ons ?
• Did you have customers / partners over Internet ?
7
We are living in a Digital environment, in a Connected World
v Most of websites vulnerable to a[acks v Important % of web-‐based Business (Services, Online Store, Self-‐care, Telcos, SCADA, ...)
Why Applica8on Security ?
Age of An8virus Age of Network Security
Age of Applica8on Security
8
9 (c) Verizon 2014
Who win ?
10 (c) WhiteHatSecurity 2013"
Vulnerabili8es ?
11 (c) WhiteHatSecurity 2013
Anything else ?
12
Mission Driven
Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services
What is OWASP
13
Community Driven
30,000 Mail List Par8cipants 200 Ac8ve Chapters in 70 countries
1600+ Members, 56 Corporate Supporters 69 Academic Supporters
What is OWASP
14
200 Chapters, 1 600+ Members, 20 000+ Builders, Breakers and Defenders
Around the World
15
Quality Resources
200+ Projects 15,000+ downloads of tools, documenta8on
250,000+ unique visitors 800,000+ page views (monthly)
What is OWASP
16
Documenta&on
Tools Code
50%
10% 40%
Quality Resources
17
Security Lifecycle
18
Security Resources
19
NEWS A BLOG
A PODCAST MEMBERSHIPS MAILING LISTS A NEWSLETTER
APPLE APP STORE VIDEO TUTORIALS
TRAINING SESSIONS SOCIAL NETWORKING
20
OWASP Projects
21
OWASP Top10 2013
22
A1: Injec&on
A2: Viola&on de Ges&on
d’authen&fica&on et de session
A3: Cross Site Scrip&ng (XSS)
A4:Référence directe non sécurisée à un
objet
A5: Mauvaise configura&on sécurité
A6 : Exposi&on de données sensibles
A8: Cross Site Request Forgery (CSRF)
A10: Redirec&ons et transferts non validés
A7: Manque de contrôle d’accès fonc&onnel
A9: U&lisa&on de composants avec des vulnérabilités connues
ex-‐A9(transport non sécurisé) + A7(Stockage crypto)
Developer Cheat Sheets § PHP Security Cheat Sheet § OWASP Top Ten Cheat Sheet § Authen8ca8on Cheat Sheet § Cross-‐Site Request Forgery (CSRF) Preven&on Cheat Sheet § Cryptographic Storage Cheat Sheet § Input Valida8on Cheat Sheet § XSS (Cross Site Scrip&ng) Preven&on Cheat Sheet § DOM based XSS Preven8on Cheat Sheet § Forgot Password Cheat Sheet § Query Parameteriza&on Cheat Sheet § SQL Injec&on Preven&on Cheat Sheet § Session Management Cheat Sheet § HTML5 Security Cheat Sheet § Transport Layer Protec8on Cheat Sheet § Web Service Security Cheat Sheet § Logging Cheat Sheet § JAAS Cheat Sheet
Mobile Cheat Sheets § IOS Developer Cheat Sheet § Mobile Jailbreaking Cheat Sheet Dran Cheat Sheets § Access Control Cheat Sheet § REST Security Cheat Sheet § Abridged XSS Preven8on Cheat Sheet § Password Storage Cheat Sheet § Secure Coding Cheat Sheet § Threat Modeling Cheat Sheet § Clickjacking Cheat Sheet § Virtual Patching Cheat Sheet § Secure SDLC Cheat Sheet § Web Applica8on Security Tes8ng Cheat Sheet
§ Applica8on Security Architecture Cheat Sheet
Cheat Sheets
23
Project Leader: Chris Schmidt, [email protected] Purpose: A free, open source, web applica8on security control library that makes it easier for programmers to write lower-‐risk applica8ons
h[ps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Enterprise Security API
24
Java HTML Sani8zer, Java Encoder
Project Leader: Mike Samuel [email protected]
Purpose: The OWASP HTML Sani8zer is a fast and easy to configure HTML Sani8zer wri[en in Java which lets you include HTML authored by third-‐par&es in your web applica&on while protec8ng against XSS.
h[ps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Project Leader: Jeff Ichnowski
Purpose: The OWASP Java Encoder is a Java 1.5+ simple-‐to-‐use drop-‐in high-‐performance encoder class with no dependencies and li[le baggage. This project will help Java web developers defend against Cross Site Scrip8ng!
h[ps://www.owasp.org/index.php/OWASP_Java_Encoder_Project
Java Encoder Project
Project Leader: Mike Samuel [email protected]
Purpose: The OWASP Java Encoder is a Java 1.5+ simple-‐to-‐use drop-‐in high-‐performance encoder class with no dependencies and li[le baggage. This project will help Java web developers defend against Cross Site Scrip8ng!
h[ps://www.owasp.org/index.php/OWASP_Java_Encoder_Project
OWASP Top10 Mobile project
OWASP IoT Project
• The OWASP Internet of Things Top 10 -‐ 2014 is as follows:
• I1 Insecure Web Interface • I2 Insufficient Authen8ca8on/Authoriza8on
• I3 Insecure Network Services
• I4 Lack of Transport Encryp8on • I5 Privacy Concerns
• I6 Insecure Cloud Interface • I7 Insecure Mobile Interface
• I8 Insufficient Security Configurability
• I9 Insecure Sonware/Firmware • I10 Poor Physical Security
Development Guide: comprehensive manual for designing, developing and deploying secure Web Applica8ons and Web Services Code Review Guide: mechanics of reviewing code for certain vulnerabili8es & valida8on of proper security controls Tes&ng Guide: understand the what, why, when, where, and how of tes8ng web applica8ons
Applica&on Security Verifica&on Standard (ASVS): comprehensive manual for designing, verify the security of an applica8on
h[ps://www.owasp.org/index.php/Category:OWASP_Guide_Project h[ps://www.owasp.org/index.php/Category:OWASP_Code_Review_Project h[ps://www.owasp.org/index.php/Category:OWASP_Tes8ng_Project h[ps://www.owasp.org/index.php/Category:OWASP_Applica8on_Security_Verifica8on_Standard_Project
Guides
29
Zed A[ack Proxy
Project Leader: Simon Benne[s (aka Psiinon), [email protected] Purpose: The Zed A[ack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabili8es manually in web applica8ons. Last Release: ZAP 2.3.1 (21 May 2014)
h[ps://www.owasp.org/index.php/OWASP_Zed_A[ack_Proxy_Project 30
Intended to help sonware developers and their clients nego8ate important contractual terms and condi8ons related to the security of the sonware to be developed or delivered. CONTEXT: Most contracts are silent on these issues, and the par8es frequently have drama8cally different views on what has actually been agreed to. OBJECTIVE: Clearly define these terms is the best way to ensure that both par8es can make informed decisions about how to proceed.
h[ps://www.owasp.org/index.php/OWASP_Secure_Sonware_Contract_Annex
The OWASP Secure Sonware Contract Annex
31
Dates
• 11 Septembre 2014 – OWASP France Mee8ng Paris @Mozilla Office – Programme :
– 18h30 : Ouverture des portes
– 19h : Welcome by OWASP France et Mozilla
– 19h15 : SonarQube pour la sécurité par Sébas8en Gioria (OWASP France)
– 19h45 : Warning Ahead: Security Storms are Brewing in Your JavaScript -‐ Par Laurent Levi (Checkmarx) -‐ En Francais
– 20h15 : OWASP News && Closing par Sébas8en Gioria (OWASP France)
– 20h30 : Networking
hkp://www.eventbrite.fr/e/billets-‐owasp-‐france-‐mee&ng-‐septembre-‐2014-‐12738480137
• Applica8on Security Forum Western Switzerland – Yverdon les Bains – 4/6 Novembre 2014
– h[p://www.appsec-‐forum.ch/
• Club 27001 /Paris -‐ 25 Septembre 2014 – Présenta8on de la norme ISO 27034
32
Soutenir l’OWASP
• Différentes solu8ons : – Membre Individuel : 50 $ – Membre Entreprise : 5000 $ – Dona8on Libre
• Soutenir uniquement le chapitre France : – Single Mee8ng supporter
• Nous offrir une salle de mee8ng ! • Par8ciper par un talk ou autre ! • Dona8on simple
– Local Chapter supporter : • 500 $ à 2000 $
33