Copyright © 2006 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP AppSec Europe
http://www.owasp.org/
May 2006
Keynote Day 1: OWASP 2.0
Dinis Cruz, OWASP .Net Project, [email protected]
OWASP AppSec Europe 2006
New Manifesto / Vision
“Enabling organizations to develop, maintain, and purchase applications that they can trust”
Consolidate all OWASP Projects in one strong vision
Focus OWASP efforts in one positive and focused target
Create a ‘package’ that companies will want to buy (i.e. join as members)
Build on past successes
OWASP is about a community who cares
Built on the great foundations laid by our contributors
Independent
Focused on creating a better world
Great peer-to-peer participation
Emphasis on local community building
Objectives
Organize OWASP’s world
Deliver quality products, of the highest standard, usable by small and large companies
Professionalize OWASP delivery
More support for projects (both local and global)
Maintain and improve OWASP’s brand
Improve the quality of the web applications that we use every day
Today
The current software / web development process is a mess
No standards or metrics
Little understanding of the threats
A small number of attacks creates a ‘comfort zone’
Strong business model to reward features and performance
Weak business model to reward security
Server-based code creates a false sense of security due to very limited peer review
‘Shoot the messenger’ practices (UK’s Dan and US’ xyz guy) make it even worse
Today II
Strong awareness that ‘something is wrong’
Weak awareness (and agreement) of ‘what to do about it’
The security industry is part of the problem (snake oil sellers and wild marketing claims)
Too much money is being made today by security vendors (with the current ‘insecure world’)
Market leaders are only marginally better than everybody else (or even less when adjusted for their market share)
Clients don’t know what to ask for and how to commercially reward good vendors
Today III
The current security model is based on:
Lack of attackers (as in quantity)
Attackers’ skills
Unsophisticated malicious business model (i.e. difficulty to monetize digital assets)
Plenty of low-hanging fruit still available (phishing, spam, sale of botnets, identity theft)
Basically we are betting that the gradual security improvements that we are making every day are bigger than the attackers’ numbers, skills and business model
Today IV
What organizations need is to be able to develop, or maintain, or purchase applications that they can trust
We need assurance that applications will:
do what they are designed for
be securely coded
be executable in secure ‘sandboxed’ environments
not dramatically increase the risk to our assets
OWASP’s new Vision
“Enabling organizations to develop, maintain, and purchase applications that they can trust”
Idea launched at OWASP AppSec Europe (May 2006)
New wiki-based www.owasp.org website launched (May 2006): tons of new content (CLASP, old owasp.org website), much more to be added (Guide, etc.)
Next steps will be to convert all OWASP projects into this new vision
Objective is to have all projects converted by the next OWASP conference in the USA (Seattle, Oct 2006)
Launch the ‘OWASP member pack’ which contains everything that OWASP has created to date (including special licenses for members)
OWASP’s world
Documents / Guides: OWASP Top Ten, OWASP Metrics, ISO 17799 Project, WASS Project, OWASP Process Project
Practical advice: OWASP Guide, OWASP Testing Project
Tools: OWASP .Net stuff (SiteGenerator, ReportGenerator, ANBS, SAMSHE, DefApp, Beretta), WebGoat, WebScarab, Stinger
Tons of Chapters around the world .... more about this tomorrow
the next level...
http://www.flickr.com/creativecommons/
Dedicated Executive Director
Andrew van der Stock
OWASP Guide Project Leader
Started the Melbourne and Sydney chapters
Sponsored by the National Australia Bank
Will spend 12h (1.5 days) a week on OWASP projects
Now OWASP Executive Director
Andrew’s Responsibilities
Helping projects and chapters succeed
Membership & funding
Assist with infrastructure (if required)
Future directions
http://www.flickr.com/creativecommons/
Andrew’s Key duties
Implement decisions from owasp-leaders
Help projects and chapters
Continue to work on projects (Guide, etc.)
Defend the OWASP brand
OWASP Infrastructure
http://www.flickr.com/creativecommons/
MediaWiki - new www.owasp.org
It’s a wiki
Replaces the current CMS
Easier updates
Scalable, relatively secure
Blogs
For all OWASP members
WordPress 2.0
Forums
Existing forums dead
UltimaBB
Link from front page
Downloads
Finished products/versions move to owasp.org
Development remains at Sourceforge (supports CVS)
Mail lists
Two mail infrastructures: [email protected] and *@lists.sourceforge.net
Need to bring this in house... eventually
Will happen during 2006 / 2007
Questions