Differences

public:secureprogramming [2014-09-11 11:51] – [OWASP tools] petrspublic:research:secprog:secureprogramming [2016-12-01 13:28] (current) – external edit 127.0.0.1
Line 2: Line 2:
  
   * 19 deadly sins of software programming (Howard), examples, list of reasonably fresh real examples: http://www.math.uaa.alaska.edu/~afkjm/cs470/handouts/SecuritySins.pdf   * 19 deadly sins of software programming (Howard), examples, list of reasonably fresh real examples: http://www.math.uaa.alaska.edu/~afkjm/cs470/handouts/SecuritySins.pdf
 +  * Mozilla secure coding guidelines: https://developer.mozilla.org/en-US/docs/Secure_Development_Guidelines
 +
  
 ===== Security programming courses ===== ===== Security programming courses =====
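Review bot: the new Mozilla guidelines bullet gives only a URL, while the neighbouring Howard entry says what its link contains; a few words on what the guidelines cover (and a year, as the OWASP entries further down carry) would keep the list self-describing.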
Line 81: Line 83:
     * Run cmd with Administrator privileges     * Run cmd with Administrator privileges
       * peach configuration.xml       * peach configuration.xml
 +    * Run Peach in agent mode: //peach -a tcp//
 +      * ERROR: Error, could not load platform assembly 'Peach.Core.OS.Windows.dll' The assembly is part of the Internet Security Zone and loading has been blocked.
 +      * Solution: https://forums.peachfuzzer.com/showthread.php?198-Could-not-load-platform-assembly-Peach-Core-OS-Windows-dll
 +    * ERROR: Could not start monitor "WindowsDebugger" Could not find a part of the path 'C
 +:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll'.
 +      * set proper path to WinDbg (e.g., c:\Program Files (x86)\Debugging Tools for Windows\) in peach pit file
 +      * <Param name="WinDbgPath" value="c:\Program Files (x86)\Debugging Tools for Windows\" />
 +
 +
  
 ===== Notes ===== ===== Notes =====
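Review bot: the WindowsDebugger error text at the end of this hunk is broken across two lines in the middle of the path ('C' / ':\Program Files ...'), so it should be joined into a single bullet. While fixing that, it is worth stating explicitly that the path Peach looks for by default ('C:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll') is not where the x86 debugger is actually installed ('c:\Program Files (x86)\Debugging Tools for Windows\'), which is exactly why the WinDbgPath Param is needed. The first ERROR bullet only points at a forum thread; a one-line summary of the fix that thread gives would keep the note usable if the link dies.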
Line 90: Line 101:
     * Properties from Andrii     * Properties from Andrii
     * IDE integration vs. standalone / server-based tool     * IDE integration vs. standalone / server-based tool
-  * Miro - Coverity experience +  * Coverity experience 
-  * 3 bc works+  * 3 bc theses 
 +    * Use owasp tools, test against vulnerable apps, evaluate 
 +    * Implement personalized testing scenarios inside given framework (he Web Application Hacker's Handbook scenarios) 
 +      * multiple scenarios, every week demonstration of progress 
 +    * Vulnerability scanners - Nessus, Metasploit...
   * Metrics (owasp top 10)   * Metrics (owasp top 10)
    
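Review bot: typo in the second thesis bullet: '(he Web Application Hacker's Handbook scenarios)' should read 'the'. That bullet also says 'inside given framework' without naming which framework the scenarios are to be implemented in; name it or drop the phrase. 'bc' is used without expansion ('3 bc theses'); spell out what it abbreviates on first use.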
Line 133: Line 148:
     * TRY     * TRY
   * [2014] OWASP OWTF, the Offensive (Web) Testing Framework https://www.owasp.org/index.php/OWASP_OWTF    * [2014] OWASP OWTF, the Offensive (Web) Testing Framework https://www.owasp.org/index.php/OWASP_OWTF 
 +  * [2014] XSS detection toolkit https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework
 +    * TRY
 +  * [2014] OWASP ZED Attack Proxy Project https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
 +    * TRY
 +  * [2014] OSAFT https://www.owasp.org/index.php/O-Saft
 +    * ssl testing and auditing tool
 +    * tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations
 +    * try
  
 ==== Vulnerable app / distro / hackme challenges ==== ==== Vulnerable app / distro / hackme challenges ====
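Review bot: the O-Saft description needs a grammar pass: 'show informations about SSL certificate and tests the SSL connection according given list of ciphers' should be 'shows information about the SSL certificate and tests the SSL connection according to a given list of ciphers'. Its 'try' marker is lowercase while every other entry uses 'TRY'. Also, the project name in the ZAP entry is 'Zed' (as in the URL ..._Zed_Attack_Proxy_Project), not 'ZED'.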
Line 147: Line 170:
     * covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try     * covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try
   * [2011] Hackademic Challenges https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project   * [2011] Hackademic Challenges https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project
-    * vulnerable app, challenges+    * vulnerable app, challenges: https://github.com/Hackademic/hackademic/
     * TRY     * TRY
 +  * [2013] OWASP Security Shepherd https://www.owasp.org/index.php/OWASP_Security_Shepherd
 +    * TRY: https://github.com/OWASP/SecurityShepherd
 +    * security teaching application, CTF
 +  * [2015] Samurai Web Testing Framework http://samurai.inguardians.com/
 +    * preinstalled Mutillidae,  
  
 ==== Security-supporting library ==== ==== Security-supporting library ====
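Review bot: the Samurai Web Testing Framework bullet ends with 'preinstalled Mutillidae,' followed by whitespace, which reads as a list cut off mid-entry; either finish the list of preinstalled apps or drop the comma. The Security Shepherd entry puts the GitHub link on its 'TRY' line, whereas the Hackademic entry just above puts it on the description line; pick one convention.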
Line 161: Line 189:
   * [2014] JSON Sanitizer Project https://www.owasp.org/index.php/OWASP_JSON_Sanitizer    * [2014] JSON Sanitizer Project https://www.owasp.org/index.php/OWASP_JSON_Sanitizer 
     * Given JSON-like content, convert it to valid JSON. Java library     * Given JSON-like content, convert it to valid JSON. Java library
 +  * [2015] Several Java web applications and command line applications covering different security topics: https://github.com/dschadow/JavaSecurity
  
  
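Review bot: the new JavaSecurity entry describes 'several Java web applications and command line applications covering different security topics', i.e. sample applications rather than a library, so it sits oddly under the 'Security-supporting library' heading; either say which libraries or techniques the samples demonstrate, or move it to the 'Vulnerable app / distro / hackme challenges' section. A 'TRY' marker as used elsewhere would also help.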
Line 169: Line 198:
  
  
-  * [2013] OWASP Security Shepherd https://www.owasp.org/index.php/OWASP_Security_Shepherd 
-    * TRY 
-    * security teaching application, CTF 
-  * [2014] XSS detection toolkit https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework 
-    * TRY 
-  * [2014] OWASP ZED Attack Proxy Project https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project 
-    * TRY 
-  * [2014] OSAFT https://www.owasp.org/index.php/O-Saft 
-    * ssl testing and auditing tool 
-    * tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations 
-    * try
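Review bot: nothing is lost here: the four removed entries (Security Shepherd, Xenotix, ZAP, O-Saft) are the ones re-added in the 'Line 133' and 'Line 147' hunks above, with Security Shepherd going to the vulnerable-app section, which matches its 'security teaching application, CTF' description. The moved copies carry the same 'informations' / 'according given' wording and the lowercase 'try', so those should be fixed at their new location rather than left as they were here.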