https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=EdalciOWASP - User contributions [en]2026-04-16T01:53:00ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=68872Code Review and Static Analysis with tools2009-09-15T01:10:23Z<p>Edalci: /* Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date to be confirmed) */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, September 17th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Erik Klein)<br />
*Time: 2hours and half<br />
*Location: AOL, 22260 Pacific blvd, Sterling, VA. 20166<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, date: TBD ===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, (date to be confirmed)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 5: Customization Lab for Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 6: Tool Adoption and Deployment, September 2009 (date to be confirmed)===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=68871Code Review and Static Analysis with tools2009-09-15T01:10:03Z<p>Edalci: /* Session 3: Customization Lab for Fortify SCA, September 27th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, September 17th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Erik Klein)<br />
*Time: 2hours and half<br />
*Location: AOL, 22260 Pacific blvd, Sterling, VA. 20166<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, date: TBD ===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 5: Customization Lab for Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 6: Tool Adoption and Deployment, September 2009 (date to be confirmed)===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=68870Code Review and Static Analysis with tools2009-09-15T01:09:44Z<p>Edalci: /* Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, September 17th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Erik Klein)<br />
*Time: 2hours and half<br />
*Location: AOL, 22260 Pacific blvd, Sterling, VA. 20166<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, September 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 5: Customization Lab for Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 6: Tool Adoption and Deployment, September 2009 (date to be confirmed)===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=68869Code Review and Static Analysis with tools2009-09-15T01:07:43Z<p>Edalci: /* Session 3: Customization Lab for Fortify SCA, August 27th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, September 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 5: Customization Lab for Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 6: Tool Adoption and Deployment, September 2009 (date to be confirmed)===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=File:Owasp_SAtrack_plan.png&diff=68868File:Owasp SAtrack plan.png2009-09-15T01:05:35Z<p>Edalci: uploaded a new version of "File:Owasp SAtrack plan.png"</p>
<hr />
<div></div>Edalcihttps://wiki.owasp.org/index.php?title=File:Owasp_SAtrack_plan.png&diff=68867File:Owasp SAtrack plan.png2009-09-15T01:03:11Z<p>Edalci: uploaded a new version of "File:Owasp SAtrack plan.png"</p>
<hr />
<div></div>Edalcihttps://wiki.owasp.org/index.php?title=Virginia&diff=68866Virginia2009-09-15T00:57:46Z<p>Edalci: /* Next Meeting */</p>
<hr />
<div>==== About ====<br />
[[Image:Owasp-nova.JPG|275px|right]]The '''OWASP Washington VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge. <br />
<br />
We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.<br />
<br />
{{Chapter Template|chaptername=Virginia|extra=The chapter leader is [mailto:John.Steven@owasp.org John Steven]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-CHANGEME|emailarchives=http://lists.owasp.org/pipermail/owasp-CHANGEME}}<br />
* [http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va Click here to join local chapter mailing list]<br />
* Add August 6th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=NjNhbjFsZ3FrdXRqYzVuNW11amhsbmRqZHMgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [http://www.google.com/calendar/event?action=VIEW&eid=djRqZHZramU3bmZtdXQyMnA4aGVmcGxlMzQganN0ZXZlbkBjaWdpdGFsLmNvbQ&tok=MjEjam9obi5zdGV2ZW5Ab3dhc3Aub3JnY2ZmNDM1Nzc1YmZlNDVhMzE2NTcyNzIzMjgwNzNjZGVkZDgxYTJhYQ&ctz=America%2FNew_York&hl=en Exchange Calendar]<br />
<br />
==== Locations ====<br />
'''If you plan to attend in person:'''<br />
<br />
Directions to Booz Allen's One Dulles facility:<br />
<br />
13200 Woodland Park Road<br />
Herndon, VA 20171<br />
<br />
From Tyson's Corner:<br />
<br />
* Take LEESBURG PIKE / VA-7 WEST<br />
* Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)<br />
* Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)<br />
* Take the ramp toward CHANTILLY<br />
* Turn Left onto CENTERVILLE ROAD (at end of ramp)<br />
* Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)<br />
* End at 13200 WOODLAND PARK ROAD<br />
<br />
<br>'''If you plan to attend via Webinar:'''<br />
<br />
You can attend through [[OWASPNoVA WebEx]] <br />
<br />
==== Schedule ====<br />
Meetings are held the first thursday of the month.<br />
<br />
===== Next Meeting =====<br />
<br />
<p><br />
'''DATE''': Thursday, September 17, 2009. 6:00pm Eastern Daylight Time<BR/><br />
'''LOCATION''': 22260 Pacific blvd, Sterling, VA. 20166<BR><br />
'''TOPIC''': "Fortify 360"<BR><br />
'''SPEAKER''': Erik Klein (Fortify Software), Eric Dalci (Cigital)</p><br />
<br />
'''INSTRUCTIONS''': RSVP through [mailto:wade.woolwine@owasp.org?Subject=OWASP%20RSVP Wade Woodline] with “OWASP RSVP” in the subject.<br />
<br />
'''DESCRIPTION''':<br />
<p> We're pleased to invite you to our next week's OWASP Session (Thursday September 17th). We will be hosting a presentation, demo and hands on session of Fortify 360 (http://www.fortify.com). Fortify 360 includes Fortify SCA (Source Code Analyzer) and the Fortify 360 Server which is Fortify's solution for an enterprise deployment of SCA. The session will start with a presentation by Fortify engineers, followed by a demo and finally a hands on session where the audience will be free to install Fortify SCA on the machine and try it the SCA tool on a sample application that we will provide. The audience will also be introduced with the Fortify 360 Server and try some of the enterprise level features such as collaborative code review, metrics and so on. Bring your laptop if you want to try Fortify 360!</p><br />
<p><br />
The target audience is anyone interested in Secure Code Review with a Static Analysis tool at the desktop level and/or enterprise level. We will need to register visitors before hand...please email wade.woolwine@owasp.org for registration and confirm attendance. Pizza and refreshments will be served.</p><br />
<br />
<br />
<p><br />
'''DATE''': Thursday, September 3, 2009. 6:00pm.<BR/><br />
'''LOCATION''': 13200 Woodland Park Road Herndon, VA 20171<BR><br />
'''TOPIC''': "Conducting Application Assessment"<BR><br />
'''SPEAKER''': Jeremy Epstein, SRI</p><br />
<br />
'''INSTRUCTIONS''': RSVP through [mailto:wisseman_stan@bah.com?Subject=OWASP%20RSVP Stan Wisseman] with “OWASP RSVP” in the subject.<br />
<br />
'''DESCRIPTION''':<br />
<P>After the 2000 election, many states launched headlong into electronic<br />
voting systems to avoid the problems with "hanging chads". Once<br />
problems with those systems started appearing, many localities started<br />
moving to optical scan, which was used by a majority of US voters in<br />
the 2008 election. There are other technologies in use around the<br />
country, including lever machines, vote-by-mail, vote-by-phone, and<br />
Internet voting. What are the tradeoffs among these technologies?<br />
Particularly relevant to OWASP, what are the security issues<br />
associated with different types of equipment, and what measures do<br />
vendors of voting equipment use to try to address the security<br />
problems? Are software security problems important, or can<br />
non-technical measures protect against them? In this talk, we'll<br />
discuss a wide variety of voting technologies, and their pros and cons<br />
from both a technical and societal perspective.</p><br />
<br />
'''ABOUT THE SPEAKER''':<br />
Jeremy Epstein is Senior Computer Scientist at SRI International. His<br />
background includes more than 20 years experience in computer security<br />
research, product development, and consulting. Prior to joining SRI<br />
International, he was Principal Consultant with Cigital, and before<br />
that spent nine years as Senior Director of Product Security at<br />
Software AG, an international business software company. Within the area<br />
of voting systems, Jeremy has been involved for over<br />
five years in voting technology and advocacy, both as an employee and<br />
as an independent consultant.<br />
<br />
===== Upcoming Speakers =====<br />
<br />
If you want to present, please contact John. We're very open to hearing from all our members.<br />
Future speakers to include Gunnar Peterson and more.</p><br />
<br />
[http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York View the OWASP NoVA Chapter Calendar]<BR><br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. '''REGISTRATION IS OPEN!'''<br />
<br />
Please send an email to [mailto:John.Steven@owasp.org John Steven] with your skill level with Statis Analysis tools, your motivation and '''the dates''' that you want to sign in for. <br />
Students are required to bring their own laptop. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop<br />
<br />
=== Past meetings ===<br />
July 9th 6pm-9pm EST<br><br />
LOCATION: 13200 Woodland Park Road Herndon, VA 20171<BR><br />
TOPIC: "Ounce's 02"<BR><br />
SPEAKER(S): Dinis Cruz, OWASP, Ounce Labs.<BR><br />
PANEL: TBD<BR><br />
INSTRUCTIONS: RSVP through Stan Wisseman wisseman_stan@bah.com with “OWASP RSVP” in the subject.<BR><br />
<br />
DESCRIPTION: So what is O2?<br />
<br />
Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)<br />
<br />
Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).<br />
<br />
Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.<br />
<br />
Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)<br />
<br />
The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.<br />
<br />
* View the OWASP NoVA Chapter [http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York Calendar ]<br />
<br />
* The next meeting is '''Thursday, July 9th, 2009.''' <br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Knowledge ====<br />
<br />
The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:<br />
<br />
* Threat Modeling<br />
* [[Code Review and Static Analysis with tools]]<br />
* Penetration Testing and Dynamic Analysis tools<br />
* Monitoring/Dynamic patching (WAFs)<br />
<br />
Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:<br />
<br />
* ASVS<br />
<br />
<br />
==== Contributors and Sponsors ====<br />
<br />
'''Chapter Leader'''<br />
<br />
* [mailto:John.Steven@owasp.org John Steven], with assistance from [mailto:paco@cigital.com Paco Hope]<br />
<br />
'''Refreshment Sponsors'''<br />
<br />
[[Image:Cigital_OWASP.GIF]]<br />
<br />
'''Facility Sponsors'''<br />
<br />
[[Image:Bah-bw.JPG|215px]]<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<paypal>Northern Virginia</paypal><br />
<br />
== Past Meetings ==<br />
<br />
===June 2009===<br />
''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model''<BR><br />
Later, an interview:<br />
''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security<br />
''<BR><br />
<br />
Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups. <br />
<br />
Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group. <br />
<br />
Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]<br />
<br />
===May 2009 ===<br />
''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis''<BR><br />
Later, a panel:<br />
<UL><br />
<LI>Steven Lavenhar, Booz Allen Hamilton;<br />
<LI>Eric Dalci, Cigital Inc.<br />
</UL><br />
Panel moderated by John Steven<br />
<BR><br />
<br />
This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.<br />
<br />
Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]<br />
<br />
===April 2009 ===<br />
''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008'''<br><br />
Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk.<br><br />
<br />
Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf<br />
<br />
<br />
Later,<br />
<UL><br />
<LI>Nate Miller, Stratum Security;<br />
<LI>Jeremiah Grossman, Whitehat Security;<br />
<LI>Tom Brennan, Whitehat Security; and<br />
<LI>Wade Woolwine, AOL<br />
</UL><br />
served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.<br />
<br />
=== February 2009 ===<br />
<br />
''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''<br />
<br />
Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.<br />
<br />
This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.<br />
<br />
Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."<br />
<br />
(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )<br />
<br />
Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip| WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]<br />
<br />
''John Steven, Cigital'': '''Moving Beyond Top N Lists'''<br />
<br />
Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip| Moving Beyond Top N Lists]]<br />
<br />
<br />
Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.<br />
<br />
John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.<br />
<br />
=== January 2009 ===<br />
<br />
To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.<br />
<br />
''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''<br />
<br />
Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices. <br />
<br />
Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]<br />
<br />
''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''<br />
<br />
The primary aim of the OWASP ASVS Project is to normalize the range<br />
of coverage and level of rigor available in the market when it comes to<br />
performing application-level security verification. The goal is to<br />
create a set of commercially-workable open standards that are tailored<br />
to specific web-based technologies.<br />
<br />
Mike Boberski works at Booz Allen Hamilton. He has a background in<br />
application security and the use of cryptography by applications. He is<br />
experienced in trusted product evaluation, security-related software<br />
development and integration, and cryptomodule testing. For OWASP, he is<br />
the project lead and a co-author of the OWASP Application Security<br />
Verification Standard, the first OWASP standard.<br />
<br />
Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]<br />
<br />
=== November 2008 ===<br />
For our November 2008 meeting, we had two great presentations on software assurance and security testing.<br />
<br />
''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''<br />
<br />
Nadya's presentation will provide an update on the Software Assurance<br />
Forum efforts to establish a comprehensive framework for software<br />
assurance (SwA) and security measurement. The Framework addresses<br />
measuring achievement of SwA goals and objectives within the context of<br />
individual projects, programs, or enterprises. It targets a variety of<br />
audiences including executives, developers, vendors, suppliers, and<br />
buyers. The Framework leverages existing measurement methodologies,<br />
including Practical Software and System Measurement (PSM); CMMI Goal,<br />
Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC<br />
27004 and identifies commonalities among the methodologies to help<br />
organizations integrate SwA measurement in their overall measurement<br />
efforts cost-effectively and as seamlessly as possible, rather than<br />
establish a standalone SwA measurement effort within an organization.<br />
The presentation will provide an update on the SwA Forum Measurement<br />
Working Group work, present the current version of the Framework and underlying measures<br />
development and implementation processes, and propose example SwA<br />
measures applicable to a variety of SwA stakeholders. The presentation<br />
will update the group on the latest NIST and ISO standards on<br />
information security measurement that are being integrated into the<br />
Framework as the standards are being developed.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]<br />
<br />
''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''<br />
<br />
The Web Security Testing Cookbook (O'Reilly & Associates, October 2008)<br />
gives developers and testers the tools they need to make security<br />
testing a regular part of their development lifecycle. Its recipe style<br />
approach covers manual, exploratory testing as well automated techniques<br />
that you can make part of your unit tests or regression cycle. The<br />
recipes cover the basics like observing messages between clients and<br />
servers, to multi-phase tests that script the login and execution of web<br />
application features. This book complements many of the security texts<br />
in the market that tell you what a vulnerability is, but not how to<br />
systematically test it day in and day out. Leverage the recipes in this<br />
book to add significant security coverage to your testing without adding<br />
significant time and cost to your effort.<br />
<br />
Congratulations to Tim Bond who won an autographed copy of Paco's book.<br />
Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]<br />
<br />
=== October 2008 ===<br />
For our October 2008 meeting, we had two fascinating talks relating to forensics.<br />
<br />
''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''<br />
<br />
Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]<br />
<br />
''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''<br />
<br />
Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]<br />
<br />
==Knowledge==<br />
On the [[Knowledge]] page, you'll find links to this chapter's contributions organized by topic area.<br />
<br />
[[Category:Virginia]]<br />
[[Category:Washington, DC]]</div>Edalcihttps://wiki.owasp.org/index.php?title=Virginia&diff=68865Virginia2009-09-15T00:56:47Z<p>Edalci: /* Next Meeting */</p>
<hr />
<div>==== About ====<br />
[[Image:Owasp-nova.JPG|275px|right]]The '''OWASP Washington VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge. <br />
<br />
We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.<br />
<br />
{{Chapter Template|chaptername=Virginia|extra=The chapter leader is [mailto:John.Steven@owasp.org John Steven]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-CHANGEME|emailarchives=http://lists.owasp.org/pipermail/owasp-CHANGEME}}<br />
* [http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va Click here to join local chapter mailing list]<br />
* Add August 6th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=NjNhbjFsZ3FrdXRqYzVuNW11amhsbmRqZHMgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [http://www.google.com/calendar/event?action=VIEW&eid=djRqZHZramU3bmZtdXQyMnA4aGVmcGxlMzQganN0ZXZlbkBjaWdpdGFsLmNvbQ&tok=MjEjam9obi5zdGV2ZW5Ab3dhc3Aub3JnY2ZmNDM1Nzc1YmZlNDVhMzE2NTcyNzIzMjgwNzNjZGVkZDgxYTJhYQ&ctz=America%2FNew_York&hl=en Exchange Calendar]<br />
<br />
==== Locations ====<br />
'''If you plan to attend in person:'''<br />
<br />
Directions to Booz Allen's One Dulles facility:<br />
<br />
13200 Woodland Park Road<br />
Herndon, VA 20171<br />
<br />
From Tyson's Corner:<br />
<br />
* Take LEESBURG PIKE / VA-7 WEST<br />
* Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)<br />
* Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)<br />
* Take the ramp toward CHANTILLY<br />
* Turn Left onto CENTERVILLE ROAD (at end of ramp)<br />
* Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)<br />
* End at 13200 WOODLAND PARK ROAD<br />
<br />
<br>'''If you plan to attend via Webinar:'''<br />
<br />
You can attend through [[OWASPNoVA WebEx]] <br />
<br />
==== Schedule ====<br />
Meetings are held the first thursday of the month.<br />
<br />
===== Next Meeting =====<br />
<br />
<p><br />
'''DATE''': Thursday, September 17, 2009. 6:00pm Eastern Daylight Time<BR/><br />
'''LOCATION''': 22260 Pacific blvd, Sterling, VA. 20166<BR><br />
'''TOPIC''': "Fortify 360"<BR><br />
'''SPEAKER''': Erik Klein (Fortify Software), Eric Dalci (Cigital)</p><br />
<br />
'''INSTRUCTIONS''': RSVP through [mailto:wade.woolwine@owasp.org?Subject=OWASP%20RSVP Wade Woodline] with “OWASP RSVP” in the subject.<br />
<br />
'''DESCRIPTION''':<br />
<p> We're pleased to invite you to our next week's OWASP Session (Thursday September 17th). We will be hosting a presentation, demo and hands on session of Fortify 360 (http://www.fortify.com). Fortify 360 includes Fortify SCA (Source Code Analyzer) and the Fortify 360 Server which is Fortify's solution for an enterprise deployment of SCA. The session will start with a presentation by Fortify engineers, followed by a demo and finally a hands on session where the audience will be free to install Fortify SCA on the machine and try it the SCA tool on a sample application that we will provide. The audience will also be introduced with the Fortify 360 Server and try some of the enterprise level features such as collaborative code review, metrics and so on. Bring your laptop if you want to try Fortify 360!<br />
<br />
The target audience is anyone interested in Secure Code Review with a Static Analysis tool at the desktop level and/or enterprise level. We will need to register visitors before hand...please email wade.woolwine@owasp.org for registration and confirm attendance. Pizza and refreshments will be served.</p><br />
<br />
<br />
<p><br />
'''DATE''': Thursday, September 3, 2009. 6:00pm.<BR/><br />
'''LOCATION''': 13200 Woodland Park Road Herndon, VA 20171<BR><br />
'''TOPIC''': "Conducting Application Assessment"<BR><br />
'''SPEAKER''': Jeremy Epstein, SRI</p><br />
<br />
'''INSTRUCTIONS''': RSVP through [mailto:wisseman_stan@bah.com?Subject=OWASP%20RSVP Stan Wisseman] with “OWASP RSVP” in the subject.<br />
<br />
'''DESCRIPTION''':<br />
<P>After the 2000 election, many states launched headlong into electronic<br />
voting systems to avoid the problems with "hanging chads". Once<br />
problems with those systems started appearing, many localities started<br />
moving to optical scan, which was used by a majority of US voters in<br />
the 2008 election. There are other technologies in use around the<br />
country, including lever machines, vote-by-mail, vote-by-phone, and<br />
Internet voting. What are the tradeoffs among these technologies?<br />
Particularly relevant to OWASP, what are the security issues<br />
associated with different types of equipment, and what measures do<br />
vendors of voting equipment use to try to address the security<br />
problems? Are software security problems important, or can<br />
non-technical measures protect against them? In this talk, we'll<br />
discuss a wide variety of voting technologies, and their pros and cons<br />
from both a technical and societal perspective.</p><br />
<br />
'''ABOUT THE SPEAKER''':<br />
Jeremy Epstein is Senior Computer Scientist at SRI International. His<br />
background includes more than 20 years experience in computer security<br />
research, product development, and consulting. Prior to joining SRI<br />
International, he was Principal Consultant with Cigital, and before<br />
that spent nine years as Senior Director of Product Security at<br />
Software AG, an international business software company. Within the area<br />
of voting systems, Jeremy has been involved for over<br />
five years in voting technology and advocacy, both as an employee and<br />
as an independent consultant.<br />
<br />
===== Upcoming Speakers =====<br />
<br />
If you want to present, please contact John. We're very open to hearing from all our members.<br />
Future speakers to include Gunnar Peterson and more.</p><br />
<br />
[http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York View the OWASP NoVA Chapter Calendar]<BR><br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. '''REGISTRATION IS OPEN!'''<br />
<br />
Please send an email to [mailto:John.Steven@owasp.org John Steven] with your skill level with Statis Analysis tools, your motivation and '''the dates''' that you want to sign in for. <br />
Students are required to bring their own laptop. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop<br />
<br />
=== Past meetings ===<br />
July 9th 6pm-9pm EST<br><br />
LOCATION: 13200 Woodland Park Road Herndon, VA 20171<BR><br />
TOPIC: "Ounce's 02"<BR><br />
SPEAKER(S): Dinis Cruz, OWASP, Ounce Labs.<BR><br />
PANEL: TBD<BR><br />
INSTRUCTIONS: RSVP through Stan Wisseman wisseman_stan@bah.com with “OWASP RSVP” in the subject.<BR><br />
<br />
DESCRIPTION: So what is O2?<br />
<br />
Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)<br />
<br />
Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).<br />
<br />
Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.<br />
<br />
Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)<br />
<br />
The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.<br />
<br />
* View the OWASP NoVA Chapter [http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York Calendar ]<br />
<br />
* The next meeting is '''Thursday, July 9th, 2009.''' <br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Knowledge ====<br />
<br />
The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:<br />
<br />
* Threat Modeling<br />
* [[Code Review and Static Analysis with tools]]<br />
* Penetration Testing and Dynamic Analysis tools<br />
* Monitoring/Dynamic patching (WAFs)<br />
<br />
Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:<br />
<br />
* ASVS<br />
<br />
<br />
==== Contributors and Sponsors ====<br />
<br />
'''Chapter Leader'''<br />
<br />
* [mailto:John.Steven@owasp.org John Steven], with assistance from [mailto:paco@cigital.com Paco Hope]<br />
<br />
'''Refreshment Sponsors'''<br />
<br />
[[Image:Cigital_OWASP.GIF]]<br />
<br />
'''Facility Sponsors'''<br />
<br />
[[Image:Bah-bw.JPG|215px]]<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<paypal>Northern Virginia</paypal><br />
<br />
== Past Meetings ==<br />
<br />
===June 2009===<br />
''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model''<BR><br />
Later, an interview:<br />
''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security<br />
''<BR><br />
<br />
Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups. <br />
<br />
Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group. <br />
<br />
Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]<br />
<br />
===May 2009 ===<br />
''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis''<BR><br />
Later, a panel:<br />
<UL><br />
<LI>Steven Lavenhar, Booz Allen Hamilton;<br />
<LI>Eric Dalci, Cigital Inc.<br />
</UL><br />
Panel moderated by John Steven<br />
<BR><br />
<br />
This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.<br />
<br />
Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]<br />
<br />
===April 2009 ===<br />
''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008'''<br><br />
Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk.<br><br />
<br />
Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf<br />
<br />
<br />
Later,<br />
<UL><br />
<LI>Nate Miller, Stratum Security;<br />
<LI>Jeremiah Grossman, Whitehat Security;<br />
<LI>Tom Brennan, Whitehat Security; and<br />
<LI>Wade Woolwine, AOL<br />
</UL><br />
served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.<br />
<br />
=== February 2009 ===<br />
<br />
''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''<br />
<br />
Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.<br />
<br />
This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.<br />
<br />
Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."<br />
<br />
(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )<br />
<br />
Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip| WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]<br />
<br />
''John Steven, Cigital'': '''Moving Beyond Top N Lists'''<br />
<br />
Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip| Moving Beyond Top N Lists]]<br />
<br />
<br />
Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.<br />
<br />
John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.<br />
<br />
=== January 2009 ===<br />
<br />
To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.<br />
<br />
''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''<br />
<br />
Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices. <br />
<br />
Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]<br />
<br />
''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''<br />
<br />
The primary aim of the OWASP ASVS Project is to normalize the range<br />
of coverage and level of rigor available in the market when it comes to<br />
performing application-level security verification. The goal is to<br />
create a set of commercially-workable open standards that are tailored<br />
to specific web-based technologies.<br />
<br />
Mike Boberski works at Booz Allen Hamilton. He has a background in<br />
application security and the use of cryptography by applications. He is<br />
experienced in trusted product evaluation, security-related software<br />
development and integration, and cryptomodule testing. For OWASP, he is<br />
the project lead and a co-author of the OWASP Application Security<br />
Verification Standard, the first OWASP standard.<br />
<br />
Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]<br />
<br />
=== November 2008 ===<br />
For our November 2008 meeting, we had two great presentations on software assurance and security testing.<br />
<br />
''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''<br />
<br />
Nadya's presentation will provide an update on the Software Assurance<br />
Forum efforts to establish a comprehensive framework for software<br />
assurance (SwA) and security measurement. The Framework addresses<br />
measuring achievement of SwA goals and objectives within the context of<br />
individual projects, programs, or enterprises. It targets a variety of<br />
audiences including executives, developers, vendors, suppliers, and<br />
buyers. The Framework leverages existing measurement methodologies,<br />
including Practical Software and System Measurement (PSM); CMMI Goal,<br />
Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC<br />
27004 and identifies commonalities among the methodologies to help<br />
organizations integrate SwA measurement in their overall measurement<br />
efforts cost-effectively and as seamlessly as possible, rather than<br />
establish a standalone SwA measurement effort within an organization.<br />
The presentation will provide an update on the SwA Forum Measurement<br />
Working Group work, present the current version of the Framework and underlying measures<br />
development and implementation processes, and propose example SwA<br />
measures applicable to a variety of SwA stakeholders. The presentation<br />
will update the group on the latest NIST and ISO standards on<br />
information security measurement that are being integrated into the<br />
Framework as the standards are being developed.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]<br />
<br />
''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''<br />
<br />
The Web Security Testing Cookbook (O'Reilly & Associates, October 2008)<br />
gives developers and testers the tools they need to make security<br />
testing a regular part of their development lifecycle. Its recipe style<br />
approach covers manual, exploratory testing as well automated techniques<br />
that you can make part of your unit tests or regression cycle. The<br />
recipes cover the basics like observing messages between clients and<br />
servers, to multi-phase tests that script the login and execution of web<br />
application features. This book complements many of the security texts<br />
in the market that tell you what a vulnerability is, but not how to<br />
systematically test it day in and day out. Leverage the recipes in this<br />
book to add significant security coverage to your testing without adding<br />
significant time and cost to your effort.<br />
<br />
Congratulations to Tim Bond who won an autographed copy of Paco's book.<br />
Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]<br />
<br />
=== October 2008 ===<br />
For our October 2008 meeting, we had two fascinating talks relating to forensics.<br />
<br />
''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''<br />
<br />
Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]<br />
<br />
''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''<br />
<br />
Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]<br />
<br />
==Knowledge==<br />
On the [[Knowledge]] page, you'll find links to this chapter's contributions organized by topic area.<br />
<br />
[[Category:Virginia]]<br />
[[Category:Washington, DC]]</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=67215Code Review and Static Analysis with tools2009-08-04T18:06:07Z<p>Edalci: /* Tool license and Vendor IP */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, August 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 5: Customization Lab for Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 6: Tool Adoption and Deployment, September 2009 (date to be confirmed)===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=67214Code Review and Static Analysis with tools2009-08-04T18:05:12Z<p>Edalci: /* Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, August 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 5: Customization Lab for Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 6: Tool Adoption and Deployment, September 2009 (date to be confirmed)===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66598Code Review and Static Analysis with tools2009-07-27T00:40:33Z<p>Edalci: /* Session 6: Tool Adoption and Deployment, September 2009 (date not set) */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, August 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 5: Customization Lab for Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 6: Tool Adoption and Deployment, September 2009 (date to be confirmed)===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66597Code Review and Static Analysis with tools2009-07-27T00:40:07Z<p>Edalci: /* Session 5: Customization Lab for Ounce Lab, September 2009 (date not set) */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, August 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 5: Customization Lab for Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 6: Tool Adoption and Deployment, September 2009 (date not set)===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66596Code Review and Static Analysis with tools2009-07-27T00:39:53Z<p>Edalci: /* Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date not set) */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, August 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date to be confirmed)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 5: Customization Lab for Ounce Lab, September 2009 (date not set)===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 6: Tool Adoption and Deployment, September 2009 (date not set)===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66595Code Review and Static Analysis with tools2009-07-27T00:38:43Z<p>Edalci: /* Session 5: Tool Adoption and Deployment, September 2009 (date not set) */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, August 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date not set)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
<br />
===Session 5: Customization Lab for Ounce Lab, September 2009 (date not set)===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 6: Tool Adoption and Deployment, September 2009 (date not set)===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66594Code Review and Static Analysis with tools2009-07-27T00:36:35Z<p>Edalci: /* Session 5: Tool Adoption and Deployment, September 17th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, August 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date not set)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
<br />
===Session 5: Customization Lab for Ounce Lab, September 2009 (date not set)===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 5: Tool Adoption and Deployment, September 2009 (date not set)===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66593Code Review and Static Analysis with tools2009-07-27T00:36:19Z<p>Edalci: /* Session 5: Customization Lab for Ounce Lab, August 27th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, August 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date not set)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
<br />
===Session 5: Customization Lab for Ounce Lab, September 2009 (date not set)===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66592Code Review and Static Analysis with tools2009-07-27T00:35:49Z<p>Edalci: /* Session 4: Customization Lab (Ounce Lab), August 27th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, August 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Tool Assisted Code Reviews with Ounce Lab, September 2009 (date not set)===<br />
*Speaker: Dalci, Eric (Cigital), Ounce Lab (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Ounce Lab Static Analysis tool:<br />
* Ounce Lab will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
<br />
===Session 5: Customization Lab for Ounce Lab, August 27th 2009===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI<br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66591Code Review and Static Analysis with tools2009-07-27T00:33:43Z<p>Edalci: /* Session 3: Customization Lab (Fortify), August 27th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 3: Customization Lab for Fortify SCA, August 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66590Code Review and Static Analysis with tools2009-07-27T00:33:20Z<p>Edalci: /* Session 2: Tool Assisted Code Reviews, August 13th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews with Fortify SCA, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 3: Customization Lab (Fortify), August 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66589Code Review and Static Analysis with tools2009-07-27T00:32:40Z<p>Edalci: /* Session 3: Customization Lab (Fortify), August 13th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 3: Customization Lab (Fortify), August 27th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc.<br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66588Code Review and Static Analysis with tools2009-07-27T00:32:17Z<p>Edalci: /* Session 2: Tool Assisted Code Reviews, August 13th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to the Fortify SCA Static Analysis tool:<br />
* Fortify will demo its tool and scan Webgoat. We will have an open discussion session after the demo for students to ask questions to the vendor. After this course, student should be able to scan code by their own. Student should feel free to bring code to scan.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66587Code Review and Static Analysis with tools2009-07-27T00:28:00Z<p>Edalci: /* Session 2: Tool Assisted Code Reviews, August 6th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews, August 13th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Fortify (Mike Mauro)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: AOL, 22000 AOL Way, Dulles, VA 20166<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat. Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison. We will have an open discussion session after each demo for students to ask questions to the vendors. Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66586Code Review and Static Analysis with tools2009-07-27T00:25:47Z<p>Edalci: /* Static Analysis Curriculum */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews, August 6th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Bruce Mayhew (Ounce Lab) and Fortify (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat. Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison. We will have an open discussion session after each demo for students to ask questions to the vendors. Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=File:Owasp_SAtrack_plan.png&diff=66585File:Owasp SAtrack plan.png2009-07-27T00:25:03Z<p>Edalci: uploaded a new version of "File:Owasp SAtrack plan.png"</p>
<hr />
<div></div>Edalcihttps://wiki.owasp.org/index.php?title=Virginia&diff=66584Virginia2009-07-27T00:22:48Z<p>Edalci: /* Static Analysis Curriculum */</p>
<hr />
<div>==== About ====<br />
[[Image:Owasp-nova.JPG|275px|right]]The '''OWASP Washington VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge. <br />
<br />
We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.<br />
<br />
{{Chapter Template|chaptername=Virginia|extra=The chapter leader is [mailto:John.Steven@owasp.org John Steven]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-CHANGEME|emailarchives=http://lists.owasp.org/pipermail/owasp-CHANGEME}}<br />
* [http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va Click here to join local chapter mailing list]<br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Locations ====<br />
'''If you plan to attend in person:'''<br />
<br />
Directions to Booz Allen's One Dulles facility:<br />
<br />
13200 Woodland Park Road<br />
Herndon, VA 20171<br />
<br />
From Tyson's Corner:<br />
<br />
* Take LEESBURG PIKE / VA-7 WEST<br />
* Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)<br />
* Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)<br />
* Take the ramp toward CHANTILLY<br />
* Turn Left onto CENTERVILLE ROAD (at end of ramp)<br />
* Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)<br />
* End at 13200 WOODLAND PARK ROAD<br />
<br />
<br>'''If you plan to attend via Webinar:'''<br />
<br />
You can attend through [[OWASPNoVA WebEx]] <br />
<br />
==== Schedule ====<br />
'''Next Meeting'''<P><br />
Future speakers to include Gunnar Peterson, Dan Cornell, and more.</p><br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. '''REGISTRATION IS OPEN!'''<br />
<br />
Please send an email to [mailto:John.Steven@owasp.org John Steven] with your skill level with Statis Analysis tools, your motivation and '''the dates''' that you want to sign in for. <br />
Students are required to bring their own laptop. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop<br />
<br />
=== Past meetings ===<br />
July 9th 6pm-9pm EST<br><br />
LOCATION: 13200 Woodland Park Road Herndon, VA 20171<BR><br />
TOPIC: "Ounce's 02"<BR><br />
SPEAKER(S): Dinis Cruz, OWASP, Ounce Labs.<BR><br />
PANEL: TBD<BR><br />
INSTRUCTIONS: RSVP through Stan Wisseman wisseman_stan@bah.com with “OWASP RSVP” in the subject.<BR><br />
<br />
DESCRIPTION: So what is O2?<br />
<br />
Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)<br />
<br />
Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).<br />
<br />
Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.<br />
<br />
Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)<br />
<br />
The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.<br />
<br />
* View the OWASP NoVA Chapter [http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York Calendar ]<br />
<br />
* The next meeting is '''Thursday, July 9th, 2009.''' <br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Knowledge ====<br />
<br />
The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:<br />
<br />
* Threat Modeling<br />
* [[Code Review and Static Analysis with tools]]<br />
* Penetration Testing and Dynamic Analysis tools<br />
* Monitoring/Dynamic patching (WAFs)<br />
<br />
Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:<br />
<br />
* ASVS<br />
<br />
<br />
==== Contributors and Sponsors ====<br />
<br />
'''Chapter Leader'''<br />
<br />
* [mailto:John.Steven@owasp.org John Steven], with assistance from [mailto:paco@cigital.com Paco Hope]<br />
<br />
'''Refreshment Sponsors'''<br />
<br />
[[Image:Cigital_OWASP.GIF]]<br />
<br />
'''Facility Sponsors'''<br />
<br />
[[Image:Bah-bw.JPG|215px]]<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<paypal>Northern Virginia</paypal><br />
<br />
== Past Meetings ==<br />
<br />
===June 2009===<br />
''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model''<BR><br />
Later, an interview:<br />
''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security<br />
''<BR><br />
<br />
Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups. <br />
<br />
Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group. <br />
<br />
Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]<br />
<br />
===May 2009 ===<br />
''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis''<BR><br />
Later, a panel:<br />
<UL><br />
<LI>Steven Lavenhar, Booz Allen Hamilton;<br />
<LI>Eric Dalci, Cigital Inc.<br />
</UL><br />
Panel moderated by John Steven<br />
<BR><br />
<br />
This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.<br />
<br />
Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]<br />
<br />
===April 2009 ===<br />
''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008'''<br><br />
Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk.<br><br />
<br />
Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf<br />
<br />
<br />
Later,<br />
<UL><br />
<LI>Nate Miller, Stratum Security;<br />
<LI>Jeremiah Grossman, Whitehat Security;<br />
<LI>Tom Brennan, Whitehat Security; and<br />
<LI>Wade Woolwine, AOL<br />
</UL><br />
served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.<br />
<br />
=== February 2009 ===<br />
<br />
''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''<br />
<br />
Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.<br />
<br />
This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.<br />
<br />
Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."<br />
<br />
(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )<br />
<br />
Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip| WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]<br />
<br />
''John Steven, Cigital'': '''Moving Beyond Top N Lists'''<br />
<br />
Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip| Moving Beyond Top N Lists]]<br />
<br />
<br />
Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.<br />
<br />
John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.<br />
<br />
=== January 2009 ===<br />
<br />
To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.<br />
<br />
''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''<br />
<br />
Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices. <br />
<br />
Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]<br />
<br />
''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''<br />
<br />
The primary aim of the OWASP ASVS Project is to normalize the range<br />
of coverage and level of rigor available in the market when it comes to<br />
performing application-level security verification. The goal is to<br />
create a set of commercially-workable open standards that are tailored<br />
to specific web-based technologies.<br />
<br />
Mike Boberski works at Booz Allen Hamilton. He has a background in<br />
application security and the use of cryptography by applications. He is<br />
experienced in trusted product evaluation, security-related software<br />
development and integration, and cryptomodule testing. For OWASP, he is<br />
the project lead and a co-author of the OWASP Application Security<br />
Verification Standard, the first OWASP standard.<br />
<br />
Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]<br />
<br />
=== November 2008 ===<br />
For our November 2008 meeting, we had two great presentations on software assurance and security testing.<br />
<br />
''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''<br />
<br />
Nadya's presentation will provide an update on the Software Assurance<br />
Forum efforts to establish a comprehensive framework for software<br />
assurance (SwA) and security measurement. The Framework addresses<br />
measuring achievement of SwA goals and objectives within the context of<br />
individual projects, programs, or enterprises. It targets a variety of<br />
audiences including executives, developers, vendors, suppliers, and<br />
buyers. The Framework leverages existing measurement methodologies,<br />
including Practical Software and System Measurement (PSM); CMMI Goal,<br />
Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC<br />
27004 and identifies commonalities among the methodologies to help<br />
organizations integrate SwA measurement in their overall measurement<br />
efforts cost-effectively and as seamlessly as possible, rather than<br />
establish a standalone SwA measurement effort within an organization.<br />
The presentation will provide an update on the SwA Forum Measurement<br />
Working Group work, present the current version of the Framework and underlying measures<br />
development and implementation processes, and propose example SwA<br />
measures applicable to a variety of SwA stakeholders. The presentation<br />
will update the group on the latest NIST and ISO standards on<br />
information security measurement that are being integrated into the<br />
Framework as the standards are being developed.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]<br />
<br />
''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''<br />
<br />
The Web Security Testing Cookbook (O'Reilly & Associates, October 2008)<br />
gives developers and testers the tools they need to make security<br />
testing a regular part of their development lifecycle. Its recipe style<br />
approach covers manual, exploratory testing as well automated techniques<br />
that you can make part of your unit tests or regression cycle. The<br />
recipes cover the basics like observing messages between clients and<br />
servers, to multi-phase tests that script the login and execution of web<br />
application features. This book complements many of the security texts<br />
in the market that tell you what a vulnerability is, but not how to<br />
systematically test it day in and day out. Leverage the recipes in this<br />
book to add significant security coverage to your testing without adding<br />
significant time and cost to your effort.<br />
<br />
Congratulations to Tim Bond who won an autographed copy of Paco's book.<br />
Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]<br />
<br />
=== October 2008 ===<br />
For our October 2008 meeting, we had two fascinating talks relating to forensics.<br />
<br />
''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''<br />
<br />
Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]<br />
<br />
''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''<br />
<br />
Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]<br />
<br />
==Knowledge==<br />
On the [[Knowledge]] page, you'll find links to this chapter's contributions organized by topic area.<br />
<br />
[[Category:Virginia]]<br />
[[Category:Washington, DC]]</div>Edalcihttps://wiki.owasp.org/index.php?title=File:Owasp_SAtrack_plan.png&diff=66583File:Owasp SAtrack plan.png2009-07-27T00:22:05Z<p>Edalci: </p>
<hr />
<div></div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66509Code Review and Static Analysis with tools2009-07-24T14:45:29Z<p>Edalci: </p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owaspsa-track2.PNG|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews, August 6th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Bruce Mayhew (Ounce Lab) and Fortify (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat. Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison. We will have an open discussion session after each demo for students to ask questions to the vendors. Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Virginia&diff=66029Virginia2009-07-15T18:34:31Z<p>Edalci: /* Student’s prerequisites */</p>
<hr />
<div>==== About ====<br />
[[Image:Owasp-nova.JPG|275px|right]]The '''OWASP Washington VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge. <br />
<br />
We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.<br />
<br />
{{Chapter Template|chaptername=Virginia|extra=The chapter leader is [mailto:John.Steven@owasp.org John Steven]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-CHANGEME|emailarchives=http://lists.owasp.org/pipermail/owasp-CHANGEME}}<br />
* [http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va Click here to join local chapter mailing list]<br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Locations ====<br />
'''If you plan to attend in person:'''<br />
<br />
Directions to Booz Allen's One Dulles facility:<br />
<br />
13200 Woodland Park Road<br />
Herndon, VA 20171<br />
<br />
From Tyson's Corner:<br />
<br />
* Take LEESBURG PIKE / VA-7 WEST<br />
* Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)<br />
* Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)<br />
* Take the ramp toward CHANTILLY<br />
* Turn Left onto CENTERVILLE ROAD (at end of ramp)<br />
* Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)<br />
* End at 13200 WOODLAND PARK ROAD<br />
<br />
<br>'''If you plan to attend via Webinar:'''<br />
<br />
You can attend through [[OWASPNoVA WebEx]] <br />
<br />
==== Schedule ====<br />
'''Next Meeting'''<P><br />
Future speakers to include Gunnar Peterson, Dan Cornell, and more.</p><br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owaspsa-track2.PNG|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. '''REGISTRATION IS OPEN!'''<br />
<br />
Please send an email to [mailto:John.Steven@owasp.org John Steven] with your skill level with Statis Analysis tools, your motivation and '''the dates''' that you want to sign in for. <br />
Students are required to bring their own laptop. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop<br />
<br />
=== Past meetings ===<br />
July 9th 6pm-9pm EST<br><br />
LOCATION: 13200 Woodland Park Road Herndon, VA 20171<BR><br />
TOPIC: "Ounce's 02"<BR><br />
SPEAKER(S): Dinis Cruz, OWASP, Ounce Labs.<BR><br />
PANEL: TBD<BR><br />
INSTRUCTIONS: RSVP through Stan Wisseman wisseman_stan@bah.com with “OWASP RSVP” in the subject.<BR><br />
<br />
DESCRIPTION: So what is O2?<br />
<br />
Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)<br />
<br />
Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).<br />
<br />
Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.<br />
<br />
Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)<br />
<br />
The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.<br />
<br />
* View the OWASP NoVA Chapter [http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York Calendar ]<br />
<br />
* The next meeting is '''Thursday, July 9th, 2009.''' <br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Knowledge ====<br />
<br />
The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:<br />
<br />
* Threat Modeling<br />
* [[Code Review and Static Analysis with tools]]<br />
* Penetration Testing and Dynamic Analysis tools<br />
* Monitoring/Dynamic patching (WAFs)<br />
<br />
Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:<br />
<br />
* ASVS<br />
<br />
<br />
==== Contributors and Sponsors ====<br />
<br />
'''Chapter Leader'''<br />
<br />
* [mailto:John.Steven@owasp.org John Steven], with assistance from [mailto:paco@cigital.com Paco Hope]<br />
<br />
'''Refreshment Sponsors'''<br />
<br />
[[Image:Cigital_OWASP.GIF]]<br />
<br />
'''Facility Sponsors'''<br />
<br />
[[Image:Bah-bw.JPG|215px]]<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<paypal>Northern Virginia</paypal><br />
<br />
== Past Meetings ==<br />
<br />
===June 2009===<br />
''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model''<BR><br />
Later, an interview:<br />
''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security<br />
''<BR><br />
<br />
Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups. <br />
<br />
Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group. <br />
<br />
Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]<br />
<br />
===May 2009 ===<br />
''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis''<BR><br />
Later, a panel:<br />
<UL><br />
<LI>Steven Lavenhar, Booz Allen Hamilton;<br />
<LI>Eric Dalci, Cigital Inc.<br />
</UL><br />
Panel moderated by John Steven<br />
<BR><br />
<br />
This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.<br />
<br />
Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]<br />
<br />
===April 2009 ===<br />
''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008'''<br><br />
Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk.<br><br />
<br />
Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf<br />
<br />
<br />
Later,<br />
<UL><br />
<LI>Nate Miller, Stratum Security;<br />
<LI>Jeremiah Grossman, Whitehat Security;<br />
<LI>Tom Brennan, Whitehat Security; and<br />
<LI>Wade Woolwine, AOL<br />
</UL><br />
served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.<br />
<br />
=== February 2009 ===<br />
<br />
''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''<br />
<br />
Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.<br />
<br />
This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.<br />
<br />
Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."<br />
<br />
(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )<br />
<br />
Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip| WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]<br />
<br />
''John Steven, Cigital'': '''Moving Beyond Top N Lists'''<br />
<br />
Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip| Moving Beyond Top N Lists]]<br />
<br />
<br />
Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.<br />
<br />
John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.<br />
<br />
=== January 2009 ===<br />
<br />
To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.<br />
<br />
''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''<br />
<br />
Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices. <br />
<br />
Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]<br />
<br />
''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''<br />
<br />
The primary aim of the OWASP ASVS Project is to normalize the range<br />
of coverage and level of rigor available in the market when it comes to<br />
performing application-level security verification. The goal is to<br />
create a set of commercially-workable open standards that are tailored<br />
to specific web-based technologies.<br />
<br />
Mike Boberski works at Booz Allen Hamilton. He has a background in<br />
application security and the use of cryptography by applications. He is<br />
experienced in trusted product evaluation, security-related software<br />
development and integration, and cryptomodule testing. For OWASP, he is<br />
the project lead and a co-author of the OWASP Application Security<br />
Verification Standard, the first OWASP standard.<br />
<br />
Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]<br />
<br />
=== November 2008 ===<br />
For our November 2008 meeting, we had two great presentations on software assurance and security testing.<br />
<br />
''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''<br />
<br />
Nadya's presentation will provide an update on the Software Assurance<br />
Forum efforts to establish a comprehensive framework for software<br />
assurance (SwA) and security measurement. The Framework addresses<br />
measuring achievement of SwA goals and objectives within the context of<br />
individual projects, programs, or enterprises. It targets a variety of<br />
audiences including executives, developers, vendors, suppliers, and<br />
buyers. The Framework leverages existing measurement methodologies,<br />
including Practical Software and System Measurement (PSM); CMMI Goal,<br />
Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC<br />
27004 and identifies commonalities among the methodologies to help<br />
organizations integrate SwA measurement in their overall measurement<br />
efforts cost-effectively and as seamlessly as possible, rather than<br />
establish a standalone SwA measurement effort within an organization.<br />
The presentation will provide an update on the SwA Forum Measurement<br />
Working Group work, present the current version of the Framework and underlying measures<br />
development and implementation processes, and propose example SwA<br />
measures applicable to a variety of SwA stakeholders. The presentation<br />
will update the group on the latest NIST and ISO standards on<br />
information security measurement that are being integrated into the<br />
Framework as the standards are being developed.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]<br />
<br />
''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''<br />
<br />
The Web Security Testing Cookbook (O'Reilly & Associates, October 2008)<br />
gives developers and testers the tools they need to make security<br />
testing a regular part of their development lifecycle. Its recipe style<br />
approach covers manual, exploratory testing as well automated techniques<br />
that you can make part of your unit tests or regression cycle. The<br />
recipes cover the basics like observing messages between clients and<br />
servers, to multi-phase tests that script the login and execution of web<br />
application features. This book complements many of the security texts<br />
in the market that tell you what a vulnerability is, but not how to<br />
systematically test it day in and day out. Leverage the recipes in this<br />
book to add significant security coverage to your testing without adding<br />
significant time and cost to your effort.<br />
<br />
Congratulations to Tim Bond who won an autographed copy of Paco's book.<br />
Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]<br />
<br />
=== October 2008 ===<br />
For our October 2008 meeting, we had two fascinating talks relating to forensics.<br />
<br />
''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''<br />
<br />
Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]<br />
<br />
''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''<br />
<br />
Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]<br />
<br />
==Knowledge==<br />
On the [[Knowledge]] page, you'll find links to this chapter's contributions organized by topic area.<br />
<br />
[[Category:Virginia]]<br />
[[Category:Washington, DC]]</div>Edalcihttps://wiki.owasp.org/index.php?title=Virginia&diff=66028Virginia2009-07-15T18:32:36Z<p>Edalci: /* Registration */</p>
<hr />
<div>==== About ====<br />
[[Image:Owasp-nova.JPG|275px|right]]The '''OWASP Washington VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge. <br />
<br />
We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.<br />
<br />
{{Chapter Template|chaptername=Virginia|extra=The chapter leader is [mailto:John.Steven@owasp.org John Steven]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-CHANGEME|emailarchives=http://lists.owasp.org/pipermail/owasp-CHANGEME}}<br />
* [http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va Click here to join local chapter mailing list]<br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Locations ====<br />
'''If you plan to attend in person:'''<br />
<br />
Directions to Booz Allen's One Dulles facility:<br />
<br />
13200 Woodland Park Road<br />
Herndon, VA 20171<br />
<br />
From Tyson's Corner:<br />
<br />
* Take LEESBURG PIKE / VA-7 WEST<br />
* Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)<br />
* Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)<br />
* Take the ramp toward CHANTILLY<br />
* Turn Left onto CENTERVILLE ROAD (at end of ramp)<br />
* Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)<br />
* End at 13200 WOODLAND PARK ROAD<br />
<br />
<br>'''If you plan to attend via Webinar:'''<br />
<br />
You can attend through [[OWASPNoVA WebEx]] <br />
<br />
==== Schedule ====<br />
'''Next Meeting'''<P><br />
Future speakers to include Gunnar Peterson, Dan Cornell, and more.</p><br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owaspsa-track2.PNG|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. '''REGISTRATION IS OPEN!'''<br />
<br />
Please send an email to [mailto:John.Steven@owasp.org John Steven] with your skill level with Statis Analysis tools, your motivation and '''the dates''' that you want to sign in for. <br />
Students are required to bring their own laptop. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop<br />
<br />
<br />
July 9th 6pm-9pm EST<br><br />
LOCATION: 13200 Woodland Park Road Herndon, VA 20171<BR><br />
TOPIC: "Ounce's 02"<BR><br />
SPEAKER(S): Dinis Cruz, OWASP, Ounce Labs.<BR><br />
PANEL: TBD<BR><br />
INSTRUCTIONS: RSVP through Stan Wisseman wisseman_stan@bah.com with “OWASP RSVP” in the subject.<BR><br />
<br />
DESCRIPTION: So what is O2?<br />
<br />
Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)<br />
<br />
Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).<br />
<br />
Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.<br />
<br />
Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)<br />
<br />
The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.<br />
<br />
* View the OWASP NoVA Chapter [http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York Calendar ]<br />
<br />
* The next meeting is '''Thursday, July 9th, 2009.''' <br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Knowledge ====<br />
<br />
The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:<br />
<br />
* Threat Modeling<br />
* [[Code Review and Static Analysis with tools]]<br />
* Penetration Testing and Dynamic Analysis tools<br />
* Monitoring/Dynamic patching (WAFs)<br />
<br />
Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:<br />
<br />
* ASVS<br />
<br />
<br />
==== Contributors and Sponsors ====<br />
<br />
'''Chapter Leader'''<br />
<br />
* [mailto:John.Steven@owasp.org John Steven], with assistance from [mailto:paco@cigital.com Paco Hope]<br />
<br />
'''Refreshment Sponsors'''<br />
<br />
[[Image:Cigital_OWASP.GIF]]<br />
<br />
'''Facility Sponsors'''<br />
<br />
[[Image:Bah-bw.JPG|215px]]<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<paypal>Northern Virginia</paypal><br />
<br />
== Past Meetings ==<br />
<br />
===June 2009===<br />
''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model''<BR><br />
Later, an interview:<br />
''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security<br />
''<BR><br />
<br />
Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups. <br />
<br />
Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group. <br />
<br />
Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]<br />
<br />
===May 2009 ===<br />
''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis''<BR><br />
Later, a panel:<br />
<UL><br />
<LI>Steven Lavenhar, Booz Allen Hamilton;<br />
<LI>Eric Dalci, Cigital Inc.<br />
</UL><br />
Panel moderated by John Steven<br />
<BR><br />
<br />
This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.<br />
<br />
Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]<br />
<br />
===April 2009 ===<br />
''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008'''<br><br />
Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk.<br><br />
<br />
Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf<br />
<br />
<br />
Later,<br />
<UL><br />
<LI>Nate Miller, Stratum Security;<br />
<LI>Jeremiah Grossman, Whitehat Security;<br />
<LI>Tom Brennan, Whitehat Security; and<br />
<LI>Wade Woolwine, AOL<br />
</UL><br />
served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.<br />
<br />
=== February 2009 ===<br />
<br />
''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''<br />
<br />
Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.<br />
<br />
This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.<br />
<br />
Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."<br />
<br />
(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )<br />
<br />
Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip| WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]<br />
<br />
''John Steven, Cigital'': '''Moving Beyond Top N Lists'''<br />
<br />
Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip| Moving Beyond Top N Lists]]<br />
<br />
<br />
Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.<br />
<br />
John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.<br />
<br />
=== January 2009 ===<br />
<br />
To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.<br />
<br />
''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''<br />
<br />
Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices. <br />
<br />
Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]<br />
<br />
''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''<br />
<br />
The primary aim of the OWASP ASVS Project is to normalize the range<br />
of coverage and level of rigor available in the market when it comes to<br />
performing application-level security verification. The goal is to<br />
create a set of commercially-workable open standards that are tailored<br />
to specific web-based technologies.<br />
<br />
Mike Boberski works at Booz Allen Hamilton. He has a background in<br />
application security and the use of cryptography by applications. He is<br />
experienced in trusted product evaluation, security-related software<br />
development and integration, and cryptomodule testing. For OWASP, he is<br />
the project lead and a co-author of the OWASP Application Security<br />
Verification Standard, the first OWASP standard.<br />
<br />
Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]<br />
<br />
=== November 2008 ===<br />
For our November 2008 meeting, we had two great presentations on software assurance and security testing.<br />
<br />
''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''<br />
<br />
Nadya's presentation will provide an update on the Software Assurance<br />
Forum efforts to establish a comprehensive framework for software<br />
assurance (SwA) and security measurement. The Framework addresses<br />
measuring achievement of SwA goals and objectives within the context of<br />
individual projects, programs, or enterprises. It targets a variety of<br />
audiences including executives, developers, vendors, suppliers, and<br />
buyers. The Framework leverages existing measurement methodologies,<br />
including Practical Software and System Measurement (PSM); CMMI Goal,<br />
Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC<br />
27004 and identifies commonalities among the methodologies to help<br />
organizations integrate SwA measurement in their overall measurement<br />
efforts cost-effectively and as seamlessly as possible, rather than<br />
establish a standalone SwA measurement effort within an organization.<br />
The presentation will provide an update on the SwA Forum Measurement<br />
Working Group work, present the current version of the Framework and underlying measures<br />
development and implementation processes, and propose example SwA<br />
measures applicable to a variety of SwA stakeholders. The presentation<br />
will update the group on the latest NIST and ISO standards on<br />
information security measurement that are being integrated into the<br />
Framework as the standards are being developed.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]<br />
<br />
''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''<br />
<br />
The Web Security Testing Cookbook (O'Reilly & Associates, October 2008)<br />
gives developers and testers the tools they need to make security<br />
testing a regular part of their development lifecycle. Its recipe style<br />
approach covers manual, exploratory testing as well automated techniques<br />
that you can make part of your unit tests or regression cycle. The<br />
recipes cover the basics like observing messages between clients and<br />
servers, to multi-phase tests that script the login and execution of web<br />
application features. This book complements many of the security texts<br />
in the market that tell you what a vulnerability is, but not how to<br />
systematically test it day in and day out. Leverage the recipes in this<br />
book to add significant security coverage to your testing without adding<br />
significant time and cost to your effort.<br />
<br />
Congratulations to Tim Bond who won an autographed copy of Paco's book.<br />
Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]<br />
<br />
=== October 2008 ===<br />
For our October 2008 meeting, we had two fascinating talks relating to forensics.<br />
<br />
''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''<br />
<br />
Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]<br />
<br />
''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''<br />
<br />
Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]<br />
<br />
==Knowledge==<br />
On the [[Knowledge]] page, you'll find links to this chapter's contributions organized by topic area.<br />
<br />
[[Category:Virginia]]<br />
[[Category:Washington, DC]]</div>Edalcihttps://wiki.owasp.org/index.php?title=Virginia&diff=66027Virginia2009-07-15T18:30:55Z<p>Edalci: </p>
<hr />
<div>==== About ====<br />
[[Image:Owasp-nova.JPG|275px|right]]The '''OWASP Washington VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge. <br />
<br />
We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.<br />
<br />
{{Chapter Template|chaptername=Virginia|extra=The chapter leader is [mailto:John.Steven@owasp.org John Steven]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-CHANGEME|emailarchives=http://lists.owasp.org/pipermail/owasp-CHANGEME}}<br />
* [http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va Click here to join local chapter mailing list]<br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Locations ====<br />
'''If you plan to attend in person:'''<br />
<br />
Directions to Booz Allen's One Dulles facility:<br />
<br />
13200 Woodland Park Road<br />
Herndon, VA 20171<br />
<br />
From Tyson's Corner:<br />
<br />
* Take LEESBURG PIKE / VA-7 WEST<br />
* Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)<br />
* Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)<br />
* Take the ramp toward CHANTILLY<br />
* Turn Left onto CENTERVILLE ROAD (at end of ramp)<br />
* Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)<br />
* End at 13200 WOODLAND PARK ROAD<br />
<br />
<br>'''If you plan to attend via Webinar:'''<br />
<br />
You can attend through [[OWASPNoVA WebEx]] <br />
<br />
==== Schedule ====<br />
'''Next Meeting'''<P><br />
Future speakers to include Gunnar Peterson, Dan Cornell, and more.</p><br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owaspsa-track2.PNG|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. '''REGISTRATION IS OPEN!'''<br />
<br />
Please send an email to [mailto:John.Steven@owasp.org John Steven] with your skills level with Statis Analysis and your motivation. Students are required to bring their own laptop. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop<br />
<br />
<br />
July 9th 6pm-9pm EST<br><br />
LOCATION: 13200 Woodland Park Road Herndon, VA 20171<BR><br />
TOPIC: "Ounce's 02"<BR><br />
SPEAKER(S): Dinis Cruz, OWASP, Ounce Labs.<BR><br />
PANEL: TBD<BR><br />
INSTRUCTIONS: RSVP through Stan Wisseman wisseman_stan@bah.com with “OWASP RSVP” in the subject.<BR><br />
<br />
DESCRIPTION: So what is O2?<br />
<br />
Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)<br />
<br />
Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).<br />
<br />
Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.<br />
<br />
Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)<br />
<br />
The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.<br />
<br />
* View the OWASP NoVA Chapter [http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York Calendar ]<br />
<br />
* The next meeting is '''Thursday, July 9th, 2009.''' <br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Knowledge ====<br />
<br />
The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:<br />
<br />
* Threat Modeling<br />
* [[Code Review and Static Analysis with tools]]<br />
* Penetration Testing and Dynamic Analysis tools<br />
* Monitoring/Dynamic patching (WAFs)<br />
<br />
Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:<br />
<br />
* ASVS<br />
<br />
<br />
==== Contributors and Sponsors ====<br />
<br />
'''Chapter Leader'''<br />
<br />
* [mailto:John.Steven@owasp.org John Steven], with assistance from [mailto:paco@cigital.com Paco Hope]<br />
<br />
'''Refreshment Sponsors'''<br />
<br />
[[Image:Cigital_OWASP.GIF]]<br />
<br />
'''Facility Sponsors'''<br />
<br />
[[Image:Bah-bw.JPG|215px]]<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<paypal>Northern Virginia</paypal><br />
<br />
== Past Meetings ==<br />
<br />
===June 2009===<br />
''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model''<BR><br />
Later, an interview:<br />
''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security<br />
''<BR><br />
<br />
Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups. <br />
<br />
Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group. <br />
<br />
Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]<br />
<br />
===May 2009 ===<br />
''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis''<BR><br />
Later, a panel:<br />
<UL><br />
<LI>Steven Lavenhar, Booz Allen Hamilton;<br />
<LI>Eric Dalci, Cigital Inc.<br />
</UL><br />
Panel moderated by John Steven<br />
<BR><br />
<br />
This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.<br />
<br />
Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]<br />
<br />
===April 2009 ===<br />
''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008'''<br><br />
Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk.<br><br />
<br />
Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf<br />
<br />
<br />
Later,<br />
<UL><br />
<LI>Nate Miller, Stratum Security;<br />
<LI>Jeremiah Grossman, Whitehat Security;<br />
<LI>Tom Brennan, Whitehat Security; and<br />
<LI>Wade Woolwine, AOL<br />
</UL><br />
served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.<br />
<br />
=== February 2009 ===<br />
<br />
''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''<br />
<br />
Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.<br />
<br />
This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.<br />
<br />
Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."<br />
<br />
(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )<br />
<br />
Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip| WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]<br />
<br />
''John Steven, Cigital'': '''Moving Beyond Top N Lists'''<br />
<br />
Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip| Moving Beyond Top N Lists]]<br />
<br />
<br />
Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.<br />
<br />
John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.<br />
<br />
=== January 2009 ===<br />
<br />
To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.<br />
<br />
''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''<br />
<br />
Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices. <br />
<br />
Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]<br />
<br />
''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''<br />
<br />
The primary aim of the OWASP ASVS Project is to normalize the range<br />
of coverage and level of rigor available in the market when it comes to<br />
performing application-level security verification. The goal is to<br />
create a set of commercially-workable open standards that are tailored<br />
to specific web-based technologies.<br />
<br />
Mike Boberski works at Booz Allen Hamilton. He has a background in<br />
application security and the use of cryptography by applications. He is<br />
experienced in trusted product evaluation, security-related software<br />
development and integration, and cryptomodule testing. For OWASP, he is<br />
the project lead and a co-author of the OWASP Application Security<br />
Verification Standard, the first OWASP standard.<br />
<br />
Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]<br />
<br />
=== November 2008 ===<br />
For our November 2008 meeting, we had two great presentations on software assurance and security testing.<br />
<br />
''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''<br />
<br />
Nadya's presentation will provide an update on the Software Assurance<br />
Forum efforts to establish a comprehensive framework for software<br />
assurance (SwA) and security measurement. The Framework addresses<br />
measuring achievement of SwA goals and objectives within the context of<br />
individual projects, programs, or enterprises. It targets a variety of<br />
audiences including executives, developers, vendors, suppliers, and<br />
buyers. The Framework leverages existing measurement methodologies,<br />
including Practical Software and System Measurement (PSM); CMMI Goal,<br />
Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC<br />
27004 and identifies commonalities among the methodologies to help<br />
organizations integrate SwA measurement in their overall measurement<br />
efforts cost-effectively and as seamlessly as possible, rather than<br />
establish a standalone SwA measurement effort within an organization.<br />
The presentation will provide an update on the SwA Forum Measurement<br />
Working Group work, present the current version of the Framework and underlying measures<br />
development and implementation processes, and propose example SwA<br />
measures applicable to a variety of SwA stakeholders. The presentation<br />
will update the group on the latest NIST and ISO standards on<br />
information security measurement that are being integrated into the<br />
Framework as the standards are being developed.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]<br />
<br />
''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''<br />
<br />
The Web Security Testing Cookbook (O'Reilly & Associates, October 2008)<br />
gives developers and testers the tools they need to make security<br />
testing a regular part of their development lifecycle. Its recipe style<br />
approach covers manual, exploratory testing as well automated techniques<br />
that you can make part of your unit tests or regression cycle. The<br />
recipes cover the basics like observing messages between clients and<br />
servers, to multi-phase tests that script the login and execution of web<br />
application features. This book complements many of the security texts<br />
in the market that tell you what a vulnerability is, but not how to<br />
systematically test it day in and day out. Leverage the recipes in this<br />
book to add significant security coverage to your testing without adding<br />
significant time and cost to your effort.<br />
<br />
Congratulations to Tim Bond who won an autographed copy of Paco's book.<br />
Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]<br />
<br />
=== October 2008 ===<br />
For our October 2008 meeting, we had two fascinating talks relating to forensics.<br />
<br />
''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''<br />
<br />
Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]<br />
<br />
''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''<br />
<br />
Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]<br />
<br />
==Knowledge==<br />
On the [[Knowledge]] page, you'll find links to this chapter's contributions organized by topic area.<br />
<br />
[[Category:Virginia]]<br />
[[Category:Washington, DC]]</div>Edalcihttps://wiki.owasp.org/index.php?title=Virginia&diff=66021Virginia2009-07-15T18:21:57Z<p>Edalci: </p>
<hr />
<div>==== About ====<br />
[[Image:Owasp-nova.JPG|275px|right]]The '''OWASP Washington VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge. <br />
<br />
We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.<br />
<br />
{{Chapter Template|chaptername=Virginia|extra=The chapter leader is [mailto:John.Steven@owasp.org John Steven]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-CHANGEME|emailarchives=http://lists.owasp.org/pipermail/owasp-CHANGEME}}<br />
* [http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va Click here to join local chapter mailing list]<br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Locations ====<br />
'''If you plan to attend in person:'''<br />
<br />
Directions to Booz Allen's One Dulles facility:<br />
<br />
13200 Woodland Park Road<br />
Herndon, VA 20171<br />
<br />
From Tyson's Corner:<br />
<br />
* Take LEESBURG PIKE / VA-7 WEST<br />
* Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)<br />
* Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)<br />
* Take the ramp toward CHANTILLY<br />
* Turn Left onto CENTERVILLE ROAD (at end of ramp)<br />
* Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)<br />
* End at 13200 WOODLAND PARK ROAD<br />
<br />
<br>'''If you plan to attend via Webinar:'''<br />
<br />
You can attend through [[OWASPNoVA WebEx]] <br />
<br />
==== Schedule ====<br />
'''Next Meeting'''<P><br />
Future speakers to include Gunnar Peterson, Dan Cornell, and more.</p><br />
July 9th 6pm-9pm EST<br><br />
LOCATION: 13200 Woodland Park Road Herndon, VA 20171<BR><br />
TOPIC: "Ounce's 02"<BR><br />
SPEAKER(S): Dinis Cruz, OWASP, Ounce Labs.<BR><br />
PANEL: TBD<BR><br />
INSTRUCTIONS: RSVP through Stan Wisseman wisseman_stan@bah.com with “OWASP RSVP” in the subject.<BR><br />
<br />
DESCRIPTION: So what is O2?<br />
<br />
Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)<br />
<br />
Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).<br />
<br />
Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.<br />
<br />
Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)<br />
<br />
The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.<br />
<br />
* View the OWASP NoVA Chapter [http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York Calendar ]<br />
<br />
* The next meeting is '''Thursday, July 9th, 2009.''' <br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Knowledge ====<br />
<br />
The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:<br />
<br />
* Threat Modeling<br />
* [[Code Review and Static Analysis with tools]]<br />
* Penetration Testing and Dynamic Analysis tools<br />
* Monitoring/Dynamic patching (WAFs)<br />
<br />
Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:<br />
<br />
* ASVS<br />
<br />
<br />
==== Contributors and Sponsors ====<br />
<br />
'''Chapter Leader'''<br />
<br />
* [mailto:John.Steven@owasp.org John Steven], with assistance from [mailto:paco@cigital.com Paco Hope]<br />
<br />
'''Refreshment Sponsors'''<br />
<br />
[[Image:Cigital_OWASP.GIF]]<br />
<br />
'''Facility Sponsors'''<br />
<br />
[[Image:Bah-bw.JPG|215px]]<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<paypal>Northern Virginia</paypal><br />
<br />
== Past Meetings ==<br />
<br />
===June 2009===<br />
''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model''<BR><br />
Later, an interview:<br />
''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security<br />
''<BR><br />
<br />
Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups. <br />
<br />
Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group. <br />
<br />
Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]<br />
<br />
===May 2009 ===<br />
''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis''<BR><br />
Later, a panel:<br />
<UL><br />
<LI>Steven Lavenhar, Booz Allen Hamilton;<br />
<LI>Eric Dalci, Cigital Inc.<br />
</UL><br />
Panel moderated by John Steven<br />
<BR><br />
<br />
This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.<br />
<br />
Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]<br />
<br />
===April 2009 ===<br />
''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008'''<br><br />
Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk.<br><br />
<br />
Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf<br />
<br />
<br />
Later,<br />
<UL><br />
<LI>Nate Miller, Stratum Security;<br />
<LI>Jeremiah Grossman, Whitehat Security;<br />
<LI>Tom Brennan, Whitehat Security; and<br />
<LI>Wade Woolwine, AOL<br />
</UL><br />
served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.<br />
<br />
=== February 2009 ===<br />
<br />
''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''<br />
<br />
Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.<br />
<br />
This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.<br />
<br />
Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."<br />
<br />
(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )<br />
<br />
Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip| WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]<br />
<br />
''John Steven, Cigital'': '''Moving Beyond Top N Lists'''<br />
<br />
Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip| Moving Beyond Top N Lists]]<br />
<br />
<br />
Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.<br />
<br />
John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.<br />
<br />
=== January 2009 ===<br />
<br />
To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.<br />
<br />
''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''<br />
<br />
Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices. <br />
<br />
Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]<br />
<br />
''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''<br />
<br />
The primary aim of the OWASP ASVS Project is to normalize the range<br />
of coverage and level of rigor available in the market when it comes to<br />
performing application-level security verification. The goal is to<br />
create a set of commercially-workable open standards that are tailored<br />
to specific web-based technologies.<br />
<br />
Mike Boberski works at Booz Allen Hamilton. He has a background in<br />
application security and the use of cryptography by applications. He is<br />
experienced in trusted product evaluation, security-related software<br />
development and integration, and cryptomodule testing. For OWASP, he is<br />
the project lead and a co-author of the OWASP Application Security<br />
Verification Standard, the first OWASP standard.<br />
<br />
Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]<br />
<br />
=== November 2008 ===<br />
For our November 2008 meeting, we had two great presentations on software assurance and security testing.<br />
<br />
''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''<br />
<br />
Nadya's presentation will provide an update on the Software Assurance<br />
Forum efforts to establish a comprehensive framework for software<br />
assurance (SwA) and security measurement. The Framework addresses<br />
measuring achievement of SwA goals and objectives within the context of<br />
individual projects, programs, or enterprises. It targets a variety of<br />
audiences including executives, developers, vendors, suppliers, and<br />
buyers. The Framework leverages existing measurement methodologies,<br />
including Practical Software and System Measurement (PSM); CMMI Goal,<br />
Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC<br />
27004 and identifies commonalities among the methodologies to help<br />
organizations integrate SwA measurement in their overall measurement<br />
efforts cost-effectively and as seamlessly as possible, rather than<br />
establish a standalone SwA measurement effort within an organization.<br />
The presentation will provide an update on the SwA Forum Measurement<br />
Working Group work, present the current version of the Framework and underlying measures<br />
development and implementation processes, and propose example SwA<br />
measures applicable to a variety of SwA stakeholders. The presentation<br />
will update the group on the latest NIST and ISO standards on<br />
information security measurement that are being integrated into the<br />
Framework as the standards are being developed.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]<br />
<br />
''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''<br />
<br />
The Web Security Testing Cookbook (O'Reilly & Associates, October 2008)<br />
gives developers and testers the tools they need to make security<br />
testing a regular part of their development lifecycle. Its recipe style<br />
approach covers manual, exploratory testing as well automated techniques<br />
that you can make part of your unit tests or regression cycle. The<br />
recipes cover the basics like observing messages between clients and<br />
servers, to multi-phase tests that script the login and execution of web<br />
application features. This book complements many of the security texts<br />
in the market that tell you what a vulnerability is, but not how to<br />
systematically test it day in and day out. Leverage the recipes in this<br />
book to add significant security coverage to your testing without adding<br />
significant time and cost to your effort.<br />
<br />
Congratulations to Tim Bond who won an autographed copy of Paco's book.<br />
Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]<br />
<br />
=== October 2008 ===<br />
For our October 2008 meeting, we had two fascinating talks relating to forensics.<br />
<br />
''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''<br />
<br />
Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]<br />
<br />
''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''<br />
<br />
Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]<br />
<br />
==Knowledge==<br />
On the [[Knowledge]] page, you'll find links to this chapter's contributions organized by topic area.<br />
<br />
[[Category:Virginia]]<br />
[[Category:Washington, DC]]</div>Edalcihttps://wiki.owasp.org/index.php?title=Virginia&diff=66019Virginia2009-07-15T18:20:50Z<p>Edalci: </p>
<hr />
<div>==== About ====<br />
[[Image:Owasp-nova.JPG|275px|right]]The '''OWASP Washington VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge. <br />
<br />
We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.<br />
<br />
The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.<br />
<br />
{{Chapter Template|chaptername=Virginia|extra=The chapter leader is [mailto:John.Steven@owasp.org John Steven]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-CHANGEME|emailarchives=http://lists.owasp.org/pipermail/owasp-CHANGEME}}<br />
* [http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va Click here to join local chapter mailing list]<br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Locations ====<br />
'''If you plan to attend in person:'''<br />
<br />
Directions to Booz Allen's One Dulles facility:<br />
<br />
13200 Woodland Park Road<br />
Herndon, VA 20171<br />
<br />
From Tyson's Corner:<br />
<br />
* Take LEESBURG PIKE / VA-7 WEST<br />
* Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)<br />
* Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)<br />
* Take the ramp toward CHANTILLY<br />
* Turn Left onto CENTERVILLE ROAD (at end of ramp)<br />
* Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)<br />
* End at 13200 WOODLAND PARK ROAD<br />
<br />
<br>'''If you plan to attend via Webinar:'''<br />
<br />
You can attend through [[OWASPNoVA WebEx]] <br />
<br />
==== Schedule ====<br />
'''Next Meeting'''<P><br />
Future speakers to include Gunnar Peterson, Dan Cornell, and more.</p><br />
July 9th 6pm-9pm EST<br><br />
LOCATION: 13200 Woodland Park Road Herndon, VA 20171<BR><br />
TOPIC: "Ounce's 02"<BR><br />
SPEAKER(S): Dinis Cruz, OWASP, Ounce Labs.<BR><br />
PANEL: TBD<BR><br />
INSTRUCTIONS: RSVP through Stan Wisseman wisseman_stan@bah.com with “OWASP RSVP” in the subject.<BR><br />
<br />
DESCRIPTION: So what is O2?<br />
<br />
Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)<br />
<br />
Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).<br />
<br />
Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.<br />
<br />
Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)<br />
<br />
The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.<br />
<br />
* View the OWASP NoVA Chapter [http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York Calendar ]<br />
<br />
* The next meeting is '''Thursday, July 9th, 2009.''' <br />
* Add July 9th to my [https://www.google.com/calendar/hosted/owasp.org/event?action=TEMPLATE&amp;tmeid=azV2NGU4Zjc0M2w1a3NxMG4zam84cXZyMmcgb3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGc&amp;tmsrc=b3dhc3Aub3JnXzFodDVvZWdrOGtkMGR0YXQ1Y2tvNzFlN2RjQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20 Google Calendar], [https://cigital.webex.com/cigital/j.php?ED=124134682&UID=1012271922&ICS=MI&LD=1&RD=2&ST=1&SHA2=CWCN2pMk85HfkpUHyB/6CNfutu79JBWjL2LWsdybwEw= Exchange Calendar]<br />
<br />
==== Knowledge ====<br />
<br />
==== Contributors and Sponsors ====<br />
<br />
'''Chapter Leader'''<br />
<br />
* [mailto:John.Steven@owasp.org John Steven], with assistance from [mailto:paco@cigital.com Paco Hope]<br />
<br />
'''Refreshment Sponsors'''<br />
<br />
[[Image:Cigital_OWASP.GIF]]<br />
<br />
'''Facility Sponsors'''<br />
<br />
[[Image:Bah-bw.JPG|215px]]<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<paypal>Northern Virginia</paypal><br />
<br />
== Past Meetings ==<br />
<br />
===June 2009===<br />
''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model''<BR><br />
Later, an interview:<br />
''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security<br />
''<BR><br />
<br />
Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups. <br />
<br />
Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group. <br />
<br />
Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]<br />
<br />
===May 2009 ===<br />
''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis''<BR><br />
Later, a panel:<br />
<UL><br />
<LI>Steven Lavenhar, Booz Allen Hamilton;<br />
<LI>Eric Dalci, Cigital Inc.<br />
</UL><br />
Panel moderated by John Steven<br />
<BR><br />
<br />
This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.<br />
<br />
Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]<br />
<br />
===April 2009 ===<br />
''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008'''<br><br />
Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk.<br><br />
<br />
Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf<br />
<br />
<br />
Later,<br />
<UL><br />
<LI>Nate Miller, Stratum Security;<br />
<LI>Jeremiah Grossman, Whitehat Security;<br />
<LI>Tom Brennan, Whitehat Security; and<br />
<LI>Wade Woolwine, AOL<br />
</UL><br />
served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.<br />
<br />
=== February 2009 ===<br />
<br />
''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''<br />
<br />
Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.<br />
<br />
This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.<br />
<br />
Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."<br />
<br />
(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )<br />
<br />
Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip| WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]<br />
<br />
''John Steven, Cigital'': '''Moving Beyond Top N Lists'''<br />
<br />
Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip| Moving Beyond Top N Lists]]<br />
<br />
<br />
Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.<br />
<br />
John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.<br />
<br />
=== January 2009 ===<br />
<br />
To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.<br />
<br />
''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''<br />
<br />
Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices. <br />
<br />
Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]<br />
<br />
''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''<br />
<br />
The primary aim of the OWASP ASVS Project is to normalize the range<br />
of coverage and level of rigor available in the market when it comes to<br />
performing application-level security verification. The goal is to<br />
create a set of commercially-workable open standards that are tailored<br />
to specific web-based technologies.<br />
<br />
Mike Boberski works at Booz Allen Hamilton. He has a background in<br />
application security and the use of cryptography by applications. He is<br />
experienced in trusted product evaluation, security-related software<br />
development and integration, and cryptomodule testing. For OWASP, he is<br />
the project lead and a co-author of the OWASP Application Security<br />
Verification Standard, the first OWASP standard.<br />
<br />
Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]<br />
<br />
=== November 2008 ===<br />
For our November 2008 meeting, we had two great presentations on software assurance and security testing.<br />
<br />
''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''<br />
<br />
Nadya's presentation will provide an update on the Software Assurance<br />
Forum efforts to establish a comprehensive framework for software<br />
assurance (SwA) and security measurement. The Framework addresses<br />
measuring achievement of SwA goals and objectives within the context of<br />
individual projects, programs, or enterprises. It targets a variety of<br />
audiences including executives, developers, vendors, suppliers, and<br />
buyers. The Framework leverages existing measurement methodologies,<br />
including Practical Software and System Measurement (PSM); CMMI Goal,<br />
Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC<br />
27004 and identifies commonalities among the methodologies to help<br />
organizations integrate SwA measurement in their overall measurement<br />
efforts cost-effectively and as seamlessly as possible, rather than<br />
establish a standalone SwA measurement effort within an organization.<br />
The presentation will provide an update on the SwA Forum Measurement<br />
Working Group work, present the current version of the Framework and underlying measures<br />
development and implementation processes, and propose example SwA<br />
measures applicable to a variety of SwA stakeholders. The presentation<br />
will update the group on the latest NIST and ISO standards on<br />
information security measurement that are being integrated into the<br />
Framework as the standards are being developed.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]<br />
<br />
''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''<br />
<br />
The Web Security Testing Cookbook (O'Reilly & Associates, October 2008)<br />
gives developers and testers the tools they need to make security<br />
testing a regular part of their development lifecycle. Its recipe style<br />
approach covers manual, exploratory testing as well automated techniques<br />
that you can make part of your unit tests or regression cycle. The<br />
recipes cover the basics like observing messages between clients and<br />
servers, to multi-phase tests that script the login and execution of web<br />
application features. This book complements many of the security texts<br />
in the market that tell you what a vulnerability is, but not how to<br />
systematically test it day in and day out. Leverage the recipes in this<br />
book to add significant security coverage to your testing without adding<br />
significant time and cost to your effort.<br />
<br />
Congratulations to Tim Bond who won an autographed copy of Paco's book.<br />
Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]<br />
<br />
=== October 2008 ===<br />
For our October 2008 meeting, we had two fascinating talks relating to forensics.<br />
<br />
''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''<br />
<br />
Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]<br />
<br />
''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''<br />
<br />
Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.<br />
<br />
Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]<br />
<br />
==Knowledge==<br />
On the [[Knowledge]] page, you'll find links to this chapter's contributions organized by topic area.<br />
<br />
[[Category:Virginia]]<br />
[[Category:Washington, DC]]</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=66018Code Review and Static Analysis with tools2009-07-15T18:19:03Z<p>Edalci: /* Static Analysis Curriculum */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:Owaspsa-track2.PNG|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews, July 30th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Bruce Mayhew (Ounce Lab) and Fortify (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat. Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison. We will have an open discussion session after each demo for students to ask questions to the vendors. Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=File:Owaspsa-track2.PNG&diff=66017File:Owaspsa-track2.PNG2009-07-15T18:18:29Z<p>Edalci: </p>
<hr />
<div></div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62895Code Review and Static Analysis with tools2009-05-28T07:59:58Z<p>Edalci: /* Session 2: Tool Assisted Code Reviews, July 30th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:OWASP roadmap.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews, July 30th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Bruce Mayhew (Ounce Lab) and Fortify (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat. Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison. We will have an open discussion session after each demo for students to ask questions to the vendors. Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62894Code Review and Static Analysis with tools2009-05-28T07:58:30Z<p>Edalci: </p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].<br />
<br />
[[Image:OWASP roadmap.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
*Download slide from [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) here]<br />
<br />
===Session 2: Tool Assisted Code Reviews, July 30th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Bruce Mayhew (Ounce Lab) and Fortify (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat.<br />
* Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison.<br />
* We will have an open discussion session after each demo for students to ask questions to the vendors.<br />
* Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62893Code Review and Static Analysis with tools2009-05-28T07:56:49Z<p>Edalci: </p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the Northern Virginia Chapter.<br />
<br />
[[Image:OWASP roadmap.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric (Cigital)<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
<br />
===Session 2: Tool Assisted Code Reviews, July 30th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Bruce Mayhew (Ounce Lab) and Fortify (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat.<br />
* Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison.<br />
* We will have an open discussion session after each demo for students to ask questions to the vendors.<br />
* Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan (Cigital)<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi (Cigital)<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62892Code Review and Static Analysis with tools2009-05-28T07:55:54Z<p>Edalci: /* Session 2: Tool Assisted Code Reviews, July 30th 2009 */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the Northern Virginia Chapter.<br />
<br />
[[Image:OWASP roadmap.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
<br />
===Session 2: Tool Assisted Code Reviews, July 30th 2009===<br />
*Speaker: Dalci, Eric (Cigital), Bruce Mayhew (Ounce Lab) and Fortify (tbd)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat.<br />
* Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison.<br />
* We will have an open discussion session after each demo for students to ask questions to the vendors.<br />
* Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62891Code Review and Static Analysis with tools2009-05-28T07:54:58Z<p>Edalci: /* Contacts */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the Northern Virginia Chapter.<br />
<br />
[[Image:OWASP roadmap.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
<br />
===Session 2: Tool Assisted Code Reviews, July 30th 2009===<br />
*Speaker: Dalci, Eric, Bruce Mayhew (Ounce Lab) and Fortify (?)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat.<br />
* Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison.<br />
* We will have an open discussion session after each demo for students to ask questions to the vendors.<br />
* Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62890Code Review and Static Analysis with tools2009-05-28T07:54:40Z<p>Edalci: /* Static Analysis Curriculum */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the Northern Virginia Chapter.<br />
<br />
[[Image:OWASP roadmap.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Contacts===<br />
Questions related to this currculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
<br />
===Session 2: Tool Assisted Code Reviews, July 30th 2009===<br />
*Speaker: Dalci, Eric, Bruce Mayhew (Ounce Lab) and Fortify (?)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat.<br />
* Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison.<br />
* We will have an open discussion session after each demo for students to ask questions to the vendors.<br />
* Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62889Code Review and Static Analysis with tools2009-05-28T07:52:05Z<p>Edalci: </p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the Northern Virginia Chapter.<br />
<br />
[[Image:OWASP roadmap.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we may have a hard limit of 40 students. <br />
<br />
Registration for sessions will be on first come and first served basis. Although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH pre-installed. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ session or demo. Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
<br />
===Session 2: Tool Assisted Code Reviews, July 30th 2009===<br />
*Speaker: Dalci, Eric, Bruce Mayhew (Ounce Lab) and Fortify (?)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat.<br />
* Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison.<br />
* We will have an open discussion session after each demo for students to ask questions to the vendors.<br />
* Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62888Code Review and Static Analysis with tools2009-05-28T07:47:38Z<p>Edalci: </p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the Northern Virginia Chapter.<br />
<br />
[[Image:OWASP roadmap.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Registration=== <br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we will have to put a hard limit of 40 attendees. <br />
<br />
Registration for sessions will be on first come and first served basis. But we will give preference to people who show regularity and sign up for many sessions. Students will also have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH preinstalled. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. This will mitigate side-by-side comparison of tool & findings. Vendors are not allowed to interfere with other vendors’ session or demo (Note: we have only 2 vendors: Fortify & Ounce Lab). Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
<br />
===Session 2: Tool Assisted Code Reviews, July 30th 2009===<br />
*Speaker: Dalci, Eric, Bruce Mayhew (Ounce Lab) and Fortify (?)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat.<br />
* Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison.<br />
* We will have an open discussion session after each demo for students to ask questions to the vendors.<br />
* Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62887Code Review and Static Analysis with tools2009-05-28T07:46:57Z<p>Edalci: </p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the Northern Virginia Chapter.<br />
<br />
[[Image:OWASP roadmap.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
===Logistics Preparation for hands on===<br />
<br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we will have to put a hard limit of 40 attendees. <br />
<br />
===Registration=== <br />
Registration for sessions will be on first come and first served basis. But we will give preference to people who show regularity and sign up for many sessions. Students will also have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH preinstalled. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
===Student’s prerequisites===<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
===Tool license and Vendor IP===<br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. This will mitigate side-by-side comparison of tool & findings. Vendors are not allowed to interfere with other vendors’ session or demo (Note: we have only 2 vendors: Fortify & Ounce Lab). Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
===Session 1: Intro To Static Analysis, May 7th 2009===<br />
*Speaker: Dalci, Eric<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
<br />
===Session 2: Tool Assisted Code Reviews, July 30th 2009===<br />
*Speaker: Dalci, Eric, Bruce Mayhew (Ounce Lab) and Fortify (?)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat.<br />
* Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison.<br />
* We will have an open discussion session after each demo for students to ask questions to the vendors.<br />
* Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
===Session 3: Customization Lab (Fortify), August 13th 2009===<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
===Session 4: Customization Lab (Ounce Lab), August 27th 2009===<br />
*Speaker: Nabil Hannan<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
===Session 5: Tool Adoption and Deployment, September 17th 2009===<br />
*Speaker: Shivang Trivedi<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62886Code Review and Static Analysis with tools2009-05-28T07:45:33Z<p>Edalci: </p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the Northern Virginia Chapter.<br />
<br />
[[Image:OWASP roadmap.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
<br />
===Logistics Preparation for hands on===<br />
<br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we will have to put a hard limit of 40 attendees. <br />
<br />
====Registration==== <br />
Registration for sessions will be on first come and first served basis. But we will give preference to people who show regularity and sign up for many sessions. Students will also have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH preinstalled. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
====Student’s prerequisites====<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
====Tool license and Vendor IP==== <br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. This will mitigate side-by-side comparison of tool & findings. Vendors are not allowed to interfere with other vendors’ session or demo (Note: we have only 2 vendors: Fortify & Ounce Lab). Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
====Session 1: Intro To Static Analysis, May 7th 2009====<br />
*Speaker: Dalci, Eric<br />
*Time: 2 hours + open discussion<br />
*Classroom size: This is open. <br />
This presentation will give a taste about what Static Analysis is.<br />
<br />
====Session 2: Tool Assisted Code Reviews, July 30th 2009====<br />
*Speaker: Dalci, Eric, Bruce Mayhew (Ounce Lab) and Fortify (?)<br />
*Time: 2hours and half<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
<br />
This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
* Fortify will demo its tool and scan Webgoat.<br />
* Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison.<br />
* We will have an open discussion session after each demo for students to ask questions to the vendors.<br />
* Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
<br />
====Session 3: Customization Lab (Fortify), August 13th 2009====<br />
*Speaker: Mike Ware<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (2 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
* Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
* Semantic [use of a sensitive API [getEmployeeSSN()]<br />
* Structural [all Struts ActionForms must extend custom base ActionForm]<br />
* Configuration [properties: data.encryption = off]<br />
* Control flow [always call securityCheck() before downloadFile()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Priority filters (e.g., P1, P2, etc) <br />
** Isolating findings ("security controls" example)<br />
* Authentication<br />
* Authorization<br />
* Data validation<br />
* Session management<br />
* Etc. <br />
<br />
====Session 4: Customization Lab (Ounce Lab), August 27th 2009====<br />
*Speaker: Nabil Hannan<br />
*Time: 3 hours<br />
*Logistics: Hands on setup as in logistic section.<br />
*Location: TBD<br />
*Classroom size: 30 stations, 40 attendees max<br />
*Prerequisite: Attended session 2<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
* Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
* Custom rules (1.5 hours)<br />
** Hands on examples of different rule types applied to code that resembles real business logic<br />
* Data flow sources and sinks [private data sent to custom logger]<br />
* Data flow cleanse [cleanse: HTML encoding]<br />
* Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
* Filtering (.5 hours)<br />
** Prioritizing remediation efforts<br />
* Understanding the Ounce Vulnerability Matrix<br />
* Modifying finding severity/category <br />
** Isolating findings (using "bundles")<br />
* Input Validation<br />
* SQL Injection<br />
* Cross-Site Scripting<br />
* Etc.<br />
* Reporting (.5 hours)<br />
** Demonstrate compliance with industry regulations and best practices<br />
* OWASP Top 10<br />
* PCI <br />
<br />
====Session 5: Tool Adoption and Deployment, September 17th 2009====<br />
*Speaker: Shivang Trivedi<br />
*Time: 2 hours<br />
*Location: TBD<br />
*Prerequisite: Preferably attended session 2, but not mandatory <br />
*Classroom size: Open<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
Agenda (draft):<br />
* Tool Selection<br />
** Flexible with Static Analysis and/or Penetration Testing<br />
** Coverage<br />
** Enterprise Support<br />
** Quality of Security Findings <br />
* Phases of Integration<br />
** Pre-requisites<br />
** Goals and Challenges<br />
** Distribution of Roles and Responsibilities<br />
** Considering LOE <br />
* Model Per Activity<br />
** Activity Flow<br />
** Phase Transition <br />
* Deployment Model<br />
** Advantages<br />
** Disadvantages <br />
* Free and Handy Tools to<br />
** Continuously Integrate<br />
** Join activity flow <br />
* Improvements and Lessons Learned<br />
** Effective use of tool’s capabilities<br />
** Expanding Coverage<br />
** Analysis Techniques<br />
** Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=File:OWASP_roadmap.png&diff=62885File:OWASP roadmap.png2009-05-28T07:38:31Z<p>Edalci: uploaded a new version of "Image:OWASP roadmap.png"</p>
<hr />
<div></div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62884Code Review and Static Analysis with tools2009-05-28T07:38:08Z<p>Edalci: /* Static Analysis Curriculum */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap for the Northern Virginia Chapter.<br />
<br />
[[Image:OWASP roadmap.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
<br />
===Logistics Preparation for hands on===<br />
<br />
Classroom’s size estimate for hands on: 30 stations max. Physical number of students can be larger as people may want to pair up. But we will have to put a hard limit of 40 attendees. <br />
<br />
====Registration==== <br />
Registration for sessions will be on first come and first served basis. But we will give preference to people who show regularity and sign up for many sessions. Students will also have to fill up a small interview before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions that they sign for. We ask to the students to bring their laptop in the hands on session, and to have software such as SSH preinstalled. Basic knowledge about code is also required in all sessions, except the last one. We will start registration by email mid-June or earlier.<br />
<br />
====Student’s prerequisites====<br />
All students will need to bring their own laptop and use them as client to connect to the host machines; we will support windows users, MacOS and Unix. They should have at least 2 Gig of Ram, and have a version of SSH installed. <br />
<br />
====Tool license and Vendor IP==== <br />
Vendors will need to provide tools license for the hands on sessions. Students will not have tool installation on their machine. They will be piloting copies of the tool in a remote VM image. This is NOT a competition. The purpose is NOT to compare tools, different source code will be picked for each vendor. This will mitigate side-by-side comparison of tool & findings. Vendors are not allowed to interfere with other vendors’ session or demo (Note: we have only 2 vendors: Fortify & Ounce Lab). Questions related to tool comparison between the present vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.<br />
<br />
====Session 1: Intro To Static Analysis, July 16th 2009====<br />
Speaker: Dalci, Eric<br />
Time: 2 hours + open discussion<br />
Logistics: Slideware and projector<br />
Location: <TBD>: AOL, Booz ?<br />
Classroom size: This is open. <br />
The last couple meetings have been averaging to about 40 attendees or so. This presentation will give a taste about what Static Analysis is. We will also try to raise interest for people to sign up for the successive session. People may want to sign up early for the session 2 and 3 since those will have limited seats. <br />
Outcome: Sign up sheet with preregistered students for other sessions <br />
To-dos: <br />
• Keep students engaged and mail them prerequisites about the following sessions.<br />
• Continue to prepare logistics for other sessions<br />
Session 2: Tool Assisted Code Reviews, July 30th 2009<br />
Speaker: Dalci, Eric, Bruce Mayhew (Ounce Lab) and Fortify (?)<br />
Time: 2hours and half<br />
Logistics: Hands on setup as in logistic section.<br />
Location: TBD<br />
Classroom size: 30 stations, 40 attendees max<br />
Outcome: Sign up sheet with preregistered students for other sessions <br />
To-dos: <br />
• Keep students engaged and mail them prerequisites about the following sessions.<br />
• Continue to prepare logistics for other sessions<br />
<br />
<br />
Eric will introduce the session and the vendors. This is an introduction course to two Static Analysis tools (Fortify SCA and Ounce Labs 6):<br />
• Fortify will demo its tool and scan Webgoat.<br />
• Ounce Lab will demo its tool, but we may scan a different project such as HacmeBank just to avoid tool comparison.<br />
• We will have an open discussion session after each demo for students to ask questions to the vendors.<br />
• Vendors should not interfere with each other’s session. Questions related to tool comparison will not be answered since this is not the goal of this session.<br />
Session 3: Customization Lab (Fortify), August 13th 2009<br />
Speaker: Mike Ware<br />
Time: 3 hours<br />
Logistics: Hands on setup as in logistic section.<br />
Location: TBD<br />
Classroom size: 30 stations, 40 attendees max<br />
Prerequisite: Attended session 2<br />
Outcome: Sign up sheet with preregistered students for other sessions <br />
To-dos: <br />
• Keep students engaged and mail them prerequisites about the following sessions.<br />
• Continue to prepare logistics for other sessions<br />
<br />
<br />
Mike will train the students on how to customize the Fortify Source Code Analyzer (SCA)<br />
Agenda (draft):<br />
• Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
• Custom rules (2 hours)<br />
o Hands on examples of different rule types applied to code that resembles real business logic<br />
• Data flow sources and sinks [private data sent to custom logger, turn web service entry points into data flow rules?]<br />
• Data flow cleanse and pass through [cleanse: HTML escaping, pass through: third party library]<br />
• Semantic [use of a sensitive API [getEmployeeSSN()]<br />
• Structural [all Struts ActionForms must extend custom base ActionForm]<br />
• Configuration [properties: data.encryption = off]<br />
• Control flow [always call securityCheck() before downloadFile()] <br />
• Filtering (.5 hours)<br />
o Prioritizing remediation efforts<br />
• Priority filters (e.g., P1, P2, etc) <br />
o Isolating findings ("security controls" example)<br />
• Authentication<br />
• Authorization<br />
• Data validation<br />
• Session management<br />
• Etc. <br />
<br />
Session 4: Customization Lab (Ounce Lab), August 27th 2009<br />
Speaker: Nabil Hannan<br />
Time: 3 hours<br />
Logistics: Hands on setup as in logistic section.<br />
Location: TBD<br />
Classroom size: 30 stations, 40 attendees max<br />
Prerequisite: Attended session 2<br />
Outcome: Sign up sheet with preregistered students for other sessions <br />
To-dos: <br />
• Keep students engaged and mail them prerequisites about the following sessions.<br />
• Continue to prepare logistics for other sessions<br />
<br />
<br />
Nabil will train the students on how to customize the Ounce Labs 6 tool<br />
Agenda (draft):<br />
• Approach to auditing scan results to determine true positives and false positives (.5 hours)<br />
• Custom rules (1.5 hours)<br />
o Hands on examples of different rule types applied to code that resembles real business logic<br />
• Data flow sources and sinks [private data sent to custom logger]<br />
• Data flow cleanse [cleanse: HTML encoding]<br />
• Semantic [use of a sensitive API e.g. getEmployeeSSN()] <br />
• Filtering (.5 hours)<br />
o Prioritizing remediation efforts<br />
• Understanding the Ounce Vulnerability Matrix<br />
• Modifying finding severity/category <br />
o Isolating findings (using "bundles")<br />
• Input Validation<br />
• SQL Injection<br />
• Cross-Site Scripting<br />
• Etc.<br />
• Reporting (.5 hours)<br />
o Demonstrate compliance with industry regulations and best practices<br />
• OWASP Top 10<br />
• PCI <br />
<br />
Session 5: Tool Adoption and Deployment, September 10th 2009<br />
Speaker: Shivang Trivedi<br />
Time: 2 hours<br />
Logistics: Slideware and projector<br />
Location: TBD<br />
Prerequisite: Preferably attended session 2, but not mandatory <br />
Classroom size: Open<br />
Outcome: Sign up sheet with preregistered students for other sessions <br />
To-dos: <br />
• Keep students engaged and mail them prerequisites about the following sessions.<br />
• Continue to prepare logistics for other sessions<br />
<br />
<br />
Shivang will talk about integration of a Static Analysis tool into the SDLC.<br />
<br />
Agenda (draft):<br />
<br />
• Tool Selection<br />
o Flexible with Static Analysis and/or Penetration Testing<br />
o Coverage<br />
o Enterprise Support<br />
o Quality of Security Findings <br />
• Phases of Integration<br />
o Pre-requisites<br />
o Goals and Challenges<br />
o Distribution of Roles and Responsibilities<br />
o Considering LOE <br />
• Model Per Activity<br />
o Activity Flow<br />
o Phase Transition <br />
• Deployment Model<br />
o Advantages<br />
o Disadvantages <br />
• Free and Handy Tools to<br />
o Continuously Integrate<br />
o Join activity flow <br />
• Improvements and Lessons Learned<br />
o Effective use of tool’s capabilities<br />
o Expanding Coverage<br />
o Analysis Techniques<br />
o Improving Results Accuracy<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62882Code Review and Static Analysis with tools2009-05-28T07:27:18Z<p>Edalci: /* Static Analysis Curriculum */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap.<br />
<br />
[[Image:OWASP roadmap.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=File:OWASP_roadmap.png&diff=62881File:OWASP roadmap.png2009-05-28T07:26:18Z<p>Edalci: uploaded a new version of "Image:OWASP roadmap.png"</p>
<hr />
<div></div>Edalcihttps://wiki.owasp.org/index.php?title=Code_Review_and_Static_Analysis_with_tools&diff=62880Code Review and Static Analysis with tools2009-05-28T07:25:37Z<p>Edalci: /* Static Analysis Curriculum */</p>
<hr />
<div>Chapter: [[Virginia_(Northern_Virginia)#OWASP_Washington_VA_Local_Chapter | OWASP NoVA]] >> [[Virginia_(Northern_Virginia)#Knowledge | Knowledge]]<br />
<br />
== Static Analysis Curriculum ==<br />
<br />
* For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].<br />
<br />
The following is the agenda of the OWASP Static Analysis track roadmap.<br />
<br />
[[Image:OWASP roadmap.png|800px|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]<br />
<br />
== Code Review and Static Analysis with tools ==<br />
<br />
<UL><br />
<LI>What: [[Security_Code_Review_in_the_SDLC | Secure Code Review]]<br />
<LI>Who: Performed by Security Analysts<br />
<LI>Where it fits: [http://bsi-mm.com/ssf/ssdl/cr/ BSIMM Secure Code Review]<br />
<LI>Cost: Scales with depth, threat facing application, and application size/complexity<br />
</UL><br />
<br />
This article will answer the following questions about secure code review and use of static analysis tools:<br />
<OL><br />
<LI>What are static analysis tools and how do I use them?<br />
<LI>How do I select a static analysis tool?<br />
<LI>How do I customize a static analysis tool?<br />
<LI>How do I scale my assessment practices with secure code review?<br />
</OL> <br />
<br />
== Organizational == <br />
How do I scale my assessment practices with secure code review?<p><br />
<br />
Implementing a static analysis tool goes a long way to providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, who they should involve, and how long/much it will cost.<br><br />
<br />
[[Media:Cigital_-_Fortify_Implementation_Preso.ppt|Implementing a Static Analysis Tool.ppt]]<br><br />
<br />
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools) the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:<br />
<br />
[[Maturing_Software_Assessment_Through_Static_Analysis | Maturing Assessment Through Static Analysis]]<br />
<br />
== Customization ==<br />
People who believe that the value of static analysis is predominantly within their core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect:<br />
<br />
<UL><br />
<LI>Dramatically better accuracy (increased true positives, decreased false positives, and decreased false negatives)<br />
<LI>Automated scanning for corporate security standards<br />
<LI>Automated scanning for an organization's top problems<br />
<LI>Visibility into adherence to (or inclusion of) sanctioned toolkits<br />
</UL> <br />
<br />
The following presentation was given at the NoVA chapter in '06 and discusses deployment and customization:<br />
<br />
[[Media:OWASP_Adopting_a_Static_Analysis_Tool.ppt|Adopting a Static Analysis Tool]]<br />
<br />
Warning: this presentation is old and gives examples using the now defunct "CodeAssure" from what was then SecureSoftware.</div>Edalcihttps://wiki.owasp.org/index.php?title=File:OWASP_roadmap.png&diff=62879File:OWASP roadmap.png2009-05-28T07:19:07Z<p>Edalci: </p>
<hr />
<div></div>Edalci