April 30, 2015

Introduction to OWASP: A Security Testing Resource

A subset of slides created in order to illustrate a ten minute tech talk given by me at Fitbit - Boston on security testing resources that the Open Web Application Security Project offers.







What does OWASP Stand for?


OWASP stands for Open Web Application Security Project. https://www.owasp.org/  

What is your experience with OWASP? 


I worked as part of a security testing team at Intralinks back in 2011 to 2012. The QA Manager at the time wanted to try to integrate security into the manual tests we had. 

The in-house security consultant would review testing guides with us, either once a week or every other week breaking off tests we could do in bite sized chunks each week. I’d capture the meeting notes, sketch out and perform the basic tests, and put the information their confluence page.     


What is OWASP? 

The Open Web Application Security Project (OWASP) is a not-for profit started in the United States but now is an international organization. Their tools, documents, forums, and chapters are free and open to anyone with an interest in improving their application security.

What does OWASP do?


The two main documents they produce every few years are a Testing Guide and the OWASP Top Ten Vulnerabilities. Both are made available in either PDF or Wiki format.

... They also have a developers guide, that I am unfamiliar with. 

OWASP also has produced mock web applications you can download from GitHub and run locally. They were left purposely vulnerable so testers could review the web apps, the source code, and test against it using various security tools. They have a mock application to test a generic web application, another to test Ruby on Rails web apps, another to test Node.js applications, among others  

What is the OWASP Top Ten? 

Every few years, OWASP analyzes the top ten risks, publishes a description of these vulnerabilities and how to fix them. The last list was compiled in 2013. They cover topics such as: SQL Injection, Broken Authentication, Cross Site Scripting, Insecure Direct Object Readiness, Security Management, Sensitive Data Exposure. Missing function level access control. Cross Site Forgery, Using components with known vulnerabilities, and unvalidated redirects and forwards. 

If we go to the link: https://www.owasp.org/index.php/Top_10_2013-Top_10 we can see the list and drill down from the list to see who is at risk, how the attack happens, and how you can prevent the attack.   

Where can you find more detail about each security risk? 


When you go to the Top Ten Risk page and drill down into a topic such as Cross Site Scripting (XSS), you are taken to the https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) Cross site scripting page. 

Each page has an easy to read color coded grid detailing the threat, who is at risk, what is the weakness, who it impacts and how it impacts the business. 

Sections contained on the page answer questions like: 
  • Am I vulnerable to Cross site scripting? 
  • How do I prevent Cross Site Scripting? 
  • Lists example attack scenarios. 
  • List related links.   


OWASP's testing projects



OWASP sponsors test projects such as RailsGoat, a purposely vulnerable Ruby on Rails web application designed by the people who created the Living Social web app. 


OWASP RailsGoat test application runs locally from local computer

Unofficial page: http://railsgoat.cktricky.com/ 

 You can use testing tools such as Charles Web Proxy or Burp Proxy to view, alter and edit the HTTP Get and Post calls, run other security testing tools against it, and you don’t have to worry about damaging a real site or altering production data. 

These mock web apps provide real world examples of the OWASP top ten, such as Injection, Cross site scripting, Broken Authentication. 

They give you hints on where to start looking for the vulnerabilities. You get to discover them yourself. 

 Other testing projects other than RailsGoat: WebGoat, iGoat for iPhone applications, Node JS Goat, WebGoat.Net, GoatDroid. Desktop Goat & PyGoat is still in the works.   

Does OWASP meet around Boston?

And, yes, OWASP Boston has a Meetup.com Group! 

I have never attended any of their meetings before, and I was planning on crashing it… 

... And by crashing … I mean signing up and RSVPing like a responsible member of the Meetup community. 

Their next Meetup is Wednesday, May 6th, and is being hosted by Akamai in Kendall Square, only a 2 ½ mile, 40 - 45 minute walk from Fitbit’s office. 



-T.J. Maher
 Sr. QA Engineer, Fitbit
 Boston, MA

// Automated tester for [ 1 ] month and counting!

Please note: 'Adventures in Automation' is a personal blog about automated testing. It is not an official blog of Fitbit.com
Post a Comment