https://wiki.owasp.org/api.php?action=feedcontributions&user=Timo+Pagel&feedformat=atomOWASP - User contributions [en]2024-03-19T03:45:38ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_DevSecOps_Maturity_Model&diff=251391OWASP DevSecOps Maturity Model2019-05-11T05:21:37Z<p>Timo Pagel: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Description==<br />
From a startup to a multinational corporation the software development industry is currently dominated by agile frameworks and product teams and as part of it DevOps strategies. It has been observed that during the implementation, security aspects are usually neglected or are at least not sufficient taken account of. It is often the case that standard safety requirements of the production environment are not utilized or applied to the build pipeline in the continuous integration environment with containerization or concrete docker. Therefore, the docker registry is often not secured which might result in the theft of the entire company’s source code.<br />
<br />
The DevSecOps Maturity Model, which is presented in the talk, shows security measures which are applied when using DevOps strategies and how these can be prioritized. <br />
<br />
With the help of DevOps strategies security can also be enhanced. For example, each component such as application libraries and operating system libraries in docker images can be tested for known vulnerabilities. <br />
<br />
Attackers are intelligent and creative, equipped with new technologies and purpose. Under the guidance of the forward-looking DevSecOps Maturity Model, appropriate principles and measures are at hand implemented which counteract the attacks.<br />
==Licensing==<br />
The projects code is licensed under GNU GENERAL PUBLIC LICENSE Version 3. The intellectual property is licensed under Attribution-ShareAlike.<br />
<br />
==Roadmap==<br />
Get more visibility.<br />
<br />
Add mapping to OWASP SAMM as soon as a stable version 2 is out.<br />
==Getting Involved==<br />
In case you have ideas for improvements for the application, please create a pull request.<br />
<br />
In case you have ideas to adjust the model, please create a pull request with appropriate description. In a maturity model, a first check of the new/changed activities against the ease of implementation and the value in the same sub dimension should be performed. Afterwards, the ease of implementation and the value needs to be compared against activities in the same dimension and other dimension. A documentation of the comparison in the pull request needs to be added.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
[https://dsomm.timo-pagel.de View the model]<br />
<br />
[https://github.com/wurstbrot/DevSecOps-MaturityModel Github]<br />
<br />
[https://docs.google.com/presentation/d/1rrbyXqxy3LXAJNPFrVH99mj_BNaJKymMsXZItYArWEM/edit?usp=sharing DevSecOps Maturity Model]<br />
<br />
[https://docs.google.com/presentation/d/1dAewXIHgBEKHKwBPpM5N_G2eM6PRpduoGJrp6R6pNUI/edit?usp=sharing Continuous Application Security Testing for Enterprise (with DevSecOps Maturity Model)]<br />
<br />
<br />
== Project Leader ==<br />
[mailto://timo.pagel@owasp.org Timo Pagel]<br />
<br />
== Related Projects ==<br />
* OWASP SAMM<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_DevSecOps_Maturity_Model&diff=251390OWASP DevSecOps Maturity Model2019-05-11T05:20:16Z<p>Timo Pagel: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==Project About==<br />
{{:Template:Project About<br />
|project_name=DevSecOps Maturity Model<br />
|leader_name1=Timo Pagel<br />
|leader_email1=timo.pagel@owasp.org<br />
}}<br />
==Description==<br />
From a startup to a multinational corporation the software development industry is currently dominated by agile frameworks and product teams and as part of it DevOps strategies. It has been observed that during the implementation, security aspects are usually neglected or are at least not sufficient taken account of. It is often the case that standard safety requirements of the production environment are not utilized or applied to the build pipeline in the continuous integration environment with containerization or concrete docker. Therefore, the docker registry is often not secured which might result in the theft of the entire company’s source code.<br />
<br />
The DevSecOps Maturity Model, which is presented in the talk, shows security measures which are applied when using DevOps strategies and how these can be prioritized. <br />
<br />
With the help of DevOps strategies security can also be enhanced. For example, each component such as application libraries and operating system libraries in docker images can be tested for known vulnerabilities. <br />
<br />
Attackers are intelligent and creative, equipped with new technologies and purpose. Under the guidance of the forward-looking DevSecOps Maturity Model, appropriate principles and measures are at hand implemented which counteract the attacks.<br />
==Licensing==<br />
The projects code is licensed under GNU GENERAL PUBLIC LICENSE Version 3. The intellectual property is licensed under Attribution-ShareAlike.<br />
<br />
==Roadmap==<br />
Get more visibility.<br />
<br />
Add mapping to OWASP SAMM as soon as a stable version 2 is out.<br />
==Getting Involved==<br />
In case you have ideas for improvements for the application, please create a pull request.<br />
<br />
In case you have ideas to adjust the model, please create a pull request with appropriate description. In a maturity model, a first check of the new/changed activities against the ease of implementation and the value in the same sub dimension should be performed. Afterwards, the ease of implementation and the value needs to be compared against activities in the same dimension and other dimension. A documentation of the comparison in the pull request needs to be added.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
[https://dsomm.timo-pagel.de View the model]<br />
<br />
[https://github.com/wurstbrot/DevSecOps-MaturityModel Github]<br />
<br />
[https://docs.google.com/presentation/d/1rrbyXqxy3LXAJNPFrVH99mj_BNaJKymMsXZItYArWEM/edit?usp=sharing DevSecOps Maturity Model]<br />
<br />
[https://docs.google.com/presentation/d/1dAewXIHgBEKHKwBPpM5N_G2eM6PRpduoGJrp6R6pNUI/edit?usp=sharing Continuous Application Security Testing for Enterprise (with DevSecOps Maturity Model)]<br />
<br />
<br />
== Project Leader ==<br />
[mailto://timo.pagel@owasp.org Timo Pagel]<br />
<br />
== Related Projects ==<br />
* OWASP SAMM<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_DevSecOps_Maturity_Model&diff=251212OWASP DevSecOps Maturity Model2019-05-08T05:54:22Z<p>Timo Pagel: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
==Project About==<br />
<span style="color:#ff0000"><br />
{{:Template:Project About<br />
|project_name=DevSecOps Maturity Model<br />
|leader_name1=Timo Pagel<br />
|leader_email1=timo.pagel@owasp.org<br />
}}<br />
==Description==<br />
From a startup to a multinational corporation the software development industry is currently dominated by agile frameworks and product teams and as part of it DevOps strategies. It has been observed that during the implementation, security aspects are usually neglected or are at least not sufficient taken account of. It is often the case that standard safety requirements of the production environment are not utilized or applied to the build pipeline in the continuous integration environment with containerization or concrete docker. Therefore, the docker registry is often not secured which might result in the theft of the entire company’s source code.<br />
<br />
The DevSecOps Maturity Model, which is presented in the talk, shows security measures which are applied when using DevOps strategies and how these can be prioritized. <br />
<br />
With the help of DevOps strategies security can also be enhanced. For example, each component such as application libraries and operating system libraries in docker images can be tested for known vulnerabilities. <br />
<br />
Attackers are intelligent and creative, equipped with new technologies and purpose. Under the guidance of the forward-looking DevSecOps Maturity Model, appropriate principles and measures are at hand implemented which counteract the attacks.<span style="color:#ff0000"><br />
<br />
==Licensing==<br />
The projects code is licensed under GNU GENERAL PUBLIC LICENSE Version 3. The intellectual property is licensed under Attribution-ShareAlike.<br />
<br />
<span style="color:#ff0000"><br />
<br />
==Roadmap==<br />
Get more visibility.<span style="color:#ff0000"><br />
<br />
Add mapping to OWASP SAMM as soon as a stable version 2 is out.<br />
==Getting Involved==<br />
In case you have ideas for improvements for the application, please create a pull request.<br />
<br />
In case you have ideas to adjust the model, please create a pull request with appropriate description. In a maturity model, a first check of the new/changed activities against the ease of implementation and the value in the same sub dimension should be performed. Afterwards, the ease of implementation and the value needs to be compared against activities in the same dimension and other dimension. A documentation of the comparison in the pull request needs to be added.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
<span style="color:#ff0000"><br />
This is where you can link to the key locations for project files, including setup programs, the source code repository, online documentation, a Wiki Home Page, threaded discussions about the project, and Issue Tracking system, etc. <br />
</span><br />
<br />
[https://github.com/SamanthaGroves Installation Package]<br />
<br />
[https://github.com/SamanthaGroves Source Code]<br />
<br />
[https://github.com/SamanthaGroves What's New (Revision History)]<br />
<br />
[https://github.com/SamanthaGroves Documentation]<br />
<br />
[https://github.com/SamanthaGroves Wiki Home Page]<br />
<br />
[https://github.com/SamanthaGroves Issue Tracker]<br />
<br />
[https://github.com/SamanthaGroves Slide Presentation]<br />
<br />
[https://github.com/SamanthaGroves Video]<br />
<br />
== Project Leader ==<br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
[mailto://timo.pagel@owasp.org Timo Pagel]<br />
<br />
== Related Projects ==<br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
* [[OWASP_Code_Project_Template]]<br />
* [[OWASP_Tool_Project_Template]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_DevSecOps_Maturity_Model&diff=251211OWASP DevSecOps Maturity Model2019-05-08T05:51:50Z<p>Timo Pagel: change desc.</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
==Project About==<br />
<span style="color:#ff0000"><br />
{{:Template:Project About<br />
|project_name=DevSecOps Maturity Model<br />
|leader_name1=Timo Pagel<br />
|leader_email1=timo.pagel@owasp.org<br />
}}<br />
==Description==<br />
From a startup to a multinational corporation the software development industry is currently dominated by agile frameworks and product teams and as part of it DevOps strategies. It has been observed that during the implementation, security aspects are usually neglected or are at least not sufficient taken account of. It is often the case that standard safety requirements of the production environment are not utilized or applied to the build pipeline in the continuous integration environment with containerization or concrete docker. Therefore, the docker registry is often not secured which might result in the theft of the entire company’s source code.<br />
<br />
The DevSecOps Maturity Model, which is presented in the talk, shows security measures which are applied when using DevOps strategies and how these can be prioritized. <br />
<br />
With the help of DevOps strategies security can also be enhanced. For example, each component such as application libraries and operating system libraries in docker images can be tested for known vulnerabilities. <br />
<br />
Attackers are intelligent and creative, equipped with new technologies and purpose. Under the guidance of the forward-looking DevSecOps Maturity Model, appropriate principles and measures are at hand implemented which counteract the attacks.<span style="color:#ff0000"><br />
<br />
==Licensing==<br />
The projects code is licensed under GNU GENERAL PUBLIC LICENSE Version 3. The intellectual property is licensed under Attribution-ShareAlike.<br />
<br />
<span style="color:#ff0000"><br />
<br />
==Roadmap==<br />
Get more visibility.<span style="color:#ff0000"><br />
==Getting Involved==<br />
In case you have ideas for improvements for the application, please create a pull request.<br />
<br />
In case you have ideas to adjust the model, please create a pull request with appropriate description. In a maturity model, a first check of the new/changed activities against the ease of implementation and the value in the same sub dimension should be performed. Afterwards, the ease of implementation and the value needs to be compared against activities in the same dimension and other dimension. A documentation of the comparison in the pull request needs to be added.<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
<span style="color:#ff0000"><br />
This is where you can link to the key locations for project files, including setup programs, the source code repository, online documentation, a Wiki Home Page, threaded discussions about the project, and Issue Tracking system, etc. <br />
</span><br />
<br />
[https://github.com/SamanthaGroves Installation Package]<br />
<br />
[https://github.com/SamanthaGroves Source Code]<br />
<br />
[https://github.com/SamanthaGroves What's New (Revision History)]<br />
<br />
[https://github.com/SamanthaGroves Documentation]<br />
<br />
[https://github.com/SamanthaGroves Wiki Home Page]<br />
<br />
[https://github.com/SamanthaGroves Issue Tracker]<br />
<br />
[https://github.com/SamanthaGroves Slide Presentation]<br />
<br />
[https://github.com/SamanthaGroves Video]<br />
<br />
== Project Leader ==<br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
[mailto://timo.pagel@owasp.org Timo Pagel]<br />
<br />
== Related Projects ==<br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
* [[OWASP_Code_Project_Template]]<br />
* [[OWASP_Tool_Project_Template]]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Document]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
| colspan="2" align="center" | [[Image:Creative%20Commons.png| 90px | link=https://creativecommons.org/licenses/by-sa/3.0/| Creative Commons Attribution ShareAlike 3.0 License]]<br />
|}<br />
|}<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Security_Pins_Project&diff=244245OWASP Security Pins Project2018-10-15T14:28:44Z<p>Timo Pagel: Timo Pagel moved page OWASP Security Buttons Project to OWASP Security Pins Project: Most people understand a web button by saying button, so Pin is better</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The OWASP Security Principles==<br />
<br />
Oftentimes motivating security champions is a challenge. Most of the time, they're not willing to dedicate the time and effort to the invisible part of security. The product owners themselves focus on pushing the developement of features therefore the nessecity of security is often neglected or almost completely overlooked.[[File:Broken authentification.png|thumb]]That is why there is a need to visualize the investment in security, made by a champion or an entire team. One solution would be to give out corresponding buttons for every security event the champions attend. Those events could be something along the lines of a threat modeling session with OWASP Cornucopia or any other relevant topics.<br />
<br />
The buttons can be seen as a reward given to the representatives of each team, showcased in the team rooms. Preferably on a white hat or a sash. This concept could also be implemented with stickers. As an alternative to reward the attendency of a meeting, the actual implementation (e.g. using of a hardened image) might be rewarded.<br />
<br />
Benefits:<br />
* A teams effort in security is visible and therefore measureable<br />
* teams are able to compare each others achievements, especially with different skill levels (e.g. XSS Basics and XSS Advanced events)<br />
* Security Champions are able to get some kind of certification<br />
* This project could help engange others in the topic of security<br />
<br />
==Licensing==<br />
<br />
This project is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit <nowiki>http://creativecommons.org/licenses/by/4.0/</nowiki> or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
https://github.com/wurstbrot/security-buttons<br />
<br />
== Project Leader ==<br />
Timo Pagel<br />
<br />
== Classifications ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<br />
==How can I participate in your project?==<br />
Create buttons. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Create buttons. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/wurstbrot/security-buttons/graphs/contributors contributors is found here].<br />
<br />
The first contributors to the project were:<br />
<br />
* Katharina Treptow__NOTOC__<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Security_Buttons_Project&diff=244246OWASP Security Buttons Project2018-10-15T14:28:44Z<p>Timo Pagel: Timo Pagel moved page OWASP Security Buttons Project to OWASP Security Pins Project: Most people understand a web button by saying button, so Pin is better</p>
<hr />
<div>#REDIRECT [[OWASP Security Pins Project]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Security_Pins_Project&diff=239425OWASP Security Pins Project2018-04-05T19:01:25Z<p>Timo Pagel: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The OWASP Security Principles==<br />
<br />
Oftentimes motivating security champions is a challenge. Most of the time, they're not willing to dedicate the time and effort to the invisible part of security. The product owners themselves focus on pushing the developement of features therefore the nessecity of security is often neglected or almost completely overlooked.[[File:Broken authentification.png|thumb]]That is why there is a need to visualize the investment in security, made by a champion or an entire team. One solution would be to give out corresponding buttons for every security event the champions attend. Those events could be something along the lines of a threat modeling session with OWASP Cornucopia or any other relevant topics.<br />
<br />
The buttons can be seen as a reward given to the representatives of each team, showcased in the team rooms. Preferably on a white hat or a sash. This concept could also be implemented with stickers. As an alternative to reward the attendency of a meeting, the actual implementation (e.g. using of a hardened image) might be rewarded.<br />
<br />
Benefits:<br />
* A teams effort in security is visible and therefore measureable<br />
* teams are able to compare each others achievements, especially with different skill levels (e.g. XSS Basics and XSS Advanced events)<br />
* Security Champions are able to get some kind of certification<br />
* This project could help engange others in the topic of security<br />
<br />
==Licensing==<br />
<br />
This project is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit <nowiki>http://creativecommons.org/licenses/by/4.0/</nowiki> or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
https://github.com/wurstbrot/security-buttons<br />
<br />
== Project Leader ==<br />
Timo Pagel<br />
<br />
== Classifications ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<br />
==How can I participate in your project?==<br />
Create buttons. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Create buttons. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/wurstbrot/security-buttons/graphs/contributors contributors is found here].<br />
<br />
The first contributors to the project were:<br />
<br />
* Katharina Treptow__NOTOC__<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=File:Broken_authentification.png&diff=239424File:Broken authentification.png2018-04-05T19:01:03Z<p>Timo Pagel: </p>
<hr />
<div>Borken Authentication Button</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Security_Pins_Project&diff=239423OWASP Security Pins Project2018-04-05T18:55:24Z<p>Timo Pagel: /* Quick Download */</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The OWASP Security Principles==<br />
<br />
Oftentimes motivating security champions is a challenge. Most of the time, they're not willing to dedicate the time and effort to the invisible part of security. The product owners themselves focus on pushing the developement of features therefore the nessecity of security is often neglected or almost completely overlooked.<br />
<br />
That is why there is a need to visualize the investment in security, made by a champion or an entire team. One solution would be to give out corresponding buttons for every security event the champions attend. Those events could be something along the lines of a threat modeling session with OWASP Cornucopia or any other relevant topics.<br />
<br />
The buttons can be seen as a reward given to the representatives of each team, showcased in the team rooms. Preferably on a white hat or a sash. This concept could also be implemented with stickers. As an alternative to reward the attendency of a meeting, the actual implementation (e.g. using of a hardened image) might be rewarded.<br />
<br />
Benefits:<br />
* A teams effort in security is visible and therefore measureable<br />
* teams are able to compare each others achievements, especially with different skill levels (e.g. XSS Basics and XSS Advanced events)<br />
* Security Champions are able to get some kind of certification<br />
* This project could help engange others in the topic of security<br />
<br />
==Licensing==<br />
<br />
This project is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit <nowiki>http://creativecommons.org/licenses/by/4.0/</nowiki> or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
https://github.com/wurstbrot/security-buttons<br />
<br />
== Project Leader ==<br />
Timo Pagel<br />
<br />
== Classifications ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<br />
==How can I participate in your project?==<br />
Create buttons. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Create buttons. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/wurstbrot/security-buttons/graphs/contributors contributors is found here].<br />
<br />
The first contributors to the project were:<br />
<br />
* Katharina Treptow__NOTOC__<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Security_Pins_Project&diff=239422OWASP Security Pins Project2018-04-05T18:54:48Z<p>Timo Pagel: /* If I am not a programmer can I participate in your project? */</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The OWASP Security Principles==<br />
<br />
Oftentimes motivating security champions is a challenge. Most of the time, they're not willing to dedicate the time and effort to the invisible part of security. The product owners themselves focus on pushing the developement of features therefore the nessecity of security is often neglected or almost completely overlooked.<br />
<br />
That is why there is a need to visualize the investment in security, made by a champion or an entire team. One solution would be to give out corresponding buttons for every security event the champions attend. Those events could be something along the lines of a threat modeling session with OWASP Cornucopia or any other relevant topics.<br />
<br />
The buttons can be seen as a reward given to the representatives of each team, showcased in the team rooms. Preferably on a white hat or a sash. This concept could also be implemented with stickers. As an alternative to reward the attendency of a meeting, the actual implementation (e.g. using of a hardened image) might be rewarded.<br />
<br />
Benefits:<br />
* A teams effort in security is visible and therefore measureable<br />
* teams are able to compare each others achievements, especially with different skill levels (e.g. XSS Basics and XSS Advanced events)<br />
* Security Champions are able to get some kind of certification<br />
* This project could help engange others in the topic of security<br />
<br />
==Licensing==<br />
<br />
This project is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit <nowiki>http://creativecommons.org/licenses/by/4.0/</nowiki> or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->A preview can be found here: <nowiki>https://nextcloud.fhunii.com/s/WYfC43RDE8KZXQK</nowiki><br />
<br />
Please not that they are using not allowed logo combinations and non open source fonts at the moment.<br />
<br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== Project Leader ==<br />
Timo Pagel<br />
<br />
== Classifications ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<br />
==How can I participate in your project?==<br />
Create buttons. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Create buttons. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/wurstbrot/security-buttons/graphs/contributors contributors is found here].<br />
<br />
The first contributors to the project were:<br />
<br />
* Katharina Treptow__NOTOC__<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Security_Pins_Project&diff=239421OWASP Security Pins Project2018-04-05T18:52:56Z<p>Timo Pagel: /* What is OWASP Security Principles Project? */</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The OWASP Security Principles==<br />
<br />
Oftentimes motivating security champions is a challenge. Most of the time, they're not willing to dedicate the time and effort to the invisible part of security. The product owners themselves focus on pushing the developement of features therefore the nessecity of security is often neglected or almost completely overlooked.<br />
<br />
That is why there is a need to visualize the investment in security, made by a champion or an entire team. One solution would be to give out corresponding buttons for every security event the champions attend. Those events could be something along the lines of a threat modeling session with OWASP Cornucopia or any other relevant topics.<br />
<br />
The buttons can be seen as a reward given to the representatives of each team, showcased in the team rooms. Preferably on a white hat or a sash. This concept could also be implemented with stickers. As an alternative to reward the attendency of a meeting, the actual implementation (e.g. using of a hardened image) might be rewarded.<br />
<br />
Benefits:<br />
* A teams effort in security is visible and therefore measureable<br />
* teams are able to compare each others achievements, especially with different skill levels (e.g. XSS Basics and XSS Advanced events)<br />
* Security Champions are able to get some kind of certification<br />
* This project could help engange others in the topic of security<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
This project is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit <nowiki>http://creativecommons.org/licenses/by/4.0/</nowiki> or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->A preview can be found here: <nowiki>https://nextcloud.fhunii.com/s/WYfC43RDE8KZXQK</nowiki><br />
<br />
Please not that they are using not allowed logo combinations and non open source fonts at the moment.<br />
<br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== Project Leader ==<br />
Timo Pagel<br />
<br />
== Classifications ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<br />
==How can I participate in your project?==<br />
Create buttons. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Create buttons. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/wurstbrot/security-buttons/graphs/contributors contributors is found here].<br />
<br />
The first contributors to the project were:<br />
<br />
* Katharina Treptow<br />
<br />
= Road Map and Getting Involved =<br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. <br />
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project<br />
</span><br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Security_Pins_Project&diff=239420OWASP Security Pins Project2018-04-05T18:49:02Z<p>Timo Pagel: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The OWASP Security Principles==<br />
<br />
Oftentimes motivating security champions is a challenge. Most of the time, they're not willing to dedicate the time and effort to the invisible part of security. The product owners themselves focus on pushing the developement of features therefore the nessecity of security is often neglected or almost completely overlooked.<br />
<br />
That is why there is a need to visualize the investment in security, made by a champion or an entire team. One solution would be to give out corresponding buttons for every security event the champions attend. Those events could be something along the lines of a threat modeling session with OWASP Cornucopia or any other relevant topics.<br />
<br />
The buttons can be seen as a reward given to the representatives of each team, showcased in the team rooms. Preferably on a white hat or a sash. This concept could also be implemented with stickers. As an alternative to reward the attendency of a meeting, the actual implementation (e.g. using of a hardened image) might be rewarded.<br />
<br />
Benefits:<br />
* A teams effort in security is visible and therefore measureable<br />
* teams are able to compare each others achievements, especially with different skill levels (e.g. XSS Basics and XSS Advanced events)<br />
* Security Champions are able to get some kind of certification<br />
* This project could help engange others in the topic of security<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
This project is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit <nowiki>http://creativecommons.org/licenses/by/4.0/</nowiki> or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->A preview can be found here: <nowiki>https://nextcloud.fhunii.com/s/WYfC43RDE8KZXQK</nowiki><br />
<br />
Please not that they are using not allowed logo combinations and non open source fonts at the moment.<br />
<br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves]<br />
* [https://github.com/sublimino Andrew Martin]<br />
* [https://github.com/Lambdanaut Josh Thomas]<br />
* '''YOUR NAME BELONGS HERE'''<br />
<br />
= Road Map and Getting Involved =<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.<br />
</span> <br />
<br />
<span style="color:#ff0000"><br />
Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. <br />
</span><br />
<br />
Design of more buttons<br />
<br />
Please provide more detail and timeline of deliverables you would like to meet.<br />
<br />
As of October 2013, the priorities are:<br />
* Finish the referencing for each principle.<br />
* Update the Project Template.<br />
* Use the OWASP Press to develop a book.<br />
* Finish and publish the book on Lulu.<br />
<br />
Involvement in the development and promotion of the OWASP Security Principles Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some of the principles.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing support for the book. <br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. <br />
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project<br />
</span><br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Security_Pins_Project&diff=239419OWASP Security Pins Project2018-04-05T18:48:24Z<p>Timo Pagel: /* The OWASP Security Principles */</p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
<br />
==The OWASP Security Principles==<br />
<br />
Oftentimes motivating security champions is a challenge. Most of the time, they're not willing to dedicate the time and effort to the invisible part of security. The product owners themselves focus on pushing the developement of features therefore the nessecity of security is often neglected or almost completely overlooked.<br />
<br />
That is why there is a need to visualize the investment in security, made by a champion or an entire team. One solution would be to give out corresponding buttons for every security event the champions attend. Those events could be something along the lines of a threat modeling session with OWASP Cornucopia or any other relevant topics.<br />
<br />
The buttons can be seen as a reward given to the representatives of each team, showcased in the team rooms. Preferably on a white hat or a sash. This concept could also be implemented with stickers. As an alternative to reward the attendency of a meeting, the actual implementation (e.g. using of a hardened image) might be rewarded.<br />
<br />
Benefits:<br />
* A teams effort in security is visible and therefore measureable<br />
* teams are able to compare each others achievements, especially with different skill levels (e.g. XSS Basics and XSS Advanced events)<br />
* Security Champions are able to get some kind of certification<br />
* This project could help engange others in the topic of security<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
This project is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit <nowiki>http://creativecommons.org/licenses/by/4.0/</nowiki> or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->A preview can be found here: <nowiki>https://nextcloud.fhunii.com/s/WYfC43RDE8KZXQK</nowiki><br />
<br />
Please not that they are using not allowed logo combinations and non open source fonts at the moment.<br />
<br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves]<br />
* [https://github.com/sublimino Andrew Martin]<br />
* [https://github.com/Lambdanaut Josh Thomas]<br />
* '''YOUR NAME BELONGS HERE'''<br />
<br />
= Road Map and Getting Involved =<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.<br />
</span> <br />
<br />
<span style="color:#ff0000"><br />
Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. <br />
</span><br />
<br />
Design of more buttons<br />
<br />
Please provide more detail and timeline of deliverables you would like to meet.<br />
<br />
As of October 2013, the priorities are:<br />
* Finish the referencing for each principle.<br />
* Update the Project Template.<br />
* Use the OWASP Press to develop a book.<br />
* Finish and publish the book on Lulu.<br />
<br />
Involvement in the development and promotion of the OWASP Security Principles Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some of the principles.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing support for the book. <br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. <br />
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project<br />
</span><br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Security_Pins_Project&diff=239418OWASP Security Pins Project2018-04-05T18:46:34Z<p>Timo Pagel: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><span style="color:#ff0000"><br />
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.<br />
</span><br />
<br />
==The OWASP Security Principles==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you need to add your more robust project description. A project description should outline the purpose of the project, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, and project leaders should ensure that the description is meaningful.<br />
</span><br />
<br />
Oftentimes motivating security champions is a challenge. Most of the time, they're not willing<br />
<br />
to dedicate the time and effort to the invisible part of security. The product owners themselves focus on pushing<br />
<br />
the developement of features therefore the nessecity of security is often neglected or almost completely overlooked.<br />
<br />
That is why there is a need to visualize the investment in security, made by a champion or an entire team.<br />
<br />
One solution would be to give out corresponding buttons for every security event the champions attend.<br />
<br />
Those events could be something along the lines of a threat modeling session with OWASP Cornucopia or any other<br />
<br />
relevant topics.<br />
<br />
The buttons can be seen as a reward given to the representatives of each team, showcased in the team rooms.<br />
<br />
Preferably on a white hat or a sash. This concept could also be implemented with stickers.<br />
<br />
Benefits:<br />
<br />
- A teams effort in security is visible and therefore measureable<br />
<br />
- teams are able to compare each others achievements, especially with different skill levels (e.g. XSS Basics and XSS Advanced events)<br />
<br />
- Security Champions are able to get some kind of certification<br />
<br />
- This project could help engange others in the topic of security<br />
<br />
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.<br />
<br />
For example, security design happens with perhaps a handful of principles:<br />
<br />
* Least Privilege<br />
* Perimeter Security<br />
* Defence in Depth<br />
<br />
However, we regularly see designs without '''separation of privilege'''!<br />
<br />
Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!<br />
<br />
The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.<br />
<br />
==Description==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible. <br />
</span><br />
<br />
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]'''<br />
<br />
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.<br />
<br />
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.<br />
<br />
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.<br />
<br />
==Licensing==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project must be licensed under a community friendly or open source license. For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.<br />
</span><br />
<br />
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!'''<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.''<br />
<br />
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP Security Principles Project? ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?<br />
</span><br />
<br />
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.<br />
<br />
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.<br />
<br />
== Presentation ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to slide presentations related to your project. <br />
</span><br />
<br />
<br />
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]<br />
<br />
== Project Leader ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.<br />
</span><br />
<br />
* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to other OWASP Projects that are similar to yours. <br />
</span><br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->A preview can be found here: <nowiki>https://nextcloud.fhunii.com/s/WYfC43RDE8KZXQK</nowiki><br />
<br />
Please not that they are using not allowed logo combinations and non open source fonts at the moment.<br />
<br />
<span style="color:#ff0000"><br />
This is where you can link to your repository.<br />
</span><br />
<br />
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]<br />
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]<br />
<br />
== News and Events ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you can link to press your project has been a part of. Appropriate press includes: Project Leader interviews, articles written about your project, and videos about your project. <br />
</span><br />
<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
== In Print ==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This is where you place links to where your project product can be downloaded or purchased, in the case of a book. <br />
</span><br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
==Classifications==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running. <br />
</span><br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'<br />
</span><br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. <br />
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. <br />
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.<br />
</span><br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here]. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves]<br />
* [https://github.com/sublimino Andrew Martin]<br />
* [https://github.com/Lambdanaut Josh Thomas]<br />
* '''YOUR NAME BELONGS HERE'''<br />
<br />
= Road Map and Getting Involved =<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.<br />
</span> <br />
<br />
<span style="color:#ff0000"><br />
Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. <br />
</span><br />
<br />
Design of more buttons<br />
<br />
Please provide more detail and timeline of deliverables you would like to meet.<br />
<br />
As of October 2013, the priorities are:<br />
* Finish the referencing for each principle.<br />
* Update the Project Template.<br />
* Use the OWASP Press to develop a book.<br />
* Finish and publish the book on Lulu.<br />
<br />
Involvement in the development and promotion of the OWASP Security Principles Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some of the principles.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing support for the book. <br />
<br />
=Project About=<br />
<br />
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--><br />
<span style="color:#ff0000"><br />
This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says "OWASP_Example_Project". When in doubt, ask the OWASP Projects Manager. <br />
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project<br />
</span><br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Security_Pins_Project&diff=239417OWASP Security Pins Project2018-04-05T18:44:12Z<p>Timo Pagel: </p>
<hr />
<div><div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==Description==<br />
<br />
Oftentimes motivating security champions is a challenge. Most of the time, they're not willing to dedicate the time and effort to the invisible part of security. The product owners themselves focus on pushing the developement of features therefore the nessecity of security is often neglected or almost completely overlooked.<br />
<br />
That is why there is a need to visualize the investment in security, made by a champion or an entire team. One solution would be to give out corresponding buttons for every security event the champions attend. Those events could be something along the lines of a threat modeling session with OWASP Cornucopia or any other relevant topics.<br />
<br />
The buttons can be seen as a reward given to the representatives of each team, showcased in the team rooms. Preferably on a white hat or a sash. This concept could also be implemented with stickers. As an alternative to reward the attendency of a meeting, the actual implementation (e.g. using of a hardened image) might be rewarded.<br />
<br />
Benefits:<br />
* A teams effort in security is visible and therefore measureable<br />
* teams are able to compare each others achievements, especially with different skill levels (e.g. XSS Basics and XSS Advanced events)<br />
* Security Champions are able to get some kind of certification<br />
* This project could help engange others in the topic of security<br />
<br />
==Licensing==<br />
{| class="wikitable"<br />
|This project is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit <nowiki>http://creativecommons.org/licenses/by/4.0/</nowiki> or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.<br />
|}<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Leader ==<br />
<br />
Timo Pagel<br><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Git ==<br />
https://github.com/wurstbrot/security-buttons<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%" | <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
==How can I participate in your project?==<br />
Create buttons. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Create buttons.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/wurstbrot/security-buttons/graphs/contributors contributors is found here].<br />
<br />
The first contributors to the project were:<br />
<br />
* Katharina Treptow<br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Security_Pins_Project&diff=239416OWASP Security Pins Project2018-04-05T18:43:14Z<p>Timo Pagel: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==Description==<br />
<br />
Oftentimes motivating security champions is a challenge. Most of the time, they're not willing to dedicate the time and effort to the invisible part of security. The product owners themselves focus on pushing the developement of features therefore the nessecity of security is often neglected or almost completely overlooked.<br />
<br />
That is why there is a need to visualize the investment in security, made by a champion or an entire team. One solution would be to give out corresponding buttons for every security event the champions attend. Those events could be something along the lines of a threat modeling session with OWASP Cornucopia or any other relevant topics.<br />
<br />
The buttons can be seen as a reward given to the representatives of each team, showcased in the team rooms. Preferably on a white hat or a sash. This concept could also be implemented with stickers. As an alternative to reward the attendency of a meeting, the actual implementation (e.g. using of a hardened image) might be rewarded.<br />
<br />
Benefits:<br />
* A teams effort in security is visible and therefore measureable<br />
* teams are able to compare each others achievements, especially with different skill levels (e.g. XSS Basics and XSS Advanced events)<br />
* Security Champions are able to get some kind of certification<br />
* This project could help engange others in the topic of security<br />
<br />
==Licensing==<br />
{| class="wikitable"<br />
|This project is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit <nowiki>http://creativecommons.org/licenses/by/4.0/</nowiki> or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.<br />
|}<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Leader ==<br />
<br />
Timo Pagel<br><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Git ==<br />
https://github.com/wurstbrot/security-buttons<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%" | <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
==How can I participate in your project?==<br />
Create buttons. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Create buttons.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project [https://github.com/wurstbrot/security-buttons/graphs/contributors contributors is found here].<br />
<br />
The first contributors to the project were:<br />
<br />
* Katharina Treptow<br />
<br />
{{:Projects/OWASP_Example_Project_About_Page}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236759GSOC2018 Ideas2018-01-12T12:07:11Z<p>Timo Pagel: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===React Handling===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Contributor<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 4] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Contributor <br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework==<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell'''<br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
===Your idea / Getting started===<br />
*Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
===Expected Results===<br />
*Adding features to SKF project<br />
**https://github.com/blabla1337/skf-flask/issues/369<br />
**https://github.com/blabla1337/skf-flask/issues/367<br />
**https://github.com/blabla1337/skf-flask/issues/68<br />
**https://github.com/blabla1337/skf-flask/issues/95<br />
*Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
*Adding/updating knowledge base items<br />
*Adding CWE references to knowledgebase items<br />
**https://github.com/blabla1337/skf-flask/issues/35<br />
*Improve unit testing of the Angular quality, currently only 68% of the front-end is unit tested automated <br />
**https://github.com/blabla1337/skf-flask/issues/352<br />
===Knowledge Prerequisites===<br />
*For helping in the development of new features and functions you need Python flask and for the frond-end we use Angular 4.0<br />
*For writing knowledgebase items only technical knowledge of application security is required<br />
*For writing / updating code examples you need to know a programming language along with secure development.<br />
*For writing the verification guide you need some penetration testing experience.<br />
'''Mentors:'''<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236758GSOC2018 Ideas2018-01-12T11:59:12Z<p>Timo Pagel: Add Timo Pagel to Juice Shop</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===React Handling===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Contributor <br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 4] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Contributor <br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework==<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell'''<br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
===Your idea / Getting started===<br />
*Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
===Expected Results===<br />
*Adding features to SKF project<br />
**https://github.com/blabla1337/skf-flask/issues/369<br />
**https://github.com/blabla1337/skf-flask/issues/367<br />
**https://github.com/blabla1337/skf-flask/issues/68<br />
**https://github.com/blabla1337/skf-flask/issues/95<br />
*Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
*Adding/updating knowledge base items<br />
*Adding CWE references to knowledgebase items<br />
**https://github.com/blabla1337/skf-flask/issues/35<br />
*Improve unit testing of the Angular quality, currently only 68% of the front-end is unit tested automated <br />
**https://github.com/blabla1337/skf-flask/issues/352<br />
===Knowledge Prerequisites===<br />
*For helping in the development of new features and functions you need Python flask and for the frond-end we use Angular 4.0<br />
*For writing knowledgebase items only technical knowledge of application security is required<br />
*For writing / updating code examples you need to know a programming language along with secure development.<br />
*For writing the verification guide you need some penetration testing experience.<br />
'''Mentors:'''<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Education_Presentation&diff=233883OWASP Education Presentation2017-09-29T14:35:54Z<p>Timo Pagel: Add Security in DevOps</p>
<hr />
<div>This page provide a commented overview of the OWASP presentations available.<br><br />
Please use the last line of the tables as template.<br><br />
Presentions can be tracked through:<br />
* the [http://www.owasp.org/index.php/Category:OWASP_Presentations OWASP Presentations Category]<br />
* [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference Past OWASP Conference agenda's]<br />
* From the chapter pages<br />
Everybody is encouraged to link the presentations and add their findings on this page !<br />
There are currently hundreds of presentations all over the OWASP web site. <br />
If you search google with “site:owasp.org filetype:ppt” there are 166 hits. “site:owasp.org filetype:pdf” returns 76.<br />
Feel free to “mine” them and add them to the overview.<br />
<br />
== OWASP Education Presentations ==<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ OWASP Education Presentations<br />
! width="30%" |Title<br />
! width="40%" |Comment<br />
! width="15%" |Level<br />
! width="15%" |Date (2015-07-04)<br />
|-<br />
|[https://docs.google.com/presentation/d/1M4cx_zVFN7WCKybV2c7c8L0QG9gP5z78JAIELRhkVkg/edit?usp=sharing Security in DevOps-Strategies]<br />
|Show Security in DevOps-Strategies and how to use the Generic DevOps Security Maturity Model<br />
|Intermediate<br />
|2017-09-29<br />
|-<br />
|[https://docs.google.com/presentation/d/1SWCyscCQ0YGW3_Y6vCwI4ZY_Q5-TOQ-eoVZaT6qwofc/edit?usp=sharing Docker Security Workshop]<br />
|One till two days workshop to introduce docker related risks and treatments by Timo Pagel<br />
|Novice / Intermediate<br />
|2017-09-08<br />
|-<br />
|[https://drive.google.com/open?id=0B2KKdB7MPO7xTEwtWkkwTnl5VFk Security in Webapplications]<br />
|University Module "Security in Webapplications" by Timo Pagel<br />
|Novice / Intermediate<br />
|2017-04-25<br />
|- valign="top"<br />
|[https://www.owasp.org/images/f/f2/LASCON_2015_-_Web_Application_Developer_Security_Training.pptx Web Application Developer Security Training]|| Secure Web App Development course by [[user:Jsokol | Josh Sokol]], [[user:Dancornell | Dan Cornell]] || Novice || 2015-10-21<br />
|- valign="top"<br />
|[https://www.owasp.org/index.php/Education/Free_Training Free Developer Training]|| Developer AppSec Course by [[Eoin Keary]] and [https://www.owasp.org/index.php/User:Jmanico Jim Manico] || Intermediate || 2014-04-04<br />
|- valign="top"<br />
|[[:Image:OWASP Overview Winter 2009v1.pptx|OWASP Overview Winter 2009]]|| Updated overview of OWASP || Novice || 2009-12-08<br />
|- valign="top"<br />
|[[:Image:Programa_de_Educacion_OWASP.ppt|Programa de Educacion OWASP]]|| Una introduccion a OWASP para Universidades y Centros Educativos por Fabio Cerullo|| Novice || 2009-03-20<br />
|- valign="top"<br />
|[[:Image:OWASP_Educational_Programme.ppt|OWASP Educational Programme]]|| An introduction to OWASP for Universities & Educational Institutions by Fabio Cerullo|| Novice || 2009-03-20<br />
|- valign="top"<br />
|[[:Image:OWASP Overview Summer 2009.pptx|OWASP Overview Summer 2009]]|| Recent overview of OWASP by Jeff Williams || Novice || 2009-08-25<br />
|- valign="top"<br />
|[[:Image:Education Module Why WebAppSec Matters.ppt|Why WebAppSec Matters]]|| This module explains why security should be considered when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:OWASP-Intro-2008-portuguese.ppt|OWASP Intro 2008 Portuguese]]|| Este módulo é uma intrudução sobre o projeto OWASP. || Novice || 2008-07-06<br />
|- valign="top"<br />
|[[:Image:Education Module OWASP Top 10 Introduction and Remedies.ppt|OWASP Top 10 Introduction and Remedies]]|| This module explains the OWASP Top 10 web application vulnerabilities as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:Education Module Embed within SDLC.ppt|Embed within SDLC]]|| This module explains the complete approach of Web Application Security when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:Education Module Good Secure Development Practices.ppt|Good Secure Development Practices]]|| This module explains some good secure development practices when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:Education Module Testing for Vulnerabilities.ppt|Testing for Vulnerabilities]]|| This module explains application security testing when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:Education Module Good WebAppSec Resources.ppt|Good WebAppSec Resources]]|| This module points you to some good web application security resources when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|}<br />
,<br />
<br><br />
<br />
== OWASP Project Presentations ==<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ OWASP Project Presentations<br />
! width="30%" |Title<br />
! width="40%" |Comment<br />
! width="15%" |Level<br />
! width="15%" |Date (yyyy-mm-dd)<br />
|- valign="top"<br />
|[[:Image:Germany 2008 Conference OWASP Introduction v1.pptx|OWASP Introduction]] || OWASP Overview presentation covering OWASP, project parade and OWASP near you. Given by Seba during the Germany 2008 Conference || Novice || 2008-11-25<br />
|- valign="top"<br />
|[[:Image:OWASP Foundation The story so far and beyond - Part 1.ppt|India08 Keynote - Part 1]] || OWASP Overview presentation. Part 1 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16<br />
|- valign="top"<br />
|[[:Image:OWASP Foundation The story so far and beyond - Part 2.ppt|India08 Keynote - Part 2]] || OWASP Overview presentation. Part 2 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16<br />
|- valign="top"<br />
|[[:Image:OWASP India - Tour of OWASP projects.ppt|Tour of OWASP’s projects]] || Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16<br />
|- valign="top"<br />
|[https://www.owasp.org/images/5/59/RISK_2008_OWASP_Introduction_v1.pptx OWASP @ RISK08 (Norway)] || OWASP introduction at Norway RISK2008 conference by Seba || Novice || 2008-04-23<br />
|- valign="top"<br />
|[[:Image:OWASP NY Keynote.ppt|OWASP NY Keynote by Jeff]] also available in [[:Image:20070620-FR-OWASP NY Keynote.ppt|French]]|| OWASP Overview presentation with slide "OWASP by the numbers" and slide with the sorry state of Tools (at best 45%) which caused some controverse || Novice || 2007-06-12<br />
|- valign="top"<br />
|[http://www.owasp.org/images/a/af/OWASP_Testing_Guide_Presentation.zip The OWASP Testing Guide (Jeff Williams)] || Overview of the OWASP Testing Guide || Novice || 2007-01-23<br />
|- valign="top"<br />
|[http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip The OWASP Testing Guide v2 EUSecWest07 (Matteo Meucci, Alberto Revelli)] || Presentation at EUSecWest07 || Intermediate || 2007-03-01<br />
|- valign="top"<br />
|[http://www.owasp.org/images/3/3c/OWASP_Flyer_Sep06.ppt OWASP Project Overview] || High level overview of projects and how OWASP works || Novice || 2006-09-19 <br />
|- valign="top"<br />
|[http://www.owasp.org/images/4/49/OWASPAppSec2006Seattle_Security_Metrics.ppt The OWASP Application Security Metrics Project (Bob Austin)] || Presentation on the Application Security Metrics project || Novice || 2006-10-17<br />
|- valign="top"<br />
|[http://www.owasp.org/images/5/53/OWASPAppSecEU2006_CLASP_Project.ppt OWASP CLASP Project (Pravir Chandra)] || OWASP CLASP project presentation given at the 2006 European AppSec conference || Novice || 2006-05-30<br />
|- valign="top"<br />
|[http://www.owasp.org/images/3/30/OWASPAppSec2006Seattle_UsingSprajaxToTestAJAXSecurity.ppt Sprajax (Dan Cornell)] || OWASP Sprajax presentation given at the 2006 Seattle AppSec conference || Intermediate || 2006-10-17<br />
|- valign="top"<br />
|}<br />
<br />
<br><br />
<br />
== OWASP Conference Presentations ==<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ OWASP Conference Presentations <br />
! width="30%" | Title<br />
! width="40%" | Comment<br />
! width="15%" | Level<br />
! width="15%" |Date (yyyy-mm-dd)<br />
<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan ModSecurityCoreRuleSet.ppt | Mod Security Core Rule Set (Ofer Shezaf)]] ||Ofer Shezaf's presentation on the Core Ruleset for the latest version of ModSecurity presented at 6th OWASP AppSec conference in Milan, Italy, in May 2007.|| Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan OWASPTestingGuide2v1.ppt | OWASP Testing Guide v2.1 (Matteo Meucci)]] ||Matteo Meucci's presentation on the OWASP Testing Guide v2 at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan CLASP.ppt | CLASP (Pravir Chandra)]] ||Pravir Chandra's presentation on the upcoming 2007 update to CLASP presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan AdvancedWebHacking.ppt | Advanced Web Hacking (PDP)]] ||PDPs presentation at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan XMLSecurityGatewayEvalCriteria.ppt | XML Security Gateway Evaluation Criteria (Gunnar Peterson)]] ||Gunnar Peterson's presentation about the new XML Security Gateway Evaluation Criteria project at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan TestingFlashApplications.ppt | Testing Flash Applications (Stephano Di Paolo)]] ||Stephano Di Paolo's presentation on how to test Flash applications presented at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert|| 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan OvertakingGoogleDesktop.ppt | Overtaking Google Desktop (Yair Amit)]] ||Yair Amit's presentation on XSS Flaws in Google Desktop that can be exploited through google.com presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan MS ACETeamAppSecfromTheCore.ppt | ACE Team Application Security from the Core (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the Microsoft ACE team's application security process at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan Pantera.ppt | Pantera (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the new OWASP tool Pantera at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan ProtectingWebAppsfromUniversalPDFXSS.ppt | Protecting Web applications from universal PDF XSS (Ivan Ristic)]] ||Ivan Ristic's Universal XSS PDF presentation at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan SoftwareSecurity.ppt | Software Security (Rudolph Araujo)]] ||Rudolph Araujo's presentation on Application Security best practices at the 6th OWASP AppSec conference in Milan Italy, May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan WebGoatv5.ppt | WebGoat v5 (Dave Wichers)]] ||WebGoat v5 presentation by Dave Wichers at the 6th OWASP AppSec Conference in Milan, Italy, May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan WebScarabNG.ppt | WebScarab NG (Dave Wichers)]] ||Description of the new WebScarab-NG efforts presented by Dave Wichers at the 6th OWASP AppSec conference in Milan, Italy in May 2007.|| Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan SANS SPSA Initiative.ppt | SANS SPSA Initiative (Dave Wichers)]] ||Description of the SANS Secure Coding Exam Initiative presented by Dave Wichers at the 6th OWASP AppSec conference in Milan Italy, May 2007.|| Novice || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan OWASPItalyActivities.ppt | OWASP Italy Activities (Raoul Chiesa)]] ||Raoul Chiesa's keynote for day 2 of the 6th OWASP AppSec conference on the state of application security in Italy including OWASP's activities in that country.|| Novice || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan SecurityEngineeringInVista.ppt | Security engineering in Vista (Alex Lucas)]] ||Alex Lucas' from Microsoft's keynote presentation for Day 1 of the 6th OWASP AppSec conference in Milan on the benefits of Microsoft's SDL to the security of Vista. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[http://www.owasp.org/images/5/5f/OWASPAppSec2006Seattle_SecurityEngineeringInVista.ppt How the Security Development Lifecycle(SDL) Improved Windows Vista (Michael Howard)] || Michael Howard's talk on SDL from the OWASP Seattle AppSec Conference in 2006 || Intermediate || 2006-10-18<br />
|- valign="top"<br />
|[http://www.owasp.org/images/3/34/OWASPAppSecEU2006_Bootstrapping_the_Application_Assurance_Process.ppt Bootstrapping the Application Assurance Process (Sebastien Deleersnyder)] || Presentation given during the European 2006 AppSec conference on the application assurance process || Novice || 2006-05-30<br />
|- valign="top"<br />
|[http://www.owasp.org/images/8/8b/OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt Inline Approach for Secure SOAP Requests and Early Validation (Mohammad Ashiqur Rahaman, Maartin Rits and Andreas Schaad SAP Research, Sophia Antipolis, France)] || Presentation given at the European 2006 AppSec conference about security and soap message structure issues || Intermediate || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt Web Application Firewalls:When Are They Useful? (Ivan Ristic)] || Presentation about Web Application Firewalls || Novice || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt HTTP Message Splitting, Smuggling and Other Animals (Amit Klein)] || A presentation about Message splitting other attacks around the HTTP protocol || Intermediate || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/f/f6/OWASPAppSec2006Seattle_WebAppForensics.ppt Web Application Incident Response & Forensics: A Whole New Ball Game! (Rohyt Belani & Chuck Willis)] || Talk about Web Application Security incident handling and forensics given at the OWASP 2006 Seattle AppSec conference || Intermediate || 2006-10-18<br />
|- valign="top"<br />
|[http://www.owasp.org/images/d/d2/OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10.ppt Can (Automated) Testing Tools Really Find the OWASP Top 10? (Erwin Geirnaert)] || A talk about how automated testing tools stack up against the OWASP top 10 || Intermediate || 2006-05-30<br />
|- valign="top"<br />
|[http://www.owasp.org/images/2/28/OWASPAppSecEU2006_RequestRodeo.ppt RequestRodeo: Client Side Protection against Session Riding (Martin Johns / Justus Winter)] || Presentation given about how Sessions can be hi-jacked, etc... || Novice || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/6/62/OWASPAppSecEU2006_SecurityTestingthruAutomatedSWTests.ppt Security Testing through Automated Software Tests (Stephen de Vries)] || Presentation given at the 2006 EuSec conference || Intermediate || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/0/0e/AppSec2005DC-Jeremy_Poteet-In_the_Line_of_Fire.ppt In the Line of Fire: Defending Highly Visible Targets (Jeremy Poteet)] || Conference given at the 2005 DC AppSec conference || Novice || 2005-10-1<br />
|- valign="top"<br />
|[http://www.owasp.org/images/9/93/AppSec2005DC-Matt_Fisher-Google_Hacking_and_Worms.ppt Google Hacking and Web Application Worms (Matt Fisher)] || Talk given at the 2005 DC AppSec conference || Novice || 2005-10-01<br />
|- valign="top"<br />
|[http://www.owasp.org/images/0/05/AppSec2005DC-Anthony_Canike-Enterprise_AppSec_Program.ppt Establishing an Enterprise Application Security Program (Tony Canike)] || Talk given at the 2005 DC AppSec Conference || Novice || 2005-10-01<br />
|- valign="top"<br />
|[https://owasp.org/images/0/0d/OWASPAppSec2006Seattle_Why_AJAX_Applications_More_Likely_Insecure.ppt Why AJAX Applications Are Far More Likely To Be Insecure (And What To Do About It) (Dave Wichers)] || Dave's talk on AJAX given at the Seattle 2006 AppSec conference || Intermediate || 2006-10-01<br />
|- valign="top"<br />
|}<br />
<br />
<br><br />
<br />
== Web Application Security Presentations ==<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ Web Application Security Presentations <br />
! width="30%" |Title<br />
! width="40%" |Comment<br />
! width="15%" |Level<br />
! width="15%" |Date (yyyy-mm-dd)<br />
|- valign="top"<br />
|[[:Image:Protecting Web Applications from Universal PDF XSS.ppt| Universal PDF XSS by Ivan Ristic]] || Protecting Web Applications from Universal PDF XSS || Intermediate || 2007-06-28<br />
|- valign="top"<br />
|[[:Image:IdM-OWASP.v.0.2.14.pdf|Identity Management Basics (Derek Brown)]] ||Identity Management Basics|| Novice || 2007-05-09<br />
|- valign="top"<br />
|[[http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt Advanced SQL Injection (Victor Chapela)] || Detailed methodology for analyzing applications for SQL injection vulnerabilities || Expert || 2005-11-04<br />
|- valign="top"<br />
|[[http://www.owasp.org/images/7/7d/Advanced_Topics_on_SQL_Injection_Protection.ppt Advanced Topics on SQL Injection Protection (Sam NG)] || 7 methods to prevent SQL injection attacks correctly and in a more integrated approach. Methods 1 to 3 are applicable during design or development life cycle. Method 4 is mainly from QA’s perspective. Methods 5 and 6 can be applied to production environment and are applicable even if you do not have access to or if you cannot change the source code. Other non-main stream technology are discussed in Method 7. || Intermediate || 2006-02-27<br />
|- valign="top"<br />
|[[http://www.owasp.org/images/d/d1/AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt Attacking Web Services (Alex Stamos)] || Web Services Introduction and Attacks || Intermediate || 2005-10-11<br />
|- valign="top"<br />
|[http://www.owasp.org/images/7/72/MMS_Spoofing.ppt MMS Spoofing (Matteo Meucci)] || A Case-study of a vulnerable web application || Intermediate<br />
|- valign="top"<br />
|[http://www.owasp.org/images/f/f9/OWASPAppSecEU2006_AJAX_Security.ppt Ajax Security (Andrew van der Stock)] || Presentation on Ajax security for OWASP AppSec Europe 2006 || Intermediate || 2006-05-30<br />
|- valign="top"<br />
|[http://www.owasp.org/images/3/3a/OWASPAppSec2006Seattle_Web_Services_Security.ppt Advanced Web Services Security & Hacking (Justin Derry)] || Presentation given on Webservice security at the Seattle 2006 AppSec conference || Intermediate || 2006-10-18<br />
|- valign="top"<br />
|[http://www.owasp.org/images/f/f6/Integration_into_the_SDLC.ppt Integration into the SDLC (Eoin Keary)] || A presentation about why and how to integrate the SDLC. || Novice || 2005-04-09<br />
|- valign="top"<br />
|}<br />
<br />
<br><br />
<br />
== Chapter Presentations ==<br />
[[Category:OWASP Education Project]]<br />
[[Category:OWASP Presentations]]<br />
[[Category:Chapter Resources]]<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ Chapter Presentations<br />
! width="30%" |Title<br />
! width="30%" |Comment<br />
! width="10%" |Level<br />
! width="10%" |Month (Mon-yyyy)<br />
! width="10%" |Chapter<br />
<br />
|- valign="top"<br />
|[[:Image:Common_Application_Flaws.ppt| Common Application Flaws (Brett Moore)]] ||OWASP New Zealand chapter presentation on Common Application Flaws|| Novice/Intermediate ||November 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Time_Based_SQL_Injections.ppt| Time Based SQL Injections (Muhaimin Dzulfakar)]] ||OWASP New Zealand chapter presentation on Time Based SQL Injections|| Intermediate ||September 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Browser_security.ppt| Browser Security (Roberto Suggi Liverani)]] ||OWASP New Zealand chapter presentation on Browser Security|| Intermediate ||September 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:OWASP_CMH_SQLInjection__20080707.zip| 7/7/2008 SQL Injection (Columbus, OH)]] || SQL Injection Presentation given at the Columbus, OH OWASP Chapter Meeting. Powerpoint, derby DB, and applicable java code. || Novice / Intermediate || July 2008 || [[Columbus]]<br />
|- valign="top"<br />
|[[:Image:OWASP_ellak-Greece.ppt| Detecting Web Application Vulnerabilities Using Open Source Means (Konstantinos Papapanagiotou)]] ||OWASP Greek Chapter presentation given at the Open Source Software (FLOSS) Conference in Athens|| Novice ||May 2008 || [[Greece]]<br />
|- valign="top"<br />
|[[:Image:Hacking_The_World_With_Flash.ppt| Hacking The World With Flash (Paul Craig)]] ||OWASP New Zealand chapter presentation on Flash security|| Intermediate ||April 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Web_spam_techniques.ppt| Web Spam Techniques (Roberto Suggi Liverani)]] ||OWASP New Zealand chapter presentation on Web Spam Techniques|| Intermediate ||April 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Xpath_Injection.ppt| Xpath Injection Overview (Roberto Suggi Liverani)]] ||OWASP New Zealand chapter presentation on Xpath Injection|| Intermediate ||February 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Owasp security4mobileJava.pdf| Dependability for Java Mobile Code (Pierre Parrend)]] ||OWASP Swiss chapter presentation on Mobile Java Security || Expert ||July 2007 || [[Switzerland]]<br />
|- valign="top"<br />
|[[:Image:Trust Security Usability - v1.0.pdf|Trust, Security and Usability (Roger Carhuatocto) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]<br />
|- valign="top"<br />
|[[:Image:OWASP-tratamiento_de_datos.pdf|Tratamiento seguro de datos en aplicaciones in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]<br />
|- valign="top"<br />
|[[:Image:Conferencia_OWASP.pdf|Ataques DoS en aplicaciones Web (Jaime Blasco Bermejo) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]<br />
|- valign="top"<br />
|[[:Image:Seguridad en entornos financieros.pdf|Seguridad en entornos financierosPedro (Pedro Sánchez) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]<br />
|- valign="top"<br />
|[[:Image:Java_Open_Review.ppt|Brian Chess from Fortify shared what's going on with the Java Open Source review project at the June NoVA OWASP meeting]] || Java Open Review || Intermediate ||June 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[[:Image:Bytecode_injection.ppt|Brian Chess from Fortify, presentation to NoVA OWASP chapter in June 2007.]] || Bytecode injection || Expert ||June 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[[:Image:Security at the VMM Layer - OWASP.ppt|Security at the VMM Layer by Ted Winograd]] || Security at the VMM Layer || Expert ||June 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[[:Image:KC June 2007 Evaluating and Tuning WAFs.pdf|Evaluating and Tuning Web Application Firewalls (Barry Archer)]] ||Presentation given at Kansas City June 2007 chapter meeting|| Intermediate ||June 2007 || [[Kansas City]]<br />
|- valign="top"<br />
|[[:Image:OWASP_SDL-IT.pdf|Microsoft Security Development Lifecycle for IT (Rob Labbé)]] ||Presentation by Rob Labbe at Ottawa OWASP Chapter|| Novice ||May 2007|| [[Ottawa]]<br />
|- valign="top"<br />
|[[:Image:OWASP_IL_7_Application_DOS.pdf|Application Denial of Service (Shaayy Cheen)]] ||Is it Really That Easy? Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP_IL_7_FuzzGuru.pdf|Fuzzing in Microsoft and FuzzGuru framework (John Neystadt)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP_IL_7_AppSec_and_Beyond.pdf|Application Security, not just development (David Lewis)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 Overtaking Google Desktop.pdf|Overtaking Google Desktop, Leveraging XSS to Raise Havoc (Yair Amit)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 UnregisterAttackInSip.pdf|Unregister Attack in SIP (Anat Bremler-Barr, Ronit Halachmi-Bekel and Jussi Kangasharju)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 WAF Positive Security.pdf|Positive Security Model for Web Applications, Challenges and Promise (Ofer Shezaf)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 DOT NET Reverse Engineering.pdf|.NET Reverse Engineering (Erez Metula)]] ||Presentation given at the Israel Mini Conference in May 2007|| Expert ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 OWASP Introduction.pdf|OWASP introduction (Ofer Shezaf)]] ||2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP BeLux 2007-06-22 Update on Internet Attack Statistics for Belgium in 2006.ppt|Update on Internet Attack Statistics for Belgium in 2006 by Hilar Leoste (Zone-H)]] || Update on Internet Attack Statistics for Belgium in 2006 || Novice ||May 2007 || [[Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:InfoSec_World_2007_-_Web_services_gateways.ppt Securing Web Services using XML Security Gateways by Tim Bond] || Securing Web Services using XML Security Gateways || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:SwA_Acquisition_WG_-_Overview.ppt Software Assurance in the Acquisition Process by Stan Wisseman] || Software Assurance in the Acquisition Process || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_Legal_Aspects_Jos_Dumortier.zip Legal Aspects of (Web) Application Security by Jos Dumortier] || Legal Aspects of (Web) Application Security || Intermediate ||May 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_AppSec_Research_Lieven_Desmet.zip AppSec Research (University Leuven Belgium)] || Formal absence of implementation bugs in web applications: a case study on indirect data sharing by Lieven Desmet || Expert ||May 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[[:Image:Scanner-Sparkly.ppt|A Scanner Sparkly]] || A Scanner Sparkly, taken from the Phoenix OWASP presentations on Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]<br />
|- valign="top"<br />
|[[:Image:Owasp-lessonslearned.ppt|Grey Box Assessment Lessons Learned]] || "Grey Box Assessment Lessons Learned", taken from the Phoenix OWASP presentations, Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_OWASP_Update.zip OWASP Update and OWASP BeLux Board Presentation (Seba)] || OWASP Update and OWASP BeLux Board Presentation || Novice||May 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[[:Image:Security Metics- What can we measure- Zed Abbadi.pdf|Metics- What can we measure (Zed Abbadi)]] ||19 April NoVa chapter meeting presentation on Security Metrics || Novice ||April 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[[:Image:Web Services Hacking and Hardening.pdf| Web Services Hacking and Hardening (Adam Vincent)]] ||3/8/07 NoVA chapter meeting, Adam Vincent from Layer7 || Expert ||March 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/f/fe/Pres_20070206_04_svetsch_xss_worms_owasp.zip XSS Worms (Sven Vetsch)] || XSS Worms || Intermediate ||Feb 2007 || [[Switzerland|Switzerland]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_WebGoat-Pantera.zip WebGoat and Pantera presentation (Philippe Bogaerts)] || WebGoat and Pantera presentation || Novice || Jan 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_AOP_security.zip Security implications of AOP for secure software (Bart De Win)] || Security implications of AOP for secure software || Expert || Jan 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/1/12/OWASP_Denver_Nov-06_presentation.ppt testing for common security flaws (David Byrne)] || testing for common security flaws || Intermediate || Nov 2006 || [[Denver|Denver]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/7/7c/Owasp-olli.pdf 40-ish slides on analyzing threats (Olli)] || Analyzing Threats || Novice || Dec 2006 || [[Helsinki|Helsinki]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/2/2c/KC_Dec2006_Attacking_The_App.pdf Attacking the Application (Dave Ferguson)] || Vulnerabilities, attacks and coding suggestions || Intermediate || Dec 2006 || [[Kansas City|Kansas City]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/6/6a/KC_Dec2006_Ajax_Security_Concerns.pdf Ajax Security Concerns (Rohini Sulatycki)] || Ajax Security Concerns || Intermediate ||Dec 2006 || [[Kansas City|Kansas City]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/8/8c/Anatomy_of_2_Web_App_Testing.zip Anatomy of 2 Web Application Testing (Matteo Meucci)] || Anatomy of 2 Web Application Testing || Intermediate || Mar 2006 || [[Italy|Italy]]<br />
<br />
|- valign="top"<br />
<br />
|[https://www.owasp.org/images/9/99/WTE-Cloud-Austin-2012-02.pdf Testing From the Cloud: Is the Sky Falling?] || WTE Cloud-based Testing || Intermediate || Feb 2012 || [[Austin|Austin]]<br />
|- valign="top"<br />
<br />
|}</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Education_Presentation&diff=233041OWASP Education Presentation2017-09-08T17:10:55Z<p>Timo Pagel: Add Docker Security Workshop</p>
<hr />
<div>This page provide a commented overview of the OWASP presentations available.<br><br />
Please use the last line of the tables as template.<br><br />
Presentions can be tracked through:<br />
* the [http://www.owasp.org/index.php/Category:OWASP_Presentations OWASP Presentations Category]<br />
* [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference Past OWASP Conference agenda's]<br />
* From the chapter pages<br />
Everybody is encouraged to link the presentations and add their findings on this page !<br />
There are currently hundreds of presentations all over the OWASP web site. <br />
If you search google with “site:owasp.org filetype:ppt” there are 166 hits. “site:owasp.org filetype:pdf” returns 76.<br />
Feel free to “mine” them and add them to the overview.<br />
<br />
== OWASP Education Presentations ==<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ OWASP Education Presentations<br />
! width="30%" |Title<br />
! width="40%" |Comment<br />
! width="15%" |Level<br />
! width="15%" |Date (2015-07-04)<br />
|-<br />
|[https://docs.google.com/presentation/d/1SWCyscCQ0YGW3_Y6vCwI4ZY_Q5-TOQ-eoVZaT6qwofc/edit?usp=sharing Docker Security Workshop]<br />
|One till two days workshop to introduce docker related risks and treatments by Timo Pagel<br />
|Novice / Intermediate<br />
|2017-09-08<br />
|-<br />
|[https://drive.google.com/open?id=0B2KKdB7MPO7xTEwtWkkwTnl5VFk Security in Webapplications]<br />
|University Module "Security in Webapplications" by Timo Pagel<br />
|Novice / Intermediate<br />
|2017-04-25<br />
|- valign="top"<br />
|[https://www.owasp.org/images/f/f2/LASCON_2015_-_Web_Application_Developer_Security_Training.pptx Web Application Developer Security Training]|| Secure Web App Development course by [[user:Jsokol | Josh Sokol]], [[user:Dancornell | Dan Cornell]] || Novice || 2015-10-21<br />
|- valign="top"<br />
|[https://www.owasp.org/index.php/Education/Free_Training Free Developer Training]|| Developer AppSec Course by [[Eoin Keary]] and [https://www.owasp.org/index.php/User:Jmanico Jim Manico] || Intermediate || 2014-04-04<br />
|- valign="top"<br />
|[[:Image:OWASP Overview Winter 2009v1.pptx|OWASP Overview Winter 2009]]|| Updated overview of OWASP || Novice || 2009-12-08<br />
|- valign="top"<br />
|[[:Image:Programa_de_Educacion_OWASP.ppt|Programa de Educacion OWASP]]|| Una introduccion a OWASP para Universidades y Centros Educativos por Fabio Cerullo|| Novice || 2009-03-20<br />
|- valign="top"<br />
|[[:Image:OWASP_Educational_Programme.ppt|OWASP Educational Programme]]|| An introduction to OWASP for Universities & Educational Institutions by Fabio Cerullo|| Novice || 2009-03-20<br />
|- valign="top"<br />
|[[:Image:OWASP Overview Summer 2009.pptx|OWASP Overview Summer 2009]]|| Recent overview of OWASP by Jeff Williams || Novice || 2009-08-25<br />
|- valign="top"<br />
|[[:Image:Education Module Why WebAppSec Matters.ppt|Why WebAppSec Matters]]|| This module explains why security should be considered when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:OWASP-Intro-2008-portuguese.ppt|OWASP Intro 2008 Portuguese]]|| Este módulo é uma intrudução sobre o projeto OWASP. || Novice || 2008-07-06<br />
|- valign="top"<br />
|[[:Image:Education Module OWASP Top 10 Introduction and Remedies.ppt|OWASP Top 10 Introduction and Remedies]]|| This module explains the OWASP Top 10 web application vulnerabilities as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:Education Module Embed within SDLC.ppt|Embed within SDLC]]|| This module explains the complete approach of Web Application Security when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:Education Module Good Secure Development Practices.ppt|Good Secure Development Practices]]|| This module explains some good secure development practices when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:Education Module Testing for Vulnerabilities.ppt|Testing for Vulnerabilities]]|| This module explains application security testing when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:Education Module Good WebAppSec Resources.ppt|Good WebAppSec Resources]]|| This module points you to some good web application security resources when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|}<br />
,<br />
<br><br />
<br />
== OWASP Project Presentations ==<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ OWASP Project Presentations<br />
! width="30%" |Title<br />
! width="40%" |Comment<br />
! width="15%" |Level<br />
! width="15%" |Date (yyyy-mm-dd)<br />
|- valign="top"<br />
|[[:Image:Germany 2008 Conference OWASP Introduction v1.pptx|OWASP Introduction]] || OWASP Overview presentation covering OWASP, project parade and OWASP near you. Given by Seba during the Germany 2008 Conference || Novice || 2008-11-25<br />
|- valign="top"<br />
|[[:Image:OWASP Foundation The story so far and beyond - Part 1.ppt|India08 Keynote - Part 1]] || OWASP Overview presentation. Part 1 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16<br />
|- valign="top"<br />
|[[:Image:OWASP Foundation The story so far and beyond - Part 2.ppt|India08 Keynote - Part 2]] || OWASP Overview presentation. Part 2 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16<br />
|- valign="top"<br />
|[[:Image:OWASP India - Tour of OWASP projects.ppt|Tour of OWASP’s projects]] || Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16<br />
|- valign="top"<br />
|[https://www.owasp.org/images/5/59/RISK_2008_OWASP_Introduction_v1.pptx OWASP @ RISK08 (Norway)] || OWASP introduction at Norway RISK2008 conference by Seba || Novice || 2008-04-23<br />
|- valign="top"<br />
|[[:Image:OWASP NY Keynote.ppt|OWASP NY Keynote by Jeff]] also available in [[:Image:20070620-FR-OWASP NY Keynote.ppt|French]]|| OWASP Overview presentation with slide "OWASP by the numbers" and slide with the sorry state of Tools (at best 45%) which caused some controverse || Novice || 2007-06-12<br />
|- valign="top"<br />
|[http://www.owasp.org/images/a/af/OWASP_Testing_Guide_Presentation.zip The OWASP Testing Guide (Jeff Williams)] || Overview of the OWASP Testing Guide || Novice || 2007-01-23<br />
|- valign="top"<br />
|[http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip The OWASP Testing Guide v2 EUSecWest07 (Matteo Meucci, Alberto Revelli)] || Presentation at EUSecWest07 || Intermediate || 2007-03-01<br />
|- valign="top"<br />
|[http://www.owasp.org/images/3/3c/OWASP_Flyer_Sep06.ppt OWASP Project Overview] || High level overview of projects and how OWASP works || Novice || 2006-09-19 <br />
|- valign="top"<br />
|[http://www.owasp.org/images/4/49/OWASPAppSec2006Seattle_Security_Metrics.ppt The OWASP Application Security Metrics Project (Bob Austin)] || Presentation on the Application Security Metrics project || Novice || 2006-10-17<br />
|- valign="top"<br />
|[http://www.owasp.org/images/5/53/OWASPAppSecEU2006_CLASP_Project.ppt OWASP CLASP Project (Pravir Chandra)] || OWASP CLASP project presentation given at the 2006 European AppSec conference || Novice || 2006-05-30<br />
|- valign="top"<br />
|[http://www.owasp.org/images/3/30/OWASPAppSec2006Seattle_UsingSprajaxToTestAJAXSecurity.ppt Sprajax (Dan Cornell)] || OWASP Sprajax presentation given at the 2006 Seattle AppSec conference || Intermediate || 2006-10-17<br />
|- valign="top"<br />
|}<br />
<br />
<br><br />
<br />
== OWASP Conference Presentations ==<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ OWASP Conference Presentations <br />
! width="30%" | Title<br />
! width="40%" | Comment<br />
! width="15%" | Level<br />
! width="15%" |Date (yyyy-mm-dd)<br />
<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan ModSecurityCoreRuleSet.ppt | Mod Security Core Rule Set (Ofer Shezaf)]] ||Ofer Shezaf's presentation on the Core Ruleset for the latest version of ModSecurity presented at 6th OWASP AppSec conference in Milan, Italy, in May 2007.|| Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan OWASPTestingGuide2v1.ppt | OWASP Testing Guide v2.1 (Matteo Meucci)]] ||Matteo Meucci's presentation on the OWASP Testing Guide v2 at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan CLASP.ppt | CLASP (Pravir Chandra)]] ||Pravir Chandra's presentation on the upcoming 2007 update to CLASP presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan AdvancedWebHacking.ppt | Advanced Web Hacking (PDP)]] ||PDPs presentation at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan XMLSecurityGatewayEvalCriteria.ppt | XML Security Gateway Evaluation Criteria (Gunnar Peterson)]] ||Gunnar Peterson's presentation about the new XML Security Gateway Evaluation Criteria project at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan TestingFlashApplications.ppt | Testing Flash Applications (Stephano Di Paolo)]] ||Stephano Di Paolo's presentation on how to test Flash applications presented at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert|| 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan OvertakingGoogleDesktop.ppt | Overtaking Google Desktop (Yair Amit)]] ||Yair Amit's presentation on XSS Flaws in Google Desktop that can be exploited through google.com presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan MS ACETeamAppSecfromTheCore.ppt | ACE Team Application Security from the Core (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the Microsoft ACE team's application security process at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan Pantera.ppt | Pantera (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the new OWASP tool Pantera at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan ProtectingWebAppsfromUniversalPDFXSS.ppt | Protecting Web applications from universal PDF XSS (Ivan Ristic)]] ||Ivan Ristic's Universal XSS PDF presentation at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan SoftwareSecurity.ppt | Software Security (Rudolph Araujo)]] ||Rudolph Araujo's presentation on Application Security best practices at the 6th OWASP AppSec conference in Milan Italy, May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan WebGoatv5.ppt | WebGoat v5 (Dave Wichers)]] ||WebGoat v5 presentation by Dave Wichers at the 6th OWASP AppSec Conference in Milan, Italy, May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan WebScarabNG.ppt | WebScarab NG (Dave Wichers)]] ||Description of the new WebScarab-NG efforts presented by Dave Wichers at the 6th OWASP AppSec conference in Milan, Italy in May 2007.|| Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan SANS SPSA Initiative.ppt | SANS SPSA Initiative (Dave Wichers)]] ||Description of the SANS Secure Coding Exam Initiative presented by Dave Wichers at the 6th OWASP AppSec conference in Milan Italy, May 2007.|| Novice || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan OWASPItalyActivities.ppt | OWASP Italy Activities (Raoul Chiesa)]] ||Raoul Chiesa's keynote for day 2 of the 6th OWASP AppSec conference on the state of application security in Italy including OWASP's activities in that country.|| Novice || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan SecurityEngineeringInVista.ppt | Security engineering in Vista (Alex Lucas)]] ||Alex Lucas' from Microsoft's keynote presentation for Day 1 of the 6th OWASP AppSec conference in Milan on the benefits of Microsoft's SDL to the security of Vista. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[http://www.owasp.org/images/5/5f/OWASPAppSec2006Seattle_SecurityEngineeringInVista.ppt How the Security Development Lifecycle(SDL) Improved Windows Vista (Michael Howard)] || Michael Howard's talk on SDL from the OWASP Seattle AppSec Conference in 2006 || Intermediate || 2006-10-18<br />
|- valign="top"<br />
|[http://www.owasp.org/images/3/34/OWASPAppSecEU2006_Bootstrapping_the_Application_Assurance_Process.ppt Bootstrapping the Application Assurance Process (Sebastien Deleersnyder)] || Presentation given during the European 2006 AppSec conference on the application assurance process || Novice || 2006-05-30<br />
|- valign="top"<br />
|[http://www.owasp.org/images/8/8b/OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt Inline Approach for Secure SOAP Requests and Early Validation (Mohammad Ashiqur Rahaman, Maartin Rits and Andreas Schaad SAP Research, Sophia Antipolis, France)] || Presentation given at the European 2006 AppSec conference about security and soap message structure issues || Intermediate || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt Web Application Firewalls:When Are They Useful? (Ivan Ristic)] || Presentation about Web Application Firewalls || Novice || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt HTTP Message Splitting, Smuggling and Other Animals (Amit Klein)] || A presentation about Message splitting other attacks around the HTTP protocol || Intermediate || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/f/f6/OWASPAppSec2006Seattle_WebAppForensics.ppt Web Application Incident Response & Forensics: A Whole New Ball Game! (Rohyt Belani & Chuck Willis)] || Talk about Web Application Security incident handling and forensics given at the OWASP 2006 Seattle AppSec conference || Intermediate || 2006-10-18<br />
|- valign="top"<br />
|[http://www.owasp.org/images/d/d2/OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10.ppt Can (Automated) Testing Tools Really Find the OWASP Top 10? (Erwin Geirnaert)] || A talk about how automated testing tools stack up against the OWASP top 10 || Intermediate || 2006-05-30<br />
|- valign="top"<br />
|[http://www.owasp.org/images/2/28/OWASPAppSecEU2006_RequestRodeo.ppt RequestRodeo: Client Side Protection against Session Riding (Martin Johns / Justus Winter)] || Presentation given about how Sessions can be hi-jacked, etc... || Novice || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/6/62/OWASPAppSecEU2006_SecurityTestingthruAutomatedSWTests.ppt Security Testing through Automated Software Tests (Stephen de Vries)] || Presentation given at the 2006 EuSec conference || Intermediate || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/0/0e/AppSec2005DC-Jeremy_Poteet-In_the_Line_of_Fire.ppt In the Line of Fire: Defending Highly Visible Targets (Jeremy Poteet)] || Conference given at the 2005 DC AppSec conference || Novice || 2005-10-1<br />
|- valign="top"<br />
|[http://www.owasp.org/images/9/93/AppSec2005DC-Matt_Fisher-Google_Hacking_and_Worms.ppt Google Hacking and Web Application Worms (Matt Fisher)] || Talk given at the 2005 DC AppSec conference || Novice || 2005-10-01<br />
|- valign="top"<br />
|[http://www.owasp.org/images/0/05/AppSec2005DC-Anthony_Canike-Enterprise_AppSec_Program.ppt Establishing an Enterprise Application Security Program (Tony Canike)] || Talk given at the 2005 DC AppSec Conference || Novice || 2005-10-01<br />
|- valign="top"<br />
|[https://owasp.org/images/0/0d/OWASPAppSec2006Seattle_Why_AJAX_Applications_More_Likely_Insecure.ppt Why AJAX Applications Are Far More Likely To Be Insecure (And What To Do About It) (Dave Wichers)] || Dave's talk on AJAX given at the Seattle 2006 AppSec conference || Intermediate || 2006-10-01<br />
|- valign="top"<br />
|}<br />
<br />
<br><br />
<br />
== Web Application Security Presentations ==<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ Web Application Security Presentations <br />
! width="30%" |Title<br />
! width="40%" |Comment<br />
! width="15%" |Level<br />
! width="15%" |Date (yyyy-mm-dd)<br />
|- valign="top"<br />
|[[:Image:Protecting Web Applications from Universal PDF XSS.ppt| Universal PDF XSS by Ivan Ristic]] || Protecting Web Applications from Universal PDF XSS || Intermediate || 2007-06-28<br />
|- valign="top"<br />
|[[:Image:IdM-OWASP.v.0.2.14.pdf|Identity Management Basics (Derek Brown)]] ||Identity Management Basics|| Novice || 2007-05-09<br />
|- valign="top"<br />
|[[http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt Advanced SQL Injection (Victor Chapela)] || Detailed methodology for analyzing applications for SQL injection vulnerabilities || Expert || 2005-11-04<br />
|- valign="top"<br />
|[[http://www.owasp.org/images/7/7d/Advanced_Topics_on_SQL_Injection_Protection.ppt Advanced Topics on SQL Injection Protection (Sam NG)] || 7 methods to prevent SQL injection attacks correctly and in a more integrated approach. Methods 1 to 3 are applicable during design or development life cycle. Method 4 is mainly from QA’s perspective. Methods 5 and 6 can be applied to production environment and are applicable even if you do not have access to or if you cannot change the source code. Other non-main stream technology are discussed in Method 7. || Intermediate || 2006-02-27<br />
|- valign="top"<br />
|[[http://www.owasp.org/images/d/d1/AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt Attacking Web Services (Alex Stamos)] || Web Services Introduction and Attacks || Intermediate || 2005-10-11<br />
|- valign="top"<br />
|[http://www.owasp.org/images/7/72/MMS_Spoofing.ppt MMS Spoofing (Matteo Meucci)] || A Case-study of a vulnerable web application || Intermediate<br />
|- valign="top"<br />
|[http://www.owasp.org/images/f/f9/OWASPAppSecEU2006_AJAX_Security.ppt Ajax Security (Andrew van der Stock)] || Presentation on Ajax security for OWASP AppSec Europe 2006 || Intermediate || 2006-05-30<br />
|- valign="top"<br />
|[http://www.owasp.org/images/3/3a/OWASPAppSec2006Seattle_Web_Services_Security.ppt Advanced Web Services Security & Hacking (Justin Derry)] || Presentation given on Webservice security at the Seattle 2006 AppSec conference || Intermediate || 2006-10-18<br />
|- valign="top"<br />
|[http://www.owasp.org/images/f/f6/Integration_into_the_SDLC.ppt Integration into the SDLC (Eoin Keary)] || A presentation about why and how to integrate the SDLC. || Novice || 2005-04-09<br />
|- valign="top"<br />
|}<br />
<br />
<br><br />
<br />
== Chapter Presentations ==<br />
[[Category:OWASP Education Project]]<br />
[[Category:OWASP Presentations]]<br />
[[Category:Chapter Resources]]<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ Chapter Presentations<br />
! width="30%" |Title<br />
! width="30%" |Comment<br />
! width="10%" |Level<br />
! width="10%" |Month (Mon-yyyy)<br />
! width="10%" |Chapter<br />
<br />
|- valign="top"<br />
|[[:Image:Common_Application_Flaws.ppt| Common Application Flaws (Brett Moore)]] ||OWASP New Zealand chapter presentation on Common Application Flaws|| Novice/Intermediate ||November 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Time_Based_SQL_Injections.ppt| Time Based SQL Injections (Muhaimin Dzulfakar)]] ||OWASP New Zealand chapter presentation on Time Based SQL Injections|| Intermediate ||September 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Browser_security.ppt| Browser Security (Roberto Suggi Liverani)]] ||OWASP New Zealand chapter presentation on Browser Security|| Intermediate ||September 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:OWASP_CMH_SQLInjection__20080707.zip| 7/7/2008 SQL Injection (Columbus, OH)]] || SQL Injection Presentation given at the Columbus, OH OWASP Chapter Meeting. Powerpoint, derby DB, and applicable java code. || Novice / Intermediate || July 2008 || [[Columbus]]<br />
|- valign="top"<br />
|[[:Image:OWASP_ellak-Greece.ppt| Detecting Web Application Vulnerabilities Using Open Source Means (Konstantinos Papapanagiotou)]] ||OWASP Greek Chapter presentation given at the Open Source Software (FLOSS) Conference in Athens|| Novice ||May 2008 || [[Greece]]<br />
|- valign="top"<br />
|[[:Image:Hacking_The_World_With_Flash.ppt| Hacking The World With Flash (Paul Craig)]] ||OWASP New Zealand chapter presentation on Flash security|| Intermediate ||April 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Web_spam_techniques.ppt| Web Spam Techniques (Roberto Suggi Liverani)]] ||OWASP New Zealand chapter presentation on Web Spam Techniques|| Intermediate ||April 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Xpath_Injection.ppt| Xpath Injection Overview (Roberto Suggi Liverani)]] ||OWASP New Zealand chapter presentation on Xpath Injection|| Intermediate ||February 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Owasp security4mobileJava.pdf| Dependability for Java Mobile Code (Pierre Parrend)]] ||OWASP Swiss chapter presentation on Mobile Java Security || Expert ||July 2007 || [[Switzerland]]<br />
|- valign="top"<br />
|[[:Image:Trust Security Usability - v1.0.pdf|Trust, Security and Usability (Roger Carhuatocto) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]<br />
|- valign="top"<br />
|[[:Image:OWASP-tratamiento_de_datos.pdf|Tratamiento seguro de datos en aplicaciones in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]<br />
|- valign="top"<br />
|[[:Image:Conferencia_OWASP.pdf|Ataques DoS en aplicaciones Web (Jaime Blasco Bermejo) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]<br />
|- valign="top"<br />
|[[:Image:Seguridad en entornos financieros.pdf|Seguridad en entornos financierosPedro (Pedro Sánchez) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]<br />
|- valign="top"<br />
|[[:Image:Java_Open_Review.ppt|Brian Chess from Fortify shared what's going on with the Java Open Source review project at the June NoVA OWASP meeting]] || Java Open Review || Intermediate ||June 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[[:Image:Bytecode_injection.ppt|Brian Chess from Fortify, presentation to NoVA OWASP chapter in June 2007.]] || Bytecode injection || Expert ||June 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[[:Image:Security at the VMM Layer - OWASP.ppt|Security at the VMM Layer by Ted Winograd]] || Security at the VMM Layer || Expert ||June 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[[:Image:KC June 2007 Evaluating and Tuning WAFs.pdf|Evaluating and Tuning Web Application Firewalls (Barry Archer)]] ||Presentation given at Kansas City June 2007 chapter meeting|| Intermediate ||June 2007 || [[Kansas City]]<br />
|- valign="top"<br />
|[[:Image:OWASP_SDL-IT.pdf|Microsoft Security Development Lifecycle for IT (Rob Labbé)]] ||Presentation by Rob Labbe at Ottawa OWASP Chapter|| Novice ||May 2007|| [[Ottawa]]<br />
|- valign="top"<br />
|[[:Image:OWASP_IL_7_Application_DOS.pdf|Application Denial of Service (Shaayy Cheen)]] ||Is it Really That Easy? Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP_IL_7_FuzzGuru.pdf|Fuzzing in Microsoft and FuzzGuru framework (John Neystadt)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP_IL_7_AppSec_and_Beyond.pdf|Application Security, not just development (David Lewis)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 Overtaking Google Desktop.pdf|Overtaking Google Desktop, Leveraging XSS to Raise Havoc (Yair Amit)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 UnregisterAttackInSip.pdf|Unregister Attack in SIP (Anat Bremler-Barr, Ronit Halachmi-Bekel and Jussi Kangasharju)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 WAF Positive Security.pdf|Positive Security Model for Web Applications, Challenges and Promise (Ofer Shezaf)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 DOT NET Reverse Engineering.pdf|.NET Reverse Engineering (Erez Metula)]] ||Presentation given at the Israel Mini Conference in May 2007|| Expert ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 OWASP Introduction.pdf|OWASP introduction (Ofer Shezaf)]] ||2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP BeLux 2007-06-22 Update on Internet Attack Statistics for Belgium in 2006.ppt|Update on Internet Attack Statistics for Belgium in 2006 by Hilar Leoste (Zone-H)]] || Update on Internet Attack Statistics for Belgium in 2006 || Novice ||May 2007 || [[Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:InfoSec_World_2007_-_Web_services_gateways.ppt Securing Web Services using XML Security Gateways by Tim Bond] || Securing Web Services using XML Security Gateways || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:SwA_Acquisition_WG_-_Overview.ppt Software Assurance in the Acquisition Process by Stan Wisseman] || Software Assurance in the Acquisition Process || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_Legal_Aspects_Jos_Dumortier.zip Legal Aspects of (Web) Application Security by Jos Dumortier] || Legal Aspects of (Web) Application Security || Intermediate ||May 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_AppSec_Research_Lieven_Desmet.zip AppSec Research (University Leuven Belgium)] || Formal absence of implementation bugs in web applications: a case study on indirect data sharing by Lieven Desmet || Expert ||May 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[[:Image:Scanner-Sparkly.ppt|A Scanner Sparkly]] || A Scanner Sparkly, taken from the Phoenix OWASP presentations on Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]<br />
|- valign="top"<br />
|[[:Image:Owasp-lessonslearned.ppt|Grey Box Assessment Lessons Learned]] || "Grey Box Assessment Lessons Learned", taken from the Phoenix OWASP presentations, Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_OWASP_Update.zip OWASP Update and OWASP BeLux Board Presentation (Seba)] || OWASP Update and OWASP BeLux Board Presentation || Novice||May 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[[:Image:Security Metics- What can we measure- Zed Abbadi.pdf|Metics- What can we measure (Zed Abbadi)]] ||19 April NoVa chapter meeting presentation on Security Metrics || Novice ||April 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[[:Image:Web Services Hacking and Hardening.pdf| Web Services Hacking and Hardening (Adam Vincent)]] ||3/8/07 NoVA chapter meeting, Adam Vincent from Layer7 || Expert ||March 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/f/fe/Pres_20070206_04_svetsch_xss_worms_owasp.zip XSS Worms (Sven Vetsch)] || XSS Worms || Intermediate ||Feb 2007 || [[Switzerland|Switzerland]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_WebGoat-Pantera.zip WebGoat and Pantera presentation (Philippe Bogaerts)] || WebGoat and Pantera presentation || Novice || Jan 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_AOP_security.zip Security implications of AOP for secure software (Bart De Win)] || Security implications of AOP for secure software || Expert || Jan 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/1/12/OWASP_Denver_Nov-06_presentation.ppt testing for common security flaws (David Byrne)] || testing for common security flaws || Intermediate || Nov 2006 || [[Denver|Denver]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/7/7c/Owasp-olli.pdf 40-ish slides on analyzing threats (Olli)] || Analyzing Threats || Novice || Dec 2006 || [[Helsinki|Helsinki]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/2/2c/KC_Dec2006_Attacking_The_App.pdf Attacking the Application (Dave Ferguson)] || Vulnerabilities, attacks and coding suggestions || Intermediate || Dec 2006 || [[Kansas City|Kansas City]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/6/6a/KC_Dec2006_Ajax_Security_Concerns.pdf Ajax Security Concerns (Rohini Sulatycki)] || Ajax Security Concerns || Intermediate ||Dec 2006 || [[Kansas City|Kansas City]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/8/8c/Anatomy_of_2_Web_App_Testing.zip Anatomy of 2 Web Application Testing (Matteo Meucci)] || Anatomy of 2 Web Application Testing || Intermediate || Mar 2006 || [[Italy|Italy]]<br />
<br />
|- valign="top"<br />
<br />
|[https://www.owasp.org/images/9/99/WTE-Cloud-Austin-2012-02.pdf Testing From the Cloud: Is the Sky Falling?] || WTE Cloud-based Testing || Intermediate || Feb 2012 || [[Austin|Austin]]<br />
|- valign="top"<br />
<br />
|}</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_Education_Presentation&diff=229144OWASP Education Presentation2017-04-25T16:18:28Z<p>Timo Pagel: Add University Module "Security in Webapplication"</p>
<hr />
<div>This page provide a commented overview of the OWASP presentations available.<br><br />
Please use the last line of the tables as template.<br><br />
Presentions can be tracked through:<br />
* the [http://www.owasp.org/index.php/Category:OWASP_Presentations OWASP Presentations Category]<br />
* [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference Past OWASP Conference agenda's]<br />
* From the chapter pages<br />
Everybody is encouraged to link the presentations and add their findings on this page !<br />
There are currently hundreds of presentations all over the OWASP web site. <br />
If you search google with “site:owasp.org filetype:ppt” there are 166 hits. “site:owasp.org filetype:pdf” returns 76.<br />
Feel free to “mine” them and add them to the overview.<br />
<br />
== OWASP Education Presentations ==<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ OWASP Education Presentations<br />
! width="30%" |Title<br />
! width="40%" |Comment<br />
! width="15%" |Level<br />
! width="15%" |Date (2015-07-04)<br />
|-<br />
|[https://drive.google.com/open?id=0B2KKdB7MPO7xTEwtWkkwTnl5VFk Security in Webapplications]<br />
|University Module "Security in Webapplications" by Timo Pagel<br />
|Novice / Intermediate<br />
|2017-04-25<br />
|- valign="top"<br />
|[https://www.owasp.org/images/f/f2/LASCON_2015_-_Web_Application_Developer_Security_Training.pptx Web Application Developer Security Training]|| Secure Web App Development course by [[user:Jsokol | Josh Sokol]], [[user:Dancornell | Dan Cornell]] || Novice || 2015-10-21<br />
|- valign="top"<br />
|[https://www.owasp.org/index.php/Education/Free_Training Free Developer Training]|| Developer AppSec Course by [[Eoin Keary]] and [https://www.owasp.org/index.php/User:Jmanico Jim Manico] || Intermediate || 2014-04-04<br />
|- valign="top"<br />
|[[:Image:OWASP Overview Winter 2009v1.pptx|OWASP Overview Winter 2009]]|| Updated overview of OWASP || Novice || 2009-12-08<br />
|- valign="top"<br />
|[[:Image:Programa_de_Educacion_OWASP.ppt|Programa de Educacion OWASP]]|| Una introduccion a OWASP para Universidades y Centros Educativos por Fabio Cerullo|| Novice || 2009-03-20<br />
|- valign="top"<br />
|[[:Image:OWASP_Educational_Programme.ppt|OWASP Educational Programme]]|| An introduction to OWASP for Universities & Educational Institutions by Fabio Cerullo|| Novice || 2009-03-20<br />
|- valign="top"<br />
|[[:Image:OWASP Overview Summer 2009.pptx|OWASP Overview Summer 2009]]|| Recent overview of OWASP by Jeff Williams || Novice || 2009-08-25<br />
|- valign="top"<br />
|[[:Image:Education Module Why WebAppSec Matters.ppt|Why WebAppSec Matters]]|| This module explains why security should be considered when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:OWASP-Intro-2008-portuguese.ppt|OWASP Intro 2008 Portuguese]]|| Este módulo é uma intrudução sobre o projeto OWASP. || Novice || 2008-07-06<br />
|- valign="top"<br />
|[[:Image:Education Module OWASP Top 10 Introduction and Remedies.ppt|OWASP Top 10 Introduction and Remedies]]|| This module explains the OWASP Top 10 web application vulnerabilities as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:Education Module Embed within SDLC.ppt|Embed within SDLC]]|| This module explains the complete approach of Web Application Security when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:Education Module Good Secure Development Practices.ppt|Good Secure Development Practices]]|| This module explains some good secure development practices when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:Education Module Testing for Vulnerabilities.ppt|Testing for Vulnerabilities]]|| This module explains application security testing when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|[[:Image:Education Module Good WebAppSec Resources.ppt|Good WebAppSec Resources]]|| This module points you to some good web application security resources when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]] || Novice || 2007-11-01<br />
|- valign="top"<br />
|}<br />
,<br />
<br><br />
<br />
== OWASP Project Presentations ==<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ OWASP Project Presentations<br />
! width="30%" |Title<br />
! width="40%" |Comment<br />
! width="15%" |Level<br />
! width="15%" |Date (yyyy-mm-dd)<br />
|- valign="top"<br />
|[[:Image:Germany 2008 Conference OWASP Introduction v1.pptx|OWASP Introduction]] || OWASP Overview presentation covering OWASP, project parade and OWASP near you. Given by Seba during the Germany 2008 Conference || Novice || 2008-11-25<br />
|- valign="top"<br />
|[[:Image:OWASP Foundation The story so far and beyond - Part 1.ppt|India08 Keynote - Part 1]] || OWASP Overview presentation. Part 1 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16<br />
|- valign="top"<br />
|[[:Image:OWASP Foundation The story so far and beyond - Part 2.ppt|India08 Keynote - Part 2]] || OWASP Overview presentation. Part 2 of 2. Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16<br />
|- valign="top"<br />
|[[:Image:OWASP India - Tour of OWASP projects.ppt|Tour of OWASP’s projects]] || Given by Dinis and Jason during the India08 Conference || Novice || 2008-08-16<br />
|- valign="top"<br />
|[https://www.owasp.org/images/5/59/RISK_2008_OWASP_Introduction_v1.pptx OWASP @ RISK08 (Norway)] || OWASP introduction at Norway RISK2008 conference by Seba || Novice || 2008-04-23<br />
|- valign="top"<br />
|[[:Image:OWASP NY Keynote.ppt|OWASP NY Keynote by Jeff]] also available in [[:Image:20070620-FR-OWASP NY Keynote.ppt|French]]|| OWASP Overview presentation with slide "OWASP by the numbers" and slide with the sorry state of Tools (at best 45%) which caused some controverse || Novice || 2007-06-12<br />
|- valign="top"<br />
|[http://www.owasp.org/images/a/af/OWASP_Testing_Guide_Presentation.zip The OWASP Testing Guide (Jeff Williams)] || Overview of the OWASP Testing Guide || Novice || 2007-01-23<br />
|- valign="top"<br />
|[http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip The OWASP Testing Guide v2 EUSecWest07 (Matteo Meucci, Alberto Revelli)] || Presentation at EUSecWest07 || Intermediate || 2007-03-01<br />
|- valign="top"<br />
|[http://www.owasp.org/images/3/3c/OWASP_Flyer_Sep06.ppt OWASP Project Overview] || High level overview of projects and how OWASP works || Novice || 2006-09-19 <br />
|- valign="top"<br />
|[http://www.owasp.org/images/4/49/OWASPAppSec2006Seattle_Security_Metrics.ppt The OWASP Application Security Metrics Project (Bob Austin)] || Presentation on the Application Security Metrics project || Novice || 2006-10-17<br />
|- valign="top"<br />
|[http://www.owasp.org/images/5/53/OWASPAppSecEU2006_CLASP_Project.ppt OWASP CLASP Project (Pravir Chandra)] || OWASP CLASP project presentation given at the 2006 European AppSec conference || Novice || 2006-05-30<br />
|- valign="top"<br />
|[http://www.owasp.org/images/3/30/OWASPAppSec2006Seattle_UsingSprajaxToTestAJAXSecurity.ppt Sprajax (Dan Cornell)] || OWASP Sprajax presentation given at the 2006 Seattle AppSec conference || Intermediate || 2006-10-17<br />
|- valign="top"<br />
|}<br />
<br />
<br><br />
<br />
== OWASP Conference Presentations ==<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ OWASP Conference Presentations <br />
! width="30%" | Title<br />
! width="40%" | Comment<br />
! width="15%" | Level<br />
! width="15%" |Date (yyyy-mm-dd)<br />
<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan ModSecurityCoreRuleSet.ppt | Mod Security Core Rule Set (Ofer Shezaf)]] ||Ofer Shezaf's presentation on the Core Ruleset for the latest version of ModSecurity presented at 6th OWASP AppSec conference in Milan, Italy, in May 2007.|| Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan OWASPTestingGuide2v1.ppt | OWASP Testing Guide v2.1 (Matteo Meucci)]] ||Matteo Meucci's presentation on the OWASP Testing Guide v2 at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan CLASP.ppt | CLASP (Pravir Chandra)]] ||Pravir Chandra's presentation on the upcoming 2007 update to CLASP presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan AdvancedWebHacking.ppt | Advanced Web Hacking (PDP)]] ||PDPs presentation at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan XMLSecurityGatewayEvalCriteria.ppt | XML Security Gateway Evaluation Criteria (Gunnar Peterson)]] ||Gunnar Peterson's presentation about the new XML Security Gateway Evaluation Criteria project at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan TestingFlashApplications.ppt | Testing Flash Applications (Stephano Di Paolo)]] ||Stephano Di Paolo's presentation on how to test Flash applications presented at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert|| 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan OvertakingGoogleDesktop.ppt | Overtaking Google Desktop (Yair Amit)]] ||Yair Amit's presentation on XSS Flaws in Google Desktop that can be exploited through google.com presented at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Expert || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan MS ACETeamAppSecfromTheCore.ppt | ACE Team Application Security from the Core (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the Microsoft ACE team's application security process at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan Pantera.ppt | Pantera (Simon Roses Femerling)]] ||Simon Roses Femerling's presentation on the new OWASP tool Pantera at the 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan ProtectingWebAppsfromUniversalPDFXSS.ppt | Protecting Web applications from universal PDF XSS (Ivan Ristic)]] ||Ivan Ristic's Universal XSS PDF presentation at 6th OWASP AppSec conference in Milan, Italy in May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan SoftwareSecurity.ppt | Software Security (Rudolph Araujo)]] ||Rudolph Araujo's presentation on Application Security best practices at the 6th OWASP AppSec conference in Milan Italy, May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan WebGoatv5.ppt | WebGoat v5 (Dave Wichers)]] ||WebGoat v5 presentation by Dave Wichers at the 6th OWASP AppSec Conference in Milan, Italy, May 2007. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan WebScarabNG.ppt | WebScarab NG (Dave Wichers)]] ||Description of the new WebScarab-NG efforts presented by Dave Wichers at the 6th OWASP AppSec conference in Milan, Italy in May 2007.|| Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan SANS SPSA Initiative.ppt | SANS SPSA Initiative (Dave Wichers)]] ||Description of the SANS Secure Coding Exam Initiative presented by Dave Wichers at the 6th OWASP AppSec conference in Milan Italy, May 2007.|| Novice || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan OWASPItalyActivities.ppt | OWASP Italy Activities (Raoul Chiesa)]] ||Raoul Chiesa's keynote for day 2 of the 6th OWASP AppSec conference on the state of application security in Italy including OWASP's activities in that country.|| Novice || 2007-05-16<br />
|- valign="top"<br />
|[[:Image:OWASPAppSec2007Milan SecurityEngineeringInVista.ppt | Security engineering in Vista (Alex Lucas)]] ||Alex Lucas' from Microsoft's keynote presentation for Day 1 of the 6th OWASP AppSec conference in Milan on the benefits of Microsoft's SDL to the security of Vista. || Intermediate || 2007-05-16<br />
|- valign="top"<br />
|[http://www.owasp.org/images/5/5f/OWASPAppSec2006Seattle_SecurityEngineeringInVista.ppt How the Security Development Lifecycle(SDL) Improved Windows Vista (Michael Howard)] || Michael Howard's talk on SDL from the OWASP Seattle AppSec Conference in 2006 || Intermediate || 2006-10-18<br />
|- valign="top"<br />
|[http://www.owasp.org/images/3/34/OWASPAppSecEU2006_Bootstrapping_the_Application_Assurance_Process.ppt Bootstrapping the Application Assurance Process (Sebastien Deleersnyder)] || Presentation given during the European 2006 AppSec conference on the application assurance process || Novice || 2006-05-30<br />
|- valign="top"<br />
|[http://www.owasp.org/images/8/8b/OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt Inline Approach for Secure SOAP Requests and Early Validation (Mohammad Ashiqur Rahaman, Maartin Rits and Andreas Schaad SAP Research, Sophia Antipolis, France)] || Presentation given at the European 2006 AppSec conference about security and soap message structure issues || Intermediate || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/9/9c/OWASPAppSecEU2006_WAFs_WhenAreTheyUseful.ppt Web Application Firewalls:When Are They Useful? (Ivan Ristic)] || Presentation about Web Application Firewalls || Novice || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt HTTP Message Splitting, Smuggling and Other Animals (Amit Klein)] || A presentation about Message splitting other attacks around the HTTP protocol || Intermediate || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/f/f6/OWASPAppSec2006Seattle_WebAppForensics.ppt Web Application Incident Response & Forensics: A Whole New Ball Game! (Rohyt Belani & Chuck Willis)] || Talk about Web Application Security incident handling and forensics given at the OWASP 2006 Seattle AppSec conference || Intermediate || 2006-10-18<br />
|- valign="top"<br />
|[http://www.owasp.org/images/d/d2/OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10.ppt Can (Automated) Testing Tools Really Find the OWASP Top 10? (Erwin Geirnaert)] || A talk about how automated testing tools stack up against the OWASP top 10 || Intermediate || 2006-05-30<br />
|- valign="top"<br />
|[http://www.owasp.org/images/2/28/OWASPAppSecEU2006_RequestRodeo.ppt RequestRodeo: Client Side Protection against Session Riding (Martin Johns / Justus Winter)] || Presentation given about how Sessions can be hi-jacked, etc... || Novice || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/6/62/OWASPAppSecEU2006_SecurityTestingthruAutomatedSWTests.ppt Security Testing through Automated Software Tests (Stephen de Vries)] || Presentation given at the 2006 EuSec conference || Intermediate || 2006-05-31<br />
|- valign="top"<br />
|[http://www.owasp.org/images/0/0e/AppSec2005DC-Jeremy_Poteet-In_the_Line_of_Fire.ppt In the Line of Fire: Defending Highly Visible Targets (Jeremy Poteet)] || Conference given at the 2005 DC AppSec conference || Novice || 2005-10-1<br />
|- valign="top"<br />
|[http://www.owasp.org/images/9/93/AppSec2005DC-Matt_Fisher-Google_Hacking_and_Worms.ppt Google Hacking and Web Application Worms (Matt Fisher)] || Talk given at the 2005 DC AppSec conference || Novice || 2005-10-01<br />
|- valign="top"<br />
|[http://www.owasp.org/images/0/05/AppSec2005DC-Anthony_Canike-Enterprise_AppSec_Program.ppt Establishing an Enterprise Application Security Program (Tony Canike)] || Talk given at the 2005 DC AppSec Conference || Novice || 2005-10-01<br />
|- valign="top"<br />
|[https://owasp.org/images/0/0d/OWASPAppSec2006Seattle_Why_AJAX_Applications_More_Likely_Insecure.ppt Why AJAX Applications Are Far More Likely To Be Insecure (And What To Do About It) (Dave Wichers)] || Dave's talk on AJAX given at the Seattle 2006 AppSec conference || Intermediate || 2006-10-01<br />
|- valign="top"<br />
|}<br />
<br />
<br><br />
<br />
== Web Application Security Presentations ==<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ Web Application Security Presentations <br />
! width="30%" |Title<br />
! width="40%" |Comment<br />
! width="15%" |Level<br />
! width="15%" |Date (yyyy-mm-dd)<br />
|- valign="top"<br />
|[[:Image:Protecting Web Applications from Universal PDF XSS.ppt| Universal PDF XSS by Ivan Ristic]] || Protecting Web Applications from Universal PDF XSS || Intermediate || 2007-06-28<br />
|- valign="top"<br />
|[[:Image:IdM-OWASP.v.0.2.14.pdf|Identity Management Basics (Derek Brown)]] ||Identity Management Basics|| Novice || 2007-05-09<br />
|- valign="top"<br />
|[[http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt Advanced SQL Injection (Victor Chapela)] || Detailed methodology for analyzing applications for SQL injection vulnerabilities || Expert || 2005-11-04<br />
|- valign="top"<br />
|[[http://www.owasp.org/images/7/7d/Advanced_Topics_on_SQL_Injection_Protection.ppt Advanced Topics on SQL Injection Protection (Sam NG)] || 7 methods to prevent SQL injection attacks correctly and in a more integrated approach. Methods 1 to 3 are applicable during design or development life cycle. Method 4 is mainly from QA’s perspective. Methods 5 and 6 can be applied to production environment and are applicable even if you do not have access to or if you cannot change the source code. Other non-main stream technology are discussed in Method 7. || Intermediate || 2006-02-27<br />
|- valign="top"<br />
|[[http://www.owasp.org/images/d/d1/AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt Attacking Web Services (Alex Stamos)] || Web Services Introduction and Attacks || Intermediate || 2005-10-11<br />
|- valign="top"<br />
|[http://www.owasp.org/images/7/72/MMS_Spoofing.ppt MMS Spoofing (Matteo Meucci)] || A Case-study of a vulnerable web application || Intermediate<br />
|- valign="top"<br />
|[http://www.owasp.org/images/f/f9/OWASPAppSecEU2006_AJAX_Security.ppt Ajax Security (Andrew van der Stock)] || Presentation on Ajax security for OWASP AppSec Europe 2006 || Intermediate || 2006-05-30<br />
|- valign="top"<br />
|[http://www.owasp.org/images/3/3a/OWASPAppSec2006Seattle_Web_Services_Security.ppt Advanced Web Services Security & Hacking (Justin Derry)] || Presentation given on Webservice security at the Seattle 2006 AppSec conference || Intermediate || 2006-10-18<br />
|- valign="top"<br />
|[http://www.owasp.org/images/f/f6/Integration_into_the_SDLC.ppt Integration into the SDLC (Eoin Keary)] || A presentation about why and how to integrate the SDLC. || Novice || 2005-04-09<br />
|- valign="top"<br />
|}<br />
<br />
<br><br />
<br />
== Chapter Presentations ==<br />
[[Category:OWASP Education Project]]<br />
[[Category:OWASP Presentations]]<br />
[[Category:Chapter Resources]]<br />
{| class="wikitable sortable" style="text-align: top;" border="1" cellpadding="2"<br />
|+ Chapter Presentations<br />
! width="30%" |Title<br />
! width="30%" |Comment<br />
! width="10%" |Level<br />
! width="10%" |Month (Mon-yyyy)<br />
! width="10%" |Chapter<br />
<br />
|- valign="top"<br />
|[[:Image:Common_Application_Flaws.ppt| Common Application Flaws (Brett Moore)]] ||OWASP New Zealand chapter presentation on Common Application Flaws|| Novice/Intermediate ||November 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Time_Based_SQL_Injections.ppt| Time Based SQL Injections (Muhaimin Dzulfakar)]] ||OWASP New Zealand chapter presentation on Time Based SQL Injections|| Intermediate ||September 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Browser_security.ppt| Browser Security (Roberto Suggi Liverani)]] ||OWASP New Zealand chapter presentation on Browser Security|| Intermediate ||September 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:OWASP_CMH_SQLInjection__20080707.zip| 7/7/2008 SQL Injection (Columbus, OH)]] || SQL Injection Presentation given at the Columbus, OH OWASP Chapter Meeting. Powerpoint, derby DB, and applicable java code. || Novice / Intermediate || July 2008 || [[Columbus]]<br />
|- valign="top"<br />
|[[:Image:OWASP_ellak-Greece.ppt| Detecting Web Application Vulnerabilities Using Open Source Means (Konstantinos Papapanagiotou)]] ||OWASP Greek Chapter presentation given at the Open Source Software (FLOSS) Conference in Athens|| Novice ||May 2008 || [[Greece]]<br />
|- valign="top"<br />
|[[:Image:Hacking_The_World_With_Flash.ppt| Hacking The World With Flash (Paul Craig)]] ||OWASP New Zealand chapter presentation on Flash security|| Intermediate ||April 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Web_spam_techniques.ppt| Web Spam Techniques (Roberto Suggi Liverani)]] ||OWASP New Zealand chapter presentation on Web Spam Techniques|| Intermediate ||April 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Xpath_Injection.ppt| Xpath Injection Overview (Roberto Suggi Liverani)]] ||OWASP New Zealand chapter presentation on Xpath Injection|| Intermediate ||February 2008 || [[New Zealand]]<br />
|- valign="top"<br />
|[[:Image:Owasp security4mobileJava.pdf| Dependability for Java Mobile Code (Pierre Parrend)]] ||OWASP Swiss chapter presentation on Mobile Java Security || Expert ||July 2007 || [[Switzerland]]<br />
|- valign="top"<br />
|[[:Image:Trust Security Usability - v1.0.pdf|Trust, Security and Usability (Roger Carhuatocto) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]<br />
|- valign="top"<br />
|[[:Image:OWASP-tratamiento_de_datos.pdf|Tratamiento seguro de datos en aplicaciones in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]<br />
|- valign="top"<br />
|[[:Image:Conferencia_OWASP.pdf|Ataques DoS en aplicaciones Web (Jaime Blasco Bermejo) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]<br />
|- valign="top"<br />
|[[:Image:Seguridad en entornos financieros.pdf|Seguridad en entornos financierosPedro (Pedro Sánchez) in Spanish]]||OWASP Spain chapter meeting (July'07) || Intermediate ||July 2007 || [[Spain]]<br />
|- valign="top"<br />
|[[:Image:Java_Open_Review.ppt|Brian Chess from Fortify shared what's going on with the Java Open Source review project at the June NoVA OWASP meeting]] || Java Open Review || Intermediate ||June 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[[:Image:Bytecode_injection.ppt|Brian Chess from Fortify, presentation to NoVA OWASP chapter in June 2007.]] || Bytecode injection || Expert ||June 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[[:Image:Security at the VMM Layer - OWASP.ppt|Security at the VMM Layer by Ted Winograd]] || Security at the VMM Layer || Expert ||June 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[[:Image:KC June 2007 Evaluating and Tuning WAFs.pdf|Evaluating and Tuning Web Application Firewalls (Barry Archer)]] ||Presentation given at Kansas City June 2007 chapter meeting|| Intermediate ||June 2007 || [[Kansas City]]<br />
|- valign="top"<br />
|[[:Image:OWASP_SDL-IT.pdf|Microsoft Security Development Lifecycle for IT (Rob Labbé)]] ||Presentation by Rob Labbe at Ottawa OWASP Chapter|| Novice ||May 2007|| [[Ottawa]]<br />
|- valign="top"<br />
|[[:Image:OWASP_IL_7_Application_DOS.pdf|Application Denial of Service (Shaayy Cheen)]] ||Is it Really That Easy? Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP_IL_7_FuzzGuru.pdf|Fuzzing in Microsoft and FuzzGuru framework (John Neystadt)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP_IL_7_AppSec_and_Beyond.pdf|Application Security, not just development (David Lewis)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 Overtaking Google Desktop.pdf|Overtaking Google Desktop, Leveraging XSS to Raise Havoc (Yair Amit)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 UnregisterAttackInSip.pdf|Unregister Attack in SIP (Anat Bremler-Barr, Ronit Halachmi-Bekel and Jussi Kangasharju)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 WAF Positive Security.pdf|Positive Security Model for Web Applications, Challenges and Promise (Ofer Shezaf)]] ||Presentation given at the Israel Mini Conference in May 2007|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 DOT NET Reverse Engineering.pdf|.NET Reverse Engineering (Erez Metula)]] ||Presentation given at the Israel Mini Conference in May 2007|| Expert ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP IL 7 OWASP Introduction.pdf|OWASP introduction (Ofer Shezaf)]] ||2nd OWASP IL mini conference at the Interdisciplinary Center (IDC) Herzliya|| Intermediate ||May 2007 || [[Israel]]<br />
|- valign="top"<br />
|[[:Image:OWASP BeLux 2007-06-22 Update on Internet Attack Statistics for Belgium in 2006.ppt|Update on Internet Attack Statistics for Belgium in 2006 by Hilar Leoste (Zone-H)]] || Update on Internet Attack Statistics for Belgium in 2006 || Novice ||May 2007 || [[Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:InfoSec_World_2007_-_Web_services_gateways.ppt Securing Web Services using XML Security Gateways by Tim Bond] || Securing Web Services using XML Security Gateways || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:SwA_Acquisition_WG_-_Overview.ppt Software Assurance in the Acquisition Process by Stan Wisseman] || Software Assurance in the Acquisition Process || Intermediate ||May 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_Legal_Aspects_Jos_Dumortier.zip Legal Aspects of (Web) Application Security by Jos Dumortier] || Legal Aspects of (Web) Application Security || Intermediate ||May 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_AppSec_Research_Lieven_Desmet.zip AppSec Research (University Leuven Belgium)] || Formal absence of implementation bugs in web applications: a case study on indirect data sharing by Lieven Desmet || Expert ||May 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[[:Image:Scanner-Sparkly.ppt|A Scanner Sparkly]] || A Scanner Sparkly, taken from the Phoenix OWASP presentations on Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]<br />
|- valign="top"<br />
|[[:Image:Owasp-lessonslearned.ppt|Grey Box Assessment Lessons Learned]] || "Grey Box Assessment Lessons Learned", taken from the Phoenix OWASP presentations, Application Security Tools, May 2007 || Intermediate ||May 2007 || [[Phoenix]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BeLux_2007-05-10_OWASP_Update.zip OWASP Update and OWASP BeLux Board Presentation (Seba)] || OWASP Update and OWASP BeLux Board Presentation || Novice||May 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[[:Image:Security Metics- What can we measure- Zed Abbadi.pdf|Metics- What can we measure (Zed Abbadi)]] ||19 April NoVa chapter meeting presentation on Security Metrics || Novice ||April 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[[:Image:Web Services Hacking and Hardening.pdf| Web Services Hacking and Hardening (Adam Vincent)]] ||3/8/07 NoVA chapter meeting, Adam Vincent from Layer7 || Expert ||March 2007 || [[Virginia (Northern Virginia)]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/f/fe/Pres_20070206_04_svetsch_xss_worms_owasp.zip XSS Worms (Sven Vetsch)] || XSS Worms || Intermediate ||Feb 2007 || [[Switzerland|Switzerland]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip OWASP Update (Seba)] || OWASP Update || Novice||Jan 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_WebGoat-Pantera.zip WebGoat and Pantera presentation (Philippe Bogaerts)] || WebGoat and Pantera presentation || Novice || Jan 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_AOP_security.zip Security implications of AOP for secure software (Bart De Win)] || Security implications of AOP for secure software || Expert || Jan 2007 || [[Belgium|Belgium]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/1/12/OWASP_Denver_Nov-06_presentation.ppt testing for common security flaws (David Byrne)] || testing for common security flaws || Intermediate || Nov 2006 || [[Denver|Denver]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/7/7c/Owasp-olli.pdf 40-ish slides on analyzing threats (Olli)] || Analyzing Threats || Novice || Dec 2006 || [[Helsinki|Helsinki]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/2/2c/KC_Dec2006_Attacking_The_App.pdf Attacking the Application (Dave Ferguson)] || Vulnerabilities, attacks and coding suggestions || Intermediate || Dec 2006 || [[Kansas City|Kansas City]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/6/6a/KC_Dec2006_Ajax_Security_Concerns.pdf Ajax Security Concerns (Rohini Sulatycki)] || Ajax Security Concerns || Intermediate ||Dec 2006 || [[Kansas City|Kansas City]]<br />
|- valign="top"<br />
|[http://www.owasp.org/images/8/8c/Anatomy_of_2_Web_App_Testing.zip Anatomy of 2 Web Application Testing (Matteo Meucci)] || Anatomy of 2 Web Application Testing || Intermediate || Mar 2006 || [[Italy|Italy]]<br />
<br />
|- valign="top"<br />
<br />
|[https://www.owasp.org/images/9/99/WTE-Cloud-Austin-2012-02.pdf Testing From the Cloud: Is the Sky Falling?] || WTE Cloud-based Testing || Intermediate || Feb 2012 || [[Austin|Austin]]<br />
|- valign="top"<br />
<br />
|}</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=User:Timo_Pagel&diff=225754User:Timo Pagel2017-01-31T08:24:34Z<p>Timo Pagel: </p>
<hr />
<div>Timo Pagel is a DevOps engineer with passion in web application security.</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Training_Project&diff=211314OWASP PHP Security Training Project2016-03-17T13:44:34Z<p>Timo Pagel: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP PHP Security Training Project==<br />
<br />
OWASP PHP Security Training Project is...<br />
<br />
==Introduction==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided in an attack and a defense part.<br />
<br />
<br />
<br />
==Description==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit shall be divided in an attack and a defense part. When working through the attack part, the developers will have to strike against a vulnerable application. Through this, they will learn to <br />
think like a hacker. Weaknesses to detect and exploit might be XSS, CSRF or SQL Injection, which are listed in the OWASP top 10. While viewing the defense part, the user shall be introduced to securing the vulnerable application, for example by safeguarding the code.<br />
<br />
<br />
==Licensing==<br />
OWASP PHP Security Training Project is free to use. It is licensed under the GNU GPL v3 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is PHP Security Training ==<br />
<br />
OWASP PHP Security Training Project provides:<br />
<br />
* VirtualBox-Machine<br />
* Debian Package<br />
<br />
<br />
== Informations ==<br />
Paper: http://files.timo-pagel.de/php-security-trainig-system/paper.pdf<br />
Poster: http://files.timo-pagel.de/php-security-trainig-system/poster2.pdf<br />
Presentation: http://files.timo-pagel.de/vortraege/security/phpug_php_security_training_system.pdf (German)<br />
<br />
== Project Leader ==<br />
<br />
[mailto:timo.pagel@owasp.org Timo Pagel]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* http://files.timo-pagel.de/php-security-trainig-system/<br />
<br />
== Source Code ==<br />
<br />
* https://bitbucket.org/tpagel/php-security-training-system<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_php_security_training_project Sign up]<br />
<br />
== News and Events ==<br />
* [21 Jan 2015] Poster and Paper is available.<br />
<br />
== In Print ==<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; How to install OWASP PSeTS?<br />
<pre>wget http://files.timo-pagel.de/php-security-trainig-system/php-security-training-system-vagrant.tar<br />
tar xfv php-security-training-system-vagrant.tar<br />
cd vagrant/<br />
vagrant plugin install vagrant-hostsupdater<br />
vagrant up<br />
goto http://guidesystem.local/ in your browser<br />
</pre><br />
; In which languages is OWASP PSeTS translated?<br />
: So far, it is only available in German.<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* xxx<br />
* xxx<br />
<br />
==Others==<br />
* xxx<br />
* xxx<br />
<br />
= Road Map and Getting Involved =<br />
As of July, the priorities are:<br />
*Internationalization of existing units <br />
*UnitTests<br />
*Enhancement of existing units<br />
*Creation of more units<br />
*Java integration<br />
*Error message: Enhance details<br />
*Point system<br />
*Track clicks on the help button/solution to asses the quality of a unit<br />
*Possibility to reset single units<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_PHP_Security_Training_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Training_Project&diff=211231OWASP PHP Security Training Project2016-03-16T13:40:54Z<p>Timo Pagel: Add setup and language info to FAQ</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP PHP Security Training Project==<br />
<br />
OWASP PHP Security Training Project is...<br />
<br />
==Introduction==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided in an attack and a defense part.<br />
<br />
<br />
<br />
==Description==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit shall be divided in an attack and a defense part. When working through the attack part, the developers will have to strike against a vulnerable application. Through this, they will learn to <br />
think like a hacker. Weaknesses to detect and exploit might be XSS, CSRF or SQL Injection, which are listed in the OWASP top 10. While viewing the defense part, the user shall be introduced to securing the vulnerable application, for example by safeguarding the code.<br />
<br />
<br />
==Licensing==<br />
OWASP PHP Security Training Project is free to use. It is licensed under the GNU GPL v3 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is PHP Security Training ==<br />
<br />
OWASP PHP Security Training Project provides:<br />
<br />
* VirtualBox-Machine<br />
* Debian Package<br />
<br />
<br />
== Informations ==<br />
Paper: http://files.timo-pagel.de/php-security-trainig-system/paper.pdf<br />
Poster: http://files.timo-pagel.de/php-security-trainig-system/poster2.pdf<br />
Presentation: http://files.timo-pagel.de/vortraege/security/phpug_php_security_training_system.pdf (German)<br />
<br />
== Project Leader ==<br />
<br />
[mailto:timo.pagel@owasp.org Timo Pagel]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* http://files.timo-pagel.de/php-security-trainig-system/<br />
<br />
== Source Code ==<br />
<br />
* https://bitbucket.org/tpagel/php-security-training-system<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_php_security_training_project Sign up]<br />
<br />
== News and Events ==<br />
* [21 Jan 2015] Poster and Paper is available.<br />
<br />
== In Print ==<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; How to install OWASP PSeTS?<br />
<pre>wget http://files.timo-pagel.de/php-security-trainig-system/php-security-training-system-vagrant.tar<br />
cd vagrant/<br />
tar xfvz php-security-training-system-vagrant.tar<br />
vagrant plugin install vagrant-hostsupdater<br />
vagrant up<br />
goto http://guidesystem.local/ in your browser<br />
</pre><br />
; In which languages is OWASP PSeTS translated?<br />
: So far, it is only available in German.<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* xxx<br />
* xxx<br />
<br />
==Others==<br />
* xxx<br />
* xxx<br />
<br />
= Road Map and Getting Involved =<br />
As of July, the priorities are:<br />
*Internationalization of existing units <br />
*UnitTests<br />
*Enhancement of existing units<br />
*Creation of more units<br />
*Java integration<br />
*Error message: Enhance details<br />
*Point system<br />
*Track clicks on the help button/solution to asses the quality of a unit<br />
*Possibility to reset single units<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_PHP_Security_Training_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Training_Project&diff=188330OWASP PHP Security Training Project2015-01-21T11:10:56Z<p>Timo Pagel: Add poster/paper</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP PHP Security Training Project==<br />
<br />
OWASP PHP Security Training Project is...<br />
<br />
==Introduction==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided in an attack and a defense part.<br />
<br />
<br />
<br />
==Description==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit shall be divided in an attack and a defense part. When working through the attack part, the developers will have to strike against a vulnerable application. Through this, they will learn to <br />
think like a hacker. Weaknesses to detect and exploit might be XSS, CSRF or SQL Injection, which are listed in the OWASP top 10. While viewing the defense part, the user shall be introduced to securing the vulnerable application, for example by safeguarding the code.<br />
<br />
<br />
==Licensing==<br />
OWASP PHP Security Training Project is free to use. It is licensed under the GNU GPL v3 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is PHP Security Training ==<br />
<br />
OWASP PHP Security Training Project provides:<br />
<br />
* VirtualBox-Machine<br />
* Debian Package<br />
<br />
<br />
== Informations ==<br />
Paper: http://files.timo-pagel.de/php-security-trainig-system/paper.pdf<br />
Poster: http://files.timo-pagel.de/php-security-trainig-system/poster2.pdf<br />
Presentation: http://files.timo-pagel.de/vortraege/security/phpug_php_security_training_system.pdf (German)<br />
<br />
== Project Leader ==<br />
<br />
[mailto:timo.pagel@owasp.org Timo Pagel]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* http://files.timo-pagel.de/php-security-trainig-system/<br />
<br />
== Source Code ==<br />
<br />
* https://bitbucket.org/tpagel/php-security-training-system<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_php_security_training_project Sign up]<br />
<br />
== News and Events ==<br />
* [21 Jan 2015] Poster and Paper is available.<br />
<br />
== In Print ==<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1<br />
: A1<br />
<br />
; Q2<br />
: A2<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* xxx<br />
* xxx<br />
<br />
==Others==<br />
* xxx<br />
* xxx<br />
<br />
= Road Map and Getting Involved =<br />
As of July, the priorities are:<br />
*Internationalization of existing units <br />
*UnitTests<br />
*Enhancement of existing units<br />
*Creation of more units<br />
*Java integration<br />
*Error message: Enhance details<br />
*Point system<br />
*Track clicks on the help button/solution to asses the quality of a unit<br />
*Possibility to reset single units<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_PHP_Security_Training_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Training_Project&diff=177214OWASP PHP Security Training Project2014-06-18T12:34:37Z<p>Timo Pagel: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP PHP Security Training Project==<br />
<br />
OWASP PHP Security Training Project is...<br />
<br />
==Introduction==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided in an attack and a defense part.<br />
<br />
<br />
<br />
==Description==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit shall be divided in an attack and a defense part. When working through the attack part, the developers will have to strike against a vulnerable application. Through this, they will learn to <br />
think like a hacker. Weaknesses to detect and exploit might be XSS, CSRF or SQL Injection, which are listed in the OWASP top 10. While viewing the defense part, the user shall be introduced to securing the vulnerable application, for example by safeguarding the code.<br />
<br />
<br />
==Licensing==<br />
OWASP PHP Security Training Project is free to use. It is licensed under the GNU GPL v3 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is PHP Security Training ==<br />
<br />
OWASP PHP Security Training Project provides:<br />
<br />
* VirtualBox-Machine<br />
* Debian Package<br />
<br />
<br />
== Presentation ==<br />
http://files.timo-pagel.de/vortraege/security/phpug_php_security_training_system.pdf (German)<br />
<br />
<br />
<br />
== Project Leader ==<br />
<br />
[mailto:timo.pagel@owasp.org Timo Pagel]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* http://files.timo-pagel.de/php-security-trainig-system/<br />
<br />
== Source Code ==<br />
<br />
* https://bitbucket.org/tpagel/php-security-training-system<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_php_security_training_project Sign up]<br />
<br />
== News and Events ==<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1<br />
: A1<br />
<br />
; Q2<br />
: A2<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* xxx<br />
* xxx<br />
<br />
==Others==<br />
* xxx<br />
* xxx<br />
<br />
= Road Map and Getting Involved =<br />
As of July, the priorities are:<br />
*Internationalization of existing units <br />
*UnitTests<br />
*Enhancement of existing units<br />
*Creation of more units<br />
*Java integration<br />
*Error message: Enhance details<br />
*Point system<br />
*Track clicks on the help button/solution to asses the quality of a unit<br />
*Possibility to reset single units<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_PHP_Security_Training_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Training_Project&diff=177213OWASP PHP Security Training Project2014-06-18T12:31:03Z<p>Timo Pagel: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP PHP Security Training Project==<br />
<br />
OWASP PHP Security Training Project is...<br />
<br />
==Introduction==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided in an attack and a defense part.<br />
<br />
<br />
<br />
==Description==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit shall be divided in an attack and a defense part. When working through the attack part, the developers will have to strike against a vulnerable application. Through this, they will learn to <br />
think like a hacker. Weaknesses to detect and exploit might be XSS, CSRF or SQL Injection, which are listed in the OWASP top 10. While viewing the defense part, the user shall be introduced to securing the vulnerable application, for example by safeguarding the code.<br />
<br />
<br />
==Licensing==<br />
OWASP PHP Security Training Project is free to use. It is licensed under the GNU GPL v3 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is PHP Security Training ==<br />
<br />
OWASP PHP Security Training Project provides:<br />
<br />
* VirtualBox-Machine<br />
* Debian Package<br />
<br />
<br />
== Presentation ==<br />
http://files.timo-pagel.de/vortraege/security/phpug_php_security_training_system.pdf (German)<br />
<br />
<br />
<br />
== Project Leader ==<br />
<br />
[mailto:timo.pagel@owasp.org Timo Pagel]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* http://files.timo-pagel.de/php-security-trainig-system/<br />
<br />
== Source Code ==<br />
<br />
* https://bitbucket.org/tpagel/php-security-training-system<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_php_security_training_project Sign up]<br />
<br />
== News and Events ==<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1<br />
: A1<br />
<br />
; Q2<br />
: A2<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* xxx<br />
* xxx<br />
<br />
==Others==<br />
* xxx<br />
* xxx<br />
<br />
= Road Map and Getting Involved =<br />
As of July, the priorities are:<br />
*Internationalization of existing units <br />
*UnitTests<br />
*Enhancement of existing units<br />
*Creation of more unints<br />
*Java integration<br />
*Error message: Enhance details<br />
*Point system<br />
*Track clicks on the help button/solution to measure and enhance quality<br />
*Possibility to reset single units<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_PHP_Security_Training_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Training_Project&diff=176901OWASP PHP Security Training Project2014-06-14T12:58:41Z<p>Timo Pagel: Enhance TODO-List</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP PHP Security Training Project==<br />
<br />
OWASP PHP Security Training Project is...<br />
<br />
==Introduction==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided in an attack and a defense part.<br />
<br />
<br />
<br />
==Description==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit shall be divided in an attack and a defense part. When working through the attack part, the developers will have to strike against a vulnerable application. Through this, they will learn to <br />
think like a hacker. Weaknesses to detect and exploit might be XSS, CSRF or SQL Injection, which are listed in the OWASP top 10. While viewing the defense part, the user shall be introduced to securing the vulnerable application, for example by safeguarding the code.<br />
<br />
<br />
==Licensing==<br />
OWASP PHP Security Training Project is free to use. It is licensed under the GNU GPL v3 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is PHP Security Training ==<br />
<br />
OWASP PHP Security Training Project provides:<br />
<br />
* VirtualBox-Machine<br />
* Debian Package<br />
<br />
<br />
== Presentation ==<br />
http://files.timo-pagel.de/vortraege/security/phpug_php_security_training_system.pdf (German)<br />
<br />
<br />
<br />
== Project Leader ==<br />
<br />
[mailto:timo.pagel@owasp.org Timo Pagel]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* http://files.timo-pagel.de/php-security-trainig-system/<br />
<br />
== Source Code ==<br />
<br />
* https://bitbucket.org/tpagel/php-security-training-system<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_php_security_training_project Sign up]<br />
<br />
== News and Events ==<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1<br />
: A1<br />
<br />
; Q2<br />
: A2<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* xxx<br />
* xxx<br />
<br />
==Others==<br />
* xxx<br />
* xxx<br />
<br />
= Road Map and Getting Involved =<br />
As of July, the priorities are:<br />
*Internationalization of existing units <br />
*UnitTests<br />
*Enhancement of existing units<br />
*Creation of more unints<br />
*Java integration<br />
*Error message: Enhance details<br />
*Point system<br />
*Track clicks on the help button/solution to measure and enhance quality<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_PHP_Security_Training_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Training_Project&diff=176103OWASP PHP Security Training Project2014-05-30T21:42:52Z<p>Timo Pagel: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP PHP Security Training Project==<br />
<br />
OWASP PHP Security Training Project is...<br />
<br />
==Introduction==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided in an attack and a defense part.<br />
<br />
<br />
<br />
==Description==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit shall be divided in an attack and a defense part. When working through the attack part, the developers will have to strike against a vulnerable application. Through this, they will learn to <br />
think like a hacker. Weaknesses to detect and exploit might be XSS, CSRF or SQL Injection, which are listed in the OWASP top 10. While viewing the defense part, the user shall be introduced to securing the vulnerable application, for example by safeguarding the code.<br />
<br />
<br />
==Licensing==<br />
OWASP PHP Security Training Project is free to use. It is licensed under the GNU GPL v3 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is PHP Security Training ==<br />
<br />
OWASP PHP Security Training Project provides:<br />
<br />
* VirtualBox-Machine<br />
* Debian Package<br />
<br />
<br />
== Presentation ==<br />
http://files.timo-pagel.de/vortraege/security/phpug_php_security_training_system.pdf (German)<br />
<br />
<br />
<br />
== Project Leader ==<br />
<br />
[mailto:timo.pagel@owasp.org Timo Pagel]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* http://files.timo-pagel.de/php-security-trainig-system/<br />
<br />
== Source Code ==<br />
<br />
* https://bitbucket.org/tpagel/php-security-training-system<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_php_security_training_project Sign up]<br />
<br />
== News and Events ==<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1<br />
: A1<br />
<br />
; Q2<br />
: A2<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* xxx<br />
* xxx<br />
<br />
==Others==<br />
* xxx<br />
* xxx<br />
<br />
= Road Map and Getting Involved =<br />
As of May, the priorities are:<br />
*Internationalization of existing units <br />
*Enhancement of existing units<br />
*Creation of more unints<br />
<br />
Involvement in the development and promotion of PHP Security Training is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* xxx<br />
* xxx<br />
<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_PHP_Security_Training_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Training_Project&diff=176102OWASP PHP Security Training Project2014-05-30T21:42:35Z<p>Timo Pagel: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP PHP Security Training Project==<br />
<br />
OWASP PHP Security Training Project is...<br />
<br />
==Introduction==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided in an attack and a defense part.<br />
<br />
<br />
<br />
==Description==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit shall be divided in an attack and a defense part. When working through the attack part, the developers will have to strike against a vulnerable application. Through this, they will learn to <br />
think like a hacker. Weaknesses to detect and exploit might be XSS, CSRF or SQL Injection, which are listed in the OWASP top 10. While viewing the defense part, the user shall be introduced to securing the vulnerable application, for example by safeguarding the code.<br />
<br />
<br />
==Licensing==<br />
OWASP PHP Security Training Project is free to use. It is licensed under the GNU GPL v3 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is PHP Security Training ==<br />
<br />
OWASP PHP Security Training Project provides:<br />
<br />
* VirtualBox-Machine<br />
* Debian Package<br />
<br />
<br />
== Presentation ==<br />
<br />
Link to presentation<br />
http://files.timo-pagel.de/vortraege/security/phpug_php_security_training_system.pdf<br />
<br />
<br />
<br />
== Project Leader ==<br />
<br />
[mailto:timo.pagel@owasp.org Timo Pagel]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* http://files.timo-pagel.de/php-security-trainig-system/<br />
<br />
== Source Code ==<br />
<br />
* https://bitbucket.org/tpagel/php-security-training-system<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_php_security_training_project Sign up]<br />
<br />
== News and Events ==<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1<br />
: A1<br />
<br />
; Q2<br />
: A2<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* xxx<br />
* xxx<br />
<br />
==Others==<br />
* xxx<br />
* xxx<br />
<br />
= Road Map and Getting Involved =<br />
As of May, the priorities are:<br />
*Internationalization of existing units <br />
*Enhancement of existing units<br />
*Creation of more unints<br />
<br />
Involvement in the development and promotion of PHP Security Training is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* xxx<br />
* xxx<br />
<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_PHP_Security_Training_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Training_Project&diff=175713OWASP PHP Security Training Project2014-05-24T07:48:48Z<p>Timo Pagel: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP PHP Security Training Project==<br />
<br />
OWASP PHP Security Training Project is...<br />
<br />
==Introduction==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided in an attack and a defense part.<br />
<br />
<br />
<br />
==Description==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit shall be divided in an attack and a defense part. When working through the attack part, the developers will have to strike against a vulnerable application. Through this, they will learn to <br />
think like a hacker. Weaknesses to detect and exploit might be XSS, CSRF or SQL Injection, which are listed in the OWASP top 10. While viewing the defense part, the user shall be introduced to securing the vulnerable application, for example by safeguarding the code.<br />
<br />
<br />
==Licensing==<br />
OWASP PHP Security Training Project is free to use. It is licensed under the GNU GPL v3 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is PHP Security Training ==<br />
<br />
OWASP PHP Security Training Project provides:<br />
<br />
* VirtualBox-Machine<br />
* Debian Package<br />
<br />
<br />
== Presentation ==<br />
<br />
Link to presentation<br />
<br />
<br />
<br />
<br />
== Project Leader ==<br />
<br />
[mailto:timo.pagel@owasp.org Timo Pagel]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* http://files.timo-pagel.de/php-security-trainig-system/<br />
<br />
== Source Code ==<br />
<br />
* https://bitbucket.org/tpagel/php-security-training-system<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_php_security_training_project Sign up]<br />
<br />
== News and Events ==<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1<br />
: A1<br />
<br />
; Q2<br />
: A2<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* xxx<br />
* xxx<br />
<br />
==Others==<br />
* xxx<br />
* xxx<br />
<br />
= Road Map and Getting Involved =<br />
As of May, the priorities are:<br />
*Internationalization of existing units <br />
*Enhancement of existing units<br />
*Creation of more unints<br />
<br />
Involvement in the development and promotion of PHP Security Training is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* xxx<br />
* xxx<br />
<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_PHP_Security_Training_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Training_Project&diff=175712OWASP PHP Security Training Project2014-05-24T07:47:28Z<p>Timo Pagel: Add rep. and download</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP PHP Security Training Project==<br />
<br />
OWASP PHP Security Training Project is...<br />
<br />
==Introduction==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided in an attack and a defense part.<br />
<br />
<br />
<br />
==Description==<br />
<br />
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit shall be divided in an attack and a defense part. When working through the attack part, the developers will have to strike against a vulnerable application. Through this, they will learn to <br />
think like a hacker. Weaknesses to detect and exploit might be XSS, CSRF or SQL Injection, which are listed in the OWASP top 10. While viewing the defense part, the user shall be introduced to securing the vulnerable application, for example by safeguarding the code.<br />
<br />
<br />
==Licensing==<br />
OWASP PHP Security Training Project is free to use. It is licensed under the GNU GPL v3 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is PHP Security Training ==<br />
<br />
OWASP PHP Security Training Project provides:<br />
<br />
* LiveDVD<br />
* Debian Package<br />
<br />
<br />
== Presentation ==<br />
<br />
Link to presentation<br />
<br />
<br />
<br />
<br />
== Project Leader ==<br />
<br />
[mailto:timo.pagel@owasp.org Timo Pagel]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
<br />
== Ohloh ==<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* http://files.timo-pagel.de/php-security-trainig-system/<br />
<br />
== Source Code ==<br />
<br />
* https://bitbucket.org/tpagel/php-security-training-system<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_php_security_training_project Sign up]<br />
<br />
== News and Events ==<br />
* [20 Nov 2013] News 2<br />
* [30 Sep 2013] News 1<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1<br />
: A1<br />
<br />
; Q2<br />
: A2<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* xxx<br />
* xxx<br />
<br />
==Others==<br />
* xxx<br />
* xxx<br />
<br />
= Road Map and Getting Involved =<br />
As of May, the priorities are:<br />
*Internationalization of existing units <br />
*Enhancement of existing units<br />
*Creation of more unints<br />
<br />
Involvement in the development and promotion of PHP Security Training is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* xxx<br />
* xxx<br />
<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_PHP_Security_Training_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=User:Timo_Pagel&diff=171660User:Timo Pagel2014-04-05T16:16:30Z<p>Timo Pagel: </p>
<hr />
<div>* Administrator at TNG Stadtnetz GmbH from 2006 till 2010<br />
* PHP Developer at ennit interactive GmbH from 2010 till 2013<br />
* Master-Student since 2014</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=Germany/Projekte/Top_10_fuer_Entwickler-2013/A5-Sicherheitsrelevante_Fehlkonfiguration&diff=169218Germany/Projekte/Top 10 fuer Entwickler-2013/A5-Sicherheitsrelevante Fehlkonfiguration2014-03-02T14:09:11Z<p>Timo Pagel: </p>
<hr />
<div>{{Top_10_2013_DeveloperEdition:TopTemplate<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate<br />
|A5 {{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
||year=2013<br />
}}<br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2010|language=de}}<br />
{{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=1|impact=2|language=de|year=2013}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Nicht authentisierte Angreifer sowie authentisierte Nutzer könnten versuchen, Zugangsdaten anderer zu stehlen. In Betracht kommen außerdem Innentäter, die ihre Handlungen verschleiern wollen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Angreifer benutzen Standardkonten, inaktive Seiten, ungepatchte Fehler, ungeschützte Dateien und Verzeichnisse etc., um unautorisierten Zugang zum oder Kenntnis über das Zielsystem zu erlangen.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Sicherheitsrelevante Fehlkonfiguration kann auf jeder Ebene der Anwendung, inkl. Plattform, Web- und Anwendungsserver, Frameworks oder Programmcode vorkommen. Die Zusammenarbeit zwischen Entwicklern und Administratoren ist wichtig, um eine sichere Konfiguration aller Ebenen zu gewährleisten. Automatisierte Scanner können oft fehlende Sicherheitspatches, Fehlkonfigurationen, Standardkonten, nicht benötigte Dienste, usw. erkennen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Diese Fehler geben Angreifern häufig unautorisierten Zugriff auf Systemdaten oder -funktionalitäten.<br/><br />
<br />
Manchmal führen sie zur kompletten Kompromittierung des Zielsystems.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Ein System könnte unbemerkt kompromittiert werden. Alle Daten könnten gestohlen oder nach und nach verändert werden.<br/><br />
<br />
Wiederherstellungskosten können hoch sein.</td><br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=firstLeft|risk=6|year=2010|language=de }} <br />
'''<u>Szenario 1</u>''': Eine Anwendung baut auf einem mächtigen Framework auf. XSS Fehler werden in diesem Framework gefunden. Ein Update zur Behebung der Sicherheitslücken wurde veröffentlicht, jedoch bisher nicht ausgerollt. Bis zum Update können Angreifer die Fehler in der Anwendung erkennen und ausnutzen.<br/> <br />
<br />
'''<u>Szenario 2</u>''': Die Administratorkonsole mit Standardkonto wurde automatisch installiert und nicht entfernt. Angreifer entdecken dies, melden sich über das Standardkonto an und kapern das System.<br/><br />
<br />
'''<u>Szenario 3</u>''': Directory Listings wurden nicht deaktiviert. Angreifer nutzen dies, um in den Besitz aller Dateien zu kommen. Sie laden alle existierenden Java-Klassen herunter und entdecken ein Backdoor.<br/><br />
<br />
'''<u>Szenario 4</u>''': Die Anwendungsserverkonfiguration erlaubt es, Stack Traces an Benutzer zurückzugeben. Dadurch können potentielle Fehler im Backend offengelegt werden. Angreifer lieben zusätzliche Informationen in Fehlermeldungen.<br/><br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2010|language=de}} <br />
Alle folgenden Empfehlungen sollten berücksichtigt werden:<br />
# Ein wiederholbarer Härtungsprozess, der eine schnelle und einfache Verteilung einer neuen, abgesicherten Umgebung erlaubt. Entwicklungs-, QA-, und Produktionsumgebungen sollten identisch konfiguriert sein. Der Prozess sollte automatisiert sein, um nötigen Aufwand bei Erstellung einer neuen, sicheren Umgebung zu minimieren.<br />
# Ein Prozess, der zeitnah neuentwickelte Softwareupdates und Patches auf allen ausgerollten Umgebungen ermöglicht. Davon sind auch alle Bibliotheken und Komponenten betroffen.<br />
# Eine robuste Anwendungsarchitektur, die eine gute Trennung und Absicherung einzelner Komponenten ermöglicht.<br />
# Periodisch durchgeführte Tests und Audits helfen, zukünftige Fehlkonfigurationen oder fehlende Patches zu erkennen und zu vermeiden.<br />
{{Top_10:SubsectionTableEndTemplate}}<br />
<br />
= '''JAVA''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}} <br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
* [[Configuration | OWASP Development Guide: Chapter on Configuration]]<br />
* [[Error_Handling | OWASP Code Review Guide: Chapter on Error Handling]]<br />
* [[Testing_for_configuration_management | OWASP Testing Guide: Configuration Management]]<br />
* [[Testing_for_Error_Code_(OWASP-IG-006) | OWASP Testing Guide: Testing for Error Codes]]<br />
* [[A10_2004_Insecure_Configuration_Management | OWASP Top 10 2004 - Insecure Configuration Management]]<br />
<br />
Weitere Informationen unter [http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=de}}<br />
*[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]<br />
*[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]<br />
*[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=JAVA<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''PHP''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
In der Datei php.ini bietet PHP Konfigurationsmöglichkeiten für Umgebungsvariablen an. Hier kann bspw. bestimmt werden, ob ein Cookie nur bei HTTP-Abfragen oder auch durch JavaScript ausgelesen werden darf. Zur Laufzeit können die Parameter ebenfalls über die Funktion ini_set() gesetzt werden. Das PHP-Projekt Psecio (siehe https://github.com/psecio/iniscan/) bietet ein Werkzeug zur Überprüfung der php.ini an, mit welchem Schwachstellen in der Konfigurationsdatei aufgedeckt werden können.<br />
<br />
Wichtige Parameter sind dabei u.a.:<br />
* open_basedir "/var/www/project" ; Ggf. auch /tmp erlauben, Einstellung bevorzugt in der Webserver-Konfiguration vornehmen<br />
* session.cookie_secure=On<br />
* session.use_only_cookies=On<br />
* session.cookie_httponly=On <br />
* allow_url_fopen=Off<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
==== ModSecurity ====<br />
Die Benutzung einer Webfirewall wie modsecurity, welches sich als Modul in den Webserver einbindet, ist empfehlenswert. Zentrale Komponente sind die "corerules", in welchen zwischen Warnungen und Fehlern unterschieden wird. In der Konfiguration des Webservers kann angegeben werden, welche Aktion bei einem Regelverstoß durchgeführt werden soll. Verstößt eine Anfrage gegen hinterlegte Regeln, kann die Ausführung der Anfrage gestoppt oder der Regelverstoß protokolliert werden.<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
* [[Configuration | OWASP Development Guide: Chapter on Configuration]]<br />
* [[Error_Handling | OWASP Code Review Guide: Chapter on Error Handling]]<br />
* [[Testing_for_configuration_management | OWASP Testing Guide: Configuration Management]]<br />
* [[Testing_for_Error_Code_(OWASP-IG-006) | OWASP Testing Guide: Testing for Error Codes]]<br />
* [[A10_2004_Insecure_Configuration_Management | OWASP Top 10 2004 - Insecure Configuration Management]]<br />
<br />
Weitere Informationen unter [http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=de}}<br />
*[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]<br />
*[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]<br />
*[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]<br />
*[http://www.modsecurity.org/ ModSecurity]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=PHP<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''Test''' =<br />
<!-- weitere Programmiersprachen oder evtl Anti-Beispiele ---><br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=whole|title=3|risk=5|year=2013|language=de}}<br />
tbd<br />
Text<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=left|risk=5|year=2013|language=de}}<br />
(ganze Breite)<br />
Text<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=Test<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<headertabs /><br />
{{Top_10_2013_DeveloperEdition:BottomAdvancedTemplate<br />
|type=0<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
<br />
[[Category:OWASP Top 10 fuer Entwickler]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=Germany/Projekte/Top_10_fuer_Entwickler-2013/A5-Sicherheitsrelevante_Fehlkonfiguration&diff=166638Germany/Projekte/Top 10 fuer Entwickler-2013/A5-Sicherheitsrelevante Fehlkonfiguration2014-01-25T19:31:02Z<p>Timo Pagel: </p>
<hr />
<div>{{Top_10_2013_DeveloperEdition:TopTemplate<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate<br />
|A5 {{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
||year=2013<br />
}}<br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2010|language=de}}<br />
{{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=1|impact=2|language=de|year=2013}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Nicht authentisierte Angreifer sowie authentisierte Nutzer könnten versuchen, Zugangsdaten anderer zu stehlen. In Betracht kommen außerdem Innentäter, die ihre Handlungen verschleiern wollen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Angreifer benutzen Standardkonten, inaktive Seiten, ungepatchte Fehler, ungeschützte Dateien und Verzeichnisse etc., um unautorisierten Zugang zum oder Kenntnis über das Zielsystem zu erlangen.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Sicherheitsrelevante Fehlkonfiguration kann auf jeder Ebene der Anwendung, inkl. Plattform, Web- und Anwendungsserver, Frameworks oder Programmcode vorkommen. Die Zusammenarbeit zwischen Entwicklern und Administratoren ist wichtig, um eine sichere Konfiguration aller Ebenen zu gewährleisten. Automatisierte Scanner können oft fehlende Sicherheitspatches, Fehlkonfigurationen, Standardkonten, nicht benötigte Dienste, usw. erkennen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Diese Fehler geben Angreifern häufig unautorisierten Zugriff auf Systemdaten oder -funktionalitäten.<br/><br />
<br />
Manchmal führen sie zur kompletten Kompromittierung des Zielsystems.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Ein System könnte unbemerkt kompromittiert werden. Alle Daten könnten gestohlen oder nach und nach verändert werden.<br/><br />
<br />
Wiederherstellungskosten können hoch sein.</td><br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=firstLeft|risk=6|year=2010|language=de }} <br />
'''<u>Szenario 1</u>''': Eine Anwendung baut auf einem mächtigen Framework auf. XSS Fehler werden in diesem Framework gefunden. Ein Update zur Behebung der Sicherheitslücken wurde veröffentlicht, jedoch bisher nicht ausgerollt. Bis zum Update können Angreifer die Fehler in der Anwendung erkennen und ausnutzen.<br/> <br />
<br />
'''<u>Szenario 2</u>''': Die Administratorkonsole mit Standardkonto wurde automatisch installiert und nicht entfernt. Angreifer entdecken dies, melden sich über das Standardkonto an und kapern das System.<br/><br />
<br />
'''<u>Szenario 3</u>''': Directory Listings wurden nicht deaktiviert. Angreifer nutzen dies, um in den Besitz aller Dateien zu kommen. Sie laden alle existierenden Java-Klassen herunter und entdecken ein Backdoor.<br/><br />
<br />
'''<u>Szenario 4</u>''': Die Anwendungsserverkonfiguration erlaubt es, Stack Traces an Benutzer zurückzugeben. Dadurch können potentielle Fehler im Backend offengelegt werden. Angreifer lieben zusätzliche Informationen in Fehlermeldungen.<br/><br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2010|language=de}} <br />
Alle folgenden Empfehlungen sollten berücksichtigt werden:<br />
# Ein wiederholbarer Härtungsprozess, der eine schnelle und einfache Verteilung einer neuen, abgesicherten Umgebung erlaubt. Entwicklungs-, QA-, und Produktionsumgebungen sollten identisch konfiguriert sein. Der Prozess sollte automatisiert sein, um nötigen Aufwand bei Erstellung einer neuen, sicheren Umgebung zu minimieren.<br />
# Ein Prozess, der zeitnah neuentwickelte Softwareupdates und Patches auf allen ausgerollten Umgebungen ermöglicht. Davon sind auch alle Bibliotheken und Komponenten betroffen.<br />
# Eine robuste Anwendungsarchitektur, die eine gute Trennung und Absicherung einzelner Komponenten ermöglicht.<br />
# Periodisch durchgeführte Tests und Audits helfen, zukünftige Fehlkonfigurationen oder fehlende Patches zu erkennen und zu vermeiden.<br />
{{Top_10:SubsectionTableEndTemplate}}<br />
<br />
= '''JAVA''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}} <br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
* [[Configuration | OWASP Development Guide: Chapter on Configuration]]<br />
* [[Error_Handling | OWASP Code Review Guide: Chapter on Error Handling]]<br />
* [[Testing_for_configuration_management | OWASP Testing Guide: Configuration Management]]<br />
* [[Testing_for_Error_Code_(OWASP-IG-006) | OWASP Testing Guide: Testing for Error Codes]]<br />
* [[A10_2004_Insecure_Configuration_Management | OWASP Top 10 2004 - Insecure Configuration Management]]<br />
<br />
Weitere Informationen unter [http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=de}}<br />
*[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]<br />
*[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]<br />
*[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=JAVA<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''PHP''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
In der Datei php.ini bietet PHP Konfigurationsmöglichkeiten für Umgebungsvariablen an. Hier kann bspw. bestimmt werden, ob ein Cookie nur bei HTTP-Abfragen oder auch durch JavaScript ausgelesen werden darf. Zur Laufzeit können die Parameter ebenfalls über die Funktion ini_set() gesetzt werden. Das PHP-Projekt Psecio (siehe https://github.com/psecio/iniscan/) bietet ein Werkzeug zur Überprüfung der php.ini an, mit welchem Schwachstellen in der Konfigurationsdatei aufgedeckt werden können.<br />
<br />
Wichtige Parameter sind dabei u.a.:<br />
* open_basedir "/var/www/project" ; Ggf. auch /tmp erlauben, Einstellung bevorzugt in der Webserver-Konfiguration vornehmen<br />
* session.cookie_secure=On<br />
* session.use_only_cookies=On<br />
* session.cookie_httponly=On <br />
* allow_url_fopen=Off<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
* [[Configuration | OWASP Development Guide: Chapter on Configuration]]<br />
* [[Error_Handling | OWASP Code Review Guide: Chapter on Error Handling]]<br />
* [[Testing_for_configuration_management | OWASP Testing Guide: Configuration Management]]<br />
* [[Testing_for_Error_Code_(OWASP-IG-006) | OWASP Testing Guide: Testing for Error Codes]]<br />
* [[A10_2004_Insecure_Configuration_Management | OWASP Top 10 2004 - Insecure Configuration Management]]<br />
<br />
Weitere Informationen unter [http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=de}}<br />
*[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]<br />
*[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]<br />
*[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=PHP<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''Test''' =<br />
<!-- weitere Programmiersprachen oder evtl Anti-Beispiele ---><br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=whole|title=3|risk=5|year=2013|language=de}}<br />
tbd<br />
Text<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=left|risk=5|year=2013|language=de}}<br />
(ganze Breite)<br />
Text<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=Test<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<headertabs /><br />
{{Top_10_2013_DeveloperEdition:BottomAdvancedTemplate<br />
|type=0<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
<br />
[[Category:OWASP Top 10 fuer Entwickler]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=Germany/Projekte/Top_10_fuer_Entwickler-2013/A5-Sicherheitsrelevante_Fehlkonfiguration&diff=166637Germany/Projekte/Top 10 fuer Entwickler-2013/A5-Sicherheitsrelevante Fehlkonfiguration2014-01-25T19:30:20Z<p>Timo Pagel: </p>
<hr />
<div>{{Top_10_2013_DeveloperEdition:TopTemplate<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate<br />
|A5 {{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
||year=2013<br />
}}<br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2010|language=de}}<br />
{{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=1|impact=2|language=de|year=2013}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Nicht authentisierte Angreifer sowie authentisierte Nutzer könnten versuchen, Zugangsdaten anderer zu stehlen. In Betracht kommen außerdem Innentäter, die ihre Handlungen verschleiern wollen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Angreifer benutzen Standardkonten, inaktive Seiten, ungepatchte Fehler, ungeschützte Dateien und Verzeichnisse etc., um unautorisierten Zugang zum oder Kenntnis über das Zielsystem zu erlangen.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Sicherheitsrelevante Fehlkonfiguration kann auf jeder Ebene der Anwendung, inkl. Plattform, Web- und Anwendungsserver, Frameworks oder Programmcode vorkommen. Die Zusammenarbeit zwischen Entwicklern und Administratoren ist wichtig, um eine sichere Konfiguration aller Ebenen zu gewährleisten. Automatisierte Scanner können oft fehlende Sicherheitspatches, Fehlkonfigurationen, Standardkonten, nicht benötigte Dienste, usw. erkennen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Diese Fehler geben Angreifern häufig unautorisierten Zugriff auf Systemdaten oder -funktionalitäten.<br/><br />
<br />
Manchmal führen sie zur kompletten Kompromittierung des Zielsystems.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Ein System könnte unbemerkt kompromittiert werden. Alle Daten könnten gestohlen oder nach und nach verändert werden.<br/><br />
<br />
Wiederherstellungskosten können hoch sein.</td><br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=firstLeft|risk=6|year=2010|language=de }} <br />
'''<u>Szenario 1</u>''': Eine Anwendung baut auf einem mächtigen Framework auf. XSS Fehler werden in diesem Framework gefunden. Ein Update zur Behebung der Sicherheitslücken wurde veröffentlicht, jedoch bisher nicht ausgerollt. Bis zum Update können Angreifer die Fehler in der Anwendung erkennen und ausnutzen.<br/> <br />
<br />
'''<u>Szenario 2</u>''': Die Administratorkonsole mit Standardkonto wurde automatisch installiert und nicht entfernt. Angreifer entdecken dies, melden sich über das Standardkonto an und kapern das System.<br/><br />
<br />
'''<u>Szenario 3</u>''': Directory Listings wurden nicht deaktiviert. Angreifer nutzen dies, um in den Besitz aller Dateien zu kommen. Sie laden alle existierenden Java-Klassen herunter und entdecken ein Backdoor.<br/><br />
<br />
'''<u>Szenario 4</u>''': Die Anwendungsserverkonfiguration erlaubt es, Stack Traces an Benutzer zurückzugeben. Dadurch können potentielle Fehler im Backend offengelegt werden. Angreifer lieben zusätzliche Informationen in Fehlermeldungen.<br/><br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2010|language=de}} <br />
Alle folgenden Empfehlungen sollten berücksichtigt werden:<br />
# Ein wiederholbarer Härtungsprozess, der eine schnelle und einfache Verteilung einer neuen, abgesicherten Umgebung erlaubt. Entwicklungs-, QA-, und Produktionsumgebungen sollten identisch konfiguriert sein. Der Prozess sollte automatisiert sein, um nötigen Aufwand bei Erstellung einer neuen, sicheren Umgebung zu minimieren.<br />
# Ein Prozess, der zeitnah neuentwickelte Softwareupdates und Patches auf allen ausgerollten Umgebungen ermöglicht. Davon sind auch alle Bibliotheken und Komponenten betroffen.<br />
# Eine robuste Anwendungsarchitektur, die eine gute Trennung und Absicherung einzelner Komponenten ermöglicht.<br />
# Periodisch durchgeführte Tests und Audits helfen, zukünftige Fehlkonfigurationen oder fehlende Patches zu erkennen und zu vermeiden.<br />
{{Top_10:SubsectionTableEndTemplate}}<br />
<br />
= '''JAVA''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}} <br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
* [[Configuration | OWASP Development Guide: Chapter on Configuration]]<br />
* [[Error_Handling | OWASP Code Review Guide: Chapter on Error Handling]]<br />
* [[Testing_for_configuration_management | OWASP Testing Guide: Configuration Management]]<br />
* [[Testing_for_Error_Code_(OWASP-IG-006) | OWASP Testing Guide: Testing for Error Codes]]<br />
* [[A10_2004_Insecure_Configuration_Management | OWASP Top 10 2004 - Insecure Configuration Management]]<br />
<br />
Weitere Informationen unter [http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=de}}<br />
*[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]<br />
*[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]<br />
*[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=JAVA<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''PHP''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
In der Datei php.ini bietet PHP Konfigurationsmöglichkeiten für Umgebungsvariablen an. Hier kann bspw. bestimmt werden, ob ein Cookie nur bei HTTP-Abfragen oder auch durch JavaScript ausgelesen werden darf. Zur Laufzeit können die Parameter ebenfalls über die Funktion ini_set() gesetzt werden. Das PHP-Projekt Psecio (siehe https://github.com/psecio/iniscan/) bietet ein Werkzeug zur Überprüfung der php.ini an, mit welchem Schwachstellen in der Konfigurationsdatei aufgedeckt werden können.<br />
<br />
Wichtige Parameter sind dabei u.a.:<br />
* open_basedir "/var/www/project" ; Ggf. auch /tmp erlauben, Einstellung am besten im Webserver vornehmen<br />
* session.cookie_secure=On<br />
* session.use_only_cookies=On<br />
* session.cookie_httponly=On <br />
* allow_url_fopen=Off<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
* [[Configuration | OWASP Development Guide: Chapter on Configuration]]<br />
* [[Error_Handling | OWASP Code Review Guide: Chapter on Error Handling]]<br />
* [[Testing_for_configuration_management | OWASP Testing Guide: Configuration Management]]<br />
* [[Testing_for_Error_Code_(OWASP-IG-006) | OWASP Testing Guide: Testing for Error Codes]]<br />
* [[A10_2004_Insecure_Configuration_Management | OWASP Top 10 2004 - Insecure Configuration Management]]<br />
<br />
Weitere Informationen unter [http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=de}}<br />
*[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]<br />
*[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]<br />
*[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=PHP<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''Test''' =<br />
<!-- weitere Programmiersprachen oder evtl Anti-Beispiele ---><br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=whole|title=3|risk=5|year=2013|language=de}}<br />
tbd<br />
Text<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=left|risk=5|year=2013|language=de}}<br />
(ganze Breite)<br />
Text<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=Test<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<headertabs /><br />
{{Top_10_2013_DeveloperEdition:BottomAdvancedTemplate<br />
|type=0<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
<br />
[[Category:OWASP Top 10 fuer Entwickler]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=Germany/Projekte/Top_10_fuer_Entwickler-2013/A5-Sicherheitsrelevante_Fehlkonfiguration&diff=166636Germany/Projekte/Top 10 fuer Entwickler-2013/A5-Sicherheitsrelevante Fehlkonfiguration2014-01-25T18:56:08Z<p>Timo Pagel: </p>
<hr />
<div>{{Top_10_2013_DeveloperEdition:TopTemplate<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate<br />
|A5 {{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
||year=2013<br />
}}<br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2010|language=de}}<br />
{{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=1|impact=2|language=de|year=2013}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Nicht authentisierte Angreifer sowie authentisierte Nutzer könnten versuchen, Zugangsdaten anderer zu stehlen. In Betracht kommen außerdem Innentäter, die ihre Handlungen verschleiern wollen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Angreifer benutzen Standardkonten, inaktive Seiten, ungepatchte Fehler, ungeschützte Dateien und Verzeichnisse etc., um unautorisierten Zugang zum oder Kenntnis über das Zielsystem zu erlangen.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Sicherheitsrelevante Fehlkonfiguration kann auf jeder Ebene der Anwendung, inkl. Plattform, Web- und Anwendungsserver, Frameworks oder Programmcode vorkommen. Die Zusammenarbeit zwischen Entwicklern und Administratoren ist wichtig, um eine sichere Konfiguration aller Ebenen zu gewährleisten. Automatisierte Scanner können oft fehlende Sicherheitspatches, Fehlkonfigurationen, Standardkonten, nicht benötigte Dienste, usw. erkennen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Diese Fehler geben Angreifern häufig unautorisierten Zugriff auf Systemdaten oder -funktionalitäten.<br/><br />
<br />
Manchmal führen sie zur kompletten Kompromittierung des Zielsystems.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Ein System könnte unbemerkt kompromittiert werden. Alle Daten könnten gestohlen oder nach und nach verändert werden.<br/><br />
<br />
Wiederherstellungskosten können hoch sein.</td><br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=firstLeft|risk=6|year=2010|language=de }} <br />
'''<u>Szenario 1</u>''': Eine Anwendung baut auf einem mächtigen Framework auf. XSS Fehler werden in diesem Framework gefunden. Ein Update zur Behebung der Sicherheitslücken wurde veröffentlicht, jedoch bisher nicht ausgerollt. Bis zum Update können Angreifer die Fehler in der Anwendung erkennen und ausnutzen.<br/> <br />
<br />
'''<u>Szenario 2</u>''': Die Administratorkonsole mit Standardkonto wurde automatisch installiert und nicht entfernt. Angreifer entdecken dies, melden sich über das Standardkonto an und kapern das System.<br/><br />
<br />
'''<u>Szenario 3</u>''': Directory Listings wurden nicht deaktiviert. Angreifer nutzen dies, um in den Besitz aller Dateien zu kommen. Sie laden alle existierenden Java-Klassen herunter und entdecken ein Backdoor.<br/><br />
<br />
'''<u>Szenario 4</u>''': Die Anwendungsserverkonfiguration erlaubt es, Stack Traces an Benutzer zurückzugeben. Dadurch können potentielle Fehler im Backend offengelegt werden. Angreifer lieben zusätzliche Informationen in Fehlermeldungen.<br/><br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2010|language=de}} <br />
Alle folgenden Empfehlungen sollten berücksichtigt werden:<br />
# Ein wiederholbarer Härtungsprozess, der eine schnelle und einfache Verteilung einer neuen, abgesicherten Umgebung erlaubt. Entwicklungs-, QA-, und Produktionsumgebungen sollten identisch konfiguriert sein. Der Prozess sollte automatisiert sein, um nötigen Aufwand bei Erstellung einer neuen, sicheren Umgebung zu minimieren.<br />
# Ein Prozess, der zeitnah neuentwickelte Softwareupdates und Patches auf allen ausgerollten Umgebungen ermöglicht. Davon sind auch alle Bibliotheken und Komponenten betroffen.<br />
# Eine robuste Anwendungsarchitektur, die eine gute Trennung und Absicherung einzelner Komponenten ermöglicht.<br />
# Periodisch durchgeführte Tests und Audits helfen, zukünftige Fehlkonfigurationen oder fehlende Patches zu erkennen und zu vermeiden.<br />
{{Top_10:SubsectionTableEndTemplate}}<br />
<br />
= '''JAVA''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}} <br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
* [[Configuration | OWASP Development Guide: Chapter on Configuration]]<br />
* [[Error_Handling | OWASP Code Review Guide: Chapter on Error Handling]]<br />
* [[Testing_for_configuration_management | OWASP Testing Guide: Configuration Management]]<br />
* [[Testing_for_Error_Code_(OWASP-IG-006) | OWASP Testing Guide: Testing for Error Codes]]<br />
* [[A10_2004_Insecure_Configuration_Management | OWASP Top 10 2004 - Insecure Configuration Management]]<br />
<br />
Weitere Informationen unter [http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=de}}<br />
*[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]<br />
*[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]<br />
*[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=JAVA<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''PHP''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
In der Datei php.ini bietet PHP Konfigurationsmöglichkeiten für Umgebungsvariablen an. Hier kann bspw. bestimmt werden, ob ein Cookie nur bei HTTP-Abfragen oder auch durch JavaScript ausgelesen werden darf. Zur Laufzeit können die Parameter ebenfalls über die Funktion ini_set() gesetzt werden. Das PHP-Projekt Psecio (siehe https://github.com/psecio/iniscan/) bietet ein Werkzeug zur Überprüfung der php.ini an, mit welchem Schwachstellen in der Konfigurationsdatei aufgedeckt werden können.<br />
<br />
Wichtige Parameter sind dabei u.a.:<br />
* open_basedir "/var/www/project"; #Ggf. auch /tmp erlauben, Einstellung am besten im Webserver vornehmen<br />
* session.cookie_secure=On;<br />
* session.use_only_cookies=On;<br />
* session.cookie_httponly=On;<br />
* allow_url_fopen=Off;<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
* [[Configuration | OWASP Development Guide: Chapter on Configuration]]<br />
* [[Error_Handling | OWASP Code Review Guide: Chapter on Error Handling]]<br />
* [[Testing_for_configuration_management | OWASP Testing Guide: Configuration Management]]<br />
* [[Testing_for_Error_Code_(OWASP-IG-006) | OWASP Testing Guide: Testing for Error Codes]]<br />
* [[A10_2004_Insecure_Configuration_Management | OWASP Top 10 2004 - Insecure Configuration Management]]<br />
<br />
Weitere Informationen unter [http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=de}}<br />
*[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]<br />
*[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]<br />
*[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=PHP<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''Test''' =<br />
<!-- weitere Programmiersprachen oder evtl Anti-Beispiele ---><br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=whole|title=3|risk=5|year=2013|language=de}}<br />
tbd<br />
Text<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=left|risk=5|year=2013|language=de}}<br />
(ganze Breite)<br />
Text<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=Test<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<headertabs /><br />
{{Top_10_2013_DeveloperEdition:BottomAdvancedTemplate<br />
|type=0<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
<br />
[[Category:OWASP Top 10 fuer Entwickler]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=Germany/Projekte/Top_10_fuer_Entwickler-2013/A5-Sicherheitsrelevante_Fehlkonfiguration&diff=166635Germany/Projekte/Top 10 fuer Entwickler-2013/A5-Sicherheitsrelevante Fehlkonfiguration2014-01-25T18:54:58Z<p>Timo Pagel: </p>
<hr />
<div>{{Top_10_2013_DeveloperEdition:TopTemplate<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate<br />
|A5 {{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
||year=2013<br />
}}<br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2010|language=de}}<br />
{{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=1|impact=2|language=de|year=2013}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Nicht authentisierte Angreifer sowie authentisierte Nutzer könnten versuchen, Zugangsdaten anderer zu stehlen. In Betracht kommen außerdem Innentäter, die ihre Handlungen verschleiern wollen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Angreifer benutzen Standardkonten, inaktive Seiten, ungepatchte Fehler, ungeschützte Dateien und Verzeichnisse etc., um unautorisierten Zugang zum oder Kenntnis über das Zielsystem zu erlangen.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Sicherheitsrelevante Fehlkonfiguration kann auf jeder Ebene der Anwendung, inkl. Plattform, Web- und Anwendungsserver, Frameworks oder Programmcode vorkommen. Die Zusammenarbeit zwischen Entwicklern und Administratoren ist wichtig, um eine sichere Konfiguration aller Ebenen zu gewährleisten. Automatisierte Scanner können oft fehlende Sicherheitspatches, Fehlkonfigurationen, Standardkonten, nicht benötigte Dienste, usw. erkennen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Diese Fehler geben Angreifern häufig unautorisierten Zugriff auf Systemdaten oder -funktionalitäten.<br/><br />
<br />
Manchmal führen sie zur kompletten Kompromittierung des Zielsystems.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Ein System könnte unbemerkt kompromittiert werden. Alle Daten könnten gestohlen oder nach und nach verändert werden.<br/><br />
<br />
Wiederherstellungskosten können hoch sein.</td><br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=firstLeft|risk=6|year=2010|language=de }} <br />
'''<u>Szenario 1</u>''': Eine Anwendung baut auf einem mächtigen Framework auf. XSS Fehler werden in diesem Framework gefunden. Ein Update zur Behebung der Sicherheitslücken wurde veröffentlicht, jedoch bisher nicht ausgerollt. Bis zum Update können Angreifer die Fehler in der Anwendung erkennen und ausnutzen.<br/> <br />
<br />
'''<u>Szenario 2</u>''': Die Administratorkonsole mit Standardkonto wurde automatisch installiert und nicht entfernt. Angreifer entdecken dies, melden sich über das Standardkonto an und kapern das System.<br/><br />
<br />
'''<u>Szenario 3</u>''': Directory Listings wurden nicht deaktiviert. Angreifer nutzen dies, um in den Besitz aller Dateien zu kommen. Sie laden alle existierenden Java-Klassen herunter und entdecken ein Backdoor.<br/><br />
<br />
'''<u>Szenario 4</u>''': Die Anwendungsserverkonfiguration erlaubt es, Stack Traces an Benutzer zurückzugeben. Dadurch können potentielle Fehler im Backend offengelegt werden. Angreifer lieben zusätzliche Informationen in Fehlermeldungen.<br/><br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2010|language=de}} <br />
Alle folgenden Empfehlungen sollten berücksichtigt werden:<br />
# Ein wiederholbarer Härtungsprozess, der eine schnelle und einfache Verteilung einer neuen, abgesicherten Umgebung erlaubt. Entwicklungs-, QA-, und Produktionsumgebungen sollten identisch konfiguriert sein. Der Prozess sollte automatisiert sein, um nötigen Aufwand bei Erstellung einer neuen, sicheren Umgebung zu minimieren.<br />
# Ein Prozess, der zeitnah neuentwickelte Softwareupdates und Patches auf allen ausgerollten Umgebungen ermöglicht. Davon sind auch alle Bibliotheken und Komponenten betroffen.<br />
# Eine robuste Anwendungsarchitektur, die eine gute Trennung und Absicherung einzelner Komponenten ermöglicht.<br />
# Periodisch durchgeführte Tests und Audits helfen, zukünftige Fehlkonfigurationen oder fehlende Patches zu erkennen und zu vermeiden.<br />
{{Top_10:SubsectionTableEndTemplate}}<br />
<br />
= '''JAVA''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}} <br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
* [[Configuration | OWASP Development Guide: Chapter on Configuration]]<br />
* [[Error_Handling | OWASP Code Review Guide: Chapter on Error Handling]]<br />
* [[Testing_for_configuration_management | OWASP Testing Guide: Configuration Management]]<br />
* [[Testing_for_Error_Code_(OWASP-IG-006) | OWASP Testing Guide: Testing for Error Codes]]<br />
* [[A10_2004_Insecure_Configuration_Management | OWASP Top 10 2004 - Insecure Configuration Management]]<br />
<br />
Weitere Informationen unter [http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=de}}<br />
*[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]<br />
*[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]<br />
*[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=JAVA<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''PHP''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
In der Datei php.ini bietet PHP Konfigurationsmöglichkeiten für Umgebungsvariablen an. Hier kann bspw. bestimmt werden, ob ein Cookie nur bei HTTP-Abfragen oder auch durch JavaScript ausgelesen werden darf. Zur Laufzeit können die Parameter ebenfalls über die Funktion ini_set() gesetzt werden. Viele der möglichen gefährlichen Einstellungen werden im Rahmen dieser Arbeit vorgestellt. Das PHP-Projekt Psecio bietet ein Werkzeug zur Überprüfung der php.ini an, mit welchem Schwachstellen in der Konfigurationsdatei aufgedeckt werden können.<br />
<br />
Wichtige Parameter sind dabei u.a.:<br />
* open_basedir "/var/www/project"; #Ggf. auch /tmp erlauben, Einstellung am besten im Webserver vornehmen<br />
* session.cookie_secure=On;<br />
* session.use_only_cookies=On;<br />
* session.cookie_httponly=On;<br />
* allow_url_fopen=Off;<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
* [[Configuration | OWASP Development Guide: Chapter on Configuration]]<br />
* [[Error_Handling | OWASP Code Review Guide: Chapter on Error Handling]]<br />
* [[Testing_for_configuration_management | OWASP Testing Guide: Configuration Management]]<br />
* [[Testing_for_Error_Code_(OWASP-IG-006) | OWASP Testing Guide: Testing for Error Codes]]<br />
* [[A10_2004_Insecure_Configuration_Management | OWASP Top 10 2004 - Insecure Configuration Management]]<br />
<br />
Weitere Informationen unter [http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=de}}<br />
*[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]<br />
*[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]<br />
*[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=PHP<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''Test''' =<br />
<!-- weitere Programmiersprachen oder evtl Anti-Beispiele ---><br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=whole|title=3|risk=5|year=2013|language=de}}<br />
tbd<br />
Text<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=left|risk=5|year=2013|language=de}}<br />
(ganze Breite)<br />
Text<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=Test<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<headertabs /><br />
{{Top_10_2013_DeveloperEdition:BottomAdvancedTemplate<br />
|type=0<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
<br />
[[Category:OWASP Top 10 fuer Entwickler]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=Germany/Projekte/Top_10_fuer_Entwickler-2013/A5-Sicherheitsrelevante_Fehlkonfiguration&diff=166634Germany/Projekte/Top 10 fuer Entwickler-2013/A5-Sicherheitsrelevante Fehlkonfiguration2014-01-25T18:51:27Z<p>Timo Pagel: </p>
<hr />
<div>{{Top_10_2013_DeveloperEdition:TopTemplate<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate<br />
|A5 {{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
||year=2013<br />
}}<br />
<br />
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2010|language=de}}<br />
{{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=1|impact=2|language=de|year=2013}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Nicht authentisierte Angreifer sowie authentisierte Nutzer könnten versuchen, Zugangsdaten anderer zu stehlen. In Betracht kommen außerdem Innentäter, die ihre Handlungen verschleiern wollen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Angreifer benutzen Standardkonten, inaktive Seiten, ungepatchte Fehler, ungeschützte Dateien und Verzeichnisse etc., um unautorisierten Zugang zum oder Kenntnis über das Zielsystem zu erlangen.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Sicherheitsrelevante Fehlkonfiguration kann auf jeder Ebene der Anwendung, inkl. Plattform, Web- und Anwendungsserver, Frameworks oder Programmcode vorkommen. Die Zusammenarbeit zwischen Entwicklern und Administratoren ist wichtig, um eine sichere Konfiguration aller Ebenen zu gewährleisten. Automatisierte Scanner können oft fehlende Sicherheitspatches, Fehlkonfigurationen, Standardkonten, nicht benötigte Dienste, usw. erkennen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Diese Fehler geben Angreifern häufig unautorisierten Zugriff auf Systemdaten oder -funktionalitäten.<br/><br />
<br />
Manchmal führen sie zur kompletten Kompromittierung des Zielsystems.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Ein System könnte unbemerkt kompromittiert werden. Alle Daten könnten gestohlen oder nach und nach verändert werden.<br/><br />
<br />
Wiederherstellungskosten können hoch sein.</td><br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=firstLeft|risk=6|year=2010|language=de }} <br />
'''<u>Szenario 1</u>''': Eine Anwendung baut auf einem mächtigen Framework auf. XSS Fehler werden in diesem Framework gefunden. Ein Update zur Behebung der Sicherheitslücken wurde veröffentlicht, jedoch bisher nicht ausgerollt. Bis zum Update können Angreifer die Fehler in der Anwendung erkennen und ausnutzen.<br/> <br />
<br />
'''<u>Szenario 2</u>''': Die Administratorkonsole mit Standardkonto wurde automatisch installiert und nicht entfernt. Angreifer entdecken dies, melden sich über das Standardkonto an und kapern das System.<br/><br />
<br />
'''<u>Szenario 3</u>''': Directory Listings wurden nicht deaktiviert. Angreifer nutzen dies, um in den Besitz aller Dateien zu kommen. Sie laden alle existierenden Java-Klassen herunter und entdecken ein Backdoor.<br/><br />
<br />
'''<u>Szenario 4</u>''': Die Anwendungsserverkonfiguration erlaubt es, Stack Traces an Benutzer zurückzugeben. Dadurch können potentielle Fehler im Backend offengelegt werden. Angreifer lieben zusätzliche Informationen in Fehlermeldungen.<br/><br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2010|language=de}} <br />
Alle folgenden Empfehlungen sollten berücksichtigt werden:<br />
# Ein wiederholbarer Härtungsprozess, der eine schnelle und einfache Verteilung einer neuen, abgesicherten Umgebung erlaubt. Entwicklungs-, QA-, und Produktionsumgebungen sollten identisch konfiguriert sein. Der Prozess sollte automatisiert sein, um nötigen Aufwand bei Erstellung einer neuen, sicheren Umgebung zu minimieren.<br />
# Ein Prozess, der zeitnah neuentwickelte Softwareupdates und Patches auf allen ausgerollten Umgebungen ermöglicht. Davon sind auch alle Bibliotheken und Komponenten betroffen.<br />
# Eine robuste Anwendungsarchitektur, die eine gute Trennung und Absicherung einzelner Komponenten ermöglicht.<br />
# Periodisch durchgeführte Tests und Audits helfen, zukünftige Fehlkonfigurationen oder fehlende Patches zu erkennen und zu vermeiden.<br />
{{Top_10:SubsectionTableEndTemplate}}<br />
<br />
= '''JAVA''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}} <br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
* [[Configuration | OWASP Development Guide: Chapter on Configuration]]<br />
* [[Error_Handling | OWASP Code Review Guide: Chapter on Error Handling]]<br />
* [[Testing_for_configuration_management | OWASP Testing Guide: Configuration Management]]<br />
* [[Testing_for_Error_Code_(OWASP-IG-006) | OWASP Testing Guide: Testing for Error Codes]]<br />
* [[A10_2004_Insecure_Configuration_Management | OWASP Top 10 2004 - Insecure Configuration Management]]<br />
<br />
Weitere Informationen unter [http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=de}}<br />
*[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]<br />
*[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]<br />
*[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=JAVA<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''PHP''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
In der Datei php.ini bietet PHP Konfigurationsmöglichkeiten für Umgebungsvariablen an. Hier kann bspw. bestimmt werden, ob ein Cookie nur bei HTTP-Abfragen oder auch durch JavaScript ausgelesen werden darf. Zur Laufzeit können die Parameter ebenfalls über die Funktion ini_set() gesetzt werden. Viele der möglichen gefährlichen Einstellungen werden im Rahmen dieser Arbeit vorgestellt. Das PHP-Projekt Psecio bietet ein Werkzeug zur Überprüfung der php.ini an, mit welchem Schwachstellen in der Konfigurationsdatei aufgedeckt werden können. <br />
Wichtige Parameter sind dabei u.a.:<br />
* open_basedir "</var/www/project>" //Ggf. auch /tmp erlauben, Einstellung am besten im Webserver vornehmen<br />
* session.cookie_secure=On<br />
* session.use_only_cookies=On<br />
* session.cookie_httponly=On<br />
* allow_url_fopen=Off<br />
<br />
<br />
<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}} <br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=5|year=2013|language=de}}<br />
==== Tbd ====<br />
<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
Tbd<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
* [[Configuration | OWASP Development Guide: Chapter on Configuration]]<br />
* [[Error_Handling | OWASP Code Review Guide: Chapter on Error Handling]]<br />
* [[Testing_for_configuration_management | OWASP Testing Guide: Configuration Management]]<br />
* [[Testing_for_Error_Code_(OWASP-IG-006) | OWASP Testing Guide: Testing for Error Codes]]<br />
* [[A10_2004_Insecure_Configuration_Management | OWASP Top 10 2004 - Insecure Configuration Management]]<br />
<br />
Weitere Informationen unter [http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]<br />
<br />
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=de}}<br />
*[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]<br />
*[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]<br />
*[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=PHP<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''Test''' =<br />
<!-- weitere Programmiersprachen oder evtl Anti-Beispiele ---><br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=5|year=2013|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=whole|title=3|risk=5|year=2013|language=de}}<br />
tbd<br />
Text<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=left|risk=5|year=2013|language=de}}<br />
(ganze Breite)<br />
Text<br />
<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=de}}<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=Test<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<headertabs /><br />
{{Top_10_2013_DeveloperEdition:BottomAdvancedTemplate<br />
|type=0<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A4-{{Top_10_2010:ByTheNumbers<br />
|4<br />
|year=2013<br />
|language=de}}<br />
|next=A6-{{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
<br />
[[Category:OWASP Top 10 fuer Entwickler]]</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=Germany/Projekte/Top_10_fuer_Entwickler-2013/A6-Verlust_der_Vertraulichkeit_sensibler_Daten&diff=165737Germany/Projekte/Top 10 fuer Entwickler-2013/A6-Verlust der Vertraulichkeit sensibler Daten2014-01-12T16:28:10Z<p>Timo Pagel: Correct typo</p>
<hr />
<div>{{Top_10_2013_DeveloperEdition:TopTemplate<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate<br />
|A6 {{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}} <small>({{Top_10_2010:ByTheNumbers|7|year=2010|language=de}} / {{Top_10_2010:ByTheNumbers|9|year=2010|language=de}})</small><br />
||year=2013<br />
}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SummaryTableHeaderBeginTemplate|year=2010|language=de}}<br />
{{Top_10:SummaryTableTemplate|exploitability=3|prevalence=3|detectability=2|impact=1|language=de|year=2013}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Jeder Benutzer des Systems ist zu betrachten.<br />
Haben diese ein Interesse, auf geschützte Daten unberechtigt zuzugreifen?<br />
Wie steht es um Administratoren?</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Angreifer brechen üblicherweise nicht die eigentliche Kryptografie. Statt dessen finden Sie Schlüssel, Klartexte oder greifen über Kanäle mit automatischer Entschlüsselung auf Daten zu.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Fehlende Verschlüsselung vertraulicher Daten ist die häufigste Schwachstelle, gefolgt von unsicherer Schlüsselerzeugung, der Speicherung statischer Schlüssel und die Nutzung schwacher Algorithmen. Schwache Hashwerte ohne Salt kommen zum Passwortschutz oft vor. Ein eingeschränkter Zugriff lässt externe Angreifer solche Probleme i.d.R. nicht leicht entdecken. Den nötigen Zugriff müssen sie vorher auf andere Weise erlangen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Fehler kompromittieren regelmäßig vertrauliche Daten. Es handelt sich hierbei oft um sensitive Daten wie personenbezogene Daten, Benutzernamen und Passwörter oder Kreditkarteninformationen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Betrachten Sie den Wert verlorener Daten und die Auswirkungen auf die Reputation des betroffenen Unternehmens. Hat es ggf. auch juristische Konsequenzen, wenn die Daten bekannt werden?</td><br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=firstLeft|risk=7|year=2010|language=de}} <br />
'''<u>Szenario 1</u>''': Eine Anwendung speichert verschlüsselt Kreditkartendaten in einer Datenbank, um Sie vor Angreifern zu schützen. Die Datenbank ist so eingerichtet, dass die Daten beim Auslesen automatisch entschlüsselt werden. Durch SQL-Injection können in diesem Fall alle Kreditkartendaten im Klartext ausgelesen werden. Das System hätte so konfiguriert sein sollen, dass nur nachgelagerte Anwendungen und nicht die Webanwendung selbst entschlüsseln dürfen.<br/> <br />
'''<u>Szenario 2</u>''': Ein Datensicherungsband speichert verschlüsselte Gesundheitsdaten, aber der Schlüssel ist ebenfalls dort gespeichert. Das Band geht auf dem Transportweg verloren.<br/><br />
'''<u>Szenario 3</u>''': Die Passwortdatenbank benutzt Hashwerte ohne Salt zur Speicherung der Passwörter. Eine Schwachstelle in der Downloadfunktion ermöglicht einem Angreifer den Zugriff auf die Datei. Zu allen Hashes kann in vier Wochen ein passender Klartext gefunden werden. Bei starken Hashwerten mit Salt hätte dieser Angriff über 3000 Jahre gedauert.<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=7|year=2010|language=de}} <br />
Eine Übersicht über alle Tücken unsicherer Kryptografie liegt weit außerhalb des Rahmens der Top 10. Für alle vertraulichen Daten sollten Sie zumindest:<br />
# Die Bedrohungen betrachten, vor denen Sie die Daten schützen wollen (z. B. Innen- und Außentäter) und sicherstellen, dass diese Daten angemessen durch Verschlüsselung geschützt werden.<br />
# Sicherstellen, dass ausgelagerte Datensicherungen verschlüsselt sind und die Schlüssel getrennt verwaltet und gesichert werden.<br />
# Sicherstellen, dass angemessene, starke Algorithmen und Schlüssel verwendet und verwaltet werden.<br />
# Sicherstellen, dass Passwörter mit einem starken Algorithmus und einem angemessenen Salt gehasht werden.<br />
# Sicherstellen, dass alle Schlüssel und Passwörter vor unberechtigtem Zugriff geschützt sind.<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=6|year=2013}}<br />
====temporär: Auszug aus [[Top_10_2013-A6-Sensitive_Data_Exposure| Top 10-2013 RC1: A6-Sensitive_Data_Exposure]]====<br />
<u>Scenario #1:</u> An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.<br />
<br />
<u>Scenario #2:</u> A site simply doesn't use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing all their private data.<br />
<br />
<u>Scenario #3:</u> The password database uses unsalted hashes to store everyone’s passwords. A file upload flaw allows an attacker to retrieve the password file. All the unsalted hashes can be exposed with a rainbow table of precalculated hashes.<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2013}}<br />
====temporär: Auszug aus [[Top_10_2013-A6-Sensitive_Data_Exposure| Top 10-2013 RC1: A6-Sensitive_Data_Exposure]]====<br />
The full perils of unsafe cryptography, SSL usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do all of the following, at a minimum:<br />
# Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.<br />
# Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.<br />
# Ensure strong standard algorithms and strong keys are used, and proper key management is in place.<br />
Ensure passwords are stored with an algorithm specifically designed for password protection, such as [http://en.wikipedia.org/wiki/Bcrypt bcrypt], [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2], or [http://en.wikipedia.org/wiki/Scrypt scrypt].<br />
# Disable autocomplete on forms collecting sensitive data and disable caching for pages displaying sensitive data.<br />
{{Top_10:SubsectionTableEndTemplate}}<br />
<br />
= '''JAVA''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=7|year=2010|language=de}}<br />
Ein einfaches Beispiel für die Veschlüsselung von Texten, hier mit dem AES-128 Algorithmus. Die Auswahl an Verschlüsselungsparametern wie beispielsweise Algorithmus, Ciphermodus oder Schlüssellänge ist groß und kommt immer auf die jeweiligen Daten und die Anwendung an. <br />
<nowiki><br />
String plainText = "HelloWorld";<br />
<br />
// password setzen <br />
String password = "my128bitPassword";<br />
<br />
// CBC Cipher immer mit einem zufällig erzeugten <br />
// Initialization Vector (IV) initialisieren (Länge 16 Byte)<br />
byte[] ivBytes = new byte[16];<br />
(new SecureRandom()).nextBytes(ivBytes);<br />
<br />
// den Schlüssel erzeugen<br />
SecretKeySpec key = new SecretKeySpec(password.getBytes(), "AES");<br />
<br />
// Container für die Verschlüsselungs Parameter<br />
IvParameterSpec paramSpec = new IvParameterSpec(ivBytes); <br />
<br />
// Chiffrierer erzeugen und initialisieren<br />
// Algorithmus: AES<br />
// Modus: CBC<br />
// Padding: PKCS5Padding<br />
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");<br />
cipher.init(Cipher.ENCRYPT_MODE, key, paramSpec); <br />
<br />
// Verschlüsselung durchführen<br />
byte[] encrypted = cipher.doFinal(plainText.getBytes());<br />
</nowiki><br />
<br />
Die Benutzung der ESAPI erleichtert die Handhabung, da neben einer großen Bandbreite an Verschlüsselungs-, Hash-, und Signaturalgorithmen auch Methoden für die Schlüsselerzeugung und -verwaltung unterstüzt werden. Nach Initialisierung der Parameter in der Konfigurationsdatei ESAPI.properties, reduziert sich die eigentliche Verschlüsselung eines Textes beispielsweise zu:<br />
<nowiki><br />
CipherText ciphertext = <br />
ESAPI.encryptor().encrypt( new PlainText(myplaintext) );<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=7|year=2010|language=de}}<br />
Beispiele für das Hashen von Passwörtern. Um die Sicherheit zu erhöhen sollte jedes Passwort mit einem Zufallswert (Salt) berechnet und gespeichert werden sowie möglichst viele Iterationen beim Hashing genutzt werden.<br />
<nowiki><br />
String password = "mypassword";<br />
<br />
// salt anlegen und mit zufälligen Bytes befüllen<br />
byte[] salt = new byte[8];<br />
(new SecureRandom()).nextBytes(salt);<br />
<br />
// Hash-Generator anlegen (verwendeter Algorithmus ist SHA-256)<br />
// und mit salt initialisieren (=> höhere Sicherheit gegen Angriffe)<br />
MessageDigest digest = MessageDigest.getInstance("SHA-256");<br />
digest.reset();<br />
digest.update(salt);<br />
<br />
byte[] input = digest.digest(password.getBytes("UTF-8"));<br />
<br />
// Hash in mehreren Iterationen (n = 100.000) berechnen<br />
// mehr Iterationen verlangsamen Angriffe (signifikant?)<br />
for (int i = 0; i < 100000; i++) {<br />
digest.reset();<br />
input = digest.digest(input);<br />
}<br />
// am Ende der Iterationen enthält input den berechneten Hash<br />
</nowiki><br />
<br />
Sicherer ist allerdings die Nutzung einer PBKDF2 (Password-Based Key Derivation Function 2) wie im folgenden Beispiel: <br />
<nowiki><br />
public byte[] generatePBKDF2Hash(String password) <br />
throws NoSuchAlgorithmException, InvalidKeySpecException { <br />
<br />
byte[] salt = new byte[20]; <br />
// salt mit zufälligen Bytes befüllen<br />
(new SecureRandom()).nextBytes(salt);<br />
<br />
int iterations = 10000;<br />
int keyLength = 160;<br />
// neuen Schlüssel erzeugen <br />
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");<br />
PBEKeySpec pbeKeySpec = new PBEKeySpec(password, salt, iterations, keyLength);<br />
SecretKey mySecretKey = factory.generateSecret(pbeKeySpec);<br />
}<br />
<br />
byte[] hash = generatePBKDF2Hash(password).getEncoded();<br />
</nowiki><br />
<br />
Eine weiterer empfohlener Algorithmus ist bcrypt, hier bespielsweise unter Verwendung der jBCrypt-Bibliothek (siehe Referenzen).<br />
<nowiki><br />
String hashed = BCrypt.hashpw(password, BCrypt.gensalt(12));<br />
</nowiki><br />
Zu bcrypt gibt es mittlerweile eine noch sicherere Variante scrypt, der Link zu einer Beispielimplementierung findet sich bei den Referenzen.<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=7|year=2010|language=de}}<br />
Um geheime Schlüssel sicher, aber auch gleichzeitig einfach zugänglich und austauschbar aufzubewahren empfiehlt sich eine spezielle Schlüsseldatei, wie beispielweise der Java KeyStore. In dieser Datei werden die Schlüssel mit einem Master-Password gesichert, die Datei selbst sollte getrennt von den verschlüsselten Daten abgelegt werden:<br />
<br />
<nowiki><br />
// Erzeugung eines symmetrischen Schlüssels mittels der vorher beschriebenen PBKDF2<br />
String password = "mypassword";<br />
byte[] mySecretKey = generatePBKDF2Hash(password);<br />
<br />
// neuen KeyStore für symmetrische Schlüssel erzeugen <br />
KeyStore ks = KeyStore.getInstance("JCEKS");<br />
ks.load(null, null);<br />
<br />
// Schlüssel speichern<br />
KeyStore.ProtectionParameter passwordProtection = <br />
new KeyStore.PasswordProtection(password);<br />
KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(mySecretKey);<br />
ks.setEntry("beispielkey", entry, passwordProtection);<br />
<br />
// KeyStore in Datei speichern <br />
FileOutputStream fos = new FileOutputStream("SecretKeyStoreDatei");<br />
ks.store(fos,password);<br />
fos.close();<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=1|risk=6|year=2013|language=de}}<br />
;Unzureichende Absicherung der Transportschicht<br />
<br />
Um die Verschlüsselung auf der Transportebene sollte sich der Entwickler nie selbst kümmern, sondern dies immer dem Webserver überlassen:<br />
<br />
Im J2EE-Deployment-Descriptor der Anwendung (= web.xml) ist die folgende Konfiguration vorzunehmen, um sicherzustellen, dass nur ausschließlich über https kommuniziert wird:<br />
<br />
<nowiki><br />
<security-constraint><br />
<web-resource-collection><br />
<web-resource-name>Protected Context</web-resource-name><br />
<url-pattern>/*</url-pattern><br />
</web-resource-collection><br />
<!-- auth-constraint an dieser Stelle für Authentisierung --><br />
<user-data-constraint><br />
<transport-guarantee>CONFIDENTIAL</transport-guarantee><br />
</user-data-constraint><br />
</security-constraint><br />
</nowiki><br />
<br />
Für Session-Cookies ist immer das Attribute SECURE zu setzen:<br />
<nowiki><br />
<session-config> <br />
<cookie-config> <br />
<secure><br />
true<br />
</secure> <br />
</cookie-config> <br />
</session-config> <br />
</nowiki><br />
In der Server-Configuration ist sicherzustellen, dass nur TLS und SSL3 unterstützt werden.<br />
Das Speichern von vertraulichen Inhalten am Client oder auf einem Proxy kann über den Header Cache-Control verhindert werden:<br />
<br />
Header set Cache-Control "no-cache, no store, must-revalidate"<br />
<br />
Weitere Hinweise im [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Layer Protection Cheat Sheet]<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=1a|risk=9|year=2010|language=de}}<br />
<br />
Die Sicherheitskonfiguration unter Option 1 hat noch eine Schwachstelle, so das MITM (Man In The Middle attack) nicht zuverlässig verhindert wird. MITM erzeugt einen Zertifikatsfehler am Client, der üblicherweise aber (durch den Anwender) ignoriert wird. Deshalb wurde der HTTP-Header "HTTP Strict Transport Security (HSTS)" eingeführt. Damit werden kompatible Browser (Firefox, Chrome, Opera aber bisher NICHT IE) angewiesen, dass <br />
* der Browser den http-Request ausschließlich über https verschickt (auch falls die Seite mit http aufgerufen wird).<br />
* der Anwender Zertifikatsfehler im Browser nicht mehr ignorieren kann.<br />
<br />
Konfiguration im Apache:<br />
Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"<br />
<br />
Da der HSTS-Header nur über https übermittelt wird ist zusätzlich ein Redirect nötig:<br />
<br />
<VirtualHost *:80><br />
ServerAlias *<br />
RewriteEngine On<br />
<nowiki>RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]</nowiki><br />
</VirtualHost><br />
<br />
Quellen: <br />
<br />
[https://www.owasp.org/index.php/HTTP_Strict_Transport_Security HTTP_Strict_Transport_Security ]<br />
<br />
[http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata AppSecTutorial Series - Episode 4]<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
Einen umfangreicheren Überblick über die Anforderungen und die hierbei zu vermeidenden Probleme gibt es unter [http://www.owasp.org/index.php/ASVS#tab=ASVS ASVS requirements on Cryptography (V7)]. Des Weiteren:<br />
* [[Top_10_2007-Insecure_Cryptographic_Storage | OWASP Top 10-2007 on Insecure Cryptographic Storage]]<br />
* [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encryptor.html ESAPI Encryptor API]<br />
* [http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography]<br />
* [[Codereview-Cryptography | OWASP Code Review Guide: Chapter on Cryptography]]<br />
{{Top_10_2010_Developer_Edition_De:SubSubsectionExternalReferencesTemplate|language=de}}<br />
* [http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]<br />
* [http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive Information]<br />
* [http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]<br />
* [http://www.mindrot.org/projects/jBCrypt Reine Java Implementierung von BCrypt]<br />
* [https://github.com/wg/scrypt Beispielimplementierung von SCrypt]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=JAVA<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''PHP''' =<br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=2|risk=7|year=2010|language=de}}<br />
Um vorerstellte Hash-Tabellen zu verhindern, kann jedem Datensatz eine zufällige Zeichenfolge hinzugefügt werden, welche als Salt (Deutsch: Salz) bezeichnet wird. Ein Beispiel für die sichere Erstellung eines Hashwerts ist im Folgendemn gegeben. Dafür muss das GIT-Projekt [https://github.com/ircmaxell/password_compat] eingebunden werden, ab PHP-Version 5.5 ist dies im Kern enthalten. <br />
Das Salt wird bspw. bei einem Linuxsystem in der Funktion password_hash() durch Zugriff auf /dev/urandom erstellt. Der Rückgabewert der Funktion ist eine Zeichenkette und beinhaltet u.a. den Hashwert, das Salt und den genutzten Algorithmus.<br />
Die Kosten, welche die Anzahl der Hash-Iterationen angeben, können über den dritten Parameter festgelegt werden.<br />
<br />
<nowiki>$options = [<br />
'cost' => 12,<br />
];<br />
$inputHash = password_hash($_GET['password'], CRYPT_SHA256, $options);<br />
storeHash($user, $inputHash); // Speichere Hash<br />
$hash = getHash($user); // Hole Hash aus der Datenbank<br />
$isPasswordVerified = password_verify($_GET['password'], $hash); // Prüfe eingegebenes Passwort gegen gespeichertes Passwort<br />
if($isPasswordVerified) {<br />
// Password korrekt<br />
} else {<br />
throw new PasswordVerificationException("");<br />
}<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
Einen umfangreicheren Überblick über die Anforderungen und die hierbei zu vermeidenden Probleme gibt es unter [http://www.owasp.org/index.php/ASVS#tab=ASVS ASVS requirements on Cryptography (V7)]. Des Weiteren:<br />
* [[Top_10_2007-Insecure_Cryptographic_Storage | OWASP Top 10-2007 on Insecure Cryptographic Storage]]<br />
* [http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography]<br />
* [[Codereview-Cryptography | OWASP Code Review Guide: Chapter on Cryptography]]<br />
{{Top_10_2010_Developer_Edition_De:SubSubsectionExternalReferencesTemplate|language=de}}<br />
* [http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]<br />
* [http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive Information]<br />
* [http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]<br />
* [http://www.php.net/manual/en/function.password-hash.php Funktionsweise der Funktion password_hash]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=PHP<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''Test''' =<br />
<!-- weitere Programmiersprachen oder evtl Anti-Beispiele ---><br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=whole|title=|risk=7|year=2010|language=de}}<br />
tbd<br />
Text<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=left|risk=7|year=2010|language=de}}<br />
(ganze Breite)<br />
Text<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=Test<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<headertabs /><br />
{{Top_10_2013_DeveloperEdition:BottomAdvancedTemplate<br />
|type=0<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=Germany/Projekte/Top_10_fuer_Entwickler-2013/A6-Verlust_der_Vertraulichkeit_sensibler_Daten&diff=165731Germany/Projekte/Top 10 fuer Entwickler-2013/A6-Verlust der Vertraulichkeit sensibler Daten2014-01-11T17:06:59Z<p>Timo Pagel: </p>
<hr />
<div>{{Top_10_2013_DeveloperEdition:TopTemplate<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate<br />
|A6 {{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}} <small>({{Top_10_2010:ByTheNumbers|7|year=2010|language=de}} / {{Top_10_2010:ByTheNumbers|9|year=2010|language=de}})</small><br />
||year=2013<br />
}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SummaryTableHeaderBeginTemplate|year=2010|language=de}}<br />
{{Top_10:SummaryTableTemplate|exploitability=3|prevalence=3|detectability=2|impact=1|language=de|year=2013}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Jeder Benutzer des Systems ist zu betrachten.<br />
Haben diese ein Interesse, auf geschützte Daten unberechtigt zuzugreifen?<br />
Wie steht es um Administratoren?</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Angreifer brechen üblicherweise nicht die eigentliche Kryptografie. Statt dessen finden Sie Schlüssel, Klartexte oder greifen über Kanäle mit automatischer Entschlüsselung auf Daten zu.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Fehlende Verschlüsselung vertraulicher Daten ist die häufigste Schwachstelle, gefolgt von unsicherer Schlüsselerzeugung, der Speicherung statischer Schlüssel und die Nutzung schwacher Algorithmen. Schwache Hashwerte ohne Salt kommen zum Passwortschutz oft vor. Ein eingeschränkter Zugriff lässt externe Angreifer solche Probleme i.d.R. nicht leicht entdecken. Den nötigen Zugriff müssen sie vorher auf andere Weise erlangen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Fehler kompromittieren regelmäßig vertrauliche Daten. Es handelt sich hierbei oft um sensitive Daten wie personenbezogene Daten, Benutzernamen und Passwörter oder Kreditkarteninformationen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Betrachten Sie den Wert verlorener Daten und die Auswirkungen auf die Reputation des betroffenen Unternehmens. Hat es ggf. auch juristische Konsequenzen, wenn die Daten bekannt werden?</td><br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=firstLeft|risk=7|year=2010|language=de}} <br />
'''<u>Szenario 1</u>''': Eine Anwendung speichert verschlüsselt Kreditkartendaten in einer Datenbank, um Sie vor Angreifern zu schützen. Die Datenbank ist so eingerichtet, dass die Daten beim Auslesen automatisch entschlüsselt werden. Durch SQL-Injection können in diesem Fall alle Kreditkartendaten im Klartext ausgelesen werden. Das System hätte so konfiguriert sein sollen, dass nur nachgelagerte Anwendungen und nicht die Webanwendung selbst entschlüsseln dürfen.<br/> <br />
'''<u>Szenario 2</u>''': Ein Datensicherungsband speichert verschlüsselte Gesundheitsdaten, aber der Schlüssel ist ebenfalls dort gespeichert. Das Band geht auf dem Transportweg verloren.<br/><br />
'''<u>Szenario 3</u>''': Die Passwortdatenbank benutzt Hashwerte ohne Salt zur Speicherung der Passwörter. Eine Schwachstelle in der Downloadfunktion ermöglicht einem Angreifer den Zugriff auf die Datei. Zu allen Hashes kann in vier Wochen ein passender Klartext gefunden werden. Bei starken Hashwerten mit Salt hätte dieser Angriff über 3000 Jahre gedauert.<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=7|year=2010|language=de}} <br />
Eine Übersicht über alle Tücken unsicherer Kryptografie liegt weit außerhalb des Rahmens der Top 10. Für alle vertraulichen Daten sollten Sie zumindest:<br />
# Die Bedrohungen betrachten, vor denen Sie die Daten schützen wollen (z. B. Innen- und Außentäter) und sicherstellen, dass diese Daten angemessen durch Verschlüsselung geschützt werden.<br />
# Sicherstellen, dass ausgelagerte Datensicherungen verschlüsselt sind und die Schlüssel getrennt verwaltet und gesichert werden.<br />
# Sicherstellen, dass angemessene, starke Algorithmen und Schlüssel verwendet und verwaltet werden.<br />
# Sicherstellen, dass Passwörter mit einem starken Algorithmus und einem angemessenen Salt gehasht werden.<br />
# Sicherstellen, dass alle Schlüssel und Passwörter vor unberechtigtem Zugriff geschützt sind.<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=6|year=2013}}<br />
====temporär: Auszug aus [[Top_10_2013-A6-Sensitive_Data_Exposure| Top 10-2013 RC1: A6-Sensitive_Data_Exposure]]====<br />
<u>Scenario #1:</u> An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.<br />
<br />
<u>Scenario #2:</u> A site simply doesn't use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing all their private data.<br />
<br />
<u>Scenario #3:</u> The password database uses unsalted hashes to store everyone’s passwords. A file upload flaw allows an attacker to retrieve the password file. All the unsalted hashes can be exposed with a rainbow table of precalculated hashes.<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2013}}<br />
====temporär: Auszug aus [[Top_10_2013-A6-Sensitive_Data_Exposure| Top 10-2013 RC1: A6-Sensitive_Data_Exposure]]====<br />
The full perils of unsafe cryptography, SSL usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do all of the following, at a minimum:<br />
# Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.<br />
# Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.<br />
# Ensure strong standard algorithms and strong keys are used, and proper key management is in place.<br />
Ensure passwords are stored with an algorithm specifically designed for password protection, such as [http://en.wikipedia.org/wiki/Bcrypt bcrypt], [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2], or [http://en.wikipedia.org/wiki/Scrypt scrypt].<br />
# Disable autocomplete on forms collecting sensitive data and disable caching for pages displaying sensitive data.<br />
{{Top_10:SubsectionTableEndTemplate}}<br />
<br />
= '''JAVA''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=7|year=2010|language=de}}<br />
Ein einfaches Beispiel für die Veschlüsselung von Texten, hier mit dem AES-128 Algorithmus. Die Auswahl an Verschlüsselungsparametern wie beispielsweise Algorithmus, Ciphermodus oder Schlüssellänge ist groß und kommt immer auf die jeweiligen Daten und die Anwendung an. <br />
<nowiki><br />
String plainText = "HelloWorld";<br />
<br />
// password setzen <br />
String password = "my128bitPassword";<br />
<br />
// CBC Cipher immer mit einem zufällig erzeugten <br />
// Initialization Vector (IV) initialisieren (Länge 16 Byte)<br />
byte[] ivBytes = new byte[16];<br />
(new SecureRandom()).nextBytes(ivBytes);<br />
<br />
// den Schlüssel erzeugen<br />
SecretKeySpec key = new SecretKeySpec(password.getBytes(), "AES");<br />
<br />
// Container für die Verschlüsselungs Parameter<br />
IvParameterSpec paramSpec = new IvParameterSpec(ivBytes); <br />
<br />
// Chiffrierer erzeugen und initialisieren<br />
// Algorithmus: AES<br />
// Modus: CBC<br />
// Padding: PKCS5Padding<br />
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");<br />
cipher.init(Cipher.ENCRYPT_MODE, key, paramSpec); <br />
<br />
// Verschlüsselung durchführen<br />
byte[] encrypted = cipher.doFinal(plainText.getBytes());<br />
</nowiki><br />
<br />
Die Benutzung der ESAPI erleichtert die Handhabung, da neben einer großen Bandbreite an Verschlüsselungs-, Hash-, und Signaturalgorithmen auch Methoden für die Schlüsselerzeugung und -verwaltung unterstüzt werden. Nach Initialisierung der Parameter in der Konfigurationsdatei ESAPI.properties, reduziert sich die eigentliche Verschlüsselung eines Textes beispielsweise zu:<br />
<nowiki><br />
CipherText ciphertext = <br />
ESAPI.encryptor().encrypt( new PlainText(myplaintext) );<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=7|year=2010|language=de}}<br />
Beispiele für das Hashen von Passwörtern. Um die Sicherheit zu erhöhen sollte jedes Passwort mit einem Zufallswert (Salt) berechnet und gespeichert werden sowie möglichst viele Iterationen beim Hashing genutzt werden.<br />
<nowiki><br />
String password = "mypassword";<br />
<br />
// salt anlegen und mit zufälligen Bytes befüllen<br />
byte[] salt = new byte[8];<br />
(new SecureRandom()).nextBytes(salt);<br />
<br />
// Hash-Generator anlegen (verwendeter Algorithmus ist SHA-256)<br />
// und mit salt initialisieren (=> höhere Sicherheit gegen Angriffe)<br />
MessageDigest digest = MessageDigest.getInstance("SHA-256");<br />
digest.reset();<br />
digest.update(salt);<br />
<br />
byte[] input = digest.digest(password.getBytes("UTF-8"));<br />
<br />
// Hash in mehreren Iterationen (n = 100.000) berechnen<br />
// mehr Iterationen verlangsamen Angriffe (signifikant?)<br />
for (int i = 0; i < 100000; i++) {<br />
digest.reset();<br />
input = digest.digest(input);<br />
}<br />
// am Ende der Iterationen enthält input den berechneten Hash<br />
</nowiki><br />
<br />
Sicherer ist allerdings die Nutzung einer PBKDF2 (Password-Based Key Derivation Function 2) wie im folgenden Beispiel: <br />
<nowiki><br />
public byte[] generatePBKDF2Hash(String password) <br />
throws NoSuchAlgorithmException, InvalidKeySpecException { <br />
<br />
byte[] salt = new byte[20]; <br />
// salt mit zufälligen Bytes befüllen<br />
(new SecureRandom()).nextBytes(salt);<br />
<br />
int iterations = 10000;<br />
int keyLength = 160;<br />
// neuen Schlüssel erzeugen <br />
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");<br />
PBEKeySpec pbeKeySpec = new PBEKeySpec(password, salt, iterations, keyLength);<br />
SecretKey mySecretKey = factory.generateSecret(pbeKeySpec);<br />
}<br />
<br />
byte[] hash = generatePBKDF2Hash(password).getEncoded();<br />
</nowiki><br />
<br />
Eine weiterer empfohlener Algorithmus ist bcrypt, hier bespielsweise unter Verwendung der jBCrypt-Bibliothek (siehe Referenzen).<br />
<nowiki><br />
String hashed = BCrypt.hashpw(password, BCrypt.gensalt(12));<br />
</nowiki><br />
Zu bcrypt gibt es mittlerweile eine noch sicherere Variante scrypt, der Link zu einer Beispielimplementierung findet sich bei den Referenzen.<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=7|year=2010|language=de}}<br />
Um geheime Schlüssel sicher, aber auch gleichzeitig einfach zugänglich und austauschbar aufzubewahren empfiehlt sich eine spezielle Schlüsseldatei, wie beispielweise der Java KeyStore. In dieser Datei werden die Schlüssel mit einem Master-Password gesichert, die Datei selbst sollte getrennt von den verschlüsselten Daten abgelegt werden:<br />
<br />
<nowiki><br />
// Erzeugung eines symmetrischen Schlüssels mittels der vorher beschriebenen PBKDF2<br />
String password = "mypassword";<br />
byte[] mySecretKey = generatePBKDF2Hash(password);<br />
<br />
// neuen KeyStore für symmetrische Schlüssel erzeugen <br />
KeyStore ks = KeyStore.getInstance("JCEKS");<br />
ks.load(null, null);<br />
<br />
// Schlüssel speichern<br />
KeyStore.ProtectionParameter passwordProtection = <br />
new KeyStore.PasswordProtection(password);<br />
KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(mySecretKey);<br />
ks.setEntry("beispielkey", entry, passwordProtection);<br />
<br />
// KeyStore in Datei speichern <br />
FileOutputStream fos = new FileOutputStream("SecretKeyStoreDatei");<br />
ks.store(fos,password);<br />
fos.close();<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=1|risk=6|year=2013|language=de}}<br />
;Unzureichende Absicherung der Transportschicht<br />
<br />
Um die Verschlüsselung auf der Transportebene sollte sich der Entwickler nie selbst kümmern, sondern dies immer dem Webserver überlassen:<br />
<br />
Im J2EE-Deployment-Descriptor der Anwendung (= web.xml) ist die folgende Konfiguration vorzunehmen, um sicherzustellen, dass nur ausschließlich über https kommuniziert wird:<br />
<br />
<nowiki><br />
<security-constraint><br />
<web-resource-collection><br />
<web-resource-name>Protected Context</web-resource-name><br />
<url-pattern>/*</url-pattern><br />
</web-resource-collection><br />
<!-- auth-constraint an dieser Stelle für Authentisierung --><br />
<user-data-constraint><br />
<transport-guarantee>CONFIDENTIAL</transport-guarantee><br />
</user-data-constraint><br />
</security-constraint><br />
</nowiki><br />
<br />
Für Session-Cookies ist immer das Attribute SECURE zu setzen:<br />
<nowiki><br />
<session-config> <br />
<cookie-config> <br />
<secure><br />
true<br />
</secure> <br />
</cookie-config> <br />
</session-config> <br />
</nowiki><br />
In der Server-Configuration ist sicherzustellen, dass nur TLS und SSL3 unterstützt werden.<br />
Das Speichern von vertraulichen Inhalten am Client oder auf einem Proxy kann über den Header Cache-Control verhindert werden:<br />
<br />
Header set Cache-Control "no-cache, no store, must-revalidate"<br />
<br />
Weitere Hinweise im [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Layer Protection Cheat Sheet]<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=1a|risk=9|year=2010|language=de}}<br />
<br />
Die Sicherheitskonfiguration unter Option 1 hat noch eine Schwachstelle, so das MITM (Man In The Middle attack) nicht zuverlässig verhindert wird. MITM erzeugt einen Zertifikatsfehler am Client, der üblicherweise aber (durch den Anwender) ignoriert wird. Deshalb wurde der HTTP-Header "HTTP Strict Transport Security (HSTS)" eingeführt. Damit werden kompatible Browser (Firefox, Chrome, Opera aber bisher NICHT IE) angewiesen, dass <br />
* der Browser den http-Request ausschließlich über https verschickt (auch falls die Seite mit http aufgerufen wird).<br />
* der Anwender Zertifikatsfehler im Browser nicht mehr ignorieren kann.<br />
<br />
Konfiguration im Apache:<br />
Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"<br />
<br />
Da der HSTS-Header nur über https übermittelt wird ist zusätzlich ein Redirect nötig:<br />
<br />
<VirtualHost *:80><br />
ServerAlias *<br />
RewriteEngine On<br />
<nowiki>RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]</nowiki><br />
</VirtualHost><br />
<br />
Quellen: <br />
<br />
[https://www.owasp.org/index.php/HTTP_Strict_Transport_Security HTTP_Strict_Transport_Security ]<br />
<br />
[http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata AppSecTutorial Series - Episode 4]<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
Einen umfangreicheren Überblick über die Anforderungen und die hierbei zu vermeidenden Probleme gibt es unter [http://www.owasp.org/index.php/ASVS#tab=ASVS ASVS requirements on Cryptography (V7)]. Des Weiteren:<br />
* [[Top_10_2007-Insecure_Cryptographic_Storage | OWASP Top 10-2007 on Insecure Cryptographic Storage]]<br />
* [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encryptor.html ESAPI Encryptor API]<br />
* [http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography]<br />
* [[Codereview-Cryptography | OWASP Code Review Guide: Chapter on Cryptography]]<br />
{{Top_10_2010_Developer_Edition_De:SubSubsectionExternalReferencesTemplate|language=de}}<br />
* [http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]<br />
* [http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive Information]<br />
* [http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]<br />
* [http://www.mindrot.org/projects/jBCrypt Reine Java Implementierung von BCrypt]<br />
* [https://github.com/wg/scrypt Beispielimplementierung von SCrypt]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=JAVA<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''PHP''' =<br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=2|risk=7|year=2010|language=de}}<br />
Um vorerstellte Hash-Tabellen zu verhindern, kann jedem Datensatz eine zufällige Zeichenfolge hinzugefügt werden, welche als Salt (Deutsch: Salz) bezeichnet wird. Ein Beispiel für die sichere Erstellung eines Hashwerts ist im Folgendem gegeben. Dafür muss das GIT-Projekt [https://github.com/ircmaxell/password_compat] eingebunden werden, ab PHP-Version 5.5 ist dies im Kern enthalten. <br />
Das Salt wird bspw. bei einem Linuxsystem in der Funktion password_hash() durch Zugriff auf /dev/urandom erstellt. Der Rückgabewert der Funktion ist eine Zeichenkette und beinhaltet u.a. den Hashwert, das Salt und den genutzten Algorithmus.<br />
Die Kosten, welche die Anzahl der Hash-Iterationen angeben, können über den dritten Parameter festgelegt werden.<br />
<br />
<nowiki>$options = [<br />
'cost' => 12,<br />
];<br />
$inputHash = password_hash($_GET['password'], CRYPT_SHA256, $options);<br />
storeHash($user, $inputHash); // Speichere Hash<br />
$hash = getHash($user); // Hole Hash aus der Datenbank<br />
$isPasswordVerified = password_verify($_GET['password'], $hash); // Prüfe eingegebenes Passwort gegen gespeichertes Passwort<br />
if($isPasswordVerified) {<br />
// Password korrekt<br />
} else {<br />
throw new PasswordVerificationException("");<br />
}<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
Einen umfangreicheren Überblick über die Anforderungen und die hierbei zu vermeidenden Probleme gibt es unter [http://www.owasp.org/index.php/ASVS#tab=ASVS ASVS requirements on Cryptography (V7)]. Des Weiteren:<br />
* [[Top_10_2007-Insecure_Cryptographic_Storage | OWASP Top 10-2007 on Insecure Cryptographic Storage]]<br />
* [http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography]<br />
* [[Codereview-Cryptography | OWASP Code Review Guide: Chapter on Cryptography]]<br />
{{Top_10_2010_Developer_Edition_De:SubSubsectionExternalReferencesTemplate|language=de}}<br />
* [http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]<br />
* [http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive Information]<br />
* [http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]<br />
* [http://www.php.net/manual/en/function.password-hash.php Funktionsweise der Funktion password_hash]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=PHP<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''Test''' =<br />
<!-- weitere Programmiersprachen oder evtl Anti-Beispiele ---><br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=whole|title=|risk=7|year=2010|language=de}}<br />
tbd<br />
Text<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=left|risk=7|year=2010|language=de}}<br />
(ganze Breite)<br />
Text<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=Test<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<headertabs /><br />
{{Top_10_2013_DeveloperEdition:BottomAdvancedTemplate<br />
|type=0<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=Germany/Projekte/Top_10_fuer_Entwickler-2013/A6-Verlust_der_Vertraulichkeit_sensibler_Daten&diff=165730Germany/Projekte/Top 10 fuer Entwickler-2013/A6-Verlust der Vertraulichkeit sensibler Daten2014-01-11T16:24:45Z<p>Timo Pagel: Remove Java-Specific parts from PHP</p>
<hr />
<div>{{Top_10_2013_DeveloperEdition:TopTemplate<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate<br />
|A6 {{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}} <small>({{Top_10_2010:ByTheNumbers|7|year=2010|language=de}} / {{Top_10_2010:ByTheNumbers|9|year=2010|language=de}})</small><br />
||year=2013<br />
}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SummaryTableHeaderBeginTemplate|year=2010|language=de}}<br />
{{Top_10:SummaryTableTemplate|exploitability=3|prevalence=3|detectability=2|impact=1|language=de|year=2013}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Jeder Benutzer des Systems ist zu betrachten.<br />
Haben diese ein Interesse, auf geschützte Daten unberechtigt zuzugreifen?<br />
Wie steht es um Administratoren?</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Angreifer brechen üblicherweise nicht die eigentliche Kryptografie. Statt dessen finden Sie Schlüssel, Klartexte oder greifen über Kanäle mit automatischer Entschlüsselung auf Daten zu.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Fehlende Verschlüsselung vertraulicher Daten ist die häufigste Schwachstelle, gefolgt von unsicherer Schlüsselerzeugung, der Speicherung statischer Schlüssel und die Nutzung schwacher Algorithmen. Schwache Hashwerte ohne Salt kommen zum Passwortschutz oft vor. Ein eingeschränkter Zugriff lässt externe Angreifer solche Probleme i.d.R. nicht leicht entdecken. Den nötigen Zugriff müssen sie vorher auf andere Weise erlangen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Fehler kompromittieren regelmäßig vertrauliche Daten. Es handelt sich hierbei oft um sensitive Daten wie personenbezogene Daten, Benutzernamen und Passwörter oder Kreditkarteninformationen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Betrachten Sie den Wert verlorener Daten und die Auswirkungen auf die Reputation des betroffenen Unternehmens. Hat es ggf. auch juristische Konsequenzen, wenn die Daten bekannt werden?</td><br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=firstLeft|risk=7|year=2010|language=de}} <br />
'''<u>Szenario 1</u>''': Eine Anwendung speichert verschlüsselt Kreditkartendaten in einer Datenbank, um Sie vor Angreifern zu schützen. Die Datenbank ist so eingerichtet, dass die Daten beim Auslesen automatisch entschlüsselt werden. Durch SQL-Injection können in diesem Fall alle Kreditkartendaten im Klartext ausgelesen werden. Das System hätte so konfiguriert sein sollen, dass nur nachgelagerte Anwendungen und nicht die Webanwendung selbst entschlüsseln dürfen.<br/> <br />
'''<u>Szenario 2</u>''': Ein Datensicherungsband speichert verschlüsselte Gesundheitsdaten, aber der Schlüssel ist ebenfalls dort gespeichert. Das Band geht auf dem Transportweg verloren.<br/><br />
'''<u>Szenario 3</u>''': Die Passwortdatenbank benutzt Hashwerte ohne Salt zur Speicherung der Passwörter. Eine Schwachstelle in der Downloadfunktion ermöglicht einem Angreifer den Zugriff auf die Datei. Zu allen Hashes kann in vier Wochen ein passender Klartext gefunden werden. Bei starken Hashwerten mit Salt hätte dieser Angriff über 3000 Jahre gedauert.<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=7|year=2010|language=de}} <br />
Eine Übersicht über alle Tücken unsicherer Kryptografie liegt weit außerhalb des Rahmens der Top 10. Für alle vertraulichen Daten sollten Sie zumindest:<br />
# Die Bedrohungen betrachten, vor denen Sie die Daten schützen wollen (z. B. Innen- und Außentäter) und sicherstellen, dass diese Daten angemessen durch Verschlüsselung geschützt werden.<br />
# Sicherstellen, dass ausgelagerte Datensicherungen verschlüsselt sind und die Schlüssel getrennt verwaltet und gesichert werden.<br />
# Sicherstellen, dass angemessene, starke Algorithmen und Schlüssel verwendet und verwaltet werden.<br />
# Sicherstellen, dass Passwörter mit einem starken Algorithmus und einem angemessenen Salt gehasht werden.<br />
# Sicherstellen, dass alle Schlüssel und Passwörter vor unberechtigtem Zugriff geschützt sind.<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=6|year=2013}}<br />
====temporär: Auszug aus [[Top_10_2013-A6-Sensitive_Data_Exposure| Top 10-2013 RC1: A6-Sensitive_Data_Exposure]]====<br />
<u>Scenario #1:</u> An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.<br />
<br />
<u>Scenario #2:</u> A site simply doesn't use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing all their private data.<br />
<br />
<u>Scenario #3:</u> The password database uses unsalted hashes to store everyone’s passwords. A file upload flaw allows an attacker to retrieve the password file. All the unsalted hashes can be exposed with a rainbow table of precalculated hashes.<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2013}}<br />
====temporär: Auszug aus [[Top_10_2013-A6-Sensitive_Data_Exposure| Top 10-2013 RC1: A6-Sensitive_Data_Exposure]]====<br />
The full perils of unsafe cryptography, SSL usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do all of the following, at a minimum:<br />
# Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.<br />
# Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.<br />
# Ensure strong standard algorithms and strong keys are used, and proper key management is in place.<br />
Ensure passwords are stored with an algorithm specifically designed for password protection, such as [http://en.wikipedia.org/wiki/Bcrypt bcrypt], [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2], or [http://en.wikipedia.org/wiki/Scrypt scrypt].<br />
# Disable autocomplete on forms collecting sensitive data and disable caching for pages displaying sensitive data.<br />
{{Top_10:SubsectionTableEndTemplate}}<br />
<br />
= '''JAVA''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=7|year=2010|language=de}}<br />
Ein einfaches Beispiel für die Veschlüsselung von Texten, hier mit dem AES-128 Algorithmus. Die Auswahl an Verschlüsselungsparametern wie beispielsweise Algorithmus, Ciphermodus oder Schlüssellänge ist groß und kommt immer auf die jeweiligen Daten und die Anwendung an. <br />
<nowiki><br />
String plainText = "HelloWorld";<br />
<br />
// password setzen <br />
String password = "my128bitPassword";<br />
<br />
// CBC Cipher immer mit einem zufällig erzeugten <br />
// Initialization Vector (IV) initialisieren (Länge 16 Byte)<br />
byte[] ivBytes = new byte[16];<br />
(new SecureRandom()).nextBytes(ivBytes);<br />
<br />
// den Schlüssel erzeugen<br />
SecretKeySpec key = new SecretKeySpec(password.getBytes(), "AES");<br />
<br />
// Container für die Verschlüsselungs Parameter<br />
IvParameterSpec paramSpec = new IvParameterSpec(ivBytes); <br />
<br />
// Chiffrierer erzeugen und initialisieren<br />
// Algorithmus: AES<br />
// Modus: CBC<br />
// Padding: PKCS5Padding<br />
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");<br />
cipher.init(Cipher.ENCRYPT_MODE, key, paramSpec); <br />
<br />
// Verschlüsselung durchführen<br />
byte[] encrypted = cipher.doFinal(plainText.getBytes());<br />
</nowiki><br />
<br />
Die Benutzung der ESAPI erleichtert die Handhabung, da neben einer großen Bandbreite an Verschlüsselungs-, Hash-, und Signaturalgorithmen auch Methoden für die Schlüsselerzeugung und -verwaltung unterstüzt werden. Nach Initialisierung der Parameter in der Konfigurationsdatei ESAPI.properties, reduziert sich die eigentliche Verschlüsselung eines Textes beispielsweise zu:<br />
<nowiki><br />
CipherText ciphertext = <br />
ESAPI.encryptor().encrypt( new PlainText(myplaintext) );<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=7|year=2010|language=de}}<br />
Beispiele für das Hashen von Passwörtern. Um die Sicherheit zu erhöhen sollte jedes Passwort mit einem Zufallswert (Salt) berechnet und gespeichert werden sowie möglichst viele Iterationen beim Hashing genutzt werden.<br />
<nowiki><br />
String password = "mypassword";<br />
<br />
// salt anlegen und mit zufälligen Bytes befüllen<br />
byte[] salt = new byte[8];<br />
(new SecureRandom()).nextBytes(salt);<br />
<br />
// Hash-Generator anlegen (verwendeter Algorithmus ist SHA-256)<br />
// und mit salt initialisieren (=> höhere Sicherheit gegen Angriffe)<br />
MessageDigest digest = MessageDigest.getInstance("SHA-256");<br />
digest.reset();<br />
digest.update(salt);<br />
<br />
byte[] input = digest.digest(password.getBytes("UTF-8"));<br />
<br />
// Hash in mehreren Iterationen (n = 100.000) berechnen<br />
// mehr Iterationen verlangsamen Angriffe (signifikant?)<br />
for (int i = 0; i < 100000; i++) {<br />
digest.reset();<br />
input = digest.digest(input);<br />
}<br />
// am Ende der Iterationen enthält input den berechneten Hash<br />
</nowiki><br />
<br />
Sicherer ist allerdings die Nutzung einer PBKDF2 (Password-Based Key Derivation Function 2) wie im folgenden Beispiel: <br />
<nowiki><br />
public byte[] generatePBKDF2Hash(String password) <br />
throws NoSuchAlgorithmException, InvalidKeySpecException { <br />
<br />
byte[] salt = new byte[20]; <br />
// salt mit zufälligen Bytes befüllen<br />
(new SecureRandom()).nextBytes(salt);<br />
<br />
int iterations = 10000;<br />
int keyLength = 160;<br />
// neuen Schlüssel erzeugen <br />
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");<br />
PBEKeySpec pbeKeySpec = new PBEKeySpec(password, salt, iterations, keyLength);<br />
SecretKey mySecretKey = factory.generateSecret(pbeKeySpec);<br />
}<br />
<br />
byte[] hash = generatePBKDF2Hash(password).getEncoded();<br />
</nowiki><br />
<br />
Eine weiterer empfohlener Algorithmus ist bcrypt, hier bespielsweise unter Verwendung der jBCrypt-Bibliothek (siehe Referenzen).<br />
<nowiki><br />
String hashed = BCrypt.hashpw(password, BCrypt.gensalt(12));<br />
</nowiki><br />
Zu bcrypt gibt es mittlerweile eine noch sicherere Variante scrypt, der Link zu einer Beispielimplementierung findet sich bei den Referenzen.<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=7|year=2010|language=de}}<br />
Um geheime Schlüssel sicher, aber auch gleichzeitig einfach zugänglich und austauschbar aufzubewahren empfiehlt sich eine spezielle Schlüsseldatei, wie beispielweise der Java KeyStore. In dieser Datei werden die Schlüssel mit einem Master-Password gesichert, die Datei selbst sollte getrennt von den verschlüsselten Daten abgelegt werden:<br />
<br />
<nowiki><br />
// Erzeugung eines symmetrischen Schlüssels mittels der vorher beschriebenen PBKDF2<br />
String password = "mypassword";<br />
byte[] mySecretKey = generatePBKDF2Hash(password);<br />
<br />
// neuen KeyStore für symmetrische Schlüssel erzeugen <br />
KeyStore ks = KeyStore.getInstance("JCEKS");<br />
ks.load(null, null);<br />
<br />
// Schlüssel speichern<br />
KeyStore.ProtectionParameter passwordProtection = <br />
new KeyStore.PasswordProtection(password);<br />
KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(mySecretKey);<br />
ks.setEntry("beispielkey", entry, passwordProtection);<br />
<br />
// KeyStore in Datei speichern <br />
FileOutputStream fos = new FileOutputStream("SecretKeyStoreDatei");<br />
ks.store(fos,password);<br />
fos.close();<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=1|risk=6|year=2013|language=de}}<br />
;Unzureichende Absicherung der Transportschicht<br />
<br />
Um die Verschlüsselung auf der Transportebene sollte sich der Entwickler nie selbst kümmern, sondern dies immer dem Webserver überlassen:<br />
<br />
Im J2EE-Deployment-Descriptor der Anwendung (= web.xml) ist die folgende Konfiguration vorzunehmen, um sicherzustellen, dass nur ausschließlich über https kommuniziert wird:<br />
<br />
<nowiki><br />
<security-constraint><br />
<web-resource-collection><br />
<web-resource-name>Protected Context</web-resource-name><br />
<url-pattern>/*</url-pattern><br />
</web-resource-collection><br />
<!-- auth-constraint an dieser Stelle für Authentisierung --><br />
<user-data-constraint><br />
<transport-guarantee>CONFIDENTIAL</transport-guarantee><br />
</user-data-constraint><br />
</security-constraint><br />
</nowiki><br />
<br />
Für Session-Cookies ist immer das Attribute SECURE zu setzen:<br />
<nowiki><br />
<session-config> <br />
<cookie-config> <br />
<secure><br />
true<br />
</secure> <br />
</cookie-config> <br />
</session-config> <br />
</nowiki><br />
In der Server-Configuration ist sicherzustellen, dass nur TLS und SSL3 unterstützt werden.<br />
Das Speichern von vertraulichen Inhalten am Client oder auf einem Proxy kann über den Header Cache-Control verhindert werden:<br />
<br />
Header set Cache-Control "no-cache, no store, must-revalidate"<br />
<br />
Weitere Hinweise im [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Layer Protection Cheat Sheet]<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=1a|risk=9|year=2010|language=de}}<br />
<br />
Die Sicherheitskonfiguration unter Option 1 hat noch eine Schwachstelle, so das MITM (Man In The Middle attack) nicht zuverlässig verhindert wird. MITM erzeugt einen Zertifikatsfehler am Client, der üblicherweise aber (durch den Anwender) ignoriert wird. Deshalb wurde der HTTP-Header "HTTP Strict Transport Security (HSTS)" eingeführt. Damit werden kompatible Browser (Firefox, Chrome, Opera aber bisher NICHT IE) angewiesen, dass <br />
* der Browser den http-Request ausschließlich über https verschickt (auch falls die Seite mit http aufgerufen wird).<br />
* der Anwender Zertifikatsfehler im Browser nicht mehr ignorieren kann.<br />
<br />
Konfiguration im Apache:<br />
Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"<br />
<br />
Da der HSTS-Header nur über https übermittelt wird ist zusätzlich ein Redirect nötig:<br />
<br />
<VirtualHost *:80><br />
ServerAlias *<br />
RewriteEngine On<br />
<nowiki>RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]</nowiki><br />
</VirtualHost><br />
<br />
Quellen: <br />
<br />
[https://www.owasp.org/index.php/HTTP_Strict_Transport_Security HTTP_Strict_Transport_Security ]<br />
<br />
[http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata AppSecTutorial Series - Episode 4]<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
Einen umfangreicheren Überblick über die Anforderungen und die hierbei zu vermeidenden Probleme gibt es unter [http://www.owasp.org/index.php/ASVS#tab=ASVS ASVS requirements on Cryptography (V7)]. Des Weiteren:<br />
* [[Top_10_2007-Insecure_Cryptographic_Storage | OWASP Top 10-2007 on Insecure Cryptographic Storage]]<br />
* [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encryptor.html ESAPI Encryptor API]<br />
* [http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography]<br />
* [[Codereview-Cryptography | OWASP Code Review Guide: Chapter on Cryptography]]<br />
{{Top_10_2010_Developer_Edition_De:SubSubsectionExternalReferencesTemplate|language=de}}<br />
* [http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]<br />
* [http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive Information]<br />
* [http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]<br />
* [http://www.mindrot.org/projects/jBCrypt Reine Java Implementierung von BCrypt]<br />
* [https://github.com/wg/scrypt Beispielimplementierung von SCrypt]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=JAVA<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''PHP''' =<br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=2|risk=7|year=2010|language=de}}<br />
Um vorerstellte Hash-Tabellen zu verhindern, kann jedem Datensatz eine zufällige Zeichenfolge hinzugefügt werden, welche als Salt (Deutsch: Salz) bezeichnet wird. Ein Beispiel für die sichere Erstellung eines Hashwerts ist im Folgendem gegeben. Dafür muss das GIT-Projekt [https://github.com/ircmaxell/password_compat] eingebunden werden, ab PHP-Version 5.5 ist dies im Kern enthalten. <br />
Das Salt wird bspw. bei einem Linuxsystem in der Funktion password_hash() durch Zugriff auf /dev/urandom erstellt. Der Rückgabewert der Funktion ist eine Zeichenkette und beinhaltet u.a. den Hashwert, das Salt und den genutzten Algorithmus.<br />
Die Kosten, welche die Anzahl der Hash-Iterationen angeben, können über den dritten Parameter festgelegt werden.<br />
<br />
<nowiki><br />
$password = "foo";<br />
$options = [<br />
'cost' => 12,<br />
];<br />
$inputHash = password_hash($_GET['password'], CRYPT_SHA256, $options);<br />
storeHash($user, $inputHash); // Speichere Hash<br />
$hash = getHash($user); // Hole Hash aus der Datenbank<br />
$isPasswordVerified = password_verify($_GET['password'], $hash); // Prüfe eingegebenes Passwort gegen gespeichertes Passwort<br />
if($isPasswordVerified) {<br />
// Password korrekt<br />
} else {<br />
throw new PasswordVerificationException("");<br />
}<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
Einen umfangreicheren Überblick über die Anforderungen und die hierbei zu vermeidenden Probleme gibt es unter [http://www.owasp.org/index.php/ASVS#tab=ASVS ASVS requirements on Cryptography (V7)]. Des Weiteren:<br />
* [[Top_10_2007-Insecure_Cryptographic_Storage | OWASP Top 10-2007 on Insecure Cryptographic Storage]]<br />
* [http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography]<br />
* [[Codereview-Cryptography | OWASP Code Review Guide: Chapter on Cryptography]]<br />
{{Top_10_2010_Developer_Edition_De:SubSubsectionExternalReferencesTemplate|language=de}}<br />
* [http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]<br />
* [http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive Information]<br />
* [http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]<br />
* [http://www.php.net/manual/en/function.password-hash.php Funktionsweise der Funktion password_hash]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=PHP<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''Test''' =<br />
<!-- weitere Programmiersprachen oder evtl Anti-Beispiele ---><br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=whole|title=|risk=7|year=2010|language=de}}<br />
tbd<br />
Text<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=left|risk=7|year=2010|language=de}}<br />
(ganze Breite)<br />
Text<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=Test<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<headertabs /><br />
{{Top_10_2013_DeveloperEdition:BottomAdvancedTemplate<br />
|type=0<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=Germany/Projekte/Top_10_fuer_Entwickler-2013/A6-Verlust_der_Vertraulichkeit_sensibler_Daten&diff=165729Germany/Projekte/Top 10 fuer Entwickler-2013/A6-Verlust der Vertraulichkeit sensibler Daten2014-01-11T16:21:13Z<p>Timo Pagel: Remove Java-Specific parts from PHP</p>
<hr />
<div>{{Top_10_2013_DeveloperEdition:TopTemplate<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate<br />
|A6 {{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}} <small>({{Top_10_2010:ByTheNumbers|7|year=2010|language=de}} / {{Top_10_2010:ByTheNumbers|9|year=2010|language=de}})</small><br />
||year=2013<br />
}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SummaryTableHeaderBeginTemplate|year=2010|language=de}}<br />
{{Top_10:SummaryTableTemplate|exploitability=3|prevalence=3|detectability=2|impact=1|language=de|year=2013}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Jeder Benutzer des Systems ist zu betrachten.<br />
Haben diese ein Interesse, auf geschützte Daten unberechtigt zuzugreifen?<br />
Wie steht es um Administratoren?</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Angreifer brechen üblicherweise nicht die eigentliche Kryptografie. Statt dessen finden Sie Schlüssel, Klartexte oder greifen über Kanäle mit automatischer Entschlüsselung auf Daten zu.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Fehlende Verschlüsselung vertraulicher Daten ist die häufigste Schwachstelle, gefolgt von unsicherer Schlüsselerzeugung, der Speicherung statischer Schlüssel und die Nutzung schwacher Algorithmen. Schwache Hashwerte ohne Salt kommen zum Passwortschutz oft vor. Ein eingeschränkter Zugriff lässt externe Angreifer solche Probleme i.d.R. nicht leicht entdecken. Den nötigen Zugriff müssen sie vorher auf andere Weise erlangen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Fehler kompromittieren regelmäßig vertrauliche Daten. Es handelt sich hierbei oft um sensitive Daten wie personenbezogene Daten, Benutzernamen und Passwörter oder Kreditkarteninformationen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Betrachten Sie den Wert verlorener Daten und die Auswirkungen auf die Reputation des betroffenen Unternehmens. Hat es ggf. auch juristische Konsequenzen, wenn die Daten bekannt werden?</td><br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=firstLeft|risk=7|year=2010|language=de}} <br />
'''<u>Szenario 1</u>''': Eine Anwendung speichert verschlüsselt Kreditkartendaten in einer Datenbank, um Sie vor Angreifern zu schützen. Die Datenbank ist so eingerichtet, dass die Daten beim Auslesen automatisch entschlüsselt werden. Durch SQL-Injection können in diesem Fall alle Kreditkartendaten im Klartext ausgelesen werden. Das System hätte so konfiguriert sein sollen, dass nur nachgelagerte Anwendungen und nicht die Webanwendung selbst entschlüsseln dürfen.<br/> <br />
'''<u>Szenario 2</u>''': Ein Datensicherungsband speichert verschlüsselte Gesundheitsdaten, aber der Schlüssel ist ebenfalls dort gespeichert. Das Band geht auf dem Transportweg verloren.<br/><br />
'''<u>Szenario 3</u>''': Die Passwortdatenbank benutzt Hashwerte ohne Salt zur Speicherung der Passwörter. Eine Schwachstelle in der Downloadfunktion ermöglicht einem Angreifer den Zugriff auf die Datei. Zu allen Hashes kann in vier Wochen ein passender Klartext gefunden werden. Bei starken Hashwerten mit Salt hätte dieser Angriff über 3000 Jahre gedauert.<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=7|year=2010|language=de}} <br />
Eine Übersicht über alle Tücken unsicherer Kryptografie liegt weit außerhalb des Rahmens der Top 10. Für alle vertraulichen Daten sollten Sie zumindest:<br />
# Die Bedrohungen betrachten, vor denen Sie die Daten schützen wollen (z. B. Innen- und Außentäter) und sicherstellen, dass diese Daten angemessen durch Verschlüsselung geschützt werden.<br />
# Sicherstellen, dass ausgelagerte Datensicherungen verschlüsselt sind und die Schlüssel getrennt verwaltet und gesichert werden.<br />
# Sicherstellen, dass angemessene, starke Algorithmen und Schlüssel verwendet und verwaltet werden.<br />
# Sicherstellen, dass Passwörter mit einem starken Algorithmus und einem angemessenen Salt gehasht werden.<br />
# Sicherstellen, dass alle Schlüssel und Passwörter vor unberechtigtem Zugriff geschützt sind.<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=6|year=2013}}<br />
====temporär: Auszug aus [[Top_10_2013-A6-Sensitive_Data_Exposure| Top 10-2013 RC1: A6-Sensitive_Data_Exposure]]====<br />
<u>Scenario #1:</u> An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.<br />
<br />
<u>Scenario #2:</u> A site simply doesn't use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing all their private data.<br />
<br />
<u>Scenario #3:</u> The password database uses unsalted hashes to store everyone’s passwords. A file upload flaw allows an attacker to retrieve the password file. All the unsalted hashes can be exposed with a rainbow table of precalculated hashes.<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2013}}<br />
====temporär: Auszug aus [[Top_10_2013-A6-Sensitive_Data_Exposure| Top 10-2013 RC1: A6-Sensitive_Data_Exposure]]====<br />
The full perils of unsafe cryptography, SSL usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do all of the following, at a minimum:<br />
# Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.<br />
# Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.<br />
# Ensure strong standard algorithms and strong keys are used, and proper key management is in place.<br />
Ensure passwords are stored with an algorithm specifically designed for password protection, such as [http://en.wikipedia.org/wiki/Bcrypt bcrypt], [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2], or [http://en.wikipedia.org/wiki/Scrypt scrypt].<br />
# Disable autocomplete on forms collecting sensitive data and disable caching for pages displaying sensitive data.<br />
{{Top_10:SubsectionTableEndTemplate}}<br />
<br />
= '''JAVA''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=7|year=2010|language=de}}<br />
Ein einfaches Beispiel für die Veschlüsselung von Texten, hier mit dem AES-128 Algorithmus. Die Auswahl an Verschlüsselungsparametern wie beispielsweise Algorithmus, Ciphermodus oder Schlüssellänge ist groß und kommt immer auf die jeweiligen Daten und die Anwendung an. <br />
<nowiki><br />
String plainText = "HelloWorld";<br />
<br />
// password setzen <br />
String password = "my128bitPassword";<br />
<br />
// CBC Cipher immer mit einem zufällig erzeugten <br />
// Initialization Vector (IV) initialisieren (Länge 16 Byte)<br />
byte[] ivBytes = new byte[16];<br />
(new SecureRandom()).nextBytes(ivBytes);<br />
<br />
// den Schlüssel erzeugen<br />
SecretKeySpec key = new SecretKeySpec(password.getBytes(), "AES");<br />
<br />
// Container für die Verschlüsselungs Parameter<br />
IvParameterSpec paramSpec = new IvParameterSpec(ivBytes); <br />
<br />
// Chiffrierer erzeugen und initialisieren<br />
// Algorithmus: AES<br />
// Modus: CBC<br />
// Padding: PKCS5Padding<br />
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");<br />
cipher.init(Cipher.ENCRYPT_MODE, key, paramSpec); <br />
<br />
// Verschlüsselung durchführen<br />
byte[] encrypted = cipher.doFinal(plainText.getBytes());<br />
</nowiki><br />
<br />
Die Benutzung der ESAPI erleichtert die Handhabung, da neben einer großen Bandbreite an Verschlüsselungs-, Hash-, und Signaturalgorithmen auch Methoden für die Schlüsselerzeugung und -verwaltung unterstüzt werden. Nach Initialisierung der Parameter in der Konfigurationsdatei ESAPI.properties, reduziert sich die eigentliche Verschlüsselung eines Textes beispielsweise zu:<br />
<nowiki><br />
CipherText ciphertext = <br />
ESAPI.encryptor().encrypt( new PlainText(myplaintext) );<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=7|year=2010|language=de}}<br />
Beispiele für das Hashen von Passwörtern. Um die Sicherheit zu erhöhen sollte jedes Passwort mit einem Zufallswert (Salt) berechnet und gespeichert werden sowie möglichst viele Iterationen beim Hashing genutzt werden.<br />
<nowiki><br />
String password = "mypassword";<br />
<br />
// salt anlegen und mit zufälligen Bytes befüllen<br />
byte[] salt = new byte[8];<br />
(new SecureRandom()).nextBytes(salt);<br />
<br />
// Hash-Generator anlegen (verwendeter Algorithmus ist SHA-256)<br />
// und mit salt initialisieren (=> höhere Sicherheit gegen Angriffe)<br />
MessageDigest digest = MessageDigest.getInstance("SHA-256");<br />
digest.reset();<br />
digest.update(salt);<br />
<br />
byte[] input = digest.digest(password.getBytes("UTF-8"));<br />
<br />
// Hash in mehreren Iterationen (n = 100.000) berechnen<br />
// mehr Iterationen verlangsamen Angriffe (signifikant?)<br />
for (int i = 0; i < 100000; i++) {<br />
digest.reset();<br />
input = digest.digest(input);<br />
}<br />
// am Ende der Iterationen enthält input den berechneten Hash<br />
</nowiki><br />
<br />
Sicherer ist allerdings die Nutzung einer PBKDF2 (Password-Based Key Derivation Function 2) wie im folgenden Beispiel: <br />
<nowiki><br />
public byte[] generatePBKDF2Hash(String password) <br />
throws NoSuchAlgorithmException, InvalidKeySpecException { <br />
<br />
byte[] salt = new byte[20]; <br />
// salt mit zufälligen Bytes befüllen<br />
(new SecureRandom()).nextBytes(salt);<br />
<br />
int iterations = 10000;<br />
int keyLength = 160;<br />
// neuen Schlüssel erzeugen <br />
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");<br />
PBEKeySpec pbeKeySpec = new PBEKeySpec(password, salt, iterations, keyLength);<br />
SecretKey mySecretKey = factory.generateSecret(pbeKeySpec);<br />
}<br />
<br />
byte[] hash = generatePBKDF2Hash(password).getEncoded();<br />
</nowiki><br />
<br />
Eine weiterer empfohlener Algorithmus ist bcrypt, hier bespielsweise unter Verwendung der jBCrypt-Bibliothek (siehe Referenzen).<br />
<nowiki><br />
String hashed = BCrypt.hashpw(password, BCrypt.gensalt(12));<br />
</nowiki><br />
Zu bcrypt gibt es mittlerweile eine noch sicherere Variante scrypt, der Link zu einer Beispielimplementierung findet sich bei den Referenzen.<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=7|year=2010|language=de}}<br />
Um geheime Schlüssel sicher, aber auch gleichzeitig einfach zugänglich und austauschbar aufzubewahren empfiehlt sich eine spezielle Schlüsseldatei, wie beispielweise der Java KeyStore. In dieser Datei werden die Schlüssel mit einem Master-Password gesichert, die Datei selbst sollte getrennt von den verschlüsselten Daten abgelegt werden:<br />
<br />
<nowiki><br />
// Erzeugung eines symmetrischen Schlüssels mittels der vorher beschriebenen PBKDF2<br />
String password = "mypassword";<br />
byte[] mySecretKey = generatePBKDF2Hash(password);<br />
<br />
// neuen KeyStore für symmetrische Schlüssel erzeugen <br />
KeyStore ks = KeyStore.getInstance("JCEKS");<br />
ks.load(null, null);<br />
<br />
// Schlüssel speichern<br />
KeyStore.ProtectionParameter passwordProtection = <br />
new KeyStore.PasswordProtection(password);<br />
KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(mySecretKey);<br />
ks.setEntry("beispielkey", entry, passwordProtection);<br />
<br />
// KeyStore in Datei speichern <br />
FileOutputStream fos = new FileOutputStream("SecretKeyStoreDatei");<br />
ks.store(fos,password);<br />
fos.close();<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=1|risk=6|year=2013|language=de}}<br />
;Unzureichende Absicherung der Transportschicht<br />
<br />
Um die Verschlüsselung auf der Transportebene sollte sich der Entwickler nie selbst kümmern, sondern dies immer dem Webserver überlassen:<br />
<br />
Im J2EE-Deployment-Descriptor der Anwendung (= web.xml) ist die folgende Konfiguration vorzunehmen, um sicherzustellen, dass nur ausschließlich über https kommuniziert wird:<br />
<br />
<nowiki><br />
<security-constraint><br />
<web-resource-collection><br />
<web-resource-name>Protected Context</web-resource-name><br />
<url-pattern>/*</url-pattern><br />
</web-resource-collection><br />
<!-- auth-constraint an dieser Stelle für Authentisierung --><br />
<user-data-constraint><br />
<transport-guarantee>CONFIDENTIAL</transport-guarantee><br />
</user-data-constraint><br />
</security-constraint><br />
</nowiki><br />
<br />
Für Session-Cookies ist immer das Attribute SECURE zu setzen:<br />
<nowiki><br />
<session-config> <br />
<cookie-config> <br />
<secure><br />
true<br />
</secure> <br />
</cookie-config> <br />
</session-config> <br />
</nowiki><br />
In der Server-Configuration ist sicherzustellen, dass nur TLS und SSL3 unterstützt werden.<br />
Das Speichern von vertraulichen Inhalten am Client oder auf einem Proxy kann über den Header Cache-Control verhindert werden:<br />
<br />
Header set Cache-Control "no-cache, no store, must-revalidate"<br />
<br />
Weitere Hinweise im [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Layer Protection Cheat Sheet]<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=1a|risk=9|year=2010|language=de}}<br />
<br />
Die Sicherheitskonfiguration unter Option 1 hat noch eine Schwachstelle, so das MITM (Man In The Middle attack) nicht zuverlässig verhindert wird. MITM erzeugt einen Zertifikatsfehler am Client, der üblicherweise aber (durch den Anwender) ignoriert wird. Deshalb wurde der HTTP-Header "HTTP Strict Transport Security (HSTS)" eingeführt. Damit werden kompatible Browser (Firefox, Chrome, Opera aber bisher NICHT IE) angewiesen, dass <br />
* der Browser den http-Request ausschließlich über https verschickt (auch falls die Seite mit http aufgerufen wird).<br />
* der Anwender Zertifikatsfehler im Browser nicht mehr ignorieren kann.<br />
<br />
Konfiguration im Apache:<br />
Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"<br />
<br />
Da der HSTS-Header nur über https übermittelt wird ist zusätzlich ein Redirect nötig:<br />
<br />
<VirtualHost *:80><br />
ServerAlias *<br />
RewriteEngine On<br />
<nowiki>RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]</nowiki><br />
</VirtualHost><br />
<br />
Quellen: <br />
<br />
[https://www.owasp.org/index.php/HTTP_Strict_Transport_Security HTTP_Strict_Transport_Security ]<br />
<br />
[http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata AppSecTutorial Series - Episode 4]<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
Einen umfangreicheren Überblick über die Anforderungen und die hierbei zu vermeidenden Probleme gibt es unter [http://www.owasp.org/index.php/ASVS#tab=ASVS ASVS requirements on Cryptography (V7)]. Des Weiteren:<br />
* [[Top_10_2007-Insecure_Cryptographic_Storage | OWASP Top 10-2007 on Insecure Cryptographic Storage]]<br />
* [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encryptor.html ESAPI Encryptor API]<br />
* [http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography]<br />
* [[Codereview-Cryptography | OWASP Code Review Guide: Chapter on Cryptography]]<br />
{{Top_10_2010_Developer_Edition_De:SubSubsectionExternalReferencesTemplate|language=de}}<br />
* [http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]<br />
* [http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive Information]<br />
* [http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]<br />
* [http://www.mindrot.org/projects/jBCrypt Reine Java Implementierung von BCrypt]<br />
* [https://github.com/wg/scrypt Beispielimplementierung von SCrypt]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=JAVA<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''PHP''' =<br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=2|risk=7|year=2010|language=de}}<br />
Um vorerstellte Hash-Tabellen zu verhindern, kann jedem Datensatz eine zufällige Zeichenfolge hinzugefügt werden, welche als Salt (Deutsch: Salz) bezeichnet wird. Ein Beispiel für die sichere Erstellung eines Hashwerts ist im Folgendem gegeben. Dafür muss das GIT-Projekt [https://github.com/ircmaxell/password_compat] eingebunden werden, ab PHP-Version 5.5 ist dies im Kern enthalten. <br />
Das Salt wird bspw. bei einem Linuxsystem in der Funktion password_hash() durch Zugriff auf /dev/urandom erstellt. Der Rückgabewert der Funktion ist eine Zeichenkette und beinhaltet u.a. den Hashwert, das Salt und den genutzten Algorithmus.<br />
Die Kosten, welche die Anzahl der Hash-Iterationen angeben, können über den dritten Parameter festgelegt werden.<br />
<br />
<nowiki><br />
$password = "foo";<br />
$options = [<br />
'cost' => 12,<br />
];<br />
$inputHash = password_hash($_GET['password'], CRYPT_SHA256, $options);<br />
storeHash($user, $inputHash); // Speichere Hash<br />
$hash = getHash($user); // Hole Hash aus der Datenbank<br />
$isPasswordVerified = password_verify($_GET['password'], $hash); // Prüfe eingegebenes Passwort gegen gespeichertes Passwort<br />
if($isPasswordVerified) {<br />
// Password korrekt<br />
} else {<br />
throw new PasswordVerificationException("");<br />
}<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
Einen umfangreicheren Überblick über die Anforderungen und die hierbei zu vermeidenden Probleme gibt es unter [http://www.owasp.org/index.php/ASVS#tab=ASVS ASVS requirements on Cryptography (V7)]. Des Weiteren:<br />
* [[Top_10_2007-Insecure_Cryptographic_Storage | OWASP Top 10-2007 on Insecure Cryptographic Storage]]<br />
* [http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography]<br />
* [[Codereview-Cryptography | OWASP Code Review Guide: Chapter on Cryptography]]<br />
{{Top_10_2010_Developer_Edition_De:SubSubsectionExternalReferencesTemplate|language=de}}<br />
* [http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]<br />
* [http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive Information]<br />
* [http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]<br />
* [http://www.php.net/manual/en/function.password-hash.php Funktionsweise der Funktion password_hash]<br />
* [https://github.com/wg/scrypt Beispielimplementierung von SCrypt]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=PHP<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''Test''' =<br />
<!-- weitere Programmiersprachen oder evtl Anti-Beispiele ---><br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=whole|title=|risk=7|year=2010|language=de}}<br />
tbd<br />
Text<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=left|risk=7|year=2010|language=de}}<br />
(ganze Breite)<br />
Text<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=Test<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<headertabs /><br />
{{Top_10_2013_DeveloperEdition:BottomAdvancedTemplate<br />
|type=0<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}</div>Timo Pagelhttps://wiki.owasp.org/index.php?title=Germany/Projekte/Top_10_fuer_Entwickler-2013/A6-Verlust_der_Vertraulichkeit_sensibler_Daten&diff=165728Germany/Projekte/Top 10 fuer Entwickler-2013/A6-Verlust der Vertraulichkeit sensibler Daten2014-01-11T16:19:22Z<p>Timo Pagel: </p>
<hr />
<div>{{Top_10_2013_DeveloperEdition:TopTemplate<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
{{Top_10_2010:SubsectionColoredTemplate<br />
|A6 {{Top_10_2010:ByTheNumbers<br />
|6<br />
|year=2013<br />
|language=de}} <small>({{Top_10_2010:ByTheNumbers|7|year=2010|language=de}} / {{Top_10_2010:ByTheNumbers|9|year=2010|language=de}})</small><br />
||year=2013<br />
}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SummaryTableHeaderBeginTemplate|year=2010|language=de}}<br />
{{Top_10:SummaryTableTemplate|exploitability=3|prevalence=3|detectability=2|impact=1|language=de|year=2013}}<br />
{{Top_10_2010:SummaryTableHeaderEndTemplate}}<br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Jeder Benutzer des Systems ist zu betrachten.<br />
Haben diese ein Interesse, auf geschützte Daten unberechtigt zuzugreifen?<br />
Wie steht es um Administratoren?</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Angreifer brechen üblicherweise nicht die eigentliche Kryptografie. Statt dessen finden Sie Schlüssel, Klartexte oder greifen über Kanäle mit automatischer Entschlüsselung auf Daten zu.</td><br />
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Fehlende Verschlüsselung vertraulicher Daten ist die häufigste Schwachstelle, gefolgt von unsicherer Schlüsselerzeugung, der Speicherung statischer Schlüssel und die Nutzung schwacher Algorithmen. Schwache Hashwerte ohne Salt kommen zum Passwortschutz oft vor. Ein eingeschränkter Zugriff lässt externe Angreifer solche Probleme i.d.R. nicht leicht entdecken. Den nötigen Zugriff müssen sie vorher auf andere Weise erlangen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Fehler kompromittieren regelmäßig vertrauliche Daten. Es handelt sich hierbei oft um sensitive Daten wie personenbezogene Daten, Benutzernamen und Passwörter oder Kreditkarteninformationen.</td><br />
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Betrachten Sie den Wert verlorener Daten und die Auswirkungen auf die Reputation des betroffenen Unternehmens. Hat es ggf. auch juristische Konsequenzen, wenn die Daten bekannt werden?</td><br />
{{Top_10_2010:SummaryTableEndTemplate}}<br />
<br />
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=firstLeft|risk=7|year=2010|language=de}} <br />
'''<u>Szenario 1</u>''': Eine Anwendung speichert verschlüsselt Kreditkartendaten in einer Datenbank, um Sie vor Angreifern zu schützen. Die Datenbank ist so eingerichtet, dass die Daten beim Auslesen automatisch entschlüsselt werden. Durch SQL-Injection können in diesem Fall alle Kreditkartendaten im Klartext ausgelesen werden. Das System hätte so konfiguriert sein sollen, dass nur nachgelagerte Anwendungen und nicht die Webanwendung selbst entschlüsseln dürfen.<br/> <br />
'''<u>Szenario 2</u>''': Ein Datensicherungsband speichert verschlüsselte Gesundheitsdaten, aber der Schlüssel ist ebenfalls dort gespeichert. Das Band geht auf dem Transportweg verloren.<br/><br />
'''<u>Szenario 3</u>''': Die Passwortdatenbank benutzt Hashwerte ohne Salt zur Speicherung der Passwörter. Eine Schwachstelle in der Downloadfunktion ermöglicht einem Angreifer den Zugriff auf die Datei. Zu allen Hashes kann in vier Wochen ein passender Klartext gefunden werden. Bei starken Hashwerten mit Salt hätte dieser Angriff über 3000 Jahre gedauert.<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=7|year=2010|language=de}} <br />
Eine Übersicht über alle Tücken unsicherer Kryptografie liegt weit außerhalb des Rahmens der Top 10. Für alle vertraulichen Daten sollten Sie zumindest:<br />
# Die Bedrohungen betrachten, vor denen Sie die Daten schützen wollen (z. B. Innen- und Außentäter) und sicherstellen, dass diese Daten angemessen durch Verschlüsselung geschützt werden.<br />
# Sicherstellen, dass ausgelagerte Datensicherungen verschlüsselt sind und die Schlüssel getrennt verwaltet und gesichert werden.<br />
# Sicherstellen, dass angemessene, starke Algorithmen und Schlüssel verwendet und verwaltet werden.<br />
# Sicherstellen, dass Passwörter mit einem starken Algorithmus und einem angemessenen Salt gehasht werden.<br />
# Sicherstellen, dass alle Schlüssel und Passwörter vor unberechtigtem Zugriff geschützt sind.<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=6|year=2013}}<br />
====temporär: Auszug aus [[Top_10_2013-A6-Sensitive_Data_Exposure| Top 10-2013 RC1: A6-Sensitive_Data_Exposure]]====<br />
<u>Scenario #1:</u> An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.<br />
<br />
<u>Scenario #2:</u> A site simply doesn't use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing all their private data.<br />
<br />
<u>Scenario #3:</u> The password database uses unsalted hashes to store everyone’s passwords. A file upload flaw allows an attacker to retrieve the password file. All the unsalted hashes can be exposed with a rainbow table of precalculated hashes.<br />
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2013}}<br />
====temporär: Auszug aus [[Top_10_2013-A6-Sensitive_Data_Exposure| Top 10-2013 RC1: A6-Sensitive_Data_Exposure]]====<br />
The full perils of unsafe cryptography, SSL usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do all of the following, at a minimum:<br />
# Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.<br />
# Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.<br />
# Ensure strong standard algorithms and strong keys are used, and proper key management is in place.<br />
Ensure passwords are stored with an algorithm specifically designed for password protection, such as [http://en.wikipedia.org/wiki/Bcrypt bcrypt], [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2], or [http://en.wikipedia.org/wiki/Scrypt scrypt].<br />
# Disable autocomplete on forms collecting sensitive data and disable caching for pages displaying sensitive data.<br />
{{Top_10:SubsectionTableEndTemplate}}<br />
<br />
= '''JAVA''' = <br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=7|year=2010|language=de}}<br />
Ein einfaches Beispiel für die Veschlüsselung von Texten, hier mit dem AES-128 Algorithmus. Die Auswahl an Verschlüsselungsparametern wie beispielsweise Algorithmus, Ciphermodus oder Schlüssellänge ist groß und kommt immer auf die jeweiligen Daten und die Anwendung an. <br />
<nowiki><br />
String plainText = "HelloWorld";<br />
<br />
// password setzen <br />
String password = "my128bitPassword";<br />
<br />
// CBC Cipher immer mit einem zufällig erzeugten <br />
// Initialization Vector (IV) initialisieren (Länge 16 Byte)<br />
byte[] ivBytes = new byte[16];<br />
(new SecureRandom()).nextBytes(ivBytes);<br />
<br />
// den Schlüssel erzeugen<br />
SecretKeySpec key = new SecretKeySpec(password.getBytes(), "AES");<br />
<br />
// Container für die Verschlüsselungs Parameter<br />
IvParameterSpec paramSpec = new IvParameterSpec(ivBytes); <br />
<br />
// Chiffrierer erzeugen und initialisieren<br />
// Algorithmus: AES<br />
// Modus: CBC<br />
// Padding: PKCS5Padding<br />
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");<br />
cipher.init(Cipher.ENCRYPT_MODE, key, paramSpec); <br />
<br />
// Verschlüsselung durchführen<br />
byte[] encrypted = cipher.doFinal(plainText.getBytes());<br />
</nowiki><br />
<br />
Die Benutzung der ESAPI erleichtert die Handhabung, da neben einer großen Bandbreite an Verschlüsselungs-, Hash-, und Signaturalgorithmen auch Methoden für die Schlüsselerzeugung und -verwaltung unterstüzt werden. Nach Initialisierung der Parameter in der Konfigurationsdatei ESAPI.properties, reduziert sich die eigentliche Verschlüsselung eines Textes beispielsweise zu:<br />
<nowiki><br />
CipherText ciphertext = <br />
ESAPI.encryptor().encrypt( new PlainText(myplaintext) );<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=7|year=2010|language=de}}<br />
Beispiele für das Hashen von Passwörtern. Um die Sicherheit zu erhöhen sollte jedes Passwort mit einem Zufallswert (Salt) berechnet und gespeichert werden sowie möglichst viele Iterationen beim Hashing genutzt werden.<br />
<nowiki><br />
String password = "mypassword";<br />
<br />
// salt anlegen und mit zufälligen Bytes befüllen<br />
byte[] salt = new byte[8];<br />
(new SecureRandom()).nextBytes(salt);<br />
<br />
// Hash-Generator anlegen (verwendeter Algorithmus ist SHA-256)<br />
// und mit salt initialisieren (=> höhere Sicherheit gegen Angriffe)<br />
MessageDigest digest = MessageDigest.getInstance("SHA-256");<br />
digest.reset();<br />
digest.update(salt);<br />
<br />
byte[] input = digest.digest(password.getBytes("UTF-8"));<br />
<br />
// Hash in mehreren Iterationen (n = 100.000) berechnen<br />
// mehr Iterationen verlangsamen Angriffe (signifikant?)<br />
for (int i = 0; i < 100000; i++) {<br />
digest.reset();<br />
input = digest.digest(input);<br />
}<br />
// am Ende der Iterationen enthält input den berechneten Hash<br />
</nowiki><br />
<br />
Sicherer ist allerdings die Nutzung einer PBKDF2 (Password-Based Key Derivation Function 2) wie im folgenden Beispiel: <br />
<nowiki><br />
public byte[] generatePBKDF2Hash(String password) <br />
throws NoSuchAlgorithmException, InvalidKeySpecException { <br />
<br />
byte[] salt = new byte[20]; <br />
// salt mit zufälligen Bytes befüllen<br />
(new SecureRandom()).nextBytes(salt);<br />
<br />
int iterations = 10000;<br />
int keyLength = 160;<br />
// neuen Schlüssel erzeugen <br />
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");<br />
PBEKeySpec pbeKeySpec = new PBEKeySpec(password, salt, iterations, keyLength);<br />
SecretKey mySecretKey = factory.generateSecret(pbeKeySpec);<br />
}<br />
<br />
byte[] hash = generatePBKDF2Hash(password).getEncoded();<br />
</nowiki><br />
<br />
Eine weiterer empfohlener Algorithmus ist bcrypt, hier bespielsweise unter Verwendung der jBCrypt-Bibliothek (siehe Referenzen).<br />
<nowiki><br />
String hashed = BCrypt.hashpw(password, BCrypt.gensalt(12));<br />
</nowiki><br />
Zu bcrypt gibt es mittlerweile eine noch sicherere Variante scrypt, der Link zu einer Beispielimplementierung findet sich bei den Referenzen.<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=3|risk=7|year=2010|language=de}}<br />
Um geheime Schlüssel sicher, aber auch gleichzeitig einfach zugänglich und austauschbar aufzubewahren empfiehlt sich eine spezielle Schlüsseldatei, wie beispielweise der Java KeyStore. In dieser Datei werden die Schlüssel mit einem Master-Password gesichert, die Datei selbst sollte getrennt von den verschlüsselten Daten abgelegt werden:<br />
<br />
<nowiki><br />
// Erzeugung eines symmetrischen Schlüssels mittels der vorher beschriebenen PBKDF2<br />
String password = "mypassword";<br />
byte[] mySecretKey = generatePBKDF2Hash(password);<br />
<br />
// neuen KeyStore für symmetrische Schlüssel erzeugen <br />
KeyStore ks = KeyStore.getInstance("JCEKS");<br />
ks.load(null, null);<br />
<br />
// Schlüssel speichern<br />
KeyStore.ProtectionParameter passwordProtection = <br />
new KeyStore.PasswordProtection(password);<br />
KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(mySecretKey);<br />
ks.setEntry("beispielkey", entry, passwordProtection);<br />
<br />
// KeyStore in Datei speichern <br />
FileOutputStream fos = new FileOutputStream("SecretKeyStoreDatei");<br />
ks.store(fos,password);<br />
fos.close();<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=1|risk=6|year=2013|language=de}}<br />
;Unzureichende Absicherung der Transportschicht<br />
<br />
Um die Verschlüsselung auf der Transportebene sollte sich der Entwickler nie selbst kümmern, sondern dies immer dem Webserver überlassen:<br />
<br />
Im J2EE-Deployment-Descriptor der Anwendung (= web.xml) ist die folgende Konfiguration vorzunehmen, um sicherzustellen, dass nur ausschließlich über https kommuniziert wird:<br />
<br />
<nowiki><br />
<security-constraint><br />
<web-resource-collection><br />
<web-resource-name>Protected Context</web-resource-name><br />
<url-pattern>/*</url-pattern><br />
</web-resource-collection><br />
<!-- auth-constraint an dieser Stelle für Authentisierung --><br />
<user-data-constraint><br />
<transport-guarantee>CONFIDENTIAL</transport-guarantee><br />
</user-data-constraint><br />
</security-constraint><br />
</nowiki><br />
<br />
Für Session-Cookies ist immer das Attribute SECURE zu setzen:<br />
<nowiki><br />
<session-config> <br />
<cookie-config> <br />
<secure><br />
true<br />
</secure> <br />
</cookie-config> <br />
</session-config> <br />
</nowiki><br />
In der Server-Configuration ist sicherzustellen, dass nur TLS und SSL3 unterstützt werden.<br />
Das Speichern von vertraulichen Inhalten am Client oder auf einem Proxy kann über den Header Cache-Control verhindert werden:<br />
<br />
Header set Cache-Control "no-cache, no store, must-revalidate"<br />
<br />
Weitere Hinweise im [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Layer Protection Cheat Sheet]<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=left|title=1a|risk=9|year=2010|language=de}}<br />
<br />
Die Sicherheitskonfiguration unter Option 1 hat noch eine Schwachstelle, so das MITM (Man In The Middle attack) nicht zuverlässig verhindert wird. MITM erzeugt einen Zertifikatsfehler am Client, der üblicherweise aber (durch den Anwender) ignoriert wird. Deshalb wurde der HTTP-Header "HTTP Strict Transport Security (HSTS)" eingeführt. Damit werden kompatible Browser (Firefox, Chrome, Opera aber bisher NICHT IE) angewiesen, dass <br />
* der Browser den http-Request ausschließlich über https verschickt (auch falls die Seite mit http aufgerufen wird).<br />
* der Anwender Zertifikatsfehler im Browser nicht mehr ignorieren kann.<br />
<br />
Konfiguration im Apache:<br />
Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"<br />
<br />
Da der HSTS-Header nur über https übermittelt wird ist zusätzlich ein Redirect nötig:<br />
<br />
<VirtualHost *:80><br />
ServerAlias *<br />
RewriteEngine On<br />
<nowiki>RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]</nowiki><br />
</VirtualHost><br />
<br />
Quellen: <br />
<br />
[https://www.owasp.org/index.php/HTTP_Strict_Transport_Security HTTP_Strict_Transport_Security ]<br />
<br />
[http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata AppSecTutorial Series - Episode 4]<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
Einen umfangreicheren Überblick über die Anforderungen und die hierbei zu vermeidenden Probleme gibt es unter [http://www.owasp.org/index.php/ASVS#tab=ASVS ASVS requirements on Cryptography (V7)]. Des Weiteren:<br />
* [[Top_10_2007-Insecure_Cryptographic_Storage | OWASP Top 10-2007 on Insecure Cryptographic Storage]]<br />
* [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encryptor.html ESAPI Encryptor API]<br />
* [http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography]<br />
* [[Codereview-Cryptography | OWASP Code Review Guide: Chapter on Cryptography]]<br />
{{Top_10_2010_Developer_Edition_De:SubSubsectionExternalReferencesTemplate|language=de}}<br />
* [http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]<br />
* [http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive Information]<br />
* [http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]<br />
* [http://www.mindrot.org/projects/jBCrypt Reine Java Implementierung von BCrypt]<br />
* [https://github.com/wg/scrypt Beispielimplementierung von SCrypt]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=JAVA<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''PHP''' =<br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=2|risk=7|year=2010|language=de}}<br />
Um vorerstellte Hash-Tabellen zu verhindern, kann jedem Datensatz eine zufällige Zeichenfolge hinzugefügt werden, welche als Salt (Deutsch: Salz) bezeichnet wird. Ein Beispiel für die sichere Erstellung eines Hashwerts ist im Folgendem gegeben. Dafür muss das GIT-Projekt [https://github.com/ircmaxell/password_compat] eingebunden werden, ab PHP-Version 5.5 ist dies im Kern enthalten. <br />
Das Salt wird bspw. bei einem Linuxsystem in der Funktion password_hash() durch Zugriff auf /dev/urandom erstellt. Der Rückgabewert der Funktion ist eine Zeichenkette und beinhaltet u.a. den Hashwert, das Salt und den genutzten Algorithmus.<br />
Die Kosten, welche die Anzahl der Hash-Iterationen angeben, können über den dritten Parameter festgelegt werden.<br />
<br />
<nowiki><br />
$password = "foo";<br />
$options = [<br />
'cost' => 12,<br />
];<br />
$inputHash = password_hash($_GET['password'], CRYPT_SHA256, $options);<br />
storeHash($user, $inputHash); // Speichere Hash<br />
$hash = getHash($user); // Hole Hash aus der Datenbank<br />
$isPasswordVerified = password_verify($_GET['password'], $hash); // Prüfe eingegebenes Passwort gegen gespeichertes Passwort<br />
if($isPasswordVerified) {<br />
// Password korrekt<br />
} else {<br />
throw new PasswordVerificationException("");<br />
}<br />
</nowiki><br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br />
<br />
Einen umfangreicheren Überblick über die Anforderungen und die hierbei zu vermeidenden Probleme gibt es unter [http://www.owasp.org/index.php/ASVS#tab=ASVS ASVS requirements on Cryptography (V7)]. Des Weiteren:<br />
* [[Top_10_2007-Insecure_Cryptographic_Storage | OWASP Top 10-2007 on Insecure Cryptographic Storage]]<br />
* [http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography]<br />
* [[Codereview-Cryptography | OWASP Code Review Guide: Chapter on Cryptography]]<br />
{{Top_10_2010_Developer_Edition_De:SubSubsectionExternalReferencesTemplate|language=de}}<br />
* [http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]<br />
* [http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive Information]<br />
* [http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]<br />
* [http://www.mindrot.org/projects/jBCrypt Reine Java Implementierung von BCrypt]<br />
* [https://github.com/wg/scrypt Beispielimplementierung von SCrypt]<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=PHP<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<br />
= '''Test''' =<br />
<!-- weitere Programmiersprachen oder evtl Anti-Beispiele ---><br />
{{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=firstLeft|title=1|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=right|title=2|risk=7|year=2010|language=de}}<br />
{{Top_10_2010:ExampleBeginTemplate}}<br />
tbd<br />
Text<br />
{{Top_10_2010:ExampleEndTemplate}}<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|position=whole|title=|risk=7|year=2010|language=de}}<br />
tbd<br />
Text<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=left|risk=7|year=2010|language=de}}<br />
(ganze Breite)<br />
Text<br />
<br />
{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2010|language=de}}<br />
{{Top_10:SubsectionTableEndTemplate}}{{Top 10 DeveloperEdition:NavigationByHeadertab<br />
|headertab=Test<br />
|useprev=2013PrevHeaderTabDeveloperEdition<br />
|usenext=2013NextHeaderTabDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}<br />
<headertabs /><br />
{{Top_10_2013_DeveloperEdition:BottomAdvancedTemplate<br />
|type=0<br />
|useprev=2013PrevLinkDeveloperEdition<br />
|usenext=2013NextLinkDeveloperEdition<br />
|prev=A5-{{Top_10_2010:ByTheNumbers<br />
|5<br />
|year=2013<br />
|language=de}}<br />
|next=A7-{{Top_10_2010:ByTheNumbers<br />
|7<br />
|year=2013<br />
|language=de}}<br />
|year=2013<br />
|language=de<br />
}}</div>Timo Pagel