Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Feb 25th, 2010
Welcome to the OWASP Bay Area Application Security Summit, February 25th, 2010
Mandeep Khera, OWASP Bay Area Chapter, [email protected], 408-200-0712
Agenda
1.15 – 1.30 – Welcome, Overview – Mandeep Khera
1.30 – 2.15 – Keynote – Kaj Van Da Loo, Sr. VP, Platforms and OnDemand, SAP
2.15 – 3.00 – WebBlaze: New Techniques and Tools – Prof. Dawn Song, UC Berkeley
3.00 – 3.30 – Networking Break
3.30 – 4.00 – State of the Art: Automated Black-Box Testing – Prof. Mitchell, Stanford University, and Jason Bau
4.00 – 4.30 – Controlling Data in the Cloud: Outsourcing Computation Without Outsourcing Control – Richard Chow, PARC
4.30 – 4.45 – Mini-Break
4.45 – 6.00 – Panel – App Security Issues: Cloud, Inertia, Future
6.00 – 8.00 – Networking Reception – Food and Drinks
Web Vulnerabilities Trend
Source: Cenzic Trends Report
[Chart: Web Vulnerabilities as a % of Total Vulnerabilities ("Web Vuln %"), by period: Q2 2008, Q3-Q4 2008, Q1-Q2 2009, Q3-Q4 2009; y-axis 68% to 82%]
Trends for the next few years…
Cyber war will accelerate
• More countries will take offensive actions
Social networking sites will continue to be the targets
• Too big, too many users, too vulnerable
Cloud computing security issues
• Moving to the cloud, but what about security?
Regulations
• Payment Card Industry (PCI) continues to drive the need for app security; other new regulations also coming
Mobile apps
• Computing moving to mobile, more attacks likely
OWASP World
OWASP is a worldwide free and open community focused on improving the security of application software.
Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.
Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.
OWASP Worldwide Community
Membership: 750 individuals, 27 organizations
Chapters: 158 around the world
Participants: 1,470 wiki accounts, 20,000+ users
OWASP Conferences (2008-2009)
Gold Coast – Feb 2008 (+2009)
Brussels – May 2008
India – Aug 2008
NYC – Sep 2008
Israel – Sep 2008
Taiwan – Oct 2008
Minnesota – Oct 2008
Portugal Summit – Nov 2008
Germany – Nov 2008
Denver – Spring 2009
Poland – May 2009
DC – Sep 2009
Brazil – Oct 2009
Ireland – 2009
OWASP KnowledgeBase
• 9,421 total articles
• 427 presentations
• 200 updates per day
• 300+ mailing lists
• 180 blogs monitored
• 19 deface attempts
• 2,962 uploaded files
OWASP AppSec News and Intelligence
Moderated AppSec News Feed: http://www.google.com/reader/public/atom/user/16712724397688793161/state/com.google/broadcast
OWASP Podcast: http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012
OWASP TV: http://www.owasp.tv
OWASP Top 10 Critical Vulnerabilities - 2010
www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
A lot more than the OWASP Top 10
OWASP .NET Project, OWASP ASDR Project, OWASP AntiSamy Project, OWASP AppSec FAQ Project, OWASP Application Security Assessment Standards Project, OWASP Application Security Metrics Project, OWASP Application Security Requirements Project, OWASP CAL9000 Project, OWASP CLASP Project, OWASP CSRFGuard Project, OWASP CSRFTester Project, OWASP Career Development Project, OWASP Certification Criteria Project, OWASP Certification Project, OWASP Code Review Project, OWASP Communications Project, OWASP DirBuster Project, OWASP Education Project, OWASP Encoding Project, OWASP Enterprise Security API, OWASP Flash Security Project, OWASP Guide Project, OWASP Honeycomb Project, OWASP Insecure Web App Project, OWASP Interceptor Project, OWASP JBroFuzz, OWASP Java Project, OWASP LAPSE Project, OWASP Legal Project, OWASP Live CD Project, OWASP Logging Project, OWASP Orizon Project, OWASP PHP Project, OWASP Pantera Web Assessment Studio Project, OWASP SASAP Project, OWASP SQLiX Project, OWASP SWAAT Project, OWASP Sprajax Project, OWASP Testing Project, OWASP Tools Project, OWASP Top Ten Project, OWASP Validation Project, OWASP WASS Project, OWASP WSFuzzer Project, OWASP Web Services Security Project, OWASP WebGoat Project, OWASP WebScarab Project, OWASP XML Security Gateway Evaluation Criteria Project, OWASP on the Move Project
What Does Membership Do For OWASP?
• Funds OWASP speakers via OWASP On the Move
• Funds Season of Code projects
• Helps support local chapters: a portion of your membership fees helps fund your local chapter
Individual Members
Cost: $50/year
First-time members get a membership pack: membership card and certificate, OWASP DVD, OWASP t-shirt, OWASP tote bag, pen
10% discount on OWASP conferences
Organizational Supporters
Cost: $5000/year
• Logo on OWASP website
• Online job postings on OWASP website
• Invitation to special OWASP events such as Industry Outreach
• Two complimentary attendees to the OWASP annual Summit
• Employees get 10% discount on OWASP conferences
• Onsite OWASP briefing