OWASP - User contributions [en]

CSV Injection

2015-09-23T08:04:55Z

Timo.goosen: Created page with "CSV Excel Macro Injection also known as CEMI. Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many use..."

CSV Excel Macro Injection also known as CEMI.

Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel,Libre Office or Open Office.
When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.

More info, probably first report of its kind:
*[https://hackerone.com/reports/72785 CSV Injection Hackerone]
*[http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/ CSV Vulnerabilities]

This attack exploits the trust of the user in two ways:
1. The user trusts the site that the content is coming from.
2. The user assumes that it is only a csv file and that it won't contain functions or macro's and won't care about any warnings from Excel about potential malicious
functionality in the file.

Cape Town

2015-09-14T07:44:40Z

Timo.goosen: /* Local News */

[[File:Owasp-cpt.jpg|800px|thumb|center| Logo]]

{{Chapter Template|chaptername=Cape Town|extra=The chapter leaders are [mailto:timo.goosen@owasp.org Timo Goosen]
[mailto:christo.goosen@owasp.org Christo Goosen] [mailto:liam.smit@owasp.org Liam Smit]
.|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-cape-town|emailarchives=http://lists.owasp.org/pipermail/owasp-cape-town}}
*[http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup OWASP Cape Town Chapter Meetup Group Join our meetup group]

== Local News ==

'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

===Join Our Events===

Please join our meetup group if you would like to attend future events:
It is important to RSVP if you would like to attend, our venue is not very big.
*[http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup OWASP Cape Town Chapter Meetup Group]

====Upcoming events====
*[http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup/events/224785079/ OWASP Cape Town Chapter Meetup 9 Sept 2015 - PCI DSS for Everyone]

*[http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup/events/223959271/ 12 Aug 2015 - Intro To Metasploit]

*[http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup/events/223412637/ 8 July 2015 - Enumeration for Pentesters & Fun CTF After]

*[https://www.owasp.org/index.php/First_Official_OWASP_Cape_Town_Meeting 7 June 2015 - First Official OWASP Cape Town Meeting]

*[https://www.owasp.org/index.php/3_Jun_2015_Codebridge Codebridge 3 Jun 2015]

'''Slides'''

Slides from 1st Official OWASP Cape Town Meeting: [https://www.owasp.org/images/c/cd/Owasp-meeting1-17jun2015.pdf 1st Meeting Slides]

Slides from 2nd Meeting [https://www.owasp.org/images/6/6e/Intro_To_Enumeration_FINAL_MAIL_OUT.odp Intro To Enumeration]

Slides Intro To Metasploit [https://www.owasp.org/index.php/File:Intro_To_Metasploit_FINAL.odp Intro To Metasploit]

Slides from PCI DSS Talk [https://docs.google.com/presentation/d/1spHkDjvLA4apqKmIGrKRfNB1cMHWB8nzwjW_A3QzVTs PCI DSS]

== Local Infosec Community ==

=== Conferences ===

*[http://www.bsidescapetown.co.za/ BSIDES Cape Town]

*[https://zacon.org.za ZACON]

=== Community Meetups ===
*[https://twitter.com/0xC0FFEE_CPT 0xC0FFEE Monthly Hacker Meetup]

[[Category:OWASP Chapter]]
[[Category:Africa]]
[[Category:South Africa]]

Cape Town

2015-09-09T11:38:42Z

Timo.goosen: /* Join Our Events */

{{Chapter Template|chaptername=Cape Town|extra=The chapter leaders are [mailto:timo.goosen@owasp.org Timo Goosen]
[mailto:christo.goosen@owasp.org Christo Goosen] [mailto:liam.smit@owasp.org Liam Smit]
.|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-cape-town|emailarchives=http://lists.owasp.org/pipermail/owasp-cape-town}}
*[http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup OWASP Cape Town Chapter Meetup Group Join our meetup group]

== Local News ==

'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

===Join Our Events===

Please join our meetup group if you would like to attend future events:
It is important to RSVP if you would like to attend, our venue is not very big.
*[http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup/events/224785079/ OWASP Cape Town Chapter Meetup 9 Sept 2015]

*[http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup OWASP Cape Town Chapter Meetup Group]

[https://www.owasp.org/index.php/3_Jun_2015_Codebridge Codebridge 3 Jun 2015]

[https://www.owasp.org/index.php/First_Official_OWASP_Cape_Town_Meeting First Official OWASP Cape Town Meeting]

'''Slides'''

Slides from 1st Official OWASP Cape Town Meeting: [https://www.owasp.org/images/c/cd/Owasp-meeting1-17jun2015.pdf 1st Meeting Slides]

Slides from 2nd Meeting [https://www.owasp.org/images/6/6e/Intro_To_Enumeration_FINAL_MAIL_OUT.odp Intro To Enumeration]

Slides Intro To Metasploit [https://www.owasp.org/index.php/File:Intro_To_Metasploit_FINAL.odp Intro To Metasploit]

[[Category:OWASP Chapter]]
[[Category:Africa]]
[[Category:South Africa]]

File:Intro To Metasploit FINAL.odp

2015-08-14T10:22:05Z

Timo.goosen: 12 Aug 2015 OWASP Cape Town Chapter Meeting Presentation

12 Aug 2015 OWASP Cape Town Chapter Meeting Presentation

OWASP Python Security Project

2015-07-17T08:29:49Z

Timo.goosen:

OWASP Education Presentation

2015-07-16T14:31:59Z

Timo.goosen: /* Chapter Presentations */

This page provide a commented overview of the OWASP presentations available.<br>
Please use the last line of the tables as template.<br>
Presentions can be tracked through:
* the [http://www.owasp.org/index.php/Category:OWASP_Presentations OWASP Presentations Category]
* [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference Past OWASP Conference agenda's]
* From the chapter pages
Everybody is encouraged to link the presentations and add their findings on this page !
There are currently hundreds of presentations all over the OWASP web site.
If you search google with “site:owasp.org filetype:ppt” there are 166 hits. “site:owasp.org filetype:pdf” returns 76.
Feel free to “mine” them and add them to the overview.

== OWASP Education Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Education Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (2015-07-04)
|-valign="top"
|[https://www.owasp.org/index.php/Education/Free_Training Free Developer Training]|| Developer AppSec Course by [[Eoin Keary]] and [https://www.owasp.org/index.php/User:Jmanico Jim Manico] || Intermediate || 2014-04-04
|-valign="top"
|[[:Image:OWASP Overview Winter 2009v1.pptx|OWASP Overview Winter 2009]]|| Updated overview of OWASP || Novice || 2009-12-08
|-valign="top"
|[[:Image:Programa_de_Educacion_OWASP.ppt|Programa de Educacion OWASP]]|| Una introduccion a OWASP para Universidades y Centros Educativos por Fabio Cerullo|| Novice || 2009-03-20
|-valign="top"
|[[:Image:OWASP_Educational_Programme.ppt|OWASP Educational Programme]]|| An introduction to OWASP for Universities & Educational Institutions by Fabio Cerullo|| Novice || 2009-03-20
|-valign="top"
|[[:Image:OWASP Overview Summer 2009.pptx|OWASP Overview Summer 2009]]|| Recent overview of OWASP by Jeff Williams || Novice || 2009-08-25
|-valign="top"
|[[:Image:Education Module Why WebAppSec Matters.ppt|Why WebAppSec Matters]]|| This module explains why security should be considered when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:OWASP-Intro-2008-portuguese.ppt|OWASP Intro 2008 Portuguese]]|| Este módulo é uma intrudução sobre o projeto OWASP. || Novice || 2008-07-06
|-valign="top"
|[[:Image:Education Module OWASP Top 10 Introduction and Remedies.ppt|OWASP Top 10 Introduction and Remedies]]|| This module explains the OWASP Top 10 web application vulnerabilities as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Embed within SDLC.ppt|Embed within SDLC]]|| This module explains the complete approach of Web Application Security when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Good Secure Development Practices.ppt|Good Secure Development Practices]]|| This module explains some good secure development practices when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Testing for Vulnerabilities.ppt|Testing for Vulnerabilities]]|| This module explains application security testing when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Good WebAppSec Resources.ppt|Good WebAppSec Resources]]|| This module points you to some good web application security resources when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|}
,
<br>

== OWASP Project Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Project Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (yyyy-mm-dd)
|-valign="top"
|[[:Image:Germany 2008 Conference OWASP Introduction v1.pptx|OWASP Introduction]] || OWASP Overview presentation covering OWASP, project parade and OWASP near you. Given by Seba during the Germany 2008 Conference || Novice || 2008-11-25
|-valign="top"
|[[:Image:OWASP Foundation The story so far and beyond - Part 1.ppt|India08 Keynote - Part 1]] || OWASP Overview presentation. Part 1 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[[:Image:OWASP Foundation The story so far and beyond - Part 2.ppt|India08 Keynote - Part 2]] || OWASP Overview presentation. Part 2 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[[:Image:OWASP India - Tour of OWASP projects.ppt|Tour of OWASP’s projects]] || Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[https://www.owasp.org/images/5/59/RISK_2008_OWASP_Introduction_v1.pptx OWASP @ RISK08 (Norway)] || OWASP introduction at Norway RISK2008 conference by Seba || Novice || 2008-04-23
|-valign="top"
|[[:Image:OWASP NY Keynote.ppt|OWASP NY Keynote by Jeff]] also available in [[:Image:20070620-FR-OWASP NY Keynote.ppt|French]]|| OWASP Overview presentation with slide "OWASP by the numbers" and slide with the sorry state of Tools (at best 45%) which caused some controverse || Novice || 2007-06-12
|-valign="top"
|[http://www.owasp.org/images/a/af/OWASP_Testing_Guide_Presentation.zip The OWASP Testing Guide (Jeff Williams)] || Overview of the OWASP Testing Guide || Novice || 2007-01-23
|-valign="top"
|[http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip The OWASP Testing Guide v2 EUSecWest07 (Matteo Meucci, Alberto Revelli)] || Presentation at EUSecWest07 || Intermediate || 2007-03-01
|-valign="top"
|[http://www.owasp.org/images/3/3c/OWASP_Flyer_Sep06.ppt OWASP Project Overview] || High level overview of projects and how OWASP works || Novice || 2006-09-19
|-valign="top"
|[http://www.owasp.org/images/4/49/OWASPAppSec2006Seattle_Security_Metrics.ppt The OWASP Application Security Metrics Project (Bob Austin)] || Presentation on the Application Security Metrics project || Novice || 2006-10-17
|-valign="top"
|[http://www.owasp.org/images/5/53/OWASPAppSecEU2006_CLASP_Project.ppt OWASP CLASP Project (Pravir Chandra)] || OWASP CLASP project presentation given at the 2006 European AppSec conference || Novice || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/3/30/OWASPAppSec2006Seattle_UsingSprajaxToTestAJAXSecurity.ppt Sprajax (Dan Cornell)] || OWASP Sprajax presentation given at the 2006 Seattle AppSec conference || Intermediate || 2006-10-17
|-valign="top"
|}

<br>

== OWASP Conference Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Conference Presentations
!width="30%" | Title
!width="40%" | Comment
!width="15%" | Level
!width="15%" |Date (yyyy-mm-dd)

|-valign="top"
|[[:Image:OWASPAppSec2007Milan ModSecurityCoreRuleSet.ppt | Mod Security Core Rule Set (Ofer Shezaf)]] ||Ofer Shezaf's presentation on the Core Ruleset for the latest version of ModSecurity presented at 6th OWASP AppSec conference in Milan, Italy, in May 2007.|| Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OWASPTestingGuide2v1.ppt | OWASP Testing Guide v2.1 (Matteo Meucci)]] ||Matteo Meucci's presentation on the OWASP Testing Guide v2 at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan CLASP.ppt | CLASP (Pravir Chandra)]] ||Pravir Chandra's presentation on the upcoming 2007 update to CLASP presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan AdvancedWebHacking.ppt | Advanced Web Hacking (PDP)]] ||PDPs presentation at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan XMLSecurityGatewayEvalCriteria.ppt | XML Security Gateway Evaluation Criteria (Gunnar Peterson)]] ||Gunnar Peterson's presentation about the new XML Security Gateway Evaluation Criteria project at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan TestingFlashApplications.ppt | Testing Flash Applications (Stephano Di Paolo)]] ||Stephano Di Paolo's presentation on how to test Flash applications presented at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert|| 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OvertakingGoogleDesktop.ppt | Overtaking Google Desktop (Yair Amit)]] ||Yair Amit's presentation on XSS Flaws in Google Desktop that can be exploited through google.com presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan MS ACETeamAppSecfromTheCore.ppt | ACE Team Application Security from the Core (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the Microsoft ACE team's application security process at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan Pantera.ppt | Pantera (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the new OWASP tool Pantera at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan ProtectingWebAppsfromUniversalPDFXSS.ppt | Protecting Web applications from universal PDF XSS (Ivan Ristic)]] ||Ivan Ristic's Universal XSS PDF presentation at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SoftwareSecurity.ppt | Software Security (Rudolph Araujo)]] ||Rudolph Araujo's presentation on Application Security best practices at the 6th OWASP AppSec conference in Milan Italy, May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan WebGoatv5.ppt | WebGoat v5 (Dave Wichers)]] ||WebGoat v5 presentation by Dave Wichers at the 6th OWASP AppSec Conference in Milan, Italy, May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan WebScarabNG.ppt | WebScarab NG (Dave Wichers)]] ||Description of the new WebScarab-NG efforts presented by Dave Wichers at the 6th OWASP AppSec conference in Milan, Italy in May 2007.|| Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SANS SPSA Initiative.ppt | SANS SPSA Initiative (Dave Wichers)]] ||Description of the SANS Secure Coding Exam Initiative presented by Dave Wichers at the 6th OWASP AppSec conference in Milan Italy, May 2007.|| Novice || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OWASPItalyActivities.ppt | OWASP Italy Activities (Raoul Chiesa)]] ||Raoul Chiesa's keynote for day 2 of the 6th OWASP AppSec conference on the state of application security in Italy including OWASP's activities in that country.|| Novice || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SecurityEngineeringInVista.ppt | Security engineering in Vista (Alex Lucas)]] ||Alex Lucas' from Microsoft's keynote presentation for Day 1 of the 6th OWASP AppSec conference in Milan on the benefits of Microsoft's SDL to the security of Vista. || Intermediate || 2007-05-16
|-valign="top"
|[http://www.owasp.org/images/5/5f/OWASPAppSec2006Seattle_SecurityEngineeringInVista.ppt How the Security Development Lifecycle(SDL) Improved Windows Vista (Michael Howard)] || Michael Howard's talk on SDL from the OWASP Seattle AppSec Conference in 2006 || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/3/34/OWASPAppSecEU2006_Bootstrapping_the_Application_Assurance_Process.ppt Bootstrapping the Application Assurance Process (Sebastien Deleersnyder)] || Presentation given during the European 2006 AppSec conference on the application assurance process || Novice || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/8/8b/OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt Inline Approach for Secure SOAP Requests and Early Validation (Mohammad Ashiqur Rahaman, Maartin Rits and Andreas Schaad SAP Research, Sophia Antipolis, France)] || Presentation given at the European 2006 AppSec conference about security and soap message structure issues || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt Web Application Firewalls:When Are They Useful? (Ivan Ristic)] || Presentation about Web Application Firewalls || Novice || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt HTTP Message Splitting, Smuggling and Other Animals (Amit Klein)] || A presentation about Message splitting other attacks around the HTTP protocol || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/f/f6/OWASPAppSec2006Seattle_WebAppForensics.ppt Web Application Incident Response & Forensics: A Whole New Ball Game! (Rohyt Belani & Chuck Willis)] || Talk about Web Application Security incident handling and forensics given at the OWASP 2006 Seattle AppSec conference || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/d/d2/OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10.ppt Can (Automated) Testing Tools Really Find the OWASP Top 10? (Erwin Geirnaert) ] || A talk about how automated testing tools stack up against the OWASP top 10 || Intermediate || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/2/28/OWASPAppSecEU2006_RequestRodeo.ppt RequestRodeo: Client Side Protection against Session Riding (Martin Johns / Justus Winter)] || Presentation given about how Sessions can be hi-jacked, etc... || Novice || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/6/62/OWASPAppSecEU2006_SecurityTestingthruAutomatedSWTests.ppt Security Testing through Automated Software Tests (Stephen de Vries)] || Presentation given at the 2006 EuSec conference || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/0/0e/AppSec2005DC-Jeremy_Poteet-In_the_Line_of_Fire.ppt In the Line of Fire: Defending Highly Visible Targets (Jeremy Poteet)] || Conference given at the 2005 DC AppSec conference || Novice || 2005-10-1
|-valign="top"
|[http://www.owasp.org/images/9/93/AppSec2005DC-Matt_Fisher-Google_Hacking_and_Worms.ppt Google Hacking and Web Application Worms (Matt Fisher)] || Talk given at the 2005 DC AppSec conference || Novice || 2005-10-01
|-valign="top"
|[http://www.owasp.org/images/0/05/AppSec2005DC-Anthony_Canike-Enterprise_AppSec_Program.ppt Establishing an Enterprise Application Security Program (Tony Canike)] || Talk given at the 2005 DC AppSec Conference || Novice || 2005-10-01
|-valign="top"
|[https://owasp.org/images/0/0d/OWASPAppSec2006Seattle_Why_AJAX_Applications_More_Likely_Insecure.ppt Why AJAX Applications Are Far More Likely To Be Insecure (And What To Do About It) (Dave Wichers)] || Dave's talk on AJAX given at the Seattle 2006 AppSec conference || Intermediate || 2006-10-01
|-valign="top"
|}

<br>

== Web Application Security Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ Web Application Security Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (yyyy-mm-dd)
|-valign="top"
|[[:Image:Protecting Web Applications from Universal PDF XSS.ppt| Universal PDF XSS by Ivan Ristic]] || Protecting Web Applications from Universal PDF XSS || Intermediate || 2007-06-28
|-valign="top"
|[[:Image:IdM-OWASP.v.0.2.14.pdf|Identity Management Basics (Derek Brown)]] ||Identity Management Basics|| Novice || 2007-05-09
|-valign="top"
|[[http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt Advanced SQL Injection (Victor Chapela)] || Detailed methodology for analyzing applications for SQL injection vulnerabilities || Expert || 2005-11-04
|-valign="top"
|[[http://www.owasp.org/images/7/7d/Advanced_Topics_on_SQL_Injection_Protection.ppt Advanced Topics on SQL Injection Protection (Sam NG)] || 7 methods to prevent SQL injection attacks correctly and in a more integrated approach. Methods 1 to 3 are applicable during design or development life cycle. Method 4 is mainly from QA’s perspective. Methods 5 and 6 can be applied to production environment and are applicable even if you do not have access to or if you cannot change the source code. Other non-main stream technology are discussed in Method 7. || Intermediate || 2006-02-27
|-valign="top"
|[[http://www.owasp.org/images/d/d1/AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt Attacking Web Services (Alex Stamos)] || Web Services Introduction and Attacks || Intermediate || 2005-10-11
|-valign="top"
|[http://www.owasp.org/images/7/72/MMS_Spoofing.ppt MMS Spoofing (Matteo Meucci)] || A Case-study of a vulnerable web application || Intermediate
|-valign="top"
|[http://www.owasp.org/images/f/f9/OWASPAppSecEU2006_AJAX_Security.ppt Ajax Security (Andrew van der Stock)] || Presentation on Ajax security for OWASP AppSec Europe 2006 || Intermediate || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/3/3a/OWASPAppSec2006Seattle_Web_Services_Security.ppt Advanced Web Services Security & Hacking (Justin Derry)] || Presentation given on Webservice security at the Seattle 2006 AppSec conference || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/f/f6/Integration_into_the_SDLC.ppt Integration into the SDLC (Eoin Keary)] || A presentation about why and how to integrate the SDLC. || Novice || 2005-04-09
|-valign="top"
|}

<br>

== Chapter Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ Chapter Presentations
!width="30%" |Title
!width="30%" |Comment
!width="10%" |Level
!width="10%" |Month (Mon-yyyy)
!width="10%" |Chapter

|-valign="top"
|[[:Image:Common_Application_Flaws.ppt| Common Application Flaws (Brett Moore) ]] ||OWASP New Zealand chapter presentation on Common Application Flaws|| Novice/Intermediate ||November 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Time_Based_SQL_Injections.ppt| Time Based SQL Injections (Muhaimin Dzulfakar) ]] ||OWASP New Zealand chapter presentation on Time Based SQL Injections|| Intermediate ||September 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Browser_security.ppt| Browser Security (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Browser Security|| Intermediate ||September 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:OWASP_CMH_SQLInjection__20080707.zip| 7/7/2008 SQL Injection (Columbus, OH)]] || SQL Injection Presentation given at the Columbus, OH OWASP Chapter Meeting. Powerpoint, derby DB, and applicable java code. || Novice / Intermediate || July 2008 || [[Columbus]]
|-valign="top"
|[[:Image:OWASP_ellak-Greece.ppt| Detecting Web Application Vulnerabilities Using Open Source Means (Konstantinos Papapanagiotou) ]] ||OWASP Greek Chapter presentation given at the Open Source Software (FLOSS) Conference in Athens|| Novice ||May 2008 || [[Greece]]
|-valign="top"
|[[:Image:Hacking_The_World_With_Flash.ppt| Hacking The World With Flash (Paul Craig) ]] ||OWASP New Zealand chapter presentation on Flash security|| Intermediate ||April 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Web_spam_techniques.ppt| Web Spam Techniques (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Web Spam Techniques|| Intermediate ||April 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Xpath_Injection.ppt| Xpath Injection Overview (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Xpath Injection|| Intermediate ||February 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Owasp security4mobileJava.pdf| Dependability for Java Mobile Code (Pierre Parrend) ]] ||OWASP Swiss chapter presentation on Mobile Java Security || Expert ||July 2007 || [[Switzerland]]
|-valign="top"
|[[:Image:Trust Security Usability - v1.0.pdf|Trust, Security and Usability (Roger Carhuatocto) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:OWASP-tratamiento_de_datos.pdf|Tratamiento seguro de datos en aplicaciones in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Conferencia_OWASP.pdf|Ataques DoS en aplicaciones Web (Jaime Blasco Bermejo) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Seguridad en entornos financieros.pdf|Seguridad en entornos financierosPedro (Pedro Sánchez) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Java_Open_Review.ppt|Brian Chess from Fortify shared what's going on with the Java Open Source review project at the June NoVA OWASP meeting]] || Java Open Review || Intermediate ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Bytecode_injection.ppt|Brian Chess from Fortify, presentation to NoVA OWASP chapter in June 2007.]] || Bytecode injection || Expert ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Security at the VMM Layer - OWASP.ppt|Security at the VMM Layer by Ted Winograd]] || Security at the VMM Layer || Expert ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:KC June 2007 Evaluating and Tuning WAFs.pdf|Evaluating and Tuning Web Application Firewalls (Barry Archer)]] ||Presentation given at Kansas City June 2007 chapter meeting|| Intermediate ||June 2007 || [[Kansas City]]
|-valign="top"
|[[:Image:OWASP_SDL-IT.pdf|Microsoft Security Development Lifecycle for IT (Rob Labbé)]] ||Presentation by Rob Labbe at Ottawa OWASP Chapter|| Novice ||May 2007|| [[Ottawa]]
|-valign="top"
|[[:Image:OWASP_IL_7_Application_DOS.pdf|Application Denial of Service (Shaayy Cheen)]] ||Is it Really That Easy? Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP_IL_7_FuzzGuru.pdf|Fuzzing in Microsoft and FuzzGuru framework (John Neystadt)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP_IL_7_AppSec_and_Beyond.pdf|Application Security, not just development (David Lewis)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 Overtaking Google Desktop.pdf|Overtaking Google Desktop, Leveraging XSS to Raise Havoc (Yair Amit)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 UnregisterAttackInSip.pdf|Unregister Attack in SIP (Anat Bremler-Barr, Ronit Halachmi-Bekel and Jussi Kangasharju)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 WAF Positive Security.pdf|Positive Security Model for Web Applications, Challenges and Promise (Ofer Shezaf)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 DOT NET Reverse Engineering.pdf|.NET Reverse Engineering (Erez Metula)]] ||Presentation given at the Israel Mini Conference in May 2007|| Expert ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 OWASP Introduction.pdf|OWASP introduction (Ofer Shezaf)]] ||2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP BeLux 2007-06-22 Update on Internet Attack Statistics for Belgium in 2006.ppt|Update on Internet Attack Statistics for Belgium in 2006 by Hilar Leoste (Zone-H)]] || Update on Internet Attack Statistics for Belgium in 2006 || Novice ||May 2007 || [[Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:InfoSec_World_2007_-_Web_services_gateways.ppt Securing Web Services using XML Security Gateways by Tim Bond] || Securing Web Services using XML Security Gateways || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:SwA_Acquisition_WG_-_Overview.ppt Software Assurance in the Acquisition Process by Stan Wisseman] || Software Assurance in the Acquisition Process || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_Legal_Aspects_Jos_Dumortier.zip Legal Aspects of (Web) Application Security by Jos Dumortier] || Legal Aspects of (Web) Application Security || Intermediate ||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_AppSec_Research_Lieven_Desmet.zip AppSec Research (University Leuven Belgium)] || Formal absence of implementation bugs in web applications: a case study on indirect data sharing by Lieven Desmet || Expert ||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[[:Image:Scanner-Sparkly.ppt|A Scanner Sparkly]] || A Scanner Sparkly, taken from the Phoenix OWASP presentations on Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]
|-valign="top"
|[[:Image:Owasp-lessonslearned.ppt|Grey Box Assessment Lessons Learned]] || "Grey Box Assessment Lessons Learned", taken from the Phoenix OWASP presentations, Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_OWASP_Update.zip OWASP Update and OWASP BeLux Board Presentation (Seba)] || OWASP Update and OWASP BeLux Board Presentation || Novice||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[[:Image:Security Metics- What can we measure- Zed Abbadi.pdf|Metics- What can we measure (Zed Abbadi)]] ||19 April NoVa chapter meeting presentation on Security Metrics || Novice ||April 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Web Services Hacking and Hardening.pdf| Web Services Hacking and Hardening (Adam Vincent) ]] ||3/8/07 NoVA chapter meeting, Adam Vincent from Layer7 || Expert ||March 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/images/f/fe/Pres_20070206_04_svetsch_xss_worms_owasp.zip XSS Worms (Sven Vetsch)] || XSS Worms || Intermediate ||Feb 2007 || [[Switzerland|Switzerland]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_WebGoat-Pantera.zip WebGoat and Pantera presentation (Philippe Bogaerts)] || WebGoat and Pantera presentation || Novice || Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_AOP_security.zip Security implications of AOP for secure software (Bart De Win)] || Security implications of AOP for secure software || Expert || Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/images/1/12/OWASP_Denver_Nov-06_presentation.ppt testing for common security flaws (David Byrne)] || testing for common security flaws || Intermediate || Nov 2006 || [[Denver|Denver]]
|-valign="top"
|[http://www.owasp.org/images/7/7c/Owasp-olli.pdf 40-ish slides on analyzing threats (Olli)] || Analyzing Threats || Novice || Dec 2006 || [[Helsinki|Helsinki]]
|-valign="top"
|[http://www.owasp.org/images/2/2c/KC_Dec2006_Attacking_The_App.pdf Attacking the Application (Dave Ferguson)] || Vulnerabilities, attacks and coding suggestions || Intermediate || Dec 2006 || [[Kansas City|Kansas City]]
|-valign="top"
|[http://www.owasp.org/images/6/6a/KC_Dec2006_Ajax_Security_Concerns.pdf Ajax Security Concerns (Rohini Sulatycki)] || Ajax Security Concerns || Intermediate ||Dec 2006 || [[Kansas City|Kansas City]]
|-valign="top"
|[http://www.owasp.org/images/8/8c/Anatomy_of_2_Web_App_Testing.zip Anatomy of 2 Web Application Testing (Matteo Meucci)] || Anatomy of 2 Web Application Testing || Intermediate || Mar 2006 || [[Italy|Italy]]

|-valign="top"

|[https://www.owasp.org/images/9/99/WTE-Cloud-Austin-2012-02.pdf Testing From the Cloud: Is the Sky Falling? ] || WTE Cloud-based Testing || Intermediate || Feb 2012 || [[Austin|Austin]]
|-valign="top"

[[Category:Specification languages]]
[[Category:OWASP Education Project]]
[[Category:OWASP Presentations]]
[[Category:Chapter Resources]]

OWASP Education Presentation

2015-07-16T14:25:13Z

Timo.goosen: /* Web Application Security Presentations */

This page provide a commented overview of the OWASP presentations available.<br>
Please use the last line of the tables as template.<br>
Presentions can be tracked through:
* the [http://www.owasp.org/index.php/Category:OWASP_Presentations OWASP Presentations Category]
* [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference Past OWASP Conference agenda's]
* From the chapter pages
Everybody is encouraged to link the presentations and add their findings on this page !
There are currently hundreds of presentations all over the OWASP web site.
If you search google with “site:owasp.org filetype:ppt” there are 166 hits. “site:owasp.org filetype:pdf” returns 76.
Feel free to “mine” them and add them to the overview.

== OWASP Education Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Education Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (2015-07-04)
|-valign="top"
|[https://www.owasp.org/index.php/Education/Free_Training Free Developer Training]|| Developer AppSec Course by [[Eoin Keary]] and [https://www.owasp.org/index.php/User:Jmanico Jim Manico] || Intermediate || 2014-04-04
|-valign="top"
|[[:Image:OWASP Overview Winter 2009v1.pptx|OWASP Overview Winter 2009]]|| Updated overview of OWASP || Novice || 2009-12-08
|-valign="top"
|[[:Image:Programa_de_Educacion_OWASP.ppt|Programa de Educacion OWASP]]|| Una introduccion a OWASP para Universidades y Centros Educativos por Fabio Cerullo|| Novice || 2009-03-20
|-valign="top"
|[[:Image:OWASP_Educational_Programme.ppt|OWASP Educational Programme]]|| An introduction to OWASP for Universities & Educational Institutions by Fabio Cerullo|| Novice || 2009-03-20
|-valign="top"
|[[:Image:OWASP Overview Summer 2009.pptx|OWASP Overview Summer 2009]]|| Recent overview of OWASP by Jeff Williams || Novice || 2009-08-25
|-valign="top"
|[[:Image:Education Module Why WebAppSec Matters.ppt|Why WebAppSec Matters]]|| This module explains why security should be considered when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:OWASP-Intro-2008-portuguese.ppt|OWASP Intro 2008 Portuguese]]|| Este módulo é uma intrudução sobre o projeto OWASP. || Novice || 2008-07-06
|-valign="top"
|[[:Image:Education Module OWASP Top 10 Introduction and Remedies.ppt|OWASP Top 10 Introduction and Remedies]]|| This module explains the OWASP Top 10 web application vulnerabilities as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Embed within SDLC.ppt|Embed within SDLC]]|| This module explains the complete approach of Web Application Security when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Good Secure Development Practices.ppt|Good Secure Development Practices]]|| This module explains some good secure development practices when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Testing for Vulnerabilities.ppt|Testing for Vulnerabilities]]|| This module explains application security testing when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Good WebAppSec Resources.ppt|Good WebAppSec Resources]]|| This module points you to some good web application security resources when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|}
,
<br>

== OWASP Project Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Project Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (yyyy-mm-dd)
|-valign="top"
|[[:Image:Germany 2008 Conference OWASP Introduction v1.pptx|OWASP Introduction]] || OWASP Overview presentation covering OWASP, project parade and OWASP near you. Given by Seba during the Germany 2008 Conference || Novice || 2008-11-25
|-valign="top"
|[[:Image:OWASP Foundation The story so far and beyond - Part 1.ppt|India08 Keynote - Part 1]] || OWASP Overview presentation. Part 1 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[[:Image:OWASP Foundation The story so far and beyond - Part 2.ppt|India08 Keynote - Part 2]] || OWASP Overview presentation. Part 2 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[[:Image:OWASP India - Tour of OWASP projects.ppt|Tour of OWASP’s projects]] || Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[https://www.owasp.org/images/5/59/RISK_2008_OWASP_Introduction_v1.pptx OWASP @ RISK08 (Norway)] || OWASP introduction at Norway RISK2008 conference by Seba || Novice || 2008-04-23
|-valign="top"
|[[:Image:OWASP NY Keynote.ppt|OWASP NY Keynote by Jeff]] also available in [[:Image:20070620-FR-OWASP NY Keynote.ppt|French]]|| OWASP Overview presentation with slide "OWASP by the numbers" and slide with the sorry state of Tools (at best 45%) which caused some controverse || Novice || 2007-06-12
|-valign="top"
|[http://www.owasp.org/images/a/af/OWASP_Testing_Guide_Presentation.zip The OWASP Testing Guide (Jeff Williams)] || Overview of the OWASP Testing Guide || Novice || 2007-01-23
|-valign="top"
|[http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip The OWASP Testing Guide v2 EUSecWest07 (Matteo Meucci, Alberto Revelli)] || Presentation at EUSecWest07 || Intermediate || 2007-03-01
|-valign="top"
|[http://www.owasp.org/images/3/3c/OWASP_Flyer_Sep06.ppt OWASP Project Overview] || High level overview of projects and how OWASP works || Novice || 2006-09-19
|-valign="top"
|[http://www.owasp.org/images/4/49/OWASPAppSec2006Seattle_Security_Metrics.ppt The OWASP Application Security Metrics Project (Bob Austin)] || Presentation on the Application Security Metrics project || Novice || 2006-10-17
|-valign="top"
|[http://www.owasp.org/images/5/53/OWASPAppSecEU2006_CLASP_Project.ppt OWASP CLASP Project (Pravir Chandra)] || OWASP CLASP project presentation given at the 2006 European AppSec conference || Novice || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/3/30/OWASPAppSec2006Seattle_UsingSprajaxToTestAJAXSecurity.ppt Sprajax (Dan Cornell)] || OWASP Sprajax presentation given at the 2006 Seattle AppSec conference || Intermediate || 2006-10-17
|-valign="top"
|}

<br>

== OWASP Conference Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Conference Presentations
!width="30%" | Title
!width="40%" | Comment
!width="15%" | Level
!width="15%" |Date (yyyy-mm-dd)

|-valign="top"
|[[:Image:OWASPAppSec2007Milan ModSecurityCoreRuleSet.ppt | Mod Security Core Rule Set (Ofer Shezaf)]] ||Ofer Shezaf's presentation on the Core Ruleset for the latest version of ModSecurity presented at 6th OWASP AppSec conference in Milan, Italy, in May 2007.|| Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OWASPTestingGuide2v1.ppt | OWASP Testing Guide v2.1 (Matteo Meucci)]] ||Matteo Meucci's presentation on the OWASP Testing Guide v2 at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan CLASP.ppt | CLASP (Pravir Chandra)]] ||Pravir Chandra's presentation on the upcoming 2007 update to CLASP presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan AdvancedWebHacking.ppt | Advanced Web Hacking (PDP)]] ||PDPs presentation at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan XMLSecurityGatewayEvalCriteria.ppt | XML Security Gateway Evaluation Criteria (Gunnar Peterson)]] ||Gunnar Peterson's presentation about the new XML Security Gateway Evaluation Criteria project at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan TestingFlashApplications.ppt | Testing Flash Applications (Stephano Di Paolo)]] ||Stephano Di Paolo's presentation on how to test Flash applications presented at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert|| 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OvertakingGoogleDesktop.ppt | Overtaking Google Desktop (Yair Amit)]] ||Yair Amit's presentation on XSS Flaws in Google Desktop that can be exploited through google.com presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan MS ACETeamAppSecfromTheCore.ppt | ACE Team Application Security from the Core (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the Microsoft ACE team's application security process at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan Pantera.ppt | Pantera (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the new OWASP tool Pantera at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan ProtectingWebAppsfromUniversalPDFXSS.ppt | Protecting Web applications from universal PDF XSS (Ivan Ristic)]] ||Ivan Ristic's Universal XSS PDF presentation at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SoftwareSecurity.ppt | Software Security (Rudolph Araujo)]] ||Rudolph Araujo's presentation on Application Security best practices at the 6th OWASP AppSec conference in Milan Italy, May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan WebGoatv5.ppt | WebGoat v5 (Dave Wichers)]] ||WebGoat v5 presentation by Dave Wichers at the 6th OWASP AppSec Conference in Milan, Italy, May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan WebScarabNG.ppt | WebScarab NG (Dave Wichers)]] ||Description of the new WebScarab-NG efforts presented by Dave Wichers at the 6th OWASP AppSec conference in Milan, Italy in May 2007.|| Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SANS SPSA Initiative.ppt | SANS SPSA Initiative (Dave Wichers)]] ||Description of the SANS Secure Coding Exam Initiative presented by Dave Wichers at the 6th OWASP AppSec conference in Milan Italy, May 2007.|| Novice || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OWASPItalyActivities.ppt | OWASP Italy Activities (Raoul Chiesa)]] ||Raoul Chiesa's keynote for day 2 of the 6th OWASP AppSec conference on the state of application security in Italy including OWASP's activities in that country.|| Novice || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SecurityEngineeringInVista.ppt | Security engineering in Vista (Alex Lucas)]] ||Alex Lucas' from Microsoft's keynote presentation for Day 1 of the 6th OWASP AppSec conference in Milan on the benefits of Microsoft's SDL to the security of Vista. || Intermediate || 2007-05-16
|-valign="top"
|[http://www.owasp.org/images/5/5f/OWASPAppSec2006Seattle_SecurityEngineeringInVista.ppt How the Security Development Lifecycle(SDL) Improved Windows Vista (Michael Howard)] || Michael Howard's talk on SDL from the OWASP Seattle AppSec Conference in 2006 || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/3/34/OWASPAppSecEU2006_Bootstrapping_the_Application_Assurance_Process.ppt Bootstrapping the Application Assurance Process (Sebastien Deleersnyder)] || Presentation given during the European 2006 AppSec conference on the application assurance process || Novice || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/8/8b/OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt Inline Approach for Secure SOAP Requests and Early Validation (Mohammad Ashiqur Rahaman, Maartin Rits and Andreas Schaad SAP Research, Sophia Antipolis, France)] || Presentation given at the European 2006 AppSec conference about security and soap message structure issues || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt Web Application Firewalls:When Are They Useful? (Ivan Ristic)] || Presentation about Web Application Firewalls || Novice || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt HTTP Message Splitting, Smuggling and Other Animals (Amit Klein)] || A presentation about Message splitting other attacks around the HTTP protocol || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/f/f6/OWASPAppSec2006Seattle_WebAppForensics.ppt Web Application Incident Response & Forensics: A Whole New Ball Game! (Rohyt Belani & Chuck Willis)] || Talk about Web Application Security incident handling and forensics given at the OWASP 2006 Seattle AppSec conference || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/d/d2/OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10.ppt Can (Automated) Testing Tools Really Find the OWASP Top 10? (Erwin Geirnaert) ] || A talk about how automated testing tools stack up against the OWASP top 10 || Intermediate || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/2/28/OWASPAppSecEU2006_RequestRodeo.ppt RequestRodeo: Client Side Protection against Session Riding (Martin Johns / Justus Winter)] || Presentation given about how Sessions can be hi-jacked, etc... || Novice || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/6/62/OWASPAppSecEU2006_SecurityTestingthruAutomatedSWTests.ppt Security Testing through Automated Software Tests (Stephen de Vries)] || Presentation given at the 2006 EuSec conference || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/0/0e/AppSec2005DC-Jeremy_Poteet-In_the_Line_of_Fire.ppt In the Line of Fire: Defending Highly Visible Targets (Jeremy Poteet)] || Conference given at the 2005 DC AppSec conference || Novice || 2005-10-1
|-valign="top"
|[http://www.owasp.org/images/9/93/AppSec2005DC-Matt_Fisher-Google_Hacking_and_Worms.ppt Google Hacking and Web Application Worms (Matt Fisher)] || Talk given at the 2005 DC AppSec conference || Novice || 2005-10-01
|-valign="top"
|[http://www.owasp.org/images/0/05/AppSec2005DC-Anthony_Canike-Enterprise_AppSec_Program.ppt Establishing an Enterprise Application Security Program (Tony Canike)] || Talk given at the 2005 DC AppSec Conference || Novice || 2005-10-01
|-valign="top"
|[https://owasp.org/images/0/0d/OWASPAppSec2006Seattle_Why_AJAX_Applications_More_Likely_Insecure.ppt Why AJAX Applications Are Far More Likely To Be Insecure (And What To Do About It) (Dave Wichers)] || Dave's talk on AJAX given at the Seattle 2006 AppSec conference || Intermediate || 2006-10-01
|-valign="top"
|}

<br>

== Web Application Security Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ Web Application Security Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (yyyy-mm-dd)
|-valign="top"
|[[:Image:Protecting Web Applications from Universal PDF XSS.ppt| Universal PDF XSS by Ivan Ristic]] || Protecting Web Applications from Universal PDF XSS || Intermediate || 2007-06-28
|-valign="top"
|[[:Image:IdM-OWASP.v.0.2.14.pdf|Identity Management Basics (Derek Brown)]] ||Identity Management Basics|| Novice || 2007-05-09
|-valign="top"
|[[http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt Advanced SQL Injection (Victor Chapela)] || Detailed methodology for analyzing applications for SQL injection vulnerabilities || Expert || 2005-11-04
|-valign="top"
|[[http://www.owasp.org/images/7/7d/Advanced_Topics_on_SQL_Injection_Protection.ppt Advanced Topics on SQL Injection Protection (Sam NG)] || 7 methods to prevent SQL injection attacks correctly and in a more integrated approach. Methods 1 to 3 are applicable during design or development life cycle. Method 4 is mainly from QA’s perspective. Methods 5 and 6 can be applied to production environment and are applicable even if you do not have access to or if you cannot change the source code. Other non-main stream technology are discussed in Method 7. || Intermediate || 2006-02-27
|-valign="top"
|[[http://www.owasp.org/images/d/d1/AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt Attacking Web Services (Alex Stamos)] || Web Services Introduction and Attacks || Intermediate || 2005-10-11
|-valign="top"
|[http://www.owasp.org/images/7/72/MMS_Spoofing.ppt MMS Spoofing (Matteo Meucci)] || A Case-study of a vulnerable web application || Intermediate
|-valign="top"
|[http://www.owasp.org/images/f/f9/OWASPAppSecEU2006_AJAX_Security.ppt Ajax Security (Andrew van der Stock)] || Presentation on Ajax security for OWASP AppSec Europe 2006 || Intermediate || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/3/3a/OWASPAppSec2006Seattle_Web_Services_Security.ppt Advanced Web Services Security & Hacking (Justin Derry)] || Presentation given on Webservice security at the Seattle 2006 AppSec conference || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/f/f6/Integration_into_the_SDLC.ppt Integration into the SDLC (Eoin Keary)] || A presentation about why and how to integrate the SDLC. || Novice || 2005-04-09
|-valign="top"
|}

<br>

== Chapter Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ Chapter Presentations
!width="30%" |Title
!width="30%" |Comment
!width="10%" |Level
!width="10%" |Month (Mon-yyyy)
!width="10%" |Chapter

|-valign="top"
|[[:Image:Common_Application_Flaws.ppt| Common Application Flaws (Brett Moore) ]] ||OWASP New Zealand chapter presentation on Common Application Flaws|| Novice/Intermediate ||November 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Time_Based_SQL_Injections.ppt| Time Based SQL Injections (Muhaimin Dzulfakar) ]] ||OWASP New Zealand chapter presentation on Time Based SQL Injections|| Intermediate ||September 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Browser_security.ppt| Browser Security (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Browser Security|| Intermediate ||September 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:OWASP_CMH_SQLInjection__20080707.zip| 7/7/2008 SQL Injection (Columbus, OH)]] || SQL Injection Presentation given at the Columbus, OH OWASP Chapter Meeting. Powerpoint, derby DB, and applicable java code. || Novice / Intermediate || July 2008 || [[Columbus]]
|-valign="top"
|[[:Image:OWASP_ellak-Greece.ppt| Detecting Web Application Vulnerabilities Using Open Source Means (Konstantinos Papapanagiotou) ]] ||OWASP Greek Chapter presentation given at the Open Source Software (FLOSS) Conference in Athens|| Novice ||May 2008 || [[Greece]]
|-valign="top"
|[[:Image:Hacking_The_World_With_Flash.ppt| Hacking The World With Flash (Paul Craig) ]] ||OWASP New Zealand chapter presentation on Flash security|| Intermediate ||April 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Web_spam_techniques.ppt| Web Spam Techniques (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Web Spam Techniques|| Intermediate ||April 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Xpath_Injection.ppt| Xpath Injection Overview (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Xpath Injection|| Intermediate ||February 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Owasp security4mobileJava.pdf| Dependability for Java Mobile Code (Pierre Parrend) ]] ||OWASP Swiss chapter presentation on Mobile Java Security || Expert ||July 2007 || [[Switzerland]]
|-valign="top"
|[[:Image:Trust Security Usability - v1.0.pdf|Trust, Security and Usability (Roger Carhuatocto) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:OWASP-tratamiento_de_datos.pdf|Tratamiento seguro de datos en aplicaciones in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Conferencia_OWASP.pdf|Ataques DoS en aplicaciones Web (Jaime Blasco Bermejo) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Seguridad en entornos financieros.pdf|Seguridad en entornos financierosPedro (Pedro Sánchez) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Java_Open_Review.ppt|Brian Chess from Fortify shared what's going on with the Java Open Source review project at the June NoVA OWASP meeting]] || Java Open Review || Intermediate ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Bytecode_injection.ppt|Brian Chess from Fortify, presentation to NoVA OWASP chapter in June 2007.]] || Bytecode injection || Expert ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Security at the VMM Layer - OWASP.ppt|Security at the VMM Layer by Ted Winograd]] || Security at the VMM Layer || Expert ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:KC June 2007 Evaluating and Tuning WAFs.pdf|Evaluating and Tuning Web Application Firewalls (Barry Archer)]] ||Presentation given at Kansas City June 2007 chapter meeting|| Intermediate ||June 2007 || [[Kansas City]]
|-valign="top"
|[[:Image:OWASP_SDL-IT.pdf|Microsoft Security Development Lifecycle for IT (Rob Labbé)]] ||Presentation by Rob Labbe at Ottawa OWASP Chapter|| Novice ||May 2007|| [[Ottawa]]
|-valign="top"
|[[:Image:OWASP_IL_7_Application_DOS.pdf|Application Denial of Service (Shaayy Cheen)]] ||Is it Really That Easy? Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP_IL_7_FuzzGuru.pdf|Fuzzing in Microsoft and FuzzGuru framework (John Neystadt)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP_IL_7_AppSec_and_Beyond.pdf|Application Security, not just development (David Lewis)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 Overtaking Google Desktop.pdf|Overtaking Google Desktop, Leveraging XSS to Raise Havoc (Yair Amit)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 UnregisterAttackInSip.pdf|Unregister Attack in SIP (Anat Bremler-Barr, Ronit Halachmi-Bekel and Jussi Kangasharju)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 WAF Positive Security.pdf|Positive Security Model for Web Applications, Challenges and Promise (Ofer Shezaf)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 DOT NET Reverse Engineering.pdf|.NET Reverse Engineering (Erez Metula)]] ||Presentation given at the Israel Mini Conference in May 2007|| Expert ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 OWASP Introduction.pdf|OWASP introduction (Ofer Shezaf)]] ||2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP BeLux 2007-06-22 Update on Internet Attack Statistics for Belgium in 2006.ppt|Update on Internet Attack Statistics for Belgium in 2006 by Hilar Leoste (Zone-H)]] || Update on Internet Attack Statistics for Belgium in 2006 || Novice ||May 2007 || [[Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:InfoSec_World_2007_-_Web_services_gateways.ppt Securing Web Services using XML Security Gateways by Tim Bond] || Securing Web Services using XML Security Gateways || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:SwA_Acquisition_WG_-_Overview.ppt Software Assurance in the Acquisition Process by Stan Wisseman] || Software Assurance in the Acquisition Process || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_Legal_Aspects_Jos_Dumortier.zip Legal Aspects of (Web) Application Security by Jos Dumortier] || Legal Aspects of (Web) Application Security || Intermediate ||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_AppSec_Research_Lieven_Desmet.zip AppSec Research (University Leuven Belgium)] || Formal absence of implementation bugs in web applications: a case study on indirect data sharing by Lieven Desmet || Expert ||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[[:Image:Scanner-Sparkly.ppt|A Scanner Sparkly]] || A Scanner Sparkly, taken from the Phoenix OWASP presentations on Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]
|-valign="top"
|[[:Image:Owasp-lessonslearned.ppt|Grey Box Assessment Lessons Learned]] || "Grey Box Assessment Lessons Learned", taken from the Phoenix OWASP presentations, Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_OWASP_Update.zip OWASP Update and OWASP BeLux Board Presentation (Seba)] || OWASP Update and OWASP BeLux Board Presentation || Novice||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[[:Image:Security Metics- What can we measure- Zed Abbadi.pdf|Metics- What can we measure (Zed Abbadi)]] ||19 April NoVa chapter meeting presentation on Security Metrics || Novice ||April 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Web Services Hacking and Hardening.pdf| Web Services Hacking and Hardening (Adam Vincent) ]] ||3/8/07 NoVA chapter meeting, Adam Vincent from Layer7 || Expert ||March 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/images/f/fe/Pres_20070206_04_svetsch_xss_worms_owasp.zip XSS Worms (Sven Vetsch)] || XSS Worms || Intermediate ||Feb 2007 || [[Switzerland|Switzerland]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_WebGoat-Pantera.zip WebGoat and Pantera presentation (Philippe Bogaerts)] || WebGoat and Pantera presentation || Novice || Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_AOP_security.zip Security implications of AOP for secure software (Bart De Win)] || Security implications of AOP for secure software || Expert || Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/images/1/12/OWASP_Denver_Nov-06_presentation.ppt testing for common security flaws (David Byrne)] || testing for common security flaws || Intermediate || Nov 2006 || [[Denver|Denver]]
|-valign="top"
|[http://www.owasp.org/images/7/7c/Owasp-olli.pdf 40-ish slides on analyzing threats (Olli)] || Analyzing Threats || Novice || Dec 2006 || [[Helsinki|Helsinki]]
|-valign="top"
|[http://www.owasp.org/images/2/2c/KC_Dec2006_Attacking_The_App.pdf Attacking the Application (Dave Ferguson)] || Vulnerabilities, attacks and coding suggestions || Intermediate || Dec 2006 || [[Kansas City|Kansas City]]
|-valign="top"
|[http://www.owasp.org/images/6/6a/KC_Dec2006_Ajax_Security_Concerns.pdf Ajax Security Concerns (Rohini Sulatycki)] || Ajax Security Concerns || Intermediate ||Dec 2006 || [[Kansas City|Kansas City]]
|-valign="top"
|[http://www.owasp.org/images/8/8c/Anatomy_of_2_Web_App_Testing.zip Anatomy of 2 Web Application Testing (Matteo Meucci)] || Anatomy of 2 Web Application Testing || Intermediate || Mar 2006 || [[Italy|Italy]]

|-valign="top"

|[https://www.owasp.org/images/9/99/WTE-Cloud-Austin-2012-02.pdf Testing From the Cloud: Is the Sky Falling? ] || WTE Cloud-based Testing || Intermediate || Feb 2012 || [[Austin|Austin]]
|-valign="top"

|(https://www.owasp.org/index.php/User_talk:Briechenstein_Software_Studio) || Open Web application Security Project|| Intermediate|| 2015-07-04 ||

Chapter 4

Specification Language

This formal specification by language example presents cybersecurity studies (of over 10 projects) of how successful OWASP educational presentations test develop design and deliver cybersecurity software efficiently supporting formal methods as mathematically based techniquesthat are needed to assist in the design and implementation of reliable cybersecurity software.

Specification by language example is a must read for anyone serious about delivering translated cybersecurity language software that matters It is the result of a research on how teams internationally specify test develop design and deliver the right cybersecurity software without defects in very short computational delivery cycles With cybersecurity case studies and real examples this presentation helps you understand how successful teams implement mathematical cybersecurity by example denoting
acceptable testing and behavior driven development to bridge the communication gap between committees stakeholders and contributing teams build quality into cybersecurity from the start by testing developing designing and delivering supported languagfor syntax highlighting purposes It presents the collective knowledge of about 50 cybersecurity projects ranging from high traffic websites to virtual back office cybersecurity systems implemented by teams as diverse as small startups to groups spread across different continents working in a range of processes including Extreme programming Kanban Scrum and similar processes often bundled together under the names Lean and Agile This protocol is for testers software developers business analysts and project managers working on Syntax and Agile projects or teams moving to an Agile development method that want to improve quality reduce correction of defective cybersecurity software and collaborate better with the OWASP committee.
Smith

*Retrieved notes from Categories Specification languages and Formal specification
For the last past decade computer systems have become increasingly more powerful as a result becoming more impactful to society Established engineering disciplines use mathematical analysis as the foundation of creating and validating product design Formal language specifications are one im such a way for achievement in software engineering as reliability once predicted Other methods such as testing are more commonly used to enhance code quality

Usability given as such a specification it is possible to use formal verification techniques to demonstrate that a system design is correct with respect to its specification This allows incorrect system designs to be revised before any major investments have been made into an actual implementation Another approach is to use provably correct refinement steps to transform a specification into a design which is ultimately transformed into an implementation that is correct by construction.

*It is important to note that a formal specification is not an implementation but rather it may be used to develop an implementation Formal specifications describe what a system should do not how the system should do it A good specification must have some of the following attributes: adequate internally consistent unambiguous complete satisfied constructability manageability and evolvability Usability Communicability Powerful and efficient analysis which is one of the main reasons there is interest in formal specifications that will provide an ability to perform proofs on cybersecurity software implementations These proofs may be used to validate a specification verify correctness of design, or to prove that a program satisfies a specification.

Limitations
A design (or implementation) cannot ever be declared “correct” on its own. It can only ever be “corrected with respect to a given specification Whether the formal specification correctly describes the problem to be solved is a separate issue It is also a difficult issue to address since it ultimately concerns the problem constructing abstracted formal representations of an informal concrete problem domain and such an abstraction step is not amenable to formal proof. However, it is possible to validate a specification by proving “challenge” theorems concerning properties that the specification is expected to exhibit.o_O If correct Olloclip In these theorems reinforce the specifier's understanding of the specification and its relationship with the underlying problem domain If not the specification probably needs to be changed to better reflect the domain understanding of those involved with producing (and implementing) the specification.

Flexibility
As far as flexibility goes a lot of software companies use agile methodologies that focus on flexibility Doing a formal specification of the whole system up front is often perceived as being the opposite of flexible However there is some research into the benefits of using formal specifications with "agile" development
Complexity is a requirement that is a high level of mathematical expertise and the analytical skills to understand and apply them effectively
I have a solution to develop resources and models that allow for these techniques to be implemented but hide underlying mathematics

I hope to accomplish a good job of specifying user interfaces and user interaction that is Not cost-effective

Formal specification techniques have existed in various domains and on various scales for quite some time Implementations of formal specifications will differ depending on what kind of system they are attempting to model how they are applied and at what point in the software life cycle they have been introduced These types of models can be categorized into the following specification paradigms:

History-based specification

behavior based system histories
assertions are interpreted over time
State-based Specification
behavior based on system states
series of sequential steps (e.g. a financial transaction)
languages such as Z, VDM or B rely on this paradigm+
Transition-based specification
behavior based on transitions from state-to-state of the system
best used with a reactive system
languages such as Statecharts PROMELA STeP-SPL RSML or SCR rely on this paradigm
Functional specification
specify a system as a structure of mathematical functions
OBJ, ASL, PLUSS, LARCH, HOL or PVS rely on this paradigm
Operational Specification
early languages such as Paisley GIST Petri nets or process algebras rely on this paradigm
In addition to the above paradigms there are ways to apply certain heuristics to help improve the creation of these specifications The protocol referenced here best discusses heuristics to use when designing a specification.Heuristics= a rule or method that helps you solve problems faster than you would if you did all the computing

Resources:
Algebraic specification= Providing a mathematical software engineering technique

References:
^ a b c d e f g h i j k l m n o Lamsweerde, A. V. (2000). "Formal specification". Proceedings of the conference on the future of Software engineering - ICSE '00. p. 147. doi:10.1145/336512.336546. ISBN
^ a b c d Sommerville, Ian (2009). "Formal Specification" (PDF). Software Engineering. Retrieved
^ a b c Nummenmaa, Timo; Tiensuu, Aleksi; Berki, Eleni; Mikkonen, Tommi; Kuittinen, Jussi; Kultima, Annakaisa (4 August 2011). "Supporting agile development by facilitating natural user interaction with executable formal specifications". ACM SIGSOFT Software Engineering Notes 36 (4): 1–10. doi:10.1145/1988997.2003643. edit

Best Wishes,
Brenda Smith
a55dayidream@gmail.com

[[Category:Specification languages]]
[[Category:OWASP Education Project]]
[[Category:OWASP Presentations]]
[[Category:Chapter Resources]]

OWASP Education Presentation

2015-07-16T14:24:21Z

Timo.goosen: /* OWASP Conference Presentations */

This page provide a commented overview of the OWASP presentations available.<br>
Please use the last line of the tables as template.<br>
Presentions can be tracked through:
* the [http://www.owasp.org/index.php/Category:OWASP_Presentations OWASP Presentations Category]
* [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference Past OWASP Conference agenda's]
* From the chapter pages
Everybody is encouraged to link the presentations and add their findings on this page !
There are currently hundreds of presentations all over the OWASP web site.
If you search google with “site:owasp.org filetype:ppt” there are 166 hits. “site:owasp.org filetype:pdf” returns 76.
Feel free to “mine” them and add them to the overview.

== OWASP Education Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Education Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (2015-07-04)
|-valign="top"
|[https://www.owasp.org/index.php/Education/Free_Training Free Developer Training]|| Developer AppSec Course by [[Eoin Keary]] and [https://www.owasp.org/index.php/User:Jmanico Jim Manico] || Intermediate || 2014-04-04
|-valign="top"
|[[:Image:OWASP Overview Winter 2009v1.pptx|OWASP Overview Winter 2009]]|| Updated overview of OWASP || Novice || 2009-12-08
|-valign="top"
|[[:Image:Programa_de_Educacion_OWASP.ppt|Programa de Educacion OWASP]]|| Una introduccion a OWASP para Universidades y Centros Educativos por Fabio Cerullo|| Novice || 2009-03-20
|-valign="top"
|[[:Image:OWASP_Educational_Programme.ppt|OWASP Educational Programme]]|| An introduction to OWASP for Universities & Educational Institutions by Fabio Cerullo|| Novice || 2009-03-20
|-valign="top"
|[[:Image:OWASP Overview Summer 2009.pptx|OWASP Overview Summer 2009]]|| Recent overview of OWASP by Jeff Williams || Novice || 2009-08-25
|-valign="top"
|[[:Image:Education Module Why WebAppSec Matters.ppt|Why WebAppSec Matters]]|| This module explains why security should be considered when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:OWASP-Intro-2008-portuguese.ppt|OWASP Intro 2008 Portuguese]]|| Este módulo é uma intrudução sobre o projeto OWASP. || Novice || 2008-07-06
|-valign="top"
|[[:Image:Education Module OWASP Top 10 Introduction and Remedies.ppt|OWASP Top 10 Introduction and Remedies]]|| This module explains the OWASP Top 10 web application vulnerabilities as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Embed within SDLC.ppt|Embed within SDLC]]|| This module explains the complete approach of Web Application Security when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Good Secure Development Practices.ppt|Good Secure Development Practices]]|| This module explains some good secure development practices when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Testing for Vulnerabilities.ppt|Testing for Vulnerabilities]]|| This module explains application security testing when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Good WebAppSec Resources.ppt|Good WebAppSec Resources]]|| This module points you to some good web application security resources when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|}
,
<br>

== OWASP Project Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Project Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (yyyy-mm-dd)
|-valign="top"
|[[:Image:Germany 2008 Conference OWASP Introduction v1.pptx|OWASP Introduction]] || OWASP Overview presentation covering OWASP, project parade and OWASP near you. Given by Seba during the Germany 2008 Conference || Novice || 2008-11-25
|-valign="top"
|[[:Image:OWASP Foundation The story so far and beyond - Part 1.ppt|India08 Keynote - Part 1]] || OWASP Overview presentation. Part 1 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[[:Image:OWASP Foundation The story so far and beyond - Part 2.ppt|India08 Keynote - Part 2]] || OWASP Overview presentation. Part 2 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[[:Image:OWASP India - Tour of OWASP projects.ppt|Tour of OWASP’s projects]] || Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[https://www.owasp.org/images/5/59/RISK_2008_OWASP_Introduction_v1.pptx OWASP @ RISK08 (Norway)] || OWASP introduction at Norway RISK2008 conference by Seba || Novice || 2008-04-23
|-valign="top"
|[[:Image:OWASP NY Keynote.ppt|OWASP NY Keynote by Jeff]] also available in [[:Image:20070620-FR-OWASP NY Keynote.ppt|French]]|| OWASP Overview presentation with slide "OWASP by the numbers" and slide with the sorry state of Tools (at best 45%) which caused some controverse || Novice || 2007-06-12
|-valign="top"
|[http://www.owasp.org/images/a/af/OWASP_Testing_Guide_Presentation.zip The OWASP Testing Guide (Jeff Williams)] || Overview of the OWASP Testing Guide || Novice || 2007-01-23
|-valign="top"
|[http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip The OWASP Testing Guide v2 EUSecWest07 (Matteo Meucci, Alberto Revelli)] || Presentation at EUSecWest07 || Intermediate || 2007-03-01
|-valign="top"
|[http://www.owasp.org/images/3/3c/OWASP_Flyer_Sep06.ppt OWASP Project Overview] || High level overview of projects and how OWASP works || Novice || 2006-09-19
|-valign="top"
|[http://www.owasp.org/images/4/49/OWASPAppSec2006Seattle_Security_Metrics.ppt The OWASP Application Security Metrics Project (Bob Austin)] || Presentation on the Application Security Metrics project || Novice || 2006-10-17
|-valign="top"
|[http://www.owasp.org/images/5/53/OWASPAppSecEU2006_CLASP_Project.ppt OWASP CLASP Project (Pravir Chandra)] || OWASP CLASP project presentation given at the 2006 European AppSec conference || Novice || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/3/30/OWASPAppSec2006Seattle_UsingSprajaxToTestAJAXSecurity.ppt Sprajax (Dan Cornell)] || OWASP Sprajax presentation given at the 2006 Seattle AppSec conference || Intermediate || 2006-10-17
|-valign="top"
|}

<br>

== OWASP Conference Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Conference Presentations
!width="30%" | Title
!width="40%" | Comment
!width="15%" | Level
!width="15%" |Date (yyyy-mm-dd)

|-valign="top"
|[[:Image:OWASPAppSec2007Milan ModSecurityCoreRuleSet.ppt | Mod Security Core Rule Set (Ofer Shezaf)]] ||Ofer Shezaf's presentation on the Core Ruleset for the latest version of ModSecurity presented at 6th OWASP AppSec conference in Milan, Italy, in May 2007.|| Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OWASPTestingGuide2v1.ppt | OWASP Testing Guide v2.1 (Matteo Meucci)]] ||Matteo Meucci's presentation on the OWASP Testing Guide v2 at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan CLASP.ppt | CLASP (Pravir Chandra)]] ||Pravir Chandra's presentation on the upcoming 2007 update to CLASP presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan AdvancedWebHacking.ppt | Advanced Web Hacking (PDP)]] ||PDPs presentation at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan XMLSecurityGatewayEvalCriteria.ppt | XML Security Gateway Evaluation Criteria (Gunnar Peterson)]] ||Gunnar Peterson's presentation about the new XML Security Gateway Evaluation Criteria project at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan TestingFlashApplications.ppt | Testing Flash Applications (Stephano Di Paolo)]] ||Stephano Di Paolo's presentation on how to test Flash applications presented at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert|| 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OvertakingGoogleDesktop.ppt | Overtaking Google Desktop (Yair Amit)]] ||Yair Amit's presentation on XSS Flaws in Google Desktop that can be exploited through google.com presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan MS ACETeamAppSecfromTheCore.ppt | ACE Team Application Security from the Core (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the Microsoft ACE team's application security process at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan Pantera.ppt | Pantera (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the new OWASP tool Pantera at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan ProtectingWebAppsfromUniversalPDFXSS.ppt | Protecting Web applications from universal PDF XSS (Ivan Ristic)]] ||Ivan Ristic's Universal XSS PDF presentation at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SoftwareSecurity.ppt | Software Security (Rudolph Araujo)]] ||Rudolph Araujo's presentation on Application Security best practices at the 6th OWASP AppSec conference in Milan Italy, May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan WebGoatv5.ppt | WebGoat v5 (Dave Wichers)]] ||WebGoat v5 presentation by Dave Wichers at the 6th OWASP AppSec Conference in Milan, Italy, May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan WebScarabNG.ppt | WebScarab NG (Dave Wichers)]] ||Description of the new WebScarab-NG efforts presented by Dave Wichers at the 6th OWASP AppSec conference in Milan, Italy in May 2007.|| Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SANS SPSA Initiative.ppt | SANS SPSA Initiative (Dave Wichers)]] ||Description of the SANS Secure Coding Exam Initiative presented by Dave Wichers at the 6th OWASP AppSec conference in Milan Italy, May 2007.|| Novice || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OWASPItalyActivities.ppt | OWASP Italy Activities (Raoul Chiesa)]] ||Raoul Chiesa's keynote for day 2 of the 6th OWASP AppSec conference on the state of application security in Italy including OWASP's activities in that country.|| Novice || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SecurityEngineeringInVista.ppt | Security engineering in Vista (Alex Lucas)]] ||Alex Lucas' from Microsoft's keynote presentation for Day 1 of the 6th OWASP AppSec conference in Milan on the benefits of Microsoft's SDL to the security of Vista. || Intermediate || 2007-05-16
|-valign="top"
|[http://www.owasp.org/images/5/5f/OWASPAppSec2006Seattle_SecurityEngineeringInVista.ppt How the Security Development Lifecycle(SDL) Improved Windows Vista (Michael Howard)] || Michael Howard's talk on SDL from the OWASP Seattle AppSec Conference in 2006 || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/3/34/OWASPAppSecEU2006_Bootstrapping_the_Application_Assurance_Process.ppt Bootstrapping the Application Assurance Process (Sebastien Deleersnyder)] || Presentation given during the European 2006 AppSec conference on the application assurance process || Novice || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/8/8b/OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt Inline Approach for Secure SOAP Requests and Early Validation (Mohammad Ashiqur Rahaman, Maartin Rits and Andreas Schaad SAP Research, Sophia Antipolis, France)] || Presentation given at the European 2006 AppSec conference about security and soap message structure issues || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt Web Application Firewalls:When Are They Useful? (Ivan Ristic)] || Presentation about Web Application Firewalls || Novice || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt HTTP Message Splitting, Smuggling and Other Animals (Amit Klein)] || A presentation about Message splitting other attacks around the HTTP protocol || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/f/f6/OWASPAppSec2006Seattle_WebAppForensics.ppt Web Application Incident Response & Forensics: A Whole New Ball Game! (Rohyt Belani & Chuck Willis)] || Talk about Web Application Security incident handling and forensics given at the OWASP 2006 Seattle AppSec conference || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/d/d2/OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10.ppt Can (Automated) Testing Tools Really Find the OWASP Top 10? (Erwin Geirnaert) ] || A talk about how automated testing tools stack up against the OWASP top 10 || Intermediate || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/2/28/OWASPAppSecEU2006_RequestRodeo.ppt RequestRodeo: Client Side Protection against Session Riding (Martin Johns / Justus Winter)] || Presentation given about how Sessions can be hi-jacked, etc... || Novice || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/6/62/OWASPAppSecEU2006_SecurityTestingthruAutomatedSWTests.ppt Security Testing through Automated Software Tests (Stephen de Vries)] || Presentation given at the 2006 EuSec conference || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/0/0e/AppSec2005DC-Jeremy_Poteet-In_the_Line_of_Fire.ppt In the Line of Fire: Defending Highly Visible Targets (Jeremy Poteet)] || Conference given at the 2005 DC AppSec conference || Novice || 2005-10-1
|-valign="top"
|[http://www.owasp.org/images/9/93/AppSec2005DC-Matt_Fisher-Google_Hacking_and_Worms.ppt Google Hacking and Web Application Worms (Matt Fisher)] || Talk given at the 2005 DC AppSec conference || Novice || 2005-10-01
|-valign="top"
|[http://www.owasp.org/images/0/05/AppSec2005DC-Anthony_Canike-Enterprise_AppSec_Program.ppt Establishing an Enterprise Application Security Program (Tony Canike)] || Talk given at the 2005 DC AppSec Conference || Novice || 2005-10-01
|-valign="top"
|[https://owasp.org/images/0/0d/OWASPAppSec2006Seattle_Why_AJAX_Applications_More_Likely_Insecure.ppt Why AJAX Applications Are Far More Likely To Be Insecure (And What To Do About It) (Dave Wichers)] || Dave's talk on AJAX given at the Seattle 2006 AppSec conference || Intermediate || 2006-10-01
|-valign="top"
|}

<br>

== Web Application Security Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ Web Application Security Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (yyyy-mm-dd)
|-valign="top"
|[[:Image:Protecting Web Applications from Universal PDF XSS.ppt| Universal PDF XSS by Ivan Ristic]] || Protecting Web Applications from Universal PDF XSS || Intermediate || 2007-06-28
|-valign="top"
|[[:Image:IdM-OWASP.v.0.2.14.pdf|Identity Management Basics (Derek Brown)]] ||Identity Management Basics|| Novice || 2007-05-09
|-valign="top"
|[[http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt Advanced SQL Injection (Victor Chapela)] || Detailed methodology for analyzing applications for SQL injection vulnerabilities || Expert || 2005-11-04
|-valign="top"
|[[http://www.owasp.org/images/7/7d/Advanced_Topics_on_SQL_Injection_Protection.ppt Advanced Topics on SQL Injection Protection (Sam NG)] || 7 methods to prevent SQL injection attacks correctly and in a more integrated approach. Methods 1 to 3 are applicable during design or development life cycle. Method 4 is mainly from QA’s perspective. Methods 5 and 6 can be applied to production environment and are applicable even if you do not have access to or if you cannot change the source code. Other non-main stream technology are discussed in Method 7. || Intermediate || 2006-02-27
|-valign="top"
|[[http://www.owasp.org/images/d/d1/AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt Attacking Web Services (Alex Stamos)] || Web Services Introduction and Attacks || Intermediate || 2005-10-11
|-valign="top"
|[http://www.owasp.org/images/7/72/MMS_Spoofing.ppt MMS Spoofing (Matteo Meucci)] || A Case-study of a vulnerable web application || Intermediate
|-valign="top"
|[http://www.owasp.org/images/f/f9/OWASPAppSecEU2006_AJAX_Security.ppt Ajax Security (Andrew van der Stock)] || Presentation on Ajax security for OWASP AppSec Europe 2006 || Intermediate || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/3/3a/OWASPAppSec2006Seattle_Web_Services_Security.ppt Advanced Web Services Security & Hacking (Justin Derry)] || Presentation given on Webservice security at the Seattle 2006 AppSec conference || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/f/f6/Integration_into_the_SDLC.ppt Integration into the SDLC (Eoin Keary)] || A presentation about why and how to integrate the SDLC. || Novice || 2005-04-09
|-valign="top"
|[[ (https://www.owasp.org/index.php/User_talk:Briechenstein_Software_Studio || Intermediate || 2015-07-04
|}

<br>

== Chapter Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ Chapter Presentations
!width="30%" |Title
!width="30%" |Comment
!width="10%" |Level
!width="10%" |Month (Mon-yyyy)
!width="10%" |Chapter

|-valign="top"
|[[:Image:Common_Application_Flaws.ppt| Common Application Flaws (Brett Moore) ]] ||OWASP New Zealand chapter presentation on Common Application Flaws|| Novice/Intermediate ||November 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Time_Based_SQL_Injections.ppt| Time Based SQL Injections (Muhaimin Dzulfakar) ]] ||OWASP New Zealand chapter presentation on Time Based SQL Injections|| Intermediate ||September 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Browser_security.ppt| Browser Security (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Browser Security|| Intermediate ||September 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:OWASP_CMH_SQLInjection__20080707.zip| 7/7/2008 SQL Injection (Columbus, OH)]] || SQL Injection Presentation given at the Columbus, OH OWASP Chapter Meeting. Powerpoint, derby DB, and applicable java code. || Novice / Intermediate || July 2008 || [[Columbus]]
|-valign="top"
|[[:Image:OWASP_ellak-Greece.ppt| Detecting Web Application Vulnerabilities Using Open Source Means (Konstantinos Papapanagiotou) ]] ||OWASP Greek Chapter presentation given at the Open Source Software (FLOSS) Conference in Athens|| Novice ||May 2008 || [[Greece]]
|-valign="top"
|[[:Image:Hacking_The_World_With_Flash.ppt| Hacking The World With Flash (Paul Craig) ]] ||OWASP New Zealand chapter presentation on Flash security|| Intermediate ||April 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Web_spam_techniques.ppt| Web Spam Techniques (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Web Spam Techniques|| Intermediate ||April 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Xpath_Injection.ppt| Xpath Injection Overview (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Xpath Injection|| Intermediate ||February 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Owasp security4mobileJava.pdf| Dependability for Java Mobile Code (Pierre Parrend) ]] ||OWASP Swiss chapter presentation on Mobile Java Security || Expert ||July 2007 || [[Switzerland]]
|-valign="top"
|[[:Image:Trust Security Usability - v1.0.pdf|Trust, Security and Usability (Roger Carhuatocto) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:OWASP-tratamiento_de_datos.pdf|Tratamiento seguro de datos en aplicaciones in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Conferencia_OWASP.pdf|Ataques DoS en aplicaciones Web (Jaime Blasco Bermejo) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Seguridad en entornos financieros.pdf|Seguridad en entornos financierosPedro (Pedro Sánchez) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Java_Open_Review.ppt|Brian Chess from Fortify shared what's going on with the Java Open Source review project at the June NoVA OWASP meeting]] || Java Open Review || Intermediate ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Bytecode_injection.ppt|Brian Chess from Fortify, presentation to NoVA OWASP chapter in June 2007.]] || Bytecode injection || Expert ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Security at the VMM Layer - OWASP.ppt|Security at the VMM Layer by Ted Winograd]] || Security at the VMM Layer || Expert ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:KC June 2007 Evaluating and Tuning WAFs.pdf|Evaluating and Tuning Web Application Firewalls (Barry Archer)]] ||Presentation given at Kansas City June 2007 chapter meeting|| Intermediate ||June 2007 || [[Kansas City]]
|-valign="top"
|[[:Image:OWASP_SDL-IT.pdf|Microsoft Security Development Lifecycle for IT (Rob Labbé)]] ||Presentation by Rob Labbe at Ottawa OWASP Chapter|| Novice ||May 2007|| [[Ottawa]]
|-valign="top"
|[[:Image:OWASP_IL_7_Application_DOS.pdf|Application Denial of Service (Shaayy Cheen)]] ||Is it Really That Easy? Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP_IL_7_FuzzGuru.pdf|Fuzzing in Microsoft and FuzzGuru framework (John Neystadt)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP_IL_7_AppSec_and_Beyond.pdf|Application Security, not just development (David Lewis)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 Overtaking Google Desktop.pdf|Overtaking Google Desktop, Leveraging XSS to Raise Havoc (Yair Amit)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 UnregisterAttackInSip.pdf|Unregister Attack in SIP (Anat Bremler-Barr, Ronit Halachmi-Bekel and Jussi Kangasharju)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 WAF Positive Security.pdf|Positive Security Model for Web Applications, Challenges and Promise (Ofer Shezaf)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 DOT NET Reverse Engineering.pdf|.NET Reverse Engineering (Erez Metula)]] ||Presentation given at the Israel Mini Conference in May 2007|| Expert ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 OWASP Introduction.pdf|OWASP introduction (Ofer Shezaf)]] ||2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP BeLux 2007-06-22 Update on Internet Attack Statistics for Belgium in 2006.ppt|Update on Internet Attack Statistics for Belgium in 2006 by Hilar Leoste (Zone-H)]] || Update on Internet Attack Statistics for Belgium in 2006 || Novice ||May 2007 || [[Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:InfoSec_World_2007_-_Web_services_gateways.ppt Securing Web Services using XML Security Gateways by Tim Bond] || Securing Web Services using XML Security Gateways || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:SwA_Acquisition_WG_-_Overview.ppt Software Assurance in the Acquisition Process by Stan Wisseman] || Software Assurance in the Acquisition Process || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_Legal_Aspects_Jos_Dumortier.zip Legal Aspects of (Web) Application Security by Jos Dumortier] || Legal Aspects of (Web) Application Security || Intermediate ||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_AppSec_Research_Lieven_Desmet.zip AppSec Research (University Leuven Belgium)] || Formal absence of implementation bugs in web applications: a case study on indirect data sharing by Lieven Desmet || Expert ||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[[:Image:Scanner-Sparkly.ppt|A Scanner Sparkly]] || A Scanner Sparkly, taken from the Phoenix OWASP presentations on Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]
|-valign="top"
|[[:Image:Owasp-lessonslearned.ppt|Grey Box Assessment Lessons Learned]] || "Grey Box Assessment Lessons Learned", taken from the Phoenix OWASP presentations, Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_OWASP_Update.zip OWASP Update and OWASP BeLux Board Presentation (Seba)] || OWASP Update and OWASP BeLux Board Presentation || Novice||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[[:Image:Security Metics- What can we measure- Zed Abbadi.pdf|Metics- What can we measure (Zed Abbadi)]] ||19 April NoVa chapter meeting presentation on Security Metrics || Novice ||April 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Web Services Hacking and Hardening.pdf| Web Services Hacking and Hardening (Adam Vincent) ]] ||3/8/07 NoVA chapter meeting, Adam Vincent from Layer7 || Expert ||March 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/images/f/fe/Pres_20070206_04_svetsch_xss_worms_owasp.zip XSS Worms (Sven Vetsch)] || XSS Worms || Intermediate ||Feb 2007 || [[Switzerland|Switzerland]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_WebGoat-Pantera.zip WebGoat and Pantera presentation (Philippe Bogaerts)] || WebGoat and Pantera presentation || Novice || Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_AOP_security.zip Security implications of AOP for secure software (Bart De Win)] || Security implications of AOP for secure software || Expert || Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/images/1/12/OWASP_Denver_Nov-06_presentation.ppt testing for common security flaws (David Byrne)] || testing for common security flaws || Intermediate || Nov 2006 || [[Denver|Denver]]
|-valign="top"
|[http://www.owasp.org/images/7/7c/Owasp-olli.pdf 40-ish slides on analyzing threats (Olli)] || Analyzing Threats || Novice || Dec 2006 || [[Helsinki|Helsinki]]
|-valign="top"
|[http://www.owasp.org/images/2/2c/KC_Dec2006_Attacking_The_App.pdf Attacking the Application (Dave Ferguson)] || Vulnerabilities, attacks and coding suggestions || Intermediate || Dec 2006 || [[Kansas City|Kansas City]]
|-valign="top"
|[http://www.owasp.org/images/6/6a/KC_Dec2006_Ajax_Security_Concerns.pdf Ajax Security Concerns (Rohini Sulatycki)] || Ajax Security Concerns || Intermediate ||Dec 2006 || [[Kansas City|Kansas City]]
|-valign="top"
|[http://www.owasp.org/images/8/8c/Anatomy_of_2_Web_App_Testing.zip Anatomy of 2 Web Application Testing (Matteo Meucci)] || Anatomy of 2 Web Application Testing || Intermediate || Mar 2006 || [[Italy|Italy]]

|-valign="top"

|[https://www.owasp.org/images/9/99/WTE-Cloud-Austin-2012-02.pdf Testing From the Cloud: Is the Sky Falling? ] || WTE Cloud-based Testing || Intermediate || Feb 2012 || [[Austin|Austin]]
|-valign="top"

|(https://www.owasp.org/index.php/User_talk:Briechenstein_Software_Studio) || Open Web application Security Project|| Intermediate|| 2015-07-04 ||

Chapter 4

Specification Language

This formal specification by language example presents cybersecurity studies (of over 10 projects) of how successful OWASP educational presentations test develop design and deliver cybersecurity software efficiently supporting formal methods as mathematically based techniquesthat are needed to assist in the design and implementation of reliable cybersecurity software.

Specification by language example is a must read for anyone serious about delivering translated cybersecurity language software that matters It is the result of a research on how teams internationally specify test develop design and deliver the right cybersecurity software without defects in very short computational delivery cycles With cybersecurity case studies and real examples this presentation helps you understand how successful teams implement mathematical cybersecurity by example denoting
acceptable testing and behavior driven development to bridge the communication gap between committees stakeholders and contributing teams build quality into cybersecurity from the start by testing developing designing and delivering supported languagfor syntax highlighting purposes It presents the collective knowledge of about 50 cybersecurity projects ranging from high traffic websites to virtual back office cybersecurity systems implemented by teams as diverse as small startups to groups spread across different continents working in a range of processes including Extreme programming Kanban Scrum and similar processes often bundled together under the names Lean and Agile This protocol is for testers software developers business analysts and project managers working on Syntax and Agile projects or teams moving to an Agile development method that want to improve quality reduce correction of defective cybersecurity software and collaborate better with the OWASP committee.
Smith

*Retrieved notes from Categories Specification languages and Formal specification
For the last past decade computer systems have become increasingly more powerful as a result becoming more impactful to society Established engineering disciplines use mathematical analysis as the foundation of creating and validating product design Formal language specifications are one im such a way for achievement in software engineering as reliability once predicted Other methods such as testing are more commonly used to enhance code quality

Usability given as such a specification it is possible to use formal verification techniques to demonstrate that a system design is correct with respect to its specification This allows incorrect system designs to be revised before any major investments have been made into an actual implementation Another approach is to use provably correct refinement steps to transform a specification into a design which is ultimately transformed into an implementation that is correct by construction.

*It is important to note that a formal specification is not an implementation but rather it may be used to develop an implementation Formal specifications describe what a system should do not how the system should do it A good specification must have some of the following attributes: adequate internally consistent unambiguous complete satisfied constructability manageability and evolvability Usability Communicability Powerful and efficient analysis which is one of the main reasons there is interest in formal specifications that will provide an ability to perform proofs on cybersecurity software implementations These proofs may be used to validate a specification verify correctness of design, or to prove that a program satisfies a specification.

Limitations
A design (or implementation) cannot ever be declared “correct” on its own. It can only ever be “corrected with respect to a given specification Whether the formal specification correctly describes the problem to be solved is a separate issue It is also a difficult issue to address since it ultimately concerns the problem constructing abstracted formal representations of an informal concrete problem domain and such an abstraction step is not amenable to formal proof. However, it is possible to validate a specification by proving “challenge” theorems concerning properties that the specification is expected to exhibit.o_O If correct Olloclip In these theorems reinforce the specifier's understanding of the specification and its relationship with the underlying problem domain If not the specification probably needs to be changed to better reflect the domain understanding of those involved with producing (and implementing) the specification.

Flexibility
As far as flexibility goes a lot of software companies use agile methodologies that focus on flexibility Doing a formal specification of the whole system up front is often perceived as being the opposite of flexible However there is some research into the benefits of using formal specifications with "agile" development
Complexity is a requirement that is a high level of mathematical expertise and the analytical skills to understand and apply them effectively
I have a solution to develop resources and models that allow for these techniques to be implemented but hide underlying mathematics

I hope to accomplish a good job of specifying user interfaces and user interaction that is Not cost-effective

Formal specification techniques have existed in various domains and on various scales for quite some time Implementations of formal specifications will differ depending on what kind of system they are attempting to model how they are applied and at what point in the software life cycle they have been introduced These types of models can be categorized into the following specification paradigms:

History-based specification

behavior based system histories
assertions are interpreted over time
State-based Specification
behavior based on system states
series of sequential steps (e.g. a financial transaction)
languages such as Z, VDM or B rely on this paradigm+
Transition-based specification
behavior based on transitions from state-to-state of the system
best used with a reactive system
languages such as Statecharts PROMELA STeP-SPL RSML or SCR rely on this paradigm
Functional specification
specify a system as a structure of mathematical functions
OBJ, ASL, PLUSS, LARCH, HOL or PVS rely on this paradigm
Operational Specification
early languages such as Paisley GIST Petri nets or process algebras rely on this paradigm
In addition to the above paradigms there are ways to apply certain heuristics to help improve the creation of these specifications The protocol referenced here best discusses heuristics to use when designing a specification.Heuristics= a rule or method that helps you solve problems faster than you would if you did all the computing

Resources:
Algebraic specification= Providing a mathematical software engineering technique

References:
^ a b c d e f g h i j k l m n o Lamsweerde, A. V. (2000). "Formal specification". Proceedings of the conference on the future of Software engineering - ICSE '00. p. 147. doi:10.1145/336512.336546. ISBN
^ a b c d Sommerville, Ian (2009). "Formal Specification" (PDF). Software Engineering. Retrieved
^ a b c Nummenmaa, Timo; Tiensuu, Aleksi; Berki, Eleni; Mikkonen, Tommi; Kuittinen, Jussi; Kultima, Annakaisa (4 August 2011). "Supporting agile development by facilitating natural user interaction with executable formal specifications". ACM SIGSOFT Software Engineering Notes 36 (4): 1–10. doi:10.1145/1988997.2003643. edit

Best Wishes,
Brenda Smith
a55dayidream@gmail.com

[[Category:Specification languages]]
[[Category:OWASP Education Project]]
[[Category:OWASP Presentations]]
[[Category:Chapter Resources]]

OWASP Education Presentation

2015-07-16T14:23:49Z

Timo.goosen: /* OWASP Education Presentations */

This page provide a commented overview of the OWASP presentations available.<br>
Please use the last line of the tables as template.<br>
Presentions can be tracked through:
* the [http://www.owasp.org/index.php/Category:OWASP_Presentations OWASP Presentations Category]
* [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference Past OWASP Conference agenda's]
* From the chapter pages
Everybody is encouraged to link the presentations and add their findings on this page !
There are currently hundreds of presentations all over the OWASP web site.
If you search google with “site:owasp.org filetype:ppt” there are 166 hits. “site:owasp.org filetype:pdf” returns 76.
Feel free to “mine” them and add them to the overview.

== OWASP Education Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Education Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (2015-07-04)
|-valign="top"
|[https://www.owasp.org/index.php/Education/Free_Training Free Developer Training]|| Developer AppSec Course by [[Eoin Keary]] and [https://www.owasp.org/index.php/User:Jmanico Jim Manico] || Intermediate || 2014-04-04
|-valign="top"
|[[:Image:OWASP Overview Winter 2009v1.pptx|OWASP Overview Winter 2009]]|| Updated overview of OWASP || Novice || 2009-12-08
|-valign="top"
|[[:Image:Programa_de_Educacion_OWASP.ppt|Programa de Educacion OWASP]]|| Una introduccion a OWASP para Universidades y Centros Educativos por Fabio Cerullo|| Novice || 2009-03-20
|-valign="top"
|[[:Image:OWASP_Educational_Programme.ppt|OWASP Educational Programme]]|| An introduction to OWASP for Universities & Educational Institutions by Fabio Cerullo|| Novice || 2009-03-20
|-valign="top"
|[[:Image:OWASP Overview Summer 2009.pptx|OWASP Overview Summer 2009]]|| Recent overview of OWASP by Jeff Williams || Novice || 2009-08-25
|-valign="top"
|[[:Image:Education Module Why WebAppSec Matters.ppt|Why WebAppSec Matters]]|| This module explains why security should be considered when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:OWASP-Intro-2008-portuguese.ppt|OWASP Intro 2008 Portuguese]]|| Este módulo é uma intrudução sobre o projeto OWASP. || Novice || 2008-07-06
|-valign="top"
|[[:Image:Education Module OWASP Top 10 Introduction and Remedies.ppt|OWASP Top 10 Introduction and Remedies]]|| This module explains the OWASP Top 10 web application vulnerabilities as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Embed within SDLC.ppt|Embed within SDLC]]|| This module explains the complete approach of Web Application Security when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Good Secure Development Practices.ppt|Good Secure Development Practices]]|| This module explains some good secure development practices when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Testing for Vulnerabilities.ppt|Testing for Vulnerabilities]]|| This module explains application security testing when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Good WebAppSec Resources.ppt|Good WebAppSec Resources]]|| This module points you to some good web application security resources when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|}
,
<br>

== OWASP Project Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Project Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (yyyy-mm-dd)
|-valign="top"
|[[:Image:Germany 2008 Conference OWASP Introduction v1.pptx|OWASP Introduction]] || OWASP Overview presentation covering OWASP, project parade and OWASP near you. Given by Seba during the Germany 2008 Conference || Novice || 2008-11-25
|-valign="top"
|[[:Image:OWASP Foundation The story so far and beyond - Part 1.ppt|India08 Keynote - Part 1]] || OWASP Overview presentation. Part 1 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[[:Image:OWASP Foundation The story so far and beyond - Part 2.ppt|India08 Keynote - Part 2]] || OWASP Overview presentation. Part 2 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[[:Image:OWASP India - Tour of OWASP projects.ppt|Tour of OWASP’s projects]] || Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[https://www.owasp.org/images/5/59/RISK_2008_OWASP_Introduction_v1.pptx OWASP @ RISK08 (Norway)] || OWASP introduction at Norway RISK2008 conference by Seba || Novice || 2008-04-23
|-valign="top"
|[[:Image:OWASP NY Keynote.ppt|OWASP NY Keynote by Jeff]] also available in [[:Image:20070620-FR-OWASP NY Keynote.ppt|French]]|| OWASP Overview presentation with slide "OWASP by the numbers" and slide with the sorry state of Tools (at best 45%) which caused some controverse || Novice || 2007-06-12
|-valign="top"
|[http://www.owasp.org/images/a/af/OWASP_Testing_Guide_Presentation.zip The OWASP Testing Guide (Jeff Williams)] || Overview of the OWASP Testing Guide || Novice || 2007-01-23
|-valign="top"
|[http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip The OWASP Testing Guide v2 EUSecWest07 (Matteo Meucci, Alberto Revelli)] || Presentation at EUSecWest07 || Intermediate || 2007-03-01
|-valign="top"
|[http://www.owasp.org/images/3/3c/OWASP_Flyer_Sep06.ppt OWASP Project Overview] || High level overview of projects and how OWASP works || Novice || 2006-09-19
|-valign="top"
|[http://www.owasp.org/images/4/49/OWASPAppSec2006Seattle_Security_Metrics.ppt The OWASP Application Security Metrics Project (Bob Austin)] || Presentation on the Application Security Metrics project || Novice || 2006-10-17
|-valign="top"
|[http://www.owasp.org/images/5/53/OWASPAppSecEU2006_CLASP_Project.ppt OWASP CLASP Project (Pravir Chandra)] || OWASP CLASP project presentation given at the 2006 European AppSec conference || Novice || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/3/30/OWASPAppSec2006Seattle_UsingSprajaxToTestAJAXSecurity.ppt Sprajax (Dan Cornell)] || OWASP Sprajax presentation given at the 2006 Seattle AppSec conference || Intermediate || 2006-10-17
|-valign="top"
|}

<br>

== OWASP Conference Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Conference Presentations
!width="30%" | Title
!width="40%" | Comment
!width="15%" | Level
!width="15%" |Date (yyyy-mm-dd)

|-valign="top"
|[[:Image:OWASPAppSec2007Milan ModSecurityCoreRuleSet.ppt | Mod Security Core Rule Set (Ofer Shezaf)]] ||Ofer Shezaf's presentation on the Core Ruleset for the latest version of ModSecurity presented at 6th OWASP AppSec conference in Milan, Italy, in May 2007.|| Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OWASPTestingGuide2v1.ppt | OWASP Testing Guide v2.1 (Matteo Meucci)]] ||Matteo Meucci's presentation on the OWASP Testing Guide v2 at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan CLASP.ppt | CLASP (Pravir Chandra)]] ||Pravir Chandra's presentation on the upcoming 2007 update to CLASP presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan AdvancedWebHacking.ppt | Advanced Web Hacking (PDP)]] ||PDPs presentation at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan XMLSecurityGatewayEvalCriteria.ppt | XML Security Gateway Evaluation Criteria (Gunnar Peterson)]] ||Gunnar Peterson's presentation about the new XML Security Gateway Evaluation Criteria project at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan TestingFlashApplications.ppt | Testing Flash Applications (Stephano Di Paolo)]] ||Stephano Di Paolo's presentation on how to test Flash applications presented at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert|| 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OvertakingGoogleDesktop.ppt | Overtaking Google Desktop (Yair Amit)]] ||Yair Amit's presentation on XSS Flaws in Google Desktop that can be exploited through google.com presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan MS ACETeamAppSecfromTheCore.ppt | ACE Team Application Security from the Core (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the Microsoft ACE team's application security process at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan Pantera.ppt | Pantera (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the new OWASP tool Pantera at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan ProtectingWebAppsfromUniversalPDFXSS.ppt | Protecting Web applications from universal PDF XSS (Ivan Ristic)]] ||Ivan Ristic's Universal XSS PDF presentation at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SoftwareSecurity.ppt | Software Security (Rudolph Araujo)]] ||Rudolph Araujo's presentation on Application Security best practices at the 6th OWASP AppSec conference in Milan Italy, May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan WebGoatv5.ppt | WebGoat v5 (Dave Wichers)]] ||WebGoat v5 presentation by Dave Wichers at the 6th OWASP AppSec Conference in Milan, Italy, May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan WebScarabNG.ppt | WebScarab NG (Dave Wichers)]] ||Description of the new WebScarab-NG efforts presented by Dave Wichers at the 6th OWASP AppSec conference in Milan, Italy in May 2007.|| Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SANS SPSA Initiative.ppt | SANS SPSA Initiative (Dave Wichers)]] ||Description of the SANS Secure Coding Exam Initiative presented by Dave Wichers at the 6th OWASP AppSec conference in Milan Italy, May 2007.|| Novice || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OWASPItalyActivities.ppt | OWASP Italy Activities (Raoul Chiesa)]] ||Raoul Chiesa's keynote for day 2 of the 6th OWASP AppSec conference on the state of application security in Italy including OWASP's activities in that country.|| Novice || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SecurityEngineeringInVista.ppt | Security engineering in Vista (Alex Lucas)]] ||Alex Lucas' from Microsoft's keynote presentation for Day 1 of the 6th OWASP AppSec conference in Milan on the benefits of Microsoft's SDL to the security of Vista. || Intermediate || 2007-05-16
|-valign="top"
|[http://www.owasp.org/images/5/5f/OWASPAppSec2006Seattle_SecurityEngineeringInVista.ppt How the Security Development Lifecycle(SDL) Improved Windows Vista (Michael Howard)] || Michael Howard's talk on SDL from the OWASP Seattle AppSec Conference in 2006 || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/3/34/OWASPAppSecEU2006_Bootstrapping_the_Application_Assurance_Process.ppt Bootstrapping the Application Assurance Process (Sebastien Deleersnyder)] || Presentation given during the European 2006 AppSec conference on the application assurance process || Novice || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/8/8b/OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt Inline Approach for Secure SOAP Requests and Early Validation (Mohammad Ashiqur Rahaman, Maartin Rits and Andreas Schaad SAP Research, Sophia Antipolis, France)] || Presentation given at the European 2006 AppSec conference about security and soap message structure issues || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt Web Application Firewalls:When Are They Useful? (Ivan Ristic)] || Presentation about Web Application Firewalls || Novice || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt HTTP Message Splitting, Smuggling and Other Animals (Amit Klein)] || A presentation about Message splitting other attacks around the HTTP protocol || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/f/f6/OWASPAppSec2006Seattle_WebAppForensics.ppt Web Application Incident Response & Forensics: A Whole New Ball Game! (Rohyt Belani & Chuck Willis)] || Talk about Web Application Security incident handling and forensics given at the OWASP 2006 Seattle AppSec conference || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/d/d2/OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10.ppt Can (Automated) Testing Tools Really Find the OWASP Top 10? (Erwin Geirnaert) ] || A talk about how automated testing tools stack up against the OWASP top 10 || Intermediate || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/2/28/OWASPAppSecEU2006_RequestRodeo.ppt RequestRodeo: Client Side Protection against Session Riding (Martin Johns / Justus Winter)] || Presentation given about how Sessions can be hi-jacked, etc... || Novice || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/6/62/OWASPAppSecEU2006_SecurityTestingthruAutomatedSWTests.ppt Security Testing through Automated Software Tests (Stephen de Vries)] || Presentation given at the 2006 EuSec conference || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/0/0e/AppSec2005DC-Jeremy_Poteet-In_the_Line_of_Fire.ppt In the Line of Fire: Defending Highly Visible Targets (Jeremy Poteet)] || Conference given at the 2005 DC AppSec conference || Novice || 2005-10-1
|-valign="top"
|[http://www.owasp.org/images/9/93/AppSec2005DC-Matt_Fisher-Google_Hacking_and_Worms.ppt Google Hacking and Web Application Worms (Matt Fisher)] || Talk given at the 2005 DC AppSec conference || Novice || 2005-10-01
|-valign="top"
|[http://www.owasp.org/images/0/05/AppSec2005DC-Anthony_Canike-Enterprise_AppSec_Program.ppt Establishing an Enterprise Application Security Program (Tony Canike)] || Talk given at the 2005 DC AppSec Conference || Novice || 2005-10-01
|-valign="top"
|[https://owasp.org/images/0/0d/OWASPAppSec2006Seattle_Why_AJAX_Applications_More_Likely_Insecure.ppt Why AJAX Applications Are Far More Likely To Be Insecure (And What To Do About It) (Dave Wichers)] || Dave's talk on AJAX given at the Seattle 2006 AppSec conference || Intermediate || 2006-10-01
|-valign="top"
|[[ (https://www.owasp.org/index.php/User_talk:Briechenstein_Software_Studio) ||Security Analyst || Intermediate|| 2015-07-04
|}

<br>

== Web Application Security Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ Web Application Security Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (yyyy-mm-dd)
|-valign="top"
|[[:Image:Protecting Web Applications from Universal PDF XSS.ppt| Universal PDF XSS by Ivan Ristic]] || Protecting Web Applications from Universal PDF XSS || Intermediate || 2007-06-28
|-valign="top"
|[[:Image:IdM-OWASP.v.0.2.14.pdf|Identity Management Basics (Derek Brown)]] ||Identity Management Basics|| Novice || 2007-05-09
|-valign="top"
|[[http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt Advanced SQL Injection (Victor Chapela)] || Detailed methodology for analyzing applications for SQL injection vulnerabilities || Expert || 2005-11-04
|-valign="top"
|[[http://www.owasp.org/images/7/7d/Advanced_Topics_on_SQL_Injection_Protection.ppt Advanced Topics on SQL Injection Protection (Sam NG)] || 7 methods to prevent SQL injection attacks correctly and in a more integrated approach. Methods 1 to 3 are applicable during design or development life cycle. Method 4 is mainly from QA’s perspective. Methods 5 and 6 can be applied to production environment and are applicable even if you do not have access to or if you cannot change the source code. Other non-main stream technology are discussed in Method 7. || Intermediate || 2006-02-27
|-valign="top"
|[[http://www.owasp.org/images/d/d1/AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt Attacking Web Services (Alex Stamos)] || Web Services Introduction and Attacks || Intermediate || 2005-10-11
|-valign="top"
|[http://www.owasp.org/images/7/72/MMS_Spoofing.ppt MMS Spoofing (Matteo Meucci)] || A Case-study of a vulnerable web application || Intermediate
|-valign="top"
|[http://www.owasp.org/images/f/f9/OWASPAppSecEU2006_AJAX_Security.ppt Ajax Security (Andrew van der Stock)] || Presentation on Ajax security for OWASP AppSec Europe 2006 || Intermediate || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/3/3a/OWASPAppSec2006Seattle_Web_Services_Security.ppt Advanced Web Services Security & Hacking (Justin Derry)] || Presentation given on Webservice security at the Seattle 2006 AppSec conference || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/f/f6/Integration_into_the_SDLC.ppt Integration into the SDLC (Eoin Keary)] || A presentation about why and how to integrate the SDLC. || Novice || 2005-04-09
|-valign="top"
|[[ (https://www.owasp.org/index.php/User_talk:Briechenstein_Software_Studio || Intermediate || 2015-07-04
|}

<br>

== Chapter Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ Chapter Presentations
!width="30%" |Title
!width="30%" |Comment
!width="10%" |Level
!width="10%" |Month (Mon-yyyy)
!width="10%" |Chapter

|-valign="top"
|[[:Image:Common_Application_Flaws.ppt| Common Application Flaws (Brett Moore) ]] ||OWASP New Zealand chapter presentation on Common Application Flaws|| Novice/Intermediate ||November 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Time_Based_SQL_Injections.ppt| Time Based SQL Injections (Muhaimin Dzulfakar) ]] ||OWASP New Zealand chapter presentation on Time Based SQL Injections|| Intermediate ||September 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Browser_security.ppt| Browser Security (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Browser Security|| Intermediate ||September 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:OWASP_CMH_SQLInjection__20080707.zip| 7/7/2008 SQL Injection (Columbus, OH)]] || SQL Injection Presentation given at the Columbus, OH OWASP Chapter Meeting. Powerpoint, derby DB, and applicable java code. || Novice / Intermediate || July 2008 || [[Columbus]]
|-valign="top"
|[[:Image:OWASP_ellak-Greece.ppt| Detecting Web Application Vulnerabilities Using Open Source Means (Konstantinos Papapanagiotou) ]] ||OWASP Greek Chapter presentation given at the Open Source Software (FLOSS) Conference in Athens|| Novice ||May 2008 || [[Greece]]
|-valign="top"
|[[:Image:Hacking_The_World_With_Flash.ppt| Hacking The World With Flash (Paul Craig) ]] ||OWASP New Zealand chapter presentation on Flash security|| Intermediate ||April 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Web_spam_techniques.ppt| Web Spam Techniques (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Web Spam Techniques|| Intermediate ||April 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Xpath_Injection.ppt| Xpath Injection Overview (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Xpath Injection|| Intermediate ||February 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Owasp security4mobileJava.pdf| Dependability for Java Mobile Code (Pierre Parrend) ]] ||OWASP Swiss chapter presentation on Mobile Java Security || Expert ||July 2007 || [[Switzerland]]
|-valign="top"
|[[:Image:Trust Security Usability - v1.0.pdf|Trust, Security and Usability (Roger Carhuatocto) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:OWASP-tratamiento_de_datos.pdf|Tratamiento seguro de datos en aplicaciones in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Conferencia_OWASP.pdf|Ataques DoS en aplicaciones Web (Jaime Blasco Bermejo) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Seguridad en entornos financieros.pdf|Seguridad en entornos financierosPedro (Pedro Sánchez) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Java_Open_Review.ppt|Brian Chess from Fortify shared what's going on with the Java Open Source review project at the June NoVA OWASP meeting]] || Java Open Review || Intermediate ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Bytecode_injection.ppt|Brian Chess from Fortify, presentation to NoVA OWASP chapter in June 2007.]] || Bytecode injection || Expert ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Security at the VMM Layer - OWASP.ppt|Security at the VMM Layer by Ted Winograd]] || Security at the VMM Layer || Expert ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:KC June 2007 Evaluating and Tuning WAFs.pdf|Evaluating and Tuning Web Application Firewalls (Barry Archer)]] ||Presentation given at Kansas City June 2007 chapter meeting|| Intermediate ||June 2007 || [[Kansas City]]
|-valign="top"
|[[:Image:OWASP_SDL-IT.pdf|Microsoft Security Development Lifecycle for IT (Rob Labbé)]] ||Presentation by Rob Labbe at Ottawa OWASP Chapter|| Novice ||May 2007|| [[Ottawa]]
|-valign="top"
|[[:Image:OWASP_IL_7_Application_DOS.pdf|Application Denial of Service (Shaayy Cheen)]] ||Is it Really That Easy? Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP_IL_7_FuzzGuru.pdf|Fuzzing in Microsoft and FuzzGuru framework (John Neystadt)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP_IL_7_AppSec_and_Beyond.pdf|Application Security, not just development (David Lewis)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 Overtaking Google Desktop.pdf|Overtaking Google Desktop, Leveraging XSS to Raise Havoc (Yair Amit)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 UnregisterAttackInSip.pdf|Unregister Attack in SIP (Anat Bremler-Barr, Ronit Halachmi-Bekel and Jussi Kangasharju)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 WAF Positive Security.pdf|Positive Security Model for Web Applications, Challenges and Promise (Ofer Shezaf)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 DOT NET Reverse Engineering.pdf|.NET Reverse Engineering (Erez Metula)]] ||Presentation given at the Israel Mini Conference in May 2007|| Expert ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 OWASP Introduction.pdf|OWASP introduction (Ofer Shezaf)]] ||2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP BeLux 2007-06-22 Update on Internet Attack Statistics for Belgium in 2006.ppt|Update on Internet Attack Statistics for Belgium in 2006 by Hilar Leoste (Zone-H)]] || Update on Internet Attack Statistics for Belgium in 2006 || Novice ||May 2007 || [[Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:InfoSec_World_2007_-_Web_services_gateways.ppt Securing Web Services using XML Security Gateways by Tim Bond] || Securing Web Services using XML Security Gateways || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:SwA_Acquisition_WG_-_Overview.ppt Software Assurance in the Acquisition Process by Stan Wisseman] || Software Assurance in the Acquisition Process || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_Legal_Aspects_Jos_Dumortier.zip Legal Aspects of (Web) Application Security by Jos Dumortier] || Legal Aspects of (Web) Application Security || Intermediate ||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_AppSec_Research_Lieven_Desmet.zip AppSec Research (University Leuven Belgium)] || Formal absence of implementation bugs in web applications: a case study on indirect data sharing by Lieven Desmet || Expert ||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[[:Image:Scanner-Sparkly.ppt|A Scanner Sparkly]] || A Scanner Sparkly, taken from the Phoenix OWASP presentations on Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]
|-valign="top"
|[[:Image:Owasp-lessonslearned.ppt|Grey Box Assessment Lessons Learned]] || "Grey Box Assessment Lessons Learned", taken from the Phoenix OWASP presentations, Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_OWASP_Update.zip OWASP Update and OWASP BeLux Board Presentation (Seba)] || OWASP Update and OWASP BeLux Board Presentation || Novice||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[[:Image:Security Metics- What can we measure- Zed Abbadi.pdf|Metics- What can we measure (Zed Abbadi)]] ||19 April NoVa chapter meeting presentation on Security Metrics || Novice ||April 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Web Services Hacking and Hardening.pdf| Web Services Hacking and Hardening (Adam Vincent) ]] ||3/8/07 NoVA chapter meeting, Adam Vincent from Layer7 || Expert ||March 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/images/f/fe/Pres_20070206_04_svetsch_xss_worms_owasp.zip XSS Worms (Sven Vetsch)] || XSS Worms || Intermediate ||Feb 2007 || [[Switzerland|Switzerland]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_WebGoat-Pantera.zip WebGoat and Pantera presentation (Philippe Bogaerts)] || WebGoat and Pantera presentation || Novice || Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_AOP_security.zip Security implications of AOP for secure software (Bart De Win)] || Security implications of AOP for secure software || Expert || Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/images/1/12/OWASP_Denver_Nov-06_presentation.ppt testing for common security flaws (David Byrne)] || testing for common security flaws || Intermediate || Nov 2006 || [[Denver|Denver]]
|-valign="top"
|[http://www.owasp.org/images/7/7c/Owasp-olli.pdf 40-ish slides on analyzing threats (Olli)] || Analyzing Threats || Novice || Dec 2006 || [[Helsinki|Helsinki]]
|-valign="top"
|[http://www.owasp.org/images/2/2c/KC_Dec2006_Attacking_The_App.pdf Attacking the Application (Dave Ferguson)] || Vulnerabilities, attacks and coding suggestions || Intermediate || Dec 2006 || [[Kansas City|Kansas City]]
|-valign="top"
|[http://www.owasp.org/images/6/6a/KC_Dec2006_Ajax_Security_Concerns.pdf Ajax Security Concerns (Rohini Sulatycki)] || Ajax Security Concerns || Intermediate ||Dec 2006 || [[Kansas City|Kansas City]]
|-valign="top"
|[http://www.owasp.org/images/8/8c/Anatomy_of_2_Web_App_Testing.zip Anatomy of 2 Web Application Testing (Matteo Meucci)] || Anatomy of 2 Web Application Testing || Intermediate || Mar 2006 || [[Italy|Italy]]

|-valign="top"

|[https://www.owasp.org/images/9/99/WTE-Cloud-Austin-2012-02.pdf Testing From the Cloud: Is the Sky Falling? ] || WTE Cloud-based Testing || Intermediate || Feb 2012 || [[Austin|Austin]]
|-valign="top"

|(https://www.owasp.org/index.php/User_talk:Briechenstein_Software_Studio) || Open Web application Security Project|| Intermediate|| 2015-07-04 ||

Chapter 4

Specification Language

This formal specification by language example presents cybersecurity studies (of over 10 projects) of how successful OWASP educational presentations test develop design and deliver cybersecurity software efficiently supporting formal methods as mathematically based techniquesthat are needed to assist in the design and implementation of reliable cybersecurity software.

Specification by language example is a must read for anyone serious about delivering translated cybersecurity language software that matters It is the result of a research on how teams internationally specify test develop design and deliver the right cybersecurity software without defects in very short computational delivery cycles With cybersecurity case studies and real examples this presentation helps you understand how successful teams implement mathematical cybersecurity by example denoting
acceptable testing and behavior driven development to bridge the communication gap between committees stakeholders and contributing teams build quality into cybersecurity from the start by testing developing designing and delivering supported languagfor syntax highlighting purposes It presents the collective knowledge of about 50 cybersecurity projects ranging from high traffic websites to virtual back office cybersecurity systems implemented by teams as diverse as small startups to groups spread across different continents working in a range of processes including Extreme programming Kanban Scrum and similar processes often bundled together under the names Lean and Agile This protocol is for testers software developers business analysts and project managers working on Syntax and Agile projects or teams moving to an Agile development method that want to improve quality reduce correction of defective cybersecurity software and collaborate better with the OWASP committee.
Smith

*Retrieved notes from Categories Specification languages and Formal specification
For the last past decade computer systems have become increasingly more powerful as a result becoming more impactful to society Established engineering disciplines use mathematical analysis as the foundation of creating and validating product design Formal language specifications are one im such a way for achievement in software engineering as reliability once predicted Other methods such as testing are more commonly used to enhance code quality

Usability given as such a specification it is possible to use formal verification techniques to demonstrate that a system design is correct with respect to its specification This allows incorrect system designs to be revised before any major investments have been made into an actual implementation Another approach is to use provably correct refinement steps to transform a specification into a design which is ultimately transformed into an implementation that is correct by construction.

*It is important to note that a formal specification is not an implementation but rather it may be used to develop an implementation Formal specifications describe what a system should do not how the system should do it A good specification must have some of the following attributes: adequate internally consistent unambiguous complete satisfied constructability manageability and evolvability Usability Communicability Powerful and efficient analysis which is one of the main reasons there is interest in formal specifications that will provide an ability to perform proofs on cybersecurity software implementations These proofs may be used to validate a specification verify correctness of design, or to prove that a program satisfies a specification.

Limitations
A design (or implementation) cannot ever be declared “correct” on its own. It can only ever be “corrected with respect to a given specification Whether the formal specification correctly describes the problem to be solved is a separate issue It is also a difficult issue to address since it ultimately concerns the problem constructing abstracted formal representations of an informal concrete problem domain and such an abstraction step is not amenable to formal proof. However, it is possible to validate a specification by proving “challenge” theorems concerning properties that the specification is expected to exhibit.o_O If correct Olloclip In these theorems reinforce the specifier's understanding of the specification and its relationship with the underlying problem domain If not the specification probably needs to be changed to better reflect the domain understanding of those involved with producing (and implementing) the specification.

Flexibility
As far as flexibility goes a lot of software companies use agile methodologies that focus on flexibility Doing a formal specification of the whole system up front is often perceived as being the opposite of flexible However there is some research into the benefits of using formal specifications with "agile" development
Complexity is a requirement that is a high level of mathematical expertise and the analytical skills to understand and apply them effectively
I have a solution to develop resources and models that allow for these techniques to be implemented but hide underlying mathematics

I hope to accomplish a good job of specifying user interfaces and user interaction that is Not cost-effective

Formal specification techniques have existed in various domains and on various scales for quite some time Implementations of formal specifications will differ depending on what kind of system they are attempting to model how they are applied and at what point in the software life cycle they have been introduced These types of models can be categorized into the following specification paradigms:

History-based specification

behavior based system histories
assertions are interpreted over time
State-based Specification
behavior based on system states
series of sequential steps (e.g. a financial transaction)
languages such as Z, VDM or B rely on this paradigm+
Transition-based specification
behavior based on transitions from state-to-state of the system
best used with a reactive system
languages such as Statecharts PROMELA STeP-SPL RSML or SCR rely on this paradigm
Functional specification
specify a system as a structure of mathematical functions
OBJ, ASL, PLUSS, LARCH, HOL or PVS rely on this paradigm
Operational Specification
early languages such as Paisley GIST Petri nets or process algebras rely on this paradigm
In addition to the above paradigms there are ways to apply certain heuristics to help improve the creation of these specifications The protocol referenced here best discusses heuristics to use when designing a specification.Heuristics= a rule or method that helps you solve problems faster than you would if you did all the computing

Resources:
Algebraic specification= Providing a mathematical software engineering technique

References:
^ a b c d e f g h i j k l m n o Lamsweerde, A. V. (2000). "Formal specification". Proceedings of the conference on the future of Software engineering - ICSE '00. p. 147. doi:10.1145/336512.336546. ISBN
^ a b c d Sommerville, Ian (2009). "Formal Specification" (PDF). Software Engineering. Retrieved
^ a b c Nummenmaa, Timo; Tiensuu, Aleksi; Berki, Eleni; Mikkonen, Tommi; Kuittinen, Jussi; Kultima, Annakaisa (4 August 2011). "Supporting agile development by facilitating natural user interaction with executable formal specifications". ACM SIGSOFT Software Engineering Notes 36 (4): 1–10. doi:10.1145/1988997.2003643. edit

Best Wishes,
Brenda Smith
a55dayidream@gmail.com

[[Category:Specification languages]]
[[Category:OWASP Education Project]]
[[Category:OWASP Presentations]]
[[Category:Chapter Resources]]

OWASP Education Presentation

2015-07-16T14:23:29Z

Timo.goosen: /* OWASP Project Presentations */

This page provide a commented overview of the OWASP presentations available.<br>
Please use the last line of the tables as template.<br>
Presentions can be tracked through:
* the [http://www.owasp.org/index.php/Category:OWASP_Presentations OWASP Presentations Category]
* [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference Past OWASP Conference agenda's]
* From the chapter pages
Everybody is encouraged to link the presentations and add their findings on this page !
There are currently hundreds of presentations all over the OWASP web site.
If you search google with “site:owasp.org filetype:ppt” there are 166 hits. “site:owasp.org filetype:pdf” returns 76.
Feel free to “mine” them and add them to the overview.

== OWASP Education Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Education Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (2015-07-04)
|-valign="top"
|[https://www.owasp.org/index.php/Education/Free_Training Free Developer Training]|| Developer AppSec Course by [[Eoin Keary]] and [https://www.owasp.org/index.php/User:Jmanico Jim Manico] || Intermediate || 2014-04-04
|-valign="top"
|[[:Image:OWASP Overview Winter 2009v1.pptx|OWASP Overview Winter 2009]]|| Updated overview of OWASP || Novice || 2009-12-08
|-valign="top"
|[[:Image:Programa_de_Educacion_OWASP.ppt|Programa de Educacion OWASP]]|| Una introduccion a OWASP para Universidades y Centros Educativos por Fabio Cerullo|| Novice || 2009-03-20
|-valign="top"
|[[:Image:OWASP_Educational_Programme.ppt|OWASP Educational Programme]]|| An introduction to OWASP for Universities & Educational Institutions by Fabio Cerullo|| Novice || 2009-03-20
|-valign="top"
|[[:Image:OWASP Overview Summer 2009.pptx|OWASP Overview Summer 2009]]|| Recent overview of OWASP by Jeff Williams || Novice || 2009-08-25
|-valign="top"
|[[:Image:Education Module Why WebAppSec Matters.ppt|Why WebAppSec Matters]]|| This module explains why security should be considered when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:OWASP-Intro-2008-portuguese.ppt|OWASP Intro 2008 Portuguese]]|| Este módulo é uma intrudução sobre o projeto OWASP. || Novice || 2008-07-06
|-valign="top"
|[[:Image:Education Module OWASP Top 10 Introduction and Remedies.ppt|OWASP Top 10 Introduction and Remedies]]|| This module explains the OWASP Top 10 web application vulnerabilities as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Embed within SDLC.ppt|Embed within SDLC]]|| This module explains the complete approach of Web Application Security when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Good Secure Development Practices.ppt|Good Secure Development Practices]]|| This module explains some good secure development practices when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Testing for Vulnerabilities.ppt|Testing for Vulnerabilities]]|| This module explains application security testing when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[:Image:Education Module Good WebAppSec Resources.ppt|Good WebAppSec Resources]]|| This module points you to some good web application security resources when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01
|-valign="top"
|[[ (https://www.owasp.org/index.php/User_talk:Briechenstein_Software_Studio) || OWASP Education Presentation|| Intermediate || 2015-07-04
|}
,
<br>

== OWASP Project Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Project Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (yyyy-mm-dd)
|-valign="top"
|[[:Image:Germany 2008 Conference OWASP Introduction v1.pptx|OWASP Introduction]] || OWASP Overview presentation covering OWASP, project parade and OWASP near you. Given by Seba during the Germany 2008 Conference || Novice || 2008-11-25
|-valign="top"
|[[:Image:OWASP Foundation The story so far and beyond - Part 1.ppt|India08 Keynote - Part 1]] || OWASP Overview presentation. Part 1 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[[:Image:OWASP Foundation The story so far and beyond - Part 2.ppt|India08 Keynote - Part 2]] || OWASP Overview presentation. Part 2 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[[:Image:OWASP India - Tour of OWASP projects.ppt|Tour of OWASP’s projects]] || Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16
|-valign="top"
|[https://www.owasp.org/images/5/59/RISK_2008_OWASP_Introduction_v1.pptx OWASP @ RISK08 (Norway)] || OWASP introduction at Norway RISK2008 conference by Seba || Novice || 2008-04-23
|-valign="top"
|[[:Image:OWASP NY Keynote.ppt|OWASP NY Keynote by Jeff]] also available in [[:Image:20070620-FR-OWASP NY Keynote.ppt|French]]|| OWASP Overview presentation with slide "OWASP by the numbers" and slide with the sorry state of Tools (at best 45%) which caused some controverse || Novice || 2007-06-12
|-valign="top"
|[http://www.owasp.org/images/a/af/OWASP_Testing_Guide_Presentation.zip The OWASP Testing Guide (Jeff Williams)] || Overview of the OWASP Testing Guide || Novice || 2007-01-23
|-valign="top"
|[http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip The OWASP Testing Guide v2 EUSecWest07 (Matteo Meucci, Alberto Revelli)] || Presentation at EUSecWest07 || Intermediate || 2007-03-01
|-valign="top"
|[http://www.owasp.org/images/3/3c/OWASP_Flyer_Sep06.ppt OWASP Project Overview] || High level overview of projects and how OWASP works || Novice || 2006-09-19
|-valign="top"
|[http://www.owasp.org/images/4/49/OWASPAppSec2006Seattle_Security_Metrics.ppt The OWASP Application Security Metrics Project (Bob Austin)] || Presentation on the Application Security Metrics project || Novice || 2006-10-17
|-valign="top"
|[http://www.owasp.org/images/5/53/OWASPAppSecEU2006_CLASP_Project.ppt OWASP CLASP Project (Pravir Chandra)] || OWASP CLASP project presentation given at the 2006 European AppSec conference || Novice || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/3/30/OWASPAppSec2006Seattle_UsingSprajaxToTestAJAXSecurity.ppt Sprajax (Dan Cornell)] || OWASP Sprajax presentation given at the 2006 Seattle AppSec conference || Intermediate || 2006-10-17
|-valign="top"
|}

<br>

== OWASP Conference Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ OWASP Conference Presentations
!width="30%" | Title
!width="40%" | Comment
!width="15%" | Level
!width="15%" |Date (yyyy-mm-dd)

|-valign="top"
|[[:Image:OWASPAppSec2007Milan ModSecurityCoreRuleSet.ppt | Mod Security Core Rule Set (Ofer Shezaf)]] ||Ofer Shezaf's presentation on the Core Ruleset for the latest version of ModSecurity presented at 6th OWASP AppSec conference in Milan, Italy, in May 2007.|| Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OWASPTestingGuide2v1.ppt | OWASP Testing Guide v2.1 (Matteo Meucci)]] ||Matteo Meucci's presentation on the OWASP Testing Guide v2 at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan CLASP.ppt | CLASP (Pravir Chandra)]] ||Pravir Chandra's presentation on the upcoming 2007 update to CLASP presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan AdvancedWebHacking.ppt | Advanced Web Hacking (PDP)]] ||PDPs presentation at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan XMLSecurityGatewayEvalCriteria.ppt | XML Security Gateway Evaluation Criteria (Gunnar Peterson)]] ||Gunnar Peterson's presentation about the new XML Security Gateway Evaluation Criteria project at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan TestingFlashApplications.ppt | Testing Flash Applications (Stephano Di Paolo)]] ||Stephano Di Paolo's presentation on how to test Flash applications presented at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert|| 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OvertakingGoogleDesktop.ppt | Overtaking Google Desktop (Yair Amit)]] ||Yair Amit's presentation on XSS Flaws in Google Desktop that can be exploited through google.com presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan MS ACETeamAppSecfromTheCore.ppt | ACE Team Application Security from the Core (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the Microsoft ACE team's application security process at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan Pantera.ppt | Pantera (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the new OWASP tool Pantera at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan ProtectingWebAppsfromUniversalPDFXSS.ppt | Protecting Web applications from universal PDF XSS (Ivan Ristic)]] ||Ivan Ristic's Universal XSS PDF presentation at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SoftwareSecurity.ppt | Software Security (Rudolph Araujo)]] ||Rudolph Araujo's presentation on Application Security best practices at the 6th OWASP AppSec conference in Milan Italy, May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan WebGoatv5.ppt | WebGoat v5 (Dave Wichers)]] ||WebGoat v5 presentation by Dave Wichers at the 6th OWASP AppSec Conference in Milan, Italy, May 2007. || Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan WebScarabNG.ppt | WebScarab NG (Dave Wichers)]] ||Description of the new WebScarab-NG efforts presented by Dave Wichers at the 6th OWASP AppSec conference in Milan, Italy in May 2007.|| Intermediate || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SANS SPSA Initiative.ppt | SANS SPSA Initiative (Dave Wichers)]] ||Description of the SANS Secure Coding Exam Initiative presented by Dave Wichers at the 6th OWASP AppSec conference in Milan Italy, May 2007.|| Novice || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan OWASPItalyActivities.ppt | OWASP Italy Activities (Raoul Chiesa)]] ||Raoul Chiesa's keynote for day 2 of the 6th OWASP AppSec conference on the state of application security in Italy including OWASP's activities in that country.|| Novice || 2007-05-16
|-valign="top"
|[[:Image:OWASPAppSec2007Milan SecurityEngineeringInVista.ppt | Security engineering in Vista (Alex Lucas)]] ||Alex Lucas' from Microsoft's keynote presentation for Day 1 of the 6th OWASP AppSec conference in Milan on the benefits of Microsoft's SDL to the security of Vista. || Intermediate || 2007-05-16
|-valign="top"
|[http://www.owasp.org/images/5/5f/OWASPAppSec2006Seattle_SecurityEngineeringInVista.ppt How the Security Development Lifecycle(SDL) Improved Windows Vista (Michael Howard)] || Michael Howard's talk on SDL from the OWASP Seattle AppSec Conference in 2006 || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/3/34/OWASPAppSecEU2006_Bootstrapping_the_Application_Assurance_Process.ppt Bootstrapping the Application Assurance Process (Sebastien Deleersnyder)] || Presentation given during the European 2006 AppSec conference on the application assurance process || Novice || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/8/8b/OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt Inline Approach for Secure SOAP Requests and Early Validation (Mohammad Ashiqur Rahaman, Maartin Rits and Andreas Schaad SAP Research, Sophia Antipolis, France)] || Presentation given at the European 2006 AppSec conference about security and soap message structure issues || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt Web Application Firewalls:When Are They Useful? (Ivan Ristic)] || Presentation about Web Application Firewalls || Novice || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt HTTP Message Splitting, Smuggling and Other Animals (Amit Klein)] || A presentation about Message splitting other attacks around the HTTP protocol || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/f/f6/OWASPAppSec2006Seattle_WebAppForensics.ppt Web Application Incident Response & Forensics: A Whole New Ball Game! (Rohyt Belani & Chuck Willis)] || Talk about Web Application Security incident handling and forensics given at the OWASP 2006 Seattle AppSec conference || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/d/d2/OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10.ppt Can (Automated) Testing Tools Really Find the OWASP Top 10? (Erwin Geirnaert) ] || A talk about how automated testing tools stack up against the OWASP top 10 || Intermediate || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/2/28/OWASPAppSecEU2006_RequestRodeo.ppt RequestRodeo: Client Side Protection against Session Riding (Martin Johns / Justus Winter)] || Presentation given about how Sessions can be hi-jacked, etc... || Novice || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/6/62/OWASPAppSecEU2006_SecurityTestingthruAutomatedSWTests.ppt Security Testing through Automated Software Tests (Stephen de Vries)] || Presentation given at the 2006 EuSec conference || Intermediate || 2006-05-31
|-valign="top"
|[http://www.owasp.org/images/0/0e/AppSec2005DC-Jeremy_Poteet-In_the_Line_of_Fire.ppt In the Line of Fire: Defending Highly Visible Targets (Jeremy Poteet)] || Conference given at the 2005 DC AppSec conference || Novice || 2005-10-1
|-valign="top"
|[http://www.owasp.org/images/9/93/AppSec2005DC-Matt_Fisher-Google_Hacking_and_Worms.ppt Google Hacking and Web Application Worms (Matt Fisher)] || Talk given at the 2005 DC AppSec conference || Novice || 2005-10-01
|-valign="top"
|[http://www.owasp.org/images/0/05/AppSec2005DC-Anthony_Canike-Enterprise_AppSec_Program.ppt Establishing an Enterprise Application Security Program (Tony Canike)] || Talk given at the 2005 DC AppSec Conference || Novice || 2005-10-01
|-valign="top"
|[https://owasp.org/images/0/0d/OWASPAppSec2006Seattle_Why_AJAX_Applications_More_Likely_Insecure.ppt Why AJAX Applications Are Far More Likely To Be Insecure (And What To Do About It) (Dave Wichers)] || Dave's talk on AJAX given at the Seattle 2006 AppSec conference || Intermediate || 2006-10-01
|-valign="top"
|[[ (https://www.owasp.org/index.php/User_talk:Briechenstein_Software_Studio) ||Security Analyst || Intermediate|| 2015-07-04
|}

<br>

== Web Application Security Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ Web Application Security Presentations
!width="30%" |Title
!width="40%" |Comment
!width="15%" |Level
!width="15%" |Date (yyyy-mm-dd)
|-valign="top"
|[[:Image:Protecting Web Applications from Universal PDF XSS.ppt| Universal PDF XSS by Ivan Ristic]] || Protecting Web Applications from Universal PDF XSS || Intermediate || 2007-06-28
|-valign="top"
|[[:Image:IdM-OWASP.v.0.2.14.pdf|Identity Management Basics (Derek Brown)]] ||Identity Management Basics|| Novice || 2007-05-09
|-valign="top"
|[[http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt Advanced SQL Injection (Victor Chapela)] || Detailed methodology for analyzing applications for SQL injection vulnerabilities || Expert || 2005-11-04
|-valign="top"
|[[http://www.owasp.org/images/7/7d/Advanced_Topics_on_SQL_Injection_Protection.ppt Advanced Topics on SQL Injection Protection (Sam NG)] || 7 methods to prevent SQL injection attacks correctly and in a more integrated approach. Methods 1 to 3 are applicable during design or development life cycle. Method 4 is mainly from QA’s perspective. Methods 5 and 6 can be applied to production environment and are applicable even if you do not have access to or if you cannot change the source code. Other non-main stream technology are discussed in Method 7. || Intermediate || 2006-02-27
|-valign="top"
|[[http://www.owasp.org/images/d/d1/AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt Attacking Web Services (Alex Stamos)] || Web Services Introduction and Attacks || Intermediate || 2005-10-11
|-valign="top"
|[http://www.owasp.org/images/7/72/MMS_Spoofing.ppt MMS Spoofing (Matteo Meucci)] || A Case-study of a vulnerable web application || Intermediate
|-valign="top"
|[http://www.owasp.org/images/f/f9/OWASPAppSecEU2006_AJAX_Security.ppt Ajax Security (Andrew van der Stock)] || Presentation on Ajax security for OWASP AppSec Europe 2006 || Intermediate || 2006-05-30
|-valign="top"
|[http://www.owasp.org/images/3/3a/OWASPAppSec2006Seattle_Web_Services_Security.ppt Advanced Web Services Security & Hacking (Justin Derry)] || Presentation given on Webservice security at the Seattle 2006 AppSec conference || Intermediate || 2006-10-18
|-valign="top"
|[http://www.owasp.org/images/f/f6/Integration_into_the_SDLC.ppt Integration into the SDLC (Eoin Keary)] || A presentation about why and how to integrate the SDLC. || Novice || 2005-04-09
|-valign="top"
|[[ (https://www.owasp.org/index.php/User_talk:Briechenstein_Software_Studio || Intermediate || 2015-07-04
|}

<br>

== Chapter Presentations ==
{|class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"
|+ Chapter Presentations
!width="30%" |Title
!width="30%" |Comment
!width="10%" |Level
!width="10%" |Month (Mon-yyyy)
!width="10%" |Chapter

|-valign="top"
|[[:Image:Common_Application_Flaws.ppt| Common Application Flaws (Brett Moore) ]] ||OWASP New Zealand chapter presentation on Common Application Flaws|| Novice/Intermediate ||November 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Time_Based_SQL_Injections.ppt| Time Based SQL Injections (Muhaimin Dzulfakar) ]] ||OWASP New Zealand chapter presentation on Time Based SQL Injections|| Intermediate ||September 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Browser_security.ppt| Browser Security (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Browser Security|| Intermediate ||September 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:OWASP_CMH_SQLInjection__20080707.zip| 7/7/2008 SQL Injection (Columbus, OH)]] || SQL Injection Presentation given at the Columbus, OH OWASP Chapter Meeting. Powerpoint, derby DB, and applicable java code. || Novice / Intermediate || July 2008 || [[Columbus]]
|-valign="top"
|[[:Image:OWASP_ellak-Greece.ppt| Detecting Web Application Vulnerabilities Using Open Source Means (Konstantinos Papapanagiotou) ]] ||OWASP Greek Chapter presentation given at the Open Source Software (FLOSS) Conference in Athens|| Novice ||May 2008 || [[Greece]]
|-valign="top"
|[[:Image:Hacking_The_World_With_Flash.ppt| Hacking The World With Flash (Paul Craig) ]] ||OWASP New Zealand chapter presentation on Flash security|| Intermediate ||April 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Web_spam_techniques.ppt| Web Spam Techniques (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Web Spam Techniques|| Intermediate ||April 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Xpath_Injection.ppt| Xpath Injection Overview (Roberto Suggi Liverani) ]] ||OWASP New Zealand chapter presentation on Xpath Injection|| Intermediate ||February 2008 || [[New Zealand]]
|-valign="top"
|[[:Image:Owasp security4mobileJava.pdf| Dependability for Java Mobile Code (Pierre Parrend) ]] ||OWASP Swiss chapter presentation on Mobile Java Security || Expert ||July 2007 || [[Switzerland]]
|-valign="top"
|[[:Image:Trust Security Usability - v1.0.pdf|Trust, Security and Usability (Roger Carhuatocto) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:OWASP-tratamiento_de_datos.pdf|Tratamiento seguro de datos en aplicaciones in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Conferencia_OWASP.pdf|Ataques DoS en aplicaciones Web (Jaime Blasco Bermejo) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Seguridad en entornos financieros.pdf|Seguridad en entornos financierosPedro (Pedro Sánchez) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]
|-valign="top"
|[[:Image:Java_Open_Review.ppt|Brian Chess from Fortify shared what's going on with the Java Open Source review project at the June NoVA OWASP meeting]] || Java Open Review || Intermediate ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Bytecode_injection.ppt|Brian Chess from Fortify, presentation to NoVA OWASP chapter in June 2007.]] || Bytecode injection || Expert ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Security at the VMM Layer - OWASP.ppt|Security at the VMM Layer by Ted Winograd]] || Security at the VMM Layer || Expert ||June 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:KC June 2007 Evaluating and Tuning WAFs.pdf|Evaluating and Tuning Web Application Firewalls (Barry Archer)]] ||Presentation given at Kansas City June 2007 chapter meeting|| Intermediate ||June 2007 || [[Kansas City]]
|-valign="top"
|[[:Image:OWASP_SDL-IT.pdf|Microsoft Security Development Lifecycle for IT (Rob Labbé)]] ||Presentation by Rob Labbe at Ottawa OWASP Chapter|| Novice ||May 2007|| [[Ottawa]]
|-valign="top"
|[[:Image:OWASP_IL_7_Application_DOS.pdf|Application Denial of Service (Shaayy Cheen)]] ||Is it Really That Easy? Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP_IL_7_FuzzGuru.pdf|Fuzzing in Microsoft and FuzzGuru framework (John Neystadt)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP_IL_7_AppSec_and_Beyond.pdf|Application Security, not just development (David Lewis)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 Overtaking Google Desktop.pdf|Overtaking Google Desktop, Leveraging XSS to Raise Havoc (Yair Amit)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 UnregisterAttackInSip.pdf|Unregister Attack in SIP (Anat Bremler-Barr, Ronit Halachmi-Bekel and Jussi Kangasharju)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 WAF Positive Security.pdf|Positive Security Model for Web Applications, Challenges and Promise (Ofer Shezaf)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 DOT NET Reverse Engineering.pdf|.NET Reverse Engineering (Erez Metula)]] ||Presentation given at the Israel Mini Conference in May 2007|| Expert ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP IL 7 OWASP Introduction.pdf|OWASP introduction (Ofer Shezaf)]] ||2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya|| Intermediate ||May 2007 || [[Israel]]
|-valign="top"
|[[:Image:OWASP BeLux 2007-06-22 Update on Internet Attack Statistics for Belgium in 2006.ppt|Update on Internet Attack Statistics for Belgium in 2006 by Hilar Leoste (Zone-H)]] || Update on Internet Attack Statistics for Belgium in 2006 || Novice ||May 2007 || [[Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:InfoSec_World_2007_-_Web_services_gateways.ppt Securing Web Services using XML Security Gateways by Tim Bond] || Securing Web Services using XML Security Gateways || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:SwA_Acquisition_WG_-_Overview.ppt Software Assurance in the Acquisition Process by Stan Wisseman] || Software Assurance in the Acquisition Process || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_Legal_Aspects_Jos_Dumortier.zip Legal Aspects of (Web) Application Security by Jos Dumortier] || Legal Aspects of (Web) Application Security || Intermediate ||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_AppSec_Research_Lieven_Desmet.zip AppSec Research (University Leuven Belgium)] || Formal absence of implementation bugs in web applications: a case study on indirect data sharing by Lieven Desmet || Expert ||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[[:Image:Scanner-Sparkly.ppt|A Scanner Sparkly]] || A Scanner Sparkly, taken from the Phoenix OWASP presentations on Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]
|-valign="top"
|[[:Image:Owasp-lessonslearned.ppt|Grey Box Assessment Lessons Learned]] || "Grey Box Assessment Lessons Learned", taken from the Phoenix OWASP presentations, Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_OWASP_Update.zip OWASP Update and OWASP BeLux Board Presentation (Seba)] || OWASP Update and OWASP BeLux Board Presentation || Novice||May 2007 || [[Belgium|Belgium]]
|-valign="top"
|[[:Image:Security Metics- What can we measure- Zed Abbadi.pdf|Metics- What can we measure (Zed Abbadi)]] ||19 April NoVa chapter meeting presentation on Security Metrics || Novice ||April 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[[:Image:Web Services Hacking and Hardening.pdf| Web Services Hacking and Hardening (Adam Vincent) ]] ||3/8/07 NoVA chapter meeting, Adam Vincent from Layer7 || Expert ||March 2007 || [[Virginia (Northern Virginia)]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/images/f/fe/Pres_20070206_04_svetsch_xss_worms_owasp.zip XSS Worms (Sven Vetsch)] || XSS Worms || Intermediate ||Feb 2007 || [[Switzerland|Switzerland]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_WebGoat-Pantera.zip WebGoat and Pantera presentation (Philippe Bogaerts)] || WebGoat and Pantera presentation || Novice || Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_AOP_security.zip Security implications of AOP for secure software (Bart De Win)] || Security implications of AOP for secure software || Expert || Jan 2007 || [[Belgium|Belgium]]
|-valign="top"
|[http://www.owasp.org/images/1/12/OWASP_Denver_Nov-06_presentation.ppt testing for common security flaws (David Byrne)] || testing for common security flaws || Intermediate || Nov 2006 || [[Denver|Denver]]
|-valign="top"
|[http://www.owasp.org/images/7/7c/Owasp-olli.pdf 40-ish slides on analyzing threats (Olli)] || Analyzing Threats || Novice || Dec 2006 || [[Helsinki|Helsinki]]
|-valign="top"
|[http://www.owasp.org/images/2/2c/KC_Dec2006_Attacking_The_App.pdf Attacking the Application (Dave Ferguson)] || Vulnerabilities, attacks and coding suggestions || Intermediate || Dec 2006 || [[Kansas City|Kansas City]]
|-valign="top"
|[http://www.owasp.org/images/6/6a/KC_Dec2006_Ajax_Security_Concerns.pdf Ajax Security Concerns (Rohini Sulatycki)] || Ajax Security Concerns || Intermediate ||Dec 2006 || [[Kansas City|Kansas City]]
|-valign="top"
|[http://www.owasp.org/images/8/8c/Anatomy_of_2_Web_App_Testing.zip Anatomy of 2 Web Application Testing (Matteo Meucci)] || Anatomy of 2 Web Application Testing || Intermediate || Mar 2006 || [[Italy|Italy]]

|-valign="top"

|[https://www.owasp.org/images/9/99/WTE-Cloud-Austin-2012-02.pdf Testing From the Cloud: Is the Sky Falling? ] || WTE Cloud-based Testing || Intermediate || Feb 2012 || [[Austin|Austin]]
|-valign="top"

|(https://www.owasp.org/index.php/User_talk:Briechenstein_Software_Studio) || Open Web application Security Project|| Intermediate|| 2015-07-04 ||

Chapter 4

Specification Language

This formal specification by language example presents cybersecurity studies (of over 10 projects) of how successful OWASP educational presentations test develop design and deliver cybersecurity software efficiently supporting formal methods as mathematically based techniquesthat are needed to assist in the design and implementation of reliable cybersecurity software.

Specification by language example is a must read for anyone serious about delivering translated cybersecurity language software that matters It is the result of a research on how teams internationally specify test develop design and deliver the right cybersecurity software without defects in very short computational delivery cycles With cybersecurity case studies and real examples this presentation helps you understand how successful teams implement mathematical cybersecurity by example denoting
acceptable testing and behavior driven development to bridge the communication gap between committees stakeholders and contributing teams build quality into cybersecurity from the start by testing developing designing and delivering supported languagfor syntax highlighting purposes It presents the collective knowledge of about 50 cybersecurity projects ranging from high traffic websites to virtual back office cybersecurity systems implemented by teams as diverse as small startups to groups spread across different continents working in a range of processes including Extreme programming Kanban Scrum and similar processes often bundled together under the names Lean and Agile This protocol is for testers software developers business analysts and project managers working on Syntax and Agile projects or teams moving to an Agile development method that want to improve quality reduce correction of defective cybersecurity software and collaborate better with the OWASP committee.
Smith

*Retrieved notes from Categories Specification languages and Formal specification
For the last past decade computer systems have become increasingly more powerful as a result becoming more impactful to society Established engineering disciplines use mathematical analysis as the foundation of creating and validating product design Formal language specifications are one im such a way for achievement in software engineering as reliability once predicted Other methods such as testing are more commonly used to enhance code quality

Usability given as such a specification it is possible to use formal verification techniques to demonstrate that a system design is correct with respect to its specification This allows incorrect system designs to be revised before any major investments have been made into an actual implementation Another approach is to use provably correct refinement steps to transform a specification into a design which is ultimately transformed into an implementation that is correct by construction.

*It is important to note that a formal specification is not an implementation but rather it may be used to develop an implementation Formal specifications describe what a system should do not how the system should do it A good specification must have some of the following attributes: adequate internally consistent unambiguous complete satisfied constructability manageability and evolvability Usability Communicability Powerful and efficient analysis which is one of the main reasons there is interest in formal specifications that will provide an ability to perform proofs on cybersecurity software implementations These proofs may be used to validate a specification verify correctness of design, or to prove that a program satisfies a specification.

Limitations
A design (or implementation) cannot ever be declared “correct” on its own. It can only ever be “corrected with respect to a given specification Whether the formal specification correctly describes the problem to be solved is a separate issue It is also a difficult issue to address since it ultimately concerns the problem constructing abstracted formal representations of an informal concrete problem domain and such an abstraction step is not amenable to formal proof. However, it is possible to validate a specification by proving “challenge” theorems concerning properties that the specification is expected to exhibit.o_O If correct Olloclip In these theorems reinforce the specifier's understanding of the specification and its relationship with the underlying problem domain If not the specification probably needs to be changed to better reflect the domain understanding of those involved with producing (and implementing) the specification.

Flexibility
As far as flexibility goes a lot of software companies use agile methodologies that focus on flexibility Doing a formal specification of the whole system up front is often perceived as being the opposite of flexible However there is some research into the benefits of using formal specifications with "agile" development
Complexity is a requirement that is a high level of mathematical expertise and the analytical skills to understand and apply them effectively
I have a solution to develop resources and models that allow for these techniques to be implemented but hide underlying mathematics

I hope to accomplish a good job of specifying user interfaces and user interaction that is Not cost-effective

Formal specification techniques have existed in various domains and on various scales for quite some time Implementations of formal specifications will differ depending on what kind of system they are attempting to model how they are applied and at what point in the software life cycle they have been introduced These types of models can be categorized into the following specification paradigms:

History-based specification

behavior based system histories
assertions are interpreted over time
State-based Specification
behavior based on system states
series of sequential steps (e.g. a financial transaction)
languages such as Z, VDM or B rely on this paradigm+
Transition-based specification
behavior based on transitions from state-to-state of the system
best used with a reactive system
languages such as Statecharts PROMELA STeP-SPL RSML or SCR rely on this paradigm
Functional specification
specify a system as a structure of mathematical functions
OBJ, ASL, PLUSS, LARCH, HOL or PVS rely on this paradigm
Operational Specification
early languages such as Paisley GIST Petri nets or process algebras rely on this paradigm
In addition to the above paradigms there are ways to apply certain heuristics to help improve the creation of these specifications The protocol referenced here best discusses heuristics to use when designing a specification.Heuristics= a rule or method that helps you solve problems faster than you would if you did all the computing

Resources:
Algebraic specification= Providing a mathematical software engineering technique

References:
^ a b c d e f g h i j k l m n o Lamsweerde, A. V. (2000). "Formal specification". Proceedings of the conference on the future of Software engineering - ICSE '00. p. 147. doi:10.1145/336512.336546. ISBN
^ a b c d Sommerville, Ian (2009). "Formal Specification" (PDF). Software Engineering. Retrieved
^ a b c Nummenmaa, Timo; Tiensuu, Aleksi; Berki, Eleni; Mikkonen, Tommi; Kuittinen, Jussi; Kultima, Annakaisa (4 August 2011). "Supporting agile development by facilitating natural user interaction with executable formal specifications". ACM SIGSOFT Software Engineering Notes 36 (4): 1–10. doi:10.1145/1988997.2003643. edit

Best Wishes,
Brenda Smith
a55dayidream@gmail.com

[[Category:Specification languages]]
[[Category:OWASP Education Project]]
[[Category:OWASP Presentations]]
[[Category:Chapter Resources]]

Cape Town

2015-07-09T11:09:05Z

Timo.goosen: /* Join Our Events */

{{Chapter Template|chaptername=Cape Town|extra=The chapter leaders are [mailto:timo.goosen@owasp.org Timo Goosen]
[mailto:christo.goosen@owasp.org Christo Goosen]
.|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-cape-town|emailarchives=http://lists.owasp.org/pipermail/owasp-cape-town}}
*[http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup OWASP Cape Town Chapter Meetup Group Join our meetup group]

== Local News ==

'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

===Join Our Events===

Please join our meetup group if you would like to attend future events:
It is important to RSVP if you would like to attend, our venue is not very big.
*[http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup OWASP Cape Town Chapter Meetup Group]

[https://www.owasp.org/index.php/3_Jun_2015_Codebridge Codebridge 3 Jun 2015]

[https://www.owasp.org/index.php/First_Official_OWASP_Cape_Town_Meeting First Official OWASP Cape Town Meeting]

'''Slides'''

Slides from 1st Official OWASP Cape Town Meeting: [https://www.owasp.org/images/c/cd/Owasp-meeting1-17jun2015.pdf 1st Meeting Slides]

Slides from 2nd Meeting [https://www.owasp.org/images/6/6e/Intro_To_Enumeration_FINAL_MAIL_OUT.odp Intro To Enumeration]

[[Category:OWASP Chapter]]
[[Category:Africa]]
[[Category:South Africa]]

Cape Town

2015-07-09T11:08:21Z

Timo.goosen: /* Local News */

{{Chapter Template|chaptername=Cape Town|extra=The chapter leaders are [mailto:timo.goosen@owasp.org Timo Goosen]
[mailto:christo.goosen@owasp.org Christo Goosen]
.|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-cape-town|emailarchives=http://lists.owasp.org/pipermail/owasp-cape-town}}
*[http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup OWASP Cape Town Chapter Meetup Group Join our meetup group]

== Local News ==

'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

===Join Our Events===

Please join our meetup group if you would like to attend future events:
It is important to RSVP if you would like to attend, our venue is not very big.
*[http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup OWASP Cape Town Chapter Meetup Group]

[https://www.owasp.org/index.php/3_Jun_2015_Codebridge Codebridge 3 Jun 2015]

[https://www.owasp.org/index.php/First_Official_OWASP_Cape_Town_Meeting First Official OWASP Cape Town Meeting]

Slides from 1st Official OWASP Cape Town Meeting: [https://www.owasp.org/images/c/cd/Owasp-meeting1-17jun2015.pdf 1st Meeting Slides]
Slides from 2nd Meeting [https://www.owasp.org/images/6/6e/Intro_To_Enumeration_FINAL_MAIL_OUT.odp Intro To Enumeration]

[[Category:OWASP Chapter]]
[[Category:Africa]]
[[Category:South Africa]]

File:Intro To Enumeration FINAL MAIL OUT.odp

2015-07-09T10:59:29Z

Timo.goosen: Slides from 8 July 2015 Cape Town Chapter meeting.

Slides from 8 July 2015 Cape Town Chapter meeting.

OWASP Python Security Project

2015-07-06T16:52:32Z

Timo.goosen: /* Quick Download */

File:OWASP PYSEC FLYER.pdf

2015-07-06T16:51:18Z

Timo.goosen: Flyer for OWASP Python Security

Flyer for OWASP Python Security

OWASP Python Security Project

2015-07-06T16:48:54Z

Timo.goosen: /* Classifications */

OWASP Python Security Project

2015-07-06T16:48:23Z

Timo.goosen: /* Classifications */

OWASP Python Security Project

2015-07-06T16:44:46Z

Timo.goosen: /* Detect and Respond to Attacks from Within the Application */

OWASP Python Security Project

2015-07-06T16:42:44Z

Timo.goosen: /* Overview */

OWASP Python Security Project

2015-07-06T16:42:13Z

Timo.goosen: /* In Print */

OWASP Python Security Project

2015-07-06T16:41:55Z

Timo.goosen: /* Media */

OWASP Python Security Project

2015-07-06T16:40:19Z

Timo.goosen: /* Detection Points */

OWASP Python Security Project

2015-07-06T16:39:23Z

Timo.goosen: /* Acknowledgements */

OWASP Python Security Project

2015-07-06T16:38:04Z

Timo.goosen: /* Past activities */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
This license is a community friendly license as recommended by OWASP.
You can read more here:
*[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Technical Roadmap ===

* [https://github.com/ebranca/owasp-pysec/blob/master/doc/ROADMAP.txt Technical Roadmap or TODO on github]

=== General Roadmap ===

"- Set up website with wiki

- Configure mailing list

- Configure github account and create code structure

- Create Project presentation and pamphlet

- Publish initial batch of documents on python security issues and possible mitigations with code examples

- Create python secure coding area

- Introduce project to OWASP Chapters

- Publish initial version of python secure coding manual

- Publish hardened version of python coded for security purposes

- Document usage of code security policies and call whitelisting

- Document usage of message deduplication and data storage in hash rings

- Document usage of ESAPI-extended security checks, including but not limited to controls applied to python internal calls, strings, processes, permissions, and low level kernel calls

- Create initial documentation of base libraries and modules

- Release library to customizec and integrate OpenSSL and cURL

- Release utility for SSL analysis of HTTPS communication over SSL

- Release utility for SSL analysis of FTPS/FTPES communication over SSL

- Release utility for analysis of POPS/IMAPS/SMTPS connections over SSL

- Release of utility for archival of SSL certificates and CRLs

- Release utility for PE extraction and hash generation from web files

- Release update version of ""OWASP-ESAPI-python"""

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project Approach =
{{:Projects/OWASP_Python_Security_Project | Project Approach}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

OWASP Python Security Project

2015-07-06T16:37:38Z

Timo.goosen: /* Code Roadmap */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
This license is a community friendly license as recommended by OWASP.
You can read more here:
*[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Technical Roadmap ===

* [https://github.com/ebranca/owasp-pysec/blob/master/doc/ROADMAP.txt Technical Roadmap or TODO on github]

=== General Roadmap ===

"- Set up website with wiki

- Configure mailing list

- Configure github account and create code structure

- Create Project presentation and pamphlet

- Publish initial batch of documents on python security issues and possible mitigations with code examples

- Create python secure coding area

- Introduce project to OWASP Chapters

- Publish initial version of python secure coding manual

- Publish hardened version of python coded for security purposes

- Document usage of code security policies and call whitelisting

- Document usage of message deduplication and data storage in hash rings

- Document usage of ESAPI-extended security checks, including but not limited to controls applied to python internal calls, strings, processes, permissions, and low level kernel calls

- Create initial documentation of base libraries and modules

- Release library to customizec and integrate OpenSSL and cURL

- Release utility for SSL analysis of HTTPS communication over SSL

- Release utility for SSL analysis of FTPS/FTPES communication over SSL

- Release utility for analysis of POPS/IMAPS/SMTPS connections over SSL

- Release of utility for archival of SSL certificates and CRLs

- Release utility for PE extraction and hash generation from web files

- Release update version of ""OWASP-ESAPI-python"""

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project Approach =
{{:Projects/OWASP_Python_Security_Project | Project Approach}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

OWASP Python Security Project

2015-07-06T16:36:25Z

Timo.goosen: /* Current activities */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
This license is a community friendly license as recommended by OWASP.
You can read more here:
*[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Technical Roadmap ===

* [https://github.com/ebranca/owasp-pysec/blob/master/doc/ROADMAP.txt Technical Roadmap or TODO on github]

=== General Roadmap ===

"- Set up website with wiki

- Configure mailing list

- Configure github account and create code structure

- Create Project presentation and pamphlet

- Publish initial batch of documents on python security issues and possible mitigations with code examples

- Create python secure coding area

- Introduce project to OWASP Chapters

- Publish initial version of python secure coding manual

- Publish hardened version of python coded for security purposes

- Document usage of code security policies and call whitelisting

- Document usage of message deduplication and data storage in hash rings

- Document usage of ESAPI-extended security checks, including but not limited to controls applied to python internal calls, strings, processes, permissions, and low level kernel calls

- Create initial documentation of base libraries and modules

- Release library to customizec and integrate OpenSSL and cURL

- Release utility for SSL analysis of HTTPS communication over SSL

- Release utility for SSL analysis of FTPS/FTPES communication over SSL

- Release utility for analysis of POPS/IMAPS/SMTPS connections over SSL

- Release of utility for archival of SSL certificates and CRLs

- Release utility for PE extraction and hash generation from web files

- Release update version of ""OWASP-ESAPI-python"""

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project Approach =
{{:Projects/OWASP_Python_Security_Project | Project Approach}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

OWASP Python Security Project

2015-07-06T16:34:53Z

Timo.goosen: /* Road Map and Getting Involved */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
This license is a community friendly license as recommended by OWASP.
You can read more here:
*[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Technical Roadmap ===

* [https://github.com/ebranca/owasp-pysec/blob/master/doc/ROADMAP.txt Technical Roadmap or TODO on github]

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project Approach =
{{:Projects/OWASP_Python_Security_Project | Project Approach}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

OWASP Python Security Project

2015-07-06T16:33:11Z

Timo.goosen: /* Project About */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
This license is a community friendly license as recommended by OWASP.
You can read more here:
*[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Non code ===

* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
* Create demo
* Develop training materials

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project Approach =
{{:Projects/OWASP_Python_Security_Project | Project Approach}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

OWASP Python Security Project

2015-07-06T16:32:25Z

Timo.goosen: /* Project About */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
This license is a community friendly license as recommended by OWASP.
You can read more here:
*[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Non code ===

* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
* Create demo
* Develop training materials

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project About =
{{:Projects/OWASP_Python_Security_Project | Project Approach}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

OWASP Python Security Project

2015-07-06T16:31:38Z

Timo.goosen: /* Project Founder */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
This license is a community friendly license as recommended by OWASP.
You can read more here:
*[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Non code ===

* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
* Create demo
* Develop training materials

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project About =
{{:Projects/OWASP_AppSensor_Project | Project About}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

OWASP Python Security Project

2015-07-06T16:31:12Z

Timo.goosen: /* Reference Implementation */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
This license is a community friendly license as recommended by OWASP.
You can read more here:
*[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] [mailto:michael.coates@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Non code ===

* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
* Create demo
* Develop training materials

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project About =
{{:Projects/OWASP_AppSensor_Project | Project About}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

OWASP Python Security Project

2015-07-06T16:30:59Z

Timo.goosen: /* Licensing */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
This license is a community friendly license as recommended by OWASP.
You can read more here:
*[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]

=== Reference Implementation ===
The reference implementation is licensed under the [http://opensource.org/licenses/MIT MIT License], which is a permissive (commercial-friendly) license only requiring you to include a copy of the license upon distribution or copying.

© OWASP Foundation

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] [mailto:michael.coates@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Non code ===

* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
* Create demo
* Develop training materials

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project About =
{{:Projects/OWASP_AppSensor_Project | Project About}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

OWASP Python Security Project

2015-07-06T16:30:31Z

Timo.goosen: /* Licensing */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
This license is a community friendly license as reccomded by OWASP. You can read more here:
*[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]

=== Reference Implementation ===
The reference implementation is licensed under the [http://opensource.org/licenses/MIT MIT License], which is a permissive (commercial-friendly) license only requiring you to include a copy of the license upon distribution or copying.

© OWASP Foundation

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] [mailto:michael.coates@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Non code ===

* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
* Create demo
* Develop training materials

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project About =
{{:Projects/OWASP_AppSensor_Project | Project About}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

OWASP Python Security Project

2015-07-06T16:25:45Z

Timo.goosen:

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==
OWASP AppSensor is free to use.

=== Reference Implementation ===
The reference implementation is licensed under the [http://opensource.org/licenses/MIT MIT License], which is a permissive (commercial-friendly) license only requiring you to include a copy of the license upon distribution or copying.

© OWASP Foundation

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] [mailto:michael.coates@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Non code ===

* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
* Create demo
* Develop training materials

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project About =
{{:Projects/OWASP_AppSensor_Project | Project About}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

OWASP Python Security Project

2015-07-06T16:24:22Z

Timo.goosen: /* Project About */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==
OWASP AppSensor is free to use.

=== Guide ===
The guide is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

=== Reference Implementation ===
The reference implementation is licensed under the [http://opensource.org/licenses/MIT MIT License], which is a permissive (commercial-friendly) license only requiring you to include a copy of the license upon distribution or copying.

© OWASP Foundation

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] [mailto:michael.coates@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* AppSensor v2 https://github.com/jtmelton/appsensor (Current)
* Note: LEGACY AppSensor v1 https://code.google.com/p/appsensor/

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Non code ===

* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
* Create demo
* Develop training materials

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project About =
{{:Projects/OWASP_AppSensor_Project | Project About}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

OWASP Python Security Project

2015-07-06T16:24:04Z

Timo.goosen: /* Main */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==
OWASP AppSensor is free to use.

=== Guide ===
The guide is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

=== Reference Implementation ===
The reference implementation is licensed under the [http://opensource.org/licenses/MIT MIT License], which is a permissive (commercial-friendly) license only requiring you to include a copy of the license upon distribution or copying.

© OWASP Foundation

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] [mailto:michael.coates@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== Code Repository ==
* AppSensor v2 https://github.com/jtmelton/appsensor (Current)
* Note: LEGACY AppSensor v1 https://code.google.com/p/appsensor/

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Non code ===

* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
* Create demo
* Develop training materials

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project About =
{{:Projects/OWASP_AppSensor_Project | Project About}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

=Project About=
{{:Projects/OWASP_Python_Security_Project}}

[[Category:OWASP Project]]

OWASP Python Security Project

2015-07-06T16:21:54Z

Timo.goosen: /* Main */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Licensing==
OWASP AppSensor is free to use.

=== Guide ===
The guide is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

=== Reference Implementation ===
The reference implementation is licensed under the [http://opensource.org/licenses/MIT MIT License], which is a permissive (commercial-friendly) license only requiring you to include a copy of the license upon distribution or copying.

© OWASP Foundation

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Python Security Project? ==

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] [mailto:michael.coates@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]

== Related Projects ==

* [[:Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== News and Events ==

* [9 June 2015] AppSensor Code v2.1.0 [https://github.com/jtmelton/appsensor/releases/tag/v2.1.0 released]
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Code
* [19 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Documentation
* [09 Apr 2015] [https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf CISO Briefing] booklet published
* [22 Feb 2015] Proposal for [https://www.owasp.org/index.php/GSoC2015_Ideas#OWASP_AppSensor Google Summer of Code 2015]
* [13 Feb 2015] [https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf Introduction for Developers] flyer published
* [13 Feb 2015] AppSensor project awarded OWASP flagship status
* [28 Jan 2015] AppSensor Code v2.0.0 final [https://github.com/jtmelton/appsensor/releases/tag/v2.0.0 released]
* [18 Sep 2014] Guide book giveaway and signing at [http://2014.appsecusa.org/2014/ AppSecUSA 2014]
* [17 Sep 2014] Presentation at [http://www.meetup.com/London-API-Group/events/200768922/ London API Group]
* [12 Sep 2014] [http://appsensor.org/ AppSensor website] launched

== Code Repository ==
* AppSensor v2 https://github.com/jtmelton/appsensor (Current)
* Note: LEGACY AppSensor v1 https://code.google.com/p/appsensor/

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Non code ===

* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
* Create demo
* Develop training materials

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project About =
{{:Projects/OWASP_AppSensor_Project | Project About}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

=Project About=
{{:Projects/OWASP_Python_Security_Project}}

[[Category:OWASP Project]]

OWASP Python Security Project

2015-07-06T16:17:03Z

Timo.goosen: /* Main */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Citations==

* [http://www.crosstalkonline.org/ CrossTalk], The Journal of Defense Software Engineering
** Creating Attack-Aware Software Applications with Real Time Defenses, Vol. 24, No. 5, Sep/Oct 2011

* Norwegian University of Science and Technology in Tronheim
** [http://ntnu.diva-portal.org/smash/record.jsf?pid=diva2:566091 AppSensor: Attack-Aware Applications Compared Against a Web Application Firewall and an Intrusion Detection System], Thomassen P, 2012

*US Department of Homeland Security
** [https://buildsecurityin.us-cert.gov/swa/topics/resilient-software/ Resilient Software]
** [https://buildsecurityin.us-cert.gov/swa/resources Software Assurance Resources]

==Licensing==
OWASP AppSensor is free to use.

=== Guide ===
The guide is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

=== Reference Implementation ===
The reference implementation is licensed under the [http://opensource.org/licenses/MIT MIT License], which is a permissive (commercial-friendly) license only requiring you to include a copy of the license upon distribution or copying.

© OWASP Foundation

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is AppSensor? ==

Detect and respond to attacks from within the application. This project includes both a well documented idea (the Guide) and a reference implementation (the Code).

== Intro for Developers ==

[[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]

[https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf Two-sided US Letter or A4]

== AppSensor Website ==

[[File:Appsensor-website-small.jpg|link=http://appsensor.org/]]

See the [http://appsensor.org/ new AppSensor website] for an introduction and quick start instructions.

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] [mailto:michael.coates@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves] [mailto:dennis.groves@owasp.org @]
* [https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:john.melton@owasp.org @]
* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]

== Related Projects ==

* [[:Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== News and Events ==

* [9 June 2015] AppSensor Code v2.1.0 [https://github.com/jtmelton/appsensor/releases/tag/v2.1.0 released]
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Code
* [19 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Documentation
* [09 Apr 2015] [https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf CISO Briefing] booklet published
* [22 Feb 2015] Proposal for [https://www.owasp.org/index.php/GSoC2015_Ideas#OWASP_AppSensor Google Summer of Code 2015]
* [13 Feb 2015] [https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf Introduction for Developers] flyer published
* [13 Feb 2015] AppSensor project awarded OWASP flagship status
* [28 Jan 2015] AppSensor Code v2.0.0 final [https://github.com/jtmelton/appsensor/releases/tag/v2.0.0 released]
* [18 Sep 2014] Guide book giveaway and signing at [http://2014.appsecusa.org/2014/ AppSecUSA 2014]
* [17 Sep 2014] Presentation at [http://www.meetup.com/London-API-Group/events/200768922/ London API Group]
* [12 Sep 2014] [http://appsensor.org/ AppSensor website] launched

== Code Repository ==
* AppSensor v2 https://github.com/jtmelton/appsensor (Current)
* Note: LEGACY AppSensor v1 https://code.google.com/p/appsensor/

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Non code ===

* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
* Create demo
* Develop training materials

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project About =
{{:Projects/OWASP_AppSensor_Project | Project About}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

=Project About=
{{:Projects/OWASP_Python_Security_Project}}

[[Category:OWASP Project]]

OWASP Python Security Project

2015-07-06T16:15:26Z

Timo.goosen: /* Main */

=Main=

<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;">[[File:Appsensor-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=OWASP_Project_Stages#tab=Flagship_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Python Security Project ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

== Introduction ==

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis
Security of python: black-box analysis, identify and address security-related issues
Security with python: develop security hardened python suitable for high-risk and high-security environments

== Detect and Respond to Attacks from Within the Application ==

=== Detection ===
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
=== Response===
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
===Defending the Application===
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

==Citations==

* [http://www.crosstalkonline.org/ CrossTalk], The Journal of Defense Software Engineering
** Creating Attack-Aware Software Applications with Real Time Defenses, Vol. 24, No. 5, Sep/Oct 2011

* Norwegian University of Science and Technology in Tronheim
** [http://ntnu.diva-portal.org/smash/record.jsf?pid=diva2:566091 AppSensor: Attack-Aware Applications Compared Against a Web Application Firewall and an Intrusion Detection System], Thomassen P, 2012

*US Department of Homeland Security
** [https://buildsecurityin.us-cert.gov/swa/topics/resilient-software/ Resilient Software]
** [https://buildsecurityin.us-cert.gov/swa/resources Software Assurance Resources]

==Licensing==
OWASP AppSensor is free to use.

=== Guide ===
The guide is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

=== Reference Implementation ===
The reference implementation is licensed under the [http://opensource.org/licenses/MIT MIT License], which is a permissive (commercial-friendly) license only requiring you to include a copy of the license upon distribution or copying.

© OWASP Foundation

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is AppSensor? ==

Detect and respond to attacks from within the application. This project includes both a well documented idea (the Guide) and a reference implementation (the Code).

== Intro for Developers ==

[[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]

[https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf Two-sided US Letter or A4]

== AppSensor Website ==

[[File:Appsensor-website-small.jpg|link=http://appsensor.org/]]

See the [http://appsensor.org/ new AppSensor website] for an introduction and quick start instructions.

== Overview ==

[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]

[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]

== Project Founder ==

* [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] [mailto:michael.coates@owasp.org @]

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves] [mailto:dennis.groves@owasp.org @]
* [https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:john.melton@owasp.org @]
* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]

== Related Projects ==

* [[:Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* OWASP AppSensor Guide v2.0.1 EN
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
* OWASP AppSensor Reference Implementation
** [https://github.com/jtmelton/appsensor v2 Code]

== News and Events ==

* [9 June 2015] AppSensor Code v2.1.0 [https://github.com/jtmelton/appsensor/releases/tag/v2.1.0 released]
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Code
* [19 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Documentation
* [09 Apr 2015] [https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf CISO Briefing] booklet published
* [22 Feb 2015] Proposal for [https://www.owasp.org/index.php/GSoC2015_Ideas#OWASP_AppSensor Google Summer of Code 2015]
* [13 Feb 2015] [https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf Introduction for Developers] flyer published
* [13 Feb 2015] AppSensor project awarded OWASP flagship status
* [28 Jan 2015] AppSensor Code v2.0.0 final [https://github.com/jtmelton/appsensor/releases/tag/v2.0.0 released]
* [18 Sep 2014] Guide book giveaway and signing at [http://2014.appsecusa.org/2014/ AppSecUSA 2014]
* [17 Sep 2014] Presentation at [http://www.meetup.com/London-API-Group/events/200768922/ London API Group]
* [12 Sep 2014] [http://appsensor.org/ AppSensor website] launched

== Code Repository ==
* AppSensor v2 https://github.com/jtmelton/appsensor (Current)
* Note: LEGACY AppSensor v1 https://code.google.com/p/appsensor/

== In Print ==

[[File:AppSensor2_small.jpg|link=]]

The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Acknowledgements =

== Volunteers ==

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

{| cellpadding="2"
|-
| width="200" align="left" valign="top" |

*Josh Amishav-Zlatin
*Ryan Barnett
*Simon Bennetts
*Joe Bernik
*Rex Booth
*Luke Briner
*Rauf Butt
*Juan C Calderon
*Fabio Cerullo
*Marc Chisinevski
*Robert Chojnacki
*Michael Coates
*Dinis Cruz
*August Detlefsen
*Ryan Dewhurst

| width="200" align="left" valign="top" |

*Sean Fay
*Timo Goosen
*Dennis Groves
*Randy Janida
*Chetan Karande
*Eoin Keary
*Alex Lauerman
*Junior Lazuardi
*Benjamin-Hugo LeBlanc
*Jason Li
*Manuel López Arredondo
*Bob Maier
*Jim Manico
*Sherif Mansour Farag
*John Melton

| width="200" align="left" valign="top" |

*Mark Miller
*Craig Munson
*Louis Nadeau
*Giri Nambari
*Erlend Oftedal
*Jay Reynolds
*Chris Schmidt
*Sahil Shah
*Eric Sheridan
*John Steven
*Raphael Taban
*Alex Thissen
*Don Thomas
*Christopher Tidball
*Kevin W Wall
*Colin Watson
*Mehmet Yilmaz

|}

==OWASP Summer of Code 2008==
The AppSensor Project was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.

==Google Summer of Code 2012==
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].

== Other Acknowledgements ==
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

= Road Map and Getting Involved =

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]

== Current activities ==

=== Non code ===

* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
* Create demo
* Develop training materials

=== v2 Code ===

The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]

The code has been fully rewritten.
v2.0.0 final was released in late January 2015.
v2.1.0 final was released in June 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

== Code Roadmap ==

=== Q4 2015 (2.0) ===
* <strike>Jan - v 2.0.0 final release </strike> -> DONE

=== Q4 2014 (2.0) ===
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
* <strike>Additional unit tests</strike> -> DONE
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE

=== June 2015 (2.1) ===
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected

=== September 2015 (2.2) ===
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])

=== January 2016 (2.3) ===
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
* Video demo of setting up appsensor (screen capture) (related to sample apps)
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
* AOP examples of detection point implementations

=== May 2016 (2.4) ===
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

== Past activities ==

'''June 2015''' Final release v2.1.0 code

'''April 2015''' CISO Briefing booklet published

'''February 2015''' Introduction for Developers flyer published

'''January 2015''' Final release v2.0.0 code

'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0

'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

'''2012-2013''' - Active Development of next AppSensor book

'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis

'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]

'''June, 2010''' - Active ESAPI Integration Underway

'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]

'''2009''' v1.2 in the works, demo application in development

'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])

'''January, 2009''' - v1.1 Released - Beta Status

'''November, 2008''' - AppSensor Talk at OWASP Portugal

'''November, 2008''' - v1.0 Released - Beta Status

'''April 16, 2008''' - Project Begins

= Detection Points =

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''

'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''

'''Summary of Information'''
'''Detection Categories:'''

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

'''Signature Based Event Titles'''

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

'''Behavior Based Event Titles'''<br>

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

= Media =

== Introductory Briefings ==

{|
| align="center" valign="top" | Developers
|
| align="center" valign="top" | Architects
|
| align="center" valign="top" | CISOs
|-
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
| width="20" |
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
| width="20" |
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
|}

The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].

== AppSensor Website ==

[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]

[http://appsensor.org/ http://appsensor.org/]

== Code ==

*v2 [https://github.com/jtmelton/appsensor Github Code]
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]

== AppSensor Guide ==

* OWASP AppSensor Guide
** v2.0 EN
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
** v1.1 EN
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]

== Presentations ==

[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]

July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]

November, 2009 - AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]

May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]

May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]

November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]

==Video Demos of AppSensor==

[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]

[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]

[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]

[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]

==Source Documents / Artwork==

* Guide
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
* Introduction for Developers
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
* Poster
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb

= Project About =
{{:Projects/OWASP_AppSensor_Project | Project About}}

}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]

=Project About=
{{:Projects/OWASP_Python_Security_Project}}

[[Category:OWASP Project]]

Authentication Cheat Sheet

2015-06-07T11:53:15Z

Timo.goosen: /* Validation */

__NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
= Introduction =
__TOC__{{TOC hidden}}

'''Authentication''' is the process of verification that an individual,entity or website is who it claims to be. Authentication in the context of web applications is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know. Another form of Authentication is Knowledged Based Authentication.

'''Session Management''' is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.

= Authentication General Guidelines =

== User IDs ==

Make sure your usernames/userids are case insensitive. Regardless, it would be very strange for user 'smith' and user 'Smith' to be different users. Could result in serious confusion.

=== Email address as a User ID ===

Many sites use email addresses as a user id, which is a good mechanism for ensuring a unique identifier for each user without adding the burden of remembering a new username.
However, many web applications do not treat email addresses correctly due to common misconceptions about what constitutes a valid address.

Specifically, it is completely valid to have an mailbox address which:
* Is case sensitive in the local-part
* Has non-alphanumeric characters in the local-part (including + and '''@''')
* Has zero or more labels (though zero is admittedly not going to occur)

The local-part is the part of the mailbox address to the left of the rightmost @ character.
The domain is the part of the mailbox address to the right of the rightmost @ character and consists of zero or more labels joined by a period character.

At the time of writing, RFC 5321 is the current standard defining SMTP and what constitutes a valid mailbox address.

==== Validation ====
Many web applications contain computationally expensive and inaccurate regular expressions that attempt to validate email addresses.

Recent changes to the landscape mean that the number of false-negatives will increase, particularly due to:
* Increased popularity of sub-addressing by providers such as Gmail (commonly using <tt>+</tt> as a token in the local-part to affect delivery)
* New gTLDs with long names (many regular expressions check the number and length of each label in the domain)

Following RFC 5321, best practice for validating an email address would be to:
* Check for presence of at least one <tt>@</tt> symbol in the address
* Ensure the local-part is no longer than 64 octets
* Ensure the domain is no longer than 255 octets
* Ensure the address is deliverable

To ensure an address is deliverable, the only way to check this is to send the user an email and have the user take action to confirm receipt.
Beyond confirming that the email address is valid and deliverable, this also provides a positive acknowledgement that the user has access to the mailbox and is likely to be authorised to use it. This does not mean that other users cannot access this mailbox, for example when the user makes use of a service that generates a throw away email address.

==== Address Normalisation ====
As the local-part of email addresses are, in fact - case sensitive, it is important to store and compare email addresses correctly.
To normalise an email address input, you would convert the domain part ONLY to lowercase.

Unfortunately this does and will make input harder to normalise and correctly match to a users intent.

It is reasonable to only accept one unique capitalisation of an otherwise identical address, however in this case it is critical to:
* Store the user-part as provided and verified by user verification
* Perform comparisons by <tt>lowercase(provided)==lowercase(persisted)</tt>

== Implement Proper Password Strength Controls ==

A key concern when using passwords for authentication is password strength. A "strong" password policy makes it difficult or even improbable for one to guess the password through either manual or automated means. The following characteristics define a strong password:

=== Password Length ===

Longer passwords provide a greater combination of characters and consequently make it more difficult for an attacker to guess.

* '''Minimum''' length of the passwords should be '''enforced''' by the application.
** Passwords '''shorter than 10 characters''' are considered to be weak ([http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf]).

While minimum length enforcement may cause problems with memorizing passwords among some users, applications should encourage them to set ''passphrases'' (sentences or combination of words) that can be much longer than typical passwords and yet much easier to remember.

* '''Maximum''' password length should not be set '''too low''', as it will prevent users from creating passphrases. Typical maximum length is 128 characters.
** Passphrases shorter than 20 characters are usually considered weak if they only consist of lower case Latin characters.

* Every character counts!!
**Make sure that every character the user types in is actually included in the password. We've seen systems that truncate the password at a length shorter than what the user provided (e.g., truncated at 15 characters when they entered 20).
**This is usually handled by setting the length of ALL password input fields to be exactly the same length as the maximum length password. This is particularly important if your max password length is short, like 20-30 characters.

=== Password Complexity ===

Applications should enforce password complexity rules to discourage easy to guess passwords. Password mechanisms should allow virtually any character the user can type to be part of their password, including the space character. Passwords should, obviously, be case sensitive in order to increase their complexity. Occasionally, we find systems where passwords aren't case sensitive, frequently due to legacy system issues like old mainframes that didn't have case sensitive passwords.

The password change mechanism should require a minimum level of complexity that makes sense for the application and its user population. For example:

*Password must meet at least 3 out of the following 4 complexity rules
**at least 1 uppercase character (A-Z)
**at least 1 lowercase character (a-z)
**at least 1 digit (0-9)
**at least 1 [[Password special characters|special character (punctuation)]] — do not forget to treat space as special characters too
*at least 10 characters
*at most 128 characters
*not more than 2 identical characters in a row (e.g., 111 not allowed)

As application's require more complex password policies, they need to be very clear about what these policies are.
*The required policy needs to be explicitly stated on the password change page
** be sure to list every special character you allow, so it's obvious to the user

Recommendation:
* Ideally, the application would indicate to the user as they type in their new password how much of the complexity policy their new password meets
**In fact, the submit button should be grayed out until the new password meets the complexity policy and the 2nd copy of the new password matches the 1st. This will make it far easier for the user to understand and comply with your complexity policy.

Regardless of how the UI behaves, when a user submits their password change request:
*If the new password doesn't comply with the complexity policy, the error message should describe EVERY complexity rule that the new password does not comply with, not just the 1st rule it doesn't comply with

Changing passwords should be EASY, not a hunt in the dark.

== Implement Secure Password Recovery Mechanism ==

It is common for an application to have a mechanism that provides a means for a user to gain access to their account in the event they forget their password. Please see [[Forgot Password Cheat Sheet]] for details on this feature.

== Store Passwords in a Secure Fashion ==

It is critical for a application to store a password using the right cryptographic technique. Please see [[Password Storage Cheat Sheet]] for details on this feature.

== Transmit Passwords Only Over TLS ==

See: [[Transport Layer Protection Cheat Sheet]]

The login page and all subsequent authenticated pages must be exclusively accessed over TLS. The initial login page, referred to as the "login landing page", must be served over TLS. Failure to utilize TLS for the login landing page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location. Failure to utilize TLS for authenticated pages after the login enables an attacker to view the unencrypted session ID and compromise the user's authenticated session.

== Require Re-authentication for Sensitive Features ==

In order to mitigate CSRF and session hijacking, it's important to require the current credentials for an account before updating sensitive account information such as the user's password, user's email, or before sensitive transactions, such as shipping a purchase to a new address. Without this countermeasure, an attacker may be able to execute sensitive transactions through a CSRF or XSS attack without needing to know the user's current credentials. Additionally, an attacker may get temporary physical access to a user's browser or steal their session ID to take over the user's session.

== Utilize Multi-Factor Authentication ==

Multi-factor authentication (MFA) is using more than one authentication factor to logon or process a transaction:

*Something you know (account details or passwords)
*Something you have (tokens or mobile phones)
*Something you are (biometrics)

Authentication schemes such as One Time Passwords (OTP) implemented using a hardware token can also be key in fighting attacks such as CSRF and client-side malware. A number of hardware tokens suitable for MFA are available in the market that allow good integration with web applications. See: [http://en.wikipedia.org/wiki/Security_token].

=== SSL Client Authentication ===

SSL Client Authentication, also known as two-way SSL authentication, consists of both, browser and server, sending their respective SSL certificates during the TLS handshake process. Just as you can validate the authenticity of a server by using the certificate and asking a well known Certificate Authority (CA) if the certificate is valid, the server can authenticate the user by receiving a certificate from the client and validating against a third party CA or its own CA. To do this, the server must provide the user with a certificate generated specifically for him, assigning values to the subject so that these can be used to determine what user the certificate should validate. The user installs the certificate on a browser and now uses it for the website.

It is a good idea to do this when:

*It is acceptable (or even preferred) that the user only has access to the website from only a single computer/browser.
*The user is not easily scared by the process of installing SSL certificates on his browser or there will be someone, probably from IT support, that will do this for the user.
*The website requires an extra step of security.
*It is also a good thing to use when the website is for an intranet of a company or organization.

It is generally not a good idea to use this method for widely and publicly available websites that will have an average user. For example, it wouldn't be a good idea to implement this for a website like Facebook. While this technique can prevent the user from having to type a password (thus protecting against an average keylogger from stealing it), it is still considered a good idea to consider using both a password and SSL client authentication combined.

For more information, see: [http://publib.boulder.ibm.com/infocenter/tivihelp/v5r1/index.jsp?topic=%2Fcom.ibm.itim.infocenter.doc%2Fcpt%2Fcpt_ic_security_ssl_authent2way.html] or [http://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication]

== Authentication and Error Messages ==

Incorrectly implemented error messages in the case of authentication functionality can be used for the purposes of user ID and password enumeration. An application should respond (both HTTP and HTML) in a generic manner.

==== Authentication Responses ====

An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account.

==== Incorrect Response Examples ====

*"Login for User foo: invalid password"
*"Login failed, invalid user ID"
*"Login failed; account disabled"
*"Login failed; this user is not active"

==== Correct Response Example ====

*"Login failed; Invalid userID or password"

The correct response does not indicate if the user ID or password is the incorrect parameter and hence inferring a valid user ID.

==== Error Codes and URLs ====

The application may return a different HTTP Error code depending on the authentication attempt response. It may respond with a 200 for a positive result and a 403 for a negative result. Even though a generic error page is shown to a user, the HTTP response code may differ which can leak information about whether the account is valid or not.

== Prevent Brute-Force Attacks ==

If an attacker is able to guess passwords without the account becoming disabled due to failed authentication attempts, the attacker has an opportunity to continue with a brute force attack until the account is compromised. Automating brute-force/password guessing attacks on web applications is a trivial challenge. Password lockout mechanisms should be employed that lock out an account if more than a preset number of unsuccessful login attempts are made. Password lockout mechanisms have a logical weakness. An attacker that undertakes a large number of authentication attempts on known account names can produce a result that locks out entire blocks of user accounts. Given that the intent of a password lockout system is to protect from brute-force attacks, a sensible strategy is to lockout accounts for a period of time (e.g., 20 minutes). This significantly slows down attackers, while allowing the accounts to reopen automatically for legitimate users.

Also, multi-factor authentication is a very powerful deterrent when trying to prevent brute force attacks since the credentials are a moving target. When multi-factor is implemented and active, account lockout may no longer be necessary.

= Use of authentication protocols that require no password =

While authentication through a user/password combination and using multi-factor authentication is considered generally secure, there are use cases where it isn't considered the best option or even safe. An example of this are third party applications that desire connecting to the web application, either from a mobile device, another website, desktop or other situations. When this happens, it is NOT considered safe to allow the third party application to store the user/password combo, since then it extends the attack surface into their hands, where it isn't in your control. For this, and other use cases, there are several authentication protocols that can protect you from exposing your users' data to attackers.

== OAuth ==

Open Authorization (OAuth) is a protocol that allows an application to authenticate against a server as a user, without requiring passwords or any third party server that acts as an identity provider. It uses a token generated by the server, and provides how the authorization flows most occur, so that a client, such as a mobile application, can tell the server what user is using the service.

The recommendation is to use and implement OAuth 1.0a or OAuth 2.0, since the very first version (OAuth1.0) has been found to be vulnerable to session fixation.

OAuth 2.0 relies on HTTPS for security and is currently used and implemented by API's from companies such as Facebook, Google, Twitter and Microsoft. OAuth1.0a is more difficult to use because it requires the use of cryptographic libraries for digital signatures, however does not rely on HTTPS for security and can therefore be more suited for higher risk transactions.

== OpenId ==

OpenId is an HTTP-based protocol that uses identity providers to validate that a user is who he says he is. It is a very simple protocol which allows a service provider initiated way for single sign-on (SSO). This allows the user to re-use a single identity given to a trusted OpenId identity provider and be the same user in multiple websites, without the need to provide any website the password, except for the OpenId identity provider.

Due to its simplicity and that it provides protection of passwords, OpenId has been well adopted. Some of the well known identity providers for OpenId are Stack Exchange, Google, Facebook and Yahoo!

For non-enterprise environment, OpenId is considered a secure and often better choice, as long as the identity provider is of trust.

== SAML ==

Security Assertion Markup Language (SAML) is often considered to compete with OpenId. The most recommended version is 2.0, since it is very feature complete and provides a strong security. Like with OpenId, SAML uses identity providers, but unlike it, it is XML-based and provides more flexibility. SAML is based on browser redirects which send XML data. Unlike SAML, it isn't only initiated by a service provider, but it can also be initiated from the identity provider. This allows the user to navigate through different portals while still being authenticated without having to do anything, making the process transparent.

While OpenId has taken most of the consumer market, SAML is often the choice for enterprise applications. The reason for this is often that there are few OpenId identity providers which are considered of enterprise class (meaning that the way they validate the user identity doesn't have high standards required for enterprise identity). It is more common to see SAML being used inside of intranet websites, sometimes even using a server from the intranet as the identity provider.

In the past few years, applications like SAP ERP and SharePoint (SharePoint by using Active Directory Federation Services 2.0) have decided to use SAML 2.0 authentication as an often preferred method for single sign-on implementations whenever enterprise federation is required for web services and web applications.

== FIDO ==
The Fast Identity Online (FIDO) Alliance has created two protocols to facilitate online authentication : the Universal Authentication Framework (UAF) protocol and the Universal Second Factor (U2F) protocol. While UAF focuses on passwordless authentication, U2F allows the addition of a second factor to existing password-based authentication. Both protocols are based on a public key cryptography challenge-response model.

UAF takes advantage of existing security technologies present on devices for authentication including fingerprint sensors, cameras(face biometrics), microphones(voice biometrics), Trusted Execution Environments(TEEs), Secure Elements(SEs) and others. The protocol is designed to plug-in these device capabilities into a common authentication framework. UAF works with both native applications and web applications.

U2F augments password-based authentication using a hardware token (typically USB) that stores cryptographic authentication keys and uses them for signing. The user can use the same token as a second factor for multiple applications. U2F works with web applications. It provides '''protection against phishing''' by using the URL of the website to lookup the stored authentication key.

= Session Management General Guidelines =

Session management is directly related to authentication. The '''Session Management General Guidelines''' previously available on this OWASP Authentication Cheat Sheet have been integrated into the [[Session Management Cheat Sheet]].

= Password Managers =

Password managers are programs, browser plugins or web services that automate management of large number of different credentials, including memorizing and filling-in, generating random passwords on different sites etc. The web application can help password managers by:

* using standard HTML forms for username and password input,
* not disabling copy and paste on HTML form fields,
* allowing very long passwords,
* not using multi-stage login schemes (username on first screen, then password),
* not using highly scripted (JavaScript) authentication schemes.

= Authors and Primary Editors =

Eoin Keary eoinkeary[at]owasp.org

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Other Cheatsheets ==

{{Cheatsheet_Navigation_Body}}

|}

[[Category:Cheatsheets]]

Authentication Cheat Sheet

2015-06-07T11:20:17Z

Timo.goosen:

__NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
= Introduction =
__TOC__{{TOC hidden}}

'''Authentication''' is the process of verification that an individual,entity or website is who it claims to be. Authentication in the context of web applications is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know. Another form of Authentication is Knowledged Based Authentication.

'''Session Management''' is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.

= Authentication General Guidelines =

== User IDs ==

Make sure your usernames/userids are case insensitive. Regardless, it would be very strange for user 'smith' and user 'Smith' to be different users. Could result in serious confusion.

=== Email address as a User ID ===

Many sites use email addresses as a user id, which is a good mechanism for ensuring a unique identifier for each user without adding the burden of remembering a new username.
However, many web applications do not treat email addresses correctly due to common misconceptions about what constitutes a valid address.

Specifically, it is completely valid to have an mailbox address which:
* Is case sensitive in the local-part
* Has non-alphanumeric characters in the local-part (including + and '''@''')
* Has zero or more labels (though zero is admittedly not going to occur)

The local-part is the part of the mailbox address to the left of the rightmost @ character.
The domain is the part of the mailbox address to the right of the rightmost @ character and consists of zero or more labels joined by a period character.

At the time of writing, RFC 5321 is the current standard defining SMTP and what constitutes a valid mailbox address.

==== Validation ====
Many web applications contain computationally expensive and inaccurate regular expressions that attempt to validate email addresses.

Recent changes to the landscape mean that the number of false-negatives will increase, particularly due to:
* Increased popularity of sub-addressing by providers such as Gmail (commonly using <tt>+</tt> as a token in the local-part to affect delivery)
* New gTLDs with long names (many regular expressions check the number and length of each label in the domain)

Following RFC 5321, best practice for validating an email address would be to:
* Check for presence of at least one <tt>@</tt> symbol in the address
* Ensure the local-part is no longer than 64 octets
* Ensure the domain is no longer than 255 octets
* Ensure the address is deliverable

To ensure an address is deliverable, the only way to check this is to send the user an email and have the user take action to confirm receipt.
Beyond confirming that the email address is valid and deliverable, this also provides a positive acknowledgement that the user has access to the mailbox and is likely to be authorised to use it.

==== Address Normalisation ====
As the local-part of email addresses are, in fact - case sensitive, it is important to store and compare email addresses correctly.
To normalise an email address input, you would convert the domain part ONLY to lowercase.

Unfortunately this does and will make input harder to normalise and correctly match to a users intent.

It is reasonable to only accept one unique capitalisation of an otherwise identical address, however in this case it is critical to:
* Store the user-part as provided and verified by user verification
* Perform comparisons by <tt>lowercase(provided)==lowercase(persisted)</tt>

== Implement Proper Password Strength Controls ==

A key concern when using passwords for authentication is password strength. A "strong" password policy makes it difficult or even improbable for one to guess the password through either manual or automated means. The following characteristics define a strong password:

=== Password Length ===

Longer passwords provide a greater combination of characters and consequently make it more difficult for an attacker to guess.

* '''Minimum''' length of the passwords should be '''enforced''' by the application.
** Passwords '''shorter than 10 characters''' are considered to be weak ([http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf]).

While minimum length enforcement may cause problems with memorizing passwords among some users, applications should encourage them to set ''passphrases'' (sentences or combination of words) that can be much longer than typical passwords and yet much easier to remember.

* '''Maximum''' password length should not be set '''too low''', as it will prevent users from creating passphrases. Typical maximum length is 128 characters.
** Passphrases shorter than 20 characters are usually considered weak if they only consist of lower case Latin characters.

* Every character counts!!
**Make sure that every character the user types in is actually included in the password. We've seen systems that truncate the password at a length shorter than what the user provided (e.g., truncated at 15 characters when they entered 20).
**This is usually handled by setting the length of ALL password input fields to be exactly the same length as the maximum length password. This is particularly important if your max password length is short, like 20-30 characters.

=== Password Complexity ===

Applications should enforce password complexity rules to discourage easy to guess passwords. Password mechanisms should allow virtually any character the user can type to be part of their password, including the space character. Passwords should, obviously, be case sensitive in order to increase their complexity. Occasionally, we find systems where passwords aren't case sensitive, frequently due to legacy system issues like old mainframes that didn't have case sensitive passwords.

The password change mechanism should require a minimum level of complexity that makes sense for the application and its user population. For example:

*Password must meet at least 3 out of the following 4 complexity rules
**at least 1 uppercase character (A-Z)
**at least 1 lowercase character (a-z)
**at least 1 digit (0-9)
**at least 1 [[Password special characters|special character (punctuation)]] — do not forget to treat space as special characters too
*at least 10 characters
*at most 128 characters
*not more than 2 identical characters in a row (e.g., 111 not allowed)

As application's require more complex password policies, they need to be very clear about what these policies are.
*The required policy needs to be explicitly stated on the password change page
** be sure to list every special character you allow, so it's obvious to the user

Recommendation:
* Ideally, the application would indicate to the user as they type in their new password how much of the complexity policy their new password meets
**In fact, the submit button should be grayed out until the new password meets the complexity policy and the 2nd copy of the new password matches the 1st. This will make it far easier for the user to understand and comply with your complexity policy.

Regardless of how the UI behaves, when a user submits their password change request:
*If the new password doesn't comply with the complexity policy, the error message should describe EVERY complexity rule that the new password does not comply with, not just the 1st rule it doesn't comply with

Changing passwords should be EASY, not a hunt in the dark.

== Implement Secure Password Recovery Mechanism ==

It is common for an application to have a mechanism that provides a means for a user to gain access to their account in the event they forget their password. Please see [[Forgot Password Cheat Sheet]] for details on this feature.

== Store Passwords in a Secure Fashion ==

It is critical for a application to store a password using the right cryptographic technique. Please see [[Password Storage Cheat Sheet]] for details on this feature.

== Transmit Passwords Only Over TLS ==

See: [[Transport Layer Protection Cheat Sheet]]

The login page and all subsequent authenticated pages must be exclusively accessed over TLS. The initial login page, referred to as the "login landing page", must be served over TLS. Failure to utilize TLS for the login landing page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location. Failure to utilize TLS for authenticated pages after the login enables an attacker to view the unencrypted session ID and compromise the user's authenticated session.

== Require Re-authentication for Sensitive Features ==

In order to mitigate CSRF and session hijacking, it's important to require the current credentials for an account before updating sensitive account information such as the user's password, user's email, or before sensitive transactions, such as shipping a purchase to a new address. Without this countermeasure, an attacker may be able to execute sensitive transactions through a CSRF or XSS attack without needing to know the user's current credentials. Additionally, an attacker may get temporary physical access to a user's browser or steal their session ID to take over the user's session.

== Utilize Multi-Factor Authentication ==

Multi-factor authentication (MFA) is using more than one authentication factor to logon or process a transaction:

*Something you know (account details or passwords)
*Something you have (tokens or mobile phones)
*Something you are (biometrics)

Authentication schemes such as One Time Passwords (OTP) implemented using a hardware token can also be key in fighting attacks such as CSRF and client-side malware. A number of hardware tokens suitable for MFA are available in the market that allow good integration with web applications. See: [http://en.wikipedia.org/wiki/Security_token].

=== SSL Client Authentication ===

SSL Client Authentication, also known as two-way SSL authentication, consists of both, browser and server, sending their respective SSL certificates during the TLS handshake process. Just as you can validate the authenticity of a server by using the certificate and asking a well known Certificate Authority (CA) if the certificate is valid, the server can authenticate the user by receiving a certificate from the client and validating against a third party CA or its own CA. To do this, the server must provide the user with a certificate generated specifically for him, assigning values to the subject so that these can be used to determine what user the certificate should validate. The user installs the certificate on a browser and now uses it for the website.

It is a good idea to do this when:

*It is acceptable (or even preferred) that the user only has access to the website from only a single computer/browser.
*The user is not easily scared by the process of installing SSL certificates on his browser or there will be someone, probably from IT support, that will do this for the user.
*The website requires an extra step of security.
*It is also a good thing to use when the website is for an intranet of a company or organization.

It is generally not a good idea to use this method for widely and publicly available websites that will have an average user. For example, it wouldn't be a good idea to implement this for a website like Facebook. While this technique can prevent the user from having to type a password (thus protecting against an average keylogger from stealing it), it is still considered a good idea to consider using both a password and SSL client authentication combined.

For more information, see: [http://publib.boulder.ibm.com/infocenter/tivihelp/v5r1/index.jsp?topic=%2Fcom.ibm.itim.infocenter.doc%2Fcpt%2Fcpt_ic_security_ssl_authent2way.html] or [http://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication]

== Authentication and Error Messages ==

Incorrectly implemented error messages in the case of authentication functionality can be used for the purposes of user ID and password enumeration. An application should respond (both HTTP and HTML) in a generic manner.

==== Authentication Responses ====

An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account.

==== Incorrect Response Examples ====

*"Login for User foo: invalid password"
*"Login failed, invalid user ID"
*"Login failed; account disabled"
*"Login failed; this user is not active"

==== Correct Response Example ====

*"Login failed; Invalid userID or password"

The correct response does not indicate if the user ID or password is the incorrect parameter and hence inferring a valid user ID.

==== Error Codes and URLs ====

The application may return a different HTTP Error code depending on the authentication attempt response. It may respond with a 200 for a positive result and a 403 for a negative result. Even though a generic error page is shown to a user, the HTTP response code may differ which can leak information about whether the account is valid or not.

== Prevent Brute-Force Attacks ==

If an attacker is able to guess passwords without the account becoming disabled due to failed authentication attempts, the attacker has an opportunity to continue with a brute force attack until the account is compromised. Automating brute-force/password guessing attacks on web applications is a trivial challenge. Password lockout mechanisms should be employed that lock out an account if more than a preset number of unsuccessful login attempts are made. Password lockout mechanisms have a logical weakness. An attacker that undertakes a large number of authentication attempts on known account names can produce a result that locks out entire blocks of user accounts. Given that the intent of a password lockout system is to protect from brute-force attacks, a sensible strategy is to lockout accounts for a period of time (e.g., 20 minutes). This significantly slows down attackers, while allowing the accounts to reopen automatically for legitimate users.

Also, multi-factor authentication is a very powerful deterrent when trying to prevent brute force attacks since the credentials are a moving target. When multi-factor is implemented and active, account lockout may no longer be necessary.

= Use of authentication protocols that require no password =

While authentication through a user/password combination and using multi-factor authentication is considered generally secure, there are use cases where it isn't considered the best option or even safe. An example of this are third party applications that desire connecting to the web application, either from a mobile device, another website, desktop or other situations. When this happens, it is NOT considered safe to allow the third party application to store the user/password combo, since then it extends the attack surface into their hands, where it isn't in your control. For this, and other use cases, there are several authentication protocols that can protect you from exposing your users' data to attackers.

== OAuth ==

Open Authorization (OAuth) is a protocol that allows an application to authenticate against a server as a user, without requiring passwords or any third party server that acts as an identity provider. It uses a token generated by the server, and provides how the authorization flows most occur, so that a client, such as a mobile application, can tell the server what user is using the service.

The recommendation is to use and implement OAuth 1.0a or OAuth 2.0, since the very first version (OAuth1.0) has been found to be vulnerable to session fixation.

OAuth 2.0 relies on HTTPS for security and is currently used and implemented by API's from companies such as Facebook, Google, Twitter and Microsoft. OAuth1.0a is more difficult to use because it requires the use of cryptographic libraries for digital signatures, however does not rely on HTTPS for security and can therefore be more suited for higher risk transactions.

== OpenId ==

OpenId is an HTTP-based protocol that uses identity providers to validate that a user is who he says he is. It is a very simple protocol which allows a service provider initiated way for single sign-on (SSO). This allows the user to re-use a single identity given to a trusted OpenId identity provider and be the same user in multiple websites, without the need to provide any website the password, except for the OpenId identity provider.

Due to its simplicity and that it provides protection of passwords, OpenId has been well adopted. Some of the well known identity providers for OpenId are Stack Exchange, Google, Facebook and Yahoo!

For non-enterprise environment, OpenId is considered a secure and often better choice, as long as the identity provider is of trust.

== SAML ==

Security Assertion Markup Language (SAML) is often considered to compete with OpenId. The most recommended version is 2.0, since it is very feature complete and provides a strong security. Like with OpenId, SAML uses identity providers, but unlike it, it is XML-based and provides more flexibility. SAML is based on browser redirects which send XML data. Unlike SAML, it isn't only initiated by a service provider, but it can also be initiated from the identity provider. This allows the user to navigate through different portals while still being authenticated without having to do anything, making the process transparent.

While OpenId has taken most of the consumer market, SAML is often the choice for enterprise applications. The reason for this is often that there are few OpenId identity providers which are considered of enterprise class (meaning that the way they validate the user identity doesn't have high standards required for enterprise identity). It is more common to see SAML being used inside of intranet websites, sometimes even using a server from the intranet as the identity provider.

In the past few years, applications like SAP ERP and SharePoint (SharePoint by using Active Directory Federation Services 2.0) have decided to use SAML 2.0 authentication as an often preferred method for single sign-on implementations whenever enterprise federation is required for web services and web applications.

== FIDO ==
The Fast Identity Online (FIDO) Alliance has created two protocols to facilitate online authentication : the Universal Authentication Framework (UAF) protocol and the Universal Second Factor (U2F) protocol. While UAF focuses on passwordless authentication, U2F allows the addition of a second factor to existing password-based authentication. Both protocols are based on a public key cryptography challenge-response model.

UAF takes advantage of existing security technologies present on devices for authentication including fingerprint sensors, cameras(face biometrics), microphones(voice biometrics), Trusted Execution Environments(TEEs), Secure Elements(SEs) and others. The protocol is designed to plug-in these device capabilities into a common authentication framework. UAF works with both native applications and web applications.

U2F augments password-based authentication using a hardware token (typically USB) that stores cryptographic authentication keys and uses them for signing. The user can use the same token as a second factor for multiple applications. U2F works with web applications. It provides '''protection against phishing''' by using the URL of the website to lookup the stored authentication key.

= Session Management General Guidelines =

Session management is directly related to authentication. The '''Session Management General Guidelines''' previously available on this OWASP Authentication Cheat Sheet have been integrated into the [[Session Management Cheat Sheet]].

= Password Managers =

Password managers are programs, browser plugins or web services that automate management of large number of different credentials, including memorizing and filling-in, generating random passwords on different sites etc. The web application can help password managers by:

* using standard HTML forms for username and password input,
* not disabling copy and paste on HTML form fields,
* allowing very long passwords,
* not using multi-stage login schemes (username on first screen, then password),
* not using highly scripted (JavaScript) authentication schemes.

= Authors and Primary Editors =

Eoin Keary eoinkeary[at]owasp.org

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Other Cheatsheets ==

{{Cheatsheet_Navigation_Body}}

|}

[[Category:Cheatsheets]]

Cape Town

2015-06-05T08:44:47Z

Timo.goosen:

Cape Town

2015-06-05T08:44:15Z

Timo.goosen:

Cape Town

2015-06-05T08:43:36Z

Timo.goosen: /* Local News */

Cape Town

2015-06-05T08:43:02Z

Timo.goosen:

Cape Town

2015-06-05T08:42:18Z

Timo.goosen:

Cape Town

2015-06-04T10:28:54Z

Timo.goosen:

Cape Town

2015-06-03T11:03:59Z

Timo.goosen:

{{Chapter Template|chaptername=Cape Town|extra=The chapter leaders are [mailto:Timo.Goosen@ Timo Goosen]
[mailto:Christo.Goosen@ Christo Goosen]
[mailto:Johan.Snyman@ Johan Snyman]
.|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southafrica|emailarchives=http://lists.owasp.org/pipermail/owasp-cape-town}}

== Local News ==

'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

[[Category:OWASP Chapter]]
[[Category:Africa]]
[[Category:South Africa]]

Secure Configuration Guide

2015-03-12T14:53:36Z

Timo.goosen: /* 6. Crypto misconfiguration */

Welcome on the page of Secure Configuration Guide!

Project description is available here: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide

When editing the page, please follow the page structure, described in [[Template:OWASP Secure Configuration Guide]]

= Table of Contents =

== 1. Introduction ==

'''1.1. The OWASP Secure Configuration Guide'''

'''1.2. Misconfiguration. Defender's point'''

'''1.3. Misconfiguration. Attacker's point'''

== 2. Web servers misconfiguration ==

'''[[SCG_WS_Apache|2.1. Apache]]'''

'''[[SCG_WS_IIS|2.2. IIS]]'''

'''[[SCG_WS_nginx|2.3. nginx]]'''

'''[[SCG_WS_GWS|2.4. GWS]]'''

'''[[SCG_WS_IBM|2.5. IBM HTTP Server]]'''

'''[[SCG_WS_LIGHTTPD|2.6 lighttpd]]'''

'''[[SCG_WS_OPENBSD_HTTPD|2.7 New OpenBSD HTTPD Webserver]]'''

== 3. Application servers misconfiguration ==

'''[[SCG_AS_Tomcat|3.1. Apache Tomcat]]'''

'''[[SCG_AS_Borland|3.2. Borland Enterprise Server]]'''

'''[[SCG_AS_ColdFusion|3.3. ColdFusion]]'''

'''[[SCG_AS_WebSphere|3.4. IBM WebSphere Application Server]]'''

'''[[SCG_AS_JBoss|3.5. JBoss Enterprise Application Platform]]'''

'''[[SCG_AS_Jetty|3.6. Jetty]]'''

'''[[SCG_AS_NetWeaver|3.7. SAP NetWeaver Application Server]]'''

'''[[SCG_AS_Oracle|3.8. Oracle Application Server]]'''

'''[[SCG_AS_WebLogic|3.9. Oracle WebLogic Server]]'''

'''[[SCG_AS_GlassFish|3.10. Oracle GlassFish Server]]'''

== 4. Web frameworks misconfiguration ==

'''[[SCG_WF_Struts|4.1. Apache Struts]]'''

'''[[SCG_WF_ASPNET|4.2. ASP.NET]]'''

'''[[SCG_WF_CakePHP|4.3. CakePHP]]'''

'''[[SCG_WF_CodeIgniter|4.4. CodeIgniter]]'''

'''[[SCG_WF_Django|4.5. Django]]'''

'''[[SCG_WF_Lithium|4.6. Lithium]]'''

'''[[SCG_WF_Rails|4.7. Ruby on Rails]]'''

'''[[SCG_WF_Spring|4.8. Spring]]'''

'''[[SCG_WF_Symfony|4.9. Symfony]]'''

'''[[SCG_WF_Zend|4.10. Zend]]'''

== 5. CMS misconfiguration ==

'''[[SCG_CMS_Bitrix|5.1. Bitrix]]'''

'''[[SCG_CMS_Drupal|5.2. Drupal]]'''

'''[[SCG_CMS_Joomla|5.3. Joomla]]'''

'''[[SCG_CMS_Magento|5.4. Magento]]'''

'''[[SCG_CMS_OpenCart|5.5. OpenCart]]'''

'''[[SCG_CMS_phpBB|5.6. phpBB]]'''

'''[[SCG_CMS_Shopify|5.7. Shopify]]'''

'''[[SCG_CMS_TYPO3|5.8. TYPO3]]'''

'''[[SCG_CMS_vBulletin|5.9. vBulletin]]'''

'''[[SCG_CMS_Wordpress|5.10. Wordpress]]'''

== 6. Crypto misconfiguration ==

'''Hardening'''
*[https://bettercrypto.org/static/applied-crypto-hardening.pdf Applied Crypto Hardening General Hardening]

'''Testing Crypto Config'''
*[https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 Testing for SSL-TLS OWASP-CM-001]
*[https://www.digicert.com/help/ Digicert Testing Suite]
*[https://www.ssllabs.com/ssltest/index.html SSL Labs SSL Test]

== 7. Services ==

'''7.1. VNC''' - srsly.de ;)

'''SSH'''

'''RDP'''

'''7.2 to be complemented later'''

== 8. Devices ==

'''[[SCG_D_BIGIP|8.1. BIG-IP]]'''

'''8.2. Routers'''

'''8.3. Firewalls '''

'''8.4. to be complemented later'''

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

Secure Configuration Guide

2015-03-12T14:43:38Z

Timo.goosen: /* 6. Crypto misconfiguration */

Welcome on the page of Secure Configuration Guide!

Project description is available here: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide

When editing the page, please follow the page structure, described in [[Template:OWASP Secure Configuration Guide]]

= Table of Contents =

== 1. Introduction ==

'''1.1. The OWASP Secure Configuration Guide'''

'''1.2. Misconfiguration. Defender's point'''

'''1.3. Misconfiguration. Attacker's point'''

== 2. Web servers misconfiguration ==

'''[[SCG_WS_Apache|2.1. Apache]]'''

'''[[SCG_WS_IIS|2.2. IIS]]'''

'''[[SCG_WS_nginx|2.3. nginx]]'''

'''[[SCG_WS_GWS|2.4. GWS]]'''

'''[[SCG_WS_IBM|2.5. IBM HTTP Server]]'''

'''[[SCG_WS_LIGHTTPD|2.6 lighttpd]]'''

'''[[SCG_WS_OPENBSD_HTTPD|2.7 New OpenBSD HTTPD Webserver]]'''

== 3. Application servers misconfiguration ==

'''[[SCG_AS_Tomcat|3.1. Apache Tomcat]]'''

'''[[SCG_AS_Borland|3.2. Borland Enterprise Server]]'''

'''[[SCG_AS_ColdFusion|3.3. ColdFusion]]'''

'''[[SCG_AS_WebSphere|3.4. IBM WebSphere Application Server]]'''

'''[[SCG_AS_JBoss|3.5. JBoss Enterprise Application Platform]]'''

'''[[SCG_AS_Jetty|3.6. Jetty]]'''

'''[[SCG_AS_NetWeaver|3.7. SAP NetWeaver Application Server]]'''

'''[[SCG_AS_Oracle|3.8. Oracle Application Server]]'''

'''[[SCG_AS_WebLogic|3.9. Oracle WebLogic Server]]'''

'''[[SCG_AS_GlassFish|3.10. Oracle GlassFish Server]]'''

== 4. Web frameworks misconfiguration ==

'''[[SCG_WF_Struts|4.1. Apache Struts]]'''

'''[[SCG_WF_ASPNET|4.2. ASP.NET]]'''

'''[[SCG_WF_CakePHP|4.3. CakePHP]]'''

'''[[SCG_WF_CodeIgniter|4.4. CodeIgniter]]'''

'''[[SCG_WF_Django|4.5. Django]]'''

'''[[SCG_WF_Lithium|4.6. Lithium]]'''

'''[[SCG_WF_Rails|4.7. Ruby on Rails]]'''

'''[[SCG_WF_Spring|4.8. Spring]]'''

'''[[SCG_WF_Symfony|4.9. Symfony]]'''

'''[[SCG_WF_Zend|4.10. Zend]]'''

== 5. CMS misconfiguration ==

'''[[SCG_CMS_Bitrix|5.1. Bitrix]]'''

'''[[SCG_CMS_Drupal|5.2. Drupal]]'''

'''[[SCG_CMS_Joomla|5.3. Joomla]]'''

'''[[SCG_CMS_Magento|5.4. Magento]]'''

'''[[SCG_CMS_OpenCart|5.5. OpenCart]]'''

'''[[SCG_CMS_phpBB|5.6. phpBB]]'''

'''[[SCG_CMS_Shopify|5.7. Shopify]]'''

'''[[SCG_CMS_TYPO3|5.8. TYPO3]]'''

'''[[SCG_CMS_vBulletin|5.9. vBulletin]]'''

'''[[SCG_CMS_Wordpress|5.10. Wordpress]]'''

== 6. Crypto misconfiguration ==

The most comprehensive guide found so far:

*[https://bettercrypto.org/static/applied-crypto-hardening.pdf Applied Crypto Hardening]

== 7. Services ==

'''7.1. VNC''' - srsly.de ;)

'''SSH'''

'''RDP'''

'''7.2 to be complemented later'''

== 8. Devices ==

'''[[SCG_D_BIGIP|8.1. BIG-IP]]'''

'''8.2. Routers'''

'''8.3. Firewalls '''

'''8.4. to be complemented later'''

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]