OWASP - User contributions [en]

Projects Reboot 2012

2012-09-24T23:47:20Z

Rahimjina:

'''Welcome the the OWASP Project Reboot Page:
'''

''What is the OWASP Project ReBoot initiative?''

OWASP needs to refresh, revitalize & update its projects. We need to make the software development community more aware of our efforts and demonstrate the foundations library of solutions & guidance designed to help with the secure application development lifecycle.

The proposal for this initiative is here:

'''[https://docs.google.com/a/owasp.org/file/d/0B5Z9zE0hx0LNSUZvOWVKd1JRWnlVaGJMcjB3SEN3Zw/edit Project Re-Boot Proposal]'''

'''Project Lead''': Eoin Keary 
'''Proposal Approval Team''': Jim Manico, Rahim Jina, Tom Brennan,... 
[[Reboot_Review_Criteria]] (For review team)

Board Approval can be seen here:
[https://www.owasp.org/index.php/May_14,2012]

To that end we have a budget to fund various project related activities. We hope putting some financial support behind projects will re-energise our community and hopefully deliver some great high quality material which can be used to support software developers and testers for years to come: 

'''Current Submissions''' 
'''[[OWASP Application Security Guide For CISOs]]''' - Selected for Reboot 
'''[[OWASP Development Guide]]''' - Selected for Reboot 
'''[[OWASP Zed Attack Proxy Reboot2012|Zed Attack Proxy]]''' - Selected for Reboot 
'''[[OWASP WebGoat Reboot2012|OWASP WebGoat]]''' 
'''[[OWASP AppSensor]]''' 
'''[[OWASP Mobile Project]]''' - Selected for Reboot 
'''[[OWASP_Portuguese_Project_Proposal | OWASP Portuguese Language Project]]''' 
'''[[OWASP_Application_Testing_guide_v4]]''' 
'''[[OWASP_ESAPI_Reboot2012 | OWASP ESAPI]]''' 
'''[[OWASP_Eliminate_Vulnerable_Code_Reboot | OWASP Eliminate Vulnerable Code Project]]''' 
'''[[OWASP_Code_Review_Guide_Reboot]]'''
 

'''Key Dates:''' 
'''Submission closing date''': July 30th 2012 
'''First round of proposal selection''': 15 June 2012 
'''Second round of proposal selection''': 10 Aug 2012 

----

'''First Round Decisions''' 
The following table shows to votes submitted by reviewers. 1 is first preference, 2 is second preference and so on..
'''Any Outstanding / additional proposals shall be voted on during the second round of proposal selection (10/8/2012).'''

<table border="1" width="50%">
<tr>
<td>Proposal</td>
<td>Tom</td>
<td>Jim</td>
<td>Rahim</td>
<td>Eoin</td>
</tr>
<tr>
<td>OWASP Development Guide</td>
<td>1</td>
<td>1</td>
<td>PI-1 PII-1</td>
<td>2</td>
</tr>
<tr>
<td>OWASP CISO Guide</td>
<td>2</td>
<td>7</td>
<td>PI-2 PII-3</td>
<td>1</td>
</tr>
<tr>
<td>OWASP Mobile Project</td>
<td>1</td>
<td>4</td>
<td>PI-4 PII-4</td>
<td>4</td>
</tr>
<tr>
<td>OWASP WebGoat PHP</td>
<td>2</td>
<td>6</td>
<td>PI-6 PII-10</td>
<td>6</td>
</tr>
<tr>
<td>OWASP Zed Attack Proxy</td>
<td>1</td>
<td>3</td>
<td>PI-3 PII-6</td>
<td>3</td>
</tr>
<tr>
<td>OWASP AppSensor</td>
<td>1</td>
<td>5</td>
<td>PI-5 PII-7</td>
<td>5</td>
</tr>
<tr>
<td>OWASP Testing Guide</td>
<td>1</td>
<td>2</td>
<td>PII-2</td>
<td></td>
</tr>
<tr>
<td>OWASP ESAPI</td>
<td>1</td>
<td>10</td>
<td>PII-5</td>
<td></td>
</tr>
<tr>
<td>OWASP_Eliminate_Vulnerable_Code</td>
<td>3</td>
<td>9</td>
<td>PII-8</td>
<td></td>
</tr>
<tr>
<td>OWASP Portuguese Language Project</td>
<td>1</td>
<td>8</td>
<td>PII-9</td>
<td></td>
</tr>
</table>

'''Projects selected via first round of review''': 
#'''OWASP Development Guide''': Funding Amount: $5000 initial funding
#'''OWASP CISO Guide''': Funding Amount: $5000 initial funding
#'''OWASP Zed Attack Proxy''': Funding Amount: $5000 initial funding
#'''OWASP Mobile Project''': Funding Amount: $5000 initial funding

----

'''Activity types''': 

'''Type 1''': Update, rewrite & complete guides or tools. 
This "type" is aimed at both existing and new tools or guides which require development effort to update, augment, rewrite, develop in order to achieve a high quality release quality product. 

Examples: 
#"Mini" Project based summits: Expenses associated with getting global workshops, with the aim of releasing a new version of a project. 
#Paying contributors for their time and effort. 
#Paying for user guides etc to be professionally developed (technical writing etc). 

'''Type 2''': Market, Training, Awareness, increase adoption. 
Existing, healthy robust tools and guides can utilise Type 2 activities to help with creating awareness and increasing adoption of that project. 

Examples: 
#Assisting with expenses associated with marketing a project. 
#Costs facilitating OWASP project focused training and awareness events 

'''How are we going to fund this??''' 
We are requesting all OWASP chapters which are in a healthy financial position to pledge 25% of their chapters funds to pay for this initiative. 
[https://www.surveymonkey.com/s/OWASP-REBOOT Pledge some chapter funds here]

Donate $1.00 to help save a current or future software application [http://www.firstgiving.com/fundraiser/projectreboot/owasp-project-reboot Click Here]

The Foundation shall also support this initiative with additional funding. 
The goal is to accumulate a budget of $100K which shall be appointed to projects undergoing this reboot. 

[https://docs.google.com/a/owasp.org/spreadsheet/pub?hl=en_US&hl=en_US&key=0Atu4kyR3ljftdEdQWTczbUxoMUFnWmlTODZ2ZFZvaXc&output=html - Chapter Funds]

'''Can I apply for this Reboot?''' 
You certainly can, assuming you are an OWASP member. 
If you feel your project is ready or has potential you can apply for the reboot programme. 

'''How does funding work?''' 
'''Type 1''': Funding can be applied for as required if travel/mini summit etc is to be expensed as part of the reboot. Development activities; payment to contributors shall be at 50% and 100% milestones. 
Milestones are agreed prior to project reboot initiation. 
Once the 50% milestone is reached the work done to date shall be reviewed by a member of the [https://www.owasp.org/index.php/Category:Global_Projects_Committee - GPC] and also another nominated OWASP reviewer (generally an OWASP leader). 

'''Type 2''': Funding is supplied as required. Items to be funded are agreed prior to reboot initiation. 
Invoices for the required services are sent directly to the foundation for payment.

'''How do I apply?'''
Send in a proposal with the following information:

# Project name and description. Including reboot project lead and any team members.
# Re boot type (Type 1 or Type 2)
# Goals of the reboot
# Timeline for the 50% milestone and the 100% milestone. Suggested milestone reviewers (Generally OWASP Leaders or other industry experts)
# Budget required and how you shall spend it.

Want to support this initiative or learn more? Contact [mailto:eoin.keary@owasp.org Eoin Keary]

Projects Reboot 2012

2012-06-19T16:56:07Z

Rahimjina:

'''Welcome the the OWASP Project Reboot Page:
'''

''What is the OWASP Project ReBoot initiative?''

OWASP needs to refresh, revitalize & update its projects. We need to make the software development community more aware of our efforts and demonstrate the foundations library of solutions & guidance designed to help with the secure application development lifecycle.

The proposal for this initiative is here:

'''[https://docs.google.com/a/owasp.org/file/d/0B5Z9zE0hx0LNSUZvOWVKd1JRWnlVaGJMcjB3SEN3Zw/edit Project Re-Boot Proposal]'''

'''Project Lead''': Eoin Keary 
'''Proposal Approval Team''': Jim Manico, Rahim Jina, Tom Brennan,... 

Board Approval can be seen here:
[https://www.owasp.org/index.php/May_14,2012]

To that end we have a budget to fund various project related activities. We hope putting some financial support behind projects will re-energise our community and hopefully deliver some great high quality material which can be used to support software developers and testers for years to come: 

'''Current Submissions''' 
'''[[OWASP Application Security Guide For CISOs]]''' - Selected for Reboot 
'''[[OWASP Development Guide]]''' - Selected for Reboot 
'''[[OWASP Zed Attack Proxy Reboot2012|Zed Attack Proxy]]''' - Selected for Reboot 
'''[[OWASP WebGoat Reboot2012|OWASP WebGoat]]''' 
'''[[OWASP Cheat Sheets]]''' 
'''[[OWASP AppSensor]]''' 
'''[[OWASP Mobile Project]]''' - Selected for Reboot 
'''[[OWASP_Portuguese_Project_Proposal | OWASP Portuguese Language Project]]''' 
 

'''Key Dates:''' 
'''Submission closing date''': July 30th 2012 
'''First round of proposal selection''': 15 June 2012 
'''Second round of proposal selection''': 10 Aug 2012 

----

'''First Round Decisions''' 
The following table shows to votes submitted by reviewers. 1 is first preference, 2 is second preference and so on..
'''Any Outstanding / additional proposals shall be voted on during the second round of proposal selection (10/8/2012).'''

<table border="1" width="50%">
<tr>
<td>Proposal</td>
<td>Tom</td>
<td>Jim</td>
<td>Rahim</td>
<td>Eoin</td>
</tr>
<tr>
<td>OWASP Development Guide</td>
<td>1</td>
<td>2</td>
<td>1</td>
<td>2</td>
</tr>
<tr>
<td>OWASP CISO Guide</td>
<td>2</td>
<td>1</td>
<td>2</td>
<td>1</td>
</tr>
<tr>
<td>OWASP Mobile Project</td>
<td>3</td>
<td></td>
<td>4</td>
<td>4</td>
</tr>
<tr>
<td>OWASP WebGoat PHP</td>
<td>4</td>
<td>4</td>
<td>6</td>
<td>6</td>
</tr>
<tr>
<td>OWASP Zed Attack Proxy</td>
<td>5</td>
<td>3</td>
<td>3</td>
<td>3</td>
</tr>
<tr>
<td>OWASP AppSensor</td>
<td>6</td>
<td></td>
<td>5</td>
<td>5</td>
</tr>
</table>

'''Projects selected via first round of review''': 
#'''OWASP Development Guide''': Funding Amount: $$$
#'''OWASP CISO Guide''': Funding Amount: $$$
#'''OWASP Zed Attack Proxy''': Funding Amount: $$$
#'''OWASP Mobile Project''': Funding Amount: $$$

Funding for each of the selected projects above shall be communicated to project leaders once determined.

----

'''Activity types''': 

'''Type 1''': Update, rewrite & complete guides or tools. 
This "type" is aimed at both existing and new tools or guides which require development effort to update, augment, rewrite, develop in order to achieve a high quality release quality product. 

Examples: 
#"Mini" Project based summits: Expenses associated with getting global workshops, with the aim of releasing a new version of a project. 
#Paying contributors for their time and effort. 
#Paying for user guides etc to be professionally developed (technical writing etc). 

'''Type 2''': Market, Training, Awareness, increase adoption. 
Existing, healthy robust tools and guides can utilise Type 2 activities to help with creating awareness and increasing adoption of that project. 

Examples: 
#Assisting with expenses associated with marketing a project. 
#Costs facilitating OWASP project focused training and awareness events 

'''How are we going to fund this??''' 
We are requesting all OWASP chapters which are in a healthy financial position to pledge 25% of their chapters funds to pay for this initiative. 
[https://www.surveymonkey.com/s/OWASP-REBOOT Pledge some chapter funds here]

Donate $1.00 to help save a current or future software application [http://www.firstgiving.com/fundraiser/projectreboot/owasp-project-reboot Click Here]

The Foundation shall also support this initiative with additional funding. 
The goal is to accumulate a budget of $100K which shall be appointed to projects undergoing this reboot. 

[https://docs.google.com/a/owasp.org/spreadsheet/pub?hl=en_US&hl=en_US&key=0Atu4kyR3ljftdEdQWTczbUxoMUFnWmlTODZ2ZFZvaXc&output=html - Chapter Funds]

'''Can I apply for this Reboot?''' 
You certainly can, assuming you are an OWASP member. 
If you feel your project is ready or has potential you can apply for the reboot programme. 

'''How does funding work?''' 
'''Type 1''': Funding can be applied for as required if travel/mini summit etc is to be expensed as part of the reboot. Development activities; payment to contributors shall be at 50% and 100% milestones. 
Milestones are agreed prior to project reboot initiation. 
Once the 50% milestone is reached the work done to date shall be reviewed by a member of the [https://www.owasp.org/index.php/Category:Global_Projects_Committee - GPC] and also another nominated OWASP reviewer (generally an OWASP leader). 

'''Type 2''': Funding is supplied as required. Items to be funded are agreed prior to reboot initiation. 
Invoices for the required services are sent directly to the foundation for payment.

'''How do I apply?'''
Send in a proposal with the following information:

# Project name and description. Including reboot project lead and any team members.
# Re boot type (Type 1 or Type 2)
# Goals of the reboot
# Timeline for the 50% milestone and the 100% milestone. Suggested milestone reviewers (Generally OWASP Leaders or other industry experts)
# Budget required and how you shall spend it.

Want to support this initiative or learn more? Contact [mailto:eoin.keary@owasp.org Eoin Keary]

Scareware Traversing the World via Ireland

2010-07-21T19:14:07Z

Rahimjina: Created page with 'In 2008, a dedicated group of security professionals came together to set up IRISS-CERT, Ireland's first CSIRT, to provide a range of free services to Irish businesses and consum…'

In 2008, a dedicated group of security professionals came together to set up IRISS-CERT, Ireland's first CSIRT, to provide a range of free services to Irish businesses and consumers in relation to information security issues. The aim is to help counter the security threats posed to both the Irish businesses and the Irish Internet space.

Throughout the first two years, IRISS-CERT has notified and helped many website owners detect, clean or restore their sites after a compromise.

In July 2009, several Irish websites were attacked and had malware code injected into them. These (compromised) websites redirected end-users to malicious websites, which subsequently served malware to anyone who was browsing the original legitimate sites. The notification of this compromise (to IRISS CERT) resulted in me beginning the on-duty Incident Handler, initiating the Incident Handling Process to examine the issue.

Mark will summarise this aforementioned attack and briefly include other types of attacks that IRISS-CERT have seen. He will primarily focus on the process as laid out in his GIAC GCIH Gold Paper. The investigation into the July 2009 attack and the associated complex infrastructure prompted the research paper.

The talk will cover the various stages of the Incident Handling Process explaining how they pertain to both the web application exploit and the associated scareware installation.

By discussing these attacks, the talk should enable both companies and volunteer organisations to improve Incident Handling efforts when responding to Web Application attacks.

OWASP IRELAND 2010

2010-07-21T19:13:19Z

Rahimjina:

[[Image:Dublin2010.gif]] 

 

Welcome to the Irish OWASP Application Security Conference! 

Its Ireland's turn again on '''September 17, 2010'''

 

'''September 17th 2010''': OWASP will hold its second Irish Application Security conference in Dublin University, Trinity College, Dublin, Ireland.

The conference consists of an intensive day of talks/presentations and discussion with 2 different tracks focusing on the causes and trends in web application insecurity.

'''[http://www.owasp.org/index.php/OWASP_IRELAND_2010#Training Training]: (16th September 2010)''' '''''Secure Application Development: Writing secure code (and testing it)''''' training is to be delivered on the 16 September, following the very successful model delivered in 2009 (see more details below)

 

For more details please contact: Eoin.Keary 'at' owasp.org

== Conference Location ==

[[Image:AppSecIreland09 Dublin.JPG|www.tcd.ie]]

 

== Event Sponsorship ==

OWASP is providing sponsors exclusive access to its audience in Dublin, Ireland through a limited number of Expo floor slots, providing a focused setting for potential customers. The conference is expected to draw 150 - 200 technologists who will be looking for ways to spend their remaining 2010 budget and planning for 2010/11. Financial Services, Media, Pharmaceuticals, Government, Healthcare, Technology, and many other verticals will be represented. Sponsorship details are available here:  Please review or sponsorship proposal: [http://www.owasp.org/images/c/c8/OWASP_sponsorship_Master.pdf Click_here]
<center>
 
</center>
=== Sponsors ===

'''Silver Sponsors'''
<center>
[[Image:Cenzic small 2.GIF]]
</center><center>
'''CENZIC''' - Cenzic provides software and SaaS solutions for dynamic, black box testing of Web applications to protect Websites against hacker attacks.Built from the ground up on a completely different technology backbone than its competitors, Cenzic goes beyond signature-based tools to find more "real" vulnerabilities. To request a free demo please visit http://www.cenzic.com 

 
</center><center>[[Image:Veracode logo 2color small.JPG]]</center><center>
'''Veracode''' is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments, and partner or Veracode-delivered manual penetration testing, combined with developer e-learning and access to open source security ratings, Veracode SecurityReview® allows customers to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete and accurate way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare, and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com http://www.veracode.com/
</center>
 
<center>[[Image:FORTIFY_LOGO_MED.jpg]]</center>
<center>
'''Fortify® Software''' is the leader in the emerging category of Software Security Assurance (SSA). Fortify's SSA products and services protect companies from the threats posed by security flaws in business-critical software applications and result in applications that are inherently more secure and impervious to attack. Our solutions help identify and resolve critical application vulnerabilities in less time and at lower cost. http://www.fortify.com
</center>

=== Supported by ===
<center>
[[Image:Irisss small.jpg]] [[Image:IISF.jpg]] [[Image:Iia-logo-small.jpg]][[Image:DG horiz col.gif]]
</center>
== Agenda and Presentations - September 17 ==

The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing pannel discussions back in the main auditorium both days.

{| class="FCK__ShowTableBorders" style="width: 80%" align="center" border="0"
|-
! align="center" colspan="3" | [http://www.tcd.ie/Maps/map.php?q=hamilton+building Hamilton Building, TCD] - September 17, 2010
|-
| style="background: #7b8abd; width: 10%" |
| style="background: #bc857a; width: 40%" | Track 1: Synge Theatre
| style="background: #bca57a; width: 40%" | Track 2: Salmon Theatre
|-
| style="background: #7b8abd; width: 10%" | 08:00-09:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Registration and Coffee
|-
| style="background: #7b8abd; width: 10%" | 09:00 - 09:10
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | Welcome to OWASP Ireland 2010 Conference
'''''[[User:EoinKeary|Eoin Keary]], [http://ie.linkedin.com/in/fcerullo Fabio Cerullo] & Rahim Jina'''  '''OWASP Ireland Board''''' '''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 09:15 - 10:15
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | '''Keynote: "Application Security in the Real World"''' - Considerations for AppSec in non-security companies.
'''''[[John Viega|John Viega ]] '''''Executive Vice President, Perimeter E-Security

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 10:20 - 10:40
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
OWASP "State of the Nation"

[[User:EoinKeary|'''Eoin Keary''']]& [[User:Dinis Cruz|'''Dinis Cruz''']]

''OWASP Global board members''

|-
| style="background: #7b8abd; width: 10%" | 10:45 - 11:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Break - Expo
|-
| style="background: #7b8abd; width: 10%" | 11:10 - 11:45
| style="background: #bc857a; width: 40%" align="left" |
"Testing the Enterprise E-mail Security - from Software to Cloud-based Services" [[User:Dr. Marian Ventuneac|'''Dr. Marian Ventuneac''']]

| style="background: #bca57a; width: 40%" align="left" |
"Counter Intelligence as Defense: Integrating predictive and proactive attack knowledge as a wall of defense"

 [[User:FredDonovan|'''Fred Donovan''']]

|-
| style="background: #7b8abd; width: 10%" | 11:50 - 12:30
| style="background: #bc857a; width: 40%" align="left" |
"The Evolution of Security Testing: Testing the Resiliency of Security" 

[[David Stubley|'''David Stubley''']] (GIAC)

| style="background: #bca57a; width: 40%" align="left" |
[[Path to a Secure Application|"Path to a Secure Application"]]
 [[User:RyanBerg|'''Ryan Berg''']] IBM

|-
| style="background: #7b8abd; width: 10%" | 12:40 - 13:10
| style="background: #bc857a; width: 40%" align="left" |
"Smart Phones with Dumb Apps"

[[Dan Cornell|'''Dan Cornell''']]  Principal of [http://www.denimgroup.com Denim Group], Ltd.

| style="background: #bca57a; width: 40%" align="left" |
"Technology and Business Risk Management: How Application Security Fits In!

[[User:Peter Perfetti|'''Peter Perfetti''']]

|-
| style="background: #7b8abd; width: 10%" | 13:10 - 14:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Lunch - [http://www.tcd.ie/Maps/map.php?q=dining+hall TCD Dining Hall], buffet Lunch
|-
| style="background: #7b8abd; width: 10%" | 1410 - 15:00
| style="background: #c2c2c2; width: 80%" align="center" colspan="2" | '''Keynote: "The changing face of cryptography"'''
'''''[[User:Professor Fred Piper|Professor Fred Piper]]''''', BSc, PhD (London), ARCS, DIC, CEng, CMath, FIEE, FIMA, BCS, CISSP, CISM. 

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 15:10 - 15:50
| style="background: #bc857a; width: 40%" align="left" |
"Microsoft's Security Development Lifecycle for Agile Development"

[[Nick Coblentz|'''Nick Coblentz''']] AT&T Consulting

| style="background: #bca57a; width: 40%" align="left" |
[[The Real appsec pentest|"The "Real" Application Security Pentest."]] 

[[Rory Alsop|'''Rory Alsop''']]& [[Rory McCune|'''Rory McCune''']]

|-
| style="background: #7b8abd; width: 10%" | 16:00 - 16:40
| style="background: #bc857a; width: 40%" align="left" |
"How to Defend Fragile Web Applications"

[[Vinay Bansal, Martin Nystrom|'''Vinay Bansal, Martin Nystrom''']] Cisco systems

| style="background: #bca57a; width: 40%" align="left" |
[[Scareware Traversing the World via Ireland|"Scareware Traversing the World via Ireland"]] 

[[User:Mark Hillick|'''Mark Hillick''']]

|-
| style="background: #7b8abd; width: 10%" | 16:50 - 17:50
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
'''Keynote: "Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"'''

'''''[[User:Damian Gordon|Damian Gordon]]''''' Phd, School of Computing Dublin Institute of Technology.

'''''Location: Joly Theatre'''''

|-
| style="background: #7b8abd; width: 10%" | 17:50 - 18:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Wrap-Up
|-
| style="background: #7b8abd; width: 10%" | 18:00-21:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | OWASP Social Gathering
|}

= Training =

We intend to hold some application security training on the 16/09/2010 the day prior to the event. This can be booked when booking a ticket to the event. '''Fee: €495'''

== '''Secure Application Development: Writing secure code (and testing it)''' ==

'''Trainers''':

[[User:EoinKeary|'''Eoin Keary''' ]] Senior Manager, Ernst & Young, OWASP Board Member

'''Rahim Jina''' Senior Consultant, Ernst & Young, OWASP Ireland chapter board.

 

'''Abstract''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25.  The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

This course includes coverage of the following areas:

*Unvalidated Input
*Injection Flaws 
*Cross-Site Scriping
*CSRF
*Authentication & Session Management
*Access control & Authorisation
*Broken Caching
*Error Handling
*Cryptography
*Resource Management
*Rich Internet Applications & Webservices
*The Secure SDLC

 '''Hands on'''

To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., WebGoat etc) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises.

'''Audience'''

Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner

'''Level'''

Intermediate

'''Prerequisite'''

Basic knowledge of a web programming language like Java or .NET recommended but not required. 

Bringing your own windows based laptop is recommended so you can participate in the hands on exercises.

'''Duration'''

Full day - 8 Hours 

= Venue =

Trinity College, Dublin [http://www.tcd.ie/Maps/map.php?q=hamilton+building Map of hamilton Building Location]

[http://www.tcd.ie/Maps/map.php?q=dining+hall Dining Hall location]

= Transportation =

=== By Air ===

 Fly to Dublin Airport: http://www.dublinairport.com/ A taxi or bus can take you into Dublin city. (€30 - Taxi) (€10 - Bus) 

=== Public Transport ===

= Accommodation =

Please see here if you wish to stay within the grounds of Trinity College: http://www.owasp.org/images/2/20/TCD_Tariff_2009.pdf

'''Hotels Surrounding Trinity College:'''

http://maps.google.com/maps?near=Dame+Street,+College+Green,+Dublin+2,+Ireland+(Trinity+College+Campus)&geocode=Cfm6cyTmqt_IFev1LQMdLZCg_yFJu3aKhBD7GA&q=hotels&f=l&dq=Trinity+College+loc:+Dublin+Ireland&sll=53.341482,-6.258302&sspn=0.012043,0.037637&ie=UTF8&ei=U6TMSZSzKpSw2QLG_-CUCA&attrid=1036f063d3d0dafc_&ll=53.343711,-6.254568&spn=0.012042,0.037637&z=15

= Registration =

'''The fee for this conference is : '''''Standard''': €150 Euro '''OWASP Members''': €100 Euro

'''Training: '''€495 '''Membership of OWASP is not required to attend the event.''' 

'''Note''': To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accommodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

'''Cvent Registration Link: [http://guest.cvent.com/i.aspx?4W%2cM3%2c679c382d-35c2-4815-a399-c2c3a95ebfd7 Click-Here]'''

= Conference Committee =

'''2010 Ireland Planning Committee Chair''':

Eoin Keary - eoin.keary 'at' owasp.org

 

Fabio Cerullo  - fcerullo 'at' owasp.org

Rahim Jina - rahim.jina 'at' owasp.org

= Call for Papers =

The Conference will consist of two tracks covering both technical and risk management topics.

'''We are seeking presentations on any of the following topics:'''

*Web Services and Application Security
*Common Application related Threats and Risks
*Business Risks with Application Security
*Vulnerability Research in Application Security
*Web Application Penetration Testing
*OWASP Tools and Projects
*Secure Coding/Development Practices
*Technology specific presentations on security such as AJAX, XML, etc.
*Anything else relating to OWASP and Application Security.

The call for papers/presentations is out. The official closing date for receiving a synopsis of the presentation is June 10th, 2010. Announcements on selected candidates will be provided the first week of July 2010. Complete presentations will need to be submitted by the 2nd of August 2010.

All presenters will receive free invitation to the conference, food and refreshments.

'''For some speakers, OWASP will cover some of the travel costs associated with coming to the conference.'''

 

'''Please submit your presentation topics and an abstract of up to 500 words to Eoin Keary''' <mailto: Eoin.keary@owasp.org>

User:Mark Hillick

2010-07-21T13:02:44Z

Rahimjina: Created page with 'Mark is a founding member of IRISS-CERT (www.iriss.ie). Mark has been a volunteer Incident Handler with IRISS-CERT since its foundation in 2008. He has been a member of the Owa…'

Mark is a founding member of IRISS-CERT (www.iriss.ie). Mark has been a volunteer Incident Handler with IRISS-CERT since its foundation in 2008.

He has been a member of the Owasp Ireland chapter for the last two years and has presented on both setting up a CSIRT and on implementing WAF solutions.

Mark currently works with the Application & Networking Team for Citrix Systems, where he concentrates on supporting and advising Citrix’s biggest blue-chip customers across many industries.He has previously worked for 10 years with Allied Irish Banks as the lead for the Internet Infrastructure team and configured far too many firewalls!

From reading Mathematics at university, to collecting GIAC certifications, he's spent far too many hours studying and would prefer to be doing some form of water-sport :) Mark is currently preparing for the GIAC GSE with SANS.

Scareware Traversing the World via a Web App Exploit

2010-07-21T13:02:26Z

OWASP IRELAND 2010

2010-07-21T13:01:47Z

Rahimjina:

[[Image:Dublin2010.gif]] 

 

Welcome to the Irish OWASP Application Security Conference! 

Its Ireland's turn again on '''September 17, 2010'''

 

'''September 17th 2010''': OWASP will hold its second Irish Application Security conference in Dublin University, Trinity College, Dublin, Ireland.

The conference consists of an intensive day of talks/presentations and discussion with 2 different tracks focusing on the causes and trends in web application insecurity.

'''[http://www.owasp.org/index.php/OWASP_IRELAND_2010#Training Training]: (16th September 2010)''' '''''Secure Application Development: Writing secure code (and testing it)''''' training is to be delivered on the 16 September, following the very successful model delivered in 2009 (see more details below)

 

For more details please contact: Eoin.Keary 'at' owasp.org

== Conference Location ==

[[Image:AppSecIreland09 Dublin.JPG|www.tcd.ie]]

 

== Event Sponsorship ==

OWASP is providing sponsors exclusive access to its audience in Dublin, Ireland through a limited number of Expo floor slots, providing a focused setting for potential customers. The conference is expected to draw 150 - 200 technologists who will be looking for ways to spend their remaining 2010 budget and planning for 2010/11. Financial Services, Media, Pharmaceuticals, Government, Healthcare, Technology, and many other verticals will be represented. Sponsorship details are available here:  Please review or sponsorship proposal: [http://www.owasp.org/images/c/c8/OWASP_sponsorship_Master.pdf Click_here]
<center>
 
</center>
=== Sponsors ===

'''Silver Sponsors'''
<center>
[[Image:Cenzic small 2.GIF]]
</center><center>
'''CENZIC''' - Cenzic provides software and SaaS solutions for dynamic, black box testing of Web applications to protect Websites against hacker attacks.Built from the ground up on a completely different technology backbone than its competitors, Cenzic goes beyond signature-based tools to find more "real" vulnerabilities. To request a free demo please visit http://www.cenzic.com 

 
</center><center>[[Image:Veracode logo 2color small.JPG]]</center><center>
'''Veracode''' is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments, and partner or Veracode-delivered manual penetration testing, combined with developer e-learning and access to open source security ratings, Veracode SecurityReview® allows customers to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete and accurate way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare, and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com http://www.veracode.com/
</center>
 
<center>[[Image:FORTIFY_LOGO_MED.jpg]]</center>
<center>
'''Fortify® Software''' is the leader in the emerging category of Software Security Assurance (SSA). Fortify's SSA products and services protect companies from the threats posed by security flaws in business-critical software applications and result in applications that are inherently more secure and impervious to attack. Our solutions help identify and resolve critical application vulnerabilities in less time and at lower cost. http://www.fortify.com
</center>

=== Supported by ===
<center>
[[Image:Irisss small.jpg]] [[Image:IISF.jpg]] [[Image:Iia-logo-small.jpg]][[Image:DG horiz col.gif]]
</center>
== Agenda and Presentations - September 17 ==

The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing pannel discussions back in the main auditorium both days.

{| class="FCK__ShowTableBorders" style="width: 80%" align="center" border="0"
|-
! align="center" colspan="3" | [http://www.tcd.ie/Maps/map.php?q=hamilton+building Hamilton Building, TCD] - September 17, 2010
|-
| style="background: #7b8abd; width: 10%" |
| style="background: #bc857a; width: 40%" | Track 1: Synge Theatre
| style="background: #bca57a; width: 40%" | Track 2: Salmon Theatre
|-
| style="background: #7b8abd; width: 10%" | 08:00-09:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Registration and Coffee
|-
| style="background: #7b8abd; width: 10%" | 09:00 - 09:10
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | Welcome to OWASP Ireland 2010 Conference
'''''[[User:EoinKeary|Eoin Keary]], [http://ie.linkedin.com/in/fcerullo Fabio Cerullo] & Rahim Jina'''  '''OWASP Ireland Board''''' '''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 09:15 - 10:15
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | '''Keynote: "Application Security in the Real World"''' - Considerations for AppSec in non-security companies.
'''''[[John Viega|John Viega ]] '''''Executive Vice President, Perimeter E-Security

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 10:20 - 10:40
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
OWASP "State of the Nation"

[[User:EoinKeary|'''Eoin Keary''']]& [[User:Dinis Cruz|'''Dinis Cruz''']]

''OWASP Global board members''

|-
| style="background: #7b8abd; width: 10%" | 10:45 - 11:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Break - Expo
|-
| style="background: #7b8abd; width: 10%" | 11:10 - 11:45
| style="background: #bc857a; width: 40%" align="left" |
"Testing the Enterprise E-mail Security - from Software to Cloud-based Services" [[User:Dr. Marian Ventuneac|'''Dr. Marian Ventuneac''']]

| style="background: #bca57a; width: 40%" align="left" |
"Counter Intelligence as Defense: Integrating predictive and proactive attack knowledge as a wall of defense"

 [[User:FredDonovan|'''Fred Donovan''']]

|-
| style="background: #7b8abd; width: 10%" | 11:50 - 12:30
| style="background: #bc857a; width: 40%" align="left" |
"The Evolution of Security Testing: Testing the Resiliency of Security" 

[[David Stubley|'''David Stubley''']] (GIAC)

| style="background: #bca57a; width: 40%" align="left" |
[[Path to a Secure Application|"Path to a Secure Application"]]
 [[User:RyanBerg|'''Ryan Berg''']] IBM

|-
| style="background: #7b8abd; width: 10%" | 12:40 - 13:10
| style="background: #bc857a; width: 40%" align="left" |
"Smart Phones with Dumb Apps"

[[Dan Cornell|'''Dan Cornell''']]  Principal of [http://www.denimgroup.com Denim Group], Ltd.

| style="background: #bca57a; width: 40%" align="left" |
"Technology and Business Risk Management: How Application Security Fits In!

[[User:Peter Perfetti|'''Peter Perfetti''']]

|-
| style="background: #7b8abd; width: 10%" | 13:10 - 14:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Lunch - [http://www.tcd.ie/Maps/map.php?q=dining+hall TCD Dining Hall], buffet Lunch
|-
| style="background: #7b8abd; width: 10%" | 1410 - 15:00
| style="background: #c2c2c2; width: 80%" align="center" colspan="2" | '''Keynote: "The changing face of cryptography"'''
'''''[[User:Professor Fred Piper|Professor Fred Piper]]''''', BSc, PhD (London), ARCS, DIC, CEng, CMath, FIEE, FIMA, BCS, CISSP, CISM. 

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 15:10 - 15:50
| style="background: #bc857a; width: 40%" align="left" |
"Microsoft's Security Development Lifecycle for Agile Development"

[[Nick Coblentz|'''Nick Coblentz''']] AT&T Consulting

| style="background: #bca57a; width: 40%" align="left" |
[[The Real appsec pentest|"The "Real" Application Security Pentest."]] 

[[Rory Alsop|'''Rory Alsop''']]& [[Rory McCune|'''Rory McCune''']]

|-
| style="background: #7b8abd; width: 10%" | 16:00 - 16:40
| style="background: #bc857a; width: 40%" align="left" |
"How to Defend Fragile Web Applications"

[[Vinay Bansal, Martin Nystrom|'''Vinay Bansal, Martin Nystrom''']] Cisco systems

| style="background: #bca57a; width: 40%" align="left" |
[[Scareware Traversing the World via a Web App Exploit|"Scareware Traversing the World via a Web App Exploit"]] 

[[User:Mark Hillick|'''Mark Hillick''']]

|-
| style="background: #7b8abd; width: 10%" | 16:50 - 17:50
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
'''Keynote: "Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"'''

'''''[[User:Damian Gordon|Damian Gordon]]''''' Phd, School of Computing Dublin Institute of Technology.

'''''Location: Joly Theatre'''''

|-
| style="background: #7b8abd; width: 10%" | 17:50 - 18:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Wrap-Up
|-
| style="background: #7b8abd; width: 10%" | 18:00-21:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | OWASP Social Gathering
|}

= Training =

We intend to hold some application security training on the 16/09/2010 the day prior to the event. This can be booked when booking a ticket to the event. '''Fee: €495'''

== '''Secure Application Development: Writing secure code (and testing it)''' ==

'''Trainers''':

[[User:EoinKeary|'''Eoin Keary''' ]] Senior Manager, Ernst & Young, OWASP Board Member

'''Rahim Jina''' Senior Consultant, Ernst & Young, OWASP Ireland chapter board.

 

'''Abstract''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25.  The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

This course includes coverage of the following areas:

*Unvalidated Input
*Injection Flaws 
*Cross-Site Scriping
*CSRF
*Authentication & Session Management
*Access control & Authorisation
*Broken Caching
*Error Handling
*Cryptography
*Resource Management
*Rich Internet Applications & Webservices
*The Secure SDLC

 '''Hands on'''

To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., WebGoat etc) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises.

'''Audience'''

Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner

'''Level'''

Intermediate

'''Prerequisite'''

Basic knowledge of a web programming language like Java or .NET recommended but not required. 

Bringing your own windows based laptop is recommended so you can participate in the hands on exercises.

'''Duration'''

Full day - 8 Hours 

= Venue =

Trinity College, Dublin [http://www.tcd.ie/Maps/map.php?q=hamilton+building Map of hamilton Building Location]

[http://www.tcd.ie/Maps/map.php?q=dining+hall Dining Hall location]

= Transportation =

=== By Air ===

 Fly to Dublin Airport: http://www.dublinairport.com/ A taxi or bus can take you into Dublin city. (€30 - Taxi) (€10 - Bus) 

=== Public Transport ===

= Accommodation =

Please see here if you wish to stay within the grounds of Trinity College: http://www.owasp.org/images/2/20/TCD_Tariff_2009.pdf

'''Hotels Surrounding Trinity College:'''

http://maps.google.com/maps?near=Dame+Street,+College+Green,+Dublin+2,+Ireland+(Trinity+College+Campus)&geocode=Cfm6cyTmqt_IFev1LQMdLZCg_yFJu3aKhBD7GA&q=hotels&f=l&dq=Trinity+College+loc:+Dublin+Ireland&sll=53.341482,-6.258302&sspn=0.012043,0.037637&ie=UTF8&ei=U6TMSZSzKpSw2QLG_-CUCA&attrid=1036f063d3d0dafc_&ll=53.343711,-6.254568&spn=0.012042,0.037637&z=15

= Registration =

'''The fee for this conference is : '''''Standard''': €150 Euro '''OWASP Members''': €100 Euro

'''Training: '''€495 '''Membership of OWASP is not required to attend the event.''' 

'''Note''': To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accommodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

'''Cvent Registration Link: [http://guest.cvent.com/i.aspx?4W%2cM3%2c679c382d-35c2-4815-a399-c2c3a95ebfd7 Click-Here]'''

= Conference Committee =

'''2010 Ireland Planning Committee Chair''':

Eoin Keary - eoin.keary 'at' owasp.org

 

Fabio Cerullo  - fcerullo 'at' owasp.org

Rahim Jina - rahim.jina 'at' owasp.org

= Call for Papers =

The Conference will consist of two tracks covering both technical and risk management topics.

'''We are seeking presentations on any of the following topics:'''

*Web Services and Application Security
*Common Application related Threats and Risks
*Business Risks with Application Security
*Vulnerability Research in Application Security
*Web Application Penetration Testing
*OWASP Tools and Projects
*Secure Coding/Development Practices
*Technology specific presentations on security such as AJAX, XML, etc.
*Anything else relating to OWASP and Application Security.

The call for papers/presentations is out. The official closing date for receiving a synopsis of the presentation is June 10th, 2010. Announcements on selected candidates will be provided the first week of July 2010. Complete presentations will need to be submitted by the 2nd of August 2010.

All presenters will receive free invitation to the conference, food and refreshments.

'''For some speakers, OWASP will cover some of the travel costs associated with coming to the conference.'''

 

'''Please submit your presentation topics and an abstract of up to 500 words to Eoin Keary''' <mailto: Eoin.keary@owasp.org>

OWASP IRELAND 2010

2010-07-21T13:00:47Z

Rahimjina:

[[Image:Dublin2010.gif]] 

 

Welcome to the Irish OWASP Application Security Conference! 

Its Ireland's turn again on '''September 17, 2010'''

 

'''September 17th 2010''': OWASP will hold its second Irish Application Security conference in Dublin University, Trinity College, Dublin, Ireland.

The conference consists of an intensive day of talks/presentations and discussion with 2 different tracks focusing on the causes and trends in web application insecurity.

'''[http://www.owasp.org/index.php/OWASP_IRELAND_2010#Training Training]: (16th September 2010)''' '''''Secure Application Development: Writing secure code (and testing it)''''' training is to be delivered on the 16 September, following the very successful model delivered in 2009 (see more details below)

 

For more details please contact: Eoin.Keary 'at' owasp.org

== Conference Location ==

[[Image:AppSecIreland09 Dublin.JPG|www.tcd.ie]]

 

== Event Sponsorship ==

OWASP is providing sponsors exclusive access to its audience in Dublin, Ireland through a limited number of Expo floor slots, providing a focused setting for potential customers. The conference is expected to draw 150 - 200 technologists who will be looking for ways to spend their remaining 2010 budget and planning for 2010/11. Financial Services, Media, Pharmaceuticals, Government, Healthcare, Technology, and many other verticals will be represented. Sponsorship details are available here:  Please review or sponsorship proposal: [http://www.owasp.org/images/c/c8/OWASP_sponsorship_Master.pdf Click_here]
<center>
 
</center>
=== Sponsors ===

'''Silver Sponsors'''
<center>
[[Image:Cenzic small 2.GIF]]
</center><center>
'''CENZIC''' - Cenzic provides software and SaaS solutions for dynamic, black box testing of Web applications to protect Websites against hacker attacks.Built from the ground up on a completely different technology backbone than its competitors, Cenzic goes beyond signature-based tools to find more "real" vulnerabilities. To request a free demo please visit http://www.cenzic.com 

 
</center><center>[[Image:Veracode logo 2color small.JPG]]</center><center>
'''Veracode''' is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments, and partner or Veracode-delivered manual penetration testing, combined with developer e-learning and access to open source security ratings, Veracode SecurityReview® allows customers to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete and accurate way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare, and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com http://www.veracode.com/
</center>
 
<center>[[Image:FORTIFY_LOGO_MED.jpg]]</center>
<center>
'''Fortify® Software''' is the leader in the emerging category of Software Security Assurance (SSA). Fortify's SSA products and services protect companies from the threats posed by security flaws in business-critical software applications and result in applications that are inherently more secure and impervious to attack. Our solutions help identify and resolve critical application vulnerabilities in less time and at lower cost. http://www.fortify.com
</center>

=== Supported by ===
<center>
[[Image:Irisss small.jpg]] [[Image:IISF.jpg]] [[Image:Iia-logo-small.jpg]][[Image:DG horiz col.gif]]
</center>
== Agenda and Presentations - September 17 ==

The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing pannel discussions back in the main auditorium both days.

{| class="FCK__ShowTableBorders" style="width: 80%" align="center" border="0"
|-
! align="center" colspan="3" | [http://www.tcd.ie/Maps/map.php?q=hamilton+building Hamilton Building, TCD] - September 17, 2010
|-
| style="background: #7b8abd; width: 10%" |
| style="background: #bc857a; width: 40%" | Track 1: Synge Theatre
| style="background: #bca57a; width: 40%" | Track 2: Salmon Theatre
|-
| style="background: #7b8abd; width: 10%" | 08:00-09:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Registration and Coffee
|-
| style="background: #7b8abd; width: 10%" | 09:00 - 09:10
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | Welcome to OWASP Ireland 2010 Conference
'''''[[User:EoinKeary|Eoin Keary]], [http://ie.linkedin.com/in/fcerullo Fabio Cerullo] & Rahim Jina'''  '''OWASP Ireland Board''''' '''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 09:15 - 10:15
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | '''Keynote: "Application Security in the Real World"''' - Considerations for AppSec in non-security companies.
'''''[[John Viega|John Viega ]] '''''Executive Vice President, Perimeter E-Security

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 10:20 - 10:40
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
OWASP "State of the Nation"

[[User:EoinKeary|'''Eoin Keary''']]& [[User:Dinis Cruz|'''Dinis Cruz''']]

''OWASP Global board members''

|-
| style="background: #7b8abd; width: 10%" | 10:45 - 11:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Break - Expo
|-
| style="background: #7b8abd; width: 10%" | 11:10 - 11:45
| style="background: #bc857a; width: 40%" align="left" |
"Testing the Enterprise E-mail Security - from Software to Cloud-based Services" [[User:Dr. Marian Ventuneac|'''Dr. Marian Ventuneac''']]

| style="background: #bca57a; width: 40%" align="left" |
"Counter Intelligence as Defense: Integrating predictive and proactive attack knowledge as a wall of defense"

 [[User:FredDonovan|'''Fred Donovan''']]

|-
| style="background: #7b8abd; width: 10%" | 11:50 - 12:30
| style="background: #bc857a; width: 40%" align="left" |
"The Evolution of Security Testing: Testing the Resiliency of Security" 

[[David Stubley|'''David Stubley''']] (GIAC)

| style="background: #bca57a; width: 40%" align="left" |
[[Path to a Secure Application|"Path to a Secure Application"]]
 [[User:RyanBerg|'''Ryan Berg''']] IBM

|-
| style="background: #7b8abd; width: 10%" | 12:40 - 13:10
| style="background: #bc857a; width: 40%" align="left" |
"Smart Phones with Dumb Apps"

[[Dan Cornell|'''Dan Cornell''']]  Principal of [http://www.denimgroup.com Denim Group], Ltd.

| style="background: #bca57a; width: 40%" align="left" |
"Technology and Business Risk Management: How Application Security Fits In!

[[User:Peter Perfetti|'''Peter Perfetti''']]

|-
| style="background: #7b8abd; width: 10%" | 13:10 - 14:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Lunch - [http://www.tcd.ie/Maps/map.php?q=dining+hall TCD Dining Hall], buffet Lunch
|-
| style="background: #7b8abd; width: 10%" | 1410 - 15:00
| style="background: #c2c2c2; width: 80%" align="center" colspan="2" | '''Keynote: "The changing face of cryptography"'''
'''''[[User:Professor Fred Piper|Professor Fred Piper]]''''', BSc, PhD (London), ARCS, DIC, CEng, CMath, FIEE, FIMA, BCS, CISSP, CISM. 

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 15:10 - 15:50
| style="background: #bc857a; width: 40%" align="left" |
"Microsoft's Security Development Lifecycle for Agile Development"

[[Nick Coblentz|'''Nick Coblentz''']] AT&T Consulting

| style="background: #bca57a; width: 40%" align="left" |
[[The Real appsec pentest|"The "real" application security pentest."]] 

[[Rory Alsop|'''Rory Alsop''']]& [[Rory McCune|'''Rory McCune''']]

|-
| style="background: #7b8abd; width: 10%" | 16:00 - 16:40
| style="background: #bc857a; width: 40%" align="left" |
"How to Defend Fragile Web Applications"

[[Vinay Bansal, Martin Nystrom|'''Vinay Bansal, Martin Nystrom''']] Cisco systems

| style="background: #bca57a; width: 40%" align="left" |
[[Scareware Traversing the World via a Web App Exploit|"Scareware Traversing the World via a Web App Exploit"]] 

[[User:Mark Hillick|'''Mark Hillick''']]

|-
| style="background: #7b8abd; width: 10%" | 16:50 - 17:50
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
'''Keynote: "Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"'''

'''''[[User:Damian Gordon|Damian Gordon]]''''' Phd, School of Computing Dublin Institute of Technology.

'''''Location: Joly Theatre'''''

|-
| style="background: #7b8abd; width: 10%" | 17:50 - 18:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Wrap-Up
|-
| style="background: #7b8abd; width: 10%" | 18:00-21:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | OWASP Social Gathering
|}

= Training =

We intend to hold some application security training on the 16/09/2010 the day prior to the event. This can be booked when booking a ticket to the event. '''Fee: €495'''

== '''Secure Application Development: Writing secure code (and testing it)''' ==

'''Trainers''':

[[User:EoinKeary|'''Eoin Keary''' ]] Senior Manager, Ernst & Young, OWASP Board Member

'''Rahim Jina''' Senior Consultant, Ernst & Young, OWASP Ireland chapter board.

 

'''Abstract''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25.  The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

This course includes coverage of the following areas:

*Unvalidated Input
*Injection Flaws 
*Cross-Site Scriping
*CSRF
*Authentication & Session Management
*Access control & Authorisation
*Broken Caching
*Error Handling
*Cryptography
*Resource Management
*Rich Internet Applications & Webservices
*The Secure SDLC

 '''Hands on'''

To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., WebGoat etc) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises.

'''Audience'''

Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner

'''Level'''

Intermediate

'''Prerequisite'''

Basic knowledge of a web programming language like Java or .NET recommended but not required. 

Bringing your own windows based laptop is recommended so you can participate in the hands on exercises.

'''Duration'''

Full day - 8 Hours 

= Venue =

Trinity College, Dublin [http://www.tcd.ie/Maps/map.php?q=hamilton+building Map of hamilton Building Location]

[http://www.tcd.ie/Maps/map.php?q=dining+hall Dining Hall location]

= Transportation =

=== By Air ===

 Fly to Dublin Airport: http://www.dublinairport.com/ A taxi or bus can take you into Dublin city. (€30 - Taxi) (€10 - Bus) 

=== Public Transport ===

= Accommodation =

Please see here if you wish to stay within the grounds of Trinity College: http://www.owasp.org/images/2/20/TCD_Tariff_2009.pdf

'''Hotels Surrounding Trinity College:'''

http://maps.google.com/maps?near=Dame+Street,+College+Green,+Dublin+2,+Ireland+(Trinity+College+Campus)&geocode=Cfm6cyTmqt_IFev1LQMdLZCg_yFJu3aKhBD7GA&q=hotels&f=l&dq=Trinity+College+loc:+Dublin+Ireland&sll=53.341482,-6.258302&sspn=0.012043,0.037637&ie=UTF8&ei=U6TMSZSzKpSw2QLG_-CUCA&attrid=1036f063d3d0dafc_&ll=53.343711,-6.254568&spn=0.012042,0.037637&z=15

= Registration =

'''The fee for this conference is : '''''Standard''': €150 Euro '''OWASP Members''': €100 Euro

'''Training: '''€495 '''Membership of OWASP is not required to attend the event.''' 

'''Note''': To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accommodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

'''Cvent Registration Link: [http://guest.cvent.com/i.aspx?4W%2cM3%2c679c382d-35c2-4815-a399-c2c3a95ebfd7 Click-Here]'''

= Conference Committee =

'''2010 Ireland Planning Committee Chair''':

Eoin Keary - eoin.keary 'at' owasp.org

 

Fabio Cerullo  - fcerullo 'at' owasp.org

Rahim Jina - rahim.jina 'at' owasp.org

= Call for Papers =

The Conference will consist of two tracks covering both technical and risk management topics.

'''We are seeking presentations on any of the following topics:'''

*Web Services and Application Security
*Common Application related Threats and Risks
*Business Risks with Application Security
*Vulnerability Research in Application Security
*Web Application Penetration Testing
*OWASP Tools and Projects
*Secure Coding/Development Practices
*Technology specific presentations on security such as AJAX, XML, etc.
*Anything else relating to OWASP and Application Security.

The call for papers/presentations is out. The official closing date for receiving a synopsis of the presentation is June 10th, 2010. Announcements on selected candidates will be provided the first week of July 2010. Complete presentations will need to be submitted by the 2nd of August 2010.

All presenters will receive free invitation to the conference, food and refreshments.

'''For some speakers, OWASP will cover some of the travel costs associated with coming to the conference.'''

 

'''Please submit your presentation topics and an abstract of up to 500 words to Eoin Keary''' <mailto: Eoin.keary@owasp.org>

Path to a Secure Application

2010-07-21T12:59:45Z

Rahimjina: Created page with 'Regardless of the software development process, agile or waterfall, XP, being used, it is critical to understand how to implement security into this to eliminiate security vulner…'

Regardless of the software development process, agile or waterfall, XP,
being used, it is critical to understand how to implement security into
this to eliminiate security vulnerabilities before a hacker does. The best
place to do this is while the application is being built and not after the
application has already been put into production. This presentation will
outline the people, process, and technologies that can and should be
leveraged to bring security closer to where the problem first gets
introduced, in development.

OWASP IRELAND 2010

2010-07-21T12:58:43Z

Rahimjina:

[[Image:Dublin2010.gif]] 

 

Welcome to the Irish OWASP Application Security Conference! 

Its Ireland's turn again on '''September 17, 2010'''

 

'''September 17th 2010''': OWASP will hold its second Irish Application Security conference in Dublin University, Trinity College, Dublin, Ireland.

The conference consists of an intensive day of talks/presentations and discussion with 2 different tracks focusing on the causes and trends in web application insecurity.

'''[http://www.owasp.org/index.php/OWASP_IRELAND_2010#Training Training]: (16th September 2010)''' '''''Secure Application Development: Writing secure code (and testing it)''''' training is to be delivered on the 16 September, following the very successful model delivered in 2009 (see more details below)

 

For more details please contact: Eoin.Keary 'at' owasp.org

== Conference Location ==

[[Image:AppSecIreland09 Dublin.JPG|www.tcd.ie]]

 

== Event Sponsorship ==

OWASP is providing sponsors exclusive access to its audience in Dublin, Ireland through a limited number of Expo floor slots, providing a focused setting for potential customers. The conference is expected to draw 150 - 200 technologists who will be looking for ways to spend their remaining 2010 budget and planning for 2010/11. Financial Services, Media, Pharmaceuticals, Government, Healthcare, Technology, and many other verticals will be represented. Sponsorship details are available here:  Please review or sponsorship proposal: [http://www.owasp.org/images/c/c8/OWASP_sponsorship_Master.pdf Click_here]
<center>
 
</center>
=== Sponsors ===

'''Silver Sponsors'''
<center>
[[Image:Cenzic small 2.GIF]]
</center><center>
'''CENZIC''' - Cenzic provides software and SaaS solutions for dynamic, black box testing of Web applications to protect Websites against hacker attacks.Built from the ground up on a completely different technology backbone than its competitors, Cenzic goes beyond signature-based tools to find more "real" vulnerabilities. To request a free demo please visit http://www.cenzic.com 

 
</center><center>[[Image:Veracode logo 2color small.JPG]]</center><center>
'''Veracode''' is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments, and partner or Veracode-delivered manual penetration testing, combined with developer e-learning and access to open source security ratings, Veracode SecurityReview® allows customers to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete and accurate way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare, and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com http://www.veracode.com/
</center>
 
<center>[[Image:FORTIFY_LOGO_MED.jpg]]</center>
<center>
'''Fortify® Software''' is the leader in the emerging category of Software Security Assurance (SSA). Fortify's SSA products and services protect companies from the threats posed by security flaws in business-critical software applications and result in applications that are inherently more secure and impervious to attack. Our solutions help identify and resolve critical application vulnerabilities in less time and at lower cost. http://www.fortify.com
</center>

=== Supported by ===
<center>
[[Image:Irisss small.jpg]] [[Image:IISF.jpg]] [[Image:Iia-logo-small.jpg]][[Image:DG horiz col.gif]]
</center>
== Agenda and Presentations - September 17 ==

The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing pannel discussions back in the main auditorium both days.

{| class="FCK__ShowTableBorders" style="width: 80%" align="center" border="0"
|-
! align="center" colspan="3" | [http://www.tcd.ie/Maps/map.php?q=hamilton+building Hamilton Building, TCD] - September 17, 2010
|-
| style="background: #7b8abd; width: 10%" |
| style="background: #bc857a; width: 40%" | Track 1: Synge Theatre
| style="background: #bca57a; width: 40%" | Track 2: Salmon Theatre
|-
| style="background: #7b8abd; width: 10%" | 08:00-09:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Registration and Coffee
|-
| style="background: #7b8abd; width: 10%" | 09:00 - 09:10
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | Welcome to OWASP Ireland 2010 Conference
'''''[[User:EoinKeary|Eoin Keary]], [http://ie.linkedin.com/in/fcerullo Fabio Cerullo] & Rahim Jina'''  '''OWASP Ireland Board''''' '''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 09:15 - 10:15
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | '''Keynote: "Application Security in the Real World"''' - Considerations for AppSec in non-security companies.
'''''[[John Viega|John Viega ]] '''''Executive Vice President, Perimeter E-Security

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 10:20 - 10:40
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
OWASP "State of the Nation"

[[User:EoinKeary|'''Eoin Keary''']]& [[User:Dinis Cruz|'''Dinis Cruz''']]

''OWASP Global board members''

|-
| style="background: #7b8abd; width: 10%" | 10:45 - 11:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Break - Expo
|-
| style="background: #7b8abd; width: 10%" | 11:10 - 11:45
| style="background: #bc857a; width: 40%" align="left" |
"Testing the Enterprise E-mail Security - from Software to Cloud-based Services" [[User:Dr. Marian Ventuneac|'''Dr. Marian Ventuneac''']]

| style="background: #bca57a; width: 40%" align="left" |
"Counter Intelligence as Defense: Integrating predictive and proactive attack knowledge as a wall of defense"

 [[User:FredDonovan|'''Fred Donovan''']]

|-
| style="background: #7b8abd; width: 10%" | 11:50 - 12:30
| style="background: #bc857a; width: 40%" align="left" |
"The Evolution of Security Testing: Testing the Resiliency of Security" 

[[David Stubley|'''David Stubley''']] (GIAC)

| style="background: #bca57a; width: 40%" align="left" |
[[Path to a Secure Application|"Path to a Secure Application"]]
 [[User:RyanBerg|'''Ryan Berg''']] IBM

|-
| style="background: #7b8abd; width: 10%" | 12:40 - 13:10
| style="background: #bc857a; width: 40%" align="left" |
"Smart Phones with Dumb Apps"

[[Dan Cornell|'''Dan Cornell''']]  Principal of [http://www.denimgroup.com Denim Group], Ltd.

| style="background: #bca57a; width: 40%" align="left" |
"Technology and Business Risk Management: How Application Security Fits In!

[[User:Peter Perfetti|'''Peter Perfetti''']]

|-
| style="background: #7b8abd; width: 10%" | 13:10 - 14:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Lunch - [http://www.tcd.ie/Maps/map.php?q=dining+hall TCD Dining Hall], buffet Lunch
|-
| style="background: #7b8abd; width: 10%" | 1410 - 15:00
| style="background: #c2c2c2; width: 80%" align="center" colspan="2" | '''Keynote: "The changing face of cryptography"'''
'''''[[User:Professor Fred Piper|Professor Fred Piper]]''''', BSc, PhD (London), ARCS, DIC, CEng, CMath, FIEE, FIMA, BCS, CISSP, CISM. 

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 15:10 - 15:50
| style="background: #bc857a; width: 40%" align="left" |
"Microsoft's Security Development Lifecycle for Agile Development"

[[Nick Coblentz|'''Nick Coblentz''']] AT&T Consulting

| style="background: #bca57a; width: 40%" align="left" |
[[The Real appsec pentest|"The "real" application security pentest."]] 

[[Rory Alsop|'''Rory Alsop''']]& [[Rory McCune|'''Rory McCune''']]

|-
| style="background: #7b8abd; width: 10%" | 16:00 - 16:40
| style="background: #bc857a; width: 40%" align="left" |
"How to Defend Fragile Web Applications"

[[Vinay Bansal, Martin Nystrom|'''Vinay Bansal, Martin Nystrom''']] Cisco systems

| style="background: #bca57a; width: 40%" align="left" |
[[Scareware Traversing the World via a Web App Exploit|"Scareware Traversing the World via a Web App Exploit"]] 

[[Mark Hillick|'''Mark Hillick''']]

|-
| style="background: #7b8abd; width: 10%" | 16:50 - 17:50
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
'''Keynote: "Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"'''

'''''[[User:Damian Gordon|Damian Gordon]]''''' Phd, School of Computing Dublin Institute of Technology.

'''''Location: Joly Theatre'''''

|-
| style="background: #7b8abd; width: 10%" | 17:50 - 18:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Wrap-Up
|-
| style="background: #7b8abd; width: 10%" | 18:00-21:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | OWASP Social Gathering
|}

= Training =

We intend to hold some application security training on the 16/09/2010 the day prior to the event. This can be booked when booking a ticket to the event. '''Fee: €495'''

== '''Secure Application Development: Writing secure code (and testing it)''' ==

'''Trainers''':

[[User:EoinKeary|'''Eoin Keary''' ]] Senior Manager, Ernst & Young, OWASP Board Member

'''Rahim Jina''' Senior Consultant, Ernst & Young, OWASP Ireland chapter board.

 

'''Abstract''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25.  The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

This course includes coverage of the following areas:

*Unvalidated Input
*Injection Flaws 
*Cross-Site Scriping
*CSRF
*Authentication & Session Management
*Access control & Authorisation
*Broken Caching
*Error Handling
*Cryptography
*Resource Management
*Rich Internet Applications & Webservices
*The Secure SDLC

 '''Hands on'''

To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., WebGoat etc) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises.

'''Audience'''

Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner

'''Level'''

Intermediate

'''Prerequisite'''

Basic knowledge of a web programming language like Java or .NET recommended but not required. 

Bringing your own windows based laptop is recommended so you can participate in the hands on exercises.

'''Duration'''

Full day - 8 Hours 

= Venue =

Trinity College, Dublin [http://www.tcd.ie/Maps/map.php?q=hamilton+building Map of hamilton Building Location]

[http://www.tcd.ie/Maps/map.php?q=dining+hall Dining Hall location]

= Transportation =

=== By Air ===

 Fly to Dublin Airport: http://www.dublinairport.com/ A taxi or bus can take you into Dublin city. (€30 - Taxi) (€10 - Bus) 

=== Public Transport ===

= Accommodation =

Please see here if you wish to stay within the grounds of Trinity College: http://www.owasp.org/images/2/20/TCD_Tariff_2009.pdf

'''Hotels Surrounding Trinity College:'''

http://maps.google.com/maps?near=Dame+Street,+College+Green,+Dublin+2,+Ireland+(Trinity+College+Campus)&geocode=Cfm6cyTmqt_IFev1LQMdLZCg_yFJu3aKhBD7GA&q=hotels&f=l&dq=Trinity+College+loc:+Dublin+Ireland&sll=53.341482,-6.258302&sspn=0.012043,0.037637&ie=UTF8&ei=U6TMSZSzKpSw2QLG_-CUCA&attrid=1036f063d3d0dafc_&ll=53.343711,-6.254568&spn=0.012042,0.037637&z=15

= Registration =

'''The fee for this conference is : '''''Standard''': €150 Euro '''OWASP Members''': €100 Euro

'''Training: '''€495 '''Membership of OWASP is not required to attend the event.''' 

'''Note''': To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accommodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

'''Cvent Registration Link: [http://guest.cvent.com/i.aspx?4W%2cM3%2c679c382d-35c2-4815-a399-c2c3a95ebfd7 Click-Here]'''

= Conference Committee =

'''2010 Ireland Planning Committee Chair''':

Eoin Keary - eoin.keary 'at' owasp.org

 

Fabio Cerullo  - fcerullo 'at' owasp.org

Rahim Jina - rahim.jina 'at' owasp.org

= Call for Papers =

The Conference will consist of two tracks covering both technical and risk management topics.

'''We are seeking presentations on any of the following topics:'''

*Web Services and Application Security
*Common Application related Threats and Risks
*Business Risks with Application Security
*Vulnerability Research in Application Security
*Web Application Penetration Testing
*OWASP Tools and Projects
*Secure Coding/Development Practices
*Technology specific presentations on security such as AJAX, XML, etc.
*Anything else relating to OWASP and Application Security.

The call for papers/presentations is out. The official closing date for receiving a synopsis of the presentation is June 10th, 2010. Announcements on selected candidates will be provided the first week of July 2010. Complete presentations will need to be submitted by the 2nd of August 2010.

All presenters will receive free invitation to the conference, food and refreshments.

'''For some speakers, OWASP will cover some of the travel costs associated with coming to the conference.'''

 

'''Please submit your presentation topics and an abstract of up to 500 words to Eoin Keary''' <mailto: Eoin.keary@owasp.org>

Scarewaretraversingtheworld

2010-07-21T12:50:55Z

OWASP IRELAND 2010

2010-07-21T12:50:22Z

Rahimjina:

[[Image:Dublin2010.gif]] 

 

Welcome to the Irish OWASP Application Security Conference! 

Its Ireland's turn again on '''September 17, 2010'''

 

'''September 17th 2010''': OWASP will hold its second Irish Application Security conference in Dublin University, Trinity College, Dublin, Ireland.

The conference consists of an intensive day of talks/presentations and discussion with 2 different tracks focusing on the causes and trends in web application insecurity.

'''[http://www.owasp.org/index.php/OWASP_IRELAND_2010#Training Training]: (16th September 2010)''' '''''Secure Application Development: Writing secure code (and testing it)''''' training is to be delivered on the 16 September, following the very successful model delivered in 2009 (see more details below)

 

For more details please contact: Eoin.Keary 'at' owasp.org

== Conference Location ==

[[Image:AppSecIreland09 Dublin.JPG|www.tcd.ie]]

 

== Event Sponsorship ==

OWASP is providing sponsors exclusive access to its audience in Dublin, Ireland through a limited number of Expo floor slots, providing a focused setting for potential customers. The conference is expected to draw 150 - 200 technologists who will be looking for ways to spend their remaining 2010 budget and planning for 2010/11. Financial Services, Media, Pharmaceuticals, Government, Healthcare, Technology, and many other verticals will be represented. Sponsorship details are available here:  Please review or sponsorship proposal: [http://www.owasp.org/images/c/c8/OWASP_sponsorship_Master.pdf Click_here]
<center>
 
</center>
=== Sponsors ===

'''Silver Sponsors'''
<center>
[[Image:Cenzic small 2.GIF]]
</center><center>
'''CENZIC''' - Cenzic provides software and SaaS solutions for dynamic, black box testing of Web applications to protect Websites against hacker attacks.Built from the ground up on a completely different technology backbone than its competitors, Cenzic goes beyond signature-based tools to find more "real" vulnerabilities. To request a free demo please visit http://www.cenzic.com 

 
</center><center>[[Image:Veracode logo 2color small.JPG]]</center><center>
'''Veracode''' is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments, and partner or Veracode-delivered manual penetration testing, combined with developer e-learning and access to open source security ratings, Veracode SecurityReview® allows customers to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete and accurate way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare, and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com http://www.veracode.com/
</center>
 
<center>[[Image:FORTIFY_LOGO_MED.jpg]]</center>
<center>
'''Fortify® Software''' is the leader in the emerging category of Software Security Assurance (SSA). Fortify's SSA products and services protect companies from the threats posed by security flaws in business-critical software applications and result in applications that are inherently more secure and impervious to attack. Our solutions help identify and resolve critical application vulnerabilities in less time and at lower cost. http://www.fortify.com
</center>

=== Supported by ===
<center>
[[Image:Irisss small.jpg]] [[Image:IISF.jpg]] [[Image:Iia-logo-small.jpg]][[Image:DG horiz col.gif]]
</center>
== Agenda and Presentations - September 17 ==

The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing pannel discussions back in the main auditorium both days.

{| class="FCK__ShowTableBorders" style="width: 80%" align="center" border="0"
|-
! align="center" colspan="3" | [http://www.tcd.ie/Maps/map.php?q=hamilton+building Hamilton Building, TCD] - September 17, 2010
|-
| style="background: #7b8abd; width: 10%" |
| style="background: #bc857a; width: 40%" | Track 1: Synge Theatre
| style="background: #bca57a; width: 40%" | Track 2: Salmon Theatre
|-
| style="background: #7b8abd; width: 10%" | 08:00-09:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Registration and Coffee
|-
| style="background: #7b8abd; width: 10%" | 09:00 - 09:10
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | Welcome to OWASP Ireland 2010 Conference
'''''[[User:EoinKeary|Eoin Keary]], [http://ie.linkedin.com/in/fcerullo Fabio Cerullo] & Rahim Jina'''  '''OWASP Ireland Board''''' '''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 09:15 - 10:15
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | '''Keynote: "Application Security in the Real World"''' - Considerations for AppSec in non-security companies.
'''''[[John Viega|John Viega ]] '''''Executive Vice President, Perimeter E-Security

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 10:20 - 10:40
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
OWASP "State of the Nation"

[[User:EoinKeary|'''Eoin Keary''']]& [[User:Dinis Cruz|'''Dinis Cruz''']]

''OWASP Global board members''

|-
| style="background: #7b8abd; width: 10%" | 10:45 - 11:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Break - Expo
|-
| style="background: #7b8abd; width: 10%" | 11:10 - 11:45
| style="background: #bc857a; width: 40%" align="left" |
"Testing the Enterprise E-mail Security - from Software to Cloud-based Services" [[User:Dr. Marian Ventuneac|'''Dr. Marian Ventuneac''']]

| style="background: #bca57a; width: 40%" align="left" |
"Counter Intelligence as Defense: Integrating predictive and proactive attack knowledge as a wall of defense"

 [[User:FredDonovan|'''Fred Donovan''']]

|-
| style="background: #7b8abd; width: 10%" | 11:50 - 12:30
| style="background: #bc857a; width: 40%" align="left" |
"The Evolution of Security Testing: Testing the Resiliency of Security" 

[[David Stubley|'''David Stubley''']] (GIAC)

| style="background: #bca57a; width: 40%" align="left" |
"Path to a Secure Application"

 [[User:RyanBerg|'''Ryan Berg''']] IBM

|-
| style="background: #7b8abd; width: 10%" | 12:40 - 13:10
| style="background: #bc857a; width: 40%" align="left" |
"Smart Phones with Dumb Apps"

[[Dan Cornell|'''Dan Cornell''']]  Principal of [http://www.denimgroup.com Denim Group], Ltd.

| style="background: #bca57a; width: 40%" align="left" |
"Technology and Business Risk Management: How Application Security Fits In!

[[User:Peter Perfetti|'''Peter Perfetti''']]

|-
| style="background: #7b8abd; width: 10%" | 13:10 - 14:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Lunch - [http://www.tcd.ie/Maps/map.php?q=dining+hall TCD Dining Hall], buffet Lunch
|-
| style="background: #7b8abd; width: 10%" | 1410 - 15:00
| style="background: #c2c2c2; width: 80%" align="center" colspan="2" | '''Keynote: "The changing face of cryptography"'''
'''''[[User:Professor Fred Piper|Professor Fred Piper]]''''', BSc, PhD (London), ARCS, DIC, CEng, CMath, FIEE, FIMA, BCS, CISSP, CISM. 

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 15:10 - 15:50
| style="background: #bc857a; width: 40%" align="left" |
"Microsoft's Security Development Lifecycle for Agile Development"

[[Nick Coblentz|'''Nick Coblentz''']] AT&T Consulting

| style="background: #bca57a; width: 40%" align="left" |
[[The Real appsec pentest|"The "real" application security pentest."]] 

[[Rory Alsop|'''Rory Alsop''']]& [[Rory McCune|'''Rory McCune''']]

|-
| style="background: #7b8abd; width: 10%" | 16:00 - 16:40
| style="background: #bc857a; width: 40%" align="left" |
"How to Defend Fragile Web Applications"

[[Vinay Bansal, Martin Nystrom|'''Vinay Bansal, Martin Nystrom''']] Cisco systems

| style="background: #bca57a; width: 40%" align="left" |
[[Scarewaretraversingtheworld|"Scareware Traversing the World via a Web App Exploit"]] 

[[MarkHillick|'''Mark Hillick''']]

|-
| style="background: #7b8abd; width: 10%" | 16:50 - 17:50
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
'''Keynote: "Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"'''

'''''[[User:Damian Gordon|Damian Gordon]]''''' Phd, School of Computing Dublin Institute of Technology.

'''''Location: Joly Theatre'''''

|-
| style="background: #7b8abd; width: 10%" | 17:50 - 18:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Wrap-Up
|-
| style="background: #7b8abd; width: 10%" | 18:00-21:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | OWASP Social Gathering
|}

= Training =

We intend to hold some application security training on the 16/09/2010 the day prior to the event. This can be booked when booking a ticket to the event. '''Fee: €495'''

== '''Secure Application Development: Writing secure code (and testing it)''' ==

'''Trainers''':

[[User:EoinKeary|'''Eoin Keary''' ]] Senior Manager, Ernst & Young, OWASP Board Member

'''Rahim Jina''' Senior Consultant, Ernst & Young, OWASP Ireland chapter board.

 

'''Abstract''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25.  The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

This course includes coverage of the following areas:

*Unvalidated Input
*Injection Flaws 
*Cross-Site Scriping
*CSRF
*Authentication & Session Management
*Access control & Authorisation
*Broken Caching
*Error Handling
*Cryptography
*Resource Management
*Rich Internet Applications & Webservices
*The Secure SDLC

 '''Hands on'''

To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., WebGoat etc) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises.

'''Audience'''

Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner

'''Level'''

Intermediate

'''Prerequisite'''

Basic knowledge of a web programming language like Java or .NET recommended but not required. 

Bringing your own windows based laptop is recommended so you can participate in the hands on exercises.

'''Duration'''

Full day - 8 Hours 

= Venue =

Trinity College, Dublin [http://www.tcd.ie/Maps/map.php?q=hamilton+building Map of hamilton Building Location]

[http://www.tcd.ie/Maps/map.php?q=dining+hall Dining Hall location]

= Transportation =

=== By Air ===

 Fly to Dublin Airport: http://www.dublinairport.com/ A taxi or bus can take you into Dublin city. (€30 - Taxi) (€10 - Bus) 

=== Public Transport ===

= Accommodation =

Please see here if you wish to stay within the grounds of Trinity College: http://www.owasp.org/images/2/20/TCD_Tariff_2009.pdf

'''Hotels Surrounding Trinity College:'''

http://maps.google.com/maps?near=Dame+Street,+College+Green,+Dublin+2,+Ireland+(Trinity+College+Campus)&geocode=Cfm6cyTmqt_IFev1LQMdLZCg_yFJu3aKhBD7GA&q=hotels&f=l&dq=Trinity+College+loc:+Dublin+Ireland&sll=53.341482,-6.258302&sspn=0.012043,0.037637&ie=UTF8&ei=U6TMSZSzKpSw2QLG_-CUCA&attrid=1036f063d3d0dafc_&ll=53.343711,-6.254568&spn=0.012042,0.037637&z=15

= Registration =

'''The fee for this conference is : '''''Standard''': €150 Euro '''OWASP Members''': €100 Euro

'''Training: '''€495 '''Membership of OWASP is not required to attend the event.''' 

'''Note''': To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accommodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

'''Cvent Registration Link: [http://guest.cvent.com/i.aspx?4W%2cM3%2c679c382d-35c2-4815-a399-c2c3a95ebfd7 Click-Here]'''

= Conference Committee =

'''2010 Ireland Planning Committee Chair''':

Eoin Keary - eoin.keary 'at' owasp.org

 

Fabio Cerullo  - fcerullo 'at' owasp.org

Rahim Jina - rahim.jina 'at' owasp.org

= Call for Papers =

The Conference will consist of two tracks covering both technical and risk management topics.

'''We are seeking presentations on any of the following topics:'''

*Web Services and Application Security
*Common Application related Threats and Risks
*Business Risks with Application Security
*Vulnerability Research in Application Security
*Web Application Penetration Testing
*OWASP Tools and Projects
*Secure Coding/Development Practices
*Technology specific presentations on security such as AJAX, XML, etc.
*Anything else relating to OWASP and Application Security.

The call for papers/presentations is out. The official closing date for receiving a synopsis of the presentation is June 10th, 2010. Announcements on selected candidates will be provided the first week of July 2010. Complete presentations will need to be submitted by the 2nd of August 2010.

All presenters will receive free invitation to the conference, food and refreshments.

'''For some speakers, OWASP will cover some of the travel costs associated with coming to the conference.'''

 

'''Please submit your presentation topics and an abstract of up to 500 words to Eoin Keary''' <mailto: Eoin.keary@owasp.org>

User:FredDonovan

2010-07-21T12:39:32Z

Rahimjina: Created page with 'Fred's career encompasses application security research and the founding of Attack Logic, a U.S. based AppSec consultancy. He spent 3 years as a private researcher in the field …'

Fred's career encompasses application security research and the founding of Attack Logic, a U.S. based AppSec consultancy. He spent 3 years as a private researcher in the field of InfoSec and for the past 10 years has provided executive level IT services to public and private firms. Application Security has been his exclusive focus for the past 7.
He is a regular guest lecturer and speaker at Universities, Conferences, and professional organizations. Mr. Donovan is alumni of the University of Missouri -- Columbia (Mizzou) and the American Military University (AMU). He currently splits time between New York and Nebraska. When asked who he is, Fred will say he is "a father of 4 and a friend and brother to many"

OWASP IRELAND 2010

2010-07-21T12:38:27Z

Rahimjina:

[[Image:Dublin2010.gif]] 

 

Welcome to the Irish OWASP Application Security Conference! 

Its Ireland's turn again on '''September 17, 2010'''

 

'''September 17th 2010''': OWASP will hold its second Irish Application Security conference in Dublin University, Trinity College, Dublin, Ireland.

The conference consists of an intensive day of talks/presentations and discussion with 2 different tracks focusing on the causes and trends in web application insecurity.

'''[http://www.owasp.org/index.php/OWASP_IRELAND_2010#Training Training]: (16th September 2010)''' '''''Secure Application Development: Writing secure code (and testing it)''''' training is to be delivered on the 16 September, following the very successful model delivered in 2009 (see more details below)

 

For more details please contact: Eoin.Keary 'at' owasp.org

== Conference Location ==

[[Image:AppSecIreland09 Dublin.JPG|www.tcd.ie]]

 

== Event Sponsorship ==

OWASP is providing sponsors exclusive access to its audience in Dublin, Ireland through a limited number of Expo floor slots, providing a focused setting for potential customers. The conference is expected to draw 150 - 200 technologists who will be looking for ways to spend their remaining 2010 budget and planning for 2010/11. Financial Services, Media, Pharmaceuticals, Government, Healthcare, Technology, and many other verticals will be represented. Sponsorship details are available here:  Please review or sponsorship proposal: [http://www.owasp.org/images/c/c8/OWASP_sponsorship_Master.pdf Click_here]
<center>
 
</center>
=== Sponsors ===

'''Silver Sponsors'''
<center>
[[Image:Cenzic small 2.GIF]]
</center><center>
'''CENZIC''' - Cenzic provides software and SaaS solutions for dynamic, black box testing of Web applications to protect Websites against hacker attacks.Built from the ground up on a completely different technology backbone than its competitors, Cenzic goes beyond signature-based tools to find more "real" vulnerabilities. To request a free demo please visit http://www.cenzic.com 

 
</center><center>[[Image:Veracode logo 2color small.JPG]]</center><center>
'''Veracode''' is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments, and partner or Veracode-delivered manual penetration testing, combined with developer e-learning and access to open source security ratings, Veracode SecurityReview® allows customers to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete and accurate way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare, and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com http://www.veracode.com/
</center>
 
<center>[[Image:FORTIFY_LOGO_MED.jpg]]</center>
<center>
'''Fortify® Software''' is the leader in the emerging category of Software Security Assurance (SSA). Fortify's SSA products and services protect companies from the threats posed by security flaws in business-critical software applications and result in applications that are inherently more secure and impervious to attack. Our solutions help identify and resolve critical application vulnerabilities in less time and at lower cost. http://www.fortify.com
</center>

=== Supported by ===
<center>
[[Image:Irisss small.jpg]] [[Image:IISF.jpg]] [[Image:Iia-logo-small.jpg]][[Image:DG horiz col.gif]]
</center>
== Agenda and Presentations - September 17 ==

The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing pannel discussions back in the main auditorium both days.

{| class="FCK__ShowTableBorders" style="width: 80%" align="center" border="0"
|-
! align="center" colspan="3" | [http://www.tcd.ie/Maps/map.php?q=hamilton+building Hamilton Building, TCD] - September 17, 2010
|-
| style="background: #7b8abd; width: 10%" |
| style="background: #bc857a; width: 40%" | Track 1: Synge Theatre
| style="background: #bca57a; width: 40%" | Track 2: Salmon Theatre
|-
| style="background: #7b8abd; width: 10%" | 08:00-09:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Registration and Coffee
|-
| style="background: #7b8abd; width: 10%" | 09:00 - 09:10
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | Welcome to OWASP Ireland 2010 Conference
'''''[[User:EoinKeary|Eoin Keary]], [http://ie.linkedin.com/in/fcerullo Fabio Cerullo] & Rahim Jina'''  '''OWASP Ireland Board''''' '''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 09:15 - 10:15
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | '''Keynote: "Application Security in the Real World"''' - Considerations for AppSec in non-security companies.
'''''[[John Viega|John Viega ]] '''''Executive Vice President, Perimeter E-Security

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 10:20 - 10:40
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
OWASP "State of the Nation"

[[User:EoinKeary|'''Eoin Keary''']]& [[User:Dinis Cruz|'''Dinis Cruz''']]

''OWASP Global board members''

|-
| style="background: #7b8abd; width: 10%" | 10:45 - 11:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Break - Expo
|-
| style="background: #7b8abd; width: 10%" | 11:10 - 11:45
| style="background: #bc857a; width: 40%" align="left" |
"Testing the Enterprise E-mail Security - from Software to Cloud-based Services" [[User:Dr. Marian Ventuneac|'''Dr. Marian Ventuneac''']]

| style="background: #bca57a; width: 40%" align="left" |
"Counter Intelligence as Defense: Integrating predictive and proactive attack knowledge as a wall of defense"

 [[User:FredDonovan|'''Fred Donovan''']]

|-
| style="background: #7b8abd; width: 10%" | 11:50 - 12:30
| style="background: #bc857a; width: 40%" align="left" |
"The Evolution of Security Testing: Testing the Resiliency of Security" 

[[David Stubley|'''David Stubley''']] (GIAC)

| style="background: #bca57a; width: 40%" align="left" |
"Path to a Secure Application"

 [[User:RyanBerg|'''Ryan Berg''']] IBM

|-
| style="background: #7b8abd; width: 10%" | 12:40 - 13:10
| style="background: #bc857a; width: 40%" align="left" |
"Smart Phones with Dumb Apps"

[[Dan Cornell|'''Dan Cornell''']]  Principal of [http://www.denimgroup.com Denim Group], Ltd.

| style="background: #bca57a; width: 40%" align="left" |
"Technology and Business Risk Management: How Application Security Fits In!

[[User:Peter Perfetti|'''Peter Perfetti''']]

|-
| style="background: #7b8abd; width: 10%" | 13:10 - 14:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Lunch - [http://www.tcd.ie/Maps/map.php?q=dining+hall TCD Dining Hall], buffet Lunch
|-
| style="background: #7b8abd; width: 10%" | 1410 - 15:00
| style="background: #c2c2c2; width: 80%" align="center" colspan="2" | '''Keynote: "The changing face of cryptography"'''
'''''[[User:Professor Fred Piper|Professor Fred Piper]]''''', BSc, PhD (London), ARCS, DIC, CEng, CMath, FIEE, FIMA, BCS, CISSP, CISM. 

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 15:10 - 15:50
| style="background: #bc857a; width: 40%" align="left" |
"Microsoft's Security Development Lifecycle for Agile Development"

[[Nick Coblentz|'''Nick Coblentz''']] AT&T Consulting

| style="background: #bca57a; width: 40%" align="left" |
[[The Real appsec pentest|"The "real" application security pentest."]] 

[[Rory Alsop|'''Rory Alsop''']]& [[Rory McCune|'''Rory McCune''']]

|-
| style="background: #7b8abd; width: 10%" | 16:00 - 16:40
| style="background: #bc857a; width: 40%" align="left" |
"How to Defend Fragile Web Applications"

[[Vinay Bansal, Martin Nystrom|'''Vinay Bansal, Martin Nystrom''']] Cisco systems

| style="background: #bca57a; width: 40%" align="left" |
 

|-
| style="background: #7b8abd; width: 10%" | 16:50 - 17:50
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
'''Keynote: "Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"'''

'''''[[User:Damian Gordon|Damian Gordon]]''''' Phd, School of Computing Dublin Institute of Technology.

'''''Location: Joly Theatre'''''

|-
| style="background: #7b8abd; width: 10%" | 17:50 - 18:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Wrap-Up
|-
| style="background: #7b8abd; width: 10%" | 18:00-21:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | OWASP Social Gathering
|}

= Training =

We intend to hold some application security training on the 16/09/2010 the day prior to the event. This can be booked when booking a ticket to the event. '''Fee: €495'''

== '''Secure Application Development: Writing secure code (and testing it)''' ==

'''Trainers''':

[[User:EoinKeary|'''Eoin Keary''' ]] Senior Manager, Ernst & Young, OWASP Board Member

'''Rahim Jina''' Senior Consultant, Ernst & Young, OWASP Ireland chapter board.

 

'''Abstract''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25.  The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

This course includes coverage of the following areas:

*Unvalidated Input
*Injection Flaws 
*Cross-Site Scriping
*CSRF
*Authentication & Session Management
*Access control & Authorisation
*Broken Caching
*Error Handling
*Cryptography
*Resource Management
*Rich Internet Applications & Webservices
*The Secure SDLC

 '''Hands on'''

To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., WebGoat etc) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises.

'''Audience'''

Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner

'''Level'''

Intermediate

'''Prerequisite'''

Basic knowledge of a web programming language like Java or .NET recommended but not required. 

Bringing your own windows based laptop is recommended so you can participate in the hands on exercises.

'''Duration'''

Full day - 8 Hours 

= Venue =

Trinity College, Dublin [http://www.tcd.ie/Maps/map.php?q=hamilton+building Map of hamilton Building Location]

[http://www.tcd.ie/Maps/map.php?q=dining+hall Dining Hall location]

= Transportation =

=== By Air ===

 Fly to Dublin Airport: http://www.dublinairport.com/ A taxi or bus can take you into Dublin city. (€30 - Taxi) (€10 - Bus) 

=== Public Transport ===

= Accommodation =

Please see here if you wish to stay within the grounds of Trinity College: http://www.owasp.org/images/2/20/TCD_Tariff_2009.pdf

'''Hotels Surrounding Trinity College:'''

http://maps.google.com/maps?near=Dame+Street,+College+Green,+Dublin+2,+Ireland+(Trinity+College+Campus)&geocode=Cfm6cyTmqt_IFev1LQMdLZCg_yFJu3aKhBD7GA&q=hotels&f=l&dq=Trinity+College+loc:+Dublin+Ireland&sll=53.341482,-6.258302&sspn=0.012043,0.037637&ie=UTF8&ei=U6TMSZSzKpSw2QLG_-CUCA&attrid=1036f063d3d0dafc_&ll=53.343711,-6.254568&spn=0.012042,0.037637&z=15

= Registration =

'''The fee for this conference is : '''''Standard''': €150 Euro '''OWASP Members''': €100 Euro

'''Training: '''€495 '''Membership of OWASP is not required to attend the event.''' 

'''Note''': To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accommodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

'''Cvent Registration Link: [http://guest.cvent.com/i.aspx?4W%2cM3%2c679c382d-35c2-4815-a399-c2c3a95ebfd7 Click-Here]'''

= Conference Committee =

'''2010 Ireland Planning Committee Chair''':

Eoin Keary - eoin.keary 'at' owasp.org

 

Fabio Cerullo  - fcerullo 'at' owasp.org

Rahim Jina - rahim.jina 'at' owasp.org

= Call for Papers =

The Conference will consist of two tracks covering both technical and risk management topics.

'''We are seeking presentations on any of the following topics:'''

*Web Services and Application Security
*Common Application related Threats and Risks
*Business Risks with Application Security
*Vulnerability Research in Application Security
*Web Application Penetration Testing
*OWASP Tools and Projects
*Secure Coding/Development Practices
*Technology specific presentations on security such as AJAX, XML, etc.
*Anything else relating to OWASP and Application Security.

The call for papers/presentations is out. The official closing date for receiving a synopsis of the presentation is June 10th, 2010. Announcements on selected candidates will be provided the first week of July 2010. Complete presentations will need to be submitted by the 2nd of August 2010.

All presenters will receive free invitation to the conference, food and refreshments.

'''For some speakers, OWASP will cover some of the travel costs associated with coming to the conference.'''

 

'''Please submit your presentation topics and an abstract of up to 500 words to Eoin Keary''' <mailto: Eoin.keary@owasp.org>

OWASP IRELAND 2010

2010-07-15T12:41:06Z

Rahimjina:

[[Image:Dublin2010.gif]] 

 

Welcome to the Irish OWASP Application Security Conference! 

Its Ireland's turn again on '''September 17, 2010'''

 

'''September 17th 2010''': OWASP will hold its second Irish Application Security conference in Dublin University, Trinity College, Dublin, Ireland.

The conference consists of an intensive day of talks/presentations and discussion with 2 different tracks focusing on the causes and trends in web application insecurity.

'''[http://www.owasp.org/index.php/OWASP_IRELAND_2010#Training Training]: (16th September 2010)''' '''''Secure Application Development: Writing secure code (and testing it)''''' training is to be delivered on the 16 September, following the very successful model delivered in 2009 (see more details below)

 

For more details please contact: Eoin.Keary 'at' owasp.org

== Conference Location ==

[[Image:AppSecIreland09 Dublin.JPG|www.tcd.ie]]

 

== Event Sponsorship ==

OWASP is providing sponsors exclusive access to its audience in Dublin, Ireland through a limited number of Expo floor slots, providing a focused setting for potential customers. The conference is expected to draw 150 - 200 technologists who will be looking for ways to spend their remaining 2010 budget and planning for 2010/11. Financial Services, Media, Pharmaceuticals, Government, Healthcare, Technology, and many other verticals will be represented. Sponsorship details are available here:  Please review or sponsorship proposal: [http://www.owasp.org/images/c/c8/OWASP_sponsorship_Master.pdf Click_here]
<center>
 
</center>
=== Sponsors ===

'''Silver Sponsors'''
<center>
[[Image:Cenzic small 2.GIF]]
</center><center>
'''CENZIC''' - Cenzic provides software and SaaS solutions for dynamic, black box testing of Web applications to protect Websites against hacker attacks.Built from the ground up on a completely different technology backbone than its competitors, Cenzic goes beyond signature-based tools to find more "real" vulnerabilities. To request a free demo please visit http://www.cenzic.com 

 
</center><center>[[Image:Veracode logo 2color small.JPG]]</center><center>
'''Veracode''' is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments, and partner or Veracode-delivered manual penetration testing, combined with developer e-learning and access to open source security ratings, Veracode SecurityReview® allows customers to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete and accurate way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare, and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com http://www.veracode.com/
</center>
 
<center>[[Image:FORTIFY_LOGO_MED.jpg]]</center>
<center>
'''Fortify® Software''' is the leader in the emerging category of Software Security Assurance (SSA). Fortify's SSA products and services protect companies from the threats posed by security flaws in business-critical software applications and result in applications that are inherently more secure and impervious to attack. Our solutions help identify and resolve critical application vulnerabilities in less time and at lower cost. http://www.fortify.com
</center>

=== Supported by ===
<center>
[[Image:Irisss small.jpg]] [[Image:IISF.jpg]] [[Image:Iia-logo-small.jpg]][[Image:DG horiz col.gif]]
</center>
== Agenda and Presentations - September 17 ==

The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing pannel discussions back in the main auditorium both days.

{| class="FCK__ShowTableBorders" style="width: 80%" align="center" border="0"
|-
! align="center" colspan="3" | [http://www.tcd.ie/Maps/map.php?q=hamilton+building Hamilton Building, TCD] - September 17, 2010
|-
| style="background: #7b8abd; width: 10%" |
| style="background: #bc857a; width: 40%" | Track 1: Synge Theatre
| style="background: #bca57a; width: 40%" | Track 2: Salmon Theatre
|-
| style="background: #7b8abd; width: 10%" | 08:00-09:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Registration and Coffee
|-
| style="background: #7b8abd; width: 10%" | 09:00 - 09:10
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | Welcome to OWASP Ireland 2010 Conference
'''''[[User:EoinKeary|Eoin Keary]], [http://ie.linkedin.com/in/fcerullo Fabio Cerullo] & Rahim Jina'''  '''OWASP Ireland Board''''' '''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 09:15 - 10:15
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | '''Keynote: "Application Security in the Real World"''' - Considerations for AppSec in non-security companies.
'''''[[John Viega|John Viega ]] '''''Executive Vice President, Perimeter E-Security

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 10:20 - 10:40
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
OWASP "State of the Nation"

[[User:EoinKeary|'''Eoin Keary''']]& [[User:Dinis Cruz|'''Dinis Cruz''']]

''OWASP Global board members''

|-
| style="background: #7b8abd; width: 10%" | 10:45 - 11:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Break - Expo
|-
| style="background: #7b8abd; width: 10%" | 11:10 - 11:45
| style="background: #bc857a; width: 40%" align="left" |
"Testing the Enterprise E-mail Security - from Software to Cloud-based Services" [[User:Dr. Marian Ventuneac|'''Dr. Marian Ventuneac''']]

| style="background: #bca57a; width: 40%" align="left" |
"Setting up a Security Development Lifecycle for the first time"

 [[User:SebastienGioria|'''Sébastien Gioria''']]

|-
| style="background: #7b8abd; width: 10%" | 11:50 - 12:30
| style="background: #bc857a; width: 40%" align="left" |
"The Evolution of Security Testing: Testing the Resiliency of Security" 

[[David Stubley|'''David Stubley''']] (GIAC)

| style="background: #bca57a; width: 40%" align="left" |
"Path to a Secure Application"

 [[User:RyanBerg|'''Ryan Berg''']] IBM

|-
| style="background: #7b8abd; width: 10%" | 12:40 - 13:10
| style="background: #bc857a; width: 40%" align="left" |
"Smart Phones with Dumb Apps"

[[Dan Cornell|'''Dan Cornell''']]  Principal of [http://www.denimgroup.com Denim Group], Ltd.

| style="background: #bca57a; width: 40%" align="left" |
"Technology and Business Risk Management: How Application Security Fits In!

[[User:Peter Perfetti|'''Peter Perfetti''']]

|-
| style="background: #7b8abd; width: 10%" | 13:10 - 14:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Lunch - [http://www.tcd.ie/Maps/map.php?q=dining+hall TCD Dining Hall], buffet Lunch
|-
| style="background: #7b8abd; width: 10%" | 1410 - 15:00
| style="background: #c2c2c2; width: 80%" align="center" colspan="2" | '''Keynote: "The changing face of cryptography"'''
'''''[[User:Professor Fred Piper|Professor Fred Piper]]''''', BSc, PhD (London), ARCS, DIC, CEng, CMath, FIEE, FIMA, BCS, CISSP, CISM. 

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 15:10 - 15:50
| style="background: #bc857a; width: 40%" align="left" |
"Microsoft's Security Development Lifecycle for Agile Development"

[[Nick Coblentz|'''Nick Coblentz''']] AT&T Consulting

| style="background: #bca57a; width: 40%" align="left" |
[[The Real appsec pentest|"The "real" application security pentest."]] 

[[Rory Alsop|'''Rory Alsop''']]& [[Rory McCune|'''Rory McCune''']]

|-
| style="background: #7b8abd; width: 10%" | 16:00 - 16:40
| style="background: #bc857a; width: 40%" align="left" |
"How to Defend Fragile Web Applications"

[[Vinay Bansal, Martin Nystrom|'''Vinay Bansal, Martin Nystrom''']] Cisco systems

| style="background: #bca57a; width: 40%" align="left" |
 

|-
| style="background: #7b8abd; width: 10%" | 16:50 - 17:50
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
'''Keynote: "Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"'''

'''''[[User:Damian Gordon|Damian Gordon]]''''' Phd, School of Computing Dublin Institute of Technology.

'''''Location: Joly Theatre'''''

|-
| style="background: #7b8abd; width: 10%" | 17:50 - 18:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Wrap-Up
|-
| style="background: #7b8abd; width: 10%" | 18:00-21:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | OWASP Social Gathering
|}

= Training =

We intend to hold some application security training on the 16/09/2010 the day prior to the event. This can be booked when booking a ticket to the event. '''Fee: €495'''

== '''Secure Application Development: Writing secure code (and testing it)''' ==

'''Trainers''':

[[User:EoinKeary|'''Eoin Keary''' ]] Senior Manager, Ernst & Young, OWASP Board Member

'''Rahim Jina''' Senior Consultant, Ernst & Young, OWASP Ireland chapter board.

 

'''Abstract''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25.  The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

This course includes coverage of the following areas:

*Unvalidated Input
*Injection Flaws 
*Cross-Site Scriping
*CSRF
*Authentication & Session Management
*Access control & Authorisation
*Broken Caching
*Error Handling
*Cryptography
*Resource Management
*Rich Internet Applications & Webservices
*The Secure SDLC

 '''Hands on'''

To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., WebGoat etc) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises.

'''Audience'''

Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner

'''Level'''

Intermediate

'''Prerequisite'''

Basic knowledge of a web programming language like Java or .NET recommended but not required. 

Bringing your own windows based laptop is recommended so you can participate in the hands on exercises.

'''Duration'''

Full day - 8 Hours 

= Venue =

Trinity College, Dublin [http://www.tcd.ie/Maps/map.php?q=hamilton+building Map of hamilton Building Location]

[http://www.tcd.ie/Maps/map.php?q=dining+hall Dining Hall location]

= Transportation =

=== By Air ===

 Fly to Dublin Airport: http://www.dublinairport.com/ A taxi or bus can take you into Dublin city. (€30 - Taxi) (€10 - Bus) 

=== Public Transport ===

= Accommodation =

Please see here if you wish to stay within the grounds of Trinity College: http://www.owasp.org/images/2/20/TCD_Tariff_2009.pdf

'''Hotels Surrounding Trinity College:'''

http://maps.google.com/maps?near=Dame+Street,+College+Green,+Dublin+2,+Ireland+(Trinity+College+Campus)&geocode=Cfm6cyTmqt_IFev1LQMdLZCg_yFJu3aKhBD7GA&q=hotels&f=l&dq=Trinity+College+loc:+Dublin+Ireland&sll=53.341482,-6.258302&sspn=0.012043,0.037637&ie=UTF8&ei=U6TMSZSzKpSw2QLG_-CUCA&attrid=1036f063d3d0dafc_&ll=53.343711,-6.254568&spn=0.012042,0.037637&z=15

= Registration =

'''The fee for this conference is : '''''Standard''': €150 Euro '''OWASP Members''': €100 Euro

'''Training: '''€495 '''Membership of OWASP is not required to attend the event.''' 

'''Note''': To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accommodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

'''Cvent Registration Link: [http://guest.cvent.com/i.aspx?4W%2cM3%2c679c382d-35c2-4815-a399-c2c3a95ebfd7 Click-Here]'''

= Conference Committee =

'''2010 Ireland Planning Committee Chair''':

Eoin Keary - eoin.keary 'at' owasp.org

 

Fabio Cerullo  - fcerullo 'at' owasp.org

Rahim Jina - rahim.jina 'at' owasp.org

= Call for Papers =

The Conference will consist of two tracks covering both technical and risk management topics.

'''We are seeking presentations on any of the following topics:'''

*Web Services and Application Security
*Common Application related Threats and Risks
*Business Risks with Application Security
*Vulnerability Research in Application Security
*Web Application Penetration Testing
*OWASP Tools and Projects
*Secure Coding/Development Practices
*Technology specific presentations on security such as AJAX, XML, etc.
*Anything else relating to OWASP and Application Security.

The call for papers/presentations is out. The official closing date for receiving a synopsis of the presentation is June 10th, 2010. Announcements on selected candidates will be provided the first week of July 2010. Complete presentations will need to be submitted by the 2nd of August 2010.

All presenters will receive free invitation to the conference, food and refreshments.

'''For some speakers, OWASP will cover some of the travel costs associated with coming to the conference.'''

 

'''Please submit your presentation topics and an abstract of up to 500 words to Eoin Keary''' <mailto: Eoin.keary@owasp.org>

User:RyanBerg

2010-07-15T12:33:42Z

Rahimjina: Created page with 'Ryan Berg, Senior Architect Security Research, IBM. Ryan Berg was a Co-Founder and Chief Scientist for Ounce Labs prior to its' acquisition by IBM in 2009. In addition to advanc…'

Ryan Berg, Senior Architect Security Research, IBM.

Ryan Berg was a Co-Founder and Chief Scientist for Ounce Labs prior to its'
acquisition by IBM in 2009. In addition to advancing the state of the art
in application security technologies, Ryan is also a popular speaker,
instructor, and author, in the fields of security, risk management, and
secure development processes. He holds patents and has patents pending in
multi-language security assessment, kernel-level security, intermediary
security assessment language, and secure remote communication protocols.
Prior to Ounce, Ryan co-founded Qiave Technologies, a pioneer in
kernel-level security, which later sold to WatchGuard Technologies in
October of 2000. In the late 1990’s, Ryan also designed and developed the
infrastructure for GTE Internetworking/Genuity’s appliance-based managed
firewall and security services.

OWASP IRELAND 2010

2010-07-15T12:32:41Z

Rahimjina:

[[Image:Dublin2010.gif]] 

 

Welcome to the Irish OWASP Application Security Conference! 

Its Ireland's turn again on '''September 17, 2010'''

 

'''September 17th 2010''': OWASP will hold its second Irish Application Security conference in Dublin University, Trinity College, Dublin, Ireland.

The conference consists of an intensive day of talks/presentations and discussion with 2 different tracks focusing on the causes and trends in web application insecurity.

'''[http://www.owasp.org/index.php/OWASP_IRELAND_2010#Training Training]: (16th September 2010)''' '''''Secure Application Development: Writing secure code (and testing it)''''' training is to be delivered on the 16 September, following the very successful model delivered in 2009 (see more details below)

 

For more details please contact: Eoin.Keary 'at' owasp.org

== Conference Location ==

[[Image:AppSecIreland09 Dublin.JPG|www.tcd.ie]]

 

== Event Sponsorship ==

OWASP is providing sponsors exclusive access to its audience in Dublin, Ireland through a limited number of Expo floor slots, providing a focused setting for potential customers. The conference is expected to draw 150 - 200 technologists who will be looking for ways to spend their remaining 2010 budget and planning for 2010/11. Financial Services, Media, Pharmaceuticals, Government, Healthcare, Technology, and many other verticals will be represented. Sponsorship details are available here:  Please review or sponsorship proposal: [http://www.owasp.org/images/c/c8/OWASP_sponsorship_Master.pdf Click_here]
<center>
 
</center>
=== Sponsors ===

'''Silver Sponsors'''
<center>
[[Image:Cenzic small 2.GIF]]
</center><center>
'''CENZIC''' - Cenzic provides software and SaaS solutions for dynamic, black box testing of Web applications to protect Websites against hacker attacks.Built from the ground up on a completely different technology backbone than its competitors, Cenzic goes beyond signature-based tools to find more "real" vulnerabilities. To request a free demo please visit http://www.cenzic.com 

 
</center><center>[[Image:Veracode logo 2color small.JPG]]</center><center>
'''Veracode''' is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments, and partner or Veracode-delivered manual penetration testing, combined with developer e-learning and access to open source security ratings, Veracode SecurityReview® allows customers to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete and accurate way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare, and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com http://www.veracode.com/
</center>
 
<center>[[Image:FORTIFY_LOGO_MED.jpg]]</center>
<center>
'''Fortify® Software''' is the leader in the emerging category of Software Security Assurance (SSA). Fortify's SSA products and services protect companies from the threats posed by security flaws in business-critical software applications and result in applications that are inherently more secure and impervious to attack. Our solutions help identify and resolve critical application vulnerabilities in less time and at lower cost. http://www.fortify.com
</center>

=== Supported by ===
<center>
[[Image:Irisss small.jpg]] [[Image:IISF.jpg]] [[Image:Iia-logo-small.jpg]][[Image:DG horiz col.gif]]
</center>
== Agenda and Presentations - September 17 ==

The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing pannel discussions back in the main auditorium both days.

{| class="FCK__ShowTableBorders" style="width: 80%" align="center" border="0"
|-
! align="center" colspan="3" | [http://www.tcd.ie/Maps/map.php?q=hamilton+building Hamilton Building, TCD] - September 17, 2010
|-
| style="background: #7b8abd; width: 10%" |
| style="background: #bc857a; width: 40%" | Track 1: Synge Theatre
| style="background: #bca57a; width: 40%" | Track 2: Salmon Theatre
|-
| style="background: #7b8abd; width: 10%" | 08:00-09:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Registration and Coffee
|-
| style="background: #7b8abd; width: 10%" | 09:00 - 09:10
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | Welcome to OWASP Ireland 2010 Conference
'''''[[User:EoinKeary|Eoin Keary]], [http://ie.linkedin.com/in/fcerullo Fabio Cerullo] & Rahim Jina'''  '''OWASP Ireland Board''''' '''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 09:15 - 10:15
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" | '''Keynote: "Application Security in the Real World"''' - Considerations for AppSec in non-security companies.
'''''[[John Viega|John Viega ]] '''''Executive Vice President, Perimeter E-Security

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 10:20 - 10:40
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
OWASP "State of the Nation"

[[User:EoinKeary|'''Eoin Keary''']]& [[User:Dinis Cruz|'''Dinis Cruz''']]

''OWASP Global board members''

|-
| style="background: #7b8abd; width: 10%" | 10:45 - 11:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Break - Expo
|-
| style="background: #7b8abd; width: 10%" | 11:10 - 11:45
| style="background: #bc857a; width: 40%" align="left" |
"Testing the Enterprise E-mail Security - from Software to Cloud-based Services" [[User:Dr. Marian Ventuneac|'''Dr. Marian Ventuneac''']]

| style="background: #bca57a; width: 40%" align="left" |
"Setting up a Security Development Lifecycle for the first time"

 [[User:SebastienGioria|'''Sébastien Gioria''']]

|-
| style="background: #7b8abd; width: 10%" | 11:50 - 12:30
| style="background: #bc857a; width: 40%" align="left" |
"The Evolution of Security Testing: Testing the Resiliency of Security" 

[[David Stubley|'''David Stubley''']] (GIAC)

| style="background: #bca57a; width: 40%" align="left" |
"Path to a Secure Application"

 [[User:RyanBerg|'''Ryan Berg''']]

|-
| style="background: #7b8abd; width: 10%" | 12:40 - 13:10
| style="background: #bc857a; width: 40%" align="left" |
"Smart Phones with Dumb Apps"

[[Dan Cornell|'''Dan Cornell''']]  Principal of [http://www.denimgroup.com Denim Group], Ltd.

| style="background: #bca57a; width: 40%" align="left" |
"Technology and Business Risk Management: How Application Security Fits In!

[[User:Peter Perfetti|'''Peter Perfetti''']]

|-
| style="background: #7b8abd; width: 10%" | 13:10 - 14:10
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Lunch - [http://www.tcd.ie/Maps/map.php?q=dining+hall TCD Dining Hall], buffet Lunch
|-
| style="background: #7b8abd; width: 10%" | 1410 - 15:00
| style="background: #c2c2c2; width: 80%" align="center" colspan="2" | '''Keynote: "The changing face of cryptography"'''
'''''[[User:Professor Fred Piper|Professor Fred Piper]]''''', BSc, PhD (London), ARCS, DIC, CEng, CMath, FIEE, FIMA, BCS, CISSP, CISM. 

'''Location: Joly Theatre'''

|-
| style="background: #7b8abd; width: 10%" | 15:10 - 15:50
| style="background: #bc857a; width: 40%" align="left" |
"Microsoft's Security Development Lifecycle for Agile Development"

[[Nick Coblentz|'''Nick Coblentz''']] AT&T Consulting

| style="background: #bca57a; width: 40%" align="left" |
[[The Real appsec pentest|"The "real" application security pentest."]] 

[[Rory Alsop|'''Rory Alsop''']]& [[Rory McCune|'''Rory McCune''']]

|-
| style="background: #7b8abd; width: 10%" | 16:00 - 16:40
| style="background: #bc857a; width: 40%" align="left" |
"How to Defend Fragile Web Applications"

[[Vinay Bansal, Martin Nystrom|'''Vinay Bansal, Martin Nystrom''']] Cisco systems

| style="background: #bca57a; width: 40%" align="left" |
 

|-
| style="background: #7b8abd; width: 10%" | 16:50 - 17:50
| style="background: #f2f2f2; width: 80%" align="center" colspan="2" |
'''Keynote: "Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"'''

'''''[[User:Damian Gordon|Damian Gordon]]''''' Phd, School of Computing Dublin Institute of Technology.

'''''Location: Joly Theatre'''''

|-
| style="background: #7b8abd; width: 10%" | 17:50 - 18:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | Wrap-Up
|-
| style="background: #7b8abd; width: 10%" | 18:00-21:00
| style="background: #c2c2c2; width: 80%" align="left" colspan="2" | OWASP Social Gathering
|}

= Training =

We intend to hold some application security training on the 16/09/2010 the day prior to the event. This can be booked when booking a ticket to the event. '''Fee: €495'''

== '''Secure Application Development: Writing secure code (and testing it)''' ==

'''Trainers''':

[[User:EoinKeary|'''Eoin Keary''' ]] Senior Manager, Ernst & Young, OWASP Board Member

'''Rahim Jina''' Senior Consultant, Ernst & Young, OWASP Ireland chapter board.

 

'''Abstract''' Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25.  The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

This course includes coverage of the following areas:

*Unvalidated Input
*Injection Flaws 
*Cross-Site Scriping
*CSRF
*Authentication & Session Management
*Access control & Authorisation
*Broken Caching
*Error Handling
*Cryptography
*Resource Management
*Rich Internet Applications & Webservices
*The Secure SDLC

 '''Hands on'''

To cement the principles discussed, students can participate in a number of hands-on security testing exercises where they attack a live web application (i.e., WebGoat etc) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises. Students need to bring their own windows based laptop to participate in the exercises.

'''Audience'''

Developers who want to understand the most common web application security flaws, and how to avoid them and code in a secure manner

'''Level'''

Intermediate

'''Prerequisite'''

Basic knowledge of a web programming language like Java or .NET recommended but not required. 

Bringing your own windows based laptop is recommended so you can participate in the hands on exercises.

'''Duration'''

Full day - 8 Hours 

= Venue =

Trinity College, Dublin [http://www.tcd.ie/Maps/map.php?q=hamilton+building Map of hamilton Building Location]

[http://www.tcd.ie/Maps/map.php?q=dining+hall Dining Hall location]

= Transportation =

=== By Air ===

 Fly to Dublin Airport: http://www.dublinairport.com/ A taxi or bus can take you into Dublin city. (€30 - Taxi) (€10 - Bus) 

=== Public Transport ===

= Accommodation =

Please see here if you wish to stay within the grounds of Trinity College: http://www.owasp.org/images/2/20/TCD_Tariff_2009.pdf

'''Hotels Surrounding Trinity College:'''

http://maps.google.com/maps?near=Dame+Street,+College+Green,+Dublin+2,+Ireland+(Trinity+College+Campus)&geocode=Cfm6cyTmqt_IFev1LQMdLZCg_yFJu3aKhBD7GA&q=hotels&f=l&dq=Trinity+College+loc:+Dublin+Ireland&sll=53.341482,-6.258302&sspn=0.012043,0.037637&ie=UTF8&ei=U6TMSZSzKpSw2QLG_-CUCA&attrid=1036f063d3d0dafc_&ll=53.343711,-6.254568&spn=0.012042,0.037637&z=15

= Registration =

'''The fee for this conference is : '''''Standard''': €150 Euro '''OWASP Members''': €100 Euro

'''Training: '''€495 '''Membership of OWASP is not required to attend the event.''' 

'''Note''': To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accommodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

'''Cvent Registration Link: [http://guest.cvent.com/i.aspx?4W%2cM3%2c679c382d-35c2-4815-a399-c2c3a95ebfd7 Click-Here]'''

= Conference Committee =

'''2010 Ireland Planning Committee Chair''':

Eoin Keary - eoin.keary 'at' owasp.org

 

Fabio Cerullo  - fcerullo 'at' owasp.org

Rahim Jina - rahim.jina 'at' owasp.org

= Call for Papers =

The Conference will consist of two tracks covering both technical and risk management topics.

'''We are seeking presentations on any of the following topics:'''

*Web Services and Application Security
*Common Application related Threats and Risks
*Business Risks with Application Security
*Vulnerability Research in Application Security
*Web Application Penetration Testing
*OWASP Tools and Projects
*Secure Coding/Development Practices
*Technology specific presentations on security such as AJAX, XML, etc.
*Anything else relating to OWASP and Application Security.

The call for papers/presentations is out. The official closing date for receiving a synopsis of the presentation is June 10th, 2010. Announcements on selected candidates will be provided the first week of July 2010. Complete presentations will need to be submitted by the 2nd of August 2010.

All presenters will receive free invitation to the conference, food and refreshments.

'''For some speakers, OWASP will cover some of the travel costs associated with coming to the conference.'''

 

'''Please submit your presentation topics and an abstract of up to 500 words to Eoin Keary''' <mailto: Eoin.keary@owasp.org>

OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Rahim Jina Curriculum

2010-04-03T22:18:16Z

Rahimjina:

= Rahim Jina =
* Rahim graduated in 2002 from Trinity College Dublin, with a degree in Information & Communications Technology, specialising in Computer Security & Mobile Communications. In 2006, Rahim completed an MSc in Security & Forensic Computing from Dublin City University.
* Rahim joined Ernst & Young's Risk Advisory Services in September 2006 and is now a senior IT security consultant.

Project Information:template Code Review Project

2008-12-03T17:03:37Z

Rahimjina:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Code Review Project V1.1'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The code review guide is currently at version RC 2.0 and the second best selling OWASP book. I have received many positive comments regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information and I have convinced such people (Alessio Marziali) to open source their tool and make it an OWASP project. The combination of a book on secure code review and a tool to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development. Proposal: I am proposing that I improve the code review guide from a number of aspects. This should place the guide as a de facto secure code review guide in the application security industry.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:eoin.keary(at)owasp.org '''Eoin Keary''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-codereview '''Mailing List/Subscribe''']
[mailto:owasp-codereview(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:rahim.jina(at)ie.ey.com '''Rahim Jina'''] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Rahim Jina Curriculum|Curriculum]]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:psatishkumar(at)gmail.com '''P.Satish Kumar'''] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Rahim Jina Curriculum|Curriculum]]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:jeff.williams(at)owasp.org '''Jeff Williams''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [https://www.owasp.org/images/5/59/Code_Review_Eoin.pptx OWASP Code Review's PowerPoint Presentation]
* [[:OWASP Code Review Guide Table of Contents|Code Review Guide Table of Contents]] 
* [http://www.lulu.com/content/1415989 Code Review Guide (RC2) Book] 
* (If appropriate, links to be added)
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://www.cyphersec.com/software_archive/CodeCrawler.rar OWASP Code Crawler Project] 
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#OWASP Code review guide, V1.1|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' (To update) --------- [[Project Information:template Code Review Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Code Review Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Code Review Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Code Review Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Release''' '''Season of Code - 2008''' --------- [[Project Information:template Code Review Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Code Review Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Code Review Project - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

Project Information:template Code Review Project - Final Review - First Reviewer - D

2008-12-03T17:00:06Z

Rahimjina:

[[Project Information:template Code Review Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP Code review guide, V1.1|OWASP Code Review Guide V1.1 Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP Code review guide, V1.1|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"| Code review guide has now achieved release quality. All objectives have been accomplished.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP Code review guide, V1.1|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"| The guide is now 100% complete
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"| Review points and comments have been provided directly to the author/editor.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"| Alpha Quality status reached.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"| Beta Quality status reached.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"| Release Quality status reached.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"| N/A
|}

Project Information:template Code Review Project - Final Review - First Reviewer - D

2008-11-02T20:36:06Z

Rahimjina:

[[Project Information:template Code Review Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP Code review guide, V1.1|OWASP Code Review Guide V1.1 Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP Code review guide, V1.1|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"| Code review guide has now achieved release quality. All objectives have been accomplished.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP Code review guide, V1.1|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"| The guide is 99.5% complete (.5% for final corrections and formatting issues)
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"| Review points and comments have been provided directly to the author/editor.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template Code Review Project

2008-11-02T20:29:03Z

Rahimjina:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Code Review Project V1.1'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The code review guide is currently at version RC 2.0 and the second best selling OWASP book. I have received many positive comments regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information and I have convinced such people (Alessio Marziali) to open source their tool and make it an OWASP project. The combination of a book on secure code review and a tool to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development. Proposal: I am proposing that I improve the code review guide from a number of aspects. This should place the guide as a de facto secure code review guide in the application security industry.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:eoin.keary(at)owasp.org '''Eoin Keary''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-codereview '''Mailing List/Subscribe''']
[mailto:owasp-codereview(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:rahim.jina(at)ie.ey.com '''Rahim Jina'''] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Rahim Jina Curriculum|Curriculum]]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:psatishkumar(at)gmail.com '''P.Satish Kumar'''] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Rahim Jina Curriculum|Curriculum]]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:jeff.williams(at)owasp.org '''Jeff Williams''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [[:OWASP Code Review Guide Table of Contents|Code Review Guide Table of Contents]] 
* [http://www.lulu.com/content/1415989 Code Review Guide (RC2) Book] 
* (If appropriate, links to be added)
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://www.cyphersec.com/software_archive/CodeCrawler.rar OWASP Code Crawler Project] 
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#OWASP Code review guide, V1.1|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' (To update) --------- [[Project Information:template Code Review Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Code Review Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Code Review Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Code Review Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Code Review Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Code Review Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Code Review Project - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

Reviewing Code for Race Conditions

2008-10-22T20:32:23Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__

== Introduction ==
Race Conditions occur when a piece of code does not work as it is supposed to (like many security issues). They are the result of an unexpected ordering of events which can result in the finite state machine of the code to transition to a undefined state and also give rise to contention of more than one thread of execution over the same resource. Multiple threads of execution acting or manipulating the same area in memory or persisted data which gives rise to integrity issues.

==How they work:==
With competing tasks manipulating the same resource we can easily get a race condition as the resource is not in step-lock or utilises a token based multi-use system such as semaphores.

Say we have two processes (Thread 1, T1) and (Thread 2, T2).
The code in question adds 10 to an integer X. The initial value of X is 5.

X = X + 10

So with no controls surrounding this code in a multithreaded environment we get the following problem:

T1 places X into a register in thread 1
T2 places X into a register in thread 2
T1 adds 10 to the value in T1's register resulting in 15
T2 adds 10 to the value in T2's register resulting in 15
T1 saves the register value (15) into X.
T1 saves the register value (15) into X.

The value should actually be 25 as each thread added 10 to the initial value of 5. But the actual value is 15 due to T2 not letting T1 save into X before it takes a value of X for its addition.

==How to locate the potentially vulnerable code==

===.NET===
Look for code which used multithreaded environments:

Keywords such as:
Thread
System.Threading
ThreadPool
System.Threading.Interlocked

===Java===
java.lang.Thread
start()
stop()
destroy()
init()
synchronized
wait()
notify()
notifyAll()

===Classic ASP===
Notice multithreading is not directly supported feature of classic ASP so this kind of race conditions could be present only when using COM objects.

==Vulnerable Patterns for Race Conditions==

Static methods (One per class, not one per object) are an issue particularly if there is a shared state among multiple threads.
For example in Apache struts static members should not be used to store information relating to a particular request. The same instance of a class can be used by multiple threads and the value of the static member can not be guaranteed.

Instances of classes do not need to be thread safe as one is made per operation/request. Static states must be thread safe.

#References to static variables, these much be thread locked.
#Releasing a lock in places other then finally{} may cause issues
#Static methods that alter static state

==Related Articles==

http://msdn2.microsoft.com/en-us/library/f857xew0(vs.71).aspx

[[Category:OWASP Code Review Project]]
[[Category:Data Integrity|TOCTTOU]]

Reviewing Code for Session Integrity issues

2008-10-22T20:30:58Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__
==Introduction==
Cookies can be used to maintain a session state. This identifies a user whilst in the middle of using the application. Session ID's are a popular method of identifying a user. A "secure" session ID should be at least 128 bits in length and sufficiently random.
Cookies can also be used to identify a user but care must be taken in using cookies. Generally it is not recommended to implement a SSO (Single Sign on) solution using cookies; they were never intended for such use. Persistent cookies are stored on a user hard disk and are valid depending on the expiry date defined in the cookie. The following are pointers when reviewing cookie related code.

==How to locate the potentially vulnerable code==
If the cookie object is being set with various attributes apart from the session ID check the cookie is set only to transmit over HTTPS/SSL.
In Java this is performed by the method:

cookie.setSecure() (Java)
cookie.secure = secure; (.NET)
Response.Cookies("CookieKey").Secure = True (Classic ASP)

==HTTP Only Cookie==
This is adhered to in IE6 and above.
HTTP Only cookie is meant to provide protection against XSS by not letting client side scripts access the cookie. It's a step in the right direction but not a silver bullet.

cookie.HttpOnly = true (C#)

Here cookie should only be accessible via ASP.NET.

Notice HTTPOnly property is not supported in Classic ASP pages.

==Limiting Cookie Domain==
Ensure cookies are limited to a domain such as example.com; therefore the cookie is associated to example.com. If the cookie is associated with other domains the following code performs this:

Response.Cookies["domain"].Domain = "support.example.com"; (C#)
Response.Cookies("domain").Domain = "support.example.com" (Classic ASP)

During the review, if the cookie is assigned to more than one domain make note of it and query why this is the case.

==Displaying Data to user from Cookie==

Make sure that data being displayed to a user from a cookie is HTML encoded. This mitigates some forms of Cross Site Scripting.

LabelX.Text = Server.HtmlEncode(Request.Cookies["userName"].Value); (C#)
Response.Write Server.HtmlEncode (Request.Cookies("userName")) (Classic ASP)

==Session Tracking/Management Techniques==
=== HTML Hidden Field ===
The HTML Hidden field could be used to perform session tracking. Upon each HTTP POST request the hidden field is passed to the server identifying the user. It would be in the form of

<INPUT TYPE="hidden" NAME="user"VALUE="User001928394857738000094857hfduekjkksowie039848jej393">

Server-side code is used to perform validation on the VALUE in order to ensure the used is valid. This approach can only be used for POST/Form requests.

=== URL Rewriting ===
URL rewriting approaches session tracking by appending a unique id pertaining to the user at the end of the URL.

<A HREF="/smackmenow.htm?user=User001928394857738000094857hfduekjkksowie039848jej393">Click Here</A>

==Leading Practice Patterns for Session Management/Integrity==
HTTPOnly Cookie:
Prevents cookie access via client side script. Not all browsers support such a directive.

'''Valid Session checking''':

Upon any HTTP request the framework should check if the user pertaining to the HTTP request (via session ID) is valid.

'''Successful Authentication''':

Upon a successful login the user should be issued a new session identifier. The old session ID should be invalidated. This prevents session fixation attacks and the same browser also sharing the same session ID in a multi user environment. Some times the session ID is per browser and the session remains valid while the browser is alive.

'''Logout''':
This also leads to the idea of why a logout button is so important. The logout button should invalidate the users session ID when it is selected.

==Related Articles==

[[:Category:OWASP_Cookies_Database|OWASP cookies database]] 
http://msdn2.microsoft.com/en-us/library/ms533046.aspx 
http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/Cookie.html

[[Category:OWASP Code Review Project]]
[[Category:Session Management]]

Reviewing Code for Logging Issues

2008-10-20T21:18:49Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__
=== In Brief===
Logging is the recording of information into storage that details who performed what and when they did it (like an audit trail). This can also cover debug messages implemented during development as well as any messages reflecting problems or states within the application. It should be an audit of everything that the business deems important to track about the applications use. Logging provides a detective method to ensure that the other security mechanisms being used are performing correctly. 

There are three categories of logs; application, operation system and security software. While the general principles are similar for all logging needs, the practices stated in this document are especially applicable to application logs. 

A good logging strategy should include log generation, storage, protection, analysis and reporting. 

====Log Generation====
Logging should be at least done at the following events: 

'''Authentication''': Successful and unsuccessful attempts. 
'''Authorization requests'''. 
'''Data manipulation''': Any (CUD) Create, Update, Delete actions performed on the application. 
'''Session activity''': Termination/Logout events. 

The application should have the ability to detect and record possible malicious use, such as events that cause unexpected errors or defy the state model of the application, for example, users who attempt to get access to data that they shouldn’t, and incoming data that does not meet validation rules or has been tampered with. In general, it should detect any error condition which could not occur without an attempt by the user to circumvent the application logic. 

Logging should give us the information required to form a proper audit trail of a user's actions. 
Leading from this, the date/time actions were performed would be useful, but make sure the application uses a clock that is synched to a common time source.
Logging functionality should not log any personal or sensitive data pertaining to the user of function at hand that is being recorded; an example of this is if your application is accepting HTTP GET the payload is in the URL and the GET shall be logged. This may result in logging sensitive data. 

Logging should follow best practice regarding data validation;
maximum length of information, malicious characters…. 
We should ensure that logging functionality only logs messages of a reasonable length and that this length is enforced. 
Never log user input directly; validate, then log.

====Log Storage====
In order to preserve log entries and keep the sizes of log files manageable, log rotation is recommend. Log rotation means closing a log file and opening a new one when the first file is considered to be either complete or becoming too big. Log rotation is typically performed according to a schedule (e.g. daily) or when a file reaches a certain size. 

====Log Protection====
Because logs contain records of user account and other sensitive information, they need to be protected from breaches of their confidentiality, integrity and availability, the triad of information security. 

====Log Analysis and Reporting====
Log analysis is the studying of log entries to identify events of interest or suppress log entries for insignificant events. Log reporting is the displaying of log analysis.
Although these are normally the responsibilities of the system administrator, an application must generate logs that are consistent and contains info that will allow the administrator to prioritize the records. 

Common open source logging solutions: 

Log4J: http://logging.apache.org/log4j/docs/index.html

Log4net: http://logging.apache.org/log4net/

Commons Logging: http://jakarta.apache.org/commons/logging/index.html
 

In Tomcat(5.5), if no custom logger is defined (log4J) then everything is logged via Commons Logging and ultimately ends up in catalina.out. 
catalina.out grows endlessly and does not recycle/rollover. Log4J provides “Rollover” functionality, which limits the size of the log. Log4J also gives the option to specify “appenders” which can redirect the log data to other destinations such as a port, syslog or even a database or JMS.

The parts of log4J which should be considered apart from the actual data being logged by the application are contained in the log4j.properties file:

#
# Configures Log4j as the Tomcat system logger
#

#
# Configure the logger to output info level messages into a rolling log file.
#
log4j.rootLogger=INFO, R

#
# To continue using the "catalina.out" file (which grows forever),
# comment out the above line and uncomment the next.
#
#log4j.rootLogger=ERROR, A1

#
# Configuration for standard output ("catalina.out").
#
log4j.appender.A1=org.apache.log4j.ConsoleAppender
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
#
# Print the date in ISO 8601 format
#
log4j.appender.A1.layout.ConversionPattern=%d [%t] %-5p %c - %m%n

#
# Configuration for a rolling log file ("tomcat.log").
#
log4j.appender.R=org.apache.log4j.DailyRollingFileAppender
log4j.appender.R.DatePattern='.'yyyy-MM-dd
#
# Edit the next line to point to your logs directory.
# The last part of the name is the log file name.
#
log4j.appender.R.File=/usr/local/tomcat/logs/tomcat.log
log4j.appender.R.layout=org.apache.log4j.PatternLayout
#
# Print the date in ISO 8601 format
#
log4j.appender.R.layout.ConversionPattern=%d [%t] %-5p %c - %m%n

#
# Application logging options
#
#log4j.logger.org.apache=DEBUG
#log4j.logger.org.apache=INFO
#log4j.logger.org.apache.struts=DEBUG
#log4j.logger.org.apache.struts=INFO

=== Vulnerable patterns examples for Logging===

====.NET====
The following are issues one may look out for or question the development/deployment team.
Logging and auditing are detective methods of fraud prevention. They are much overlooked in the industry, which enables attackers to continue to attack/commit fraud without being detected.

They cover Windows and .NET issues:
'''Check that:'''
#Windows native log puts a timestamp on all log entries.
#GMT is set as the default time.
#The Windows operating system can be configured to use network timeservers.
#By default the event log will show: Name of the computer that generated the event; The application in the source field of the viewer. Additional information such as request identifier,username,and destination should be included in the body of the error event.
#No sensitive or business critical information is sent to the application logs.
#Application logs are not located in the web root directory.
#Log policy allows different levels of log severity.

===== Writing to the Event Log=====
In the course of reviewing .NET code ensure that calls the EventLog object do not provide any confidential information.

EventLog.WriteEntry( "<password>",EventLogEntryType.Information);

====Classic ASP====
You can add events to Web server Log or Windows log, for Web Server Log use
Response.AppendToLog("Error in Processing")

This is the common way of adding entries to the Windows event log.
Const EVENT_SUCCESS = 0
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_SUCCESS, _
"Payroll application successfully installed."

Notice all the previous bullets for ASP.NET are pretty much applicable for classic ASP as well.

[[Category:OWASP Code Review Project]]

Reviewing code for Cross-Site Request Forgery issues

2008-10-20T21:01:41Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__

==Overview==
[[CSRF]] is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attackers choosing. A successful CSRF exploit can compromise end user data and operation in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
[[Category:FIXME|I took this from the testing section and modified it a little, but I need someone to revise this to a good definition of CSRF that I can use on each of the pages]]

==Related Security Activities==

===Description of CSRF Vulnerabilities===

See the OWASP article on [[CSRF]] Vulnerabilities.

===How to Test for CSRF Vulnerabilities===

See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for CSRF |Test for CSRF]] Vulnerabilities.
[[Category:FIXME|I think both the Introduction and How They Work sections here need to be deleted, since this is duplicate information]]

== Introduction ==
CSRF is not the same as XSS (Cross Site Scripting) which forces malicious content to be served by a trusted website to an unsuspecting victim. Injected Text is treated as executable by the browser hence running script. Used in Phishing, Trojan upload, Browser vulnerability weakness attacks…..

Cross-Site Request Forgery (CSRF) (C-SURF) (Confused-Deputy) attacks are considered useful if the attacker knows the target is authenticated to a web based system. They only work if the target is logged into the system and therefore, have a small attack footprint. Other logical weaknesses also need to be present such as no transaction authorization required by the user.

In effect CSRF attacks are used by an attacker to make a target system perform a function (Funds Transfer, Form submission etc..) via the targets browser without knowledge of the target user, at least until the unauthorized function has been committed. A primary target is the exploitation of “ease of use” features on web applications (One-click purchase) for example.

[[Category:FIXME|Can this whole introduction be deleted?]]

==How they work:==

[[Category:FIXME|Can this section be deleted? This information is covered in the ASDR, using a different example]]
CSRF attacks work by sending a rogue HTTP request from an authenticated user's browser to the application, which then commits a transaction without authorization given by the target user.
As long as the user is authenticated and a meaningful HTTP request is sent by the users browser to a target application, the application does not know if the origin of the request is a valid transaction or a link clicked by the user (that was say, in an email) while the user is authenticated to the applications.
So, for example, using CSRF an attacker makes the victim perform actions that they didn't intend to, such as logout, purchase item, change account information, or any other function provided by the vulnerable website.

An Example below of a HTTP POST to a ticket vendor to purchase a number of tickets.

POST http://TicketMeister.com/Buy_ticket.htm HTTP/1.1
Host: ticketmeister
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O;) Firefox/1.4.1
Cookie: JSPSESSIONID=34JHURHD894LOP04957HR49I3JE383940123K
ticketId=ATHX1138&to=PO BOX 1198 DUBLIN 2&amount=10&date=11042008

The response of the vendor is to acknowledge the purchase of the tickets:

HTTP/1.0 200 OK
Date: Fri, 02 May 2008 10:01:20 GMT
Server: IBM_HTTP_Server
Content-Type: text/xml;charset=ISO-8859-1
Content-Language: en-US
X-Cache: MISS from app-proxy-2.proxy.ie
Connection: close

<?xml version="1.0" encoding="ISO-8859-1"?>
<pge_data> Ticket Purchased, Thank you for your custom.
</pge_data>

==How to locate the potentially vulnerable code==
This issue is simple to detect, but there may be compensating controls around the functionality of the application which may alert the user to a CSRF attempt.
As long as the application accepts a well formed HTTP request and the request adheres to some business logic of the application CSRF shall work (From now on we assume the target user is logged into the system to be attacked).

By checking the page rendering we need to see if any unique identifiers are appended to the links rendered by the application in the user's browser. If there is no unique identifier relating to each HTTP request to tie a HTTP request to the user we are vulnerable.
Session ID is ''not enough'' as the session ID shall be sent anyway if a user clicks on a rogue link as the user is authenticated already.

===Transaction Drive Thru'===

==== An eye for an eye, A request for a request====
When an HTTP request is received by the application, one should examine the business logic to assess when a transaction request is sent to the application that the application does not simply execute, but responds to the request with another request for the user's password.

Line

1 String actionType = Request.getParameter("Action");
2 if(actionType.equalsIgnoreCase("BuyStuff"){
4 Response.add("Please enter your password");
5 return Response;
6 }

In the above pseudo code, we would examine if an HTTP request to commit a transaction is received, and if the application responds to the user request for a confirmation (in this case re-enter a password).

The Flow below depicts the logic behind anti-CSRF transaction management:

[[image:CSRF-Flow.GIF]]

==Vulnerable Patterns for CSRF==
'''Any application that accepts HTTP requests from an authenticated user without having some control to verify that the HTTP request is unique to the user's session.''' (Nearly all web applications!!). Session ID is not in scope here as the rogue HTTP request shall also contain a valid session ID, as the user is authenticated already.

==Good Patterns & procedures to prevent CSRF==
So checking if the request has a valid session cookie is not enough, we need check if a unique identifier is sent with every HTTP request sent to the application.
''CSRF requests WON'T have this valid unique identifier''.
The reason CSRF requests won't have this unique request identifier is the unique ID is rendered as a hidden field on the page and is appended to the HTTP request once a link/button press is selected. The attacker will have no knowledge of this unique ID as it is random and rendered dynamically per link, per page.

#A list is complied prior to delivering the page to the user. The list contains all valid unique IDs generated for all links on a given page. The unique ID could be derived from a secure random generator such as SecureRandom for J2EE.
#A unique ID is appended to each link/form on the requested page prior to being displayed to the user.
#Maintaining a list of unique IDs in the user session, the application checks if the unique ID passed with the HTTP request is valid for a given request.
#If the unique ID is not present, terminate the user session and display an error to the user.

===User Interaction===
Upon committing to a transaction such as fund transfer display an additional decision to the user such as a requirement for ones password to be entered and verified prior to the transaction taking place.
CSRF attacker would not know the password of the user and therefore the transaction could not be committed via a stealth CSRF attack.

==Related Articles==
[[CSRF Guard]]

[[Category:OWASP Code Review Project]]
[[Category:Identity Theft]]

Reviewing Code for Cross-site scripting

2008-10-19T17:45:22Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]

==Overview==
Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates, without validating or encoding it.
[[Category:FIXME|Is this a good short description of this?]]

==Related Security Activities==

===Description of Cross-site Scripting Vulnerabilities===

See the OWASP article on [[Cross-site Scripting (XSS)]] Vulnerabilities.

===How to Avoid Cross-site scripting Vulnerabilities===

See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on [[Phishing]].

See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on [[Data Validation]].

===How to Test for Cross-site scripting Vulnerabilities===

See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for Cross site scripting|Test for Cross site scripting]] Vulnerabilities.

==Vulnerable Code example==
If the text inputted by the user is reflected back and has not been data validated, the browser shall interpret the inputted script as part of the mark up, and execute the code accordingly.

To mitigate this type of vulnerability we need to perform a number of security tasks in our code:

# Validate data
# Encode unsafe output

import org.apache.struts.action.*;
import org.apache.commons.beanutils.BeanUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class InsertEmployeeAction extends Action {

public ActionForward execute(ActionMapping mapping, ActionForm form,
HttpServletRequest request, HttpServletResponse response) throws Exception{

// Setting up objects and vairables.

Obj1 service = new Obj1();
ObjForm objForm = (ObjForm) form;
InfoADT adt = new InfoADT ();
BeanUtils.copyProperties(adt, objForm);

String searchQuery = objForm.getqueryString();
String payload = objForm.getPayLoad();
try {
service.doWork(adt); / /do something with the data
ActionMessages messages = new ActionMessages();
ActionMessage message = new ActionMessage("success", adt.getName() );
messages.add( ActionMessages.GLOBAL_MESSAGE, message );
saveMessages( request, messages );
request.setAttribute("Record", adt);
return (mapping.findForward("success"));
}
catch( DatabaseException de )
{
ActionErrors errors = new ActionErrors();
ActionError error = new ActionError("error.employee.databaseException" + “Payload: “+payload);
errors.add( ActionErrors.GLOBAL_ERROR, error );
saveErrors( request, errors );
return (mapping.findForward("error: "+ searchQuery));
}
}
}

The text above shows some common mistakes in the development of this struts action class.
First, the data passed in the HttpServletRequest is placed into a parameter without being data validated.

Focusing on XSS we can see that this action class returns a message, ActionMessage, if the function is successful.
If an error the code in the Try/Catch block is executed, the data contained in the HttpServletRequest is returned to the user, unvalidated and exactly in the format in which the user inputted it.

import java.io.*;
import javax.servlet.http.*;
import javax.servlet.*;

public class HelloServlet extends HttpServlet
{
public void doGet (HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException
{

String input = req.getHeader(“USERINPUT”);

PrintWriter out = res.getWriter();
out.println(input); // echo User input.
out.close();
}
}

Following is a second example of an XSS vulnerable function. Echoing un-validated user input back to the browser would give a nice large vulnerability footprint.

.NET Example (ASP.NET version 1.1 ASP.NET version 2.0):

The server side code for a VB.NET application may have similar functionality

' SearchResult.aspx.vb
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls

Public Class SearchPage Inherits System.Web.UI.Page

Protected txtInput As TextBox
Protected cmdSearch As Button
Protected lblResult As Label Protected

Sub cmdSearch _Click(Source As Object, _ e As EventArgs)

// Do Search…..
// …………

lblResult.Text="You Searched for: " & txtInput.Text

// Display Search Results…..
// …………

End Sub
End Class

This is a VB.NET example of a vulnerable piece of search functionality which echoes back the data inputted by the user. To mitigate against this, we need proper data validation and in the case of stored XSS attacks we need to encode known bad input (as mentioned before).

'''Classic ASP Example''' 
Classic ASP is also XSS prone, just as like most Web technologies.
<pre>
<%
...
Response.Write "<div class='label'>Please confirm your data</div> "
Response.Write "Name: " & Request.Form("UserFullName")
...
%>
</pre>

==Protecting against XSS==
In the .NET framework there are some in-built security functions which can assist in data validation and HTML encoding, namely, ASP.NET 1.1 '''request validation '''feature and '''HttpUtility.HtmlEncode'''.

Microsoft in their wisdom state that you should not rely solely on ASP.NET request validation
and that it should be used in conjunction with your own data validation, such as regular expressions (mentioned below).

The request validation feature is disabled on an individual page by specifying in the page directive

'''<%@ Page validateRequest="false" %>'''

or by setting '''ValidateRequest="false"''' on the '''@ Pages''' element.

or in the '''web.config''' file:

You can disable request validation by adding a

<'''pages'''> element with '''validateRequest="false"'''

So when reviewing code make sure the validateRequest directive is enabled and if not, investigate what method of data validation is being used, if any.
Check that ASP.NET Request validation Is enabled in '''Machine.config'''
Request validation is enabled by ASP.NET by default. You can see the following default setting in the '''Machine.config''' file.

'''<pages validateRequest="true" ... /> '''

HTML Encoding:

Content to be displayed can easily be encoded using the HtmlEncode function. This is done by calling:

'''Server.HtmlEncode(string)'''

Using the html encoder example for a form:

Text Box: <%@ Page Language="C#" ValidateRequest="false" %>

<script runat="server">
void searchBtn _Click(object sender, EventArgs e) {
Response.Write(HttpUtility.HtmlEncode(inputTxt.Text)); }
</script>
<html>
<body>
<form id="form1" runat="server">
<div>
<asp:TextBox ID="inputTxt" Runat="server" TextMode="MultiLine" Width="382px" Height="152px">
</asp:TextBox>
<asp:Button ID="searchBtn" Runat="server" Text="Submit" OnClick=" searchBtn _Click" />
</div>
</form>
</body>
</html>

For Classic ASP pages the encoding function is used pretty much the same as in ASP.NET

Response.Write Server.HtmlEncode(inputTxt.Text)

'''Stored Cross Site Script:'''
Using Html encoding to encode potentially unsafe output.:

Malicious script can be stored/persisted in a database and shall not execute until retrieved by a user. This can also be the case in bulletin boards and some early web email clients. This incubated attack can sit dormant for a long period of time until a user decides to view the page where the injected script is present. At this point the script shall execute on the users browser:

The original source of input for the injected script may be from another vulnerable application, which is common in enterprise architectures. Therefore the application at hand may have good input data validation but the data persisted may not have been entered via this application per se, but via another application.

In this case we cannot be 100% sure the data to be displayed to the user is 100% safe (as it could of found its way in via another path in the enterprise).
The approach to mitigate against this si to ensure the data sent to the browser is not going to be interpreted by the browser as mark-up and should be treated as user data.

We encode known bad to mitigate against this “enemy within”. This in effect assures that the browser interprets any special characters as data and markup.
How is this done?
HTML encoding usually means '''<''' becomes '''&lt;''', '''>''' becomes '''&gt;''', '''&''' becomes '''&amp;''', and '''"''' becomes '''&quot;'''.

From To

<      &lt;

>      &gt;

(      &#40;

)      &#41;

#      &#35;

&      &amp;

"      &quot;

So, for example, the text <script> would be displayed as <script> but on viewing the markup it would be represented by &lt;script&gt;

[[Category:OWASP Code Review Project]]

Reviewing Code for Data Validation

2008-10-19T12:17:03Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__

One key area in web application security is the validation of data inputted from an external source. Many application exploits are derived from weak input validation on behalf of the application. Weak data validation gives the attacker the opportunity to make the application perform some functionality which it is not meant to do.

==Related Security Activities==

===How to Avoid Cross-site scripting Vulnerabilities===

See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on [[Data Validation]].

==Canonicalization of input ==

Input can be encoded to a format that can still be interpreted correctly by the application but may not be an obvious avenue of attack.

The encoding of ASCII to Unicode is another method of bypassing input validation. Applications rarely test for Unicode exploits and hence provides the attacker a route of attack.

The issue to remember here is that the application is safe if Unicode representation or other malformed representation is input. The application responds correctly and recognises all possible representations of invalid characters.

Example:

The ASCII: <script>

''(If we simply block “<” and “>” characters the other representations below shall pass data validation and execute).''

URL encoded: %3C%73%63%72%69%70%74%3E

Unicode Encoded: &#60&#115&#99&#114&#105&#112&#116&#62

The OWASP Development Guide delves much more into this subject.

==Data validation strategy ==

A general rule is to accept only “'''Known Good'''” characters, i.e. the characters that are to be expected. If this cannot be done the next strongest strategy is “'''Known bad'''”, where we reject all known bad characters. The issue with this is that today’s known bad list may expand tomorrow as new technologies are added to the enterprise infrastructure.

There are a number of models to think about when designing a data validation strategy, which are listed from the strongest to the weakest as follows.

# '''Exact Match''' (Constrain)
# '''Known Good''' (Accept)
# '''Reject Known bad''' (Reject)
# '''Encode Known bad''' (Sanitise)

In addition there must be a check for maximum length of any input received from an external source, such as a downstream service/computer or a user at a web browser.

'''Rejected Data must not be persisted to the data store unless it is sanitised. This is a common mistake to log erroneous data but that may be what the attacker wishes your application to do.'''

* '''Exact Match''': (preferred method) Only accept values from a finite list of known values.
e.g.: A Radio button component on a Web page has 3 settings (A, B, C). Only one of those three settings must be accepted (A or B or C). Any other value must be rejected.

* '''Known Good''': If we do not have a finite list of all the possible values that can be entered into the system, we use the known good approach.
e.g.: an email address, we know it shall contain one and only one @. It may also have one or more full stops “.”. The rest of the information can be anything from [a-z] or [A-Z] or [0-9] and some other characters such as “_ “or “–“, so we let these ranges in and define a maximum length for the address.

* '''Reject Known bad''': We have a list of known bad values we do not wish to be entered into the system. This occurs on free form text areas and areas where a user may write a note. The weakness of this model is that today known bad may not be sufficient for tomorrow.

* '''Encode Known Bad''': This is the weakest approach. This approach accepts all input but HTML encodes any characters within a certain character range. HTML encoding is done so if the input needs to be redisplayed the browser shall not interpret the text as script, but the text looks the same as what the user originally typed.

'''HTML-encoding and URL-encoding user input when writing back to the client'''. In this case, the assumption is that no input is treated as HTML and all output is written back in a protected form. This is sanitisation in action.

==Good Patterns for Data validation ==

===Data Validation examples ===

A good example of a pattern for data validation to prevent OS injection in PHP applications would be as follows:

$string = preg_replace("/[^a-zA-Z0-9]/", "", $string);

This code above would replace any non alphanumeric characters with “”.
'''preg_grep()''' could also be used for a '''''True''''' or '''''False''''' result. This would enable us to let “'''''only known good'''''” characters into the application.

Using regular expressions is a common method of restricting input character types.
A common mistake in the development of regular expressions is not escaping characters, which are interpreted as control characters, or not validating all avenues of input.

Examples of regular expression are as follows:

http://www.regxlib.com/CheatSheet.aspx

^[a-zA-Z]+$ Alpha characters only, a to z and A to Z (RegEx is case sensitive).
^[0-9]+$ Numeric only (0 to 9).
[abcde] Matches any single character specified in set
[^abcde] Matches any single character not specified in set

===Framework Example:(Struts 1.2) ===
In the J2EE world the struts framework (1.1) contains a utility called the commons validator. This enables us to do two things.

# Enables us to have a central area for data validation.
# Provides us with a data validation framework.

What to look for when examining struts is as follows:

The struts-config.xml file must contain the following:


<plug-in className="org.apache.struts.validator.ValidatorPlugIn">
<set-property property="pathnames" value="/technology/WEB-INF/
validator-rules.xml, /WEB-INF/validation.xml"/>
</plug-in>

This tells the framework to load the validator plug-in. It also loads the property files defined by the comma-separated list. By default a developer would add regular expressions for the defined fields in the validation.xml file.

Next we look at the form beans for the application. In struts, form beans are on the server side and encapsulate the information sent to the application via a HTTP form.
We can have concrete form beans (built in code by developers) or dynamic form beans. Here is a concrete bean below:

package com.pcs.necronomicon
import org.apache.struts.validator.ValidatorForm;
public class LogonForm extends ValidatorForm {
private String username;
private String password;
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
}

Note the LoginForm extends the ValidatorForm, this is a must as the parent class (ValidatorForm) has a validate method which is called automatically and calls the rules defined in validation.xml

Now to be assured that this form bean is being called we look at the struts-config.xml file:
It should have something like the following:

<form-beans>
<form-bean name="logonForm"
type=" com.pcs.necronomicon.LogonForm"/>
</form-beans>

Next we look at the validation.xml file. It should contain something similar to the following:

<form-validation>
<formset>
<form name="logonForm">
<field property="'''username'''"
depends="'''required'''">
<arg0 key="prompt.username"/>
</field>
</form>
</formset>
</form-validation>

Note the same name in the validation.xml, the struts-config.xml, this is an important relationship and is case sensitive.

The field “username” is also case sensitive and refers to the String username in the LoginForm class.

The “depends” directive dictates that the parameter is required. If this is blank the error defined in '''Application.properties'''. This configuration file contains error messages among other things. It is also a good place to look for information leakage issues:

# Error messages for Validator framework validations
errors.required={0} is required.
errors.minlength={0} cannot be less than {1} characters.
errors.maxlength={0} cannot be greater than {2} characters.
errors.invalid={0} is invalid.
errors.byte={0} must be a byte.
errors.short={0} must be a short.
errors.integer={0} must be an integer.
errors.long={0} must be a long.0.
errors.float={0} must be a float.
errors.double={0} must be a double.
errors.date={0} is not a date.
errors.range={0} is not in the range {1} through {2}.
errors.creditcard={0} is not a valid credit card number.
errors.email={0} is an invalid e-mail address.
prompt.username = User Name is required.

The error defined by arg0, prompt.username is displayed as an alert box by the struts framework to the user.
The developer would need to take this a step further by validating the input via regular expression:
<field property="username"
depends="required,mask">
<arg0 key="prompt.username"/>
<var>
<var-name>mask</var-name>
<var-value>^[0-9a-zA-Z]*$</var-value>
</var>
</field>
</form>
</formset>
</form-validation>

Here we have added the Mask directive, this specifies a variable <nowiki><var></nowiki> and a regular expression.
Any input into the username field which has anything other than A to Z, a to z or 0 to 9 shall cause an error to be thrown. The most common issue with this type of development is either the developer forgetting to validate all fields or a complete form.
The other thing to look for is incorrect regular expressions, so learn those RegEx’s kids!!!

We also need to check if the JSP pages have been linked up to the validation.xml finctionaltiy. This is done by <html:javascript> custom tag being included in the JSP as follows:

<html:javascript formName="logonForm" dynamicJavascript="true" staticJavascript="true" />

===Framework example:(.NET)===
The ASP .NET framework contains a validator framework, which has made input validation easier and less error prone than in the past.
The validation solution for .NET also has client and server side functionality akin to Struts (J2EE).
What is a validator? According to the Microsoft (MSDN) definition it is as follows:

"A validator is a control that checks one input control for a specific type of error condition and displays a description of that problem."

The main point to take out of this from a code review perspective is that one validator does one type of function. If we need to do a number of different checks on our input we need to use more than one validator.

The .NET solution contains a number of controls out of the box:
* ''RequiredFieldValidator'' – Makes the associated input control a required field.
* ''CompareValidator'' – Compares the value entered by the user into an input control with the value entered into another input control or a constant value.
* ''RangeValidator'' – Checks if the value of an input control is within a defined range of values.
* ''RegularExpressionValidator'' – Checks user input against a regular expression.

The following is an example web page (.aspx) containing validation:

<html>
<head>
<title>Validate me baby!</title>
</head>
<body>
<asp:ValidationSummary runat=server HeaderText="There were errors on the page:" />
<form runat=server>
Please enter your User Id
<tr>
<td>
<asp:RequiredFieldValidator runat=server
ControlToValidate=Name ErrorMessage="User ID is required."> *
</asp:RequiredFieldValidator>
</td>
<td>User ID:</td>
<td><input type=text runat=server id=Name></td>
<asp:RegularExpressionValidator runat=server display=dynamic
controltovalidate="Name"
errormessage="ID must be 6-8 letters."
validationexpression="[a-zA-Z0-9]{6,8}" />
</tr>
<input type=submit runat=server id=SubmitMe value=Submit>
</form>
</body>
</html>

Remember to check to regular expressions so they are sufficient to protect the application. The “runat” directive means this code is executed at the server prior to being sent to client. When this is displayed to a users' browser the code is simply HTML.

=== Example: Classic ASP ===
There is not built-in validation in classic ASP pages, however you can use regular expressions to accomplish the task, here is an example or a function with regular expressions to validate a US Zip code

Public Function IsZipCode (ByVal Text)
Dim re
set re = new RegExp
re.Pattern = "^\d{5}$"
IsZipCode = re.Test(Text)
End Function

==Length Checking==

Another issue to consider is input length validation. If the input is limited by length this reduces the size of the script that can be injected into the web app.

Many web applications use operating system features and external programs to perform their functions. When a web application passes information from an HTTP request through as part of an external request, it must be carefully data validated for content and min/max length. Without data validation the attacker can inject Meta characters, malicious commands, or command modifiers, masquerading as legitimate information and the web application will blindly pass these on to the external system for execution.

Checking for minimum and maximum length is of paramount importance, even if the code base is not vulnerable to buffer overflow attacks.

If a logging mechanism is employed to log all data used in a particular transaction we need to ensure that the payload received is not so big that it may affect the logging mechanism.
If the log file is sent a very large payload it may crash. Or if it is sent a very large payload repeatedly, the hard disk of the app server may fill causing a denial of service. This type of attack can be used to recycle the log file, hence removing the audit trail.
If string parsing is performed on the payload received by the application and an extremely large string is sent repeatedly to the application, the CPU cycles used by the application to parse the payload may cause service degradation or even denial of service.

==Never Rely on Client-Side Data Validation ==

''Client-side validation can always be bypassed.''
''Server-side code should perform its own validation. What if an attacker bypasses your client, or shuts off your client-side script routines, for example, by disabling JavaScript? ''
''Use client-side validation to help reduce the number of round trips to the server but do not rely on it for security.''
'''Remember: Data validation must be always done on the server side.'''
'''A code review focuses on server side code. Any client side security code is not and cannot be considered security.'''

Data validation of parameter names:

When data is passed to a method of a web application via HTTP the payload is passed in a “key-value” pair such as
'' UserId =3o1nk395y''
'' password=letMeIn123''

Previously we talked about input validation of the payload (parameter value) being passed to the application. But we also may need to check that the parameter name (''UserId'',''password'' from above) have not been tampered with.
Invalid parameter names may cause the application to crash or act in an unexpected way.
The best approach is “Exact Match” as mentioned previously.

==Web services data validation==

The recommended input validation technique for web services is to use a schema. A schema is a “map” of all the allowable values that each parameter can take for a given web service method.
When a SOAP message is received by the web services handler, the schema pertaining to the method being called is “run over” the message to validate the content of the soap message.
There are two types of web service communication methods; XML-IN/XML-OUT and REST (Representational State Transfer).
XML-IN/XML-OUT means that the request is in the form of a SOAP message and the reply is also SOAP. REST web services accept a URI request (Non XML) but return a XML reply. REST only supports a point-to-point solution wherein SOAP chain of communication may have multiple nodes prior to the final destination of the request.
Validating REST web services input is the same as validating a GET request. Validating an XML request is best done with a schema.

<?xml version="1.0"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://server.test.com" targetNamespace="http://server.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
<xsd:complexType name="AddressIn">
<xsd:sequence>
<xsd:element name="addressLine1" type="HundredANumeric" nillable="true"/>
<xsd:element name="addressLine2" type="HundredANumeric" nillable="true"/>
<xsd:element name="county" type="TenANumeric" nillable="false"/>
<xsd:element name="town" type="TenANumeric" nillable="true"/>
<xsd:element name="userId" type="TenANumeric" nillable="false"/>
</xsd:sequence>
</xsd:complexType>
<xsd:simpleType name="HundredANumeric">
'''<xsd:restriction base="xsd:string">'''
<xsd:minLength value="1"/>
<xsd:maxLength value="100"/>
<xsd:pattern value="[a-zA-Z0-9]"/>
</xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="TenANumeric">
'''<xsd:restriction base="xsd:string">'''
<xsd:minLength value="1"/>
<xsd:maxLength value="10"/>
<xsd:pattern value="[a-zA-Z0-9]"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:schema>

Here we have a schema for an object called AddressIn. Each of the elements have restrictions applied to them and the restrictions (in red) define what valid characters can be inputted into each of the elements.
What we need to look for is that each of the elements have a restriction applied to them, as opposed to the simple type definition such as '''xsd:string'''.
This schema also has the <xsd:sequence> tag applied to enforce the sequence of the data that is to be received.

==Vulnerable code and the associated fix==

Example one - Perl

The following snippet of Perl code demonstrates code which is vulnerable to XSS.

#!/usr/bin/perl
use CGI;
my $cgi = CGI->new();
my $value = $cgi->param('value');
print $cgi->header();
print "You entered $value";

The code blindly accepts and data supplied in the parameter labeled 'value'. To add to this
problem of accepting data with no validation, the code will display the inputted data to the user.
If you have read this far into the paper I hope the light bulb is now flashing above your head
with the realisation that this particular vulnerability would allow a Reflected XSS attack to occur.

The 'value' parameter should validate the supplied data and only print data which has been
'cleaned' by the validation filter. There are multiple options available with Perl to validate
this parameter correctly. Firstly a simple and crude filter is shown below:

$value =~ s/[^A-Za-z0-9 ]*/ /g;

This will restrict the data in the parameter to uppercase, lowercase, spaces and numbers only.
This of course removes the dangerous characters we have associated with XSS such as < and >.

A second option would be to use the HTML::Entities module for Perl which will force HTML
encoding on the inputted data. I have changed the code to incorporate the HTML::Entities
module and given an example out the encoding in action.

#!/usr/bin/perl
use CGI;
use HTML::Entities;
my $cgi = CGI->new();
my $value = $cgi->param('value');
print $cgi->header();
print "You entered ", HTML::Entities::encode($value);

If the data provided was <nowiki><SCRIPT>alert(“XSS”)</SCRIPT></nowiki> the HTML::Entities module would
produce the following output:

&lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;

This would remove the threat posed by the original input.

'''Example two - PHP'''

PHP allows users to create dynamic web pages quite easily and this led to many implementations of PHP which lacked any security thought.

The example provided below shows very simple PHP message board which has been setup without sufficient data validation.

<form>
<input type="text" name="inputs"> 
<input type="submit">
</form>
<?php
if (isset($_GET['inputs']))
{
$fp = fopen('./inputs.txt', 'a');
fwrite($fp, "{$_GET['inputs']} ");
fclose($fp);
}
readfile('./inputs.txt');
?>

You can see that this simple form takes the user inputs and writes it to the file named inputs.txt.

This file is then used to write the message to the message board for other users to see. The
danger posed by this form should be clear straight away, the initial input is not subject to any
kind of validation and is presented to other users as malicious code.

This could have been avoided by implementing simple validation techniques. PHP allows the developer to use the htmlentities() function. I have added the htmlentities() to the form:

<form>
<input type="text" name="inputs"> 
<input type="submit">
</form>
<?php
if (isset($_GET['inputs']))
{
$message = htmlentities($_GET['inputs']);
$fp = fopen('./inputs.txt', 'a');
fwrite($fp, "$inputs ");
fclose($fp);
}
readfile('./inputs.txt');
?>

The addition is simple but the benefits gained can be substantial. The messageboard now has some protection against any script code that could have been entered by a malicious user. The code will now be HTML entity encoded by the htmlentities() function.

'''Example three – Classic ASP'''
Just like in PHP, ASP pages allow dynamic content creation, so for a XSS vulnerable code like the following:

Response.Write "Please confirm your name is " & Request.Form("UserFullName")

We will user HTMLEncode Built-in function in the following way

Response.Write "Please confirm your name is " & Server.HTMLEncode (Request.Form("UserFullName"))

'''Example four – JavaScript'''
The fourth and final example we will look at is JavaScript code, again we will show a vulnerable piece of code and then the same code with data validation in place.

We will observe some vulnerable JavaScript which takes the users name from the URL and used this to create a welcome message.

The vulnerable script is displayed below:

<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>

The problem with this script was discussed earlier, there is no validation of the value provide for “name=”.

I have fixed the script below using a very simple validation technique.

<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
var name=document.URL.substring(pos,document.URL.length);
if (name.match(/^[a-zA-Z]$/))
{
document.write(name);
}
else
{
window.alert("Invalid input!");
}
</SCRIPT>

The 3rd line of the script ensures that the characters are restricted to uppercase, and lowercase for the user name. Should the value provided violate this, an invalid input error will be returned to the user.

[[Category:OWASP Code Review Project]]

Reviewing Code for SQL Injection

2008-10-15T21:09:48Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__

== Overview ==

A [[SQL injection]] attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.
SQL injection attacks are a type of [[Top 10 2007-Injection Flaws | injection attack]], in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

==Related Security Activities==

===Description of SQL Injection Vulnerabilities===

See the OWASP article on [[SQL Injection]] Vulnerabilities.

See the OWASP article on [[Blind_SQL_Injection]] Vulnerabilities.

===How to Avoid SQL Injection Vulnerabilities===

See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on how to [[Guide to SQL Injection | Avoid SQL Injection]] Vulnerabilities.

===How to Test for SQL Injection Vulnerabilities===

See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for SQL Injection|Test for SQL Injection]] Vulnerabilities.

== How to locate potentially vulnerable code ==

A secure way to build SQL statements is to construct all queries with PreparedStatement instead of Statement and/or to use parameterized stored procedures.
Parameterized stored procedures are compiled before user input is added, making it impossible for a hacker to modify the actual SQL statement.

The account used to make the database connection must have “Least privilege.” If the application only requires read access then the account must be given read access only.

Avoid disclosing error information: Weak error handling is a great way for an attacker to profile SQL injection attacks. Uncaught SQL errors normally give too much information to the user and contain things like table names and procedure names.

== Best practices when dealing with DB’s ==

Use Database stored procedures, but even stored procedures can be vulnerable.
Use parameterized queries instead of dynamic SQL statements.
Data validate all external input:
Ensure that all SQL statements recognize user inputs as variables, and that statements are precompiled before the actual inputs are substituted for the variables in Java.

== SQL Injection Example: ==

<pre>

String DRIVER = "com.ora.jdbc.Driver";

String DataURL = "jdbc:db://localhost:5112/users";

String LOGIN = "admin";

String PASSWORD = "admin123";

Class.forName(DRIVER);

//Make connection to DB
Connection connection = DriverManager.getConnection(DataURL, LOGIN, PASSWORD);

String Username = request.getParameter("USER"); // From HTTP request

String Password = request.getParameter("PASSWORD"); // From HTTP request

int iUserID = -1;

String sLoggedUser = "";

String sel = "SELECT User_id, Username FROM USERS WHERE Username = '" +Username + "' AND Password = '" + Password + "'";

Statement selectStatement = connection.createStatement ();
ResultSet resultSet = selectStatement.executeQuery(sel);

if (resultSet.next()) {

iUserID = resultSet.getInt(1);
sLoggedUser = resultSet.getString(2);
}

PrintWriter writer = response.getWriter ();

if (iUserID >= 0) {
writer.println ("User logged in: " + sLoggedUser);
} else {

writer.println ("Access Denied!")
}

</pre>

When SQL statements are dynamically created as software executes, there is an opportunity for a
security breach as the input data can truncate or malform or even expand the original SQL query!

Firstly the request.getParameter retrieves the data for the SQL query directly from the HTTP request without any data validation (Min/Max length, Permitted characters, Malicious characters). This error gives rise to the ability to input SQL as the payload and alter the functionality in the statement.

The application places the payload directly into the statement causing the SQL vulnerability:

String sel = "SELECT User_id, Username FROM USERS WHERE Username = '" Username + "' AND Password = '" + Password + "'";

== .NET ==

Parameter collections such as SqlParameterCollection provide type checking and length validation. If you use a parameters collection, input is treated as a literal value, and SQL Server does not treat it as executable code and therefore the payload can not be injected. Using a parameters collection lets you enforce type and length checks. Values outside of the range trigger an exception. Make sure you handle the exception correctly.
Example of the SqlParameterCollection:

<pre>

using System.Data;

using System.Data.SqlClient;

using (SqlConnection conn = new SqlConnection(connectionString))
{
DataSet dataObj = new DataSet();

SqlDataAdapter sqlAdapter = new SqlDataAdapter( "StoredProc", conn);

sqlAdapter.SelectCommand.CommandType = CommandType.StoredProcedure;

//specify param type

sqlAdapter.SelectCommand.Parameters.Add("@usrId", SqlDbType.VarChar, 15);

sqlAdapter.SelectCommand.Parameters["@usrId "].Value = UID.Text; // Add data from user

sqlAdapter.Fill(dataObj); // populate and execute proc

}

</pre>

'''Stored procedures don’t always protect against SQL injection:'''

<pre>

CREATE PROCEDURE dbo.RunAnyQuery
@parameter NVARCHAR(50)

AS
EXEC sp_executesql @parameter
GO

</pre>

The above procedure shall execute any SQL you pass to it. The directive sp_executesql is a system stored procedure in Microsoft® SQL Server™

Lets pass it.

<pre>

DROP TABLE ORDERS;

</pre>

Guess what happens? So we must be careful of not falling into the “We’re secure, we are using stored procedures” trap!

== Classic ASP ==
For this technology you can use parameterized queries to avoid Sql injection attacks. Here is a good example:
<pre>
<%
option explicit
dim conn, cmd, recordset, iTableIdValue

'Create Connection
set conn=server.createObject("ADODB.Connection")
conn.open "DNS=LOCAL"

'Create Command
set cmd = server.createobject("ADODB.Command")
With cmd
.activeconnection=conn
.commandtext="Select * from DataTable where Id = @Parameter"
'Create the parameter and set its value to 1
.Parameters.Append .CreateParameter("@Parameter", adInteger, adParamInput, , 1)
End With
'Get the information in a RecordSet
set recordset = server.createobject("ADODB.Recordset")
recordset.Open cmd, conn
'....
'Do whatever is needed with the information
'....
'Do clean up
recordset.Close
conn.Close
set recordset = nothing
set cmd = nothing
set conn = nothing
%>
</pre>

Notice that this is Sql Server Specific code if you would use a ODBC/Jet connection to another DB which ISAM supports parameterized queries you should change your query to the following:

cmd.commandtext="Select * from DataTable where Id = ?"

Finally there is always a way of doing things '''wrong''' you can '''(but should not)''' do the following:

cmd.commandtext="Select * from DataTable where Id = " & Request.QueryString("Parameter")

[[Category:OWASP Code Review Project]]

Reviewing Code for OS Injection

2008-10-14T19:10:08Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__

== Introduction ==

Injection flaws allow attackers to pass malicious code through a web application to another sub system.
Depending on the subsystem, different types of injection attack can be performed:
RDBMS: SQL Injection
WebBrowser/Appserver: SQL Injection
OS-shell: Operating system commands Calling external applications from your application.

OS Commanding is one of the attack classes that fall into [http://www.webappsec.org/projects/threat/classes/os_commanding.shtml Injection Flaws]. In other classifications, it is placed in [http://www.fortify.com/vulncat/index.html Input Validation and Representation] category, [[Top_10_2007-A2|OS Commanding]] threat class or defined as [http://cwe.mitre.org/data/definitions/77.html Failure to Sanitize Data into Control Plane] weakness and [http://capec.mitre.org/data/definitions/6.html Argument Injection] attack pattern enumeration. OS Commanding happens when an application accepts untrusted/insecure input and passes it to external applications (either as the application name itself or arguments) without validation or a proper escaping.

==How to locate the potentially vulnerable code ==

Many developers believe text fields are the only areas for data validation. This is an incorrect assumption. Any external input must be data validated:

Text fields, List boxes, radio buttons, check boxes, cookies, HTTP header data, HTTP post data, hidden fields, parameter names and parameter values.
… This is not an exhaustive list.

“Process to process” or “entity-to-entity” communication must be investigated also. Any code that communicates with an upstream or downstream process and accepts input from it must be reviewed.

All injection flaws are input-validation errors. The presence of an injection flaw is an indication of incorrect data validation on the input received from an external source outside the boundary of trust, which gets more blurred every year.

Basically for this type of vulnerability we need to find all input streams into the application. This can be from a users browser, CLI or fat client but also from upstream processes that “feed” our application.

An example would be to search the code base for the use of API’s or packages that are normally used for communication purposes.

The '''java.io''', '''java.sql''', '''java.net''', '''java.rmi''', '''java.xml''' packages are all used for application communication. Searching for methods from those packages in the code base can yield results. A less “scientific” method is to search for common keywords such as “UserID”, “LoginID” or “Password”.

== Vulnerable Patterns for OS injection ==
What we should be looking for are relationships between the application and the operating system; the application-utilising functions of the underlying operating system.

In Java using the Runtime object, '''java.lang.Runtime''' does this.
In .NET calls such as '''System.Diagnostics.Process.Start '''are used to call underlying OS functions.
In PHP we may look for calls such as '''exec()''' or '''passthru()'''.

'''Example''':

We have a class that eventually gets input from the user via a HTTP request.
This class is used to execute some native exe on the application server and return a result.

public class DoStuff {
public string executeCommand(String userName)
{ try {
String myUid = userName;
Runtime rt = Runtime.getRuntime();
rt.exec("'''''cmd.exe /C''''' doStuff.exe " +”-“ +myUid); // Call exe with userID
}catch(Exception e)
{
e.printStackTrace();
}
}
}

The method executeCommand calls '''''doStuff.exe''''' (utilizing cmd.exe) via the '''''java.lang.runtime''''' static method '''''getRuntime()'''''. The parameter passed is not validated in any way in this class. We are assuming that the data has not been data validated prior to calling this method. ''Transactional analysis should have encountered any data validation prior to this point.''
Inputting “Joe69” would result in the following MS DOS command:
'''''doStuff.exe –Joe69'''''
Lets say we input '''''Joe69 & netstat –a''''' we would get the following response:
The exe doStuff would execute passing in the User Id Joe69, but then the dos command '''''netstat''''' would be called. How this works is the passing of the parameter “&” into the application, which in turn is used as a command appender in MS DOS and hence the command after the & character is executed.

This wouldn't be true, if the code above was written as (here we assume that '''''doStuff.exe''''' doesn't act as an command interpreter, such as cmd.exe or /bin/sh);

public class DoStuff {
public string executeCommand(String userName)
{ try {
String myUid = userName;
Runtime rt = Runtime.getRuntime();
rt.exec("doStuff.exe " +”-“ +myUid); // Call exe with userID
}catch(Exception e)
{
e.printStackTrace();
}
}
}

Why? From [http://java.sun.com/j2se/1.5.0/docs/api/java/lang/Runtime.html Java 2 documentation];

'' ... More precisely, the given command string is broken into tokens using a StringTokenizer created by the call new StringTokenizer(command) with no further modification of the character categories. The tokens produced by the tokenizer are then placed in the new string array cmdarray, in the same order ... ''

So the produced array contains the executable (the first item) to call and its arguments (the rest of the arguments). So, unless the first item to be called is an application which parses the arguments and interprets them and further call other external applications according to them, it wouldn't be possible to execute '''''netstat''''' in the above code snippet. Such a first item to be called would be '''''cmd.exe''''' in Windows boxes or '''''sh''''' in Unix-like boxes.

Most of the out-of-box source code/assembly analyzers would (and some wouldn't!) flag a ''Command Execution'' issue when they encounter the dangerous APIs; '''''System.Diagnostics.Process.Start''''', '''''java.lang.Runtime.exec'''''. However, obviously, the calculated risk should differ. In the first example, the "command injection" is there, whereas, in the second one without any validation nor escaping what can be called as "argument injection" vulnerability exists. So, sure the risk is still there but the severity depends on the command being called. So, the issue needs analysis.

UNIX:

An attacker might insert the string '''“; cat /etc/hosts”''' and the contents of the UNIX hosts file might be exposed to the attacker if the command is executed through a shell such as /bin/bash or /bin/sh.

.NET Example:
namespace ExternalExecution
{
class CallExternal
{
static void Main(string[] args)
{
String arg1=args[0];
System.Diagnostics.Process.Start("doStuff.exe", arg1);
}
}
}

Yet again there is no data validation to speak of here, assuming that there is no upstream validation occurring in another class.

Classic ASP Example:
<pre>
<%
option explicit
dim wshell
set wshell = CreateObject("WScript.Shell")
wshell.run "c:\file.bat " & Request.Form("Args")
set wshell = nothing
%>
</pre>

These attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to backend databases via SQL (i.e. SQL injection). Complete scripts written in Perl, Python, shell, bat and other languages can be injected into poorly designed web applications and executed.

==Good Patterns & procedures to prevent OS injection==

See the Data Validation section.

==Related Articles==
[[Command Injection]]

[[Interpreter Injection]]

[[Category:OWASP Code Review Project]]
[[Category:Input Validation]]

Reviewing Code for Buffer Overruns and Overflows

2008-10-14T18:58:38Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__

==The Buffer ==

A Buffer is an amount of contiguous memory set aside for storing information. Example: A program has to remember certain things, like what your shopping cart contains or what data was inputted prior to the current operation. This information is stored in memory in a buffer.

==Related Security Activities==

===Description of Buffer Overflow===

See the OWASP article on [[Buffer_overflow_attack|Buffer Overflow]] Attacks.

See the OWASP article on [[Buffer_Overflow|Buffer Overflow]] Vulnerabilities.

===How to Avoid Buffer Overflow Vulnerabilities===

See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on how to [[Buffer_Overflows|Avoid Buffer Overflow]] Vulnerabilities.

===How to Test for Buffer Overflow Vulnerabilities===

See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing_for_Buffer_Overflow|Test for Buffer Overflow]] Vulnerabilities.

==How to locate the potentially vulnerable code==

In locating potentially vulnerable code from a buffer overflow standpoint, one should look for particular signatures such as:

'''Arrays''':
int x[20];
int y[20][5];
int x[20][5][3];

'''Format Strings:'''
printf() ,fprintf(), sprintf(), snprintf().
%x, %s, %n, %d, %u, %c, %f

'''Over flows:'''

strcpy (), strcat (), sprintf (), vsprintf ()

==Vulnerable Patterns for buffer overflows==

===‘Vanilla’ buffer overflow: ===

Example: A program might want to keep track of the days of the week (7). The programmer tells the computer to store a space for 7 numbers. This is an example of a buffer. But what happens if an attempt to add 8 numbers is performed?
Languages such as C and C++ do not perform bounds checking and therefore if the program is written in such a language the 8th piece of data would overwrite the program space of the next program in memory would result in data corruption.
This can cause the program to crash at a minimum or a carefully crafted overflow can cause malicious code to be executed, as the overflow payload is actual code.

void copyData(char *userId) {
char smallBuffer['''10''']; // size of 10
'''strcpy'''(smallBuffer, userId);
}
int main(int argc, char *argv[]) {
char *userId = "'''01234567890'''"; // Payload of 11
copyData (userId); // this shall cause a buffer overload
}

Buffer overflows are the result of stuffing more code into a buffer than it is meant to hold.

===The Format String: ===
A format function is a function within the ANSI C specification. It can be used to tailor primitive C data types to human readable form. They are used in nearly all C programs to output information, print error messages, or process strings.

Some format parameters:

%x hexadecimal (unsigned int)
%s string ((const) (unsigned) char *)
%n number of bytes written so far, (* int)
%d decimal (int)
%u unsigned decimal (unsigned int)

Example:

printf ("Hello: %s\n", a273150);

The %s in this case ensures that the parameter (a273150) is printed as a string.

Through supplying the format string to the format function we are able
to control the behaviour of it. So supplying input as a format string makes our application do things it's not meant to! What exactly are we able to make the application do?

===Crashing an application: ===

printf (User_Input);

If we supply %x (hex unsigned int) as the input, the '''printf''' function shall expect to find an integer relating to that format string, but no argument exists. This can not be detected at compile time. At runtime this issue shall surface.

===Walking the stack: ===
For every % in the argument the printf function finds it assumes that there is an associated value on the stack. In this way the function walks the stack downwards reading the corresponding values from the stack and printing them to the user.

Using format strings we can execute some invalid pointer access by using a format string such as:

printf ("%s%s%s%s%s%s%s%s%s%s%s%s");

Worse again is using the '''%n''' directive in '''printf()'''. This directive takes an '''int*''' and '''writes''' the number of bytes so far to that location.

Where to look for this potential vulnerability. This issue is prevalent with the '''printf()''' family of functions, '''printf(),fprintf(), sprintf(), snprintf().''' Also '''syslog()''' (writes system log information) and setproctitle(''const char *fmt'', ''...''); (which sets the string used to display process identifier information).

===Integer overflows: ===

#include <stdio.h>

int main(void){
int val;
val = 0x7fffffff; /* 2147483647*/
printf("val = %d (0x%x)\n", val, val);
printf("val + 1 = %d (0x%x)\n", val + 1 , val + 1); /*Overflow the int*/
return 0;
}

The binary representation of 0x7fffffff is 1111111111111111111111111111111; this integer is initialised with the highest positive value a signed long integer can hold.

Here when we add 1 to the hex value of 0x7fffffff the value of the integer overflows and goes to a negative number (0x7fffffff + 1 = 80000000)
In decimal this is (-2147483648). Think of the problems this may cause!!
Compilers will not detect this and the application will not notice this issue.

We get these issues when we use signed integers in comparisons or in arithmetic and also when comparing signed integers with unsigned integers.

Example:

int myArray[100];

int fillArray(int v1, int v2){
if(v2 > sizeof(myArray) / sizeof(int)){
return -1; /* Too Big !! */
}
myArray [v2] = v1;
return 0;
}

Here if v2 is a massive negative number so the '''''if '''''condition shall pass. This condition checks to see if v2 is bigger than the array size.
The line '''myArray[v2] = v1''' assigns the value v1 to a location out of the bounds of the array causing unexpected results.

== Good Patterns & procedures to prevent buffer overflows: ==

Example:

void copyData(char *userId) {
char smallBuffer[10]; // size of 10
strncpy(smallBuffer, userId, 10); // only copy first 10 elements
smallBuffer[9] = 0; // Make sure it is terminated.
}

int main(int argc, char *argv[]) {
char *userId = "01234567890"; // Payload of 11
copyData (userId); // this shall cause a buffer overload
}

The code above is not vulnerable to buffer overflow as the copy functionality uses a specified length, 10.

C library functions such as '''strcpy (), strcat (), sprintf ()''' and '''vsprintf ()''' operate on null terminated strings and perform no bounds checking. '''gets ()''' is another function that reads input (into a buffer) from stdin until a terminating newline or EOF (End of File) is found. The '''scanf ()''' family of functions also may result in buffer overflows.

Using strncpy(), strncat(), snprintf(), and fgets() all mitigate this problem by specifying the maximum string length. The details are slightly different and thus understanding their implications is required.

Always check the bounds of an array before writing it to a buffer.

The Microsoft C runtime also provides additional versions of many functions with an _s suffix (strcpy_s, strcat_s, sprintf_s). These functions perform additional checks for error conditions and call an error handler on failure. (See [http://msdn2.microsoft.com/en-us/library/8ef0s5kh(VS.80).aspx Security Enhancements in the CRT])

==.NET & Java ==

C# or C++ code in the .NET framework can be immune to buffer overflows if the code is ''managed''. Managed code is code executed by a .NET virtual machine, such as Microsoft's. Before the code is run, the Intermediate Language is compiled into native code. The managed execution environments own runtime-aware complier performs the compilation; therefore the managed execution environment can guarantee what the code is going to do. The Java development language also does not suffer from buffer overflows; as long as native methods or system calls are not invoked, buffer overflows are not an issue. Finally ASP pages are also immune to buffer overflows due to Integer Overflow checks performed by the VBScript interpreter while executing the code.

[[Category:OWASP Code Review Project]]

Codereview-Cryptography

2008-10-13T20:14:34Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__

== Introduction ==

There are two types of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files [1]. Developers are at the forefront of deciding which category a particular application resides in. Cryptography provides for security of data at rest (via encryption), enforcement of data integrity (via hashing/digesting), and non-repudiation of data (via signing). As a result, the coding in a secure manner of any of the above cryptographic processes within source code must conform in principle to the use of standard cryptographically secure algorithms with strong key sizes.

The use of non-standard cryptographic algorithms, custom implementation of cryptography (standard & non-standard) algorithms, use of standard algorithms which are cryptographically insecure (e.g. DES), and the implementation of insecure keys can weaken the overall security posture of any application. Implementation of the aforementioned methods, enables the use of known cryptanalytic tools & techniques to decrypt sensitive data.

== Related Security Activities ==

[[Guide to Cryptography]] 
[[Using the Java Cryptographic Extensions]]

== Use of Standard Cryptographic Libraries ==

As a general recommendation, there is strong reasoning behind not creating custom cryptographic libraries and algorithms. There is a huge distinction between groups, organisations and individuals developing cryptographic algorithms and those that implement cryptography either in software or in hardware.

=== .NET and C/C++ (Win32) ===

For .NET code, class libraries and implementations within System.Security.Cryptography should be used [2]. This namespace within .NET aims to provide a number of wrappers that do not require proficient knowledge of cryptography in order to use it [3].

For C/C++ code running on Win32 platforms, the CryptoAPI is recommended [2]. This has been an integral component for any Visual C++ developer's toolkit prior to the release of the latest replacement with Windows Vista. The CryptoAPI today offers an original benchmark for what will become legacy applications.

=== Classic ASP ===
Classic ASP pages do not have direct access to cryptographic functions so the only way is to create COM wrapper in Visual C++ or Visual Basic implementing calls to DPAPI or CryptoAPI, then call it from ASP pages using the '''Server.CreateObject''' method.

=== Java ===

The Java Cryptography Extension (JCE) [5] was introduced as an optional package in the Java 2 SDK and has since been included with J2SE 1.4 and later versions. When implementing code in this language, the use of a library that is a provider of the JCE is recommended. Sun provides a list of companies that act as Cryptographic Service Providers and/or offer clean room implementations of the Java Cryptography Extension [6].

== Vulnerable Patterns Examples for Cryptography ==

A secure way to implement robust encryption mechanisms within source code is by implementing FIPS[7] compliant algorithms with the use of the Microsoft Data Protection API (DPAPI)[4] or the Java Cryptography Extension (JCE)[5]. The following should be identified when establishing your cryptographic code strategy: 

<ul>
<li>Standard Algorithms
<li>Strong Algorithms
<li>Strong Key Sizes
</ul>
 
Additionally, all sensitive data that the application handles should be identified and encryption should be enforced. This includes user sensitive data, configuration data, etc. Specifically, presence of the following identifies issues with Cryptographic Code: 

'''.NET''' 
Check for examples for Cryptography in the MSDN Library [http://msdn.microsoft.com/en-us/library/aa480479.aspx#pagpractices0002_cryptography Security Practices: .NET Framework 2.0 Security Practices at a Glance]

<ol>
<li>Check that the Data Protection API (DPAPI) is being used
<li>Verify no proprietary algorithms are being used
<li>Check that RNGCryptoServiceProvider is used for PRNG
<li>Verify key length is at least 128 bits
</ol>

'''Classic ASP''' 
Perform all of these checks on the COM wrapper as ASP does not have direct access to cryptographic functions
<ol>
<li>Check that the Data Protection API (DPAPI) or CryptoAPI is being used into COM object
<li>Verify no proprietary algorithms are being used
<li>Check that RNGCryptoServiceProvider is used for PRNG
<li>Verify key length is at least 128 bits
</ol>

'''Java''' 
<ol>
<li>Check that the Java Cryptography Extension (JCE) is being used
<li>Verify no proprietary algorithms are being used
<li>Check that SecureRandom (or similar) is used for PRNG
<li>Verify key length is at least 128 bits
</ol>

'''Bad Practice: Use of Insecure Cryptographic Algorithms>>'''

The following algorithms are cryptographically insecure: DES and SHA-0. Below outlines a cryptographic implementation of DES (available per [[Using the Java Cryptographic Extensions]]): 

<pre>
package org.owasp.crypto;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.Cipher;

import java.security.NoSuchAlgorithmException;
import java.security.InvalidKeyException;
import java.security.InvalidAlgorithmParameterException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;

import sun.misc.BASE64Encoder;

/**
* @author Joe Prasanna Kumar
* This program provides the following cryptographic functionalities
* 1. Encryption using DES
* 2. Decryption using DES
*
* The following modes of DES encryption are supported by SUNJce provider
* 1. ECB (Electronic code Book) - Every plaintext block is encrypted separately
* 2. CBC (Cipher Block Chaining) - Every plaintext block is XORed with the previous ciphertext block
* 3. PCBC (Propogating Cipher Block Chaining) -
* 4. CFB (Cipher Feedback Mode) - The previous ciphertext block is encrypted and this enciphered block is XORed with the plaintext block to produce the corresponding ciphertext block
* 5. OFB (Output Feedback Mode) -
*
* High Level Algorithm :
* 1. Generate a DES key
* 2. Create the Cipher (Specify the Mode and Padding)
* 3. To Encrypt : Initialize the Cipher for Encryption
* 4. To Decrypt : Initialize the Cipher for Decryption
*
* Need for Padding :
* Block ciphers operates on data blocks on fixed size n.
* Since the data to be encrypted might not always be a multiple of n, the remainder of the bits are padded.
* PKCS#5 Padding is what will be used in this program
*
*/

public class DES {
public static void main(String[] args) {

String strDataToEncrypt = new String();
String strCipherText = new String();
String strDecryptedText = new String();

try{
/**
* Step 1. Generate a DES key using KeyGenerator
*
*/
KeyGenerator keyGen = KeyGenerator.getInstance("DES");
SecretKey secretKey = keyGen.generateKey();

/**
* Step2. Create a Cipher by specifying the following parameters
* a. Algorithm name - here it is DES
* b. Mode - here it is CBC
* c. Padding - PKCS5Padding
*/

Cipher desCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");

/**
* Step 3. Initialize the Cipher for Encryption
*/

desCipher.init(Cipher.ENCRYPT_MODE,secretKey);

/**
* Step 4. Encrypt the Data
* 1. Declare / Initialize the Data. Here the data is of type String
* 2. Convert the Input Text to Bytes
* 3. Encrypt the bytes using doFinal method
*/
strDataToEncrypt = "Hello World of Encryption using DES ";
byte[] byteDataToEncrypt = strDataToEncrypt.getBytes();
byte[] byteCipherText = desCipher.doFinal(byteDataToEncrypt);
strCipherText = new BASE64Encoder().encode(byteCipherText);
System.out.println("Cipher Text generated using DES with CBC mode and PKCS5 Padding is " +strCipherText);

/**
* Step 5. Decrypt the Data
* 1. Initialize the Cipher for Decryption
* 2. Decrypt the cipher bytes using doFinal method
*/
desCipher.init(Cipher.DECRYPT_MODE,secretKey,desCipher.getParameters());
//desCipher.init(Cipher.DECRYPT_MODE,secretKey);
byte[] byteDecryptedText = desCipher.doFinal(byteCipherText);
strDecryptedText = new String(byteDecryptedText);
System.out.println(" Decrypted Text message is " +strDecryptedText);
}

catch (NoSuchAlgorithmException noSuchAlgo)
{
System.out.println(" No Such Algorithm exists " + noSuchAlgo);
}

catch (NoSuchPaddingException noSuchPad)
{
System.out.println(" No Such Padding exists " + noSuchPad);
}

catch (InvalidKeyException invalidKey)
{
System.out.println(" Invalid Key " + invalidKey);
}

catch (BadPaddingException badPadding)
{
System.out.println(" Bad Padding " + badPadding);
}

catch (IllegalBlockSizeException illegalBlockSize)
{
System.out.println(" Illegal Block Size " + illegalBlockSize);
}

catch (InvalidAlgorithmParameterException invalidParam)
{
System.out.println(" Invalid Parameter " + invalidParam);
}
}

}
</pre>

Additionally, SHA-1 and MD5 should be avoided in new applications moving forward.

== Good Patterns Examples for Cryptography ==

'''Good Practice: Use Strong Entropy>>''' 
The following source code outlines secure key generation per use of strong entropy (available per [[Using the Java Cryptographic Extensions]]): 
<pre>
package org.owasp.java.crypto;

import java.security.SecureRandom;
import java.security.NoSuchAlgorithmException;

import sun.misc.BASE64Encoder;

/**
* @author Joe Prasanna Kumar
* This program provides the functionality for Generating a Secure Random Number.
*
* There are 2 ways to generate a Random number through SecureRandom.
* 1. By calling nextBytes method to generate Random Bytes
* 2. Using setSeed(byte[]) to reseed a Random object
*
*/

public class SecureRandomGen {

/**
* @param args
*/
public static void main(String[] args) {
try {
// Initialize a secure random number generator
SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");

// Method 1 - Calling nextBytes method to generate Random Bytes
byte[] bytes = new byte[512];
secureRandom.nextBytes(bytes);

// Printing the SecureRandom number by calling secureRandom.nextDouble()
System.out.println(" Secure Random # generated by calling nextBytes() is " + secureRandom.nextDouble());

// Method 2 - Using setSeed(byte[]) to reseed a Random object
int seedByteCount = 10;
byte[] seed = secureRandom.generateSeed(seedByteCount);

// TBR System.out.println(" Seed value is " + new BASE64Encoder().encode(seed));

secureRandom.setSeed(seed);

System.out.println(" Secure Random # generated using setSeed(byte[]) is " + secureRandom.nextDouble());

} catch (NoSuchAlgorithmException noSuchAlgo)
{
System.out.println(" No Such Algorithm exists " + noSuchAlgo);
}
}

}</pre>

'''Good Practice: Use Strong Algorithms>>'''

Below illustrates the implementation of AES (available per [[Using the Java Cryptographic Extensions]]):

<pre>
package org.owasp.java.crypto;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.Cipher;

import java.security.NoSuchAlgorithmException;
import java.security.InvalidKeyException;
import java.security.InvalidAlgorithmParameterException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;

import sun.misc.BASE64Encoder;

/**
* @author Joe Prasanna Kumar
* This program provides the following cryptographic functionalities
* 1. Encryption using AES
* 2. Decryption using AES
*
* High Level Algorithm :
* 1. Generate a DES key (specify the Key size during this phase)
* 2. Create the Cipher
* 3. To Encrypt : Initialize the Cipher for Encryption
* 4. To Decrypt : Initialize the Cipher for Decryption
*
*
*/

public class AES {
public static void main(String[] args) {

String strDataToEncrypt = new String();
String strCipherText = new String();
String strDecryptedText = new String();

try{
/**
* Step 1. Generate an AES key using KeyGenerator
* Initialize the keysize to 128
*
*/
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(128);
SecretKey secretKey = keyGen.generateKey();

/**
* Step2. Create a Cipher by specifying the following parameters
* a. Algorithm name - here it is AES
*/

Cipher aesCipher = Cipher.getInstance("AES");

/**
* Step 3. Initialize the Cipher for Encryption
*/

aesCipher.init(Cipher.ENCRYPT_MODE,secretKey);

/**
* Step 4. Encrypt the Data
* 1. Declare / Initialize the Data. Here the data is of type String
* 2. Convert the Input Text to Bytes
* 3. Encrypt the bytes using doFinal method
*/
strDataToEncrypt = "Hello World of Encryption using AES ";
byte[] byteDataToEncrypt = strDataToEncrypt.getBytes();
byte[] byteCipherText = aesCipher.doFinal(byteDataToEncrypt);
strCipherText = new BASE64Encoder().encode(byteCipherText);
System.out.println("Cipher Text generated using AES is " +strCipherText);

/**
* Step 5. Decrypt the Data
* 1. Initialize the Cipher for Decryption
* 2. Decrypt the cipher bytes using doFinal method
*/
aesCipher.init(Cipher.DECRYPT_MODE,secretKey,aesCipher.getParameters());
byte[] byteDecryptedText = aesCipher.doFinal(byteCipherText);
strDecryptedText = new String(byteDecryptedText);
System.out.println(" Decrypted Text message is " +strDecryptedText);
}

catch (NoSuchAlgorithmException noSuchAlgo)
{
System.out.println(" No Such Algorithm exists " + noSuchAlgo);
}

catch (NoSuchPaddingException noSuchPad)
{
System.out.println(" No Such Padding exists " + noSuchPad);
}

catch (InvalidKeyException invalidKey)
{
System.out.println(" Invalid Key " + invalidKey);
}

catch (BadPaddingException badPadding)
{
System.out.println(" Bad Padding " + badPadding);
}

catch (IllegalBlockSizeException illegalBlockSize)
{
System.out.println(" Illegal Block Size " + illegalBlockSize);
}

catch (InvalidAlgorithmParameterException invalidParam)
{
System.out.println(" Invalid Parameter " + invalidParam);
}
}

}</pre>

== Laws and Regulations on Cryptography ==

There are a number of countries in which encryption is outlawed. As a result, the development or use of applications that deploy cryptographic processes could have an impact depending on location. The following crypto law survey attempts to give an overview on the current state of affairs regarding cryptography on a per-country basis [8]

== Design and Implementation ==

=== Specification Definitions ===

Any code implementing cryptographic processes and algorithms should be audited against a set of specifications. This will have as an objective to capture the level of security the software is attempting to meet and thus offer a measure point with regards to the cryptography used.

=== Level of Code Quality ===

Cryptographic code written or used should be of the highest level in terms of implementation. This should include simplicity, assertions, unit testing, as well as modularization.

=== Side Channel and Protocol attacks ===

As an algorithm is static in nature, its use over a communication medium constitutes a protocol. Thus issues relating to timeouts, how a message is received and over what channel should be considered.

== References ==

[1] Bruce Schneier, Applied Cryptography, John Wiley & Sons, 2nd edition, 1996.

[2] Michael Howard, Steve Lipner, The Security Development Lifecycle, 2006, pp. 251 - 258

[3] .NET Framework Developer's Guide, Cryptographic Services, http://msdn2.microsoft.com/en-us/library/93bskf9z.aspx

[4] Microsoft Developer Network, Windows Data Protection, http://msdn2.microsoft.com/en-us/library/ms995355.aspx

[5] Sun Developer Network, Java Cryptography Extension, http://java.sun.com/products/jce/

[6] Sun Developer Network, Cryptographic Service Providers and Clean Room Implementations, http://java.sun.com/products/jce/jce122_providers.html

[7] Federal Information Processing Standards, http://csrc.nist.gov/publications/fips/

[8] Bert-Jaap Koops, Crypto Law Survey, 2007, http://rechten.uvt.nl/koops/cryptolaw/

Codereview-Deployment

2008-10-13T19:59:16Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__

=== Secure application deployment ===
Another important thing to be aware of is when you receive the code: make sure it is identical in deployment layout to what would go to production. Having well-written code is a great start, but deploying that great code in unprotected folders on the application server is not a great idea.
Attackers do code reviews also, and what better than to code review the potential target application.

Outside of the actual code to review, one must examine if the deployment of a web application is within a secure environment.
Having secure code but the environment upon which the code resides is a lost cause.
Accessing resources directly must be controlled within the environment;

Areas such as configuration files, directories, & resources which need authorisation need to be secured on the host so that direct access to such artifacts is disallowed.

For example: try in “'''''Google'''''”:
http://www.google.com/search?q=%0D%0Aintitle%3Aindex.of+WEB-INF

This lists exposed “''Web-Inf''” directories on WebSphere®, Tomcat and other app servers.

''The WEB-INF directory tree contains web application classes, pre-compiled JSP files, server side libraries, session information and files such as '''web.xml''' and '''webapp.properties'''. ''

So be sure the code base is identical to production. Ensuring that we have a “''secure code environment''” is also an important part of an application secure code inspection.

The code may be “bullet proof” but if it is accessible to a user this may cause other problems. Remember the developer is not the only one to perform code reviews, attackers also do this. The only visible surface that a user should see are the “suggestions” rendered by the browser upon receiving the HTML from the backend server. Any request to the backend server outside the strict context of the application should be refused and not be visible. Generally think of ''“That which is not explicitly granted is denied”''.

Example of the Tomcat web.xml to prevent directory indexing:

<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>readonly</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>

So to deny access to all directories we put:

<Directory />
Order Deny,Allow
Deny from All
</Directory>

And then override this for the directories we require access to:

Also in Apache HTTP server to ensure directories like WEB-INF and META-INF are protected the following should be added to the ''httpd.conf'', the main configuration file for the Apache web server

<Directory /usr/users/*/public_html>
Order Deny,Allow
Allow from all
</Directory>
<Directory /usr/local/httpd>
Order Deny,Allow
Allow from all
</Directory>

On Apache servers, if we wish to specify permissions for a directory and subdirectories we add a '''''.htaccess''''' file.

To protect the .htaccess file itself we place:

<Files .htaccess>
order allow,deny
deny from all
</Files>

To stop directory indexing we place the following directive into the .htaccess file:
'''IndexIgnore *'''
The * is a wildcard to prevent all files from being indexed.
[[Category:OWASP Code Review Project]]

== Protecting JSP pages ==

If using the Struts framework we do not want users access any JSP page directly. Accessing the JSP directly without going through the request processor can enable the attacker to view any server-side code in the JSP.
Let's say initial page can is a HTML document, so the HTTP GET from the browser retrieves this page. Any subsequent page must go through the framework.
Add the following lines to the '''web.xml''' file to prevent users from accessing any JSP page directly:

<web-app>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>no_access</web-resource-name>
<url-pattern>*.jsp</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
...
</web-app>

With this directive in '''web.xml''' a HTTP request for a JSP page directly will fail.
[[Category:OWASP Code Review Project]]

==Protecting ASP Pages==
For classic ASP pages there is no way to configure this kind of protection using a configuration file, rather all this kind of configurations can only be only done though IIS console, thus, out of the scope of this document.

== A clean environment ==

When reviewing the environment we must see if the directories contain any artifacts from development. These files may not be referenced in any way and hence the application server gives no protection to them. Files such as .'''bak, .old, .tmp''' etc should be removed as they may contain source code.

Source code should not go into production directories. The compiled class files are all that is required in most cases. All source code should be removed and only the “executables” should remain.

No development tools should be present in a production environment. For example a Java application should only need a JRE (Java Runtime Environment) and not a JDK (Java Development Kit) to function.

Test and debug code should be removed from all source code and configuration files. Even commented-out code should be removed as a precaution. Test code can contain backdoors that circumvent the workflow in the application and at worst contain valid authentication credentials or account details.

Comments on code and Meta tags pertaining to the IDE used or technology used to develop the application should be removed. Some comments can divulge important information regarding bugs in code or pointers to functionality. This is particularly important with server side code such as JSP and ASP files.

A copyright and confidentiality statement should be at the top of every file. This mitigates any confusion regarding who owns the code. This may seem trivial but it is important to state who owns the code.

To sum up, code review includes looking at the configuration of the application server and not just the code. Knowledge of the server in question is important and information is easily available on the web.

[[Category:OWASP Code Review Project]]

Codereview-Error-Handling

2008-10-13T19:50:34Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__
[[Category:OWASP Code Review Project]]

==Error Handling==

Error Handling is important in a number of ways. It may effect the state of the application, or leak system information to a user. The initial failure to cause the error may cause the application be traverse into an insecure state.
Weak error handling also aids the attacker as the errors returned may assist them in constructing correct attack vectors. A generic error page for most errors is recommended when developing code. This approach makes it more difficult for attackers to identify signatures of potentially successful attacks. There are methods which can circumvent systems with leading practice error handling semantics which should be kept in mind; Attacks such as blind SQL injection using booleanization or response time characteristics can be used to address such generic responses.

The other key area relating to error handling is the premise of "fail securely". Errors induced should not leave the application in an insecure state. Resources should be locked down and released, sessions terminated (if required) and calculations or business logic should be halted (depending on the type of error of course).

An important aspect of secure application development is to prevent information leakage. Error messages give an attacker great insight into the inner workings of an application.

The purpose of reviewing the Error Handling code is to assure the application fails safely under all possible error conditions, expected and unexpected. No sensitive information is presented to the user when an error occurs.

For example, SQL injection is much tougher to successfully execute without some healthy error messages. It lessens the attack footprint, and an attacker would have to resort to use “blind SQL injection” which is more difficult and time consuming.

A well-planned error/exception handling strategy is important for three reasons:

# Good error handling does not give an attacker any information which is a means to an end, attacking the application
# A proper centralised error strategy is easier to maintain and reduces the chance of any uncaught errors “Bubbling up” to the front end of an application.
# Information leakage can lead to social engineering exploits.

Some development languages provide checked exceptions, which means that the compiler shall complain if an exception for a particular API call is not caught. Java and C# are good examples of this.
Languages like C++ and C do not provide this safety net. Languages with checked exception handling still are prone to information leakage as not all types of errors are checked for.

When an exception or error is thrown we also need to log this occurrence. Sometimes this is due to bad development, but it can be the result of an attack or some other service your application relies on failing.

All code paths that can cause an exception to be thrown should check for success in order for the exception not to be thrown.

To avoid a NullPointerException we should check is the object being accessed is not null.

===Error Handling Should Be Centralised===

When reviewing code it is recommended to assess the commonality within the application from a error/exception handling perspective.
Frameworks have error handling resources which can be exploited to assist in secure programming and such resources within the framework should be reviewed to assess if the error handling is "wired-up" correctly.

A generic error page should be used for all exceptions if possible. This prevents the attacker identifying internal
responses to error states. This also makes it more difficult for automated tools to identify successful attacks.

===Declarative Exception Handling===

<exception key=”bank.error.nowonga”
path=”/NoWonga.jsp”
type=”mybank.account.NoCashException”/>

This could be found in the struts-config.xml file, a key file when reviewing the wired-up struts environment

'''Java Servlets and JSP'''

Specification can be done in ''web.xml'' in order to handle unhandled exceptions. When Unhandled exceptions occur but not caught in code the user is forwarded to a generic error page:

<error-page>
<exception-type>UnhandledException</exception-type>
<location>GenericError.jsp</location>
</error-page>

Also in the case of HTTP 404 or HTTP 500 errors during the review you may find:

<error-page>
<error-code>500</error-code>
<location>GenericError.jsp</location>
</error-page>

===Failing Securely===
Types of errors:
The result of business logic conditions not being met.
The result of the environment wherein the business logic resides fails.
The result of upstream or downstream systems upon which the application depends fail.
Technical hardware / physical failure

A failure is never expected but they do occur such like much in life.
In the event of a failure it is important not to leave the "doors" of the application open and they keys to other "rooms" within the application sitting on the table.
In the course of a logical workflow, which is designed based upon requirements, errors may occur which can be programmatically handled such as a connection pool not being available or a down stream server not being contactable.

Such areas of failure should be examined during the course of the code review. It should be examined if all resources should be released in the case of a failure and during the thread of execution if there is any potential for resource leakage, resources being memory, connection pools, file handles etc.

The review of code should also include pinpointing areas where the user session should be terminated or invalidated. Sometimes errors may occur which do not make any logical sense from a business logic perspective or a technical standpoint;

Eg: "A logged in user looking to access an account which is not registered to that user and such data could not be inputted in the normal fashion."

Such conditions reflect possible malicious activity. Here we should review if the code is in any way defensive and kills the users session object and forwards the user to the login page. (Keep in mind that the session object should be examined upon every HTTP request)

===Information burial===

Swallowing exceptions into an empty catch() block is not advised as an audit trail of the cause of the exception would be incomplete.

==Generic error messages==

We should use a localized description string in every exception, a friendly error reason such as “System Error – Please try again later”. When the user sees an error message, it will be derived from this description string of the exception that was thrown, and never from the exception class which may contain a stack trace, line number where the error occurred, class name or method name.

Do not expose sensitive information in exception messages. Information such as paths on the local file system is considered privileged information; any internal system information should be hidden from the user. As mentioned before an attacker could use this information to gather private user information from the application or components that make up the app.

Don’t put people’s names or any internal contact information in error messages. Don’t put any “human” information, which would lead to a level of familiarity and a social engineering exploit.

==How to locate the potentially vulnerable code==

===JAVA===

In Java we have the concept of an error object; the Exception object.
This lives in the Java package java.lang and is derived from the Throwable object.
Exceptions are thrown when an abnormal occurrence has occurred. Another object derived from Throwable is the Error object, which is thrown when something more serious occurs.

Information leakage can occur when developers use some exception methods, which ‘bubble’ to the user UI due to a poor error handling strategy.
The methods are as follows:
printStackTrace()
getStackTrace()

Also important to know is that the output of these methods is printed in System console, the same as System.out.println(e) where e is an Exception. Be sure to not redirect the outputStream to PrintWriter object of JSP, by convention called "out". Ex. printStackTrace(out);

Also another object to look at is the java.lang.system package:

setErr() and the System.err field.

===.NET===

In .NET a System.Exception object exists. Commonly used child objects such as ApplicationException and SystemException are used.
It is not recommended that you throw or catch a SystemException this is thrown by runtime.

When an error occurs, either the system or the currently executing application reports it by throwing an exception containing information about the error, similar to java. Once thrown, an exception is handled by the application or by the default exception handler.
This Exception object contains similar methods to the java implementation such as:

StackTrace
Source
Message
HelpLink

In .NET we need to look at the error handling strategy from the point of view of global error handling and the handling of unexpected errors. This can be done in many ways and this article is not an exhaustive list.
Firstly, an Error Event is thrown when an unhandled exception is thrown. This is part of the TemplateControl class.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemWebUITemplateControlClassErrorTopic.asp

==Error handling can be done in three ways in .NET==

*In the web.config file's customErrors section.
*In the global.asax file's Application_Error sub.
*On the aspx or associated codebehind page in the Page_Error sub

The order of error handling events in .NET is as follows:
# On the Page in the Page_Error sub.
# The global.asax Application_Error sub
# The web.config file

It is recommended to look in these areas to understand the error strategy of the application.

===Classic ASP===
Unlike Java and .NET, classic ASP pages do not have structured error handling in try-catch blocks. Instead they have an specific object called "err". This make error handling in a classic ASP pages hard to do and prone to design errors on error handlers, causing race conditions and information leakage. Also, as ASP uses VBScript (a subtract of Visual Basic), sentences like "On Error GoTo label" are not available.

==Vulnerable Patterns for Error Handling==

===Page_Error===

Page_Error is page level handling which is run on the server side.
Below is an example but the error information is a little too informative and hence bad practice.

'''FIXME: code formatting'''

<nowiki>

<script language="C#" runat="server">

Sub Page_Error(Source As Object, E As EventArgs)

Dim message As String = "<h1>" & Request.Url.ToString()& "</h1>" &

"<pre>" & Server.GetLastError().ToString()& "</pre>"

Response.Write(message) // display message

End Sub

</script>

</nowiki>

The red text in the example above has a number of issues:
Firstly it redisplays the HTTP request to the user in the form of Request.Url.ToString() Assuming there has been no data validation prior to this point we are vulnerable to cross site scripting attacks!! Secondly the error message and stack trace is displayed to the user using Server.GetLastError().ToString() which divulges internal information regarding the application.

After the Page_Error is called, the Application_Error sub is called:

===Global.asax===

When an error occurs, the Application_Error sub is called. In this method we can
log the error and redirect to another page.

<%@ Import Namespace="System.Diagnostics" %>
<script language="C#" runat="server">
void Application_Error(Object sender, EventArgs e) {
String Message = "\n\nURL: http://localhost/" + Request.Path
+ "\n\nMESSAGE:\n " + Server.GetLastError().Message
+ "\n\nSTACK TRACE:\n" + Server.GetLastError().StackTrace;
// Insert into Event Log
EventLog Log = new EventLog();
Log.Source = LogName;
Log.WriteEntry(Message, EventLogEntryType.Error);
Server.Redirect(Error.htm) // this shall also clear the error
}
</script>

Above is an example of code in Global.asax and the Application_Error method.
The error is logged and then the user is redirected. Unvalidated parameters are being
logged here in the form of Request.Path. Care must be taken not to log or redisplay
unvalidated input from any external source.

===Web.config===
Web.config has a custom errors tag which can be used to handle errors. This is called last and if Page_error or Application_error is called and has functionality, that functionality shall be executed first. As long as the previous two handling mechanisms do not redirect or clear (Response.Redirect or a Server.ClearError), this will be called and you shall be forwarded to the page defined in web.config.

<customErrors defaultRedirect="error.html" mode="On|Off|RemoteOnly">
<error statusCode="statuscode" redirect="url"/>
</customErrors>

The “On" directive means that custom errors are enabled. If no defaultRedirect is specified, users see a generic error.
The "Off" directive means that custom errors are disabled. This allows the displaying of detailed errors.
"RemoteOnly" specifies that custom errors are shown only to remote clients, and ASP.NET errors are shown to the local host. This is the default.

<customErrors mode="On" defaultRedirect="error.html">
<error statusCode="500" redirect="err500.aspx"/>
<error statusCode="404" redirect="notHere.aspx"/>
<error statusCode="403" redirect="notAuthz.aspx"/>
</customErrors>

== Leading practice for Error Handling ==

===Try & Catch (Java/ .NET)===

Code that might throw exceptions should be in a ''try'' block and code that handles exceptions in a ''catch'' block.
The catch block is a series of statements beginning with the keyword catch, followed by an exception type and an action to be taken. These are very similar in Java and .NET

Example:

Java Try-Catch:

public class DoStuff {
public static void Main() {
try {
StreamReader sr = File.OpenText("stuff.txt");
Console.WriteLine("Reading line {0}", sr.ReadLine());
}
catch(Exception e) {
Console.WriteLine("An error occurred. Please leave to room”);
logerror(“Error: “, e);
}
}
}

.NET try – catch

public void run() {
while (!stop) {
try {

// Perform work here

} catch (Throwable t) {
// Log the exception and continue
WriteToUser(“An Error has occurred, put the kettle on”);
logger.log(Level.SEVERE, "Unexception exception", t);
}
}
}

In general, it is best practice to catch a specific type of exception rather than use the basic catch(Exception) or catch(Throwable) statement in the case of Java.

In classic ASP there are 2 ways to do error handling, the first is using the err object with an On Error Resume Next

Public Function IsInteger (ByVal Number)
Dim Res, tNumber
Number = Trim(Number)
tNumber=Number
On Error Resume Next 'If an error occurs continue execution
Number = CInt(Number) 'if Number is a alphanumeric string a Type Mismatch error will occur
Res = (err.number = 0) 'If there are no errors then return true
On Error GoTo 0 'If an error occurs stop execution and display error
re.Pattern = "^[\+\-]? *\d+$" 'only one +/- and digits are allowed
IsInteger = re.Test(tNumber) And Res
End Function

The second is using an error handler on an error page, to use this method please go to the following URL:
http://support.microsoft.com/kb/299981

Dim ErrObj
set ErrObj = Server.GetLastError()
'Now use ErrObj as the regular err object

===Releasing resources and good housekeeping===

If the language in question has a ''finally'' method, use it. The finally method is guaranteed to always be called. The finally method can be used to release resources referenced by the method that threw the exception. This is very important. An example would be if a method gained a database connection from a pool of connections, and an exception occurred without finally, the connection object shall not be returned to the pool for some time (until the timeout). This can lead to pool exhaustion. finally() is called even if no exception is thrown.

try {
System.out.println("Entering try statement");
out = new PrintWriter(new FileWriter("OutFile.txt"));
//Do Stuff….

} catch (Exception e) {
System.err.println("Error occurred!”);

} catch (IOException e) {
System.err.println("Input exception ");

} finally {

if (out != null) {
out.close(); // RELEASE RESOURCES
}
}

A Java example showing finally() being used to release system resources.

'''Classic ASP''' 
For Classic ASP pages it is recommended to enclose all the cleaning in a function and call it into an error handling statement after an "On Error Resume Next".

===Centralised exception handling (Struts Example)===

Building an infrastructure for consistent error reporting proves more difficult than error handling.
Struts provides the ActionMessages and ActionErrors classes for maintaining a stack of error messages to be reported, which can be used with JSP tags like <html: error> to display these error messages to the user.

To report a different severity of a message in a different manner (like error, warning, or information) the following tasks are required:

* Register, instantiate the errors under the appropriate severity
* Identify these messages and show them in a constant manner.

Struts ActionErrors class makes error handling quite easy:

ActionErrors errors = new ActionErrors()
errors.add("fatal", new ActionError("...."));
errors.add("error", new ActionError("...."));
errors.add("warning", new ActionError("...."));
errors.add("information", new ActionError("...."));
saveErrors(request,errors); // Important to do this

Now we have added the errors we display them by using tags in the HTML page.

<logic:messagePresent property="error">
<html:messages property="error" id="errMsg" >
<bean:write name="errMsg"/>
</html:messages>
</logic:messagePresent >

'''Classic ASP''' 
For classic ASP pages you need to do some IIS configuration, follow the same link for more information http://support.microsoft.com/kb/299981

[[Category:OWASP Code Review Project]]

Codereview-Input Validation

2008-10-11T14:48:52Z

Rahimjina:

[[Category:OWASP Code Review Project]]
[[OWASP Code Review Guide Table of Contents]]__TOC__
==Introduction==
Input validation is one of the most effective application security technical controls. It can mitigate numerous vulnerabilities (but not all). Input validation is more than checking form field values. The chapter of transactional analysis talks about this.

===Data Validation===
All external input to the system shall undergo input validation. The validation rules are defined by the business requirements for the application. If possible an exact match validator should be implemented. Exact match only permits data that conforms to an expected value. A "Known good" approach (white-list) is a little weaker but more flexible are common. Known good only permits characters/ASCII ranges defined within a white-list. Such a range is defined by the business requirements of the input field. The other approaches to data validation are "known bad" which is a black list of "bad characters" - not future proof and would need maintenance. "Encode bad" would be very weak as it would simply encode characters considered "bad" to a format which is deemed not to affect the functionality of the application.

===Business Validation===

Business validation is concerned with business logic. An understanding of the business logic is required prior to reviewing the code which performs such logic. Business validation could be used to limit the value range or a transaction inputted by a user or reject input which does not make too much business sense.
Reviewing code for business validation can also include rounding errors or floating point issues which may give rise to issues such as integer overflows which can dramatically damage the bottom line.
===Canonicalization===
Canonicalization is the process by which various equivalent forms of a name can be resolved to a single standard name, or the "canonical" name.
===References===
[[Reviewing_Code_for_Data_Validation|Reviewing code for Data Validation]]

Codereview-Session-Management

2008-10-11T14:43:17Z

Rahimjina:

==Introduction==
[[OWASP Code Review Guide Table of Contents]]__TOC__
[[Category:OWASP Code Review Project]]

==Related Security Activities==

===Description of Session Management Vulnerabilities===

See the OWASP articles on [[:Category:Session Management Vulnerability|Session Management Vulnerabilities]].

===Description of Session Management Countermeasures===

See the OWASP articles on [[:Category:Session Management|Session Management Countermeasures]].

===How to Avoid Session Management Vulnerabilities===

See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on how to [[Session Management|Avoid Session Management]] Vulnerabilities.

===How to Test for Session Management Vulnerabilities===

See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for Session Management Schema|Test for Session Management]] Vulnerabilities.

==Description==

Session management from a code review perspective should focus on the creation, renewal, and destruction of a users' session throughout the application.
The code review process should ensure the following:

'''Session ID:'''
*Authenticated users have a robust and cryptographically secure association with their session.
*The session identifier (Session ID) shoud not be predictable and generation of such should be left to the underlying framework. The development effort to produce a session with sufficient entropy is subject to errors and best left to tried and trusted methods.

'''Authorization:'''
*Applications enforce authorization checks
*Applications should check if the session is valid prior to servicing any user requests. The user's session object may also hold authorization data.
**Session ID should be applied to a new user upon successful authentication.
**Reviewing the code to identify where sessions are created and invalidated is important.
**Sessions may need to be terminated upon authorization failures. If a logical condition exists which is not possible, unless the state transition is circumvented or an obvious attempt to escalate privileges, a session should be terminated.

'''Session Transport'''
*Applications avoid or prevent common web attacks, such as replay, request forging and man-in-the-middle.
Session identifiers should be passed to the user in a secure manner such as not using HTTP GET with the session ID being placed in the query string. Such data (query string) is logged in web server logs.
**Cookie transport should be performed over a secure channel. Review the code in relation to cookie manipulation. Verify is the secure flag is set. This prevents the cookie being transported over a non secure channel.

'''Session lifecycle'''
*Session Timeout - Sessions should have a defined inactivity timeout and also in some cases a session hard-limit. The code review should examine such session settings. They may be defined in configuration files or in the code itself. Hard limits shall kill a session regardless of session activity.
**The log-out commands must do more that simply kill the browser. Review the code to verify that log-out commands invalidate the session on the server.

===Related Vulnerabilities===

*[[Reviewing Code for Data Validation]]
*[[Reviewing code for XSS issues]]
*[[Reviewing Code for Authorization Issues]]
*[[Reviewing Code for Authentication]]
*[[Reviewing Code for Session Integrity issues]]

Codereview-Authorization

2008-10-11T14:39:15Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__
[[Category:OWASP Code Review Project]]

==Introduction==
Authorization issues cover a wide array of layers in a web application; from the functional authorization of a user to gain access to a particular function of the application is at the application layer to the Database access authorization and least privilege issues at the persistence layer.
So what to look for when performing a code review? From an attack perspective the most common issues are a result of curiosity and also exploitation of vulnerabilities such as SQL injection.
'''Example''':
A Database account used by an application with system/admin access upon which the application was vulnerable to SQL injection would result in a higher degree of impact rather than the same vulnerable application with a least privilege database account.

Authorisation is key in multiuser environments where user data should be segregated. Different clients/users should not see other clients' data (Horizontal authorisation). Authorisation can also be used to restrict functionality to a subset of users. "Super users" would have extra admin functionality that a "regular user" would not have access to (Vertical authorisation).

Authorisation is a very bespoke area in application development. It can be implemented via a lookup table in a users' session which is loaded upon successful authentication. It could be a real-time interrogation of a backend LDAP or database system upon each request.

==How to locate the potentially vulnerable code ==
Business logic errors are key areas in which to look for authorization errors.
Areas wherein authorization-checks are performed are worth looking at.
Logical conditional cases are areas for examination, such as malformed logic:

if user.equals("NormalUser"){
grantUser(Normal_Permissions);
}else{ //user must be admin/super
grantUser("Super_Persmissions);
}

For classic ASP pages, authorization is usually performed using include files that contain the access control validation and restrictions. So you usually will look for something like
<pre></pre>

We have an additional issue in this sentence a Information disclosure as the inc file might be called directly and disclose application functionality as ASP code will not be executed given that Inc extension is not recognized.

== Vulnerable Patterns for Authorization issues ==
One area of examination is to see if the authorization model simply relies on not displaying certain functions which the user has not authorization to use, security by obscurity in effect.
If a crawl can be performed on the application, links may be discovered which are not on the users GUI. Simple HTTP Get requests can uncover "Hidden" links.
Obviously a map on the server-side should be used to see if one is authorized to perform a task and we should not rely on the GUI "hiding" buttons and links.

So disabling buttons on the client due to the authorization level of user shall not prevent the user from executing the action relating to the button.

document.form.adminfunction.disabled=true;

<form action="./doAdminFunction.asp">

By simply saving the page locally and editing the disabled=true to disabled=false and adding the absolute form action one can proceed to activate the disabled button.

== HotSpots ==

'''The Database:''' The account used by the application to access the database. Ensure least privilege is in effect.

'''ASP.NET:''' (web.config)

The <authorization> element controls ASP.NET URL authorization and the accessibility to gain access to specific folders, pages and resources by users/web clients.
Make sure that only authenticated users are authorized to see/visit certain pages.
<system.web>
<authorization>
<deny users="?"/> <-- Anonymous users are denied access. Users must be authenticated.
</authorization>
</system.web>

The roleManager Element in ASP.NET 2.0 is used to assist in managing roles within the framework. It assists the developer as not as much bespoke code needs to be developed.
In web.config, to see if it is enabled check:

<system.web>
..........
<roleManager enabled="true|false" <providers>...</providers> </roleManager>
..........
</system.web>

'''Apache 1.3'''

In Apache 1.3 there is a file called httpd. Access control can be implemented from here in the form of the ''Allow'' and ''Deny'' directives.
''allow from address'' is the usage where address is the IP address or domain name to apply access to.
Note this granularity is host level granularity.

deny from 124.20.0.249 denies access to that IP.

Order ensures that the 'order'of access is observed.

Order Deny,Allow
Deny from all
Allow from owasp.org

Above, all is denied apart from owasp.org

To move the authorization to the user level in apache we can use the ''Satisfy'' directive.

==Good Example==
Check authorisation upon every user request.

String action = request.getParameter("action")
if (action == "doStuff"){
boolean permit = session.authTable.isAuthorised(action); // check table if authoirsed to do action
}
if (permit){
doStuff();
}else{
throw new (InvalidRequestException("Unauthorised request"); // inform user of no authorisation
session.invalidate(); // Kill session
}

=== Authorisation being performed upon all requests from external entities ===
[[Image:Authorisation.jpg]]

==Bad Example==

Building the GUI based on the users authorisation. "If he cant see the control we wont be able to use it"
- Common enough error. If a user has the URL the functionality can still be called. This is due to no authorisation check being performed upon every HTTP request.

==Related Vulnerabilities==

*[[Reviewing Code for OS Injection]]
Operating System injection can be used to totally ignore authorisation constraints. Access to the underlying host is a key objective of system breach. The application is simply a conduit for access to data.

*[[Reviewing Code for SQL Injection]]
SQL injection can be used to circumvent authorisation. Again, systems are breached to obtain underlying data, they are not breached for the applications themselves. SQL injection is in essence accessing the data via an "out of band" channel not intended by the application.

*[[Reviewing Code for Data Validation]]
The root of all evil - Need we say more :)

*[[Reviewing The Secure Code Environment]]
Insecure class files, folders in deployment may be used to attack an application outside the actual application itself.

*[[Reviewing Code for Session Integrity issues]]
Impersonation can obviously be used to gain unauthorised privilege.

*[[Reviewing Code for Race Conditions]]
In a multi user, multi-threaded environment thread safety is important as one may obtain another individuals session in error.

[[Category:OWASP Code Review Project]]
[[Category:Authorization]]

Codereview-Authentication

2008-10-06T21:24:38Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__
[[Category:OWASP Code Review Project]]

==Introduction==
“Who are you?” Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a username and password.

Depending on your requirements, there are several available authentication mechanisms to choose from. If they are not correctly chosen and implemented, the authentication mechanism can expose vulnerabilities that attackers can exploit to gain access to your system.

The following discusses aspects of source code relating to weak authentication functionality.
This could be due to flawed implementation or broken business logic:
Authentication is a key line of defence in protecting non-public data, sensitive functionality.

===Weak Passwords and password functionality===

Password strength should be enforced upon a user setting/selecting ones password. Passwords should be complex in composition.
Such checks should be done on the backend/server side of the application upon an attempt to submit a new password.

====Bad Example====
Simply checking that a password is not NULL is not sufficient:

String password = request.getParameter("Password");
if (password == Null)
{throw InvalidPasswordException()
}

====Good Example====

Passwords should be checked for the following composition or a variance of such

at least: 1 Upper character (A-Z)
at least: 1 Lower character (a-z)
at least: 1 digit (0-9)
at least one special character (!"£$%&...)

a defined minimum length (8 chars)
a defined maximum length (as with all external input)

no contiguous characters (123abcd)
not more than 2 identical characters in a row (1111)

Such rules should be looked for in code and used as soon as the http request is received.
The rules can be complex RegEx expressions or logical code statements:

if password.RegEx([a-z])
and password.RegEx([A-Z])
and password.RegEx([0-9])
and password.RegEx({8-30})
and password.RexEX([!"£$%^&*()])
return true;
else
return false;

(?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$

=== '''.NET Authentication controls''' ===
In the .NET, there is Authentication tags in the configuration file.

The <'''authentication'''> element configures the authentication mode that your applications use.

<'''authentication'''>

The appropriate authentication mode depends on how your application or Web
service has been designed. The default Machine.config setting applies a secure
Windows authentication default as shown below.

''' authentication Attributes:mode="[Windows|Forms|Passport|None]" '''

<authentication mode="Windows" />

''' Forms Authentication Guidelines '''
To use Forms authentication, set mode=“Forms” on the <authentication> element.
Next, configure Forms authentication using the child <forms> element. The
following fragment shows a secure <forms> authentication element configuration:

<authentication mode="Forms">
<forms loginUrl="Restricted\login.aspx" Login page in an SSL protected folder
protection="All" Privacy and integrity
requireSSL="true" Prevents cookie being sent over http
timeout="10" Limited session lifetime
name="AppNameCookie" Unique per-application name
path="/FormsAuth" and path
slidingExpiration="true" > Sliding session lifetime
</forms>
</authentication>

Use the following recommendations to improve Forms authentication security:
* Partition your Web site.
* Set protection=“All”.
* Use small cookie time-out values.
* Consider using a fixed expiration period.
* Use SSL with Forms authentication.
* If you do not use SSL, set slidingExpiration = “false”.
* Do not use the <credentials> element on production servers.
* Configure the <machineKey> element.
* Use unique cookie names and paths.

For classic ASP pages, authentication is usually performed manually by including the user information in session variables after validation against a DB, so you can look for something like:
Session ("UserId") = UserName
Session ("Roles") = UserRoles

====Cookieless Forms authentication====
Authentication tickets in forms are by default stored in cookies. (Authentication tickets are used to remember if the user has authenticated to the system) Such as a unique id in the cookie og the HTTP header. Other methods to preserve authentication in the stateless HTTP protocol. The directive ''cookieless'' can define thet type of authentication ticket to be used.

Types of cookieless values on the <forms> element:

* UseCookies – specifies that cookie tickets will always be used.
* UseUri – indicates that cookie tickets will never be used.
* AutoDetect – cookie tickets are not used if device does not support such; if the device profile supports cookies, a probing function is used to determine if cookies are enabled.
* UseDeviceProfile – the default setting if not defined; uses cookie-based authentication tickets only if the device profile supports cookies. A probing function is not used.

cookieless="UseUri" : What may be found in the <forms> element above

When we talk about probing we are refering to the user agent directive in the HTTP header. This can inform ASP.NET is cookies are supported.

===Vulnerabilities related to authentication ===

There are many issues relating to authentication which utilise form fields. Inadequate field validation can give rise to the following issues:

*[[Reviewing Code for SQL Injection]]
SQL injection can be used to bypass authentication functionality and even add a malicious user to a system for future use.
*[[Reviewing Code for Data Validation]]
Data validation of all external input must be performed. This also goes for authentication fields.
*[[Reviewing code for XSS issues]]
Cross site scripting can be used on the authentication page to perform identity theft, Phishing, and session hijacking attacks.
*[[Reviewing Code for Error Handling]]
Bad/weak error handling can be used to establish the internal workings of the authentication functionality such as giving insight into the database structure, insight into valid and invalid user ID's, etc.
*[[Reviewing Code for Authentication]]

[[Category:OWASP Code Review Project]]

Searching for Code in J2EE/Java

2008-10-06T21:13:01Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]
== Searching for key indicators ==
The basis of the code review is to locate and analyse areas of code which may have application security implications.
Assuming the code reviewer has a thorough understanding of the code, what it is intended to do and the context upon which it is to be used, firstly one needs to sweep the code base for areas of interest.

This can be done by performing a text search on the code base looking for keywords relating to API's and functions.
Below is a guide for .NET framework 1.1 & 2.0

=== Searching for code in .NET ===

Firstly one needs to be familiar with the tools one can use in order to perform text searching following on from this one need to know what to look for.

In this section we will assume you have a copy of Visual Studio (VS) .NET at hand. VS has two types of search "'''Find in Files'''" and a cmd line tool called '''Findstr'''

The test search tools in XP is not great in my experience and if one has to use this make sure SP2 in installed as it works better.
To start off one should scan thorough the code looking for common patterns or keywords such as "User", "Password", "Pswd", "Key", "Http", etc...
This can be done using the "Find in Files" tool in VS or using findstring as follows:

[Find In Files HERE]

'''findstr /s /m /i /d:c:\projects\codebase\sec "http" *.*'''

====Http Request Strings====
Requests from external sources are obviously a key area of a secure code review. We need to ensure that all HTTP requests received are data validated for composition, max and min length and if the data falls with the realms of the parameter white-list.
Bottom-line is this is a key area to look at and ensure security is enabled.

request.accepttypes
request.browser
request.files
request.headers
request.httpmethod
request.item
request.querystring
request.form
request.cookies
request.certificate
request.rawurl
request.servervariables
request.url
request.urlreferrer
request.useragent
request.userlanguages
request.IsSecureConnection
request.TotalBytes
request.BinaryRead
InputStream
HiddenField.Value
TextBox.Text
recordSet

====HTML Output====
Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result from poor response validation. XSS relies on this somewhat.

response.write
<% =
HttpUtility
HtmlEncode
UrlEncode
innerText
innerHTML

====SQL & Database====
Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine if the application is vulnerable to SQL injection. One aspect of this is to verify that the code uses either ''SqlParameter'', ''OleDbParameter'', or ''OdbcParameter''(System.Data.SqlClient). These are typed and treat parameters as the literal value and not executable code in the database.

exec sp_executesql
execute sp_executesql
select from
Insert
update
delete from where
delete
exec sp_
execute sp_
exec xp_
execute sp_
exec @
execute @
executestatement
executeSQL
setfilter
executeQuery
GetQueryResultInXML
adodb
sqloledb
sql server
driver
Server.CreateObject
.Provider
.Open
ADODB.recordset
New OleDbConnection
ExecuteReader
DataSource
SqlCommand
Microsoft.Jet
SqlDataReader
ExecuteReader
GetString
SqlDataAdapter
CommandType
StoredProcedure
System.Data.sql

====Cookies====
Cookie manipulation can be key to various application security exploits such as session hijacking/fixation and parameter manipulation. One should examine any code relating to cookie functionality as this would have a bearing on session security.
System.Net.Cookie
[[HTTPOnly]]
document.cookie

==== HTML Tags====
Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display and use of such tags within a web application.

HtmlEncode
URLEncode
<applet>
<frameset>
<embed>
<frame>
<html>
<iframe>
<img>
<style>
<layer>
<ilayer>
<meta>
<object>
<body>
<frame security
<iframe security

====Input Controls====
The input controls below are server classes used to produce and display web application form fields. Looking for such references helps locate entry points into the application.

system.web.ui.htmlcontrols.htmlinputhidden
system.web.ui.webcontrols.hiddenfield
system.web.ui.webcontrols.hyperlink
system.web.ui.webcontrols.textbox
system.web.ui.webcontrols.label
system.web.ui.webcontrols.linkbutton
system.web.ui.webcontrols.listbox
system.web.ui.webcontrols.checkboxlist
system.web.ui.webcontrols.dropdownlist

====web.config====
The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application’s root directory. For ASP.NET applications, web.config contains information about most aspects of the application’s operation.

requestEncoding
responseEncoding
trace
authorization
compilation
CustomErrors
httpCookies
httpHandlers
httpRuntime
sessionState
maxRequestLength
debug
forms protection
appSettings
ConfigurationSettings
appSettings
connectionStrings
authentication mode
allow
deny
credentials
identity impersonate
timeout
remote

====global.asax====
Each application has its own Global.asax if one is required. Global.asax sets the event code and values for an application using scripts. One must ensure that application variables do not contain sensitive information, as they are accessible to the whole application and to all users within it.

Application_OnAuthenticateRequest
Application_OnAuthorizeRequest
Session_OnStart
Session_OnEnd

====Logging====
Logging can be a source of information leakage. It is important to examine all calls to the logging subsystem and to determine if any sensitive information is being logged. Common mistakes are logging userID in conjunction with passwords within the authentication functionality or logging database requests which may contains sensitive data.

log4net
Console.WriteLine
System.Diagnostics.Debug
System.Diagnostics.Trace

====Machine.config====
Its important that many variables in machine.config can be overridden in the web.config file for a particular application.

validateRequest
enableViewState
enableViewStateMac

====Threads and Concurrency====
Locating code that contains multithreaded functions. Concurrency issues can result in race conditions which may result in security vulnerabilities. The Thread keyword is where new threads objects are created. Code that uses static global variables which hold sensitive security information may cause session issues. Code that uses static constructors may also cause issues between threads. Not synchronizing the Dispose method may cause issues if a number of threads call Dispose at the same time, this may cause resource release issues.

Thread
Dispose

====Class Design====
Public and Sealed relate to the design at class level. Classes which are not intended to be derived from should be sealed. Make sure all class fields are Public for a reason. Don't expose anything you don't need to.

Public
Sealed

====Reflection, Serialization====
Code may be generated dynamically at runtime. Code that is generated dynamically as a function of external input may give rise to issues. If your code contains sensitive data does it need to be serialized.

Serializable
AllowPartiallyTrustedCallersAttribute
GetObjectData
StrongNameIdentityPermission
StrongNameIdentity
System.Reflection

====Exceptions & Errors====
Ensure that the catch blocks do not leak information to the user in the case of an exception. Ensure when dealing with resources that the finally block is used. Having trace enabled is not great from an information leakage perspective. Ensure customised errors are properly implemented.

catch{
Finally
trace enabled
customErrors mode

====Crypto====
If cryptography is used then is a strong enough cipher used i.e. AES or 3DES. What size key is used, the larger the better. Where is hashing performed? Are passwords that are being persisted hashed? They should be.
How are random numbers generated? Is the PRNG "random enough"?

RNGCryptoServiceProvider
SHA
MD5
base64
xor
DES
RC2
System.Random
Random
System.Security.Cryptography

====Storage====
If storing sensitive data in memory recommend one uses the following.

SecureString
ProtectedMemory

====Authorization, Assert & Revert====
Bypassing the code access security permission? Not a good idea. Also below is a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.

.RequestMinimum
.RequestOptional
Assert
Debug.Assert
CodeAccessPermission
ReflectionPermission.MemberAccess
SecurityPermission.ControlAppDomain
SecurityPermission.UnmanagedCode
SecurityPermission.SkipVerification
SecurityPermission.ControlEvidence
SecurityPermission.SerializationFormatter
SecurityPermission.ControlPrincipal
SecurityPermission.ControlDomainPolicy
SecurityPermission.ControlPolicy

====Legacy methods====
printf
strcpy

=== Searching for code in J2EE/Java ===

====Input and Output Streams====
These are used to read data into ones application. They may be potential entry points into an application. The entry points may be from an external source and must be investigated. These may also be used in path traversal attacks or DoS attacks.

Java.io
java.util.zip
java.util.jar
FileInputStream
ObjectInputStream
FilterInputStream
PipedInputStream
SequenceInputStream
StringBufferInputStream
BufferedReader
ByteArrayInputStream
CharArrayReader
File
ObjectInputStream
PipedInputStream
StreamTokenizer
getResourceAsStream
java.io.FileReader
java.io.FileWriter
java.io.RandomAccessFile
java.io.File
java.io.FileOutputStream
mkdir
renameTo

====Servlets====
These API calls may be avenues for parameter, header, URL & cookie tampering, HTTP Response Splitting and information leakage. They should be examined closely as many of such API's obtain the parameters directly from HTTP requests.
javax.servlet.
getParameterNames
getParameterValues
getParameter
getParameterMap
getScheme
getProtocol
getContentType
getServerName
getRemoteAddr
getRemoteHost
getRealPath
getLocalName
getAttribute
getAttributeNames
getLocalAddr
getAuthType
getRemoteUser
getCookies
isSecure
HttpServletRequest
getQueryString
getHeaderNames
getHeaders
getPrincipal
getUserPrincipal
isUserInRole
getInputStream
getOutputStream
getWriter
addCookie
addHeader
setHeader
setAttribute
putValue
javax.servlet.http.Cookie
getName
getPath
getDomain
getComment
getMethod
getPath
getReader
getRealPath
getRequestURI
getRequestURL
getServerName
getValue
getValueNames
getRequestedSessionId

'''Cross site scripting'''
javax.servlet.ServletOutputStream.print
javax.servlet.jsp.JspWriter.print
java.io.PrintWriter.print

'''Response Splitting'''
javax.servlet.http.HttpServletResponse.sendRedirect
Response.setHeader

'''Redirection'''
sendRedirect
setStatus
addHeader

====SQL & Database====
Searching for Java Database related code this list should help you pinpoint classes/methods which are involved in the persistence layer of the application being reviewed.
jdbc
executeQuery
select
insert
update
delete
execute
executestatement
createStatement
java.sql.ResultSet.getString
java.sql.ResultSet.getObject
java.sql.Statement.executeUpdate
java.sql.Statement.executeQuery
java.sql.Statement.execute
java.sql.Statement.addBatch
java.sql.Connection.prepareStatement
java.sql.Connection.prepareCall

====SSL====

Looking for code which utilises SSL as a medium for point to point encryption. The following fragments should indicate where SSL functionality has been developed.

com.sun.net.ssl
SSLContext
SSLSocketFactory
TrustManagerFactory
HttpsURLConnection
KeyManagerFactory

====Session Management====
getSession
invalidate
getId

====Data Validation====

====Legacy Interaction====
Here we may be vulnerable to command injection attacks or OS injection attacks. Java linking to the native OS can cause serious issues and potentially give rise to total server compromise.

java.lang.Runtime.exec
java.lang.Runtime.getRuntime

====Logging====
We may come across some information leakage by examining code below contained in ones application.

java.io.PrintStream.write
log4j
jLo
Lumberjack
MonoLog
qflog
just4log
log4Ant
JDLabAgent

====Architectural Analysis====
If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks:

### Ajax
XMLHTTP
### Struts
org.apache.struts
### Spring
org.springframework
### Java Server Faces (JSF)
import javax.faces
### Hibernate
import org.hibernate
### Castor
org.exolab.castor
### JAXB
javax.xml
### JMS
JMS

=== Searching for code in Classic ASP ===

====Inputs====
Request
Request.QueryString
Request.Form
Request.ServerVariables
Query_String
hidden
include
.inc

====Output====
Response.Write
Response.BinaryWrite
<%=

====Cookies====
.cookies

====Error Handling====
err.
Server.GetLastError
On Error Resume Next
On Error GoTo 0

====Information in URL====
location.href
location.replace
method="GET"

====Database====
commandText
select from
update
insert into
delete from where
exec
execute
.execute
.open
ADODB.
commandtype
ICommand
IRowSet

====Session====
session.timeout
session.abandon
session.removeall

====DoS Prevention====
server.ScriptTimeout
IsClientConnected

====Logging====
WriteEntry

====Redirection====
Response.AddHeader
Response.AppendHeader
Response.Redirect
Response.Status
Response.StatusCode
Server.Transfer
Server.Execute

===Generic keywords===
Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities:

Hack
Kludge
Bypass
Steal
Stolen
Divert
Broke
Trick
Fix
ToDo

===Web 2.0===

====Ajax and JavaScript====
Look for Ajax usage, and possible JavaScript issues:

eval(
document.cookie
document.referrer
document.attachEvent
document.body
document.body.innerHtml
document.body.innerText
document.close
document.create
document.createElement
document.execCommand
document.forms[0].action
document.location
document.open
document.URL
document.URLUnencoded
document.write
document.writeln
location.hash
location.href
location.search
window.alert
window.attachEvent
window.createRequest
window.execScript
window.location
window.open
window.navigate
window.setInterval
window.setTimeout
XMLHTTP
[[Category:OWASP Code Review Project]]

Crawling Code

2008-09-13T14:22:59Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__
===Crawing Code===
Crawling code is the practice of scanning a code base of the review target in question. It is, in effect, looking for key pointers wherein a possible security vulnerability might reside. Certain API's are related to interfacing to the external world or file IO or user management which are key areas for an attacker to focus on. In crawling code we look for API relating to these areas. We also need to look for business logic areas which may cause security issues but generally these are bespoke methods which have bespoke names and can not be detected directly, even though we may touch on certain methods due to their relationship with a certain key API.

Also we need to look for common issues relating to a specific language; issues that may not be *security* related but which may affect the stability/availability of the application in the case of extraordinary circumstances. Other issues when performing a code review are areas such a simple copyright notice in order to protect ones intellectual property.

Crawling code can be done manually or in an automated fashion using automated tools. Tools as simple as grep or wingrep can be used. Other tools are available which would search for key words relating to a specific programming language.

The following sections shall cover the function of crawing code for Java/J2EE, .NET and Classic ASP.
This section is best used in conjunction with the [[Transaction_Analysis|transactional analysis]] section also detailed in this guide.

[[Category:OWASP Code Review Project]]

OWASP EU Summit 2008 Paid Participants

2008-09-12T13:02:35Z

Rahimjina:

== Provisory list of 'expenses paid' participants ==

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECTED CONFERENCE PAID ATTENDEES AND/OR SPEAKERS - NEEDS OWASP BOARD CONFIRMATION'''
|-
| style="width:20%; background:#b3b3b3" align="center"|'''NAME'''
| style="width:26%; background:#b3b3b3" align="center"|'''POSITION/REASON OF ATTENDANCE'''
| style="width:15%; background:#b3b3b3" align="center"|'''COUNTRY'''
| style="width:15%; background:#b3b3b3" align="center"|'''DEPARTURE (AIRPORT/CITY)'''
| style="width:12%; background:#b3b3b3" align="center"|'''DATE OF ARRIVAL'''
| style="width:12%; background:#b3b3b3" align="center"|'''DATE OF DEPARTURE'''
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP BOARD MEMBERS & EMPLOYEES'''
|-
| style="width:20%; background:#cccccc" align="center"|Jeff Williams
| style="width:26%; background:#cccccc" align="center"|Board, Chair, Wiki, Management
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Washington, D.C.
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Dave Wichers
| style="width:26%; background:#cccccc" align="center"|Board, Conferences, Financials
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Washington, D.C.
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Dinis Cruz
| style="width:26%; background:#cccccc" align="center"|Board, Firehose of Ideas and Money spender
| style="width:15%; background:#cccccc" align="center"|UK
| style="width:15%; background:#cccccc" align="center"|London
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Tom Brennan
| style="width:26%; background:#cccccc" align="center"|Board, OWASP Governance
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|New York, NY
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Sebastien Deleersnyder
| style="width:26%; background:#cccccc" align="center"|Board, OWASP Chapters and Projects
| style="width:15%; background:#cccccc" align="center"|Belgium
| style="width:15%; background:#cccccc" align="center"|?
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Paulo Coimbra
| style="width:26%; background:#cccccc" align="center"|Employee, Project Manager
| style="width:15%; background:#cccccc" align="center"|UK
| style="width:15%; background:#cccccc" align="center"|London
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Kate Hartmann
| style="width:26%; background:#cccccc" align="center"|Employee, Operations Director
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Washington, D.C.
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Achim Hoffmann
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP Skavenger Project, OWASP w3af Project
| style="width:15%; background:#cccccc" align="center"|Germany
| style="width:15%; background:#cccccc" align="center"|Frankfurt or Munich
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Alexander Fry
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP Source Code Review OWASP Projects OWASP Teachable Static Analysis Workbench OWASP WeBekci Project
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Washington, D.C. (IAD)
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Arshan Dabirsiaghi
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP AntiSamy Project
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Baltimore, MD
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Andrew Petukhov
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP Access Control Rules Tester Project
| style="width:15%; background:#cccccc" align="center"|Russia
| style="width:15%; background:#cccccc" align="center"|Moscow
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Dmitry Kozlov
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP Teachable Static Analysis, OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project
| style="width:15%; background:#cccccc" align="center"|Russia
| style="width:15%; background:#cccccc" align="center"|Moscow
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Arturo Alberto Busleiman
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP Enigform and mod_Openpgp
| style="width:15%; background:#cccccc" align="center"|Argentina
| style="width:15%; background:#cccccc" align="center"|?
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|

|-
| style="width:20%; background:#cccccc" align="center"|Carlo Pelliccioni
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP Backend Security Project
| style="width:15%; background:#cccccc" align="center"|Italy
| style="width:15%; background:#cccccc" align="center"|Rome (FCO)
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Eduardo Vianna de Camargo Neves
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP Positive Security
| style="width:15%; background:#cccccc" align="center"|Brazil
| style="width:15%; background:#cccccc" align="center"|Curitiba (CWB)
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Wagner Elias
| style="width:26%; background:#cccccc" align="center"|Reviwer, OWASP Positive Security
| style="width:15%; background:#cccccc" align="center"|Brazil
| style="width:15%; background:#cccccc" align="center"|São Paulo(GRU)
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Eoin Keary
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP Code Review Guide, Chapter Leader
| style="width:15%; background:#cccccc" align="center"|Ireland
| style="width:15%; background:#cccccc" align="center"|Dublin (DUB)
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Rahim Jina
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP Code Review Guide
| style="width:15%; background:#cccccc" align="center"|Ireland
| style="width:15%; background:#cccccc" align="center"|Dublin (DUB)
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Esteban Ribicic
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP Backend Security Project OWASP Classic ASP Security Project OWASP AntiSamy .NET OWASP Interceptor Project - 2008 Update
| style="width:15%; background:#cccccc" align="center"|Croatia
| style="width:15%; background:#cccccc" align="center"|Wien
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Fabio Cerullo
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP Internationalization Guidelines Project OWASP Spanish Project
| style="width:15%; background:#cccccc" align="center"|Ireland
| style="width:15%; background:#cccccc" align="center"|Dublin (DUB)
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Frederick Donovan
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP Application Security Desk Reference (ASDR)
| style="width:15%; background:#cccccc" align="center"|United States
| style="width:15%; background:#cccccc" align="center"|?
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Heiko Webers
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP Ruby on Rails Security Project
| style="width:15%; background:#cccccc" align="center"|Germany
| style="width:15%; background:#cccccc" align="center"|Frankfurt
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Anthony Shireman
| style="width:26%; background:#cccccc" align="center"|Project reviewer, OWASP Ruby on Rails Security Project
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Portland, OR (PDX)
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Kevin Fuller
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP Testing Guide v3 OWASP SQL Injector Benchmarking Project (SQLiBENCH)
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Sacramento Ca
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Leonardo Cavallari Militelli
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP Application Security Desk Reference (ASDR)
| style="width:15%; background:#cccccc" align="center"|Brazil
| style="width:15%; background:#cccccc" align="center"|Sao Paulo (GRU)
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Mark Roxberry
| style="width:26%; background:#cccccc" align="center"|Leader, OWASP .NET Project
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|?
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Matt Tesauro
| style="width:26%; background:#cccccc" align="center"|Project Leader, OWASP Live CD 2008
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Austin, TX or Dallas, TX
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Matteo Meucci
| style="width:26%; background:#cccccc" align="center"|Project Leader, OWASP Testing Guide
| style="width:15%; background:#cccccc" align="center"|Italy
| style="width:15%; background:#cccccc" align="center"|Rome
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Matthias Rohr
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP Skavenger Project
| style="width:15%; background:#cccccc" align="center"|Germany
| style="width:15%; background:#cccccc" align="center"|?
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Michael Coates
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP AppSensor
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Chicago
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Justin Derry
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP Interceptor, Brisbane Chapter Leader, Asia Pacific Conference Chair
| style="width:15%; background:#cccccc" align="center"|Australia
| style="width:15%; background:#cccccc" align="center"|Bejing China
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Nam Nguyen
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP Testing Guide v3, Python Static Analysis, OWASP Education
| style="width:15%; background:#cccccc" align="center"|Vietnam
| style="width:15%; background:#cccccc" align="center"|Ho Chi Minh City
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|P.Satish Kumar
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP Code Review Guide
| style="width:15%; background:#cccccc" align="center"|India
| style="width:15%; background:#cccccc" align="center"|Hyderabad/Mumbai/Chennai
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Paolo Perego
| style="width:26%; background:#cccccc" align="center"|Project Leader, OWASP Orizon Project
| style="width:15%; background:#cccccc" align="center"|Italy
| style="width:15%; background:#cccccc" align="center"|?
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Parvathy Iyer
| style="width:26%; background:#cccccc" align="center"|OWASP Corporate Application Security Guide
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Newark (New Jersey)or Newyork (Newyork city)
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Pierre Parrend
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP OpenSign Server Project OWASP Application Security Verification Standard
| style="width:15%; background:#cccccc" align="center"|France
| style="width:15%; background:#cccccc" align="center"|?
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Stephen Craig Evans
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP Securing WebGoat using ModSecurity
| style="width:15%; background:#cccccc" align="center"|Singapore
| style="width:15%; background:#cccccc" align="center"|Singapore
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Jason Li
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP JSP Testing Tool
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Baltimore
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Gandhi Aryavalli Sriranga Narasimha
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP Application Security Desk Reference (ASDR)
| style="width:15%; background:#cccccc" align="center"|India
| style="width:15%; background:#cccccc" align="center"|Bangalore
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Rodrigo Marcos
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP Internationalization Guidelines Project OWASP Spanish Project
| style="width:15%; background:#cccccc" align="center"|UK
| style="width:15%; background:#cccccc" align="center"|London
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Marcin Wielgoszewski
| style="width:26%; background:#cccccc" align="center"|Reviewer, OWASP AntiSamy.NET
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|New York, NY
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|James Walden
| style="width:26%; background:#cccccc" align="center"|Project Leader, OWASP Source Code Review OWASP Projects
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Cincinnati, OH
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:26%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008 SPECIAL PROJECT CONTRIBUTORS'''
|-
| style="width:20%; background:#cccccc" align="center"|Daniele Bellucci
| style="width:26%; background:#cccccc" align="center"|OWASP Backend Security Project contributor
| style="width:15%; background:#cccccc" align="center"|?
| style="width:15%; background:#cccccc" align="center"|?
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:26%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008/LOGISTICS'''
|-
| style="width:20%; background:#cccccc" align="center"|Sarah Cruz
| style="width:26%; background:#cccccc" align="center"|Project leader, Graphic Design
| style="width:15%; background:#cccccc" align="center"|UK
| style="width:15%; background:#cccccc" align="center"|London
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:26%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SPRING OF CODE 2007 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Joshua Perrymon
| style="width:26%; background:#cccccc" align="center"|Project Leader, OWASP LiveCD, OWASP Phishing Framework, Alabama Chapter Lead
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Birmingham,AL
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Brad Causey
| style="width:26%; background:#cccccc" align="center"|Project Reviewer, OWASP Phishing Framework, Alabama Chapter VP
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Birmingham,AL
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP AUTUMN OF CODE 2006 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Rogan Dawes
| style="width:26%; background:#cccccc" align="center"|Project leader, WebScarab-NG
| style="width:15%; background:#cccccc" align="center"|South Africa
| style="width:15%; background:#cccccc" align="center"|Johannesburg, South Africa
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Simon Roses Femerling
| style="width:26%; background:#cccccc" align="center"|Project leader, OWASP Pantera
| style="width:15%; background:#cccccc" align="center"|Spain
| style="width:15%; background:#cccccc" align="center"|?
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:26%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''ACTIVE PROJECT LEADERS (NOT CURRENTLY PARTICIPATING ON SOC 08)'''
|-
| style="width:20%; background:#cccccc" align="center"|Alex Smolen
| style="width:26%; background:#cccccc" align="center"| Project leader, .NET ESAPI
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|?
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:26%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''ACTIVE CHAPTER LEADERS (NOT CURRENTLY PARTICIPATING ON SOC 08)'''
|-
| style="width:20%; background:#cccccc" align="center"|Steve Antoniewicz
| style="width:26%; background:#cccccc" align="center"|Chapter Board Member, NY/NJ Metro
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|?
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Kuai Hinojosa
| style="width:26%; background:#cccccc" align="center"|Chapter leader, Twin-Cities
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Jim Manico
| style="width:26%; background:#cccccc" align="center"|Chapter leader/founder, Hawaii
| style="width:15%; background:#cccccc" align="center"|Hawaii, USA
| style="width:15%; background:#cccccc" align="center"|Anahola, Island of Kauai
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Rex Booth
| style="width:26%; background:#cccccc" align="center"|Chapter leader, Washington DC
| style="width:15%; background:#cccccc" align="center"|USA
| style="width:15%; background:#cccccc" align="center"|Washington DC
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Andrzej Targosz
| style="width:26%; background:#cccccc" align="center"|Chapter leader, Poland
| style="width:15%; background:#cccccc" align="center"|Poland
| style="width:15%; background:#cccccc" align="center"|Cracow
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Dhruv Soi
| style="width:26%; background:#cccccc" align="center"|Chapter Board Member, New Delhi
| style="width:15%; background:#cccccc" align="center"|India
| style="width:15%; background:#cccccc" align="center"|New Delhi, India
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Bedirhan Urgun
| style="width:26%; background:#cccccc" align="center"|Chapter Leader, Turkiye
| style="width:15%; background:#cccccc" align="center"|Turkey
| style="width:15%; background:#cccccc" align="center"|Istanbul
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:26%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''SIGNIFICANT PAST OWASP CONTRIBUTOR (NOT ALREADY COVERED BY ONE OF THE ABOVE CATEGORIES)'''
|-
| style="width:20%; background:#cccccc" align="center"|David Rook
| style="width:26%; background:#cccccc" align="center"|Code Review Guide Contributor, Irish Chapter Contributor
| style="width:15%; background:#cccccc" align="center"|Ireland
| style="width:15%; background:#cccccc" align="center"|Dublin (DUB)
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|''''KEY INDUSTRY PLAYERS' INVITED TO THE WORKING SESSIONS (NOT ALREADY COVERED BY ONE OF THE ABOVE CATEGORIES)'''
|-
| style="width:20%; background:#cccccc" align="center"|Colin Watson
| style="width:26%; background:#cccccc" align="center"|OWASP Awards Contributor
| style="width:15%; background:#cccccc" align="center"|UK
| style="width:15%; background:#cccccc" align="center"|London
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|?
| style="width:26%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
| style="width:12%; background:#cccccc" align="center"|
|-
|}

The Owasp Code Review Top 9

2008-08-26T22:03:41Z

Rahimjina:

[[OWASP Code Review Guide Table of Contents]]__TOC__
[[Category:OWASP Code Review Project]]

== Preface ==
In this section, we will try to organize the most critical security flaws you can find during a code review in order to have a finite set of categories to evaluate the whole code review process.

''needs more details here''

== The 9 flaw categories ==
In term of source code security, source code vulnerabilities can be managed in million of ways.

Source code vulnerabilities must reflect Owasp Top 10 recommendations. Applications are made of source so, in some way source code flaws can be re conducted to flaws in application.

The following seventh family will be included as default library in Owasp Orizon Project v1.0 that will be released in October 2008.

''needs more details here''

Here you can find the nine source code flaw categories:

* Input validation
* Source code design
* Information leakage and improper error handling
* Direct object reference
* Resource usage
* API usage
* Best practices violation
* Weak Session Management
* Using HTTP GET query strings

As you may see 3 categories out of 9 are equals to the correspondent Owasp Top 10 key point.

Let's go more in detail going deeper in describing the source code flaw categories.

=== Input validation ===
This flaw categories is the source code counterpart of the Owasp Top 10 A1 category.

The check's families contained in this category are all the ones tied to the missing validation of input data submitted by user and that they will reflect in a Owasp Top 10 A1 violation.

In this category the follow security flaw family are contained:
* Input validation
** Cross site scripting
** SQL Injection
** XPATH Injection
** LDAP Injection
** Cross site request forgery
** Buffer overflow
** Format bug
=== Source code design ===
Security in source code starts from design and from the choices made before starting coding using the editor you like most.

In the source code design flaw categories, you can find security check families tied to scope and source code organization.

* Source code design
** Insecure field scope
** Insecure method scope
** Insecure class modifiers
** Unused external references
** Redundant code

=== Information leakage and improper error handling ===
This category meets the correspondent Owasp Top 10 one. It will contain security check families about how source code manage errors, exception, logging and sensitive information.

The following families are present:
* Information leakage and improper error handling
** Unhandled exception
** Routine return value usage
** NULL Pointer dereference
** Insecure logging

=== Direct object reference ===
Also this category is the same as the one stated in the Owasp Top 10 project.
It refers to the attacker's capability to interact with application internals supplying an ad hoc crafted parameter.

The families contained in this category are:
* Direct object reference
** Direct reference to database data
** Direct reference to filesystem
** Direct reference to memory

=== Resource usage ===
This category is related to all the unsafe ways a source code can request operating system managed resources. Most of the vulnerability families here contained, if exploited, will result in a some kind of denial of service.

Resources can be:
* filesystem objects
* memory
* CPU
* network bandwidth

Given such category, the families that can be included are:
* Resource usage
** Insecure file creation
** Insecure file modifying
** Insecure file deletion
** Race condition
** Memory leak
** Unsafe process creation

=== API usage ===
This section is about APIs provided by the system or by the framework in use that can be used in a malicious way.
In this category you can find:
* insecure database calls
* insecure random number creation
* improper memory management calls
* insecure HTTP session handling
* insecure strings manipulation

=== Best practices violation ===
The last category is about all miscellaneous security violation that doesn't fit in the previous ones.
Most, but not all, of these categories contain warning-only source code best practices.

This category includes:
* insecure memory pointer usage
** NULL pointer dereference
** pointer arithmetic
** variable aliasing
* unsafe variable initialization
* missing comments and source code documentation

=== Weak Session Management ===

* Not invalidating session upon an error occurring
* Not checking for valid sessions upon HTTP request

=== Using HTTP GET query strings ===

* Passing sensitive data over URL /querystring

Code Auditor Workbench Tool

2008-08-26T22:01:46Z

Rahimjina:

Following this thread [http://lists.owasp.org/pipermail/owasp-testing/2007-January/001324.html Code Review project and Code-Scanning-Tool(s)] here are some ideas of what such tool could do:

My conjecture is that static analysis only goes so-far in terms of
helping in a audit. It's nice, it's flashy, it's expensive, SPI, Fortify
and the like are spending millions investing in the technology, it looks
good to managers (I just bought a 60k security tool for my coders, I'm a
cool manager it's all secure now!) - but it's not the static analysis
portion of a review that will help me secure a system. (Sure, it helps
me find low hanging fruit, but not the real interesting stuff).

Please tell me what static code review tool will bark at me if I forget
to add my custom authentication function or functions (which is most
common) at the top of each JSP? Not many do stuff like that well.

Also, most Java code audits that I am a part of is done by a team of 2
of more coders. (In fact, I say never do at a code review alone! Bring
your friends!)

So my vision is having some kind of web 2.0-like mashup:
# integrated IM
# integrated commenting system
# code demarcation/labeling tool
# a built in programmable checklist (like, this JSP needs to be "checked" for manual review of input validation, authentication, access control, or my applet checklist would be (no business logic, no protected information, etc) - the checklist changes depending on what I'm auditing. Cost limitations almost always necessitate I limit scope of my audit.
# integrated documentation features so I can build my audit documentation "on the fly" during the audit process within the workbench in a Wiki-fashion so the whole team could work on the doc together at the same time. (For example, this feature would automatically create shell documentation every time I label code as a "critical" problem.
# It would be nice if this workbench could import reports from those static analyzers (but they have a history of not playing well with the other tools)
# Lately I've been asked to create system documentation during the audit process (can you believe that some very large systems that I audit have no system documentation? oh my! shocking!) so perhaps enhanced technical documentation functionality would help.

Tool Deployment Model

2008-08-26T22:00:27Z

Rahimjina:

Deploying code review tools to developers helps the throughput of a code review team by helping to identify and hopefully remove most of the common and simple coding mistakes prior to a security consultant viewing the code.
 
This methodology improves developer knowledge and also the security consultant can spend time looking for more abstract vulnerabilities.
[[Category:OWASP Code Review Project]]

Education and cultural change

2008-08-26T21:59:52Z

Rahimjina:

Educating developers to write secure code is the paramount goal of a secure code review. Taking code review from this standpoint is the only way to promote and improve code quality. Part of the education process is to empower developers with the knowledge in order to write better code.
 
This can be done by providing developers with a controlled set of rules which the developer can compare their code to. Automated tools provide this functionality and also help reducing the overhead from a time perspective. A developer can check his/her code using a tool without much initial knowledge of the security concerns pertaining to their task at hand. Also running a tool to assess the code if a fairly painless task once the developer becomes familiar with the tool(s).
[[Category:OWASP Code Review Project]]

Automated Code Review

2008-08-26T21:58:02Z

Rahimjina: Review

[[OWASP Code Review Guide Table of Contents]]__TOC__

==Preface==

While manual code reviews can find security flaws in code, they suffer from two problems. Manual code reviews are slow, covering 100-200 lines per hour on average. Also, there are hundreds of security flaws to look for in code, while humans can only keep about seven items in memory at once. Source code analysis tools can search a program for hundreds of different security flaws at once at a rate far greater than any human can review code. However, these tools don't eliminate the need for a human reviewer, as they produce both false positive and false negative results.

== '''Reasons for using automated tools:''' ==

In large scale code review operations for enterprises such that the volume of code is enormous automated code review techniques can assist in improving the throughput of the code review process.

== '''Education and cultural change:''' ==

Educating developers to write secure code is the paramount goal of a secure code review. Taking code review from this standpoint is the only way to promote and improve code quality. Part of the education process is to empower developers with the knowledge in order to write better code.

This can be done by providing developers with a controlled set of rules which the developer can compare their code to. Automated tools provide this functionality and also help reducing the overhead from a time perspective. A developer can check his/her code using a tool without much initial knowledge of the security concerns pertaining to their task at hand.
Also running a tool to assess the code is a fairly painless task once the developer becomes familiar with the tool(s).

== '''Tool Deployment model:''' ==

Deploying code review tools to developers helps the throughput of a code review team by helping to identify and hopefully remove most of the common and simple coding mistakes prior to a security consultant viewing the code.

This methodology improves developer knowledge and also the security consultant can spend time looking for more abstract vulnerabilities.

[[Category:OWASP Code Review Project]]

Shared Objects

2008-08-26T21:50:50Z

Rahimjina: Review

[[OWASP Code Review Guide Table of Contents]]__TOC__

Shared Objects are designed to store up to 100kb of data relating to a users session.
They are dependent on host and domain name and SWF movie name.

They are stored in binary format and are not cross-domain by default.
Shared objects are not automatically transmitted to the server unless requested by the application.

It is worth noting that they are also stored outside the web browser cache:

C:\Documents and Settings\<USER>\Application Data\Macromedia\Flash Player\#Shared Objects\<randomstring>\<domain>
In the case of cleaning the browser cache Flash sharedobjects survive such an action.

Shared objects are handled by the Flash application and not the clients' web browser.

SandBox Security Model

2008-08-26T21:49:52Z

Rahimjina: Review

[[OWASP Code Review Guide Table of Contents]]__TOC__

'''Flash player assigns SWF files to sandboxes based on their origin'''

'''Internet SWF files sandboxed based on origin domains'''
'''Domain:'''
- Any two SWF files can interact together within the same sandbox.
- Explicit permission is required to interact with objects in other sandboxes.

'''Local'''

'''local-with-filesystem (default)'''
- The file system can read from local files only

'''local-with-networking'''
- Interact with other local-with-networking SWF files

'''local-trusted'''
- Can read from Local files, communicate to any server and access any SWF file.

“The sandbox defines a limited space in which a Macromedia Flash movie
running within the Macromedia Flash Player is allowed to operate. Its primary
purpose is to ensure the integrity and security of the client’s machine, and as
well as security of any Macromedia Flash movies running in the player.”

Cross Domain Permissions:
A Macromedia Flash movie playing on a web browser is not allowed access that is outside the exact domain from which is originated.
This is defined in the cross-domain policy file crossdomain.xml.
Policy files are used by Flash to permit Flash to load data from servers other than its native domain.
If a SWF file wishes to communicate with remote servers it must be granted explicit permission:

<cross-domain-policy>
<allow-access-from domain="example.domain.com"/>
</cross-domain-policy>

The API call System.security.loadPolicyFile(url) loads a cross domain policy from a specified URL which may be different from the crossdomain.xml file

'''Accessing JavaScript:'''

A parameter called allowScriptAccess governs if the Flash object has access to external scripts
It can have three possible values: '''never, same domain, always'''

<object id="flash007">
<param name=movie value="bigmovie.swf">
<embed AllowScriptAccess="'''always'''" name='flash007' src="bigmovie.swf" type="application/x-shockwave-flash">
</embed>
</object>

Reviewing MySQL Security

2008-08-26T21:48:04Z

Rahimjina: Review

[[OWASP Code Review Guide Table of Contents]]__TOC__
==Introduction==

As part of the code review you may need to step outside the code review box to assess the security of a database such as MySQL.
The following covers areas which could be looked at:

===Privileges===
'''Grant_priv''': Allows users to grant privileges to other users. This should be appropriately restricted to the DBA and Data (Table) owners.

Select * from user
where Grant_priv = 'Y';

Select * from db
where Grant_priv = 'Y';

Select * from host
where Grant_priv = 'Y';

Select * from tables_priv
where Table_priv = 'Grant';

'''Alter_priv''':Determine who has access to make changes to the database structure (alter privilege) at a global, database and table.

Select * from user
where Alter_priv = 'Y';

Select * from db
where Alter _priv = 'Y';

Select * from host
where Alter_priv = 'Y';

Select * from tables_priv
where Table_priv = 'Alter';

====mysqld configuration file====

Check for the following:

a)skip-grant-tables
b)safe-show-database
c)safe-user-create

'''a)'''This option causes the server not to use the privilege system at all. All users have full access to all tables
'''b)'''When the '''SHOW DATABASES''' command is executed it returns only those databases for which the user has some kind of privilege. Default since MySQL v4.0.2.
'''c)'''With this enabled a user can't create new users with the GRANT command as long as the user does not have the '''INSERT''' privilege for the '''mysql.user table'''.

====User privileges====
Here we can check which users have access to perform potentially malicious actions on the database. "Least privilege" is the key point here:

Select * from user where
Select_priv = 'Y' or Insert_priv = 'Y'
or Update_priv = 'Y' or Delete_priv = 'Y'
or Create_priv = 'Y' or Drop_priv = 'Y'
or Reload_priv = 'Y' or Shutdown_priv = 'Y'
or Process_priv = 'Y' or File_priv = 'Y'
or Grant_priv = 'Y' or References_priv = ‘Y'
or Index_priv = 'Y' or Alter_priv = 'Y';

Select * from host
where Select_priv = 'Y' or Insert_priv = 'Y'
or Create_priv = 'Y' or Drop_priv = 'Y'
or Index_priv = 'Y' or Alter_priv = 'Y';
or Grant_priv = 'Y' or References_priv = ‘Y'
or Update_priv = 'Y' or Delete_priv = 'Y'

Select * from db
where Select_priv = 'Y' or Insert_priv = 'Y'
or Grant_priv = 'Y' or References_priv = ‘Y'
or Update_priv = 'Y' or Delete_priv = 'Y'
or Create_priv = 'Y' or Drop_priv = 'Y'
or Index_priv = 'Y' or Alter_priv = 'Y';

===Default MySQL accounts===
The default account in MySQl is "root"/"root@localhost" with a blank password. We can check if the root account exists by:

SELECT User, Host
FROM user
WHERE User = 'root';

===Remote Access===
MySQL by default listens on port 3306. If the app server is on localhost also we can disable this port by adding
'''skip-networking''' to the [mysqld] in the my.cnf file.

[[Category:OWASP Code Review Project]]
[[Category:MySQL security]]

Strings and Integers

2008-08-26T21:46:45Z

Rahimjina: Review

==Introduction:==

Strings are not a defined Type in C or C++ but simply a contiguous array of characters terminated by a null (\0) character
The length of the string is the amount of characters which precede the null character.
C++ does contain template classes which address this feature of the programming language: '''std::basic_string''' and '''std::string''' These classes address some security issues but not all.

'''|W|E|L|C|O|M|E|\0|'''

==Common String Errors==
Common string errors can be related to mistakes in implementation which may cause drastic security and availability issues.
C/C++ do not have the comfort other programming languages provide such as Java and C# .NET relating to buffer overflows and such due to a String Type not being defined.

Common issues include:
#Input validation errors
#Unbounded Errors
#Truncation issues
#Out-of-bounds writes
#String Termination Errors
#Off-by-one errors`

Some of the issues mentioned above have been covered in the "Reviewing Code for Buffer Overruns and Overflows" section previously in this guide.

===Unbounded Errors===
====String Copies====

Occur when data is copied from a unbounded source to a fixed length character array

void main(void) {
char Name[10];
puts("Enter your name:");
gets(Name); <-- Here the name input by the user can be of arbitrary length over running the Name array.
...
}

====String Termination Errors====
Failure to properly terminate strings with a null can result in system failure

int main(int argc, char* argv[]) {
char a[16];
char b[16];
char c[32];
strncpy(a, "0123456789abcdef", sizeof(a));
strncpy(b, "0123456789abcdef", sizeof(b));
strncpy(c, a, sizeof(c));
}

It is recommended that it should be verified that the following is used:
strncpy() instead of strcpy()
snprintf() instead of sprintf()
fgets() instead of gets()

====Off by one error====
(Looping through arrays should be looped in a n-1 manner as we must remember arrays and vectors start as 0. This is not specific to C/C++ but Java and C# also.)

Off-by-one errors are common to looping functionality wherein a looping functionality is performed on an object in order to manipulate the contents of an object such as copy or add information.
The off-by-one error is a result of an error on the loop counting functionality.

for (i = 0; i < 5; i++) {
/* Do Stuff */
}
Here i starts with a value of 0, it then increments to 1, then 2,3 & 4. When i reaches 5 then the condition i<5 is false and the loop terminates.

If the condition was set such that i<=5 (less than or equal to 5) the loop wont terminate until i reaches 6 which may not be what is intended.

Also counting from 1 instead of 0 can cause similar issues as there would be one less iterations. Both of these issues relate to a off-by-one error where the loop either under or over counts.

===Issues with Integers===
====Integer Overflows====
When an integer is increased beyond its maximum range or decreased below its minimum value overflows occur.
Overflows can be signed or unsigned. Signed when the overflow carries over to the sign bit unsigned when the value being intended to be represented in no longer represented correctly.

int x;
x = INT_MAX; // 2,147,483,647
x++;
''Here x would have the value of -2,147,483,648 after the increment''

It is important when reviewing the code that some measure should be implemented such that the overflow does not occur. This is not the same as relying on the value "never going to reach this value (2,147,483,647)".
This may be done by some supporting logic or a post increment check.

unsigned int y;
y = UINT_MAX; // 4,294,967,295;
y++;
''Here y would have a value of 0 after the increment''

Also here we can see the result of an unsigned int being incremented which loops the integer back to the value 0
As before this should also be examined to see if there are any compensating controls to prevent this from happening.

====Integer conversion====
When converting from a signed to an unsigned integer care must also be taken to prevent a representation error.

int x = -3;
unsigned short y;
y = x;
''Here y would have the value of 65533 due to the loopback effect of the conversion from signed to unsigned.''