- Number of slides: 25
OWASP and Web Application Security trends in Italy: data and stats from everyday experiences
Raoul Chiesa
6th OWASP AppSec Conference, Milan - May 2007
OWASP, Director of Communications, Italian Chapter
Board of Directors, ISECOM, CLUSIT, TSTF
rc@TSTF.net
Copyright © 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation http://www.owasp.org/
Agenda
- The speaker
- ISECOM
- OWASP, Italian Chapter
  - The Board
  - Planned goals
  - Reached goals
- A quick intro to Web Security and a kind of “philosophy”
- OWASP-Italy Survey and everyday experiences
- Conclusion
- Acknowledgements
- Q&A
6th OWASP AppSec Conference – Milan – May 2007
The speaker
- Raoul “Nobody” Chiesa, class 1973
- Hacker from 1986 until 1995
- Running my own company since 1997: vendor-independent, security consulting only: no box moving!
- +200 Penetration Tests/year
- Focused on telcos (x.Sx.N/mobile), finance, P.A., military environments
- OSSTMM Key Contributor (1.5, 2.0, 2.1, 2.2, 3.0)
- Board of Directors member for: OWASP (Italian chapter), ISECOM, CLUSIT, TSTF.net (Telecom Security Task Force)
ISECOM
- I’ve decided to spend a few slides about ISECOM because:
  - At yesterday evening’s social dinner, I found many guys didn’t know about ISECOM and the OSSTMM at all
  - I strongly think that ISECOM and OWASP should work out something together
  - The OSSTMM covers all those areas (aka [many] Attack Vectors, Penetration Testing methodology, Metrics, Rules of Engagement, RAVs) that at OWASP we don’t cover. And vice versa.
ISECOM’s KEY PROJECTS
- OSSTMM – The Open Source Security Testing Methodology Manual
- RAVs – The Security Metrics
- BIT – Business Integrity Testing Methodology Manual
- OPRP – Open Protocol Resource Project
- SIPES – Security Incident Policy Enforcement System
- SPSMM – The Secure Programming Standards Methodology Manual
- STICK – Software Testing Checklist
- ISM 3.0 – Information Security Maturity Model
- HHS – Hacker High School (www.hackerhighschool.org)
- HPP – Hacker’s Profiling Project (www.isecom.org/hpp)
The ISECOM mission
- Our Mission:
  - To provide global, practical, usable security knowledge and knowledge-tools to solve problems caused by insecurity, privacy violations, ethical violations, and poor safety measures
- Our Audience:
  - Corporations, Organizations, Governments (OSSTMM, Metrics, HPP)
  - Professionals and quasi-professionals (Rules of Engagement, HPP)
  - College students (Academic Alliance Program)
  - Teens and pre-teens (Hacker Highschool)
OSSTMM: introduction
- ISECOM’s chief project is the OSSTMM
- The Open Source Security Testing Methodology Manual is used by:
  - Worldwide Financial Institutions
  - the U.S. Department of the Treasury for testing U.S. financial institutions
  - U.S. Navy and Air Force
  - Security Market Players (Vendors, Consulting companies, freelancers)
  - Telecommunications & Finance operators, Government and Military Institutions
  - MANY more companies than I can list here (but I brought you some examples)
- The OSSTMM is a methodology for testing security systems for everything, from guards and locked doors to mobile communication towers and satellites.
OSSTMM: who’s using it? (quotes)
CENSORED
You should have joined us at the 6th OWASP AppSec Conference in Italy… if you really wanted to see this slide
OWASP, Italian Chapter: the Board
- The OWASP Italian chapter’s board is composed of:
  - Founder and Country Chairman: Matteo Meucci
  - Director of Communications: Raoul Chiesa
  - Technical Director: Alberto Revelli
  - R&D Director: Stefano Di Paola
  - Technical Writer Director: Lorenzo De Santis
  - Italian Translation of docs and papers: Matteo Paolelli, Massimiliano Graziani
  - Official (very!) active members: Giorgio Fedon, Luca Carettoni, Antonio Parata, Carlo Pelliccioni, Claudio Merloni, Mauro Bregolin, Paolo Perego, Daniele Bellucci
OWASP, Italian Chapter: planned goals for 2004 - 1
- Letting the Italian “underground” community discover OWASP and learn from its projects
- Getting members (!)
- Founding a local chapter
- Producing some (interesting) work!
- Being able to show it at key Italian security events
OWASP, Italian Chapter: planned goals for 2004 - 2
- In order to get access to those “key security events”, we had to establish “partnerships”
- This hasn’t been as easy as it seemed to be.
- Some of the issues we’ve encountered:
  - Politics
  - Corporations, “big 5” (well… “4” ;)
  - Lobbying
  - Credibility
  - Ignorance
  - “I just don’t care”…
  - “Got no time”
  - Local scandals (of course, dealing with IT security!)
OWASP, Italian Chapter: planned goals for 2004 - 3
- Along with our Italian Chairman, Matteo Meucci, we’ve decided to identify the market’s drivers, both from a technical and a business-strategy point of view
- Back in 2004, we identified the following main goals:
  - IDC: OWASP <-> IDC Strategic Alliance Partnership
  - CLUSIT: Educational and Strategic Partnership
  - ISCOM/OCSI: Superior Institute of Communications (Ministry of Communications), Central Organism for Information Security [Italian Government]. Self-commented
  - Infosecurity Italy: yearly national top security fair
  - CNIPA: National Center for Information Technology in the Public Administration. Self-commented
OWASP, Italian Chapter: reached goals - 1
- Letting the Italian “underground” community discover OWASP and its projects
- Getting members (!)
- Founding a local chapter
- Producing some (interesting) work!
- Being able to show it at key Italian security events
(Status markers on the slide: DONE! DONE!)
OWASP, Italian Chapter: reached goals - 2
- Back in 2004, we identified the following main goals:
  - IDC: OWASP <-> IDC Strategic Alliance Partnership
  - CLUSIT: Education Partnership
  - ISCOM/OCSI: Superior Institute of Communications (Ministry of Communications), Central Organism for Information Security [Italian Government].
  - Infosecurity Italy
  - CNIPA: National Center for Information Technology in the Public Administration
(Status markers on the slide: FAILED, DONE!, IN PROGRESS)
CLUSIT: who is it?
- Non-profit organization, founded back in 2000, hosted at the University of Milan, Department of Computer Sciences
- CLUSIT goals:
  - Share an IT culture with companies, P.A. and citizens
  - Participate in laws, standards and rules writing, when related to IT/ICT environments, both at national and European level
  - Promote the use of methodologies and technologies in order to raise global security
CLUSIT: why? - 1
- Because of its institutional role.
- At a national level, CLUSIT cooperates with:
  - Ministry of Communications
  - Ministry of the Interior
  - Ministry of Instruction
  - Presidency of the Council, Innovation and Technology Department
  - Postal and Communications Police
  - National Data Protection Authority (privacy)
  - National Communications Protection Authority
  - Confindustria (private companies association)
  - Universities and Research Centers
  - Professional and Consumer Associations
CLUSIT: why? - 2
- Because of its institutional role.
- At an international level, CLUSIT co-operates with:
  - EU CERTs
  - CLUSI (CLUSIB, CLUSIF, CLUSIS, CLUSSIL)
  - Universities and Research Centers in Austria, Belgium, Denmark, France, Estonia, Greece, UK, Ireland, Luxembourg, Netherlands, Poland, Spain, Sweden, Switzerland
  - European Commission, DG Information Society
  - ENISA (European Network and Information Security Agency)
  - OCSE (Organisation for Economic Co-operation and Development)
  - Professional Associations (ISACA, ASIS, ISC2, ISSA, SANS) and Consumer Associations
A short brainstorming on general and Web-based Security issues (security philosophy ;)
Core problem
- E-commerce (wow, that’s a BIG word!) application vendors are mainly selling insecure software and core systems:
  - “Security Through Obscurity” concept = no source auditing/code review/testing by third parties, ’cause “that’s my code dude, I LIVE on those revenues”
  - Open Source CMSs (Zope, PHPNuke) = no one forcing them to write secure code
  - The protocols on which applications rely are, more or less, insecure (SSL, WAP, SSH, DBs, Web Servers, etc...)
  - The Project Managers hired by “market players” (mobile, finance, health, PA, etc.) in order to “take care” of E-commerce application development typically have very little knowledge of security issues - while fighting with the customer’s time to market…
- Let’s clearly state that Web applications are just the most exposed “attack vector” nowadays. This is good news for the sec-guys, while it’s so bad for the end-users.
Market players
- Market players rely on vendors in order to find “secure solutions”…
- M.P. are mainly focused on market trends, time to market, competitors, investors’ requests and the stock exchange – and a lot of time-consuming routine tasks aka “Biz PRs”.
- M.P. do not have in-house web security expertise.
- M.P. are often split into B.U. or “departments”: MKTG and IT, Production vs. Development, etc. They don’t talk to each other. Often, they dislike each other.
- From the IT Security point of view, this is a big problem.
- Basically, we have at least two separate security domains wherever they exist.
e.g. Mobile operators: IT and Network Operations
(Slide diagram: NETWORK OPS. vs. I.T.)
- GSM operators typically split their network between IT (the incompetent team running the mail, the domains, the printers and the proxy/firewall) and Engineering (the telco side).
- Usually there is distrust between the two entities, poor communications and certainly no common policy towards security.
- IT of course believe they are important, but in fact they just have a support role. If all IT systems stop working, you can still make phone calls.
(Emmanuel Gadaix, TSTF – Black Hat Asia Security Conference, 2001)
Web Applications Security Italian Survey - 1
- Months ago, when I told Dave the title of this talk, my intention was to bring you an extremely updated survey of the situation down here. (Of course there’s no “official data” around, except for OWASP’s local surveys, but who cares)
- Thank god, we love our job and we’re “IT guys”, meaning that we enjoy learning and sharing together.
- Talking to other local people, all of my web app pen test results showed quite the same findings, results, issues and stats as theirs!
- …and they were many (people).
- Ah! Of course, our customers weren’t the same ones…!!
Web Applications Security Italian Survey - 2
- So, why show you…
  - Evidence
  - Sanitized reports
  - Stats and nice-graphics-for-management stuff
  - 0-day exploits & “leet” screenshots
  - Unreleased, c00l t00lz
  - Whatever…???
- All the results would look the same, more or less…
- That’s why there’s no survey
Conclusion
- From the day when the OWASP Italian Chapter started its activities, the security level of web applications in our country has changed. It’s higher.
- This has been noticed by all of us: security consultants, standards writers, coders, pentesters, hackers… end-users and citizens.
- We’re on the right path, while a lot of work still has to be done. The Italian attendees here haven’t been very many, but we think this is a good starting point.
- From the local OWASP chapter, we’d like to thank all of you for being here and making this 6th conference even more special!
Acknowledgements
- All of the OWASP Italian Chapter team
- Gigi Tagliapietra, President of CLUSIT, and Paolo Giudice, General Secretary
- Matteo Meucci and Dave Wichers at OWASP… for having made this event possible.
- All the OWASP international community, for their everyday passion