This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Python Security Project"

From OWASP

Jump to: navigation, search

Latest revision as of 09:24, 7 December 2015

OWASP Python Security Project

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Introduction

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis Security of python: black-box analysis, identify and address security-related issues Security with python: develop security hardened python suitable for high-risk and high-security environments

Licensing

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) This license is a community friendly license as recommended by OWASP. You can read more here:

OWASP Licenses

What is the Python Security Project?

Other Python Security Related Research

This is a list of security related research on python core modules by other researchers.

Project Founder

Enrico Branca @

Project Leaders

Enrico Branca @

Quick Download

OWASP Python Security Flyer
- PDF

Code Repository

OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)

OWASP Python Project

Classifications

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Python_Security_Project&oldid=204783"

Categories:

Difference between revisions of "OWASP Python Security Project"

Latest revision as of 09:24, 7 December 2015

OWASP Python Security Project

Introduction

Licensing

What is the Python Security Project?

Other Python Security Related Research

Project Founder

Project Leaders

Quick Download

Code Repository

Related

Classifications

Current activities

Technical Roadmap

General Roadmap

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools

@@ Line 1: / Line 1: @@
 =Main=
+<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
-<div style="width:100%;height:120px;border:0,margin:0;overflow: hidden;"></div>
-<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;"></div>
 {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 | valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
@@ Line 24: / Line 21: @@
 Security of python: black-box analysis, identify and address security-related issues
 Security with python: develop security hardened python suitable for high-risk and high-security environments
-== Detect and Respond to Attacks from Within the Application ==
-=== Detection ===
-AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
-=== Response===
-AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
-===Defending the Application===
-An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.
@@ Line 47: / Line 33: @@
+== Other Python Security Related Research ==
+This is a list of security related research on python core modules by other researchers.
-== Overview ==
+*[https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_WP.pdf Sour Pickles Paper Blackhat 2011 Marco Slaviero]
+*[https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf Sour Pickles Slides Blackhat 2011]
-[[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
-[https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf 12-page US Letter booklet]
@@ Line 70: / Line 56: @@
 == Quick Download ==
-* OWASP AppSensor Guide v2.0.1 EN
+* OWASP Python Security Flyer
-** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
+** [https://www.owasp.org/images/2/2b/OWASP_PYSEC_FLYER.pdf PDF]
-** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
-** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Hard copy]
-* OWASP AppSensor Reference Implementation
-** [https://github.com/jtmelton/appsensor v2 Code]
 == Code Repository ==
 * OWASP Python Security Github https://github.com/ebranca/owasp-pysec/ (Current)
+== Related ==
-== In Print ==
+* [[OWASP Python Project|OWASP Python Project]]
-[[File:AppSensor2_small.jpg|link=]]
-The [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html AppSensor Guide] and [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html CISO Briefing] can be purchased at cost as a print on demand books.
 ==Classifications==
@@ Line 97: / Line 74: @@
     | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
     |-
-   | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
     |-
     | colspan="2" align="center"  | [[File:Project_Type_Files_DOC.jpg|link=]]
@@ Line 109: / Line 85: @@
 Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
-* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
+* [https://lists.owasp.org/mailman/listinfo/owasp_python_security_project General project]
-* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]
@@ Line 121: / Line 96: @@
 === General Roadmap ===
-"- Set up website with wiki
+- Set up website with wiki
 - Configure mailing list
@@ Line 158: / Line 133: @@
 - Release utility for PE extraction and hash generation from web files
-- Release update version of ""OWASP-ESAPI-python"""
-= Detection Points =
-Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.
- '''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''
- '''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''
-'''Summary of Information'''
-'''Detection Categories:'''
-RE - Request
-AE - Authentication
-SE - Session
-ACE - Access Control
-IE - Input
-EE - Encoding
-CIE - Command Injection
-FIO - File IO
-HT - Honey Trap
-UT - User Trend
-STE - System Trend
-RP - Reputation
-'''Signature Based Event Titles'''
-ID Event
-RE1 Unexpected HTTP Command
-RE2 Attempt to Invoke Unsupported HTTP Method
-RE3 GET When Expecting POST
-RE4 POST When Expecting GET
-RE5 Additional/Duplicated Data in Request
-RE6 Data Missing from Request
-RE7 Unexpected Quantity of Characters in Parameter
-RE8 Unexpected Type of Characters in Parameter
-AE1 Use Of Multiple Usernames
-AE2 Multiple Failed Passwords
-AE3 High Rate of Login Attempts
-AE4 Unexpected Quantity of Characters in Username
-AE5 Unexpected Quantity of Characters in Password
-AE6 Unexpected Type of Character in Username
-AE7 Unexpected Type of Character in Password
-AE8 Providing Only the Username
-AE9 Providing Only the Password
-AE10 Adding POST Variable
-AE11 Missing POST Variable
-AE12 Utilization of Common Usernames
-SE1 Modifying Existing Cookie
-SE2 Adding New Cookie
-SE3 Deleting Existing Cookie
-SE4 Substituting Another User's Valid Session ID or Cookie
-SE5 Source IP Address Changes During Session
-SE6 Change Of User Agent Mid Session
-ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt
-ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt
-ACE3 Force Browsing Attempt
-ACE4 Evading Presentation Access Control Through Custom POST
-IE1 Cross Site Scripting Attempt
-IE2 Violation of Implemented White Lists
-IE3 Violation Of Implemented Black Lists
-IE4 Violation of Input Data Integrity
-IE5 Violation of Stored Business Data Integrity
-IE6 Violation of Security Log Integrity
-EE1 Double Encoded Character
-EE2 Unexpected Encoding Used
-CIE1 Blacklist Inspection for Common SQL Injection Values
-CIE2 Detect Abnormal Quantity of Returned Records
-CIE3 Null Byte Character in File Request
-CIE4 Carriage Return or Line Feed Character In File Request
-FIO1 Detect Large Individual File
-FIO2 Detect Large Number of File Uploads
-HT1 Alteration to Honey Trap Data
-HT2 Honey Trap Resource Requested
-HT3 Honey Trap Data Used
-'''Behavior Based Event Titles'''<br>
-UT1 Irregular Use of Application
-UT2 Speed of Application Use
-UT3 Frequency of Site Use
-UT4 Frequency of Feature Use
-STE1 High Number of Logouts Across The Site
-STE2 High Number of Logins Across The Site
-STE3 Significant Change in Usage of Same Transaction Across The Site
-RP1 Suspicious or Disallowed User IP Address
-RP2 Suspicious External User Behavior
-RP3 Suspicious Client-Side Behavior
-RP4 Change to Environment Threat Level
-= Media =
-== Introductory Briefings ==
-{|
-| align="center" valign="top" | Developers
-|
-| align="center" valign="top" | Architects
-|
-| align="center" valign="top" | CISOs
-|-
-| width="200" align="left" valign="top" | [[File:Appsensor-developer-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor_intro_for_developers.pdf]]
-| width="20" |
-| width="200" align="left" valign="top" | [[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
-| width="20" |
-| width="200" align="center" valign="top" | [[File:Appsensor-cisobriefing-small.jpg|link=https://www.owasp.org/index.php/File:Appsensor-ciso-briefing.pdf]]
-|}
-The CISO briefing is also available to [http://www.lulu.com/shop/owasp-foundation/appsensor-ciso-briefing/paperback/product-22121723.html buy at cost in print].
-== AppSensor Website ==
-[[File:Appsensor-website-large.jpg|link=http://appsensor.org/]]
-[http://appsensor.org/ http://appsensor.org/]
-== Code ==
-*v2 [https://github.com/jtmelton/appsensor Github Code]
-* (LEGACY) v1 [http://code.google.com/p/appsensor/ Google Code]
-== AppSensor Guide ==
-* OWASP AppSensor Guide
-** v2.0 EN
-*** [https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf PDF]
-*** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc DOC]
-*** [http://www.lulu.com/shop/owasp-foundation/appsensor-guide/paperback/product-21608107.html Print on demand at cost hard copy]
-** v1.1 EN
-*** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
-*** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]
-== Presentations ==
-[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]
-July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]
-June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application
-June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]
-November, 2009 -  AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]
-May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]
-May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]
-November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]
-==Video Demos of AppSensor==
-[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]
-[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]
-[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]
-[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]
-==Source Documents / Artwork==
-* Guide
-** [https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc Word (content only)], DOC 11Mb
-** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/appsensor-guide-2v0-owasp.zip Word, images, Lulu covers, diagrams], ZIP 96Mb
-* Introduction for Developers
-** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-a4.zip A4 Illustrator and PDF exports], ZIP 19Mb
-** [https://www.owasp.org/index.php/File:Appsensor-intro-for-developers-usletter.zip US letter Illustrator and PDF exports], ZIP 19Mb
-* Poster
-** [https://www.owasp.org/index.php/File:Owasp-appsensor-poster-a1.zip A1 Illustrator and PDF export] ZIP, 18Mb
 = Project Approach =