This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Python Security Project

From OWASP
Revision as of 16:39, 6 July 2015 by Timo.goosen (talk | contribs) (Acknowledgements)

Jump to: navigation, search

OWASP Python Security Project

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:


Introduction

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:

Security in python: white-box analysis, structural and functional analysis Security of python: black-box analysis, identify and address security-related issues Security with python: develop security hardened python suitable for high-risk and high-security environments


Detect and Respond to Attacks from Within the Application

Detection

AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.

Response

AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.

Defending the Application

An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.


Licensing

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) This license is a community friendly license as recommended by OWASP. You can read more here:

What is the Python Security Project?

Overview

Appsensor-cisobriefing-small.jpg

12-page US Letter booklet


Project Founder

Project Leaders

Quick Download


Code Repository


In Print

AppSensor2 small.jpg

The AppSensor Guide and CISO Briefing can be purchased at cost as a print on demand books.

Classifications

Mature projects.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg
Project Type Files CODE.jpg

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:


Current activities

Technical Roadmap

General Roadmap

"- Set up website with wiki

- Configure mailing list

- Configure github account and create code structure

- Create Project presentation and pamphlet

- Publish initial batch of documents on python security issues and possible mitigations with code examples

- Create python secure coding area

- Introduce project to OWASP Chapters

- Publish initial version of python secure coding manual

- Publish hardened version of python coded for security purposes

- Document usage of code security policies and call whitelisting

- Document usage of message deduplication and data storage in hash rings

- Document usage of ESAPI-extended security checks, including but not limited to controls applied to python internal calls, strings, processes, permissions, and low level kernel calls

- Create initial documentation of base libraries and modules

- Release library to customizec and integrate OpenSSL and cURL

- Release utility for SSL analysis of HTTPS communication over SSL

- Release utility for SSL analysis of FTPS/FTPES communication over SSL

- Release utility for analysis of POPS/IMAPS/SMTPS connections over SSL

- Release of utility for archival of SSL certificates and CRLs

- Release utility for PE extraction and hash generation from web files

- Release update version of ""OWASP-ESAPI-python"""

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points. 

Detailed Detection Point Information Here 

Response Action Information Here

Summary of Information Detection Categories:

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation


Signature Based Event Titles

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

Behavior Based Event Titles

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

Introductory Briefings

Developers Architects CISOs
Appsensor-developer-small.jpg Appsensor crosstalk small.jpg Appsensor-cisobriefing-small.jpg

The CISO briefing is also available to buy at cost in print.

AppSensor Website

Appsensor-website-large.jpg

http://appsensor.org/


Code

AppSensor Guide

Presentations

Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)

July, 2010 - OWASP London (UK) - Real Time Application Attack Detection and Response with OWASP AppSensor

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - Automated Application Defenses to Thwart Advanced Attackers

November, 2009 - AppSec DC - Defend Yourself: Integrating Real Time Defenses into Online Applications

May, 2009 - OWASP Podcast #51

May, 2009 - AppSec EU Poland - Real Time Defenses against Application Worms and Malicious Attackers

November, 2008 - OWASP Summit Portugal 2008 PPT

Video Demos of AppSensor

Detecting Multiple Attacks & Logging Out Attacker

Detecting XSS Probes

Detecting URL Tampering

Detecting Verb Tampering

Source Documents / Artwork

PROJECT INFO
What does this OWASP project offer you? 		RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Python Security Project (home page)
Purpose: Python Security is a free, open source, project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles: - Security in python: white-box analysis, structural and functional analysis - Security of python: black-box analysis, identify and address security-related issues - Security with python: develop security hardened python suitable for high-risk and high-security environments

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
who is working on this project?
Project Leader(s):
  • Enrico Branca @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Enrico Branca @ to contribute to this project
  • Contact Enrico Branca @ to review or sponsor this project
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases


}}

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Python_Security_Project&oldid=197090"