- Number of slides: 23
Welcome to OWASP Bay Area Application Security Summit, February 25th, 2010

Mandeep Khera, OWASP Bay Area Chapter Leader
mkhera@owasp.org
mandeep@cenzic.com
Phone: 408-200-0712

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org
Agenda
- 1:15 – 1:30 – Welcome, Overview – Mandeep Khera
- 1:30 – 2:15 – Keynote, Kaj Van Da Loo, Sr. VP, Platforms and OnDemand, SAP
- 2:15 – 3:00 – WebBlaze: New Techniques and Tools – Prof. Dawn Song, UC Berkeley
- 3:00 – 3:30 – Networking Break
- 3:30 – 4:00 – State of the Art: Automated Black-Box Testing – Prof. Mitchell, Stanford University, Jason Bau
- 4:00 – 4:30 – Controlling Data in the Cloud: Outsourcing Computation Without Outsourcing Control – Richard Chow, PARC
- 4:30 – 4:45 – Mini-Break
- 4:45 – 6:00 – Panel – App Security Issues – Cloud, Inertia, Future
- 6:00 – 8:00 – Networking Reception – Food and Drinks
Thanks to our sponsors!!
Web Vulnerabilities Trend (chart; source: Cenzic Trends Report)
Internet Usage Continues to Grow (chart)
Trends for the next few years…
- Cyber War will accelerate
  - More countries will take offensive actions
- Social Networking sites will continue to be the targets
  - Too big, too many users, too vulnerable
- Cloud computing security issues
  - Moving to the cloud, but what about security?
- Regulations
  - Payment Card Industry (PCI) continues to drive the need for app security; other new regulations are also coming
- Mobile Apps
  - Computing is moving to mobile, more attacks likely
Sophistication of Hackers…
OWASP World

OWASP is a worldwide free and open community focused on improving the security of application software. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks. The OWASP Foundation is a 501(c)(3) not-for-profit charitable organization that ensures the ongoing availability and support for our work.
2009 OWASP Supporters
OWASP Worldwide Community
- Membership: Individual 750; Organizations 27
- Chapters: 158 around the world
- Participants: 1,470
- Wiki accounts: +20,000 users
OWASP Dashboard (chart: Worldwide Users, Most New Visitors; 29,748,796 page views; timeline 01/10/2002 to 01/10/2007)
OWASP Conferences (2008-2009)
- Minnesota, Oct 2008
- Denver, Spring 2009
- Brussels, May 2008
- NYC, Sep 2008
- DC, Sep 2009
- Germany, Nov 2008
- Poland, May 2009
- Ireland, 2009
- Portugal Summit, Nov 2008
- Israel, Sep 2008
- India, Aug 2008
- Taiwan, Oct 2008
- Brazil, Oct 2009
- Gold Coast, Feb 2008 + 2009
OWASP Knowledge Base
- 9,421 total articles
- 427 presentations
- 200 updates per day
- +300 mailing lists
- 180 blogs monitored
- 19 deface attempts
- 2,962 uploaded files
OWASP AppSec News and Intelligence
- Moderated AppSec News Feed
  - http://www.google.com/reader/public/atom/user/16712724397688793161/state/com.google/broadcast
- OWASP Podcast
  - http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012
- OWASP TV
  - http://www.owasp.tv
OWASP AppSec Job Board
OWASP Top 10 Critical Vulnerabilities - 2010
www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- A1: Injection
- A2: Cross Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object Reference
- A5: Cross Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Failure to Restrict URL Access
- A8: Unvalidated Redirects and Forwards
- A9: Insecure Cryptographic Storage
- A10: Insufficient Transport Layer Protection
Lot more than OWASP Top 10
- OWASP .NET Project
- OWASP ASDR Project
- OWASP AntiSamy Project
- OWASP AppSec FAQ Project
- OWASP Application Security Assessment Standards Project
- OWASP Application Security Metrics Project
- OWASP Application Security Requirements Project
- OWASP CAL9000 Project
- OWASP CLASP Project
- OWASP CSRFGuard Project
- OWASP CSRFTester Project
- OWASP Career Development Project
- OWASP Certification Criteria Project
- OWASP Certification Project
- OWASP Code Review Project
- OWASP Communications Project
- OWASP DirBuster Project
- OWASP Education Project
- OWASP Encoding Project
- OWASP Enterprise Security API
- OWASP Flash Security Project
- OWASP Guide Project
- OWASP Honeycomb Project
- OWASP Insecure Web App Project
- OWASP Interceptor Project
- OWASP JBroFuzz
- OWASP Java Project
- OWASP LAPSE Project
- OWASP Legal Project
- OWASP Live CD Project
- OWASP Logging Project
- OWASP Orizon Project
- OWASP PHP Project
- OWASP Pantera Web Assessment Studio Project
- OWASP SASAP Project
- OWASP SQLiX Project
- OWASP SWAAT Project
- OWASP Sprajax Project
- OWASP Testing Project
- OWASP Tools Project
- OWASP Top Ten Project
- OWASP Validation Project
- OWASP WASS Project
- OWASP WSFuzzer Project
- OWASP Web Services Security Project
- OWASP WebGoat Project
- OWASP WebScarab Project
- OWASP XML Security Gateway Evaluation Criteria Project
- OWASP on the Move Project
Finances and Grants (chart: 100%, 55%, 45%)
What Does Membership Do For OWASP?
- Funds OWASP Speakers via OWASP On the Move
- Funds Season of Code projects
- Helps Support Local Chapters
  - A portion of your membership fees helps fund your local chapter
Membership Benefits
- Individual Members
- Organizational Supporters
- University Supporters
Individual Members
- Cost: $50/year
- First Time Members Get A Membership Pack:
  - Membership card and certificate
  - OWASP DVD
  - Attractive OWASP t-shirt
  - OWASP tote bag
  - Pen
- 10% discount on OWASP conferences
Organizational Supporters
- Cost: $5000/year
- Logo on OWASP website
- Online job postings on OWASP website
- Invitation to special OWASP events such as Industry Outreach
- Two complimentary attendees to OWASP annual Summit
- Employees get 10% discount on OWASP conferences
- Onsite OWASP briefing
University Supporters
- No cost (!) – Universities must agree to provide meeting space twice per year and to include OWASP in their curriculum
- Must be an accredited University
- Logo on OWASP website
- OWASP briefings for University – students and staff