This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Python Security Project"
Timo.goosen (talk | contribs) (→Licensing) |
Timo.goosen (talk | contribs) (→Reference Implementation) |
||
Line 43: | Line 43: | ||
You can read more here: | You can read more here: | ||
*[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses] | *[https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses] | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== What is the Python Security Project? == | == What is the Python Security Project? == |
Revision as of 16:31, 6 July 2015
OWASP Python Security ProjectPython Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations. The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:
IntroductionPython Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations. The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles: Security in python: white-box analysis, structural and functional analysis Security of python: black-box analysis, identify and address security-related issues Security with python: develop security hardened python suitable for high-risk and high-security environments
Detect and Respond to Attacks from Within the ApplicationDetectionAppSensor defines over 50 different detection points which can be used to identify a malicious attacker. ResponseAppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described. Defending the ApplicationAn attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.
LicensingLicense: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) This license is a community friendly license as recommended by OWASP. You can read more here: What is the Python Security Project?Overview
Project Founder
Project Leaders
|
Quick Download
Code Repository
In Print
The AppSensor Guide and CISO Briefing can be purchased at cost as a print on demand books. Classifications |
Volunteers
All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.
|
|
|
OWASP Summer of Code 2008
The AppSensor Project was initially supported by the OWASP Summer of Code 2008, leading to the publication of the book AppSensor v1.1.
Google Summer of Code 2012
Additional development work on SOAP web services was kindly supported by the Google Summer of Code 2012.
Other Acknowledgements
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.
Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
Current activities
Non code
- Update AppSensor Guide to keep in step with code changes and improvements to ideas (see discussion and editable list of changes)
- Create demo
- Develop training materials
v2 Code
The current code being worked on is located on GitHub
The code has been fully rewritten. v2.0.0 final was released in late January 2015. v2.1.0 final was released in June 2015.
The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at 17th March 2014.
if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.
Code Roadmap
Q4 2015 (2.0)
-
Jan - v 2.0.0 final release-> DONE
Q4 2014 (2.0)
-
Oct - v 2.0.0 release candidate-> DONE -
Jan 2015 (delay due to bug) - v 2.0.0 final-> DONE -
Additional unit tests-> DONE -
Move appsensor.org site over from static html to python-> NOT NECESSARY -
Finish up user documentation at appsensor.org-> DONE
June 2015 (2.1)
-
Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)(github issue) -> DONE -
Sample application / demo(github issue) -> DONE -
Finish up developer documentation on github and appsensor.org(github issue) -> DONE -
Preparation for GSOC 2015 submission-> DONE - see GSoC2015_Ideas - Update - OWASP not selected
September 2015 (2.2)
January 2016 (2.3)
- Get CI server (cloudbees?) setup (github issue)
- Video demo of setting up appsensor (screen capture) (related to sample apps)
- New detection point implementations (github issue)
- AOP examples of detection point implementations
May 2016 (2.4)
- Trend monitoring implementation (github issue)
- Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)
Past activities
June 2015 Final release v2.1.0 code
April 2015 CISO Briefing booklet published
February 2015 Introduction for Developers flyer published
January 2015 Final release v2.0.0 code
May 2014 Finalisation and publication of the AppSensor Guide v2.0
November, 2013 - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York
2012-2013 - Active Development of next AppSensor book
September, 2011 - AppSensor Summit at AppSec USA 2011, Minneapolis
September, 2010 - Presented at AppSecUSA slides
June, 2010 - Active ESAPI Integration Underway
November, 2009 OWASP DC, November 2009
2009 v1.2 in the works, demo application in development
May, 2009 - AppSec EU Poland - Presentation (PPT) (Video)
January, 2009 - v1.1 Released - Beta Status
November, 2008 - AppSensor Talk at OWASP Portugal
November, 2008 - v1.0 Released - Beta Status
April 16, 2008 - Project Begins
Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.
Detailed Detection Point Information Here
Response Action Information Here
Summary of Information Detection Categories:
RE - Request
AE - Authentication
SE - Session
ACE - Access Control
IE - Input
EE - Encoding
CIE - Command Injection
FIO - File IO
HT - Honey Trap
UT - User Trend
STE - System Trend
RP - Reputation
Signature Based Event Titles
ID Event
RE1 Unexpected HTTP Command
RE2 Attempt to Invoke Unsupported HTTP Method
RE3 GET When Expecting POST
RE4 POST When Expecting GET
RE5 Additional/Duplicated Data in Request
RE6 Data Missing from Request
RE7 Unexpected Quantity of Characters in Parameter
RE8 Unexpected Type of Characters in Parameter
AE1 Use Of Multiple Usernames
AE2 Multiple Failed Passwords
AE3 High Rate of Login Attempts
AE4 Unexpected Quantity of Characters in Username
AE5 Unexpected Quantity of Characters in Password
AE6 Unexpected Type of Character in Username
AE7 Unexpected Type of Character in Password
AE8 Providing Only the Username
AE9 Providing Only the Password
AE10 Adding POST Variable
AE11 Missing POST Variable
AE12 Utilization of Common Usernames
SE1 Modifying Existing Cookie
SE2 Adding New Cookie
SE3 Deleting Existing Cookie
SE4 Substituting Another User's Valid Session ID or Cookie
SE5 Source IP Address Changes During Session
SE6 Change Of User Agent Mid Session
ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt
ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt
ACE3 Force Browsing Attempt
ACE4 Evading Presentation Access Control Through Custom POST
IE1 Cross Site Scripting Attempt
IE2 Violation of Implemented White Lists
IE3 Violation Of Implemented Black Lists
IE4 Violation of Input Data Integrity
IE5 Violation of Stored Business Data Integrity
IE6 Violation of Security Log Integrity
EE1 Double Encoded Character
EE2 Unexpected Encoding Used
CIE1 Blacklist Inspection for Common SQL Injection Values
CIE2 Detect Abnormal Quantity of Returned Records
CIE3 Null Byte Character in File Request
CIE4 Carriage Return or Line Feed Character In File Request
FIO1 Detect Large Individual File
FIO2 Detect Large Number of File Uploads
HT1 Alteration to Honey Trap Data
HT2 Honey Trap Resource Requested
HT3 Honey Trap Data Used
Behavior Based Event Titles
UT1 Irregular Use of Application
UT2 Speed of Application Use
UT3 Frequency of Site Use
UT4 Frequency of Feature Use
STE1 High Number of Logouts Across The Site
STE2 High Number of Logins Across The Site
STE3 Significant Change in Usage of Same Transaction Across The Site
RP1 Suspicious or Disallowed User IP Address
RP2 Suspicious External User Behavior
RP3 Suspicious Client-Side Behavior
RP4 Change to Environment Threat Level
Introductory Briefings
Developers | Architects | CISOs | ||
The CISO briefing is also available to buy at cost in print.
AppSensor Website
Code
- v2 Github Code
- (LEGACY) v1 Google Code
AppSensor Guide
- OWASP AppSensor Guide
- v2.0 EN
- v1.1 EN
Presentations
Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)
July, 2010 - OWASP London (UK) - Real Time Application Attack Detection and Response with OWASP AppSensor
June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application
June, 2010 - Video presentation - Automated Application Defenses to Thwart Advanced Attackers
November, 2009 - AppSec DC - Defend Yourself: Integrating Real Time Defenses into Online Applications
May, 2009 - OWASP Podcast #51
May, 2009 - AppSec EU Poland - Real Time Defenses against Application Worms and Malicious Attackers
November, 2008 - OWASP Summit Portugal 2008 PPT
Video Demos of AppSensor
Detecting Multiple Attacks & Logging Out Attacker
Source Documents / Artwork
- Guide
- Word (content only), DOC 11Mb
- Word, images, Lulu covers, diagrams, ZIP 96Mb
- Introduction for Developers
- A4 Illustrator and PDF exports, ZIP 19Mb
- US letter Illustrator and PDF exports, ZIP 19Mb
- Poster
- A1 Illustrator and PDF export ZIP, 18Mb
PROJECT INFO What does this OWASP project offer you? |
RELEASE(S) INFO What releases are available for this project? | |||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
}}