2014 06-05-mozilla-afup

Published on: OWASP / AFUP meeting of 5 June 2014
Published in: Technologies
Transcript of "2014 06-05-mozilla-afup"

  1. AFUP / MOZILLA / OWASP Meeting @Mozilla Paris, 5th June 2014. Sébastien Gioria, Sebastien.Gioria@owasp.org, Chapter Leader & Evangelist, OWASP France. "OWASP, the Life, the Universe and the ElePHPhants"
  2. (title image slide)
  3. http://www.google.fr/#q=sebastien gioria
     ‣ OWASP France Leader & Founder & Evangelist
     ‣ Innovation and Technology @Advens && Application Security Expert. Twitter: @SPoint / @OWASP_France
     ‣ Application Security group leader for the CLUSIF
     ‣ Proud father of young kids trying to hack my digital life.
  4. Agenda
     • Application Security:
       – where we are (no bullshit)
       – where we are (hopefully) going?
     • Open Web Application Security Project?
     • Major projects you can use
  5. Why Application Security?
  6. Why Application Security? "Your Application has been Hacked"
  7. Same slide, adds the answer: YES
  8. Same slide, adds the answer: NO
  9. Same slide, adds: "Your Application will be Hacked ;)"
  10. Same slide, adds the answer: YES
  11. Same slide, adds the answer: NO
  12. Same slide, adds: "Let me take you on the right way"
  13. Same slide, adds: "My Application will be hacked!"
  14. Same slide, adds: "Next Step"
  15. First form in PHP
  16. First form in PHP
  17. First form in PHP

```php
<?php
  // Feedback form handler as shown on the slide: request values go
  // straight into the mail headers and nothing is validated.
  $email   = $_REQUEST['email'];
  $message = $_REQUEST['message'];

  mail("yourname@example.com", "Feedback Form Results",
       $message, "From: $email");
  header("Location: http://www.example.com/thankyou.html");
?>
```
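The form above copies a request value into a mail header and sends the message without any check. Added example, not from the slides: a hardened handler for the same form that validates the address, keeps the From header fixed and only reads POST input. The constants, the feedback@example.com sender and the function name are assumptions.

```php
<?php
// Added example (not from the slides): hardened feedback form handler.
// Assumes PHP >= 7.1 and no external libraries.
declare(strict_types=1);

const FEEDBACK_RECIPIENT = 'yourname@example.com';   // fixed, never user-controlled
const THANKYOU_URL       = 'http://www.example.com/thankyou.html';

// Returns [to, subject, body, headers] or null when the input is rejected.
function build_feedback_mail(array $post): ?array
{
    $email   = (string) ($post['email']   ?? '');
    $message = (string) ($post['message'] ?? '');

    // 1. A syntactically valid address cannot contain CR/LF, which is what
    //    makes the slide's form abusable; the explicit check is belt and braces.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\r\n]/', $email)) {
        return null;
    }
    // 2. Bound the body and keep it plain text.
    if ($message === '' || strlen($message) > 4000) {
        return null;
    }
    $message = str_replace("\0", '', $message);

    // 3. From is our own address; the user's address goes in Reply-To, so the
    //    mail server never sends on behalf of an arbitrary sender.
    $headers = "From: feedback@example.com\r\n"
             . "Reply-To: $email\r\n"
             . "Content-Type: text/plain; charset=UTF-8";

    return [FEEDBACK_RECIPIENT, 'Feedback Form Results', $message, $headers];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {   // $_POST only: no GET or cookie sources
    $mail = build_feedback_mail($_POST);
    if ($mail === null) {
        http_response_code(400);
        exit('Invalid form input.');
    }
    mail(...$mail);
    header('Location: ' . THANKYOU_URL, true, 303);
    exit;
}
```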
  18. (image slide)
  19. (image slide)
  20. (image slide)
  21. How to create a login page in PHP and MySQL
  22. (image slide)
  23. Login page code as shown on the slide:

```php
<?php
define('DB_HOST', 'localhost');
define('DB_NAME', 'practice');
define('DB_USER', 'root');
define('DB_PASSWORD', '');

$con = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error());
$db  = mysql_select_db(DB_NAME, $con) or die("Failed to connect to MySQL: " . mysql_error());
/* $ID = $_POST['user']; $Password = $_POST['pass']; */

function SignIn() {
    session_start(); // starting the session for user profile page
    if (!empty($_POST['user'])) // checking the 'user' name which is from Sign-In.html, is it empty or has some text
    {
        // Request values are interpolated straight into the SQL string.
        $query = mysql_query("SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysql_error());
        $row = mysql_fetch_array($query) or die(mysql_error());
        if (!empty($row['userName']) AND !empty($row['pass']))
        {
            $_SESSION['userName'] = $row['pass'];
            echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
        } else {
            echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
        }
    }
}

if (isset($_POST['submit']))
{
    SignIn();
}
?>
```
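The login above builds its SQL from raw $_POST values, compares passwords stored in clear text and keeps the password in the session. Added example, not from the slides: the same login using PDO prepared statements and password_hash()/password_verify(). The users table layout, the app_user database account and the DB_PASSWORD environment variable are assumptions.

```php
<?php
// Added example (not from the slides): the login rewritten with PDO prepared
// statements and password_hash()/password_verify(). Assumes PHP >= 7.1, a
// 'users' table (id, username, password_hash) and an 'app_user' DB account
// whose password comes from the DB_PASSWORD environment variable.
declare(strict_types=1);

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=practice;charset=utf8mb4',
        'app_user', getenv('DB_PASSWORD') ?: '',          // least privilege, no root
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]             // real server-side prepares
    );
}

// Returns the user id on success, null otherwise. The username is bound as a
// parameter, so MySQL treats it as data and never as part of the SQL text.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: verify against a dummy hash anyway so that response time
    // does not reveal whether the account exists.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row['password_hash'] ?? $dummy);

    return ($row !== false && $ok) ? (int) $row['id'] : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();
    $id = authenticate(db(), (string) ($_POST['user'] ?? ''), (string) ($_POST['pass'] ?? ''));
    if ($id === null) {
        http_response_code(401);
        exit('Invalid username or password.');   // same message for both failure cases
    }
    session_regenerate_id(true);   // fresh session id after login (session fixation)
    $_SESSION['user_id'] = $id;    // store an identifier, never the password or its hash
    echo 'Logged in.';
}
```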
  24. (image slide)
  25. (image slide)
  26. (image slide)
  27. Game Over....
     • Do you have a VoIP phone?
     • Do you have an IP router / broadband box?
     • Do you have a smartphone?
     • Do you have customers / partners over the Internet?
  28. Anything else?
  29. We are living in a Digital environment, in a Connected World
     v Most websites are vulnerable to attacks
     v A large share of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...)
     Why Application Security? Age of Antivirus → Age of Network Security → Age of Application Security
  30. (chart slide) (c) Verizon 2014
  31. (chart slide) (c) Verizon 2014
  32. (chart slide) (c) Verizon 2014
  33. (chart slide) (c) Verizon 2014
  34. Who wins? (c) WhiteHatSecurity 2013
  35. Vulnerabilities? (c) WhiteHatSecurity 2013
  36. What is OWASP: Mission Driven. Nonprofit | World Wide | Unbiased. OWASP does not endorse or recommend commercial products or services.
  37. What is OWASP: Community Driven. 30,000 mailing list participants; 200 active chapters in 70 countries; 1600+ members, 56 corporate supporters.
  38. Around the World: 200 chapters, 1 600+ members, 20 000+ Builders, Breakers and Defenders.
  39. What is OWASP: Quality Resources. 200+ projects; 15,000+ downloads of tools and documentation.
  40. Quality Resources (pie chart): Documentation / Tools / Code, shares of 50% / 10% / 40%
  41. Security Lifecycle
  42. Security Resources
  43. NEWS, A BLOG, A PODCAST, MEMBERSHIPS, MAILING LISTS, A NEWSLETTER, APPLE APP STORE, VIDEO TUTORIALS, TRAINING SESSIONS, SOCIAL NETWORKING
  44. OWASP Projects
  45. OWASP Top 10 2013
     A1: Injection
     A2: Broken Authentication and Session Management
     A3: Cross-Site Scripting (XSS)
     A4: Insecure Direct Object References
     A5: Security Misconfiguration
     A6: Sensitive Data Exposure
     A7: Missing Function Level Access Control
     A8: Cross-Site Request Forgery (CSRF)
     A9: Using Components with Known Vulnerabilities
     A10: Unvalidated Redirects and Forwards
  46. Same slide, with a note on A6: formerly A9 (insecure transport) + A7 (crypto storage)
  47. Same slide as 46
  48. Cheat Sheets
     Developer Cheat Sheets:
     § PHP Security Cheat Sheet
     § OWASP Top Ten Cheat Sheet
     § Authentication Cheat Sheet
     § Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
     § Cryptographic Storage Cheat Sheet
     § Input Validation Cheat Sheet
     § XSS (Cross Site Scripting) Prevention Cheat Sheet
     § DOM based XSS Prevention Cheat Sheet
     § Forgot Password Cheat Sheet
     § Query Parameterization Cheat Sheet
     § SQL Injection Prevention Cheat Sheet
     § Session Management Cheat Sheet
     § HTML5 Security Cheat Sheet
     § Transport Layer Protection Cheat Sheet
     § Web Service Security Cheat Sheet
     § Logging Cheat Sheet
     § JAAS Cheat Sheet
     Mobile Cheat Sheets:
     § IOS Developer Cheat Sheet
     § Mobile Jailbreaking Cheat Sheet
     Draft Cheat Sheets:
     § Access Control Cheat Sheet
     § REST Security Cheat Sheet
     § Abridged XSS Prevention Cheat Sheet
     § Password Storage Cheat Sheet
     § Secure Coding Cheat Sheet
     § Threat Modeling Cheat Sheet
     § Clickjacking Cheat Sheet
     § Virtual Patching Cheat Sheet
     § Secure SDLC Cheat Sheet
     § Web Application Security Testing Cheat Sheet
     § Application Security Architecture Cheat Sheet
  49. Enterprise Security API. Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org. Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API. PHP Version: https://code.google.com/p/owasp-esapi-php/
  50. OWASP PHP Security Project. Project Leader: Abbas Naderi, Abbas.Naderi@owasp.org. Purpose: OWASP PHP Security Project is an effort by a group of PHP developers in securing PHP web applications, using a collection of decoupled flexible secure PHP libraries, as well as a collection of PHP tools. https://www.owasp.org/index.php/OWASP_PHP_Security_Project
  51. Guides
     Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services
     Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls
     Testing Guide: understand the what, why, when, where, and how of testing web applications
     https://www.owasp.org/index.php/Category:OWASP_Guide_Project
     https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
     https://www.owasp.org/index.php/Category:OWASP_Testing_Project
  52. Zed Attack Proxy. Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com. Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications. Last Release: ZAP 2.3.1 (21 May 2014). https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  53. The OWASP Secure Software Contract Annex. Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered. CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to. OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed. https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
  54. Dates
     • RSSIA Bordeaux: 20 June
       – HeartBleed revisited
     • AppSec Europe 2014 - Cambridge
     • Java User Group Lille & Paris
       – Secure Coding for Java, at the start of the 2014 autumn season
     • Club 27001 / Paris - 25 September 2014
       – Presentation of the ISO 27034 standard
  55. Supporting OWASP
     • Different options:
       – Individual member: $50
       – Corporate member: $5000
       – Free donation
     • Supporting the France chapter only:
       – Single Meeting supporter
         • Offer us a meeting room!
         • Take part with a talk or otherwise!
         • Simple donation
       – Local Chapter supporter:
         • $500 to $2000
  56. License. @SPoint, sebastien.gioria@owasp.org