OWASP - User contributions [en]

OWASP PHP Security Project

2014-02-28T07:41:26Z

Zakiakhmad: /* Major Contributors */

= Main =
[[File:Small-phpsec.png]]
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP PHP Security Project==
OWASP PHP Security Project is an effort by a group of PHP developers in securing PHP web applications, using a collection of decoupled flexible secure PHP libraries, as well as a collection of PHP tools.

[https://github.com/owasp/phpsec/ GitHub Repo]

==What is PHPSEC?==
On top of a collcetion of libraries and tools, PHPSEC contains a sample framework to demonstrate proper usage of the tools and libraries, as well as guidelining new PHP projects. It can also be easily merged with existing PHP code, because it is both decoupled and flexible. Proper usage of PHPSEC will result in the target system being much more secure.

==Why PHPSEC?==
PHPSEC is suitable for three group of developers:

* Framework Developers can use the libraries and tools to strengthen their framework security
* PHP Application Developers can use the library and tools to enhance their application security
* New PHP Developers can use the tools and libraries to create secure applications from scratch

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

==Major Contributors==
*Rahul Chaudhary
*Abhishek Das
*Shivam Dixit
*Achim
*[[User:Zakiakhmad|Zaki Akhmad]]
*Minhaz
*Paulo Guerreiro

==Libraries Offered==
* Basic Password Library
* Advance Password Library
* User Library and Management
* Crypto Library
* Password Library
* Database Library
* Download Manager Library
* HTTP Library
* Tainted Library
* Logs Library
* Session Library
* Core Library
* Scanner Tool

==Tools Offered==
* XSS Resolver
* SQL Injection Detector
* Taint Tracker

==Damages Mitigated==
* Brute Force Attacks
* Cross-site Scripting(XSS) Attacks
* SQL Injection Attacks
* Session Fixation, Session Hijacking, Session Guessing
* Encrypting sensitive information in configuration files
* Replacement of native PHP's faulty functions
* A secure PRNG (Pseudorandom number generator)
* Secure implementation of "remember-me" and "temporary password" features
* Capability to mark/disallow suspicious strings

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* [http://github.com/OWASP/phpsec/archive/master.zip OWASP PHPSec project]

== Website ==

http://phpsec.owasp.org/

== News and Events ==
[http://appsecusa2013.sched.org/event/4a0421d19aad48a7fbe35ec97899936c#.UoI2Jfmfhv8 Visit us at OWASP APPSEC conference November 2013]
==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

= Project About =
{{:Projects/OWASP_PHP_Security_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

OWASP Vulnerable Web Applications Directory Project

2013-10-21T08:00:12Z

Zakiakhmad: /* Others */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Vulnerable Web Applications Directory Project==

The OWASP Vulnerable Web Applications Directory Project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.

==Introduction==

Select from the above tabs to view all of the:
* On-Line applications
* Off-Line applications
* Virtual Machines and ISO images

==Description==

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors and penetration testers to put in practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable web applications available to security professionals for hacking and offensive activities, so that they can attack realistic web environments... without going to jail :)

The vulnerable web applications have been classified in three categories: On-Line, Off-Line, and VMs/ISOs. Each list has been ordered alphabetically.

An initial list that inspired this project was maintained till the end on 2013 at: http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html.

==Licensing==
OWASP Vulnerable Web Applications Directory Projects is free to use. It is licensed under the Apache 2.0 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is VWAD? ==

OWASP VWAD provides:

* A list of all known vulnerable web applications.

== Presentation ==

Interview with [http://trustedsoftwarealliance.com/2013/10/18/simon-bennetts-the-owasp-web-applications-vulnerability-project/ Simon Bennetts – The OWASP Web Applications Vulnerability Project ].

== Project Leaders ==

*[mailto:raul@raulsiles.com Raul Siles]
*[[User:Simon Bennetts|Simon Bennetts]]

== Related Projects ==

* N/A

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* N/A - The project is self contained on the wiki.

== News and Events ==
* [16 Oct 2013] Project created.

== In Print ==
N/A

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=On-Line apps=

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Author
! scope="col" | Notes
|-
| [http://testphp.vulnweb.com Acuart]
| PHP
| Acunetix
| Art shopping
|-
| [http://testaspnet.vulnweb.com/ Acublog]
| .NET
| Acunetix
| Blog
|-
| [http://testasp.vulnweb.com/ Acuforum]
| ASP
| Acunetix
| Forum
|-
| [http://demo.testfire.net/ Altoro Mutual]
|
| IBM/Watchfire
| (jsmith/Demo1234)
|-
| [http://crackme.cenzic.com/ Crack Me Bank]
|
| Cenzic
|
|-
| [http://enigmagroup.org/ Enigma Group]
|
| Enigma Group
|
|-
| [http://google-gruyere.appspot.com/ Gruyere]
| Python
| Google
|
|-
| [http://hackademic1.teilar.gr Hackademic Challenges Project]
| PHP - Joomla
| OWASP
|
|-
| [http://pctechtips.org/hacker-challenge-pwn3d-the-login-form/ Hacker Challenge]
|
| PCTechtips
|
|-
| [https://www.hacking-lab.com/events/registerform.html?eventid=245 Hacking Lab]
|
| Hacking Lab
|
|-
| [https://hack.me Hack.me]
|
| eLearnSecurity
| Beta
|-
| [http://www.hackthissite.org HackThisSite]
|
| HackThisSite
| Basic & Realistic (web) Missions
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
| First 2 levels online (algo/smurf), rest offline
|-
| [http://pentesteracademylab.appspot.com Pentester Academy]
|
|
|
|-
| [http://vicnum.ciphertechs.com Vicnum Project]
| Perl & PHP
|
|
|-
| [http://www.webscantest.com Web Scanner Test Site]
|
| NTOSpider
| (testuser/testpass)
|-
| [http://blasze.com/xsstestsuite/ XSS Test Suite]
|
|
|
|-
| [http://zero.webappsecurity.com/ Zero Bank]
|
| HP/SpiDynamics
| (admin/admin)
|-
|}

Please add any new apps in alphabetic order, correct mistakes or just comment on this page if you dont have write access to this wiki.

= Off-Line apps =

Vulnerable applications that have to be downloaded and used locally:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [http://www.badstore.net/ BadStore]
| Perl(CGI)
|
|
|
|-
| [http://code.google.com/p/bodgeit/ BodgeIt Store ]
| Java
| [http://code.google.com/p/bodgeit/downloads/list download]
|
|
|-
| [http://sechow.com/bricks/index.html Bricks ]
| PHP
| [http://sechow.com/bricks/download.html download] [http://sechow.com/bricks/docs/ docs]
| OWASP
|
|-
| [http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/ Butterfly Security Project]
| PHP
| [http://sourceforge.net/projects/thebutterflytmp/files/ download]
|
| Last updated in 2008
|-
| [http://www.itsecgames.com/ bWAPP ]
| PHP
| [http://sourceforge.net/projects/bwapp/files/ download] [http://itsecgames.blogspot.be/2013/01/bwapp-installation.html docs]
|
|
|-
| [https://github.com/fridaygoldsmith/bwa_cyclone_transfers Cyclone Transfers ]
| Ruby on Rails
|
|
|
|-
| [http://www.dvwa.co.uk/ Damn Vulnerable Web Application - DVWA ]
| PHP
| [http://code.google.com/p/dvwa/downloads/list download]
| RandomStorm
|
|-
| [http://dvws.secureideas.net/ Damn Vulnerable Web Services - DVWS ]
| PHP
| [http://dvws.secureideas.net/downloads/files/dvws.tgz download]
| Secure Ideas
|
|-
| [http://google-gruyere.appspot.com/ Gruyere ]
| Python
| [http://google-gruyere.appspot.com/gruyere-code.zip download]
| Google
|
|-
| [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project Hackademic Challenges Project ]
| PHP
| [https://code.google.com/p/owasp-hackademic-challenges/ download]
| OWASP
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx Hacme Bank - Android]
|
|
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx Hacme Bank ]
| .NET
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-bank.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx Hacme Books ]
| Java
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmebooks.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx Hacme Casino ]
| Ruby on Rails
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-casino.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx Hacme Shipping ]
| ColdFusion
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmeshipping.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx Hacme Travel ]
| C++
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmetravel.aspx download]
| McAfee / Foundstone
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
|
| First 2 levels online, rest offline
|-
| [http://sourceforge.net/projects/lampsecurity/ LampSecurity]
| PHP
|
|
|
|-
| [http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Mutillidae ]
| PHP
| [http://www.irongeek.com/mutillidae/ download]
|
|
|-
| [https://owasp.codeplex.com/ .NET Goat ]
| C#
| [https://owasp.codeplex.com/SourceControl/list/changesets# download]
| OWASP
|
|-
| [http://peruggia.sourceforge.net/ Peruggia ]
| PHP
| [http://sourceforge.net/projects/peruggia/files/ download]
|
|
|-
| [https://code.google.com/p/puzzlemall/ Puzzlemall ]
| Java
| [https://code.google.com/p/puzzlemall/downloads/list download] [https://code.google.com/p/puzzlemall/downloads/list docs]
|
|
|-
| [https://www.owasp.org/index.php/OWASP_Rails_Goat_Project Rails Goat ]
| Ruby on Rails
| [https://github.com/OWASP/railsgoat/archive/master.zip download] [http://railsgoat.cktricky.com/getting_started.html docs]
| OWASP
|
|-
| [http://suif.stanford.edu/%7Elivshits/securibench/ SecuriBench]
| Java
|
| Stanford
|
|-
| [http://suif.stanford.edu/%7Elivshits/work/securibench-micro/ SecuriBench Micro]
| Java
| [http://suif.stanford.edu/~livshits/securibench/download.html download]
| Stanford
|
|-
| [https://github.com/Audi-1/sqli-labs SQLI-labs]
| PHP
| [https://github.com/Audi-1/sqli-labs/archive/master.zip download] [http://dummy2dummies.blogspot.com/ blog]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/sakti/twitterlike twitterlike ]
| PHP
| [https://github.com/sakti/twitterlike git repository]
| Sakti Dwi Cahyono
|
|-
| [http://www.nth-dimension.org.uk/blog.php?id=88 VulnApp ]
| .NET
| [http://projects.nth-dimension.org.uk/dir?d=VulnApp CVS download] [http://projects.nth-dimension.org.uk/rptview?rn=6 vulns]
|
|
|-
| [http://exploit.co.il/hacking/exploit-kb-vulnerable-web-app/ Vulnerable Web App]
|
|
| Exploit.co.il
|
|-
| [https://github.com/adamdoupe/WackoPicko WackoPicko ]
| PHP
| [https://github.com/adamdoupe/WackoPicko/zipball/master download] [http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf whitepaper]
|
|
|-
| [https://code.google.com/p/wavsep/ Wavsep - Web Application Vulnerability Scanner Evaluation Project ]
| Java
| [https://code.google.com/p/wavsep/downloads/list download] [https://code.google.com/p/wavsep/downloads/list docs]
|
|
|-
| [https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat ]
| Java
| [http://code.google.com/p/webgoat/downloads/list download] [https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents guide]
| OWASP
|
|-
| [https://owasp.codeplex.com/ WebGoat.NET]
| C#
| [https://owasp.codeplex.com/SourceControl/list/changesets# download]
| OWASP
|
|-
| [https://code.google.com/p/wivet/ WIVET - Web Input Vector Extractor Teaser]
|
| [http://www.webguvenligi.org/projeler/wivet download] [https://code.google.com/p/wivet/downloads/list?can=1&q= tests]
|
|
|-
|}

Please add any new apps in alphabetic order, correct mistakes or just comment on this page if you dont have write access to this wiki.

The following apps are quite old and appear not to be maintained - as such they are probably less useful.

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [http://www.mavensecurity.com/webmaven WebMaven/Buggy Bank]
|
|
|
|
|-
| [https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project Insecure Web App Project ]
| Java
| [http://sourceforge.net/projects/insecurewebapp/files/ download]
| OWASP
|
|-
| [http://www.owasp.org/index.php/Owasp_SiteGenerator SiteGenerator]
| ASP.NET
|
| OWASP
|
|-
|}

= Virtual Machines or ISOs =

VMs which contain multiple vulnerable applications:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [http://www.badstore.net/ BadStore ]
| ISO
| [http://www.badstore.net/register.htm download]
|
|
|-
| [http://sourceforge.net/projects/bwapp/files/bee-box/ Bee-Box ]
| bWAPP VMware
|
|
|
|-
| [http://code.google.com/p/owaspbwa/wiki/ProjectSummary Broken Web Applications Project (BWA) ]
| VMware
| [http://code.google.com/p/owaspbwa/wiki/Downloads download]
| OWASP
|
|-
| [https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/ Drunk Admin Web Hacking Challenge ]
| VMware
| [http://bechtsoudis.com/data/challenges/drunk_admin_hacking_challenge.zip download]
|
|
|-
| [http://exploit.co.il/projects/vuln-web-app/ Exploit.co.il Vuln Web App ]
| VMware
| [http://sourceforge.net/projects/exploitcoilvuln/files/ download]
|
|
|-
| [http://sourceforge.net/projects/null-gameover/ GameOver ]
| VMware
| [http://sourceforge.net/projects/null-gameover/files/ download]
|
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl Hackxor ]
| VMware
| [http://sourceforge.net/projects/hackxor/files/ download] [http://hackxor.sourceforge.net/cgi-bin/hints.pl hints&tips]
|
|
|-
| [http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/ Hacme Bank Prebuilt VM ]
| VMware
| [http://dc121.4shared.com/download/wwPhUxMQ/hackme_bank_vm_Ninja-Sec.zip download]
|
|
|-
| [http://www.kioptrix.com/blog/?p=604 Kioptrix4 ]
| VMware & Hyper-V
| [http://www.kioptrix.com/dlvm/Kioptrix4_vmware.rar download]
|
|
|-
| [http://sourceforge.net/projects/lampsecurity/ LAMPSecurity ]
| VMware
| [http://sourceforge.net/projects/lampsecurity/files/ download] [http://sourceforge.net/projects/lampsecurity/files/Documentation/ doc]
|
|
|-
| [http://blog.metasploit.com/2010/05/introducing-metasploitable.html Metasploitable ]
| VMware
| [http://updates.metasploit.com/data/Metasploitable.zip.torrent download] [http://www.metasploit.com/learn-more/how-do-i-use-it/test-lab.jsp doc]
|
|
|-
| [https://community.rapid7.com/docs/DOC-1875 Metasploitable 2 ]
| VMware
| [https://sourceforge.net/projects/metasploitable/files/Metasploitable2/ download]
|
|
|-
| [http://www.bonsai-sec.com/en/research/moth.php Moth ]
| VMware
| [http://sourceforge.net/projects/w3af/files/moth/moth/ download]
|
|
|-
| [https://www.pentesterlab.com/exercises/ PentesterLab - The Exercises ]
| ISO & PDF
|
|
|
|-
| [http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html PHDays I-Bank ]
| VMware
| [http://downloads.phdays.com/phdays_ibank_vm.zip download]
|
|
|-
| [http://www.samurai-wtf.org/ Samurai WTF ]
| ISO - list
| [http://sourceforge.net/projects/samurai/files/ download]
|
|
|-
| [http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html Sauron ]
| Quemu
| [http://sg6-labs.blogspot.com/search/label/SecGame solutions]
|
|
|-
| [http://sourceforge.net/projects/virtualhacking/ Virtual Hacking Lab ]
| ZIP
| [http://sourceforge.net/projects/virtualhacking/files/ download]
|
|
|-
| [http://www.mavensecurity.com/web_security_dojo/ Web Security Dojo ]
| VMware, VirtualBox
| [http://sourceforge.net/projects/websecuritydojo/files/ download]
|
|
|}

Please add any new apps in alphabetic order, correct mistakes or just comment on this page if you dont have write access to this wiki.

The following apps are quite old and appear not to be maintained - as such they are probably less useful.

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
|-
| [http://www.metasploit.com/learn-more/how-do-i-use-it/test-lab.jsp UltimateLAMP ]
| VMware
| [http://ronaldbradford.com/tmp/UltimateLAMP-0.2.zip download]
|
|
|}

= Acknowledgements =
==Volunteers==
VWAD is developed by a worldwide team of volunteers. The primary contributors to date have been:

*[mailto:raul@raulsiles.com Raul Siles]
*[[User:Simon Bennetts|Simon Bennetts]]

==Others==
* [[User:Zakiakhmad|Zaki Akhmad]]

==On-line resources used==
* [http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html Hacking Vulnerable Web Applications Without Going To Jail]
* [http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/ Vulnerable Web Applications for learning]
* [http://code.google.com/p/owaspbwa/wiki/UserGuide OWASP BWA User Guide]

= Road Map and Getting Involved =
As of October 15, 2013, the priorities are:
* Document all known Vulnerable Web Applications
* Publicise
* Keep up to date
* Please add a more robust/descriptive roadmap.

Involvement in the development and promotion of the OWASP Vulnerable Web Applications Directory Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Update the wiki with any missing apps

=Project About=
{{:Projects/OWASP_Vulnerable_Web_Applications_Directory_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Document]]

OWASP Vulnerable Web Applications Directory Project

2013-10-21T07:47:25Z

Zakiakhmad: /* Others */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Vulnerable Web Applications Directory Project==

The OWASP Vulnerable Web Applications Directory Project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.

==Introduction==

Select from the above tabs to view all of the:
* On-Line applications
* Off-Line applications
* Virtual Machines and ISO images

==Description==

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors and penetration testers to put in practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable web applications available to security professionals for hacking and offensive activities, so that they can attack realistic web environments... without going to jail :)

The vulnerable web applications have been classified in three categories: On-Line, Off-Line, and VMs/ISOs. Each list has been ordered alphabetically.

An initial list that inspired this project was maintained till the end on 2013 at: http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html.

==Licensing==
OWASP Vulnerable Web Applications Directory Projects is free to use. It is licensed under the Apache 2.0 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is VWAD? ==

OWASP VWAD provides:

* A list of all known vulnerable web applications.

== Presentation ==

Interview with [http://trustedsoftwarealliance.com/2013/10/18/simon-bennetts-the-owasp-web-applications-vulnerability-project/ Simon Bennetts – The OWASP Web Applications Vulnerability Project ].

== Project Leaders ==

*[mailto:raul@raulsiles.com Raul Siles]
*[[User:Simon Bennetts|Simon Bennetts]]

== Related Projects ==

* N/A

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* N/A - The project is self contained on the wiki.

== News and Events ==
* [16 Oct 2013] Project created.

== In Print ==
N/A

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=On-Line apps=

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Author
! scope="col" | Notes
|-
| [http://testphp.vulnweb.com Acuart]
| PHP
| Acunetix
| Art shopping
|-
| [http://testaspnet.vulnweb.com/ Acublog]
| .NET
| Acunetix
| Blog
|-
| [http://testasp.vulnweb.com/ Acuforum]
| ASP
| Acunetix
| Forum
|-
| [http://demo.testfire.net/ Altoro Mutual]
|
| IBM/Watchfire
| (jsmith/Demo1234)
|-
| [http://crackme.cenzic.com/ Crack Me Bank]
|
| Cenzic
|
|-
| [http://enigmagroup.org/ Enigma Group]
|
| Enigma Group
|
|-
| [http://google-gruyere.appspot.com/ Gruyere]
| Python
| Google
|
|-
| [http://hackademic1.teilar.gr Hackademic Challenges Project]
| PHP - Joomla
| OWASP
|
|-
| [http://pctechtips.org/hacker-challenge-pwn3d-the-login-form/ Hacker Challenge]
|
| PCTechtips
|
|-
| [https://www.hacking-lab.com/events/registerform.html?eventid=245 Hacking Lab]
|
| Hacking Lab
|
|-
| [https://hack.me Hack.me]
|
| eLearnSecurity
| Beta
|-
| [http://www.hackthissite.org HackThisSite]
|
| HackThisSite
| Basic & Realistic (web) Missions
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
| First 2 levels online (algo/smurf), rest offline
|-
| [http://pentesteracademylab.appspot.com Pentester Academy]
|
|
|
|-
| [http://vicnum.ciphertechs.com Vicnum Project]
| Perl & PHP
|
|
|-
| [http://www.webscantest.com Web Scanner Test Site]
|
| NTOSpider
| (testuser/testpass)
|-
| [http://blasze.com/xsstestsuite/ XSS Test Suite]
|
|
|
|-
| [http://zero.webappsecurity.com/ Zero Bank]
|
| HP/SpiDynamics
| (admin/admin)
|-
|}

Please add any new apps in alphabetic order, correct mistakes or just comment on this page if you dont have write access to this wiki.

= Off-Line apps =

Vulnerable applications that have to be downloaded and used locally:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [http://www.badstore.net/ BadStore]
| Perl(CGI)
|
|
|
|-
| [http://code.google.com/p/bodgeit/ BodgeIt Store ]
| Java
| [http://code.google.com/p/bodgeit/downloads/list download]
|
|
|-
| [http://sechow.com/bricks/index.html Bricks ]
| PHP
| [http://sechow.com/bricks/download.html download] [http://sechow.com/bricks/docs/ docs]
| OWASP
|
|-
| [http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/ Butterfly Security Project]
| PHP
| [http://sourceforge.net/projects/thebutterflytmp/files/ download]
|
| Last updated in 2008
|-
| [http://www.itsecgames.com/ bWAPP ]
| PHP
| [http://sourceforge.net/projects/bwapp/files/ download] [http://itsecgames.blogspot.be/2013/01/bwapp-installation.html docs]
|
|
|-
| [https://github.com/fridaygoldsmith/bwa_cyclone_transfers Cyclone Transfers ]
| Ruby on Rails
|
|
|
|-
| [http://www.dvwa.co.uk/ Damn Vulnerable Web Application - DVWA ]
| PHP
| [http://code.google.com/p/dvwa/downloads/list download]
| RandomStorm
|
|-
| [http://dvws.secureideas.net/ Damn Vulnerable Web Services - DVWS ]
| PHP
| [http://dvws.secureideas.net/downloads/files/dvws.tgz download]
| Secure Ideas
|
|-
| [http://google-gruyere.appspot.com/ Gruyere ]
| Python
| [http://google-gruyere.appspot.com/gruyere-code.zip download]
| Google
|
|-
| [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project Hackademic Challenges Project ]
| PHP
| [https://code.google.com/p/owasp-hackademic-challenges/ download]
| OWASP
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx Hacme Bank - Android]
|
|
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx Hacme Bank ]
| .NET
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-bank.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx Hacme Books ]
| Java
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmebooks.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx Hacme Casino ]
| Ruby on Rails
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-casino.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx Hacme Shipping ]
| ColdFusion
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmeshipping.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx Hacme Travel ]
| C++
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmetravel.aspx download]
| McAfee / Foundstone
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
|
| First 2 levels online, rest offline
|-
| [http://sourceforge.net/projects/lampsecurity/ LampSecurity]
| PHP
|
|
|
|-
| [http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Mutillidae ]
| PHP
| [http://www.irongeek.com/mutillidae/ download]
|
|
|-
| [https://owasp.codeplex.com/ .NET Goat ]
| C#
| [https://owasp.codeplex.com/SourceControl/list/changesets# download]
| OWASP
|
|-
| [http://peruggia.sourceforge.net/ Peruggia ]
| PHP
| [http://sourceforge.net/projects/peruggia/files/ download]
|
|
|-
| [https://code.google.com/p/puzzlemall/ Puzzlemall ]
| Java
| [https://code.google.com/p/puzzlemall/downloads/list download] [https://code.google.com/p/puzzlemall/downloads/list docs]
|
|
|-
| [https://www.owasp.org/index.php/OWASP_Rails_Goat_Project Rails Goat ]
| Ruby on Rails
| [https://github.com/OWASP/railsgoat/archive/master.zip download] [http://railsgoat.cktricky.com/getting_started.html docs]
| OWASP
|
|-
| [http://suif.stanford.edu/%7Elivshits/securibench/ SecuriBench]
| Java
|
| Stanford
|
|-
| [http://suif.stanford.edu/%7Elivshits/work/securibench-micro/ SecuriBench Micro]
| Java
| [http://suif.stanford.edu/~livshits/securibench/download.html download]
| Stanford
|
|-
| [https://github.com/Audi-1/sqli-labs SQLI-labs]
| PHP
| [https://github.com/Audi-1/sqli-labs/archive/master.zip download] [http://dummy2dummies.blogspot.com/ blog]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/sakti/twitterlike twitterlike ]
| PHP
| [https://github.com/sakti/twitterlike git repository]
| Sakti Dwi Cahyono
|
|-
| [http://www.nth-dimension.org.uk/blog.php?id=88 VulnApp ]
| .NET
| [http://projects.nth-dimension.org.uk/dir?d=VulnApp CVS download] [http://projects.nth-dimension.org.uk/rptview?rn=6 vulns]
|
|
|-
| [http://exploit.co.il/hacking/exploit-kb-vulnerable-web-app/ Vulnerable Web App]
|
|
| Exploit.co.il
|
|-
| [https://github.com/adamdoupe/WackoPicko WackoPicko ]
| PHP
| [https://github.com/adamdoupe/WackoPicko/zipball/master download] [http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf whitepaper]
|
|
|-
| [https://code.google.com/p/wavsep/ Wavsep - Web Application Vulnerability Scanner Evaluation Project ]
| Java
| [https://code.google.com/p/wavsep/downloads/list download] [https://code.google.com/p/wavsep/downloads/list docs]
|
|
|-
| [https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat ]
| Java
| [http://code.google.com/p/webgoat/downloads/list download] [https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents guide]
| OWASP
|
|-
| [https://owasp.codeplex.com/ WebGoat.NET]
| C#
| [https://owasp.codeplex.com/SourceControl/list/changesets# download]
| OWASP
|
|-
| [https://code.google.com/p/wivet/ WIVET - Web Input Vector Extractor Teaser]
|
| [http://www.webguvenligi.org/projeler/wivet download] [https://code.google.com/p/wivet/downloads/list?can=1&q= tests]
|
|
|-
|}

Please add any new apps in alphabetic order, correct mistakes or just comment on this page if you dont have write access to this wiki.

The following apps are quite old and appear not to be maintained - as such they are probably less useful.

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [http://www.mavensecurity.com/webmaven WebMaven/Buggy Bank]
|
|
|
|
|-
| [https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project Insecure Web App Project ]
| Java
| [http://sourceforge.net/projects/insecurewebapp/files/ download]
| OWASP
|
|-
| [http://www.owasp.org/index.php/Owasp_SiteGenerator SiteGenerator]
| ASP.NET
|
| OWASP
|
|-
|}

= Virtual Machines or ISOs =

VMs which contain multiple vulnerable applications:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [http://www.badstore.net/ BadStore ]
| ISO
| [http://www.badstore.net/register.htm download]
|
|
|-
| [http://sourceforge.net/projects/bwapp/files/bee-box/ Bee-Box ]
| bWAPP VMware
|
|
|
|-
| [http://code.google.com/p/owaspbwa/wiki/ProjectSummary Broken Web Applications Project (BWA) ]
| VMware
| [http://code.google.com/p/owaspbwa/wiki/Downloads download]
| OWASP
|
|-
| [https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/ Drunk Admin Web Hacking Challenge ]
| VMware
| [http://bechtsoudis.com/data/challenges/drunk_admin_hacking_challenge.zip download]
|
|
|-
| [http://exploit.co.il/projects/vuln-web-app/ Exploit.co.il Vuln Web App ]
| VMware
| [http://sourceforge.net/projects/exploitcoilvuln/files/ download]
|
|
|-
| [http://sourceforge.net/projects/null-gameover/ GameOver ]
| VMware
| [http://sourceforge.net/projects/null-gameover/files/ download]
|
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl Hackxor ]
| VMware
| [http://sourceforge.net/projects/hackxor/files/ download] [http://hackxor.sourceforge.net/cgi-bin/hints.pl hints&tips]
|
|
|-
| [http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/ Hacme Bank Prebuilt VM ]
| VMware
| [http://dc121.4shared.com/download/wwPhUxMQ/hackme_bank_vm_Ninja-Sec.zip download]
|
|
|-
| [http://www.kioptrix.com/blog/?p=604 Kioptrix4 ]
| VMware & Hyper-V
| [http://www.kioptrix.com/dlvm/Kioptrix4_vmware.rar download]
|
|
|-
| [http://sourceforge.net/projects/lampsecurity/ LAMPSecurity ]
| VMware
| [http://sourceforge.net/projects/lampsecurity/files/ download] [http://sourceforge.net/projects/lampsecurity/files/Documentation/ doc]
|
|
|-
| [http://blog.metasploit.com/2010/05/introducing-metasploitable.html Metasploitable ]
| VMware
| [http://updates.metasploit.com/data/Metasploitable.zip.torrent download] [http://www.metasploit.com/learn-more/how-do-i-use-it/test-lab.jsp doc]
|
|
|-
| [https://community.rapid7.com/docs/DOC-1875 Metasploitable 2 ]
| VMware
| [https://sourceforge.net/projects/metasploitable/files/Metasploitable2/ download]
|
|
|-
| [http://www.bonsai-sec.com/en/research/moth.php Moth ]
| VMware
| [http://sourceforge.net/projects/w3af/files/moth/moth/ download]
|
|
|-
| [https://www.pentesterlab.com/exercises/ PentesterLab - The Exercises ]
| ISO & PDF
|
|
|
|-
| [http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html PHDays I-Bank ]
| VMware
| [http://downloads.phdays.com/phdays_ibank_vm.zip download]
|
|
|-
| [http://www.samurai-wtf.org/ Samurai WTF ]
| ISO - list
| [http://sourceforge.net/projects/samurai/files/ download]
|
|
|-
| [http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html Sauron ]
| Quemu
| [http://sg6-labs.blogspot.com/search/label/SecGame solutions]
|
|
|-
| [http://sourceforge.net/projects/virtualhacking/ Virtual Hacking Lab ]
| ZIP
| [http://sourceforge.net/projects/virtualhacking/files/ download]
|
|
|-
| [http://www.mavensecurity.com/web_security_dojo/ Web Security Dojo ]
| VMware, VirtualBox
| [http://sourceforge.net/projects/websecuritydojo/files/ download]
|
|
|}

Please add any new apps in alphabetic order, correct mistakes or just comment on this page if you dont have write access to this wiki.

The following apps are quite old and appear not to be maintained - as such they are probably less useful.

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
|-
| [http://www.metasploit.com/learn-more/how-do-i-use-it/test-lab.jsp UltimateLAMP ]
| VMware
| [http://ronaldbradford.com/tmp/UltimateLAMP-0.2.zip download]
|
|
|}

= Acknowledgements =
==Volunteers==
VWAD is developed by a worldwide team of volunteers. The primary contributors to date have been:

*[mailto:raul@raulsiles.com Raul Siles]
*[[User:Simon Bennetts|Simon Bennetts]]

==Others==
* [[User:Zakiakhmad]]

==On-line resources used==
* [http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html Hacking Vulnerable Web Applications Without Going To Jail]
* [http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/ Vulnerable Web Applications for learning]
* [http://code.google.com/p/owaspbwa/wiki/UserGuide OWASP BWA User Guide]

= Road Map and Getting Involved =
As of October 15, 2013, the priorities are:
* Document all known Vulnerable Web Applications
* Publicise
* Keep up to date
* Please add a more robust/descriptive roadmap.

Involvement in the development and promotion of the OWASP Vulnerable Web Applications Directory Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Update the wiki with any missing apps

=Project About=
{{:Projects/OWASP_Vulnerable_Web_Applications_Directory_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Document]]

OWASP Vulnerable Web Applications Directory Project

2013-10-21T07:46:00Z

Zakiakhmad: /* Off-Line apps */ add twitterlike application which has sqli vulnerability

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Vulnerable Web Applications Directory Project==

The OWASP Vulnerable Web Applications Directory Project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.

==Introduction==

Select from the above tabs to view all of the:
* On-Line applications
* Off-Line applications
* Virtual Machines and ISO images

==Description==

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors and penetration testers to put in practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable web applications available to security professionals for hacking and offensive activities, so that they can attack realistic web environments... without going to jail :)

The vulnerable web applications have been classified in three categories: On-Line, Off-Line, and VMs/ISOs. Each list has been ordered alphabetically.

An initial list that inspired this project was maintained till the end on 2013 at: http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html.

==Licensing==
OWASP Vulnerable Web Applications Directory Projects is free to use. It is licensed under the Apache 2.0 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is VWAD? ==

OWASP VWAD provides:

* A list of all known vulnerable web applications.

== Presentation ==

Interview with [http://trustedsoftwarealliance.com/2013/10/18/simon-bennetts-the-owasp-web-applications-vulnerability-project/ Simon Bennetts – The OWASP Web Applications Vulnerability Project ].

== Project Leaders ==

*[mailto:raul@raulsiles.com Raul Siles]
*[[User:Simon Bennetts|Simon Bennetts]]

== Related Projects ==

* N/A

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* N/A - The project is self contained on the wiki.

== News and Events ==
* [16 Oct 2013] Project created.

== In Print ==
N/A

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=On-Line apps=

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Author
! scope="col" | Notes
|-
| [http://testphp.vulnweb.com Acuart]
| PHP
| Acunetix
| Art shopping
|-
| [http://testaspnet.vulnweb.com/ Acublog]
| .NET
| Acunetix
| Blog
|-
| [http://testasp.vulnweb.com/ Acuforum]
| ASP
| Acunetix
| Forum
|-
| [http://demo.testfire.net/ Altoro Mutual]
|
| IBM/Watchfire
| (jsmith/Demo1234)
|-
| [http://crackme.cenzic.com/ Crack Me Bank]
|
| Cenzic
|
|-
| [http://enigmagroup.org/ Enigma Group]
|
| Enigma Group
|
|-
| [http://google-gruyere.appspot.com/ Gruyere]
| Python
| Google
|
|-
| [http://hackademic1.teilar.gr Hackademic Challenges Project]
| PHP - Joomla
| OWASP
|
|-
| [http://pctechtips.org/hacker-challenge-pwn3d-the-login-form/ Hacker Challenge]
|
| PCTechtips
|
|-
| [https://www.hacking-lab.com/events/registerform.html?eventid=245 Hacking Lab]
|
| Hacking Lab
|
|-
| [https://hack.me Hack.me]
|
| eLearnSecurity
| Beta
|-
| [http://www.hackthissite.org HackThisSite]
|
| HackThisSite
| Basic & Realistic (web) Missions
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
| First 2 levels online (algo/smurf), rest offline
|-
| [http://pentesteracademylab.appspot.com Pentester Academy]
|
|
|
|-
| [http://vicnum.ciphertechs.com Vicnum Project]
| Perl & PHP
|
|
|-
| [http://www.webscantest.com Web Scanner Test Site]
|
| NTOSpider
| (testuser/testpass)
|-
| [http://blasze.com/xsstestsuite/ XSS Test Suite]
|
|
|
|-
| [http://zero.webappsecurity.com/ Zero Bank]
|
| HP/SpiDynamics
| (admin/admin)
|-
|}

Please add any new apps in alphabetic order, correct mistakes or just comment on this page if you dont have write access to this wiki.

= Off-Line apps =

Vulnerable applications that have to be downloaded and used locally:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [http://www.badstore.net/ BadStore]
| Perl(CGI)
|
|
|
|-
| [http://code.google.com/p/bodgeit/ BodgeIt Store ]
| Java
| [http://code.google.com/p/bodgeit/downloads/list download]
|
|
|-
| [http://sechow.com/bricks/index.html Bricks ]
| PHP
| [http://sechow.com/bricks/download.html download] [http://sechow.com/bricks/docs/ docs]
| OWASP
|
|-
| [http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/ Butterfly Security Project]
| PHP
| [http://sourceforge.net/projects/thebutterflytmp/files/ download]
|
| Last updated in 2008
|-
| [http://www.itsecgames.com/ bWAPP ]
| PHP
| [http://sourceforge.net/projects/bwapp/files/ download] [http://itsecgames.blogspot.be/2013/01/bwapp-installation.html docs]
|
|
|-
| [https://github.com/fridaygoldsmith/bwa_cyclone_transfers Cyclone Transfers ]
| Ruby on Rails
|
|
|
|-
| [http://www.dvwa.co.uk/ Damn Vulnerable Web Application - DVWA ]
| PHP
| [http://code.google.com/p/dvwa/downloads/list download]
| RandomStorm
|
|-
| [http://dvws.secureideas.net/ Damn Vulnerable Web Services - DVWS ]
| PHP
| [http://dvws.secureideas.net/downloads/files/dvws.tgz download]
| Secure Ideas
|
|-
| [http://google-gruyere.appspot.com/ Gruyere ]
| Python
| [http://google-gruyere.appspot.com/gruyere-code.zip download]
| Google
|
|-
| [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project Hackademic Challenges Project ]
| PHP
| [https://code.google.com/p/owasp-hackademic-challenges/ download]
| OWASP
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx Hacme Bank - Android]
|
|
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx Hacme Bank ]
| .NET
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-bank.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx Hacme Books ]
| Java
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmebooks.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx Hacme Casino ]
| Ruby on Rails
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-casino.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx Hacme Shipping ]
| ColdFusion
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmeshipping.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx Hacme Travel ]
| C++
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmetravel.aspx download]
| McAfee / Foundstone
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
|
| First 2 levels online, rest offline
|-
| [http://sourceforge.net/projects/lampsecurity/ LampSecurity]
| PHP
|
|
|
|-
| [http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Mutillidae ]
| PHP
| [http://www.irongeek.com/mutillidae/ download]
|
|
|-
| [https://owasp.codeplex.com/ .NET Goat ]
| C#
| [https://owasp.codeplex.com/SourceControl/list/changesets# download]
| OWASP
|
|-
| [http://peruggia.sourceforge.net/ Peruggia ]
| PHP
| [http://sourceforge.net/projects/peruggia/files/ download]
|
|
|-
| [https://code.google.com/p/puzzlemall/ Puzzlemall ]
| Java
| [https://code.google.com/p/puzzlemall/downloads/list download] [https://code.google.com/p/puzzlemall/downloads/list docs]
|
|
|-
| [https://www.owasp.org/index.php/OWASP_Rails_Goat_Project Rails Goat ]
| Ruby on Rails
| [https://github.com/OWASP/railsgoat/archive/master.zip download] [http://railsgoat.cktricky.com/getting_started.html docs]
| OWASP
|
|-
| [http://suif.stanford.edu/%7Elivshits/securibench/ SecuriBench]
| Java
|
| Stanford
|
|-
| [http://suif.stanford.edu/%7Elivshits/work/securibench-micro/ SecuriBench Micro]
| Java
| [http://suif.stanford.edu/~livshits/securibench/download.html download]
| Stanford
|
|-
| [https://github.com/Audi-1/sqli-labs SQLI-labs]
| PHP
| [https://github.com/Audi-1/sqli-labs/archive/master.zip download] [http://dummy2dummies.blogspot.com/ blog]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/sakti/twitterlike twitterlike ]
| PHP
| [https://github.com/sakti/twitterlike git repository]
| Sakti Dwi Cahyono
|
|-
| [http://www.nth-dimension.org.uk/blog.php?id=88 VulnApp ]
| .NET
| [http://projects.nth-dimension.org.uk/dir?d=VulnApp CVS download] [http://projects.nth-dimension.org.uk/rptview?rn=6 vulns]
|
|
|-
| [http://exploit.co.il/hacking/exploit-kb-vulnerable-web-app/ Vulnerable Web App]
|
|
| Exploit.co.il
|
|-
| [https://github.com/adamdoupe/WackoPicko WackoPicko ]
| PHP
| [https://github.com/adamdoupe/WackoPicko/zipball/master download] [http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf whitepaper]
|
|
|-
| [https://code.google.com/p/wavsep/ Wavsep - Web Application Vulnerability Scanner Evaluation Project ]
| Java
| [https://code.google.com/p/wavsep/downloads/list download] [https://code.google.com/p/wavsep/downloads/list docs]
|
|
|-
| [https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat ]
| Java
| [http://code.google.com/p/webgoat/downloads/list download] [https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents guide]
| OWASP
|
|-
| [https://owasp.codeplex.com/ WebGoat.NET]
| C#
| [https://owasp.codeplex.com/SourceControl/list/changesets# download]
| OWASP
|
|-
| [https://code.google.com/p/wivet/ WIVET - Web Input Vector Extractor Teaser]
|
| [http://www.webguvenligi.org/projeler/wivet download] [https://code.google.com/p/wivet/downloads/list?can=1&q= tests]
|
|
|-
|}

Please add any new apps in alphabetic order, correct mistakes or just comment on this page if you dont have write access to this wiki.

The following apps are quite old and appear not to be maintained - as such they are probably less useful.

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [http://www.mavensecurity.com/webmaven WebMaven/Buggy Bank]
|
|
|
|
|-
| [https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project Insecure Web App Project ]
| Java
| [http://sourceforge.net/projects/insecurewebapp/files/ download]
| OWASP
|
|-
| [http://www.owasp.org/index.php/Owasp_SiteGenerator SiteGenerator]
| ASP.NET
|
| OWASP
|
|-
|}

= Virtual Machines or ISOs =

VMs which contain multiple vulnerable applications:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [http://www.badstore.net/ BadStore ]
| ISO
| [http://www.badstore.net/register.htm download]
|
|
|-
| [http://sourceforge.net/projects/bwapp/files/bee-box/ Bee-Box ]
| bWAPP VMware
|
|
|
|-
| [http://code.google.com/p/owaspbwa/wiki/ProjectSummary Broken Web Applications Project (BWA) ]
| VMware
| [http://code.google.com/p/owaspbwa/wiki/Downloads download]
| OWASP
|
|-
| [https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/ Drunk Admin Web Hacking Challenge ]
| VMware
| [http://bechtsoudis.com/data/challenges/drunk_admin_hacking_challenge.zip download]
|
|
|-
| [http://exploit.co.il/projects/vuln-web-app/ Exploit.co.il Vuln Web App ]
| VMware
| [http://sourceforge.net/projects/exploitcoilvuln/files/ download]
|
|
|-
| [http://sourceforge.net/projects/null-gameover/ GameOver ]
| VMware
| [http://sourceforge.net/projects/null-gameover/files/ download]
|
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl Hackxor ]
| VMware
| [http://sourceforge.net/projects/hackxor/files/ download] [http://hackxor.sourceforge.net/cgi-bin/hints.pl hints&tips]
|
|
|-
| [http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/ Hacme Bank Prebuilt VM ]
| VMware
| [http://dc121.4shared.com/download/wwPhUxMQ/hackme_bank_vm_Ninja-Sec.zip download]
|
|
|-
| [http://www.kioptrix.com/blog/?p=604 Kioptrix4 ]
| VMware & Hyper-V
| [http://www.kioptrix.com/dlvm/Kioptrix4_vmware.rar download]
|
|
|-
| [http://sourceforge.net/projects/lampsecurity/ LAMPSecurity ]
| VMware
| [http://sourceforge.net/projects/lampsecurity/files/ download] [http://sourceforge.net/projects/lampsecurity/files/Documentation/ doc]
|
|
|-
| [http://blog.metasploit.com/2010/05/introducing-metasploitable.html Metasploitable ]
| VMware
| [http://updates.metasploit.com/data/Metasploitable.zip.torrent download] [http://www.metasploit.com/learn-more/how-do-i-use-it/test-lab.jsp doc]
|
|
|-
| [https://community.rapid7.com/docs/DOC-1875 Metasploitable 2 ]
| VMware
| [https://sourceforge.net/projects/metasploitable/files/Metasploitable2/ download]
|
|
|-
| [http://www.bonsai-sec.com/en/research/moth.php Moth ]
| VMware
| [http://sourceforge.net/projects/w3af/files/moth/moth/ download]
|
|
|-
| [https://www.pentesterlab.com/exercises/ PentesterLab - The Exercises ]
| ISO & PDF
|
|
|
|-
| [http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html PHDays I-Bank ]
| VMware
| [http://downloads.phdays.com/phdays_ibank_vm.zip download]
|
|
|-
| [http://www.samurai-wtf.org/ Samurai WTF ]
| ISO - list
| [http://sourceforge.net/projects/samurai/files/ download]
|
|
|-
| [http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html Sauron ]
| Quemu
| [http://sg6-labs.blogspot.com/search/label/SecGame solutions]
|
|
|-
| [http://sourceforge.net/projects/virtualhacking/ Virtual Hacking Lab ]
| ZIP
| [http://sourceforge.net/projects/virtualhacking/files/ download]
|
|
|-
| [http://www.mavensecurity.com/web_security_dojo/ Web Security Dojo ]
| VMware, VirtualBox
| [http://sourceforge.net/projects/websecuritydojo/files/ download]
|
|
|}

Please add any new apps in alphabetic order, correct mistakes or just comment on this page if you dont have write access to this wiki.

The following apps are quite old and appear not to be maintained - as such they are probably less useful.

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
|-
| [http://www.metasploit.com/learn-more/how-do-i-use-it/test-lab.jsp UltimateLAMP ]
| VMware
| [http://ronaldbradford.com/tmp/UltimateLAMP-0.2.zip download]
|
|
|}

= Acknowledgements =
==Volunteers==
VWAD is developed by a worldwide team of volunteers. The primary contributors to date have been:

*[mailto:raul@raulsiles.com Raul Siles]
*[[User:Simon Bennetts|Simon Bennetts]]

==Others==
*

==On-line resources used==
* [http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html Hacking Vulnerable Web Applications Without Going To Jail]
* [http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/ Vulnerable Web Applications for learning]
* [http://code.google.com/p/owaspbwa/wiki/UserGuide OWASP BWA User Guide]

= Road Map and Getting Involved =
As of October 15, 2013, the priorities are:
* Document all known Vulnerable Web Applications
* Publicise
* Keep up to date
* Please add a more robust/descriptive roadmap.

Involvement in the development and promotion of the OWASP Vulnerable Web Applications Directory Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Update the wiki with any missing apps

=Project About=
{{:Projects/OWASP_Vulnerable_Web_Applications_Directory_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Document]]

OWASP Code Review V2 Table of Contents

2013-08-16T08:25:26Z

Zakiakhmad: /* CodeIgniter */

= '''OWASP Code Review Guide v2.0:''' =

==Forward==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]
'''[[CRV2_Forward|Content here]]'''

== Code Review Guide Introduction==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
'''[[CRV2_Introduction|Content here]]'''

=== What is source code review and Static Analysis ===
=== What is Code Review ===
# Author - Zyad Mghazli
# New Section
''' [[CRV2_WhatIsCodeReview|Content here]]'''

=== Manual Review - Pros and Cons ===
# Author - Ashish Rao
# New Section
# Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli
# [[CRV2_ManualReviewProsCons|Put content here]]

=== Advantages of Code Review to Development Practices ===
# Author - Gary David Robinson
# New Section
# [[CRV2_AdvantagesToDevPractices|Put content here]]

=== Why code review ===
==== Scope and Objective of secure code review ====
# Author - Ashish Rao
# [[CRV2_WhyCodeReview|Put content here]]

=== We can't hack ourselves secure ===
# Author - Prathamesh Mhatre
# New Section
# [[CRV2_CantHackSecure|Put content here]]

=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
# Author - Ashish Rao
# New Section
# [[CRV2_360Review|Put content here]]

=== Can static code analyzers do it all? ===
# Author - Ashish Rao
# New Section
# [[CRV2_CanStaticAnalyzersDoAll|Put content here]]

=Methodology=
===The code review approach===
#Author - Prathamesh Mhatre
# [[CRV2_CodeReviewApproach|Put content here]]

==== Preparation and context ====
# Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
# [[CRV2_PrepContext|Put content here]]

====Application Threat Modeling====
#Author - Andy, Renchie Joan
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
# [[CRV2_AppThreatModeling|Put content here]]

====Understanding Code layout/Design/Architecture====
#Author - Ashish Rao
# [[CRV2_CodeLayoutDesignArch|Put content here]]

===SDLC Integration===
#Author - Andy, Ashish Rao
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
# [[CRV2_SDLCInt|Put content here]]

====Deployment Models====
=====Secure deployment configurations=====
#Author - Ashish Rao
# [[CRV2_SecDepConfig|Put content here]]

# New Section
=====Metrics and code review=====
#Author - Andy
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
# [[CRV2_MetricsCodeRev|Put content here]]

=====Source and sink reviews=====
#Author - Ashish Rao
# New Section
# [[CRV2_SourceSinkRev|Put content here]]

=====Code review Coverage=====
#Author - Open
#Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]]
# [[CRV2_CodeRevCoverage|Put content here]]

=====Design Reviews=====
#Author - Ashish Rao
*Why to review design?
**Building security in design - secure by design principle
**Design Areas to be reviewed
**Common Design Flaws
# [[CRV2_DesignRev|Put content here]]

=====A Risk based approach to code review=====
#Author - Renchie Joan
#New Section
*"Doing things right or doing the right things..."
**"Not all bugs are equal
# [[CRV2_RiskBasedApproach|Put content here]]

====Crawling code====
#Author - Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
*API of Interest:
**Java
**.NET
**PHP
**RUBY
*Frameworks:
**Spring
**.NET MVC
**Structs
**Zend
#New Section
*Searching for code in C/C++
#Author - Gary David Robinson

# [[CRV2_CrawlingCode|Put content here]]

====Code reviews and Compliance====
#Author -Manual Harti
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
# [[CRV2_CodeRevCompliance|Put content here]]

=Reviewing by Technical Control=
===Reviewing code for Authentication controls===
#Author - Anand Prakash, Joan Renchie
# [[CRV2_AuthControls|Put content here]]

====Forgot password====
#Author Abbas Naderi
# [[CRV2_ForgotPassword|Put content here]]

====Authentication====
#Author - Anand Prakash, Joan Renchie
# [[CRV2_Authentication|Put content here]]

====CAPTCHA====
#Author Larry Conklin, Joan Renchie
'''[[CRV2_CAPTCHA|Content here]]'''

====Out of Band considerations====
#Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
# [[CRV2_OutofBand|Put content here]]

===Reviewing code Authorization weakness===
#Author Ashish Rao (Eoin Keary .NET MVC added)
# [[CRV2_AuthorizationWeaknesses|Put content here]]

====Checking authz upon every request====
#Author - Abbas Naderi, Joan Renchie
# [[CRV2_CheckAuthzEachRequest|Put content here]]

====Reducing the attack surface====
#Author Chris Berberich
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]
# [[CRV2_ReducingAttSurf|Put content here]]

====SSL/TLS Implementations====
#Author - Eoin Keary
# [[CRV2_SSL-TLS|Put content here]]

====Reviewing code for Session handling====
#Author - Palak Gohil, Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]
# [[CRV2_SessionHandling|Put content here]]

====Reviewing client side code====
#New Section
# [[CRV2_ClientSideCodeIntro|Put content here]]

=====Javascript=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJScript|Put content here]]

=====JSON=====
#Author - Open
# [[CRV2_ClientSideCodeJSon|Put content here]]

=====Content Security Policy=====
#Author - Open
# [[CRV2_ClientSideCodeContSecPolicy|Put content here]]

====="Jacking"/Framing=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJackingFraming|Put content here]]

=====HTML 5?=====
#Author - Sebastien Gioria
# [[CRV2_ClientSideCodeHTML5|Put content here]]

=====Browser Defenses policy=====
#Author - Open
# [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]

=====etc...=====

====Review code for input validation====
#Author - Open
# [[CRV2_InputValIntro|Put content here]]

=====Regex Gotchas=====
#Author - Abbas Naderi
#New Section
# [[CRV2_InputValRegexGotchas|Put content here]]

=====ESAPI=====
#Author - Abbas Naderi
#New Section
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
# [[CRV2_InputValESAPI|Put content here]]

====Reviewing code for contextual encoding====
=====HTML Attribute=====
#Author - Shenai Silva
# [[CRV2_ContextEncHTMLAttribute|Put content here]]

=====HTML Entity=====
#Author - Shenai Silva
# [[CRV2_ContextEncHTMLEntity|Put content here]]

=====Javascript Parameters=====
#Author - Open
# [[CRV2_ContextEncJscriptParams|Put content here]]

=====JQuery=====
#Author - Abbas Naderi
# [[CRV2_ContextEncJQuery|Put content here]]

====Reviewing file and resource handling code====
#Author - Open
# [[CRV2_FileResourceHandling|Put content here]]

====Resource Exhaustion - error handling====
#Author - Abbas Naderi
# [[CRV2_ResourceExhaustionErrHandling|Put content here]]

=====native calls=====
#Author Abbas Naderi
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]]

====Reviewing Logging code - Detective Security====
#Author - Palak Gohil
* Where to Log
* What to log
* What not to log
* How to log
# Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]]
# [[CRV2_LoggingCode|Put content here]]

====Reviewing Error handling and Error messages====
#Author - Gary David Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
# [[CRV2_ErrorHandlingMessages|Put content here]]

====Reviewing Security alerts====
#Author - Open
# [[CRV2_SecurityAlerts|Put content here]]

====Review for active defense====
#Author - Colin Watson
# [[CRV2_ActiveDefense|Put content here]]

====Reviewing Secure Storage====
#Author - Azzeddine Ramrami
# New Section
# [[CRV2_SecureStorage|Put content here]]

====Hashing & Salting - When, How and Where====
=====Encrpyption=====
======.NET======
#Author Larry Conklin, Joan Renchie
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
'''[[CRV2_HashingandSaltingdotNet|Content here]]'''

=Reviewing by Vulnerability=
===Review Code for XSS===
#Author Palak Gohil, Anand Prakash (Examples added by Eoin Keary)
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
# [[CRV2_RevCodeXSS|Put content here]]

===Persistent - The Anti pattern===
#Author Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan, Larry Conklin
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]

====Ruby====
#Author Chris Berberich
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]

===Reflected - The Anti pattern===
# [[CRV2_RevCodeReflectedAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]

====Ruby====
# Author - Open
# [[CRV2_RevCodeReflectedAntiPatternIRuby|Put content here]]

===Stored - The Anti pattern===
# Author - Open
# [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]

===DOM XSS ===
#Author Larry Conklin
# [[CRV2_DOMXSS|Put content here]]

===JQuery mistakes===
#Author Shenal Silva
# [[CRV2_JQueryMistakes|Put content here]]

===Reviewing code for SQL Injection===
#Author Palak Gohil, Renchie Joan
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]
# [[CRV2_RevCodeSQLInjection|Put content here]]

====PHP====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjPHP|Put content here]]

====Java====
#Author - Open
# [[CRV2_SQLInjJava|Put content here]]

====.NET====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjdotNET|Put content here]]

====HQL====
#Author - Open
# [[CRV2_SQLInjHQL|Put content here]]

===The Anti pattern===
#Author Larry Conklin
#[[CRV2_AntiPattern| Content here]]
https://www.owasp.org/index.php/CRV2_AntiPattern
====PHP====
#Author - Mohammad Damavandi, Abbas Naderi
# [[CRV2_AntiPatternPHP|Put content here]]

====Java====
#Author - Palak Gohil
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,...
# [[CRV2_AntiPatternJava|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan,Larry Conklin
# [[CRV2_AntiPatterndotNet|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_AntiPatternRuby|Put content here]]

====Cold Fusion====
#Author - Open
# [[CRV2_AntiPatternColdFusion|Put content here]]

===Reviewing code for CSRF Issues===
#Author Palak Gohil,Anand Prakash, Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]
# [[CRV2_CSRFIssues|Put content here]]

===Transactional logic / Non idempotent functions / State Changing Functions===
#Author Abbas Naderi
# [[CRV2_TransLogic|Put content here]]

===Reviewing code for poor logic /Business logic/Complex authorization===
#Author - Sam Denard
# [[CRV2_PoorLogic|Put content here]]

===Reviewing Secure Communications===
====.NET Config====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_SecCommsdotNet|Put content here]]

====Spring Config====
#Author - Open
# [[CRV2_SecCommsSpringConfig|Put content here]]

====HTTP Headers====
#Author Gregory Disney, Abbas Naderi
# [[CRV2_SecCommsHTTPHdrs|Put content here]]

=====CSP=====
#Author Gregory Disney
# [[CRV2_SecCommsHTTPHdrsCSP|Put content here]]

=====HSTS=====
#Author Abbas Naderi
# [[CRV2_SecCommsHTTPHSTS|Put content here]]

===Tech-Stack pitfalls===
#Author Gregory Disney
# [[CRV2_TechStackPitfalls|Put content here]]

===Framework specific Issues===
====Spring====
#Author - Open
# [[CRV2_FrameworkSpecIssuesSpring|Put content here]]

====Structs====
#Author - Open
# [[CRV2_FrameworkSpecIssuesStructs|Put content here]]

====Drupal====
#Author Gregory Disney
# [[CRV2_FrameworkSpecIssuesDurpal|Put content here]]

====Ruby on Rails====
#Author - Open
# [[CRV2_FrameworkSpecIssuesROR|Put content here]]

====Django====
#Author Gregory Disney
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]]

====.NET Security / MVC====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]

====Security in ASP.NET applications====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]

=====Strongly Named Assemblies=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]

======Round Tripping======
# Author - Open
# [[CRV2_FrameworkSpecIssuesASPNetRT|Put content here]]

======How to prevent Round tripping======
# Author - Open
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]

=====Setting the right Configurations=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]

=====Authentication Options=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]

=====Code Review for Managed Code - .Net 1.0 and up=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]

=====Using OWASP Top 10 as your guideline=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]

=====Code review for Unsafe Code (C#)=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]

====PHP Specific Issues====
#Author Mohammad Damavandi, Abbas Naderi
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]]

====Classic ASP====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPClassic|Put content here]]

====C#====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]

====C/C++====
#Author Gary David Robinson
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]

====Objective C====
#Author Open
# [[CRV2_FrameworkSpecIssuesObectiveC|Put content here]]

====Java====
#Author Palak Gohil
# [[CRV2_FrameworkSpecIssuesJava|Put content here]]

====Android====
#Author Open
# [[CRV2_FrameworkSpecIssuesAndroid|Put content here]]

====Coldfusion====
#Author Open
# [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]]

====CodeIgniter====

# Author [[User:Zakiakhmad]]
# [[CRV2_FrameworkSpecIssuesCodeIgniter|Put content here]]

=Security code review for Agile development=
#Author Carlos Pantelides
# [[CRV2_CodeReviewAgile|Put content here]]

=Willing to review drafts=
#Terry Nerpester
#Larry Conklin
#Gary David Robinson
#Simon Whittaker
#Jason Johnson
#Carlos Pantelides

OWASP Code Review V2 Table of Contents

2013-08-16T08:24:57Z

Zakiakhmad: /* CodeIgniter */

= '''OWASP Code Review Guide v2.0:''' =

==Forward==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]
'''[[CRV2_Forward|Content here]]'''

== Code Review Guide Introduction==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
'''[[CRV2_Introduction|Content here]]'''

=== What is source code review and Static Analysis ===
=== What is Code Review ===
# Author - Zyad Mghazli
# New Section
''' [[CRV2_WhatIsCodeReview|Content here]]'''

=== Manual Review - Pros and Cons ===
# Author - Ashish Rao
# New Section
# Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli
# [[CRV2_ManualReviewProsCons|Put content here]]

=== Advantages of Code Review to Development Practices ===
# Author - Gary David Robinson
# New Section
# [[CRV2_AdvantagesToDevPractices|Put content here]]

=== Why code review ===
==== Scope and Objective of secure code review ====
# Author - Ashish Rao
# [[CRV2_WhyCodeReview|Put content here]]

=== We can't hack ourselves secure ===
# Author - Prathamesh Mhatre
# New Section
# [[CRV2_CantHackSecure|Put content here]]

=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
# Author - Ashish Rao
# New Section
# [[CRV2_360Review|Put content here]]

=== Can static code analyzers do it all? ===
# Author - Ashish Rao
# New Section
# [[CRV2_CanStaticAnalyzersDoAll|Put content here]]

=Methodology=
===The code review approach===
#Author - Prathamesh Mhatre
# [[CRV2_CodeReviewApproach|Put content here]]

==== Preparation and context ====
# Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
# [[CRV2_PrepContext|Put content here]]

====Application Threat Modeling====
#Author - Andy, Renchie Joan
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
# [[CRV2_AppThreatModeling|Put content here]]

====Understanding Code layout/Design/Architecture====
#Author - Ashish Rao
# [[CRV2_CodeLayoutDesignArch|Put content here]]

===SDLC Integration===
#Author - Andy, Ashish Rao
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
# [[CRV2_SDLCInt|Put content here]]

====Deployment Models====
=====Secure deployment configurations=====
#Author - Ashish Rao
# [[CRV2_SecDepConfig|Put content here]]

# New Section
=====Metrics and code review=====
#Author - Andy
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
# [[CRV2_MetricsCodeRev|Put content here]]

=====Source and sink reviews=====
#Author - Ashish Rao
# New Section
# [[CRV2_SourceSinkRev|Put content here]]

=====Code review Coverage=====
#Author - Open
#Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]]
# [[CRV2_CodeRevCoverage|Put content here]]

=====Design Reviews=====
#Author - Ashish Rao
*Why to review design?
**Building security in design - secure by design principle
**Design Areas to be reviewed
**Common Design Flaws
# [[CRV2_DesignRev|Put content here]]

=====A Risk based approach to code review=====
#Author - Renchie Joan
#New Section
*"Doing things right or doing the right things..."
**"Not all bugs are equal
# [[CRV2_RiskBasedApproach|Put content here]]

====Crawling code====
#Author - Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
*API of Interest:
**Java
**.NET
**PHP
**RUBY
*Frameworks:
**Spring
**.NET MVC
**Structs
**Zend
#New Section
*Searching for code in C/C++
#Author - Gary David Robinson

# [[CRV2_CrawlingCode|Put content here]]

====Code reviews and Compliance====
#Author -Manual Harti
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
# [[CRV2_CodeRevCompliance|Put content here]]

=Reviewing by Technical Control=
===Reviewing code for Authentication controls===
#Author - Anand Prakash, Joan Renchie
# [[CRV2_AuthControls|Put content here]]

====Forgot password====
#Author Abbas Naderi
# [[CRV2_ForgotPassword|Put content here]]

====Authentication====
#Author - Anand Prakash, Joan Renchie
# [[CRV2_Authentication|Put content here]]

====CAPTCHA====
#Author Larry Conklin, Joan Renchie
'''[[CRV2_CAPTCHA|Content here]]'''

====Out of Band considerations====
#Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
# [[CRV2_OutofBand|Put content here]]

===Reviewing code Authorization weakness===
#Author Ashish Rao (Eoin Keary .NET MVC added)
# [[CRV2_AuthorizationWeaknesses|Put content here]]

====Checking authz upon every request====
#Author - Abbas Naderi, Joan Renchie
# [[CRV2_CheckAuthzEachRequest|Put content here]]

====Reducing the attack surface====
#Author Chris Berberich
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]
# [[CRV2_ReducingAttSurf|Put content here]]

====SSL/TLS Implementations====
#Author - Eoin Keary
# [[CRV2_SSL-TLS|Put content here]]

====Reviewing code for Session handling====
#Author - Palak Gohil, Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]
# [[CRV2_SessionHandling|Put content here]]

====Reviewing client side code====
#New Section
# [[CRV2_ClientSideCodeIntro|Put content here]]

=====Javascript=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJScript|Put content here]]

=====JSON=====
#Author - Open
# [[CRV2_ClientSideCodeJSon|Put content here]]

=====Content Security Policy=====
#Author - Open
# [[CRV2_ClientSideCodeContSecPolicy|Put content here]]

====="Jacking"/Framing=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJackingFraming|Put content here]]

=====HTML 5?=====
#Author - Sebastien Gioria
# [[CRV2_ClientSideCodeHTML5|Put content here]]

=====Browser Defenses policy=====
#Author - Open
# [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]

=====etc...=====

====Review code for input validation====
#Author - Open
# [[CRV2_InputValIntro|Put content here]]

=====Regex Gotchas=====
#Author - Abbas Naderi
#New Section
# [[CRV2_InputValRegexGotchas|Put content here]]

=====ESAPI=====
#Author - Abbas Naderi
#New Section
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
# [[CRV2_InputValESAPI|Put content here]]

====Reviewing code for contextual encoding====
=====HTML Attribute=====
#Author - Shenai Silva
# [[CRV2_ContextEncHTMLAttribute|Put content here]]

=====HTML Entity=====
#Author - Shenai Silva
# [[CRV2_ContextEncHTMLEntity|Put content here]]

=====Javascript Parameters=====
#Author - Open
# [[CRV2_ContextEncJscriptParams|Put content here]]

=====JQuery=====
#Author - Abbas Naderi
# [[CRV2_ContextEncJQuery|Put content here]]

====Reviewing file and resource handling code====
#Author - Open
# [[CRV2_FileResourceHandling|Put content here]]

====Resource Exhaustion - error handling====
#Author - Abbas Naderi
# [[CRV2_ResourceExhaustionErrHandling|Put content here]]

=====native calls=====
#Author Abbas Naderi
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]]

====Reviewing Logging code - Detective Security====
#Author - Palak Gohil
* Where to Log
* What to log
* What not to log
* How to log
# Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]]
# [[CRV2_LoggingCode|Put content here]]

====Reviewing Error handling and Error messages====
#Author - Gary David Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
# [[CRV2_ErrorHandlingMessages|Put content here]]

====Reviewing Security alerts====
#Author - Open
# [[CRV2_SecurityAlerts|Put content here]]

====Review for active defense====
#Author - Colin Watson
# [[CRV2_ActiveDefense|Put content here]]

====Reviewing Secure Storage====
#Author - Azzeddine Ramrami
# New Section
# [[CRV2_SecureStorage|Put content here]]

====Hashing & Salting - When, How and Where====
=====Encrpyption=====
======.NET======
#Author Larry Conklin, Joan Renchie
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
'''[[CRV2_HashingandSaltingdotNet|Content here]]'''

=Reviewing by Vulnerability=
===Review Code for XSS===
#Author Palak Gohil, Anand Prakash (Examples added by Eoin Keary)
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
# [[CRV2_RevCodeXSS|Put content here]]

===Persistent - The Anti pattern===
#Author Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan, Larry Conklin
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]

====Ruby====
#Author Chris Berberich
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]

===Reflected - The Anti pattern===
# [[CRV2_RevCodeReflectedAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]

====Ruby====
# Author - Open
# [[CRV2_RevCodeReflectedAntiPatternIRuby|Put content here]]

===Stored - The Anti pattern===
# Author - Open
# [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]

===DOM XSS ===
#Author Larry Conklin
# [[CRV2_DOMXSS|Put content here]]

===JQuery mistakes===
#Author Shenal Silva
# [[CRV2_JQueryMistakes|Put content here]]

===Reviewing code for SQL Injection===
#Author Palak Gohil, Renchie Joan
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]
# [[CRV2_RevCodeSQLInjection|Put content here]]

====PHP====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjPHP|Put content here]]

====Java====
#Author - Open
# [[CRV2_SQLInjJava|Put content here]]

====.NET====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjdotNET|Put content here]]

====HQL====
#Author - Open
# [[CRV2_SQLInjHQL|Put content here]]

===The Anti pattern===
#Author Larry Conklin
#[[CRV2_AntiPattern| Content here]]
https://www.owasp.org/index.php/CRV2_AntiPattern
====PHP====
#Author - Mohammad Damavandi, Abbas Naderi
# [[CRV2_AntiPatternPHP|Put content here]]

====Java====
#Author - Palak Gohil
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,...
# [[CRV2_AntiPatternJava|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan,Larry Conklin
# [[CRV2_AntiPatterndotNet|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_AntiPatternRuby|Put content here]]

====Cold Fusion====
#Author - Open
# [[CRV2_AntiPatternColdFusion|Put content here]]

===Reviewing code for CSRF Issues===
#Author Palak Gohil,Anand Prakash, Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]
# [[CRV2_CSRFIssues|Put content here]]

===Transactional logic / Non idempotent functions / State Changing Functions===
#Author Abbas Naderi
# [[CRV2_TransLogic|Put content here]]

===Reviewing code for poor logic /Business logic/Complex authorization===
#Author - Sam Denard
# [[CRV2_PoorLogic|Put content here]]

===Reviewing Secure Communications===
====.NET Config====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_SecCommsdotNet|Put content here]]

====Spring Config====
#Author - Open
# [[CRV2_SecCommsSpringConfig|Put content here]]

====HTTP Headers====
#Author Gregory Disney, Abbas Naderi
# [[CRV2_SecCommsHTTPHdrs|Put content here]]

=====CSP=====
#Author Gregory Disney
# [[CRV2_SecCommsHTTPHdrsCSP|Put content here]]

=====HSTS=====
#Author Abbas Naderi
# [[CRV2_SecCommsHTTPHSTS|Put content here]]

===Tech-Stack pitfalls===
#Author Gregory Disney
# [[CRV2_TechStackPitfalls|Put content here]]

===Framework specific Issues===
====Spring====
#Author - Open
# [[CRV2_FrameworkSpecIssuesSpring|Put content here]]

====Structs====
#Author - Open
# [[CRV2_FrameworkSpecIssuesStructs|Put content here]]

====Drupal====
#Author Gregory Disney
# [[CRV2_FrameworkSpecIssuesDurpal|Put content here]]

====Ruby on Rails====
#Author - Open
# [[CRV2_FrameworkSpecIssuesROR|Put content here]]

====Django====
#Author Gregory Disney
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]]

====.NET Security / MVC====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]

====Security in ASP.NET applications====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]

=====Strongly Named Assemblies=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]

======Round Tripping======
# Author - Open
# [[CRV2_FrameworkSpecIssuesASPNetRT|Put content here]]

======How to prevent Round tripping======
# Author - Open
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]

=====Setting the right Configurations=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]

=====Authentication Options=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]

=====Code Review for Managed Code - .Net 1.0 and up=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]

=====Using OWASP Top 10 as your guideline=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]

=====Code review for Unsafe Code (C#)=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]

====PHP Specific Issues====
#Author Mohammad Damavandi, Abbas Naderi
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]]

====Classic ASP====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPClassic|Put content here]]

====C#====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]

====C/C++====
#Author Gary David Robinson
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]

====Objective C====
#Author Open
# [[CRV2_FrameworkSpecIssuesObectiveC|Put content here]]

====Java====
#Author Palak Gohil
# [[CRV2_FrameworkSpecIssuesJava|Put content here]]

====Android====
#Author Open
# [[CRV2_FrameworkSpecIssuesAndroid|Put content here]]

====Coldfusion====
#Author Open
# [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]]

====CodeIgniter====

# Author [[User:Zakiakhmad]]
# [[CRV2_FrameworkSpecIssuesCodeIgniter]]|Put content here]]

=Security code review for Agile development=
#Author Carlos Pantelides
# [[CRV2_CodeReviewAgile|Put content here]]

=Willing to review drafts=
#Terry Nerpester
#Larry Conklin
#Gary David Robinson
#Simon Whittaker
#Jason Johnson
#Carlos Pantelides

OWASP Code Review V2 Table of Contents

2013-08-16T08:24:31Z

Zakiakhmad: /* CodeIgniter */

= '''OWASP Code Review Guide v2.0:''' =

==Forward==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]
'''[[CRV2_Forward|Content here]]'''

== Code Review Guide Introduction==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
'''[[CRV2_Introduction|Content here]]'''

=== What is source code review and Static Analysis ===
=== What is Code Review ===
# Author - Zyad Mghazli
# New Section
''' [[CRV2_WhatIsCodeReview|Content here]]'''

=== Manual Review - Pros and Cons ===
# Author - Ashish Rao
# New Section
# Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli
# [[CRV2_ManualReviewProsCons|Put content here]]

=== Advantages of Code Review to Development Practices ===
# Author - Gary David Robinson
# New Section
# [[CRV2_AdvantagesToDevPractices|Put content here]]

=== Why code review ===
==== Scope and Objective of secure code review ====
# Author - Ashish Rao
# [[CRV2_WhyCodeReview|Put content here]]

=== We can't hack ourselves secure ===
# Author - Prathamesh Mhatre
# New Section
# [[CRV2_CantHackSecure|Put content here]]

=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
# Author - Ashish Rao
# New Section
# [[CRV2_360Review|Put content here]]

=== Can static code analyzers do it all? ===
# Author - Ashish Rao
# New Section
# [[CRV2_CanStaticAnalyzersDoAll|Put content here]]

=Methodology=
===The code review approach===
#Author - Prathamesh Mhatre
# [[CRV2_CodeReviewApproach|Put content here]]

==== Preparation and context ====
# Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
# [[CRV2_PrepContext|Put content here]]

====Application Threat Modeling====
#Author - Andy, Renchie Joan
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
# [[CRV2_AppThreatModeling|Put content here]]

====Understanding Code layout/Design/Architecture====
#Author - Ashish Rao
# [[CRV2_CodeLayoutDesignArch|Put content here]]

===SDLC Integration===
#Author - Andy, Ashish Rao
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
# [[CRV2_SDLCInt|Put content here]]

====Deployment Models====
=====Secure deployment configurations=====
#Author - Ashish Rao
# [[CRV2_SecDepConfig|Put content here]]

# New Section
=====Metrics and code review=====
#Author - Andy
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
# [[CRV2_MetricsCodeRev|Put content here]]

=====Source and sink reviews=====
#Author - Ashish Rao
# New Section
# [[CRV2_SourceSinkRev|Put content here]]

=====Code review Coverage=====
#Author - Open
#Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]]
# [[CRV2_CodeRevCoverage|Put content here]]

=====Design Reviews=====
#Author - Ashish Rao
*Why to review design?
**Building security in design - secure by design principle
**Design Areas to be reviewed
**Common Design Flaws
# [[CRV2_DesignRev|Put content here]]

=====A Risk based approach to code review=====
#Author - Renchie Joan
#New Section
*"Doing things right or doing the right things..."
**"Not all bugs are equal
# [[CRV2_RiskBasedApproach|Put content here]]

====Crawling code====
#Author - Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
*API of Interest:
**Java
**.NET
**PHP
**RUBY
*Frameworks:
**Spring
**.NET MVC
**Structs
**Zend
#New Section
*Searching for code in C/C++
#Author - Gary David Robinson

# [[CRV2_CrawlingCode|Put content here]]

====Code reviews and Compliance====
#Author -Manual Harti
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
# [[CRV2_CodeRevCompliance|Put content here]]

=Reviewing by Technical Control=
===Reviewing code for Authentication controls===
#Author - Anand Prakash, Joan Renchie
# [[CRV2_AuthControls|Put content here]]

====Forgot password====
#Author Abbas Naderi
# [[CRV2_ForgotPassword|Put content here]]

====Authentication====
#Author - Anand Prakash, Joan Renchie
# [[CRV2_Authentication|Put content here]]

====CAPTCHA====
#Author Larry Conklin, Joan Renchie
'''[[CRV2_CAPTCHA|Content here]]'''

====Out of Band considerations====
#Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
# [[CRV2_OutofBand|Put content here]]

===Reviewing code Authorization weakness===
#Author Ashish Rao (Eoin Keary .NET MVC added)
# [[CRV2_AuthorizationWeaknesses|Put content here]]

====Checking authz upon every request====
#Author - Abbas Naderi, Joan Renchie
# [[CRV2_CheckAuthzEachRequest|Put content here]]

====Reducing the attack surface====
#Author Chris Berberich
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]
# [[CRV2_ReducingAttSurf|Put content here]]

====SSL/TLS Implementations====
#Author - Eoin Keary
# [[CRV2_SSL-TLS|Put content here]]

====Reviewing code for Session handling====
#Author - Palak Gohil, Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]
# [[CRV2_SessionHandling|Put content here]]

====Reviewing client side code====
#New Section
# [[CRV2_ClientSideCodeIntro|Put content here]]

=====Javascript=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJScript|Put content here]]

=====JSON=====
#Author - Open
# [[CRV2_ClientSideCodeJSon|Put content here]]

=====Content Security Policy=====
#Author - Open
# [[CRV2_ClientSideCodeContSecPolicy|Put content here]]

====="Jacking"/Framing=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJackingFraming|Put content here]]

=====HTML 5?=====
#Author - Sebastien Gioria
# [[CRV2_ClientSideCodeHTML5|Put content here]]

=====Browser Defenses policy=====
#Author - Open
# [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]

=====etc...=====

====Review code for input validation====
#Author - Open
# [[CRV2_InputValIntro|Put content here]]

=====Regex Gotchas=====
#Author - Abbas Naderi
#New Section
# [[CRV2_InputValRegexGotchas|Put content here]]

=====ESAPI=====
#Author - Abbas Naderi
#New Section
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
# [[CRV2_InputValESAPI|Put content here]]

====Reviewing code for contextual encoding====
=====HTML Attribute=====
#Author - Shenai Silva
# [[CRV2_ContextEncHTMLAttribute|Put content here]]

=====HTML Entity=====
#Author - Shenai Silva
# [[CRV2_ContextEncHTMLEntity|Put content here]]

=====Javascript Parameters=====
#Author - Open
# [[CRV2_ContextEncJscriptParams|Put content here]]

=====JQuery=====
#Author - Abbas Naderi
# [[CRV2_ContextEncJQuery|Put content here]]

====Reviewing file and resource handling code====
#Author - Open
# [[CRV2_FileResourceHandling|Put content here]]

====Resource Exhaustion - error handling====
#Author - Abbas Naderi
# [[CRV2_ResourceExhaustionErrHandling|Put content here]]

=====native calls=====
#Author Abbas Naderi
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]]

====Reviewing Logging code - Detective Security====
#Author - Palak Gohil
* Where to Log
* What to log
* What not to log
* How to log
# Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]]
# [[CRV2_LoggingCode|Put content here]]

====Reviewing Error handling and Error messages====
#Author - Gary David Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
# [[CRV2_ErrorHandlingMessages|Put content here]]

====Reviewing Security alerts====
#Author - Open
# [[CRV2_SecurityAlerts|Put content here]]

====Review for active defense====
#Author - Colin Watson
# [[CRV2_ActiveDefense|Put content here]]

====Reviewing Secure Storage====
#Author - Azzeddine Ramrami
# New Section
# [[CRV2_SecureStorage|Put content here]]

====Hashing & Salting - When, How and Where====
=====Encrpyption=====
======.NET======
#Author Larry Conklin, Joan Renchie
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
'''[[CRV2_HashingandSaltingdotNet|Content here]]'''

=Reviewing by Vulnerability=
===Review Code for XSS===
#Author Palak Gohil, Anand Prakash (Examples added by Eoin Keary)
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
# [[CRV2_RevCodeXSS|Put content here]]

===Persistent - The Anti pattern===
#Author Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan, Larry Conklin
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]

====Ruby====
#Author Chris Berberich
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]

===Reflected - The Anti pattern===
# [[CRV2_RevCodeReflectedAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]

====Ruby====
# Author - Open
# [[CRV2_RevCodeReflectedAntiPatternIRuby|Put content here]]

===Stored - The Anti pattern===
# Author - Open
# [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]

===DOM XSS ===
#Author Larry Conklin
# [[CRV2_DOMXSS|Put content here]]

===JQuery mistakes===
#Author Shenal Silva
# [[CRV2_JQueryMistakes|Put content here]]

===Reviewing code for SQL Injection===
#Author Palak Gohil, Renchie Joan
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]
# [[CRV2_RevCodeSQLInjection|Put content here]]

====PHP====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjPHP|Put content here]]

====Java====
#Author - Open
# [[CRV2_SQLInjJava|Put content here]]

====.NET====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjdotNET|Put content here]]

====HQL====
#Author - Open
# [[CRV2_SQLInjHQL|Put content here]]

===The Anti pattern===
#Author Larry Conklin
#[[CRV2_AntiPattern| Content here]]
https://www.owasp.org/index.php/CRV2_AntiPattern
====PHP====
#Author - Mohammad Damavandi, Abbas Naderi
# [[CRV2_AntiPatternPHP|Put content here]]

====Java====
#Author - Palak Gohil
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,...
# [[CRV2_AntiPatternJava|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan,Larry Conklin
# [[CRV2_AntiPatterndotNet|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_AntiPatternRuby|Put content here]]

====Cold Fusion====
#Author - Open
# [[CRV2_AntiPatternColdFusion|Put content here]]

===Reviewing code for CSRF Issues===
#Author Palak Gohil,Anand Prakash, Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]
# [[CRV2_CSRFIssues|Put content here]]

===Transactional logic / Non idempotent functions / State Changing Functions===
#Author Abbas Naderi
# [[CRV2_TransLogic|Put content here]]

===Reviewing code for poor logic /Business logic/Complex authorization===
#Author - Sam Denard
# [[CRV2_PoorLogic|Put content here]]

===Reviewing Secure Communications===
====.NET Config====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_SecCommsdotNet|Put content here]]

====Spring Config====
#Author - Open
# [[CRV2_SecCommsSpringConfig|Put content here]]

====HTTP Headers====
#Author Gregory Disney, Abbas Naderi
# [[CRV2_SecCommsHTTPHdrs|Put content here]]

=====CSP=====
#Author Gregory Disney
# [[CRV2_SecCommsHTTPHdrsCSP|Put content here]]

=====HSTS=====
#Author Abbas Naderi
# [[CRV2_SecCommsHTTPHSTS|Put content here]]

===Tech-Stack pitfalls===
#Author Gregory Disney
# [[CRV2_TechStackPitfalls|Put content here]]

===Framework specific Issues===
====Spring====
#Author - Open
# [[CRV2_FrameworkSpecIssuesSpring|Put content here]]

====Structs====
#Author - Open
# [[CRV2_FrameworkSpecIssuesStructs|Put content here]]

====Drupal====
#Author Gregory Disney
# [[CRV2_FrameworkSpecIssuesDurpal|Put content here]]

====Ruby on Rails====
#Author - Open
# [[CRV2_FrameworkSpecIssuesROR|Put content here]]

====Django====
#Author Gregory Disney
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]]

====.NET Security / MVC====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]

====Security in ASP.NET applications====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]

=====Strongly Named Assemblies=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]

======Round Tripping======
# Author - Open
# [[CRV2_FrameworkSpecIssuesASPNetRT|Put content here]]

======How to prevent Round tripping======
# Author - Open
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]

=====Setting the right Configurations=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]

=====Authentication Options=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]

=====Code Review for Managed Code - .Net 1.0 and up=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]

=====Using OWASP Top 10 as your guideline=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]

=====Code review for Unsafe Code (C#)=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]

====PHP Specific Issues====
#Author Mohammad Damavandi, Abbas Naderi
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]]

====Classic ASP====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPClassic|Put content here]]

====C#====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]

====C/C++====
#Author Gary David Robinson
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]

====Objective C====
#Author Open
# [[CRV2_FrameworkSpecIssuesObectiveC|Put content here]]

====Java====
#Author Palak Gohil
# [[CRV2_FrameworkSpecIssuesJava|Put content here]]

====Android====
#Author Open
# [[CRV2_FrameworkSpecIssuesAndroid|Put content here]]

====Coldfusion====
#Author Open
# [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]]

====CodeIgniter====

# [[User:Zakiakhmad]]
# [[CRV2_FrameworkSpecIssuesCodeIgniter]]|Put content here]]

=Security code review for Agile development=
#Author Carlos Pantelides
# [[CRV2_CodeReviewAgile|Put content here]]

=Willing to review drafts=
#Terry Nerpester
#Larry Conklin
#Gary David Robinson
#Simon Whittaker
#Jason Johnson
#Carlos Pantelides

OWASP Code Review V2 Table of Contents

2013-08-16T08:23:59Z

Zakiakhmad: /* Coldfusion */

= '''OWASP Code Review Guide v2.0:''' =

==Forward==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]
'''[[CRV2_Forward|Content here]]'''

== Code Review Guide Introduction==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
'''[[CRV2_Introduction|Content here]]'''

=== What is source code review and Static Analysis ===
=== What is Code Review ===
# Author - Zyad Mghazli
# New Section
''' [[CRV2_WhatIsCodeReview|Content here]]'''

=== Manual Review - Pros and Cons ===
# Author - Ashish Rao
# New Section
# Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli
# [[CRV2_ManualReviewProsCons|Put content here]]

=== Advantages of Code Review to Development Practices ===
# Author - Gary David Robinson
# New Section
# [[CRV2_AdvantagesToDevPractices|Put content here]]

=== Why code review ===
==== Scope and Objective of secure code review ====
# Author - Ashish Rao
# [[CRV2_WhyCodeReview|Put content here]]

=== We can't hack ourselves secure ===
# Author - Prathamesh Mhatre
# New Section
# [[CRV2_CantHackSecure|Put content here]]

=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
# Author - Ashish Rao
# New Section
# [[CRV2_360Review|Put content here]]

=== Can static code analyzers do it all? ===
# Author - Ashish Rao
# New Section
# [[CRV2_CanStaticAnalyzersDoAll|Put content here]]

=Methodology=
===The code review approach===
#Author - Prathamesh Mhatre
# [[CRV2_CodeReviewApproach|Put content here]]

==== Preparation and context ====
# Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
# [[CRV2_PrepContext|Put content here]]

====Application Threat Modeling====
#Author - Andy, Renchie Joan
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
# [[CRV2_AppThreatModeling|Put content here]]

====Understanding Code layout/Design/Architecture====
#Author - Ashish Rao
# [[CRV2_CodeLayoutDesignArch|Put content here]]

===SDLC Integration===
#Author - Andy, Ashish Rao
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
# [[CRV2_SDLCInt|Put content here]]

====Deployment Models====
=====Secure deployment configurations=====
#Author - Ashish Rao
# [[CRV2_SecDepConfig|Put content here]]

# New Section
=====Metrics and code review=====
#Author - Andy
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
# [[CRV2_MetricsCodeRev|Put content here]]

=====Source and sink reviews=====
#Author - Ashish Rao
# New Section
# [[CRV2_SourceSinkRev|Put content here]]

=====Code review Coverage=====
#Author - Open
#Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]]
# [[CRV2_CodeRevCoverage|Put content here]]

=====Design Reviews=====
#Author - Ashish Rao
*Why to review design?
**Building security in design - secure by design principle
**Design Areas to be reviewed
**Common Design Flaws
# [[CRV2_DesignRev|Put content here]]

=====A Risk based approach to code review=====
#Author - Renchie Joan
#New Section
*"Doing things right or doing the right things..."
**"Not all bugs are equal
# [[CRV2_RiskBasedApproach|Put content here]]

====Crawling code====
#Author - Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
*API of Interest:
**Java
**.NET
**PHP
**RUBY
*Frameworks:
**Spring
**.NET MVC
**Structs
**Zend
#New Section
*Searching for code in C/C++
#Author - Gary David Robinson

# [[CRV2_CrawlingCode|Put content here]]

====Code reviews and Compliance====
#Author -Manual Harti
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
# [[CRV2_CodeRevCompliance|Put content here]]

=Reviewing by Technical Control=
===Reviewing code for Authentication controls===
#Author - Anand Prakash, Joan Renchie
# [[CRV2_AuthControls|Put content here]]

====Forgot password====
#Author Abbas Naderi
# [[CRV2_ForgotPassword|Put content here]]

====Authentication====
#Author - Anand Prakash, Joan Renchie
# [[CRV2_Authentication|Put content here]]

====CAPTCHA====
#Author Larry Conklin, Joan Renchie
'''[[CRV2_CAPTCHA|Content here]]'''

====Out of Band considerations====
#Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
# [[CRV2_OutofBand|Put content here]]

===Reviewing code Authorization weakness===
#Author Ashish Rao (Eoin Keary .NET MVC added)
# [[CRV2_AuthorizationWeaknesses|Put content here]]

====Checking authz upon every request====
#Author - Abbas Naderi, Joan Renchie
# [[CRV2_CheckAuthzEachRequest|Put content here]]

====Reducing the attack surface====
#Author Chris Berberich
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]
# [[CRV2_ReducingAttSurf|Put content here]]

====SSL/TLS Implementations====
#Author - Eoin Keary
# [[CRV2_SSL-TLS|Put content here]]

====Reviewing code for Session handling====
#Author - Palak Gohil, Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]
# [[CRV2_SessionHandling|Put content here]]

====Reviewing client side code====
#New Section
# [[CRV2_ClientSideCodeIntro|Put content here]]

=====Javascript=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJScript|Put content here]]

=====JSON=====
#Author - Open
# [[CRV2_ClientSideCodeJSon|Put content here]]

=====Content Security Policy=====
#Author - Open
# [[CRV2_ClientSideCodeContSecPolicy|Put content here]]

====="Jacking"/Framing=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJackingFraming|Put content here]]

=====HTML 5?=====
#Author - Sebastien Gioria
# [[CRV2_ClientSideCodeHTML5|Put content here]]

=====Browser Defenses policy=====
#Author - Open
# [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]

=====etc...=====

====Review code for input validation====
#Author - Open
# [[CRV2_InputValIntro|Put content here]]

=====Regex Gotchas=====
#Author - Abbas Naderi
#New Section
# [[CRV2_InputValRegexGotchas|Put content here]]

=====ESAPI=====
#Author - Abbas Naderi
#New Section
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
# [[CRV2_InputValESAPI|Put content here]]

====Reviewing code for contextual encoding====
=====HTML Attribute=====
#Author - Shenai Silva
# [[CRV2_ContextEncHTMLAttribute|Put content here]]

=====HTML Entity=====
#Author - Shenai Silva
# [[CRV2_ContextEncHTMLEntity|Put content here]]

=====Javascript Parameters=====
#Author - Open
# [[CRV2_ContextEncJscriptParams|Put content here]]

=====JQuery=====
#Author - Abbas Naderi
# [[CRV2_ContextEncJQuery|Put content here]]

====Reviewing file and resource handling code====
#Author - Open
# [[CRV2_FileResourceHandling|Put content here]]

====Resource Exhaustion - error handling====
#Author - Abbas Naderi
# [[CRV2_ResourceExhaustionErrHandling|Put content here]]

=====native calls=====
#Author Abbas Naderi
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]]

====Reviewing Logging code - Detective Security====
#Author - Palak Gohil
* Where to Log
* What to log
* What not to log
* How to log
# Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]]
# [[CRV2_LoggingCode|Put content here]]

====Reviewing Error handling and Error messages====
#Author - Gary David Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
# [[CRV2_ErrorHandlingMessages|Put content here]]

====Reviewing Security alerts====
#Author - Open
# [[CRV2_SecurityAlerts|Put content here]]

====Review for active defense====
#Author - Colin Watson
# [[CRV2_ActiveDefense|Put content here]]

====Reviewing Secure Storage====
#Author - Azzeddine Ramrami
# New Section
# [[CRV2_SecureStorage|Put content here]]

====Hashing & Salting - When, How and Where====
=====Encrpyption=====
======.NET======
#Author Larry Conklin, Joan Renchie
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
'''[[CRV2_HashingandSaltingdotNet|Content here]]'''

=Reviewing by Vulnerability=
===Review Code for XSS===
#Author Palak Gohil, Anand Prakash (Examples added by Eoin Keary)
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
# [[CRV2_RevCodeXSS|Put content here]]

===Persistent - The Anti pattern===
#Author Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan, Larry Conklin
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]

====Ruby====
#Author Chris Berberich
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]

===Reflected - The Anti pattern===
# [[CRV2_RevCodeReflectedAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]

====Ruby====
# Author - Open
# [[CRV2_RevCodeReflectedAntiPatternIRuby|Put content here]]

===Stored - The Anti pattern===
# Author - Open
# [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]

===DOM XSS ===
#Author Larry Conklin
# [[CRV2_DOMXSS|Put content here]]

===JQuery mistakes===
#Author Shenal Silva
# [[CRV2_JQueryMistakes|Put content here]]

===Reviewing code for SQL Injection===
#Author Palak Gohil, Renchie Joan
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]
# [[CRV2_RevCodeSQLInjection|Put content here]]

====PHP====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjPHP|Put content here]]

====Java====
#Author - Open
# [[CRV2_SQLInjJava|Put content here]]

====.NET====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjdotNET|Put content here]]

====HQL====
#Author - Open
# [[CRV2_SQLInjHQL|Put content here]]

===The Anti pattern===
#Author Larry Conklin
#[[CRV2_AntiPattern| Content here]]
https://www.owasp.org/index.php/CRV2_AntiPattern
====PHP====
#Author - Mohammad Damavandi, Abbas Naderi
# [[CRV2_AntiPatternPHP|Put content here]]

====Java====
#Author - Palak Gohil
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,...
# [[CRV2_AntiPatternJava|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan,Larry Conklin
# [[CRV2_AntiPatterndotNet|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_AntiPatternRuby|Put content here]]

====Cold Fusion====
#Author - Open
# [[CRV2_AntiPatternColdFusion|Put content here]]

===Reviewing code for CSRF Issues===
#Author Palak Gohil,Anand Prakash, Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]
# [[CRV2_CSRFIssues|Put content here]]

===Transactional logic / Non idempotent functions / State Changing Functions===
#Author Abbas Naderi
# [[CRV2_TransLogic|Put content here]]

===Reviewing code for poor logic /Business logic/Complex authorization===
#Author - Sam Denard
# [[CRV2_PoorLogic|Put content here]]

===Reviewing Secure Communications===
====.NET Config====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_SecCommsdotNet|Put content here]]

====Spring Config====
#Author - Open
# [[CRV2_SecCommsSpringConfig|Put content here]]

====HTTP Headers====
#Author Gregory Disney, Abbas Naderi
# [[CRV2_SecCommsHTTPHdrs|Put content here]]

=====CSP=====
#Author Gregory Disney
# [[CRV2_SecCommsHTTPHdrsCSP|Put content here]]

=====HSTS=====
#Author Abbas Naderi
# [[CRV2_SecCommsHTTPHSTS|Put content here]]

===Tech-Stack pitfalls===
#Author Gregory Disney
# [[CRV2_TechStackPitfalls|Put content here]]

===Framework specific Issues===
====Spring====
#Author - Open
# [[CRV2_FrameworkSpecIssuesSpring|Put content here]]

====Structs====
#Author - Open
# [[CRV2_FrameworkSpecIssuesStructs|Put content here]]

====Drupal====
#Author Gregory Disney
# [[CRV2_FrameworkSpecIssuesDurpal|Put content here]]

====Ruby on Rails====
#Author - Open
# [[CRV2_FrameworkSpecIssuesROR|Put content here]]

====Django====
#Author Gregory Disney
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]]

====.NET Security / MVC====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]

====Security in ASP.NET applications====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]

=====Strongly Named Assemblies=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]

======Round Tripping======
# Author - Open
# [[CRV2_FrameworkSpecIssuesASPNetRT|Put content here]]

======How to prevent Round tripping======
# Author - Open
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]

=====Setting the right Configurations=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]

=====Authentication Options=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]

=====Code Review for Managed Code - .Net 1.0 and up=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]

=====Using OWASP Top 10 as your guideline=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]

=====Code review for Unsafe Code (C#)=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]

====PHP Specific Issues====
#Author Mohammad Damavandi, Abbas Naderi
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]]

====Classic ASP====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPClassic|Put content here]]

====C#====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]

====C/C++====
#Author Gary David Robinson
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]

====Objective C====
#Author Open
# [[CRV2_FrameworkSpecIssuesObectiveC|Put content here]]

====Java====
#Author Palak Gohil
# [[CRV2_FrameworkSpecIssuesJava|Put content here]]

====Android====
#Author Open
# [[CRV2_FrameworkSpecIssuesAndroid|Put content here]]

====Coldfusion====
#Author Open
# [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]]

====CodeIgniter====

# [[Zakiakhmad]]
# [[CRV2_FrameworkSpecIssuesCodeIgniter]]|Put content here]]

=Security code review for Agile development=
#Author Carlos Pantelides
# [[CRV2_CodeReviewAgile|Put content here]]

=Willing to review drafts=
#Terry Nerpester
#Larry Conklin
#Gary David Robinson
#Simon Whittaker
#Jason Johnson
#Carlos Pantelides

OWASP Code Review V2 Table of Contents

2013-08-16T08:06:46Z

Zakiakhmad: /* Reviewing by Techincal Control */

= '''OWASP Code Review Guide v2.0:''' =

==Forward==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]
'''[[CRV2_Forward|Content here]]'''

== Code Review Guide Introduction==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
'''[[CRV2_Introduction|Content here]]'''

=== What is source code review and Static Analysis ===
=== What is Code Review ===
# Author - Zyad Mghazli
# New Section
''' [[CRV2_WhatIsCodeReview|Content here]]'''

=== Manual Review - Pros and Cons ===
# Author - Ashish Rao
# New Section
# Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli
# [[CRV2_ManualReviewProsCons|Put content here]]

=== Advantages of Code Review to Development Practices ===
# Author - Gary David Robinson
# New Section
# [[CRV2_AdvantagesToDevPractices|Put content here]]

=== Why code review ===
==== Scope and Objective of secure code review ====
# Author - Ashish Rao
# [[CRV2_WhyCodeReview|Put content here]]

=== We can't hack ourselves secure ===
# Author - Prathamesh Mhatre
# New Section
# [[CRV2_CantHackSecure|Put content here]]

=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
# Author - Ashish Rao
# New Section
# [[CRV2_360Review|Put content here]]

=== Can static code analyzers do it all? ===
# Author - Ashish Rao
# New Section
# [[CRV2_CanStaticAnalyzersDoAll|Put content here]]

=Methodology=
===The code review approach===
#Author - Prathamesh Mhatre
# [[CRV2_CodeReviewApproach|Put content here]]

==== Preparation and context ====
# Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
# [[CRV2_PrepContext|Put content here]]

====Application Threat Modeling====
#Author - Andy, Renchie Joan
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
# [[CRV2_AppThreatModeling|Put content here]]

====Understanding Code layout/Design/Architecture====
#Author - Ashish Rao
# [[CRV2_CodeLayoutDesignArch|Put content here]]

===SDLC Integration===
#Author - Andy, Ashish Rao
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
# [[CRV2_SDLCInt|Put content here]]

====Deployment Models====
=====Secure deployment configurations=====
#Author - Ashish Rao
# [[CRV2_SecDepConfig|Put content here]]

# New Section
=====Metrics and code review=====
#Author - Andy
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
# [[CRV2_MetricsCodeRev|Put content here]]

=====Source and sink reviews=====
#Author - Ashish Rao
# New Section
# [[CRV2_SourceSinkRev|Put content here]]

=====Code review Coverage=====
#Author - Open
#Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]]
# [[CRV2_CodeRevCoverage|Put content here]]

=====Design Reviews=====
#Author - Ashish Rao
*Why to review design?
**Building security in design - secure by design principle
**Design Areas to be reviewed
**Common Design Flaws
# [[CRV2_DesignRev|Put content here]]

=====A Risk based approach to code review=====
#Author - Renchie Joan
#New Section
*"Doing things right or doing the right things..."
**"Not all bugs are equal
# [[CRV2_RiskBasedApproach|Put content here]]

====Crawling code====
#Author - Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
*API of Interest:
**Java
**.NET
**PHP
**RUBY
*Frameworks:
**Spring
**.NET MVC
**Structs
**Zend
#New Section
*Searching for code in C/C++
#Author - Gary David Robinson

# [[CRV2_CrawlingCode|Put content here]]

====Code reviews and Compliance====
#Author -Manual Harti
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
# [[CRV2_CodeRevCompliance|Put content here]]

=Reviewing by Technical Control=
===Reviewing code for Authentication controls===
#Author - Anand Prakash, Joan Renchie
# [[CRV2_AuthControls|Put content here]]

====Forgot password====
#Author Abbas Naderi
# [[CRV2_ForgotPassword|Put content here]]

====Authentication====
#Author - Anand Prakash, Joan Renchie
# [[CRV2_Authentication|Put content here]]

====CAPTCHA====
#Author Larry Conklin, Joan Renchie
'''[[CRV2_CAPTCHA|Content here]]'''

====Out of Band considerations====
#Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
# [[CRV2_OutofBand|Put content here]]

===Reviewing code Authorization weakness===
#Author Ashish Rao (Eoin Keary .NET MVC added)
# [[CRV2_AuthorizationWeaknesses|Put content here]]

====Checking authz upon every request====
#Author - Abbas Naderi, Joan Renchie
# [[CRV2_CheckAuthzEachRequest|Put content here]]

====Reducing the attack surface====
#Author Chris Berberich
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]
# [[CRV2_ReducingAttSurf|Put content here]]

====SSL/TLS Implementations====
#Author - Eoin Keary
# [[CRV2_SSL-TLS|Put content here]]

====Reviewing code for Session handling====
#Author - Palak Gohil, Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]
# [[CRV2_SessionHandling|Put content here]]

====Reviewing client side code====
#New Section
# [[CRV2_ClientSideCodeIntro|Put content here]]

=====Javascript=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJScript|Put content here]]

=====JSON=====
#Author - Open
# [[CRV2_ClientSideCodeJSon|Put content here]]

=====Content Security Policy=====
#Author - Open
# [[CRV2_ClientSideCodeContSecPolicy|Put content here]]

====="Jacking"/Framing=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJackingFraming|Put content here]]

=====HTML 5?=====
#Author - Sebastien Gioria
# [[CRV2_ClientSideCodeHTML5|Put content here]]

=====Browser Defenses policy=====
#Author - Open
# [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]

=====etc...=====

====Review code for input validation====
#Author - Open
# [[CRV2_InputValIntro|Put content here]]

=====Regex Gotchas=====
#Author - Abbas Naderi
#New Section
# [[CRV2_InputValRegexGotchas|Put content here]]

=====ESAPI=====
#Author - Abbas Naderi
#New Section
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
# [[CRV2_InputValESAPI|Put content here]]

====Reviewing code for contextual encoding====
=====HTML Attribute=====
#Author - Shenai Silva
# [[CRV2_ContextEncHTMLAttribute|Put content here]]

=====HTML Entity=====
#Author - Shenai Silva
# [[CRV2_ContextEncHTMLEntity|Put content here]]

=====Javascript Parameters=====
#Author - Open
# [[CRV2_ContextEncJscriptParams|Put content here]]

=====JQuery=====
#Author - Abbas Naderi
# [[CRV2_ContextEncJQuery|Put content here]]

====Reviewing file and resource handling code====
#Author - Open
# [[CRV2_FileResourceHandling|Put content here]]

====Resource Exhaustion - error handling====
#Author - Abbas Naderi
# [[CRV2_ResourceExhaustionErrHandling|Put content here]]

=====native calls=====
#Author Abbas Naderi
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]]

====Reviewing Logging code - Detective Security====
#Author - Palak Gohil
* Where to Log
* What to log
* What not to log
* How to log
# Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]]
# [[CRV2_LoggingCode|Put content here]]

====Reviewing Error handling and Error messages====
#Author - Gary David Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
# [[CRV2_ErrorHandlingMessages|Put content here]]

====Reviewing Security alerts====
#Author - Open
# [[CRV2_SecurityAlerts|Put content here]]

====Review for active defense====
#Author - Colin Watson
# [[CRV2_ActiveDefense|Put content here]]

====Reviewing Secure Storage====
#Author - Azzeddine Ramrami
# New Section
# [[CRV2_SecureStorage|Put content here]]

====Hashing & Salting - When, How and Where====
=====Encrpyption=====
======.NET======
#Author Larry Conklin, Joan Renchie
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
'''[[CRV2_HashingandSaltingdotNet|Content here]]'''

=Reviewing by Vulnerability=
===Review Code for XSS===
#Author Palak Gohil, Anand Prakash (Examples added by Eoin Keary)
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
# [[CRV2_RevCodeXSS|Put content here]]

===Persistent - The Anti pattern===
#Author Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan, Larry Conklin
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]

====Ruby====
#Author Chris Berberich
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]

===Reflected - The Anti pattern===
# [[CRV2_RevCodeReflectedAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]

====Ruby====
# Author - Open
# [[CRV2_RevCodeReflectedAntiPatternIRuby|Put content here]]

===Stored - The Anti pattern===
# Author - Open
# [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]

===DOM XSS ===
#Author Larry Conklin
# [[CRV2_DOMXSS|Put content here]]

===JQuery mistakes===
#Author Shenal Silva
# [[CRV2_JQueryMistakes|Put content here]]

===Reviewing code for SQL Injection===
#Author Palak Gohil, Renchie Joan
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]
# [[CRV2_RevCodeSQLInjection|Put content here]]

====PHP====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjPHP|Put content here]]

====Java====
#Author - Open
# [[CRV2_SQLInjJava|Put content here]]

====.NET====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjdotNET|Put content here]]

====HQL====
#Author - Open
# [[CRV2_SQLInjHQL|Put content here]]

===The Anti pattern===
#Author Larry Conklin
#[[CRV2_AntiPattern| Content here]]
https://www.owasp.org/index.php/CRV2_AntiPattern
====PHP====
#Author - Mohammad Damavandi, Abbas Naderi
# [[CRV2_AntiPatternPHP|Put content here]]

====Java====
#Author - Palak Gohil
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,...
# [[CRV2_AntiPatternJava|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan,Larry Conklin
# [[CRV2_AntiPatterndotNet|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_AntiPatternRuby|Put content here]]

====Cold Fusion====
#Author - Open
# [[CRV2_AntiPatternColdFusion|Put content here]]

===Reviewing code for CSRF Issues===
#Author Palak Gohil,Anand Prakash, Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]
# [[CRV2_CSRFIssues|Put content here]]

===Transactional logic / Non idempotent functions / State Changing Functions===
#Author Abbas Naderi
# [[CRV2_TransLogic|Put content here]]

===Reviewing code for poor logic /Business logic/Complex authorization===
#Author - Sam Denard
# [[CRV2_PoorLogic|Put content here]]

===Reviewing Secure Communications===
====.NET Config====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_SecCommsdotNet|Put content here]]

====Spring Config====
#Author - Open
# [[CRV2_SecCommsSpringConfig|Put content here]]

====HTTP Headers====
#Author Gregory Disney, Abbas Naderi
# [[CRV2_SecCommsHTTPHdrs|Put content here]]

=====CSP=====
#Author Gregory Disney
# [[CRV2_SecCommsHTTPHdrsCSP|Put content here]]

=====HSTS=====
#Author Abbas Naderi
# [[CRV2_SecCommsHTTPHSTS|Put content here]]

===Tech-Stack pitfalls===
#Author Gregory Disney
# [[CRV2_TechStackPitfalls|Put content here]]

===Framework specific Issues===
====Spring====
#Author - Open
# [[CRV2_FrameworkSpecIssuesSpring|Put content here]]

====Structs====
#Author - Open
# [[CRV2_FrameworkSpecIssuesStructs|Put content here]]

====Drupal====
#Author Gregory Disney
# [[CRV2_FrameworkSpecIssuesDurpal|Put content here]]

====Ruby on Rails====
#Author - Open
# [[CRV2_FrameworkSpecIssuesROR|Put content here]]

====Django====
#Author Gregory Disney
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]]

====.NET Security / MVC====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]

====Security in ASP.NET applications====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]

=====Strongly Named Assemblies=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]

======Round Tripping======
# Author - Open
# [[CRV2_FrameworkSpecIssuesASPNetRT|Put content here]]

======How to prevent Round tripping======
# Author - Open
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]

=====Setting the right Configurations=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]

=====Authentication Options=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]

=====Code Review for Managed Code - .Net 1.0 and up=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]

=====Using OWASP Top 10 as your guideline=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]

=====Code review for Unsafe Code (C#)=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]

====PHP Specific Issues====
#Author Mohammad Damavandi, Abbas Naderi
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]]

====Classic ASP====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPClassic|Put content here]]

====C#====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]

====C/C++====
#Author Gary David Robinson
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]

====Objective C====
#Author Open
# [[CRV2_FrameworkSpecIssuesObectiveC|Put content here]]

====Java====
#Author Palak Gohil
# [[CRV2_FrameworkSpecIssuesJava|Put content here]]

====Android====
#Author Open
# [[CRV2_FrameworkSpecIssuesAndroid|Put content here]]

====Coldfusion====
#Author Open
# [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]]

=Security code review for Agile development=
#Author Carlos Pantelides
# [[CRV2_CodeReviewAgile|Put content here]]

=Willing to review drafts=
#Terry Nerpester
#Larry Conklin
#Gary David Robinson
#Simon Whittaker
#Jason Johnson
#Carlos Pantelides

Blind SQL Injection

2013-07-19T04:33:21Z

Zakiakhmad: /* References */

{{Template:Attack}}
[[Category:OWASP ASDR Project]]
[[Category:Security Focus Area]]
__NOTOC__
 

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==
Blind SQL (Structured Query Language) injection is a type of [[SQL Injection]] attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal [[SQL Injection]], the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible. .

==Threat Modeling==
Same as for [[SQL Injection]]

==Risk Factors==
Same as for [[SQL Injection]]

==Examples ==
An attacker may verify whether a sent request returned true or false in a few ways:

===Content-based===
Using a simple page, which displays an article with given ID as the parameter, the attacker may perform a couple of simple tests to determine if the page is vulnerable to SQL Injection attacks.

Example URL:
<pre>
http://newspaper.com/items.php?id=2
</pre>
sends the following query to the database:
<pre>
SELECT title, description, body FROM items WHERE ID = 2
</prE>
The attacker may then try to inject a query that returns 'false':
<pre>
http://newspaper.com/items.php?id=2 and 1=2
</pre>
Now the SQL query should looks like this:
<pre>
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
</pre>
If the web application is vulnerable to SQL Injection, then it probably will not return anything. To make sure, the attacker will inject a query that will return 'true':
<pre>
http://newspaper.com/items.php?id=2 and 1=1
</pre>
If the content of the page that returns 'true' is different than that of the page that returns 'false', then the attacker is able to distinguish when the executed query returns true or false.

Once this has been verified, the only limitations are privileges set up by the database administrator, different SQL syntax, and the attacker's imagination.

===Time-based===

This type of blind SQL injection relies on the database pausing for a specified amount of time, then returning the results, indicating successful SQL query executing. Using this method, an attacker enumerates each letter of the desired piece of data using the following logic:

If the first letter of the first database's name is an 'A', wait for 10 seconds.

If the first letter of the first database's name is an 'B', wait for 10 seconds. etc.

'''Microsoft SQL Server'''
<pre>
http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:10'--
</pre>

'''MySQL'''
<pre>
SELECT IF(expression, true, false)
</pre>
Using some time-taking operation e.g. BENCHMARK(), will delay server
responses if the expression is True.

<pre>BENCHMARK(5000000,ENCODE('MSG','by 5 seconds'))</pre> - will execute the ENCODE function 5000000 times.

Depending on the database server's performance and load, it should
take just a moment to finish this operation. The important thing is,
from the attacker's point of view, to specify a high-enough number of BENCHMARK()
function repetitions to affect the database
response time in a noticeable way.

Example combination of both queries:
<pre>
1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;
</pre>
If the database response took a long time, we may expect that the first user password character with user_id = 1 is character '2'.
<pre>
(CHAR(50) == '2')
</pre>
Using this method for the rest of characters, it's possible to enumerate entire passwords stored in the database. This method works even when the attacker injects the SQL queries and the content of the vulnerable page doesn't change.

Obviously, in this example, the names of the tables and the number of columns was specified. However, it's possible to guess them or check with a trial and error method.

Databases other than MySQL also have time-based functions which allow them to be used for time-based attacks:
* MS SQL 'WAIT FOR DELAY '0:0:10''
* PostgreSQL - pg_sleep()

Conducting Blind_SQL_Injection attacks manually is very time consuming, but there are a lot of tools which automate this process. One of them is SQLMap (http://sqlmap.org/) partly developed within OWASP grant program. On the other hand, tools of this kind are very sensitive to even small deviations from the rule. This includes:

* scanning other website clusters, where clocks are not ideally synchronized,
* WWW services where argument acquiring method was changed, e.g. from /index.php?ID=10 to /ID,10

===Remote Database Fingerprinting===

If the attacker is able to determine when his query returns True or False, then he may fingerprint the RDBMS. This will make the whole attack much easier. If the time-based approach is used, this helps determine what type of database is in use. Another popular methods to do this is to call functions which will return the current date. MySQL, MSSQL, and Oracle have different functions for that, respectively ''now()'', ''getdate()'', and ''sysdate()''.

==Related [[Threat Agents]]==
Same as for [[SQL Injection]]

==Related [[Attacks]]==
* [[Blind_XPath_Injection]]
* [[SQL_Injection]]
* [[XPATH_Injection]]
* [[LDAP_injection]]
* [[Server-Side_Includes_%28SSI%29_Injection]]

==Related [[Vulnerabilities]]==
* [[Injection_problem]]

==Related [[Controls]]==
* [[:Category:Input Validation]]

See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on how to [[Guide to SQL Injection | Avoid SQL Injection]] Vulnerabilities.
 See the OWASP [[SQL Injection Prevention Cheat Sheet]].

See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for SQL Injection|Review Code for SQL Injection]] Vulnerabilities.

See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for SQL Injection (OWASP-DV-005)|Test for SQL Injection]] Vulnerabilities.

==References==
* http://www.cgisecurity.com/questions/blindsql.shtml
* http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html
* http://www.securitydocs.com/library/2651
* http://seclists.org/bugtraq/2005/Feb/0288.html
* http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/

'''Online Resources'''
* [http://www.nccgroup.com/Libraries/Document_Downloads/more__Advanced_SQL_Injection.sflb.ashx more Advanced SQL Injection] - by NGS
* [http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-hotchkies/bh-us-04-hotchkies.pdf Blind SQL Injection Automation Techniques] - Black Hat Pdf
* [http://seclists.org/lists/bugtraq/2005/Feb/0288.html Blind Sql-Injection in MySQL Databases]
* [http://www.cgisecurity.com/questions/blindsql.shtml Cgisecurity.com: What is Blind SQL Injection?]
* Kevin Spett from SPI Dynamics: http://www.net-security.org/dl/articles/Blind_SQLInjection.pdf
* http://www.imperva.com/resources/whitepapers.asp?t=ADC
* [https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt Advanced SQL Injection]

'''Tools'''
* [http://www.sqlpowerinjector.com/ SQL Power Injector]
* [http://www.0x90.org/releases/absinthe/ Absinthe :: Automated Blind SQL Injection] // ver1.3.1
* [http://www.securiteam.com/tools/5IP0L20I0E.html SQLBrute - Multi Threaded Blind SQL Injection Bruteforcer] in Python
* [[:Category:OWASP_SQLiX_Project|SQLiX - SQL Injection Scanner]] in Perl
* [http://sqlmap.org/ sqlmap, automatic SQL injection tool] in Python
* [https://code.google.com/p/bsqlbf-v2/ bsqlbf, a blind SQL injection tool] in Perl

[[Category:Injection]]
[[Category: Attack]]

Blind SQL Injection

2013-07-19T04:32:55Z

Zakiakhmad: /* Time-based */ Change sqlmap URL

{{Template:Attack}}
[[Category:OWASP ASDR Project]]
[[Category:Security Focus Area]]
__NOTOC__
 

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==
Blind SQL (Structured Query Language) injection is a type of [[SQL Injection]] attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal [[SQL Injection]], the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible. .

==Threat Modeling==
Same as for [[SQL Injection]]

==Risk Factors==
Same as for [[SQL Injection]]

==Examples ==
An attacker may verify whether a sent request returned true or false in a few ways:

===Content-based===
Using a simple page, which displays an article with given ID as the parameter, the attacker may perform a couple of simple tests to determine if the page is vulnerable to SQL Injection attacks.

Example URL:
<pre>
http://newspaper.com/items.php?id=2
</pre>
sends the following query to the database:
<pre>
SELECT title, description, body FROM items WHERE ID = 2
</prE>
The attacker may then try to inject a query that returns 'false':
<pre>
http://newspaper.com/items.php?id=2 and 1=2
</pre>
Now the SQL query should looks like this:
<pre>
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
</pre>
If the web application is vulnerable to SQL Injection, then it probably will not return anything. To make sure, the attacker will inject a query that will return 'true':
<pre>
http://newspaper.com/items.php?id=2 and 1=1
</pre>
If the content of the page that returns 'true' is different than that of the page that returns 'false', then the attacker is able to distinguish when the executed query returns true or false.

Once this has been verified, the only limitations are privileges set up by the database administrator, different SQL syntax, and the attacker's imagination.

===Time-based===

This type of blind SQL injection relies on the database pausing for a specified amount of time, then returning the results, indicating successful SQL query executing. Using this method, an attacker enumerates each letter of the desired piece of data using the following logic:

If the first letter of the first database's name is an 'A', wait for 10 seconds.

If the first letter of the first database's name is an 'B', wait for 10 seconds. etc.

'''Microsoft SQL Server'''
<pre>
http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:10'--
</pre>

'''MySQL'''
<pre>
SELECT IF(expression, true, false)
</pre>
Using some time-taking operation e.g. BENCHMARK(), will delay server
responses if the expression is True.

<pre>BENCHMARK(5000000,ENCODE('MSG','by 5 seconds'))</pre> - will execute the ENCODE function 5000000 times.

Depending on the database server's performance and load, it should
take just a moment to finish this operation. The important thing is,
from the attacker's point of view, to specify a high-enough number of BENCHMARK()
function repetitions to affect the database
response time in a noticeable way.

Example combination of both queries:
<pre>
1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;
</pre>
If the database response took a long time, we may expect that the first user password character with user_id = 1 is character '2'.
<pre>
(CHAR(50) == '2')
</pre>
Using this method for the rest of characters, it's possible to enumerate entire passwords stored in the database. This method works even when the attacker injects the SQL queries and the content of the vulnerable page doesn't change.

Obviously, in this example, the names of the tables and the number of columns was specified. However, it's possible to guess them or check with a trial and error method.

Databases other than MySQL also have time-based functions which allow them to be used for time-based attacks:
* MS SQL 'WAIT FOR DELAY '0:0:10''
* PostgreSQL - pg_sleep()

Conducting Blind_SQL_Injection attacks manually is very time consuming, but there are a lot of tools which automate this process. One of them is SQLMap (http://sqlmap.org/) partly developed within OWASP grant program. On the other hand, tools of this kind are very sensitive to even small deviations from the rule. This includes:

* scanning other website clusters, where clocks are not ideally synchronized,
* WWW services where argument acquiring method was changed, e.g. from /index.php?ID=10 to /ID,10

===Remote Database Fingerprinting===

If the attacker is able to determine when his query returns True or False, then he may fingerprint the RDBMS. This will make the whole attack much easier. If the time-based approach is used, this helps determine what type of database is in use. Another popular methods to do this is to call functions which will return the current date. MySQL, MSSQL, and Oracle have different functions for that, respectively ''now()'', ''getdate()'', and ''sysdate()''.

==Related [[Threat Agents]]==
Same as for [[SQL Injection]]

==Related [[Attacks]]==
* [[Blind_XPath_Injection]]
* [[SQL_Injection]]
* [[XPATH_Injection]]
* [[LDAP_injection]]
* [[Server-Side_Includes_%28SSI%29_Injection]]

==Related [[Vulnerabilities]]==
* [[Injection_problem]]

==Related [[Controls]]==
* [[:Category:Input Validation]]

See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on how to [[Guide to SQL Injection | Avoid SQL Injection]] Vulnerabilities.
 See the OWASP [[SQL Injection Prevention Cheat Sheet]].

See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for SQL Injection|Review Code for SQL Injection]] Vulnerabilities.

See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for SQL Injection (OWASP-DV-005)|Test for SQL Injection]] Vulnerabilities.

==References==
* http://www.cgisecurity.com/questions/blindsql.shtml
* http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html
* http://www.securitydocs.com/library/2651
* http://seclists.org/bugtraq/2005/Feb/0288.html
* http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/

'''Online Resources'''
* [http://www.nccgroup.com/Libraries/Document_Downloads/more__Advanced_SQL_Injection.sflb.ashx more Advanced SQL Injection] - by NGS
* [http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-hotchkies/bh-us-04-hotchkies.pdf Blind SQL Injection Automation Techniques] - Black Hat Pdf
* [http://seclists.org/lists/bugtraq/2005/Feb/0288.html Blind Sql-Injection in MySQL Databases]
* [http://www.cgisecurity.com/questions/blindsql.shtml Cgisecurity.com: What is Blind SQL Injection?]
* Kevin Spett from SPI Dynamics: http://www.net-security.org/dl/articles/Blind_SQLInjection.pdf
* http://www.imperva.com/resources/whitepapers.asp?t=ADC
* [https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt Advanced SQL Injection]

'''Tools'''
* [http://www.sqlpowerinjector.com/ SQL Power Injector]
* [http://www.0x90.org/releases/absinthe/ Absinthe :: Automated Blind SQL Injection] // ver1.3.1
* [http://www.securiteam.com/tools/5IP0L20I0E.html SQLBrute - Multi Threaded Blind SQL Injection Bruteforcer] in Python
* [[:Category:OWASP_SQLiX_Project|SQLiX - SQL Injection Scanner]] in Perl
* [http://sqlmap.sourceforge.net sqlmap, automatic SQL injection tool] in Python
* [https://code.google.com/p/bsqlbf-v2/ bsqlbf, a blind SQL injection tool] in Perl

[[Category:Injection]]
[[Category: Attack]]

Top 10 2013/ProjectMethodology

2013-03-27T07:33:20Z

Zakiakhmad: /* FAQ */

=Goal=
'''The goal of this page is to provide the baseline of knowledge to begin a thoughtful conversation of enhancements and changes to continue growing the OWASP top 10.'''

=About=

This page is intended to provide greater clarity on the development methodology of the OWASP Top 10. This page provides information on the data sources used as input to the top 10, the current development processes, suggestions to improve involvement and participation, and also an FAQ to cover common questions & concerns.

This is a wiki and editable by anyone with an OWASP account. Please constructively contribute to the conversation. Additional discussions should also take place within the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP top 10 mailing list].

=Current Methodology=
The 2010 and later versions of OWASP Top 10 are organized based on the [[OWASP_Risk_Rating_Methodology]], adjusted for the fact that the Top 10 is independent of any particular system. This adjusted methodology is documented in the OWASP Top 10 for 2010 here: [[Top_10_2010-Notes_About_Risk]].

This resulted in 4 risk factors used to calculate the order of the Top 10, 3 Likelihood Factors and 1 Impact Factor. These factors are:
* Likelihood of an Application Having that Vulnerability (Prevalence)
* Likelihood of an Attacker Discovering that Vulnerability (Detectability)
* Likelihood of An Attacker Successfully Exploiting that Vulnerability (Exploitability)
* Typical Technical Impact if that Vulnerability is Successfully Exploited (Impact)
Each of these factors is scored on a scale from 1 through 3, except for XSS, which has a prevalence of 4

The Top 10 uses data sources provided by a variety of companies (see [[Top_10_2013/ProjectMethodology#Current_Data_Sources sources]]) to calculate Vulnerability Prevalence. We would love to use similar data to help calculate the scores for the other risk factors if that data is available (which is one of the improvement suggestions recommended below).

The process for producing an update to the OWASP Top 10 is generally as follows:
# Collect prevalence data from data suppliers.
# Rank prevalence data for each supplier and then aggregate the results to create an overall prevalence ranking for this update to the Top 10.
# Determine the values of the other risk factors based on professional opinion. (This step not done prior to 2010)
#* Adjustments are sometimes done based on professional opinion (like adding CSRF in 2007, and Vulnerable Libraries in 2013)
# Calculate the Top 10 order
# Write a Draft/Release Candidate
# For 2010, a Draft was reviewed by the Data Contributors and other members of the OWASP Community, and the core commenters/contributors to the Release Candidate and Final Release were acknowledged here: [[Top_10_2010-Introduction]] (About 15 individuals/groups)
#* Note, for 2013 this internal project review step was eliminated in order to get the release candidate out for public comment faster
# Publish Release Candidate for public comment (Prior to 2010 there was no release candidate, just a final release)
# Accept comments during a comment period
# Interact with comment providers to update the Top 10
# Publish all provided comments
# Publish a Final Release

This certainly doesn't cover every nuance of what it takes to produce the Top 10. For example, one of the most common comments is "Why don't you combine these two items into one to make room for my favorite Risk?". Like combining XSS into Injection, since XSS is really just a client side injection issue. The goal of the OWASP Top 10 is to raise awareness of the most important Risks, not to include every possible Risk we can stuff into the Top 10. So, in some cases, we've kept related issues separate to try to increase awareness of each issue. But there is always debate as to what's best, which is clearly subjective. In the 2013 release candidate, we combined cryptographic storage and communications into a single category, and then pulled use of known vulnerable libraries out of the Security Misconfiguration category in order to bring more attention to the use of Known Vulnerable Libraries since we believe this is an extremely important issue that deserves more attention as the use of libraries becomes more and more prevalent. In past updates, to make room for new issues, we dropped the least important issues, like error handling and denial of service, which some people agreed with, but others did not.

In 2010, the Release Candidate process worked like this:
# It was open for public comment for several months
# Dave Wichers, primarily, interacted via email with each comment provider to address their comments or provide rationale as to why no change was thought to be most appropriate.
# All provided comments were published at:
#* [http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 - 2010 Public Comments], and
#* [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf Kai Jendrian's Top 10 - 2010 Comments]
# The final version was published.

In 2013, the process is currently like so:
# Public comment period of Release Candidate is currently from February through end of March 2013. (This can be extended if necessary)
# We were planning on following the same process as for 2010 to complete the Top 10, but clearly the OWASP Community wants to get more heavily involved in producing the Final Release, which is great.
# So, at this point, the process for completing the 2013 Top 10 is TBD, subject to your input/suggestions.

=Current Prevalence Data Sources=
* Aspect Security
* HP (Results for both Fortify and WebInspect)
* Minded Security - [http://blog.mindedsecurity.com/2013/02/real-life-vulnerabilities-statistics.html Statistics]
* Softtek
* Trustwave Spiderlabs - [http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf Statistics]
* Veracode – [http://info.veracode.com/rs/veracode/images/VERACODE-SOSS-V4.PDF Statistics]
* WhiteHat Security – [https://www.whitehatsec.com/home/resource/stats.html Statistics]

If you would like to contribute your vulnerability statistics to the OWASP Top 10 project, please send your data to: dave.wichers@owasp.org. Please indicate if its OK for OWASP to publish this raw data. If you have already published this data, please provide us a link to the public posting.

Note: In the first version of the Top 10 in 2003, we started with the MITRE CVE data, and each update expanded the number of prevalence data contributors. Unfortunately, the CVE data for 2011/2012 wasn't available for the 2013 release, which is why its not included this year.

=Suggested Enhancements=
Note: This is a wiki - please add new suggestions into this page.

# Use a public wiki or [http://code.google.com/p/owasptop10/issues/list google issues] to capture feedback - mailing lists are tough and things get lost
# Use a public wiki to allow for public edits, not just feedback. These edits will all be tracked with rollback capabilities for editing and will allow the history of Top 10 edit history to be "public" for maximum "open" and "visibility".
# Establish a Top 10 panel to evaluate and make final decisions on inclusion & ranking
#* Not feasible for everyone to vote on every item
#* A diverse panel representing various verticals (vendor, enterprise, offense/defense, etc)
# Additional data sources could be considered (please add links)
#* WASC [http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database Web Hacking Incident Database]
#** [https://www.google.com/fusiontables/DataSource?snapid=S91371616ef WHID Top Attack Methods for 2012]
#** [https://www.google.com/fusiontables/DataSource?snapid=S91371786H4 WHID Top App Weaknesses for 2012]
#* Firehosts Web Application Attack Reports
#** [http://www.firehost.com/company/newsroom/web-application-attack-report-fourth-quarter-2012 Web Application Attack Report for Q4 2012]
#* Imperva's Web Application Attack Reports
#** [http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed3.pdf Web Application Attack Report for Q3 2012]
#* Prolexic Attack Report
#** [http://www.prolexic.com/pdf/Prolexic_Q212_Attack_Report_071212.pdf DDoS Attack Report for Q2 2012]
# Additional reports could be considered:
#* Annual Symantec Internet Threat Reports
#* Datalossdb
#* IBM XForce threat reports
#* Akamai State of the Internet Reports
# Public forum to brainstorm and discuss key topics
# Remove corporate logos from the Top Ten PDF and provide a "Who we are" link similar to Apache for maximum vendor neutrality: http://hadoop.apache.org/who.html

=FAQ=

1. The Three Cycle Reasons. Why OWASP Top 10 is release every three year cycle?
: Here are the reasons:
: a) The field does evolve pretty quick but Top 10 risks not substantially change every single year. Release every year is too much.
: b) It takes a lot of work to produce OWASP Top 10 update and spacing it out balances between the effort to produce and the amount of change when its updated.
: c) Lots of organizations, tools, etc, organize to the OWASP Top 10. So if it was published every single year, then everyone that chooses to align themselves to each update would have to do that work every year.
2. ...

Top 10 2013/ProjectMethodology

2013-03-27T07:31:36Z

Zakiakhmad: /* FAQ */

=Goal=
'''The goal of this page is to provide the baseline of knowledge to begin a thoughtful conversation of enhancements and changes to continue growing the OWASP top 10.'''

=About=

This page is intended to provide greater clarity on the development methodology of the OWASP Top 10. This page provides information on the data sources used as input to the top 10, the current development processes, suggestions to improve involvement and participation, and also an FAQ to cover common questions & concerns.

This is a wiki and editable by anyone with an OWASP account. Please constructively contribute to the conversation. Additional discussions should also take place within the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP top 10 mailing list].

=Current Methodology=
The 2010 and later versions of OWASP Top 10 are organized based on the [[OWASP_Risk_Rating_Methodology]], adjusted for the fact that the Top 10 is independent of any particular system. This adjusted methodology is documented in the OWASP Top 10 for 2010 here: [[Top_10_2010-Notes_About_Risk]].

This resulted in 4 risk factors used to calculate the order of the Top 10, 3 Likelihood Factors and 1 Impact Factor. These factors are:
* Likelihood of an Application Having that Vulnerability (Prevalence)
* Likelihood of an Attacker Discovering that Vulnerability (Detectability)
* Likelihood of An Attacker Successfully Exploiting that Vulnerability (Exploitability)
* Typical Technical Impact if that Vulnerability is Successfully Exploited (Impact)
Each of these factors is scored on a scale from 1 through 3, except for XSS, which has a prevalence of 4

The Top 10 uses data sources provided by a variety of companies (see [[Top_10_2013/ProjectMethodology#Current_Data_Sources sources]]) to calculate Vulnerability Prevalence. We would love to use similar data to help calculate the scores for the other risk factors if that data is available (which is one of the improvement suggestions recommended below).

The process for producing an update to the OWASP Top 10 is generally as follows:
# Collect prevalence data from data suppliers.
# Rank prevalence data for each supplier and then aggregate the results to create an overall prevalence ranking for this update to the Top 10.
# Determine the values of the other risk factors based on professional opinion. (This step not done prior to 2010)
#* Adjustments are sometimes done based on professional opinion (like adding CSRF in 2007, and Vulnerable Libraries in 2013)
# Calculate the Top 10 order
# Write a Draft/Release Candidate
# For 2010, a Draft was reviewed by the Data Contributors and other members of the OWASP Community, and the core commenters/contributors to the Release Candidate and Final Release were acknowledged here: [[Top_10_2010-Introduction]] (About 15 individuals/groups)
#* Note, for 2013 this internal project review step was eliminated in order to get the release candidate out for public comment faster
# Publish Release Candidate for public comment (Prior to 2010 there was no release candidate, just a final release)
# Accept comments during a comment period
# Interact with comment providers to update the Top 10
# Publish all provided comments
# Publish a Final Release

This certainly doesn't cover every nuance of what it takes to produce the Top 10. For example, one of the most common comments is "Why don't you combine these two items into one to make room for my favorite Risk?". Like combining XSS into Injection, since XSS is really just a client side injection issue. The goal of the OWASP Top 10 is to raise awareness of the most important Risks, not to include every possible Risk we can stuff into the Top 10. So, in some cases, we've kept related issues separate to try to increase awareness of each issue. But there is always debate as to what's best, which is clearly subjective. In the 2013 release candidate, we combined cryptographic storage and communications into a single category, and then pulled use of known vulnerable libraries out of the Security Misconfiguration category in order to bring more attention to the use of Known Vulnerable Libraries since we believe this is an extremely important issue that deserves more attention as the use of libraries becomes more and more prevalent. In past updates, to make room for new issues, we dropped the least important issues, like error handling and denial of service, which some people agreed with, but others did not.

In 2010, the Release Candidate process worked like this:
# It was open for public comment for several months
# Dave Wichers, primarily, interacted via email with each comment provider to address their comments or provide rationale as to why no change was thought to be most appropriate.
# All provided comments were published at:
#* [http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 - 2010 Public Comments], and
#* [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf Kai Jendrian's Top 10 - 2010 Comments]
# The final version was published.

In 2013, the process is currently like so:
# Public comment period of Release Candidate is currently from February through end of March 2013. (This can be extended if necessary)
# We were planning on following the same process as for 2010 to complete the Top 10, but clearly the OWASP Community wants to get more heavily involved in producing the Final Release, which is great.
# So, at this point, the process for completing the 2013 Top 10 is TBD, subject to your input/suggestions.

=Current Prevalence Data Sources=
* Aspect Security
* HP (Results for both Fortify and WebInspect)
* Minded Security - [http://blog.mindedsecurity.com/2013/02/real-life-vulnerabilities-statistics.html Statistics]
* Softtek
* Trustwave Spiderlabs - [http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf Statistics]
* Veracode – [http://info.veracode.com/rs/veracode/images/VERACODE-SOSS-V4.PDF Statistics]
* WhiteHat Security – [https://www.whitehatsec.com/home/resource/stats.html Statistics]

If you would like to contribute your vulnerability statistics to the OWASP Top 10 project, please send your data to: dave.wichers@owasp.org. Please indicate if its OK for OWASP to publish this raw data. If you have already published this data, please provide us a link to the public posting.

Note: In the first version of the Top 10 in 2003, we started with the MITRE CVE data, and each update expanded the number of prevalence data contributors. Unfortunately, the CVE data for 2011/2012 wasn't available for the 2013 release, which is why its not included this year.

=Suggested Enhancements=
Note: This is a wiki - please add new suggestions into this page.

# Use a public wiki or [http://code.google.com/p/owasptop10/issues/list google issues] to capture feedback - mailing lists are tough and things get lost
# Use a public wiki to allow for public edits, not just feedback. These edits will all be tracked with rollback capabilities for editing and will allow the history of Top 10 edit history to be "public" for maximum "open" and "visibility".
# Establish a Top 10 panel to evaluate and make final decisions on inclusion & ranking
#* Not feasible for everyone to vote on every item
#* A diverse panel representing various verticals (vendor, enterprise, offense/defense, etc)
# Additional data sources could be considered (please add links)
#* WASC [http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database Web Hacking Incident Database]
#** [https://www.google.com/fusiontables/DataSource?snapid=S91371616ef WHID Top Attack Methods for 2012]
#** [https://www.google.com/fusiontables/DataSource?snapid=S91371786H4 WHID Top App Weaknesses for 2012]
#* Firehosts Web Application Attack Reports
#** [http://www.firehost.com/company/newsroom/web-application-attack-report-fourth-quarter-2012 Web Application Attack Report for Q4 2012]
#* Imperva's Web Application Attack Reports
#** [http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed3.pdf Web Application Attack Report for Q3 2012]
#* Prolexic Attack Report
#** [http://www.prolexic.com/pdf/Prolexic_Q212_Attack_Report_071212.pdf DDoS Attack Report for Q2 2012]
# Additional reports could be considered:
#* Annual Symantec Internet Threat Reports
#* Datalossdb
#* IBM XForce threat reports
#* Akamai State of the Internet Reports
# Public forum to brainstorm and discuss key topics
# Remove corporate logos from the Top Ten PDF and provide a "Who we are" link similar to Apache for maximum vendor neutrality: http://hadoop.apache.org/who.html

=FAQ=

# The Three Cycle Reasons. Why OWASP Top 10 is release every three year cycle?
Here are the reasons:
a) The field does evolve pretty quick but Top 10 risks not substantially change every single year. Release every year is too much. 
b) It takes a lot of work to produce OWASP Top 10 update and spacing it out balances between the effort to produce and the amount of change when its updated. 
c) Lots of organizations, tools, etc, organize to the OWASP Top 10. So if it was published every single year, then everyone that chooses to align themselves to each update would have to do that work every year. 
# ...

Top 10 2013/ProjectMethodology

2013-03-27T07:31:08Z

Zakiakhmad: /* FAQ */

=Goal=
'''The goal of this page is to provide the baseline of knowledge to begin a thoughtful conversation of enhancements and changes to continue growing the OWASP top 10.'''

=About=

This page is intended to provide greater clarity on the development methodology of the OWASP Top 10. This page provides information on the data sources used as input to the top 10, the current development processes, suggestions to improve involvement and participation, and also an FAQ to cover common questions & concerns.

This is a wiki and editable by anyone with an OWASP account. Please constructively contribute to the conversation. Additional discussions should also take place within the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP top 10 mailing list].

=Current Methodology=
The 2010 and later versions of OWASP Top 10 are organized based on the [[OWASP_Risk_Rating_Methodology]], adjusted for the fact that the Top 10 is independent of any particular system. This adjusted methodology is documented in the OWASP Top 10 for 2010 here: [[Top_10_2010-Notes_About_Risk]].

This resulted in 4 risk factors used to calculate the order of the Top 10, 3 Likelihood Factors and 1 Impact Factor. These factors are:
* Likelihood of an Application Having that Vulnerability (Prevalence)
* Likelihood of an Attacker Discovering that Vulnerability (Detectability)
* Likelihood of An Attacker Successfully Exploiting that Vulnerability (Exploitability)
* Typical Technical Impact if that Vulnerability is Successfully Exploited (Impact)
Each of these factors is scored on a scale from 1 through 3, except for XSS, which has a prevalence of 4

The Top 10 uses data sources provided by a variety of companies (see [[Top_10_2013/ProjectMethodology#Current_Data_Sources sources]]) to calculate Vulnerability Prevalence. We would love to use similar data to help calculate the scores for the other risk factors if that data is available (which is one of the improvement suggestions recommended below).

The process for producing an update to the OWASP Top 10 is generally as follows:
# Collect prevalence data from data suppliers.
# Rank prevalence data for each supplier and then aggregate the results to create an overall prevalence ranking for this update to the Top 10.
# Determine the values of the other risk factors based on professional opinion. (This step not done prior to 2010)
#* Adjustments are sometimes done based on professional opinion (like adding CSRF in 2007, and Vulnerable Libraries in 2013)
# Calculate the Top 10 order
# Write a Draft/Release Candidate
# For 2010, a Draft was reviewed by the Data Contributors and other members of the OWASP Community, and the core commenters/contributors to the Release Candidate and Final Release were acknowledged here: [[Top_10_2010-Introduction]] (About 15 individuals/groups)
#* Note, for 2013 this internal project review step was eliminated in order to get the release candidate out for public comment faster
# Publish Release Candidate for public comment (Prior to 2010 there was no release candidate, just a final release)
# Accept comments during a comment period
# Interact with comment providers to update the Top 10
# Publish all provided comments
# Publish a Final Release

This certainly doesn't cover every nuance of what it takes to produce the Top 10. For example, one of the most common comments is "Why don't you combine these two items into one to make room for my favorite Risk?". Like combining XSS into Injection, since XSS is really just a client side injection issue. The goal of the OWASP Top 10 is to raise awareness of the most important Risks, not to include every possible Risk we can stuff into the Top 10. So, in some cases, we've kept related issues separate to try to increase awareness of each issue. But there is always debate as to what's best, which is clearly subjective. In the 2013 release candidate, we combined cryptographic storage and communications into a single category, and then pulled use of known vulnerable libraries out of the Security Misconfiguration category in order to bring more attention to the use of Known Vulnerable Libraries since we believe this is an extremely important issue that deserves more attention as the use of libraries becomes more and more prevalent. In past updates, to make room for new issues, we dropped the least important issues, like error handling and denial of service, which some people agreed with, but others did not.

In 2010, the Release Candidate process worked like this:
# It was open for public comment for several months
# Dave Wichers, primarily, interacted via email with each comment provider to address their comments or provide rationale as to why no change was thought to be most appropriate.
# All provided comments were published at:
#* [http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 - 2010 Public Comments], and
#* [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf Kai Jendrian's Top 10 - 2010 Comments]
# The final version was published.

In 2013, the process is currently like so:
# Public comment period of Release Candidate is currently from February through end of March 2013. (This can be extended if necessary)
# We were planning on following the same process as for 2010 to complete the Top 10, but clearly the OWASP Community wants to get more heavily involved in producing the Final Release, which is great.
# So, at this point, the process for completing the 2013 Top 10 is TBD, subject to your input/suggestions.

=Current Prevalence Data Sources=
* Aspect Security
* HP (Results for both Fortify and WebInspect)
* Minded Security - [http://blog.mindedsecurity.com/2013/02/real-life-vulnerabilities-statistics.html Statistics]
* Softtek
* Trustwave Spiderlabs - [http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf Statistics]
* Veracode – [http://info.veracode.com/rs/veracode/images/VERACODE-SOSS-V4.PDF Statistics]
* WhiteHat Security – [https://www.whitehatsec.com/home/resource/stats.html Statistics]

If you would like to contribute your vulnerability statistics to the OWASP Top 10 project, please send your data to: dave.wichers@owasp.org. Please indicate if its OK for OWASP to publish this raw data. If you have already published this data, please provide us a link to the public posting.

Note: In the first version of the Top 10 in 2003, we started with the MITRE CVE data, and each update expanded the number of prevalence data contributors. Unfortunately, the CVE data for 2011/2012 wasn't available for the 2013 release, which is why its not included this year.

=Suggested Enhancements=
Note: This is a wiki - please add new suggestions into this page.

# Use a public wiki or [http://code.google.com/p/owasptop10/issues/list google issues] to capture feedback - mailing lists are tough and things get lost
# Use a public wiki to allow for public edits, not just feedback. These edits will all be tracked with rollback capabilities for editing and will allow the history of Top 10 edit history to be "public" for maximum "open" and "visibility".
# Establish a Top 10 panel to evaluate and make final decisions on inclusion & ranking
#* Not feasible for everyone to vote on every item
#* A diverse panel representing various verticals (vendor, enterprise, offense/defense, etc)
# Additional data sources could be considered (please add links)
#* WASC [http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database Web Hacking Incident Database]
#** [https://www.google.com/fusiontables/DataSource?snapid=S91371616ef WHID Top Attack Methods for 2012]
#** [https://www.google.com/fusiontables/DataSource?snapid=S91371786H4 WHID Top App Weaknesses for 2012]
#* Firehosts Web Application Attack Reports
#** [http://www.firehost.com/company/newsroom/web-application-attack-report-fourth-quarter-2012 Web Application Attack Report for Q4 2012]
#* Imperva's Web Application Attack Reports
#** [http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed3.pdf Web Application Attack Report for Q3 2012]
#* Prolexic Attack Report
#** [http://www.prolexic.com/pdf/Prolexic_Q212_Attack_Report_071212.pdf DDoS Attack Report for Q2 2012]
# Additional reports could be considered:
#* Annual Symantec Internet Threat Reports
#* Datalossdb
#* IBM XForce threat reports
#* Akamai State of the Internet Reports
# Public forum to brainstorm and discuss key topics
# Remove corporate logos from the Top Ten PDF and provide a "Who we are" link similar to Apache for maximum vendor neutrality: http://hadoop.apache.org/who.html

=FAQ=
# The Three Cycle Reasons. Why OWASP Top 10 is release every three year cycle?
:Here are the reasons:
a) The field does evolve pretty quick but Top 10 risks not substantially change every single year. Release every year is too much. 
b) It takes a lot of work to produce OWASP Top 10 update and spacing it out balances between the effort to produce and the amount of change when its updated. 
c) Lots of organizations, tools, etc, organize to the OWASP Top 10. So if it was published every single year, then everyone that chooses to align themselves to each update would have to do that work every year. 
# ...

Top 10 2013/ProjectMethodology

2013-03-27T07:30:38Z

Zakiakhmad: /* FAQ */

=Goal=
'''The goal of this page is to provide the baseline of knowledge to begin a thoughtful conversation of enhancements and changes to continue growing the OWASP top 10.'''

=About=

This page is intended to provide greater clarity on the development methodology of the OWASP Top 10. This page provides information on the data sources used as input to the top 10, the current development processes, suggestions to improve involvement and participation, and also an FAQ to cover common questions & concerns.

This is a wiki and editable by anyone with an OWASP account. Please constructively contribute to the conversation. Additional discussions should also take place within the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP top 10 mailing list].

=Current Methodology=
The 2010 and later versions of OWASP Top 10 are organized based on the [[OWASP_Risk_Rating_Methodology]], adjusted for the fact that the Top 10 is independent of any particular system. This adjusted methodology is documented in the OWASP Top 10 for 2010 here: [[Top_10_2010-Notes_About_Risk]].

This resulted in 4 risk factors used to calculate the order of the Top 10, 3 Likelihood Factors and 1 Impact Factor. These factors are:
* Likelihood of an Application Having that Vulnerability (Prevalence)
* Likelihood of an Attacker Discovering that Vulnerability (Detectability)
* Likelihood of An Attacker Successfully Exploiting that Vulnerability (Exploitability)
* Typical Technical Impact if that Vulnerability is Successfully Exploited (Impact)
Each of these factors is scored on a scale from 1 through 3, except for XSS, which has a prevalence of 4

The Top 10 uses data sources provided by a variety of companies (see [[Top_10_2013/ProjectMethodology#Current_Data_Sources sources]]) to calculate Vulnerability Prevalence. We would love to use similar data to help calculate the scores for the other risk factors if that data is available (which is one of the improvement suggestions recommended below).

The process for producing an update to the OWASP Top 10 is generally as follows:
# Collect prevalence data from data suppliers.
# Rank prevalence data for each supplier and then aggregate the results to create an overall prevalence ranking for this update to the Top 10.
# Determine the values of the other risk factors based on professional opinion. (This step not done prior to 2010)
#* Adjustments are sometimes done based on professional opinion (like adding CSRF in 2007, and Vulnerable Libraries in 2013)
# Calculate the Top 10 order
# Write a Draft/Release Candidate
# For 2010, a Draft was reviewed by the Data Contributors and other members of the OWASP Community, and the core commenters/contributors to the Release Candidate and Final Release were acknowledged here: [[Top_10_2010-Introduction]] (About 15 individuals/groups)
#* Note, for 2013 this internal project review step was eliminated in order to get the release candidate out for public comment faster
# Publish Release Candidate for public comment (Prior to 2010 there was no release candidate, just a final release)
# Accept comments during a comment period
# Interact with comment providers to update the Top 10
# Publish all provided comments
# Publish a Final Release

This certainly doesn't cover every nuance of what it takes to produce the Top 10. For example, one of the most common comments is "Why don't you combine these two items into one to make room for my favorite Risk?". Like combining XSS into Injection, since XSS is really just a client side injection issue. The goal of the OWASP Top 10 is to raise awareness of the most important Risks, not to include every possible Risk we can stuff into the Top 10. So, in some cases, we've kept related issues separate to try to increase awareness of each issue. But there is always debate as to what's best, which is clearly subjective. In the 2013 release candidate, we combined cryptographic storage and communications into a single category, and then pulled use of known vulnerable libraries out of the Security Misconfiguration category in order to bring more attention to the use of Known Vulnerable Libraries since we believe this is an extremely important issue that deserves more attention as the use of libraries becomes more and more prevalent. In past updates, to make room for new issues, we dropped the least important issues, like error handling and denial of service, which some people agreed with, but others did not.

In 2010, the Release Candidate process worked like this:
# It was open for public comment for several months
# Dave Wichers, primarily, interacted via email with each comment provider to address their comments or provide rationale as to why no change was thought to be most appropriate.
# All provided comments were published at:
#* [http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 - 2010 Public Comments], and
#* [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf Kai Jendrian's Top 10 - 2010 Comments]
# The final version was published.

In 2013, the process is currently like so:
# Public comment period of Release Candidate is currently from February through end of March 2013. (This can be extended if necessary)
# We were planning on following the same process as for 2010 to complete the Top 10, but clearly the OWASP Community wants to get more heavily involved in producing the Final Release, which is great.
# So, at this point, the process for completing the 2013 Top 10 is TBD, subject to your input/suggestions.

=Current Prevalence Data Sources=
* Aspect Security
* HP (Results for both Fortify and WebInspect)
* Minded Security - [http://blog.mindedsecurity.com/2013/02/real-life-vulnerabilities-statistics.html Statistics]
* Softtek
* Trustwave Spiderlabs - [http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf Statistics]
* Veracode – [http://info.veracode.com/rs/veracode/images/VERACODE-SOSS-V4.PDF Statistics]
* WhiteHat Security – [https://www.whitehatsec.com/home/resource/stats.html Statistics]

If you would like to contribute your vulnerability statistics to the OWASP Top 10 project, please send your data to: dave.wichers@owasp.org. Please indicate if its OK for OWASP to publish this raw data. If you have already published this data, please provide us a link to the public posting.

Note: In the first version of the Top 10 in 2003, we started with the MITRE CVE data, and each update expanded the number of prevalence data contributors. Unfortunately, the CVE data for 2011/2012 wasn't available for the 2013 release, which is why its not included this year.

=Suggested Enhancements=
Note: This is a wiki - please add new suggestions into this page.

# Use a public wiki or [http://code.google.com/p/owasptop10/issues/list google issues] to capture feedback - mailing lists are tough and things get lost
# Use a public wiki to allow for public edits, not just feedback. These edits will all be tracked with rollback capabilities for editing and will allow the history of Top 10 edit history to be "public" for maximum "open" and "visibility".
# Establish a Top 10 panel to evaluate and make final decisions on inclusion & ranking
#* Not feasible for everyone to vote on every item
#* A diverse panel representing various verticals (vendor, enterprise, offense/defense, etc)
# Additional data sources could be considered (please add links)
#* WASC [http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database Web Hacking Incident Database]
#** [https://www.google.com/fusiontables/DataSource?snapid=S91371616ef WHID Top Attack Methods for 2012]
#** [https://www.google.com/fusiontables/DataSource?snapid=S91371786H4 WHID Top App Weaknesses for 2012]
#* Firehosts Web Application Attack Reports
#** [http://www.firehost.com/company/newsroom/web-application-attack-report-fourth-quarter-2012 Web Application Attack Report for Q4 2012]
#* Imperva's Web Application Attack Reports
#** [http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed3.pdf Web Application Attack Report for Q3 2012]
#* Prolexic Attack Report
#** [http://www.prolexic.com/pdf/Prolexic_Q212_Attack_Report_071212.pdf DDoS Attack Report for Q2 2012]
# Additional reports could be considered:
#* Annual Symantec Internet Threat Reports
#* Datalossdb
#* IBM XForce threat reports
#* Akamai State of the Internet Reports
# Public forum to brainstorm and discuss key topics
# Remove corporate logos from the Top Ten PDF and provide a "Who we are" link similar to Apache for maximum vendor neutrality: http://hadoop.apache.org/who.html

=FAQ=
# The Three Cycle Reasons. Why OWASP Top 10 is release every three year cycle?
: Here are the reasons:
a) The field does evolve pretty quick but Top 10 risks not substantially change every single year. Release every year is too much.
b) It takes a lot of work to produce OWASP Top 10 update and spacing it out balances between the effort to produce and the amount of change when its updated.
c) Lots of organizations, tools, etc, organize to the OWASP Top 10. So if it was published every single year, then everyone that chooses to align themselves to each update would have to do that work every year.
# ...

Top 10 2013/ProjectMethodology

2013-03-27T07:29:15Z

Zakiakhmad: /* FAQ */

=Goal=
'''The goal of this page is to provide the baseline of knowledge to begin a thoughtful conversation of enhancements and changes to continue growing the OWASP top 10.'''

=About=

This page is intended to provide greater clarity on the development methodology of the OWASP Top 10. This page provides information on the data sources used as input to the top 10, the current development processes, suggestions to improve involvement and participation, and also an FAQ to cover common questions & concerns.

This is a wiki and editable by anyone with an OWASP account. Please constructively contribute to the conversation. Additional discussions should also take place within the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP top 10 mailing list].

=Current Methodology=
The 2010 and later versions of OWASP Top 10 are organized based on the [[OWASP_Risk_Rating_Methodology]], adjusted for the fact that the Top 10 is independent of any particular system. This adjusted methodology is documented in the OWASP Top 10 for 2010 here: [[Top_10_2010-Notes_About_Risk]].

This resulted in 4 risk factors used to calculate the order of the Top 10, 3 Likelihood Factors and 1 Impact Factor. These factors are:
* Likelihood of an Application Having that Vulnerability (Prevalence)
* Likelihood of an Attacker Discovering that Vulnerability (Detectability)
* Likelihood of An Attacker Successfully Exploiting that Vulnerability (Exploitability)
* Typical Technical Impact if that Vulnerability is Successfully Exploited (Impact)
Each of these factors is scored on a scale from 1 through 3, except for XSS, which has a prevalence of 4

The Top 10 uses data sources provided by a variety of companies (see [[Top_10_2013/ProjectMethodology#Current_Data_Sources sources]]) to calculate Vulnerability Prevalence. We would love to use similar data to help calculate the scores for the other risk factors if that data is available (which is one of the improvement suggestions recommended below).

The process for producing an update to the OWASP Top 10 is generally as follows:
# Collect prevalence data from data suppliers.
# Rank prevalence data for each supplier and then aggregate the results to create an overall prevalence ranking for this update to the Top 10.
# Determine the values of the other risk factors based on professional opinion. (This step not done prior to 2010)
#* Adjustments are sometimes done based on professional opinion (like adding CSRF in 2007, and Vulnerable Libraries in 2013)
# Calculate the Top 10 order
# Write a Draft/Release Candidate
# For 2010, a Draft was reviewed by the Data Contributors and other members of the OWASP Community, and the core commenters/contributors to the Release Candidate and Final Release were acknowledged here: [[Top_10_2010-Introduction]] (About 15 individuals/groups)
#* Note, for 2013 this internal project review step was eliminated in order to get the release candidate out for public comment faster
# Publish Release Candidate for public comment (Prior to 2010 there was no release candidate, just a final release)
# Accept comments during a comment period
# Interact with comment providers to update the Top 10
# Publish all provided comments
# Publish a Final Release

This certainly doesn't cover every nuance of what it takes to produce the Top 10. For example, one of the most common comments is "Why don't you combine these two items into one to make room for my favorite Risk?". Like combining XSS into Injection, since XSS is really just a client side injection issue. The goal of the OWASP Top 10 is to raise awareness of the most important Risks, not to include every possible Risk we can stuff into the Top 10. So, in some cases, we've kept related issues separate to try to increase awareness of each issue. But there is always debate as to what's best, which is clearly subjective. In the 2013 release candidate, we combined cryptographic storage and communications into a single category, and then pulled use of known vulnerable libraries out of the Security Misconfiguration category in order to bring more attention to the use of Known Vulnerable Libraries since we believe this is an extremely important issue that deserves more attention as the use of libraries becomes more and more prevalent. In past updates, to make room for new issues, we dropped the least important issues, like error handling and denial of service, which some people agreed with, but others did not.

In 2010, the Release Candidate process worked like this:
# It was open for public comment for several months
# Dave Wichers, primarily, interacted via email with each comment provider to address their comments or provide rationale as to why no change was thought to be most appropriate.
# All provided comments were published at:
#* [http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 - 2010 Public Comments], and
#* [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf Kai Jendrian's Top 10 - 2010 Comments]
# The final version was published.

In 2013, the process is currently like so:
# Public comment period of Release Candidate is currently from February through end of March 2013. (This can be extended if necessary)
# We were planning on following the same process as for 2010 to complete the Top 10, but clearly the OWASP Community wants to get more heavily involved in producing the Final Release, which is great.
# So, at this point, the process for completing the 2013 Top 10 is TBD, subject to your input/suggestions.

=Current Prevalence Data Sources=
* Aspect Security
* HP (Results for both Fortify and WebInspect)
* Minded Security - [http://blog.mindedsecurity.com/2013/02/real-life-vulnerabilities-statistics.html Statistics]
* Softtek
* Trustwave Spiderlabs - [http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf Statistics]
* Veracode – [http://info.veracode.com/rs/veracode/images/VERACODE-SOSS-V4.PDF Statistics]
* WhiteHat Security – [https://www.whitehatsec.com/home/resource/stats.html Statistics]

If you would like to contribute your vulnerability statistics to the OWASP Top 10 project, please send your data to: dave.wichers@owasp.org. Please indicate if its OK for OWASP to publish this raw data. If you have already published this data, please provide us a link to the public posting.

Note: In the first version of the Top 10 in 2003, we started with the MITRE CVE data, and each update expanded the number of prevalence data contributors. Unfortunately, the CVE data for 2011/2012 wasn't available for the 2013 release, which is why its not included this year.

=Suggested Enhancements=
Note: This is a wiki - please add new suggestions into this page.

# Use a public wiki or [http://code.google.com/p/owasptop10/issues/list google issues] to capture feedback - mailing lists are tough and things get lost
# Use a public wiki to allow for public edits, not just feedback. These edits will all be tracked with rollback capabilities for editing and will allow the history of Top 10 edit history to be "public" for maximum "open" and "visibility".
# Establish a Top 10 panel to evaluate and make final decisions on inclusion & ranking
#* Not feasible for everyone to vote on every item
#* A diverse panel representing various verticals (vendor, enterprise, offense/defense, etc)
# Additional data sources could be considered (please add links)
#* WASC [http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database Web Hacking Incident Database]
#** [https://www.google.com/fusiontables/DataSource?snapid=S91371616ef WHID Top Attack Methods for 2012]
#** [https://www.google.com/fusiontables/DataSource?snapid=S91371786H4 WHID Top App Weaknesses for 2012]
#* Firehosts Web Application Attack Reports
#** [http://www.firehost.com/company/newsroom/web-application-attack-report-fourth-quarter-2012 Web Application Attack Report for Q4 2012]
#* Imperva's Web Application Attack Reports
#** [http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed3.pdf Web Application Attack Report for Q3 2012]
#* Prolexic Attack Report
#** [http://www.prolexic.com/pdf/Prolexic_Q212_Attack_Report_071212.pdf DDoS Attack Report for Q2 2012]
# Additional reports could be considered:
#* Annual Symantec Internet Threat Reports
#* Datalossdb
#* IBM XForce threat reports
#* Akamai State of the Internet Reports
# Public forum to brainstorm and discuss key topics
# Remove corporate logos from the Top Ten PDF and provide a "Who we are" link similar to Apache for maximum vendor neutrality: http://hadoop.apache.org/who.html

=FAQ=
# The Three Cycle Reasons. Why OWASP Top 10 is release every three year cycle?
: Here are three reasons why OWASP release its Top 10 every three year:
##The field does evolve pretty quick but Top 10 risks not substantially change every single year. Release every year is too much.
## It takes a lot of work to produce OWASP Top 10 update and spacing it out balances between the effort to produce and the amount of change when its updated.
## Lots of organizations, tools, etc, organize to the OWASP Top 10. So if it was published every single year, then everyone that chooses to align themselves to each update would have to do that work every year.
# ...

Top 10 2013/ProjectMethodology

2013-03-27T07:28:54Z

Zakiakhmad: /* FAQ */ Add why three year cycles reasons

=Goal=
'''The goal of this page is to provide the baseline of knowledge to begin a thoughtful conversation of enhancements and changes to continue growing the OWASP top 10.'''

=About=

This page is intended to provide greater clarity on the development methodology of the OWASP Top 10. This page provides information on the data sources used as input to the top 10, the current development processes, suggestions to improve involvement and participation, and also an FAQ to cover common questions & concerns.

This is a wiki and editable by anyone with an OWASP account. Please constructively contribute to the conversation. Additional discussions should also take place within the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP top 10 mailing list].

=Current Methodology=
The 2010 and later versions of OWASP Top 10 are organized based on the [[OWASP_Risk_Rating_Methodology]], adjusted for the fact that the Top 10 is independent of any particular system. This adjusted methodology is documented in the OWASP Top 10 for 2010 here: [[Top_10_2010-Notes_About_Risk]].

This resulted in 4 risk factors used to calculate the order of the Top 10, 3 Likelihood Factors and 1 Impact Factor. These factors are:
* Likelihood of an Application Having that Vulnerability (Prevalence)
* Likelihood of an Attacker Discovering that Vulnerability (Detectability)
* Likelihood of An Attacker Successfully Exploiting that Vulnerability (Exploitability)
* Typical Technical Impact if that Vulnerability is Successfully Exploited (Impact)
Each of these factors is scored on a scale from 1 through 3, except for XSS, which has a prevalence of 4

The Top 10 uses data sources provided by a variety of companies (see [[Top_10_2013/ProjectMethodology#Current_Data_Sources sources]]) to calculate Vulnerability Prevalence. We would love to use similar data to help calculate the scores for the other risk factors if that data is available (which is one of the improvement suggestions recommended below).

The process for producing an update to the OWASP Top 10 is generally as follows:
# Collect prevalence data from data suppliers.
# Rank prevalence data for each supplier and then aggregate the results to create an overall prevalence ranking for this update to the Top 10.
# Determine the values of the other risk factors based on professional opinion. (This step not done prior to 2010)
#* Adjustments are sometimes done based on professional opinion (like adding CSRF in 2007, and Vulnerable Libraries in 2013)
# Calculate the Top 10 order
# Write a Draft/Release Candidate
# For 2010, a Draft was reviewed by the Data Contributors and other members of the OWASP Community, and the core commenters/contributors to the Release Candidate and Final Release were acknowledged here: [[Top_10_2010-Introduction]] (About 15 individuals/groups)
#* Note, for 2013 this internal project review step was eliminated in order to get the release candidate out for public comment faster
# Publish Release Candidate for public comment (Prior to 2010 there was no release candidate, just a final release)
# Accept comments during a comment period
# Interact with comment providers to update the Top 10
# Publish all provided comments
# Publish a Final Release

This certainly doesn't cover every nuance of what it takes to produce the Top 10. For example, one of the most common comments is "Why don't you combine these two items into one to make room for my favorite Risk?". Like combining XSS into Injection, since XSS is really just a client side injection issue. The goal of the OWASP Top 10 is to raise awareness of the most important Risks, not to include every possible Risk we can stuff into the Top 10. So, in some cases, we've kept related issues separate to try to increase awareness of each issue. But there is always debate as to what's best, which is clearly subjective. In the 2013 release candidate, we combined cryptographic storage and communications into a single category, and then pulled use of known vulnerable libraries out of the Security Misconfiguration category in order to bring more attention to the use of Known Vulnerable Libraries since we believe this is an extremely important issue that deserves more attention as the use of libraries becomes more and more prevalent. In past updates, to make room for new issues, we dropped the least important issues, like error handling and denial of service, which some people agreed with, but others did not.

In 2010, the Release Candidate process worked like this:
# It was open for public comment for several months
# Dave Wichers, primarily, interacted via email with each comment provider to address their comments or provide rationale as to why no change was thought to be most appropriate.
# All provided comments were published at:
#* [http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 - 2010 Public Comments], and
#* [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf Kai Jendrian's Top 10 - 2010 Comments]
# The final version was published.

In 2013, the process is currently like so:
# Public comment period of Release Candidate is currently from February through end of March 2013. (This can be extended if necessary)
# We were planning on following the same process as for 2010 to complete the Top 10, but clearly the OWASP Community wants to get more heavily involved in producing the Final Release, which is great.
# So, at this point, the process for completing the 2013 Top 10 is TBD, subject to your input/suggestions.

=Current Prevalence Data Sources=
* Aspect Security
* HP (Results for both Fortify and WebInspect)
* Minded Security - [http://blog.mindedsecurity.com/2013/02/real-life-vulnerabilities-statistics.html Statistics]
* Softtek
* Trustwave Spiderlabs - [http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf Statistics]
* Veracode – [http://info.veracode.com/rs/veracode/images/VERACODE-SOSS-V4.PDF Statistics]
* WhiteHat Security – [https://www.whitehatsec.com/home/resource/stats.html Statistics]

If you would like to contribute your vulnerability statistics to the OWASP Top 10 project, please send your data to: dave.wichers@owasp.org. Please indicate if its OK for OWASP to publish this raw data. If you have already published this data, please provide us a link to the public posting.

Note: In the first version of the Top 10 in 2003, we started with the MITRE CVE data, and each update expanded the number of prevalence data contributors. Unfortunately, the CVE data for 2011/2012 wasn't available for the 2013 release, which is why its not included this year.

=Suggested Enhancements=
Note: This is a wiki - please add new suggestions into this page.

# Use a public wiki or [http://code.google.com/p/owasptop10/issues/list google issues] to capture feedback - mailing lists are tough and things get lost
# Use a public wiki to allow for public edits, not just feedback. These edits will all be tracked with rollback capabilities for editing and will allow the history of Top 10 edit history to be "public" for maximum "open" and "visibility".
# Establish a Top 10 panel to evaluate and make final decisions on inclusion & ranking
#* Not feasible for everyone to vote on every item
#* A diverse panel representing various verticals (vendor, enterprise, offense/defense, etc)
# Additional data sources could be considered (please add links)
#* WASC [http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database Web Hacking Incident Database]
#** [https://www.google.com/fusiontables/DataSource?snapid=S91371616ef WHID Top Attack Methods for 2012]
#** [https://www.google.com/fusiontables/DataSource?snapid=S91371786H4 WHID Top App Weaknesses for 2012]
#* Firehosts Web Application Attack Reports
#** [http://www.firehost.com/company/newsroom/web-application-attack-report-fourth-quarter-2012 Web Application Attack Report for Q4 2012]
#* Imperva's Web Application Attack Reports
#** [http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed3.pdf Web Application Attack Report for Q3 2012]
#* Prolexic Attack Report
#** [http://www.prolexic.com/pdf/Prolexic_Q212_Attack_Report_071212.pdf DDoS Attack Report for Q2 2012]
# Additional reports could be considered:
#* Annual Symantec Internet Threat Reports
#* Datalossdb
#* IBM XForce threat reports
#* Akamai State of the Internet Reports
# Public forum to brainstorm and discuss key topics
# Remove corporate logos from the Top Ten PDF and provide a "Who we are" link similar to Apache for maximum vendor neutrality: http://hadoop.apache.org/who.html

=FAQ=
# The Three Cycle Reasons. Why OWASP Top 10 is release every three year cycle?
: Here are three reasons why OWASP release its Top 10 every three year:
: #The field does evolve pretty quick but Top 10 risks not substantially change every single year. Release every year is too much.
: # It takes a lot of work to produce OWASP Top 10 update and spacing it out balances between the effort to produce and the amount of change when its updated.
: # Lots of organizations, tools, etc, organize to the OWASP Top 10. So if it was published every single year, then everyone that chooses to align themselves to each update would have to do that work every year.
# ...

Category:OWASP Video

2013-01-09T06:14:39Z

Zakiakhmad: /* OWASP Summit 2011 */ add my youtube collection

<div style="font-size:7pt;">
<div align="center">

<openx></openx>

Disclaimer: Banner ads are not endorsements, and reflect the messages of the advertiser only. | [https://www.owasp.org/index.php/Advertising More Information]</div></div>

== Welcome to the OWASP Video Collection ==

OWASP attempts to make videos of presentations made by our members and at our conferences concerning application security whenever possible. The slides for most of these presentations are available, linked to the conference agendas (please link them if possible!).

== Videos ==
{{Social Media Links}}

=== OWASP AppSecUSA 2011 ===
[http://2011.appsecusa.org/schedule.html#slides_video Videos and Slides]

=== OWASP Summit 2011 ===
OWASP Summit 2011 Vimeo videos are available at
* [http://vimeo.com/channels/owaspsummit http://vimeo.com/channels/owaspsummit].
* http://www.vimeo.com/25335824
* [http://www.youtube.com/watch?v=GRWCgbZF3_g Chapter Leader Session]
* [http://www.youtube.com/watch?v=O0eD-CeQld4 Browser Security]
* [http://www.youtube.com/watch?v=ZB2JM4xgtBQ ESAPI]
* [http://www.youtube.com/watch?v=w6nuPCxCyC8 Governance Session #1]
* [http://www.youtube.com/watch?v=6HnA3NY7gR0 Governance Session #2]
* [http://www.youtube.com/watch?v=VKrxVTenV7I Mobile Security]
* [http://www.youtube.com/watch?v=RStrwZGgz0U Wrap Up Session #1]
* [http://www.youtube.com/watch?v=_pV8RvaBIfg Wrap Up Session #2]

===OWASP Appsec Tutorial Series===
OWASP Appsec Tutorial Series [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series Click Here]

===OWASP Appsec DC 2010===
OWASP Appsec DC 2010 [http://vimeo.com/groups/asdc10/videos/sort:plays Click Here]

===OWASP USA 2010===
OWASP USA 2010 [http://vimeo.com/user4863863/videos/sort:plays Click Here]

===OWASP EU 2010===
OWASP Stockholm Sweden 2010 [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#tab=June_23 Click Here] and [http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#tab=June_24 Click Here]

=== OWASP FROC 2010 ===
FROC 2010 - [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010#tab=Agenda Click Here]

=== OWASP USA 2009 ===
APPSEC DC 2009 - [http://www.owasp.org/index.php/OWASP_AppSec_DC_2009_Schedule#tab=Talks_11.2F12 Click Here]

=== OWASP EU ===
OWASP EU 2009 - [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland#tab=Conference_-_May_13 Here] and [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland#tab=Conference_-_May_14 Here]

=== OWASP Israel 2008 ===
[https://www.owasp.org/index.php/OWASP_Israel_2008_Conference_at_the_Interdisciplinary_Center_Herzliya_(IDC) Click Here]

=== OWASP USA 2008 ===
[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Click Here]

=== SnowFROC ===
;[http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009 OWASP SnowFROC from Denver, CO 2009]

=== OWASP Minneapolis/St. Paul (OWASP MSP) ===

Presentations from the [[Minneapolis St Paul | OWASP Minneapolis-St. Paul (OWASP MSP) chapter]] events hosted in the Twin Cities area of Minnesota are now on their own page. Please visit [[OWASPMSP_Videos]] page for links to them. Some of the presenters include Pravir Chandra, Bruce Schneier, Jeremiah Grossman, Ryan Barnett, and many others.

=== Black Hat 2006 ===

'''From Black Hat 2006:'''

;[http://video.google.com/videoplay?docid=941077664562737284&q=owasp Dinis Cruz @ BlackHat 2006 with FSTV]
:Dinis Cruz, leader of the OWASP.NET project joins us to talk about .NET, web security tools, the future of OWASP, and Open Source Software. OWASP - 30 min - Aug 30, 2006

=== AppSec Washington 2005 ===

'''From the [[AppSec_Washington_2005/Agenda | 2nd U.S. OWASP Conference held Oct 11-12, 2005]] - Day 1:'''

;[http://video.google.com/videoplay?docid=-2481289516847680871&q=owasp OWASP_Intro_DaveWichers_Key_JoeJarzombek_RonRoss.mp4]
:OWASP Intro: Dave Wichers - Key Note Day 1: Joe Jarzombek - Dir. of Software Assurance - DHS - Software Assurance: Considerations for Advancing a National Strategy to Secure Cyberspace & Ron Ross -FISMA Project Lead - NIST - Status of the Federal Information Security Management Act (FISMA) Project. OWASP - 2 hr 7 min - Oct 11, 2005

;[http://video.google.com/videoplay?docid=3853779542023264815&q=owasp OWASP_JackDanahy_The_Business_Case_for_Software_Security_Assurance.mp4]
:OWASP Jack Danahy - The Business Case for Software Security Assurance. OWASP - 1 hr 2 min - Oct 11, 2005

;[http://video.google.com/videoplay?docid=5758230888370998733&q=owasp OWASP_ArianEvans_Tools_SurveyProject.mp4]
:OWASP Arian Evans - The OWASP Tools Survey Project. OWASP - 1 hr 18 min - Oct 11, 2005

;[http://video.google.com/videoplay?docid=-2492965730809426450&q=owasp OWASP_DinizCruz_Rooting_the_CLR.mp4]
:OWASP Diniz Cruz - Rooting the CLR. OWASP - 1 hr 22 min - Oct 11, 2005

;[http://video.google.com/videoplay?docid=-5233500471539001436&q=owasp OWASP_PaulBlack_RickKuhn.mp4]
:OWASP Paul Black - NIST - Developing a Reference Dataset & Rick Kuhn - NIST - Software Fault Interactions. OWASP - 1 hr 9 min - Oct 11, 2005

;[http://video.google.com/videoplay?docid=4473926180612118549&q=owasp OWASP_AlexSmolen_Application_Logic_Defense.mp4]
:OWASP Alex Smolen - Application Logic Defense. OWASP - 36 min - Oct 11, 2005

;[http://video.google.com/videoplay?docid=4379894308228900017&q=owasp OWASP_DanielCuthbert_Evolution_WebAppPenTest.mp4]
:OWASP Daniel Cuthbert - OWASP Testing Guide Lead - The Evolution Web App Pen Testing. OWASP - 1 hr 11 min - Oct 11, 2005

'''The [[AppSec_Washington_2005/Agenda | 2nd U.S. OWASP Conference]] Day 2:'''

;[http://video.google.com/videoplay?docid=-9110574247136866679&q=owasp OWASP_IraWinkler_Secrets_of_Superspies.mp4]
:OWASP Ira Winkler - Keynote Day 2: Secrets of Superspies & Jeremy Poteet - In the Line of Fire: Defending Highly Visible Targets. OWASP - 2 hr 2 min - Oct 12, 2005

;[http://video.google.com/videoplay?docid=-5332911124544076749&q=owasp OWASP_JeffWilliams_OWASP_Guide_and_Membership.mp4]
:OWASP Jeff Williams - OWASP Development Guide and OWASP Membership Plan. OWASP - 1 hr 12 min - Oct 12, 2005

;[http://video.google.com/videoplay?docid=7947858567235952851&q=owasp OWASP_DinizCruz_DotNet_Tools_Project.mp4]
:OWASP Diniz Cruz - The .Net Tools Project. OWASP - 1 hr 15 min - Oct 12, 2005

;[http://video.google.com/videoplay?docid=2018648061521175729&q=owasp OWASP_MattFisher_WormsNowTargetingWebApps.mp4]
:OWASP Matt Fisher - Worms Now Targeting Web Applications. OWASP - 49 min - Oct 12, 2005

;[http://video.google.com/videoplay?docid=8437304318271455155&q=owasp OWASP_RoganDawes_AdvancedFeaturesofWebScarab.mp4]
:OWASP Rogan Dawes - Advanced Features of OWASP WebScarab. OWASP - 1 hr 24 min - Oct 12, 2005

;[http://video.google.com/videoplay?docid=-2492965730809426450&q=owasp OWASP_JohnSteven_Building_a_Scalable_Software_Security_Practice.mp4]
:OWASP John Steven - Building a Scalable Software Security Practice. OWASP - 1 hr 19 min - Oct 12, 2005

;[http://video.google.com/videoplay?docid=-1807054604513842127&q=owasp OWASP_GunnerPeterson_IntegratingIdentityServicesintoWebApps.mp4]
:OWASP Gunnar Peterson - Integrating Identity Services into Web Apps. OWASP - 35 min - Oct 12, 2005

Indonesia

2012-11-21T08:54:36Z

Zakiakhmad:

{{Chapter Template|chaptername=Indonesia|extra=The chapter leader is [mailto:za@owasp.org Zaki Akhmad]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Indonesia|emailarchives=http://lists.owasp.org/pipermail/owasp-Indonesia}}

__NOTOC__

= Beranda =
Salam,

Selamat datang di halaman OWASP Indonesia! OWASP Indonesia merupakan salah satu ''chapter'' OWASP yang tersebar di berbagai belahan dunia. OWASP sendiri merupakan organisasi nirlaba yang fokus pada keamanan aplikasi dan web. Kehadiran OWASP Indonesia diharapkan mampu memberikan kontribusi dalam meningkatkan keamanan aplikasi & web yang ada di Indonesia.

Selamat mengeksplorasi lebih jauh OWASP Indonesia dengan membuka tab-tab yang ada di halaman ini.

= Tentang =
=== Sejarah ===
OWASP Indonesia berdiri pada tanggal 11 Juli 2007. Chapter ini pertama kali dipimpin oleh Azwar Rosyadi. Selanjutnya Azwar Rosyadi tak lagi aktif di OWASP Indonesia. Sejak Desember 2008, [[User:Zakiakhmad|Zaki Akhmad]] berinisiatif memimpin chapter ini.

=== Aktivitas ===
Hingga saat ini belum dilaksanakan pertemuan rutin. Aktivitas OWASP Indonesia baru sebatas dilakukan di milis saja. Pada Agustus 2010, Tedi Heriyanto berinisiatif mengkoordinir penerjemahan presentasi OWASP Top 10 ke Bahasa Indonesia.

= Agenda =
=== Perpanjang Domain OWASP.or.id ===
Domain OWASP.or.id telah diperpanjang hingga akhir tahun 2013. Sejauh ini server OWASP.or.id baru mencermin materi video AppSec. Apakah Anda memiliki ide agar domain ini tidak percuma diperpanjang?

=== Situs OWASP.or.id ===
Januari 2012. Saat ini OWASP Indonesia memiliki situs dengan domain [http://owasp.or.id OWASP.or.id]. Situs ini masih dalam tahap pengembangan namun sudah bisa diakses. Untuk sementara situs ini menyediakan materi-materi OWASP. Diharapkan dengan menyediakan akses lokal, materi-materi OWASP dapat lebih mudah diakses dari Indonesia.

=== Indonesia Internet Security Forum 2011 ===
Desember 2011. OWASP Indonesia akan menjadi salah satu panelis dalam acara Indonesia Internet Security Forum 2011 (IISF 2011). Acara ini akan dilaksanakan pada hari Rabu, 14 Desember 2011. Detail acara dapat dilihat pada [http://aptika.kominfo.go.id/registration/IISF2011 http://aptika.kominfo.go.id/registration/IISF2011] , atau akses berkas [[File:Agenda_IISF_Tentative_20111203.pdf]] agenda.

=== IASA Business Architecture Summit 2011 ===
Charles Lim, dari SGU, akan memberikan presentasi mengenai OWASP Top 10 dalam acara IASA Business Architecture Summit 2011. Acara akan dilaksanakan pada hari Kamis, 1 Desember 2011, pukul 14.30 - 15.00, di Hotel Sahid, Jakarta.

==== Arsip ====

=== SGU menjadi OWASP University Supporter ===
[[File:SGU_OWASPUniversitySupporter.jpg|right|300px|thumb|SGU - OWASP University Supporter]]
Pada hari Senin 25 April 2011, telah dilakukan penandatanganan MoU antara SGU dengan OWASP Indonesia. SGU saat ini telah menjadi OWASP University Supporter. SGU menjadi universitas di Indonesia yang pertama menjadi OWASP University Supporter.

=== Kopi Darat, Maret 2011 ===
Jakarta, 21 Februari 2011, rencananya pada hari Kamis 24 Maret 2011 di Senayan City akan diadakan kopi darat dengan agenda: perkenalan, rencana OWASP Indonesia, dan cerita dari OWASP Global Summit 2011.

=== Blog OWASP Indonesia ===
Jakarta, 25 Februari 2011, dibuat blog OWASP Indonesia di [http://owaspid.blogspot.com http://owaspid.blogspot.com] sebagai salah satu cara berkomunikasi dengan komunitas OWASP Indonesia.

=== Hasil Kopi Darat 23 Februari 2011===
Jakarta, 23 Februari 2011, kopi darat OWASP Indonesia dihadiri oleh Charles dan Zaki. Dilakukan pembicaraan mengenai rencana SGU menjadi OWASP University Supporter dan berbagi cerita dari OWASP Global Summit 2011.

=== Kopi Darat, Februari 2011 ===
Jakarta, 18 Februari 2011, akan diadakan kopi darat pada hari Rabu 23 Februari 2011 di Senayan City dengan agenda: SGU menjadi OWASP University Supporter dan cerita dari OWASP Global Summit 2011.

=== Partisipasi di OWASP Summit 2011 ===
Jakarta, 8 Februari 2011, Zaki dengan dukungan dari OWASP, akhirnya berangkat ke Lisbon, Portugal, untuk ikut berpartisipasi di OWASP Summit 2011.

===SGU Mengajukan Diri sebagai OWASP University Supporter===
Jakarta, 28 Januari 2011, [http://www.sgu.ac.id SGU (Swiss German University)] melalui Charles Lim mengajukan diri untuk menjadi OWASP University Supporter.

=== Penerjemahan Situs OWASP.org ===
Jakarta, 18 Januari 2011, menurut Anda perlukah situs OWASP.org diterjemahkan ke Bahasa Indonesia? Bagi mereka yang memiliki batasan bahasa, hal ini bisa bermanfaat.

=== Penerjemahan OWASP Top 10 ===

Jakarta, 17 Januari 2011, Berangkat dari inisiatif TH, baru saja diselesaikan proyek penerjemahan dokumentasi OWASP Top 10 ke bahasa Indonesia. Berikut ini adalah dokumen OWASP Top 10 yang sudah diterjemahken ke Bahasa Indonesia.

* [[File:OWASP_Top_10_-_2010_FINAL_Indonesia_v1.0.1.pdf]] OWASP Top 10 2010 Final Indonesia v1.0.1 (RC).

= Penerjemahan =
* OWASP ASVS
* [[File:OWASP_Top_10_-_2010_FINAL_Indonesia_v1.0.1.pdf]] OWASP Top 10 2010 dalam Bahasa Indonesia

= Kontribusi =

= Lain-lain =
=== ISO DVD/CD OWASP ===

Live-DVD/CD OWASP sangat membantu dalam mempelajari web application/database security. ISO Live-DVD/CD OWASP dapat diunduh di:

* [http://nebula.indocisc.co.id/~za Cermin di IIX]

Atau jika mengalami kesulitan mengunduh, silakan kontak [mailto:za@owasp.org Zaki Akhmad] disertai nama dan alamat jelas untuk dapat dikirimkan Live-DVD/CD OWASP.

= Media Sosial =
=== Milis ===

OWASP telah menyediakan milis OWASP Indonesia di mail server-nya. Untuk bergabung dapat mengirimkan email kosong ke [mailto:owasp-indonesia-subscribe@lists.owasp.org alamat ini]. Lalu ikuti instruksi berikutnya yang dikirim via email. Untuk arsip milis bisa diakses di [https://lists.owasp.org/pipermail/owasp-indonesia halaman ini].

=== Twitter ===
Silakan ikuti akun twitter [http://twitter.com/#!/owaspid @owaspid] untuk berita-berita seputar OWASP Indonesia.

<headertabs/>

[[Category:OWASP Chapter]]
[[Category:Indonesia]]
[[Category:Asia]]

Indonesia

2012-11-21T08:53:31Z

Zakiakhmad:

{{Chapter Template|chaptername=Indonesia|extra=The chapter leader is [mailto:za@owasp.org Zaki Akhmad]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Indonesia|emailarchives=http://lists.owasp.org/pipermail/owasp-Indonesia}}

__NOTOC__

= Beranda =
Salam,

Selamat datang di halaman OWASP Indonesia! OWASP Indonesia merupakan salah satu ''chapter'' OWASP yang tersebar di berbagai belahan dunia. OWASP sendiri merupakan organisasi nirlaba yang fokus pada keamanan aplikasi dan web. Kehadiran OWASP Indonesia diharapkan mampu memberikan kontribusi dalam meningkatkan keamanan aplikasi & web yang ada di Indonesia.

Selamat mengeksplorasi lebih jauh OWASP Indonesia dengan membuka tab-tab yang ada di halaman ini.

= Tentang =
=== Sejarah ===
OWASP Indonesia berdiri pada tanggal 11 Juli 2007. Chapter ini pertama kali dipimpin oleh Azwar Rosyadi. Selanjutnya Azwar Rosyadi tak lagi aktif di OWASP Indonesia. Sejak Desember 2008, [[User:Zakiakhmad|Zaki Akhmad]] berinisiatif memimpin chapter ini.

=== Aktivitas ===
Hingga saat ini belum dilaksanakan pertemuan rutin. Aktivitas OWASP Indonesia baru sebatas dilakukan di milis saja. Pada Agustus 2010, Tedi Heriyanto berinisiatif mengkoordinir penerjemahan presentasi OWASP Top 10 ke Bahasa Indonesia.

= Agenda =
=== Perpanjang Domain OWASP.or.id ===
Domain OWASP.or.id telah diperpanjang hingga akhir tahun 2013. Sejauh ini server OWASP.or.id baru mencermin materi video AppSec. Apakah Anda memiliki ide agar domain ini tidak percuma diperpanjang?

=== Situs OWASP.or.id ===
Januari 2012. Saat ini OWASP Indonesia memiliki situs dengan domain [http://owasp.or.id OWASP.or.id]. Situs ini masih dalam tahap pengembangan namun sudah bisa diakses. Untuk sementara situs ini menyediakan materi-materi OWASP. Diharapkan dengan menyediakan akses lokal, materi-materi OWASP dapat lebih mudah diakses dari Indonesia.

=== Indonesia Internet Security Forum 2011 ===
Desember 2011. OWASP Indonesia akan menjadi salah satu panelis dalam acara Indonesia Internet Security Forum 2011 (IISF 2011). Acara ini akan dilaksanakan pada hari Rabu, 14 Desember 2011. Detail acara dapat dilihat pada [http://aptika.kominfo.go.id/registration/IISF2011 http://aptika.kominfo.go.id/registration/IISF2011] , atau akses berkas [[File:Agenda_IISF_Tentative_20111203.pdf]] agenda.

=== IASA Business Architecture Summit 2011 ===
Charles Lim, dari SGU, akan memberikan presentasi mengenai OWASP Top 10 dalam acara IASA Business Architecture Summit 2011. Acara akan dilaksanakan pada hari Kamis, 1 Desember 2011, pukul 14.30 - 15.00, di Hotel Sahid, Jakarta.

==== Arsip ====

=== SGU menjadi OWASP University Supporter ===
[[File:SGU_OWASPUniversitySupporter.jpg|right|300px|thumb|SGU - OWASP University Supporter]]
Pada hari Senin 25 April 2011, telah dilakukan penandatanganan MoU antara SGU dengan OWASP Indonesia. SGU saat ini telah menjadi OWASP University Supporter. SGU menjadi universitas di Indonesia yang pertama menjadi OWASP University Supporter.

=== Kopi Darat, Maret 2011 ===
Jakarta, 21 Februari 2011, rencananya pada hari Kamis 24 Maret 2011 di Senayan City akan diadakan kopi darat dengan agenda: perkenalan, rencana OWASP Indonesia, dan cerita dari OWASP Global Summit 2011.

=== Blog OWASP Indonesia ===
Jakarta, 25 Februari 2011, dibuat blog OWASP Indonesia di [http://owaspid.blogspot.com http://owaspid.blogspot.com] sebagai salah satu cara berkomunikasi dengan komunitas OWASP Indonesia.

=== Hasil Kopi Darat 23 Februari 2011===
Jakarta, 23 Februari 2011, kopi darat OWASP Indonesia dihadiri oleh Charles dan Zaki. Dilakukan pembicaraan mengenai rencana SGU menjadi OWASP University Supporter dan berbagi cerita dari OWASP Global Summit 2011.

=== Kopi Darat, Februari 2011 ===
Jakarta, 18 Februari 2011, akan diadakan kopi darat pada hari Rabu 23 Februari 2011 di Senayan City dengan agenda: SGU menjadi OWASP University Supporter dan cerita dari OWASP Global Summit 2011.

=== Partisipasi di OWASP Summit 2011 ===
Jakarta, 8 Februari 2011, Zaki dengan dukungan dari OWASP, akhirnya berangkat ke Lisbon, Portugal, untuk ikut berpartisipasi di OWASP Summit 2011.

===SGU Mengajukan Diri sebagai OWASP University Supporter===
Jakarta, 28 Januari 2011, [http://www.sgu.ac.id SGU (Swiss German University)] melalui Charles Lim mengajukan diri untuk menjadi OWASP University Supporter.

=== Penerjemahan Situs OWASP.org ===
Jakarta, 18 Januari 2011, menurut Anda perlukah situs OWASP.org diterjemahkan ke Bahasa Indonesia? Bagi mereka yang memiliki batasan bahasa, hal ini bisa bermanfaat.

=== Penerjemahan OWASP Top 10 ===

Jakarta, 17 Januari 2011, Berangkat dari inisiatif TH, baru saja diselesaikan proyek penerjemahan dokumentasi OWASP Top 10 ke bahasa Indonesia. Berikut ini adalah dokumen OWASP Top 10 yang sudah diterjemahken ke Bahasa Indonesia.

* [[File:OWASP_Top_10_-_2010_FINAL_Indonesia_v1.0.1.pdf]] OWASP Top 10 2010 Final Indonesia v1.0.1 (RC).

= Lokalisasi =
* OWASP ASVS ''(dalam proses penerjemahan)''
* [[File:OWASP_Top_10_-_2010_FINAL_Indonesia_v1.0.1.pdf]] OWASP Top 10 2010 dalam Bahasa Indonesia

= Kontribusi =

= Lain-lain =
=== ISO DVD/CD OWASP ===

Live-DVD/CD OWASP sangat membantu dalam mempelajari web application/database security. ISO Live-DVD/CD OWASP dapat diunduh di:

* [http://nebula.indocisc.co.id/~za Cermin di IIX]

Atau jika mengalami kesulitan mengunduh, silakan kontak [mailto:za@owasp.org Zaki Akhmad] disertai nama dan alamat jelas untuk dapat dikirimkan Live-DVD/CD OWASP.

= Media Sosial =
=== Milis ===

OWASP telah menyediakan milis OWASP Indonesia di mail server-nya. Untuk bergabung dapat mengirimkan email kosong ke [mailto:owasp-indonesia-subscribe@lists.owasp.org alamat ini]. Lalu ikuti instruksi berikutnya yang dikirim via email. Untuk arsip milis bisa diakses di [https://lists.owasp.org/pipermail/owasp-indonesia halaman ini].

=== Twitter ===
Silakan ikuti akun twitter [http://twitter.com/#!/owaspid @owaspid] untuk berita-berita seputar OWASP Indonesia.

<headertabs/>

[[Category:OWASP Chapter]]
[[Category:Indonesia]]
[[Category:Asia]]

Indonesia

2012-11-21T08:53:01Z

Zakiakhmad:

{{Chapter Template|chaptername=Indonesia|extra=The chapter leader is [mailto:za@owasp.org Zaki Akhmad]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Indonesia|emailarchives=http://lists.owasp.org/pipermail/owasp-Indonesia}}

__NOTOC__

= Beranda =
Salam,

Selamat datang di halaman OWASP Indonesia! OWASP Indonesia merupakan salah satu ''chapter'' OWASP yang tersebar di berbagai belahan dunia. OWASP sendiri merupakan organisasi nirlaba yang fokus pada keamanan aplikasi dan web. Kehadiran OWASP Indonesia diharapkan mampu memberikan kontribusi dalam meningkatkan keamanan aplikasi & web yang ada di Indonesia.

Selamat mengeksplorasi lebih jauh OWASP Indonesia dengan membuka tab-tab yang ada di halaman ini.

= Tentang =
=== Sejarah ===
OWASP Indonesia berdiri pada tanggal 11 Juli 2007. Chapter ini pertama kali dipimpin oleh Azwar Rosyadi. Selanjutnya Azwar Rosyadi tak lagi aktif di OWASP Indonesia. Sejak Desember 2008, [[User:Zakiakhmad|Zaki Akhmad]] berinisiatif memimpin chapter ini.

=== Aktivitas ===
Hingga saat ini belum dilaksanakan pertemuan rutin. Aktivitas OWASP Indonesia baru sebatas dilakukan di milis saja. Pada Agustus 2010, Tedi Heriyanto berinisiatif mengkoordinir penerjemahan presentasi OWASP Top 10 ke Bahasa Indonesia.

= Agenda =
=== Perpanjang Domain OWASP.or.id ====
Domain OWASP.or.id telah diperpanjang hingga akhir tahun 2013. Sejauh ini server OWASP.or.id baru mencermin materi video AppSec. Apakah Anda memiliki ide agar domain ini tidak percuma diperpanjang?

=== Situs OWASP.or.id ===
Januari 2012. Saat ini OWASP Indonesia memiliki situs dengan domain [http://owasp.or.id OWASP.or.id]. Situs ini masih dalam tahap pengembangan namun sudah bisa diakses. Untuk sementara situs ini menyediakan materi-materi OWASP. Diharapkan dengan menyediakan akses lokal, materi-materi OWASP dapat lebih mudah diakses dari Indonesia.

=== Indonesia Internet Security Forum 2011 ===
Desember 2011. OWASP Indonesia akan menjadi salah satu panelis dalam acara Indonesia Internet Security Forum 2011 (IISF 2011). Acara ini akan dilaksanakan pada hari Rabu, 14 Desember 2011. Detail acara dapat dilihat pada [http://aptika.kominfo.go.id/registration/IISF2011 http://aptika.kominfo.go.id/registration/IISF2011] , atau akses berkas [[File:Agenda_IISF_Tentative_20111203.pdf]] agenda.

=== IASA Business Architecture Summit 2011 ===
Charles Lim, dari SGU, akan memberikan presentasi mengenai OWASP Top 10 dalam acara IASA Business Architecture Summit 2011. Acara akan dilaksanakan pada hari Kamis, 1 Desember 2011, pukul 14.30 - 15.00, di Hotel Sahid, Jakarta.

==== Arsip ====

=== SGU menjadi OWASP University Supporter ===
[[File:SGU_OWASPUniversitySupporter.jpg|right|300px|thumb|SGU - OWASP University Supporter]]
Pada hari Senin 25 April 2011, telah dilakukan penandatanganan MoU antara SGU dengan OWASP Indonesia. SGU saat ini telah menjadi OWASP University Supporter. SGU menjadi universitas di Indonesia yang pertama menjadi OWASP University Supporter.

=== Kopi Darat, Maret 2011 ===
Jakarta, 21 Februari 2011, rencananya pada hari Kamis 24 Maret 2011 di Senayan City akan diadakan kopi darat dengan agenda: perkenalan, rencana OWASP Indonesia, dan cerita dari OWASP Global Summit 2011.

=== Blog OWASP Indonesia ===
Jakarta, 25 Februari 2011, dibuat blog OWASP Indonesia di [http://owaspid.blogspot.com http://owaspid.blogspot.com] sebagai salah satu cara berkomunikasi dengan komunitas OWASP Indonesia.

=== Hasil Kopi Darat 23 Februari 2011===
Jakarta, 23 Februari 2011, kopi darat OWASP Indonesia dihadiri oleh Charles dan Zaki. Dilakukan pembicaraan mengenai rencana SGU menjadi OWASP University Supporter dan berbagi cerita dari OWASP Global Summit 2011.

=== Kopi Darat, Februari 2011 ===
Jakarta, 18 Februari 2011, akan diadakan kopi darat pada hari Rabu 23 Februari 2011 di Senayan City dengan agenda: SGU menjadi OWASP University Supporter dan cerita dari OWASP Global Summit 2011.

=== Partisipasi di OWASP Summit 2011 ===
Jakarta, 8 Februari 2011, Zaki dengan dukungan dari OWASP, akhirnya berangkat ke Lisbon, Portugal, untuk ikut berpartisipasi di OWASP Summit 2011.

===SGU Mengajukan Diri sebagai OWASP University Supporter===
Jakarta, 28 Januari 2011, [http://www.sgu.ac.id SGU (Swiss German University)] melalui Charles Lim mengajukan diri untuk menjadi OWASP University Supporter.

=== Penerjemahan Situs OWASP.org ===
Jakarta, 18 Januari 2011, menurut Anda perlukah situs OWASP.org diterjemahkan ke Bahasa Indonesia? Bagi mereka yang memiliki batasan bahasa, hal ini bisa bermanfaat.

=== Penerjemahan OWASP Top 10 ===

Jakarta, 17 Januari 2011, Berangkat dari inisiatif TH, baru saja diselesaikan proyek penerjemahan dokumentasi OWASP Top 10 ke bahasa Indonesia. Berikut ini adalah dokumen OWASP Top 10 yang sudah diterjemahken ke Bahasa Indonesia.

* [[File:OWASP_Top_10_-_2010_FINAL_Indonesia_v1.0.1.pdf]] OWASP Top 10 2010 Final Indonesia v1.0.1 (RC).

= Lokalisasi =
* OWASP ASVS ''(dalam proses penerjemahan)''
* [[File:OWASP_Top_10_-_2010_FINAL_Indonesia_v1.0.1.pdf]] OWASP Top 10 2010 dalam Bahasa Indonesia

= Kontribusi =

= Lain-lain =
=== ISO DVD/CD OWASP ===

Live-DVD/CD OWASP sangat membantu dalam mempelajari web application/database security. ISO Live-DVD/CD OWASP dapat diunduh di:

* [http://nebula.indocisc.co.id/~za Cermin di IIX]

Atau jika mengalami kesulitan mengunduh, silakan kontak [mailto:za@owasp.org Zaki Akhmad] disertai nama dan alamat jelas untuk dapat dikirimkan Live-DVD/CD OWASP.

= Media Sosial =
=== Milis ===

OWASP telah menyediakan milis OWASP Indonesia di mail server-nya. Untuk bergabung dapat mengirimkan email kosong ke [mailto:owasp-indonesia-subscribe@lists.owasp.org alamat ini]. Lalu ikuti instruksi berikutnya yang dikirim via email. Untuk arsip milis bisa diakses di [https://lists.owasp.org/pipermail/owasp-indonesia halaman ini].

=== Twitter ===
Silakan ikuti akun twitter [http://twitter.com/#!/owaspid @owaspid] untuk berita-berita seputar OWASP Indonesia.

<headertabs/>

[[Category:OWASP Chapter]]
[[Category:Indonesia]]
[[Category:Asia]]

OWTGv4 Contributors list

2012-09-06T07:04:38Z

Zakiakhmad:

'''Contributors team:''' 
> Matteo Meucci 
> Pavol Luptak 
> Marco Morana 
> Giorgio Fedon 
> Stefano Di Paola 
> Gianrico Ingrosso 
> Giuseppe Bonfà 
> Roberto Suggi Liverani 
> Robert Smith 
> Andrew Muller 
> Robert Winkel 
> tripurari rai 
> Thomas Ryan 
> tim bertels 
> Cecil Su 
> Aung KhAnt 
> Norbert Szetei 
> michael.boman 
> Wagner Elias 
> Kevin Horvat 
> Juan Galiana Lara 
> Kenan Gursoy 
> Jason Flood 
> Javier Marcos de Prado 
> Sumit Siddharth 
> Mike Hryekewicz 
> psiinon 
> Ray Schippers 
> Raul Siles 
> Jayanta Karmakar 
> Brad Causey 
> Vicente Aguilera 
> Ismael Gonçalves 
> David Fern 
> Tom Eston 
> Kevin Horvath 
> Rick.Mitchell 
> Eduardo Castellanos 
> Simone Onofri 
> Harword Sheen 
> Amro AlOlaqi 
> Suhas Desai 
> Ryan Dewhurst 
> Zaki Akhmad 

 
'''Reviewers team:''' 
 
> Paolo Perego 
> Daniel Cuthbert 
> Matthew Churcher 
> Lode Vanstechelman 
> Sebastien Gioria 
> Antonio Fontes

OWASP Testing Guide v4 Table of Contents

2012-09-06T07:03:56Z

Zakiakhmad: Fix the ToC formatting

__NOTOC__

'''This is DRAFT of the table of content of the New Testing Guide v4.''' 
 You can download the stable version [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] 

Back to the OWASP Testing Guide Project:
http://www.owasp.org/index.php/OWASP_Testing_Project

'''Updated: 31st August 2012'''

[[ OWTGv4 Contributors list|'''Contributors List]]

----

The following are the main improvements we have to realize: 

(1) - Add new testing techniques and OWASP Top10 update: 
- Testing for HTTP Verb tampering 
- Testing for HTTP Parameter Pollutions 
- Testing for URL Redirection 
- Testing for Insecure Direct Object References 
- Testing for Insecure Cryptographic Storage 
- Testing for Failure to Restrict URL Access 
- Testing for Insufficient Transport Layer Protection 
- Testing for Unvalidated Redirects and Forwards. 
 
(2) - Review and improve all the sections in v3, 
 
(3) - Create a more readable guide, eliminating some sections that are not
really useful, Rationalize some sections as Session Management Testing.

(4) Pavol says: - add new opensource testing tools that appeared during last 3 years
(and are missing in the OWASP Testing Guide v3)

- add few useful and life-scenarios of possible
vulnerabilities in Bussiness Logic Testing (many testers have no idea what
vulnerabilities in Business Logic exactly mean)

- "Brute force testing" of "session ID" is missing in "Session Management
Testing", describe other tools for Session ID entropy analysis
(e.g. Stompy)

- in "Data Validation Testing" describe some basic obfuscation methods for
malicious code injection including the statements how it is possible to
detect it (web application obfuscation is quite succesfull in bypassing
many data validation controls)

- split the phase Logout and Browser Cache Management" into two sections
 
The following is a DRAFT of the Toc based on the feedback already received.

== Table of Contents ==

==[[Testing Guide Foreword|Foreword by OWASP Chair]]==
[To review--> OWASP Chair]

==[[Testing Guide Frontispiece |1. Frontispiece]]==
[To review--> Mat]

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
[To review--> Mat]

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
[To review--> ]

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

2.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]

2.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] [To review--> Mat]

[[Testing Checklist| 4.1.1 Testing Checklist]] [To review at the end of brainstorming --> Mat]

[[Testing: Information Gathering|'''4.2 Information Gathering ''']] [To review--> contributor here]

[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]

Infrastructure Configuration management weakness 
Application Configuration management weakness 
File extensions handling 
Old, backup and unreferenced files 
Access to Admin interfaces 
Bad HTTP Methods enabled, [new] 
Informative Error Messages 
Database credentials/connection strings available 

[[Testing for authentication|'''4.4 Authentication Testing ''']]

Credentials transport over an unencrypted channel [Robert Winkel] 
User enumeration (also Guessable user account) [Robert Winkel] 
Default passwords [Robert Winkel] 
Weak lock out mechanism [New! - Robert Winkel] 
Account lockout DoS [New! - Robert Winkel] 
Bypassing authentication schema 
Directory traversal/file include 
Vulnerable remember password [Robert Winkel] 
Browser cache weakness [New!] 
Weak password policy [New! - Robert Winkel] 
Weak username policy [New! - Robert Winkel] 
Weak security question/answer [New! - Robert Winkel] 
Failure to restrict access to authenticated resource [New!] 
Weak password change function [New! - Robert Winkel] 
Testing for CAPTCHA 

[[Testing for Session Management|'''4.5 Session Management Testing''']]

Bypassing Session Management Schema 
Weak Session Token 
Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity 
Exposed sensitive session variables 
CSRF 
Session passed over http [New!] 
Session token within URL [New!] 
Session Fixation 
Session token not removed on server after logout [New!] 
Persistent session token [New!] 
Session token not restrcited properly (such as domain or path not set properly) [New!] 
Logout function not properly implemented 

[[Testing for Authorization|'''4.6 Authorization Testing''']]

Bypassing authorization schema 
Privilege Escalation 
Insecure Direct Object References 
Failure to Restrict access to authorized resource [New!] 

[[Testing for business logic (OWASP-BL-001)|'''4.7 Business Logic Testing (OWASP-BL-001)''']] [To review--> contributor here]
Business Logic 

[[Testing for Data Validation|'''4.8 Data Validation Testing''']]

Reflected XSS 
Stored XSS 
HTTP Verb Tampering [Brad Causey] 
HTTP Parameter pollution [Brad Causey] 
Unvalidated Redirects and Forwards [Brad Causey] 
SQL Injection [Brad Causey] 
LDAP Injection 
ORM Injection 
XML Injection 
SSI Injection 
XPath Injection 
SOAP Injection 
IMAP/SMTP Injection 
Code Injection 
OS Commanding 
Buffer overflow 
Incubated vulnerability 
HTTP Splitting/Smuggling 

[[Testing for Data Encryption (New!)]]

Application did not use encryption 
Weak SSL/TSL Ciphers, Insufficient 
Transport Layer Protection 
Cacheable HTTPS Response 
Cache directives insecure 
Insecure Cryptographic Storage [mainly CR Guide] 
Sensitive information sent via unencrypted
channels 

[[ XML Interpreter? (New!)]]

Weak XML Structure
XML content-level
WS HTTP GET parameters/REST
WS Naughty SOAP attachments
WS Replay Testing

[[ Client Side Testing (New!) ]]

DOM XSS 
Cross Site Flashing 
ClickHijacking 

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]] [To review--> contributor here]

[[How to write the report of the testing |5.2 How to write the report of the testing]] [To review--> contributor here]

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools [To review--> Amro. We need only tools fo webapp testing]

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers [To review--> contributor here]
* Books [To review--> contributor here]
* Useful Websites [To review--> contributor here]

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories [To review--> contributor here]

==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==

[To review--> contributor here]

----

[[Category:OWASP Testing Project]]

Projects/OWASP Secure Coding Practices - Quick Reference Guide

2012-05-23T09:05:41Z

Zakiakhmad:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>
| project_name = OWASP Secure Coding Practices - Quick Reference Guide
| project_home_page = :OWASP Secure Coding Practices - Quick Reference Guide

| project_description =

This document provides a quick high level reference for secure coding practices. It is technology agnostic and defines a set of general software security coding practices, in a checklist format, that can be integrated into the development lifecycle. Implementation of these practices will mitigate most common software vulnerabilities.

| project_license = [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']

| leader_name1 = Keith Turpin
| leader_email1 = keith.turpin@owasp.org
| leader_username1 = Keith Turpin

| contributor_name1 = Dan Kranz
| contributor_email1 =
| contributor_username1 =

| contributor_name2 = Walt Pietrowski
| contributor_email2 =
| contributor_username2 =

| contributor_name3 = Catherine Spencer
| contributor_email3 =
| contributor_username3 =

| contributor_name4 = Caleb McGary
| contributor_email4 = Caleb.mcgary@gmail.com
| contributor_username4 =

| contributor_name5 = Jim Manico
| contributor_email5 = jim.manico@owasp.org
| contributor_username5 = Jmanico

| contributor_name6 = Brad Causey
| contributor_email6 = bradcausey@owasp.org
| contributor_username6 = Bradcausey

| contributor_name7 = Ludovic Petit
| contributor_email7 = ludovic.petit@owasp.org
| contributor_username7 = Ludovic Petit

| contributor_name8 = Michael V. Scovetta
| contributor_email8 = michael.scovetta@gmail.com
| contributor_username8 =

| contributor_name9 = Jason Coleman
| contributor_email9 =
| contributor_username9 =

| contributor_name10 = Tarcizio Vieira Neto
| contributor_email10 =
| contributor_username10 =

| contributor_name11 = OWASP Korea chapter
| contributor_email11 =
| contributor_username11 =

| pamphlet_link = http://www.owasp.org/images/3/35/Flyer_Secure_Coding_Practices_Quick_Reference_Guide_V2.pdf

| presentation_link = https://www.owasp.org/images/f/fd/Secure_Coding_Practices_Quick_Ref_6.ppt

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-secure-coding-practices

| project_road_map = http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Roadmap

| links_url1 = http://vimeo.com/17018329
| links_name1 = Video - Keith Turpin presenting the Quick Reference Guide on OWASP AppSec USA 2010

| links_url2 = https://www.owasp.org/images/b/b3/OWASP_SCP_v1.3_pt-BR.pdf
| links_name2 = SCP v2 > Brazilian Portuguese Translation > PDF file

| links_url3 = https://www.owasp.org/images/6/6d/OWASP_SCP_v1.3_pt-PT.pdf
| links_name3 = SCP v2 > Portugal Portuguese Translation > PDF file

| links_url4 = https://www.owasp.org/images/8/8e/2011%EB%85%846%EC%9B%94_OWASP_%EC%8B%9C%ED%81%90%EC%96%B4%EC%BD%94%EB%94%A9%EA%B7%9C%EC%B9%99_v2_KOR.pdf
| links_name4 = SCP v2 > Korean Translation > PDF file

| links_url5 = http://www.owasp.org/images/c/c8/OWASP_SCP_Quick_Reference_Guide_SPA.doc
| links_name5 = SCP v2 > Spanish Translation > doc file

| links_url6 = http://www.owasp.org/images/5/54/Secure_Coding_Practices_Quick_Ref_5.ppt
| links_name6 = Slide - Presented by Keith Turpin on OWASP AppSec USA 2010

| release_1 = SCP v1

| release_2 = SCP v1.1

| release_3 = SCP v2

| release_4 =

| project_about_page = Projects/OWASP Secure Coding Practices - Quick Reference Guide
}}

Projects/OWASP Secure Coding Practices - Quick Reference Guide

2012-05-23T09:04:06Z

Zakiakhmad:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>
| project_name = OWASP Secure Coding Practices - Quick Reference Guide
| project_home_page = :OWASP Secure Coding Practices - Quick Reference Guide

| project_description =

This document provides a quick high level reference for secure coding practices. It is technology agnostic and defines a set of general software security coding practices, in a checklist format, that can be integrated into the development lifecycle. Implementation of these practices will mitigate most common software vulnerabilities.

| project_license = [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']

| leader_name1 = Keith Turpin
| leader_email1 = keith.turpin@owasp.org
| leader_username1 = Keith Turpin

| contributor_name1 = Dan Kranz
| contributor_email1 =
| contributor_username1 =

| contributor_name2 = Walt Pietrowski
| contributor_email2 =
| contributor_username2 =

| contributor_name3 = Catherine Spencer
| contributor_email3 =
| contributor_username3 =

| contributor_name4 = Caleb McGary
| contributor_email4 = Caleb.mcgary@gmail.com
| contributor_username4 =

| contributor_name5 = Jim Manico
| contributor_email5 = jim.manico@owasp.org
| contributor_username5 = Jmanico

| contributor_name6 = Brad Causey
| contributor_email6 = bradcausey@owasp.org
| contributor_username6 = Bradcausey

| contributor_name7 = Ludovic Petit
| contributor_email7 = ludovic.petit@owasp.org
| contributor_username7 = Ludovic Petit

| contributor_name8 = Michael V. Scovetta
| contributor_email8 = michael.scovetta@gmail.com
| contributor_username8 =

| contributor_name9 = Jason Coleman
| contributor_email9 =
| contributor_username9 =

| contributor_name10 = Tarcizio Vieira Neto
| contributor_email10 =
| contributor_username10 =

| contributor_name11 = OWASP Korea chapter
| contributor_email11 =
| contributor_username11 =

| pamphlet_link = http://www.owasp.org/images/3/35/Flyer_Secure_Coding_Practices_Quick_Reference_Guide_V2.pdf

| presentation_link = https://www.owasp.org/images/f/fd/Secure_Coding_Practices_Quick_Ref_6.ppt

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-secure-coding-practices

| project_road_map = http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Roadmap

| links_url0 = http://www.owasp.org/images/5/54/Secure_Coding_Practices_Quick_Ref_5.ppt
| links_name0 = Slide - Presented by Keith Turpin on OWASP AppSec USA 2010

| links_url1 = http://vimeo.com/17018329
| links_name1 = Video - Keith Turpin presenting the Quick Reference Guide on OWASP AppSec USA 2010

| links_url2 = https://www.owasp.org/images/b/b3/OWASP_SCP_v1.3_pt-BR.pdf
| links_name2 = SCP v2 > Brazilian Portuguese Translation > PDF file

| links_url3 = https://www.owasp.org/images/6/6d/OWASP_SCP_v1.3_pt-PT.pdf
| links_name3 = SCP v2 > Portugal Portuguese Translation > PDF file

| links_url4 = https://www.owasp.org/images/8/8e/2011%EB%85%846%EC%9B%94_OWASP_%EC%8B%9C%ED%81%90%EC%96%B4%EC%BD%94%EB%94%A9%EA%B7%9C%EC%B9%99_v2_KOR.pdf
| links_name4 = SCP v2 > Korean Translation > PDF file

| links_url5 = http://www.owasp.org/images/c/c8/OWASP_SCP_Quick_Reference_Guide_SPA.doc
| links_name5 = SCP v2 > Spanish Translation > doc file

| release_1 = SCP v1

| release_2 = SCP v1.1

| release_3 = SCP v2

| release_4 =

| project_about_page = Projects/OWASP Secure Coding Practices - Quick Reference Guide
}}

Category:Summit 2011 OWASP Secure Coding Workshop Track

2012-05-23T08:55:35Z

Zakiakhmad: /* Resources */

=[[Image:T._secure_coding.jpg]]=

The track seeks to add to OWASP's cache of "secure code". Facilitators will chose a focus for each of the track's sub-sections addressing a "development scenario" developers consistently face in each application they build. Each sub-section aims to deliver secure functionality or code useful in helping developers build security into their application when addressing that development scenario even if it delivers only "code snippets". Two principals govern this track:

<UL>
<LI>All track participants will support analysis, design, implementation, and testing activities for each section
<LI>Each track sub-section should deliver design and implementation useful as a leave-behind, for building security into applications
</UL>

The first implementation of this track aims to deliver only code snippets because track organizers want freedom to select topics beyond what already exists in secure programming toolkits, if necessary. For those familiar with OWASP's [http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API ESAPI], the track will seek to:

<UL>
<LI>Use existing ESAPI (or other OWASP project) material where appropriate
<LI>Roll-up and contribute back to OWASP projects, all applicable code developed during this track
</UL>

Track sub-sections regarding "input validation" and AppSensor represent two OWASP project targets we've already included focus on.

Our goal will be to extend the practice of "building security into applications" without a preference for whether or not the application
exists in a calcified form of maintenance or whether it's being developed in a green-field manner. Summarizing: the objective of each sub-section is to make our technology better not necessarily to raise awareness of its existence.

== Facilitation ==

A set of facilitators, each with both a security and development background, will take turns leading their chosen focus. Facilitators will come prepared with their sub-section problem definition, session goals, and supporting material. Do not expect the facilitator to lead a lecture. Rather, expect the facilitator to come with a skeleton analysis of the development scenario and framework for analyzing the security challenge.

Expect facilitators to divide their sub-section into a list of goals for the development scenario. Facilitators will break the goal into intermediate objectives and will either delegate these objectives to participants or help to direct the conversation across contexts for participants. For example: during a sub-section on persistence frameworks, the facilitator may present risks associated with configuring and implementing auto-binding in a particular framework, then direct snippet implementation on other persistence frameworks, owned and implemented by participants themselves.

== Participants ==

Participants will be expected to arrive with at least a conversational understanding (preferably experience) in the sub-topic area. They will be expected to contribute to analysis, design, implementation, and/or testing. Track participants will need to self-police each sub-section. If
things get too introductory and forward progress stalls, participants can help a lagging participant "Get up to speed" with the rest of the session quickly in a side conversation/demo/hand-holding exercise.

== Sub-Sections (Topic Areas) ==
'''[http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Applying_ESAPI_Input_Validation 1. Applying ESAPI Input Validation]'''
*Serial Decomp: Decode, canonicalize, filter 
*Structured data (SSN, CC, etc.) 
*Unstructured data (comments, blogs, etc.) 
*Other input exaples (ws-, database, etc.) 
'''2. Defining AppSensor Sensors for:''' 
*Forced Browsing 
*Request Velocity 
*Unexpected encodings 
*Impersonation (Sudden user switch) 
'''3. Managing Sessions''' 
*Across requests 
*Across containers 
*Invalidating sessions (Timeout, attack event, logout) 
*Invalidating sessions (across containers, SSO token invalidation, user termination) 
'''[http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Protecting_Information_Stored_Client-Side 4. Protecting Information Stored Client-Side]''' 
*Threat Modeling the problem 
*Protecting theft and re-playability of application-specific info (on client & in flight) 
*Protecting theft and re-playability of session-specific info (in flight) 
*Protecting session-specific information from attack on the client 
'''[http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Protecting_Against_CSRF 5. Protecting against CSRF]''' 
*Hygiene: Discuss/show frames-busting, cross-domain policy; Discuss referrer and other red herrings 
*Tokens (crafting, scoping, and checking) 
*Discussions, techniques on scale 
*Discussions, techniquest on CAPTCHA, re-auth, etc. 
'''[http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Providing_Access_to_Persisted_Data 6. Providing Access to Persisted Data]''' 
*Controlling visibility of tables by role 
*Providing access to safe SQL-like query through DAO layer 
*Discussions, techniques for providing secure'auto-wiring' / marshaling 
*Encoding and canonicalization for storage (or alternatively: Security concerns with heirarchical caching and object pooling) 
== Resources ==
GITHUB will allow us to share track code pretty rapidly. Find code-based resources associated with this track here:

[https://code.google.com/p/secure-coding-workshop/ "Secure Coding Workshop (Google Code)" ] 
[https://github.com/jsteven/OWASP-Secure-Coding-Workshop "Secure Coding Workshop (Github)" ]

[[Category:Summit_2011_Tracks]]

Category:Summit 2011 OWASP Secure Coding Workshop Track

2012-05-23T08:55:19Z

Zakiakhmad: /* Resources */

=[[Image:T._secure_coding.jpg]]=

The track seeks to add to OWASP's cache of "secure code". Facilitators will chose a focus for each of the track's sub-sections addressing a "development scenario" developers consistently face in each application they build. Each sub-section aims to deliver secure functionality or code useful in helping developers build security into their application when addressing that development scenario even if it delivers only "code snippets". Two principals govern this track:

<UL>
<LI>All track participants will support analysis, design, implementation, and testing activities for each section
<LI>Each track sub-section should deliver design and implementation useful as a leave-behind, for building security into applications
</UL>

The first implementation of this track aims to deliver only code snippets because track organizers want freedom to select topics beyond what already exists in secure programming toolkits, if necessary. For those familiar with OWASP's [http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API ESAPI], the track will seek to:

<UL>
<LI>Use existing ESAPI (or other OWASP project) material where appropriate
<LI>Roll-up and contribute back to OWASP projects, all applicable code developed during this track
</UL>

Track sub-sections regarding "input validation" and AppSensor represent two OWASP project targets we've already included focus on.

Our goal will be to extend the practice of "building security into applications" without a preference for whether or not the application
exists in a calcified form of maintenance or whether it's being developed in a green-field manner. Summarizing: the objective of each sub-section is to make our technology better not necessarily to raise awareness of its existence.

== Facilitation ==

A set of facilitators, each with both a security and development background, will take turns leading their chosen focus. Facilitators will come prepared with their sub-section problem definition, session goals, and supporting material. Do not expect the facilitator to lead a lecture. Rather, expect the facilitator to come with a skeleton analysis of the development scenario and framework for analyzing the security challenge.

Expect facilitators to divide their sub-section into a list of goals for the development scenario. Facilitators will break the goal into intermediate objectives and will either delegate these objectives to participants or help to direct the conversation across contexts for participants. For example: during a sub-section on persistence frameworks, the facilitator may present risks associated with configuring and implementing auto-binding in a particular framework, then direct snippet implementation on other persistence frameworks, owned and implemented by participants themselves.

== Participants ==

Participants will be expected to arrive with at least a conversational understanding (preferably experience) in the sub-topic area. They will be expected to contribute to analysis, design, implementation, and/or testing. Track participants will need to self-police each sub-section. If
things get too introductory and forward progress stalls, participants can help a lagging participant "Get up to speed" with the rest of the session quickly in a side conversation/demo/hand-holding exercise.

== Sub-Sections (Topic Areas) ==
'''[http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Applying_ESAPI_Input_Validation 1. Applying ESAPI Input Validation]'''
*Serial Decomp: Decode, canonicalize, filter 
*Structured data (SSN, CC, etc.) 
*Unstructured data (comments, blogs, etc.) 
*Other input exaples (ws-, database, etc.) 
'''2. Defining AppSensor Sensors for:''' 
*Forced Browsing 
*Request Velocity 
*Unexpected encodings 
*Impersonation (Sudden user switch) 
'''3. Managing Sessions''' 
*Across requests 
*Across containers 
*Invalidating sessions (Timeout, attack event, logout) 
*Invalidating sessions (across containers, SSO token invalidation, user termination) 
'''[http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Protecting_Information_Stored_Client-Side 4. Protecting Information Stored Client-Side]''' 
*Threat Modeling the problem 
*Protecting theft and re-playability of application-specific info (on client & in flight) 
*Protecting theft and re-playability of session-specific info (in flight) 
*Protecting session-specific information from attack on the client 
'''[http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Protecting_Against_CSRF 5. Protecting against CSRF]''' 
*Hygiene: Discuss/show frames-busting, cross-domain policy; Discuss referrer and other red herrings 
*Tokens (crafting, scoping, and checking) 
*Discussions, techniques on scale 
*Discussions, techniquest on CAPTCHA, re-auth, etc. 
'''[http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Providing_Access_to_Persisted_Data 6. Providing Access to Persisted Data]''' 
*Controlling visibility of tables by role 
*Providing access to safe SQL-like query through DAO layer 
*Discussions, techniques for providing secure'auto-wiring' / marshaling 
*Encoding and canonicalization for storage (or alternatively: Security concerns with heirarchical caching and object pooling) 
== Resources ==
GITHUB will allow us to share track code pretty rapidly. Find code-based resources associated with this track here:

[https://code.google.com/p/secure-coding-workshop/ "Secure Coding Workshop (Google Code)" ]
[https://github.com/jsteven/OWASP-Secure-Coding-Workshop "Secure Coding Workshop (Github)" ]

[[Category:Summit_2011_Tracks]]

Web Service Security Cheat Sheet

2012-05-11T10:28:41Z

Zakiakhmad: /* Authors and Primary Editors */

= Introduction =

This article is focused on providing guidance to securing web services and preventing web services related attacks. Please notice that due to the difference of implementation between different frameworks, this cheat sheet is kept at a high level.

== Transport Confidentiality ==

Transport confidentiality protects against eavesdropping and man-in-the-middle attacks against web service communications to/from the server.

'''Rule''' - All communication with and between web services containing sensitive features, an authenticated session, or transfer of sensitive data must be encrypted using well configured TLS. This is recommended even if the messages themselves are encrypted because SSL/TLS provides numerous benefits beyond traffic confidentiality including integrity protection, replay defenses, and server authentication. For more information on how to do this properly see the [[Transport Layer Protection Cheat Sheet]].

== Server Authentication ==

'''Rule''' - SSL/TLS must be used to authenticate the service provider to the service consumer. The service consumer should verify the server certificate is issued by a trusted provider, is not expired, is not revoked, matches the domain name of the service, and that the server has proven that it has the private key associated with the public key certificate (by properly signing something or successfully decrypting something encrypted with the associated public key).

== User Authentication ==

User authentication verifies the identity of the user or the system trying to connect to the service. Such authentication is usually a function of the container of the web service.

'''Rule''' - If used, Basic Authentication must be conducted over SSL, but Basic Authentication is not recommended.

'''Rule''' - Client Certificate Authentication using SSL is a strong form of authentication that is recommended.

== Transport Encoding ==

SOAP encoding styles are meant to move data between software objects into XML format and back again.

'''Rule''' - Enforce the same encoding style between the client and the server.

== Message Integrity ==

This is for data at rest. Integrity of data in transit can easily be provided by SSL/TLS.

When using public key cryptography, encryption does guarantee confidentiality but it does not guarantee integrity since the receiver's public key is public. For the same reason, encryption does not ensure the identity of the sender.

'''Rule '''- For XML data, use XML digital signatures to provide message integrity using the sender's private key. This signature can be validated by the recipient using the sender’s digital certificate (public key).

== Message Confidentiality ==

Data elements meant to be kept confidential must be encrypted using a strong encryption cipher with an adequate key length to deter brute forcing.

'''Rule''' - Messages containing sensitive data must be encrypted using a strong encryption cipher. This could be transport encryption or message encryption.

'''Rule''' - Messages containing sensitive data that must remain encrypted at rest after receipt must be encrypted with strong data encryption, not just transport encryption.

== Authorization ==

Web services need to authorize web service clients the same way web applications authorize users. A web service needs to make sure a web service client is authorized to: perform a certain action (coarse-grained); on the requested data (fine-grained).

'''Rule''' - A web service should authorize its clients whether they have access to the method in question. Following authentication, the web service should check the privileges of the requesting entity whether they have access to the requested resource. This should be done on every request.

'''Rule''' - Ensure access to administration and management functions within the Web Service Application is limited to web service administrators. Ideally, any administrative capabilities would be in an application that is completely separate from the web services being managed by these capabilities, thus completely separating normal users from these sensitive functions.

== Schema Validation ==

Schema validation enforces constraints and syntax defined by the schema.

'''Rule''' - Web services must validate SOAP payloads against their associated XML schema definition (XSD).

'''Rule''' - The XSD defined for a SOAP web service should, at a minimum, define the maximum length and character set of every parameter allowed to pass into and out of the web service.

'''Rule''' - The XSD defined for a SOAP web service should define strong (ideally white list) validation patterns for all fixed format parameters (e.g., zip codes, phone numbers, list values, etc.).

== Content Validation ==

'''Rule''' - Like any web application, web services need to validate input before consuming it. Content validation for XML input should include:

*Validation against malformed XML entities
*Validation against XML Bomb attacks
*Validating inputs using a strong white list
*Validating against external entity attacks

== Output Encoding ==

Web services need to ensure that output sent to clients is encoded to be consumed as data and not as scripts. This gets pretty important when web service clients use the output to render HTML pages either directly or indirectly using AJAX objects.

'''Rule''' - All the rules of output encoding applies as per [[XSS (Cross Site Scripting) Prevention Cheat Sheet]] .

== Virus Protection ==

SOAP provides the ability to attach files and document to SOAP messages. This gives the opportunity for hackers to attach viruses and malware to these SOAP messages.

'''Rule''' - Ensure Virus Scanning technology is installed and preferably inline so files and attachments could be checked before being saved on disk.
'''Rule''' - Ensure Virus Scanning technology is regularly updated with the latest virus definitions / rules.

== Message Size ==

Web services like web applications could be a target for DOS attacks by automatically sending the web services thousands of large size SOAP messages. This either cripples the application making it unable to respond to legitimate messages or it could take it down entirely.

'''Rule''' - SOAP Messages size should be limited to an appropriate size limit. Larger size limit (or no limit at all) increases the chances of a successful DoS attack.

== Availability ==

=== Message Throughput ===

Throughput represents the number of web service requests served during a specific amount of time.

'''Rule''' - Configuration should be optimized for maximum message throughput to avoid running into DoS-like situations.

=== XML Denial of Service Protection ===

XML Denial of Service is probably the most serious attack against web services. So the web service must provide the following validation:

'''Rule''' - Validation against recursive payloads

'''Rule''' - Validation against oversized payloads

'''Rule''' - Protection against XML entity expansion

'''Rule''' - Validating against overlong element names. If you are working with SOAP-based Web Services, the element names are those SOAP Actions.

This protection should be provided by your XML parser/schema validator. To verify, build test cases to make sure your parser to resistant to these types of attacks.

== Endpoint Security Profile ==

'''Rule''' - Web services must be compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum.

= Authors and Primary Editors =

Gunnar Peterson 
[mailto:sherif.koussa@owasp.org Sherif Koussa] 
[mailto:dave.wichers@owasp.org Dave Wichers] 
[mailto:jim@owasp.org Jim Manico]

= Related Pages =
{{Cheatsheet_Navigation}}
[[Category:Cheatsheets]]

Web Service Security Cheat Sheet

2012-05-11T10:24:02Z

Zakiakhmad: /* Authors and Primary Editors */

Web Service Security Cheat Sheet

2012-05-11T10:12:35Z

Zakiakhmad: /* Transport Confidentiality */

= Introduction =

This article is focused on providing guidance to securing web services and preventing web services related attacks. Please notice that due to the difference of implementation between different frameworks, this cheat sheet is kept at a high level.

== Transport Confidentiality ==

Transport confidentiality protects against eavesdropping and man-in-the-middle attacks against web service communications to/from the server.

'''Rule''' - All communication with and between web services containing sensitive features, an authenticated session, or transfer of sensitive data must be encrypted using well configured TLS. This is recommended even if the messages themselves are encrypted because SSL/TLS provides numerous benefits beyond traffic confidentiality including integrity protection, replay defenses, and server authentication. For more information on how to do this properly see the [[Transport Layer Protection Cheat Sheet]].

== Server Authentication ==

'''Rule''' - SSL/TLS must be used to authenticate the service provider to the service consumer. The service consumer should verify the server certificate is issued by a trusted provider, is not expired, is not revoked, matches the domain name of the service, and that the server has proven that it has the private key associated with the public key certificate (by properly signing something or successfully decrypting something encrypted with the associated public key).

== User Authentication ==

User authentication verifies the identity of the user or the system trying to connect to the service. Such authentication is usually a function of the container of the web service.

'''Rule''' - If used, Basic Authentication must be conducted over SSL, but Basic Authentication is not recommended.

'''Rule''' - Client Certificate Authentication using SSL is a strong form of authentication that is recommended.

== Transport Encoding ==

SOAP encoding styles are meant to move data between software objects into XML format and back again.

'''Rule''' - Enforce the same encoding style between the client and the server.

== Message Integrity ==

This is for data at rest. Integrity of data in transit can easily be provided by SSL/TLS.

When using public key cryptography, encryption does guarantee confidentiality but it does not guarantee integrity since the receiver's public key is public. For the same reason, encryption does not ensure the identity of the sender.

'''Rule '''- For XML data, use XML digital signatures to provide message integrity using the sender's private key. This signature can be validated by the recipient using the sender’s digital certificate (public key).

== Message Confidentiality ==

Data elements meant to be kept confidential must be encrypted using a strong encryption cipher with an adequate key length to deter brute forcing.

'''Rule''' - Messages containing sensitive data must be encrypted using a strong encryption cipher. This could be transport encryption or message encryption.

'''Rule''' - Messages containing sensitive data that must remain encrypted at rest after receipt must be encrypted with strong data encryption, not just transport encryption.

== Authorization ==

Web services need to authorize web service clients the same way web applications authorize users. A web service needs to make sure a web service client is authorized to: perform a certain action (coarse-grained); on the requested data (fine-grained).

'''Rule''' - A web service should authorize its clients whether they have access to the method in question. Following authentication, the web service should check the privileges of the requesting entity whether they have access to the requested resource. This should be done on every request.

'''Rule''' - Ensure access to administration and management functions within the Web Service Application is limited to web service administrators. Ideally, any administrative capabilities would be in an application that is completely separate from the web services being managed by these capabilities, thus completely separating normal users from these sensitive functions.

== Schema Validation ==

Schema validation enforces constraints and syntax defined by the schema.

'''Rule''' - Web services must validate SOAP payloads against their associated XML schema definition (XSD).

'''Rule''' - The XSD defined for a SOAP web service should, at a minimum, define the maximum length and character set of every parameter allowed to pass into and out of the web service.

'''Rule''' - The XSD defined for a SOAP web service should define strong (ideally white list) validation patterns for all fixed format parameters (e.g., zip codes, phone numbers, list values, etc.).

== Content Validation ==

'''Rule''' - Like any web application, web services need to validate input before consuming it. Content validation for XML input should include:

*Validation against malformed XML entities
*Validation against XML Bomb attacks
*Validating inputs using a strong white list
*Validating against external entity attacks

== Output Encoding ==

Web services need to ensure that output sent to clients is encoded to be consumed as data and not as scripts. This gets pretty important when web service clients use the output to render HTML pages either directly or indirectly using AJAX objects.

'''Rule''' - All the rules of output encoding applies as per [[XSS (Cross Site Scripting) Prevention Cheat Sheet]] .

== Virus Protection ==

SOAP provides the ability to attach files and document to SOAP messages. This gives the opportunity for hackers to attach viruses and malware to these SOAP messages.

'''Rule''' - Ensure Virus Scanning technology is installed and preferably inline so files and attachments could be checked before being saved on disk.
'''Rule''' - Ensure Virus Scanning technology is regularly updated with the latest virus definitions / rules.

== Message Size ==

Web services like web applications could be a target for DOS attacks by automatically sending the web services thousands of large size SOAP messages. This either cripples the application making it unable to respond to legitimate messages or it could take it down entirely.

'''Rule''' - SOAP Messages size should be limited to an appropriate size limit. Larger size limit (or no limit at all) increases the chances of a successful DoS attack.

== Availability ==

=== Message Throughput ===

Throughput represents the number of web service requests served during a specific amount of time.

'''Rule''' - Configuration should be optimized for maximum message throughput to avoid running into DoS-like situations.

=== XML Denial of Service Protection ===

XML Denial of Service is probably the most serious attack against web services. So the web service must provide the following validation:

'''Rule''' - Validation against recursive payloads

'''Rule''' - Validation against oversized payloads

'''Rule''' - Protection against XML entity expansion

'''Rule''' - Validating against overlong element names. If you are working with SOAP-based Web Services, the element names are those SOAP Actions.

This protection should be provided by your XML parser/schema validator. To verify, build test cases to make sure your parser to resistant to these types of attacks.

== Endpoint Security Profile ==

'''Rule''' - Web services must be compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum.

= Authors and Primary Editors =

Gunnar Peterson - 
Sherif Koussa - sherif.koussa[at]owasp.org 
Dave Wichers - dave.wichers[at]owasp.org 
Jim Manico - jim[at]owasp.org 

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Web Services

2012-05-11T10:02:25Z

Zakiakhmad:

[[Guide Table of Contents|Development Guide Table of Contents]]

__TOC__

''This section of the Development Guide details the common issues facing Web services developers, and methods to address common issues. Due to the space limitations, it cannot look at all of the surrounding issues in great detail, since each of them deserves a separate book of its own. Instead, an attempt is made to steer the reader to the appropriate usage patterns, and warn about potential roadblocks on the way.''

Web Services have received a lot of press, and with that comes a great deal of confusion over what they really are. Some are heralding Web Services as the biggest technology breakthrough since the web itself; others are more skeptical that they are nothing more than evolved web applications. In either case, the issues of web application security apply to web services just as they do to web applications.

== What are Web Services? ==

Suppose you were making an application that you wanted other applications to be able to communicate with. For example, your Java application has stock information updated every 5 minutes and you would like other applications, ones that may not even exist yet, to be able to use the data.

One way you can do this is to serialize your Java objects and send them over the wire to the application that requests them. The problem with this approach is that a C# application would not be able to use these objects because it serializes and deserializes objects differently than Java.

Another approach you could take is to send a text file filled with data to the application that requests it. This is better because a C# application could read the data. But this has another flaw: Lets assume your stock application is not the only one the C# application needs to interact with. Maybe it needs weather data, local restaurant data, movie data, etc. If every one of these applications uses its own unique file format, it would take considerable research to get the C# application to a working state.

The solution to both of these problems is to send a standard file format. A format that any application can use, regardless of the data being transported. Web Services are this solution. They let any application communicate with any other application without having to consider the language it was developed in or the format of the data.

At the simplest level, web services can be seen as a specialized web application that differs mainly at the presentation tier level. While web applications typically are HTML-based, web services are XML-based. Interactive users for B2C (business to consumer) transactions normally access web applications, while web services are employed as building blocks by other web applications for forming B2B (business to business) chains using the so-called SOA model. Web services typically present a public functional interface, callable in a programmatic fashion, while web applications tend to deal with a richer set of features and are content-driven in most cases.

== Securing Web Services ==

Web services, like other distributed applications, require protection at multiple levels:

*SOAP messages that are sent on the wire should be delivered confidentially and without tampering

*The server needs to be confident who it is talking to and what the clients are entitled to

*The clients need to know that they are talking to the right server, and not a phishing site (see the Phishing chapter for more information)

*System message logs should contain sufficient information to reliably reconstruct the chain of events and track those back to the authenticated callers

Correspondingly, the high-level approaches to solutions, discussed in the following sections, are valid for pretty much any distributed application, with some variations in the implementation details.

The good news for Web Services developers is that these are infrastructure-level tasks, so, theoretically, it is only the system administrators who should be worrying about these issues. However, for a number of reasons discussed later in this chapter, WS developers usually have to be at least aware of all these risks, and oftentimes they still have to resort to manually coding or tweaking the protection components.

== Communication security ==

There is a commonly cited statement, and even more often implemented approach "We are using SSL to protect all communication, we are secure". At the same time, there have been so many articles published on the topic of "channel security vs. token security" that it hardly makes sense to repeat those arguments here. Therefore, listed below is just a brief rundown of most common pitfalls when using channel security alone:

*It provides only "point-to-point" security

Any communication with multiple "hops" requires establishing separate channels (and trusts) between each communicating node along the way. There is also a subtle issue of trust transitivity, as trusts between node pairs {A,B} and {B,C} do not automatically imply {A,C} trust relationship.

*Storage issue

After messages are received on the server (even if it is not the intended recipient), they exist in the clear-text form, at least temporarily. Storing the transmitted information at the intermediate aggravates the problem or destination servers in log files (where it can be browsed by anybody) and local caches.

*Lack of interoperability

While SSL provides a standard mechanism for transport protection, applications then have to utilize highly proprietary mechanisms for transmitting credentials, ensuring freshness, integrity, and confidentiality of data sent over the secure channel. Using a different server, which is semantically equivalent, but accepts a different format of the same credentials, would require altering the client and prevent forming automatic B2B service chains.

Standards-based token protection in many cases provides a superior alternative for message-oriented Web Service SOAP communication model.

That said the reality is that the most Web Services today are still protected by some form of channel security mechanism, which alone might suffice for a simple internal application. However, one should clearly realize the limitations of such approach, and make conscious trade-offs at the design time, whether channel, token, or combined protection would work better for each specific case.

== Passing credentials ==

In order to enable credentials exchange and authentication for Web Services, their developers must address the following issues.

First, since SOAP messages are XML-based, all passed credentials have to be converted to text format. This is not a problem for username/password types of credentials, but binary ones (like X.509 certificates or Kerberos tokens) require converting them into text prior to sending and unambiguously restoring them upon receiving, which is usually done via a procedure called Base64 encoding and decoding.

Second, passing credentials carries an inherited risk of their disclosure, either by sniffing them during the wire transmission, or by analyzing the server logs. Therefore, things like passwords and private keys need to be either encrypted, or just never sent "in the clear". Usual ways to avoid sending sensitive credentials are using cryptographic hashing and/or signatures.

== Ensuring message freshness ==

Even a valid message may present a danger if it is utilized in a "replay attack". i.e. it is sent multiple times to the server to make it repeat the requested operation. This may be achieved by capturing an entire message, even if it is sufficiently protected against tampering, since it is the message itself that is used for attack now (see the XML Injection section of the Interpreter Injection chapter).

Usual means to protect against replayed messages is either using unique identifiers (nonces) on messages and keeping track of processed ones, or using a relatively short validity time window. In the Web Services world, information about the message creation time is usually communicated by inserting timestamps, which may just tell the instant the message was created, or have additional information, like its expiration time, or certain conditions.

The latter solution, although easier to implement, requires clock synchronization and is sensitive to server time skew, whereas server or clients' clocks drift too much, preventing timely message delivery, although this usually does not present significant problems with modern-day computers. A greater issue lies with message queuing at the servers, where messages may be expiring while waiting to be processed in the queue of an especially busy or non-responsive server.

== Protecting message integrity ==

When a message is received by a web service, it must always ask two questions: ¿whether I trust the caller?, ¿whether it created this message ?. Assuming that the caller trust has been established one way or another, the server has to be assured that the message it is looking at was indeed issued by the caller, and not altered along the way (intentionally or not). This may affect technical qualities of a SOAP message, such as the message's timestamp, or business content, such as the amount to be withdrawn from the bank account. Obviously, neither change should go undetected by the server.

In communication protocols, there are usually some mechanisms like checksum applied to ensure packet's integrity. This would not be sufficient, however, in the realm of publicly exposed Web Services, since checksums (or digests, their cryptographic equivalents) are easily replaceable and cannot be reliably tracked back to the issuer. The required association may be established by utilizing HMAC, or by combining message digests with either cryptographic signatures or with secret key-encryption (assuming the keys are only known to the two communicating parties) to ensure that any change will immediately result in a cryptographic error.

== Protecting message confidentiality ==

Oftentimes, it is not sufficient to ensure the integrity; in many cases it is also desirable that nobody can see the data that is passed around and/or stored locally. It may apply to the entire message being processed, or only to certain parts of it; In either case, some type of encryption is required to conceal the content. Normally, symmetric encryption algorithms are used to encrypt bulk data, since it is significantly faster than the asymmetric ones. Asymmetric encryption is then applied to protect the symmetric session keys, which, in many implementations, are valid for one communication only and are subsequently discarded.

Applying encryption requires conducting an extensive setup work, since the communicating parties now have to be aware of which keys they can trust, deal with certificate and key validation, and know which keys should be used for communication.

In many cases, encryption is combined with signatures to provide both integrity and confidentiality. Normally, signing keys are different from the encrypting ones, primarily because of their different lifecycles, signing keys are permanently associated with their owners, while encryption keys may be invalidated after the message exchange. Another reason may be separation of business responsibilities - the signing authority (and the corresponding key) may belong to one department or person, while encryption keys are generated by the server controlled by members of IT department.

== Access control ==

After the message has been received and successfully validated, the server must decide:

*Does it know who is requesting the operation (Identification)

*Does it trust the caller's identity claim (Authentication)

*Does it allow the caller to perform this operation (Authorization)

There is not much WS-specific activity that takes place at this stage, just several new ways of passing the credentials for authentication. Most often, authorization (or entitlement) tasks occur completely outside of the Web Service implementation, at the Policy Server that protects the whole domain.

There is another significant problem here, the traditional HTTP firewalls do not help at stopping attacks at the Web Services. An organization would need an XML/SOAP firewall, which is capable of conducting application-level analysis of the web server's traffic and make intelligent decision about passing SOAP messages to their destination. The reader would need to refer to other books and publications on this very important topic, as it is impossible to cover it within just one chapter.

== Audit ==

A common task, typically required from the audits, is reconstructing the chain of events that led to a certain problem. Normally, this would be achieved by saving server logs in a secure location, available only to the IT administrators and system auditors, in order to create what is commonly referred to as "audit trail". Web Services are no exception to this practice, and follow the general approach of other types of Web Applications.

Another auditing goal is non-repudiation, meaning that a message can be verifiably traced back to the caller. Following the standard legal practice, electronic documents now require some form of an "electronic signature", but its definition is extremely broad and can mean practically anything, in many cases, entering your name and birthday qualifies as an e-signature.

As far as the WS are concerned, such level of protection would be insufficient and easily forgeable. The standard practice is to require cryptographic digital signatures over any content that has to be legally binding, if a document with such a signature is saved in the audit log, it can be reliably traced to the owner of the signing key

== Web Services Security Hierarchy ==

Technically speaking, Web Services themselves are very simple and versatile, XML-based communication, described by an XML-based grammar, called Web Services Description Language (WSDL, see http://www.w3.org/TR/2005/WD-wsdl20-20050510), which binds abstract service interfaces, consisting of messages, expressed as XML Schema, and operations, to the underlying wire format. Although it is by no means a requirement, the format of choice is currently SOAP over HTTP. This means that Web Service interfaces are described in terms of the incoming and outgoing SOAP messages, transmitted over HTTP protocol.

=== Standards committees ===

Before reviewing the individual standards, it is worth taking a brief look at the organizations which are developing and promoting them. There are quite a few industry-wide groups and consortiums working in this area, most important of which are listed below.

W3C (see http://www.w3.org) is the most well known industry group, which owns many Web-related standards and develops them in Working Group format. Of particular interest to this chapter are XML Schema, SOAP, XML-dsig, XML-enc, and WSDL standards (called recommendations in the W3C's jargon).

OASIS (see http://www.oasis-open.org) mostly deals with Web Service-specific standards, not necessarily security-related. It also operates on a committee basis, forming so-called Technical Committees (TC) for the standards that it is going to be developing. Of interest for this discussion, OASIS owns WS-Security and SAML standards.

Web Services Interoperability Organization (WS-I, see http://www.ws-i.org/) was formed to promote a general framework for interoperable Web Services. Mostly its work consists of taking other broadly accepted standards, and developing so-called profiles, or sets of requirements for conforming Web Service implementations. In particular, its Basic Security Profile (BSP) relies on the OASIS' WS-Security standard and specifies sets of optional and required security features in Web Services that claim interoperability.

Liberty Alliance (LA, see http://projectliberty.org) consortium was formed to develop and promote an interoperable Identity Federation framework. Although this framework is not strictly Web Service-specific, but rather general, it is important for this topic because of its close relation with the SAML standard developed by OASIS.

Besides the previously listed organizations, there are other industry associations, both permanently established and short-lived, which push forward various Web Service security activities. They are usually made up of software industry's leading companies, such as Microsoft, IBM, Verisign, BEA, Sun, and others, that join them to work on a particular issue or proposal. Results of these joint activities, once they reach certain maturity, are often submitted to standardizations committees as a basis for new industry standards.

== SOAP ==

Simple Object Access Protocol (SOAP, see http://www.w3.org/TR/2003/REC-soap12-part1-20030624/) provides an XML-based framework for exchanging structured and typed information between peer services. This information, formatted into Header and Body, can theoretically be transmitted over a number of transport protocols, but only HTTP binding has been formally defined and is in active use today. SOAP provides for Remote Procedure Call-style (RPC) interactions, similar to remote function calls, and Document-style communication, with message contents based exclusively on XML Schema definitions in the Web Service's WSDL. Invocation results may be optionally returned in the response message, or a Fault may be raised, which is roughly equivalent to using exceptions in traditional programming languages.

SOAP protocol, while defining the communication framework, provides no help in terms of securing message exchanges, the communications must either happen over secure channels, or use protection mechanisms described later in this chapter.

=== XML security specifications (XML-dsig & Encryption) ===

XML Signature (XML-dsig, see http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/), and XML Encryption (XML-enc, see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/) add cryptographic protection to plain XML documents. These specifications add integrity, message and signer authentication, as well as support for encryption/decryption of whole XML documents or only of some elements inside them.

The real value of those standards comes from the highly flexible framework developed to reference the data being processed (both internal and external relative to the XML document), refer to the secret keys and key pairs, and to represent results of signing/encrypting operations as XML, which is added to/substituted in the original document.

However, by themselves, XML-dsig and XML-enc do not solve the problem of securing SOAP-based Web Service interactions, since the client and service first have to agree on the order of those operations, where to look for the signature, how to retrieve cryptographic tokens, which message elements should be signed and encrypted, how long a message is considered to be valid, and so on. These issues are addressed by the higher-level specifications, reviewed in the following sections.

=== Security specifications ===

In addition to the above standards, there is a broad set of security-related specifications being currently developed for various aspects of Web Service operations.

One of them is SAML, which defines how identity, attribute, and authorization assertions should be exchanged among participating services in a secure and interoperable way.

A broad consortium, headed by Microsoft and IBM, with the input from Verisign, RSA Security, and other participants, developed a family of specifications, collectively known as "Web Services Roadmap". Its foundation, WS-Security, has been submitted to OASIS and became an OASIS standard in 2004. Other important specifications from this family are still found in different development stages, and plans for their submission have not yet been announced, although they cover such important issues as security policies (WS-Policy et al), trust issues and security token exchange (WS-Trust), establishing context for secure conversation (WS-SecureConversation). One of the specifications in this family, WS-Federation, directly competes with the work being done by the LA consortium, and, although it is supposed to be incorporated into the Longhorn release of Windows, its future is not clear at the moment, since it has been significantly delayed and presently does not have industry momentum behind it.

== WS-Security Standard ==

WS-Security specification (WSS) was originally developed by Microsoft, IBM, and Verisign as part of a "Roadmap", which was later renamed to Web Services Architecture, or WSA. WSS served as the foundation for all other specifications in this domain, creating a basic infrastructure for developing message-based security exchange. Because of its importance for establishing interoperable Web Services, it was submitted to OASIS and, after undergoing the required committee process, became an officially accepted standard. Current version is 1.1, and it was released on February 17, 2006. 

The protocol is currently officially called WSS and developed via committee in Oasis-Open. 

=== Organization of the standard ===

The WSS standard itself deals with several core security areas, leaving many details to so-called profile documents. The core areas, broadly defined by the standard, are:

*Ways to add security headers (WSSE Header) to SOAP Envelopes

*Attachment of security tokens and credentials to the message

*Inserting a timestamp

*Signing the message

*Encrypting the message

*Extensibility

Flexibility of the WS-Security standard lies in its extensibility, so that it remains adaptable to new types of security tokens and protocols that are being developed. This flexibility is achieved by defining additional profiles for inserting new types of security tokens into the WSS framework. While the signing and encrypting parts of the standards are not expected to require significant changes (only when the underlying XML-dsig and XML-enc are updated), the types of tokens, passed in WSS messages, and ways of attaching them to the message may vary substantially. At the high level the WSS standard defines three types of security tokens, attachable to a WSS Header: Username/password, Binary, and XML tokens. Each of those types is further specified in one (or more) profile document, which defines additional tokens' attributes and elements, needed to represent a particular type of security token.

[[Image:WSS Specification Hierarchy.gif|Figure 4: WSS specification hierarchy]]

=== Purpose ===

The primary goal of the WSS standard is providing tools for message-level communication protection, whereas each message represents an isolated piece of information, carrying enough security data to verify all important message properties, such as: authenticity, integrity, freshness, and to initiate decryption of any encrypted message parts. This concept is a stark contrast to the traditional channel security, which methodically applies pre-negotiated security context to the whole stream, as opposed to the selective process of securing individual messages in WSS. In the Roadmap, that type of service is eventually expected to be provided by implementations of standards like WS-SecureConversation.

From the beginning, the WSS standard was conceived as a message-level toolkit for securely delivering data for higher level protocols. Those protocols, based on the standards like WS-Policy, WS-Trust, and Liberty Alliance, rely on the transmitted tokens to implement access control policies, token exchange, and other types of protection and integration. However, taken alone, the WSS standard does not mandate any specific security properties, and an ad-hoc application of its constructs can lead to subtle security vulnerabilities and hard to detect problems, as is also discussed in later sections of this chapter.

== WS-Security Building Blocks ==

The WSS standard actually consists of a number of documents, one core document, which defines how security headers may be included into SOAP envelope and describes all high-level blocks, which must be present in a valid security header. Profile documents have the dual task of extending definitions for the token types they are dealing with, providing additional attributes, elements, as well as defining relationships left out of the core specification, such as using attachments.

Core WSS 1.1 specification, located at http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf, defines several types of security tokens (discussed later in this section: see 0), ways to reference them, timestamps, and ways to apply XML-dsig and XML-enc in the security headers, see the XML Dsig section for more details about their general structure.

Associated specifications are:

*Username token profile 1.1, located at http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf, which adds various password-related extensions to the basic UsernameToken from the core specification

*X.509 token profile 1.1, located at http://www.oasis-open.org/committees/download.php/16785/wss-v1.1-spec-os-x509TokenProfile.pdf which specifies, how X.509 certificates may be passed in the BinarySecurityToken, specified by the core document

*SAML Token profile 1.1, located at http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf that specifies how XML-based SAML tokens can be inserted into WSS headers.

*Kerberos Token Profile 1.1, located at http://www.oasis-open.org/committees/download.php/16788/wss-v1.1-spec-os-KerberosTokenProfile.pdf that defines how to encode Kerberos tickets and attach them to SOAP messages.

*Rights Expression Language (REL) Token Profile 1.1, located at http://www.oasis-open.org/committees/download.php/16687/oasis-wss-rel-token-profile-1.1.pdf that describes the use of ISO/IEC 21000-5 Rights Expressions with respect to the WS-Security specification.

*SOAP with Attachments (SWA) Profile 1.1, located at http://www.oasis-open.org/committees/download.php/16672/wss-v1.1-spec-os-SwAProfile.pdf that describes how to use WSS-Sec with SOAP Messages with Attachments.

=== How data is passed ===

WSS security specification deals with two distinct types of data: security information, which includes security tokens, signatures, digests, etc; and message data, i.e. everything else that is passed in the SOAP message. Being an XML-based standard, WSS works with textual information grouped into XML elements. Any binary data, such as cryptographic signatures or Kerberos tokens, has to go through a special transform, called Base64 encoding/decoding, which provides straightforward conversion from binary to ASCII formats and back. The example below demonstrates how binary data looks like in the encoded format:

 

''cCBDQTAeFw0wNDA1MTIxNjIzMDRaFw0wNTA1MTIxNjIzMDRaMG8xCz''

 

After encoding a binary element, an attribute with the algorithm's identifier is added to the XML element carrying the data, so that the receiver would know to apply the correct decoder to read it. These identifiers are defined in the WSS specification documents.

=== Security header's structure ===

A security header in a message is used as a sort of an envelope around a letter, it seals and protects the letter, but does not care about its content. This "indifference" works in the other direction as well, as the letter (SOAP message) should not know, nor should it care about its envelope (WSS Header), since the different units of information, carried on the envelope and in the letter, are presumably targeted at different people or applications.

A SOAP Header may actually contain multiple security headers, as long as they are addressed to different actors (for SOAP 1.1), or roles (for SOAP 1.2). Their contents may also be referring to each other, but such references present a very complicated logistical problem for determining the proper order of decryptions/signature verifications, and should generally be avoided. WSS security header itself has a loose structure, as the specification itself does not require any elements to be present; so, the minimalist header with an empty message will look like:

 

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">

</wsse:Security>
</soap:Header>
<soap:Body>

</soap:Body>
</soap:Envelope>

 

However, to be useful, it must carry some information, which is going to help securing the message. It means including one or more security tokens (see 0) with references, XML Signature, and XML Encryption elements, if the message is signed and/or encrypted. So, a typical header will look more like the following picture:

 

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="aXhOJ5">MIICtzCCAi...
</wsse:BinarySecurityToken>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#aXhOJ5" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>Nb0Mf...</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#aDNa2iD"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<wsse:SecurityTokenReference wsu:Id="aZG0sG">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID" wsu:Id="a2tv1Uz"> 1106844369755</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
<saml:Assertion AssertionID="1106844369755" IssueInstant="2005-01-27T16:46:09.755Z" Issuer="www.my.com" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
...
</saml:Assertion>
<wsu:Timestamp wsu:Id="afc6fbe-a7d8-fbf3-9ac4-f884f435a9c1">
<wsu:Created>2005-01-27T16:46:10Z</wsu:Created>
<wsu:Expires>2005-01-27T18:46:10Z</wsu:Expires>
</wsu:Timestamp>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="sb738c7">
<dsig:SignedInfo Id="obLkHzaCOrAW4kxC9az0bLA22">
...
<dsig:Reference URI="#s91397860">
...
<dsig:DigestValue>5R3GSp+OOn17lSdE0knq4GXqgYM=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue Id="a9utKU9UZk">LIkagbCr5bkXLs8l...</dsig:SignatureValue>
<dsig:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#aXhOJ5" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
</dsig:Signature>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="s91397860">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="aDNa2iD" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>XFM4J6C...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>

=== Types of tokens ===

A WSS Header may have the following types of security tokens in it:

*Username token

Defines mechanisms to pass username and, optionally, a password - the latter is described in the username profile document. Unless the whole token is encrypted, a message which includes a clear-text password should always be transmitted via a secured channel. In situations where the target Web Service has access to clear-text passwords for verification (this might not be possible with LDAP or some other user directories, which do not return clear-text passwords), using a hashed version with nonce and a timestamp is generally preferable. The profile document defines an unambiguous algorithm for producing password hash:

Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )

*Binary token

They are used to convey binary data, such as X.509 certificates, in a text-encoded format, Base64 by default. The core specification defines BinarySecurityToken element, while profile documents specify additional attributes and sub-elements to handle attachment of various tokens. Presently, both the X.509 and the Kerberos profiles have been adopted.

 

<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="aXhOJ5">
MIICtzCCAi...
</wsse:BinarySecurityToken>

 

*XML token

These are meant for any kind of XML-based tokens, but primarily, for SAML assertions. The core specification merely mentions the possibility of inserting such tokens, leaving all details to the profile documents. At the moment, SAML 1.1 profile has been accepted by OASIS.

 

<saml:Assertion AssertionID="1106844369755" IssueInstant="2005-01-27T16:46:09.755Z" Issuer="www.my.com" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
...
</saml:Assertion>

 

Although technically it is not a security token, a Timestamp element may be inserted into a security header to ensure message's freshness. See the further reading section for a design pattern on this.

=== Referencing message parts ===

In order to retrieve security tokens, passed in the message, or to identify signed and encrypted message parts, the core specification adopts usage of a special attribute, wsu:Id. The only requirement on this attribute is that the values of such IDs should be unique within the scope of XML document where they are defined. Its application has a significant advantage for the intermediate processors, as it does not require understanding of the message's XML Schema. Unfortunately, XML Signature and Encryption specifications do not allow for attribute extensibility (i.e. they have closed schema), so, when trying to locate signature or encryption elements, local IDs of the Signature and Encryption elements must be considered first.

WSS core specification also defines a general mechanism for referencing security tokens via SecurityTokenReference element. An example of such element, referring to a SAML assertion in the same header, is provided below:

 

<wsse:SecurityTokenReference wsu:Id="aZG0sGbRpXLySzgM1X6aSjg22">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID" wsu:Id="a2tv1Uz">
1106844369755
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>

 

As this element was designed to refer to pretty much any possible token type (including encryption keys, certificates, SAML assertions, etc) both internal and external to the WSS Header, it is enormously complicated. The specification recommends using two of its possible four reference types: Direct References (by URI) and Key Identifiers (some kind of token identifier). Profile documents (SAML, X.509 for instance) provide additional extensions to these mechanisms to take advantage of specific qualities of different token types.

== Communication Protection Mechanisms ==

As was already explained earlier (see 0), channel security, while providing important services, is not a panacea, as it does not solve many of the issues facing Web Service developers. WSS helps addressing some of them at the SOAP message level, using the mechanisms described in the sections below.

=== Integrity ===

WSS specification makes use of the XML-dsig standard to ensure message integrity, restricting its functionality in certain cases; for instance, only explicitly referenced elements can be signed (i.e. no Embedding or Embedded signature modes are allowed). Prior to signing an XML document, a transformation is required to create its canonical representation, taking into account the fact that XML documents can be represented in a number of semantically equivalent ways. There are two main transformations defined by the XML Digital Signature WG at W3C, Inclusive and Exclusive Canonicalization Transforms (C14N and EXC-C14N), which differ in the way namespace declarations are processed. The WSS core specification specifically recommends using EXC-C14N, as it allows copying signed XML content into other documents without invalidating the signature.

In order to provide a uniform way of addressing signed tokens, WSS adds a Security Token Reference (STR) Dereference Transform option, which is comparable with dereferencing a pointer to an object of specific data type in programming languages. Similarly, in addition to the XML Signature-defined ways of addressing signing keys, WSS allows for references to signing security tokens through the STR mechanism (explained in 0), extended by token profiles to accommodate specific token types. A typical signature example is shown in an earlier sample in the section 0.

Typically, an XML signature is applied to secure elements such as SOAP Body and the timestamp, as well as any user credentials, passed in the request. There is an interesting twist when a particular element is both signed and encrypted, since these operations may follow (even repeatedly) in any order, and knowledge of their ordering is required for signature verification. To address this issue, the WSS core specification requires that each new element is pre-pended to the security header, thus defining the "natural" order of operations. A particularly nasty problem arises when there are several security headers in a single SOAP message, using overlapping signature and encryption blocks, as there is nothing in this case that would point to the right order of operations.

=== Confidentiality ===

For its confidentiality protection, WSS relies on yet another standard, XML Encryption. Similarly to XML-dsig, this standard operates on selected elements of the SOAP message, but it then replaces the encrypted element's data with a <xenc:EncryptedData> sub-element carrying the encrypted bytes. For encryption efficiency, the specification recommends using a unique key, which is then encrypted by the recipient's public key and pre-pended to the security header in a <xenc:EncryptedKey> element. A SOAP message with encrypted body is shown in the section 0.

=== Freshness ===

SOAP messages' freshness is addressed via timestamp mechanism, each security header may contain just one such element, which states, in UTC time and using the UTC time format, creation and expiration moments of the security header. It is important to realize that the timestamp is applied to the WSS Header, not to the SOAP message itself, since the latter may contain multiple security headers, each with a different timestamp. There is an unresolved problem with this "single timestampt" approach, since, once the timestamp is created and signed, it is impossible to update it without breaking existing signatures, even in case of a legitimate change in the WSS Header.

<wsu:Timestamp wsu:Id="afc6fbe-a7d8-fbf3-9ac4-f884f435a9c1">
<wsu:Created>2005-01-27T16:46:10Z</wsu:Created>
<wsu:Expires>2005-01-27T18:46:10Z</wsu:Expires>
</wsu:Timestamp>

If a timestamp is included in a message, it is typically signed to prevent tampering and replay attacks. There is no mechanism foreseen to address clock synchronization issue (which, as was already point out earlier, is generally not an issue in modern day systems), this has to be addressed out-of-band as far as the WSS mechanics is concerned. See the further reading section for a design pattern addressing this issue.

== Access Control Mechanisms ==

When it comes to access control decisions, Web Services do not offer specific protection mechanisms by themselves, they just have the means to carry the tokens and data payloads in a secure manner between source and destination SOAP endpoints.

For more complete description of access control tasks, please, refer to other sections of this Development Guide.

=== Identification ===

Identification represents a claim to have certain identity, which is expressed by attaching certain information to the message. This can be a username, an SAML assertion, a Kerberos ticket, or any other piece of information, from which the service can infer who the caller claims to be.

WSS represents a very good way to convey this information, as it defines an extensible mechanism for attaching various token types to a message (see 0). It is the receiver's job to extract the attached token and figure out which identity it carries, or to reject the message if it can find no acceptable token in it.

=== Authentication ===

Authentication can come in two flavors: credentials verification or token validation. The subtle difference between the two is that tokens are issued after some kind of authentication has already happened prior to the current invocation, and they usually contain user's identity along with the proof of its integrity.

WSS offers support for a number of standard authentication protocols by defining binding mechanism for transmitting protocol-specific tokens and reliably linking them to the sender. However, the mechanics of proof that the caller is who he claims to be is completely at the Web Service's discretion. Whether it takes the supplied username and password's hash and checks it against the backend user store, or extracts subject name from the X.509 certificate used for signing the message, verifies the certificate chain and looks up the user in its store, at the moment, there are no requirements or standards which would dictate that it should be done one way or another.

=== Authorization ===

XACML may be used for expressing authorization rules, but its usage is not Web Service-specific, it has much broader scope. So, whatever policy or role-based authorization mechanism the host server already has in place will most likely be utilized to protect the deployed Web Services deployed as well.

Depending on the implementation, there may be several layers of authorization involved at the server. For instance, JSRs 224 (JAX-RPC 2.0) and 109 (Implementing Enterprise Web Services), which define Java binding for Web Services, specify implementing Web Services in J2EE containers. This means that when a Web Service is accessed, there will be a URL authorization check executed by the J2EE container, followed by a check at the Web Service layer for the Web Service-specific resource. Granularity of such checks is implementation-specific and is not dictated by any standards. In the Windows universe it happens in a similar fashion, since IIS is going to execute its access checks on the incoming HTTP calls before they reach the ASP.NET runtime, where SOAP message is going to be further decomposed and analyzed.

=== Policy Agreement ===

Normally, Web Services communication is based on the endpoint's public interface, defined in its WSDL file. This descriptor has sufficient details to express SOAP binding requirements, but it does not define any security parameters, leaving Web Service developers struggling to find out-of-band mechanisms to determine the endpoint's security requirements.

To make up for these shortcomings, WS-Policy specification was conceived as a mechanism for expressing complex policy requirements and qualities, sort of WSDL on steroids. Through the published policy SOAP endpoints can advertise their security requirements, and their clients can apply appropriate measures of message protection to construct the requests. The general WS-Policy specification (actually comprised of three separate documents) also has extensions for specific policy types, one of them,  for security, WS-SecurityPolicy.

If the requestor does not possess the required tokens, it can try obtaining them via trust mechanism, using WS-Trust-enabled services, which are called to securely exchange various token types for the requested identity.

[[Image:Using Trust Service.gif|Figure 5. Using Trust service]]

Unfortunately, both WS-Policy and WS-Trust specifications have not been submitted for standardization to public bodies, and their development is progressing via private collaboration of several companies, although it was opened up for other participants as well. As a positive factor, there have been several interoperability events conducted for these specifications, so the development process of these critical links in the Web Services' security infrastructure is not a complete black box.

== Forming Web Service Chains ==

Many existing or planned implementations of SOA or B2B systems rely on dynamic chains of Web Services for accomplishing various business specific tasks, from taking the orders through manufacturing and up to the distribution process.

[[Image:Service Chain.gif|Figure 6: Service chain]]

This is in theory. In practice, there are a lot of obstacles hidden among the way, and one of the major ones among them, security concerns about publicly exposing processing functions to intra- or Internet-based clients.

Here are just a few of the issues that hamper Web Services interaction, incompatible authentication and authorization models for users, amount of trust between services themselves and ways of establishing such trust, maintaining secure connections, and synchronization of user directories or otherwise exchanging users' attributes. These issues will be briefly tackled in the following paragraphs.

=== Incompatible user access control models ===

As explained earlier, in section 0, Web Services themselves do not include separate extensions for access control, relying instead on the existing security framework. What they do provide, however, are mechanisms for discovering and describing security requirements of a SOAP service (via WS-Policy), and for obtaining appropriate security credentials via WS-Trust based services.

=== Service trust ===

In order to establish mutual trust between client and service, they have to satisfy each other's policy requirements. A simple and popular model is mutual certificate authentication via SSL, but it is not scalable for open service models, and supports only one authentication type. Services that require more flexibility have to use pretty much the same access control mechanisms as with users to establish each other's identities prior to engaging in a conversation.

=== Secure connections ===

Once trust is established it would be impractical to require its confirmation on each interaction. Instead, a secure client-server link is formed and maintained the entire time a client's session is active. Again, the most popular mechanism today for maintaining such link is SSL, but it is not a Web Service-specific mechanism, and it has a number of shortcomings when applied to SOAP communication, as explained in 0.

=== Synchronization of user directories ===

This is a very acute problem when dealing with cross-domain applications, as users' population tends to change frequently among different domains. So, how does a service in domain B decide whether it is going to trust user's claim that he has been already authenticated in domain A? There exist different aspects of this problem. First, a common SSO mechanism, which implies that a user is known in both domains (through synchronization, or by some other means), and authentication tokens from one domain are acceptable in another. In Web Services world, this would be accomplished by passing around a SAML or Kerberos token for a user.

=== Domain federation ===

Another aspect of the problem is when users are not shared across domains, but merely the fact that a user with certain ID has successfully authenticated in another domain, as would be the case with several large corporations, which would like to form a partnership, but would be reluctant to share customers' details. The decision to accept this request is then based on the inter-domain procedures, establishing special trust relationships and allowing for exchanging such opaque tokens, which would be an example of Federation relationships. Of those efforts, most notable example is Liberty Alliance project, which is now being used as a basis for SAML 2.0 specifications. The work in this area is still far from being completed, and most of the existing deployments are nothing more than POC or internal pilot projects than to real cross-companies deployments, although LA's website does list some case studies of large-scale projects.

== Available Implementations ==

It is important to realize from the beginning that no security standard by itself is going to provide security to the message exchanges, it is the installed implementations, which will be assessing conformance of the incoming SOAP messages to the applicable standards, as well as appropriately securing the outgoing messages.

=== .NET Web Service Extensions ===

Since new standards are being developed at a rather quick pace, .NET platform is not trying to catch up immediately, but uses Web Service Extensions (WSE) instead. WSE, currently at the version 2.0, adds development and runtime support for the latest Web Service security standards to the platform and development tools, even while they are still "work in progress". Once standards mature, their support is incorporated into new releases of the .NET platform, which is what is going to happen when .NET 2.0 finally sees the world. The next release of WSE, 3.0, is going to coincide with VS.2005 release and will take advantages of the latest innovations of .NET 2.0 platform in messaging and Web Application areas.

Considering that Microsoft is one of the most active players in the Web Service security area and recognizing its influence in the industry, its WSE implementation is probably one of the most complete and up to date, and it is strongly advisable to run at least a quick interoperability check with WSE-secured .NET Web Service clients. If you have a Java-based Web Service, and the interoperability is a requirement (which is usually the case), in addition to the questions of security testing one needs to keep in mind the basic interoperability between Java and .NET Web Service data structures.

This is especially important since current versions of .NET Web Service tools frequently do not cleanly handle WS-Security's and related XML schemas as published by OASIS, so some creativity on the part of a Web Service designer is needed. That said, WSE package itself contains very rich and well-structured functionality, which can be utilized both with ASP.NET-based and standalone Web Service clients to check incoming SOAP messages and secure outgoing ones at the infrastructure level, relieving Web Service programmers from knowing these details. Among other things, WSE 2.0 supports the most recent set of WS-Policy and WS-Security profiles, providing for basic message security and WS-Trust with WS-SecureConversation. Those are needed for establishing secure exchanges and sessions - similar to what SSL does at the transport level, but applied to message-based communication.

=== Java toolkits ===

Most of the publicly available Java toolkits work at the level of XML security, i.e. XML-dsig and XML-enc, such as IBM's XML Security Suite and Apache's XML Security Java project. Java's JSR 105 and JSR 106 (still not finalized) define Java bindings for signatures and encryption, which will allow plugging the implementations as JCA providers once work on those JSRs is completed.

Moving one level up, to address Web Services themselves, the picture becomes muddier, at the moment, there are many implementations in various stages of incompleteness. For instance, Apache is currently working on the WSS4J project, which is moving rather slowly, and there is commercial software package from Phaos (now owned by Oracle), which suffers from a lot of implementation problems.

A popular choice among Web Service developers today is Sun's JWSDP, which includes support for Web Service security. However, its support for Web Service security specifications in the version 1.5 is only limited to implementation of the core WSS standard with username and X.509 certificate profiles. Security features are implemented as part of the JAX-RPC framework and configuration-driven, which allows for clean separation from the Web Service's implementation.

=== Hardware, software systems ===

This category includes complete systems, rather than toolkits or frameworks. On one hand, they usually provide rich functionality right off the shelf, on the other hand, its usage model is rigidly constrained by the solution's architecture and implementation. This is in contrast to the toolkits, which do not provide any services by themselves, but handing system developers necessary tools to include the desired Web Service security features in their products' or to shoot themselves in the foot by applying them inappropriately.

These systems can be used at the infrastructure layer to verify incoming messages against the effective policy, check signatures, tokens, etc, before passing them on to the target Web Service. When applied to the outgoing SOAP messages, they act as a proxy, now altering the messages to decorate with the required security elements, sign and/or encrypt them.

Software systems are characterized by significant configuration flexibility, but comparatively slow processing. On the bright side, they often provide high level of integration with the existing enterprise infrastructure, relying on the back-end user and policy stores to look at the credentials, extracted from the WSS header, from the broader perspective. An example of such service is TransactionMinder from the former Netegrity, a Policy Enforcement Point for Web Services behind it, layered on top of the Policy Server, which makes policy decisions by checking the extracted credentials against the configured stores and policies.

For hardware systems, performance is the key, they have already broken gigabyte processing threshold, and allow for real-time processing of huge documents, decorated according to the variety of the latest Web Service security standards, not only WSS. The usage simplicity is another attractive point of those systems - in the most trivial cases, the hardware box may be literally dropped in, plugged, and be used right away. These qualities come with a price, however, this performance and simplicity can be achieved as long as the user stays within the pre-configured confines of the hardware box. The moment he tries to integrate with the back-end stores via callbacks (for those solutions that have this capability, since not all of them do), most of the advantages are lost. As an example of such hardware device, Layer 7 Technologies provides a scalable SecureSpan Networking Gateway, which acts both as the inbound firewall and the outbound proxy to handle XML traffic in real time.

== Problems ==

As is probably clear from the previous sections, Web Services are still experiencing a lot of turbulence, and it will take a while before they can really catch on. Here is a brief look at what problems surround currently existing security standards and their implementations.

=== Immaturity of the standards ===

Most of the standards are either very recent (couple years old at most), or still being developed. Although standards development is done in committees, which, presumably, reduces risks by going through an exhaustive reviewing and commenting process, some error scenarios still slip in periodically, as no theory can possibly match the testing resulting from pounding by thousands of developers working in the real field.

Additionally, it does not help that for political reasons some of these standards are withheld from public process, which is the case with many standards from the WSA arena (see 0), or that some of the efforts are duplicated, as was the case with LA and WS-Federation specifications.

=== Performance ===

XML parsing is a slow task, which is an accepted reality, and SOAP processing slows it down even more. Now, with expensive cryptographic and textual conversion operations thrown into the mix, these tasks become a performance bottleneck, even with the latest crypto- and XML-processing hardware solutions offered today. All of the products currently on the market are facing this issue, and they are trying to resolve it with varying degrees of success.

Hardware solutions, while substantially (by orders of magnitude) improving the performance, cannot always be used as an optimal solution, as they cannot be easily integrated with the already existing back-end software infrastructure, at least, not without making performance sacrifices. Another consideration whether hardware-based systems are the right solution, they are usually highly specialized in what they are doing, while modern Application Servers and security frameworks can usually offer a much greater variety of protection mechanisms, protecting not only Web Services, but also other deployed applications in a uniform and consistent way.

=== Complexity and interoperability ===

As could be deduced from the previous sections, Web Service security standards are fairly complex, and have very steep learning curve associated with them. Most of the current products, dealing with Web Service security, suffer from very mediocre usability due to the complexity of the underlying infrastructure. Configuring all different policies, identities, keys, and protocols takes a lot of time and good understanding of the involved technologies, as most of the times errors that end users are seeing have very cryptic and misleading descriptions.

In order to help administrators and reduce security risks from service misconfigurations, many companies develop policy templates, which group together best practices for protecting incoming and outgoing SOAP messages. Unfortunately, this work is not currently on the radar of any of the standard's bodies, so it appears unlikely that such templates will be released for public use any time soon. Closest to this effort may be WS-I's Basic Security Profile (BSP), which tries to define the rules for better interoperability among Web Services, using a subset of common security features from various security standards like WSS. However, this work is not aimed at supplying the administrators with ready for deployment security templates matching the most popular business use cases, but rather at establishing the least common denominator.

=== Key management ===

Key management usually lies at the foundation of any other security activity, as most protection mechanisms rely on cryptographic keys one way or another. While Web Services have XKMS protocol for key distribution, local key management still presents a huge challenge in most cases, since PKI mechanism has a lot of well-documented deployment and usability issues. Those systems that opt to use homegrown mechanisms for key management run significant risks in many cases, since questions of storing, updating, and recovering secret and private keys more often than not are not adequately addressed in such solutions.

== Further Reading ==

*SearchSOA, SOA needs practical operational governance, Toufic Boubez

http://searchsoa.techtarget.com/news/interview/0,289202,sid26_gci1288649,00.html?track=NL-110&ad=618937&asrc=EM_NLN_2827289&uid=4724698

*Whitepaper: Securing XML Web Services: XML Firewalls and XML VPNs

http://forms.layer7tech.com/content/Download?docid=1114&docname=Securing%20XML%20Web%20Services:%20SSL,%20XML%20Firewalling,%20and%20Beyond

*eBizQ, The Challenges of SOA Security, Peter Schooff

http://www.ebizq.net/blogs/news_security/2008/01/the_complexity_of_soa_security.php

*Piliptchouk, D., WS-Security in the Enterprise, O'Reilly ONJava

http://www.onjava.com/pub/a/onjava/2005/02/09/wssecurity.html

http://www.onjava.com/pub/a/onjava/2005/03/30/wssecurity2.html

*WS-Security OASIS site

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

*Microsoft, ''What's new with WSE 3.0''

http://msdn.microsoft.com/webservices/webservices/building/wse/default.aspx?pull=/library/en-us/dnwse/html/newwse3.asp

*Eoin Keary, Preventing DOS attacks on web services

https://www.threatsandcountermeasures.com/wiki/default.aspx/ThreatsAndCountermeasuresCommunityKB.PreventingDOSAttacksOnWebServices 

== Reference ==

[[Guide Table of Contents|Development Guide Table of Contents]]

[[Category:FIXME|broken link]] [[Category:OWASP_Guide_Project]] [[Category:Web_Services]]

Tips for using the project's requirements, use-cases, and user stories

2012-04-19T04:48:04Z

Zakiakhmad:

This project attempts to present a choice of potential requirements. Pick what you need, improve what you pick, and don't worry about the rest.

Some of the "requirements" are designed to stimulate questions. For example, the "compliance with existing contracts" isn't a security requirement per se, but if your organization has a contract in-place dictating certain requirements, you probably ought to figure that out. The classic example is your company's contract with your Acquiring Bank if you're accepting credit cards. In addition to being compelled to comply with PCI-DSS standards, you may also be compelled to ask the shopper to identify whether their card is debit or credit etc.

That's not a big security requirement, '''HOWEVER''' if you fail to identify that early, what are the odds that you'll shoehorn it in '''SECURELY''' at a later time?

Other tips:

# Understanding the requirements is the key to success. If YOU don't understand them and can't explain WHY they're needed, you're doomed.
# Examples are being collected to help you achieve and communicate understanding. Look here: [[Useful links to real-world examples of failed web security]] and if you've got better examples, please add them
# Overall the project is vendor, platform, and language-agnostic. Some requirements specific to various scenarios are accumulating haphazardly here: [[Other really good requirements that aren't generic enough to be part of the project but that might be what you're looking for in YOUR environment]]

Tips for using the project's requirements, use-cases, and user stories

2012-04-19T04:47:28Z

Zakiakhmad:

Projects/OWASP Application Security Requirements Project

2012-04-19T03:06:25Z

Zakiakhmad:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>
| project_name = OWASP Application Security Requirements Project
| project_home_page = :Category:OWASP Application Security Requirements Project
| project_description =
*The intent of this project is to assemble a useful base of generic/common web application security requirements that could be used in most projects.
*The product of this project is intended to help all involved in web application security, whether it is project management, risk assessment, software development, testing, etc.
*The reason d'etre of this project is that, whilst security requirements are sometimes well captured and clearly defined, there are other times when they are not, for any number of reasons.

| project_license = [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution ShareAlike 3.0 license]

| leader_name1 = Luis Martinez Bacha
| leader_email1 = luismartinezbacha@owasp.org
| leader_username1 = Luis_Armando_Martinez_Bacha

| contributor_name1 = Zaki Akhmad
| contributor_email1 = za@owasp.org
| contributor_username1 = Zakiakhmad

| contributor_name[1-10] = Zaki Akhmad
| contributor_email[1-10] = za@owasp.org
| contributor_username[1-10] = Zakiakhmad

| pamphlet_link =

| presentation_link =

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-appsec-requirements

| project_road_map =
 
# Identify taxonomy/categorization and prioritize
# Identify industry standards for requirements definition
# Define detailed work plan
# Define requirements according to plan
# Publish first draft
# Get feedback and adjust plan

| links_url1 = https://www.owasp.org/index.php/High_Level_Requirements_Categories
| links_name1 = High Level Requirements Categories

| links_url2 = https://www.owasp.org/index.php/Tips_for_using_the_project%27s_requirements,_use-cases,_and_user_stories
| links_name2 = Tips for using the project's requirements, use-cases, and user stories

| links_url3 = https://www.owasp.org/index.php/Other_really_good_requirements_that_aren%27t_generic_enough_to_be_part_of_the_project_but_that_might_be_what_you%27re_looking_for_in_YOUR_environment
| links_name3 = Other really good requirements that aren't generic enough to be part of the project but that might be what you're looking for in YOUR environment

| links_url4 =
| links_name4 =

| links_url[5-10] =
| links_name[5-10] =

| release_1 =
| release_2 =
| release_3 =
| release_4 =


| project_about_page = Projects/OWASP Application Security Requirements Project

}}

Projects/OWASP Application Security Requirements Project

2012-04-19T03:05:51Z

Zakiakhmad:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>
| project_name = OWASP Application Security Requirements Project
| project_home_page = :Category:OWASP Application Security Requirements Project
| project_description =
*The intent of this project is to assemble a useful base of generic/common web application security requirements that could be used in most projects.
*The product of this project is intended to help all involved in web application security, whether it is project management, risk assessment, software development, testing, etc.
*The reason d'etre of this project is that, whilst security requirements are sometimes well captured and clearly defined, there are other times when they are not, for any number of reasons.

| project_license = [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution ShareAlike 3.0 license]

| leader_name1 = Luis Martinez Bacha
| leader_email1 = luismartinezbacha@owasp.org
| leader_username1 = Luis_Armando_Martinez_Bacha

| contributor_name1 = Zaki Akhmad
| contributor_email1 = za@owasp.org
| contributor_username1 = Zakiakhmad

| contributor_name[1-10] = Zaki Akhmad
| contributor_email[1-10] = za@owasp.org
| contributor_username[1-10] = Zakiakhmad

| pamphlet_link =

| presentation_link =

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-appsec-requirements

| project_road_map =

# Identify taxonomy/categorization and prioritize
# Identify industry standards for requirements definition
# Define detailed work plan
# Define requirements according to plan
# Publish first draft
# Get feedback and adjust plan

| links_url1 = https://www.owasp.org/index.php/High_Level_Requirements_Categories
| links_name1 = High Level Requirements Categories

| links_url2 = https://www.owasp.org/index.php/Tips_for_using_the_project%27s_requirements,_use-cases,_and_user_stories
| links_name2 = Tips for using the project's requirements, use-cases, and user stories

| links_url3 = https://www.owasp.org/index.php/Other_really_good_requirements_that_aren%27t_generic_enough_to_be_part_of_the_project_but_that_might_be_what_you%27re_looking_for_in_YOUR_environment
| links_name3 = Other really good requirements that aren't generic enough to be part of the project but that might be what you're looking for in YOUR environment

| links_url4 =
| links_name4 =

| links_url[5-10] =
| links_name[5-10] =

| release_1 =
| release_2 =
| release_3 =
| release_4 =


| project_about_page = Projects/OWASP Application Security Requirements Project

}}

Projects/OWASP Application Security Requirements Project

2012-04-19T02:59:26Z

Zakiakhmad:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>
| project_name = OWASP Application Security Requirements Project
| project_home_page = :Category:OWASP Application Security Requirements Project
| project_description =
*The intent of this project is to assemble a useful base of generic/common web application security requirements that could be used in most projects.
*The product of this project is intended to help all involved in web application security, whether it is project management, risk assessment, software development, testing, etc.
*The reason d'etre of this project is that, whilst security requirements are sometimes well captured and clearly defined, there are other times when they are not, for any number of reasons.

| project_license = [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution ShareAlike 3.0 license]

| leader_name1 = Luis Martinez Bacha
| leader_email1 = luismartinezbacha@owasp.org
| leader_username1 = Luis_Armando_Martinez_Bacha

| contributor_name1 = Zaki Akhmad
| contributor_email1 = za@owasp.org
| contributor_username1 = Zakiakhmad

| contributor_name[1-10] = Zaki Akhmad
| contributor_email[1-10] = za@owasp.org
| contributor_username[1-10] = Zakiakhmad

| pamphlet_link =

| presentation_link =

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-appsec-requirements

| project_road_map =

| links_url1 = https://www.owasp.org/index.php/High_Level_Requirements_Categories
| links_name1 = High Level Requirements Categories

| links_url2 = https://www.owasp.org/index.php/Tips_for_using_the_project%27s_requirements,_use-cases,_and_user_stories
| links_name2 = Tips for using the project's requirements, use-cases, and user stories

| links_url3 = https://www.owasp.org/index.php/Other_really_good_requirements_that_aren%27t_generic_enough_to_be_part_of_the_project_but_that_might_be_what_you%27re_looking_for_in_YOUR_environment
| links_name3 = Other really good requirements that aren't generic enough to be part of the project but that might be what you're looking for in YOUR environment

| links_url4 =
| links_name4 =

| links_url[5-10] =
| links_name[5-10] =

| release_1 =
| release_2 =
| release_3 =
| release_4 =


| project_about_page = Projects/OWASP Application Security Requirements Project

}}

AppSecAsiaPac2012

2012-04-13T08:30:50Z

Zakiakhmad:

__NOTOC__
[[File:Twitter_followus.jpg]]'''[https://twitter.com/#!/AppSecAsia Follow us] or tweet about us using the hashtag #appsecasia'''

{| border="0" align="center" style="width: 100%;"
|-
| style="width: 75%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
[[File:Owasp appsecAsia2012ConfBanner.jpg]]
| style="width: 25%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
[[File:RegisterForAppsec.png|link=http://www.regonline.com/appsecapac2012]]
|}
=Welcome=

{{Social Media Links}}



{| border="0" cellpadding="15" align="center" class="FCK__ShowTableBorders" style="width: 100%;"
|-
| style="width: 35%; background: none repeat scroll 0% 0% rgb(255, 255, 255); color: black;" |
<center>[[File:Owaspconf2012_small320w.jpg]]</center>

 
 
'''Welcome to the OWASP 2012 Appsec Asia Pacific Conference.'''

The event is being held in Sydney, Australia from the 11th to the 14th of April 2012 at the Four Points Sheraton Darling Harbour.

The conference consists of 2 days of world class training by OWASP instructor's followed by 2 days of quality presentations and keynotes from industry leaders, OWASP projects and industry consultants. In previous years the OWASP Asia Pacific conference has been rated as one of the "must attend" events of the year, with the conference always filling up quickly.
 

'''Who should attend this conference:'''

* Application Developers, Testers, Quality Assurance Team Members
* Chief Information Officers, Security Officers, Technology Officers
* Security Managers and Staff
* Executives, Managers and staff responsible for IT Security Governance
* IT Professionals interested in Improving Information Security
 

'''Conference Highlights:'''

* Alastair MacGibbon: Keynote Presentation (more information available on "Speakers" Tab)
* Jacob West (Fortify - HP): Keynote Presentation (more information available on "Speakers" Tab)
* Industry Leading training - Exploiting Web Applications with Samurai-WTF
* Industry Panel from Finance and Insurance Sectors
* Networking Opportunities to meet peers and other developers
* Gain access to resources within OWASP projects as well as leading vendors
 
[[File:RegisterForAppsec.png|link=http://www.regonline.com/appsecapac2012]]

| style="width: 20%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
<center>'''Thank you to all of our supporters!'''</center>
 
<h2><center>Diamond & Platinum Sponsors</center></h2>

<center>[[File:Fortify HP logo.png|link=http://www.fortify.com]]</center>

<h2><center>Gold & Silver Sponsors</center></h2>

<center>[[File:AppsecureLogo.jpg|link=http://www.appsecure.com/]]</center> 

<center>[[File:CS-LogoWeb.png|link=http://www.contentsecurity.com.au/]]</center> 

<center>[[File:GASystems-logo.jpg|link=http://www.gasystems.com.au/]]</center> 

<center>[[File:Imperva 312x54.jpg|link=http://www.imperva.com/]]</center> 

<center>[[File:Ionize75H.jpg‎|link=http://www.ionize.com.au/]]</center> 

<center>[[File:SPL-LOGO-LARGE.png|link=http://www.trustwave.com/]]</center> 

<h2><center> Associations & Supporters</center></h2>
We are proudly supported by the following Industry Associations and Media outlets.

<center>[[File:Auscert-Header-logo.gif|link=http://www.auscert.org.au/]]</center>

<center>[[File:AisaLogo.png|link=http://www.aisa.org.au/]]</center>

|}

=Registration Costs=

{{:AppSecAsiaPac2012/Register}}

=Training=

{{:AppSecAsiaPac2012/Training}}

= Conference Schedule=

'''[https://www.surveymonkey.com/s/Australia2012_Talk40 Click here to take event survey] or click on the talk titles below to rate that individual talk.'''

{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 85%;"
|-
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''Conference Day 1 - Friday - April 13th''' 
 
|-
|align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | ''(Time Allocated)''
| align="center" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Track 1 - Detect''' (Grand Ballroom 2)
| align="center" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | '''Track 2 - Protect''' (Grand Ballroom 3)
| align="center" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | '''Track 3 - Leadership & OWASP''' (Grand Ballroom 1)
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''7:30 - 8:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Conference Registration Open - Coffee & Tea Available '''
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:30-8:40 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Conference Opening - Appsec Asia 2012'''
Speakers: Conference Committee Chair - Mr. Justin Derry
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:40-9:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''[https://www.surveymonkey.com/s/Australia2012_Talk1 KeyNote: Presentation]'''
Speaker: Alastair MacGibbon
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:30-9:40 AM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:40-10:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''[https://www.surveymonkey.com/s/Australia2012_Talk2 KeyNote: Software Security Goes Mobile]'''
Speaker: Jacob West
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''10:30-11:00 AM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Morning Tea - Provided for attendees in main EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:00-11:50 AM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk37 You can't filter the stupid!]'''
 Speakers: Charles Henderson & Daniel Crowley
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk8 Advanced Mobile Application Code Review Techniques]'''
 Speakers: Prashant Vema & Dinesh Shetty
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk14 Effective Software Development in a PCI-DSS Environment]'''
 Speaker: Bruce Ashton
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:50-12:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:00-12:50 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk35 The risks that Pen Tests don't find]'''
 Speaker: Gary Gaskell
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk28 Rethinking Web Application Architecture for Cloud]'''
 Speaker: Arshad Noor
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk22 OWASP Project - Secure Coding Practices Quick Reference Guide]'''
 Speaker: Justin Clarke
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:50-1:30 PM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level'''
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''1:30-2:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk20 Overcoming the Quality vs Quantity Problem in Software Security Testing]'''
 Speaker: Rafal Los
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk18 Mobile Security on iOS and Andriod]'''
 Speaker: Mike Park
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk34 Effective Education Programs using OWASP]'''
 Speaker: Sandeep Nain
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:20-2:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:30-3:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk25 Pen Testing Mobile Applications]'''
 Speaker: Tony Liu & Rainman Wu
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk10 Application Security Logging & Monitoring, The Next Frontier]'''
 Speaker: Peter Freiberg
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk19 Modern Software Security Assurance with OpenSAMM]'''
 Speaker: Pravir Chandra
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:30-4:00 PM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Afternoon Tea - Provided for attendees in EXPO & Conference Hall - Ground Level'''
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:00-4:50 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk15 Harder, Better, Faster, Stronger (SQLi)]'''
 Speakers: Luke Jahnke & Louis Nyffenegger
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk30 Securing the SSL Channel against Man-in-the-middle Attacks]'''
 Speaker: Tobias Gondrom
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk23 OWASP Project - ZED Attack Proxy]'''
 Speaker: Simon Bennetts
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:50-5:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:00-5:30 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''[https://www.surveymonkey.com/s/Australia2012_Talk7 Panel Discussion - Application Security Trends in 2012]'''
Moderator: Christian Frichot, Panelists: Rafal Los, Charles Henderson, Pravir Chandra & Jeremiah Grossman
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:30-6:30 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP - Afternoon Networking Event - Ground Floor - Four Points Sheraton'''
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''6:30 - 10:00 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP - Gala Dinner - Grand Ballroom. (Inclusive in Conference Fee) [https://www.surveymonkey.com/s/Australia2012_Talk3 Speaker: Tammy Wolffs - Director, Cyber Security at Department of Broadband, Communications and the Digital Economy]'''
|}

'''[https://www.surveymonkey.com/s/Australia2012_Talk40 Click here to take event survey] or click on the talk titles below to rate that individual talk.'''

{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 85%;"
|-
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''Conference Day 2 - Saturday- April 14th''' 
 
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | ''(Time Allocated)''
| align="center" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Track 1 - Detect''' (Grand Ballroom 2)
| align="center" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | '''Track 2 - Protect''' (Grand Ballroom 3)
| align="center" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | '''Track 3 - Leadership & OWASP''' (Grand Ballroom 1)
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''7:30 - 8:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Conference Registration Open - Coffee & Tea Available '''
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:30-8:40 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Conference Day 2 Update- Appsec Asia 2012'''
Speakers: Conference Committee Chair - Mr Justin Derry
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:40-9:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''[https://www.surveymonkey.com/s/Australia2012_Talk6 KeyNote: Presentation]'''
Speaker: Jeremiah Grossman
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:30-9:40 AM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:40-10:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''[https://www.surveymonkey.com/s/Australia2012_Talk4 KeyNote: OWASP Foundation Update]'''
Speakers: Justin Searle and Justin Clarke
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''10:30-11:00 AM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Morning Tea - Provided for attendees in main EXPO & Conference Hall - Ground Level'''
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:00-11:50 AM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk26 Pentesting iOS Applications]'''
 Speaker: Jason Haddix
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk24 Password Less Authentication & Authorization & Payments]'''
 Speaker: Srikar Sagi
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk13 De-Anonymizing Anonymous]'''
 Speaker: Wayne O'Young
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:50-12:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:00-12:50 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk17 HTTP Fingerprinting - Next Generation]'''
 Speaker: Eldar Marcussen
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk36 Web Crypto for the Developer who has better things to do]'''
 Speaker: Adrian Hayes
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk33 Static Code Analysis & Governance]'''
 Speaker: Jonathan Carter
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:50-1:30 PM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level'''
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''1:30-2:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk31 Shake Hooves with BeEF]'''
 Speaker: Christian Frichot
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk12 Data Breaches - When Application Security Goes Wrong]'''
 Speaker: Mark Goudie
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | SPONSOR PRESENTATION  '''[https://www.surveymonkey.com/s/Australia2012_Talk38 Next Generation WAF]'''
 Speaker: GA Systems
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:20-2:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:30-3:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk27 Pentesting Smart Grid Web Apps]'''
 Speaker: Justin Searle
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk16 How MITM Proxy has been slaying SSL Dragons]'''
 Speaker: Jim Cheetham
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | SPONSOR PRESENTATION  '''[https://www.surveymonkey.com/s/Australia2012_Talk39 Click here to give feedback]'''
 Speaker: Trustwave Spiderlabs
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:20-3:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:30-4:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk29 Rise of the Planet of the Anonymous]'''
 Speaker: Errazudin Ishak
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''[https://www.surveymonkey.com/s/Australia2012_Talk9 Anatomy of a Logic Flaw]'''
 Speakers: Charles Henderson & Daniel Crowley
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | SPONSOR PRESENTATION  '''[https://www.surveymonkey.com/s/Australia2012_Talk5 Websense]'''
 Speaker: Content Security
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:20-4:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:30-5:00 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''[https://www.surveymonkey.com/s/Australia2012_Talk40 OWASP Appsec Asia 2012 - Conference Wrap Up]'''
Speakers: OWASP Appsec Asia Conference Committee
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:00-6:00 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP Sponsor - Afternoon Networking Event - TBA'''
|}



=Keynote Speakers=

'''In alphabetical order:'''

==Alastair MacGibbon==
Alastair MacGibbon is an internationally-respected authority on cybercrime, including Internet fraud, consumer victimisation and a range of Internet security and safety issues. He is the managing partner of Surete Group, a consultancy dealing with improved customer retention for Internet companies by increasing trust and reducing negative user experiences. Prior to this for almost 5 years Alastair headed Trust & Safety at eBay Australia and later eBay Asia Pacific. He was a Federal Agent with the Australian Federal Police for 15 years, his final assignment as the founding Director of the Australian High Tech Crime Centre.

==Jacob West==
Jacob West is Director, Software Security Research for the Enterprise Security Products division of Hewlett-Packard. West is a world-recognized expert on software security and brings a technical understanding of the languages and frameworks used to build software together with extensive knowledge about how real-world systems fail. In 2007, he co-authored the book "Secure Programming with Static Analysis" with colleague and Fortify founder Brian Chess. Today, the book remains the only comprehensive guide to static analysis and how developers can use it to avoid the most prevalent and dangerous vulnerabilities in code. West is a frequent speaker at industry events, including RSA Conference, Black Hat, Defcon, OWASP, and many others. A graduate of the University of California, Berkeley, West holds dual-degrees in Computer Science and French and resides in San Francisco, California.

==Dr. Jason Smith from CERT Australia==
Dr Jason Smith is an assistant director at the national CERT, CERT Australia, which is part of the Attorney-General's Department. He is an experienced cyber security researcher and consultant, having provided consultancy services over the last decade on information infrastructure protection to government and critical infrastructure utilities.

Since joining government Jason has been involved in the development and execution national scale cyber exercises and the advanced cyber security training for control systems conducted by the US Department of Homeland Security.

Jason holds a degree in software engineering and data communications, a PhD in information security and is an Adjunct Associate Professor at the Queensland University of Technology.

[http://www.cert.gov.au/ About CERT Australia]

==Jeremiah Grossman==
Jeremiah Grossman is the Founder and CTO of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, NY Times and many other mainstream media outlets. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on five continents at hundreds of events including BlackHat, RSA, ISSA, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, UCLA, and Carnegie Mellon. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and previously named one of InfoWorld's Top 25 CTOs. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!

Mr. Grossman was recently a speaker at TEDxMaui. [http://tedxmaui.com/2011/12/30/speaker-spotlight-jeremiah-grossman/ Learn more here.]

=Track Session Speakers=

{{:AppSecAsiaPac2012/Talks}}

=Sponsors=

The Conference Committee is excited to announce that the conference has been openly supported by the following vendors and associations. Without the great support of these companies and organisations the 2012 event would not be what it is today.

<h2>Diamond & Platinum Sponsors</h2>
The OWASP Conference 2012, welcomes our sponsors for Diamond and Platinum. There are still spaces available for sponsorship, but it's closing fast.

More information is available on our sponsorship packages by viewing the sponsor pack [[File:AppSec AsiaPac 2012 Sponsorship.pdf]]. Contact our Committee for more information.

[[File:Fortify HP logo.png|link=http://www.fortify.com]]

<h2>Gold & Silver Sponsors</h2>
The OWASP Conference 2012, welcomes our sponsors for Gold and Silver. The conference still has availability for other Gold and Silver sponsors.

[[File:AppsecureTransLogo.png|link=http://www.appsecure.com/]]
[[File:Imperva 312x54.jpg|link=http://www.imperva.com/]]
[[File:Ionize75H.jpg‎|link=http://www.ionize.com.au/]]
[[File:CS-LogoWeb.png|link=http://www.contentsecurity.com.au/]]
[[File:Trustwave small.png|link=http://www.trustwave.com/]]

<h2> Associations & Supporters</h2>
We are proudly supported by the following Industry Associations and Media outlets.

[[File:Auscert-Header-logo.gif|link=http://www.auscert.org.au/]]
[[File:AisaLogo.png|link=http://www.aisa.org.au/]]

=Chapters Workshop=

{{:AppSecAsiaPac2012/Chapters_Workshop}}

=Venue=

We're excited to announce that the location of the OWASP Conference for Appsec Asia 2012 will be held at:

'''Four Points Sheraton, Darling Harbour''' 
161 Sussex Street 
Sydney, New South Wales 2000 
Australia 
 

The facility provides hotel rooms and conference facilities, OWASP has secured cheap room rates directly in the hotel for the duration of the event.

If you don't know your way around Sydney, here's the Google Maps link to the Hotel.

http://maps.google.com.au/maps/place?q=Four+Points+by+Sheraton+Sydney,+Sussex+Street,+Sydney,+New+South+Wales&hl=en&cid=7369128618339939693

[[File:FourPointsSheratonDarlingHarbour.jpg]]
 

We are using both the Ground and upper levels. The majority of the event will be held on the ground level, including all breaks etc. Attendees will find the registration and conference desk located at the Ground level near Hotel Reception. (You're not going to get lost, as we take up most of the ground level for this event.)

Further details about venue locations will be posted when they become available.

=Travel and Accommodations=
For assistance with any of the items below, feel free to utilize OWASP's preferred travel agency: 
Segale Travel Service contact information is: +1-800-841-2276 
Sr. Travel Consultants: 
[mailto:mariam@segaletravel.com Maria Martinez]...ext 524 
[mailto:linnv@segaletravel.com Linn Vander Molen]...ext 520

Additionally, the [mailto:appsecasia2012@owasp.org Conference Planning Team] is available to answer any questions!

==Accommodation==

We've been able to arrange for accommodation within the Four Points Sheraton Hotel(where the training and conference will be held) for attendees. These rooms have been allocated at a special rate, and available strictly for a limited time. To book these rooms at the special rate, you need to use the booking link shown below. These rooms are available one night either side of the event ensuring that if you are travelling interstate or international it's easy to find a room at a good rate. The room rate allocated for the event is $200 AUD Inclusive per night.

'''Four Points Sheraton, Darling Harbour''' 
161 Sussex Street 
Sydney, New South Wales 2000 
Australia 
 

'''[http://www.starwoodmeeting.com/Book/OWASP http://www.starwoodmeeting.com/Book/OWASP]'''

==Travel Domestic==

The OWASP Conference is to be held in Sydney at the Darling Harbour precinct. Hotel Location, http://maps.google.com.au/maps/place?q=Four+Points+by+Sheraton+Sydney,+Sussex+Street,+Sydney,+New+South+Wales&hl=en&cid=7369128618339939693

==International Travel==

The Sydney International Airport is located adjacent to the Domestic terminal. Similar taxi fares to the city and hotel venue apply.
If you are travelling by train, you can ride the train from the International terminal all the way to the Town Hall station as above.

==Airport Transportation==

*Any major Airline carrier will fly you into Sydney Airport, from here, you can take a Taxi (Approx $35-40 AUD).
*[http://www.kst.com.au KST Sydney Airport Shuttle] -- $18AUD oneway/ $32AUD roundtrip
* Another option is the train from the Airport, which you can ride all the way into the closest station which is Town Hall. From this stop the hotel is a small downhill walk (no more then 5-10mins) from the station.

==Driving Instructions==

''From Sydney Airport (South)''

Travel along Southern Cross Drive and take the South Dowling Street exit.

Turn right onto Dacey Avenue.

At the second set of traffic lights turn left onto Anzac Parade.

Follow Anzac Parade past Moore Park on your right; Anzac Parade will become Flinders Street.

Turn left onto Oxford Street and follow to Liverpool Street; Hyde Park will be on your right.

Continue along Liverpool Street and turn right onto Kent Street.

Travel five blocks and turn left onto Erskine Street.

Immediately turn left again onto Sussex Street. The hotel will be on your right.

''From East''

Proceed along New South Head Road. Continue onto William Street and then onto Park Street; Hyde Park will be on your right.

Proceed along Park Street as it becomes Druitt Street and turn right onto Kent Street.

Travel approximately three blocks and turn left onto Erskine Street.

Immediately turn left again onto Sussex Street. The hotel will be on your right.

''From West''

Proceed along the Western Distributor towards the city taking the City North exit followed by the Sussex Street South Exit.

Turn right onto Sussex Street, the hotel will be on your right.

''From North''

Take the Pacific Highway/Warringah Highway and proceed over the Sydney Harbour Bridge.

Take the York street exit off the bridge and continue along before turning right into Erskine Street .

Proceed approximately three blocks before turning left into Sussex Street. The hotel will be on your right.

=Contact Us=

Justin Derry - Planning Committee Co-Chair 
Andrew van der Stock - Planning Committee Co-Chair 
Christian Frichot - Planning Committee Member 
Andrew Mueller - Planning Committee Member 
Mohd Fazli Azran - Global Conference Committee Liaison 
Sarah Baso - OWASP Operational Support 

If you are interested in helping out with this conference or have any questions, please contact us at: appsecasia2012@owasp.org

=Archives=

*[https://www.owasp.org/index.php/AppSecAsiaPac2012/CFP Call for Papers]
*[[Speaker Agreement]]
*[https://www.owasp.org/index.php/AppSecAsiaPac2012/CFT Call for Trainers]
*[https://www.owasp.org/images/8/80/APAC2012_Training_Instructor_Agreement.pdf Training Instructor Agreement]
*Information about the [https://www.owasp.org/index.php/AppSecAsiaPac2012/OWASP_Track OWASP Track]



<headertabs />

Projects/OWASP Mobile Security Project - Security Testing

2012-04-09T07:49:42Z

Zakiakhmad: /* Network Traffic Analysis */

== Mobile Security Testing ==

A major priority of the OWASP Mobile Security Project is to help standardize and disseminate mobile application testing methodologies. While specific techniques exist for individual platforms, the general "mobile" threat model can be used to create a generic testing methodology.

The below outline describes a general mobile application assessment methodology.

# Dynamic Analysis
## Debug the running app (on device or in emulator)
## Analyze network traffic
## Analyze remote services (HTTP/SOAP/etc)
# Static Analysis
## Get Application
### Extract application from device
### Receive application package from developers
## Source Code Review
## Reverse Engineering
## Disassembly
## Patching

== Testing Tools ==

=== Network Traffic Analysis ===

* [http://intrepidusgroup.com/insight/mallory/ Mallory] - Mallory is an open source transparent tcp/udp proxy that allows a tester to step through network traffic bytes at a time. Mallory is designed to function as a network gateway, thus facillitating the testing of embedded devices and applications that cannot easily be proxified.
* [http://mitmproxy.org/index.html mitmproxy]

=== Disassembly Tools & Resources ===

Disassembling applications provides a wealth of information for a security researcher. Platform differences lead to different toolsets for investigation of application internals.

==== Android ====

[http://code.google.com/p/smali/ smali/basksmali] - smali and baksmali are an assembler/disassembler pair that can be used to analyze the Dalvik byte code of an Android application. 

[http://jack-mannino.blogspot.com/2010/09/reversing-android-apps-101.html Reversing Android Apps 101] - Blog post describing the process of disassembling / reversing Android applications

==== RIM ====

TBD

==== iOS ====

''(This page is a work in progress so check back regularly...)''

The approach is somewhat different (in comparison to others platforms) when carrying out dynamic and static analysis on iOS applications. One approach is to become a registered Apple Developer to gain access to the goodness that is Xcode, Simulator, etc. and the other is jail breaking your phone. We will look at this from the perspective of being a registered Apple Developer for and using Apple's Simulator for now. You will need to be running a recent version of Snow Leopard to carry out testing using this route.

'''Methodology'''

First download the iOS Software Development Kit - inside this contains Xcode, the iPhone and iPad simulators and some other goodies.

Using Mallory with airbase-ng.

... TO DO.

'''Tool dump''':

* Charles Proxy - transparent proxy tool even with cert support.
* otool - Mach-O Object file reader. Use to disassemble and inspect iOS applications
* class-dump-x - read class declarations and structs
* clang analyzer - static analysis for C, C++, and Objective-C source code
* Instruments - the sysinternals for Mac OS X
* Shark - analyze assembly level operations
* Mallory - to perform MiTM on iOS applications
* IDA Pro - Commercial disassembler and debugger.
* Hex Rays Decompiler - IDA Pro plug-in for decompilation of ARM assembly

Projects/OWASP Mobile Security Project - Security Testing

2012-04-09T07:48:55Z

Zakiakhmad: /* Network Traffic Analysis */

Projects/OWASP Mobile Security Project - Security Testing

2012-04-09T06:12:18Z

Zakiakhmad: /* Mobile Security Testing */

== Mobile Security Testing ==

A major priority of the OWASP Mobile Security Project is to help standardize and disseminate mobile application testing methodologies. While specific techniques exist for individual platforms, the general "mobile" threat model can be used to create a generic testing methodology.

The below outline describes a general mobile application assessment methodology.

# Dynamic Analysis
## Debug the running app (on device or in emulator)
## Analyze network traffic
## Analyze remote services (HTTP/SOAP/etc)
# Static Analysis
## Get Application
### Extract application from device
### Receive application package from developers
## Source Code Review
## Reverse Engineering
## Disassembly
## Patching

== Testing Tools ==

=== Network Traffic Analysis ===

[http://intrepidusgroup.com/insight/mallory/ Mallory] - Mallory is an open source transparent tcp/udp proxy that allows a tester to step through network traffic bytes at a time. Mallory is designed to function as a network gateway, thus facillitating the testing of embedded devices and applications that cannot easily be proxified.

=== Disassembly Tools & Resources ===

Disassembling applications provides a wealth of information for a security researcher. Platform differences lead to different toolsets for investigation of application internals.

==== Android ====

[http://code.google.com/p/smali/ smali/basksmali] - smali and baksmali are an assembler/disassembler pair that can be used to analyze the Dalvik byte code of an Android application. 

[http://jack-mannino.blogspot.com/2010/09/reversing-android-apps-101.html Reversing Android Apps 101] - Blog post describing the process of disassembling / reversing Android applications

==== RIM ====

TBD

==== iOS ====

''(This page is a work in progress so check back regularly...)''

The approach is somewhat different (in comparison to others platforms) when carrying out dynamic and static analysis on iOS applications. One approach is to become a registered Apple Developer to gain access to the goodness that is Xcode, Simulator, etc. and the other is jail breaking your phone. We will look at this from the perspective of being a registered Apple Developer for and using Apple's Simulator for now. You will need to be running a recent version of Snow Leopard to carry out testing using this route.

'''Methodology'''

First download the iOS Software Development Kit - inside this contains Xcode, the iPhone and iPad simulators and some other goodies.

Using Mallory with airbase-ng.

... TO DO.

'''Tool dump''':

* Charles Proxy - transparent proxy tool even with cert support.
* otool - Mach-O Object file reader. Use to disassemble and inspect iOS applications
* class-dump-x - read class declarations and structs
* clang analyzer - static analysis for C, C++, and Objective-C source code
* Instruments - the sysinternals for Mac OS X
* Shark - analyze assembly level operations
* Mallory - to perform MiTM on iOS applications
* IDA Pro - Commercial disassembler and debugger.
* Hex Rays Decompiler - IDA Pro plug-in for decompilation of ARM assembly

AppSecAsiaPac2012

2012-04-02T09:56:12Z

Zakiakhmad:

__NOTOC__
{| border="0" align="center" style="width: 100%;"
|-
| style="width: 75%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
[[File:Owasp appsecAsia2012ConfBanner.jpg]]
| style="width: 25%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
[[File:RegisterForAppsec.png|link=http://www.regonline.com/appsecapac2012]]
|}
=Welcome=

{{Social Media Links}}



{| border="0" cellpadding="15" align="center" class="FCK__ShowTableBorders" style="width: 100%;"
|-
| style="width: 35%; background: none repeat scroll 0% 0% rgb(255, 255, 255); color: black;" |
<center>[[File:Owaspconf2012_small320w.jpg]]</center>

 
 
'''Welcome to the OWASP 2012 Appsec Asia Pacific Conference.'''

The event is being held in Sydney, Australia from the 11th to the 14th of April 2012 at the Four Points Sheraton Darling Harbour.

The conference consists of 2 days of world class training by OWASP instructor's followed by 2 days of quality presentations and keynotes from industry leaders, OWASP projects and industry consultants. In previous years the OWASP Asia Pacific conference has been rated as one of the "must attend" events of the year, with the conference always filling up quickly.
 

'''Who should attend this conference:'''

* Application Developers, Testers, Quality Assurance Team Members
* Chief Information Officers, Security Officers, Technology Officers
* Security Managers and Staff
* Executives, Managers and staff responsible for IT Security Governance
* IT Professionals interested in Improving Information Security
 

'''Conference Highlights:'''

* Alastair MacGibbon: Keynote Presentation (more information available on "Speakers" Tab)
* Jacob West (Fortify - HP): Keynote Presentation (more information available on "Speakers" Tab)
* Industry Leading training - Exploiting Web Applications with Samurai-WTF
* Industry Panel from Finance and Insurance Sectors
* Networking Opportunities to meet peers and other developers
* Gain access to resources within OWASP projects as well as leading vendors
 
[[File:RegisterForAppsec.png|link=http://www.regonline.com/appsecapac2012]]

| style="width: 20%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
<center>'''Thank you to all of our supporters!'''</center>
 
<h2><center>Diamond & Platinum Sponsors</center></h2>

<center>[[File:Fortify HP logo.png|link=http://www.fortify.com]]</center>

<h2><center>Gold & Silver Sponsors</center></h2>

<center>[[File:AppsecureLogo.jpg|link=http://www.appsecure.com/]]</center> 

<center>[[File:CS-LogoWeb.png|link=http://www.contentsecurity.com.au/]]</center> 

<center>[[File:GASystems-logo.jpg|link=http://www.gasystems.com.au/]]</center> 

<center>[[File:Imperva 312x54.jpg|link=http://www.imperva.com/]]</center> 

<center>[[File:Ionize75H.jpg‎|link=http://www.ionize.com.au/]]</center> 

<center>[[File:SPL-LOGO-LARGE.png|link=http://www.trustwave.com/]]</center> 

<h2><center> Associations & Supporters</center></h2>
We are proudly supported by the following Industry Associations and Media outlets.

<center>[[File:Auscert-Header-logo.gif|link=http://www.auscert.org.au/]]</center>

<center>[[File:AisaLogo.png|link=http://www.aisa.org.au/]]</center>

|}

=Registration Costs=

{{:AppSecAsiaPac2012/Register}}

=Training=

{{:AppSecAsiaPac2012/Training}}

= Conference Schedule=

NOTE: Conference is scheduled to change as required by the conference committee, check back for updates prior to the conference.


{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 75%;"
|-
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''Conference Day 1 - Friday - April 13th''' 
 
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | ''(Time Allocated)''
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Track 1 - Detect''' (Grand Ballroom 1 & 2)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | '''Track 2 - Protect''' (Grand Ballroom 3)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | '''Track 3 - Leadership & OWASP''' (Wharf & Bridge Rooms Level 1)
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''7:30 - 8:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Conference Registration Open - Coffee & Tea Available '''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:30-8:40 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Conference Opening - Appsec Asia 2012'''
Speakers: Conference Committee Chair - Mr Justin Derry
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:40-9:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Alastair MacGibbon
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:30-9:40 AM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:40-10:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker:Jacob West
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''10:30-11:00 AM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Morning Tea - Provided for attendees in main EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:00-11:50 AM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: You can't filter the stupid!'''
 Speakers: Charles Henderson & David Byrne
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Advanced Mobile Application Code Review Techniques'''
 Speaker: Prashant Vema & Dinesh Shetty
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Effective Software Development in a PCI-DSS Environment'''
 Speaker: Bruce Ashton
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:50-12:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:00-12:50 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Testing from the Cloud. Is the Sky Falling?'''
 Speaker: Matt Tesauro
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Rethinking Web Application Architecture for Cloud'''
 Speaker: Arshad Noor
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: OWASP Project - Secure Coding Practices Quick Reference Guide'''
 Speaker: Justin Clarke
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:50-1:30 PM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''1:30-2:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Overcoming the Quality vs Quantity Problem in Software Security Testing'''
 Speaker: Rafal Los
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Mobile Security on iOS and Andriod'''
 Speaker: Mike Park (Trustwave)
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: De-Anonymizing Anonymous'''
 Speaker: Wayne O'Young
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:20-2:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:30-3:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Pen Testing Mobile Applications'''
 Speaker: Frank Fan
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Application Security Logging & Monitoring, The Next Frontier'''
 Speaker: Peter Freiberg
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Modern Software Security Assurance with OpenSAMM'''
 Speaker: Pravir Chandra
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:30-4:00 PM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Afternoon Tea - Provided for attendees in EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:00-4:50 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Harder, Better, Faster, Stronger (SQLi)'''
 Speakers: Luke Jahnke & Louis Nyffenegger
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Securing the SSL Channel against Man-in-the-middle Attacks'''
 Speaker: Tobias Gondrom
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: The risks that Pen Tests don't find'''
 Speaker: Gary Gaskell
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:50-5:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:00-5:30 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Panel Discussion - Application Security Trends in 2012'''
Panelists: To be Announced
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:30-6:30 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP - Afternoon Networking Event - Ground Floor - Four Points Sheraton'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''6:30 - 10:00 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP - Gala Dinner - Grand Ballroom. (Inclusive in Conference Fee) - Speaker: Sabeena Oberoi - Assistant Secretary Cyber Security and Asia Pacific Engagement.'''
|}

{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 75%;"
|-
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''Conference Day 2 - Saturday- April 14th''' 
 
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | ''(Time Allocated)''
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Track 1 - Detect''' (Grand Ballroom 1 & 2)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | '''Track 2 - Protect''' (Grand Ballroom 3)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | '''Track 3 - Leadership & OWASP''' (Wharf & Bridge Rooms Level 1)
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''7:30 - 8:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Conference Registration Open - Coffee & Tea Available '''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:30-8:40 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Conference Day 2 Update- Appsec Asia 2012'''
Speakers: Conference Committee Chair - Mr Justin Derry
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:40-9:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Jeremiah Grossman
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:30-9:40 AM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:40-10:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Dr Jason Smith
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''10:30-11:00 AM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Morning Tea - Provided for attendees in main EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:00-11:50 AM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation:Pentesting iOS Applications:'''
 Speaker:Jason Haddix
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Password Less Authentication & Authorization & Payments'''
 Speaker: Srikar Sagi
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: [[OWASP_Zed_Attack_Proxy_Project OWASP Project - Zed Attack Proxy (ZAP)]]'''
 Speaker: Simon Bennetts
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:50-12:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:00-12:50 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: HTTP Fingerprinting - Next Generation'''
 Speaker: Eldar Marcussen
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Web Crypto for the Developer who has better things to do.'''
 Speaker: Adrian Hayes
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Static Code Analysis & Governance'''
 Speaker: Jonathan Carter
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:50-1:30 PM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''1:30-2:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Shake Hooves with BeEF'''
 Speaker: Christian Frichot
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Software Security Goes Mobile'''
 Speakers: Jacob West
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Data Breaches - When Application Security Goes Wrong'''
 Speaker: Mark Goudie
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:20-2:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:30-3:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Pentesting Smart Grid Web Apps'''
 Speaker: Justin Searle
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Breaking is Easy, Preventing is Hard'''
 Speakers: Matias Madou
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: How MITM Proxy has been slaying SSL Dragons'''
 Speaker: Jim Cheetham
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:20-3:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:30-4:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Rise of the Planet of the Anonymous'''
 Speaker: Errazudin Ishak
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Anatomy of a Logic Flaw'''
 Speakers: Charles Henderson & David Byrne
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: DSD - Cyber Security Australia'''
 Speaker: Chris Clarke - Cyber Security Analyst
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:20-4:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:30-5:00 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''OWASP Appsec Asia 2012 - Conference Wrap Up'''
Speakers: OWASP Board, OWASP Appsec Asia Conference Committee
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:00-6:00 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP Sponsor - Afternoon Networking Event - TBA'''
|}



=Keynote Speakers=

'''In alphabetical order:'''

==Alastair MacGibbon==
Alastair MacGibbon is an internationally-respected authority on cybercrime, including Internet fraud, consumer victimisation and a range of Internet security and safety issues. He is the managing partner of Surete Group, a consultancy dealing with improved customer retention for Internet companies by increasing trust and reducing negative user experiences. Prior to this for almost 5 years Alastair headed Trust & Safety at eBay Australia and later eBay Asia Pacific. He was a Federal Agent with the Australian Federal Police for 15 years, his final assignment as the founding Director of the Australian High Tech Crime Centre.

==Jacob West==
Jacob West is Director, Software Security Research for the Enterprise Security Products division of Hewlett-Packard. West is a world-recognized expert on software security and brings a technical understanding of the languages and frameworks used to build software together with extensive knowledge about how real-world systems fail. In 2007, he co-authored the book "Secure Programming with Static Analysis" with colleague and Fortify founder Brian Chess. Today, the book remains the only comprehensive guide to static analysis and how developers can use it to avoid the most prevalent and dangerous vulnerabilities in code. West is a frequent speaker at industry events, including RSA Conference, Black Hat, Defcon, OWASP, and many others. A graduate of the University of California, Berkeley, West holds dual-degrees in Computer Science and French and resides in San Francisco, California.

==Dr. Jason Smith from CERT Australia==
Dr Jason Smith is an assistant director at the national CERT, CERT Australia, which is part of the Attorney-General's Department. He is an experienced cyber security researcher and consultant, having provided consultancy services over the last decade on information infrastructure protection to government and critical infrastructure utilities.

Since joining government Jason has been involved in the development and execution national scale cyber exercises and the advanced cyber security training for control systems conducted by the US Department of Homeland Security.

Jason holds a degree in software engineering and data communications, a PhD in information security and is an Adjunct Associate Professor at the Queensland University of Technology.

[http://www.cert.gov.au/ About CERT Australia]

==Jeremiah Grossman==
Jeremiah Grossman is the Founder and CTO of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, NY Times and many other mainstream media outlets. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on five continents at hundreds of events including BlackHat, RSA, ISSA, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, UCLA, and Carnegie Mellon. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and previously named one of InfoWorld's Top 25 CTOs. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!

Mr. Grossman was recently a speaker at TEDxMaui. [http://tedxmaui.com/2011/12/30/speaker-spotlight-jeremiah-grossman/ Learn more here.]

=Track Session Speakers=

{{:AppSecAsiaPac2012/Talks}}

=Sponsors=

The Conference Committee is excited to announce that the conference has been openly supported by the following vendors and associations. Without the great support of these companies and organisations the 2012 event would not be what it is today.

<h2>Diamond & Platinum Sponsors</h2>
The OWASP Conference 2012, welcomes our sponsors for Diamond and Platinum. There are still spaces available for sponsorship, but it's closing fast.

More information is available on our sponsorship packages by viewing the sponsor pack [[File:AppSec AsiaPac 2012 Sponsorship.pdf]]. Contact our Committee for more information.

[[File:Fortify HP logo.png|link=http://www.fortify.com]]

<h2>Gold & Silver Sponsors</h2>
The OWASP Conference 2012, welcomes our sponsors for Gold and Silver. The conference still has availability for other Gold and Silver sponsors.

[[File:AppsecureTransLogo.png|link=http://www.appsecure.com/]]
[[File:Imperva 312x54.jpg|link=http://www.imperva.com/]]
[[File:Ionize75H.jpg‎|link=http://www.ionize.com.au/]]
[[File:CS-LogoWeb.png|link=http://www.contentsecurity.com.au/]]
[[File:Trustwave small.png|link=http://www.trustwave.com/]]

<h2> Associations & Supporters</h2>
We are proudly supported by the following Industry Associations and Media outlets.

[[File:Auscert-Header-logo.gif|link=http://www.auscert.org.au/]]
[[File:AisaLogo.png|link=http://www.aisa.org.au/]]

=Chapters Workshop=

{{:AppSecAsiaPac2012/Chapters_Workshop}}

=Venue=

We're excited to announce that the location of the OWASP Conference for Appsec Asia 2012 will be held at:

'''Four Points Sheraton, Darling Harbour''' 
161 Sussex Street 
Sydney, New South Wales 2000 
Australia 
 

The facility provides hotel rooms and conference facilities, OWASP has secured cheap room rates directly in the hotel for the duration of the event.

If you don't know your way around Sydney, here's the Google Maps link to the Hotel.

http://maps.google.com.au/maps/place?q=Four+Points+by+Sheraton+Sydney,+Sussex+Street,+Sydney,+New+South+Wales&hl=en&cid=7369128618339939693

[[File:FourPointsSheratonDarlingHarbour.jpg]]
 

We are using both the Ground and upper levels. The majority of the event will be held on the ground level, including all breaks etc. Attendees will find the registration and conference desk located at the Ground level near Hotel Reception. (You're not going to get lost, as we take up most of the ground level for this event.)

Further details about venue locations will be posted when they become available.

=Travel and Accommodations=
For assistance with any of the items below, feel free to utilize OWASP's preferred travel agency: 
Segale Travel Service contact information is: +1-800-841-2276 
Sr. Travel Consultants: 
[mailto:mariam@segaletravel.com Maria Martinez]...ext 524 
[mailto:linnv@segaletravel.com Linn Vander Molen]...ext 520

Additionally, the [mailto:appsecasia2012@owasp.org Conference Planning Team] is available to answer any questions!

==Accommodation==

We've been able to arrange for accommodation within the Four Points Sheraton Hotel(where the training and conference will be held) for attendees. These rooms have been allocated at a special rate, and available strictly for a limited time. To book these rooms at the special rate, you need to use the booking link shown below. These rooms are available one night either side of the event ensuring that if you are travelling interstate or international it's easy to find a room at a good rate. The room rate allocated for the event is $200 AUD Inclusive per night.

'''Four Points Sheraton, Darling Harbour''' 
161 Sussex Street 
Sydney, New South Wales 2000 
Australia 
 

'''[http://www.starwoodmeeting.com/Book/OWASP http://www.starwoodmeeting.com/Book/OWASP]'''

==Travel Domestic==

The OWASP Conference is to be held in Sydney at the Darling Harbour precinct. Hotel Location, http://maps.google.com.au/maps/place?q=Four+Points+by+Sheraton+Sydney,+Sussex+Street,+Sydney,+New+South+Wales&hl=en&cid=7369128618339939693

==International Travel==

The Sydney International Airport is located adjacent to the Domestic terminal. Similar taxi fares to the city and hotel venue apply.
If you are travelling by train, you can ride the train from the International terminal all the way to the Town Hall station as above.

==Airport Transportation==

*Any major Airline carrier will fly you into Sydney Airport, from here, you can take a Taxi (Approx $35-40 AUD).
*[http://www.kst.com.au KST Sydney Airport Shuttle] -- $18AUD oneway/ $32AUD roundtrip
* Another option is the train from the Airport, which you can ride all the way into the closest station which is Town Hall. From this stop the hotel is a small downhill walk (no more then 5-10mins) from the station.

==Driving Instructions==

''From Sydney Airport (South)''

Travel along Southern Cross Drive and take the South Dowling Street exit.

Turn right onto Dacey Avenue.

At the second set of traffic lights turn left onto Anzac Parade.

Follow Anzac Parade past Moore Park on your right; Anzac Parade will become Flinders Street.

Turn left onto Oxford Street and follow to Liverpool Street; Hyde Park will be on your right.

Continue along Liverpool Street and turn right onto Kent Street.

Travel five blocks and turn left onto Erskine Street.

Immediately turn left again onto Sussex Street. The hotel will be on your right.

''From East''

Proceed along New South Head Road. Continue onto William Street and then onto Park Street; Hyde Park will be on your right.

Proceed along Park Street as it becomes Druitt Street and turn right onto Kent Street.

Travel approximately three blocks and turn left onto Erskine Street.

Immediately turn left again onto Sussex Street. The hotel will be on your right.

''From West''

Proceed along the Western Distributor towards the city taking the City North exit followed by the Sussex Street South Exit.

Turn right onto Sussex Street, the hotel will be on your right.

''From North''

Take the Pacific Highway/Warringah Highway and proceed over the Sydney Harbour Bridge.

Take the York street exit off the bridge and continue along before turning right into Erskine Street .

Proceed approximately three blocks before turning left into Sussex Street. The hotel will be on your right.

=Contact Us=

Justin Derry - Planning Committee Co-Chair 
Andrew van der Stock - Planning Committee Co-Chair 
Christian Frichot - Planning Committee Member 
Andrew Mueller - Planning Committee Member 
Mohd Fazli Azran - Global Conference Committee Liaison 
Sarah Baso - OWASP Operational Support 

If you are interested in helping out with this conference or have any questions, please contact us at: appsecasia2012@owasp.org

=Archives=

*[https://www.owasp.org/index.php/AppSecAsiaPac2012/CFP Call for Papers]
*[[Speaker Agreement]]
*[https://www.owasp.org/index.php/AppSecAsiaPac2012/CFT Call for Trainers]
*[https://www.owasp.org/images/8/80/APAC2012_Training_Instructor_Agreement.pdf Training Instructor Agreement]
*Information about the [https://www.owasp.org/index.php/AppSecAsiaPac2012/OWASP_Track OWASP Track]



<headertabs />

AppSecAsiaPac2012

2012-04-02T09:49:21Z

Zakiakhmad:

__NOTOC__
{| border="0" align="center" style="width: 100%;"
|-
| style="width: 75%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
[[File:Owasp appsecAsia2012ConfBanner.jpg]]
| style="width: 25%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
[[File:RegisterForAppsec.png|link=http://www.regonline.com/appsecapac2012]]
|}
=Welcome=

{{Social Media Links}}



{| border="0" cellpadding="15" align="center" class="FCK__ShowTableBorders" style="width: 100%;"
|-
| style="width: 35%; background: none repeat scroll 0% 0% rgb(255, 255, 255); color: black;" |
<center>[[File:Owaspconf2012_small320w.jpg]]</center>

 
 
'''Welcome to the OWASP 2012 Appsec Asia Pacific Conference.'''

The event is being held in Sydney, Australia from the 11th to the 14th of April 2012 at the Four Points Sheraton Darling Harbour.

The conference consists of 2 days of world class training by OWASP instructor's followed by 2 days of quality presentations and keynotes from industry leaders, OWASP projects and industry consultants. In previous years the OWASP Asia Pacific conference has been rated as one of the "must attend" events of the year, with the conference always filling up quickly.
 

'''Who should attend this conference:'''

* Application Developers, Testers, Quality Assurance Team Members
* Chief Information Officers, Security Officers, Technology Officers
* Security Managers and Staff
* Executives, Managers and staff responsible for IT Security Governance
* IT Professionals interested in Improving Information Security
 

'''Conference Highlights:'''

* Alastair MacGibbon: Keynote Presentation (more information available on "Speakers" Tab)
* Jacob West (Fortify - HP): Keynote Presentation (more information available on "Speakers" Tab)
* Industry Leading training - Exploiting Web Applications with Samurai-WTF
* Industry Panel from Finance and Insurance Sectors
* Networking Opportunities to meet peers and other developers
* Gain access to resources within OWASP projects as well as leading vendors
 
[[File:RegisterForAppsec.png|link=http://www.regonline.com/appsecapac2012]]

| style="width: 20%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
<center>'''Thank you to all of our supporters!'''</center>
 
<h2><center>Diamond & Platinum Sponsors</center></h2>

<center>[[File:Fortify HP logo.png|link=http://www.fortify.com]]</center>

<h2><center>Gold & Silver Sponsors</center></h2>

<center>[[File:AppsecureLogo.jpg|link=http://www.appsecure.com/]]</center> 

<center>[[File:CS-LogoWeb.png|link=http://www.contentsecurity.com.au/]]</center> 

<center>[[File:GASystems-logo.jpg|link=http://www.gasystems.com.au/]]</center> 

<center>[[File:Imperva 312x54.jpg|link=http://www.imperva.com/]]</center> 

<center>[[File:Ionize75H.jpg‎|link=http://www.ionize.com.au/]]</center> 

<center>[[File:SPL-LOGO-LARGE.png|link=http://www.trustwave.com/]]</center> 

<h2><center> Associations & Supporters</center></h2>
We are proudly supported by the following Industry Associations and Media outlets.

<center>[[File:Auscert-Header-logo.gif|link=http://www.auscert.org.au/]]</center>

<center>[[File:AisaLogo.png|link=http://www.aisa.org.au/]]</center>

|}

=Registration Costs=

{{:AppSecAsiaPac2012/Register}}

=Training=

{{:AppSecAsiaPac2012/Training}}

= Conference Schedule=

NOTE: Conference is scheduled to change as required by the conference committee, check back for updates prior to the conference.


{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 75%;"
|-
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''Conference Day 1 - Friday - April 13th''' 
 
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | ''(Time Allocated)''
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Track 1 - Detect''' (Grand Ballroom 1 & 2)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | '''Track 2 - Protect''' (Grand Ballroom 3)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | '''Track 3 - Leadership & OWASP''' (Wharf & Bridge Rooms Level 1)
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''7:30 - 8:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Conference Registration Open - Coffee & Tea Available '''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:30-8:40 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Conference Opening - Appsec Asia 2012'''
Speakers: Conference Committee Chair - Mr Justin Derry
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:40-9:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Alastair MacGibbon
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:30-9:40 AM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:40-10:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker:Jacob West
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''10:30-11:00 AM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Morning Tea - Provided for attendees in main EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:00-11:50 AM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: You can't filter the stupid!'''
 Speakers: Charles Henderson & David Byrne
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Advanced Mobile Application Code Review Techniques'''
 Speaker: Prashant Vema & Dinesh Shetty
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Effective Software Development in a PCI-DSS Environment'''
 Speaker: Bruce Ashton
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:50-12:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:00-12:50 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Testing from the Cloud. Is the Sky Falling?'''
 Speaker: Matt Tesauro
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Rethinking Web Application Architecture for Cloud'''
 Speaker: Arshad Noor
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: OWASP Project - Secure Coding Practices Quick Reference Guide'''
 Speaker: Justin Clarke
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:50-1:30 PM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''1:30-2:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Overcoming the Quality vs Quantity Problem in Software Security Testing'''
 Speaker: Rafal Los
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Mobile Security on iOS and Andriod'''
 Speaker: Mike Park (Trustwave)
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: De-Anonymizing Anonymous'''
 Speaker: Wayne O'Young
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:20-2:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:30-3:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Pen Testing Mobile Applications'''
 Speaker: Frank Fan
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Application Security Logging & Monitoring, The Next Frontier'''
 Speaker: Peter Freiberg
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Modern Software Security Assurance with OpenSAMM'''
 Speaker: Pravir Chandra
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:30-4:00 PM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Afternoon Tea - Provided for attendees in EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:00-4:50 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Harder, Better, Faster, Stronger (SQLi)'''
 Speakers: Luke Jahnke & Louis Nyffenegger
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Securing the SSL Channel against Man-in-the-middle Attacks'''
 Speaker: Tobias Gondrom
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: The risks that Pen Tests don't find'''
 Speaker: Gary Gaskell
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:50-5:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:00-5:30 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Panel Discussion - Application Security Trends in 2012'''
Panelists: To be Announced
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:30-6:30 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP - Afternoon Networking Event - Ground Floor - Four Points Sheraton'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''6:30 - 10:00 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP - Gala Dinner - Grand Ballroom. (Inclusive in Conference Fee) - Speaker: Sabeena Oberoi - Assistant Secretary Cyber Security and Asia Pacific Engagement.'''
|}

{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 75%;"
|-
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''Conference Day 2 - Saturday- April 14th''' 
 
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | ''(Time Allocated)''
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Track 1 - Detect''' (Grand Ballroom 1 & 2)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | '''Track 2 - Protect''' (Grand Ballroom 3)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | '''Track 3 - Leadership & OWASP''' (Wharf & Bridge Rooms Level 1)
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''7:30 - 8:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Conference Registration Open - Coffee & Tea Available '''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:30-8:40 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Conference Day 2 Update- Appsec Asia 2012'''
Speakers: Conference Committee Chair - Mr Justin Derry
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:40-9:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Jeremiah Grossman
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:30-9:40 AM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:40-10:30 AM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Dr Jason Smith
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''10:30-11:00 AM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Morning Tea - Provided for attendees in main EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:00-11:50 AM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation:Pentesting iOS Applications:'''
 Speaker:Jason Haddix
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Password Less Authentication & Authorization & Payments'''
 Speaker: Srikar Sagi
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: [[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP Project - Zed Attack Proxy (ZAP)]]'''
 Speaker: Simon Bennetts
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:50-12:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:00-12:50 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: HTTP Fingerprinting - Next Generation'''
 Speaker: Eldar Marcussen
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Web Crypto for the Developer who has better things to do.'''
 Speaker: Adrian Hayes
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Static Code Analysis & Governance'''
 Speaker: Jonathan Carter
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:50-1:30 PM''
 
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''1:30-2:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Shake Hooves with BeEF'''
 Speaker: Christian Frichot
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Software Security Goes Mobile'''
 Speakers: Jacob West
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Data Breaches - When Application Security Goes Wrong'''
 Speaker: Mark Goudie
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:20-2:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:30-3:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Pentesting Smart Grid Web Apps'''
 Speaker: Justin Searle
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Breaking is Easy, Preventing is Hard'''
 Speakers: Matias Madou
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: How MITM Proxy has been slaying SSL Dragons'''
 Speaker: Jim Cheetham
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:20-3:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:30-4:20 PM''
 
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Rise of the Planet of the Anonymous'''
 Speaker: Errazudin Ishak
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Anatomy of a Logic Flaw'''
 Speakers: Charles Henderson & David Byrne
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: DSD - Cyber Security Australia'''
 Speaker: Chris Clarke - Cyber Security Analyst
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:20-4:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:30-5:00 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''OWASP Appsec Asia 2012 - Conference Wrap Up'''
Speakers: OWASP Board, OWASP Appsec Asia Conference Committee
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:00-6:00 PM''
 
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP Sponsor - Afternoon Networking Event - TBA'''
|}



=Keynote Speakers=

'''In alphabetical order:'''

==Alastair MacGibbon==
Alastair MacGibbon is an internationally-respected authority on cybercrime, including Internet fraud, consumer victimisation and a range of Internet security and safety issues. He is the managing partner of Surete Group, a consultancy dealing with improved customer retention for Internet companies by increasing trust and reducing negative user experiences. Prior to this for almost 5 years Alastair headed Trust & Safety at eBay Australia and later eBay Asia Pacific. He was a Federal Agent with the Australian Federal Police for 15 years, his final assignment as the founding Director of the Australian High Tech Crime Centre.

==Jacob West==
Jacob West is Director, Software Security Research for the Enterprise Security Products division of Hewlett-Packard. West is a world-recognized expert on software security and brings a technical understanding of the languages and frameworks used to build software together with extensive knowledge about how real-world systems fail. In 2007, he co-authored the book "Secure Programming with Static Analysis" with colleague and Fortify founder Brian Chess. Today, the book remains the only comprehensive guide to static analysis and how developers can use it to avoid the most prevalent and dangerous vulnerabilities in code. West is a frequent speaker at industry events, including RSA Conference, Black Hat, Defcon, OWASP, and many others. A graduate of the University of California, Berkeley, West holds dual-degrees in Computer Science and French and resides in San Francisco, California.

==Dr. Jason Smith from CERT Australia==
Dr Jason Smith is an assistant director at the national CERT, CERT Australia, which is part of the Attorney-General's Department. He is an experienced cyber security researcher and consultant, having provided consultancy services over the last decade on information infrastructure protection to government and critical infrastructure utilities.

Since joining government Jason has been involved in the development and execution national scale cyber exercises and the advanced cyber security training for control systems conducted by the US Department of Homeland Security.

Jason holds a degree in software engineering and data communications, a PhD in information security and is an Adjunct Associate Professor at the Queensland University of Technology.

[http://www.cert.gov.au/ About CERT Australia]

==Jeremiah Grossman==
Jeremiah Grossman is the Founder and CTO of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, NY Times and many other mainstream media outlets. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on five continents at hundreds of events including BlackHat, RSA, ISSA, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, UCLA, and Carnegie Mellon. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and previously named one of InfoWorld's Top 25 CTOs. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!

Mr. Grossman was recently a speaker at TEDxMaui. [http://tedxmaui.com/2011/12/30/speaker-spotlight-jeremiah-grossman/ Learn more here.]

=Track Session Speakers=

{{:AppSecAsiaPac2012/Talks}}

=Sponsors=

The Conference Committee is excited to announce that the conference has been openly supported by the following vendors and associations. Without the great support of these companies and organisations the 2012 event would not be what it is today.

<h2>Diamond & Platinum Sponsors</h2>
The OWASP Conference 2012, welcomes our sponsors for Diamond and Platinum. There are still spaces available for sponsorship, but it's closing fast.

More information is available on our sponsorship packages by viewing the sponsor pack [[File:AppSec AsiaPac 2012 Sponsorship.pdf]]. Contact our Committee for more information.

[[File:Fortify HP logo.png|link=http://www.fortify.com]]

<h2>Gold & Silver Sponsors</h2>
The OWASP Conference 2012, welcomes our sponsors for Gold and Silver. The conference still has availability for other Gold and Silver sponsors.

[[File:AppsecureTransLogo.png|link=http://www.appsecure.com/]]
[[File:Imperva 312x54.jpg|link=http://www.imperva.com/]]
[[File:Ionize75H.jpg‎|link=http://www.ionize.com.au/]]
[[File:CS-LogoWeb.png|link=http://www.contentsecurity.com.au/]]
[[File:Trustwave small.png|link=http://www.trustwave.com/]]

<h2> Associations & Supporters</h2>
We are proudly supported by the following Industry Associations and Media outlets.

[[File:Auscert-Header-logo.gif|link=http://www.auscert.org.au/]]
[[File:AisaLogo.png|link=http://www.aisa.org.au/]]

=Chapters Workshop=

{{:AppSecAsiaPac2012/Chapters_Workshop}}

=Venue=

We're excited to announce that the location of the OWASP Conference for Appsec Asia 2012 will be held at:

'''Four Points Sheraton, Darling Harbour''' 
161 Sussex Street 
Sydney, New South Wales 2000 
Australia 
 

The facility provides hotel rooms and conference facilities, OWASP has secured cheap room rates directly in the hotel for the duration of the event.

If you don't know your way around Sydney, here's the Google Maps link to the Hotel.

http://maps.google.com.au/maps/place?q=Four+Points+by+Sheraton+Sydney,+Sussex+Street,+Sydney,+New+South+Wales&hl=en&cid=7369128618339939693

[[File:FourPointsSheratonDarlingHarbour.jpg]]
 

We are using both the Ground and upper levels. The majority of the event will be held on the ground level, including all breaks etc. Attendees will find the registration and conference desk located at the Ground level near Hotel Reception. (You're not going to get lost, as we take up most of the ground level for this event.)

Further details about venue locations will be posted when they become available.

=Travel and Accommodations=
For assistance with any of the items below, feel free to utilize OWASP's preferred travel agency: 
Segale Travel Service contact information is: +1-800-841-2276 
Sr. Travel Consultants: 
[mailto:mariam@segaletravel.com Maria Martinez]...ext 524 
[mailto:linnv@segaletravel.com Linn Vander Molen]...ext 520

Additionally, the [mailto:appsecasia2012@owasp.org Conference Planning Team] is available to answer any questions!

==Accommodation==

We've been able to arrange for accommodation within the Four Points Sheraton Hotel(where the training and conference will be held) for attendees. These rooms have been allocated at a special rate, and available strictly for a limited time. To book these rooms at the special rate, you need to use the booking link shown below. These rooms are available one night either side of the event ensuring that if you are travelling interstate or international it's easy to find a room at a good rate. The room rate allocated for the event is $200 AUD Inclusive per night.

'''Four Points Sheraton, Darling Harbour''' 
161 Sussex Street 
Sydney, New South Wales 2000 
Australia 
 

'''[http://www.starwoodmeeting.com/Book/OWASP http://www.starwoodmeeting.com/Book/OWASP]'''

==Travel Domestic==

The OWASP Conference is to be held in Sydney at the Darling Harbour precinct. Hotel Location, http://maps.google.com.au/maps/place?q=Four+Points+by+Sheraton+Sydney,+Sussex+Street,+Sydney,+New+South+Wales&hl=en&cid=7369128618339939693

==International Travel==

The Sydney International Airport is located adjacent to the Domestic terminal. Similar taxi fares to the city and hotel venue apply.
If you are travelling by train, you can ride the train from the International terminal all the way to the Town Hall station as above.

==Airport Transportation==

*Any major Airline carrier will fly you into Sydney Airport, from here, you can take a Taxi (Approx $35-40 AUD).
*[http://www.kst.com.au KST Sydney Airport Shuttle] -- $18AUD oneway/ $32AUD roundtrip
* Another option is the train from the Airport, which you can ride all the way into the closest station which is Town Hall. From this stop the hotel is a small downhill walk (no more then 5-10mins) from the station.

==Driving Instructions==

''From Sydney Airport (South)''

Travel along Southern Cross Drive and take the South Dowling Street exit.

Turn right onto Dacey Avenue.

At the second set of traffic lights turn left onto Anzac Parade.

Follow Anzac Parade past Moore Park on your right; Anzac Parade will become Flinders Street.

Turn left onto Oxford Street and follow to Liverpool Street; Hyde Park will be on your right.

Continue along Liverpool Street and turn right onto Kent Street.

Travel five blocks and turn left onto Erskine Street.

Immediately turn left again onto Sussex Street. The hotel will be on your right.

''From East''

Proceed along New South Head Road. Continue onto William Street and then onto Park Street; Hyde Park will be on your right.

Proceed along Park Street as it becomes Druitt Street and turn right onto Kent Street.

Travel approximately three blocks and turn left onto Erskine Street.

Immediately turn left again onto Sussex Street. The hotel will be on your right.

''From West''

Proceed along the Western Distributor towards the city taking the City North exit followed by the Sussex Street South Exit.

Turn right onto Sussex Street, the hotel will be on your right.

''From North''

Take the Pacific Highway/Warringah Highway and proceed over the Sydney Harbour Bridge.

Take the York street exit off the bridge and continue along before turning right into Erskine Street .

Proceed approximately three blocks before turning left into Sussex Street. The hotel will be on your right.

=Contact Us=

Justin Derry - Planning Committee Co-Chair 
Andrew van der Stock - Planning Committee Co-Chair 
Christian Frichot - Planning Committee Member 
Andrew Mueller - Planning Committee Member 
Mohd Fazli Azran - Global Conference Committee Liaison 
Sarah Baso - OWASP Operational Support 

If you are interested in helping out with this conference or have any questions, please contact us at: appsecasia2012@owasp.org

=Archives=

*[https://www.owasp.org/index.php/AppSecAsiaPac2012/CFP Call for Papers]
*[[Speaker Agreement]]
*[https://www.owasp.org/index.php/AppSecAsiaPac2012/CFT Call for Trainers]
*[https://www.owasp.org/images/8/80/APAC2012_Training_Instructor_Agreement.pdf Training Instructor Agreement]
*Information about the [https://www.owasp.org/index.php/AppSecAsiaPac2012/OWASP_Track OWASP Track]



<headertabs />

Man vs. Code

2012-03-08T08:22:18Z

Zakiakhmad:

'''UPDATE: I have proposed a "Sticky" Marking When Smart Highlighting enhancement to the Notepad++ team: when one is selecting a word character-by-character, allow one to do this multiple times, without clearing the previous selected (and now smart-highlighted) sets of words. Then, clear all marks when double click on any other word. Double-click smart-highlighting functionality remains the same as it was before. This allows one to follow variable assignments through the code more easily. This change allows one to select the original variable, then select a new variable that the old variable is now assigned to, and so on. If you're interested in the details contact mike.boberski@owasp.org. If you'd like an already built version with the changes to copy over after you've installed, you can find it [http://www.owasp.org/index.php/File:Notepad%2B%2B.zip here]'''

[[Image:Man-v-code.gif|right]]
Tools such as source code review tools are expensive. Let me rephrase. They cost as much as a house! Feeling like you just stepped into a survivalist reality show, after being asked to perform a review using for example [http://www.owasp.org/index.php/ASVS OWASP ASVS]? You need tools, and you need them now. You also need tools more useful than for example RATS (Rough Auditing Tool for Security).

Tools such as RATS even if their rules are beefed up are still not a fast way to do a code review. If you accept the premise that when performing a code review, one should do at least a minimal check for both false positives and false negatives, then regardless of tool, you still need to go through each and every source file even if only for a cursory inspection. This is where source code review tools shine, their IDE-like GUIs allow you to jump through the code interactively in a very efficient way. This is why tools such as RATS are pretty much useless. You need to be able to easily jump through the code and follow data from sources to sinks a lot more than you need an initial count of some huge number of potential findings!

With the above in mind, here's one way to fashion a basic, efficient source code review tool (in this case, for PHP source) using a little bit of research and some freely-available tools in perhaps unexpected ways. The basic idea is to use Notepad++ and Its “User Defined Language” Feature. It can be downloaded here: http://notepad-plus.sourceforge.net So, go and do that. The ability to define one’s language using Notepad++ configuration interfaces, its syntax highlighting, and the ability to highlight variables throughout by default after selecting them, provides the basis for a way to search file-by-file for security-related flaws. E.g. create a new “PHP 4, 5 SCA” language. You'll also want to use a grep tool and also open up the PHP web site so you can search for function/language definitions http://us2.php.net/manual/en/ Also, install the “Explorer” plugin (copy to its plugins directory, download from http://sourceforge.net/project/showfiles.php?group_id=189927&package_id=223667 then enable it using the “Plugins” menu

Then, based on looking for function and other keywords related to input, SQL, sessions, URLs, files, etc. one can mine documents for relevant keywords, e.g.:

* http://us2.php.net/manual/en/reserved.variables.php
* http://us2.php.net/manual/en/book.mysql.php
* http://us2.php.net/manual/en/book.hash.php
* http://us2.php.net/manual/en/refs.fileprocess.file.php
* http://us2.php.net/manual/en/book.mail.php
* http://us2.php.net/manual/en/book.session.php
* http://us2.php.net/manual/en/features.cookies.php
* http://us2.php.net/manual/en/ref.url.php
* Chris Shiflett, Essential PHP Security (O’Reilly Media, Inc., 2005).
* http://www.fortify.com/vulncat/en/vulncat/index.html

Next, configure Notepad++ to create a new PHP static analysis language:

Select “View” menu, then “User Define Dialog” menu item, then “Dock” button

Ext:
*Set to php (no period!)

Folder & Default
* Font name – Consolas

Keywords Lists - Use your research here!

1st Group - Use this to find potential problems
* Foreground color – red
* Background color – white
* Font style - bold
* Prefix mode – make sure this is set (checked)

PHP Example:
* $GLOBALS $_SERVER $_GET $_POST $_FILES $_REQUEST $_SESSION $_ENV $_COOKIE $php_errormsg $HTTP_RAW_POST_DATA $http_response_header $argc $argv mysql_ hash_ basename chgrp chmod chown clearstatcache copy delete dirname disk_free_space disk_total_space diskfreespace fclose feof fflush fgetc fgetcsv fgets fgetss file_exists file_get_contents file_put_contents file fileatime filectime filegroup fileinode filemtime fileowner fileperms filesize filetype flock fnmatch fopen fpassthru fputcsv fputs fread fscanf fseek fstat ftell ftruncate fwrite glob is_dir is_executable is_file is_link is_readable is_uploaded_file is_writable is_writeable lchgrp lchown link linkinfo lstat mkdir move_uploaded_file parse_ini_file parse_ini_string pathinfo pclose popen readfile readlink realpath rename rewind rmdir set_file_buffer stat symlink tempnam tmpfile touch umask unlink mail session_ setcookie setrawcookie header ob_ output_ base64_ get_headers get_meta_tags http_build_query parse_url rawurlecode urldecode urlencode ini_set error_log allow_url_fopen disable_functions display_errors enable_dl error_reporting file_uploads log_errors magic_quotes_gpc memory_limit open_basedir register_globals safe_mode eval exec file file_get_contents fopen include passthru phpinfo popen preg_replace proc_open readfile require shell_exec system $password mcrypt_ return echo <?php <? md5 ldap_ @ trigger_error print error_reporting display_errors <form Ajax.Request preg_replace htmlspecialchars hidden <input rand srand mt_srand mt_rand file extract href mysqli

NSS (v3.12.4) Example:

* NSS_GetClientAuthData NSS_SetDomesticPolicy NSS_SetExportPolicy NSS_SetFrancePolicy NSSSSL_VersionCheck SSL_AuthCertificate SSL_AuthCertificateHook SSL_BadCertHook SSL_CertDBHandleSet SSL_CipherPolicyGet SSL_CipherPolicySet SSL_CipherPrefGet SSL_CipherPrefGetDefault SSL_CipherPrefSet SSL_CipherPrefSetDefault SSL_ClearSessionCache SSL_ConfigMPServerSIDCache SSL_ConfigSecureServer SSL_ConfigServerSessionIDCache SSL_DataPending SSL_ForceHandshake SSL_ForceHandshakeWithTimeout SSL_GetChannelInfo SSL_GetCipherSuiteInfo SSL_GetClientAuthDataHook SSL_GetMaxServerCacheLocks SSL_GetSessionID SSL_GetStatistics SSL_HandshakeCallback SSL_ImportFD SSL_InheritMPServerSIDCache SSL_InvalidateSession SSL_LocalCertificate SSL_OptionGet SSL_OptionGetDefault SSL_OptionSet SSL_OptionSetDefault SSL_PeerCertificate SSL_PreencryptedFileToStream SSL_PreencryptedStreamToFile SSL_ReHandshake SSL_ReHandshakeWithTimeout SSL_ResetHandshake SSL_RestartHandshakeAfterCertReq SSL_RestartHandshakeAfterServerCert SSL_RevealCert SSL_RevealPinArg SSL_RevealURL SSL_SecurityStatus SSL_SetMaxServerCacheLocks SSL_SetPKCS11PinArg SSL_SetSockPeerID SSL_SetURL SSL_ShutdownServerSessionIDCache SSL_Enable SSL_EnableCipher SSL_EnableDefault SSL_RedoHandshake SSL_SetPolicy CERT_AddCertToListTail CERT_AddExtension CERT_AddOCSPAcceptableResponses CERT_AddOKDomainName CERT_AddRDN CERT_AsciiToName CERT_CacheCRL CERT_CertChainFromCert CERT_CertListFromCert CERT_CertTimesValid CERT_ChangeCertTrust CERT_CheckCertValidTimes CERT_CheckCertUsage CERT_CompareName CERT_CompareValidityTimes CERT_CompleteCRLDecodeEntries CERT_ConvertAndDecodeCertificate CERT_CopyName CERT_CopyRDN CERT_CreateAVA CERT_CreateCertificate CERT_CreateCertificateRequest CERT_CreateName CERT_CreateOCSPCertID CERT_CreateOCSPRequest CERT_CreateRDN CERT_CreateSubjectCertList CERT_CreateValidity CERT_CRLCacheRefreshIssuer CERT_DecodeAltNameExtension CERT_DecodeAuthInfoAccessExtension CERT_DecodeAuthKeyID CERT_DecodeAVAValue CERT_DecodeBasicConstraintValue CERT_DecodeCertFromPackage CERT_DecodeCertificatePoliciesExtension CERT_DecodeCertPackage CERT_DecodeCRLDistributionPoints CERT_DecodeDERCrl CERT_DecodeDERCrlWithFlags CERT_DecodeGeneralName CERT_DecodeNameConstraintsExtension CERT_DecodeOCSPResponse CERT_DecodeOidSequence CERT_DecodePrivKeyUsagePeriodExtension CERT_DecodeTrustString CERT_DecodeUserNotice CERT_DerNameToAscii CERT_DestroyCertArray CERT_DestroyCertificate CERT_DestroyCertificateList CERT_DestroyCertificatePoliciesExtension CERT_DestroyCertificateRequest CERT_DestroyCertList CERT_DestroyName CERT_DestroyOCSPCertID CERT_DestroyOCSPRequest CERT_DestroyOCSPResponse CERT_DestroyOidSequence CERT_DestroyUserNotice CERT_DestroyValidity CERT_DupCertificate CERT_DupCertList CERT_EnableOCSPChecking CERT_EncodeAltNameExtension CERT_EncodeAndAddBitStrExtension CERT_EncodeAuthKeyID CERT_EncodeBasicConstraintValue CERT_EncodeCRLDistributionPoints CERT_EncodeGeneralName CERT_EncodeOCSPRequest CERT_ExtractPublicKey CERT_FindCertByName CERT_FilterCertListByCANames CERT_FilterCertListByUsage CERT_FilterCertListForUserCerts CERT_FindCertByDERCert CERT_FindCertByIssuerAndSN CERT_FindCertByNickname CERT_FindCertByNicknameOrEmailAddr CERT_FindCertBySubjectKeyID CERT_FindCertExtension CERT_FindCertIssuer CERT_FindKeyUsageExtension CERT_FindSMimeProfile CERT_FindSubjectKeyIDExtension CERT_FindUserCertByUsage CERT_FindUserCertsByUsage CERT_FinishCertificateRequestAttributes CERT_FinishExtensions CERT_FormatName CERT_FreeDistNames CERT_FreeNicknames CERT_GetAVATag CERT_GetCertChainFromCert CERT_GetCertEmailAddress CERT_GetCertificateNames CERT_GetCertificateRequestExtensions CERT_GetCertIssuerAndSN CERT_GetCertNicknames CERT_GetCertTrust CERT_GetCertUid CERT_GetCommonName CERT_GetCountryName CERT_GetDBContentVersion CERT_GetDefaultCertDB CERT_GetDomainComponentName CERT_GetFirstEmailAddress CERT_GetLocalityName CERT_GetNextEmailAddress CERT_GetNextGeneralName CERT_GetNextNameConstraint CERT_GetOCSPResponseStatus CERT_GetOCSPStatusForCertID CERT_GetOidString CERT_GetOrgName CERT_GetOrgUnitName CERT_GetOCSPAuthorityInfoAccessLocation CERT_GetPrevGeneralName CERT_GetPrevNameConstraint CERT_GetSlopTime CERT_GetSSLCACerts CERT_GetStateName CERT_GenTime2FormattedAscii CERT_Hexify CERT_ImportCAChain CERT_ImportCerts CERT_IsRootDERCert CERT_IsUserCert CERT_KeyFromDERCrl CERT_MakeCANickname CERT_MergeExtensions CERT_NameToAscii CERT_NewCertList CERT_NicknameStringsFromCertList CERT_OpenCertDBFilename CERT_RemoveCertListNode CERT_RFC1485_EscapeAndQuote CERT_SaveSMimeProfile CERT_SetSlopTime CERT_StartCertExtensions CERT_StartCertificateRequestAttributes CERT_StartCRLEntryExtensions CERT_StartCRLExtensions CERT_UncacheCRL CERT_VerifyCertName CERT_VerifyCACertForUsage CERT_VerifyCert CERT_VerifyCertificate CERT_VerifyCertificateNow CERT_VerifyCertNow CERT_VerifyOCSPResponseSignature CERT_VerifySignedData CERT_VerifySignedDataWithPublicKey CERT_VerifySignedDataWithPublicKeyInfo NSS_CmpCertChainWCANames NSS_FindCertKEAType PK11_AlgtagToMechanism PK11_Authenticate PK11_BlockData PK11_ChangePW PK11_CheckUserPassword PK11_CipherOp PK11_CloneContext PK11_ConfigurePKCS11 PK11_ConvertSessionPrivKeyToTokenPrivKey PK11_ConvertSessionSymKeyToTokenSymKey PK11_CopyTokenPrivKeyToSessionPrivKey PK11_CreateContextBySymKey PK11_CreateDigestContext PK11_CreatePBEAlgorithmID PK11_DeleteTokenPrivateKey PK11_DeleteTokenPublicKey PK11_DeleteTokenSymKey PK11_Derive PK11_DeriveWithFlags PK11_DeriveWithFlagsPerm PK11_DestroyContext PK11_DestroyGenericObject PK11_DestroyGenericObjects PK11_DestroyObject PK11_DestroyTokenObject PK11_DigestBegin PK11_DigestKey PK11_DigestOp PK11_DigestFinal PK11_DoesMechanism PK11_ExportEncryptedPrivateKeyInfo PK11_ExportEncryptedPrivKeyInfo PK11_ExportPrivateKeyInfo PK11_Finalize PK11_FindBestKEAMatch PK11_FindCertAndKeyByRecipientList PK11_FindCertAndKeyByRecipientListNew PK11_FindCertByIssuerAndSN PK11_FindCertFromDERCert PK11_FindCertFromNickname PK11_FindCertInSlot PK11_FindGenericObjects PK11_FindFixedKey PK11_FindKeyByAnyCert PK11_FindKeyByDERCert PK11_FindPrivateKeyFromCert PK11_FindSlotByName PK11_FindSlotsByNames PK11_FortezzaHasKEA PK11_FortezzaMapSig PK11_FreeSlot PK11_FreeSlotList PK11_FreeSlotListElement PK11_FreeSymKey PK11_GenerateFortezzaIV PK11_GenerateKeyPair PK11_GenerateKeyPairWithFlags PK11_GenerateNewParam PK11_GenerateRandom PK11_GenerateRandomOnSlot PK11_GetAllTokens PK11_GetBestKeyLength PK11_GetBestSlot PK11_GetBestSlotMultiple PK11_GetBestWrapMechanism PK11_GetBlockSize PK11_GetCertFromPrivateKey PK11_GetCurrentWrapIndex PK11_GetDefaultArray PK11_GetDefaultFlags PK11_GetDisabledReason PK11_GetFirstSafe PK11_GetInternalKeySlot PK11_GetInternalSlot PK11_GetKeyGen PK11_GetKeyLength PK11_GetKeyStrength PK11_GetMechanism PK11_GetMinimumPwdLength PK11_GetModInfo PK11_GetModule PK11_GetModuleID PK11_GetNextGenericObject PK11_GetNextSafe PK11_GetNextSymKey PK11_GetPadMechanism PK11_GetPBEIV PK11_GetPQGParamsFromPrivateKey PK11_GetPrevGenericObject PK11_GetPrivateKeyNickname PK11_GetPrivateModulusLen PK11_GetPublicKeyNickname PK11_GetSlotFromKey PK11_GetSlotFromPrivateKey PK11_GetSlotID PK11_GetSlotInfo PK11_GetSlotName PK11_GetSlotSeries PK11_GetSymKeyNickname PK11_GetSymKeyType PK11_GetSymKeyUserData PK11_GetTokenInfo PK11_GetTokenName PK11_GetWindow PK11_GetWrapKey PK11_HashBuf PK11_HasRootCerts PK11_ImportCert PK11_ImportCertForKeyToSlot PK11_ImportCRL PK11_ImportDERCert PK11_ImportDERPrivateKeyInfoAndReturnKey PK11_ImportEncryptedPrivateKeyInfo PK11_ImportPrivateKeyInfo PK11_ImportPrivateKeyInfoAndReturnKey PK11_ImportPublicKey PK11_ImportSymKeyWithFlags PK11_InitPin PK11_IsFIPS PK11_IsDisabled PK11_IsFriendly PK11_IsHW PK11_IsInternal PK11_IsPresent PK11_IsReadOnly PK11_IVFromParam PK11_KeyGen PK11_LinkGenericObject PK11_ListCerts PK11_ListFixedKeysInSlot PK11_ListPrivKeysInSlot PK11_ListPublicKeysInSlot PK11_LoadPrivKey PK11_LogoutAll PK11_MakeKEAPubKey PK11_MapPBEMechanismToCryptoMechanism PK11_MapSignKeyType PK11_MechanismToAlgtag PK11_MoveSymKey PK11_NeedLogin PK11_NeedUserInit PK11_ParamFromIV PK11_ParamFromAlgid PK11_ParamToAlgid PK11_PBEKeyGen PK11_PrivDecryptPKCS1 PK11_ProtectedAuthenticationPath PK11_PubDecryptRaw PK11_PubDerive PK11_PubDeriveWithKDF PK11_PubEncryptPKCS1 PK11_PubEncryptRaw PK11_PubUnwrapSymKey PK11_PubUnwrapSymKeyWithFlags PK11_PubUnwrapSymKeyWithFlagsPerm PK11_PubWrapSymKey PK11_RandomUpdate PK11_ReadRawAttribute PK11_ReferenceSymKey PK11_ResetToken PK11_RestoreContext PK11_SaveContext PK11_SaveContextAlloc PK11_SetFortezzaHack PK11_SetPasswordFunc PK11_SetPrivateKeyNickname PK11_SetPublicKeyNickname PK11_SetSlotPWValues PK11_SetSymKeyNickname PK11_SetSymKeyUserData PK11_SetWrapKey PK11_Sign PK11_SignatureLen PK11_SymKeyFromHandle PK11_TokenExists PK11_TokenKeyGen PK11_TokenKeyGenWithFlags PK11_TokenRefresh PK11_TraverseCertsForNicknameInSlot PK11_TraverseCertsForSubjectInSlot PK11_TraverseSlotCerts PK11_UnlinkGenericObject PK11_UnwrapSymKey PK11_UnwrapSymKeyWithFlags PK11_UnwrapSymKeyWithFlagsPerm PK11_UpdateSlotAttribute PK11_UserEnableSlot PK11_UserDisableSlot PK11_Verify PK11_VerifyKeyOK PK11_WaitForTokenEvent PK11_WrapSymKey PK11SDR_Encrypt PK11SDR_Decrypt SEC_DeletePermCertificate SEC_DeletePermCRL SEC_DerSignData SEC_DestroyCrl SEC_FindCrlByDERCert SEC_FindCrlByName SEC_LookupCrls SEC_NewCrl SEC_QuickDERDecodeItem SECKEY_CacheStaticFlags SECKEY_ConvertToPublicKey SECKEY_CopyPrivateKey SECKEY_CopyPublicKey SECKEY_CopySubjectPublicKeyInfo SECKEY_CreateDHPrivateKey SECKEY_CreateECPrivateKey SECKEY_CreateSubjectPublicKeyInfo SECKEY_DecodeDERSubjectPublicKeyInfo SECKEY_DestroyPrivateKey SECKEY_DestroyPublicKeyList SECKEY_DestroySubjectPublicKeyInfo SECKEY_GetPublicKeyType SECKEY_PublicKeyStrengthInBits SECKEY_SignatureLen ATOB_AsciiToData ATOB_ConvertAsciiToItem BTOA_ConvertItemToAscii BTOA_DataToAscii DER_AsciiToTime DER_DecodeTimeChoice DER_Encode DER_EncodeTimeChoice DER_GeneralizedTimeToTime DER_GetInteger DER_Lengths DER_TimeToUTCTime DER_UTCDayToAscii DER_UTCTimeToAscii DER_UTCTimeToTime DSAU_DecodeDerSig DSAU_DecodeDerSigToLen DSAU_EncodeDerSig DSAU_EncodeDerSigWithLen HASH_Begin HASH_Clone HASH_Create HASH_Destroy HASH_End HASH_GetHashObject HASH_GetHashObjectByOidTag HASH_GetHashTypeByOidTag HASH_HashBuf HASH_ResultLen HASH_ResultLenByOidTag HASH_ResultLenContext HASH_Update NSS_Init NSS_Initialize NSS_InitReadWrite NSS_IsInitialized NSS_NoDBInit NSS_PutEnv NSS_RegisterShutdown NSS_Shutdown NSS_UnregisterShutdown NSS_VersionCheck NSSBase64_DecodeBuffer NSSBase64Decoder_Create NSSBase64Decoder_Destroy NSSBase64Decoder_Update NSSBase64_EncodeItem NSSBase64Encoder_Create NSSBase64Encoder_Destroy NSSBase64Encoder_Update NSSRWLock_Destroy NSSRWLock_HaveWriteLock NSSRWLock_LockRead NSSRWLock_LockWrite NSSRWLock_New NSSRWLock_UnlockRead NSSRWLock_UnlockWrite NSSSMIME_VersionCheck PORT_Alloc PORT_ArenaAlloc PORT_ArenaGrow PORT_ArenaMark PORT_ArenaRelease PORT_ArenaStrdup PORT_ArenaUnmark PORT_ArenaZAlloc PORT_Free PORT_FreeArena PORT_GetError PORT_NewArena PORT_Realloc PORT_SetError PORT_SetUCS2_ASCIIConversionFunction PORT_SetUCS2_UTF8ConversionFunction PORT_SetUCS4_UTF8ConversionFunction PORT_Strdup PORT_UCS2_ASCIIConversion PORT_UCS2_UTF8Conversion PORT_ZAlloc PORT_ZFree RSA_FormatBlock SEC_ASN1Decode SEC_ASN1DecodeInteger SEC_ASN1DecodeItem SEC_ASN1DecoderAbort SEC_ASN1DecoderClearFilterProc SEC_ASN1DecoderClearNotifyProc SEC_ASN1DecoderFinish SEC_ASN1DecoderSetFilterProc SEC_ASN1DecoderSetNotifyProc SEC_ASN1DecoderStart SEC_ASN1DecoderUpdate SEC_ASN1Encode SEC_ASN1EncodeInteger SEC_ASN1EncodeItem SEC_ASN1EncoderAbort SEC_ASN1EncoderClearNotifyProc SEC_ASN1EncoderClearStreaming SEC_ASN1EncoderClearTakeFromBuf SEC_ASN1EncoderFinish SEC_ASN1EncoderSetNotifyProc SEC_ASN1EncoderSetStreaming SEC_ASN1EncoderSetTakeFromBuf SEC_ASN1EncoderStart SEC_ASN1EncoderUpdate SEC_ASN1EncodeUnsignedInteger SEC_ASN1LengthLength SEC_DupCrl SEC_GetSignatureAlgorithmOidTag SEC_PKCS5GetCryptoAlgorithm SEC_PKCS5GetKeyLength SEC_PKCS5GetPBEAlgorithm SEC_PKCS5IsAlgorithmPBEAlg SEC_RegisterDefaultHttpClient SEC_SignData SECITEM_AllocItem SECITEM_ArenaDupItem SECITEM_CompareItem SECITEM_CopyItem SECITEM_DupItem SECITEM_FreeItem SECITEM_ItemsAreEqual SECITEM_ZfreeItem SECKEY_CopyEncryptedPrivateKeyInfo SECKEY_CopyPrivateKeyInfo SECKEY_CreateRSAPrivateKey SECKEY_DestroyEncryptedPrivateKeyInfo SECKEY_DestroyPrivateKeyInfo SECKEY_DestroyPublicKey SECKEY_PublicKeyStrength SECKEY_UpdateCertPQG SECMOD_AddNewModule SECMOD_AddNewModuleEx SECMOD_CancelWait SECMOD_CanDeleteInternalModule SECMOD_CreateModule SECMOD_DeleteModule SECMOD_FindModule SECMOD_FindSlot SECMOD_FreeModuleSpecList SECMOD_GetDBModuleList SECMOD_GetDeadModuleList SECMOD_GetModuleSpecList SECMOD_HasRemovableSlots SECMOD_IsModulePresent SECMOD_LoadModule SECMOD_LoadUserModule SECMOD_LookupSlot SECMOD_PubCipherFlagstoInternal SECMOD_PubMechFlagstoInternal SECMOD_UnloadUserModule SECMOD_UpdateModule SECMOD_UpdateSlotList SECMOD_WaitForAnyTokenEvent SECOID_AddEntry SECOID_CompareAlgorithmID SECOID_CopyAlgorithmID SECOID_DestroyAlgorithmID SECOID_FindOID SECOID_FindOIDByTag SECOID_FindOIDTag SECOID_FindOIDTagDescription SECOID_GetAlgorithmTag SECOID_SetAlgorithmID SGN_Begin SGN_CompareDigestInfo SGN_CopyDigestInfo SGN_CreateDigestInfo SGN_DestroyContext SGN_DestroyDigestInfo SGN_Digest SGN_End SGN_NewContext SGN_Update VFY_Begin VFY_CreateContext VFY_DestroyContext VFY_End VFY_Update VFY_VerifyData VFY_VerifyDigest NSS_CMSContentInfo_GetBulkKey NSS_CMSContentInfo_GetBulkKeySize NSS_CMSContentInfo_GetContent NSS_CMSContentInfo_GetContentEncAlgTag NSS_CMSContentInfo_GetContentTypeTag NSS_CMSContentInfo_SetBulkKey NSS_CMSContentInfo_SetContent NSS_CMSContentInfo_SetContent_Data NSS_CMSContentInfo_SetContentEncAlg NSS_CMSContentInfo_SetContent_DigestedData NSS_CMSContentInfo_SetContent_EncryptedData NSS_CMSContentInfo_SetContent_EnvelopedData NSS_CMSContentInfo_SetContent_SignedData NSS_CMSDecoder_Cancel NSS_CMSDecoder_Finish NSS_CMSDecoder_Start NSS_CMSDecoder_Update NSS_CMSDigestContext_Cancel NSS_CMSDigestContext_FinishMultiple NSS_CMSDigestContext_FinishSingle NSS_CMSDigestContext_StartMultiple NSS_CMSDigestContext_StartSingle NSS_CMSDigestContext_Update NSS_CMSDigestedData_Create NSS_CMSDigestedData_Destroy NSS_CMSDigestedData_GetContentInfo NSS_CMSDEREncode NSS_CMSEncoder_Cancel NSS_CMSEncoder_Finish NSS_CMSEncoder_Start NSS_CMSEncoder_Update NSS_CMSEncryptedData_Create NSS_CMSEncryptedData_Destroy NSS_CMSEncryptedData_GetContentInfo NSS_CMSEnvelopedData_AddRecipient NSS_CMSEnvelopedData_Create NSS_CMSEnvelopedData_Destroy NSS_CMSEnvelopedData_GetContentInfo NSS_CMSMessage_ContentLevel NSS_CMSMessage_ContentLevelCount NSS_CMSMessage_Copy NSS_CMSMessage_Create NSS_CMSMessage_CreateFromDER NSS_CMSMessage_Destroy NSS_CMSMessage_GetContent NSS_CMSMessage_GetContentInfo NSS_CMSMessage_IsEncrypted NSS_CMSMessage_IsSigned NSS_CMSRecipientInfo_Create NSS_CMSRecipientInfo_CreateFromDER NSS_CMSRecipientInfo_CreateNew NSS_CMSRecipientInfo_CreateWithSubjKeyID NSS_CMSRecipientInfo_CreateWithSubjKeyIDFromCert NSS_CMSRecipientInfo_Destroy NSS_CMSRecipientInfo_Encode NSS_CMSRecipientInfo_GetCertAndKey NSS_CMSRecipientInfo_UnwrapBulkKey NSS_CMSRecipientInfo_WrapBulkKey NSS_CMSSignedData_AddCertChain NSS_CMSSignedData_AddCertList NSS_CMSSignedData_AddCertificate NSS_CMSSignedData_AddDigest NSS_CMSSignedData_AddSignerInfo NSS_CMSSignedData_Create NSS_CMSSignedData_CreateCertsOnly NSS_CMSSignedData_Destroy NSS_CMSSignedData_GetContentInfo NSS_CMSSignedData_GetDigestAlgs NSS_CMSSignedData_GetSignerInfo NSS_CMSSignedData_HasDigests NSS_CMSSignedData_ImportCerts NSS_CMSSignedData_SetDigests NSS_CMSSignedData_SetDigestValue NSS_CMSSignedData_SignerInfoCount NSS_CMSSignedData_VerifyCertsOnly NSS_CMSSignedData_VerifySignerInfo NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs NSS_CMSSignerInfo_AddSMIMECaps NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs NSS_CMSSignerInfo_AddSigningTime NSS_CMSSignerInfo_Create NSS_CMSSignerInfo_CreateWithSubjKeyID NSS_CMSSignerInfo_Destroy NSS_CMSSignerInfo_GetCertList NSS_CMSSignerInfo_GetSignerCommonName NSS_CMSSignerInfo_GetSignerEmailAddress NSS_CMSSignerInfo_GetSigningCertificate NSS_CMSSignerInfo_GetSigningTime NSS_CMSSignerInfo_GetVerificationStatus NSS_CMSSignerInfo_GetVersion NSS_CMSSignerInfo_IncludeCerts NSS_CMSUtil_VerificationStatusToString NSS_SMIMESignerInfo_SaveSMIMEProfile NSS_SMIMEUtil_FindBulkAlgForRecipients SEC_PKCS7AddCertificate SEC_PKCS7AddRecipient SEC_PKCS7AddSigningTime SEC_PKCS7ContainsCertsOrCrls SEC_PKCS7ContentIsEncrypted SEC_PKCS7ContentIsSigned SEC_PKCS7ContentType SEC_PKCS7CopyContentInfo SEC_PKCS7CreateCertsOnly SEC_PKCS7CreateData SEC_PKCS7CreateEncryptedData SEC_PKCS7CreateEnvelopedData SEC_PKCS7CreateSignedData SEC_PKCS7DecodeItem SEC_PKCS7DecoderAbort SEC_PKCS7DecoderFinish SEC_PKCS7DecoderStart SEC_PKCS7DecoderUpdate SEC_PKCS7DecryptContents SEC_PKCS7DestroyContentInfo SEC_PKCS7Encode SEC_PKCS7EncodeItem SEC_PKCS7EncoderAbort SEC_PKCS7EncoderFinish SEC_PKCS7EncoderStart SEC_PKCS7EncoderUpdate SEC_PKCS7GetCertificateList SEC_PKCS7GetContent SEC_PKCS7GetEncryptionAlgorithm SEC_PKCS7GetSignerCommonName SEC_PKCS7GetSignerEmailAddress SEC_PKCS7GetSigningTime SEC_PKCS7IncludeCertChain SEC_PKCS7IsContentEmpty SEC_PKCS7SetContent SEC_PKCS7VerifyDetachedSignature SEC_PKCS7VerifySignature SECMIME_DecryptionAllowed SEC_PKCS12AddCertAndKey SEC_PKCS12AddPasswordIntegrity SEC_PKCS12CreateExportContext SEC_PKCS12CreatePasswordPrivSafe SEC_PKCS12CreateUnencryptedSafe SEC_PKCS12DecoderFinish SEC_PKCS12DecoderGetCerts SEC_PKCS12DecoderImportBags SEC_PKCS12DecoderIterateInit SEC_PKCS12DecoderIterateNext SEC_PKCS12DecoderSetTargetTokenCAs SEC_PKCS12DecoderStart SEC_PKCS12DecoderUpdate SEC_PKCS12DecoderValidateBags SEC_PKCS12DecoderVerify SEC_PKCS12DestroyExportContext SEC_PKCS12EnableCipher SEC_PKCS12Encode SEC_PKCS12IsEncryptionAllowed

2nd Group – Use this to highlight fixes
* Foreground color – green
* Font style - bold
* Background color – white
* Prefix mode – make sure this is set (checked)
* mysql_real_escape_string

Comment & Number
* Comment line
* Foreground color – light grey
* Treat keyword as symbol
* // #

Comment Block
* Foreground color – light grey
* Treat keyword as symbol
* Comment open - /*
* Comment close - */

Save As
* PHP4, 5 SCA

Then, when one opens a file using the new "language", starting from the suspected highlighted finding, one can double click on the parameters and return values of suspect functions, then keep selecting variables and return values as you trace through the code, using the highlighting all instances function and so on to expidite your review.

Here it is in action:

[[Image:Npp-eg.JPG]]

[[Category:OWASP Application Security Verification Standard Project]]
[[Category:How To]]

Man vs. Code

2012-03-08T08:21:20Z

Zakiakhmad:

'''UPDATE: I have proposed a "Sticky" Marking When Smart Highlighting enhancement to the Notepad++ team: when one is selecting a word character-by-character, allow one to do this multiple times, without clearing the previous selected (and now smart-highlighted) sets of words. Then, clear all marks when double click on any other word. Double-click smart-highlighting functionality remains the same as it was before. This allows one to follow variable assignments through the code more easily. This change allows one to select the original variable, then select a new variable that the old variable is now assigned to, and so on. If you're interested in the details contact mike.boberski@owasp.org. If you'd like an already built version with the changes to copy over after you've installed, you can find it [http://www.owasp.org/index.php/File:Notepad%2B%2B.zip here]'''

[[Image:Man-v-code.gif|right]]
Tools such as source code review tools are expensive. Let me rephrase. They cost as much as a house! Feeling like you just stepped into a survivalist reality show, after being asked to perform a review using for example [http://www.owasp.org/index.php/ASVS OWASP ASVS]? You need tools, and you need them now. You also need tools more useful than for example RATS (Rough Auditing Tool for Security).

Tools such as RATS even if their rules are beefed up are still not a fast way to do a code review. If you accept the premise that when performing a code review, one should do at least a minimal check for both false positives and false negatives, then regardless of tool, you still need to go through each and every source file even if only for a cursory inspection. This is where source code review tools shine, their IDE-like GUIs allow you to jump through the code interactively in a very efficient way. This is why tools such as RATS are pretty much useless. You need to be able to easily jump through the code and follow data from sources to sinks a lot more than you need an initial count of some huge number of potential findings!

With the above in mind, here's one way to fashion a basic, efficient source code review tool (in this case, for PHP source) using a little bit of research and some freely-available tools in perhaps unexpected ways. The basic idea is to use Notepad++ and Its “User Defined Language” Feature. It can be downloaded here: http://notepad-plus.sourceforge.net So, go and do that. The ability to define one’s language using Notepad++ configuration interfaces, its syntax highlighting, and the ability to highlight variables throughout by default after selecting them, provides the basis for a way to search file-by-file for security-related flaws. E.g. create a new “PHP 4, 5 SCA” language. You'll also want to use a grep tool and also open up the PHP web site so you can search for function/language definitions http://us2.php.net/manual/en/ Also, install the “Explorer” plugin (copy to its plugins directory, download from http://sourceforge.net/project/showfiles.php?group_id=189927&package_id=223667 then enable it using the “Plugins” menu

Then, based on looking for function and other keywords related to input, SQL, sessions, URLs, files, etc. one can mine documents for relevant keywords, e.g.:

* http://us2.php.net/manual/en/reserved.variables.php
* http://us2.php.net/manual/en/book.mysql.php
* http://us2.php.net/manual/en/book.hash.php
* http://us2.php.net/manual/en/refs.fileprocess.file.php
* http://us2.php.net/manual/en/book.mail.php
* http://us2.php.net/manual/en/book.session.php
* http://us2.php.net/manual/en/features.cookies.php
* http://us2.php.net/manual/en/ref.url.php
* Chris Shiflett, Essential PHP Security (O’Reilly Media, Inc., 2005).
* http://www.fortify.com/vulncat/en/vulncat/index.html

Next, configure Notepad++ to create a new PHP static analysis language:

Select “View” menu, then “User Define Dialog” menu item, then “Dock” button

Ext:
*Set to php (no period!)

Folder & Default
* Font name – Consolas

Keywords Lists - Use your research here!

1st Group - Use this to find potential problems
* Foreground color – red
* Background color – white
* Font style - bold
* Prefix mode – make sure this is set (checked)

PHP Example:
<pre>
$GLOBALS $_SERVER $_GET $_POST $_FILES $_REQUEST $_SESSION $_ENV $_COOKIE $php_errormsg $HTTP_RAW_POST_DATA $http_response_header $argc $argv mysql_ hash_ basename chgrp chmod chown clearstatcache copy delete dirname disk_free_space disk_total_space diskfreespace fclose feof fflush fgetc fgetcsv fgets fgetss file_exists file_get_contents file_put_contents file fileatime filectime filegroup fileinode filemtime fileowner fileperms filesize filetype flock fnmatch fopen fpassthru fputcsv fputs fread fscanf fseek fstat ftell ftruncate fwrite glob is_dir is_executable is_file is_link is_readable is_uploaded_file is_writable is_writeable lchgrp lchown link linkinfo lstat mkdir move_uploaded_file parse_ini_file parse_ini_string pathinfo pclose popen readfile readlink realpath rename rewind rmdir set_file_buffer stat symlink tempnam tmpfile touch umask unlink mail session_ setcookie setrawcookie header ob_ output_ base64_ get_headers get_meta_tags http_build_query parse_url rawurlecode urldecode urlencode ini_set error_log allow_url_fopen disable_functions display_errors enable_dl error_reporting file_uploads log_errors magic_quotes_gpc memory_limit open_basedir register_globals safe_mode eval exec file file_get_contents fopen include passthru phpinfo popen preg_replace proc_open readfile require shell_exec system $password mcrypt_ return echo <?php <? md5 ldap_ @ trigger_error print error_reporting display_errors <form Ajax.Request preg_replace htmlspecialchars hidden <input rand srand mt_srand mt_rand file extract href mysqli
</pre>

NSS (v3.12.4) Example:

* NSS_GetClientAuthData NSS_SetDomesticPolicy NSS_SetExportPolicy NSS_SetFrancePolicy NSSSSL_VersionCheck SSL_AuthCertificate SSL_AuthCertificateHook SSL_BadCertHook SSL_CertDBHandleSet SSL_CipherPolicyGet SSL_CipherPolicySet SSL_CipherPrefGet SSL_CipherPrefGetDefault SSL_CipherPrefSet SSL_CipherPrefSetDefault SSL_ClearSessionCache SSL_ConfigMPServerSIDCache SSL_ConfigSecureServer SSL_ConfigServerSessionIDCache SSL_DataPending SSL_ForceHandshake SSL_ForceHandshakeWithTimeout SSL_GetChannelInfo SSL_GetCipherSuiteInfo SSL_GetClientAuthDataHook SSL_GetMaxServerCacheLocks SSL_GetSessionID SSL_GetStatistics SSL_HandshakeCallback SSL_ImportFD SSL_InheritMPServerSIDCache SSL_InvalidateSession SSL_LocalCertificate SSL_OptionGet SSL_OptionGetDefault SSL_OptionSet SSL_OptionSetDefault SSL_PeerCertificate SSL_PreencryptedFileToStream SSL_PreencryptedStreamToFile SSL_ReHandshake SSL_ReHandshakeWithTimeout SSL_ResetHandshake SSL_RestartHandshakeAfterCertReq SSL_RestartHandshakeAfterServerCert SSL_RevealCert SSL_RevealPinArg SSL_RevealURL SSL_SecurityStatus SSL_SetMaxServerCacheLocks SSL_SetPKCS11PinArg SSL_SetSockPeerID SSL_SetURL SSL_ShutdownServerSessionIDCache SSL_Enable SSL_EnableCipher SSL_EnableDefault SSL_RedoHandshake SSL_SetPolicy CERT_AddCertToListTail CERT_AddExtension CERT_AddOCSPAcceptableResponses CERT_AddOKDomainName CERT_AddRDN CERT_AsciiToName CERT_CacheCRL CERT_CertChainFromCert CERT_CertListFromCert CERT_CertTimesValid CERT_ChangeCertTrust CERT_CheckCertValidTimes CERT_CheckCertUsage CERT_CompareName CERT_CompareValidityTimes CERT_CompleteCRLDecodeEntries CERT_ConvertAndDecodeCertificate CERT_CopyName CERT_CopyRDN CERT_CreateAVA CERT_CreateCertificate CERT_CreateCertificateRequest CERT_CreateName CERT_CreateOCSPCertID CERT_CreateOCSPRequest CERT_CreateRDN CERT_CreateSubjectCertList CERT_CreateValidity CERT_CRLCacheRefreshIssuer CERT_DecodeAltNameExtension CERT_DecodeAuthInfoAccessExtension CERT_DecodeAuthKeyID CERT_DecodeAVAValue CERT_DecodeBasicConstraintValue CERT_DecodeCertFromPackage CERT_DecodeCertificatePoliciesExtension CERT_DecodeCertPackage CERT_DecodeCRLDistributionPoints CERT_DecodeDERCrl CERT_DecodeDERCrlWithFlags CERT_DecodeGeneralName CERT_DecodeNameConstraintsExtension CERT_DecodeOCSPResponse CERT_DecodeOidSequence CERT_DecodePrivKeyUsagePeriodExtension CERT_DecodeTrustString CERT_DecodeUserNotice CERT_DerNameToAscii CERT_DestroyCertArray CERT_DestroyCertificate CERT_DestroyCertificateList CERT_DestroyCertificatePoliciesExtension CERT_DestroyCertificateRequest CERT_DestroyCertList CERT_DestroyName CERT_DestroyOCSPCertID CERT_DestroyOCSPRequest CERT_DestroyOCSPResponse CERT_DestroyOidSequence CERT_DestroyUserNotice CERT_DestroyValidity CERT_DupCertificate CERT_DupCertList CERT_EnableOCSPChecking CERT_EncodeAltNameExtension CERT_EncodeAndAddBitStrExtension CERT_EncodeAuthKeyID CERT_EncodeBasicConstraintValue CERT_EncodeCRLDistributionPoints CERT_EncodeGeneralName CERT_EncodeOCSPRequest CERT_ExtractPublicKey CERT_FindCertByName CERT_FilterCertListByCANames CERT_FilterCertListByUsage CERT_FilterCertListForUserCerts CERT_FindCertByDERCert CERT_FindCertByIssuerAndSN CERT_FindCertByNickname CERT_FindCertByNicknameOrEmailAddr CERT_FindCertBySubjectKeyID CERT_FindCertExtension CERT_FindCertIssuer CERT_FindKeyUsageExtension CERT_FindSMimeProfile CERT_FindSubjectKeyIDExtension CERT_FindUserCertByUsage CERT_FindUserCertsByUsage CERT_FinishCertificateRequestAttributes CERT_FinishExtensions CERT_FormatName CERT_FreeDistNames CERT_FreeNicknames CERT_GetAVATag CERT_GetCertChainFromCert CERT_GetCertEmailAddress CERT_GetCertificateNames CERT_GetCertificateRequestExtensions CERT_GetCertIssuerAndSN CERT_GetCertNicknames CERT_GetCertTrust CERT_GetCertUid CERT_GetCommonName CERT_GetCountryName CERT_GetDBContentVersion CERT_GetDefaultCertDB CERT_GetDomainComponentName CERT_GetFirstEmailAddress CERT_GetLocalityName CERT_GetNextEmailAddress CERT_GetNextGeneralName CERT_GetNextNameConstraint CERT_GetOCSPResponseStatus CERT_GetOCSPStatusForCertID CERT_GetOidString CERT_GetOrgName CERT_GetOrgUnitName CERT_GetOCSPAuthorityInfoAccessLocation CERT_GetPrevGeneralName CERT_GetPrevNameConstraint CERT_GetSlopTime CERT_GetSSLCACerts CERT_GetStateName CERT_GenTime2FormattedAscii CERT_Hexify CERT_ImportCAChain CERT_ImportCerts CERT_IsRootDERCert CERT_IsUserCert CERT_KeyFromDERCrl CERT_MakeCANickname CERT_MergeExtensions CERT_NameToAscii CERT_NewCertList CERT_NicknameStringsFromCertList CERT_OpenCertDBFilename CERT_RemoveCertListNode CERT_RFC1485_EscapeAndQuote CERT_SaveSMimeProfile CERT_SetSlopTime CERT_StartCertExtensions CERT_StartCertificateRequestAttributes CERT_StartCRLEntryExtensions CERT_StartCRLExtensions CERT_UncacheCRL CERT_VerifyCertName CERT_VerifyCACertForUsage CERT_VerifyCert CERT_VerifyCertificate CERT_VerifyCertificateNow CERT_VerifyCertNow CERT_VerifyOCSPResponseSignature CERT_VerifySignedData CERT_VerifySignedDataWithPublicKey CERT_VerifySignedDataWithPublicKeyInfo NSS_CmpCertChainWCANames NSS_FindCertKEAType PK11_AlgtagToMechanism PK11_Authenticate PK11_BlockData PK11_ChangePW PK11_CheckUserPassword PK11_CipherOp PK11_CloneContext PK11_ConfigurePKCS11 PK11_ConvertSessionPrivKeyToTokenPrivKey PK11_ConvertSessionSymKeyToTokenSymKey PK11_CopyTokenPrivKeyToSessionPrivKey PK11_CreateContextBySymKey PK11_CreateDigestContext PK11_CreatePBEAlgorithmID PK11_DeleteTokenPrivateKey PK11_DeleteTokenPublicKey PK11_DeleteTokenSymKey PK11_Derive PK11_DeriveWithFlags PK11_DeriveWithFlagsPerm PK11_DestroyContext PK11_DestroyGenericObject PK11_DestroyGenericObjects PK11_DestroyObject PK11_DestroyTokenObject PK11_DigestBegin PK11_DigestKey PK11_DigestOp PK11_DigestFinal PK11_DoesMechanism PK11_ExportEncryptedPrivateKeyInfo PK11_ExportEncryptedPrivKeyInfo PK11_ExportPrivateKeyInfo PK11_Finalize PK11_FindBestKEAMatch PK11_FindCertAndKeyByRecipientList PK11_FindCertAndKeyByRecipientListNew PK11_FindCertByIssuerAndSN PK11_FindCertFromDERCert PK11_FindCertFromNickname PK11_FindCertInSlot PK11_FindGenericObjects PK11_FindFixedKey PK11_FindKeyByAnyCert PK11_FindKeyByDERCert PK11_FindPrivateKeyFromCert PK11_FindSlotByName PK11_FindSlotsByNames PK11_FortezzaHasKEA PK11_FortezzaMapSig PK11_FreeSlot PK11_FreeSlotList PK11_FreeSlotListElement PK11_FreeSymKey PK11_GenerateFortezzaIV PK11_GenerateKeyPair PK11_GenerateKeyPairWithFlags PK11_GenerateNewParam PK11_GenerateRandom PK11_GenerateRandomOnSlot PK11_GetAllTokens PK11_GetBestKeyLength PK11_GetBestSlot PK11_GetBestSlotMultiple PK11_GetBestWrapMechanism PK11_GetBlockSize PK11_GetCertFromPrivateKey PK11_GetCurrentWrapIndex PK11_GetDefaultArray PK11_GetDefaultFlags PK11_GetDisabledReason PK11_GetFirstSafe PK11_GetInternalKeySlot PK11_GetInternalSlot PK11_GetKeyGen PK11_GetKeyLength PK11_GetKeyStrength PK11_GetMechanism PK11_GetMinimumPwdLength PK11_GetModInfo PK11_GetModule PK11_GetModuleID PK11_GetNextGenericObject PK11_GetNextSafe PK11_GetNextSymKey PK11_GetPadMechanism PK11_GetPBEIV PK11_GetPQGParamsFromPrivateKey PK11_GetPrevGenericObject PK11_GetPrivateKeyNickname PK11_GetPrivateModulusLen PK11_GetPublicKeyNickname PK11_GetSlotFromKey PK11_GetSlotFromPrivateKey PK11_GetSlotID PK11_GetSlotInfo PK11_GetSlotName PK11_GetSlotSeries PK11_GetSymKeyNickname PK11_GetSymKeyType PK11_GetSymKeyUserData PK11_GetTokenInfo PK11_GetTokenName PK11_GetWindow PK11_GetWrapKey PK11_HashBuf PK11_HasRootCerts PK11_ImportCert PK11_ImportCertForKeyToSlot PK11_ImportCRL PK11_ImportDERCert PK11_ImportDERPrivateKeyInfoAndReturnKey PK11_ImportEncryptedPrivateKeyInfo PK11_ImportPrivateKeyInfo PK11_ImportPrivateKeyInfoAndReturnKey PK11_ImportPublicKey PK11_ImportSymKeyWithFlags PK11_InitPin PK11_IsFIPS PK11_IsDisabled PK11_IsFriendly PK11_IsHW PK11_IsInternal PK11_IsPresent PK11_IsReadOnly PK11_IVFromParam PK11_KeyGen PK11_LinkGenericObject PK11_ListCerts PK11_ListFixedKeysInSlot PK11_ListPrivKeysInSlot PK11_ListPublicKeysInSlot PK11_LoadPrivKey PK11_LogoutAll PK11_MakeKEAPubKey PK11_MapPBEMechanismToCryptoMechanism PK11_MapSignKeyType PK11_MechanismToAlgtag PK11_MoveSymKey PK11_NeedLogin PK11_NeedUserInit PK11_ParamFromIV PK11_ParamFromAlgid PK11_ParamToAlgid PK11_PBEKeyGen PK11_PrivDecryptPKCS1 PK11_ProtectedAuthenticationPath PK11_PubDecryptRaw PK11_PubDerive PK11_PubDeriveWithKDF PK11_PubEncryptPKCS1 PK11_PubEncryptRaw PK11_PubUnwrapSymKey PK11_PubUnwrapSymKeyWithFlags PK11_PubUnwrapSymKeyWithFlagsPerm PK11_PubWrapSymKey PK11_RandomUpdate PK11_ReadRawAttribute PK11_ReferenceSymKey PK11_ResetToken PK11_RestoreContext PK11_SaveContext PK11_SaveContextAlloc PK11_SetFortezzaHack PK11_SetPasswordFunc PK11_SetPrivateKeyNickname PK11_SetPublicKeyNickname PK11_SetSlotPWValues PK11_SetSymKeyNickname PK11_SetSymKeyUserData PK11_SetWrapKey PK11_Sign PK11_SignatureLen PK11_SymKeyFromHandle PK11_TokenExists PK11_TokenKeyGen PK11_TokenKeyGenWithFlags PK11_TokenRefresh PK11_TraverseCertsForNicknameInSlot PK11_TraverseCertsForSubjectInSlot PK11_TraverseSlotCerts PK11_UnlinkGenericObject PK11_UnwrapSymKey PK11_UnwrapSymKeyWithFlags PK11_UnwrapSymKeyWithFlagsPerm PK11_UpdateSlotAttribute PK11_UserEnableSlot PK11_UserDisableSlot PK11_Verify PK11_VerifyKeyOK PK11_WaitForTokenEvent PK11_WrapSymKey PK11SDR_Encrypt PK11SDR_Decrypt SEC_DeletePermCertificate SEC_DeletePermCRL SEC_DerSignData SEC_DestroyCrl SEC_FindCrlByDERCert SEC_FindCrlByName SEC_LookupCrls SEC_NewCrl SEC_QuickDERDecodeItem SECKEY_CacheStaticFlags SECKEY_ConvertToPublicKey SECKEY_CopyPrivateKey SECKEY_CopyPublicKey SECKEY_CopySubjectPublicKeyInfo SECKEY_CreateDHPrivateKey SECKEY_CreateECPrivateKey SECKEY_CreateSubjectPublicKeyInfo SECKEY_DecodeDERSubjectPublicKeyInfo SECKEY_DestroyPrivateKey SECKEY_DestroyPublicKeyList SECKEY_DestroySubjectPublicKeyInfo SECKEY_GetPublicKeyType SECKEY_PublicKeyStrengthInBits SECKEY_SignatureLen ATOB_AsciiToData ATOB_ConvertAsciiToItem BTOA_ConvertItemToAscii BTOA_DataToAscii DER_AsciiToTime DER_DecodeTimeChoice DER_Encode DER_EncodeTimeChoice DER_GeneralizedTimeToTime DER_GetInteger DER_Lengths DER_TimeToUTCTime DER_UTCDayToAscii DER_UTCTimeToAscii DER_UTCTimeToTime DSAU_DecodeDerSig DSAU_DecodeDerSigToLen DSAU_EncodeDerSig DSAU_EncodeDerSigWithLen HASH_Begin HASH_Clone HASH_Create HASH_Destroy HASH_End HASH_GetHashObject HASH_GetHashObjectByOidTag HASH_GetHashTypeByOidTag HASH_HashBuf HASH_ResultLen HASH_ResultLenByOidTag HASH_ResultLenContext HASH_Update NSS_Init NSS_Initialize NSS_InitReadWrite NSS_IsInitialized NSS_NoDBInit NSS_PutEnv NSS_RegisterShutdown NSS_Shutdown NSS_UnregisterShutdown NSS_VersionCheck NSSBase64_DecodeBuffer NSSBase64Decoder_Create NSSBase64Decoder_Destroy NSSBase64Decoder_Update NSSBase64_EncodeItem NSSBase64Encoder_Create NSSBase64Encoder_Destroy NSSBase64Encoder_Update NSSRWLock_Destroy NSSRWLock_HaveWriteLock NSSRWLock_LockRead NSSRWLock_LockWrite NSSRWLock_New NSSRWLock_UnlockRead NSSRWLock_UnlockWrite NSSSMIME_VersionCheck PORT_Alloc PORT_ArenaAlloc PORT_ArenaGrow PORT_ArenaMark PORT_ArenaRelease PORT_ArenaStrdup PORT_ArenaUnmark PORT_ArenaZAlloc PORT_Free PORT_FreeArena PORT_GetError PORT_NewArena PORT_Realloc PORT_SetError PORT_SetUCS2_ASCIIConversionFunction PORT_SetUCS2_UTF8ConversionFunction PORT_SetUCS4_UTF8ConversionFunction PORT_Strdup PORT_UCS2_ASCIIConversion PORT_UCS2_UTF8Conversion PORT_ZAlloc PORT_ZFree RSA_FormatBlock SEC_ASN1Decode SEC_ASN1DecodeInteger SEC_ASN1DecodeItem SEC_ASN1DecoderAbort SEC_ASN1DecoderClearFilterProc SEC_ASN1DecoderClearNotifyProc SEC_ASN1DecoderFinish SEC_ASN1DecoderSetFilterProc SEC_ASN1DecoderSetNotifyProc SEC_ASN1DecoderStart SEC_ASN1DecoderUpdate SEC_ASN1Encode SEC_ASN1EncodeInteger SEC_ASN1EncodeItem SEC_ASN1EncoderAbort SEC_ASN1EncoderClearNotifyProc SEC_ASN1EncoderClearStreaming SEC_ASN1EncoderClearTakeFromBuf SEC_ASN1EncoderFinish SEC_ASN1EncoderSetNotifyProc SEC_ASN1EncoderSetStreaming SEC_ASN1EncoderSetTakeFromBuf SEC_ASN1EncoderStart SEC_ASN1EncoderUpdate SEC_ASN1EncodeUnsignedInteger SEC_ASN1LengthLength SEC_DupCrl SEC_GetSignatureAlgorithmOidTag SEC_PKCS5GetCryptoAlgorithm SEC_PKCS5GetKeyLength SEC_PKCS5GetPBEAlgorithm SEC_PKCS5IsAlgorithmPBEAlg SEC_RegisterDefaultHttpClient SEC_SignData SECITEM_AllocItem SECITEM_ArenaDupItem SECITEM_CompareItem SECITEM_CopyItem SECITEM_DupItem SECITEM_FreeItem SECITEM_ItemsAreEqual SECITEM_ZfreeItem SECKEY_CopyEncryptedPrivateKeyInfo SECKEY_CopyPrivateKeyInfo SECKEY_CreateRSAPrivateKey SECKEY_DestroyEncryptedPrivateKeyInfo SECKEY_DestroyPrivateKeyInfo SECKEY_DestroyPublicKey SECKEY_PublicKeyStrength SECKEY_UpdateCertPQG SECMOD_AddNewModule SECMOD_AddNewModuleEx SECMOD_CancelWait SECMOD_CanDeleteInternalModule SECMOD_CreateModule SECMOD_DeleteModule SECMOD_FindModule SECMOD_FindSlot SECMOD_FreeModuleSpecList SECMOD_GetDBModuleList SECMOD_GetDeadModuleList SECMOD_GetModuleSpecList SECMOD_HasRemovableSlots SECMOD_IsModulePresent SECMOD_LoadModule SECMOD_LoadUserModule SECMOD_LookupSlot SECMOD_PubCipherFlagstoInternal SECMOD_PubMechFlagstoInternal SECMOD_UnloadUserModule SECMOD_UpdateModule SECMOD_UpdateSlotList SECMOD_WaitForAnyTokenEvent SECOID_AddEntry SECOID_CompareAlgorithmID SECOID_CopyAlgorithmID SECOID_DestroyAlgorithmID SECOID_FindOID SECOID_FindOIDByTag SECOID_FindOIDTag SECOID_FindOIDTagDescription SECOID_GetAlgorithmTag SECOID_SetAlgorithmID SGN_Begin SGN_CompareDigestInfo SGN_CopyDigestInfo SGN_CreateDigestInfo SGN_DestroyContext SGN_DestroyDigestInfo SGN_Digest SGN_End SGN_NewContext SGN_Update VFY_Begin VFY_CreateContext VFY_DestroyContext VFY_End VFY_Update VFY_VerifyData VFY_VerifyDigest NSS_CMSContentInfo_GetBulkKey NSS_CMSContentInfo_GetBulkKeySize NSS_CMSContentInfo_GetContent NSS_CMSContentInfo_GetContentEncAlgTag NSS_CMSContentInfo_GetContentTypeTag NSS_CMSContentInfo_SetBulkKey NSS_CMSContentInfo_SetContent NSS_CMSContentInfo_SetContent_Data NSS_CMSContentInfo_SetContentEncAlg NSS_CMSContentInfo_SetContent_DigestedData NSS_CMSContentInfo_SetContent_EncryptedData NSS_CMSContentInfo_SetContent_EnvelopedData NSS_CMSContentInfo_SetContent_SignedData NSS_CMSDecoder_Cancel NSS_CMSDecoder_Finish NSS_CMSDecoder_Start NSS_CMSDecoder_Update NSS_CMSDigestContext_Cancel NSS_CMSDigestContext_FinishMultiple NSS_CMSDigestContext_FinishSingle NSS_CMSDigestContext_StartMultiple NSS_CMSDigestContext_StartSingle NSS_CMSDigestContext_Update NSS_CMSDigestedData_Create NSS_CMSDigestedData_Destroy NSS_CMSDigestedData_GetContentInfo NSS_CMSDEREncode NSS_CMSEncoder_Cancel NSS_CMSEncoder_Finish NSS_CMSEncoder_Start NSS_CMSEncoder_Update NSS_CMSEncryptedData_Create NSS_CMSEncryptedData_Destroy NSS_CMSEncryptedData_GetContentInfo NSS_CMSEnvelopedData_AddRecipient NSS_CMSEnvelopedData_Create NSS_CMSEnvelopedData_Destroy NSS_CMSEnvelopedData_GetContentInfo NSS_CMSMessage_ContentLevel NSS_CMSMessage_ContentLevelCount NSS_CMSMessage_Copy NSS_CMSMessage_Create NSS_CMSMessage_CreateFromDER NSS_CMSMessage_Destroy NSS_CMSMessage_GetContent NSS_CMSMessage_GetContentInfo NSS_CMSMessage_IsEncrypted NSS_CMSMessage_IsSigned NSS_CMSRecipientInfo_Create NSS_CMSRecipientInfo_CreateFromDER NSS_CMSRecipientInfo_CreateNew NSS_CMSRecipientInfo_CreateWithSubjKeyID NSS_CMSRecipientInfo_CreateWithSubjKeyIDFromCert NSS_CMSRecipientInfo_Destroy NSS_CMSRecipientInfo_Encode NSS_CMSRecipientInfo_GetCertAndKey NSS_CMSRecipientInfo_UnwrapBulkKey NSS_CMSRecipientInfo_WrapBulkKey NSS_CMSSignedData_AddCertChain NSS_CMSSignedData_AddCertList NSS_CMSSignedData_AddCertificate NSS_CMSSignedData_AddDigest NSS_CMSSignedData_AddSignerInfo NSS_CMSSignedData_Create NSS_CMSSignedData_CreateCertsOnly NSS_CMSSignedData_Destroy NSS_CMSSignedData_GetContentInfo NSS_CMSSignedData_GetDigestAlgs NSS_CMSSignedData_GetSignerInfo NSS_CMSSignedData_HasDigests NSS_CMSSignedData_ImportCerts NSS_CMSSignedData_SetDigests NSS_CMSSignedData_SetDigestValue NSS_CMSSignedData_SignerInfoCount NSS_CMSSignedData_VerifyCertsOnly NSS_CMSSignedData_VerifySignerInfo NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs NSS_CMSSignerInfo_AddSMIMECaps NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs NSS_CMSSignerInfo_AddSigningTime NSS_CMSSignerInfo_Create NSS_CMSSignerInfo_CreateWithSubjKeyID NSS_CMSSignerInfo_Destroy NSS_CMSSignerInfo_GetCertList NSS_CMSSignerInfo_GetSignerCommonName NSS_CMSSignerInfo_GetSignerEmailAddress NSS_CMSSignerInfo_GetSigningCertificate NSS_CMSSignerInfo_GetSigningTime NSS_CMSSignerInfo_GetVerificationStatus NSS_CMSSignerInfo_GetVersion NSS_CMSSignerInfo_IncludeCerts NSS_CMSUtil_VerificationStatusToString NSS_SMIMESignerInfo_SaveSMIMEProfile NSS_SMIMEUtil_FindBulkAlgForRecipients SEC_PKCS7AddCertificate SEC_PKCS7AddRecipient SEC_PKCS7AddSigningTime SEC_PKCS7ContainsCertsOrCrls SEC_PKCS7ContentIsEncrypted SEC_PKCS7ContentIsSigned SEC_PKCS7ContentType SEC_PKCS7CopyContentInfo SEC_PKCS7CreateCertsOnly SEC_PKCS7CreateData SEC_PKCS7CreateEncryptedData SEC_PKCS7CreateEnvelopedData SEC_PKCS7CreateSignedData SEC_PKCS7DecodeItem SEC_PKCS7DecoderAbort SEC_PKCS7DecoderFinish SEC_PKCS7DecoderStart SEC_PKCS7DecoderUpdate SEC_PKCS7DecryptContents SEC_PKCS7DestroyContentInfo SEC_PKCS7Encode SEC_PKCS7EncodeItem SEC_PKCS7EncoderAbort SEC_PKCS7EncoderFinish SEC_PKCS7EncoderStart SEC_PKCS7EncoderUpdate SEC_PKCS7GetCertificateList SEC_PKCS7GetContent SEC_PKCS7GetEncryptionAlgorithm SEC_PKCS7GetSignerCommonName SEC_PKCS7GetSignerEmailAddress SEC_PKCS7GetSigningTime SEC_PKCS7IncludeCertChain SEC_PKCS7IsContentEmpty SEC_PKCS7SetContent SEC_PKCS7VerifyDetachedSignature SEC_PKCS7VerifySignature SECMIME_DecryptionAllowed SEC_PKCS12AddCertAndKey SEC_PKCS12AddPasswordIntegrity SEC_PKCS12CreateExportContext SEC_PKCS12CreatePasswordPrivSafe SEC_PKCS12CreateUnencryptedSafe SEC_PKCS12DecoderFinish SEC_PKCS12DecoderGetCerts SEC_PKCS12DecoderImportBags SEC_PKCS12DecoderIterateInit SEC_PKCS12DecoderIterateNext SEC_PKCS12DecoderSetTargetTokenCAs SEC_PKCS12DecoderStart SEC_PKCS12DecoderUpdate SEC_PKCS12DecoderValidateBags SEC_PKCS12DecoderVerify SEC_PKCS12DestroyExportContext SEC_PKCS12EnableCipher SEC_PKCS12Encode SEC_PKCS12IsEncryptionAllowed

2nd Group – Use this to highlight fixes
* Foreground color – green
* Font style - bold
* Background color – white
* Prefix mode – make sure this is set (checked)
* mysql_real_escape_string

Comment & Number
* Comment line
* Foreground color – light grey
* Treat keyword as symbol
* // #

Comment Block
* Foreground color – light grey
* Treat keyword as symbol
* Comment open - /*
* Comment close - */

Save As
* PHP4, 5 SCA

Then, when one opens a file using the new "language", starting from the suspected highlighted finding, one can double click on the parameters and return values of suspect functions, then keep selecting variables and return values as you trace through the code, using the highlighting all instances function and so on to expidite your review.

Here it is in action:

[[Image:Npp-eg.JPG]]

[[Category:OWASP Application Security Verification Standard Project]]
[[Category:How To]]

AppSecAsiaPac2012/Chapters Workshop

2012-03-05T03:35:11Z

Zakiakhmad: /* Remote Participation */

As part of [[AppSecAsiaPac2012|AppSec APAC 2012]], on '''Thursday, April 12 at 1:30PM-5:00PM''', the Global Chapter Committee is organizing a chapter leader workshop for all the chapter leaders that attend the conference. ''Please note that this Workshop will take place on the day before the Conference starts.''

==Agenda==
We plan to start with a 1.5 hour session run by experienced leaders (panel) on how to run a successful chapter. The second part of the workshop will be a roundtable discussion on regional issues and challenges, with a goal of working together to create solutions.

Are there other topics you would like to discuss? Please add them below:
* Best practices of Chapter organization
* How long should a leader lead a chapter?
* ...

== Funding to Attend Workshop ==

If you need financial assistance to attend the Chapter Leader Workshop at AppSec APAC, please submit a request to [mailto:josh.sokol@owasp.org Josh Sokol] and [mailto:sarah.baso@owasp.org Sarah Baso] by '''March 1, 2012'''.

Funding for your attendance to the workshop should be worked out in the following order.

# Ask your employer to fund your trip to AppSec Asia Pacific in Sydney, Australia.
# Utilize your chapter funds.
# Ask the chapter committee for funding assistance.

While we wish we could fund every chapter leader, due to the limited amount of budget allocated for this event, we may not be able to fund 100% to all the requests. Priority of sponsorships will be given to those not covered by a sponsorship to attend a workshop in 2011. Additionally, we are looking for new or struggling chapter leaders who need assistance kick starting their chapter.

After March 1, the Global Chapters Committee will make funding decision in a fair and transparent manner. When you apply for funding, please let us know '''why we should sponsor you'''. While we prefer that chapter leaders use their own chapter's funds before requesting a sponsorship, this is not a requirement for application. If your chapter has fund but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).

== Participants ==

'''If you plan to attend, please fill in your name and chapter below:'''

* Sarah Baso (OWASP Operational Support)
* Andrew van der Stock
* [https://www.owasp.org/index.php/User:Mohd_Fazli_Azran Mohd Fazli Azran] (GCC & Malaysia Chapter)
* [https://www.owasp.org/index.php/User:Tgondrom Tobias Gondrom] (OWASP London) - (attendance will depend on whether I will be at the AppSec to give presentation/training at the AppSec anyway)
* [https://www.owasp.org/index.php/User:gandhiasrn Gandhi Aryavalli] (GMC)

...

== Remote Participation ==

Details TBA.

* [https://www.owasp.org/index.php/User:Zakiakhmad Zaki Akhmad] (Indonesia Chapter)
* ...
* ...

== 2011 Chapter Leader Workshops==
* [[AppSecEU 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/1PrGmwy1pxs2cb4LyewXS4TonbzAY7nORWvj-NJYaEnk/edit?hl=en_US Meeting Minutes]
* [[AppSec USA 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/13KyIN9F75ZcM8lPDpvwU11JgxcImYp3or6dhmcezpF0/edit?hl=en_US Meeting Minutes] 21-Sept-2011 in Minneapolis, MN, USA
* [[AppSecLatam2011 chapters workshop agenda]] and [https://docs.google.com/document/d/1875PxrASC37IxgclLuK7cE9nfOu4D98p5GwSeYHSgas/edit?hl=en_US Meeting Minutes] 5-Oct-2011 in Porto Alegre, Brazil
* [[OWASP Global AppSec Asia 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/1z_3ehI9T_lIeMmkeUo9QL9mbjh8ygSKquVlBaJY7ed4/edit Meeting Minutes] 9-Nov-2011 in Beijing, China

== Questions? ==

Contact us: 
[mailto:josh.sokol@owasp.org Josh Sokol], Chapters Committee Chair 
[mailto:sarah.baso@owasp.org Sarah Baso], OWASP Operational Support - Conference Logistics & Community Relations

AppSecAsiaPac2012/Chapters Workshop

2012-03-05T03:34:44Z

Zakiakhmad: /* Remote Participation */

As part of [[AppSecAsiaPac2012|AppSec APAC 2012]], on '''Thursday, April 12 at 1:30PM-5:00PM''', the Global Chapter Committee is organizing a chapter leader workshop for all the chapter leaders that attend the conference. ''Please note that this Workshop will take place on the day before the Conference starts.''

==Agenda==
We plan to start with a 1.5 hour session run by experienced leaders (panel) on how to run a successful chapter. The second part of the workshop will be a roundtable discussion on regional issues and challenges, with a goal of working together to create solutions.

Are there other topics you would like to discuss? Please add them below:
* Best practices of Chapter organization
* How long should a leader lead a chapter?
* ...

== Funding to Attend Workshop ==

If you need financial assistance to attend the Chapter Leader Workshop at AppSec APAC, please submit a request to [mailto:josh.sokol@owasp.org Josh Sokol] and [mailto:sarah.baso@owasp.org Sarah Baso] by '''March 1, 2012'''.

Funding for your attendance to the workshop should be worked out in the following order.

# Ask your employer to fund your trip to AppSec Asia Pacific in Sydney, Australia.
# Utilize your chapter funds.
# Ask the chapter committee for funding assistance.

While we wish we could fund every chapter leader, due to the limited amount of budget allocated for this event, we may not be able to fund 100% to all the requests. Priority of sponsorships will be given to those not covered by a sponsorship to attend a workshop in 2011. Additionally, we are looking for new or struggling chapter leaders who need assistance kick starting their chapter.

After March 1, the Global Chapters Committee will make funding decision in a fair and transparent manner. When you apply for funding, please let us know '''why we should sponsor you'''. While we prefer that chapter leaders use their own chapter's funds before requesting a sponsorship, this is not a requirement for application. If your chapter has fund but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).

== Participants ==

'''If you plan to attend, please fill in your name and chapter below:'''

* Sarah Baso (OWASP Operational Support)
* Andrew van der Stock
* [https://www.owasp.org/index.php/User:Mohd_Fazli_Azran Mohd Fazli Azran] (GCC & Malaysia Chapter)
* [https://www.owasp.org/index.php/User:Tgondrom Tobias Gondrom] (OWASP London) - (attendance will depend on whether I will be at the AppSec to give presentation/training at the AppSec anyway)
* [https://www.owasp.org/index.php/User:gandhiasrn Gandhi Aryavalli] (GMC)

...

== Remote Participation ==

Details TBA.

* [https://www.owasp.org/index.php/User:Zakiakhmad Zaki Akhmad]
* ...
* ...

== 2011 Chapter Leader Workshops==
* [[AppSecEU 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/1PrGmwy1pxs2cb4LyewXS4TonbzAY7nORWvj-NJYaEnk/edit?hl=en_US Meeting Minutes]
* [[AppSec USA 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/13KyIN9F75ZcM8lPDpvwU11JgxcImYp3or6dhmcezpF0/edit?hl=en_US Meeting Minutes] 21-Sept-2011 in Minneapolis, MN, USA
* [[AppSecLatam2011 chapters workshop agenda]] and [https://docs.google.com/document/d/1875PxrASC37IxgclLuK7cE9nfOu4D98p5GwSeYHSgas/edit?hl=en_US Meeting Minutes] 5-Oct-2011 in Porto Alegre, Brazil
* [[OWASP Global AppSec Asia 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/1z_3ehI9T_lIeMmkeUo9QL9mbjh8ygSKquVlBaJY7ed4/edit Meeting Minutes] 9-Nov-2011 in Beijing, China

== Questions? ==

Contact us: 
[mailto:josh.sokol@owasp.org Josh Sokol], Chapters Committee Chair 
[mailto:sarah.baso@owasp.org Sarah Baso], OWASP Operational Support - Conference Logistics & Community Relations

AppSecAsiaPac2012/Chapters Workshop

2012-03-05T03:33:23Z

Zakiakhmad: /* Remote Participation */

As part of [[AppSecAsiaPac2012|AppSec APAC 2012]], on '''Thursday, April 12 at 1:30PM-5:00PM''', the Global Chapter Committee is organizing a chapter leader workshop for all the chapter leaders that attend the conference. ''Please note that this Workshop will take place on the day before the Conference starts.''

==Agenda==
We plan to start with a 1.5 hour session run by experienced leaders (panel) on how to run a successful chapter. The second part of the workshop will be a roundtable discussion on regional issues and challenges, with a goal of working together to create solutions.

Are there other topics you would like to discuss? Please add them below:
* Best practices of Chapter organization
* How long should a leader lead a chapter?
* ...

== Funding to Attend Workshop ==

If you need financial assistance to attend the Chapter Leader Workshop at AppSec APAC, please submit a request to [mailto:josh.sokol@owasp.org Josh Sokol] and [mailto:sarah.baso@owasp.org Sarah Baso] by '''March 1, 2012'''.

Funding for your attendance to the workshop should be worked out in the following order.

# Ask your employer to fund your trip to AppSec Asia Pacific in Sydney, Australia.
# Utilize your chapter funds.
# Ask the chapter committee for funding assistance.

While we wish we could fund every chapter leader, due to the limited amount of budget allocated for this event, we may not be able to fund 100% to all the requests. Priority of sponsorships will be given to those not covered by a sponsorship to attend a workshop in 2011. Additionally, we are looking for new or struggling chapter leaders who need assistance kick starting their chapter.

After March 1, the Global Chapters Committee will make funding decision in a fair and transparent manner. When you apply for funding, please let us know '''why we should sponsor you'''. While we prefer that chapter leaders use their own chapter's funds before requesting a sponsorship, this is not a requirement for application. If your chapter has fund but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).

== Participants ==

'''If you plan to attend, please fill in your name and chapter below:'''

* Sarah Baso (OWASP Operational Support)
* Andrew van der Stock
* [https://www.owasp.org/index.php/User:Mohd_Fazli_Azran Mohd Fazli Azran] (GCC & Malaysia Chapter)
* [https://www.owasp.org/index.php/User:Tgondrom Tobias Gondrom] (OWASP London) - (attendance will depend on whether I will be at the AppSec to give presentation/training at the AppSec anyway)
* [https://www.owasp.org/index.php/User:gandhiasrn Gandhi Aryavalli] (GMC)

...

== Remote Participation ==

Details TBA.

* [[User:Zakiakhmad Zaki Akhmad]]
* ...
* ...

== 2011 Chapter Leader Workshops==
* [[AppSecEU 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/1PrGmwy1pxs2cb4LyewXS4TonbzAY7nORWvj-NJYaEnk/edit?hl=en_US Meeting Minutes]
* [[AppSec USA 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/13KyIN9F75ZcM8lPDpvwU11JgxcImYp3or6dhmcezpF0/edit?hl=en_US Meeting Minutes] 21-Sept-2011 in Minneapolis, MN, USA
* [[AppSecLatam2011 chapters workshop agenda]] and [https://docs.google.com/document/d/1875PxrASC37IxgclLuK7cE9nfOu4D98p5GwSeYHSgas/edit?hl=en_US Meeting Minutes] 5-Oct-2011 in Porto Alegre, Brazil
* [[OWASP Global AppSec Asia 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/1z_3ehI9T_lIeMmkeUo9QL9mbjh8ygSKquVlBaJY7ed4/edit Meeting Minutes] 9-Nov-2011 in Beijing, China

== Questions? ==

Contact us: 
[mailto:josh.sokol@owasp.org Josh Sokol], Chapters Committee Chair 
[mailto:sarah.baso@owasp.org Sarah Baso], OWASP Operational Support - Conference Logistics & Community Relations

AppSecAsiaPac2012/Chapters Workshop

2012-03-05T03:32:40Z

Zakiakhmad: /* Participants */

As part of [[AppSecAsiaPac2012|AppSec APAC 2012]], on '''Thursday, April 12 at 1:30PM-5:00PM''', the Global Chapter Committee is organizing a chapter leader workshop for all the chapter leaders that attend the conference. ''Please note that this Workshop will take place on the day before the Conference starts.''

==Agenda==
We plan to start with a 1.5 hour session run by experienced leaders (panel) on how to run a successful chapter. The second part of the workshop will be a roundtable discussion on regional issues and challenges, with a goal of working together to create solutions.

Are there other topics you would like to discuss? Please add them below:
* Best practices of Chapter organization
* How long should a leader lead a chapter?
* ...

== Funding to Attend Workshop ==

If you need financial assistance to attend the Chapter Leader Workshop at AppSec APAC, please submit a request to [mailto:josh.sokol@owasp.org Josh Sokol] and [mailto:sarah.baso@owasp.org Sarah Baso] by '''March 1, 2012'''.

Funding for your attendance to the workshop should be worked out in the following order.

# Ask your employer to fund your trip to AppSec Asia Pacific in Sydney, Australia.
# Utilize your chapter funds.
# Ask the chapter committee for funding assistance.

While we wish we could fund every chapter leader, due to the limited amount of budget allocated for this event, we may not be able to fund 100% to all the requests. Priority of sponsorships will be given to those not covered by a sponsorship to attend a workshop in 2011. Additionally, we are looking for new or struggling chapter leaders who need assistance kick starting their chapter.

After March 1, the Global Chapters Committee will make funding decision in a fair and transparent manner. When you apply for funding, please let us know '''why we should sponsor you'''. While we prefer that chapter leaders use their own chapter's funds before requesting a sponsorship, this is not a requirement for application. If your chapter has fund but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).

== Participants ==

'''If you plan to attend, please fill in your name and chapter below:'''

* Sarah Baso (OWASP Operational Support)
* Andrew van der Stock
* [https://www.owasp.org/index.php/User:Mohd_Fazli_Azran Mohd Fazli Azran] (GCC & Malaysia Chapter)
* [https://www.owasp.org/index.php/User:Tgondrom Tobias Gondrom] (OWASP London) - (attendance will depend on whether I will be at the AppSec to give presentation/training at the AppSec anyway)
* [https://www.owasp.org/index.php/User:gandhiasrn Gandhi Aryavalli] (GMC)

...

== Remote Participation ==

Details TBA.

== 2011 Chapter Leader Workshops==
* [[AppSecEU 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/1PrGmwy1pxs2cb4LyewXS4TonbzAY7nORWvj-NJYaEnk/edit?hl=en_US Meeting Minutes]
* [[AppSec USA 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/13KyIN9F75ZcM8lPDpvwU11JgxcImYp3or6dhmcezpF0/edit?hl=en_US Meeting Minutes] 21-Sept-2011 in Minneapolis, MN, USA
* [[AppSecLatam2011 chapters workshop agenda]] and [https://docs.google.com/document/d/1875PxrASC37IxgclLuK7cE9nfOu4D98p5GwSeYHSgas/edit?hl=en_US Meeting Minutes] 5-Oct-2011 in Porto Alegre, Brazil
* [[OWASP Global AppSec Asia 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/1z_3ehI9T_lIeMmkeUo9QL9mbjh8ygSKquVlBaJY7ed4/edit Meeting Minutes] 9-Nov-2011 in Beijing, China

== Questions? ==

Contact us: 
[mailto:josh.sokol@owasp.org Josh Sokol], Chapters Committee Chair 
[mailto:sarah.baso@owasp.org Sarah Baso], OWASP Operational Support - Conference Logistics & Community Relations

AppSecAsiaPac2012/Chapters Workshop

2012-02-17T08:22:32Z

Zakiakhmad: /* Agenda */

As part of [[AppSecAsiaPac2012|AppSec APAC 2012]], on '''Thursday, April 12 at 1:30PM-5:00PM''', the Global Chapter Committee is organizing a chapter leader workshop for all the chapter leaders that attend the conference. ''Please note that this Workshop will take place on the day before the Conference starts.''

==Agenda==
We plan to start with a 1.5 hour session run by experienced leaders (panel) on how to run a successful chapter. The second part of the workshop will be a roundtable discussion on regional issues and challenges, with a goal of working together to create solutions.

Are there other topics you would like to discuss? Please add them below:
* Best practices of Chapter organization
* How long should a leader lead a chapter?
* ...

== Funding to Attend Workshop ==

If you need financial assistance to attend the Chapter Leader Workshop at AppSec APAC, please submit a request to [mailto:josh.sokol@owasp.org Josh Sokol] and [mailto:sarah.baso@owasp.org Sarah Baso] by '''March 1, 2012'''.

Funding for your attendance to the workshop should be worked out in the following order.

# Ask your employer to fund your trip to AppSec Asia Pacific in Sydney, Australia.
# Utilize your chapter funds.
# Ask the chapter committee for funding assistance.

While we wish we could fund every chapter leader, due to the limited amount of budget allocated for this event, we may not be able to fund 100% to all the requests. Priority of sponsorships will be given to those not covered by a sponsorship to attend a workshop in 2011. Additionally, we are looking for new or struggling chapter leaders who need assistance kick starting their chapter.

After March 1, the Global Chapters Committee will make funding decision in a fair and transparent manner. When you apply for funding, please let us know '''why we should sponsor you'''. While we prefer that chapter leaders use their own chapter's funds before requesting a sponsorship, this is not a requirement for application. If your chapter has fund but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).

== Participants ==

'''If you plan to attend, please fill in your name and chapter below:'''

* Sarah Baso (OWASP Operational Support)
* Andrew van der Stock
* [https://www.owasp.org/index.php/User:Mohd_Fazli_Azran Mohd Fazli Azran] (GCC & Malaysia Chapter)
*
*
...

== Remote Participation ==

Details TBA.

== 2011 Chapter Leader Workshops==
* [[AppSecEU 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/1PrGmwy1pxs2cb4LyewXS4TonbzAY7nORWvj-NJYaEnk/edit?hl=en_US Meeting Minutes]
* [[AppSec USA 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/13KyIN9F75ZcM8lPDpvwU11JgxcImYp3or6dhmcezpF0/edit?hl=en_US Meeting Minutes] 21-Sept-2011 in Minneapolis, MN, USA
* [[AppSecLatam2011 chapters workshop agenda]] and [https://docs.google.com/document/d/1875PxrASC37IxgclLuK7cE9nfOu4D98p5GwSeYHSgas/edit?hl=en_US Meeting Minutes] 5-Oct-2011 in Porto Alegre, Brazil
* [[OWASP Global AppSec Asia 2011 chapters workshop agenda]] and [https://docs.google.com/a/owasp.org/document/d/1z_3ehI9T_lIeMmkeUo9QL9mbjh8ygSKquVlBaJY7ed4/edit Meeting Minutes] 9-Nov-2011 in Beijing, China

== Questions? ==

Contact us: 
[mailto:josh.sokol@owasp.org Josh Sokol], Chapters Committee Chair 
[mailto:sarah.baso@owasp.org Sarah Baso], OWASP Operational Support - Conference Logistics & Community Relations

OWASP Global AppSec Asia 2011

2012-02-01T10:39:22Z

Zakiakhmad:

__NOTOC__ [[Image:OWASP 2011 AppSec Asia.jpg|center|OWASP 2011 AppSec Asia.jpg]]

 

= Welcome =

=== OWASP Global AppSec Asia Pacific 2011 - Beijing China ===

[http://www.owasp.org/index.php/China-Mainland OWASP China-Mainland Chapter] will host '''OWASP Global AppSec Asia 2011''' in Beijing, China from Nov. 8 to Nov. 11, 2011. The summit will gather OWASP leaders, security experts, executives, technical thought leaders, developers, scientists and researchers from Asia and around the world for in-depth discussions of cutting-edge application security issues. The summit will draw participation from major Chinese and global organizations across various verticals including government, information technology, services and consulting, telecommunications, finance, e-commerce, Internet, universities and research institutes. About 800 people are expected to attend the summit, which will be covered by major news media. Panel discussions, vendor exhibit, and dinners will be held at the summit, providing sufficient networking opportunities.

= [http://www.owasp.org.cn/OWASP_Conference/AppSec_2011/Asia_2011-PPT Presentations Download]=

= 中文(Chinese) =

=== 中文网站 ===

[http://www.owasp.org.cn OWASP 中国]

[http://www.owasp.org.cn/OWASP_Conference OWASP 2011亚太峰会]

= Registration =

请使用[http://www.regonline.com/appsecasia2011 RegOnline 链接]来注册(中文).

Please use [http://www.regonline.com/owaspglobalappsecasia2011 RegOnline link] for your registration (English).

'''Who Should Attend OWASP Global AppSec Asia 2011:'''

*Application Developers
*Application Testers and Quality Assurance
*Application Project Management and Staff
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
*Security Managers and Staff
*Executives, Managers, and Staff Responsible for IT Security Governance
*IT Professionals Interesting in Improving IT Security

For student discount, attendees must present proof of enrollment when picking up your badge.

= Keynotes =

=== Manoranjan Paul ===

{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/7/7c/Mano_Paul.jpg
| Manoranjan (Mano) Paul is founder and CEO of SecuRisk Solutions and Express Certifications, companies that specialize in security training, consulting and product development. His information security and software assurance experience includes designing and developing security programs from compliance-to-coding, security in the SDLC, writing secure code, risk management, security strategy, and security awareness training and education.
He is the author of the official (ISC)2 guide to the Certified Secure Software LifecycleProfessional (CSSLP) book (released June 2011) and has contributed to chapters in the Information Security Management Handbook. His has been interviewed and referenced in several articles including those in CIO.com. Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering training, talks and keynotes in conferences such as the OWASP, ASIS, CSI, Catalyst, SC World Congress, (ISC)2 Security Congress, and TRISC.

|}

=== Cassio Goldschmidt ===

{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/b/b4/Cassio.jpg
| [http://cassiogoldschmidt.com/Blog/default.html Cassio Goldschmidt] is a globally recognized application security leader, and senior manager of the product security team at Symantec Corporation (a long time OWASP supporter). In this role Cassio leads the Symantec Product Security team with company-wide responsibility for product security assurance, vulnerability management, security development lifecycle implementation, and oversees the coordination of security certifications and training.
Cassio's contribution to OWASP include:

#Co-chair of OWASP AppSec USA 2010
#Co-chair of OWASP AppSec Latin America 2011
#Member of the conference committee
#Major contributions to the revamp of OWASP LA Chapter
#Honorary founder of OWASP Porto Alegre Chapter
#Board member of OWASP LA Chapter
#Speaking engagements at OWASP conferences

|}

=== Frank Fan ===

{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/b/b1/Frank_150.jpg
| Mr. Frank Fan was graduated from California State University as a Computer Science PhD.
With more than ten years of technical research and project management experience in world famous security companies, Mr. Frank Fan researched deeply about online security, database security and auditing and compliance( such as SOX, PCI, ISO17799/27001). Because of his successful technological innovation in information security, he become the first Chinese who made a speech in the World’s top security conference BLACKHAT and he has certificates such as CISSP, CISA, GCIH, GCIA, etc. Right now, Mr. Frank Fan is the vice president of OWASP China and member of 2008 Olympic Organizing Committee security group.

|}

 

= Guest Speakers =
In Surname's Alphabetical Order

=== Sebastien Deleersnyder ===
{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/d/dd/Seba_reasonably_small.jpg
| [[:User:Sdeleersnyder|Seba Deleersnyder]], Managing Technical Consultant ICT Security at SAIT Zenitel.
As security project leader and information security officer for multiple customers Sebastien has build up extensive experience in Information Security related disciplines, both at strategic and tactical level. Sebastien specializes in (Web) Application Security,combining both his broad development and information security experience.

Seba is the Belgian OWASP Chapter Leader, member of the influential OWASP Foundation Board and performed several public presentations on Web Application and Web Services Security. He also co-organizes the yearly security & hacker BruCON conference and trainings in Brussels.
|}

 

=== Tobias Gondrom ===
{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/c/cf/Tobias.gondrom.jpg
| Tobias Gondrom is Managing Director of an IT Security & Risk Management Advisory based in the United Kingdom and Germany. He has twelve years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and from 2000-2004 as the lead of the Security Task Force at IXOS Software AG, he was responsible for security, risk and incident management and introduced and implemented a secure SDLC used globally by development departments in the US, Canada, UK and Germany.

Since 2003 he is the chair of working groups of the IETF (www.ietf.org) in the security area, member of the IETF security directorate, and since 2010 chair of the formed web security WG at the IETF, and a former chapter lead of the German OWASP chapter from 2007 to 2008 and board member of OWASP London. Tobias is the author of the international standards RFC 4998, RFC 6283 and co-author and contributor to a number of internet standards and papers on security and electronic signatures, as well as the co-author of the book „Secure Electronic Archiving“, and frequent presenter at conferences and publication of articles (e.g. AppSec, ISSE, Moderner Staat, IETF, VOI-booklet “Electronic Signature“, iX).
|}

 

=== Jianmeng Li ===
{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/c/c9/Jianmli.jpg
| Jianmeng Li（Jimmy）is a core member of security team in CISCO CSG. When graduated at 2011, Jimmy worked on the development of client and website for a foreign company. In 2004, he was dispatched to Japan for a year. Jimmy joined Huawei technologies Co., LTD when he came back and worked to develop mobile communication platform. Then Jimmy joined CISCO at 2006 and worked on the development of backend server of online products and application security field. He has rich developing experience on multi-language and multi-platform and is responsible for the training of C/C++ convention and skills. Currently Jimmy is focusing on Fuzz test and secure development.
|}

 

=== Larry Man ===
{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/c/c0/Larryman.jpg
| Larry Man is a dynamic-leader in information security, with over 15 years experience in the field. He is Principle Consultant – SZBOWEB Company Limited which provides independent IT Security consulting to arrange of clients in China and Hong Kong. He is an expert in Data Security. He previously led a team in Ottawa Canada to create an embedded software system specialized in digital rights management. He is also the founder of Ironclad System, a software vendor in producing ERM systems. Larry used to work as a computer auditor of HSBC in HK. Larry was graduated from University of Manitoba with two degrees, one in Computer Science and one in Accounting & Finance. He also had a Master Degree in Engineering from CUHK. Larry is based in Hong Kong and has previously lived in Canada, US and China.
|}

 

=== Marco M. Morana ===
{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/0/07/Marco-morana.JPG
| Marco Morana is leader of the OWASP (Open Web Application Security Project) Cincinnati chapter, Ohio, USA and co-author of OWASP projects such as the secure coding guide and the testing guide. In his current position, Marco works as Sr. Technology Information Security Officer and Security Architect for Citigroup Global Consumer North America where his primary responsibility is security analysis and design review of financial based web applications including on-line banking. Prior to Citigroup, Marco worked for more than 15 years at different companies as software security consultant, security instructor, security application architect and security software engineer. Marco owns a Masters Degree in Computer Systems Engineering from Northwestern Polytechnic University and an Engineering Doctorate Degree (Dr. Ing.) in Mechanical Engineering from University of Padua.
|}

 

=== Alexander Wang ===
{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" |
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/f/fa/Wenjun.png
| Wenjun Wang is a tech lead and security architect in HP PPM R&D with 10 years experience in software development and 4 years’ in security architecture. He used to work in the PPM integration team, took the tech lead for PPM-EDS project, now he acts as the tech lead and scrum master for PPM-Mobility project. He had been working in HP for 4 years. Before joining HP, he worked in Wuerth Phoenix as a Java developer for an ERP system.
As a team leader of the localization of AntiSamy Java in OWASP China, Wenjun organized the training of Antisamy Java and won welcome from students for his understandable style of speech and humor. He holds a master degree in EE and a bachelor degree in Accounting of Shanghai Jiaotong University.
|}

 

=== Daniel Ching Wa Ng ===
{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/3/39/Daniel_ng.jpg
| NG, CHING WA (Daniel) started the career as computer programmer in 1990, and then progressing towards ICT Security, Computer Forensics, Financial Accounting and Auditing after millennium. Recently, he starts his PhD (Security & Forensics) in a UK reputable institute and The Hong Kong Polytechnic University, after earning a good stock options as a corporate director in a listed entity. His interest is Cyber Security, Health Informatics, FaceBook investigation, Digital Evidence standard for forensics laboratory, and Network Forensics. Professionally, he is a committee member HTCIA Asia Pacifc, Chairperson of Professional Internet Security Professional (HK/China), Founder of China PIS Alliance (C-PISA), Director of ISACA China, and Expert Advisor to HKSAR Legco Councillor Samson Tam, ISC2 CSSLP evangelist and authorized trainer. Under the strong influence of knowledge intensive works, Daniel branches into the topic of e-learning, in particular, mobile learning. This research is working with Malaysia Government MIMOS, the national organization for ontology and semantic web. Academically, Daniel is strong in Knowledge Management with a master degree graduated at GPA 3.8.
|}

 

=== Jonathan Werrett ===
{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/c/c4/Jw-headshot-200px.jpg
| Jonathan Werrett is a Hong Kong based Senior Security Consultant with Trustwave's SpiderLabs. SpiderLabs is Trustwave's advanced security team focused on penetration testing,incident response, and application security. Over the past 10 years, Jonathan has worked in roles securing web infrastructure for a number of online start-ups, as well as providing web application testing and secure development consulting services to various international organizations.
|}

 

=== Yuming Xia ===
{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/e/ef/Yumingxia.png
| Yuming Xia(Bruce), employee of Cisco System Inc., focusing on application security, including penetration testing and security solution development.Before joining Cisco, Bruce was a network analyzer for China Telecom. And as a main author for book “Software Quality Management” (Tsinghua University Press, 2007), he has lots of experience in quality assurance and security processes. After one year of technical study in San Jose (CA, USA) , he is fully skilled on security issue detection and solution development, and now acting as security owner for several large projects.
|}

 

=== Noa Bar Yosef ===
{| class="FCK__ShowTableBorders" style="background-color: transparent;"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | https://www.owasp.org/images/8/81/NoaBarYosef.jpg
| Noa is a senior security strategist at Imperva. In this role Noa researches and analyzes the trends in the threat landscape. She is a frequent contributor to different security magazines, comments on security-breaking news, and is regularly invited to speak at industry events. Currently, Noa writes a bi-weekly column on hacker trends and techniques for SecurityWeek. Previously, she held the position of a senior security researcher for Imperva’s Application Defense Center. Noa holds a MSc degree (specializing in information security) from Tel-Aviv University.
|}

 

= CFP and CFT =

=== OWASP APPSEC ASIA 2011 ===

=== CALL FOR Presentation ===

OWASP AppSec Asia 2011 Conference will be a major international forum for the presentation of research results, cutting-edge ideas and in-depth discussions in the field of application security. OWASP AppSec Asia 2011 Conference invites application security researchers, thought leaders and developers worldwide to submit papers for the opportunity of presenting to 800+ expected participants.

The topics we are seeking include, but are not limited to:

#Web Application Security
#Mobile Application Security
#Cloud Application Security
#Software and Architecture Patterns for Application Security
#Metrics for Application Security
#OWASP Tools and Projects
#Secure Coding Practices (J2EE/.NET)
#Application Security Testing
#New Attacks and Defense
#Other subjects related to OWASP and Application Security

To make a submission:

#Download and fill out the form available at https://www.owasp.org/images/d/d3/OWASP_AppSec_Asia_2011_CFP_v2.zip
#Submit the form through the Easychair conference web site at http://www.easychair.org/conferences/?conf=GlobalAppSecAsia2011

Each talk should be limited to 40 minutes, followed by a 10 minute question session.

*Submission deadline: August 22, 2011.
*Notification of acceptance: September 9, 2011.
*Presentation slides due: October 21, 2011.

=== CALL FOR Training ===

OWASP AppSec Asia will begin with two days of training sessions on November 10th and 11th, 2011. Proposals are solicited for the training of either a one-day (6 hours plus breaks) or two-day sessions on all topics of application security with focus on secure application design and development, threat modeling and defense strategy, and secure application testing. Each training session should cover a single topic in detail in order to allow trainees to grasp practical understanding and basic skill in the subject. Submissions should include a cover sheet and an extended abstract. The cover sheet should specify:

#The title and length of the training;
#The intended audience and prerequisite knowledge or skills, if any;
#Complete contact information for the trainer; and
#Brief biography (max. 2 paragraphs) for the trainer. The extended abstract should be 1 to 2 pages, and should include an outline of the training plan, along with descriptions of the objectives and course materials.

Training proposals in PDF or Word format must be sent via email by August 22, 2011 to Jack Li (jack.li@owasp.org). The submissions will undergo review and trainings will be selected by the OWASP AppSec Asia 2011 Conference Committee. Notifications will be sent out by September 9, 2011.

 For more information, please see the following web pages:

Conference Website: https://www.owasp.org/index.php/OWASP_Global_AppSec_Asia_2011
OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement
OWASP Website: http://www.owasp.org
Easychair conference site: https://www.easychair.org/account/signin.cgi?conf=apac2011
Presentation proposal form: https://www.owasp.org/images/b/b6/OWASP_AppSec_Asia_2011_CFP.zip

 

= Agenda =
<center>
== '''November 8th''' ==

{| class="t FCK__ShowTableBorders" width="80%"
|-
| height="17" width="14%" align="right" | 08:00 – 09:00
| bgcolor="#8595c2" align="center" | '''Registration'''
|-
| height="49" width="14%" align="right" | 09:00 – 09:15
| bgcolor="#b9c2dc" align="center" | '''Rip, OWASP China (Language: Chinese)''' Opening Ceremony: Development of OWASP China
|-
| height="49" width="14%" align="right" | 09:15 – 09:30
| bgcolor="#eeeeee" align="center" | '''Sebastien Deleersnyder, OWASP Global Committee''' Opening Ceremony  '''(Language: English)'''
|-
| height="49" width="14%" align="right" | 09:30 – 09:50
| bgcolor="#b9c2dc" align="center" | '''Liping Ding  (Language: Chinese) ''' The Analysis of Hidden Communication Channels within Cloud Computing Environment
|-
| height="49" width="14%" align="right" | 09:50 – 10:30
| bgcolor="#eeeeee" align="center" | '''Manoranjan Paul  (Language: English)''' Silver Lining in Dark Clouds: A Look at Cloud Computing Security
|-
| height="49" width="14%" align="right" | 10:30 – 11:00
| bgcolor="#b9c2dc" align="center" | '''Frank Fan  (Language: Chinese)''' Current Web Security and its' Future
|-
| height="49" width="14%" align="right" | 11:00 – 11:30
| bgcolor="#eeeeee" align="center" | '''Jonathan Werrett  (Language: English)''' WAFs: Patch First, Ask Questions Later
|-
| height="49" width="14%" align="right" | 11:30 – 12:00
| bgcolor="#b9c2dc" align="center" | '''Hanqing Wu   (Language: Chinese)''' Flaws of Popular Application Applied Encryption Algorithms and the Corresponding Utilization"
|-
| height="17" width="14%" align="right" | 12:00 – 14:30
| bgcolor="#d98b66" align="center" | '''Lunch & Networking'''
|-
| height="49" width="14%" align="right" | 14:30 – 15:10
| bgcolor="#b9c2dc" align="center" | '''Cassio Goldschmidt'    (Language: English) '''The Fundamental Approaches and Tools to Achieve Secured Development Life Cycle
|-
| height="49" width="14%" align="right" | 15:10 – 15:40
| bgcolor="#eeeeee" align="center" | '''Yuming Xia   (Language: Chinese)''' Web2.0 Secure Coding Practice
|-
| height="49" width="14%" align="right" | 15:40 – 16:10
| bgcolor="#b9c2dc" align="center" | '''Marco M. Morana & Wei Zhang   (Language: Chinese)''' The Financial Industry Web Application Single Sign-On (SSO) Framework Design and Case Studies
|-
| height="49" width="14%" align="right" | 16:10 – 16:40
| bgcolor="#eeeeee" align="center" | '''Noa Bar Yosef    (Language: English)''' Hacking 2011：Lesson for 2012
|-
| height="49" width="14%" align="right" | 16:40 – 17:10
| bgcolor="#b9c2dc" align="center" | '''Sebastien Deleersnyder    (Language: English)''' OWASP WTE: testing your way
|-
| height="49" width="14%" align="right" | 17:10 – 18:00
| bgcolor="#eeeeee" align="center" | Exhibition of Internet Security Products
|}

== '''November 9th''' ==

{| class="t FCK__ShowTableBorders" width="80%"
|-
| height="17" width="14%" align="right" | 08:00 – 09:00
| bgcolor="#8595c2" align="center" | '''Registration'''
|-
| height="49" width="14%" align="right" | 09:00 – 09:30
| bgcolor="#b9c2dc" align="center" | '''Wenju Wang  (Language: Chinese)''' The XSS Detection and Defense Techniques and Case Studies
|-
| height="49" width="14%" align="right" | 09:30 – 10:00
| bgcolor="#eeeeee" align="center" | '''Larry Man  (Language: Chinese)''' Data Control: Improve Database Security through Vulnerability Management
|-
| height="49" width="14%" align="right" | 10:00 – 10:30
| bgcolor="#b9c2dc" align="center" | '''Daniel Ng  (Language: Chinese)''' Beefing up Cloud Application through Genetic Network Coding
|-
| height="49" width="14%" align="right" | 10:30 – 11:00
| bgcolor="#eeeeee" align="center" | '''Dr. Meng-Chow Kang  (Language: Chinese)''' Overview of ISO/IEC 27034 - the Application Security Standards
|-
| height="49" width="14%" align="right" | 11:00 – 11:30
| bgcolor="#b9c2dc" align="center" | '''Jianmeng Li (Language: Chinese)''' Secure C Function: The Lightweight Solution for Buffer Overflow
|-
| height="49" width="14%" align="right" | 11:30 – 12:00
| bgcolor="#eeeeee" align="center" | '''Langyu Hu (Language: Chinese)''' RFID Security
|-
| height="17" width="14%" align="right" | 12:00 – 14:30
| bgcolor="#d98b66" align="center" | '''Lunch & Networking'''
|-
| height="49" width="14%" align="right" | 14:30 – 15:00
| bgcolor="#b9c2dc" align="center" | '''Yongjian Guo (Language: Chinese)''' Information Security Forensics
|-
| height="49" width="14%" align="right" | 15:00 – 15:30
| bgcolor="#eeeeee" align="center" | '''Chenming Zhong (Language: Chinese)''' Overview of Website Security
|-
| height="49" width="14%" align="right" | 15:30 – 16:00
| bgcolor="#b9c2dc" align="center" | '''Tony (Language: Chinese)''' 2011 Application Security with 0-Day Vulnerability Analysis
|-
| height="49" width="14%" align="right" | 16:00 – 16:15
| bgcolor="#eeeeee" align="center" | Lucky Draw
|-
| height="49" width="14%" align="right" | 16:15 – 16:45
| bgcolor="#b9c2dc" align="center" | '''Yongbo Liu (Language: Chinese)''' The Challenges of China's Post Information Security Era
|-
| height="49" width="14%" align="right" | 16:45 – 17:15
| bgcolor="#eeeeee" align="center" | '''Dr. Jianchun Jiang (Language: Chinese) NSACE - The Network Security Capability Oriented Training and Certificates'''
|-
| height="49" width="14%" align="right" | 17:15 – 17:45
| bgcolor="#b9c2dc" align="center" | Future Plan of OWASP China and Release of WAF Testing Benchmark
|-
| height="17" width="14%" align="right" | 17:45 – 18:00
| bgcolor="#eeeeee" align="center" | '''Closing'''
|}

 

 

= Training =
<center></center>

== '''November 10th''' ==

{| width="80%" class="t FCK__ShowTableBorders"
|-
| width="14%" height="49" align="right" | 08:00 – 12:00
| align="CENTER" bgcolor="#8595c2" | '''Tobias Gondrom''' OWASP for CISO and senior managers
|-
| width="14%" height="49" align="right" | 14:00 – 18:00
| align="CENTER" bgcolor="#b9c2dc" | '''Wei Zhang''' Secured Framework Design for Online Banking System
|-
| width="14%" height="49" align="right" | 14:00 – 18:00
| align="CENTER" bgcolor="#8595c2" | '''Tony''' Application Security Training
|}

 

== '''November 11th''' ==

{| width="80%" class="t FCK__ShowTableBorders"
|-
| width="14%" height="49" align="right" | 08:00 – 12:00
| align="CENTER" bgcolor="#8595c2" | '''Wenjun Wang''' OWASP Top 10 and Countermeasures
|-
| width="14%" height="49" align="right" | 14:00 – 18:00
| align="CENTER" bgcolor="#b9c2dc" | '''Jianmeng Li''' Secure Way of Development - Resolving and Preventing Security Vulnerabilities from Origin
|}
</center>
= Sponsors =

=== Sponsor US! ===

We are still soliciting sponsors for the OWASP Global AppSec Asia 2011. An exhibit hall will be held for vendor booths and presentations.

More than 500 people attended the OWASP China conference last year. As a sponsor, you will gain exclusive access to companies in Asia through a limited number of expo floor slots.

New in 2011, we are offering exclusive Global AppSec Sponsorships to provide additional benefits and streamline the planning process for our most supportive organizations.

Please [mailto:heleng@owasp.org contact us] directly if you have any related question.

To find out more about the different sponsorship opportunities please check the document below: [https://www.owasp.org/images/2/24/OWASP_China2011_Sponsorship.pdf OWASP_China2011_Sponsorship.pdf]

 

'''Sponsors:'''

<iflanguage is="es">
Si usa materiales de OWASP, por favor considere ayudarnos a continuar nuestro trabajo.

* '''[[Membership|Membrecía]]''' - Detalles para [https://www.owasp.org/index.php/Membership/members individuos] y miembros corporativos.
* '''[[Member Offers|Ofertas para miembros]]''' - Descuentos y otros beneficios disponibles para los miembros de OWASP.
* Lo invitamos a participar en las traducción de el sitio vea el proyecto de [[OWASP_Spanish|OWASP en Español]].


</iflanguage>

'''Gold Sponsor:'''
{| class="FCK__ShowTableBorders" style="border: 1px solid rgb(204, 204, 204); width: 100%; background-color: rgb(255, 255, 255);"
|-
| style="text-align: center; color: rgb(0, 0, 0);" |
{{MemberLinks|link=http://www.huaweisymantec.com/cn/|logo=HS.jpg}} {{MemberLinks|link=http://www.yxlink.com/|logo=Yxlink.jpg}}
 
|}

'''Training Sponsor:'''
{| class="FCK__ShowTableBorders" style="border: 1px solid rgb(204, 204, 204); width: 100%; background-color: rgb(255, 255, 255);"
|-
| style="text-align: center; color: rgb(0, 0, 0);" |
{{MemberLinks|link=http://www.nsfocus.com/en/|logo=NSFOCUS.jpg}}
 
|}

'''Supported Organizations:'''
{| class="FCK__ShowTableBorders" style="border: 1px solid rgb(204, 204, 204); width: 100%; background-color: rgb(255, 255, 255);"
|-
| style="text-align: center; color: rgb(0, 0, 0);" |
{{MemberLinks|link=https://www.isc2.org/|logo=Isc2_logo.jpg}} {{MemberLinks|link=http://www.nsace.org.cn/|logo=NSACE.jpg}}
 
|}

'''Exhibitors:'''
{| class="FCK__ShowTableBorders" style="border: 1px solid rgb(204, 204, 204); width: 100%; background-color: rgb(255, 255, 255);"
|-
| style="text-align: center; color: rgb(0, 0, 0);" |
{{MemberLinks|link=http://english.venustech.com.cn|logo=Venustech.gif}} {{MemberLinks|link=http://www.dumasoftware.com/about.asp?ArticleID=190|logo=Dumalogo.jpg}} {{MemberLinks|link=http://www.szboweb.com/?site_language=english|logo=SZB Blogo 40.jpg}} 
{{MemberLinks|link=http://www.dbappsecurity.com.cn|logo=Dbappsecurity.jpg}} {{MemberLinks|link=http://www.ankki.com/|logo=Ankki.gif}} {{MemberLinks|link=https://www.trustwave.com/|logo=Trustwave-Logo-with-Tagline.jpg}} 
{{MemberLinks|link=http://www.mainway.net/|logo=Mainway.jpg}} {{MemberLinks|link=http://www.anchiva.com/|logo=Anchiva.png}} {{MemberLinks|link=http://www.legendsec.com/|logo=SECWORLD.gif‎‎}} {{MemberLinks|link=http://www.knownsec.com/en//|logo=Knownsec.gif‎}}
 
|}

'''Cooperators:'''
{| class="FCK__ShowTableBorders" style="border: 1px solid rgb(204, 204, 204); width: 100%; background-color: rgb(255, 255, 255);"
|-
| style="text-align: center; color: rgb(0, 0, 0);" |
{{MemberLinks|link=http://aiscanner.sinaapp.com/site/|logo=Aiscanner.png}} {{MemberLinks|link=http://www.broadview.com.cn/|logo=Broadview.jpg}}
|}
 

= Media Partners =

'''International Media:'''

<iflanguage is="es">
Si usa materiales de OWASP, por favor considere ayudarnos a continuar nuestro trabajo.

* '''[[Membership|Membrecía]]''' - Detalles para [https://www.owasp.org/index.php/Membership/members individuos] y miembros corporativos.
* '''[[Member Offers|Ofertas para miembros]]''' - Descuentos y otros beneficios disponibles para los miembros de OWASP.
* Lo invitamos a participar en las traducción de el sitio vea el proyecto de [[OWASP_Spanish|OWASP en Español]].


</iflanguage>

{| class="FCK__ShowTableBorders" style="border: 1px solid rgb(204, 204, 204); width: 100%; background-color: rgb(255, 255, 255);"
|-
| style="text-align: center; color: rgb(0, 0, 0);" |
{{MemberLinks|link=https://www.isc2.org/|logo=Isc2 logo.jpg}} {{MemberLinks|link=http://fanaticmedia.com/infosecurity/|logo=InfoSecurity logo.jpg}} {{MemberLinks|link=http://www.fanaticmedia.com/|logo=Fanatic Media Logo.jpg}} {{MemberLinks|link=http://chmag.in/|logo=Chmag.in.png}} 

 

|}

 '''Chinese Media:'''

<iflanguage is="es">
Si usa materiales de OWASP, por favor considere ayudarnos a continuar nuestro trabajo.

* '''[[Membership|Membrecía]]''' - Detalles para [https://www.owasp.org/index.php/Membership/members individuos] y miembros corporativos.
* '''[[Member Offers|Ofertas para miembros]]''' - Descuentos y otros beneficios disponibles para los miembros de OWASP.
* Lo invitamos a participar en las traducción de el sitio vea el proyecto de [[OWASP_Spanish|OWASP en Español]].


</iflanguage>

{| class="FCK__ShowTableBorders" style="border: 1px solid rgb(204, 204, 204); width: 100%; background-color: rgb(255, 255, 255);"
|-
| style="text-align: center; color: rgb(0, 0, 0);" |
{{MemberLinks|link=http://www.51cto.com//|logo=51CTO.jpg}} {{MemberLinks|link=http://www.it168.com/|logo=IT168.JPG}} {{MemberLinks|link=http://www.hackerxfiles.net/forum.php/|logo=Hackfiles.png}} {{MemberLinks|link=http://www.chinabyte.com//|logo=Byte.jpg}} {{MemberLinks|link=http://www.ciotimes.com//|logo=CIOlogo.jpg}}{{MemberLinks|link=http://www.csdn.net//|logo=CSDN.jpg}}{{MemberLinks|link=http://www.searchsecurity.com.cn/|logo=TT-China.gif}}{{MemberLinks|link=http://www.itxinwen.com/|logo=IT55464e1a65b095fb7f51.gif}} {{MemberLinks|link=http://www.techweb.com.cn/|logo=TechWeblogo.jpg}}{{MemberLinks|link=http://www.ittime.com.cn/|logo=IT65f64ee35468520a-60.gif}}{{MemberLinks|link=http://www.zdnet.com.cn/|logo=Zdnet.gif‎}}{{MemberLinks|link=http://www.ittime.com.cn/|logo=Xinxianquanyujishu.jpg}} 

 

|}

= Team =

*[mailto:heleng@owasp.org Contact us]

=== Members (in alphabetical order) ===

*[mailto:frank.fan@dbappsecurity.com.cn Frank Fan 范渊]
*[mailto:heleng@owasp.org Helen Gao 高雯]
*[mailto:nsace2009@gmail.com Jianchun Jiang 蒋建春]
*[mailto:helen.gao@owasp.org Jack Li 李江宏]
*[mailto:rip@owasp.org.cn Rip Torn 万振華]
*[mailto:wangjie8578@yahoo.com.cn Jie Wang 王颉]
*[mailto:ivy@owasp.org.cn Ivy Zhang 张平]
*[mailto:zhendong.yu@owasp.org Zhendong Yu 于振东]

= Expense =

=== Registration Fee ===

The registration is fee for OWASP members. To become a member, just click [https://www.owasp.org/index.php/Membership here]. If you are located in the Asia Pacific region, then you may qualify for a reduced membership fee. Please contact your [https://www.owasp.org/index.php/Category:OWASP_Chapter local chapters] for details.

=== Accommodation ===

Please check the local hotel website for detail information.

= Logistics =

=== Venue ===

Beijing International Convention Center

No 8 Beichen Dong Road Chaoyang District, Beijing China 100101

Tel: +86-10-84979768

website: http://www.bicc.com.cn

=== Hotel ===

Attendees can enjoy preferred rates in following hotels. Please send email to [mailto:Ivy@owasp.org.cn Ivy] before Sep 30th, 2011 and reservation is subject to our confirmation. Hotels will not reserve rooms with preferential prices for us.

1. [http://www.bicc.com.cn/English/jiudian/index.asp Beijing North Star Continental Grand Hotel]

Add:No.8 Beichen Dong Road, Chaoyang District, Beijing P. R. China 100101

Price for advanced Rooms: RMB 620/day (include Chinese-style breakfast)(Four star)

2. Aoyou Hotel
Address: No. 8 North Star East Road, Chaoyang District, Beijing
( 10 minutes walk to conference center)
single room: RMB 240(including Breakfast),
Double room: RMB 320(including breakfast).

=== Travel ===

How to obtain a visa for the event

*Invitation letter will be sent out for overseas attendees after registration.
*For detailed information on obtaining a business visa for this event, please refer to [http://www.china-embassy.org/eng/hzqz/zgqz/t84247.htm Chinese embassy]

= Chapter Leader Workshop =

'''[https://docs.google.com/a/owasp.org/document/d/1z_3ehI9T_lIeMmkeUo9QL9mbjh8ygSKquVlBaJY7ed4/edit Meeting Minutes from Chapters Workshop]'''

'''[https://plus.google.com/photos/100460852248386556939/albums/5676383343638946545 Photos of Chapters Workshop]'''

== '''What is the Chapter Leader Workshop?''' ==

On '''Wednesday, November 9, 2011 at 2:30pm-5:30pm''' the Global Chapter Committee is organizing a chapter leader workshop for all the chapter leaders that attend the conference. ''Please note that this Workshop will take place on the day before the Conference starts.''

 '''Items that will be discussed are:'''

*How to improve the current Chapter Leader Handbook?
*How to start and support new chapters within the Asia/Pacific region?
*How to support inactive chapters in the Asia/Pacific region?
*What Governance model is required for OWASP chapters?
*How can the Global Chapters Committee facilitate the Asian OWASP chapters?
*...

 Additionally we hope to make time and space available to do hands-on work revising the [[Chapter Leader Handbook]], details TBA.

 

== '''Funding to Attend the Workshop''' ==

If you need financial assistance to attend the Chapter Leader Workshop at AppSec Asia, please submit a request to [mailto:tin.zaw@owasp.org Tin Zaw] and [mailto:sarah.baso@owasp.org Sarah Baso] by '''September 15, 2011'''.

 Funding for your attendance to the workshop should be worked out in the following order.

#Ask your employer to fund your trip to AppSec Asia conference.
#Utilize your chapter funds.
#Ask the chapter committee for funding assistance.

 While we wish we could fund every chapter leader, due to the limited amount of budget allocated for this event, we may not be able to fund 100% to all the requests. After September 15, we will make funding decision in a fair and transparent manner. When you apply for funding, please highlight your past contributions to OWASP and your future plans for the local chapter and OWASP.

 

== '''RSVP and Details''' ==

To RSVP and view more details about the Workshop, go to the '''[[OWASP Global AppSec Asia 2011 chapters workshop agenda]]'''.

 

== '''Contact''' ==

Email [mailto:sarah.baso@owasp.org Sarah Baso] or [mailto:tin.zaw@owasp.org Tin Zaw] for more details.

 

<headertabs />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_Asia_Summit_2011]] [[Category:China]]