![Page 1: OWASP Beyond the Top 10 · 2020. 1. 17. · Toronto, ON – 2013-07-10 OWASP – Beyond the Top 10 André Rochefort TELUS Security Assessment Services Sr. Consultant andre.rochefort@telus.com](https://reader036.vdocuments.site/reader036/viewer/2022071107/5fe219a608b91c3b94210465/html5/thumbnails/1.jpg)
The OWASP Foundation http://www.owasp.org
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP AppSec Toronto, ON – 2013-07-10
OWASP – Beyond the Top 10
André Rochefort TELUS Security Assessment Services
Sr. Consultant
“All programmers are playwrights and all computers are lousy actors.” (unknown)
What is this about?
OWASP Present & Future Solutions:
• Flagship Projects
• Labs Projects
• Incubator Projects
Communities
Target Audiences
1) Students* and AppSec neophytes
• The ones eager to learn
2) Developers and IT Security Administrators
• The ones anxious to defend
3) AppSec Professionals & Community
• The ones making all the noise
Why?
• Raise awareness
• Call to Arms / Engage
• Sharpen those soft skills
“No man is exempt from saying silly things; the mischief is to say them deliberately.” - Michel de Montaigne
WebAppSec Resources vs. Backlog
The Top 10 (and other news)
Recent OWASP News
• The 2013 WebAppSec Top 10 Launched
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• Source Code Analyzer Coverity joins OWASP
• http://www.coverity.com/company/press-releases/read/coverity-joins-open-web-application-security-project-owasp
• State of the Community
OWASP Top 10 2013
OWASP Top 10 2013
e.g. PRISM
e.g. Facebook Shadow Profiles
e.g. WS Amplification
Other Top 10s
- Top 10 Mobile Risks (refresh: 2013)
- Top 10 Mobile Security Controls
- Top 10 Source Code Flaws (2010)
- Top 10 Defenses
- Top 10 Cloud Risks
Also:
- Alternative classification schemes, e.g. The Seven Pernicious Kingdoms
Gartner Magic Quadrant
State of the Community
• Mark Curphey on OWASP; Seconauts, and Security Tools for Developers
• OWASP Top 10 – 9 Too Many?
• Dinis Cruz and OWASP in 2014
• http://blog.diniscruz.com/2012/11/i-wish-that-owasp-in-2014.html
• Pushing for more activity in T.O.
Top 5 Developer Fears
(from: ITworld/StackOverflow)
1. Screwing up*
2. Losing their jobs
3. No longer liking the job
4. Learning new technologies
5. Incompetent Management/Coworkers
Beyond the Top 10
The Inventory*
• Resources for WebAppSec Training
• Secure Coding Materials, APIs, SCAs
• Tools for Vulnerability Mitigation, Discovery
• Miscellany in between
The Learning Curve
OWASP Tools for WAS Education:
• Tutorials / Exercise-based Training
• Vulnerable Web Applications
• Books!
Download the PDFs free or buy hardcopies and support OWASP
OWASP WebGoat
OWASP WebGoat
• Platform variants: Java, .NET and Rails (coming), Desktop(+Top 5?)
• Mobile variants: iGoat/GoatDroid
• Content-rich; Roll-Your-Own Lessons
• Video tutorials online & downloadable
• Report Cards, Challenge Mode
OWASP Mutillidae 2
OWASP Mutillidae 2
• Includes HTML5-oriented lessons
• Plenty of content (lessons, tutorials)
• Video guides available (YouTube)
• Gamified! Keeps track of your score
• PHP, requires (L|W|M)AMP stack
OWASP Bricks
OWASP Security Shepherd
Guided Lessons
• OWASP e-Learning Project (CBT)
• OWASP Hackademic Challenges (live version: http://hackademic1.teilar.gr/)
• http://vicnum.ciphertechs.com/ (Games!)
• http://google-gruyere.appspot.com/
• http://www.hackertest.net/
• Advanced: https://www.hacking-lab.com/about/ (English language issues)
*Vulnerable Web Apps
(*intentionally!)
• OWASP Broken Web Apps (VM)
• Damn Vulnerable Web Application
• KILL ALL THE VENDOR’S SITES! (live)
• OWASP SiteGenerator (RIP)
• Build your own, then break it!
TRY TO HACK THEM ALL!
More from OWASP
• Book: WebGoat and WebScarab
• The AppSec Tutorial Series (Videos):
• https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
• Cheat Sheets
• Book: Securing WebGoat with ModSecurity
Tangent: Visualization
• Tilt (DEMO!)
• Logstalgia (DEMO!)
• glTail (video!)
• Kinectaploit (video!)
• http://secviz.org/
psDoom
Defending the Code
• Guides, Guides and More Guides
• Enterprise Security API
• AntiSAMY
• Source Code Analyzers
• Java Dependency Checker
Guides! (ick, PDFs)
• Web Application Secure Development Guide
• Code Review Guide (2.0 underway)
• Testing Guide
• Software Assurance Maturity Model (SAMM)
• Periodic Table of Vulnerabilities
• Application Security Verification Standard
Security Requirements
OWASP ASVS
Flagship Project
A standard to verify a web app’s security
Application- and lifecycle-independent
OWASP Cornucopia
d0xed
Daily Crossword
Not hard enough? RegEx Crossword
FTOMGWTF
OWASP ESAPI
• FREE Security Control Library
• Reference implementations included
• Extensible, customizable, mature*
• Support includes Java, .NET, PHP, ...
• AppSensor integration
“Good artists copy; great artists steal”
OWASP AntiSAMY
• Policy-based HTML/CSS input validator
• Support includes Java and .NET
• Sample policies available
• PHP: use HTMLPurifier instead
• Sadly, dormant.
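What a policy-based HTML/CSS validator such as AntiSamy actually does, as an added illustration that is not AntiSamy's own code: AntiSamy is a Java/.NET library driven by an XML policy file; this stand-alone Python version keeps the same idea, an allow-list policy (hypothetical, only loosely modelled on AntiSamy's sample policies) deciding which tags, attributes and URL schemes survive, with everything else dropped or escaped, and it reports what it removed much as AntiSamy's CleanResults does. The policy table, the `sanitize()` helper and the sample markup are all constructed for this example.

```python
"""Policy-based HTML sanitizer in the spirit of OWASP AntiSamy (added example,
not AntiSamy code). An allow-list policy decides which tags, attributes and
URL schemes survive; everything else is removed or escaped, and every
removal is recorded so the caller can see why the output differs.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical policy: allowed tag -> attributes allowed on that tag.
POLICY = {
    "b": set(), "i": set(), "p": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
VOID_TAGS = {"br", "img"}


class PolicySanitizer(HTMLParser):
    def __init__(self, policy):
        super().__init__(convert_charrefs=True)   # attrs and text arrive unescaped
        self.policy = policy
        self.out = []
        self.errors = []          # what was removed, like AntiSamy's CleanResults
        self.open_stack = []      # tags we emitted and still have to close
        self.skip_depth = 0       # inside <script>/<style>: drop the text too

    def _url_ok(self, value):
        # Browsers ignore tabs/newlines inside a scheme ("java\nscript:"),
        # so strip ASCII controls and spaces before looking at it.
        cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.errors.append(f"dropped <{tag}> and its content")
            return
        if self.skip_depth:
            return
        if tag not in self.policy:
            self.errors.append(f"removed tag <{tag}>")
            return                # tag goes, its text still flows through escaped
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in self.policy[tag]:
                self.errors.append(f"removed attribute {name} on <{tag}>")
                continue
            if name in URL_ATTRS and not self._url_ok(value):
                self.errors.append(f"removed unsafe URL {value!r} on <{tag}>")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.policy or tag in VOID_TAGS:
            return
        if tag in self.open_stack:
            # close everything opened after it so the output stays well-formed
            while self.open_stack:
                top = self.open_stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_stack:    # close anything the input left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(html, policy=POLICY):
    """Return (clean_html, list_of_removals) for untrusted HTML."""
    parser = PolicySanitizer(policy)
    parser.feed(html)
    parser.close()
    return parser.result(), parser.errors


if __name__ == "__main__":
    # Constructed sample of what a comment field might receive.
    tainted = ('<p onmouseover="alert(1)">Hi <b>there</b>'
               '<script>steal()</script>'
               '<a href="javascript:alert(1)" title="x">click</a>'
               '<img src="https://example.invalid/a.png" alt="a" onerror="x()">')
    clean, removed = sanitize(tainted)
    print(clean)
    for reason in removed:
        print(" -", reason)
```

The scheme check runs on the parser's already-unescaped attribute value, so `href="javascript&#58;alert(1)"` is caught as well as the literal form; the general point is that the policy is an allow-list of what may survive, never a block-list of known-bad patterns.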
OWASP YASCA
OWASP YASCA
• Yet Another Source/Static Code Analyzer
• Frontend to Lint, FindBugs, ClamAV,...
• Pattern-matching engine
• Still in active development
OWASP Code Crawler
OWASP CodeCrawler
• Static SCA supporting Java and .NET
• Last Update: April 2010 (3-person team)
• RegEx filtering; basic, configurable pattern matching
• No Data Flow validation; Windows Only
• High False Positive/False Negative potential
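The limits the CodeCrawler slide names (RegEx filtering, no data-flow validation, high false positive/false negative potential), and the pattern-matching engine on the YASCA slide before it, shown as an added example that is code from neither project: a regex-only sink matcher and a minimal straight-line taint tracker run over the same constructed PHP snippet. The snippet, the regexes and the sanitizer list are all assumptions made for this illustration.

```python
"""Why a pattern-only source code analyzer over- and under-reports
(added example, not CodeCrawler or YASCA code). The regex scanner flags
every dangerous sink call; the taint scanner follows assignments from a
source to the sink and so skips sanitized or constant arguments. Both
still miss a sink reached indirectly, which is what data-flow analysis
with a real call graph is for.
"""
import re

# Constructed PHP sample, not from any real code base (1-based line numbers).
SAMPLE = """\
$id = $_GET['id'];
$safe = intval($_GET['page']);
$alias = $id;
$r1 = mysql_query("SELECT * FROM t WHERE id=" . $alias);   // real injection via the alias
$r2 = mysql_query("SELECT * FROM t WHERE page=" . $safe);  // sanitized: regex false positive
$r3 = mysql_query("SELECT * FROM t LIMIT 10");             // constant: regex false positive
$r4 = call_user_func('mysql_query', "SELECT * FROM t WHERE id=" . $id);  // missed by both
"""

SINK_RE = re.compile(r"mysql_query\s*\(")
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);")
# Whole right-hand side is one call to a known sanitizer.
SANITIZER_RE = re.compile(r"^\s*(intval|mysql_real_escape_string)\s*\(.*\)\s*$")
VAR_RE = re.compile(r"\$\w+")


def regex_scan(code):
    """Pattern-only scan: every line calling a dangerous sink is a finding."""
    return [n for n, line in enumerate(code.splitlines(), 1) if SINK_RE.search(line)]


def taint_scan(code):
    """Minimal flow-sensitive taint tracking over straight-line code.

    A variable is tainted when assigned from a source or from a tainted
    variable, and untainted when the whole right-hand side is a sanitizer
    call. A sink is a finding only if a tainted variable reaches it.
    """
    tainted = set()
    findings = []
    for n, line in enumerate(code.splitlines(), 1):
        line = line.split("//", 1)[0]          # comments cannot introduce sources
        m = ASSIGN_RE.match(line)
        if m:
            lhs, rhs = m.group(1), m.group(2)
            rhs_vars = set(VAR_RE.findall(rhs)) - {lhs}
            if SINK_RE.search(rhs):
                if rhs_vars & tainted:
                    findings.append(n)
                continue                       # the query result itself is not tracked
            if SANITIZER_RE.match(rhs):
                tainted.discard(lhs)
            elif SOURCE_RE.search(rhs) or (rhs_vars & tainted):
                tainted.add(lhs)
            else:
                tainted.discard(lhs)           # reassigned from something clean
        elif SINK_RE.search(line) and set(VAR_RE.findall(line)) & tainted:
            findings.append(n)
    return findings


def compare(code=SAMPLE):
    """Findings (line numbers) from both scanners, for side-by-side reading."""
    return {"regex": regex_scan(code), "taint": taint_scan(code)}


if __name__ == "__main__":
    for name, lines in compare().items():
        print(f"{name:>5}: lines {lines}")
```

Line 4 is the only true positive; the regex scanner also reports lines 5 and 6, and neither scanner sees line 7 because the sink name never appears followed by a parenthesis and the toy tracker does not model calls. That gap, not the regex quality, is the "No Data Flow validation" limitation on the slide.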
Defending the Web App
ModSecurity Core Rule Set (new release July 2)
AppSensor (App-based IDS)
More WAF projects on the horizon
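What "App-based IDS" means for AppSensor, as an added example that is not AppSensor's own code: the application raises events at detection points only it can see (a request parameter the form never sends, an access-control check that failed), counts them per user in a sliding window, and responds once a threshold is crossed. The detection-point ids, thresholds, responses and the order handler are hypothetical, loosely modelled on AppSensor's request and access-control detection point families, and the request sequence is constructed.

```python
"""AppSensor-style in-application intrusion detection (added example, not
OWASP AppSensor code). Detection points fire from inside request handlers,
an engine counts events per user over a sliding window, and a threshold
maps to a response: log, warn, or lock the account.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectionPoint:
    id: str            # hypothetical ids, loosely after AppSensor's RE/ACE/IE families
    description: str
    threshold: int     # events inside the window before the response fires
    window_sec: int
    response: str      # "log", "warn" or "lock"


POINTS = {
    "RE3": DetectionPoint("RE3", "request parameter the form never sends", 3, 60, "warn"),
    "ACE1": DetectionPoint("ACE1", "object reference outside the user's scope", 2, 300, "lock"),
    "IE1": DetectionPoint("IE1", "input validation failure", 10, 60, "log"),
}


class AppSensor:
    """Per-user event counting with sliding windows and threshold responses."""

    def __init__(self, points):
        self.points = points
        self.events = defaultdict(deque)   # (user, point id) -> event timestamps
        self.locked = set()

    def add_event(self, user, point_id, now):
        """Record one event for `user`; return the response triggered or None."""
        dp = self.points[point_id]
        q = self.events[(user, point_id)]
        q.append(now)
        while q and now - q[0] > dp.window_sec:   # drop events outside the window
            q.popleft()
        if len(q) < dp.threshold:
            return None
        q.clear()                                 # one response per burst
        if dp.response == "lock":
            self.locked.add(user)
        return dp.response

    def is_locked(self, user):
        return user in self.locked


# A hypothetical "view order" handler with two detection points wired in.
EXPECTED_PARAMS = {"id", "format"}


def handle_view_order(sensor, user, params, order_owner, now):
    """Return the outcome for the request; detection happens as a side effect."""
    if sensor.is_locked(user):
        return "locked"
    for name in params:
        if name not in EXPECTED_PARAMS:       # only a tampering tool adds extra params
            sensor.add_event(user, "RE3", now)
    if order_owner != user:                   # IDOR probe: deny and record it
        sensor.add_event(user, "ACE1", now)
        return "denied"
    return "ok"


def simulate():
    """Constructed request sequence: a normal user and one probing other orders."""
    sensor = AppSensor(POINTS)
    log = [
        handle_view_order(sensor, "alice", {"id", "format"}, "alice", 0),
        handle_view_order(sensor, "mallory", {"id"}, "bob", 10),      # 1st ACE1
        handle_view_order(sensor, "mallory", {"id"}, "carol", 20),    # 2nd ACE1: lock
        handle_view_order(sensor, "mallory", {"id"}, "mallory", 30),  # even her own order
    ]
    return log, sensor


if __name__ == "__main__":
    outcomes, s = simulate()
    print(outcomes, "mallory locked:", s.is_locked("mallory"))
```

The point a WAF cannot reproduce is the ACE1 event: only the application knows that the order being requested belongs to someone else, so two such requests from one account are a strong signal even though each request on its own looks well-formed.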
Hunting for Vulnerability
• WebScarab
• Zed Attack Proxy
• JoomScan and CMS Scan
• WebSlayer with Skanda
• O2 platform
OWASP WebScarab
Classic!
OWASP Zed Attack Proxy
OWASP Mantra
Includes FireCat
OWASP OWTF
Offensive Web Testing Framework
GASP! VIDEO BREAK!
https://www.owasp.org/index.php/OWASP_OWTF
OWASP Pantera
O2 Platform
O2 Platform
Warning: Tangent
WARNING: TANGENT
• Jon McCoy @ SecTor 2012
• <video excerpt>
Swiss Army Knives
• OWASP Mantra OS (Mobile: MobiSec)
• Samurai Web Testing Framework
Alternatives:
• Kali (successor to BackTrack)
• Fedora Security Spin
Incubators and More
• iSABEL Proxy Server, NAXSI, WAF Project
• Xenotix XSS Framework vs. XSSer, X5s
• Security Tools for Developers
• Java HTML Sanitizer (released)
• S.T.I.N.G. For Security Requirements?
• VaultDB vs Scytale (DBMS crypto-proxies)
Project Gaps?
• Lots of duplication; re-inventing the wheel
• Inconsistent Quality, no unity in delivery
• No visualization projects; forensics a stub
• Fragmentation; resources spread thin
• Over-promising; under-delivering
• Solutions?
Google Summer of Code 2013
Go, Toronto, Go!
• Chapter participation appears to be on the rise
• Tremendous amount of infosec talent in the GTA and surrounding areas
• IRC? Reddit? Hackernews?
• Anyone need an opening act next time?
Thank you
“I always keep a supply of stimulant handy in case I see a snake--which I also keep handy.”
W. C. Fields (1880 - 1946)