OWASP DHS SWA Day 2010 Getting Started - Revision history

Walter Houser at 22:13, 4 October 2010

2010-10-04T22:13:08Z

Walter Houser at 22:12, 4 October 2010

2010-10-04T22:12:46Z

Walter Houser at 21:55, 4 October 2010

2010-10-04T21:55:27Z

Walter Houser at 21:48, 4 October 2010

2010-10-04T21:48:50Z

Walter Houser at 21:43, 4 October 2010

2010-10-04T21:43:23Z

Walter Houser at 21:40, 4 October 2010

2010-10-04T21:40:25Z

Dallendoug at 16:51, 28 September 2010

2010-09-28T16:51:53Z

Dallendoug: Created page with '== The presentation == rightAn overview of the OWASP Top Ten, the OWASP ASVS, and the OWASP Guides. This presentation is given as part of [[OWA…'

2010-09-28T03:35:30Z

Created page with '== The presentation == rightAn overview of the OWASP Top Ten, the OWASP ASVS, and the OWASP Guides. This presentation is given as part of [[OWA…'

New page

== The presentation ==

[[Image:Owasp_logo_normal.jpg|right]]An overview of the OWASP Top Ten, the OWASP ASVS, and the OWASP Guides.

This presentation is given as part of [[OWASP Software Assurance Day DC 2010 | OWASP Software Assurance Day]] at the [https://buildsecurityin.us-cert.gov/bsi/events/1133-BSI.html | 13th Annual Software Assurance Forum].

[[Media:Dave_Wichers_2010-09_OWASP_DHS_SWA_Day_-_OWASP_Projects.pptx | Download the presentation]]

== The speaker ==

Dave Wichers Speaker bio will be posted shortly.

[[Category:OWASP_Conference_Presentations]]

← Older revision		Revision as of 22:13, 4 October 2010
Line 88:		Line 88:

	[[Category:OWASP_Conference_Presentations]]		[[Category:OWASP_Conference_Presentations]]
		+	--[[User:Walter Houser\|Walter Houser]] 22:13, 4 October 2010 (UTC)

@@ Line 27: / Line 27: @@
 '''Getting Started with the Top Ten and OWASP Guides'''
 – Dave Wichers
-We are still not asking for secure software.  Is your customer really asking you to create secure software?  There is a fundamental supply and demand problem.  No one will produce something that no one wants to buy.  If I spend the effort to build secure software, then it increases the cost.  If it has the same functionality but has the invisible feature of security, then no one will buy it yet.  We as consumers must demand security from these companies we patronize.  Microsoft has worked very hard to produce secure software.  Some vendors are starting to win contracts because their software is more secure.
+We are still not asking for secure software.  Is your customer really asking you to create secure software?  There is a fundamental supply and demand problem.  No one will produce something that no one wants to buy.  If software firms spend the effort to build secure software, then it increases the cost.  If it has the same functionality but has the invisible feature of security, then no one will buy it yet.  We as consumers must demand security from these companies we patronize.  Microsoft has worked very hard to produce secure software.  Some vendors are starting to win contracts because their software is more secure.
 Microsoft was seeing roughly 8 – 15% of up front costs, but then saw costs drop dramatically due to efficiencies and cost avoidance.  Investing in software quality can also provide a means for cost reduction which is a huge culture problem.
@@ Line 83: / Line 83: @@
-OWASP Common Numbering project organizes the guides in the same standardized order.
+;[http://www.owasp.org/index.php/Common_OWASP_Numbering OWASP Common Numbering] project organizes the guides in the same standardized order.
 ;[[OWASP Secure Coding Practices - Quick Reference Guide|OWASP Secure Coding Practices - Quick Reference Guide]]
 [[Category:OWASP_Conference_Presentations]]

@@ Line 35: / Line 35: @@
 Open Source is not necessarily more or less secure.  It varies. DHS’ HOST program and another site setup in partnership with Coverity provide feedback to open source developers.
-When I work with the DISA STIGs I look at the code to see if it is secure. If I find something, they fix it.  If I don’t, then they don’t fix it. They are focusing on verification.  If there is enough flaws found, then they might ask if there is a better way to build security in.  But if we don’t demand security then we won’t get it.
+When Wichers works with the DISA STIGs he look at the code to see if it is secure. If he finds something, they fix it.  If not, then they don’t fix it. They are focusing on verification.  If there is enough flaws found, then they might ask if there is a better way to build security in.  But if we don’t demand security then we won’t get it.
-I am going to discuss half a dozen projects, but OWASP has many more in various levels of maturity.  There is a bar at the top of the OWASP website that lists some of the most mature projects. The OWASP meritocracy allows members to start new projects and then gain traction.
+Wichers discussed half a dozen projects, but OWASP has many more in various levels of maturity.  There is a bar at the top of the OWASP website that lists some of the most mature projects. The OWASP meritocracy allows members to start new projects and then gain traction. There are slide decks on each OWASP project available online.
 Many are listing OWASP references in either strong or weak ways.  PCI point directly to the OWASP Top 10 despite having no formal relationship.  The DISA STIG makes many references to the Top 10 for more information.
@@ Line 66: / Line 66: @@
 The government needs to ask for secure software in any form. '''The OWASP Legal Guide''' facilitates the requiring of secure software in contracts.  Its use would require a smart purchaser of security to require it of their vendor and having it as a factor of competitive bidding.
-Q. Have any vendors adopted the legal language?  A few companies have experimented with the legal language.
+Q. Have any vendors adopted the legal language?
-A. There are slide decks on each OWASP project available online.
+A. A few companies have experimented with the legal language.
 ;[[:Category:OWASP Guide Project|OWASP Development Guide]]

@@ Line 28: / Line 28: @@
 – Dave Wichers
 We are still not asking for secure software.  Is your customer really asking you to create secure software?  There is a fundamental supply and demand problem.  No one will produce something that no one wants to buy.  If I spend the effort to build secure software, then it increases the cost.  If it has the same functionality but has the invisible feature of security, then no one will buy it yet.  We as consumers must demand security from these companies we patronize.  Microsoft has worked very hard to produce secure software.  Some vendors are starting to win contracts because their software is more secure.
 When I work with the DISA STIGs I look at the code to see if it is secure. If I find something, they fix it.  If I don’t, then they don’t fix it. They are focusing on verification.  If there is enough flaws found, then they might ask if there is a better way to build security in.  But if we don’t demand security then we won’t get it.
@@ Line 35: / Line 41: @@
 Many are listing OWASP references in either strong or weak ways.  PCI point directly to the OWASP Top 10 despite having no formal relationship.  The DISA STIG makes many references to the Top 10 for more information.
 '''Top 10 Web Application Security Risks'''
 The first step to helping developers is to make them aware of the issues.  The Top 10 is a broad brush awareness document for any community.  But it won’t provide all the details.  If you don’t understand the technical foundation of the problems then you can’t build code to be secure against them.
@@ Line 62: / Line 63: @@
 '''The OWASP Application Security Verification Standard (ASVS)''' provides a standard for how to verify security services.  This helps organizations to compare application security service vendors.  The ASVS is a positive model stating what should be found.  The byproduct is a comprehensive roadmap of requirements which other OWASP ecosystems could leverage. The standard is our opinion of what should be included. The ASVS is a verification standard and is organized in terms of level of difficulty.  This is why automated verification is at level 1 and design verification is at level 3.
 The government needs to ask for secure software in any form. '''The OWASP Legal Guide''' facilitates the requiring of secure software in contracts.  Its use would require a smart purchaser of security to require it of their vendor and having it as a factor of competitive bidding.
@@ Line 71: / Line 73: @@
 ;[[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API (ESAPI) Project]]
 '''The OWASP Code Review Guide''' outlines approaches to code review, reporting, metrics, etc. by example within various languages.  It will soon be aligned with the ASVS.
-[[The OWASP Testing Guide]] may be the largest OWASP project in terms of the number of contributors.  This may be the most popular guide due to the number of people trying to perform testing.
+;[[:Category:OWASP Testing Project|OWASP Testing Guide]]
+'''The OWASP Testing Guide'''  may be the largest OWASP project in terms of the number of contributors.  This may be the most popular guide due to the number of people trying to perform testing.
 OWASP Common Numbering project organizes the guides in the same standardized order.

@@ Line 59: / Line 59: @@
 '''The OWASP Prevention Cheat Sheet''' provides article on how to avoid the most common web security problems.  They are all interlinked.  They include very concise guidance for developers.
 '''The OWASP Application Security Verification Standard (ASVS)''' provides a standard for how to verify security services.  This helps organizations to compare application security service vendors.  The ASVS is a positive model stating what should be found.  The byproduct is a comprehensive roadmap of requirements which other OWASP ecosystems could leverage. The standard is our opinion of what should be included. The ASVS is a verification standard and is organized in terms of level of difficulty.  This is why automated verification is at level 1 and design verification is at level 3.
@@ Line 66: / Line 67: @@
 A. There are slide decks on each OWASP project available online.
 '''The OWASP Developer Guide''' was the original flagship document.  The document has languished but there is a team that is working to update it.
@@ Line 84: / Line 86: @@
 OWASP Common Numbering project organizes the guides in the same standardized order.
 [[Category:OWASP_Conference_Presentations]]

← Older revision		Revision as of 21:40, 4 October 2010
Line 22:		Line 22:

	Dave can be reached at: dave.wichers (at) aspectsecurity.com or dave.wichers (at) owasp.org		Dave can be reached at: dave.wichers (at) aspectsecurity.com or dave.wichers (at) owasp.org
		+
		+	== Notes ==
		+
		+	'''Getting Started with the Top Ten and OWASP Guides'''
		+	– Dave Wichers
		+	We are still not asking for secure software. Is your customer really asking you to create secure software? There is a fundamental supply and demand problem. No one will produce something that no one wants to buy. If I spend the effort to build secure software, then it increases the cost. If it has the same functionality but has the invisible feature of security, then no one will buy it yet. We as consumers must demand security from these companies we patronize. Microsoft has worked very hard to produce secure software. Some vendors are starting to win contracts because their software is more secure.
		+
		+	When I work with the DISA STIGs I look at the code to see if it is secure. If I find something, they fix it. If I don’t, then they don’t fix it. They are focusing on verification. If there is enough flaws found, then they might ask if there is a better way to build security in. But if we don’t demand security then we won’t get it.
		+
		+	I am going to discuss half a dozen projects, but OWASP has many more in various levels of maturity. There is a bar at the top of the OWASP website that lists some of the most mature projects. The OWASP meritocracy allows members to start new projects and then gain traction.
		+
		+	Many are listing OWASP references in either strong or weak ways. PCI point directly to the OWASP Top 10 despite having no formal relationship. The DISA STIG makes many references to the Top 10 for more information.
		+
		+	'''Top 10 Web Application Security Risks'''
		+	* Prevention Cheat Sheet Series
		+	* Application Security Verification Standard (ASVS)
		+	* Building Guide
		+	* Code Review Guide
		+	* Testing Guide
		+	* Application Security Desk Reference (ASDR) The ASDR provides plenty of broad information about vulnerabilities.
		+
		+	The first step to helping developers is to make them aware of the issues. The Top 10 is a broad brush awareness document for any community. But it won’t provide all the details. If you don’t understand the technical foundation of the problems then you can’t build code to be secure against them.
		+
		+	The Top 10 helps developers to understand risk. Businesses must understand the risks and how significant they are. The business must understand the gravity of the ramifications if this risk is exploited. Until the business understands the risk, they won’t do anything about it.
		+
		+	The managers must care for the developers to care. The Top 10 includes a section stating that it is related to risk instead of just technical specifications. Businesses understand and are concerned with risk. Everything is a cost-benefit balance.
		+
		+	The attacks are becoming extremely professional and advanced. Economic pressures may not come as strongly from the consumers who are “path-of-least-resistance driven” but business-to-business pressure will be much stronger. This has been seen in the credit card processing industry. Google removed all of its internal Microsoft operating system installations after the Chinese hack.
		+
		+	The OWASP material ranges from understanding risk, to avoiding risk, to measuring risk, to managing risk.
		+
		+	Microsoft has statistics about the cost of the appsec program being zero or negative because the cost of rework outweighs their investment. This information is publicly available. Over time the up front cost is reduced.
		+
		+	The Top 10 was created in 2003. Each year it has been condensed so it is easily consumable. The Top 10 was always about risk, but making this distinction has been made clearer. Although some flaws may be less prevalent, they are just as devastating when exploited. The Top 10 is prioritized based upon the OWASP Risk Rating Methodology.
		+
		+	'''The OWASP Prevention Cheat Sheet''' provides article on how to avoid the most common web security problems. They are all interlinked. They include very concise guidance for developers.
		+
		+	'''The OWASP Application Security Verification Standard (ASVS)''' provides a standard for how to verify security services. This helps organizations to compare application security service vendors. The ASVS is a positive model stating what should be found. The byproduct is a comprehensive roadmap of requirements which other OWASP ecosystems could leverage. The standard is our opinion of what should be included. The ASVS is a verification standard and is organized in terms of level of difficulty. This is why automated verification is at level 1 and design verification is at level 3.
		+
		+	The government needs to ask for secure software in any form. '''The OWASP Legal Guide''' facilitates the requiring of secure software in contracts. Its use would require a smart purchaser of security to require it of their vendor and having it as a factor of competitive bidding.
		+
		+	Q. Have any vendors adopted the legal language? A few companies have experimented with the legal language.
		+	A. There are slide decks on each OWASP project available online.
		+
		+	'''The OWASP Developer Guide''' was the original flagship document. The document has languished but there is a team that is working to update it.
		+
		+	;[[:Category:OWASP Enterprise Security API\|OWASP Enterprise Security API (ESAPI) Project]]
		+	Developers need secure controls to build secure software. This document explains the intent of this statement. It outlines the standard set of controls needed and provides an explanation of the implementation. It outlines standard control implementation in many popular languages.
		+
		+	'''The OWASP Code Review Guide''' outlines approaches to code review, reporting, metrics, etc. by example within various languages. It will soon be aligned with the ASVS.
		+
		+	[[The OWASP Testing Guide]] may be the largest OWASP project in terms of the number of contributors. This may be the most popular guide due to the number of people trying to perform testing.
		+
		+	The ESAPI source code is a great example of secure code. There are plenty of other free OWASP tools online as well.
		+
		+	Microsoft was seeing roughly 8 – 15% of up front costs, but then saw costs drop dramatically due to efficiencies and cost avoidance. Investing in software quality can also provide a means for cost reduction which is a huge culture problem.
		+
		+	Startups only care about marketshare, not security. Small companies should have security as a priority as they gain a certain portion of marketshare.
		+
		+	Open Sources is not necessarily more secure. It varies. DHS’ HOST program and another site setup in partnership with Coverity provide feedback to open source developers.
		+
		+	OWASP Common Numbering project organizes the guides in the same standardized order.

	[[Category:OWASP_Conference_Presentations]]		[[Category:OWASP_Conference_Presentations]]

@@ Line 9: / Line 9: @@
 == The speaker  ==
-Dave Wichers Speaker bio will be posted shortly.
+Dave Wichers is a cofounder and the Chief Operating Officer (COO) of [http://www.aspectsecurity.com Aspect Security], a company that specializes in application security services.
 [[Category:OWASP_Conference_Presentations]]