https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=RsnakeOWASP - User contributions [en]2026-05-22T00:09:34ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=187063Application Security Program Quick Start Guide2014-12-15T17:50:47Z<p>Rsnake: /* The Application Security Program Quick Start Guide */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
=== Preface ===<br />
<br />
This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.<br />
<br />
The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.<br />
<br />
A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:<br />
#The number of vulnerabilities present in an application<br />
#The time to fix vulnerabilities<br />
#The remediation rate of vulnerabilities<br />
#The time vulnerabilities remain open<br />
<br />
The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.<br />
<br />
=== Audience ===<br />
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.<br />
<br />
== [[Day 1]] == <br />
''''' **Key Activities: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development<br />
<br />
== [[Day 2]] ==<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
== [[Day 3]] ==<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
== [[Day 4]] == <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
== [[Day 5]] ==<br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization<br />
<br />
== Conclusion ==<br />
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| '''Matt Johansen''']]<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=187062Application Security Program Quick Start Guide2014-12-15T17:50:08Z<p>Rsnake: /* The Application Security Program Quick Start Guide */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
=== Preface ===<br />
<br />
This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.<br />
<br />
The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.<br />
<br />
A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:<br />
#The number of vulnerabilities present in an application<br />
#The time to fix vulnerabilities<br />
#The remediation rate of vulnerabilities<br />
#The time vulnerabilities remain open<br />
<br />
The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.<br />
<br />
=== Audience ===<br />
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.<br />
<br />
== [[Day 1]] == <br />
''''' **Key Activities: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development<br />
<br />
== [[Day 2]] ==<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
== [[Day 3]] ==<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
== [[Day 4]] == <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
== [[Day 5]] ==<br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization<br />
<br />
<br />
== Conclusion ==<br />
Setting up an effective application security program does require commitment from all elements of the business, and a clear understanding of what resources need to be protected and what level of risk is acceptable. However, given that information, setting up an application security program need not be confusing, difficult, or complex. The keys to success involve planning, making key financial decisions, ensuring all roles and responsibilities are clearly assigned and that all stakeholders within the organization know what to expect.<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| '''Matt Johansen''']]<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=187061Application Security Program Quick Start Guide2014-12-15T17:49:19Z<p>Rsnake: /* The Application Security Program Quick Start Guide */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
=== Preface ===<br />
<br />
This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.<br />
<br />
The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.<br />
<br />
A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:<br />
#The number of vulnerabilities present in an application<br />
#The time to fix vulnerabilities<br />
#The remediation rate of vulnerabilities<br />
#The time vulnerabilities remain open<br />
<br />
The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.<br />
<br />
=== Audience ===<br />
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.<br />
<br />
== [[Day 1]] == <br />
''''' **Key Activities: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development<br />
<br />
== [[Day 2]] ==<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
== [[Day 3]] ==<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
== [[Day 4]] == <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
== [[Day 5]] ==<br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| '''Matt Johansen''']]<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=187060Application Security Program Quick Start Guide2014-12-15T17:48:55Z<p>Rsnake: /* Contents */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
Placeholder<br />
<br />
=== Preface ===<br />
<br />
This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life-cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.<br />
<br />
The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.<br />
<br />
A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to:<br />
#The number of vulnerabilities present in an application<br />
#The time to fix vulnerabilities<br />
#The remediation rate of vulnerabilities<br />
#The time vulnerabilities remain open<br />
<br />
The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas.<br />
<br />
=== Audience ===<br />
The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.<br />
<br />
== [[Day 1]] == <br />
''''' **Key Activities: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development<br />
<br />
== [[Day 2]] ==<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
== [[Day 3]] ==<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
== [[Day 4]] == <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
== [[Day 5]] ==<br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| '''Matt Johansen''']]<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=187059Application Security Program Quick Start Guide2014-12-15T17:46:02Z<p>Rsnake: /* Day 1 */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
Placeholder<br />
<br />
== Contents ==<br />
<br />
<br />
* Preface<br />
** [[AppSec Quick Start Guide: About this guide|About this guide]]<br />
** [[AppSec Quick Start Guide: Audience|Audience]]<br />
<br />
== [[Day 1]] == <br />
''''' **Key Activities: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development<br />
<br />
== [[Day 2]] ==<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
== [[Day 3]] ==<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
== [[Day 4]] == <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
== [[Day 5]] ==<br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| '''Matt Johansen''']]<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=187058Application Security Program Quick Start Guide2014-12-15T17:45:07Z<p>Rsnake: /* Day 1 */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
Placeholder<br />
<br />
== Contents ==<br />
<br />
<br />
* Preface<br />
** [[AppSec Quick Start Guide: About this guide|About this guide]]<br />
** [[AppSec Quick Start Guide: Audience|Audience]]<br />
<br />
== [[Day 1]] == <br />
*Evaluation <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development<br />
<br />
== [[Day 2]] ==<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
== [[Day 3]] ==<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
== [[Day 4]] == <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
== [[Day 5]] ==<br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| '''Matt Johansen''']]<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Day_1&diff=187057Day 12014-12-15T17:44:24Z<p>Rsnake: Created page with "== Key Activities == === Evaluation === *Dedicate time to understanding the “lay of the land” and the key players, along with their objectives and motivations. *Spend time..."</p>
<hr />
<div>== Key Activities ==<br />
=== Evaluation ===<br />
*Dedicate time to understanding the “lay of the land” and the key players, along with their objectives and motivations.<br />
*Spend time with the parts of the organization that you are least familiar with.<br />
*Identify the security mandate as defined by the business/management.<br />
*Identify how IT Operations align with the security mandate.<br />
*Be alert to your existing biases.<br />
<br />
== Key Questions ==<br />
<br />
=== Management ===<br />
'''''Has the business defined an internal security mandate?'''''<br />
Business drivers may originate from legal or industry compliance obligations, internal policy, or customer or partner<br />
requirements. All actions and activities in the Application Security program should tie back to specific business<br />
obligations. If there is no business mandate, a case must be made to the business that an application security program is necessary. There are a number of industry statistical reports and benchmarks available that address what other, similar organizations have implemented and why.<br />
<br />
'''''What are the current and planned human and financial resources dedicated to Application Security?'''''<br />
If resources are currently dedicated to ensuring the integrity of applications, examine the current allocation of those resources against their outcomes. The goal is to ensure that in a world of limited resources, each activity is measured for actual efficacy.<br />
<br />
If there are few or no resources allocated to ensuring the integrity of applications, the case must be made by<br />
leveraging data relevant to the organization that can be quantified in financial terms. Building a formal business case is the most effective way to approach the problem. The case must address the needs as they apply to existing business objectives. This is not the time for expounding on the virtues of security. You must translate the business benefit of reallocating financial resources. Simply asking for X number of dollars to reduce Y number of vulnerabilities is typically ineffective.<br />
<br />
'''''What are the IT & Business priorities?'''''<br />
IT is both an enabler and supporter of the business. Security is no different in this respect; however, it has the added challenge of needing to be transparent where it can be, and be a part of the ordinary workflow, or be perceived as a roadblock. Once the business priorities have been identified, the application security goals must be aligned with<br />
those priorities. If the business priorities are to release new functionality at a rapid pace, then application testing must keep pace; if the priorities are to maintain the user experience over a long period of time, a pplication testing must be rigorous before the user is ever exposed to the application.<br />
<br />
=== Security ===<br />
'''''What is the overall security budget and the priorities of that budget?'''''<br />
'''''What percentage of that budget is allocated to Application Security?'''''<br />
Most departments will feel under budget to some degree. Examine the overall security budget (including cyberinsurance<br />
budget if possible, as it likely falls outside of the security budget) to understand what receives financial priority and how the Application Security program could benefit from those activities. If there is significant spend on security infrastructure, ensure that they are leveraging controls to protect applications -- for example, alerting on the lack or improper use of security headers.<br />
<br />
'''''Which of your assets are most frequently attacked?'''''<br />
Not all attacks are equal, and not all attacks are opportunistic. Careful examination of attack frequency and velocity<br />
can identify the assets requiring additional testing to ensure resiliency. Often, low(er) priority assets will be targeted for exploitation as they tend not be as resilient to attacks.<br />
<br />
'''''What security tools and/or services do you as a company currently own/use?'''''<br />
Query other parts of the security organization to understand what tools and services they already have access to. Software and services are often bundled in contracts but not used as they were not the primary purpose for purchase.<br />
If the QA team already has access to security tools that were bundled as part of their QA software acquisition there are opportunities to leverage that existing financial commitment and even allow for native integration.<br />
<br />
=== IT Operations ===<br />
'''''What are your assets?'''''<br />
Include assets you own and assets hosted or owned by third parties. Unknown or unmanaged assets cannot be protected. It is also difficult to fix issues if the person or team responsible for those assets is unknown. Developing an accurate and update-to-date asset inventory can be challenging, however, for the purpose of this exercise we will be focusing on web-based assets. The narrowed scope can be aggressively targeted and maintained.<br />
<br />
'''''How are web assets isolated and distributed throughout the infrastructure?'''''<br />
If an attacker were able to compromise a machine (say a webserver, or a database server) what would prevent them from pivoting and hacking into other nearby machines? Are they physically isolated, logically isolated, or do they share similar credentials, etc?<br />
<br />
'''''How frequently do you perform network and server vulnerability scans?'''''<br />
Addressing web application vulnerabilities on a server that never patches its operating system is a waste of resources. Understand how often infrastructure is assessed and patched – this should match or exceed the pac e of attack frequency.<br />
<br />
'''''What is your tolerance around production safety?'''''<br />
Some environments are more sensitive to production testing, as there is always some likelihood of impact; the goal is to get the likelihood of impact as close to zero as possible. As the likelihood of impact approaches zero, the frequency of testing should be increased. Ultimately, production systems are the primary targets of our adversaries – they should be tested as often as possible; at a minimum, at least as frequently as the application itself is changed or updated.<br />
<br />
=== Engineering Groups (including QA and Software Development) ===<br />
'''''According to the software development group’s understanding of the current processes, whose responsibility is application security?'''''<br />
Security lives in our corporate cultures and psyche. Developers are ultimately responsible for their code; understand<br />
whether they also believe they are responsible for the integrity of that code. Security is not the sole responsibility of either the developer community or the security department. Foster a healthy environment of mutual responsibility and accountability from all stakeholders. Begin by sharing information in a non-aggressive manner.<br />
<br />
'''''Where does Security fit into the software development lifecycle?'''''<br />
If a development lifecycle does not exist, the first priority is to demonstrate the business value of having a defined process. Most organizations will have some process in place, even if it is an immature one. The absence of a development process could also prove to be an opportunity to ensure security is built into a process from the start.<br />
<br />
Roughly, the steps to building or updating software can be generalized as:<br />
#Planning / Analysis<br />
#Design<br />
#Implementation<br />
#Testing<br />
#Maintain<br />
#Decommission<br />
<br />
Let’s break down each step and discuss basic security activities that are often considered to reduce risk.<br />
<br />
'''Planning / Analysis:''' Ensure business analysts and stakeholders have considered and can detail the security needs and risk tolerance of an application. This may reference internal data classification policies to describe the data sensitivity. Threat modeling may also help clarify the potential threat agents who may be motivated to attack the proposed application.<br />
<br />
'''Design:''' A security architecture review may reveal security design flaws in key areas such as authentication, access control, or separation of concerns, and of course may identify missing categorical security controls.<br />
<br />
'''Implementation:''' The implementation process normally consists of the coding and development of the overall architecture design formulated in the previous phase. Developers should be receiving continuous security feedback to ensure all security issues are being identified and mitigated in conformance with the organization’s risk tolerance.<br />
<br />
'''Testing:''' Testing should include security tests as well as functional tests. Areas of concentration should be on vulnerabilities that would not have been uncovered during the implementation phase, such as business logic vulnerabilities.<br />
<br />
'''Maintenance:''' Once the application is promoted to production, continuous testing of security issues should be ongoing throughout the life of the application. As vulnerability vectors and attacks evolve, the application should be tested to ensure defensibility against these new attacks.<br />
<br />
<br />
'''''How are software defects documented, trended, and prioritized?'''''<br />
The key to adoption of an Application Security program is alignment with and transparency to current workflows. Identify how application defects are documented, trended and prioritized, and plan to insert the application security defects into these existing documents and processes.<br />
<br />
'''''Are developers encouraged to develop secure code?'''''<br />
Positive incentive programs foster ownership and accountability for output. Corporate culture varies from each organization; tapping into that culture to offer incentives for producing rugged code will create a natural momentum for finding and fixing security issues. Some cultures will value access to otherwise less accessible personnel, such as lunch with the CTO; others will be motivated by gifts that they might not have purchased for themselves, such as a robotics kit. Take the time to understand the culture of your organization and tap into the inherent desire most people have to be rewarded. Remember that money does not motivate everyone, and can even be demotivating in some cases.<br />
<br />
'''''Are abuse and misuse cases part of test scripts?'''''<br />
Test scripts are often developed for the sole purpose of ensuring the application performs the intended functionality.<br />
Introduce test scripts that could identify the misuse of intended functionality, such as the ability to execute similar functionality a user should not be able to access.<br />
<br />
'''''Is everyone in the organization expected to have general software security knowledge or is there a team/individual<br />
tasked with being the "Security Deputy"?''''<br />
Security deputy programs are a good approach to disseminating application security information to non-security<br />
focused departments; they also have the added bonus of fostering a two-way relationship.<br />
<br />
Implement a deputy program that:<br />
*is focused on the goals of the application developers and application security testers<br />
*is aimed at achieving results beyond simple security awareness<br />
*can address the points throughout the development cycle where vulnerabilities are introduced – at the time the code is written</div>Rsnakehttps://wiki.owasp.org/index.php?title=Day_2&diff=187056Day 22014-12-15T17:28:40Z<p>Rsnake: </p>
<hr />
<div>== Key Activities ==<br />
*Become intimately familiar with what you are meant to protect and at what level.<br />
*Define processes, procedures, and checklists to align assessment strategies to business needs.<br />
*Effectively communicate the introduction and goals of the Application Security assessment program.<br />
*Provide a single point of contact for the program.<br />
<br />
== Asset Discovery ==<br />
*Gather Internal, External and Hosted IP ranges.<br />
*Catalogue known domains and subdomains.<br />
*Identify asset meta-data locations. (CMDBs, GRCs, etc.).<br />
*Identify site owners, where those are not already known.<br />
*Gather assessment credentials, including multiple roles for horizontal and vertical testing.<br />
*Identify the rate of application change (e.g. monthly, weekly, etc.…)<br />
<br />
== Asset Risk Prioritization ==<br />
*Develop or leverage existing methodology for stack ranking the value of your assets to the business based on<br />
impact to confidentiality, integrity and availability (C.I.A.). (See: [http://csrc.nist.gov/publications/fips/fips199/FIPSPUB-199-final.pdf])<br />
<br />
POTENTIAL IMPACT<br />
<br />
{| class="wikitable" style="color:black; background-color:#C1D9DD;" cellpadding="10"<br />
!SECURITY OBJECTIVE<br />
!LOW<br />
!MODERATE<br />
!HIGH<br />
|-<br />
|Confidentiality<br />
Preserving authorized restrictions on information<br />
access and disclosure, including means for protecting<br />
personal privacy and proprietary information. [44 U.S.C., SEC. 3542]<br />
|The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.<br />
|The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.<br />
|The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
|-<br />
|Integrity<br />
Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation<br />
and authenticity. [44 U.S.C., SEC. 3542]<br />
|The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.<br />
|The unauthorized modification or destruction of information could be expected to have a serious adverse effect on<br />
organizational operations, organizational assets, or individuals.<br />
|The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
|-<br />
|Availability<br />
Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]<br />
|The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.<br />
|The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.<br />
|The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
|}<br />
<br />
*Map asset criticality against attacker profiles with use of a GRC (Governance Risk Management and Compliance) tool if available, or using an information asset register such as the University of Oxford Information Asset Register Tool<br />
<br />
For example:<br />
#Tier 1 = Targeted Govt./State sponsor.<br />
#Tier 2 = Hactivism<br />
#Tier 3 = Random Opportunistic<br />
<br />
*Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.<br />
<br />
== Communication Plan ==<br />
*Set expectations of assessment program for all interested parties.<br />
*Alert Operations team of upcoming activities.<br />
*Gather written buy-in from application stakeholders for the assessment activities.<br />
*Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines and enforce these in compliance with relevant global regulations and standards.<br />
*Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST)</div>Rsnakehttps://wiki.owasp.org/index.php?title=Day_2&diff=187055Day 22014-12-15T17:28:08Z<p>Rsnake: </p>
<hr />
<div>== Key Activities ==<br />
*Become intimately familiar with what you are meant to protect and at what level.<br />
*Define processes, procedures, and checklists to align assessment strategies to business needs.<br />
*Effectively communicate the introduction and goals of the Application Security assessment program.<br />
*Provide a single point of contact for the program.<br />
<br />
== Asset Discovery ==<br />
*Gather Internal, External and Hosted IP ranges.<br />
*Catalogue known domains and subdomains.<br />
*Identify asset meta-data locations. (CMDBs, GRCs, etc.).<br />
*Identify site owners, where those are not already known.<br />
*Gather assessment credentials, including multiple roles for horizontal and vertical testing.<br />
*Identify the rate of application change (e.g. monthly, weekly, etc.…)<br />
<br />
== Asset Risk Prioritization ==<br />
*Develop or leverage existing methodology for stack ranking the value of your assets to the business based on<br />
impact to confidentiality, integrity and availability (C.I.A.). (See: [http://csrc.nist.gov/publications/fips/fips199/FIPSPUB-199-final.pdf])<br />
<br />
POTENTIAL IMPACT<br />
<br />
{| class="wikitable" style="color:black; background-color:#C1D9DD;" cellpadding="10"<br />
!SECURITY OBJECTIVE<br />
!LOW<br />
!MODERATE<br />
!HIGH<br />
|-<br />
|Confidentiality<br />
Preserving authorized restrictions on information<br />
access and disclosure, including means for protecting<br />
personal privacy and proprietary information. [44 U.S.C., SEC. 3542]<br />
|The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.<br />
|The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.<br />
|The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
|-<br />
|Integrity<br />
Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation<br />
and authenticity. [44 U.S.C., SEC. 3542]<br />
|The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.<br />
|The unauthorized modification or destruction of information could be expected to have a serious adverse effect on<br />
organizational operations, organizational assets, or individuals.<br />
|The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
|-<br />
|Availability<br />
Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]<br />
|The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.<br />
|The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.<br />
|The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
|}<br />
<br />
*Map asset criticality against attacker profiles with use of a GRC (Governance Risk Management and Compliance) tool if available, or using an information asset register such as the University of Oxford Information Asset Register Tool<br />
<br />
For example:<br />
**Tier 1 = Targeted Govt./State sponsor.<br />
**Tier 2 = Hactivism<br />
**Tier 3 = Random Opportunistic<br />
<br />
*Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.<br />
<br />
== Communication Plan ==<br />
*Set expectations of assessment program for all interested parties.<br />
*Alert Operations team of upcoming activities.<br />
*Gather written buy-in from application stakeholders for the assessment activities.<br />
*Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines and enforce these in compliance with relevant global regulations and standards.<br />
*Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST)</div>Rsnakehttps://wiki.owasp.org/index.php?title=Day_2&diff=187054Day 22014-12-15T17:27:51Z<p>Rsnake: </p>
<hr />
<div>== Key Activities ==<br />
*Become intimately familiar with what you are meant to protect and at what level.<br />
*Define processes, procedures, and checklists to align assessment strategies to business needs.<br />
*Effectively communicate the introduction and goals of the Application Security assessment program.<br />
*Provide a single point of contact for the program.<br />
<br />
== Asset Discovery ==<br />
*Gather Internal, External and Hosted IP ranges.<br />
*Catalogue known domains and subdomains.<br />
*Identify asset meta-data locations. (CMDBs, GRCs, etc.).<br />
*Identify site owners, where those are not already known.<br />
*Gather assessment credentials, including multiple roles for horizontal and vertical testing.<br />
*Identify the rate of application change (e.g. monthly, weekly, etc.…)<br />
<br />
== Asset Risk Prioritization ==<br />
*Develop or leverage existing methodology for stack ranking the value of your assets to the business based on<br />
impact to confidentiality, integrity and availability (C.I.A.). (See: [http://csrc.nist.gov/publications/fips/fips199/FIPSPUB-199-final.pdf])<br />
<br />
POTENTIAL IMPACT<br />
<br />
{| class="wikitable" style="color:black; background-color:#C1D9DD;" cellpadding="10"<br />
!SECURITY OBJECTIVE<br />
!LOW<br />
!MODERATE<br />
!HIGH<br />
|-<br />
|Confidentiality<br />
Preserving authorized restrictions on information<br />
access and disclosure, including means for protecting<br />
personal privacy and proprietary information. [44 U.S.C., SEC. 3542]<br />
|The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.<br />
|The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.<br />
|The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
|-<br />
|Integrity<br />
Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation<br />
and authenticity. [44 U.S.C., SEC. 3542]<br />
|The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.<br />
|The unauthorized modification or destruction of information could be expected to have a serious adverse effect on<br />
organizational operations, organizational assets, or individuals.<br />
|The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
|-<br />
|Availability<br />
Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]<br />
|The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.<br />
|The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.<br />
|The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
|}<br />
<br />
*Map asset criticality against attacker profiles with use of a GRC* (Governance Risk Management and Compliance) tool if available, or using an information asset register such as the University of Oxford Information Asset Register Tool<br />
<br />
For example:<br />
**Tier 1 = Targeted Govt./State sponsor.<br />
**Tier 2 = Hactivism<br />
**Tier 3 = Random Opportunistic<br />
<br />
*Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.<br />
<br />
== Communication Plan ==<br />
*Set expectations of assessment program for all interested parties.<br />
*Alert Operations team of upcoming activities.<br />
*Gather written buy-in from application stakeholders for the assessment activities.<br />
*Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and guidelines and enforce these in compliance with relevant global regulations and standards.<br />
*Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST)</div>Rsnakehttps://wiki.owasp.org/index.php?title=Day_2&diff=187053Day 22014-12-15T17:26:18Z<p>Rsnake: Created page with "== Key Activities == *Become intimately familiar with what you are meant to protect and at what level. *Define processes, procedures, and checklists to align assessment strate..."</p>
<hr />
<div>== Key Activities ==<br />
*Become intimately familiar with what you are meant to protect and at what level.<br />
*Define processes, procedures, and checklists to align assessment strategies to business needs.<br />
*Effectively communicate the introduction and goals of the Application Security assessment program.<br />
*Provide a single point of contact for the program.<br />
<br />
== Asset Discovery ==<br />
*Gather Internal, External and Hosted IP ranges.<br />
*Catalogue known domains and subdomains.<br />
*Identify asset meta-data locations. (CMDBs, GRCs, etc.).<br />
*Identify site owners, where those are not already known.<br />
*Gather assessment credentials, including multiple roles for horizontal and vertical testing.<br />
*Identify the rate of application change (e.g. monthly, weekly, etc.…)<br />
<br />
== Asset Risk Prioritization ==<br />
*Develop or leverage existing methodology for stack ranking the value of your assets to the business based on<br />
impact to confidentiality, integrity and availability (C.I.A.). (See: [http://csrc.nist.gov/publications/fips/fips199/FIPSPUB-199-final.pdf])<br />
<br />
POTENTIAL IMPACT<br />
<br />
{| class="wikitable" style="color:black; background-color:#C1D9DD;" cellpadding="10"<br />
!SECURITY OBJECTIVE<br />
!LOW<br />
!MODERATE<br />
!HIGH<br />
|-<br />
|Confidentiality<br />
Preserving authorized restrictions on information<br />
access and disclosure, including means for protecting<br />
personal privacy and proprietary information. [44 U.S.C., SEC. 3542]<br />
|The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.<br />
|The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.<br />
|The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
|-<br />
|Integrity<br />
Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation<br />
and authenticity. [44 U.S.C., SEC. 3542]<br />
|The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.<br />
|The unauthorized modification or destruction of information could be expected to have a serious adverse effect on<br />
organizational operations, organizational assets, or individuals.<br />
|The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
|-<br />
|Availability<br />
Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]<br />
|The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.<br />
|The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.<br />
|The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
|}<br />
<br />
*Map asset criticality against attacker profiles with use of a GRC* (Governance Risk Management and Compliance)<br />
tool if available, or using an information asset register such as the University of Oxford Information Asset Register<br />
Tool<br />
<br />
For example:<br />
*Tier 1 = Targeted Govt./State sponsor.<br />
*Tier 2 = Hactivism<br />
*Tier 3 = Random Opportunistic<br />
<br />
*Implement ISO 17799: Asset Management or similar standard to improve governance of application assets.<br />
<br />
== Communication Plan ==<br />
*Set expectations of assessment program for all interested parties.<br />
*Alert Operations team of upcoming activities.<br />
*Gather written buy-in from application stakeholders for the assessment activities.<br />
*Develop, publish, and maintain comprehensive application security and privacy standards, policies, procedures and<br />
guidelines and enforce these in compliance with relevant global regulations and standards.<br />
*Define, document and share application business continuity and incident response plan. (Business Continuity Plan Resources: ITIL, COBIT, NIST)</div>Rsnakehttps://wiki.owasp.org/index.php?title=Day_3&diff=187052Day 32014-12-15T17:18:16Z<p>Rsnake: Created page with "== Key Activities == *Measure current vulnerability posture. *Initiate vulnerability testing. *Triage vulnerabilities. == Vulnerability Assessments == To determine what sor..."</p>
<hr />
<div>== Key Activities == <br />
*Measure current vulnerability posture.<br />
*Initiate vulnerability testing.<br />
*Triage vulnerabilities.<br />
<br />
== Vulnerability Assessments == <br />
To determine what sort of vulnerability assessment is most appropriate, consider your current status and resources:<br />
<br />
{| class="wikitable" style="color:black; background-color:#C1D9DD;" cellpadding="10"<br />
!Scenario<br />
!Appropriate Assessments<br />
|-<br />
|Resources and support for immediate unlimited continuous assessments<br />
|Perform assessments across all discovered assets<br />
|-<br />
|Limited resources or appetite for unlimited continuous assessments<br />
|At a minimum frequency of testing should keep or exceed rate of change in asset<br />
|-<br />
|Application currently exist in production environment:<br />
|Begin dynamic* assessments for these existing applications<br />
|-<br />
|Source Code of your application(s) is available on the internet (Freely available, stolen, etc.)<br />
|Begin Static Analysis assessments<br />
|-<br />
|Business is subject to compliance mandate requiring Static Analysis<br />
|Begin Static Analysis assessments<br />
|-<br />
|New development project of an application Begin Static Analysis assessments<br />
|Dynamic assessments completed and application security program in continuous improvement cycle<br />
|-<br />
|Begin Static Analysis assessments<br />
|Begin Dynamic Analysis in QA/Staging<br />
|}<br />
<br />
Other scenarios to consider Static Analysis as the first assessment type or in parallel with Dynamic Analysis:<br />
*High developer attrition rate<br />
*Known internal bad actors<br />
*Disgruntled current or former employee with access to source code<br />
*Outsourced code<br />
<br />
== Static Analysis ==<br />
Static Code Analysis (also known as Source Code Analysis or Static Application Security Testing (SAST)) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.<br />
<br />
== Dynamic Analysis == <br />
Dynamic Application Security Testing (DAST), also referred to as “black-box” testing, identifies vulnerabilities in running web applications – testing of the application from the outside in.<br />
<br />
== Vulnerability delivery == <br />
To deliver valuable vulnerability information to your business, you must:<br />
*Document vulnerability delegation and vulnerability lifecycle process<br />
*Feed issues into existing tracking systems where possible to preserve the existing workflow<br />
*Triage vulnerabilities prior to feeding them into your defect management systems<br />
*Ensure only true positives are fed to development teams<br />
*Track re-testing of vulnerabilities via new incident/ticket or update existing incident/ticket.<br />
*Define which issues are important to the business<br />
*Create a baseline of the issues that are important to the business<br />
*Align vulnerability remediation strategy with loss exposure versus resources available to fix<br />
*Create a knowledge base of common issues and their solutions<br />
*Dedicate resource(s) to developer interactions, including educating developers on security topics<br />
*Publish aggregate metrics internally<br />
*Match or outpace release cycles in detecting and responding to vulnerabilities.</div>Rsnakehttps://wiki.owasp.org/index.php?title=Day_4&diff=186912Day 42014-12-12T16:29:15Z<p>Rsnake: </p>
<hr />
<div>= Key Activities ==<br />
*Measure and improve assessment service delivery.<br />
<br />
== Measured Metrics ==<br />
* Compare against industry metrics and interdepartmental metrics.<br />
* Compare behaviors to measured metrics to identify which initiatives drive improvement of metrics and security program.<br />
== Metric Definition ==<br />
<br />
{| class="wikitable" style="color:black; background-color:#C1D9DD;" cellpadding="10"<br />
!Metric<br />
!Definition<br />
|-<br />
|Number of Vulnerabilities <br />
|The total count of vulnerabilities during the analysis period; valuable as a metric over time. Time Open This value represents the number of partial days since the vulnerability was opened as of the specific evaluation date. It only includes open vulnerabilities and not vulnerabilities that were closed. It is computed as the evaluation date less the open date for the vulnerability.<br />
|-<br />
|Time-to-Fix <br />
|The Time-to-Fix is the number of partial days required to close a vulnerability. It is based on the vulnerabilities that were closed during the analysis period.<br />
|-<br />
|Remediation Rate<br />
|The Remediation Rate is the ratio of the number of vulnerabilities closed over the number of vulnerabilities opened over a given period of time. A vulnerability is considered closed if it closed during the analysis period. A vulnerability is considered open if it was open at some time during the analysis period. Therefore, vulnerability could be counted as open and closed.<br />
|-<br />
|Vulnerability Class<br />
|Likelihood Vulnerability Class Likelihood is the percentage of active applications that have at least one open vulnerability in a given vulnerability class over a given period of time. It is determined by counting the number of applications that have at least one open vulnerability in a given vulnerability class over the number of active applications.<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Day_4&diff=186910Day 42014-12-12T16:25:10Z<p>Rsnake: Created page with "= Key Activities == *Measure and improve assessment service delivery. == Measured Metrics == * Compare against industry metrics and interdepartmental metrics. * Compare behav..."</p>
<hr />
<div>= Key Activities ==<br />
*Measure and improve assessment service delivery.<br />
<br />
== Measured Metrics ==<br />
* Compare against industry metrics and interdepartmental metrics.<br />
* Compare behaviors to measured metrics to identify which initiatives drive improvement of metrics and security program.<br />
== Metric Definition ==<br />
<br />
{| class="wikitable" style="color:black; background-color:#000011;" cellpadding="10"<br />
|Number of Vulnerabilities <br />
|The total count of vulnerabilities during the analysis period; valuable as a metric over time. Time Open This value represents the number of partial days since the vulnerability was opened as of the specific evaluation date. It only includes open vulnerabilities and not vulnerabilities that were closed. It is computed as the evaluation date less the open date for the vulnerability.<br />
|-<br />
|Time-to-Fix <br />
|The Time-to-Fix is the number of partial days required to close a vulnerability. It is based on the vulnerabilities that were closed during the analysis period.<br />
|-<br />
|Remediation Rate<br />
|The Remediation Rate is the ratio of the number of vulnerabilities closed over the number of vulnerabilities opened over a given period of time. A vulnerability is considered closed if it closed during the analysis period. A vulnerability is considered open if it was open at some time during the analysis period. Therefore, vulnerability could be counted as open and closed.<br />
|-<br />
|Vulnerability Class<br />
|Likelihood Vulnerability Class Likelihood is the percentage of active applications that have at least one open vulnerability in a given vulnerability class over a given period of time. It is determined by counting the number of applications that have at least one open vulnerability in a given vulnerability class over the number of active applications.<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Day_5&diff=186908Day 52014-12-12T16:20:26Z<p>Rsnake: </p>
<hr />
<div>== Key activities ==<br />
*Implement compensating controls & mitigation controls<br />
*Remediation Prioritization<br />
<br />
== Compensating Controls ==<br />
*Implement compensating controls to limit the likelihood of successful attacks; for example, deploy web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks.<br />
<br />
== Mitigating Controls ==<br />
*Implement mitigating controls to discover and prevent mistakes that may lead to the introduction of vulnerabilities; for example, Control 6 of the CSIS 20 Critical Security Controls – Application Software Security. Build security into the development life cycle.<br />
<br />
== Remediation Prioritization ==<br />
*Implement remediation prioritization driven by financial calculations. Compare the cost of fixing specific</div>Rsnakehttps://wiki.owasp.org/index.php?title=Day_5&diff=186907Day 52014-12-12T16:20:15Z<p>Rsnake: Created page with "== Key activities == *Implement compensating controls & mitigation controls *Remediation Prioritization == Compensating Controls == *Implement compensating controls to limit..."</p>
<hr />
<div>== Key activities ==<br />
*Implement compensating controls & mitigation controls<br />
*Remediation Prioritization<br />
<br />
== Compensating Controls ==<br />
*Implement compensating controls to limit the likelihood of successful attacks; for example, deploy web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks.<br />
<br />
== Mitigating Controls ==<br />
*Implement mitigating controls to discover and prevent mistakes that may lead to the introduction of vulnerabilities; for example, Control 6 of the CSIS 20 Critical Security Controls – Application Software Security. Build security into the development lifecycle.<br />
<br />
== Remediation Prioritization ==<br />
*Implement remediation prioritization driven by financial calculations. Compare the cost of fixing specific</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=186906Application Security Program Quick Start Guide2014-12-12T16:20:03Z<p>Rsnake: /* The Application Security Program Quick Start Guide */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
Placeholder<br />
<br />
== Contents ==<br />
<br />
<br />
* Preface<br />
** [[AppSec Quick Start Guide: About this guide|About this guide]]<br />
** [[AppSec Quick Start Guide: Audience|Audience]]<br />
<br />
== [[Day 1]] ==<br />
[[''''' **Key Activities: ''''']] <br />
***Evaluation <br />
''''' *Key Questions: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development <br />
== [[Day 2]] ==<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
== [[Day 3]] ==<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
== [[Day 4]] == <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
== [[Day 5]] ==<br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| '''Matt Johansen''']]<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=186904Application Security Program Quick Start Guide2014-12-12T16:19:34Z<p>Rsnake: /* The Application Security Program Quick Start Guide */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
Placeholder<br />
<br />
== Contents ==<br />
<br />
<br />
* Preface<br />
** [[AppSec Quick Start Guide: About this guide|About this guide]]<br />
** [[AppSec Quick Start Guide: Audience|Audience]]<br />
<br />
[[Day 1]]<br />
[[''''' **Key Activities: ''''']] <br />
***Evaluation <br />
''''' *Key Questions: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development <br />
[[Day 2]]<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
[[Day 3]]<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
[[Day 4]] <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
== [[Day 5]] ==<br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| '''Matt Johansen''']]<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=186903Application Security Program Quick Start Guide2014-12-12T16:18:24Z<p>Rsnake: /* The Application Security Program Quick Start Guide */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
Placeholder<br />
<br />
== Contents ==<br />
<br />
<br />
* Preface<br />
** [[AppSec Quick Start Guide: About this guide|About this guide]]<br />
** [[AppSec Quick Start Guide: Audience|Audience]]<br />
<br />
[[Day 1]]<br />
[[''''' **Key Activities: ''''']] <br />
***Evaluation <br />
''''' *Key Questions: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development <br />
[[Day 2]]<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
[[Day 3]]<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
[[Day 4]] <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
[[*Day 5]]<br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| '''Matt Johansen''']]<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=186893Application Security Program Quick Start Guide2014-12-12T16:11:25Z<p>Rsnake: /* Contents */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
Placeholder<br />
<br />
== Contents ==<br />
<br />
<br />
* Preface<br />
** [[AppSec Quick Start Guide: About this guide|About this guide]]<br />
** [[AppSec Quick Start Guide: Audience|Audience]]<br />
<br />
*Day 1<br />
[[''''' **Key Activities: ''''']] <br />
***Evaluation <br />
''''' *Key Questions: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development <br />
''' *Day 2'''<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
''' *Day 3'''<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
''' *Day 4''' <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
''' [[*Day 5]]'''<br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| '''Matt Johansen''']]<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=186889Application Security Program Quick Start Guide2014-12-12T16:05:18Z<p>Rsnake: /* Contents */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
Placeholder<br />
<br />
== Contents ==<br />
<br />
<br />
* Preface<br />
** [[AppSec Quick Start Guide: About this guide|About this guide]]<br />
** [[AppSec Quick Start Guide: Audience|Audience]]<br />
<br />
*Day 1<br />
[[''''' **Key Activities: ''''']] <br />
***Evaluation <br />
''''' *Key Questions: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development <br />
''' *Day 2'''<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
''' *Day 3'''<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
''' *Day 4''' <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
[[''' *Day 5''']] <br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| '''Matt Johansen''']]<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=186888Application Security Program Quick Start Guide2014-12-12T15:58:59Z<p>Rsnake: /* Other contributors */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
Placeholder<br />
<br />
== Contents ==<br />
<br />
<br />
* Preface<br />
** [[AppSec Quick Start Guide: About this guide|About this guide]]<br />
** [[AppSec Quick Start Guide: Audience|Audience]]<br />
<br />
*Day 1<br />
[[''''' **Key Activities: ''''']] <br />
***Evaluation <br />
''''' *Key Questions: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development <br />
''' *Day 2'''<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
''' *Day 3'''<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
''' *Day 4''' <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
''' *Day 5''' <br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization <br />
<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| '''Matt Johansen''']]<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=186887Application Security Program Quick Start Guide2014-12-12T15:58:46Z<p>Rsnake: /* Project lead and authors */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
Placeholder<br />
<br />
== Contents ==<br />
<br />
<br />
* Preface<br />
** [[AppSec Quick Start Guide: About this guide|About this guide]]<br />
** [[AppSec Quick Start Guide: Audience|Audience]]<br />
<br />
*Day 1<br />
[[''''' **Key Activities: ''''']] <br />
***Evaluation <br />
''''' *Key Questions: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development <br />
''' *Day 2'''<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
''' *Day 3'''<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
''' *Day 4''' <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
''' *Day 5''' <br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization <br />
<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs| '''Gabriel Gumbs''']]<br />
* [[User:JeremiahGrossman| '''Jeremiah Grossman''']]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| MattJohansen]]<br />
<br />
<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=186886Application Security Program Quick Start Guide2014-12-12T15:58:20Z<p>Rsnake: /* Project lead and authors */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
Placeholder<br />
<br />
== Contents ==<br />
<br />
<br />
* Preface<br />
** [[AppSec Quick Start Guide: About this guide|About this guide]]<br />
** [[AppSec Quick Start Guide: Audience|Audience]]<br />
<br />
*Day 1<br />
[[''''' **Key Activities: ''''']] <br />
***Evaluation <br />
''''' *Key Questions: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development <br />
''' *Day 2'''<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
''' *Day 3'''<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
''' *Day 4''' <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
''' *Day 5''' <br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization <br />
<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs|GabrielGumbs]]<br />
* [[User:JeremiahGrossman| JeremiahGrossman]]<br />
* [[User:Rsnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| MattJohansen]]<br />
<br />
<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=User:Rsnake&diff=186885User:Rsnake2014-12-12T15:57:50Z<p>Rsnake: Created page with "Hello there! This is RSnake. Yup, it's me."</p>
<hr />
<div>Hello there! This is RSnake. Yup, it's me.</div>Rsnakehttps://wiki.owasp.org/index.php?title=Application_Security_Program_Quick_Start_Guide&diff=186884Application Security Program Quick Start Guide2014-12-12T15:57:13Z<p>Rsnake: /* Project lead and authors */</p>
<hr />
<div>__NOTOC__<br />
<br />
{| width="100%" cellspacing="0" cellpadding="10"<br />
|- valign="top"<br />
| width="70%" style="background:#d9e9f9" |<br />
<br />
= The Application Security Program Quick Start Guide =<br />
<br />
Placeholder<br />
<br />
== Contents ==<br />
<br />
<br />
* Preface<br />
** [[AppSec Quick Start Guide: About this guide|About this guide]]<br />
** [[AppSec Quick Start Guide: Audience|Audience]]<br />
<br />
*Day 1<br />
[[''''' **Key Activities: ''''']] <br />
***Evaluation <br />
''''' *Key Questions: ''''' <br />
*Management<br />
*Security<br />
*IT Ops<br />
*Engineering Groups (inc. QA)/Development <br />
''' *Day 2'''<br />
''''' **Key Activities: ''''' <br />
*Asset Discovery <br />
*Asset Risk Prioritization<br />
*Communication Plan<br />
''' *Day 3'''<br />
''''' **Key Activities: ''''' <br />
*Vulnerability Assessments <br />
*Vulnerability delivery <br />
''' *Day 4''' <br />
''''' **Key Activities: ''''' <br />
*Measured Metrics <br />
''' *Day 5''' <br />
''''' **Key activities: ''''' <br />
*Compensating Controls <br />
*Mitigating Controls <br />
*Remediation Prioritization <br />
<br />
<br />
== Licensing ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license].<br />
You are free to: <br />
*Share — copy and redistribute the material in any medium or format <br />
*Adapt — remix, transform, and build upon the material for non-commercial use<br />
<br />
The licensor cannot revoke these freedoms as long as you follow the license terms.<br />
<br />
| width="100" style="max-height:200px;overflow:hidden;background:#fff;margin:0;padding:0;" cellpadding="0" |<br />
<br />
<br />
| width="30%" style="background:#eeeeee" |<br />
<br />
=Credits =<br />
<br />
== Project lead and authors ==<br />
<br />
* [[User:Gabrielgumbs|GabrielGumbs]]<br />
* [[User:JeremiahGrossman| JeremiahGrossman]]<br />
* [[User:RSnake| '''Robert Hansen''']]<br />
* [[User:Jerryhoff|'''Jerry Hoff''']]<br />
<br />
== Other contributors ==<br />
<br />
Co-authors, contributors and reviewers:<br />
<br />
* [[User: MattJohansen| MattJohansen]]<br />
<br />
<br />
<br />
= Further Information =<br />
<br />
== Application Security Program Quick Start Guide ==<br />
<br />
The OWASP Application Security Program Quick Start Guide is also available as<br />
* [https://www.owasp.org/index.php/File:PlaceHolder.pdf Free downloadable PDF] <br />
<br />
<br />
For full information about the Application Security Program Quick Start Guide, including mailing list details, the forward plan, how to contribute, the project status, and alternative media, see the project page:<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project The Application Security Program Quick Start Guide Project Page]<br />
<br />
<br />
<br />
<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Robert_%22RSnake%22_Hansen_(SecTheory)&diff=134863Robert "RSnake" Hansen (SecTheory)2012-08-27T17:48:20Z<p>Rsnake: Updates</p>
<hr />
<div>'''Robert Hansen (OWASP 2.0 guide contributor, OWASP AppSec US ’08 speaker)'''<br />
<br />
Robert "RSnake" Hansen (CISSP) is the Chief Executive Officer of Falling Rock Networks. Falling Rock Networks creates next generation super-secure OS/Webserver stacks. Robert has been working with web application security since the mid 90’s, beginning his career in banner click fraud detection at ValueClick. Robert has worked for Cable & Wireless heading up managed security services, and at eBay as Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-cross-site scripting, and anti-virus strategies. Robert also sits on the technical advisory board of Lockify. Before Falling Rock Networks and SecTheory, Robert’s career fluctuated from Sr. Security Architect to Director of Product Management for a publicly traded Real Estate company, giving him a great breath of knowledge of the entire security landscape. Robert now focuses on upcoming threats, detection circumvention and next generation security theory. Robert is probably best known for founding the web application security lab at ha.ckers.org and is more popularly known as “RSnake.” Robert is a member of WASC, IACSP, and ISSA, and contributed to the OWASP 2.0 guide.<br />
<br />
Robert is formally an OWASP Connections Committee member and a current member of the Blackhat security conference speaker committee, the "Hack in the Box" speaker committee and the World OWASP/LASCON speaker committee. Robert is a co-author of the authoritative book “XSS Exploits: Cross Site Scripting Attacks and Defense” (Syngress) and of "Detecting Malice" (eBook).</div>Rsnakehttps://wiki.owasp.org/index.php?title=Global_Conferences_Committee_-_Application_10&diff=109985Global Conferences Committee - Application 102011-05-04T17:25:39Z<p>Rsnake: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]] <br />
<br />
----<br />
<br />
{| border="0" align="center" style="width:100%"<br />
|-<br />
! align="center" style="background:#4058A0; color:white" colspan="2" | <font color="white">'''COMMITTEE APPLICATION FORM'''</font><br />
|-<br />
| align="center" style="width:25%; background:#7B8ABD" | '''Applicant's Name''' <br />
| align="left" style="width:85%; background:#cccccc" colspan="1" | <font color="black">Josh Sokol</font><br />
|-<br />
| align="center" style="width:25%; background:#7B8ABD" | '''Current and past OWASP Roles''' <br />
| align="left" style="width:85%; background:#cccccc" colspan="1" | Austin OWASP President, LASCON Co-Chair, Austin OWASP Vice President<br />
|-<br />
| align="center" style="width:25%; background:#7B8ABD" | '''Committee Applying for''' <br />
| align="left" style="width:85%; background:#cccccc" colspan="1" | Global Conferences Committee<br />
|}<br />
<br />
----<br />
<br />
<br> <br />
<br />
----<br />
<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote. <br />
<br />
----<br />
<br />
<br> <br />
<br />
----<br />
<br />
{| border="0" align="center" style="width:100%"<br />
|-<br />
! align="center" style="background:#4058A0; color:white" colspan="8" | <font color="white">'''COMMITTEE RECOMMENDATIONS'''</font><br />
|-<br />
! align="center" style="background:white; color:white" | <font color="black"></font><br />
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Who Recommends/Name'''</font><br />
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Role in OWASP'''</font><br />
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Recommendation Content'''</font><br />
|-<br />
| align="center" style="width:3%; background:#cccccc" | '''1''' <br />
| align="center" style="width:20%; background:#cccccc" | James Wickett<br />
| align="center" style="width:20%; background:#cccccc" | VP&nbsp;of Austin OWASP&nbsp;Chapter<br />
| align="center" style="width:57%; background:#cccccc" | Josh is a hard worker and has led the OWASP&nbsp;Austin chapter for 2010 and 2011. &nbsp;Josh has been an instrumental part of the chapter even before that time and has served in many capacities to make OWASP&nbsp;successful in Austin--from communication to members to arranging food for events to speaking at meetings. &nbsp;I&nbsp;highly recommend Josh and I&nbsp;know that he would make a good addition to the committee. &nbsp;<br />
|-<br />
| align="center" style="width:3%; background:#cccccc" | '''2''' <br />
| align="center" style="width:20%; background:#cccccc" | Brad Causey<br />
| align="center" style="width:20%; background:#cccccc" | GPC Member<br />
| align="center" style="width:57%; background:#cccccc" | I've enjoyed working with Josh on each of my multiple occasions visiting the Austin, TX Chapter. It seems like everything Josh touches, is done exquisitely. OWASP would be well served by adding Josh to it's list of global leaders.<br />
|-<br />
| align="center" style="width:3%; background:#cccccc" | '''3''' <br />
| align="center" style="width:20%; background:#cccccc" | Robert Hansen<br />
| align="center" style="width:20%; background:#cccccc" | Ex-Connections Committee Member<br />
| align="center" style="width:57%; background:#cccccc" | Josh has been working with the Austin OWASP Chapter for the past couple of years and has provided immeasurable assistance to the chapter in drumming up membership, getting top-notch presenters, and generally supporting our activities. He is a stand up person and is amongst the smartest security people I know. I think he would be an excellent fit for the OWASP Global Conferences Committee role and he has my highest recommendation for this position. <br />
|-<br />
| align="center" style="width:3%; background:#cccccc" | '''4''' <br />
| align="center" style="width:20%; background:#cccccc" | <br />
| align="center" style="width:20%; background:#cccccc" | <br />
| align="center" style="width:57%; background:#cccccc" | <br />
|-<br />
| align="center" style="width:3%; background:#cccccc" | '''5''' <br />
| align="center" style="width:20%; background:#cccccc" | <br />
| align="center" style="width:20%; background:#cccccc" | <br />
| align="center" style="width:57%; background:#cccccc" | <br />
|}<br />
<br />
----</div>Rsnakehttps://wiki.owasp.org/index.php?title=Global_Chapter_Committee_-_Application_6&diff=99590Global Chapter Committee - Application 62011-01-10T17:16:41Z<p>Rsnake: </p>
<hr />
<div>{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Ofer Maor<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Israel Chapter Leader<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Chapters Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"| Mark Bristow<br />
| style="width:20%; background:#cccccc" align="center"| Global Conferences Committee Chair, AppSec DC Organizer, OWASP DC Lead<br />
| style="width:57%; background:#cccccc" align="center"| Ofer has been doing an excellent job in promoting OWASP in the vibrant Israeli government, security, and development community. His energy and insights would make a great addition to the committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"| Robert "RSnake" Hansen<br />
| style="width:20%; background:#cccccc" align="center"| Global Connections Committee, Board of Austin OWASP<br />
| style="width:57%; background:#cccccc" align="center"| Ofer is one of the most knowledgeable people in OWASP around detection and penetration testing. I see no reason he couldn't help organize the chapters. I, for one, welcome his expertise.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}</div>Rsnakehttps://wiki.owasp.org/index.php?title=Global_Membership_Committee_-_Application_3&diff=99589Global Membership Committee - Application 32011-01-10T17:15:14Z<p>Rsnake: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Ofer Maor<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Israel Chapter Leader<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Global Membership Committee.<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"| Mark Bristow<br />
| style="width:20%; background:#cccccc" align="center"| Global Conferences Committee Chair, AppSec DC Organizer, OWASP DC Lead<br />
| style="width:57%; background:#cccccc" align="center"| Ofer has been doing an excellent job in promoting OWASP in the vibrant Israeli government, security, and development community. His energy and insights would make a great addition to the committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"| Robert "RSnake" Hansen<br />
| style="width:20%; background:#cccccc" align="center"| Global Connections Committee, Board of Austin OWASP<br />
| style="width:57%; background:#cccccc" align="center"| Ofer is one of the most knowledgeable people in OWASP around detection and penetration testing. I see no reason he couldn't help recruit more people into OWASP, leading by example.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Rsnakehttps://wiki.owasp.org/index.php?title=OWASP_Connections_Committee&diff=75503OWASP Connections Committee2009-12-26T16:33:30Z<p>Rsnake: /* Committee Members */</p>
<hr />
<div>===About the OWASP Connections Committee (OCC)===<br />
The OWASP Connections Committee was created during the OWASP AppSec DC 2009 conference<br />
<br />
===Responsibilities===<br />
* Make connections between the OWASP Community and the materials it creates<br />
* Handle PR and promotion of OWASP foundation, projects and events<br />
* Manage OWASP Newsletters<br />
* Manage OWASP 'collaboration tools': LinkedIn, Twitter feeds, etc...<br />
** Manage the WIKI account creation authorization process<br />
* Handle issues related to the OWASP Community and its leaders<br />
* Expand OWASP range to include other non-'Web Application Security' groups, namely Developers<br />
* Help OWASP to have further participation at non-OWASP conferences<br />
* Manager participation at OWASP conferences and chapters of 'special' speakers and groups<br />
* Work with the OWASP Website project, and help to restructure the current website around its target audience (or maybe help to create a new 'user-focused' OWASP website )<br />
<br />
===Committee Members===<br />
* Lorna Alamri<br />
* Robert Hansen, (RSnake)<br />
* Dinis Cruz<br />
* Tom Brennan<br />
* Justin Clarke</div>Rsnakehttps://wiki.owasp.org/index.php?title=7th_OWASP_AppSec_Conference_-_San_Jose_2007_/_OWASP_Leaders_Meeting_-_Nov_14_6pm&diff=233957th OWASP AppSec Conference - San Jose 2007 / OWASP Leaders Meeting - Nov 14 6pm2007-11-13T19:32:39Z<p>Rsnake: /* Attendees */</p>
<hr />
<div>This page contains the agenda for the OWASP Leaders meeting that will occur during the next OWASP conference in San Jose (see its [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda|Agenda]] for more details<br />
<br />
<br />
== Items to discuss ==<br />
<br />
* OWASP Internal Structure<br />
* OWASP 2008 (blueprint)<br />
* OotM - OWASP on the Move<br />
* Next SpoC<br />
* OWASP Books<br />
* 2008 NYC OWASP CON Update<br />
<br />
<br />
== Attendees ==<br />
<br />
* Dinis Cruz<br />
* Ofer Shezaf<br />
* Jeff Williams<br />
* Dave Wichers<br />
* Tom Brennan<br />
* Robert "RSnake" Hansen<br />
** If your attending, update the wiki so we have a head count for the RSVP</div>Rsnakehttps://wiki.owasp.org/index.php?title=Cross_Site_Scripting_Flaw&diff=7088Cross Site Scripting Flaw2006-07-04T00:04:25Z<p>Rsnake: </p>
<hr />
<div>==Description==<br />
Cross-site scripting (sometimes referred to as XSS) vulnerabilities occur when an attacker uses a web application to send malicious code, generally in the form of a script, to a different end user. These flaws are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating it.<br />
<br />
An attacker can use cross site scripting to send malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.<br />
<br />
XSS attacks can generally be categorized into two categories: stored and reflected. Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web server. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a ‘trusted’ server.<br />
<br />
The consequence of an XSS attack is the same regardless of whether it is stored or reflected. The difference is in how the payload arrives at the server. Do not be fooled into thinking that a “read only” or “brochureware” site is not vulnerable to serious reflected XSS attacks. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, and modifying presentation of content. An XSS vulnerability allowing an attacker to modify a press release or news item could affect a company’s stock price or lessen consumer confidence. An XSS vulnerability on a pharmaceutical site could allow an attacker to modify dosage information resulting in an overdose.<br />
<br />
Attackers frequently use a variety of methods to encode the malicious portion of the tag, such as using Unicode, so the request is less suspicious looking to the user. There are hundreds of variants of these attacks, including versions that do not even require any < > symbols. For this reason, attempting to “filter out” these scripts is not likely to succeed. Instead we recommend validating input against a rigorous positive specification of what is expected. XSS attacks usually come in the form of embedded JavaScript. However, any embedded active content is a potential source of danger, including: ActiveX (OLE), VBscript, Shockwave, Flash and more.<br />
<br />
XSS issues can also be present in the underlying web and application servers as well. Most web and application servers generate simple web pages to display in the case of various errors, such as a 404 ‘page not found’ or a 500 ‘internal server error.’ If these pages reflect back any information from the user’s request, such as the URL they were trying to access, they may be vulnerable to a reflected XSS attack.<br />
<br />
The likelihood that a site contains XSS vulnerabilities is extremely high. There are a wide variety of ways to trick web applications into relaying malicious scripts. Developers that attempt to filter out the malicious parts of these requests are very likely to overlook possible attacks or encodings. Finding these flaws is not tremendously difficult for attackers, as all they need is a browser and some time. There are numerous free tools available that help hackers find these flaws as well as carefully craft and inject XSS attacks into a target site.<br />
<br />
==Environments Affected==<br />
<br />
All web servers, application servers, and web application environments are susceptible to cross site scripting. <br />
<br />
==Examples and References==<br />
* The Cross Site Scripting FAQ: http://www.cgisecurity.com/articles/xss-faq.shtml <br />
* XSS Cheat Sheet: http://ha.ckers.org/xss.html<br />
* CERT Advisory on Malicious HTML Tags: http://www.cert.org/advisories/CA-2000-02.html <br />
* CERT “Understanding Malicious Content Mitigation” http://www.cert.org/tech_tips/malicious_code_mitigation.html <br />
* Cross-Site Scripting Security Exposure Executive Summary: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/ExSumCS.asp <br />
* Understanding the cause and effect of CSS Vulnerabilities: http://www.technicalinfo.net/papers/CSS.html <br />
* OWASP Guide to Building Secure Web Applications and Web Services, Chapter 8: Data Validation http://www.owasp.org/documentation/guide.html <br />
* How to Build an HTTP Request Validation Engine (J2EE validation with Stinger) http://www.owasp.org/columns/jeffwilliams/jeffwilliams2 <br />
* Have Your Cake and Eat it Too (.NET validation) http://www.owasp.org/columns/jpoteet/jpoteet2 <br />
<br />
==How to Determine If You Are Vulnerable==<br />
XSS flaws can be difficult to identify and remove from a web application. The best way to find flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output. Note that a variety of different HTML tags can be used to transmit a malicious JavaScript. Nessus, Nikto, and some other available tools can help scan a website for these flaws, but can only scratch the surface. If one part of a website is vulnerable, there is a high likelihood that there are other problems as well.<br />
<br />
==How to Protect Yourself==<br />
<br />
The best way to protect a web application from XSS attacks is ensure that your application performs validation of all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed. The validation should not attempt to identify active content and remove, filter, or sanitize it. There are too many types of active content and too many ways of encoding it to get around filters for such content. We strongly recommend a ‘positive’ security policy that specifies what is allowed. ‘Negative’ or attack signature based policies are difficult to maintain and are likely to be incomplete.<br />
<br />
Encoding user supplied output can also defeat XSS vulnerabilities by preventing inserted scripts from being transmitted to users in an executable form. Applications can gain significant protection from javascript based attacks by converting the following characters in all generated output to the appropriate HTML entity encoding:<br />
<br />
[[Image:Toptena45.jpg|none|300px]]<br />
<br />
The [[:Category:OWASP Filters Project|OWASP Filters project]] is producing reusable components in several languages to help prevent many forms of parameter tampering, including the injection of XSS attacks. OWASP has also released [[OWASP CodeSeeker Project|CodeSeeker]], an application level firewall. In addition, the [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] training program has lessons on Cross Site Scripting and data encoding.<br />
<br />
==Categories==<br />
<br />
[[Category:OWASP Top Ten Project]]<br />
<br />
__NOEDITSECTION__</div>Rsnake