Back in the days when I attended college, computer security meant how to secure your networks from snooping eyes. You know – firewalls. And that was it. Websec could be summarized as: don’t depend on Javascript validation, use HTTPS and POST – SQL injection theory was only a footnote. The world has moved on since then and the topic is treated with more respect than ever. My training in this field comes mostly from whatever I’ve found on the net and from books – and experience. Today I am going to talk about an organization you are almost guaranteed to stumble upon when reading material from the net or in compsec books. Meet OWASP.

What is OWASP?

OWASP is a worldwide organization working to raise awareness about software security and to provide information free of charge, so that both individuals and organizations can make informed decisions about security risks. They do this by publishing articles, blog posts, guidelines and useful software. Oh – and that’s quite impressive since they’re a non-profit organization. By the way – OWASP stands for Open Web Application Security Project. They were founded back in 2001 (Dec 1) – and took a leap further by registering as a not-for-profit charitable organization in the U.S. on April 21, 2004.

Notable projects

OWASP offers a truckload of interesting projects. A comprehensive overview can be found here. The list is too big to cover in this blog post – but I will try to give a brief description of what most users will stumble upon when encountering OWASP for the first time. In general, their archive is vast and I think you would be heavily rewarded if you spent some time on their site.

WebScarab

WebScarab is a Java-based tool for analyzing applications that run over HTTP(S). There are many features to this tool, but the most notable one, and the one most users will stumble upon, is the intercepting proxy. For those who do not know what this implies, it goes something like this: an intercepting proxy is a “box” between your browser and the net. Requests are routed through this “box”. When a request has been sent from your browser to this “box”, you can intercept it, tailor it to your needs and then pass it through to its destination. A fun tool for finding out how the remote logic actually behaves, as opposed to what the browser lets you send. You can also intercept and review responses from the remote server before they land in your browser. Ok – the reason for saying that most people will stumble upon this intercepting proxy is that many security books prefer this tool.

For more information about this tool, visit the product page here.

WebGoat

WebGoat is maybe even more interesting seen from a newbie’s point of view. Or perhaps even for more experienced compsec geeks. It is a deliberately insecure web application – by design. It is a training tool for web application security lessons. A sandbox, if you will, for your experiments. To me, it looks somewhat like HackThisSite and similar. With this tool you can play with:

  • Cross-site Scripting (XSS)
  • Access Control
  • Thread Safety
  • Hidden Form Field Manipulation
  • Parameter Manipulation
  • Session Cookies
  • SQL Injection
  • ++
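The practical lesson behind the intercepting proxy described under WebScarab, and behind the Hidden Form Field Manipulation and Parameter Manipulation lessons in WebGoat, is the same: once a request has left the browser, every field in it can be rewritten, so a server must never trust a hidden price or a quantity just because the page set it. The example below is added here and is not code from the original post or from any OWASP project. It shows a naive order handler that trusts the form as sent, beside a hardened one that looks the price up server-side and bounds the quantity. The catalog, the handler names and the request bodies are constructed for the demo.

```python
"""
Added example (not from the original post or from OWASP): an order handler
that treats every form field as attacker-controlled, because an intercepting
proxy lets the user rewrite hidden fields and parameters before they reach
the server. CATALOG, MAX_QUANTITY and the handler names are assumptions
made up for this demo.
"""
from urllib.parse import parse_qs

# Constructed server-side catalog: the only trusted source of prices.
CATALOG = {
    "book-101": 29.95,
    "mug-202": 9.50,
}

MAX_QUANTITY = 10


def parse_form_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def naive_handle_order(body: str) -> dict:
    """The 'before' handler: trusts the hidden price field and the quantity
    parameter exactly as the client sent them. Anything rewritten in the
    proxy is accepted verbatim."""
    form = parse_form_body(body)
    qty = int(form.get("quantity", "1"))
    price = float(form.get("price", "0"))
    return {"ok": True, "item": form.get("item"), "total": round(price * qty, 2)}


def validated_handle_order(body: str) -> dict:
    """Hardened handler: discards the client-supplied price entirely,
    looks the price up server-side, and bounds the quantity."""
    form = parse_form_body(body)
    item = form.get("item", "")
    if item not in CATALOG:
        return {"ok": False, "error": "unknown item"}
    try:
        qty = int(form.get("quantity", "1"))
    except ValueError:
        return {"ok": False, "error": "quantity is not an integer"}
    if not 1 <= qty <= MAX_QUANTITY:
        return {"ok": False, "error": "quantity out of range"}
    # The "price" field is ignored: a hidden field is not a secret and
    # not a trust boundary, only the server-side catalog is.
    total = round(CATALOG[item] * qty, 2)
    return {"ok": True, "item": item, "total": total}


# Constructed request bodies: what the browser originally sends, and two
# variants an intercepting proxy could have produced before forwarding.
ORIGINAL_BODY = "item=book-101&price=29.95&quantity=2"
TAMPERED_PRICE_BODY = "item=book-101&price=0.01&quantity=2"
TAMPERED_QTY_BODY = "item=book-101&price=29.95&quantity=-5"


if __name__ == "__main__":
    for body in (ORIGINAL_BODY, TAMPERED_PRICE_BODY, TAMPERED_QTY_BODY):
        print(body)
        print("  naive    :", naive_handle_order(body))
        print("  validated:", validated_handle_order(body))
```

Running the script prints the naive handler happily charging 0.02 for two books and a negative total for a negative quantity, while the hardened handler produces the catalog total in both cases or rejects the request. The design point is that the hardened version does not try to detect tampering; it simply never reads the value it cannot trust.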

How to join

Even though they are a non-profit organization, they need dough to continue their good work. Hence they offer memberships. A personal membership runs about $50 USD per year (as far as I can see). For more information about personal membership, go here.

AppSecTutorialSeries Videos

OWASP has produced some very good informational YouTube videos that last about ten minutes per episode. At this moment they’ve produced four videos. From what I can see these are extremely good and to the point.
