Difference between revisions of "OWASP Enterprise Application Security Project"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
==== Main ====
+
==== [[Image:vulns1]]Main ====
  
== Objective ==
+
== Objective ==
  
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (ie 'Enterprise') applications.
+
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (ie 'Enterprise') applications.  
  
== Project purpose ==
+
== Project purpose ==
  
 
Enterprise applications security is one of the major topics in overall security area because those applications controls money and resources and every security violation can result a significant money loss. Purpose of this project is to aware people about enterprise application security problems and create a guidelines and tools for enterprise application security assessment.  
 
Enterprise applications security is one of the major topics in overall security area because those applications controls money and resources and every security violation can result a significant money loss. Purpose of this project is to aware people about enterprise application security problems and create a guidelines and tools for enterprise application security assessment.  
  
== Our Subprojects==
+
== Our Subprojects ==
  
Here are our primary goals:
+
Here are our primary goals:  
  
 
1 Aware people about enterprise applicatio security vulnerabilities by making an Annual statistics of enterprise business application security vulnerabilities.  
 
1 Aware people about enterprise applicatio security vulnerabilities by making an Annual statistics of enterprise business application security vulnerabilities.  
  
Subproject [[Enterprise Business Application Vulnerability Statistics 2009]]
+
Subproject [[Enterprise Business Application Vulnerability Statistics 2009]]  
  
[[Projects/OWASP Enterprise Application Security Project | Statistics]]
+
[[Projects/OWASP Enterprise Application Security Project|Statistics]]  
[[Category:OWASP_Project|Enterprise Application Security Project | Statistics]]  
+
  
2 Help companies to begin assessment of enterprise applicatios by creating a  
+
2 Help companies to begin assessment of enterprise applicatios by creating a  
 +
 
 +
Subproject [[Enterprise Business Application Security Implementation Assessment Guide]]
  
Subproject [[Enterprise Business Application Security Implementation Assessment Guide]]
 
 
 
3 Help software companies to improve security of their solutions by creating a  
 
3 Help software companies to improve security of their solutions by creating a  
  
Subproject [[Enterprise Business Application Security Vulnerability Testing Guide v1]]
+
Subproject [[Enterprise Business Application Security Vulnerability Testing Guide v1]]  
+
4 Develop a free tools for Enterprise business applicatioons assessment
+
  
Subproject [[Enterprise Business Application Security Software]]
+
4 Develop a free tools for Enterprise business applicatioons assessment
  
 +
Subproject [[Enterprise Business Application Security Software]]
  
== Project Roadmap ==
+
<br>
  
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]]
+
== Project Roadmap  ==
  
==== Statistics ====
+
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]]
  
== Objective ==
+
==== Statistics  ====
  
This document is the first statistics report which will be repeated annually with  showing  tendencies and changes in Enterprise Business Application Security area.  
+
== Objective ==
  
== Purpose ==
+
This document is the first statistics report which will be repeated annually with showing tendencies and changes in Enterprise Business Application Security area.
  
This document we will show a result of statistical research in the Business Application security area made by DSECRG and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical are those and what tendences we see.
+
== Purpose  ==
  
== Intro ==
+
This document we will show a result of statistical research in the Business Application security area made by DSECRG and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical are those and what tendences we see.
  
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security as these applications store business data and any vulnerability in these applications will cause a significant monetary loss. Nonetheless people still don’t pay much attention to Enterprise Business Application area as we see during our and our collegues research and audit data. Business applications are very large and complex systems that consists of different components such as Database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as:
+
== Intro  ==
• Network architecture security
+
• Os security
+
• Database security
+
• Application security
+
• Front-end security
+
  
Every described layer may have their own vulnerabilities that can give attacker full access to business data even if other layers are fully secured.
+
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security as these applications store business data and any vulnerability in these applications will cause a significant monetary loss. Nonetheless people still don’t pay much attention to Enterprise Business Application area as we see during our and our collegues research and audit data. Business applications are very large and complex systems that consists of different components such as Database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security  
In this document all the popular applications from described levels and their vulnerabilities vill be shown. The purpose of this document to Increase awareness of Business Application security.
+
  
== Links ==
+
Every described layer may have their own vulnerabilities that can give attacker full access to business data even if other layers are fully secured. In this document all the popular applications from described levels and their vulnerabilities vill be shown. The purpose of this document to Increase awareness of Business Application security.
  
 +
== Links  ==
  
 
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmityy Chastuhin  
 
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmityy Chastuhin  
Line 66: Line 59:
 
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities]  
 
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities]  
  
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities]
+
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities]  
  
Annual report comming soon...
+
Annual report comming soon...  
  
== Authors==
+
== Authors ==
  
 +
Alexander Polyakov (DSecRG) Dmitriy Chastuhin (DSecRG) Dmitriy Evdokimov (DSecRG)
  
Alexander Polyakov (DSecRG)
+
<br>
Dmitriy Chastuhin (DSecRG)
+
Dmitriy Evdokimov (DSecRG)
+
  
 +
== Contributors ==
  
== Contributors==
+
Leodid Kats (dsec.ru) Olga Yurova (dsec.ru)
  
Leodid Kats  (dsec.ru)
+
==== Development guides  ====
Olga Yurova  (dsec.ru)
+
  
==== Development guides ====
+
== Objective  ==
  
== Objective ==
+
This document we will describe different areas of programm vulnerabilities that can be found in Enterprise Business applications and ERP systems.
  
This document we will describe different areas of programm vulnerabilities that can be found in Enterprise  Business applications and ERP systems. ==  
+
==Purpose == T
  
Purpose ==
 
The purpose of this document to Increase awareness for Developers of Enterprise business application software. Here we will collect top software vulnerabilities in server site and frontend side that can exist in Business applications.
 
  
== Intro ==
 
There are many different languages and technologies that can be used for developing business applications and writing a costom code. Here we will try to categorize it firstly by dividing into Server and Client site.
 
Top 10 list of vulnerabilities for both areas will be shown.
 
 
  
== Main ==
+
The purpose of this document to Increase awareness for Developers of Enterprise business application software. Here we will collect top software vulnerabilities in server site and frontend side that can exist in Business applications.
  
 +
== Intro  ==
  
== Top 10 Server vulnerabilities ==
+
There are many different languages and technologies that can be used for developing business applications and writing a costom code. Here we will try to categorize it firstly by dividing into Server and Client site. Top 10 list of vulnerabilities for both areas will be shown.
  
 +
<br>
  
== Top 10 Frontend vulnerabilities ==
+
== Main  ==
  
 +
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon.
  
== Links ==
 
  
cooming soon
 
  
  
  
== Authors==
 
  
  
Alexander Polyakov (DSecRG)
 
Mikhail Markevich
 
Dmitriy Evdokimov (DSecRG)
 
Alexey Sintsov (DSecRG)
 
  
  
== Contributors==
 
  
  
==== Implementation guides ====
 
  
== Objective ==
 
  
This document we will describe different areas of  Secure implementation of g Enterprise Business Applications and ERP systems. Here we will mainly focus on security architecture and configuration threads because pragramm errors are well described in "Software vulnerabilities" topic
 
  
== Purpose ==
 
  
The purpose of this document to Increase awareness for Administrators of Business Application security and help them to start a beginning self-assessment of their systems and find a most critical violations. 
 
  
== Intro ==
+
 
Enterprise Business Applications (Like ERP - is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consists of different components such as database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Every described layer may have their own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are fully secured.
+
== Top 10 Server vulnerabilities  ==
 +
 
 +
<br>1 XSS<br>2 Improper Access Control <br>3 Information disclosure <br>4 Command/code injection in proprietary language<br>5 SQL Injection <br>6 Missing Encryption of Sensitive Data<br>7 Buffer overflows <br>8 Path traversal<br>9 CSRF <br>10 Use of a Broken or Risky Cryptographic Algorithm<br>
 +
 
 +
== Top 10 Frontend vulnerabilities  ==
 +
 
 +
1 Buffer overflows (ActiveX )<br>2 Exposed Dangerous Method or Function (ActiveX)<br>3 Insecure scripting server access <br>4 File handling Frontend vulnerabilities<br>5 Use of a Broken or Risky Cryptographic Algorithm<br>6 Cleartext Storage of Sensitive Information<br>7 Use of Hard-coded Password<br>8 Lack of integrity checking for front-end application<br>9 Cleartext Transmission of Sensitive Information<br>10 Vulnerable remote services<br>
 +
 
 +
 
 +
 
 +
== Links  ==
 +
 
 +
cooming soon
 +
 
 +
<br>
 +
 
 +
== Authors ==
 +
 
 +
Alexander Polyakov (DSecRG) Mikhail Markevich Dmitriy Evdokimov (DSecRG) Alexey Sintsov (DSecRG)
 +
 
 +
<br>
 +
 
 +
== Contributors ==
 +
 
 +
==== Implementation guides  ====
 +
 
 +
== Objective  ==
 +
 
 +
This document we will describe different areas of Secure implementation of g Enterprise Business Applications and ERP systems. Here we will mainly focus on security architecture and configuration threads because pragramm errors are well described in "Software vulnerabilities" topic
 +
 
 +
== Purpose  ==
 +
 
 +
The purpose of this document to Increase awareness for Administrators of Business Application security and help them to start a beginning self-assessment of their systems and find a most critical violations.
 +
 
 +
== Intro ==
 +
 
 +
Enterprise Business Applications (Like ERP - is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consists of different components such as database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Every described layer may have their own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are fully secured.  
  
 
  All information was collected and catecorized during our big practice of security assessing Popular business applications Like in SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications.  
 
  All information was collected and catecorized during our big practice of security assessing Popular business applications Like in SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications.  
  
 +
<br>
 +
 +
== Main  ==
 +
 +
Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security In this document we will Describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated.
 +
 +
<br>
 +
 +
== Top 10 Network/Architecture issues  ==
 +
 +
== Top 10 OS issues  ==
 +
 +
== Top 10 Database issues  ==
 +
 +
== Top 10 Application issues  ==
  
== Main ==
+
== Top 10 Frontend issues  ==
  
Overall security of Enterprise Business Application consists of different layers such as:
+
== Links  ==
• Network architecture security
+
• Os security
+
• Database security
+
• Application security
+
• Front-end security
+
In this document we will Describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated.
+
  
 +
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovskiy
  
== Top 10 Network/Architecture issues ==
+
<br>
  
 +
== Authors ==
  
== Top 10 OS issues ==
+
Alexander Polyakov (DSecRG) Mikhail Markevich
  
== Top 10 Database issues ==
+
<br>
  
== Top 10 Application issues ==
+
== Contributors ==
  
== Top 10 Frontend issues ==
+
==== Software  ====
  
 +
== Objective  ==
  
 +
Here will be given information on a tools and services that can be used for assessment of business applications
  
== Links ==
+
== Purpose  ==
  
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovskiy
+
The purpose of this area is to provide free and commercial tools that can help companies to assess security of their business applications.
  
 +
<br>
  
 +
== Intro  ==
  
== Authors==
+
== Main  ==
  
 +
Currently we are on the beta testing stage of free online service that cen be used to assess security of SAP Frontend.
  
Alexander Polyakov (DSecRG)
+
<br>[http://erpscan.com You can help us to test ERPSCAN Online]
Mikhail Markevich
+
  
 +
== Links  ==
  
 +
[http://erpscan.com] - by DSECRG
  
== Contributors==
+
<br>
  
 +
== Authors ==
  
 +
Alexander Polyakov (DSecRG)
  
==== Software ====
+
Alexey Sintsov (DSecRG)
  
 +
Dmitriy Evdokimov (DSecRG) Dmitriy Chastuhin (DSecRG)
  
 +
<br>
  
==== Project About ====
+
==== Project About ====
{{:Projects/OWASP Enterprise Application Security Project | Project About}}
+
  
 +
{{:Projects/OWASP Enterprise Application Security Project | Project About}}
  
 +
<br>
  
__NOTOC__
+
__NOTOC__ <headertabs />
<headertabs/>
+
  
[[Category:OWASP_Project|Enterprise Application Security Project]]  
+
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]
[[Category:OWASP Document]]
+
[[Category:OWASP Alpha Quality Document]]
+

Revision as of 07:38, 12 October 2010

File:Vulns1Main

Objective

The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (ie 'Enterprise') applications.

Project purpose

Enterprise applications security is one of the major topics in overall security area because those applications controls money and resources and every security violation can result a significant money loss. Purpose of this project is to aware people about enterprise application security problems and create a guidelines and tools for enterprise application security assessment.

Our Subprojects

Here are our primary goals:

1 Aware people about enterprise applicatio security vulnerabilities by making an Annual statistics of enterprise business application security vulnerabilities.

Subproject Enterprise Business Application Vulnerability Statistics 2009

Statistics

2 Help companies to begin assessment of enterprise applicatios by creating a

Subproject Enterprise Business Application Security Implementation Assessment Guide

3 Help software companies to improve security of their solutions by creating a

Subproject Enterprise Business Application Security Vulnerability Testing Guide v1

4 Develop a free tools for Enterprise business applicatioons assessment

Subproject Enterprise Business Application Security Software


Project Roadmap

Have a look at the OWASP Enterprise Application Security Project/Roadmp

Statistics

Objective

This document is the first statistics report which will be repeated annually with showing tendencies and changes in Enterprise Business Application Security area.

Purpose

This document we will show a result of statistical research in the Business Application security area made by DSECRG and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical are those and what tendences we see.

Intro

Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security as these applications store business data and any vulnerability in these applications will cause a significant monetary loss. Nonetheless people still don’t pay much attention to Enterprise Business Application area as we see during our and our collegues research and audit data. Business applications are very large and complex systems that consists of different components such as Database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security

Every described layer may have their own vulnerabilities that can give attacker full access to business data even if other layers are fully secured. In this document all the popular applications from described levels and their vulnerabilities vill be shown. The purpose of this document to Increase awareness of Business Application security.

Links

Business applications vulnerability statistics 2009 and future trends - Presentation by Dmitry Evdokimov and Dmityy Chastuhin

SAP SDN page with latest vulnerabilities

Oracle Secalert CPU page with latest vulnerabilities

Annual report comming soon...

Authors

Alexander Polyakov (DSecRG) Dmitriy Chastuhin (DSecRG) Dmitriy Evdokimov (DSecRG)


Contributors

Leodid Kats (dsec.ru) Olga Yurova (dsec.ru)

Development guides

Objective

This document we will describe different areas of programm vulnerabilities that can be found in Enterprise Business applications and ERP systems.

==Purpose == T


The purpose of this document to Increase awareness for Developers of Enterprise business application software. Here we will collect top software vulnerabilities in server site and frontend side that can exist in Business applications.

Intro

There are many different languages and technologies that can be used for developing business applications and writing a costom code. Here we will try to categorize it firstly by dividing into Server and Client site. Top 10 list of vulnerabilities for both areas will be shown.


Main

Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon.









Top 10 Server vulnerabilities


1 XSS
2 Improper Access Control
3 Information disclosure
4 Command/code injection in proprietary language
5 SQL Injection
6 Missing Encryption of Sensitive Data
7 Buffer overflows
8 Path traversal
9 CSRF
10 Use of a Broken or Risky Cryptographic Algorithm

Top 10 Frontend vulnerabilities

1 Buffer overflows (ActiveX )
2 Exposed Dangerous Method or Function (ActiveX)
3 Insecure scripting server access
4 File handling Frontend vulnerabilities
5 Use of a Broken or Risky Cryptographic Algorithm
6 Cleartext Storage of Sensitive Information
7 Use of Hard-coded Password
8 Lack of integrity checking for front-end application
9 Cleartext Transmission of Sensitive Information
10 Vulnerable remote services


Links

cooming soon


Authors

Alexander Polyakov (DSecRG) Mikhail Markevich Dmitriy Evdokimov (DSecRG) Alexey Sintsov (DSecRG)


Contributors

Implementation guides

Objective

This document we will describe different areas of Secure implementation of g Enterprise Business Applications and ERP systems. Here we will mainly focus on security architecture and configuration threads because pragramm errors are well described in "Software vulnerabilities" topic

Purpose

The purpose of this document to Increase awareness for Administrators of Business Application security and help them to start a beginning self-assessment of their systems and find a most critical violations.

Intro

Enterprise Business Applications (Like ERP - is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consists of different components such as database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Every described layer may have their own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are fully secured.

All information was collected and catecorized during our big practice of security assessing Popular business applications Like in SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. 


Main

Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security In this document we will Describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated.


Top 10 Network/Architecture issues

Top 10 OS issues

Top 10 Database issues

Top 10 Application issues

Top 10 Frontend issues

Links

ERP Security:Myths Problems Solutions - by Alexander Polyakov and Ilya Medvedovskiy


Authors

Alexander Polyakov (DSecRG) Mikhail Markevich


Contributors

Software

Objective

Here will be given information on a tools and services that can be used for assessment of business applications

Purpose

The purpose of this area is to provide free and commercial tools that can help companies to assess security of their business applications.


Intro

Main

Currently we are on the beta testing stage of free online service that cen be used to assess security of SAP Frontend.


You can help us to test ERPSCAN Online

Links

[1] - by DSECRG


Authors

Alexander Polyakov (DSecRG)

Alexey Sintsov (DSecRG)

Dmitriy Evdokimov (DSecRG) Dmitriy Chastuhin (DSecRG)


Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Enterprise Application Security Project (home page)
Purpose: Enterprise applications security is one of the major topics in overall security area because those applications controls money and resources and every security violation can result a significant money loss. Purpose of this project is to aware people about enterprise application security problems and create a guideline for EA security assessment.
License: Creative Commons Attribution Share Alike 3.0
who is working on this project?
Project Leader(s):
Project Contributor(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases