Introduzione all’OWASP-Day III Matteo Meucci OWASP-Italy Chair CEO Minded Security

Who am I? Research Work OWASP-Italy Chair OWASP Testing Guide Lead CEO @ Minded Security Application Security Consulting 8+ years on Information Security focusing on Application Security

OWASP-Day III: Research meets Industry Oggi vorremmo discutere di a che punto siamo con la ricerca e come viene adottatta dall’industria, dalle aziende

OWASP Day III: Research "Trusted Computing: tecnologia ed applicazione alla protezione del web" Prof. Antonio Lioy - Politecnico di Torino 12.15h "A Software Security Maturity Model“ (ENG) Brian Chess - Chief Scientist at Fortify Software 14.00h "Http Parameter Injection" Stefano Di Paola - CTO Minded Security 14.30h "SHIELDS: metrics, tools and Internet services to improve security in application developments" D.Rotondi, A.Bagnato, E.Coscia, C.Rubattino - TXT e-solutions Spa 15.00h “Secure Code Review: dalla teoria alla pratica" Antonio Parata - Security Consultant Emaze Networks 16.00h “Automatic Generation of Test Cases for Web Application Security: a Software Engineering Perspective" Prof. Corrado Aaron Visaggio - Università del Sannio

OWASP Day III: Industry 11.00h "L'implementazione di un modello di sicurezza in ambito bancario: l'esperienza di ABN AMRO" Manuele Cavallari - Responsabile IT Security Office - Consorzio Operativo Gruppo MPS 11.30h "Analisi forense dopo un cyber attack" Ass. Davide Gabrini - Analista forense presso il Compartimento Polizia Postale e delle Comunicazioni di Milano 16.30h "Harden your Java Components!“ (ENG) Pierre Parrend - SE FZI Karlsruhe

Round Table 17.00h Round table:“La ricerca nella Web Application Security, qual’ è lo stato dell’arte? Quali progetti/iniziative per aiutare le aziende a creare applicazioni più sicure e a difendersi da nuove forme di attacchi? Cosa sta facendo l’Università in tal senso? Quanto sono vicini il mondo aziendale al mondo accademico?” Panelist: Danilo Caivano - Università di Bari, Corrado Aaron Visaggio - Università del Sannio, Giorgio Fedon - COO Minded Security

La partecipazione ad OWASP è aperta a tutti The Open Web Application Security Project (OWASP) è un progetto opens source dedicato a sviluppare tool , metodologie e linee guida per la Web Application Security. La partecipazione ad OWASP è aperta a tutti Tutto è free e accessibile dal sito www.owasp.org Migliaia di membri attivi in tutto il mondo, 100+ local chapters Millions of hits on www.owasp.org Centinaia di aziende che adottano la documentazione OWASP The OWASP Foundation is the not for profit (501c3) entity that provides the infrastructure for the OWASP community. The Foundation provides our servers and bandwidth, facilitates projects and chapters, and manages the worldwide OWASP Application Security Conferences. The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. The OWASP Foundation is a non-profit organization that ensures the ongoing availability and support for our work. What makes OWASP unique is that it makes it possible for everybody to collaborate and share thoughts which will allow both the community and the project itself to improve constantly. Everything here is free and our tools and documents are open source. Our main objectives are: producing tools, standards and documentation related to Web Application Security. Currently we have more than 100 local chapters in the world and thousands active members.

La comunità OWASP Thousand of individual members, More the 100 local chapters. Millions of hits on www.owasp.org at month. Defense Information Systems Agency (DISA) , US Federal Trade Commission (FTC), VISA, Mastercard, American Express hanno adottato la documentazione OWASP nei loro standard e linee guida

What are the OWASP projects?

Principali progetti OWASP BOOKS Owasp top10 Building guide Code review guide Testing guide TOOLS WebGoat WebScarab SQLMap – SQL Ninja SWF Intruder Orizon Code Crawler

OWASP & PCI v1.2

OWASP Goals: migliorare la qualità e il supporto Define Criteria for Quality Levels Alpha, Beta, Release Encourage Increased Quality Through Season of Code Funding and Support Produce Professional OWASP books Provide Support Full time executive director (Kate Hartmann) Full time project manager (Paulo Coimbra) Half time technical editor (Kirsten Sitnick) Half time financial support (Alison Shrader)

OWASP-Italy e la ricerca OWASP Italy nasce nel Gennaio 2005 Raccoglie centinaia di persone appassionate alla Web Application Security Obiettivi Organizzazione conferenze Scrittura articoli Sviluppo tool Sviluppo documentazione e linee guida La ricerca come base per l’industria Mai come nell’application security si ha un’esigenza di ricerca per lo sviluppo di attività di innovazione

OWASP-Italy tools: Orizon This project born in 2006 in order to provide a framework to all Owasp projects developing code review services. The project is in a quite stable stage and it is usable for Java static code review and some dynamic tests against XSS. Owasp Orizon includes also APIs for code crawling, usable for code crawling tools.

OWASP-Italy tools: SWF Intruder

OWASP-Italy tools: SQLMap sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.. Changes Some of the new features include: Major enhancement to get list of targets to test from Burp proxy requests log file path or WebScarab proxy ‘conversations/’ folder path with option -l; Major enhancement to support Partial UNION query SQL injection technique; Major enhancement to test if the web application technology sup ports stacked queries (multiple statements) by providing option –stacked-test which will be then used someday also by takeover functionality; Major enhancement to test if the injectable parameter is affected by a time based blind SQL injection technique by providing option –time-test; Major bug fix to correctly enumerate columns on Microsoft SQL Server; Major bug fix so that when the user provide a SELECT statement to be processed with an asterisk as columns, now it also work if in the FROM there is no database name specified;

OWASP-Italy tools: SQL Ninja Sqlninja è sviluppato in PERL da Alberto Revelli (aka Icesurfer). Tool che sfrutta SQL Injection per MS SQL Server. Non individua SQL Injection, ma si focalizza nel creare una shell interattiva sul DB remoto e sfruttare questa per avere una “base” nella rete target. Fingerprint del SQL Server Bruteforce della password dell’utente 'sa' Privilege escalation to 'sa' Creazione di custom xp_cmdshell Upload di file eseguibili DNS tunneled pseudoshell, when no ports are available for a bindshell E molto altro… Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB Server authentication mode) Bruteforce of the 'sa' password Privilege escalation to 'sa' Creation of a custom xp_cmdshell if the original one has been disabled Upload of executables Reverse scan in order to look for a port that can be used for a reverse shell Direct and reverse shell, both TCP and UDP DNS tunneled pseudoshell, when no ports are available for a bindshell Metasploit wrapping, when you want to use Meterpreter or even want to get GUI access on the remote DB server All of the above can be done with obfuscated SQL code, in order to confuse IDS/IPS systems

OWASP Italy Project: Anti-Malware La diffusione di Malware risulta in continuo aumento. Nel solo anno 2008 su Internet si sono contati circa 15 milioni di malware. Banking Malware: sempre più sofisticati. Si aggiornano in base al paese e alle configurazioni del server su cui si installano. Obiettivi: Descrivere i comuni problemi di sicurezza nel design per la protezione di siti di banking Fornire best-practice che dovrebbero essere considerate per realizzare soluzioni antimalware

OWASP Italy Project: Testing Guide Testing Guide was growing faster from v1.1 to v2 and the project become more and more complex We use the wiki model to add new contributes and at the end of the project we publish it in PDF format

OWASP Testing Guide v3: roadmap 26th April 2008: start the new project OWASP Leaders brainstorming Call for participation: 21 authors Index brainstorming Discuss the article content 20th May 2008: New draft Index 1st June 2008: Let's start writing! 27th August 2008: started the reviewing phase: 4 Reviewers October 2008: Review all the Guide December 2008: published the new version of the OWASP Testing Guide: http://www.owasp.org/index.php/OWASP_Testing_Project (347pages +80!)

Web Application Penetration Testing Che cos’è un Web Application Penetration Testing? É un processo che prevede un’analisi dell’applicazione al fine di identificare ogni debolezza o vulnerabilità nei controlli di sicurezza implementati E’ un’analisi Black Box (non conosciamo il funzionamento dell’applicazione ed il codice) Metodologia + tools (OWASP WebScarab, SQLMap,...) Il nostro approccio nello scrivere la guida: Open Collaborattivo We have just described the Testing Framework: now we are going to take a deeper look at the OWASP Web Application Penetration testing methodology Firstly we have to define what a Web Application Penetration Testing is In general, a penetration test is a method of evaluating the security of a computer system or network by simulating an attack. A Web Application Penetration Test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws or vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. Our approach in writing this guide The OWASP approach is Open and Collaborative: Open: every security expert can participate with his experience in the project. Everything is free. Collaborative: we usually perform brainstorming before the articles are written. So we can share our ideas and develop a collective vision of the project. That means rough consensus, wider audience and participation. This approach tends to create a defined Testing Methodology that will be: Consistent Reproducible Under quality control We think that it’s important to use a method to test all the known vulnerabilities and document all the pen test activities. So, what is the OWASP testing methodology? Penetration testing will never be an exact science where a complete list of all possible issues that should be tested can be defined. Indeed, penetration testing is only an appropriate technique for testing the security of web applications under certain circumstances. The goal is to collect all the possible testing techniques, explain them and keep the guide updated.

OWASP Testing Guide v3 Descrive la metodologia OWASP per testare un applicativo web 347 pagine, 66 controlli Approccio della metodologia: Definita Consistente Ripetibile Di qualità Bandiera italiana SANS Top 20 2007 NIST “Technical Guide to Information Security Testing (Draft)” Cita la Testing Guide come referenza per il testing

What’s new in v3? V2 8 sub-categories (for a total amount of 48 controls) V3 10 sub-categories (for a total amount of 66 controls) 36 new articles! Information Gathering Business Logic Testing Authentication Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing Information Gathering Config. Management Testing Business Logic Testing Authentication Testing Authorization Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing Encoded Appendix The Guide Contents A series of articles on the most common web application security problems Some process information, but not much… Here you can see all the Testing Guide categories of test The world desperately needs a body of knowledge on application security. One important piece of this body of knowledge is about application security testing.

Testing paragraph template Brief Summary Describe in "natural language" what we want to test. The target of this section is non-technical people (e.g.: client executive) Description of the Issue Short Description of the Issue: Topic and Explanation Black Box testing and example How to test for vulnerabilities: Result Expected: ... Gray Box testing and example References Whitepapers Tools esempio di come da ricerca a industria Example

Come può aiutare la guida nel campo della security industry? Approccio strutturato alle attività di Testing Checklist da seguire A learning and training tool Tester Strumento per capire cosa viene testato, le vulnerabilità ed il loro impatta sull’applicazionei Un modo per controllare la qualità dell’azienda che verifica la sicurezza Cliente La Testing Guide rappresenta una metodologia che è divenuta standard a livello internazionale e richiesta dalla maggioranza delle aziende Security =! Black Art

SDLC & OWASP Before SDLC Define&Design Development Deploy&Maintenance OWASP Framework Guidelines Building Guide Code Review Guide Testing Guide Cosa fornisce OWASP per le aziende? Tool e metodologie In questo caso la ricerca produce risorse disponibili e utilizzate dalle aziende TLC It, Vodafone, Banche Consorzio Monte Paschi,società di sviluppo sw, Ministeri OWASP Top10 Web Goat .NET CSRFGuard ESAPI Orizon LAPSE WebScarab SWF Intruder SQLNinja SQLMap Pantera

Grazie!   Matteo Meucci matteo.meucci@owasp.org