This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Python Security Project"

From OWASP
Jump to: navigation, search
(Main)
m (added global owasp python project as related information)
 
(28 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
=Main=
 
=Main=
 
+
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
 
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>
 
 
 
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
Line 24: Line 21:
 
Security of python: black-box analysis, identify and address security-related issues
 
Security of python: black-box analysis, identify and address security-related issues
 
Security with python: develop security hardened python suitable for high-risk and high-security environments
 
Security with python: develop security hardened python suitable for high-risk and high-security environments
 
 
== Detect and Respond to Attacks from Within the Application ==
 
 
=== Detection ===
 
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
 
=== Response===
 
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
 
===Defending the Application===
 
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.
 
 
 
==Citations==
 
 
* [http://www.crosstalkonline.org/ CrossTalk], The Journal of Defense Software Engineering
 
** Creating Attack-Aware Software Applications with Real Time Defenses, Vol. 24, No. 5, Sep/Oct 2011
 
 
* Norwegian University of Science and Technology in Tronheim
 
** [http://ntnu.diva-portal.org/smash/record.jsf?pid=diva2:566091 AppSensor: Attack-Aware Applications Compared Against a Web Application Firewall and an Intrusion Detection System], Thomassen P, 2012
 
 
*US Department of Homeland Security
 
** [https://buildsecurityin.us-cert.gov/swa/topics/resilient-software/ Resilient Software]
 
** [https://buildsecurityin.us-cert.gov/swa/resources Software Assurance Resources]
 
  
  
 
==Licensing==
 
==Licensing==
OWASP AppSensor is free to use.
 
 
=== Guide ===
 
The guide is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 
 
=== Reference Implementation ===
 
The reference implementation is licensed under the [http://opensource.org/licenses/MIT MIT License], which is a permissive (commercial-friendly) license only requiring you to include a copy of the license upon distribution or copying.
 
 
&copy; OWASP Foundation
 
 
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
 
== What is AppSensor? ==
 
 
Detect and respond to attacks from within the application. This project includes both a well documented idea (the Guide) and a reference implementation (the Code).
 
 
 
== Intro for Developers ==
 
 
[[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
 
 
[https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf Two-sided US Letter or A4]
 
 
  
== AppSensor Website ==
+
License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
 +
This license is a community friendly license as recommended by OWASP.
 +
You can read more here:
 +
*[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]
  
[[File:Appsensor-website-small.jpg|link=http://appsensor.org/]]
+
== What is the Python Security Project? ==
  
See the [http://appsensor.org/ new AppSensor website] for an introduction and quick start instructions.
 
  
 +
== Other Python Security Related Research ==
 +
This is a list of security related research on python core modules by other researchers.
  
== Overview ==
+
*[https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_WP.pdf Sour Pickles Paper Blackhat 2011 Marco Slaviero]
 +
*[https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf Sour Pickles Slides Blackhat 2011]
  
[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
 
 
[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]
 
  
  
 
== Project Founder ==
 
== Project Founder ==
  
* [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] [mailto:michael.coates@owasp.org @]
+
* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]
 
 
  
 
== Project Leaders ==
 
== Project Leaders ==
  
* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves] [mailto:dennis.groves@owasp.org @]
+
* [https://www.owasp.org/index.php/User:Enrico_Branca Enrico Branca] [mailto:enrico.branca@owasp.org @]
* [https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:[email protected] @]
 
* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:[email protected] @]
 
 
 
  
== Related Projects ==
 
  
* [[:Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set]]
 
  
  
Line 110: Line 56:
 
== Quick Download ==
 
== Quick Download ==
  
* OWASP AppSensor Guide v2.0.1 EN
+
* OWASP Python Security Flyer
** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
+
** [https://www.owasp.org/images/2/2b/OWASP_PYSEC_FLYER.pdf PDF]
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
 
** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
 
* OWASP AppSensor Reference Implementation
 
** [https://github.com/jtmelton/appsensor v2 Code]
 
 
 
 
 
== News and Events ==
 
 
 
* [9 June 2015] AppSensor Code v2.1.0 [https://github.com/jtmelton/appsensor/releases/tag/v2.1.0 released]
 
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Code
 
* [19 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Documentation
 
* [09 Apr 2015] [https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf CISO Briefing] booklet published
 
* [22 Feb 2015] Proposal for [https://www.owasp.org/index.php/GSoC2015_Ideas#OWASP_AppSensor Google Summer of Code 2015]
 
* [13 Feb 2015] [https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf Introduction for Developers] flyer published
 
* [13 Feb 2015] AppSensor project awarded OWASP flagship status
 
* [28 Jan 2015] AppSensor Code v2.0.0 final [https://github.com/jtmelton/appsensor/releases/tag/v2.0.0 released]
 
* [18 Sep 2014] Guide book giveaway and signing at [http://2014.appsecusa.org/2014/ AppSecUSA 2014]
 
* [17 Sep 2014] Presentation at [http://www.meetup.com/London-API-Group/events/200768922/ London API Group]
 
* [12 Sep 2014] [http://appsensor.org/ AppSensor website] launched
 
  
 
== Code Repository ==
 
== Code Repository ==
* AppSensor v2 https://github.com/jtmelton/appsensor (Current)
+
* OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)
* Note: LEGACY AppSensor v1 https://code.google.com/p/appsensor/
 
  
== In Print ==
+
== Related ==
 
+
* [[OWASP Python Project|OWASP Python Project]]
[[File:AppSensor2_small.jpg|link=]]
 
 
 
The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.
 
  
 
==Classifications==
 
==Classifications==
Line 151: Line 74:
 
   | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
 
   | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
 
   |-
 
   |-
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 
 
   |-
 
   |-
 
   | colspan="2" align="center"  | [[File:Project_Type_Files_DOC.jpg|link=]]   
 
   | colspan="2" align="center"  | [[File:Project_Type_Files_DOC.jpg|link=]]   
Line 159: Line 81:
  
 
|}
 
|}
 
= Acknowledgements =
 
 
== Volunteers ==
 
 
All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.
 
 
{| cellpadding="2"
 
  |-
 
  | width="200" align="left" valign="top" |
 
 
*Josh Amishav-Zlatin
 
*Ryan Barnett
 
*Simon Bennetts
 
*Joe Bernik
 
*Rex Booth
 
*Luke Briner
 
*Rauf Butt
 
*Juan C Calderon
 
*Fabio Cerullo
 
*Marc Chisinevski
 
*Robert Chojnacki
 
*Michael Coates
 
*Dinis Cruz
 
*August Detlefsen
 
*Ryan Dewhurst
 
 
  | width="200" align="left" valign="top" |
 
 
*Sean Fay
 
*Timo Goosen
 
*Dennis Groves
 
*Randy Janida
 
*Chetan Karande
 
*Eoin Keary
 
*Alex Lauerman
 
*Junior Lazuardi
 
*Benjamin-Hugo LeBlanc
 
*Jason Li
 
*Manuel López Arredondo
 
*Bob Maier
 
*Jim Manico
 
*Sherif Mansour Farag
 
*John Melton
 
 
  | width="200" align="left" valign="top" |
 
 
*Mark Miller
 
*Craig Munson
 
*Louis Nadeau
 
*Giri Nambari
 
*Erlend Oftedal
 
*Jay Reynolds
 
*Chris Schmidt
 
*Sahil Shah
 
*Eric Sheridan
 
*John Steven
 
*Raphael Taban
 
*Alex Thissen
 
*Don Thomas
 
*Christopher Tidball
 
*Kevin W Wall
 
*Colin Watson
 
*Mehmet Yilmaz
 
 
  |}
 
 
==OWASP Summer of Code 2008==
 
The AppSensor Project  was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.
 
 
 
==Google Summer of Code 2012==
 
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].
 
 
 
== Other Acknowledgements ==
 
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.
 
 
  
 
= Road Map and Getting Involved =
 
= Road Map and Getting Involved =
  
 
Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
 
Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
+
* [https://lists.owasp.org/mailman/listinfo/owasp_python_security_project General project]
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]
 
  
  
 
== Current activities ==
 
== Current activities ==
  
=== Non code ===
+
=== Technical Roadmap ===
 
 
* Update AppSensor Guide to keep in step with code changes and improvements to ideas ([http://lists.owasp.org/pipermail/owasp-appsensor-project/2015-February/000855.html see discussion and editable list of changes])
 
* Create demo
 
* Develop training materials
 
 
 
=== v2 Code ===
 
 
 
The current code being worked on is located on [https://github.com/jtmelton/appsensor GitHub]
 
 
 
The code has been fully rewritten.
 
v2.0.0 final was released in late January 2015.
 
v2.1.0 final was released in June 2015.
 
 
 
The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at [http://lists.owasp.org/pipermail/owasp-appsensor-project/2014-March/000682.html 17th March 2014].
 
 
 
if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.
 
 
 
== Code Roadmap ==
 
 
 
=== Q4 2015 (2.0) ===
 
* <strike>Jan - v 2.0.0 final release </strike> -> DONE
 
 
 
=== Q4 2014 (2.0) ===
 
* <strike>Oct - v 2.0.0 release candidate</strike> -> DONE
 
* <strike>Jan 2015 (delay due to bug) - v 2.0.0 final </strike> -> DONE
 
* <strike>Additional unit tests</strike> -> DONE
 
* <strike>Move appsensor.org site over from static html to python</strike> -> NOT NECESSARY
 
* <strike>Finish up user documentation at appsensor.org</strike> -> DONE
 
 
 
=== June 2015 (2.1) ===
 
* <strike>Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)</strike> ([https://github.com/jtmelton/appsensor/issues/19 github issue]) -> DONE
 
* <strike>Sample application / demo</strike> ([https://github.com/jtmelton/appsensor/issues/9 github issue]) -> DONE
 
* <strike>Finish up developer documentation on github and appsensor.org</strike> ([https://github.com/jtmelton/appsensor/issues/12 github issue]) -> DONE
 
* <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]] - Update - OWASP not selected
 
 
 
=== September 2015 (2.2) ===
 
* First version of administration UI for appsensor (monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])
 
 
 
=== January 2016 (2.3) ===
 
* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
 
* Video demo of setting up appsensor (screen capture) (related to sample apps)
 
* New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
 
* AOP examples of detection point implementations
 
 
 
=== May 2016 (2.4) ===
 
* Trend monitoring implementation ([https://github.com/jtmelton/appsensor/issues/6 github issue])
 
* Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)
 
 
 
== Past activities ==
 
 
 
'''June 2015''' Final release v2.1.0 code
 
 
 
'''April 2015''' CISO Briefing booklet published
 
 
 
'''February 2015''' Introduction for Developers flyer published
 
 
 
'''January 2015''' Final release v2.0.0 code
 
 
 
'''May 2014''' Finalisation and publication of the AppSensor Guide v2.0
 
  
'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York
+
* [https://github.com/ebranca/owasp-pysec/blob/master/doc/ROADMAP.txt Technical Roadmap or TODO on github]
  
'''2012-2013''' - Active Development of next AppSensor book
+
=== General Roadmap ===
  
'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis
+
- Set up website with wiki
  
'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]
+
- Configure mailing list
  
'''June, 2010''' - Active ESAPI Integration Underway
+
- Configure github account and create code structure
  
'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]
+
- Create Project presentation and pamphlet
  
'''2009''' v1.2 in the works, demo application in development
+
- Publish initial batch of documents on python security issues and possible mitigations with code examples
  
'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])
+
- Create python secure coding area
  
'''January, 2009''' - v1.1 Released - Beta Status
+
- Introduce project to OWASP Chapters
  
'''November, 2008''' - AppSensor Talk at OWASP Portugal
+
- Publish initial version of python secure coding manual
  
'''November, 2008''' - v1.0 Released - Beta Status
+
- Publish hardened version of python coded for security purposes
  
'''April 16, 2008''' - Project Begins
+
- Document usage of code security policies and call whitelisting
  
= Detection Points =
+
- Document usage of message deduplication and data storage in hash rings
  
Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.
+
- Document usage of ESAPI-extended security checks, including but not limited to controls applied to python internal calls, strings, processes, permissions, and low level kernel calls
  
'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''
+
- Create initial documentation of base libraries and modules
  
'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''
+
- Release library to customizec and integrate OpenSSL and cURL
  
'''Summary of Information'''
+
- Release utility for SSL analysis of HTTPS communication over SSL
'''Detection Categories:'''
 
  
RE - Request
+
- Release utility for SSL analysis of FTPS/FTPES communication over SSL
  
AE - Authentication
+
- Release utility for analysis of POPS/IMAPS/SMTPS connections over SSL
  
SE - Session
+
- Release of utility for archival of SSL certificates and CRLs
  
ACE - Access Control
+
- Release utility for PE extraction and hash generation from web files
  
IE - Input
+
= Project Approach =
 
+
{{:Projects/OWASP_Python_Security_Project | Project Approach}}
EE - Encoding
 
 
 
CIE - Command Injection
 
 
 
FIO - File IO
 
 
 
HT - Honey Trap
 
 
 
UT - User Trend
 
 
 
STE - System Trend
 
 
 
RP - Reputation
 
 
 
 
'''Signature Based Event Titles'''
 
 
 
ID Event
 
 
 
RE1 Unexpected HTTP Command
 
 
 
RE2 Attempt to Invoke Unsupported HTTP Method
 
 
 
RE3 GET When Expecting POST
 
 
 
RE4 POST When Expecting GET
 
 
 
RE5 Additional/Duplicated Data in Request
 
 
 
RE6 Data Missing from Request
 
 
 
RE7 Unexpected Quantity of Characters in Parameter
 
 
 
RE8 Unexpected Type of Characters in Parameter
 
 
 
AE1 Use Of Multiple Usernames
 
 
 
AE2 Multiple Failed Passwords
 
 
 
AE3 High Rate of Login Attempts
 
 
 
AE4 Unexpected Quantity of Characters in Username
 
 
 
AE5 Unexpected Quantity of Characters in Password
 
 
 
AE6 Unexpected Type of Character in Username
 
 
 
AE7 Unexpected Type of Character in Password
 
 
 
AE8 Providing Only the Username
 
 
 
AE9 Providing Only the Password
 
 
 
AE10 Adding POST Variable
 
 
 
AE11 Missing POST Variable
 
 
 
AE12 Utilization of Common Usernames
 
 
 
SE1 Modifying Existing Cookie
 
 
 
SE2 Adding New Cookie
 
 
 
SE3 Deleting Existing Cookie
 
 
 
SE4 Substituting Another User's Valid Session ID or Cookie
 
 
 
SE5 Source IP Address Changes During Session
 
 
 
SE6 Change Of User Agent Mid Session
 
 
 
ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt
 
 
 
ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt
 
 
 
ACE3 Force Browsing Attempt
 
 
 
ACE4 Evading Presentation Access Control Through Custom POST
 
 
 
IE1 Cross Site Scripting Attempt
 
 
 
IE2 Violation of Implemented White Lists
 
 
 
IE3 Violation Of Implemented Black Lists
 
 
 
IE4 Violation of Input Data Integrity
 
 
 
IE5 Violation of Stored Business Data Integrity
 
 
 
IE6 Violation of Security Log Integrity
 
 
 
EE1 Double Encoded Character
 
 
 
EE2 Unexpected Encoding Used
 
 
 
CIE1 Blacklist Inspection for Common SQL Injection Values
 
 
 
CIE2 Detect Abnormal Quantity of Returned Records
 
 
 
CIE3 Null Byte Character in File Request
 
 
 
CIE4 Carriage Return or Line Feed Character In File Request
 
 
 
FIO1 Detect Large Individual File
 
 
 
FIO2 Detect Large Number of File Uploads
 
 
 
HT1 Alteration to Honey Trap Data
 
 
 
HT2 Honey Trap Resource Requested
 
 
 
HT3 Honey Trap Data Used
 
 
 
'''Behavior Based Event Titles'''<br>
 
 
 
UT1 Irregular Use of Application
 
 
 
UT2 Speed of Application Use
 
 
 
UT3 Frequency of Site Use
 
 
 
UT4 Frequency of Feature Use
 
 
 
STE1 High Number of Logouts Across The Site
 
 
 
STE2 High Number of Logins Across The Site
 
 
 
STE3 Significant Change in Usage of Same Transaction Across The Site
 
 
 
RP1 Suspicious or Disallowed User IP Address
 
 
 
RP2 Suspicious External User Behavior
 
 
 
RP3 Suspicious Client-Side Behavior
 
 
 
RP4 Change to Environment Threat Level
 
 
 
= Media =
 
 
 
== Introductory Briefings ==
 
 
 
{|
 
| align="center" valign="top" | Developers
 
|
 
| align="center" valign="top" | Architects
 
|
 
| align="center" valign="top" | CISOs
 
|-
 
| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
 
| width="20" |
 
| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
 
| width="20" |
 
| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
 
|}
 
 
 
The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].
 
 
 
== AppSensor Website ==
 
 
 
[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]
 
 
 
[http://appsensor.org/ http://appsensor.org/]
 
 
 
 
 
== Code ==
 
 
 
*v2 [https://github.com/jtmelton/appsensor Github Code]
 
* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]
 
 
 
== AppSensor Guide ==
 
 
 
* OWASP AppSensor Guide
 
** v2.0 EN
 
*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
 
*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
 
*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
 
** v1.1 EN
 
*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
 
*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]
 
 
 
== Presentations ==
 
 
 
[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]
 
 
 
July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]
 
 
 
June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application
 
 
 
June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]
 
 
 
November, 2009 -  AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]
 
 
 
May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]
 
 
 
May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]
 
 
 
November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]
 
 
 
==Video Demos of AppSensor==
 
 
 
[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]
 
 
 
[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]
 
 
 
[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]
 
 
 
[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]
 
 
 
==Source Documents / Artwork==
 
 
 
* Guide
 
** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
 
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
 
* Introduction for Developers
 
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
 
** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
 
* Poster
 
** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb
 
 
 
= Project About =
 
{{:Projects/OWASP_AppSensor_Project | Project About}}
 
  
  
Line 581: Line 143:
  
 
[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]
 
[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:SAMM-EH-3]] [[Category:SAMM-SA-2]]
 
=Project About=
 
{{:Projects/OWASP_Python_Security_Project}}
 
 
[[Category:OWASP Project]]
 

Latest revision as of 09:24, 7 December 2015

Lab big.jpg

OWASP Python Security Project

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:


Introduction

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis Security of python: black-box analysis, identify and address security-related issues Security with python: develop security hardened python suitable for high-risk and high-security environments


Licensing

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) This license is a community friendly license as recommended by OWASP. You can read more here:

What is the Python Security Project?

Other Python Security Related Research

This is a list of security related research on python core modules by other researchers.


Project Founder

Project Leaders

Quick Download

  • OWASP Python Security Flyer

Code Repository

Related

Classifications

Mature projects.png Owasp-builders-small.png
Owasp-defenders-small.png
Project Type Files DOC.jpg
Project Type Files CODE.jpg

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:


Current activities

Technical Roadmap

General Roadmap

- Set up website with wiki

- Configure mailing list

- Configure github account and create code structure

- Create Project presentation and pamphlet

- Publish initial batch of documents on python security issues and possible mitigations with code examples

- Create python secure coding area

- Introduce project to OWASP Chapters

- Publish initial version of python secure coding manual

- Publish hardened version of python coded for security purposes

- Document usage of code security policies and call whitelisting

- Document usage of message deduplication and data storage in hash rings

- Document usage of ESAPI-extended security checks, including but not limited to controls applied to python internal calls, strings, processes, permissions, and low level kernel calls

- Create initial documentation of base libraries and modules

- Release library to customizec and integrate OpenSSL and cURL

- Release utility for SSL analysis of HTTPS communication over SSL

- Release utility for SSL analysis of FTPS/FTPES communication over SSL

- Release utility for analysis of POPS/IMAPS/SMTPS connections over SSL

- Release of utility for archival of SSL certificates and CRLs

- Release utility for PE extraction and hash generation from web files

PROJECT INFO
What does this OWASP project offer you? 		RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Python Security Project (home page)
Purpose: Python Security is a free, open source, project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles: - Security in python: white-box analysis, structural and functional analysis - Security of python: black-box analysis, identify and address security-related issues - Security with python: develop security hardened python suitable for high-risk and high-security environments

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
who is working on this project?
Project Leader(s):
  • Enrico Branca @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Enrico Branca @ to contribute to this project
  • Contact Enrico Branca @ to review or sponsor this project
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases


}}

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Python_Security_Project&oldid=204783"