Alchemist is focused to present this solution by architecting a real-life high stakes application with security built into it right from the inception, step-by-step as it falls under an SDLC. The current exercise is targeted at demonstrating this on a J2EE based web application that is developed using Spring framework. Spring framework was chosen due to its widespread adoption in the financial products. However, it is important note that Alchemist is not limited to J2EE or more specifically Spring framework. The idea is to demonstrate the upper spectrum of security practices that are often neglected or are done in bits and pieces by picking a well known widely adopted technology. Since the emphasis is on security architecture and defensibility, the future road-map is to demonstrate the same for applications built using other leading programming languages and frameworks.

Although this project is more than useful for existing/already developed applications, Alchemist is not the ideal solution to retrofit security into existing applications. It is aimed at offering more to applications that are at least in development, most in design phase. Allowing for language-specific differences, Alchemist builds this application with a strong foundation of security architecture that covers following main practices:

• Security Requirements
• Threat Risk Modeling
• Use and Abuse Cases
• Secure Coding Guideline

• The final goal is to integrate a set of OWASP projects into an Application Security Assessment process in order to define a model which can be used by an organization to provide application security through OWASP standards.

• In 9 years of activities OWASP has become the standard for Web Application Security. We are full of projects that are fantastic resources for developers and testers.
• OWASP SAMM and ASVS address many security management issues.
• What I see is missing now is a kind of guideline the managers should follow to adhere to the OWASP standards. I see that every security manager has different idea about the secure dev and testing (when and how to perform it).
• This project wants to address the Security Manager point of view and tell him what he should do to implement an efficient Application Security Program.
• In this project we will show all the OWASP Guides and tools and will tell why,how and when to use that. We can do that in function of the size of the organization, management roles and objectives. The idea is for example for a Bank Company,OWASP says to perform a OWASP SAMM assessment every year, to per perform Code Review and WAPT to all critical new software, testing every 3 months, etc.. Every activities is linked to an OWASP resource to use.

Upon completion of the quiz, for each question, it will tell the quiz taker whether they had the correct or incorrect answer, a discussion of the question, the specific application security areas the question focused on, a discussion about the correct an incorrect answers, and links to further references.

• Use as a metric - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications,
• Use as guidance - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and
• Use during procurement - Provide a basis for specifying application security verification requirements in contracts.

• The product of this project is intended to help all involved in web application security, whether it is project management, risk assessment, software development, testing, etc.
• The reason d'etre of this project is that, whilst security requirements are sometimes well captured and clearly defined, there are other times when they are not, for any number of reasons.

Overview The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.
Detection AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
Response AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
Defending the Application An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

Going forward I hope to further integrate with the ASVS and other guides such as the testing and ASDR guides shall be perfromed for version 2.0.

• The current release of this project is not suitable for production use

• ESAPI for C++ is sponsored by the United States Government
• An API for helping programmers develop more secure business applications in C++.
• Provides easy to use functions for proper auditing, simple wrappers for cryptographic functions, and more.
• The current release of this project is not suitable for production use

• ESAPI for C is sponsored by the United States Government
• An API for helping programmers develop more secure business applications in C.
• Provides easy to use functions for proper auditing, simple wrappers for cryptographic functions, and more.

• The current release of this project is not suitable for production use

• The application is intended for Java Developers. The goal of the application is to teach developers about the functionality of the ESAPI library and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities.

1. Remote code execution
2. SQL injection
3. Format string vulnerabilities
4. Cross Site Scripting (XSS)
5. Session hacking
6. Denial of service (DoS) attacks
7. Eavesdropping /Sniffing/ Phishing
8. Identity Spoofing
9. Man-in-the-Middle Attacks
10. Username enumeration
    1. Instrumentation & Audits for:
    2. Critical Business Areas
    3. User Management
    4. Un-usual activities
    5. Interfaces Integrations
11. IIS Tweaks
12. Password Policy

The exams may be distributed either in text format as well as in Moodle (an open source LMS) format so that they can be re-purposed for use in any system or an educator can use them directly in Moodle to administer exams to students. Ideally the exams will be tied to OWASP Academies learning blocks so that there is good learning and training content that can be used to motivate the usage of the exams.

• The initial release is of alpha-level maturity and contains a fully functional functional RESTful web service and an Android application to get started. Future releases will add new applications and services, and will expand upon the current codebase to provide new and increasingly difficult to discover security flaws.
• The entire application and framework is Java based. There is no need to install an external web server or container. Each web service runs on embedded Jetty instances and uses the Jersey implementation of JAX-RS.
• In the first release, solutions will not be provided. You are encouraged to figure out where the holes are and determine the best way to mitigate them. The next release will include the solutions for version 1.
• You can download the project via Google Code: http://code.google.com/p/owasp-goatdroid/

• The Hackademic Challenges project implements realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.
• They have been especially designed for use in a classroom environment where they have been proved a valuable educational tool. Using hackademic challenges students have the chance to experience application security in a realistic environment, something that triggers their interest and provokes a lot of interesting discussions.
• The Hackademic Challenges are currently used in several Universities and have received very positive feedback from both professors and students.

• Built in Python/Qt + MongoDB.

• • Swing-based UI,
  • Interception capabilities with manual edit,
  • Syntax highlightning (html/form-data/http) based on JFlex,
  • Storage of http traffic into MongoDB database,
  • Interception capabilities of tcp-traffic,
  • Possibilities to intercept in Fully Qualified mode (like all other http-proxies) OR Non-fully qualified mode. The latter means that interception is performed *after* the host has been parsed, thereby enabling the user to submit non-valid http content.
• The primary purpose of the Hatkit Proxy is to create a minimal, lightweight proxy which stores traffic into an offline storage where further analysis can be performed, e.g. all kinds of analysis which is currently implemented by the proxies themselves (webscarab/burp/paros etc).
• Also, since the http traffic is stored in a MongoDB, the traffic is stored at an object-level, retaining the structure of the parsed traffic, which enables a user to perform advanced queries later.
• The proxy should also be a good choice for 'defenders' who wants to (temporarily?) monitor traffic. The proxy itself is, as stated, very lightweight, and the backend MongoDB storage scales very well and should be able to handle extreme amounts of data. This would allow defenders to perform advanced post-mortem or real-time analysis of incoming traffic.
• Built in Java/Swing + MongoDB.

Similar to WebGoat (developer), the user is presented with a series of lessons surrounding numerous vulnerabilities associated with iOS apps. The student exploits each vulnerability to validate its existence, and then he implements a remediation in the lesson's source code.

Further, iGoat is designed and implemented modularly, similar conceptually to WebGoat's modular Java EE servlet model. It is intended to provide a foundational framework to build lessons on top of, starting with a core set of lessons provided in the first release.

Main

Welcome to the OWASP Java Encoder Project

Contextual Output Encoding is a computer programming technique necessary to stop [Cross Site Scripting]. This project is a Java 1.5 simple-to-use drop-in high-performance encoder class with little baggage.

• No third party libraries or configuration necessary.
• This code was designed for high-availability/high-performance encoding functionality.
• The key motivation for the separate project was:

1. Simple drop-in encoding functionality
2. Redesigned for performance
3. More complete API (uri and uri component encoding, etc) in some regards.

• This is a Java 1.5 project.

Use the Java Encoder Project

The general API pattern to utilize the Java Encoder Project is "Encode.forContextName(untrustedData)", where "ContextName" is the name of the target context and "untrustedData" in untrusted user input.

For example, to use in a JSP

<input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />

<textarea name="text"><%= Encode.forHtmlContent(textValue) %>" />

Generally Encode.forHtml(...) is safe but slightly less efficient for the above two contexts (since it encodes more characters than necessary).

For JavaScript string data

<button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">click me</button>

<script type="text/javascript"> var msg = "<%= Encode.forJavaScriptBlock(message) %>"; alert(msg); </script>

Again generally Encode.forJavaScript is safe for the above two context, but slightly less efficient since it encodes more characters.

Other Contexts

Other contexts can be found in the org.owasp.Encode class methods, including CSS strings, CSS urls, XML contexts, URIs and URI components.

Build the Java Encoder Project

checkout and run "mvn package" (using maven 2.0 or 3.0)

By providing automatic context aware escaping, JXT relieves the developer of having to think through the various contexts and appropriate escaping method required--allowing them to focus on coding the application. It also helps make the application more robust--it is easy to forget an escape after late night coding sessions after long hours. An additional benefit, perhaps not obvious at first, is that the automatic escaping provides for shorter syntax, and thus more readable code.

Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the CRS is based on generic rules which focus on attack payload identification in order to provide protection from zero day and unknown vulnerabilities often found in web applications, which are in most cases custom coded.

• Its goal is to help people securing their web applications against attacks like SQL Injections, Cross Site Scripting, Cross Site Request Forgery, Local & Remote file inclusions.

• The difference with most WAF (Web Application Firewalls) out there is that it does not rely upon signatures to detect and block attacks. It uses a simpler model where, instead of trying to detect "known" attacks, it detects unexpected characters in the HTTP requests/arguments.

• Each kind of unusual character will increase the score of the request. If the request reaches a score considered "too high", the request will be denied, and the user will be redirected to a "forbidden" page. Yes, it works somewhat like a spam system.

• We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones. Open source is everywhere.
• The OWASP Open Review Project (ORPRO) exists to act as a resource providing automated static analysis of OWASP projects.
• Fortify Software has made their Fortify on Demand (FoD) technology available to OWASP projects at owasp.fortifyondemand.com.

• More about OVAL from MITRE website:
• Open Vulnerability and Assessment Language (OVAL®) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services.
  • This project will strive to create OVAL content (which are simply XML files) for common security mis-configurations. For example, refer to http://www.codeproject.com/KB/web-security/web-based-applications.aspx for list of top 10 Application Security Vulnerabilities in Web.config Files which may impact any ASP.NET web application. Each of these security settings can be tested easily by writing corresponding OVAL checks. In this particular case, xmlfilecontent_item can be used.
  • There are already free tools (OVAL Interpreters) available which can be readily used to check content conforming to OVAL standard.
  • OVAL community is quite active and there is fast amount of content available in OVAL repository maintained at MITRE website.
  • By providing standard OWASP reviewed OVAL content to general public, this project goal is to make it easier for anyone involved in finding configuration related vulnerabilities in any web application platform

NOTE: most of the O2 Platform content is still on the external website
www.o2platform.com

• Allow buyers to find the best providers for their needs.

This project will have a two pronged approach designed to put more nails in the single-factor method of authentication.

• First, we will create an interactive portal where penetration testers are able to enter known information about the target. This known information can then be broken down and converted to create a large downloadable dictionary list that has been customized to the target. This list will be added to a comprehensive standard dictionary with the character conversions performed on that as well. The result would be a large list of commonly used passwords, dictionary words, target specific passwords, and various derivitives of each which should cover the vast majority of passwords used today.

• The second prong of our approach will be to capture the results of all data collected into a large database. This data will be hashed with common hashing methods to create what will become the world's largest rainbow tables. A user can provide us with a hash and we can do a lookup against these tables to search for matching entries. The goal here is to put a stop to unsalted password hashes for authentication.

We've all heard of capture the flag competitions, Secure The Flag (STF) is different. STF is a developer focused competition where teams compete to develop the most secure application based on a series of software requirements. Some requirements are just there to set boundaries and standardize the game, some requirements are critical elements and MUST be implemented, other elements are optional and can get you bonus points, but be careful, bonus features are more risky! Teams will receive the requirements, along with a pre-configured VM (LAMP) several days before the competition to allow ample time to design and implement their systems.

• Frameworks that are ‘secure by default’ will yield a dramatic reduction in the number of common web application security vulnerabilities.
• Application security experts should provide, on a regularly basis, updated guidance to framework developers on how to incorporate mechanisms to avoid newly discovered vulnerabilities.

With the support of the OWASP (Open Web Application Security Project) community SIMBA is constantly improved so current security vulnerabilities are better supported and proactive work is done against future vulnerabilities. SIMBA is not vendor specific, developed in an international community and is supported by all major platforms.

In another words: Varnish as a Web Application Firewall; A kind of mod_security for Varnish; Varnish security filters.

Major Features:

• Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, Javascript, CSS, and development frameworks (e.g. ASP.NET, JavaServer);
• Works seamlessly with complex Web 2.0 applications while you drive the Web browser;
• Non-intrusive, will not raise alarms or damage production sites;
• Real-time analysis and reporting - findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS);
• Configurable domains with wildcard support;
• Extensible framework for adding new checks.

You may also be interested in testing the Next Generation of WebScarab.

x5s is a Fiddleraddon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. This is not a point and shoot tool, it requires some understanding of how encoding issues lead to XSS, and it requires manual driving.

It's main goal is to help you identify the hotspots where XSS might occur by:

• Detecting where safe encodings were not applied to emitted user-inputs
• Detecting where Unicode character transformations might bypass security filters
• Detecting where non-shortest UTF-8 encodings might bypass security filters

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.