1. AFUP / MOZILLA / OWASP Meeting @Mozilla Paris, 5th June 2014
Sébastien Gioria
Sebastien.Gioria@owasp.org
Chapter Leader & Evangelist, OWASP France
OWASP, the Life, the Universe and the ElePHPhants
3. http://www.google.fr/#q=sebastien gioria
‣ OWASP France Leader & Founder & Evangelist
‣ Innovation and Technology @Advens && Application Security Expert
Twitter: @SPoint / @OWASP_France
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life.
4. Agenda
• Application Security:
  – where we are (no bullshit)
  – where we are (hopefully) going?
• Open Web Application Security Project?
• Major projects you can use
9. Why Application Security?
(decision flowchart, built up across slides 9 to 14; nodes recovered from the slide text)
Your Application will be Hacked ;) : YES / NO
Your Application has been Hacked : YES / NO
→ "My Application will be hacked!"
→ Let Me take you on the right way
→ Next Step
27. Game Over....
• Do you have a VoIP phone?
• Do you have an IP router / broadband box?
• Do you have a smartphone?
• Do you have customers / partners over the Internet?
29. We are living in a Digital environment, in a Connected World
• Most websites are vulnerable to attacks
• An important share of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...)
Why Application Security?
Age of Antivirus → Age of Network Security → Age of Application Security
45. OWASP Top 10 2013
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure (merges the 2010 edition's A9, Insufficient Transport Layer Protection, and A7, Insecure Cryptographic Storage)
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
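Added example, not part of the slides or of any OWASP project: the A1 (Injection) entry above, shown as a vulnerable PHP query beside its hardened form. The table, rows and the attacker-controlled input are constructed for illustration; the script assumes PHP with the pdo_sqlite extension so that it runs offline against an in-memory database.

```php
<?php
// Added example (not from the slides): OWASP Top 10 2013 A1 Injection in PHP.
// Assumes the pdo_sqlite extension; the schema, rows and attacker input below
// are constructed for this illustration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (login, role) VALUES ('alice', 'user'), ('bob', 'admin')");

// Vulnerable: the untrusted value is concatenated into the SQL text, so the
// attacker controls part of the query structure, not just a data value.
function findUserVulnerable(PDO $pdo, string $login): array
{
    $sql = "SELECT login, role FROM users WHERE login = '" . $login . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement fixes the query structure before the value
// is supplied; the bound parameter is always treated as data.
function findUserSafe(PDO $pdo, string $login): array
{
    $stmt = $pdo->prepare('SELECT login, role FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal and appends a tautology,
// turning the WHERE clause into  login = 'x' OR '1'='1'.
$attack = "x' OR '1'='1";

$leaked = findUserVulnerable($pdo, $attack); // every row comes back, the admin included
$safe   = findUserSafe($pdo, $attack);       // no row has a login literally equal to the payload

printf("vulnerable query returned %d row(s)\n", count($leaked));
printf("hardened query returned %d row(s)\n", count($safe));
```

The hardened version needs no escaping of the input: the parameter never becomes part of the SQL text, which is the property that escaping-based fixes (addslashes, hand-rolled quoting) only approximate.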
49. Enterprise Security API
Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org
Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
PHP Version: https://code.google.com/p/owasp-esapi-php/
50. OWASP PHP Security Project
Project Leader: Abbas Naderi, Abbas.Naderi@owasp.org
Purpose: The OWASP PHP Security Project is an effort by a group of PHP developers to secure PHP web applications, using a collection of decoupled, flexible, secure PHP libraries, as well as a collection of PHP tools.
https://www.owasp.org/index.php/OWASP_PHP_Security_Project
51. Guides
Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services
Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls
Testing Guide: understand the what, why, when, where, and how of testing web applications
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
52. Zed Attack Proxy
Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com
Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications.
Last Release: ZAP 2.3.1 (21 May 2014)
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
53. The OWASP Secure Software Contract Annex
Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered.
CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to.
OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed.
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
54. Dates
• RSSIA Bordeaux: 20 June – HeartBleed revisited
• AppSec Europe 2014 - Cambridge:
• Java User Group Lille & Paris – Secure Coding for Java, after the summer break 2014
• Club 27001 / Paris - 25 September 2014 – Presentation of the ISO 27034 standard
55. Supporting OWASP
• Different options:
  – Individual member: $50
  – Corporate member: $5000
  – Free donation
• Supporting only the France chapter:
  – Single Meeting supporter
    • Offer us a meeting room!
    • Take part with a talk or something else!
    • Simple donation
  – Local Chapter supporter: $500 to $2000