The Open Source Security Testing Methodology
http://www.isecom.org/mirror/OSSTMM.3.pdf
The Information Systems Security Assessment Framework (ISSAF) seeks to integrate the following management tools and internal control checklists:
Evaluate the organizations information security policies & processes to report on their compliance with IT industry standards, and applicable laws and regulatory requirements
Identify and assess the business dependencies on infrastructure services provided by IT
Conduct vulnerability assessments & penetration tests to highlight system vulnerabilities that could result in potential risks to information assets
Specify evaluation models by security domains to :
Find mis-configurations and rectify them
Identifying risks related to technologies and addressing them
Identifying risks within people or business processes and addressing them
Strengthening existing processes and technologies
Provide best practices and procedures to support business continuity initiatives
Business Benefits of ISSAF
The ISSAF is intended to comprehensively report on the implementation of existing controls to support IEC/ISO 27001:2005(BS7799), Sarbanes Oxley SOX404, CoBIT, SAS70 and COSO, thus adding value to the operational aspects of IT related business transformation programmes.
Its primary value will derive from the fact that it provides a tested resource for security practitioners thus freeing them up from commensurate investment in commercial resources or extensive internal research to address their information security needs.
It is designed from the ground up to evolve into a comprehensive body of knowledge for organizations seeking independence and neutrality in their security assessment efforts.
It is the first framework to provide validation for bottom up security strategies such as penetration testing as well as top down approaches such as the standardization of an audit checklist for information policies.
The Open Web Application Security Project (OWASP) is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3)charitable organization that supports and manages OWASP projects and infrastructure. It is also a registered non profit in Europe since June 2011.
OWASP is not affiliated with any technology company, although it supports the informed use of security technology. OWASP has avoided affiliation as it believes freedom from organizational pressures may make it easier for it to provide unbiased, practical, cost-effective information about application security.[citation needed] OWASP advocates approaching application security by considering the people, process, and technology dimensions.
OWASP’s most successful documents include the book-length OWASP Guide,[1] the OWASP Code Review Guide OWASP Guide [2] and the widely adopted Top 10 awareness document.[3][citation needed] The most widely used OWASP tools include their training environment,[4] their penetration testing proxy WebScarab,[5] and their .NET tools.[6] OWASP includes roughly 190 local chapters [7] around the world and thousands of participants on the project mailing lists. OWASP has organized the AppSec [8] series of conferences to further build the application security community.
OWASP is also an emerging standards body, with the publication of its first standard in December 2008, the OWASP Application Security Verification Standard (ASVS).[9] The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially workable open standards that are tailored to specific web-based technologies. A Web Application Edition has been published. A Web Service Edition is under development.
the OWASP Top Ten Project – if you’re looking for the OWASP Top 10 Mobile Click Here
The Release Candidate for the OWASP Top 10 for 2013 is now available here: OWASP Top 10 – 2013 – Release Candidate
The OWASP Top 10 – 2013 Release Candidate includes the following changes as compared to the 2010 edition:
- A1 Injection
- A2 Broken Authentication and Session Management (was formerly A3)
- A3 Cross-Site Scripting (XSS) (was formerly A2)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration (was formerly A6)
- A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
- A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
- A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
- A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
- A10 Unvalidated Redirects and Forwards
Please review this release candidate and provide comments to dave.wichers@owasp.org or to the OWASP Top 10 mailing list (which you must be subscribed to). The comment period is open from Feb 16 through March 30, 2013 and a final version will be released in May 2013.
If you are interested, the methodology for how the Top 10 is produced is now documented here: OWASP Top 10 Development Methodology
OWASP Appsec Tutorial Series
Uploaded on Jan 30, 2011
The first episode in the OWASP Appsec Tutorial Series. This episode describes what the series is going to cover, why it is vital to learn about application security, and what to expect in upcoming episodes.
Uploaded on Feb 8, 2011
The second episode in the OWASP Appsec Tutorial Series. This episode describes the #1 attack on the OWASP top 10 – injection attacks. This episode illustrates SQL Injection, discusses other injection attacks, covers basic fixes, and then recommends resources for further learning.
Uploaded on Jul 11, 2011
The third episode in the OWASP Appsec Tutorial Series. This episode describes the #2 attack on the OWASP top 10 – Cross-Site Scripting (XSS). This episode illustrates three version of an XSS attack: high level, detailed with the script tag, and detailed with no script tag, and then recommends resources for further learning.
Published on Sep 24, 2012
The forth episode in the OWASP Appsec Tutorial Series. This episode describes the importance of using HTTPS for all sensitive communication, and how the HTTP Strict Transport Security header can be used to ensure greater security, by transforming all HTTP links to HTTPS automatically in the browser.
DEFT 7 is based on the new Kernel 3 (Linux side) and the DART (Digital Advanced Response Toolkit) with the best freeware Windows Computer Forensic tools. It’s a new concept of Computer Forensic system that use LXDE as desktop environment and WINE for execute Windows tools under Linux and mount manager as tool for device management.
It is a very professional and stable system that includes an excellent hardware detection and the best free and open source applications dedicated to Incident Response, Cyber Intelligence and Computer Forensics.
DEFT is meant to be used by:
Military
Police
Investigators
IT Auditors
Individuals
DEFT is 100% made in Italy