Copyright © 2007 - The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation

OWASP & WASC AppSec 2007 Conference
San Jose, Nov 2007

http://www.owasp.org/
http://www.webappsec.org/

OWASP State of the Union

Dinis Cruz
Chief OWASP Evangelist
Director of Advanced Technologies (Ounce Labs)
dinis.cruz@owasp.net



OWASP Mission

Open source non-profit charitable foundation dedicated to enabling organizations so they can develop, maintain, and acquire software they can trust

Making Security Visible

Through...
- Documentation: Top Ten, Dev. Guide, Design Guide, Testing Guide, ...
- Tools: WebGoat, WebScarab, Site Generator, Report Generator, ESAPI, CSRF Guard, CSRF Tester, Stinger, Pantera, ...
- Working Groups: Browser Security, Industry Sectors, Access Control (XACML), Education, Mobile Phone Security, Preventive Security, OWASP SDL, OWASP Governance, RIA Security
- Community and Awareness: Local Chapters, Conferences, Tutorials, Mailing Lists


Some OWASP Growth Stats

One year ago (Oct 2006), we had
- about 75 local chapters
- about 15 corporate sponsors
- about 180K page views / month at OWASP.org
- and finally a little bit of money: about $88K

Now (Nov 2007), we have
- over 100 local chapters
- over 30 corporate sponsors
- about 360K page views / month at OWASP.org
- prior to this conference we had about $298K
  - of which $80K is pledged to the completion of the 2007 Spring of Code projects


OWASP Chapters



OWASP Wiki

- Let's deface it!
- Anybody can edit it
- Maximum empowerment
- We DO monitor changes :)


OWASP Board

OWASP Board members:
- Jeff Williams: Chair, Wiki, Management
- Dave Wichers: Conferences, Financials
- Tom Brennan: OWASP Governance
- Sebastien Deleersnyder: OWASP Chapters and Projects
- Dinis Cruz: Firehose of Ideas and Money spender

OWASP Board 'power':
- OWASP Financials (where the money goes),
- leadership assignment,
- conference locations,
- WIKI home page,
- bank account details :)

The rest is 'soft power', i.e. we have it until we screw up


OWASP's First Employee

Alison McNamee
- Starts Nov 26th
- Working in the OWASP Foundation office in Columbia, MD
- Performs administrative duties such as:
  - Assist OWASP Members
  - Assist OWASP Project and Chapter Leads
  - Help organize and manage OWASP conferences (Yeah!!)
  - Manage OWASP corporate and individual memberships
  - OWASP financial management
  - OWASP correspondence
  - etc., etc.


How OWASP Works

Q: Do you have a project on XYZ at OWASP?
A: Nope, do you want to do it?

Q: Why don't you do XYZ at OWASP?
A: Nope, do you want to do it?

Q: Is there an OWASP chapter at XYZ?
A: Nope, do you want to start one?

Q: The project/chapter XYZ is dead!!!
A: Ok, do you want to take over its leadership?

Q: What is the deal with the OWASP Band?
A: Apart from the lack of a venue and instruments we have everything, so can you get us a venue and some instruments?


OWASP Structure

- OWASP Board
- OWASP leaders (Tools, Chapters & Working Groups)
- OWASP Members
- Subscribers to mailing lists
- Anonymous consumers


OWASP Financials

See Word doc


What has OWASP ever done for me?

- Great community of like-minded colleagues
- Several good new friends
- Knowledge
- Place to 'dump' my research
- Speaking slots at conferences
- Generated 100% of my contract work for the past 3 years
- Increased my 'employability' and daily rate
- Allows me to have the following contracting model:
  - 1 major contract for 20 days per month (with commitment of only 10 days per month) (ABN AMRO, Ounce Labs)
  - Multiple smaller contracts (5 to 15 days) on very interesting and challenging projects

SpoC 007 - OWASP Spring of Code 2007

- 26 projects sponsored @ $125,000 USD
- 15 projects made strong to amazing deliveries
  - OWASP Education Project (PPTs for community use)
  - Code Review Guide
  - OWASP Top 10 - Ruby on Rails version
  - Attacks refresh (Wiki data consolidation)
  - OWASP Evaluation and Certification criteria
  - OWASP Scholastic Project (using OWASP at academia)
  - SpoC project management (we now know how to do it :) )
- 5 projects are in the final stages
- 6 projects were canceled
- Final amount sponsored: $103,500 USD


WoC 08 - OWASP Winter of Code 2008

- $100,000 initial budget (from OWASP)
- $200,000 proposed target (all OWASP membership fees received from now till the 10th of January will be added to this pot)
  - New members are invited to allocate their fees to projects, working groups or chapters they are interested in
- Paulo Coimbra (SpoC project manager) will run it:
  - December 15: Request for proposals
  - January 15: Results announcement
  - May 30: WoC ends


OWASP Books

- We now have the ability to publish books from PDFs :)
- Thanks to lulu.com we got 10 books printed in time for this conference
- See our store at http://stores.owasp.org
- All books are provided with NO MARGIN for OWASP (i.e. at cost)
- We ask everybody that buys a book to distribute it after reading it (these are VIRAL books)


OWASP Working Groups

- Browser Security: Robert R'Snake, Petkov Pdb
- Industry Sectors: Tom Brennan
- Access Control (XACML): Gunnar Peterson
- Education: Sebastien Deleersnyder
- Mobile Phone Security: Corey Benninger
- Preventive Security: Dinis Cruz
- OWASP SDL: Pravir Chandra
- OWASP Governance: Tom Brennan

Some ideas for other OWASP working groups:
- RIA Frameworks, Open Source solutions, Commercial vendor solutions, Evaluation & Certification, Privacy


OWASP Membership

- Apart from the 'free' OWASP Member packs, there is NOTHING that a member gets that they don't already have (i.e. all OWASP materials and participation are available to everybody, members and non-members)
- Ability to allocate their membership fees to projects, working groups or chapters they are interested in
- Ability to vote on specific OWASP governance issues (Tom to figure this out)
- Makes a public statement of support to OWASP


OWASP Member Pack

Members on the $100-$2000 membership fee will receive:
- OWASP Member pack A (3-6 books, 1 shirt, DVD)
- 2 x DVDs with OWASP Conference proceedings

Members on the $3000-$5000 membership fee will receive:
- OWASP Member pack B (10-20 books, 2 shirts, DVD, USB stick)
- 2 x DVDs with OWASP Conference proceedings
- 1 free training course and conference attendance

Members on the $3000-$5000 membership fee will receive:
- OWASP Member pack B (10-20 books, 2 shirts, DVD, USB stick)
- 2 x DVDs with OWASP Conference proceedings
- 2 free training courses and conference attendance


OWASP Corporate Members


Local Chapter Finances - OWASP Points

- Every Chapter will receive $30 per local individual OWASP Member
- This money can only be spent on 'centrally' defined items, currently: Books and OotM credits (OWASP on the Move)
- Financial management system needed (Google Checkout?)


OWASP leader requirements

- Identity is identified
- Provides address and contact details
- Agrees with OWASP Code of Conduct and values
- Commits to action plan for the next 12 months
- Becomes an OWASP Member (fee payment is optional)


Some OWASP Conference Stats

- 1st OWASP AppSec Conference (2004 NY): ~100 people on a weekend
- 2nd OWASP AppSec Conference (2005 London): ~100 on a weekend
- 3rd OWASP AppSec Conference (2005 D.C.): about 175 attendees plus 40 people in the first tutorial
- 4th OWASP AppSec Conference (2006 Brussels): about 125 with 40 people in two tutorials plus refereed papers track
- 5th OWASP AppSec Conference (2006 Seattle): about 180 attendees with 115 in three tutorials!
- 6th OWASP AppSec Conference (2007 Milan): about 140 attendees, 40 people in 3 tutorials plus refereed papers track
- OWASP Taiwan Conference (2007 Taiwan): about 600 attendees for a half-day free conference!!
- 2007 OWASP & WASC AppSec Conference (2007 San Jose): about 260 attendees with 80 people in six 2-day tutorials
  - First Tech Expo: sold out with 10 vendors participating


Plans for Next Year (2008)

- 2008 OWASP Australia AppSec Conference
  - Gold Coast
  - March 29-31
  - 1-day tutorials, 2-day conference
- 2008 OWASP AppSec Europe Conference
  - Brussels
  - May 19-22, 2008
  - Refereed papers track, Vendor Expo
  - Two-day tutorials, two-day conference
- 2008 OWASP AppSec Taiwan Conference - ??
- 2008 OWASP AppSec U.S. Conference
  - New York City, Oct. 2008
  - Refereed papers track, Vendor Expo, lots of tutorials
  - Capture the flag event?


Rules of engagement for Conference Training

- Application is open to everybody
- Each trainer gets paid $2000 per training day + travel (minimum 5 students)
  - Rest of fees goes to OWASP
- Class feedback to determine future deliveries
- Next conferences are in Belgium and NYC


OWASP @ Other conferences

- Namely developer conferences
- OWASP will organize one 'web security track'
- Have a stand in the expo
- Sell (or give away) books


OWASP Open Source project Sponsorship

'No strings attached' $1000 USD to Open Source projects valuable to the OWASP community

Results:
- Nmap
- ModSecurity (Ivan)
- Firebug
- Burp Proxy
- Nikto
- HTTrack
- Tamper Data
- Web Developer
- Acegi (for Spring Framework)
- FindBugs


Degree of 0wnage

If every one of these 10 apps has a backdoor, how many times will you (and your assets (and pentest results)) be 0wned?

- Nmap
- ModSecurity (Ivan)
- Firebug
- Burp Proxy
- Nikto
- HTTrack
- Tamper Data
- Web Developer
- Acegi (for Spring Framework)
- FindBugs


Coming soon to a printer closer to you

The Blob of Trust!!!!!!!


Results of 'Questions to OWASP Leaders' 1/2

1. A certifying and CBK type pseudo-company like (ISC)2?
- NO!!!! (just about everybody)
- "OWASP is a huge success by any measure. I don't think the organization is broken and don't think it makes sense to turn it into a 'certifying' organization. Think about that. OWASP would need fulltime employees to push paperwork? The current system of voluntary association has led to the projects and chapters and success that OWASP is. Why fix what ain't broke?", Adam Munter

2. An open source project organized along the lines of Debian, Apache, or a similar group that owns a set of projects?
- YES, NYNJMetro chapter (and 90% of the answers)
- "Apache Foundation is a good example but also we believe OWASP should not turn into a software development based organization.", Turkey chapter

3. Does OWASP want to certify apps, testers, both or none? (I've seen all POV advocated)
- "Certify them as what? "Secure"?", Adam Munter


Results of 'Questions to OWASP Leaders' 2/2

1. Who will be required to pay what kind of dues, if any?
- "People who use OWASP materials should pay (i.e. become members) and active leaders should NOT be required to pay", daniel.cuthbert

2. How formal of an organization will OWASP become?
- "Some increase in formality is perhaps needed to increase visibility. Independence and openness should be retained.", Helsinki, Finland

3. Is the status quo preferable to the proposed change?
- "While I like many of the ideas raised, I think that OWASP is doing well and progressing, so whatever we do change must be evolutionary rather than revolutionary", Ofer Shezaf


Non Active Chapters (new leaders needed)

Brisbane, Panama, Sydney, Argentina, Manila, Austria, BostonFinancialDist, Charlotte, Chile, Denmark, Hyderabad, Kerala, Kolkata, Madison, Mexico_City, Ohio, Omaha, Pakistan, Pittsburgh, Riyadh, Tokyo, Winnipeg


Non Active Projects

- OWASP_Logging_Project
- OWASP_Insecure_Web_App_Project
- OWASP_CAL9000_Project
- OWASP_Legal_Project
- OWASP_Application_Security_Metrics_Project
- OWASP_Career_Development_Project
- OWASP_SQLiX_Project
- OWASP_WASS_Project
- OWASP_AppSec_FAQ_Project


Please Give Us Your Feedback

- Tutorials?
  - More diversity?
  - What other topics are you interested in?
  - Quarterly regional OWASP training events?
- Presentations?
  - More tracks?
  - Longer conference?
  - Panels?
- Other Activities?
  - OWASP tool demos?
  - Capture the flag?
  - Product comparisons? (think UL testing/Consumer Reports)

Send to conferences@owasp.org


Please Help OWASP Grow

As contributors:
- OWASP Chapter Leaders
- OWASP Project Leaders and Participants
- Season of Code Participants (paid projects!)
- OWASP Conference Committee
- Stub articles
- Wiki contributions
- New technologies to analyze

As members:
- Corporate Members
- Individual Members

Please join us and share what you know!


Final OWASP event: Golf tournament

- Next Saturday, 17th November
- In San Jose
- Winner gets an OWASP sweatshirt and public kudos
- 18 holes
- Let me know if you are interested


Thanks & Questions?
