https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=OrysegalOWASP - User contributions [en]2026-05-09T06:51:04ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246664OWASP Serverless Goat2019-01-18T06:48:58Z<p>Orysegal: minor</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Sgoatbanner.png|center|frameless|1950x1950px]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. <br />
<br />
You can install ServerlessGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
OWASP ServerlessGoat is packaged as an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - this provides three important benefits:<br />
* A single click installation process. No compilation, building or packaging required<br />
* The application uses default serverless application repository permissions (SAM policy templates), making it more realistic<br />
* The installation doesn't create custom IAM roles or resource policies on the account in which it is deployed in<br />
<br />
== Disclaimer ==<br />
OWASP does not take responsibility for the way in which any one uses the ServerlessGoat application. OWASP made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing ServerlessGoat on production accounts.<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection (SAS-01)<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Over-privileged function permissions & roles (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05)<br />
* Insecure 3rd Party Dependencies (SAS-06)<br />
* Application layer Denial of Service (SAS-08)<br />
* Improper exception handling and verbose error messages (SAS-10)<br />
* Other undisclosed *critical* issues, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
You can find a live version of the application hosted by PureSec in the following URL: https://www.serverless-hack.me/ <br />
<br />
== Roadmap ==<br />
* '''18-December-2018''': Initial release. Collect feedback from the public ('''done''') <br />
* '''1-January-2019''': Beta release with additional features. <br />
* '''15-January''': v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by Ory Segal & Yuri Shapira @ [https://www.puresec.io/ PureSec]:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
You can find a full walkthrough (with spoilers of course) in the [https://github.com/OWASP/Serverless-Goat/blob/master/LESSONS.md LESSONS.md] file in the Git repo<br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
'''1-click installation''' on your own AWS account via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
A '''live version''' of the application is hosted by PureSec at: https://www.serverless-hack.me/ <br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] , [https://www.puresec.io/ PureSec] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246318OWASP Serverless Goat2019-01-02T11:33:13Z<p>Orysegal: Added the link to the live version</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Sgoatbanner.png|center|frameless|1950x1950px]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. <br />
<br />
You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
OWASP ServerlessGoat is packaged as an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - this provides three important benefits:<br />
* A single click installation process. No compilation, building or packaging required<br />
* The application uses default serverless application repository permissions (SAM policy templates), making it more realistic<br />
* The installation doesn't create custom IAM roles or resource policies on the account in which it is deployed in<br />
<br />
== Disclaimer ==<br />
OWASP does not take responsibility for the way in which any one uses the ServerlessGoat application. OWASP made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing ServerlessGoat on production accounts.<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection (SAS-01)<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Over-privileged function permissions & roles (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05)<br />
* Insecure 3rd Party Dependencies (SAS-06)<br />
* Application layer Denial of Service (SAS-08)<br />
* Improper exception handling and verbose error messages (SAS-10)<br />
* Other undisclosed *critical* issues, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
You can find a live version of the application hosted by PureSec in the following URL: https://www.serverless-hack.me/ <br />
<br />
== Roadmap ==<br />
* '''18-December-2018''': Initial release. Collect feedback from the public ('''done''') <br />
* '''1-January-2019''': Beta release with additional features. <br />
* '''15-January''': v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by Ory Segal & Yuri Shapira @ [https://www.puresec.io/ PureSec]:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
You can find a full walkthrough (with spoilers of course) in the [https://github.com/OWASP/Serverless-Goat/blob/master/LESSONS.md LESSONS.md] file in the Git repo<br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
'''1-click installation''' on your own AWS account via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
A '''live version''' of the application is hosted by PureSec at: https://www.serverless-hack.me/ <br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] , [https://www.puresec.io/ PureSec] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246301OWASP Serverless Goat2018-12-29T13:14:57Z<p>Orysegal: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Sgoatbanner.png|center|frameless|1950x1950px]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. <br />
<br />
You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
OWASP ServerlessGoat is packaged as an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - this provides three important benefits:<br />
* A single click installation process. No compilation, building or packaging required<br />
* The application uses default serverless application repository permissions (SAM policy templates), making it more realistic<br />
* The installation doesn't create custom IAM roles or resource policies on the account in which it is deployed in<br />
<br />
== Disclaimer ==<br />
OWASP does not take responsibility for the way in which any one uses the ServerlessGoat application. OWASP made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing ServerlessGoat on production accounts.<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection (SAS-01)<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Over-privileged function permissions & roles (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05)<br />
* Insecure 3rd Party Dependencies (SAS-06)<br />
* Application layer Denial of Service (SAS-08)<br />
* Improper exception handling and verbose error messages (SAS-10)<br />
* Other undisclosed *critical* issues, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
== Roadmap ==<br />
* '''18-December-2018''': Initial release. Collect feedback from the public ('''done''') <br />
* '''1-January-2019''': Beta release with additional features. <br />
* '''15-January''': v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by Ory Segal & Yuri Shapira @ [https://www.puresec.io/ PureSec]:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
You can find a full walkthrough (with spoilers of course) in the [https://github.com/OWASP/Serverless-Goat/blob/master/LESSONS.md LESSONS.md] file in the Git repo<br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
Deployment via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] , [https://www.puresec.io/ PureSec] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246300OWASP Serverless Goat2018-12-29T13:13:45Z<p>Orysegal: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Sgoatbanner.png|center|frameless|1500x1500px]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. <br />
<br />
You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
OWASP ServerlessGoat is packaged as an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - this provides three important benefits:<br />
* A single click installation process. No compilation, building or packaging required<br />
* The application uses default serverless application repository permissions (SAM policy templates), making it more realistic<br />
* The installation doesn't create custom IAM roles or resource policies on the account in which it is deployed in<br />
<br />
== Disclaimer ==<br />
OWASP does not take responsibility for the way in which any one uses the ServerlessGoat application. OWASP made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing ServerlessGoat on production accounts.<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection (SAS-01)<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Over-privileged function permissions & roles (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05)<br />
* Insecure 3rd Party Dependencies (SAS-06)<br />
* Application layer Denial of Service (SAS-08)<br />
* Improper exception handling and verbose error messages (SAS-10)<br />
* Other undisclosed *critical* issues, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
== Roadmap ==<br />
* '''18-December-2018''': Initial release. Collect feedback from the public ('''done''') <br />
* '''1-January-2019''': Beta release with additional features. <br />
* '''15-January''': v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by Ory Segal & Yuri Shapira @ [https://www.puresec.io/ PureSec]:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
You can find a full walkthrough (with spoilers of course) in the [https://github.com/OWASP/Serverless-Goat/blob/master/LESSONS.md LESSONS.md] file in the Git repo<br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
Deployment via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] , [https://www.puresec.io/ PureSec] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=File:Sgoatbanner.png&diff=246299File:Sgoatbanner.png2018-12-29T13:09:42Z<p>Orysegal: </p>
<hr />
<div>Serverless Goat OWASP Banner</div>Orysegalhttps://wiki.owasp.org/index.php?title=File:ServerlessGoat-Wide-Banner.png&diff=246298File:ServerlessGoat-Wide-Banner.png2018-12-29T12:58:59Z<p>Orysegal: </p>
<hr />
<div>ServerlessGoat Banner</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246297OWASP Serverless Goat2018-12-29T12:55:56Z<p>Orysegal: Minor edits</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. <br />
<br />
You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
OWASP ServerlessGoat is packaged as an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - this provides three important benefits:<br />
* A single click installation process. No compilation, building or packaging required<br />
* The application uses default serverless application repository permissions (SAM policy templates), making it more realistic<br />
* The installation doesn't create custom IAM roles or resource policies on the account in which it is deployed in<br />
<br />
== Disclaimer ==<br />
OWASP does not take responsibility for the way in which any one uses the ServerlessGoat application. OWASP made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing ServerlessGoat on production accounts.<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection (SAS-01)<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Over-privileged function permissions & roles (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05)<br />
* Insecure 3rd Party Dependencies (SAS-06)<br />
* Application layer Denial of Service (SAS-08)<br />
* Improper exception handling and verbose error messages (SAS-10)<br />
* Other undisclosed *critical* issues, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
== Roadmap ==<br />
* '''18-December-2018''': Initial release. Collect feedback from the public ('''done''') <br />
* '''1-January-2019''': Beta release with additional features. <br />
* '''15-January''': v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by Ory Segal & Yuri Shapira @ [https://www.puresec.io/ PureSec]:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
You can find a full walkthrough (with spoilers of course) in the [https://github.com/OWASP/Serverless-Goat/blob/master/LESSONS.md LESSONS.md] file in the Git repo<br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
Deployment via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] , [https://www.puresec.io/ PureSec] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246159OWASP Serverless Goat2018-12-19T17:08:34Z<p>Orysegal: Minor edit</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
== Roadmap ==<br />
* '''18-December-2018''': Initial release. Collect feedback from the public ('''done''') <br />
* '''1-January-2019''': Beta release with additional features. <br />
* '''15-January''': v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
Note: you can find a full walkthrough (with spoilers of course) in the [https://github.com/OWASP/Serverless-Goat/blob/master/LESSONS.md LESSONS.md] file in the Git repo<br />
<br />
The following security issues exist in the application: <br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Users can invoke the API with a <code>document_url</code> parameter value containing Linux OS commands. E.g. <code>; ls -LF</code><br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* For example, invoking the API without the required parameter will return a verbose stack trace/exception<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Publicly open S3 bucket (its name can be discovered from the subdomain/prefix of the URL)<br />
* The parameter <code>document_url</code> is not defined as a 'required' parameter in API gateway and can be ommitted<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* The function has CRUD permissions on the Dynamo table, which can be abused for reading sensitive data, or manipulating data<br />
* The function has FullAccess policy on the S3 bucket, leading to data tampering and data leakage, etc.<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated thro\ugh CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* The vulnerable package is <code>node-uuid</code><br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An attacker may invoke the API recursively multiple times, essentially spawning enough instances to reach the function's reserved capacity limit (which is set to 5). Recursive invocation can be done by invoking the API with itself as the `document_url` parameter (URL-encoded), which by itself calls itself (double-URL encoded), etc. (x5 times).<br />
* An undisclosed ''critical'' issue, as a bonus! <br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
Deployment via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] , [https://www.puresec.io/ PureSec] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246152OWASP Serverless Goat2018-12-19T10:24:11Z<p>Orysegal: Minor edit</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
== Roadmap ==<br />
* '''18-December-2018''': Initial release. Collect feedback from the public ('''done''') <br />
* '''1-January-2019''': Beta release with additional features. <br />
* '''15-January''': v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
Note: you can find a full walkthrough (with spoilers of course) in the [https://github.com/OWASP/Serverless-Goat/blob/master/LESSONS.md LESSONS.md] file in the Git repo<br />
<br />
The following security issues exist in the application: <br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Users can invoke the API with a <code>document_url</code> parameter value containing Linux OS commands. E.g. <code>; ls -LF</code><br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* For example, invoking the API without the required parameter will return a verbose stack trace/exception<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Publicly open S3 bucket (its name can be discovered from the subdomain/prefix of the URL)<br />
* The parameter <code>document_url</code> is not defined as a 'required' parameter in API gateway and can be ommitted<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* The function has CRUD permissions on the Dynamo table, which can be abused for reading sensitive data, or manipulating data<br />
* The function has FullAccess policy on the S3 bucket, leading to data tampering and data leakage, etc.<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated thro\ugh CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* The vulnerable package is <code>node-uuid</code><br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An attacker may invoke the API recursively multiple times, essentially spawning enough instances to reach the function's reserved capacity limit (which is set to 5). Recursive invocation can be done by invoking the API with itself as the `document_url` parameter (URL-encoded), which by itself calls itself (double-URL encoded), etc. (x5 times).<br />
* An undisclosed ''critical'' issue, as a bonus! <br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
Deployment via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246122OWASP Serverless Goat2018-12-18T19:21:02Z<p>Orysegal: /* Cheat Sheet */</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
== Roadmap ==<br />
* 18-December-2018: Initial version / Alpha release. Collect feedback from the public (done) <br />
* 1-January-2019: Beta release with additional features. <br />
* 15-January: v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
Note: you can find a full walkthrough (with spoilers of course) in the [https://github.com/OWASP/Serverless-Goat/blob/master/LESSONS.md LESSONS.md] file in the Git repo<br />
<br />
The following security issues exist in the application: <br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Users can invoke the API with a <code>document_url</code> parameter value containing Linux OS commands. E.g. <code>; ls -LF</code><br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* For example, invoking the API without the required parameter will return a verbose stack trace/exception<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Publicly open S3 bucket (its name can be discovered from the subdomain/prefix of the URL)<br />
* The parameter <code>document_url</code> is not defined as a 'required' parameter in API gateway and can be ommitted<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* The function has CRUD permissions on the Dynamo table, which can be abused for reading sensitive data, or manipulating data<br />
* The function has FullAccess policy on the S3 bucket, leading to data tampering and data leakage, etc.<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated thro\ugh CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* The vulnerable package is <code>node-uuid</code><br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An attacker may invoke the API recursively multiple times, essentially spawning enough instances to reach the function's reserved capacity limit (which is set to 5). Recursive invocation can be done by invoking the API with itself as the `document_url` parameter (URL-encoded), which by itself calls itself (double-URL encoded), etc. (x5 times).<br />
* An undisclosed ''critical'' issue, as a bonus! <br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
Deployment via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246121OWASP Serverless Goat2018-12-18T19:20:05Z<p>Orysegal: minor</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
== Roadmap ==<br />
* 18-December-2018: Initial version / Alpha release. Collect feedback from the public (done) <br />
* 1-January-2019: Beta release with additional features. <br />
* 15-January: v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
Note: you can find a full walkthrough (with spoilers of course) in the [LESSONS.md](https://github.com/OWASP/Serverless-Goat/blob/master/LESSONS.md) file in the Git repo<br />
<br />
The following security issues exist in the application: <br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Users can invoke the API with a <code>document_url</code> parameter value containing Linux OS commands. E.g. <code>; ls -LF</code><br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* For example, invoking the API without the required parameter will return a verbose stack trace/exception<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Publicly open S3 bucket (its name can be discovered from the subdomain/prefix of the URL)<br />
* The parameter <code>document_url</code> is not defined as a 'required' parameter in API gateway and can be ommitted<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* The function has CRUD permissions on the Dynamo table, which can be abused for reading sensitive data, or manipulating data<br />
* The function has FullAccess policy on the S3 bucket, leading to data tampering and data leakage, etc.<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated thro\ugh CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* The vulnerable package is <code>node-uuid</code><br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An attacker may invoke the API recursively multiple times, essentially spawning enough instances to reach the function's reserved capacity limit (which is set to 5). Recursive invocation can be done by invoking the API with itself as the `document_url` parameter (URL-encoded), which by itself calls itself (double-URL encoded), etc. (x5 times).<br />
* An undisclosed ''critical'' issue, as a bonus! <br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
Deployment via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246120OWASP Serverless Goat2018-12-18T19:19:07Z<p>Orysegal: minor edit</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
== Roadmap ==<br />
* 18-December-2018: Initial version / Alpha release. Collect feedback from the public (done) <br />
* 1-January-2019: Beta release with additional features. <br />
* 15-January: v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
Note: you can find a full walkthrough (with spoilers of course) in the LESSONS.md file in the Git repo<br />
<br />
The following security issues exist in the application: <br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Users can invoke the API with a <code>document_url</code> parameter value containing Linux OS commands. E.g. <code>; ls -LF</code><br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* For example, invoking the API without the required parameter will return a verbose stack trace/exception<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Publicly open S3 bucket (its name can be discovered from the subdomain/prefix of the URL)<br />
* The parameter <code>document_url</code> is not defined as a 'required' parameter in API gateway and can be ommitted<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* The function has CRUD permissions on the Dynamo table, which can be abused for reading sensitive data, or manipulating data<br />
* The function has FullAccess policy on the S3 bucket, leading to data tampering and data leakage, etc.<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated thro\ugh CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* The vulnerable package is <code>node-uuid</code><br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An attacker may invoke the API recursively multiple times, essentially spawning enough instances to reach the function's reserved capacity limit (which is set to 5). Recursive invocation can be done by invoking the API with itself as the `document_url` parameter (URL-encoded), which by itself calls itself (double-URL encoded), etc. (x5 times).<br />
* An undisclosed ''critical'' issue, as a bonus! <br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
Deployment via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246119OWASP Serverless Goat2018-12-18T19:12:32Z<p>Orysegal: /* Cheat Sheet */</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
== Roadmap ==<br />
* 18-December-2018: Initial version / Alpha release. Collect feedback from the public <br />
* 1-January-2019: Beta release with additional features. <br />
* 15-January: v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
Note: you can find a full walkthrough (with spoilers of course) in the LESSONS.md file in the Git repo<br />
<br />
The following security issues exist in the application: <br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Users can invoke the API with a <code>document_url</code> parameter value containing Linux OS commands. E.g. <code>; ls -LF</code><br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* For example, invoking the API without the required parameter will return a verbose stack trace/exception<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Publicly open S3 bucket (its name can be discovered from the subdomain/prefix of the URL)<br />
* The parameter <code>document_url</code> is not defined as a 'required' parameter in API gateway and can be ommitted<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* The function has CRUD permissions on the Dynamo table, which can be abused for reading sensitive data, or manipulating data<br />
* The function has FullAccess policy on the S3 bucket, leading to data tampering and data leakage, etc.<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated thro\ugh CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* The vulnerable package is <code>node-uuid</code><br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An attacker may invoke the API recursively multiple times, essentially spawning enough instances to reach the function's reserved capacity limit (which is set to 5). Recursive invocation can be done by invoking the API with itself as the `document_url` parameter (URL-encoded), which by itself calls itself (double-URL encoded), etc. (x5 times).<br />
* An undisclosed ''critical'' issue, as a bonus! <br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
Deployment via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246113OWASP Serverless Goat2018-12-18T13:16:53Z<p>Orysegal: /* Cheat Sheet */</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
== Roadmap ==<br />
* 18-December-2018: Initial version / Alpha release. Collect feedback from the public <br />
* 1-January-2019: Beta release with additional features. <br />
* 15-January: v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
The following security issues exist in the application: <br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Users can invoke the API with a <code>document_url</code> parameter value containing Linux OS commands. E.g. <code>; ls -LF</code><br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* For example, invoking the API without the required parameter will return a verbose stack trace/exception<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Publicly open S3 bucket (its name can be discovered from the subdomain/prefix of the URL)<br />
* The parameter <code>document_url</code> is not defined as a 'required' parameter in API gateway and can be ommitted<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* The function has CRUD permissions on the Dynamo table, which can be abused for reading sensitive data, or manipulating data<br />
* The function has FullAccess policy on the S3 bucket, leading to data tampering and data leakage, etc.<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated thro\ugh CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* The vulnerable package is <code>node-uuid</code><br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An attacker may invoke the API recursively multiple times, essentially spawning enough instances to reach the function's reserved capacity limit (which is set to 5). Recursive invocation can be done by invoking the API with itself as the `document_url` parameter (URL-encoded), which by itself calls itself (double-URL encoded), etc. (x5 times).<br />
* An undisclosed ''critical'' issue, as a bonus! <br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
Deployment via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246112OWASP Serverless Goat2018-12-18T13:15:17Z<p>Orysegal: Minor edit</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
== Roadmap ==<br />
* 18-December-2018: Initial version / Alpha release. Collect feedback from the public <br />
* 1-January-2019: Beta release with additional features. <br />
* 15-January: v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
The following security issues exist in the application: <br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Users can invoke the API with a <code>document_url</code> parameter value containing Linux OS commands. E.g. <code>; ls -LF</code><br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* For example, invoking the API without the required parameter will return a verbose stack trace/exception<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Publicly open S3 bucket (its name can be discovered from the subdomain/prefix of the URL)<br />
* The parameter <code>document_url</code> is not defined as a 'required' parameter in API gateway and can be ommitted<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* The function has CRUD permissions on the Dynamo table, which can be abused for reading sensitive data, or manipulating data<br />
* The function has FullAccess policy on the S3 bucket, leading to data tampering and data leakage, etc.<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated thro\ugh CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* The vulnerable package is <code>node-uuid</code><br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An attacker may invoke the API recursively multiple times, essentially spawning enough instances to reach the function's reserved capacity limit (which is set to 5). An undisclosed ''critical'' issue, as a bonus! <br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
Deployment via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246111OWASP Serverless Goat2018-12-18T13:14:40Z<p>Orysegal: Final edits for publish</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
The vulnerabilities that are included are:<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Deployment == <br />
<br />
ServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller. The application is packaged and published for deployment through the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless Application Repository]. Steps for deployment:<br />
# Make sure you are logged into your AWS account<br />
# Click on the following link: AWS Serverless Application Repository<br />
# Click 'Deploy'<br />
# Click 'Deploy' (again)<br />
# Wait until you see the message 'Your application has been deployed'<br />
# Click on 'View CloudFormation Stack'<br />
# Under 'Outputs' you will find the URL for the application (WebsiteURL) <br />
<br />
== Roadmap ==<br />
* 18-December-2018: Initial version / Alpha release. Collect feedback from the public <br />
* 1-January-2019: Beta release with additional features. <br />
* 15-January: v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
<br />
== Cheat Sheet ==<br />
<br />
The following security issues exist in the application: <br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Users can invoke the API with a <code>document_url</code> parameter value containing Linux OS commands. E.g. <code>; ls -LF</code><br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* For example, invoking the API without the required parameter will return a verbose stack trace/exception<br />
* Insecure Serverless Deployment Configuration (SAS-03)<br />
* Publicly open S3 bucket (its name can be discovered from the subdomain/prefix of the URL)<br />
* The parameter <code>document_url</code> is not defined as a 'required' parameter in API gateway and can be ommitted<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* The function has CRUD permissions on the Dynamo table, which can be abused for reading sensitive data, or manipulating data<br />
* The function has FullAccess policy on the S3 bucket, leading to data tampering and data leakage, etc.<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated thro\ugh CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* The vulnerable package is <code>node-uuid</code><br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An attacker may invoke the API recursively multiple times, essentially spawning enough instances to reach the function's reserved capacity limit (which is set to 5). For example: <code><nowiki>https://i92uw6vw73.execute-api.us-east-1.amazonaws.com/Prod/api/convert?document_url=https%3A%2F%2Fi92uw6vw73.execute-api.us-east-1.amazonaws.com%2FProd%2Fapi%2Fconvert%3Fdocument_url%3Dhttps%253A%252F%252Fi92uw6vw73.execute-api.us-east-1.amazonaws.com%252FProd%252Fapi%252Fconvert%253Fdocument_url%253Dhttps%25253A%25252F%25252Fi92uw6vw73.execute-api.us-east-1.amazonaws.com%25252FProd%25252Fapi%25252Fconvert%25253Fdocument_url%25253Dhttps%2525253A%2525252F%2525252Fi92uw6vw73.execute-api.us-east-1.amazonaws.com%2525252FProd%2525252Fapi%2525252Fconvert%2525253Fdocument_url%2525253Dhttp%252525253A%252525252F%252525252Fwww.snee.com%252525252Fxml%252525252Fxslt%252525252Fsample.doc</nowiki></code>.<br />
* An undisclosed ''critical'' issue, as a bonus! <br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
Deployment via the [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat AWS Serverless App Repository]<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246103OWASP Serverless Goat2018-12-17T19:37:13Z<p>Orysegal: /* Project Sponsors */</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
=== The vulnerabilities that are included are: (* spoiler alert! *)===<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Roadmap ==<br />
* 18-December-2018: Initial version / Alpha release. Collect feedback from the public <br />
* 1-January-2019: Beta release with additional features. <br />
* 15-January: v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246102OWASP Serverless Goat2018-12-17T19:14:44Z<p>Orysegal: /* The vulnerabilities that are included are (* spoiler alert! *) */</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
=== The vulnerabilities that are included are: (* spoiler alert! *)===<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
== Roadmap ==<br />
* 18-December-2018: Initial version / Alpha release. Collect feedback from the public <br />
* 1-January-2019: Beta release with additional features. <br />
* 15-January: v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed and sponsored by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246101OWASP Serverless Goat2018-12-17T19:02:40Z<p>Orysegal: license</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
=== The vulnerabilities that are included are (* spoiler alert! *)===<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. You can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
<br />
<br />
== Roadmap ==<br />
* 18-December-2018: Initial version / Alpha release. Collect feedback from the public <br />
* 1-January-2019: Beta release with additional features. <br />
* 15-January: v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed and sponsored by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246097OWASP Serverless Goat2018-12-17T18:20:56Z<p>Orysegal: Sponsors fix</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
=== The vulnerabilities that are included are (* spoiler alert! *)===<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. It is licensed under the MIT license. <br />
<br />
== Roadmap ==<br />
* 18-December-2018: Initial version / Alpha release. Collect feedback from the public <br />
* 1-January-2019: Beta release with additional features. <br />
* 15-January: v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project was initially developed and sponsored by PureSec:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Serverless_Goat&diff=246095OWASP Serverless Goat2018-12-17T17:51:04Z<p>Orysegal: initial release</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.<br />
<br />
As serverless adoption is expected to continue growing and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.<br />
<br />
There were a few key principles that we wanted to follow when designing this demo vulnerable application:<br />
* Make the project open source and free for everyone to use<br />
* Simple and straightforward deployment<br />
* Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)<br />
* Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially<br />
<br />
Given these key principles, we chose to develop and package the application an AWS SAM application that's available for deployment through the [https://aws.amazon.com/serverless/serverlessrepo/ AWS Serverless Application Repository] - however, this meant that we had to use the supported SAM policy templates. While this decision imposes some limitations on what capabilities were available for us, it presented two important benefits:<br />
* The application uses "default" serverless application repository permissions, making it more realistic<br />
* The deployment doesn't create custom IAM roles or resource policies<br />
<br />
== Details==<br />
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.<br />
<br />
=== The vulnerabilities that are included are (* spoiler alert! *)===<br />
* Event-data injection, leading to OS command injection (SAS-01)<br />
* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure<br />
* Insecure Serverless Deployment Configuration, leading to S3 bucket data exposure (SAS-03)<br />
* Over-privileged function permissions & roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)<br />
* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)<br />
* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool<br />
* Application layer Denial of Service (SAS-08), which can be easily demonstrated<br />
* An undisclosed *critical* issue, as a bonus!<br />
<br />
==Licensing==<br />
<br />
The OWASP ServerlessGoat project is free for use. It is licensed under the MIT license. <br />
<br />
== Roadmap ==<br />
* 18-December-2018: Initial version / Alpha release. Collect feedback from the public <br />
* 1-January-2019: Beta release with additional features. <br />
* 15-January: v1.0 official launch<br />
<br />
== Project Sponsors ==<br />
The project is sponsored by:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
TBD<br />
== Github Repo ==<br />
[https://github.com/OWASP/Serverless-Goat Project GitHub]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243760OWASP Cloud-Native Application Security Top 102018-09-27T05:29:28Z<p>Orysegal: /* Introduction */</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
'''Note:''' This project is a continuation of a previous project - "[https://www.puresec.io/press_releases/sas_top_10_2018_released The Serverless Security Top 10 Most Common Weaknesses Guide]", which was released on January 17th 2018 by PureSec, with collaboration of industry thought leaders from: IBM, iRobot, Denim Group, Cisco, Nordstrom, Asurion, Capital One, Microsoft, Check Point, A Cloud Guru and Cloud Academy. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
The OWASP Cloud-Native Top 10 is free for use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0). <br />
<br />
== Roadmap ==<br />
* '''29-SEP-2018''': Initial draft<br />
* '''8-NOV-2018''': Alpha release / Official public call<br />
* '''27-DEC-2019''': End of public call / Processing data collected<br />
* '''18-FEB-2019''': Release candidate for review<br />
* '''27-MAR-2019''': Official release <br />
<br />
== Project Sponsors ==<br />
The project is sponsored by:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
[https://lists.owasp.org/mailman/listinfo/owasp-cloud-native-application-security-top-10 Mailing List]<br />
<br />
== Github Repo ==<br />
[https://github.com/OWASP/Cloud-Native-Application-Security-Top-10 Github]<br />
<br />
== Related Projects ==<br />
<br />
* [[:Category:OWASP Top Ten Project]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243729OWASP Cloud-Native Application Security Top 102018-09-26T15:32:36Z<p>Orysegal: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
The OWASP Cloud-Native Top 10 is free for use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0). <br />
<br />
== Roadmap ==<br />
* '''29-SEP-2018''': Initial draft<br />
* '''8-NOV-2018''': Alpha release / Official public call<br />
* '''27-DEC-2019''': End of public call / Processing data collected<br />
* '''18-FEB-2019''': Release candidate for review<br />
* '''27-MAR-2019''': Official release <br />
<br />
== Project Sponsors ==<br />
The project is sponsored by:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]] ([mailto:ory.segal@owasp.org email])<br />
<br />
== Project Mailing List ==<br />
[https://lists.owasp.org/mailman/listinfo/owasp-cloud-native-application-security-top-10 Mailing List]<br />
<br />
== Github Repo ==<br />
[https://github.com/OWASP/Cloud-Native-Application-Security-Top-10 Github]<br />
<br />
== Related Projects ==<br />
<br />
* [[:Category:OWASP Top Ten Project]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243694OWASP Cloud-Native Application Security Top 102018-09-25T07:48:27Z<p>Orysegal: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
The OWASP Cloud-Native Top 10 is free for use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0). <br />
<br />
== Roadmap ==<br />
* '''29-SEP-2018''': Initial draft<br />
* '''8-NOV-2018''': Alpha release / Official public call<br />
* '''27-DEC-2019''': End of public call / Processing data collected<br />
* '''18-FEB-2019''': Release candidate for review<br />
* '''27-MAR-2019''': Official release <br />
<br />
== Project Sponsors ==<br />
The project is sponsored by:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]]<br />
<br />
== Project Mailing List ==<br />
[https://lists.owasp.org/mailman/listinfo/owasp-cloud-native-application-security-top-10 Mailing List]<br />
<br />
== Github Repo ==<br />
[https://github.com/OWASP/Cloud-Native-Application-Security-Top-10 Github]<br />
<br />
== Related Projects ==<br />
<br />
* [[:Category:OWASP Top Ten Project]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243693OWASP Cloud-Native Application Security Top 102018-09-25T07:46:38Z<p>Orysegal: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
The OWASP Cloud-Native Top 10 is free for use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0). <br />
<br />
== Roadmap ==<br />
* '''29-SEP-2018''': Initial draft<br />
* '''8-NOV-2018''': Alpha release / Official public call<br />
* '''27-DEC-2019''': End of public call / Processing data collected<br />
* '''18-FEB-2019''': Release candidate for review<br />
* '''27-MAR-2019''': Official release <br />
<br />
== Project Sponsors ==<br />
The project is sponsored by:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]]<br />
<br />
== Project Mailing List ==<br />
[https://lists.owasp.org/mailman/listinfo/owasp-cloud-native-application-security-top-10 Mailing List]<br />
<br />
== Related Projects ==<br />
<br />
* [[:Category:OWASP Top Ten Project]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243659OWASP Cloud-Native Application Security Top 102018-09-24T06:16:57Z<p>Orysegal: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
The OWASP Cloud-Native Top 10 is free for use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0). <br />
<br />
== Roadmap ==<br />
* '''29-SEP-2018''': Initial draft<br />
* '''8-NOV-2018''': Alpha release / Official public call<br />
* '''27-DEC-2019''': End of public call / Processing data collected<br />
* '''18-FEB-2019''': Release candidate for review<br />
* '''27-MAR-2019''': Official release <br />
<br />
== Project Sponsors ==<br />
The project is sponsored by:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]]<br />
<br />
== Related Projects ==<br />
<br />
* [[:Category:OWASP Top Ten Project]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243620OWASP Cloud-Native Application Security Top 102018-09-22T19:58:37Z<p>Orysegal: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
The OWASP Cloud-Native Top 10 is free for use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0). <br />
<br />
== Project Sponsors ==<br />
The project is sponsored by:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]]<br />
<br />
== Related Projects ==<br />
<br />
* [[:Category:OWASP Top Ten Project]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243551OWASP Cloud-Native Application Security Top 102018-09-20T05:25:45Z<p>Orysegal: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP Cloud-Native Application Security Top 10 and any contributions are Copyright &copy; by OWASP 2018. <br />
<br />
== Project Sponsors ==<br />
The project is sponsored by:<br />
<br />
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]]<br />
<br />
== Related Projects ==<br />
<br />
* [[:Category:OWASP Top Ten Project]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243550OWASP Cloud-Native Application Security Top 102018-09-20T05:25:03Z<p>Orysegal: /* Project Sponsors */</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP Cloud-Native Application Security Top 10 and any contributions are Copyright &copy; by OWASP 2018. <br />
<br />
== Project Sponsors ==<br />
The project is sponsored by:<br />
<br />
[https://www.puresec.io/][[File:PureSec-Logo.png|frameless]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]]<br />
<br />
== Related Projects ==<br />
<br />
* [[:Category:OWASP Top Ten Project]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243549OWASP Cloud-Native Application Security Top 102018-09-20T05:23:44Z<p>Orysegal: /* Project Sponsors */</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP Cloud-Native Application Security Top 10 and any contributions are Copyright &copy; by OWASP 2018. <br />
<br />
== Project Sponsors ==<br />
The project is sponsored by:<br />
<br />
[[File:PureSec-Logo.png|frameless]]<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]]<br />
<br />
== Related Projects ==<br />
<br />
* [[:Category:OWASP Top Ten Project]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243548OWASP Cloud-Native Application Security Top 102018-09-20T05:23:12Z<p>Orysegal: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP Cloud-Native Application Security Top 10 and any contributions are Copyright &copy; by OWASP 2018. <br />
<br />
== Project Sponsors ==<br />
The project is sponsored by:<br />
[[File:PureSec-Logo.png|left|frameless|puresec]]<br />
<br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]]<br />
<br />
== Related Projects ==<br />
<br />
* [[:Category:OWASP Top Ten Project]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243547OWASP Cloud-Native Application Security Top 102018-09-20T05:17:15Z<p>Orysegal: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP Cloud-Native Application Security Top 10 and any contributions are Copyright &copy; by OWASP 2018. <br />
<br />
== Project Sponsors ==<br />
[[File:PureSec-Logo.png|left|frameless|puresec]]<br />
<br />
<br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]]<br />
<br />
== Related Projects ==<br />
<br />
* [[:Category:OWASP Top Ten Project]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243546OWASP Cloud-Native Application Security Top 102018-09-20T05:15:47Z<p>Orysegal: initial modifications</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP Cloud-Native Application Security Top 10 and any contributions are Copyright &copy; by OWASP 2018. <br />
<br />
== Project Sponsors ==<br />
[[File:PureSec-Logo.png|left|frameless|puresec]]<br />
<br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Code_Project_Template]]<br />
* [[OWASP_Tool_Project_Template]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=File:PureSec-Logo.png&diff=243545File:PureSec-Logo.png2018-09-20T05:13:58Z<p>Orysegal: </p>
<hr />
<div>PureSec Logo</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Cloud-Native_Application_Security_Top_10&diff=243544OWASP Cloud-Native Application Security Top 102018-09-20T05:12:42Z<p>Orysegal: Initial text</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Introduction==<br />
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, cloud functions (serverless), service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. Cloud-Native Applications is a fundamentally new and exciting approach to designing and building software. However, it also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring and detection become more complex and difficult to execute. <br />
<br />
== Purpose ==<br />
The primary goal of this document is to provide assistance and education for organizations looking to adopt Cloud-Native Applications. The guide provides information about what are the most prominent security risks for Cloud-Native applications, the challenges involved, and how to overcome them.<br />
<br />
==Licensing==<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP Cloud-Native Application Security Top 10 and any contributions are Copyright &copy; by OWASP 2018. <br />
<br />
== Project Sponsors ==<br />
<br />
<br />
==Getting Involved==<br />
You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.<br />
Possible ways to get contribute:<br />
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.<br />
* Translation efforts (later stages)<br />
* Individuals and organizations that will contribute to the project will listed on the acknowledgments page.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
TBD<br />
<br />
== Project Leader ==<br />
[[User:Orysegal|Ory Segal]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Code_Project_Template]]<br />
* [[OWASP_Tool_Project_Template]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Document]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=User:Orysegal&diff=243366User:Orysegal2018-09-13T18:10:31Z<p>Orysegal: </p>
<hr />
<div>[[File:Ory Segal.png|thumb]]<br />
<br />
= ABOUT =<br />
== BIO ==<br />
Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec (Serverless Security). Prior to PureSec, Ory was Senior Director of threat research at Akamai, where he led a team of web security and big data researchers, responsible for developing algorithms for Akamai's Kona cloud security product line. In this role, Ory research and published articles about web security, bot management, client reputation and device fingerprinting. Prior to Akamai, Ory worked at IBM as the security products architect and product manager for the market leading application security solution IBM Security AppScan (previously Watchfire/Sanctum AppScan), a product which Ory developed and contributed to since the year 2000. Ory authored 20 patents in the field of application security, static analysis, dynamic analysis, threat reputation and systems. He is currently serving as an officer of the Web Application Security Consortium (WASC), he was a member of the W3C WebAppSec working group, and was an OWASP Israel board member. Ory is a regular conference presenter and presented in conferences such as: Blackhat, RSA, OWASP AppSec, CyberTech, ServerlessDays, CodeBlue and Gartner Security Summit. <br />
<br />
== Contact ==<br />
[https://www.linkedin.com/in/orysegal/ LinkedIn]<br />
<br />
[https://twitter.com/orysegal Twitter]<br />
<br />
Email: orysegal [ at ] gmail.com<br />
<br />
== Community / Industry Contributions & Participation ==<br />
* [[WASC OWASP Web Application Firewall Evaluation Criteria Project]]<br />
* OWASP AppSec NYC: Big Data Intelligence https://www.youtube.com/watch?v=afMvndBEv-I<br />
* CWE/SANS Top 25: https://www.sans.org/top25-software-errors<br />
* WASC Static Analysis Evaluation Criteria: http://projects.webappsec.org/w/page/66094278/Static%20Analysis%20Technologies%20Evaluation%20Criteria<br />
* WASC Threat Classification (TC): http://projects.webappsec.org/w/page/13246978/Threat%20Classification<br />
* WASC Web Application Security Scanner Evaluation Criteria: http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria<br />
* NIST SAMATE - Software Assurance Metrics And Tool Evaluation: https://samate.nist.gov/Main_Page.html<br />
* W3C Web Application Security Working Group: https://www.w3.org/2000/09/dbwg/details?group=49309&public=1&order=org<br />
* The Ten Most Critical Risks for Serverless Applications v1.0: https://github.com/puresec/sas-top-10<br />
<br />
== Experience ==<br />
2017 - Present: CTO & co-founder at [https://www.puresec.io/ PureSec] (Serverless Security)<br />
<br />
2012 - 2017: Sr. Director, Threat Research at [https://www.akamai.com/ Akamai]<br />
<br />
2007 - 2012: Security Products Architect (AppScan) at [https://www.ibm.com/ IBM]<br />
<br />
2005 - 2007: Director of Security Research at [https://www.crunchbase.com/organization/watchfire Watchfire] (acquired by IBM)<br />
<br />
2000 - 2005: Senior Security Researcher at [https://www.crunchbase.com/organization/sanctum-inc Sanctum inc] (acquired by Watchfire)<br />
<br />
1997 - 2000: Penetration Testing Team Leader at [http://www.avnet-cyber.com/ Avnet] Cyber Security<br />
<br />
== Notable Publications ==<br />
* [https://www.puresec.io/hubfs/Apache%20OpenWhisk%20PureSec%20Security%20Advisory.pdf Apache OpenWhisk Serverless 'Action' Mutability Weakness] (advisory / whitepaper)<br />
* [https://www.puresec.io/hubfs/New%20Attack%20Vector_%20Serverless%20Crypto-Mining.pdf Serverless Crypto-Mining] (whitepaper)<br />
* [https://www.akamai.com/us/en/multimedia/documents/white-paper/passive-fingerprinting-of-http2-clients-white-paper.pdf HTTP/2.0 Passive Client Fingerprinting] (whitepaper)<br />
* [https://www.akamai.com/jp/ja/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf SSHowDowN]: Exploitation of IoT Devices for Launching Mass-Scale Attack Campaigns (whitepaper)<br />
* [https://blogs.akamai.com/2014/02/hql-statement-tampering.html HQL Statement Tampering] (advisory / whitepaper)<br />
* [http://blog.watchfire.com/wfblog/2008/06/javascript-code.html JavaScript Code Flow Manipulation] (blog/advisory)<br />
* [https://www.slideshare.net/ibmrational/a-look-at-the-prevalence-of-clientside-javascript-vulnerabilities-in-web-applications Close Encounters of the Third Kind]: A Look at the Prevalence of Client-Side JavaScript Vulnerabilities (whitepaper)<br />
* [https://www.slideshare.net/orysegal/clientside-javascript-vulnerabilities Client-Side JavaScript Vulnerabilities] (presentation)<br />
* [https://packetstormsecurity.com/files/25903/Apache.Win32.txt.html Vulnerability in Apache for Win32 batch file processing] (Remote Command Execution, advisory)<br />
* [https://packetstormsecurity.com/files/33006/msSharePointXSS.txt.html Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server] (advisory)<br />
* [https://packetstormsecurity.com/files/34646/iis5x60.txt.html IIS 5.x/6.0 WebDAV (XML parser) attribute blowup DoS] (with Amit Klein)<br />
* [https://seclists.org/vuln-dev/2002/May/346 Multiple vendors web server source code disclosure (8.3 name format vulnerability - Take II)] (with Amit Klein)</div>Orysegalhttps://wiki.owasp.org/index.php?title=User:Orysegal&diff=243365User:Orysegal2018-09-13T18:09:02Z<p>Orysegal: </p>
<hr />
<div>[[File:Ory Segal.png|thumb]]<br />
<br />
= ABOUT =<br />
== BIO ==<br />
Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec (Serverless Security). Prior to PureSec, Ory was Senior Director of threat research at Akamai, where he led a team of web security and big data researchers, responsible for developing algorithms for Akamai's Kona cloud security product line. In this role, Ory research and published articles about web security, bot management, client reputation and device fingerprinting. Prior to Akamai, Ory worked at IBM as the security products architect and product manager for the market leading application security solution IBM Security AppScan (previously Watchfire/Sanctum AppScan), a product which Ory developed and contributed to since the year 2000. Ory authored 20 patents in the field of application security, static analysis, dynamic analysis, threat reputation and systems. He is currently serving as an officer of the Web Application Security Consortium (WASC), he was a member of the W3C WebAppSec working group, and was an OWASP Israel board member. Ory is a regular conference presenter and presented in conferences such as: Blackhat, RSA, OWASP AppSec, CyberTech, ServerlessDays, CodeBlue and Gartner Security Summit. <br />
<br />
== Contact ==<br />
[https://www.linkedin.com/in/orysegal/ LinkedIn]<br />
<br />
[https://twitter.com/orysegal Twitter]<br />
<br />
[mailto://orysegal@gmail.com Email]<br />
<br />
== Community / Industry Contributions & Participation ==<br />
* [[WASC OWASP Web Application Firewall Evaluation Criteria Project]]<br />
* OWASP AppSec NYC: Big Data Intelligence https://www.youtube.com/watch?v=afMvndBEv-I<br />
* CWE/SANS Top 25: https://www.sans.org/top25-software-errors<br />
* WASC Static Analysis Evaluation Criteria: http://projects.webappsec.org/w/page/66094278/Static%20Analysis%20Technologies%20Evaluation%20Criteria<br />
* WASC Threat Classification (TC): http://projects.webappsec.org/w/page/13246978/Threat%20Classification<br />
* WASC Web Application Security Scanner Evaluation Criteria: http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria<br />
* NIST SAMATE - Software Assurance Metrics And Tool Evaluation: https://samate.nist.gov/Main_Page.html<br />
* W3C Web Application Security Working Group: https://www.w3.org/2000/09/dbwg/details?group=49309&public=1&order=org<br />
* The Ten Most Critical Risks for Serverless Applications v1.0: https://github.com/puresec/sas-top-10<br />
<br />
== Experience ==<br />
2017 - Present: CTO & co-founder at [https://www.puresec.io/ PureSec] (Serverless Security)<br />
<br />
2012 - 2017: Sr. Director, Threat Research at [https://www.akamai.com/ Akamai]<br />
<br />
2007 - 2012: Security Products Architect (AppScan) at [https://www.ibm.com/ IBM]<br />
<br />
2005 - 2007: Director of Security Research at [https://www.crunchbase.com/organization/watchfire Watchfire] (acquired by IBM)<br />
<br />
2000 - 2005: Senior Security Researcher at [https://www.crunchbase.com/organization/sanctum-inc Sanctum inc] (acquired by Watchfire)<br />
<br />
1997 - 2000: Penetration Testing Team Leader at [http://www.avnet-cyber.com/ Avnet] Cyber Security<br />
<br />
== Notable Publications ==<br />
* [https://www.puresec.io/hubfs/Apache%20OpenWhisk%20PureSec%20Security%20Advisory.pdf Apache OpenWhisk Serverless 'Action' Mutability Weakness] (advisory / whitepaper)<br />
* [https://www.puresec.io/hubfs/New%20Attack%20Vector_%20Serverless%20Crypto-Mining.pdf Serverless Crypto-Mining] (whitepaper)<br />
* [https://www.akamai.com/us/en/multimedia/documents/white-paper/passive-fingerprinting-of-http2-clients-white-paper.pdf HTTP/2.0 Passive Client Fingerprinting] (whitepaper)<br />
* [https://www.akamai.com/jp/ja/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf SSHowDowN]: Exploitation of IoT Devices for Launching Mass-Scale Attack Campaigns (whitepaper)<br />
* [https://blogs.akamai.com/2014/02/hql-statement-tampering.html HQL Statement Tampering] (advisory / whitepaper)<br />
* [http://blog.watchfire.com/wfblog/2008/06/javascript-code.html JavaScript Code Flow Manipulation] (blog/advisory)<br />
* [https://www.slideshare.net/ibmrational/a-look-at-the-prevalence-of-clientside-javascript-vulnerabilities-in-web-applications Close Encounters of the Third Kind]: A Look at the Prevalence of Client-Side JavaScript Vulnerabilities (whitepaper)<br />
* [https://www.slideshare.net/orysegal/clientside-javascript-vulnerabilities Client-Side JavaScript Vulnerabilities] (presentation)<br />
* [https://packetstormsecurity.com/files/25903/Apache.Win32.txt.html Vulnerability in Apache for Win32 batch file processing] (Remote Command Execution, advisory)<br />
* [https://packetstormsecurity.com/files/33006/msSharePointXSS.txt.html Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server] (advisory)<br />
* [https://packetstormsecurity.com/files/34646/iis5x60.txt.html IIS 5.x/6.0 WebDAV (XML parser) attribute blowup DoS] (with Amit Klein)<br />
* [https://seclists.org/vuln-dev/2002/May/346 Multiple vendors web server source code disclosure (8.3 name format vulnerability - Take II)] (with Amit Klein)</div>Orysegalhttps://wiki.owasp.org/index.php?title=User:Orysegal&diff=243364User:Orysegal2018-09-13T18:04:12Z<p>Orysegal: </p>
<hr />
<div>[[File:Ory Segal.png|thumb]]<br />
<br />
= ABOUT =<br />
== BIO ==<br />
Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec (Serverless Security). Prior to PureSec, Ory was Senior Director of threat research at Akamai, where he led a team of web security and big data researchers, responsible for developing algorithms for Akamai's Kona cloud security product line. In this role, Ory research and published articles about web security, bot management, client reputation and device fingerprinting. Prior to Akamai, Ory worked at IBM as the security products architect and product manager for the market leading application security solution IBM Security AppScan (previously Watchfire/Sanctum AppScan), a product which Ory developed and contributed to since the year 2000. Ory authored 20 patents in the field of application security, static analysis, dynamic analysis, threat reputation and systems. He is currently serving as an officer of the Web Application Security Consortium (WASC), he was a member of the W3C WebAppSec working group, and was an OWASP Israel board member. Ory is a regular conference presenter and presented in conferences such as: Blackhat, RSA, OWASP AppSec, CyberTech, ServerlessDays, CodeBlue and Gartner Security Summit, <br />
<br />
== Community / Industry Contributions & Participation ==<br />
* [[WASC OWASP Web Application Firewall Evaluation Criteria Project]]<br />
* OWASP AppSec NYC: Big Data Intelligence https://www.youtube.com/watch?v=afMvndBEv-I<br />
* CWE/SANS Top 25: https://www.sans.org/top25-software-errors<br />
* WASC Static Analysis Evaluation Criteria: http://projects.webappsec.org/w/page/66094278/Static%20Analysis%20Technologies%20Evaluation%20Criteria<br />
* WASC Threat Classification (TC): http://projects.webappsec.org/w/page/13246978/Threat%20Classification<br />
* WASC Web Application Security Scanner Evaluation Criteria: http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria<br />
* NIST SAMATE - Software Assurance Metrics And Tool Evaluation: https://samate.nist.gov/Main_Page.html<br />
* W3C Web Application Security Working Group: https://www.w3.org/2000/09/dbwg/details?group=49309&public=1&order=org<br />
* The Ten Most Critical Risks for Serverless Applications v1.0: https://github.com/puresec/sas-top-10<br />
<br />
== Experience ==<br />
2017 - Present: CTO & co-founder at [https://www.puresec.io/ PureSec] (Serverless Security)<br />
<br />
2012 - 2017: Sr. Director, Threat Research at [https://www.akamai.com/ Akamai]<br />
<br />
2007 - 2012: Security Products Architect (AppScan) at [https://www.ibm.com/ IBM]<br />
<br />
2005 - 2007: Director of Security Research at [https://www.crunchbase.com/organization/watchfire Watchfire] (acquired by IBM)<br />
<br />
2000 - 2005: Senior Security Researcher at [https://www.crunchbase.com/organization/sanctum-inc Sanctum inc] (acquired by Watchfire)<br />
<br />
1997 - 2000: Penetration Testing Team Leader at [http://www.avnet-cyber.com/ Avnet] Cyber Security<br />
<br />
== Notable Publications ==<br />
* [https://www.puresec.io/hubfs/Apache%20OpenWhisk%20PureSec%20Security%20Advisory.pdf Apache OpenWhisk Serverless 'Action' Mutability Weakness] (advisory / whitepaper)<br />
* [https://www.puresec.io/hubfs/New%20Attack%20Vector_%20Serverless%20Crypto-Mining.pdf Serverless Crypto-Mining] (whitepaper)<br />
* [https://www.akamai.com/us/en/multimedia/documents/white-paper/passive-fingerprinting-of-http2-clients-white-paper.pdf HTTP/2.0 Passive Client Fingerprinting] (whitepaper)<br />
* [https://www.akamai.com/jp/ja/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf SSHowDowN]: Exploitation of IoT Devices for Launching Mass-Scale Attack Campaigns (whitepaper)<br />
* [https://blogs.akamai.com/2014/02/hql-statement-tampering.html HQL Statement Tampering] (advisory / whitepaper)<br />
* [http://blog.watchfire.com/wfblog/2008/06/javascript-code.html JavaScript Code Flow Manipulation] (blog/advisory)<br />
* [https://www.slideshare.net/ibmrational/a-look-at-the-prevalence-of-clientside-javascript-vulnerabilities-in-web-applications Close Encounters of the Third Kind]: A Look at the Prevalence of Client-Side JavaScript Vulnerabilities (whitepaper)<br />
* [https://www.slideshare.net/orysegal/clientside-javascript-vulnerabilities Client-Side JavaScript Vulnerabilities] (presentation)<br />
* [https://packetstormsecurity.com/files/25903/Apache.Win32.txt.html Vulnerability in Apache for Win32 batch file processing] (Remote Command Execution, advisory)<br />
* [https://packetstormsecurity.com/files/33006/msSharePointXSS.txt.html Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server] (advisory)<br />
* [https://packetstormsecurity.com/files/34646/iis5x60.txt.html IIS 5.x/6.0 WebDAV (XML parser) attribute blowup DoS] (with Amit Klein)<br />
* [https://seclists.org/vuln-dev/2002/May/346 Multiple vendors web server source code disclosure (8.3 name format vulnerability - Take II)] (with Amit Klein)</div>Orysegalhttps://wiki.owasp.org/index.php?title=User:Orysegal&diff=243363User:Orysegal2018-09-13T17:55:18Z<p>Orysegal: </p>
<hr />
<div>[[File:Ory Segal.png|thumb]]<br />
<br />
= ABOUT =<br />
== BIO ==<br />
Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec (Serverless Security). Prior to PureSec, Ory was Senior Director of threat research at Akamai, where he led a team of web security and big data researchers, responsible for developing algorithms for Akamai's Kona cloud security product line. In this role, Ory research and published articles about web security, bot management, client reputation and device fingerprinting. Prior to Akamai, Ory worked at IBM as the security products architect and product manager for the market leading application security solution IBM Security AppScan (previously Watchfire/Sanctum AppScan), a product which Ory developed and contributed to since the year 2000. Ory authored 20 patents in the field of application security, static analysis, dynamic analysis, threat reputation and systems. He is currently serving as an officer of the Web Application Security Consortium (WASC), he was a member of the W3C WebAppSec working group, and was an OWASP Israel board member. Ory is a regular conference presenter and presented in conferences such as: Blackhat, RSA, OWASP AppSec, CyberTech, ServerlessDays, CodeBlue and Gartner Security Summit, <br />
<br />
== Community / Industry Contributions & Participation ==<br />
* [[WASC OWASP Web Application Firewall Evaluation Criteria Project]]<br />
* OWASP AppSec NYC: Big Data Intelligence https://www.youtube.com/watch?v=afMvndBEv-I<br />
* CWE/SANS Top 25: https://www.sans.org/top25-software-errors<br />
* WASC Static Analysis Evaluation Criteria: http://projects.webappsec.org/w/page/66094278/Static%20Analysis%20Technologies%20Evaluation%20Criteria<br />
* WASC Threat Classification (TC): http://projects.webappsec.org/w/page/13246978/Threat%20Classification<br />
* WASC Web Application Security Scanner Evaluation Criteria: http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria<br />
* NIST SAMATE - Software Assurance Metrics And Tool Evaluation: https://samate.nist.gov/Main_Page.html<br />
* W3C Web Application Security Working Group: https://www.w3.org/2000/09/dbwg/details?group=49309&public=1&order=org<br />
* The Ten Most Critical Risks for Serverless Applications v1.0: https://github.com/puresec/sas-top-10<br />
<br />
== Experience ==<br />
2017 - Present: CTO & co-founder at [https://www.puresec.io/ PureSec] (Serverless Security)<br />
<br />
2012 - 2017: Sr. Director, Threat Research at [https://www.akamai.com/ Akamai]<br />
<br />
2007 - 2012: Security Products Architect (AppScan) at [https://www.ibm.com/ IBM]<br />
<br />
2005 - 2007: Director of Security Research at [https://www.crunchbase.com/organization/watchfire Watchfire] (acquired by IBM)<br />
<br />
2000 - 2005: Senior Security Researcher at [https://www.crunchbase.com/organization/sanctum-inc Sanctum inc] (acquired by Watchfire)<br />
<br />
1997 - 2000: Penetration Testing Team Leader at [http://www.avnet-cyber.com/ Avnet] Cyber Security<br />
<br />
== Notable Publications ==<br />
* [https://www.puresec.io/hubfs/Apache%20OpenWhisk%20PureSec%20Security%20Advisory.pdf Apache OpenWhisk Serverless 'Action' Mutability Weakness] (advisory / whitepaper)<br />
* [https://www.puresec.io/hubfs/New%20Attack%20Vector_%20Serverless%20Crypto-Mining.pdf Serverless Crypto-Mining] (whitepaper)<br />
* [https://www.akamai.com/us/en/multimedia/documents/white-paper/passive-fingerprinting-of-http2-clients-white-paper.pdf HTTP/2.0 Passive Client Fingerprinting] (whitepaper)<br />
* [https://www.akamai.com/jp/ja/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf SSHowDowN]: Exploitation of IoT Devices for Launching Mass-Scale Attack Campaigns (whitepaper)<br />
* [https://blogs.akamai.com/2014/02/hql-statement-tampering.html HQL Statement Tampering] (advisory / whitepaper)<br />
* [https://www.slideshare.net/ibmrational/a-look-at-the-prevalence-of-clientside-javascript-vulnerabilities-in-web-applications Close Encounters of the Third Kind]: A Look at the Prevalence of Client-Side JavaScript Vulnerabilities (whitepaper)<br />
* [https://www.slideshare.net/orysegal/clientside-javascript-vulnerabilities Client-Side JavaScript Vulnerabilities] (presentation)<br />
* [https://packetstormsecurity.com/files/25903/Apache.Win32.txt.html Vulnerability in Apache for Win32 batch file processing] (Remote Command Execution, advisory)<br />
* [https://packetstormsecurity.com/files/33006/msSharePointXSS.txt.html Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server] (advisory)<br />
* [https://packetstormsecurity.com/files/34646/iis5x60.txt.html IIS 5.x/6.0 WebDAV (XML parser) attribute blowup DoS] (with Amit Klein)<br />
* [https://seclists.org/vuln-dev/2002/May/346 Multiple vendors web server source code disclosure (8.3 name format vulnerability - Take II)] (with Amit Klein)</div>Orysegalhttps://wiki.owasp.org/index.php?title=User:Orysegal&diff=243362User:Orysegal2018-09-13T17:36:42Z<p>Orysegal: </p>
<hr />
<div>[[File:Ory Segal.png|thumb]]<br />
<br />
= ABOUT =<br />
== BIO ==<br />
Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec, a start-up that enables organizations to secure serverless applications. Prior to PureSec, Ory was Senior Director of threat research at Akamai, where he led a team of web security and big data researchers, responsible for developing algorithms for Akamai's Kona cloud security product line. In this role, Ory research and published articles about web security, bot management, client reputation and device fingerprinting. Prior to Akamai, Ory worked at IBM as the security products architect and product manager for the market leading application security solution IBM Security AppScan (previously Watchfire/Sanctum AppScan), a product which Ory developed and contributed to since the year 2000. Ory authored 20 patents in the field of application security, static analysis, dynamic analysis, threat reputation and systems. He is currently serving as an officer of the Web Application Security Consortium (WASC), he was a member of the W3C WebAppSec working group, and was an OWASP Israel board member. Ory is a regular conference presenter and presented in conferences such as: Blackhat, RSA, OWASP AppSec, CyberTech, ServerlessDays, CodeBlue and Gartner Security Summit, <br />
<br />
== Community / Industry Contributions & Participation ==<br />
* [[WASC OWASP Web Application Firewall Evaluation Criteria Project]]<br />
* OWASP AppSec NYC: Big Data Intelligence https://www.youtube.com/watch?v=afMvndBEv-I<br />
* CWE/SANS Top 25: https://www.sans.org/top25-software-errors<br />
* WASC Static Analysis Evaluation Criteria: http://projects.webappsec.org/w/page/66094278/Static%20Analysis%20Technologies%20Evaluation%20Criteria<br />
* WASC Threat Classification (TC): http://projects.webappsec.org/w/page/13246978/Threat%20Classification<br />
* WASC Web Application Security Scanner Evaluation Criteria: http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria<br />
* NIST SAMATE - Software Assurance Metrics And Tool Evaluation: https://samate.nist.gov/Main_Page.html<br />
* W3C Web Application Security Working Group: https://www.w3.org/2000/09/dbwg/details?group=49309&public=1&order=org<br />
* The Ten Most Critical Risks for Serverless Applications v1.0: https://github.com/puresec/sas-top-10<br />
<br />
== Experience ==<br />
2017 - Present: CTO & co-founder at [https://www.puresec.io/ PureSec] (Serverless Security)<br />
<br />
2012 - 2017: Sr. Director, Threat Research at [https://www.akamai.com/ Akamai]<br />
<br />
2007 - 2012: Security Products Architect (AppScan) at [https://www.ibm.com/ IBM]<br />
<br />
2005 - 2007: Director of Security Research at [https://www.crunchbase.com/organization/watchfire Watchfire] (acquired by IBM)<br />
<br />
2000 - 2005: Senior Security Researcher at [https://www.crunchbase.com/organization/sanctum-inc Sanctum inc] (acquired by Watchfire)<br />
<br />
1997 - 2000: Penetration Testing Team Leader at [http://www.avnet-cyber.com/ Avnet] Cyber Security</div>Orysegalhttps://wiki.owasp.org/index.php?title=User:Orysegal&diff=243361User:Orysegal2018-09-13T17:27:49Z<p>Orysegal: </p>
<hr />
<div>[[File:Ory Segal.png|thumb]]<br />
<br />
= ABOUT =<br />
== BIO ==<br />
Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec, a start-up that enables organizations to secure serverless applications. Prior to PureSec, Ory was Senior Director of threat research at Akamai, where he led a team of web security and big data researchers, responsible for developing algorithms for Akamai's Kona cloud security product line. In this role, Ory research and published articles about web security, bot management, client reputation and device fingerprinting. Prior to Akamai, Ory worked at IBM as the security products architect and product manager for the market leading application security solution IBM Security AppScan (previously Watchfire/Sanctum AppScan), a product which Ory developed and contributed to since the year 2000. Ory authored 20 patents in the field of application security, static analysis, dynamic analysis, threat reputation and systems. He is currently serving as an officer of the Web Application Security Consortium (WASC), he was a member of the W3C WebAppSec working group, and was an OWASP Israel board member. Ory is a regular conference presenter and presented in conferences such as: Blackhat, RSA, OWASP AppSec, CyberTech, ServerlessDays, CodeBlue and Gartner Security Summit, <br />
<br />
== Community / Industry Contributions & Participation ==<br />
* [[WASC OWASP Web Application Firewall Evaluation Criteria Project]]<br />
* OWASP AppSec NYC: Big Data Intelligence https://www.youtube.com/watch?v=afMvndBEv-I<br />
* CWE/SANS Top 25: https://www.sans.org/top25-software-errors<br />
* WASC Static Analysis Evaluation Criteria: http://projects.webappsec.org/w/page/66094278/Static%20Analysis%20Technologies%20Evaluation%20Criteria<br />
* WASC Threat Classification (TC): http://projects.webappsec.org/w/page/13246978/Threat%20Classification<br />
* WASC Web Application Security Scanner Evaluation Criteria: http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria<br />
* NIST SAMATE - Software Assurance Metrics And Tool Evaluation: https://samate.nist.gov/Main_Page.html<br />
* W3C Web Application Security Working Group: https://www.w3.org/2000/09/dbwg/details?group=49309&public=1&order=org<br />
* The Ten Most Critical Risks for Serverless Applications v1.0: https://github.com/puresec/sas-top-10</div>Orysegalhttps://wiki.owasp.org/index.php?title=File:Ory_Segal.png&diff=243360File:Ory Segal.png2018-09-13T17:27:10Z<p>Orysegal: </p>
<hr />
<div>Ory Segal</div>Orysegalhttps://wiki.owasp.org/index.php?title=User:Orysegal&diff=243239User:Orysegal2018-09-07T16:01:00Z<p>Orysegal: Minor edits</p>
<hr />
<div>= ABOUT =<br />
== BIO ==<br />
Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec, a start-up that enables organizations to secure serverless applications. Prior to PureSec, Ory was Senior Director of threat research at Akamai, where he led a team of web security and big data researchers, responsible for developing algorithms for Akamai's Kona cloud security product line. In this role, Ory research and published articles about web security, bot management, client reputation and device fingerprinting. Prior to Akamai, Ory worked at IBM as the security products architect and product manager for the market leading application security solution IBM Security AppScan (previously Watchfire/Sanctum AppScan), a product which Ory developed and contributed to since the year 2000. Ory authored 20 patents in the field of application security, static analysis, dynamic analysis, threat reputation and systems. He is currently serving as an officer of the Web Application Security Consortium (WASC), he was a member of the W3C WebAppSec working group, and was an OWASP Israel board member. Ory is a regular conference presenter and presented in conferences such as: Blackhat, RSA, OWASP AppSec, CyberTech, ServerlessDays, CodeBlue and Gartner Security Summit, <br />
<br />
== Community / Industry Contributions & Participation ==<br />
* [[WASC OWASP Web Application Firewall Evaluation Criteria Project]]<br />
* OWASP AppSec NYC: Big Data Intelligence https://www.youtube.com/watch?v=afMvndBEv-I<br />
* CWE/SANS Top 25: https://www.sans.org/top25-software-errors<br />
* WASC Static Analysis Evaluation Criteria: http://projects.webappsec.org/w/page/66094278/Static%20Analysis%20Technologies%20Evaluation%20Criteria<br />
* WASC Threat Classification (TC): http://projects.webappsec.org/w/page/13246978/Threat%20Classification<br />
* WASC Web Application Security Scanner Evaluation Criteria: http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria<br />
* NIST SAMATE - Software Assurance Metrics And Tool Evaluation: https://samate.nist.gov/Main_Page.html<br />
* W3C Web Application Security Working Group: https://www.w3.org/2000/09/dbwg/details?group=49309&public=1&order=org<br />
* The Ten Most Critical Risks for Serverless Applications v1.0: https://github.com/puresec/sas-top-10</div>Orysegalhttps://wiki.owasp.org/index.php?title=User:Orysegal&diff=243238User:Orysegal2018-09-07T15:58:46Z<p>Orysegal: Initial page</p>
<hr />
<div>= ABOUT =<br />
== BIO ==<br />
Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec, a start-up that enables organizations to secure serverless applications. Prior to PureSec, Ory was Senior Director of threat research at Akamai, where he led a team of web security and big data researchers, responsible for developing algorithms for Akamai's Kona cloud security product line. In this role, Ory research and published articles about web security, bot management, client reputation and device fingerprinting. Prior to Akamai, Ory worked at IBM as the security products architect and product manager for the market leading application security solution IBM Security AppScan (previously Watchfire/Sanctum AppScan), a product which Ory developed and contributed to since the year 2000. Ory authored 20 patents in the field of application security, static analysis, dynamic analysis, threat reputation and systems. He is currently serving as an officer of the Web Application Security Consortium (WASC), he was a member of the W3C WebAppSec working group, and was an OWASP Israel board member. Ory is a regular conference presenter and presented in conferences such as: Blackhat, RSA, OWASP AppSec, CyberTech, ServerlessDays, CodeBlue and Gartner Security Summit, <br />
<br />
== Contributions ==<br />
* [[WASC OWASP Web Application Firewall Evaluation Criteria Project]]<br />
* OWASP AppSec NYC: Big Data Intelligence https://www.youtube.com/watch?v=afMvndBEv-I<br />
* CWE/SANS Top 25: https://www.sans.org/top25-software-errors<br />
* WASC Static Analysis Evaluation Criteria: http://projects.webappsec.org/w/page/66094278/Static%20Analysis%20Technologies%20Evaluation%20Criteria<br />
* WASC Threat Classification (TC): http://projects.webappsec.org/w/page/13246978/Threat%20Classification<br />
* WASC Web Application Security Scanner Evaluation Criteria: http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria<br />
* NIST SAMATE - Software Assurance Metrics And Tool Evaluation: https://samate.nist.gov/Main_Page.html<br />
* W3C Web Application Security Working Group: https://www.w3.org/2000/09/dbwg/details?group=49309&public=1&order=org</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_IL_Sponsorship&diff=178687OWASP IL Sponsorship2014-07-14T06:30:48Z<p>Orysegal: /* What Should You Prepare as a Sponsor */</p>
<hr />
<div>[[Category:Israel]] <br />
<br />
OWASP is an open source, non-profit organization. While our activities are free for all, we do have costs, and need your help to make our activities better. <br><br />
We are also open to any other non-financial sponsorship ideas that you may have. These are some simple ways in which you can help us: <br />
<br />
<br />
== Commercial Sponsoring an OWASP IL conference == <br />
<br />
{|<br />
|-valign="top"<br />
| OWASP Israel chapter hosts a Regional Conference once a year, usually in September or October. This year as in previous years, we are holding the Conference in partnership with the Efi Arazi Computer Science School at the the Interdisciplinary Center (IDC) Herzliya. [[Israel#Previous_OWASP_Israel_Conferences_and_Meetings|These conferences]] are always very successful and a large number of people attend.<br />
<br />
We encourage companies to sponsor our conferences and help pay for such expenses such as refreshments, photography, video etc. The conferences are not commercial and the cost goes directly to cover expenses. Since the conferences draw an increasingly large number of people, our expenses are also rising accordingly. <br />
<br />
If you or your company benefits from OWASP materials and/or conferences, we encourage you to support us! Moreover, the associated publicity and community goodwill can go a long way. We have several levels of sponsorship available, appropriate for the different organizations that wish to support our activities. Of course, if you are a Corporate Member of OWASP (at any level) and allocate a percentage (20-40%) of your membership fees to the Israel chapter, we can consider those funds as conference sponsorship. It is also possible to be creative and find non-financial ways to support us and contribute to the successful running of the conference. (If you have ideas please contact [mailto:douglen@hotmail.com AviD] directly.<br />
<br />
<br />
'''Past sponsors include Check Point, Microsoft, F5, IBM, Breach Security, Ernst & Young, Comsec, Checkmarx, Imperva, Quotium, Akamai, and many others'''<br />
<br />
| https://www.owasp.org/images/9/96/OWASP_IL_Conf_graphics_small.jpg <br />
|}<br />
<br />
<br />
<br />
=== What You Get for Sponsoring ===<br />
All sponsors, regardless of sponsorship level receive the following: <br />
<br />
* Many thanks, and hopefully a very good feeling of helping the community.<br />
<br />
* Access to all the tools, guides, and libraries OWASP makes available for everybody - if you benefit from these, support the organization! <br />
<br />
* Logo on the conference page. <br />
<br />
* In general, if there is something else specific that you may want, and is within the OWASP guidelines, please let us know.<br />
<br />
==== Platinum Sponsors (3 max) ==== <br />
<br />
* Largest booth area, where you can put up a "roll up" poster or two, and even a "pop-up" style booth (space permitting) to hand out your brochures and freebies. <br />
<br />
* Prime booth location and first choice. <br />
<br />
* Largest logo on the top of the conference page. <br />
<br />
* Logo on the chapter page for the whole year. <br />
<br />
* Recognition in all conference literature. <br />
<br />
* Explicit mention in conference Opening Speech.<br />
<br />
* Price: $2500 USD<br />
<br />
==== Gold Sponsors ====<br />
<br />
* A table top style mini booth where you can put up a "roll up" poster or two and hand out your brochures and freebies.<br />
<br />
* Good booth location and early choice. <br />
<br />
* Large logo near the top of the conference page. <br />
<br />
* Logo on the chapter page for the whole year. (??) <br />
<br />
* Recognition in all conference literature. <br />
<br />
* Collective mention in conference Opening Speech.<br />
<br />
* Price: $1800 USD<br />
<br />
==== Silver Sponsors ====<br />
<br />
* A small table top style mini booth where you can put up a "roll up" poster and hand out your brochures and freebies.<br />
<br />
* Smaller logo on the conference page. <br />
<br />
* Recognition in some conference literature. <br />
<br />
* Passive mention in conference Opening Speech. <br />
<br />
* Price: $900 USD<br />
<br />
==== Community Supporters ==== <br />
<br />
* The "Community Supporter" level of sponsorship is intended for non-profits, government offices, small startups, and other organizations with limited finances, but wish to show their support for the local OWASP chapter. <br />
<br />
* Small logo on the conference page. <br />
<br />
* Community Supporters do not get a booth or table at the sponsor's display area, but you can leave a stack of fliers or swag at a central table. <br />
<br />
* Price: $500 USD<br />
<br />
<br />
=== What You Don't Get ===<br />
* List of people registering or attending. You can collect these by yourself in the booth, for example by offering a prize for people filling in details.<br />
<br />
* A lecture for money. The conference program is strictly selected on professional terms.<br />
<br />
<br />
=== What We Need Your Money For ===<br />
<br />
OWASP is very strictly not-for-profit. We use the sponsorship funds to help make our events even more compelling to the audience while striving to make them free for participants. We want more people to come to our events so we can educate them about making applications more secure. <br />
<br />
Each year, our costs to hold the conference keep rising. Last year, the annual conference drew 50% more people than we expected, and the expenses rose accordingly. Thus we are required to raise the sponsorship fees accordingly, as compared to previous years. <br />
<br />
We use the money collected from sponsors for things such as:<br />
<br />
* '''Lecture videos''' - recording presentations enables them to be available also to people who cannot make it to the conference, and further publicize the contents of the event. <br />
<br />
* '''Venue costs''' - this year's conference is being hosted in partnership with the IDC, so we have minimal direct costs for use of the halls. However there are additional associated costs, for some of the involved logistics such as hiring required equipment. <br />
<br />
* '''Refreshments''' - we want to keep people a long time, and we certainly bring good and interesting speakers, yet we don't want people to go home when they become hungry.<br />
<br />
* '''Name tags''' - we feel that professional networking and getting to know each other is an important facet of the community, and name tags make this easier.<br />
<br />
* '''Promotion''' - Till now, our events are publicized mostly by word of mouth. We would like to get to a wider audience by advertising our events.<br />
<br />
* '''Printed Materials''' - We are not very keen on killing trees, but some people learn more from actual printed paper. We would like to hand out certain printed materials in our conferences.<br />
<br />
By the way, if you feel that you can contribute to any of these in anyway besides money, we will be happy to hear about it.<br />
<br />
<br />
=== What Should You Prepare as a Sponsor ===<br />
As a sponsor, you are not obliged to do anything. Sponsorship can be a philanthropy. However, in order to take advantage of the benefits listed above, we recommend the following:<br />
<br />
* Send us a logo file to put on the conference web page. (Note the maximum logo size according to the sponsorship level). <br />
<br />
* Prepare a roll-up type poster or equivalent for your table top booth.<br />
<br />
* Prepare brochures for handling out to conference attendees.<br />
<br />
* You might also want to hold a sweepstake between people who fill in their details in order to collect leads. We will be happy to announce the prize on the conference page. <br />
<br />
* Come 30 minutes before the conference starts to setup your booth.<br />
<br />
<br />
For further details contact [mailto:orysegal@gmail.com Ory Segal].<br />
<br />
== Not-for-Profit / Barter Sponsorship of OWASP IL Conferences ==<br />
<br />
We are happy to allow any information security related not-for-profit organization to present at our conference expo. You will get, for free, the same benefits that the commercial vendors get. The only condition is that if you hold similar events we would like to present at those events in return.<br />
<br />
We extend the same type of barter to commercial organizations that hold events. If you organize an information security related event, we would let you promote it in our expo in return for having presence in your event.<br />
<br />
Contact [mailto:douglen@hotmail.com AviD] for further details.<br />
<br />
<br />
== Hosting a meeting ==<br />
<br />
We also host regular meetings and look for companies to host or sponsor these meetings. A company that hosts such a meeting is responsible for a meeting location and the refreshments. We need a room that can host at least 150 people. Pizza and drinks are the common refreshments, but alternatives are also OK. Keep in mind that food should be Kosher.<br />
<br />
If you want to host such a meeting, contact [mailto:douglen@hotmail.com AviD].<br />
<br />
<br />
== OWASP Membership ==<br />
<br />
In addition to sponsoring OWASP Israel, you can also join OWASP as a member. For details, please refer to [http://www.owasp.org/index.php/Membership this page].<br />
<br />
<br />
[[Category:OWASP Israel Meetings]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_IL_Sponsorship&diff=178684OWASP IL Sponsorship2014-07-13T14:15:44Z<p>Orysegal: /* Commercial Sponsoring an OWASP IL conference */</p>
<hr />
<div>[[Category:Israel]] <br />
<br />
OWASP is an open source, non-profit organization. While our activities are free for all, we do have costs, and need your help to make our activities better. <br><br />
We are also open to any other non-financial sponsorship ideas that you may have. These are some simple ways in which you can help us: <br />
<br />
<br />
== Commercial Sponsoring an OWASP IL conference == <br />
<br />
{|<br />
|-valign="top"<br />
| OWASP Israel chapter hosts a Regional Conference once a year, usually in September or October. This year as in previous years, we are holding the Conference in partnership with the Efi Arazi Computer Science School at the the Interdisciplinary Center (IDC) Herzliya. [[Israel#Previous_OWASP_Israel_Conferences_and_Meetings|These conferences]] are always very successful and a large number of people attend.<br />
<br />
We encourage companies to sponsor our conferences and help pay for such expenses such as refreshments, photography, video etc. The conferences are not commercial and the cost goes directly to cover expenses. Since the conferences draw an increasingly large number of people, our expenses are also rising accordingly. <br />
<br />
If you or your company benefits from OWASP materials and/or conferences, we encourage you to support us! Moreover, the associated publicity and community goodwill can go a long way. We have several levels of sponsorship available, appropriate for the different organizations that wish to support our activities. Of course, if you are a Corporate Member of OWASP (at any level) and allocate a percentage (20-40%) of your membership fees to the Israel chapter, we can consider those funds as conference sponsorship. It is also possible to be creative and find non-financial ways to support us and contribute to the successful running of the conference. (If you have ideas please contact [mailto:douglen@hotmail.com AviD] directly.<br />
<br />
<br />
'''Past sponsors include Check Point, Microsoft, F5, IBM, Breach Security, Ernst & Young, Comsec, Checkmarx, Imperva, Quotium, Akamai, and many others'''<br />
<br />
| https://www.owasp.org/images/9/96/OWASP_IL_Conf_graphics_small.jpg <br />
|}<br />
<br />
<br />
<br />
=== What You Get for Sponsoring ===<br />
All sponsors, regardless of sponsorship level receive the following: <br />
<br />
* Many thanks, and hopefully a very good feeling of helping the community.<br />
<br />
* Access to all the tools, guides, and libraries OWASP makes available for everybody - if you benefit from these, support the organization! <br />
<br />
* Logo on the conference page. <br />
<br />
* In general, if there is something else specific that you may want, and is within the OWASP guidelines, please let us know.<br />
<br />
==== Platinum Sponsors (3 max) ==== <br />
<br />
* Largest booth area, where you can put up a "roll up" poster or two, and even a "pop-up" style booth (space permitting) to hand out your brochures and freebies. <br />
<br />
* Prime booth location and first choice. <br />
<br />
* Largest logo on the top of the conference page. <br />
<br />
* Logo on the chapter page for the whole year. <br />
<br />
* Recognition in all conference literature. <br />
<br />
* Explicit mention in conference Opening Speech.<br />
<br />
* Price: $2500 USD<br />
<br />
==== Gold Sponsors ====<br />
<br />
* A table top style mini booth where you can put up a "roll up" poster or two and hand out your brochures and freebies.<br />
<br />
* Good booth location and early choice. <br />
<br />
* Large logo near the top of the conference page. <br />
<br />
* Logo on the chapter page for the whole year. (??) <br />
<br />
* Recognition in all conference literature. <br />
<br />
* Collective mention in conference Opening Speech.<br />
<br />
* Price: $1800 USD<br />
<br />
==== Silver Sponsors ====<br />
<br />
* A small table top style mini booth where you can put up a "roll up" poster and hand out your brochures and freebies.<br />
<br />
* Smaller logo on the conference page. <br />
<br />
* Recognition in some conference literature. <br />
<br />
* Passive mention in conference Opening Speech. <br />
<br />
* Price: $900 USD<br />
<br />
==== Community Supporters ==== <br />
<br />
* The "Community Supporter" level of sponsorship is intended for non-profits, government offices, small startups, and other organizations with limited finances, but wish to show their support for the local OWASP chapter. <br />
<br />
* Small logo on the conference page. <br />
<br />
* Community Supporters do not get a booth or table at the sponsor's display area, but you can leave a stack of fliers or swag at a central table. <br />
<br />
* Price: $500 USD<br />
<br />
<br />
=== What You Don't Get ===<br />
* List of people registering or attending. You can collect these by yourself in the booth, for example by offering a prize for people filling in details.<br />
<br />
* A lecture for money. The conference program is strictly selected on professional terms.<br />
<br />
<br />
=== What We Need Your Money For ===<br />
<br />
OWASP is very strictly not-for-profit. We use the sponsorship funds to help make our events even more compelling to the audience while striving to make them free for participants. We want more people to come to our events so we can educate them about making applications more secure. <br />
<br />
Each year, our costs to hold the conference keep rising. Last year, the annual conference drew 50% more people than we expected, and the expenses rose accordingly. Thus we are required to raise the sponsorship fees accordingly, as compared to previous years. <br />
<br />
We use the money collected from sponsors for things such as:<br />
<br />
* '''Lecture videos''' - recording presentations enables them to be available also to people who cannot make it to the conference, and further publicize the contents of the event. <br />
<br />
* '''Venue costs''' - this year's conference is being hosted in partnership with the IDC, so we have minimal direct costs for use of the halls. However there are additional associated costs, for some of the involved logistics such as hiring required equipment. <br />
<br />
* '''Refreshments''' - we want to keep people a long time, and we certainly bring good and interesting speakers, yet we don't want people to go home when they become hungry.<br />
<br />
* '''Name tags''' - we feel that professional networking and getting to know each other is an important facet of the community, and name tags make this easier.<br />
<br />
* '''Promotion''' - Till now, our events are publicized mostly by word of mouth. We would like to get to a wider audience by advertising our events.<br />
<br />
* '''Printed Materials''' - We are not very keen on killing trees, but some people learn more from actual printed paper. We would like to hand out certain printed materials in our conferences.<br />
<br />
By the way, if you feel that you can contribute to any of these in anyway besides money, we will be happy to hear about it.<br />
<br />
<br />
=== What Should You Prepare as a Sponsor ===<br />
As a sponsor, you are not obliged to do anything. Sponsorship can be a philanthropy. However, in order to take advantage of the benefits listed above, we recommend the following:<br />
<br />
* Send us a logo file to put on the conference web page. (Note the maximum logo size according to the sponsorship level). <br />
<br />
* Prepare a roll-up type poster or equivalent for your table top booth.<br />
<br />
* Prepare brochures for handling out to conference attendees.<br />
<br />
* You might also want to hold a sweepstake between people who fill in their details in order to collect leads. We will be happy to announce the prize on the conference page. <br />
<br />
* Come 30 minutes before the conference starts to setup your booth.<br />
<br />
<br />
For further details contact [mailto:ofer@shezaf.com Ofer Shezaf].<br />
<br />
== Not-for-Profit / Barter Sponsorship of OWASP IL Conferences ==<br />
<br />
We are happy to allow any information security related not-for-profit organization to present at our conference expo. You will get, for free, the same benefits that the commercial vendors get. The only condition is that if you hold similar events we would like to present at those events in return.<br />
<br />
We extend the same type of barter to commercial organizations that hold events. If you organize an information security related event, we would let you promote it in our expo in return for having presence in your event.<br />
<br />
Contact [mailto:douglen@hotmail.com AviD] for further details.<br />
<br />
<br />
== Hosting a meeting ==<br />
<br />
We also host regular meetings and look for companies to host or sponsor these meetings. A company that hosts such a meeting is responsible for a meeting location and the refreshments. We need a room that can host at least 150 people. Pizza and drinks are the common refreshments, but alternatives are also OK. Keep in mind that food should be Kosher.<br />
<br />
If you want to host such a meeting, contact [mailto:douglen@hotmail.com AviD].<br />
<br />
<br />
== OWASP Membership ==<br />
<br />
In addition to sponsoring OWASP Israel, you can also join OWASP as a member. For details, please refer to [http://www.owasp.org/index.php/Membership this page].<br />
<br />
<br />
[[Category:OWASP Israel Meetings]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_IL_Sponsorship&diff=178683OWASP IL Sponsorship2014-07-13T14:14:19Z<p>Orysegal: /* Platinum Sponsors (3 max) */</p>
<hr />
<div>[[Category:Israel]] <br />
<br />
OWASP is an open source, non-profit organization. While our activities are free for all, we do have costs, and need your help to make our activities better. <br><br />
We are also open to any other non-financial sponsorship ideas that you may have. These are some simple ways in which you can help us: <br />
<br />
<br />
== Commercial Sponsoring an OWASP IL conference == <br />
<br />
{|<br />
|-valign="top"<br />
| OWASP Israel chapter hosts a Regional Conference once a year, usually in September or October. This year as in previous years, we are holding the Conference in partnership with the Efi Arazi Computer Science School at the the Interdisciplinary Center (IDC) Herzliya. [[Israel#Previous_OWASP_Israel_Conferences_and_Meetings|These conferences]] are always very successful and a large number of people attend.<br />
<br />
We encourage companies to sponsor our conferences and help pay for such expenses such as refreshments, photography, video etc. The conferences are not commercial and the cost goes directly to cover expenses. Since the conferences draw an increasingly large number of people, our expenses are also rising accordingly. <br />
<br />
If you or your company benefits from OWASP materials and/or conferences, we encourage you to support us! Moreover, the associated publicity and community goodwill can go a long way. We have several levels of sponsorship available, appropriate for the different organizations that wish to support our activities. Of course, if you are a Corporate Member of OWASP (at any level) and allocate a percentage (20-40%) of your membership fees to the Israel chapter, we can consider those funds as conference sponsorship. It is also possible to be creative and find non-financial ways to support us and contribute to the successful running of the conference. (If you have ideas please contact [mailto:douglen@hotmail.com AviD] directly.<br />
<br />
<br />
'''Past sponsors include Check Point, Microsoft, F5, IBM, Breach Security, Ernst & Young, Comsec, Checkmarx, Imperva, Quotium, Akamai, and many others'''<br />
<br />
| https://www.owasp.org/images/9/96/OWASP_IL_Conf_graphics_small.jpg <br />
|}<br />
<br />
<br />
<br />
=== What You Get for Sponsoring ===<br />
All sponsors, regardless of sponsorship level receive the following: <br />
<br />
* Many thanks, and hopefully a very good feeling of helping the community.<br />
<br />
* Access to all the tools, guides, and libraries OWASP makes available for everybody - if you benefit from these, support the organization! <br />
<br />
* Logo on the conference page. <br />
<br />
* In general, if there is something else specific that you may want, and is within the OWASP guidelines, please let us know.<br />
<br />
==== Platinum Sponsors (3 max) ==== <br />
<br />
* Largest booth area, where you can put up a "roll up" poster or two, and even a "pop-up" style booth (space permitting) to hand out your brochures and freebies. <br />
<br />
* Prime booth location and first choice. <br />
<br />
* Largest logo on the top of the conference page. <br />
<br />
* Logo on the chapter page for the whole year. <br />
<br />
* Recognition in all conference literature. <br />
<br />
* Explicit mention in conference Opening Speech.<br />
<br />
* Price: $2500 USD<br />
<br />
==== Gold Sponsors ====<br />
<br />
* A table top style mini booth where you can put up a "roll up" poster or two and hand out your brochures and freebies.<br />
<br />
* Good booth location and early choice. <br />
<br />
* Large logo near the top of the conference page. <br />
<br />
* Logo on the chapter page for the whole year. (??) <br />
<br />
* Recognition in all conference literature. <br />
<br />
* Collective mention in conference Opening Speech. <br />
<br />
==== Silver Sponsors ====<br />
<br />
* A small table top style mini booth where you can put up a "roll up" poster and hand out your brochures and freebies.<br />
<br />
* Smaller logo on the conference page. <br />
<br />
* Recognition in some conference literature. <br />
<br />
* Passive mention in conference Opening Speech. <br />
<br />
==== Community Supporters ==== <br />
<br />
* The "Community Supporter" level of sponsorship is intended for non-profits, government offices, small startups, and other organizations with limited finances, but wish to show their support for the local OWASP chapter. <br />
<br />
* Small logo on the conference page. <br />
<br />
* Community Supporters do not get a booth or table at the sponsor's display area, but you can leave a stack of fliers or swag at a central table. <br />
<br />
<br />
=== What You Don't Get ===<br />
* List of people registering or attending. You can collect these by yourself in the booth, for example by offering a prize for people filling in details.<br />
<br />
* A lecture for money. The conference program is strictly selected on professional terms.<br />
<br />
<br />
=== What We Need Your Money For ===<br />
<br />
OWASP is very strictly not-for-profit. We use the sponsorship funds to help make our events even more compelling to the audience while striving to make them free for participants. We want more people to come to our events so we can educate them about making applications more secure. <br />
<br />
Each year, our costs to hold the conference keep rising. Last year, the annual conference drew 50% more people than we expected, and the expenses rose accordingly. Thus we are required to raise the sponsorship fees accordingly, as compared to previous years. <br />
<br />
We use the money collected from sponsors for things such as:<br />
<br />
* '''Lecture videos''' - recording presentations enables them to be available also to people who cannot make it to the conference, and further publicize the contents of the event. <br />
<br />
* '''Venue costs''' - this year's conference is being hosted in partnership with the IDC, so we have minimal direct costs for use of the halls. However there are additional associated costs, for some of the involved logistics such as hiring required equipment. <br />
<br />
* '''Refreshments''' - we want to keep people a long time, and we certainly bring good and interesting speakers, yet we don't want people to go home when they become hungry.<br />
<br />
* '''Name tags''' - we feel that professional networking and getting to know each other is an important facet of the community, and name tags make this easier.<br />
<br />
* '''Promotion''' - Till now, our events are publicized mostly by word of mouth. We would like to get to a wider audience by advertising our events.<br />
<br />
* '''Printed Materials''' - We are not very keen on killing trees, but some people learn more from actual printed paper. We would like to hand out certain printed materials in our conferences.<br />
<br />
By the way, if you feel that you can contribute to any of these in anyway besides money, we will be happy to hear about it.<br />
<br />
<br />
=== What Should You Prepare as a Sponsor ===<br />
As a sponsor, you are not obliged to do anything. Sponsorship can be a philanthropy. However, in order to take advantage of the benefits listed above, we recommend the following:<br />
<br />
* Send us a logo file to put on the conference web page. (Note the maximum logo size according to the sponsorship level). <br />
<br />
* Prepare a roll-up type poster or equivalent for your table top booth.<br />
<br />
* Prepare brochures for handling out to conference attendees.<br />
<br />
* You might also want to hold a sweepstake between people who fill in their details in order to collect leads. We will be happy to announce the prize on the conference page. <br />
<br />
* Come 30 minutes before the conference starts to setup your booth.<br />
<br />
<br />
For further details contact [mailto:ofer@shezaf.com Ofer Shezaf].<br />
<br />
<br />
== Not-for-Profit / Barter Sponsorship of OWASP IL Conferences ==<br />
<br />
We are happy to allow any information security related not-for-profit organization to present at our conference expo. You will get, for free, the same benefits that the commercial vendors get. The only condition is that if you hold similar events we would like to present at those events in return.<br />
<br />
We extend the same type of barter to commercial organizations that hold events. If you organize an information security related event, we would let you promote it in our expo in return for having presence in your event.<br />
<br />
Contact [mailto:douglen@hotmail.com AviD] for further details.<br />
<br />
<br />
== Hosting a meeting ==<br />
<br />
We also host regular meetings and look for companies to host or sponsor these meetings. A company that hosts such a meeting is responsible for a meeting location and the refreshments. We need a room that can host at least 150 people. Pizza and drinks are the common refreshments, but alternatives are also OK. Keep in mind that food should be Kosher.<br />
<br />
If you want to host such a meeting, contact [mailto:douglen@hotmail.com AviD].<br />
<br />
<br />
== OWASP Membership ==<br />
<br />
In addition to sponsoring OWASP Israel, you can also join OWASP as a member. For details, please refer to [http://www.owasp.org/index.php/Membership this page].<br />
<br />
<br />
[[Category:OWASP Israel Meetings]]</div>Orysegalhttps://wiki.owasp.org/index.php?title=Template:OWASP_IL_2013_Sponsors&diff=159448Template:OWASP IL 2013 Sponsors2013-09-30T06:49:01Z<p>Orysegal: </p>
<hr />
<div>{| align="center"<br />
| &nbsp;<br />
| &nbsp;[[File:GoldIL.png]]<br />
| &nbsp;<br />
|-<br />
| &nbsp;[http://www.idc.ac.il https://www.owasp.org/images/f/f1/OWASP_IL_Sponsors_IDC_New.JPG]<br />
| &nbsp;[http://www.quotium.com https://www.owasp.org/images/5/56/LogoQuotium.png]<br />
| &nbsp;[http://www.ey.com https://www.owasp.org/images/3/34/EY-IL.jpg] <br />
|-<br />
| &nbsp;[http://www.imperva.com https://www.owasp.org/images/8/89/OWASP_IL_Sponsors_Imperva.png]<br />
| &nbsp;[http://www.trusteer.com https://www.owasp.org/images/1/1b/TrusteerIL.png]<br />
| &nbsp;[http://www.akamai.com https://www.owasp.org/images/9/93/Akamai_logoIL.gif]<br />
|-<br />
<br><br />
| &nbsp;<br />
|-<br />
| &nbsp;<br />
| &nbsp;<br />
|-<br />
|<br />
|&nbsp;&nbsp;&nbsp;[[File:SilverIL.png]]<br />
|<br />
|-<br />
| &nbsp;[http://www.appsec-labs.com https://www.owasp.org/images/2/24/AppSecLabsIL.png]<br />
| &nbsp;[http://www.Checkmarx.com https://www.owasp.org/images/a/a2/Checkmarx.jpg]<br />
|-<br />
| &nbsp;[http://www.grsee.co.il https://www.owasp.org/images/0/0d/GRSEEIL.jpg]<br />
| &nbsp; [http://www.komodosec.com/ https://www.owasp.org/images/0/03/Komodo-small.jpg]<br />
| &nbsp;<br />
|}</div>Orysegalhttps://wiki.owasp.org/index.php?title=Global_Chapter_Committee_-_Application_2&diff=55404Global Chapter Committee - Application 22009-02-24T18:10:59Z<p>Orysegal: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">[[User:Mchalmers|Matthew Chalmers]]<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|DC Chapter member, Certification Project participant, Requirements Project Interim PM, Milwaukee Chapter Leader (being organised)<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Global Chapters Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|Matt Tesauro<br />
| style="width:20%; background:#cccccc" align="center"|Global Projects Committee, OWASP Live CD project lead<br />
| style="width:57%; background:#cccccc" align="center"|From my interaction with him at the Portugal Summit, I'm sure he would be a great addition to the chapters committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|Nick Farwig, Senior Consultant, Deloitte & Touche LLP<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|I've worked with Matt as client at Rockwell Automation, and he would be a great addition to any committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|Ory Segal, Security Products Architect, IBM<br />
| style="width:20%; background:#cccccc" align="center"|OWASP Member, Contributor<br />
| style="width:57%; background:#cccccc" align="center"|I had the pleasure and opportunity to work with Matt (as a client) in the past. I believe he would be a valuable addition to the committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Orysegalhttps://wiki.owasp.org/index.php?title=OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya_(IDC)&diff=38372OWASP Israel 2008 Conference at the Interdisciplinary Center Herzliya (IDC)2008-09-04T13:06:49Z<p>Orysegal: /* Agenda */</p>
<hr />
<div>{{Template:OWASP_IL_2008_Sponsors}}<br />
<br />
== Time and Location ==<br />
<br />
The OWASP Israel 2008 conference will be held on September 14th at the Interdisciplinary Center Herzliya from 8:30 to 17:00. This time we are raising the bar and will be holding a full day '''two tracks''' event. The tracks would be split according by level: a beginners track and an experts track.<br />
<br />
You can find the IDC on<br />
[http://local.google.com/maps?f=q&hl=en&q=%D7%94%D7%9E%D7%A8%D7%9B%D7%96+%D7%94%D7%91%D7%99%D7%9F+%D7%AA%D7%97%D7%95%D7%9E%D7%99+%D7%94%D7%A8%D7%A6%D7%9C%D7%99%D7%94,+%D7%94%D7%A8%D7%A6%D7%9C%D7%99%D7%94,+Israel&sll=32.166567,34.812605&sspn=0.007974,0.019312&ie=UTF8&cd=1&geocode=FbD26gEdeo0TAg&ll=32.177047,34.835844&spn=0.007973,0.019312&z=16&iwloc=addr Google map] or use the [http://portal.idc.ac.il/he/Main/about_idc/campus_tour/Pages/MapsDirections.aspx instructions] on the IDC web site. Signs at the Campus will lead you the conference halls.<br />
<br />
== Registration ==<br />
<br />
The conference is '''free and open to all''', but please register by sending an e-mail to me at ofer@shezaf.com. We need to know how many people will arrive in order to be prepared.<br />
<br />
== Agenda ==<br />
<br />
(Not final, minor changes and additions possible)<br />
<br />
{| class="wikitable" <hiddentext>generated with [[:de:Wikipedia:Helferlein/VBA-Macro for EXCEL tableconversion]] V1.7<\hiddentext><br />
<br />
|- style="background-color:#000000;font-size:11pt;font-weight:bold;color:#FFFFFF" valign="top"<br />
<br />
| width="315" height="16" | Title<br />
<br />
| width="156" | Presentation<br />
<br />
| width="91" | Copmany<br />
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"<br />
<br />
| height="15" | [[OWASP_Israel_2008_Conference_Erez_Metula|.NET Framework rootkits - backdoors inside your Framework]]<br />
<br />
| Erez Metula<br />
<br />
| 2Bsecure<br />
|- style="font-size:11pt" valign="top"<br />
<br />
| height="30" | [[OWASP_Israel_2008_Conference_Ivan_Ristic|No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling]]<br />
<br />
| Ivan Ristic<br />
<br />
| Breach<br />
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"<br />
<br />
| height="15" | [http://www.owasp.org/index.php/AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008 Trends in Web Hacking: What's hot in 2008]<br />
<br />
| Ofer Shezaf<br />
<br />
| Breach<br />
|- style="font-size:11pt" valign="top"<br />
<br />
| height="30" | [[OWASP_Israel_2008_Conference_Amichai_Shulman|Web Application Security and Search Engines – Beyond Google Hacking]]<br />
<br />
| Amichai Shulman<br />
<br />
| Imperva<br />
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"<br />
<br />
| height="15" | [[OWASP_Israel_2008_Conference_Yuli_Stremovsky|GreenSQL - an open source database security gateway]]<br />
<br />
| Yuli Stremovsky<br />
<br />
| &nbsp;<br />
|- style="font-size:11pt" valign="top"<br />
<br />
| height="15" | [[OWASP_Israel_2008_Conference_Alon_Roser|eVoting]]<br />
<br />
| Dr. Alon Roser<br />
<br />
| IDC<br />
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"<br />
<br />
| height="15" | [[OWASP_Israel_2008_Conference_Adi_Sharabani|Black Box vs. White Box - pros and cons]]<br />
<br />
| Adi Sharabani & Yinnon Haviv<br />
<br />
| IBM<br />
|- style="font-size:11pt" valign="top"<br />
<br />
| height="15" | [[OWASP_Israel_2008_Conference_Ofer_Maor|Testing the Tester – Measuring Quality of Security Testing]]<br />
<br />
| Ofer Maor<br />
<br />
| Hacktics<br />
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"<br />
<br />
| height="15" | [[OWASP_Israel_2008_Conference_Shai_Chen|Achilles’ heel – Hacking Through Java Protocols]]<br />
<br />
| Shai Chen<br />
<br />
| Hacktics<br />
|- style="font-size:11pt" valign="top"<br />
<br />
| height="15" | [[OWASP_Israel_2008_Conference_Amir_Herzberg|Defending against Phishing without Client-side Code]]<br />
<br />
| Prof. Amir Herzberg<br />
<br />
| Bar Ilan Univeristy<br />
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"<br />
<br />
| height="30" | [[OWASP_Israel_2008_Conference_Ronen_Bachar|Automated Crawling & Security Analysis of Flash/Flex based Web Applications]]<br />
<br />
| Ronen Bachar<br />
<br />
| IBM<br />
|- style="font-size:11pt" valign="top"<br />
<br />
| height="15" | [[OWASP_Israel_2008_Conference_Maty_Siman|Application Security - The code analysis way]]<br />
<br />
| Maty Siman<br />
<br />
| Checkmarx<br />
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"<br />
<br />
| height="15" | [[OWASP_Israel_2008_Conference_David_Movshovitz|AJAX - new technologies new threats]]<br />
<br />
| Dr. David Movshovitz<br />
<br />
| IDC<br />
|- style="font-size:11pt" valign="top"<br />
<br />
| height="16" | [[OWASP_Israel_2008_Conference_Ohad_Ben_Cohen|Korset: Code-based Intrusion Detection System for Linux]]<br />
<br />
| Ohad Ben-Cohen<br />
<br />
| &nbsp;<br />
|}<br />
<br />
Note that the [[OWASP_Israel_2008_Conference_Turbo_Talks|Turbo Talk (Rump) Session]] is still open for submissions.<br />
<br />
== Call for participation ==<br />
<br />
Being a community event, we are staring a call for involvement, which means it is the time to speak up if you want to:<br />
<br />
* [[OWASP_Israel_2008_Conference_Turbo_Talks|Turbo Talk (Rump) Session]] - a new feature in this conference, consisting of a series of 5-minute talks.<br />
: The deadline for submissions for the rump session is '''Monday, September 8, 2008'''. <br />
* [[OWASP IL Sponsorship|Call for sponsors]]<br />
* Help in organizing<br />
* Otherwise participate (plenty of time for that, but if you know you will come, speak up)<br />
<br />
'''This is also a good time to raise other ideas you have regarding the conference'''. Many of you have been to previous conferences and have great ideas, so don't be shy and speak up.<br />
<br />
== Agenda ==<br />
<br />
The [[OWASP_IL_CFP|CFP]] is underway and the program would be published by mid August. <br />
<br />
== The people behind the conference ==<br />
<br />
OWASP Israel is made by the people who contribute their time and brain to its success. The following people are working to ensure that OWASP Israel 2008 is a success.<br />
<br />
If you feel that you also can contribute or have interesting ideas regarding the conference, don't hesitate to contact me.<br />
<br />
=== Steering Committee ===<br />
<br />
The steering committee includes prominent individuals in the field of information security and help set the program for the conference:<br />
<br />
* Adi Sharabani (IBM)<br />
* Dr. David Movshovitz (Interdisciplinary Center Herzliya)<br />
* Ofer Maor (Hacktics)<br />
* Ofer Shezaf (Breach Security)<br />
* Ory Segal (IBM)<br />
* Shay Zalalichin (ComSec)<br />
* Yossi Oren (Proxy Software Systems)<br />
<br />
=== Organization Committee ===<br />
<br />
The organization committee is in charge of making this all happen:<br />
<br />
* Dr. Anat Bremler-Barr (Interdisciplinary Center Herzliya)<br />
* Daniel Kallner<br />
* Ofer Shezaf (Breach Security)<br />
* Shay Shuker<br />
<br />
<br />
~ [[User:Oshezaf|Ofer Shezaf]],Conference Chair<br/><br />
<small>[mailto:ofer@shezaf.com ofer@shezaf.com]</small><br />
<br />
[[Category:OWASP Israel 2008]]</div>Orysegal