https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Gary+David+RobinsonOWASP - User contributions [en]2026-04-21T15:02:12ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=File:OWASP_Presentation_-_Encryption_and_Digital_Certificates_-_Published.pdf&diff=244227File:OWASP Presentation - Encryption and Digital Certificates - Published.pdf2018-10-14T21:04:43Z<p>Gary David Robinson: Slides from OWASP Belfast presentation during October.</p>
<hr />
<div>Slides from OWASP Belfast presentation during October.</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=243698Belfast2018-09-25T09:16:54Z<p>Gary David Robinson: Updated for a new session</p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:siobhan.gallagher@owasp.org Siobhan Gallagher]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter October Session - Wednesday, October 10, 2018'''<br />
<br />
6:30pm @ Queens Bernard Crossland Building (https://www.google.com/maps/search/?api=1&query=54.568462%2C-5.948391)<br />
<br />
https://www.meetup.com/OWASP-Belfast/events/254737546/<br />
<br />
'''Encryption and Digital Certificates – A Guide for Software Developers'''<br />
<br />
OWASP Belfast are delighted to announce their October session on Wednesday 10th in the Queens Computer Science building. This session will be a great talk by David Cochrane on encryption and digitial certificates, and will include the usual pizza and drinks.<br />
<br />
''Talk: Encryption and Digital Certificates – A Guide for Software Developers''<br />
<br />
''Abstract'': This presentation is a tutorial covering the basics of these important technologies but rapidly moving into practical use cases and some more in-depth information to assist troubleshooting. It also includes a case study entitled “Building your own Certifying Authority” that highlights some practical techniques for secure development.<br />
<br />
''Speaker Bio'': David Cochrane has responsibility for IT security and risk across the Viridian Group of companies. Viridian Group is an energy utility that owns Power NI and Energia, with over half a million customers throughout Ireland, two power stations and a large portfolio of wind farms. In addition to IT security management, David’s experience includes software design and development, infrastructure design, project management, technical architecture and a range of management roles.<br />
<br />
Thanks to Viridian Group for providing the pizzas and drinks for the event, and to Queens University for providing the venue.<br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Gary_Robinson_2018_Bio_and_Why_me&diff=243461Gary Robinson 2018 Bio and Why me2018-09-16T08:15:15Z<p>Gary David Robinson: /* Bio */</p>
<hr />
<div>=== Bio ===<br />
Hi, I'm Gary Robinson and I've been involved with OWASP since 2011 in most aspects of the organization, including running a chapter, chairing a conference, co-leading a project, and attending numerous conferences, committees, and other behind-the-scene activities.<br />
<br />
As a professional, I'd worked for over 15 years as a software developer, pushing security as a discipline and wrapping it into the SDLC. More recently I've acted as a Senior Application Security Architect at CitiGroup, been a web application penetration tester, and consultant to a number of companies.<br />
<br />
I joined OWASP in 2011 to work on the OWASP Code Review Guide v2, and ever since then I've been impressed by the people and passion in the OWASP community. Some of the highlights of my time in OWASP include:<br />
* Becoming co-project leader of the OWASP Code Review Guide v2 - https://www.owasp.org/images/5/53/OWASP_Code_Review_Guide_v2.pdf<br />
* Starting the OWASP Belfast chapter in 2014, for it to become one of the largest chapters in Europe, with over 1000 members (on meetup) and regularly attracting over 100 attendees to our sessions, despite Belfast being a relatively small city. (https://www.meetup.com/OWASP-Belfast/)<br />
* Chairing OWASP AppSec EU 2017 conference, again in Belfast, which attracted over 700 attendees to become the largest AppSec Europe.<br />
* Being voted onto the OWASP Europe Board back in 2016.<br />
<br />
=== Why Me? ===<br />
Essentially - I understand the many aspects of what makes OWASP (chapters, projects, conferences) having been heavily involved with these in the past, and going forward I want to represent and enable some potential changes, or research, for OWASP to enable it to function better going forward. I think it's important to have been involved in all of these OWASP aspects, as it can allow you to know how they feed into each other, how they enable each other, and spot some opportunities for improvement.<br />
<br />
In terms of an agenda, there are 3 main things I want to look at:<br />
# Finances: We have had a few issues over the past few years, which have been very well debated over the leaders list. These include the Israel/London AppSec conference, the nature of OWASP member/free tickets to these conferences, and the nature of existing funds in chapter accounts. IMO all of these have come down to OWASP finances, and the potential lack of such finances which causes such issues. I'd like to look at ways OWASP can increase it's finances outside of these areas, such as government funding (worldwide), extra corporate funding (without selling our soul), the nature of the OWASP membership, and other areas. I know work has already been partially done in these areas, and if we manage to increase the funding to OWASP, we can better enable the community, and OWASP employees, to deliver the OWASP mission.<br />
# Communication: Let's face it - it's been lacking. I want to conduct some focused sessions examining what has gone wrong in the past, what can be done to improve it, and as Picard says "Make it so".<br />
# Quality: Project review committees have been attempted in the past, and other aspects of OWASP quality have been talked about, hence I'd like to see if there are ways to do this better in the future. Perhaps not with volunteers, but with paid employees if we had extra finance or sponsorship (see 1) above). Having worked on the code review guide, and spent a portion of our funds on review/quality, I know how hard this is to do, and for an industry respected document to have typos and other issues, unfortunately reflects on OWASP as an organization.<br />
Again, having worked on the team, logistics, and quality of a project, herded the cats and finances of a large conference, and built up a successful chapter, I believe I can represent these aspects of OWASP in the board, and move OWASP forward as an organization.<br />
<br />
Thank you,<br />
<br />
Gary</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=238083GSOC2018 Ideas2018-02-25T14:35:16Z<p>Gary David Robinson: /* Removing OWASP Code Review Guide */</p>
<hr />
<div>'''OWASP Foundation has been selected as an organization to be part of the GOOGLE SUMMER CODE 2018''' <br />
<br />
=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* <del>Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop</del> ([https://github.com/bkimminich/juice-shop/issues/315 #315] in progress)<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
== OWASP BLT (Bug Logging Tool) ==<br />
===Brief Explanation:===<br />
<br />
BLT lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
Check OWASP WIKI PAGE [https://www.owasp.org/index.php/OWASP_Bug_Logging_Tool] for some reference;<br />
<br />
===Expected Results:===<br />
* Fuse app to allow easy bug reporting from phone.<br />
* BUG cryptocurrency rewarded for each bug reported - requires a way to verify bugs are valid and not duplicates<br />
* Allow for companies to do private (paid) bug bounties<br />
* allow for bug reporting via email <br />
* build a referral program<br />
* integrate an idea / suggestion feature<br />
<br />
===Knowledge Prerequisite:===<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. Fusetools will be used for the app and C++ (Bitcoin based) or Ethereum will be used for the cryptocurrency part.<br />
<br />
===Proposals from student:===<br />
* Proposal on new features <br />
* Recommendations on how to use social applications to promote OWASP BLT<br />
<br />
'''Mentors:'''<br />
* Sean Auriti [https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] <br />
* Sourav Badami [https://www.owasp.org/index.php/User:Souravbadami Sourav Badami] [mailto:souravbadami@gmail.com @]<br />
<br />
==OWASP RailsGoat - 2017 OWASP Top Ten==<br />
<br />
===Brief Explanation:===<br />
Add support for multiple OWASP Top Ten versions, such as 2017 and 2010.<br />
Currently RailsGoat supports only the 2013 version of OWASP Top Ten.<br />
<br />
===Expected Results:===<br />
* Wonderful experience for Student Developers, Mentors, and Technical Advisors<br />
* A new feature that supports additional version(s) of OWASP Top Ten<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
===Getting Started===<br />
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.<br />
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information<br />
* Issue 305 [https://github.com/OWASP/railsgoat/issues/305] has more details. <br />
<br />
===Knowledge Prerequisite:===<br />
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:'''<br />
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor<br />
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, potentially mentor"<br />
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator<br />
<br />
==OWASP RailsGoat - Capture-The-Flag RailsGoat Image Creation Automation==<br />
<br />
===Brief Explanation:===<br />
Create automation to build a Capture-The-Flag competition (CTF) image (VM, ISO, etc) which contains everything needed, such as [Operating System, Rails Stack, RailsGoat], so RailsGoat can easily be used in more Capture-The-Flag competitions.<br />
<br />
===Expected Results:===<br />
* Wonderful experience for Student Developers, Mentors, and Technical Advisors<br />
* A new feature that automates the process of building RailsGoat CTF images.<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
===Getting Started===<br />
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.<br />
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information<br />
* Issue 306 [https://github.com/OWASP/railsgoat/issues/306] has more details. <br />
<br />
===Knowledge Prerequisite:===<br />
* Some background in creating VMs/ISOs would be helpful.<br />
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:'''<br />
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor<br />
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, potentially mentor"<br />
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator<br />
<br />
==OWASP RailsGoat - Merge "Security on Rails" book's lunchedin examples into RailsGoat==<br />
<br />
===Brief Explanation:===<br />
Merge "Security on Rails" book's lunchedin examples into RailsGoat. Need to get permission from publisher. @jasnow got permission previously.<br />
<br />
===Expected Results:===<br />
* Wonderful experience for Student Developers, Mentors, and Technical Advisors<br />
* More teaching RailsGoat examples based on "Security on Rails" book's lunchedin project.<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
===Getting Started===<br />
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.<br />
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information<br />
* Issue 307 [https://github.com/OWASP/railsgoat/issues/307] has more details. <br />
<br />
===Knowledge Prerequisite:===<br />
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security<br />
would be useful, but not essential.<br />
<br />
'''Mentors:'''<br />
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor<br />
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, potentially mentor"<br />
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator<br />
<br />
==OWASP RailsGoat - Add Devise Gem Support and Vulnerabilities to RailsGoat==<br />
<br />
===Brief Explanation:===<br />
Add Devise Support to RailsGoat along with adding Devise-related vulnerabilities.<br />
<br />
===Expected Results:===<br />
* Wonderful experience for Student Developers, Mentors, and Technical Advisors<br />
* Using Devise gem inside RailsGoat plus Devise-related vulnerabilities.<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
===Getting Started===<br />
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.<br />
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information<br />
* Issue 207 [https://github.com/OWASP/railsgoat/issues/207] and * Issue 243 [https://github.com/OWASP/railsgoat/issues/243] has more details.<br />
<br />
===Knowledge Prerequisite:===<br />
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:'''<br />
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor<br />
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, potentially mentor"<br />
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator<br />
<br />
==OWASP RailsGoat - Generic Idea==<br />
<br />
===Brief Explanation:===<br />
RailsGoat is a great framework for learning about OWASP Top 10 2013 using a vulnerable version of the Ruby on Rails (versions 3 to 5), as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. Feel free to check out the [Railsgoat Github site](https://github.com/OWASP/railsgoat) for more details. If you have an idea that is not on this list then don't worry, you can still submit it.<br />
<br />
===Expected Results:===<br />
* Wonderful experience for Student Developers, Mentors, and Technical Advisors<br />
* A new feature that makes RailsGoat even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
=== Needs: ===<br />
* Student Developers<br />
<br />
===Getting Started===<br />
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.<br />
<br />
===Knowledge Prerequisite:===<br />
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:'''<br />
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor<br />
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, potentially mentor"<br />
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=235991Belfast2017-12-04T11:45:56Z<p>Gary David Robinson: Update for Dec session</p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:siobhan.gallagher@owasp.org Siobhan Gallagher]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter December Session - Tuesday, December 5th 2017'''<br />
<br />
6:30pm @ Liberty IT<br />
<br />
https://www.meetup.com/OWASP-Belfast/events/245434502/<br />
<br />
'''Have you got what it takes to be one of Ireland’s most secure coders?'''<br />
<br />
Join the FIRST EVER All-Ireland OWASP Secure Coding Tournament, with venues in Belfast, along with Dublin & Cork. Whether you are eager to prove your web application AppSec knowledge of the OWASP Top 10 ….and watch as you climb to the top of the Leader board or simply want to learn more at your ease about how to code more securely.<br />
<br />
Note that this is a practical session - EVERYONE is welcome.<br />
<br />
In each challenge, participants will be presented with a series of vulnerable code snippets and will be required to identify the problem, locate the insecure code, and fix the vulnerability. Select from various software languages to complete the tournament, including: Java EE, Java Spring, C# MVC, C# WebForms, Ruby on Rails, Python Django & Node.Js.<br />
<br />
Watch as you climb to the top of the leaderboard and be crowned a 'Secure Code Warrior.' Prizes will be provided to the top three warriors. Please ensure you come with your laptop fully charged, there will be some charging facilities but it would be better for you to arrive prepared.<br />
<br />
To learn more about what to expect during the Tournament and sharpen your skills beforehand, register your account and work through challenges on our Training Mode. Simply, use the link and token key below:<br />
<br />
Registration is available in the weeks before the session, we recommend you register before the session starts:<br />
<br />
<nowiki>https://portal.securecodewarrior.com/#/register</nowiki><br />
<br />
Token Key: 027 549 455 533<br />
<br />
Big thanks to Liberty IT for their sponsorship of this session through use of their facilities, as well as providing pizza and drinks during the session.<br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=234358Belfast2017-10-13T14:45:43Z<p>Gary David Robinson: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:siobhan.gallagher@owasp.org Siobhan Gallagher]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter November Session - Wednesday, November 15th 2017'''<br />
<br />
6:00pm @ 6th Floor, Lombard House, Belfast<br />
<br />
https://www.meetup.com/OWASP-Belfast/events/244109993/<br />
<br />
'''Cyber Incident Detection in an Emergency'''<br />
<br />
Ever wondered how to know if you’re being hacked in the middle of an emergency?<br />
<br />
OWASP Belfast’s November session can help you out. In this session we’ll be covering Cyber Incident Detection in the middle of an emergency. This talk will be given by David McGlade, Cyber Security Lead at Kainos, one of Northern Irelands most successful software companies.<br />
<br />
This session will be held on the 6th floor or Lombard House, through the kind hosting of Entrepreneurial Spark and Ulster Bank. This also allows us to recognize Global Entrepreneurship Week and the many support facilities available to Northern Irish companies, including cyber security start-ups.<br />
<br />
Join us on Wednesday 15th November, from 6pm to 8pm, for pizza, drinks and talks. Special thanks to Kainos for sponsoring food and drinks on the night.<br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=234195Belfast2017-10-07T14:50:25Z<p>Gary David Robinson: Updated for Oct session</p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:siobhan.gallagher@owasp.org Siobhan Gallagher]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter October Session - Monday, October 9th 2017'''<br />
<br />
6:00pm @ Queens Ashby building, Belfast<br />
<br />
https://www.meetup.com/OWASP-Belfast/events/243114644/<br />
<br />
'''Security Biometrics'''<br />
<br />
In this session we're going to take a look at biometrics technology with the local security company B-secur. They have invented electrocardiogram (ECG) biometric technology that utilizes a person’s unique heartbeat for authentication.<br />
<br />
This talk will discuss biometrics and their own biometric technology, how it works, how it was developed, and where it can go in the future. We'll also learn how the cyber security market reacts to this new technology.<br />
<br />
Thanks to Hays for their sponsorship of pizza and drinks for this session. Thanks also to Queens University for allowing us use of the Ashby building again.<br />
<br />
'''Adrian Condon (CTO, B-secur)'''<br />
<br />
Adrian has significant experience and an impressive track record in new product design, leading technical teams and delivering strategic new technology across the industrial, automotive, aeronautical and medical industries.<br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Code_review_feedback&diff=231820Code review feedback2017-07-23T11:42:05Z<p>Gary David Robinson: CRG update</p>
<hr />
<div>= OWASP Code Review Feedback Page=<br />
<br />
The purpose of this page is to record feedback and issues with the OWASP Code Review Guide version 2.0. Whilst a lot of time was spent towards the end of the project to remove these issues, and many issues were removed. As with any collaborated document development, especially of a document this size, there will be typos and the like, with technical issues. <br />
<br />
We appreciate the help of the community in providing feedback on any issues spotted so that we can improve this document. <br />
<br />
If you have access to the OWASP Wiki, please update this page with a list of issues you have spotted. If you do not have access to edit the wiki, then please e-mail the code review team at [mailto:owasp-codereview-project@owasp.org owasp-codereview-project@owasp.org]. <br />
<br />
== Feedback to date ==<br />
<br />
The following feedback items have been received so far regarding v2.0 of the Code Review Guide.<br />
<br />
{|<br />
|Page Number<br />
|Issue Description<br />
|Suggested Resolution<br />
|-<br />
|4<br />
|Word 'thru' used twice<br />
|Change to 'through'<br />
|-<br />
|7<br />
|Typo 'project life cycle will that code reviews should be done'<br />
|Change to 'project life cycle code reviews should be done'<br />
|-<br />
|7<br />
|Typo 'manfully feedback'<br />
|Change to 'meaningful feedback'<br />
|-<br />
|7<br />
|Typo 'on the type of code review do you want to accomplish'<br />
|Change to 'on the type of code review you want to accomplish'<br />
|-<br />
|7<br />
|Typo 'can be assistance to you'<br />
|Change to 'can assist you'<br />
|-<br />
|7<br />
|Typo 'whichh'<br />
|Change to 'which'<br />
|-<br />
|7<br />
|Typo 'prove code methods works'<br />
|Change to 'prove code methods work'<br />
|-<br />
|7<br />
|Typo 'in to the organizations'<br />
|Change to 'into the organizations'<br />
|-<br />
|7<br />
|Following section is unclear 'This book will also work as a reference guide for the code review as code is in the review process'<br />
|Change to 'This book will also work as a reference guide for the secure review of code during the code review process'<br />
|-<br />
|9<br />
|Why does the numbering start at 5?<br />
|This is due to it technically being the 5th section, though the previous sections are not clearly numbered. Is this an issue...?<br />
|-<br />
|10<br />
|Sentence unclear 'If informed decisions are being made based on a measurement of risk in the enterprise, which will be fully<br />
supported.'<br />
|Change to 'If informed decisions are being made based on a measurement of risk in the enterprise, this risk based approach should be fully supported by feedback from code reviews.'<br />
|-<br />
|Numerious places (starting with page 13)<br />
|HIPPA spelt incorrectly (it's HIPAA)<br />
|Change to HIPAA - 3 instances.<br />
|-<br />
|15<br />
|Typo 'encase'<br />
|Change to 'in case'<br />
|-<br />
|15<br />
|Typo 'par-ticular'<br />
|Change to 'particular'<br />
|-<br />
|18<br />
|Typo 'Requirement 6.5 address'<br />
|Change to 'Requirement 6.5 addresses'<br />
|-<br />
|44<br />
|Issue with SQL 'Select custName, address1,address2,city,postalCode WHERE custID= '<br />
|Change to 'SELECT custName, address1 FROM cust_table WHERE custID= '<br />
|-<br />
|57<br />
|Formatting of text 'fields, drop down lists, and other web components are properly validated.' <br />
|This seems to be its own bullet point, however it should be a line continuation of the last bullet point.<br />
|-<br />
|60<br />
|Sample 8.1 text needs to be changed from '‘’’flters.Add(new RequireHttpsAttribute());’’’'<br />
|Change to 'flters.Add(new RequireHttpsAttribute());' (i.e. remove the ''' at either end)<br />
|-<br />
|64<br />
|Formatting issue with text 'However this can be hard to enforce. a. If possible give users the choice of band they wish to use.' <br />
|Change to 'However this can be hard to enforce. If possible give users the choice of band they wish to use.' (i.e. remove the 'a.' and keep it all in the same paragraph.<br />
|-<br />
|68<br />
|Formatting issues<br />
|A number of the bullet points have newlines where they are not needed (3rd, 4th & 5th bullet points).<br />
|-<br />
|68<br />
|Session Fixation points should be bullet points and not numbered (numbers are wrong anyway). <br />
|2nd bullet point should be "All the session-ids should be generated by the application, and then stored in a pool to be checked later for. Application is the sole authority for session generation." - i.e. all 1 paragraph, no new line.<br />
|-<br />
|68<br />
|Formatting issue<br />
|2nd bullet point under session fixation has an unnecessary new line.<br />
|-<br />
|72 <br />
|Typo with 'Another level of to help prevent XSS is to use an Anti-XSS library'<br />
|Change to 'Another level of help to prevent XSS is to use an Anti-XSS library'<br />
|-<br />
|73<br />
|Typo with 'OWASP_Zed_Attack_Proxy_Project'<br />
|Change to 'OWASP Zed Attack Proxy Project'<br />
|-<br />
|90<br />
|Formatting issue<br />
|Need a newline (whitespace) before title "JBoss AS", and sample 11.8 appears mid-sentence<br />
|-<br />
|90<br />
|Formatting issue<br />
|Title "Oracle WebLogic" is at the bottom of the page, needs to be moved to the top of the next page.<br />
|-<br />
|91<br />
|Formatting issue<br />
|Remove text "Principal object"<br />
|}</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Code_review&diff=231819Code review2017-07-23T11:11:50Z<p>Gary David Robinson: Update to code review page</p>
<hr />
<div><div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<div style="border:0,margin:0;overflow: hidden;"><br />
{{OWASP Defenders}} {{OWASP Book|5691953}} <br />
<div style="margin: 5px; padding: 5px; float: left; width:70%">{{Social Media Links}} </div><br />
</div><br />
=Code Review Guide=<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The Release Candidate for the OWASP Code Review Guide is now available!==<br />
Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource. <br />
We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.<br />
<br />
Thank you,<br />
Larry Conklin, Gary Robinson<br />
OWASP Code Review Guides Co-Leaders<br />
<br />
==Introduction==<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.<br />
<br />
The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.<br />
<br />
==Review of Code Review Guide 2.0==<br />
Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to owasp-codereview-project@owasp.org. Private comments may be sent to larry.conklin@owasp.org or gary.robinson@owasp.org . All comments are welcome. All comments should indicate the specific relevant page and section.<br />
<br />
All feedback is critical to the continued success of the OWASP Code Review Guide.<br />
<br />
==Licensing==<br />
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Leader ==<br />
* Larry Conklin [mailto:larry.conklin@owasp.org]<br />
* Gary Robinson [mailto:gary.robinson@owasp.org]<br />
<br />
== Project Email ==<br />
* Project Email [mailto:Owasp-codereview-project@lists.owasp.org]<br />
<br />
==Classifications==<br />
[[File:Owasp-defenders-small.png|link=]]<br />
<br />
[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
<br />
[[File:Project_Type_Files_DOC.jpg|link=]]<br />
<br />
== Related Projects ==<br />
<br />
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
* [https://www.owasp.org/index.php/File:OWASP_Code_Review_Guide_v2.pdf Code Review Guide 2.0]<br />
<br />
== Feedback Page ==<br />
<br />
To leave feedback on the OWASP Code Review Guide V2.0, please use the following [[code_review_feedback|feedback page]], or e-mail the team at [mailto:owasp-codereview-project@owasp.org owasp-codereview-project@owasp.org]<br />
<br />
== In Print ==<br />
Code Review Guide 2.0 will be available in Lulu in the near future.<br />
<br />
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.<br />
|}<br />
<br />
= Acknowledgements =<br />
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead.<br />
<br />
Code Review Mailing list[mailto:Owasp-codereview-project@lists.owasp.org]<br />
<br />
Project leaders [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Code_review&diff=231817Code review2017-07-23T10:59:11Z<p>Gary David Robinson: </p>
<hr />
<div><div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<div style="border:0,margin:0;overflow: hidden;"><br />
{{OWASP Defenders}} {{OWASP Book|5691953}} <br />
<div style="margin: 5px; padding: 5px; float: left; width:70%">{{Social Media Links}} </div><br />
</div><br />
=Code Review Guide=<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The Release Candidate for the OWASP Code Review Guide is now available!==<br />
Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource. <br />
We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.<br />
<br />
Thank you,<br />
Larry Conklin, Gary Robinson<br />
OWASP Code Review Guides Co-Leaders<br />
<br />
==Introduction==<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.<br />
<br />
The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.<br />
<br />
==Review of Code Review Guide 2.0==<br />
Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to owasp-codereview-project@owasp.org. Private comments may be sent to larry.conklin@owasp.org or gary.robinson@owasp.org . All comments are welcome. All comments should indicate the specific relevant page and section.<br />
<br />
All feedback is critical to the continued success of the OWASP Code Review Guide.<br />
<br />
==Licensing==<br />
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Leader ==<br />
* Larry Conklin [mailto:larry.conklin@owasp.org]<br />
* Gary Robinson [mailto:gary.robinson@owasp.org]<br />
<br />
== Project Email ==<br />
* Project Email [mailto:Owasp-codereview-project@lists.owasp.org]<br />
<br />
==Classifications==<br />
[[File:Owasp-defenders-small.png|link=]]<br />
<br />
[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
<br />
[[File:Project_Type_Files_DOC.jpg|link=]]<br />
<br />
== Related Projects ==<br />
<br />
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
* [https://www.owasp.org/index.php/File:OWASP_Code_Review_Guide_v2.pdf Code Review Guide 2.0]<br />
<br />
== In Print ==<br />
Code Review Guide 2.0 will be available in Lulu in the near future.<br />
<br />
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.<br />
|}<br />
<br />
= Acknowledgements =<br />
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead.<br />
<br />
Code Review Mailing list[mailto:Owasp-codereview-project@lists.owasp.org]<br />
<br />
Project leaders [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=231756Belfast2017-07-19T10:45:46Z<p>Gary David Robinson: Adding summer social event</p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:siobhan.gallagher@owasp.org Siobhan Gallagher]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter August Session - Thursday, August 3 2017'''<br />
<br />
6:30pm @ Allstate NI building, Lanyon Place, Belfast<br />
<br />
https://www.meetup.com/OWASP-Belfast/events/241017867/<br />
<br />
'''Security by Design: Continuous Delivery, Integration, and Audit'''<br />
<br />
We are interrupting our summer break to take advantage of a visit by Nathan Gibson, Information Security & Privacy Professional at AllState.<br />
<br />
Nathan will be giving an session on maintaining, analyzing, confirming, and reporting on the status of required information security, compliance, and privacy controls is a difficult and significant task for software and security engineers. This talk discusses real world applications and examples for integrating Security by Design with your Continuous Deployment environment. Tools include the use of Jenkins, Chef, Metasploit, Fuzzers, vulnerability scanning (Nexpose), test driven development and system hardening.<br />
<br />
Refreshments will be provided, all are welcome. This event will contain the one session by Nathan, and there will be time for questions and discussions afterwards.<br />
<br />
'''Nathan Gibson'''<br />
<br />
Nathan is an Information Security & Privacy Professional who specializes in continuous integration, inspection, and deployment environments. He brings information security and risk management concepts into the product portfolio realization pipeline and embeds the behavior naturally into design, develop, test, and refactor pipelines as a member of the technical team.<br />
<br />
Nathan enjoys coding, studying software development methodologies, and keeping up to date on the latest information security trends and methodologies.<br />
<br />
Nathan’s professional qualifications include over 15 years experience in the industry where he has successfully managed secure information systems in dynamic, multinational environments. Nathan is experienced in all aspects of enterprise wide security with tasks ranging from governance and risk assessments through writing code and configuring systems.<br />
<br />
To compliment this background, Nathan maintains numerous certifications and academic training covering everything from governance to cryptography. He holds a Masters In Information Security and a Bachelors in Computer Science.<br />
<br />
'''Northern Ireland Cyber Cluster – Cyber Mixer event (23rd August)'''<br />
<br />
In combination with ISACA, BCS and CSIT, OWASP Belfast are putting on Northern Ireland Cyber Cluster – Cyber Mixer event. This event will be free to attend and provide food, drinks, and the ability to mix with the local cyber-security cluster.<br />
<br />
There'll be no presentations, no sponsors, no formality. It's simply a networking event to get to know your fellow security professionals at ISACA, BCS and CSIT over food and a few drinks.<br />
<br />
This event will be on Wednesday 23rd August in The Gallary (Dublin Road) at 6pm. You can sign-up at https://www.eventbrite.co.uk/e/northern-ireland-cyber-cluster-cyber-mixer-event-tickets-36265505102<br />
<br />
Please sign-up using the OWASP 'ticket type'.<br />
<br />
'''Please Note''': numbers are limited to 100, so we at OWASP Belfast have 25 tickets to use, so please only sign-up if you are absolutely able to make it. If you sign-up and then can't make it, please update eventbrite so that someone else from OWASP can attend.<br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=231738Belfast2017-07-18T09:12:08Z<p>Gary David Robinson: Updated for August Session</p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:siobhan.gallagher@owasp.org Siobhan Gallagher]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter August Session - Thursday, August 3 2017'''<br />
<br />
6:30pm @ Allstate NI building, Lanyon Place, Belfast<br />
<br />
https://www.meetup.com/OWASP-Belfast/events/241017867/<br />
<br />
'''Security by Design: Continuous Delivery, Integration, and Audit'''<br />
<br />
We are interrupting our summer break to take advantage of a visit by Nathan Gibson, Information Security & Privacy Professional at AllState.<br />
<br />
Nathan will be giving an session on maintaining, analyzing, confirming, and reporting on the status of required information security, compliance, and privacy controls is a difficult and significant task for software and security engineers. This talk discusses real world applications and examples for integrating Security by Design with your Continuous Deployment environment. Tools include the use of Jenkins, Chef, Metasploit, Fuzzers, vulnerability scanning (Nexpose), test driven development and system hardening.<br />
<br />
Refreshments will be provided, all are welcome. This event will contain the one session by Nathan, and there will be time for questions and discussions afterwards.<br />
<br />
'''Nathan Gibson'''<br />
<br />
Nathan is an Information Security & Privacy Professional who specializes in continuous integration, inspection, and deployment environments. He brings information security and risk management concepts into the product portfolio realization pipeline and embeds the behavior naturally into design, develop, test, and refactor pipelines as a member of the technical team.<br />
<br />
Nathan enjoys coding, studying software development methodologies, and keeping up to date on the latest information security trends and methodologies.<br />
<br />
Nathan’s professional qualifications include over 15 years experience in the industry where he has successfully managed secure information systems in dynamic, multinational environments. Nathan is experienced in all aspects of enterprise wide security with tasks ranging from governance and risk assessments through writing code and configuring systems.<br />
<br />
To compliment this background, Nathan maintains numerous certifications and academic training covering everything from governance to cryptography. He holds a Masters In Information Security and a Bachelors in Computer Science.<br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=File:OWASP_Code_Review_Guide_v2.pdf&diff=231678File:OWASP Code Review Guide v2.pdf2017-07-14T10:31:30Z<p>Gary David Robinson: </p>
<hr />
<div></div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Category:OWASP_Code_Review_Project&diff=231677Category:OWASP Code Review Project2017-07-14T10:29:44Z<p>Gary David Robinson: Slight update</p>
<hr />
<div><div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<div style="border:0,margin:0;overflow: hidden;"><br />
{{OWASP Defenders}} {{OWASP Book|5691953}} <br />
<div style="margin: 5px; padding: 5px; float: left; width:70%">{{Social Media Links}} </div><br />
</div><br />
=Code Review Guide=<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The Release Candidate for the OWASP Code Review Guide is now available!==<br />
Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource. <br />
We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.<br />
<br />
Thank you,<br />
Larry Conklin, Gary Robinson<br />
OWASP Code Review Guides Co-Leaders<br />
<br />
==Introduction==<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.<br />
<br />
The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.<br />
<br />
==Review of Code Review Guide 2.0==<br />
Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to owasp-codereview-project@owasp.org. Private comments may be sent to larry.conklin@owasp.org or gary.robinson@owasp.org . All comments are welcome. All comments should indicate the specific relevant page and section.<br />
<br />
All feedback is critical to the continued success of the OWASP Code Review Guide.<br />
<br />
==Licensing==<br />
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Leader ==<br />
* Larry Conklin [mailto:larry.conklin@owasp.org]<br />
* Gary Robinson [mailto:gary.robinson@owasp.org]<br />
<br />
== Project Email ==<br />
* Project Email [mailto:owasp-codereview-project@owasp.org]<br />
<br />
==Classifications==<br />
[[File:Owasp-defenders-small.png|link=]]<br />
<br />
[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
<br />
[[File:Project_Type_Files_DOC.jpg|link=]]<br />
<br />
== Related Projects ==<br />
<br />
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
* [https://www.owasp.org/index.php/File:OWASP_Code_Review_Guide_v2.pdf Code Review Guide 2.0]<br />
<br />
== In Print ==<br />
Code Review Guide 2.0 will be available in Lulu in the near future.<br />
<br />
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.<br />
|}<br />
<br />
= Acknowledgements =<br />
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Dublin Founder and Chapter Lead.<br />
<br />
Code Review Mailing list[mailto:owasp-codereview-project@owasp.org]<br />
<br />
Project leaders [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Category:OWASP_Code_Review_Project&diff=231676Category:OWASP Code Review Project2017-07-14T10:28:32Z<p>Gary David Robinson: Updating link to release version</p>
<hr />
<div><div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<div style="border:0,margin:0;overflow: hidden;"><br />
{{OWASP Defenders}} {{OWASP Book|5691953}} <br />
<div style="margin: 5px; padding: 5px; float: left; width:70%">{{Social Media Links}} </div><br />
</div><br />
=Code Review Guide=<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The Release Candidate for the OWASP Code Review Guide is now available!==<br />
Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource. <br />
We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.<br />
<br />
Thank you,<br />
Larry Conklin, Gary Robinson<br />
OWASP Code Review Guides Co-Leaders<br />
<br />
==Introduction==<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.<br />
<br />
The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.<br />
<br />
==Review of Code Review Guide 2.0==<br />
Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to owasp-codereview-project@owasp.org. Private comments may be sent to larry.conklin@owasp.org or gary.robinson@owasp.org . All comments are welcome. All comments should indicate the specific relevant page and section.<br />
<br />
All feedback is critical to the continued success of the OWASP Code Review Guide.<br />
<br />
==Licensing==<br />
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Leader ==<br />
* Larry Conklin [mailto:larry.conklin@owasp.org]<br />
* Gary Robinson [mailto:gary.robinson@owasp.org]<br />
<br />
== Project Email ==<br />
* Project Email [mailto:owasp-codereview-project@owasp.org]<br />
<br />
==Classifications==<br />
[[File:Owasp-defenders-small.png|link=]]<br />
<br />
[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
<br />
[[File:Project_Type_Files_DOC.jpg|link=]]<br />
<br />
== Related Projects ==<br />
<br />
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
* [https://www.owasp.org/index.php/File:OWASP_Code_Review_Guide_v2.pdf Code Review Guide 2.0]<br />
<br />
== In Print ==<br />
Code Review Guide 2.0 will be available in Lulu in the near future.<br />
<br />
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.<br />
|}<br />
<br />
= Acknowledgements =<br />
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead.<br />
<br />
Code Review Mailing list[mailto:owasp-codereview-project@owasp.org]<br />
<br />
Project leaders [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=228716Belfast2017-04-16T19:35:05Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:siobhan.gallagher@owasp.org Siobhan Gallagher]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - Monday May 8th'''<br />
<br />
6pm @ Waterfront Conference Center, Belfast<br />
<br />
https://www.meetup.com/OWASP-Belfast/events/238434511/<br />
<br />
OWASP Belfasts' May session with be held in conjunction with the Women Who Code Belfast Chapter, and will form part of the OWASP AppSec EU Conference program.<br />
<br />
'''OWASP Women in AppSec & Women Who Code: An Evening with the Pros!'''<br />
<br />
Kicking off our OWASP AppSec EU Conference in May, we are holding a youth outreach event during the day (further details on the website 2017.appsec.eu) and an evening networking/mentoring session which we are running together with Women Who Code Belfast.<br />
<br />
This joint OWASP and WWCode meetup will highlight the successes of women in the tech & security community, how to get into cyber security, and why you should care. There will be a range of talks from professionals within the industry who have come from all over Europe to attend AppSec EU, and a chance to rub shoulders with the big names in the industry. <br />
<br />
We hope to see you all there! Refreshments will be provided.<br />
<br />
YOU DO NOT NEED AN APPSEC EU CONFERENCE TICKET TO ATTEND THIS EVENT. The event is open to all and free to attend but you will need to register and places may be limited.<br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=218845Belfast2016-07-12T16:01:16Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:siobhan.gallagher@owasp.org Siobhan Gallagher]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - Monday July 18th'''<br />
<br />
6:45 PM Queens Ashby Building<br />
Stranmillis Rd, Belfast BT9 5AG, Belfast<br />
<br />
http://www.meetup.com/OWASP-Belfast/events/231770209/<br />
<br />
OWASP Belfasts' July session will be a full session on secure coding with lots of examples and some code, along with the usual pizza and beers (kindly sponsored by Vanrath).<br />
<br />
'''Rails Secure Coding - Owen Mooney'''<br />
<br />
Learn the pitfalls of secure code development with Ruby based on the experience of the edgescan development team. The workshop shall cover many of the most common application security vulnerabilities and additional considerstions for developers when building applications in Ruby for deployment to the public Internet or the cloud.This 2.5 hour workshop shall be delivered by Owen Mooney, lead developer for edgescan.com, the cloud based full stack vulnerability management SaaS. <br />
<br />
Please note that the session will begin at the earlier time of 18:45. There will be a break half way through for pizza & beers and the session will finish at 21:45. No equipment is required for attendance. <br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Category:OWASP_Code_Review_Project&diff=218282Category:OWASP Code Review Project2016-06-26T09:15:01Z<p>Gary David Robinson: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Code Review Guide Project==<br />
<br />
{{OWASP Book|5678680}}<br />
<br />
==Introduction==<br />
<br />
The code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information. The combination of a book on secure code review and tools to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.<br />
Going forward I hope to further integrate with the ASVS and other guides such as the testing and ASDR guides shall be perfromed for version 2.0.t<br />
<br />
==Alpha Release OWASP Code Review 2.0==<br />
'''OWASP Code Review Guide 2.0 Alpha release is now available.''' It is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
The document is divided into two main sections. One section covers the why (reasons for doing secure code reviews) and how. This section main focus is IT management and project leads.<br />
<br />
Second sections deals with vulnerabilities. It is based on the poplar OWASP top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.<br />
<br />
The last big section is the appendix. Here we have content like code reviewer list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.<br />
<br />
==Alpha Peer Review of Code Review Guide 2.0==<br />
We have a small amount of content that is not in the code review guide. Both Gary and I are working on completing this. One thing we have tried to do is to have the code review guide flow as a book than a collection of separate articles based on a major topic. <br />
<br />
'''Code Review Guide 2.0 needs the following to be peer reviewed:''' <br />
<br />
#Grammar, spelling.<br />
#Review content that is easily understandable, not complex to be understood and or followed. <br />
#Code is correct. <br />
#No outdated code or components. I.e code sample shows.Net, Java, PHP of release that is at least 8 years old in how current software is being written. This is very subjective; a good example is java struts where java struts 2.0 would be coded entirely different.<br />
#Missing content. Did we exclude or gloss over some content that needs to be included? We can’t include everything or we would never get done but if you feel we need to include something please ay so.<br />
#We are looking for good useable, and complete feedback.<br />
<br />
'''''On the editing process, it will be of great help if a reviewer could send of the corrected paragraph or code block along with the chapter, and page numbers. '''''<br />
<br />
Because of some unforeseen issues we are not able to provide a word document. I apologize for that, however editing the PDF is very possible and should not stop the review process.<br />
<br />
==Licensing==<br />
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Code Review Guide? ==<br />
<br />
OWASP Code Review Guide provides:<br />
<br />
* [[OWASP Code Review Guide Table of Contents]] from v1<br />
<br />
== Project Leader ==<br />
<br />
* Larry Conklin [mailto:larry.conklin@owasp.org]<br />
* Gary Robinson [mailto:gary.robinson@owasp.org]<br />
<br />
== Related Projects ==<br />
<br />
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
* [https://www.owasp.org/index.php/File:OWASP_CRG_BetaReview.docx Beta review version of OWASP Code Review Guide for AppSec EU 2016 Summit]<br />
* [https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf Code Review Guide V1.1]<br />
* [https://www.owasp.org/images/7/78/OWASP_AlphaRelease_CodeReviewGuide2.0.pdf Alpha Release Code Review Guide 2.0 ]<br />
* [https://www.owasp.org/index.php/File:Change_Journal.docx Word doc to track changes/additions/deletions to Alpha Release Code review Guide 2.0]<br />
<br />
== Email List ==<br />
<br />
[http://lists.owasp.org/mailman/listinfo/owasp-codereview Sign up]<br />
<br />
== News and Events ==<br />
<br />
'''''Code Review Guide 2.0 Alpha Release is now available'''''<br />
----<br />
'''OWASP New York Chapter'''<br />
'''''March 2 2016'''''<br />
<br />
First before anything else both Gary and I want to thank the '''New York OWASP Chapter''' for being willing to have a working session on reviewing the work of the Code Review Guide team. I know its much more exciting to learn new hacking techniques or procedures to prevent it. Never less reviewing the book is a very much-needed effort and Gary and I very much appreciate everyone in New York taking time to do this. <br />
<br />
I also want to give out a big shout of thanks to Ken Belva for help in pushing both Gary and myself to get the document ready for everyone. Last but not least we both also want to thank Helen Gao and Charles Beganskas.<br />
<br />
== In Print ==<br />
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead. Current project leaders are Larry Conklin and Gary Robinson If you are interested in volunteering for the project, or have a comment, question, or suggestion, please drop me a line [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
==Get Involved==<br />
All of the OWASP Guides are living documents that will continue to change as the threat and security landscape changes.<br />
We welcome everyone to join the Code Review Guide Project and help us make this document great. The best way to get started is to subscribe to the mailing list by following the link below or contact the project leaders listed below.<br />
<br />
Please introduce yourself and ask to see if there is anything you can help with. We are always looking for new contributions. If there is a topic that you’d like to research and contribute, please let us know!<br />
<br />
Code Review Mailing list[mailto:owasp-codereview@lists.owasp.org owasp-codereview@lists.owasp.org]<br />
<br />
Project leaders [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP Code Review Project| Project About}}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP Project|Code Review Project]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Release Quality Document]]<br />
[[Category:SAMM-CR-1]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=File:OWASP_CRG_BetaReview.docx&diff=218281File:OWASP CRG BetaReview.docx2016-06-26T09:13:17Z<p>Gary David Robinson: Beta review version for OWASP AppSecEU 2016 conference summit.
Instructions for review are at the top of the document.</p>
<hr />
<div>Beta review version for OWASP AppSecEU 2016 conference summit.<br />
<br />
Instructions for review are at the top of the document.</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=217130Belfast2016-05-20T16:01:21Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:siobhan.gallagher@owasp.org Siobhan Gallagher]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - Monday May 9th'''<br />
<br />
7:00 PM Queens Ashby Building<br />
Stranmillis Rd, Belfast BT9 5AG, Belfast<br />
<br />
Register at http://www.meetup.com/OWASP-Belfast/events/230568917/<br />
<br />
OWASP Belfasts' May session has two talks planned, along with the usual pizza and beers (kindly sponsored by Veracode).<br />
<br />
'''Secure Design'''<br />
<br />
Gary Robinson, OWASP Belfast Chapter Leader<br />
<br />
When it comes to high risk applications, secure design considerations can be included before a line of code is written. This talk will give a brief introduction to the concept of Secure Design, where it fits into the SDLC, and some of the covering principals that the industry relies upon. <br />
<br />
<br />
'''Threat detection and identification along the kill chain'''<br />
<br />
Hugh Njemanze - CEO and Founder of Anomali<br />
<br />
https://www.anomali.com/company/leadership/hugh-njemanze <br />
<br />
A brief overview of the evolution of SIEM, the emergence of Threat Intelligence feeds, and the arrival of Threat Intelligence Platforms that integrate the two with the goal of increasing the effectiveness of Cyber Security Operations.<br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=OWASP_Code_review_V2_AppSecEU_Agenda&diff=216895OWASP Code review V2 AppSecEU Agenda2016-05-15T12:57:20Z<p>Gary David Robinson: Created page with "== OWASP AppSec EU 2016 Agenda == The OWASP Code Review Guide (v2) is attending the AppSec EU Project Summit in Rome during June 2016. At this summit we will be inviting par..."</p>
<hr />
<div>== OWASP AppSec EU 2016 Agenda ==<br />
<br />
The OWASP Code Review Guide (v2) is attending the AppSec EU Project Summit in Rome during June 2016. At this summit we will be inviting participants to spend some of their time to review the Beta version of the guide.<br />
<br />
High level agenda is as follows:<br />
* Copies of the guide will be available as PDF, either downloadable from the Internet, or on CD<br />
* Participants will be asked to scan the document ToC, determine a section they have experience in, and review.<br />
* Review comments will be collected and fed back into the beta review cycle.<br />
* As incentive, the Code Review Guide will bring a 10 year old Irish Whiskey, to be raffled among the participants taking part in the review.<br />
<br />
Any questions, contact the OWASP Code Review Guide leaders.</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=216027Belfast2016-04-27T08:32:30Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:johnathan.kuskos@owasp.org Johnathan Kuskos]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - Monday May 9th'''<br />
<br />
7:00 PM Queens Ashby Building<br />
Stranmillis Rd, Belfast BT9 5AG, Belfast<br />
<br />
Register at http://www.meetup.com/OWASP-Belfast/events/230568917/<br />
<br />
OWASP Belfasts' May session has two talks planned, along with the usual pizza and beers (kindly sponsored by Veracode).<br />
<br />
'''Secure Design'''<br />
<br />
Gary Robinson, OWASP Belfast Chapter Leader<br />
<br />
When it comes to high risk applications, secure design considerations can be included before a line of code is written. This talk will give a brief introduction to the concept of Secure Design, where it fits into the SDLC, and some of the covering principals that the industry relies upon. <br />
<br />
<br />
'''Threat detection and identification along the kill chain'''<br />
<br />
Hugh Njemanze - CEO and Founder of Anomali<br />
<br />
https://www.anomali.com/company/leadership/hugh-njemanze <br />
<br />
A brief overview of the evolution of SIEM, the emergence of Threat Intelligence feeds, and the arrival of Threat Intelligence Platforms that integrate the two with the goal of increasing the effectiveness of Cyber Security Operations.<br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=215846Belfast2016-04-23T09:40:25Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:johnathan.kuskos@owasp.org Johnathan Kuskos]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - Monday May 9th'''<br />
<br />
7:00 PM Queens Ashby Building<br />
Stranmillis Rd, Belfast BT9 5AG, Belfast<br />
<br />
Register at http://www.meetup.com/OWASP-Belfast/events/230568917/<br />
<br />
OWASP Belfasts' May session has two talks planned, along with the usual pizza and beers (kindly sponsored by Veracode).<br />
<br />
'''Secure Design'''<br />
<br />
Gary Robinson, OWASP Belfast Chapter Leader<br />
<br />
When it comes to high risk applications, secure design considerations can be included before a line of code is written. This talk will give a brief introduction to the concept of Secure Design, where it fits into the SDLC, and some of the covering principals that the industry relies upon. <br />
<br />
<br />
'''Threat detection and identification along the kill chain'''<br />
<br />
Hugh Njemanze - CEO and Founder of Anomali<br />
<br />
https://www.anomali.com/company/leadership/hugh-njemanze <br />
<br />
Brief of talk TBC. <br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=215845Belfast2016-04-23T09:38:08Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:johnathan.kuskos@owasp.org Johnathan Kuskos]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - Monday May 9th'''<br />
<br />
7:00 PM Queens Ashby Building<br />
Stranmillis Rd, Belfast BT9 5AG, Belfast<br />
<br />
Register at http://www.meetup.com/OWASP-Belfast/events/230568917/<br />
<br />
OWASP Belfasts' May session has two talks planned, along with the usual pizza and beers (kindly sponsored by Veracode).<br />
<br />
'''Secure Design'''<br />
<br />
Gary Robinson, OWASP Belfast Chapter Leader<br />
<br />
When it comes to high risk applications, secure design considerations can be included before a line of code is written. This talk will give a brief introduction to the concept of Secure Design, where it fits into the SDLC, and some of the covering principals that the industry relies upon. <br />
<br />
<br />
'''Threat detection and identification along the kill chain'''<br />
<br />
ugh Njemanze - CEO and Founder of Anomali<br />
<br />
https://www.anomali.com/company/leadership/hugh-njemanze <br />
<br />
Brief of talk TBC. <br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=210904Belfast2016-03-10T14:01:02Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:johnathan.kuskos@owasp.org Johnathan Kuskos]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - Monday March 14th'''<br />
<br />
7:00 PM Queens Ashby Building<br />
Stranmillis Rd, Belfast BT9 5AG, Belfast<br />
<br />
Register at http://www.meetup.com/OWASP-Belfast/events/228894486/<br />
<br />
OWASP Belfasts' March session has two great talks planned, along with the usual pizza and beers (kindly sponsored by Vertical Structure).<br />
<br />
'''Top 10 WebHacks of 2015'''<br />
<br />
<br />
Kuskos - Threat Center Manager at Whitehat<br />
<br />
Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its tenth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent research. <br />
<br />
<br />
'''Open Source Security – What Security Testing Tools Miss'''<br />
<br />
Mike Pittenger - VP of Security Strategy for Blackduck<br />
<br />
Static analysis, dynamic analysis, and other testing tools are all essential weapons against adversaries. But for the 80%+ of companies worldwide that use open source software in their application development these tools are ineffective in identifying and mitigating open source security risks . This presentation will cover: <br />
• The value of static and dynamic tools, and where they best fit in the Secure Development Lifecycle <br />
• Why these tools are not useful in identifying known vulnerabilities in open source components <br />
• Controls development and security professionals can deploy to select, detect, manage and monitor open source for existing and newly disclosed vulnerabilities. <br />
<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Category:OWASP_Code_Review_Project&diff=210149Category:OWASP Code Review Project2016-03-01T07:33:51Z<p>Gary David Robinson: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Code Review Guide Project==<br />
<br />
{{OWASP Book|5678680}}<br />
<br />
==Introduction==<br />
<br />
The code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information. The combination of a book on secure code review and tools to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.<br />
Going forward I hope to further integrate with the ASVS and other guides such as the testing and ASDR guides shall be perfromed for version 2.0.t<br />
<br />
==Alpha Release OWASP Code Review 2.0==<br />
'''OWASP Code Review Guide 2.0 Alpha release is now available.''' It is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
The document is divided into two main sections. One section covers the why (reasons for doing secure code reviews) and how. This section main focus is IT management and project leads.<br />
<br />
Second sections deals with vulnerabilities. It is based on the poplar OWASP top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.<br />
<br />
The last big section is the appendix. Here we have content like code reviewer list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.<br />
<br />
==Alpha Peer Review of Code Review Guide 2.0==<br />
We have a small amount of content that is not in the code review guide. Both Gary and I are working on completing this. One thing we have tried to do is to have the code review guide flow as a book than a collection of separate articles based on a major topic. <br />
<br />
'''Code Review Guide 2.0 needs the following to be peer reviewed:''' <br />
<br />
#Grammar, spelling.<br />
#Review content that is easily understandable, not complex to be understood and or followed. <br />
#Code is correct. <br />
#No outdated code or components. I.e code sample shows.Net, Java, PHP of release that is at least 8 years old in how current software is being written. This is very subjective; a good example is java struts where java struts 2.0 would be coded entirely different.<br />
#Missing content. Did we exclude or gloss over some content that needs to be included? We can’t include everything or we would never get done but if you feel we need to include something please ay so.<br />
#We are looking for good useable, and complete feedback.<br />
<br />
'''''On the editing process, it will be of great help if a reviewer could send of the corrected paragraph or code block along with the chapter, and page numbers. '''''<br />
<br />
Because of some unforeseen issues we are not able to provide a word document. I apologize for that, however editing the PDF is very possible and should not stop the review process.<br />
<br />
==Licensing==<br />
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the Code Review Guide? ==<br />
<br />
OWASP Code Review Guide provides:<br />
<br />
* [[OWASP Code Review Guide Table of Contents]] from v1<br />
<br />
== Project Leader ==<br />
<br />
* Larry Conklin [mailto:larry.conklin@owasp.org]<br />
* Gary Robinson [mailto:gary.robinson@owasp.org]<br />
<br />
== Related Projects ==<br />
<br />
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
* [https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf Code Review Guide V1.1]<br />
* [https://www.owasp.org/images/7/78/OWASP_AlphaRelease_CodeReviewGuide2.0.pdf Alpha Release Code Review Guide 2.0 ]<br />
<br />
== Email List ==<br />
<br />
[http://lists.owasp.org/mailman/listinfo/owasp-codereview Sign up]<br />
<br />
== News and Events ==<br />
<br />
'''''Code Review Guide 2.0 Alpha Release is now available'''''<br />
----<br />
'''OWASP New York Chapter'''<br />
'''''March 2 2016'''''<br />
<br />
First before anything else both Gary and I want to thank the '''New York OWASP Chapter''' for being willing to have a working session on reviewing the work of the Code Review Guide team. I know its much more exciting to learn new hacking techniques or procedures to prevent it. Never less reviewing the book is a very much-needed effort and Gary and I very much appreciate everyone in New York taking time to do this. <br />
<br />
I also want to give out a big shout of thanks to Ken Belva for help in pushing both Gary and myself to get the document ready for everyone. Last but not least we both also want to thank Helen Gao and Charles Beganskas.<br />
<br />
== In Print ==<br />
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead. Current project leaders are Larry Conklin and Gary Robinson If you are interested in volunteering for the project, or have a comment, question, or suggestion, please drop me a line [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
==Get Involved==<br />
All of the OWASP Guides are living documents that will continue to change as the threat and security landscape changes.<br />
We welcome everyone to join the Code Review Guide Project and help us make this document great. The best way to get started is to subscribe to the mailing list by following the link below or contact the project leaders listed below.<br />
<br />
Please introduce yourself and ask to see if there is anything you can help with. We are always looking for new contributions. If there is a topic that you’d like to research and contribute, please let us know!<br />
<br />
Code Review Mailing list[mailto:owasp-codereview@lists.owasp.org owasp-codereview@lists.owasp.org]<br />
<br />
Project leaders [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP Code Review Project| Project About}}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP Project|Code Review Project]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Release Quality Document]]<br />
[[Category:SAMM-CR-1]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Category:OWASP_Github_Documentation&diff=208966Category:OWASP Github Documentation2016-02-15T21:25:02Z<p>Gary David Robinson: </p>
<hr />
<div>==Proposal to transport OWASP wiki content Documentation to a centralize system==<br />
<br />
===Problem Definition===<br />
The issues that can arise from our current method of developing our various docs include:<br />
*Draft content that exists in the wiki. This may be in varying states (correct, incorrect, lousy, confused, etc.) and is visible to the internet and typically not clearly labelled as draft. Google ‘owasp purple monkey dishwasher’ for an example of a draft wiki page visible to the internet. This content also needs to get cleaned up after a project release.<br />
*Substandard descriptions/content can get into our docs. Getting people to review every line/example/diagram/appendix is difficult with a volunteer organization (as other threads have discussed)<br />
*Duplications happen, as 10 different projects create/copy/paste their definitions of topics such as XSS, SQLi, CSRF, etc. This wastes effort in an organization already constrained of active volunteers.<br />
*Content gets out-of-date. The work to create a new version of a doc project takes years.<br />
<br />
==Proposal Details==<br />
* We dump all of the content from our wiki, current docs, descriptions in code tools, etc. We put it into markup (as some projects are already doing) and add it to source code repositories.<br />
* We share doc markup files across ALL docs and code projects. For example, imagine we have a folder for SQLi. This directory contains the OWASP ‘golden source’ for SQLi definition, examples, code, tests, etc. * Repeat for all other AppSec issues (CSRF, cert pinning, etc.). We use a mechanism to ‘compile’ these markdown files into PDFs and integrate into code project HTML pages.<br />
* Similar to good coding projects, we control who can edit the files under certain directories – people we know have expertise in an area. Edits get peer reviewed before submission. Other people can suggest edits and prove their experience to the existing team to join it.<br />
*We allow anyone to ‘include’ this markup file into their project. So if the Code Review Guide wants to add a section on SQLi, and needs a definition, I don’t write it (or copy from wiki), I simply include the relevant markup file. Same for testing guide, dev guide, ZAP hints page, security shepherd info page, cheetsheet, and on and on.<br />
*We allow all of our docs, plus the wiki, plus all code projects, to dynamically use an markup file update. We make this ‘real time’. This needs an example. Say in March a massive change occurs in the world of SQLi. Right now any project that talks about SQLi would need to manually go in and update, and those updates will be of varying quality and content. If, instead, one (true) source file was update, all those other projects could spot the change and automatically rebuild themselves, meaning the next person to download a development guide PDF, or view the wiki, would get the updated SQLi information.<br />
<br />
This is a big change. This may be a controversial change. However it would greatly reduce our workload (only one markup document needs to get updated). It will also greatly reduce review tasks, as everyone is sharing core content which is reviewed once. It also improves our image to the world, as all projects have the same great descriptions and content.<br />
This change also improves our responsiveness. Imagine a heartbleed type issue being reflected in all OWASP code and documentation projects, as well as the wiki/cheetsheets, within a few days? (simply the time for the team to agree updates to the text/examples/descriptions, review, and submit)<br />
We should also make these markup files available to anyone on the internet (read only). This way the source descriptions become an OWASP resource it itself, and anyone out there needing to spread the word on AppSec has easy access to rock solid, up-to-date definitions.<br />
This changes the model, from people like myself who run ‘projects’, to smaller expert teams who know ‘technologies’ (such as SQLi or IIS secure configuration). It focuses people where they want to be on docs projects, but easily shares that knowledge across all OWASP (and more) projects. It also means there’d never be another need to clean-up the wiki – it would always be based off the markup content.<br />
<br />
Big downside: there’s a large piece of work to start it off. All content would need to get organized, put into sensible structure, converted to markdown, argued over, ‘experts’ defined and assigned, etc. I doubt this would be a volunteer effort, and may need contractor involvement. Could this be combined with the OWASP wiki redesign?<br />
<br />
==Draft Plan==<br />
<br />
==Volunteers==<br />
<br />
Gary Robinson<br />
<br />
==Participating Document Projects==<br />
<br />
Code Review Project</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=203245Belfast2015-11-09T21:49:13Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Sponsorship Opportunities ==<br />
<br />
There are many ways you can help the OWASP Belfast Chapter spread the word about computer security and secure coding. Including the following:<br />
* If you have a room available to hold a meeting, let us know.<br />
* Companies can cover the OWASP membership costs of their employees.<br />
* Supply a speaker on a topic of interest to the OWASP Belfast members, or cover their costs to present.<br />
* Sponsor food and drink for a session.<br />
* Further sponsorship can be provided directly to the OWASP Belfast Chapter itself, using the link above. Direct sponsorship allows the OWASP Belfast Board to use the funds as needed to run events.<br />
<br />
In return for any sponsorship we can add your company to our list of sponsors on the OWASP Wiki and Meetup sites, and share communications with session attendees. Contact the OWASP Belfast Board (below) for more details.<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:johnathan.kuskos@owasp.org Johnathan Kuskos]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - Wednesday November 25th'''<br />
<br />
'''Hands on Hacking with OWASP Security Shepherd'''<br />
<br />
OWASP Belfast's November session will be a presentation and hands on hacking experience with the OWASP Security Shepherd team. <br />
<br />
We are excited to have Mark and Paul, the creators of Security Shepherd, joining us for the night to talk us through the web site hacking tool that educates the user while allowing them to hack their specialized site.<br />
<br />
We will be meeting in the large lecture theatre in Queen's Ashby Building for the night. Participants should bring their laptops along as Mark and Paul talk us through the Security Shepherd tool and allow us to hack our way through it. No previous experience of hacking web sites is required (in fact the tool starts the user from basic hacks up to the most advanced).<br />
<br />
Participants without laptops can still attend and learn about the tool and hacking techniques involved. Participants can also form teams to share their laptops and hack the site faster. The session is expected to run from 6:30pm to around 8pm.<br />
<br />
Unfortunately there will not be any pizza at this session, however there will be an opportunity to socialize with Mark, Paul and the other attendees afterwards.<br />
<br />
Note: To prepare your laptop for the session, please install the Firefox browser (or Google Chrome) and a proxy such as OWASP ZAP (free) or Burp. <br />
<br />
You can RSVP for the event at the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/events/226561409/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=203081Belfast2015-11-05T10:33:08Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:johnathan.kuskos@owasp.org Johnathan Kuskos]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - Wednesday November 25th'''<br />
<br />
'''Hands on Hacking with OWASP Security Shepherd'''<br />
<br />
OWASP Belfast's November session will be a presentation and hands on hacking experience with the OWASP Security Shepherd team. <br />
<br />
We are excited to have Mark and Paul, the creators of Security Shepherd, joining us for the night to talk us through the web site hacking tool that educates the user while allowing them to hack their specialized site.<br />
<br />
We will be meeting in the large lecture theatre in Queen's Ashby Building for the night. Participants should bring their laptops along as Mark and Paul talk us through the Security Shepherd tool and allow us to hack our way through it. No previous experience of hacking web sites is required (in fact the tool starts the user from basic hacks up to the most advanced).<br />
<br />
Participants without laptops can still attend and learn about the tool and hacking techniques involved. Participants can also form teams to share their laptops and hack the site faster. The session is expected to run from 6:30pm to around 8pm.<br />
<br />
Unfortunately there will not be any pizza at this session, however there will be an opportunity to socialize with Mark, Paul and the other attendees afterwards.<br />
<br />
Note: To prepare your laptop for the session, please install the Firefox browser (or Google Chrome) and a proxy such as OWASP ZAP (free) or Burp. <br />
<br />
You can RSVP for the event at the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/events/226561409/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=CRV2_Forward&diff=201007CRV2 Forward2015-09-23T15:45:58Z<p>Gary David Robinson: </p>
<hr />
<div>'''The OWASP Code Review Guide:'''<br />
<br />
The OWASP Code Review guide is the result of initially contributing and leading the Testing Guide. Initially, it was thought to place Code review and testing into the same guide; it seemed like a good idea at the time. But the topic called security code review got too big and evolved into its own stand-alone guide.<br />
<br />
The Code Review guide was started in 2006 by [https://www.owasp.org/index.php/Eoin_Keary Eoin Keary]. <br />
This current version was started in April 2013 via the OWASP Project Reboot initiative.<br />
<br />
The [[OWASP Code Review team]] consists of a small, but talented, group of volunteers who should really get out more often.<br />
<br />
It is common knowledge that more secure software can be produced and developed in a more cost effective way when bugs are detected early on in the systems development life-cycle. Organizations with a proper code review functions integrated into the software development life-cycle (SDLC) produced remarkably better code from a security standpoint. Simply put "We can't hack ourselves secure". Attackers have more time to fine vulnerabilities on a system than the time allocated to a defender. Hacking our way secure amounts to a uneven battlefield; Asymmetric warfare, a loosing battle.<br />
<br />
By necessity, this guide does not cover all languages; it mainly focuses on .NET and Java, but has a little C/C++ and PHP thrown in also. However, the techniques advocated in the book can be easily adapted to almost any code environment. Fortunately, the security flaws in web applications are remarkably consistent across programming languages.<br />
<br />
Purple Monkey Dishwasher</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=200301Belfast2015-09-09T20:58:38Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:johnathan.kuskos@owasp.org Johnathan Kuskos]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - Thursday October 1st'''<br />
<br />
The next OWASP Belfast Chapter session will be taking place on Thursday 1st October at the Radisson Blu (near the GasWorks). The event is free to attend and will have a great talk on Mobile Pentesting followed by time to ask general questions and socialize.<br />
<br />
Itinerary of events:<br />
* 7:00pm - Introductions and information<br />
* 7:15pm - Mobile Pentesting presentation by Leo McCavana <br />
* 8:00pm - Discussion and socializing<br />
<br />
You can RSVP for the event at the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/events/225232883/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=200174Belfast2015-09-07T18:17:58Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
* [mailto:johnathan.kuskos@owasp.org Johnathan Kuskos]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - Thursday October 1st'''<br />
<br />
The next OWASP Belfast Chapter session will be taking place on Thursday 1st October at the Radisson Blu (near the GasWorks). The event is free to attend and will have a great talk on Mobile Pentesting followed by time to ask general questions and socialize.<br />
<br />
Itinerary of events:<br />
TBD<br />
<br />
You can RSVP for the event at the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=200173Belfast2015-09-07T18:16:44Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - Thursday October 1st'''<br />
<br />
The next OWASP Belfast Chapter session will be taking place on Thursday 1st October at the Radisson Blu (near the GasWorks). The event is free to attend and will have a great talk on Mobile Pentesting followed by time to ask general questions and socialize.<br />
<br />
Itinerary of events:<br />
TBD<br />
<br />
You can RSVP for the event at the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=191413Belfast2015-03-14T14:03:13Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - March 2015'''<br />
<br />
The next OWASP Belfast Chapter session will be taking place on Wednesday 18th March at the Citi building, 60 Sydenham Rd (beside the Odyssey). The event is free to attend and will have 2 great talks on the current state of the security industry, and as usual pizza and soft drinks will be provided. There will also be the opportunity to avail of some free OWASP merchandise. This event will be held in association with ISACA Ireland.<br />
<br />
Itinerary of events:<br />
* 6:30pm - Mark Schloesser from Rapid7 will discuss "Conducting internet-wide research". Mark Schloesser (@repmovsb) is a security researcher at Rapid7, analyzing threats and developing countermeasures to help defenders understand and protect against the risks they face. He is deeply involved in developing open-source software and in his free time likes reverse engineering malware and botnets and participating in CTF competitions. He regularly speaks at industry events, most recently Black Hat USA and Black Hat Asia.<br />
* 7:10pm - PSNI Dective Inspector Dougie Grant will provide an update on Cyber Security Crime within Northern Ireland, the Police Service of Northern Ireland's Non-Emergency Cyber Incident Report system for businesses, and the Cyber Security Information Sharing Partnership (CISP) Northern Ireland group<br />
* 7:50pm - Discussion and debate over pizza and soft drinks<br />
<br />
You can RSVP for the event at the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
OWASP Belfast would like to thank InvestNI for their sponsoring of this event and the OWASP Belfast Chapter, and Citi for the use of their venue for this event.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=190764Belfast2015-03-04T06:59:43Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - March 2015'''<br />
<br />
The next OWASP Belfast Chapter session will be taking place on Wednesday 18th March at the Citi building, 60 Sydenham Rd (beside the Odyssey). The event is free to attend and will have 2 great talks on the current state of the security industry, and as usual Pizza and soft drinks will be provided. There will also be the opportunity to avail of some free OWASP merchandise. This event will be held in association with ISACA Ireland.<br />
<br />
Itinerary of events:<br />
* 6:30pm - Mark Schloesser from Rapid7 will discuss "Conducting internet-wide research". Mark Schloesser (@repmovsb) is a security researcher at Rapid7, analyzing threats and developing countermeasures to help defenders understand and protect against the risks they face. He is deeply involved in developing open-source software and in his free time likes reverse engineering malware and botnets and participating in CTF competitions. He regularly speaks at industry events, most recently Black Hat USA and Black Hat Asia.<br />
* 7:05pm - A representative of the PSNI Cyber Security Division will discuss upcoming Cyber Security initiatives specific to Northern Ireland<br />
* 7:40pm - Discussion and debate over Pizza and soft drinks<br />
<br />
You can RSVP for the event at the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
OWASP Belfast would like to thank InvestNI for their sponsoring of this event and the OWASP Belfast Chapter, and Citi for the use of their venue for this event.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=190533Belfast2015-03-02T12:07:42Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - March 2015'''<br />
<br />
The next OWASP Belfast Chapter session will be taking place on Wednesday 18th March at the Citi building, 60 Sydenham Rd (beside the Odyssey). The event is free to attend and will have 2 great talks on the current state of the security industry, and as usual Pizza and soft drinks will be provided. There will also be the opportunity to avail of some free OWASP merchandise. This event will be held in association with ISACA Ireland.<br />
<br />
Itinerary of events:<br />
* 6:30pm - Mark Schloesser from Rapid7 will discuss "Modern security scalability challenges". Mark Schloesser (@repmovsb) is a security researcher at Rapid7, analyzing threats and developing countermeasures to help defenders understand and protect against the risks they face. He is deeply involved in developing open-source software and in his free time likes reverse engineering malware and botnets and participating in CTF competitions. He regularly speaks at industry events, most recently Black Hat USA and Black Hat Asia.<br />
* 7:05pm - A representative of the PSNI Cyber Security Division will discuss upcoming Cyber Security initiatives specific to Northern Ireland<br />
* 7:40pm - Discussion and debate over Pizza and soft drinks<br />
<br />
You can RSVP for the event at the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
OWASP Belfast would like to thank InvestNI for their sponsoring of this event and the OWASP Belfast Chapter, and Citi for the use of their venue for this event.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=190532Belfast2015-03-02T12:02:57Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - March 2015'''<br />
<br />
The next OWASP Belfast Chapter session will be taking place on Wednesday 18th March at the Citi building, 60 Sydenham Rd (beside the Odyssey). The event is free to attend and will have 2 great talks on the current state of the security industry, and as usual Pizza and soft drinks will be provided. There will also be the opportunity to avail of some free OWASP merchandise. This event will be held in association with ISACA Ireland.<br />
<br />
Itinerary of events:<br />
* 6:30pm - Mark Schloesser from Rapid7 will discuss "Modern security scalability challenges"<br />
* 7:05pm - A representative of the PSNI Cyber Security Division will discuss upcoming Cyber Security initiatives specific to Northern Ireland<br />
* 7:40pm - Discussion and debate over Pizza and soft drinks<br />
<br />
You can RSVP for the event at the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
OWASP Belfast would like to thank InvestNI for their sponsoring of this event and the OWASP Belfast Chapter, and Citi for the use of their venue for this event.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=190505Belfast2015-03-01T17:17:03Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - March 2015'''<br />
<br />
The next OWASP Belfast Chapter session will be taking place on Wednesday 18th March at the Citi building, 60 Sydenham Rd (beside the Odyssey). The event will have 2 great talks on the current state of the security industry, and as usual Pizza and soft drinks will be provided. There will also be the opportunity to avail of some free OWASP merchandise.<br />
<br />
Itinerary of events:<br />
* 6:30pm - Mark Schloesser from Rapid7 will discuss "Modern security scalability challenges"<br />
* 7:05pm - A representative of the PSNI Cyber Security Division will discuss upcoming Cyber Security initiatives specific to Northern Ireland<br />
* 7:40pm - Discussion and debate over Pizza and soft drinks<br />
<br />
You can RSVP for the event at the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
OWASP Belfast would like to thank InvestNI for their sponsoring of this event and the OWASP Belfast Chapter, and Citi for the use of their venue for this event.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=190504Belfast2015-03-01T17:15:04Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - March 2015'''<br />
<br />
The next OWASP Belfast Chapter session will be taking place on Wednesday 18th March at the Citi building, 60 Sydenham Rd (beside the Odyssey). The event will have 2 great talks on the current state of the security industry, and as usual Pizza and soft drinks will be provided. There will also be the opportunity to avail of some free OWASP merchandise.<br />
<br />
Itinerary of events:<br />
* 6:30pm - Mark Schloesser from Rapid7 will discuss "Modern security scalability challenges"<br />
* 7:05pm - A representative of the PSNI Cyber Security Division will discuss upcoming Cyber Security specific to Northern Ireland<br />
* 7:40pm - Discussion and debate over Pizza and soft drinks<br />
<br />
You can RSVP for the event at the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
OWASP Belfast would like to thank InvestNI for their sponsoring of this event and the OWASP Belfast Chapter, and Citi for the use of their venue for this event.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=190503Belfast2015-03-01T17:13:50Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - March 2015'''<br />
<br />
The next OWASP Belfast Chapter session will be taking place on Wednesday 18th March at the Citi building, 60 Sydenham Rd (beside the Odyssey). The event will have 2 great talks on the current state of the security industry, and as usual Pizza and soft drinks will be provided. There will also be the opportunity to avail of some free OWASP merchandise.<br />
<br />
Itinerary of events:<br />
* 6:30pm - Mark Schloesser from Rapid7 will discuss "Modern security scalability challenges"<br />
* 7:05pm - A representative of the PSNI Cyber Security Division will discuss upcoming Cyber Security specific to Northern Ireland<br />
* 7:40pm - Discussion and debate over Pizza and soft drinks<br />
<br />
You can RSVP for the event at the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=CRV2_CodeReviewTools&diff=190084CRV2 CodeReviewTools2015-02-22T17:10:22Z<p>Gary David Robinson: </p>
<hr />
<div><br />
<br />
== Overview ==<br />
As discussed in Code Review Guide there are many reason to automate the process of code reviews within the organization SDLC practices. We won't review all those reasons here again but we would like to share with the reader a list of the tools both commercial and open source. OWASP is vendor natural for that reason the text below is supplied by the vendors themselves unless otherwise stated. OWASP does not endorse commercial or open source tools outside of OWASP own projects.<br />
<br />
==Commercial Code Review Tools==<br />
===Crucible by Atlassian Software===<br />
* https://www.atlassian.com/software/crucible/overview<br />
====Begin Atlassian supplied description of their Code Review tool====<br />
<br />
Crucible is Atlassian’s on-premises code review solution for enterprise teams. Crucible makes it easy to review code changes, make comments and record outcomes thoroughly and efficiently. It encourages developers to carry out more code reviews – improving code quality and fostering collaboration. It is code review made easy for Subversion, CVS, Perforce and other systems.<br />
<br />
The flexible code review process allows you to configure your reviews based on workflows or participants. Whether used to perform ad-hoc reviews or in a formal process, Crucible removes the administrative overhead and enables distributive teams to work together. As reviews are inherently iterative, Crucible’s fully threaded comments let teams discuss code regardless of time and location and provide comments directly on specific source lines and files. <br />
<br />
When using Crucible, individuals can create reviews directly from the command line, build quick reviews with cut-and-paste snippets and perform one-click reviews from changesets or issues. These reviews can be carried out before check-ins, ensuring the quality of code going into production. As files are always kept up-to-date, developers do not have to worry they are reviewing code that is outdated. With the added bonus of notifications & reminders, audit trails, and reports, Crucible is here to help you produce the best source code possible.<br />
<br />
====End Atlassian supplied description of their Code Review tool====<br />
<br />
<br />
<br />
===ReviewBoard by reviewboard.org===<br />
* http://www.reviewboard.org/<br />
====Begin ReviewBoard description by Gary Robinson====<br />
ReviewBoard is a freely available (MIT license) open source tool supporting many of the review functions required for all sizes of projects, from small team projects to large company repositories. <br />
The ReviewBoard server is cross platform (runs on Python) and supports SVN, CVS, GIT, Perforce repositories, as well as integrating with your companies LDAP infastructure to control authenticated users. It allows code diffs to be submitted pre-commit and post-commit with facilities for coder documentation/annotation and integration with bug tracking software (e.g. bugzilla) to allow reviewers to have more context during the review.<br />
Code reviewers can collaborate in two ways; reviewers comments are displayed in-line in a diff viewing of the code via the web interface, and are sent via e-mail to the code submitter and other reviewers.<br />
ReviewBoard also offers to host a review tool in the cloud for a fee.<br />
<br />
====End ReviewBoard description by Gary David Robinson====</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=CRV2_SecCommsHTTPHdrs&diff=189733CRV2 SecCommsHTTPHdrs2015-02-15T17:33:35Z<p>Gary David Robinson: </p>
<hr />
<div>= This is a draft version =<br />
<br />
== Overview ==<br />
<br />
HTTP headers allow the server to dictate or advise the user agent and intermediary servers how to handle the content being provided. Some of these headers can aid a web site in securing itself; these include the standard Cache-Control headers, and newer specifications like HSTS and Content Security Policy headers.<br />
<br />
<br />
<br />
== Description ==<br />
<br />
From a security point of view controlling the HTTP headers sent with web site content can tell the users browser how to store the content, how to access further content, and how to trust various parts of the content received by the browser. <br />
<br />
Two points to note up front:<br />
<br />
# Headers can only be trusted over a HTTPS session<br />
# This section only covers HTTP response headers<br />
<br />
Without HTTPS between the web server and the users browser an attacker can modify the content or the associated headers. Thus if you were returning headers specifying that your web site should only be access over HTTPS, an attacker could remove these headers and the browser would not receive the information. A web site should not trust HTTP request headers for security decisions as there are many ways an attacker could modify these headers (or construct the whole request themselves), so there is nothing to cover for secure headers coming from the client, as they are inherently insecure. Of course the cookie header is an exception to this, but that is because our web site has set the cookie header to a random value that should only be known during the browsing session. This section will not cover the cookie header as this is covered in the session management topic.<br />
<br />
<br />
=== Caching Headers ===<br />
<br />
For business web sites that allow sensitive or confidential information to be downloaded to the client device, the caching of that sensitive data will become a security issue. A user accessing their bank account details does not want an intermediary proxy caching their web pages. A legal web site does not want copies of sensitive PDF documents stored on the laptop or smartphone disk storage, only for that device to be lost and the documents visible to an attacker.<br />
<br />
The 'Cache-Control' header tells the users browser how to handle the content being downloaded. Some browsers can interpret the header values differently thus the understood header settings to return with content that must not be cached are:<br />
<br />
Cache-Control: no-store, no-cache<br />
Pragma: no-cache<br />
Expires: 0<br />
<br />
This should be understood by all browsers (including mobile webviews) that the content being returned must not be stored to disk cache. Note that it is possible for intermediate proxies to ignore caching headers and still cache the content, which is another reason why using end-to-end HTTPS sessions is important, as the proxies will only have encrypted versions of the sensitive content.<br />
<br />
<br />
=== Content Security Policy ===<br />
<br />
Cross Site Scripting (XSS) is still one of the most frequent security issues experienced on web sites, it's A3 on the OWASP Top 10 (2013), and it covers a variety of ways attackers can bypass the browser same origin policy to trick the browsers into executing the attackers code. Content Security Policy headers are designed to allow a web site to inform the browser where scripts, frames, etc can be sourced from, and are a good way of mitigating XSS issues.<br />
<br />
The structure of the header is as follows:<br />
<br />
Content-Security-Policy: <directive> <sources><br />
<br />
Where the directive tells the browser what type of content is being controlled, and the source lists the places where the content can validly be obtained from, for example:<br />
<br />
Content-Security-Policy: script-src 'self' https://www.example.com<br />
<br />
... tells the browser that javascript code files (i.e. *.js files) can only be sourced from 'self' (i.e. the current web site, note the single quotes are necessary) or https://www.example.com. If the browser rendering the page finds javascript from some other site, it will fail to render and flag an error message to the end user. In this way the web site has prevented the attacker from injecting links to their own javascript (e.g. "<script src='http://badguy.com/bad.js'></script>").<br />
<br />
The directives controlled by the Content Security Policy include:<br />
<br />
{|<br />
|Directive<br />
|Description<br />
|-<br />
|script-src<br />
|Lists the sources where javascript files are allowed to be sourced from.<br />
|-<br />
|object-src<br />
|Lists the sources where flash and other plugin objects are allowed from. <br />
|-<br />
|frame-src<br />
|Lists the sources where frames are allowed from. <br />
|-<br />
|style-src<br />
|Lists the sources where CSS files are allowed from. <br />
|}<br />
<br />
If a directive is not specified then the default is wide open, all sources are allowed. If you do not wish to provide a directive for all options then you can specify a default-src which will then apply to all unspecified directives, for example:<br />
<br />
Content-Security-Policy: default-src 'self'<br />
<br />
... forces all scripts, frames, objects, etc to be sourced from the current web site. When specifying a URL the scheme is enforced, so stating https://www.example.com will prevent any items coming from www.example.com over HTTP (i.e. without SSL). You can also provide a wildcard on the leftmost portion of the domain, e.g. https://*.example.com. Multiple directives are separated by semi-colons, e.g.<br />
<br />
Content-Security-Policy: script-src 'self' https://www.example.com; frame-src 'self' https://frames.example.com<br />
<br />
If you wished to completely disable an option, for example you don't want any frames in your page, you can disable a directive using the 'none' keyword:<br />
<br />
Content-Security-Policy: frame-src 'none'<br />
<br />
<br />
==== Preventing Inlining ====<br />
<br />
A further feature of Content Security Policy is to tell the browser not to allow inline javascript code, or evals. As well as driving better programming practices by separating scripting code from the display markup, this option allows inline scripting to be disabled (a major vector of XSS, e.g. <script>alert(1);</script>). By providing a script-src or style-src (in the case of CSS) the Content Security Policy automatically bans inline scripts (javascript and CSS). If you wish to allow inline scripting, or inline use of the eval function (which can construct javascript) you have to explicitly specify 'unsafe-inline' or 'unsafe-eval', e.g.<br />
<br />
Content-Security-Policy: script-src 'self' 'unsafe-inline'<br />
<br />
<br />
==== Applying CSP To Web Pages ====<br />
<br />
When using Content Security Policy, note that the header has to be included in every web page. This can easily be achieved through configuration of common frameworks (e.g. mod_headers in Apache) if the policy is the same for the entire site. If the Content Security Policy header is being dynamically created for each web page, be aware that directives cannot be repeated, if the header specifies the directive the second listing will be ignored.<br />
<br />
The header varies slightly between IE and other browsers, for IE you must specify "X-Content-Security-Policy", whilst all other browsers use "Content-Security-Policy".<br />
<br />
<br />
==== Using Content Security Policy Reporting ====<br />
<br />
The Content Security Policy allows the browser to report any violations of the defined sources. The CSP header can include the "report-uri" directive as in the following:<br />
<br />
Content-Security-Policy: default-src 'self'; report-uri /csp_receiver;<br />
<br />
With this directive, if the browser experiences any page/content that violates the directive it will send a JSON report to the defined URL similar to the following:<br />
<br />
{<br />
"csp-report": {<br />
"document-uri": "https://www.example.com/default.html",<br />
"referrer": "https://www.example.com/",<br />
"blocked-uri": "https://bad.guy.com/bad_guy.js",<br />
"violated-directive": "script-src 'self' https://www.example.com",<br />
"original-policy": "script-src 'self' https://www.example.com; report-uri https://www.example.com/csp_receiver"<br />
}<br />
} <br />
<br />
This reporting feature can be used to determine any attacks occurring on your content. Also note that if you specify HTTPS in the report-uri scheme, and the receiver URI is on the current web server, the report JSON can be authenticated as the cookie will be passed over the secure session.<br />
<br />
If you simply wish to trail the CSP headers, i.e. not actually have the browser enforce the constraints encase it breaks anything, you can instead use the "Content-Security-Policy-Report-Only" header. This will tell the browser to understand the directives and monitor for policy violations, but in the case of a violation the browser will still render the page as if the header was not specified, instead it will send the JSON report. This is a great way to trail the CSP headers on live traffic to see what breaches are currently occurring, or to ensure you have configured your CSP headers before deployment. An example of this is:<br />
<br />
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp_receiver;<br />
<br />
<br />
=== HTTP Strict Transport Security ===<br />
<br />
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. When the browser receives the HSTS header it will prevent any subsequent requests from being sent over HTTP to the web site, instead only using HTTPS, for the timeframe specified in the header. It also prevents HTTPS click through prompts on browsers.<br />
<br />
Simple example, using a long (1 year) max-age:<br />
<br />
Strict-Transport-Security: max-age=31536000<br />
<br />
If all present and future subdomains will be HTTPS:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains<br />
<br />
If the site owner would like their domain to be included in the maintained by Chrome (and used by Firefox and Safari), then use:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<br />
<br />
The 'preload' flag indicates the site owner's consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the list.<br />
<br />
Use caution when setting excessively strict STS policies. Including subdomains should only be used in environments where all sites within your organization for the given domain name require ssl. Max-age limits should be carefully considered as infrequent visitors may find your site inaccessible if you relax your policy.<br />
<br />
Before enabling includeSubDomains, also consider the impact of any existing DNS CNAME records for CDNs, email services, or other 3rd party services. Since includeSubDomains will force such CNAME subdomains to https:// it's likely the browser will throw a domain-mismatch error, which is hard to reverse because of the browser caching nature of HSTS.<br />
<br />
<br />
== What to Review ==<br />
<br />
When reviewing code modules from an HTTP header security point of view, some common issues to look out for include:<br />
<br />
* Do not perform security decisions based on client request HTTP headers (apart from the cookie headers specified as HTTPOnly)<br />
* Do not trust request headers not passed over HTTPS connections.<br />
* Ensure you validate the format (length, characters, etc) of the header value before processing it.<br />
* For sensitive content, remember to specify the relevant caching headers so standard browsers do not store the content to disk. Remember, however, that non-standard browsers or intermediate proxies can ignore the caching headers, thus delivering sensitive content over HTTPS provides more protection.<br />
* Consider providing Content Security Policy headers for your site.<br />
* Ensure CSP headers are provided for all web pages, typically using web framework configuration.<br />
* Test the CSP header settings using the "Content-Security-Policy-Report-Only" header to ensure current web usage is not affected.<br />
* Include CSP header testing in testing, adding specific test cases to ensure violations are caught.<br />
* If CSP headers are being used to prevent inline XSS, do not relax other protections such as input validation or output encoding.<br />
* Note there are two ways to ensure a web sites' pages are loaded using HTTPS only:<br />
** Setting "Strict-Transport-Security" headers, which only need to be specified once per 'max-age' timeframe and is remembered by the browser for subsequent get requests<br />
** Setting CSP header to specify an HTTPS domain, e.g. "Content-Security-Policy: default-src 'self' https:", which must be specified on every page, and only affects artifacts loaded for the current page, not subsequent get requests.<br />
<br />
<br />
== References ==<br />
<br />
* https://www.owasp.org/index.php/HTTP_Strict_Transport_Security<br />
* http://content-security-policy.com/<br />
* http://www.html5rocks.com/en/tutorials/security/content-security-policy/<br />
* http://www.w3.org/TR/CSP/</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=CRV2_SecCommsHTTPHdrs&diff=189732CRV2 SecCommsHTTPHdrs2015-02-15T17:21:01Z<p>Gary David Robinson: </p>
<hr />
<div>= This is a draft version =<br />
<br />
== Overview ==<br />
<br />
HTTP headers allow the server to dictate or advise the user agent and intermediary servers how to handle the content being provided. Some of these headers can aid a web site in securing itself; these include the standard Cache-Control headers, and newer specifications like HSTS and Content Security Policy headers.<br />
<br />
<br />
<br />
== Description ==<br />
<br />
From a security point of view controlling the HTTP headers sent with web site content can tell the users browser how to store the content, how to access further content, and how to trust various parts of the content received by the browser. <br />
<br />
Two points to note up front:<br />
<br />
# Headers can only be trusted over a HTTPS session<br />
# This section only covers HTTP response headers<br />
<br />
Without HTTPS between the web server and the users browser an attacker can modify the content or the associated headers. Thus if you were returning headers specifying that your web site should only be access over HTTPS, an attacker could remove these headers and the browser would not receive the information. A web site should not trust HTTP request headers for security decisions as there are many ways an attacker could modify these headers (or construct the whole request themselves), so there is nothing to cover for secure headers coming from the client, as they are inherently insecure. Of course the cookie header is an exception to this, but that is because our web site has set the cookie header to a random value that should only be known during the browsing session. This section will not cover the cookie header as this is covered in the session management topic.<br />
<br />
<br />
=== Caching Headers ===<br />
<br />
For business web sites that allow sensitive or confidential information to be downloaded to the client device, the caching of that sensitive data will become a security issue. A user accessing their bank account details does not want an intermediary proxy caching their web pages. A legal web site does not want copies of sensitive PDF documents stored on the laptop or smartphone disk storage, only for that device to be lost and the documents visible to an attacker.<br />
<br />
The 'Cache-Control' header tells the users browser how to handle the content being downloaded. Some browsers can interpret the header values differently thus the understood header settings to return with content that must not be cached are:<br />
<br />
Cache-Control: no-store, no-cache<br />
Pragma: no-cache<br />
Expires: 0<br />
<br />
This should be understood by all browsers (including mobile webviews) that the content being returned must not be stored to disk cache. Note that it is possible for intermediate proxies to ignore caching headers and still cache the content, which is another reason why using end-to-end HTTPS sessions is important, as the proxies will only have encrypted versions of the sensitive content.<br />
<br />
<br />
=== Content Security Policy ===<br />
<br />
Cross Site Scripting (XSS) is still one of the most frequent security issues experienced on web sites, it's A3 on the OWASP Top 10 (2013), and it covers a variety of ways attackers can bypass the browser same origin policy to trick the browsers into executing the attackers code. Content Security Policy headers are designed to allow a web site to inform the browser where scripts, frames, etc can be sourced from, and are a good way of mitigating XSS issues.<br />
<br />
The structure of the header is as follows:<br />
<br />
Content-Security-Policy: <directive> <sources><br />
<br />
Where the directive tells the browser what type of content is being controlled, and the source lists the places where the content can validly be obtained from, for example:<br />
<br />
Content-Security-Policy: script-src 'self' https://www.example.com<br />
<br />
... tells the browser that javascript code files (i.e. *.js files) can only be sourced from 'self' (i.e. the current web site, note the single quotes are necessary) or https://www.example.com. If the browser rendering the page finds javascript from some other site, it will fail to render and flag an error message to the end user. In this way the web site has prevented the attacker from injecting links to their own javascript (e.g. "<script src='http://badguy.com/bad.js'></script>").<br />
<br />
The directives controlled by the Content Security Policy include:<br />
<br />
{|<br />
|Directive<br />
|Description<br />
|-<br />
|script-src<br />
|Lists the sources where javascript files are allowed to be sourced from.<br />
|-<br />
|object-src<br />
|Lists the sources where flash and other plugin objects are allowed from. <br />
|-<br />
|frame-src<br />
|Lists the sources where frames are allowed from. <br />
|-<br />
|style-src<br />
|Lists the sources where CSS files are allowed from. <br />
|}<br />
<br />
If a directive is not specified then the default is wide open, all sources are allowed. If you do not wish to provide a directive for all options then you can specify a default-src which will then apply to all unspecified directives, for example:<br />
<br />
Content-Security-Policy: default-src 'self'<br />
<br />
... forces all scripts, frames, objects, etc to be sourced from the current web site. When specifying a URL the scheme is enforced, so stating https://www.example.com will prevent any items coming from www.example.com over HTTP (i.e. without SSL). You can also provide a wildcard on the leftmost portion of the domain, e.g. https://*.example.com. Multiple directives are separated by semi-colons, e.g.<br />
<br />
Content-Security-Policy: script-src 'self' https://www.example.com; frame-src 'self' https://frames.example.com<br />
<br />
If you wished to completely disable an option, for example you don't want any frames in your page, you can disable a directive using the 'none' keyword:<br />
<br />
Content-Security-Policy: frame-src 'none'<br />
<br />
<br />
==== Preventing Inlining ====<br />
<br />
A further feature of Content Security Policy is to tell the browser not to allow inline javascript code, or evals. As well as driving better programming practices by separating scripting code from the display markup, this option allows inline scripting to be disabled (a major vector of XSS, e.g. <script>alert(1);</script>). By providing a script-src or style-src (in the case of CSS) the Content Security Policy automatically bans inline scripts (javascript and CSS). If you wish to allow inline scripting, or inline use of the eval function (which can construct javascript) you have to explicitly specify 'unsafe-inline' or 'unsafe-eval', e.g.<br />
<br />
Content-Security-Policy: script-src 'self' 'unsafe-inline'<br />
<br />
<br />
==== Applying CSP To Web Pages ====<br />
<br />
When using Content Security Policy, note that the header has to be included in every web page. This can easily be achieved through configuration of common frameworks (e.g. mod_headers in Apache) if the policy is the same for the entire site. If the Content Security Policy header is being dynamically created for each web page, be aware that directives cannot be repeated, if the header specifies the directive the second listing will be ignored.<br />
<br />
The header varies slightly between IE and other browsers, for IE you must specify "X-Content-Security-Policy", whilst all other browsers use "Content-Security-Policy".<br />
<br />
<br />
==== Using Content Security Policy Reporting ====<br />
<br />
The Content Security Policy allows the browser to report any violations of the defined sources. The CSP header can include the "report-uri" directive as in the following:<br />
<br />
Content-Security-Policy: default-src 'self'; report-uri /csp_receiver;<br />
<br />
With this directive, if the browser experiences any page/content that violates the directive it will send a JSON report to the defined URL similar to the following:<br />
<br />
{<br />
"csp-report": {<br />
"document-uri": "https://www.example.com/default.html",<br />
"referrer": "https://www.example.com/",<br />
"blocked-uri": "https://bad.guy.com/bad_guy.js",<br />
"violated-directive": "script-src 'self' https://www.example.com",<br />
"original-policy": "script-src 'self' https://www.example.com; report-uri https://www.example.com/csp_receiver"<br />
}<br />
} <br />
<br />
This reporting feature can be used to determine any attacks occurring on your content. Also note that if you specify HTTPS in the report-uri scheme, and the receiver URI is on the current web server, the report JSON can be authenticated as the cookie will be passed over the secure session.<br />
<br />
If you simply wish to trail the CSP headers, i.e. not actually have the browser enforce the constraints encase it breaks anything, you can instead use the "Content-Security-Policy-Report-Only" header. This will tell the browser to understand the directives and monitor for policy violations, but in the case of a violation the browser will still render the page as if the header was not specified, instead it will send the JSON report. This is a great way to trail the CSP headers on live traffic to see what breaches are currently occurring, or to ensure you have configured your CSP headers before deployment. An example of this is:<br />
<br />
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp_receiver;<br />
<br />
<br />
=== HTTP Strict Transport Security ===<br />
<br />
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. When the browser receives the HSTS header it will prevent any subsequent requests from being sent over HTTP to the web site, instead only using HTTPS, for the timeframe specified in the header. It also prevents HTTPS click through prompts on browsers.<br />
<br />
Simple example, using a long (1 year) max-age:<br />
<br />
Strict-Transport-Security: max-age=31536000<br />
<br />
If all present and future subdomains will be HTTPS:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains<br />
<br />
If the site owner would like their domain to be included in the maintained by Chrome (and used by Firefox and Safari), then use:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<br />
<br />
The 'preload' flag indicates the site owner's consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the list.<br />
<br />
Use caution when setting excessively strict STS policies. Including subdomains should only be used in environments where all sites within your organization for the given domain name require ssl. Max-age limits should be carefully considered as infrequent visitors may find your site inaccessible if you relax your policy.<br />
<br />
Before enabling includeSubDomains, also consider the impact of any existing DNS CNAME records for CDNs, email services, or other 3rd party services. Since includeSubDomains will force such CNAME subdomains to https:// it's likely the browser will throw a domain-mismatch error, which is hard to reverse because of the browser caching nature of HSTS.<br />
<br />
<br />
== What to Review ==<br />
<br />
When reviewing code modules from an HTTP header sercurity point of view, some common issues to look out for include:<br />
<br />
* <br />
* <br />
* <br />
<br />
<br />
== References ==<br />
<br />
* https://www.owasp.org/index.php/HTTP_Strict_Transport_Security<br />
* http://content-security-policy.com/<br />
* http://www.html5rocks.com/en/tutorials/security/content-security-policy/<br />
* http://www.w3.org/TR/CSP/</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=CRV2_SecCommsHTTPHdrs&diff=189729CRV2 SecCommsHTTPHdrs2015-02-15T16:29:00Z<p>Gary David Robinson: </p>
<hr />
<div>= This is a draft version =<br />
<br />
== Overview ==<br />
<br />
HTTP headers allow the server to dictate or advise the user agent and intermediary servers how to handle the content being provided. Some of these headers can aid a web site in securing itself; these include the standard Cache-Control headers, and newer specifications like HSTS and Content Security Policy headers.<br />
<br />
<br />
<br />
== Description ==<br />
<br />
From a security point of view controlling the HTTP headers sent with web site content can tell the users browser how to store the content, how to access further content, and how to trust various parts of the content received by the browser. <br />
<br />
Two points to note up front:<br />
<br />
# Headers can only be trusted over a HTTPS session<br />
# This section only covers HTTP response headers<br />
<br />
Without HTTPS between the web server and the users browser an attacker can modify the content or the associated headers. Thus if you were returning headers specifying that your web site should only be access over HTTPS, an attacker could remove these headers and the browser would not receive the information. A web site should not trust HTTP request headers for security decisions as there are many ways an attacker could modify these headers (or construct the whole request themselves), so there is nothing to cover for secure headers coming from the client, as they are inherently insecure. Of course the cookie header is an exception to this, but that is because our web site has set the cookie header to a random value that should only be known during the browsing session. This section will not cover the cookie header as this is covered in the session management topic.<br />
<br />
<br />
=== Caching Headers ===<br />
<br />
For business web sites that allow sensitive or confidential information to be downloaded to the client device, the caching of that sensitive data will become a security issue. A user accessing their bank account details does not want an intermediary proxy caching their web pages. A legal web site does not want copies of sensitive PDF documents stored on the laptop or smartphone disk storage, only for that device to be lost and the documents visible to an attacker.<br />
<br />
The 'Cache-Control' header tells the users browser how to handle the content being downloaded. Some browsers can interpret the header values differently thus the understood header settings to return with content that must not be cached are:<br />
<br />
Cache-Control: no-store, no-cache<br />
Pragma: no-cache<br />
Expires: 0<br />
<br />
This should be understood by all browsers (including mobile webviews) that the content being returned must not be stored to disk cache. Note that it is possible for intermediate proxies to ignore caching headers and still cache the content, which is another reason why using end-to-end HTTPS sessions is important, as the proxies will only have encrypted versions of the sensitive content.<br />
<br />
<br />
=== Content Security Policy ===<br />
<br />
Cross Site Scripting (XSS) is still one of the most frequent security issues experienced on web sites, it's A3 on the OWASP Top 10 (2013), and it covers a variety of ways attackers can bypass the browser same origin policy to trick the browsers into executing the attackers code. Content Security Policy headers are designed to allow a web site to inform the browser where scripts, frames, etc can be sourced from, and are a good way of mitigating XSS issues.<br />
<br />
The structure of the header is as follows:<br />
<br />
Content-Security-Policy: <directive> <sources><br />
<br />
Where the directive tells the browser what type of content is being controlled, and the source lists the places where the content can validly be obtained from, for example:<br />
<br />
Content-Security-Policy: script-src 'self' https://www.example.com<br />
<br />
... tells the browser that javascript code files (i.e. *.js files) can only be sourced from 'self' (i.e. the current web site, note the single quotes are necessary) or https://www.example.com. If the browser rendering the page finds javascript from some other site, it will fail to render and flag an error message to the end user. In this way the web site has prevented the attacker from injecting links to their own javascript (e.g. "<script src='http://badguy.com/bad.js'></script>").<br />
<br />
The directives controlled by the Content Security Policy include:<br />
<br />
{|<br />
|Directive<br />
|Description<br />
|-<br />
|script-src<br />
|Lists the sources where javascript files are allowed to be sourced from.<br />
|-<br />
|object-src<br />
|Lists the sources where flash and other plugin objects are allowed from. <br />
|-<br />
|frame-src<br />
|Lists the sources where frames are allowed from. <br />
|-<br />
|style-src<br />
|Lists the sources where CSS files are allowed from. <br />
|}<br />
<br />
If a directive is not specified then the default is wide open, all sources are allowed. If you do not wish to provide a directive for all options then you can specify a default-src which will then apply to all unspecified directives, for example:<br />
<br />
Content-Security-Policy: default-src 'self'<br />
<br />
... forces all scripts, frames, objects, etc to be sourced from the current web site. When specifying a URL the scheme is enforced, so stating https://www.example.com will prevent any items coming from www.example.com over HTTP (i.e. without SSL). You can also provide a wildcard on the leftmost portion of the domain, e.g. https://*.example.com. Multiple directives are separated by semi-colons, e.g.<br />
<br />
Content-Security-Policy: script-src 'self' https://www.example.com; frame-src 'self' https://frames.example.com<br />
<br />
If you wished to completely disable an option, for example you don't want any frames in your page, you can disable a directive using the 'none' keyword:<br />
<br />
Content-Security-Policy: frame-src 'none'<br />
<br />
<br />
==== Preventing Inlining ====<br />
<br />
A further feature of Content Security Policy is to tell the browser not to allow inline javascript code, or evals. As well as driving better programming practices by separating scripting code from the display markup, this option allows inline scripting to be disabled (a major vector of XSS, e.g. <script>alert(1);</script>). By providing a script-src or style-src (in the case of CSS) the Content Security Policy automatically bans inline scripts (javascript and CSS). If you wish to allow inline scripting, or inline use of the eval function (which can construct javascript) you have to explicitly specify 'unsafe-inline' or 'unsafe-eval', e.g.<br />
<br />
Content-Security-Policy: script-src 'self' 'unsafe-inline'<br />
<br />
<br />
==== Applying CSP To Web Pages ====<br />
<br />
When using Content Security Policy, note that the header has to be included in every web page. This can easily be achieved through configuration of common frameworks (e.g. mod_headers in Apache) if the policy is the same for the entire site. If the Content Security Policy header is being dynamically created for each web page, be aware that directives cannot be repeated, if the header specifies the directive the second listing will be ignored.<br />
<br />
The header varies slightly between IE and other browsers, for IE you must specify "X-Content-Security-Policy", whilst all other browsers use "Content-Security-Policy".<br />
<br />
<br />
==== Using Content Security Policy Reporting ====<br />
<br />
The Content Security Policy allows the browser to report any violations of the defined sources. The CSP header can include the "report-uri" directive as in the following:<br />
<br />
Content-Security-Policy: default-src 'self'; report-uri /csp_receiver;<br />
<br />
With this directive, if the browser experiences any page/content that violates the directive it will send a JSON report to the defined URL similar to the following:<br />
<br />
{<br />
"csp-report": {<br />
"document-uri": "https://www.example.com/default.html",<br />
"referrer": "https://www.example.com/",<br />
"blocked-uri": "https://bad.guy.com/bad_guy.js",<br />
"violated-directive": "script-src 'self' https://www.example.com",<br />
"original-policy": "script-src 'self' https://www.example.com; report-uri https://www.example.com/csp_receiver"<br />
}<br />
} <br />
<br />
This reporting feature can be used to determine any attacks occurring on your content. Also note that if you specify HTTPS in the report-uri scheme, and the receiver URI is on the current web server, the report JSON can be authenticated as the cookie will be passed over the secure session.<br />
<br />
trail...<br />
<br />
<br />
<br />
<br />
<br />
=== HTTP Strict Transport Security ===<br />
<br />
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. When the browser receives the HSTS header it will prevent any subsequent requests from being sent over HTTP to the web site, instead only using HTTPS, for the timeframe specified in the header. It also prevents HTTPS click through prompts on browsers.<br />
<br />
Simple example, using a long (1 year) max-age:<br />
<br />
Strict-Transport-Security: max-age=31536000<br />
<br />
If all present and future subdomains will be HTTPS:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains<br />
<br />
If the site owner would like their domain to be included in the maintained by Chrome (and used by Firefox and Safari), then use:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<br />
<br />
The 'preload' flag indicates the site owner's consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the list.<br />
<br />
Use caution when setting excessively strict STS policies. Including subdomains should only be used in environments where all sites within your organization for the given domain name require ssl. Max-age limits should be carefully considered as infrequent visitors may find your site inaccessible if you relax your policy.<br />
<br />
Before enabling includeSubDomains, also consider the impact of any existing DNS CNAME records for CDNs, email services, or other 3rd party services. Since includeSubDomains will force such CNAME subdomains to https:// it's likely the browser will throw a domain-mismatch error, which is hard to reverse because of the browser caching nature of HSTS.<br />
<br />
<br />
== What to Review ==<br />
<br />
When reviewing code modules from an HTTP header sercurity point of view, some common issues to look out for include:<br />
<br />
* <br />
* <br />
* <br />
<br />
<br />
== References ==<br />
<br />
* https://www.owasp.org/index.php/HTTP_Strict_Transport_Security<br />
* http://content-security-policy.com/<br />
* http://www.html5rocks.com/en/tutorials/security/content-security-policy/<br />
* http://www.w3.org/TR/CSP/</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=CRV2_SecCommsHTTPHdrs&diff=189727CRV2 SecCommsHTTPHdrs2015-02-15T16:03:22Z<p>Gary David Robinson: </p>
<hr />
<div>= This is a draft version =<br />
<br />
== Overview ==<br />
<br />
HTTP headers allow the server to dictate or advise the user agent and intermediary servers how to handle the content being provided. Some of these headers can aid a web site in securing itself; these include the standard Cache-Control headers, and newer specifications like HSTS and Content Security Policy headers.<br />
<br />
<br />
<br />
== Description ==<br />
<br />
From a security point of view controlling the HTTP headers sent with web site content can tell the users browser how to store the content, how to access further content, and how to trust various parts of the content received by the browser. <br />
<br />
Two points to note up front:<br />
<br />
# Headers can only be trusted over a HTTPS session<br />
# This section only covers HTTP response headers<br />
<br />
Without HTTPS between the web server and the users browser an attacker can modify the content or the associated headers. Thus if you were returning headers specifying that your web site should only be access over HTTPS, an attacker could remove these headers and the browser would not receive the information. A web site should not trust HTTP request headers for security decisions as there are many ways an attacker could modify these headers (or construct the whole request themselves), so there is nothing to cover for secure headers coming from the client, as they are inherently insecure. Of course the cookie header is an exception to this, but that is because our web site has set the cookie header to a random value that should only be known during the browsing session. This section will not cover the cookie header as this is covered in the session management topic.<br />
<br />
<br />
=== Caching Headers ===<br />
<br />
For business web sites that allow sensitive or confidential information to be downloaded to the client device, the caching of that sensitive data will become a security issue. A user accessing their bank account details does not want an intermediary proxy caching their web pages. A legal web site does not want copies of sensitive PDF documents stored on the laptop or smartphone disk storage, only for that device to be lost and the documents visible to an attacker.<br />
<br />
The 'Cache-Control' header tells the users browser how to handle the content being downloaded. Some browsers can interpret the header values differently thus the understood header settings to return with content that must not be cached are:<br />
<br />
Cache-Control: no-store, no-cache<br />
Pragma: no-cache<br />
Expires: 0<br />
<br />
This should be understood by all browsers (including mobile webviews) that the content being returned must not be stored to disk cache. Note that it is possible for intermediate proxies to ignore caching headers and still cache the content, which is another reason why using end-to-end HTTPS sessions is important, as the proxies will only have encrypted versions of the sensitive content.<br />
<br />
<br />
=== Content Security Policy ===<br />
<br />
Cross Site Scripting (XSS) is still one of the most frequent security issues experienced on web sites, it's A3 on the OWASP Top 10 (2013), and it covers a variety of ways attackers can bypass the browser same origin policy to trick the browsers into executing the attackers code. Content Security Policy headers are designed to allow a web site to inform the browser where scripts, frames, etc can be sourced from, and are a good way of mitigating XSS issues.<br />
<br />
The structure of the header is as follows:<br />
<br />
Content-Security-Policy: <directive> <sources><br />
<br />
Where the directive tells the browser what type of content is being controlled, and the source lists the places where the content can validly be obtained from, for example:<br />
<br />
Content-Security-Policy: script-src 'self' https://www.example.com<br />
<br />
... tells the browser that javascript code files (i.e. *.js files) can only be sourced from 'self' (i.e. the current web site, note the single quotes are necessary) or https://www.example.com. If the browser rendering the page finds javascript from some other site, it will fail to render and flag an error message to the end user. In this way the web site has prevented the attacker from injecting links to their own javascript (e.g. "<script src='http://badguy.com/bad.js'></script>").<br />
<br />
The directives controlled by the Content Security Policy include:<br />
<br />
{|<br />
|Directive<br />
|Description<br />
|-<br />
|script-src<br />
|Lists the sources where javascript files are allowed to be sourced from.<br />
|-<br />
|object-src<br />
|Lists the sources where flash and other plugin objects are allowed from. <br />
|-<br />
|frame-src<br />
|Lists the sources where frames are allowed from. <br />
|-<br />
|style-src<br />
|Lists the sources where CSS files are allowed from. <br />
|}<br />
<br />
If a directive is not specified then the default is wide open, all sources are allowed. If you do not wish to provide a directive for all options then you can specify a default-src which will then apply to all unspecified directives, for example:<br />
<br />
Content-Security-Policy: default-src 'self'<br />
<br />
... forces all scripts, frames, objects, etc to be sourced from the current web site. When specifying a URL the scheme is enforced, so stating https://www.example.com will prevent any items coming from www.example.com over HTTP (i.e. without SSL). You can also provide a wildcard on the leftmost portion of the domain, e.g. https://*.example.com. Multiple directives are separated by semi-colons, e.g.<br />
<br />
Content-Security-Policy: script-src 'self' https://www.example.com; frame-src 'self' https://frames.example.com<br />
<br />
If you wished to completely disable an option, for example you don't want any frames in your page, you can disable a directive using the 'none' keyword:<br />
<br />
Content-Security-Policy: frame-src 'none'<br />
<br />
<br />
==== Preventing Inlining ====<br />
<br />
A further feature of Content Security Policy is to tell the browser not to allow inline javascript code, or evals. As well as driving better programming practices by separating scripting code from the display markup, this option allows inline scripting to be disabled (a major vector of XSS, e.g. <script>alert(1);</script>). By providing a script-src or style-src (in the case of CSS) the Content Security Policy automatically bans inline scripts (javascript and CSS). If you wish to allow inline scripting, or inline use of the eval function (which can construct javascript) you have to explicitly specify 'unsafe-inline' or 'unsafe-eval', e.g.<br />
<br />
Content-Security-Policy: script-src 'self' 'unsafe-inline'<br />
<br />
<br />
==== Applying CSP To Web Pages ====<br />
<br />
When using Content Security Policy, note that the header has to be included in every web page. This can easily be achieved through configuration of common frameworks (e.g. mod_headers in Apache) if the policy is the same for the entire site. If the Content Security Policy header is being dynamically created for each web page, be aware that directives cannot be repeated, if the header specifies the directive the second listing will be ignored.<br />
<br />
The header varies slightly between IE and other browsers, for IE you must specify "X-Content-Security-Policy", whilst all other browsers use "Content-Security-Policy".<br />
<br />
<br />
==== Using Content Security Policy Reporting ====<br />
<br />
The Content Security Policy allows the browser to report any violations of the defined sources. The CSP header can include the "report-uri" directive as in the following:<br />
<br />
Content-Security-Policy: default-src 'self'; report-uri /csp_receiver;<br />
<br />
With this directive, if the browser experiences any page/content that violates the directive it will send a JSON report to the defined URL similar to the following:<br />
<br />
{<br />
"csp-report": {<br />
"document-uri": "https://www.example.com/default.html",<br />
"referrer": "https://www.example.com/",<br />
"blocked-uri": "https://bad.guy.com/bad_guy.js",<br />
"violated-directive": "script-src 'self' https://www.example.com",<br />
"original-policy": "script-src 'self' https://www.example.com; report-uri https://www.example.com/csp_receiver"<br />
}<br />
} <br />
<br />
This reporting feature can be used to determine any attacks occurring on your content. Also note that if you specify HTTPS in the report-uri scheme, and the <br />
<br />
=== HTTP Strict Transport Security ===<br />
<br />
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. When the browser receives the HSTS header it will prevent any subsequent requests from being sent over HTTP to the web site, instead only using HTTPS, for the timeframe specified in the header. It also prevents HTTPS click through prompts on browsers.<br />
<br />
Simple example, using a long (1 year) max-age:<br />
<br />
Strict-Transport-Security: max-age=31536000<br />
<br />
If all present and future subdomains will be HTTPS:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains<br />
<br />
If the site owner would like their domain to be included in the maintained by Chrome (and used by Firefox and Safari), then use:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<br />
<br />
The 'preload' flag indicates the site owner's consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the list.<br />
<br />
Use caution when setting excessively strict STS policies. Including subdomains should only be used in environments where all sites within your organization for the given domain name require ssl. Max-age limits should be carefully considered as infrequent visitors may find your site inaccessible if you relax your policy.<br />
<br />
Before enabling includeSubDomains, also consider the impact of any existing DNS CNAME records for CDNs, email services, or other 3rd party services. Since includeSubDomains will force such CNAME subdomains to https:// it's likely the browser will throw a domain-mismatch error, which is hard to reverse because of the browser caching nature of HSTS.<br />
<br />
<br />
== What to Review ==<br />
<br />
When reviewing code modules from an HTTP header sercurity point of view, some common issues to look out for include:<br />
<br />
* <br />
* <br />
* <br />
<br />
<br />
== References ==<br />
<br />
* https://www.owasp.org/index.php/HTTP_Strict_Transport_Security<br />
* http://content-security-policy.com/<br />
* http://www.html5rocks.com/en/tutorials/security/content-security-policy/<br />
* http://www.w3.org/TR/CSP/</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=Belfast&diff=189040Belfast2015-02-04T17:08:08Z<p>Gary David Robinson: </p>
<hr />
<div>{{Chapter Template|chaptername=Belfast|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Belfast|emailarchives=http://lists.owasp.org/pipermail/owasp-Belfast}}<br />
<br />
== OWASP Belfast Board ==<br />
<br />
The OWASP Belfast Chapter Leaders are:<br />
* [mailto:michelle.simpson@owasp.org Michelle Simpson]<br />
* [mailto:philip.okane@owasp.org Philip O'Kane]<br />
* [mailto:gary.robinson@owasp.org Gary Robinson]<br />
<br />
<br />
== About OWASP Belfast ==<br />
<br />
==== What is OWASP Belfast? ====<br />
<br />
OWASP Belfast is just one of over 100 OWASP Chapters around the world, including 4 in Ireland and 12 in the UK, where people meet to learn about and discuss software security topics. The OWASP organization also has lots of active projects that volunteers can participate in to create code and documents for the worldwide security community. The OWASP Top 10 project is the most famous of those projects.<br />
<br />
==== Who is OWASP Belfast for? ====<br />
<br />
It's for programmers, testers, students, project managers, development managers and security experts to collaborate and drive discussion on application security topics. Participation in the mailing lists and attendance at the OWASP Belfast sessions are free, in fact many of the events will provide food and drinks to attendees.<br />
<br />
==== Why be part of OWASP Belfast? ====<br />
<br />
* The community organizes sessions where experts from across the industry (and globe) give presentations and seminars about application security topics.<br />
* Attendance and participation in the community increases knowledge and skills, allowing people to stand out from the crowd.<br />
* Opportunity to network with other Software Professionals and keep in touch with job opportunities in the region.<br />
<br />
<br />
== Local News ==<br />
<br />
'''OWASP Belfast Chapter Session - March 2015'''<br />
<br />
OWASP Belfast are currently planning their next session, currently planned for 18th March 2015.<br />
<br />
Follow the OWASP Belfast Meetup group at http://www.meetup.com/OWASP-Belfast/<br />
<br />
Sign-up for the OWASP Belfast mailing list for more information about this session, and other security related topics, at http://lists.owasp.org/mailman/listinfo/owasp-Belfast<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Europe]]</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=CRV2_SecCommsHTTPHdrs&diff=188898CRV2 SecCommsHTTPHdrs2015-02-02T17:51:20Z<p>Gary David Robinson: </p>
<hr />
<div>= This is a draft version =<br />
<br />
== Overview ==<br />
<br />
HTTP headers allow the server to dictate or advise the user agent and intermediary servers how to handle the content being provided. Some of these headers can aid a web site in securing itself; these include the standard Cache-Control headers, and newer specifications like HSTS and Content Security Policy headers.<br />
<br />
<br />
<br />
== Description ==<br />
<br />
From a security point of view controlling the HTTP headers sent with web site content can tell the users browser how to store the content, how to access further content, and how to trust various parts of the content received by the browser. <br />
<br />
Two point to note up front:<br />
<br />
# Headers can only be trusted over a HTTPS session<br />
# This section only covers HTTP response headers<br />
<br />
Without HTTPS between the web server and the users browser an attacker can modify the content or the associated headers. Thus if you were returning headers specifying that your web site should only be access over HTTPS, an attacker could remove these headers and the browser would not receive the information. A web site should not trust HTTP request headers for security decisions as there are many ways an attacker could modify these headers (or construct the whole request themselves), so there is nothing to cover for secure headers coming from the client, as they are inherently insecure. Of course the cookie header is an exception to this, but that is because our web site has set the cookie header to a random value that should only be known during the browsing session. This section will not cover the cookie header as this is covered in the session management topic.<br />
<br />
<br />
=== Caching Headers ===<br />
<br />
For business web sites that allow sensitive or confidential information to be downloaded to the client device, the caching of that sensitive data will become a security issue. A user accessing their bank account details does not want an intermediary proxy caching their web pages. A legal web site does not want copies of sensitive PDF documents stored on the laptop or smartphone disk storage, only for that device to be lost and the documents visible to an attacker.<br />
<br />
The 'Cache-Control' header tells the users browser how to handle the content being downloaded. Some browsers can interpret the header values differently thus the understood header settings to return with content that must not be cached are:<br />
<br />
Cache-Control: no-store, no-cache<br />
Pragma: no-cache<br />
Expires: 0<br />
<br />
This should be understood by all browsers (including mobile webviews) that the content being returned must not be stored to disk cache. Note that it is possible for intermediate proxies to ignore caching headers and still cache the content, which is another reason why using end-to-end HTTPS sessions is important, as the proxies will only have encrypted versions of the sensitive content.<br />
<br />
<br />
=== Content Security Policy ===<br />
<br />
Cross Site Scripting (XSS) is still one of the most frequent security issue experienced on web sites, it's A3 on the OWASP Top 10 (2013), and it covers a variety of ways attackers can bypass the browser same origin policy to trick the browsers into executing the attackers code. TBD<br />
<br />
<br />
<br />
<br />
=== HTTP Strict Transport Security ===<br />
<br />
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. When the browser receives the HSTS header it will prevent any subsequent requests from being sent over HTTP to the web site, instead only using HTTPS, for the timeframe specified in the header. It also prevents HTTPS click through prompts on browsers.<br />
<br />
Simple example, using a long (1 year) max-age:<br />
<br />
Strict-Transport-Security: max-age=31536000<br />
<br />
If all present and future subdomains will be HTTPS:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains<br />
<br />
If the site owner would like their domain to be included in the maintained by Chrome (and used by Firefox and Safari), then use:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<br />
<br />
The 'preload' flag indicates the site owner's consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the list.<br />
<br />
Use caution when setting excessively strict STS policies. Including subdomains should only be used in environments where all sites within your organization for the given domain name require ssl. Max-age limits should be carefully considered as infrequent visitors may find your site inaccessible if you relax your policy.<br />
<br />
Before enabling includeSubDomains, also consider the impact of any existing DNS CNAME records for CDNs, email services, or other 3rd party services. Since includeSubDomains will force such CNAME subdomains to https:// it's likely the browser will throw a domain-mismatch error, which is hard to reverse because of the browser caching nature of HSTS.<br />
<br />
<br />
== What to Review ==<br />
<br />
When reviewing code modules from an HTTP header sercurity point of view, some common issues to look out for include:<br />
<br />
* <br />
* <br />
* <br />
<br />
<br />
== References ==<br />
<br />
* https://www.owasp.org/index.php/HTTP_Strict_Transport_Security<br />
* http://content-security-policy.com/<br />
* http://www.html5rocks.com/en/tutorials/security/content-security-policy/<br />
* http://www.w3.org/TR/CSP/</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=OWASP_Code_Review_V2_Table_of_Contents&diff=188884OWASP Code Review V2 Table of Contents2015-02-02T15:42:34Z<p>Gary David Robinson: /* HTTP Headers */</p>
<hr />
<div><br />
= '''OWASP Code Review Guide v2.0:''' =<br />
<br />
==Forward==<br />
# Author - Eoin Keary<br />
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]<br />
'''[[CRV2_Forward|Content here]]'''<br />
<br />
== Code Review Guide Introduction==<br />
# Author - Eoin Keary<br />
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]<br />
'''[[CRV2_Introduction|Content here]]'''<br />
<br />
=== What is source code review and Static Analysis ===<br />
=== What is Code Review ===<br />
# Author - Zyad Mghazli, Eoin Keary<br />
# New Section<br />
''' [[CRV2_WhatIsCodeReview|Content here]]'''<br />
<br />
=== Manual Review - Pros and Cons ===<br />
# Author - Zyad Mghazli, Eoin Keary,Gary David Robinson<br />
# New Section<br />
# Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli<br />
# [[CRV2_ManualReviewProsCons|Put content here]]<br />
<br />
=== Advantages of Code Review to Development Practices ===<br />
# Author - Gary David Robinson<br />
# New Section<br />
# [[CRV2_AdvantagesToDevPractices|Put content here]]<br />
<br />
=== Why code review ===<br />
==== Scope and Objective of secure code review ====<br />
# Author - Ashish Rao<br />
# [[CRV2_WhyCodeReview|Put content here]]<br />
<br />
=== We can't hack ourselves secure ===<br />
# Author - Eoin Keary<br />
# New Section<br />
# [[CRV2_CantHackSecure|Put content here]]<br />
<br />
=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===<br />
# Author - eoin Keary<br />
# New Section<br />
# [[CRV2_360Review|Put content here]]<br />
<br />
=== Can static code analyzers do it all? ===<br />
# Author - Ashish Rao<br />
# New Section<br />
# [[CRV2_CanStaticAnalyzersDoAll|Put content here]]<br />
<br />
=Methodology=<br />
===The code review approach===<br />
#Author - Johanna Curiel<br />
# [[CRV2_CodeReviewApproach|Put content here]]<br />
<br />
==== Preparation and context ====<br />
# Author - Gary David Robinson<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]<br />
# [[CRV2_PrepContext|Put content here]]<br />
<br />
====Application Threat Modeling====<br />
#Author - Larry Conklin<br />
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]<br />
# [[CRV2_AppThreatModeling|Put content here]]<br />
<br />
====Understanding Code layout/Design/Architecture====<br />
#Author - Open<br />
# [[CRV2_CodeLayoutDesignArch|Put content here]]<br />
====Understanding Business Logic====<br />
#[[CRV2_BusinessLogic|Put content here]]<br />
<br />
===SDLC Integration===<br />
#Author - Larry Conklin<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]<br />
# [[CRV2_SDLCInt|Put content here]]<br />
<br />
====Deployment Models====<br />
=====Secure deployment configurations=====<br />
#Author - <br />
# [[CRV2_SecDepConfig|Put content here]]<br />
<br />
# New Section<br />
=====Metrics and code review=====<br />
#Author -Anthony.Scotka@tea.state.tx.us<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]<br />
# [[CRV2_MetricsCodeRev|Put content here]]<br />
<br />
=====Source and sink reviews=====<br />
#Author - Open<br />
# New Section<br />
# [[CRV2_SourceSinkRev|Put content here]]<br />
<br />
=====Code review Coverage=====<br />
#Author - Open<br />
#Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]]<br />
# [[CRV2_CodeRevCoverage|Put content here]]<br />
<br />
=====Design Reviews=====<br />
#Author - Ashish Rao<br />
*Why to review design?<br />
**Building security in design - secure by design principle<br />
**Design Areas to be reviewed<br />
**Common Design Flaws<br />
# [[CRV2_DesignRev|Put content here]]<br />
<br />
=====A Risk based approach to code review=====<br />
#Author - Gary David Robinson<br />
#New Section<br />
*"Doing things right or doing the right things..."<br />
**"Not all bugs are equal<br />
# [[CRV2_RiskBasedApproach|Put content here]]<br />
<br />
====Crawling code====<br />
#Author - Open<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]<br />
*API of Interest:<br />
**Java<br />
**.NET<br />
**PHP<br />
**RUBY<br />
*Frameworks:<br />
**Spring<br />
**.NET MVC<br />
**Struts<br />
**Zend<br />
#New Section<br />
*Searching for code in C/C++<br />
#Author - Gary David Robinson<br />
<br />
# [[CRV2_CrawlingCode|Put content here]]<br />
<br />
====Code reviews and Compliance====<br />
#Author -Open<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]<br />
# [[CRV2_CodeRevCompliance|Put content here]]<br />
<br />
=Reviewing by Technical Control=<br />
===Reviewing code for Authentication controls===<br />
#Author - Gary Robinson<br />
# [[CRV2_AuthControls|Put content here]]<br />
<br />
====Forgot password====<br />
#Author Abbas Naderi, Larry Conklin<br />
# [[CRV2_ForgotPassword|Put content here]]<br />
<br />
====CAPTCHA====<br />
#Author Larry Conklin, Joan Renchie<br />
'''[[CRV2_CAPTCHA|Content here]]'''<br />
<br />
====Out of Band considerations====<br />
#Author - Gary Robinson<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]<br />
# [[CRV2_OutofBand|Put content here]]<br />
<br />
===Reviewing code Authorization weakness===<br />
#Author Eoin Keary .NET MVC added<br />
# [[CRV2_AuthorizationWeaknesses|Put content here]]<br />
<br />
====Checking authz upon every request====<br />
#Author - Abbas Naderi<br />
# [[CRV2_CheckAuthzEachRequest|Put content here]]<br />
<br />
====Reducing the attack surface====<br />
#Author Gary Robinson<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]<br />
# [[CRV2_ReducingAttSurf|Put content here]]<br />
<br />
====SSL/TLS Implementations====<br />
#Author - Eoin Keary<br />
# [[CRV2_SSL-TLS|Put content here]]<br />
<br />
====Reviewing code for Session handling====<br />
#Author - Abbas Naderi<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]<br />
# [[CRV2_SessionHandling|Put content here]]<br />
<br />
====Reviewing client side code====<br />
#New Section<br />
# [[CRV2_ClientSideCodeIntro|Put content here]]<br />
<br />
=====Javascript=====<br />
#Author - Abbas Naderi<br />
# [[CRV2_ClientSideCodeJScript|Put content here]]<br />
<br />
=====JSON=====<br />
#Author - Open<br />
# [[CRV2_ClientSideCodeJSon|Put content here]]<br />
<br />
=====Content Security Policy=====<br />
#Author - Open<br />
# [[CRV2_ClientSideCodeContSecPolicy|Put content here]]<br />
<br />
====="Jacking"/Framing=====<br />
#Author - Eoin Keary<br />
# [[CRV2_ClientSideCodeJackingFraming|Put content here]]<br />
<br />
=====HTML 5?=====<br />
#Author - Open<br />
# [[CRV2_ClientSideCodeHTML5|Put content here]]<br />
<br />
=====Browser Defenses=====<br />
#Author - Open<br />
# [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]<br />
<br />
=====etc...=====<br />
<br />
====Review code for input validation====<br />
#Author - Open<br />
# [[CRV2_InputValIntro|Put content here]]<br />
<br />
=====Regex Gotchas=====<br />
#Author - Open<br />
#New Section<br />
# [[CRV2_InputValRegexGotchas|Put content here]]<br />
<br />
=====ESAPI=====<br />
#Author - Open<br />
#New Section<br />
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]<br />
# [[CRV2_InputValESAPI|Put content here]]<br />
<br />
=====Microsoft Web Protection Library=====<br />
#Author - Michael Hidalgo<br />
#New Section<br />
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]<br />
# [[CRV2_InputValMicrosoftWebProtectionLibrary|Put content here]]<br />
<br />
====Reviewing code for contextual encoding====<br />
[[Overall approach to content encoding and anti XSS]]<br />
=====HTML Attribute=====<br />
#Author - Eoin Keary<br />
# [[CRV2_ContextEncHTMLAttribute|Put content here]]<br />
<br />
=====HTML Entity=====<br />
#Author - Eoin Keary<br />
# [[CRV2_ContextEncHTMLEntity|Put content here]]<br />
<br />
=====Javascript Parameters=====<br />
#Author - Eoin Keary<br />
# [[CRV2_ContextEncJscriptParams|Put content here]]<br />
<br />
=====JQuery=====<br />
#Author - Open<br />
# [[CRV2_ContextEncJQuery|Put content here]]<br />
<br />
====Reviewing file and resource handling code====<br />
#Author - Open<br />
# [[CRV2_FileResourceHandling|Put content here]]<br />
<br />
====Resource Exhaustion - error handling====<br />
#Author - Open<br />
# [[CRV2_ResourceExhaustionErrHandling|Put content here]]<br />
<br />
=====native calls=====<br />
#Author Open<br />
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]]<br />
<br />
====Reviewing Logging code - Detective Security====<br />
#Author - Gary Robinson<br />
* Where to Log<br />
* What to log<br />
* What not to log<br />
* How to log<br />
# Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]]<br />
# [[CRV2_LoggingCode|Put content here]]<br />
<br />
====Reviewing Error handling and Error messages====<br />
#Author - Gary David Robinson<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]<br />
# [[CRV2_ErrorHandlingMessages|Put content here]]<br />
<br />
====Reviewing Security alerts====<br />
#Author - Gary Robinson<br />
# [[CRV2_SecurityAlerts|Put content here]]<br />
<br />
====Review for active defense====<br />
#Author - Colin Watson<br />
# [[CRV2_ActiveDefense|Put content here]]<br />
<br />
====Reviewing Secure Storage====<br />
#Author - Open source<br />
# New Section<br />
# [[CRV2_SecureStorage|Put content here]]<br />
<br />
====Hashing & Salting - When, How and Where====<br />
=====Encryption=====<br />
======.NET======<br />
#Author Larry Conklin, Joan Renchie<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]<br />
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''<br />
'''[[CRV2_HashingandSaltingdotNet|Content here]]'''<br />
<br />
=Reviewing by Vulnerability=<br />
===Review Code for XSS===<br />
#Author Examples added by Eoin Keary<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]<br />
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao<br />
# [[CRV2_RevCodeXSS|Put content here]]<br />
<br />
===Persistent - The Anti pattern===<br />
#Author <br />
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]<br />
<br />
====.NET====<br />
#Author Johanna Curiel, Eoin Keary<br />
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]<br />
<br />
====.Java====<br />
#Author Johanna Curiel<br />
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]<br />
<br />
====PHP====<br />
#Author Abbas Naderi<br />
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]<br />
<br />
====Ruby====<br />
#Author Open<br />
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]<br />
<br />
===Reflected - The Anti pattern===<br />
# [[CRV2_RevCodeReflectedAntiPatternIntro|Put content here]]<br />
<br />
====.NET====<br />
#Author Johanna Curiel<br />
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]<br />
<br />
====.Java====<br />
#Author Johanna Curiel<br />
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]<br />
<br />
====PHP====<br />
#Author Abbas Naderi<br />
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]<br />
<br />
====Ruby====<br />
# Author - Open<br />
# [[CRV2_RevCodeReflectedAntiPatternIRuby|Put content here]]<br />
<br />
===Stored - The Anti pattern===<br />
# Author - Johanna Curiel<br />
# [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]<br />
<br />
====.NET====<br />
#Author Johanna Curiel<br />
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]<br />
<br />
====.Java====<br />
#Author Johanna Curiel<br />
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]<br />
<br />
====PHP====<br />
#Author Johanna Curiel <br />
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]<br />
<br />
====Ruby====<br />
#Author - Johanna Curiel<br />
# [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]<br />
<br />
===DOM XSS ===<br />
#Author Larry Conklin<br />
# [[CRV2_DOMXSS|Put content here]]<br />
<br />
===JQuery mistakes===<br />
#Author <br />
# [[CRV2_JQueryMistakes|Put content here]]<br />
<br />
===Reviewing code for SQL Injection===<br />
#Author Gary Robinson<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]<br />
# [[CRV2_RevCodeSQLInjection|Put content here]]<br />
<br />
====PHP====<br />
#Author - Mennouchi Islam Azeddine<br />
# [[CRV2_SQLInjPHP|Put content here]]<br />
<br />
====Java====<br />
#Author - Johanna Curiel<br />
# [[CRV2_SQLInjJava|Put content here]]<br />
<br />
====.NET====<br />
#Author - Open<br />
# [[CRV2_SQLInjdotNET|Put content here]]<br />
<br />
====HQL====<br />
#Author - Open<br />
# [[CRV2_SQLInjHQL|Put content here]]<br />
<br />
===The Anti pattern===<br />
#Author Larry Conklin<br />
#[[CRV2_AntiPattern| Content here]]<br />
https://www.owasp.org/index.php/CRV2_AntiPattern<br />
====PHP====<br />
#Author - <br />
# [[CRV2_AntiPatternPHP|Put content here]]<br />
<br />
====Java====<br />
#Author - <br />
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,...<br />
# [[CRV2_AntiPatternJava|Put content here]]<br />
<br />
====.NET====<br />
#Author Open<br />
# [[CRV2_AntiPatterndotNet|Put content here]]<br />
<br />
====Ruby====<br />
#Author - Open<br />
# [[CRV2_AntiPatternRuby|Put content here]]<br />
<br />
====Cold Fusion====<br />
#Author - Open<br />
# [[CRV2_AntiPatternColdFusion|Put content here]]<br />
<br />
===Reviewing code for CSRF Issues===<br />
#Author Abbas Naderi<br />
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]<br />
# This page needs to be deleted. [[CRV2_CSRFIssues|Put content here]]<br />
<br />
===(This task has been deleted) Transactional logic / Non idempotent functions / State Changing Functions===<br />
# [[CRV2_TransLogic|Put content here]]<br />
<br />
===Reviewing code for poor logic /Business logic/Complex authorization===<br />
#Author - Open<br />
# [[CRV2_PoorLogic|Put content here]]<br />
<br />
===Reviewing Secure Communications===<br />
====.NET Config====<br />
#Author Johanna Curiel, Renchie Joan<br />
# [[CRV2_SecCommsdotNet|Put content here]]<br />
<br />
====Spring Config====<br />
#Author - Open<br />
# [[CRV2_SecCommsSpringConfig|Put content here]]<br />
<br />
====HTTP Headers====<br />
#Author Gary Robinson<br />
# [[CRV2_SecCommsHTTPHdrs|Put content here]]<br />
<br />
===Tech-Stack pitfalls===<br />
#Author Open<br />
# [[CRV2_TechStackPitfalls|Put content here]]<br />
<br />
===Framework specific Issues===<br />
====Spring====<br />
#Author - Open<br />
# [[CRV2_FrameworkSpecIssuesSpring|Put content here]]<br />
<br />
====Struts====<br />
#Author - Open<br />
# [[CRV2_FrameworkSpecIssuesStruts|Put content here]]<br />
<br />
====Drupal====<br />
#Author Open<br />
# [[CRV2_FrameworkSpecIssuesDurpal|Put content here]]<br />
<br />
====Ruby on Rails====<br />
#Author - Open<br />
# [[CRV2_FrameworkSpecIssuesROR|Put content here]]<br />
<br />
====Django====<br />
#Author Open<br />
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]]<br />
<br />
====.NET Security / MVC====<br />
#Author Johanna Curiel, Eoin Keary<br />
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]<br />
<br />
====Security in ASP.NET applications====<br />
#Author Johanna Curiel<br />
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]<br />
<br />
=====Strongly Named Assemblies=====<br />
#Author Johanna Curiel, Larry Conklin<br />
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]<br />
<br />
======Round Tripping======<br />
# Author - Open<br />
# [[CRV2_FrameworkSpecIssuesASPNetRT|Put content here]]<br />
<br />
======How to prevent Round tripping======<br />
# Author - Open<br />
#Author Johanna Curiel<br />
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]<br />
<br />
=====Setting the right Configurations=====<br />
#Author Johanna Curiel<br />
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]<br />
<br />
=====Authentication Options=====<br />
#Author Johanna Curiel<br />
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]<br />
<br />
=====Code Review for Managed Code - .Net 1.0 and up=====<br />
#Author Johanna Curiel<br />
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]<br />
<br />
=====Using OWASP Top 10 as your guideline=====<br />
#Author Johanna Curiel<br />
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]<br />
<br />
=====Code review for Unsafe Code (C#)=====<br />
#Author Johanna Curiel<br />
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]<br />
<br />
====PHP Specific Issues====<br />
#Author Open<br />
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]]<br />
<br />
====Classic ASP====<br />
#Author Johanna Curiel<br />
# [[CRV2_FrameworkSpecIssuesASPClassic|Put content here]]<br />
<br />
====C#====<br />
#Author Open<br />
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]<br />
<br />
====C/C++====<br />
#Author Open<br />
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]<br />
<br />
====Objective C====<br />
#Author Open<br />
# [[CRV2_FrameworkSpecIssuesObectiveC|Put content here]]<br />
<br />
====Java====<br />
#Author Open<br />
# [[CRV2_FrameworkSpecIssuesJava|Put content here]]<br />
<br />
====Android====<br />
#Author Open<br />
# [[CRV2_FrameworkSpecIssuesAndroid|Put content here]]<br />
<br />
====Coldfusion====<br />
#Author Open<br />
# [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]]<br />
<br />
====CodeIgniter====<br />
<br />
# Author Open<br />
# [[CRV2_FrameworkSpecIssuesCodeIgniter|Put content here]]<br />
<br />
=Security code review for Agile development=<br />
#Author Carlos Pantelides<br />
# [[CRV2_CodeReviewAgile|Put content here]]<br />
<br />
=Code Review Tools=<br />
https://www.owasp.org/index.php/CRV2_CodeReviewTools</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=CRV2_SecCommsHTTPHdrs&diff=188545CRV2 SecCommsHTTPHdrs2015-01-26T09:07:44Z<p>Gary David Robinson: </p>
<hr />
<div>= This is a draft version =<br />
<br />
== Overview ==<br />
<br />
HTTP headers allow the server to dictate or advise the user agent and intermediary servers how to handle the content being provided. Some of these headers can aid a web site in securing itself; these include the standard Cache-Control headers, and newer specifications like HSTS and Content Security Policy headers.<br />
<br />
<br />
<br />
== Description ==<br />
<br />
From a security point of view controlling the HTTP headers sent with web site content can tell the users browser how to store the content, how to access further content, and how to trust various parts of the content received by the browser. <br />
<br />
Two point to note up front:<br />
<br />
# Headers can only be trusted over a HTTPS session<br />
# This section only covers HTTP response headers<br />
<br />
Without HTTPS between the web server and the users browser an attacker can modify the content or the associated headers. Thus if you were returning headers specifying that your web site should only be access over HTTPS, an attacker could remove these headers and the browser would not receive the information. A web site should not trust HTTP request headers for security decisions as there are many ways an attacker could modify these headers (or construct the whole request themselves), so there is nothing to cover for secure headers coming from the client, as they are inherently insecure. Of course the cookie header is an exception to this, but that is because our web site has set the cookie header to a random value that should only be known during the browsing session. This section will not cover the cookie header as this is covered in the session management topic.<br />
<br />
For business web sites that allow sensitive or confidential information to be downloaded to the client device, the caching of that sensitive data will become a security issue. A user accessing their bank account details does not want an intermediary proxy caching their web pages. A legal web site does not want copies of sensitive PDF documents stored on the laptop or smartphone disk storage, only for that device to be lost and the documents visible to an attacker.<br />
<br />
The 'Cache-Control' header tells the users browser how to handle the content being downloaded. Some browsers can interpret the header values differently thus the understood header settings to return with content that must not be cached are:<br />
<br />
Cache-Control: no-store, no-cache<br />
Pragma: no-cache<br />
Expires: 0<br />
<br />
This should be understood by all browsers (including mobile webviews) that the content being returned must not be stored to disk cache. Note that it is possible for intermediate proxies to ignore caching headers and still cache the content, which is another reason why using end-to-end HTTPS sessions is important, as the proxies will only have encrypted versions of the sensitive content.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. When the browser receives the HSTS header it will prevent any subsequent requests from being sent over HTTP to the web site, instead only using HTTPS, for the timeframe specified in the header. It also prevents HTTPS click through prompts on browsers.<br />
<br />
Simple example, using a long (1 year) max-age:<br />
<br />
Strict-Transport-Security: max-age=31536000<br />
<br />
If all present and future subdomains will be HTTPS:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains<br />
<br />
If the site owner would like their domain to be included in the maintained by Chrome (and used by Firefox and Safari), then use:<br />
<br />
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<br />
<br />
The `preload` flag indicates the site owner's consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the list.<br />
<br />
Use caution when setting excessively strict STS policies. Including subdomains should only be used in environments where all sites within your organization for the given domain name require ssl. Max-age limits should be carefully considered as infrequent visitors may find your site inaccessible if you relax your policy.<br />
<br />
Before enabling includeSubDomains, also consider the impact of any existing DNS CNAME records for CDNs, email services, or other 3rd party services. Since includeSubDomains will force such CNAME subdomains to https:// it's likely the browser will throw a domain-mismatch error, which is hard to reverse because of the browser caching nature of HSTS.<br />
<br />
<br />
== What to Review ==<br />
<br />
When reviewing code modules from an HTTP header sercurity point of view, some common issues to look out for include:<br />
<br />
<br />
<br />
<br />
== References ==<br />
<br />
* https://www.owasp.org/index.php/HTTP_Strict_Transport_Security</div>Gary David Robinsonhttps://wiki.owasp.org/index.php?title=CRV2_SecCommsHTTPHdrs&diff=188544CRV2 SecCommsHTTPHdrs2015-01-26T08:53:45Z<p>Gary David Robinson: Created page with "= This is a draft version = == Overview == HTTP headers allow the server to dictate or advise the user agent and intermediary servers how to handle the content being provide..."</p>
<hr />
<div>= This is a draft version =<br />
<br />
== Overview ==<br />
<br />
HTTP headers allow the server to dictate or advise the user agent and intermediary servers how to handle the content being provided. Some of these headers can aid a web site in securing itself; these include the standard Cache-Control headers, and newer specifications like HSTS and Content Security Policy headers.<br />
<br />
<br />
<br />
== Description ==<br />
<br />
From a security point of view controlling the HTTP headers sent with web site content can tell the users browser how to store the content, how to access further content, and how to trust various parts of the content received by the browser. <br />
<br />
Two point to note up front:<br />
<br />
# Headers can only be trusted over a HTTPS session<br />
# This section only covers HTTP response headers<br />
<br />
Without HTTPS between the web server and the users browser an attacker can modify the content or the associated headers. Thus if you were returning headers specifying that your web site should only be access over HTTPS, an attacker could remove these headers and the browser would not receive the information. A web site should not trust HTTP request headers for security decisions as there are many ways an attacker could modify these headers (or construct the whole request themselves), so there is nothing to cover for secure headers coming from the client, as they are inherently insecure. Of course the cookie header is an exception to this, but that is because our web site has set the cookie header to a random value that should only be known during the browsing session. This section will not cover the cookie header as this is covered in the session management topic.<br />
<br />
For business web sites that allow sensitive or confidential information to be downloaded to the client device, the caching of that sensitive data will become a security issue. A user accessing their bank account details does not want an intermediary proxy caching their web pages. A legal web site does not want copies of sensitive PDF documents stored on the laptop or smartphone disk storage, only for that device to be lost and the documents visible to an attacker.<br />
<br />
The 'Cache-Control' header tells the users browser how to handle the content being downloaded. Some browsers can interpret the header values differently thus the understood header settings to return with content that must not be cached are:<br />
<br />
Cache-Control: no-store, no-cache<br />
Pragma: no-cache<br />
Expires: 0<br />
<br />
This should be understood by all browsers (including mobile webviews) that the content being returned must not be stored to disk cache. Note that it is possible for intermediate proxies to ignore caching headers and still cache the content, which is another reason why using end-to-end HTTPS sessions is important, as the proxies will only have encrypted versions of the sensitive content.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
== What to Review ==<br />
<br />
When reviewing code modules from an HTTP header sercurity point of view, some common issues to look out for include:<br />
<br />
<br />
<br />
<br />
== References ==</div>Gary David Robinson