OWASP DENVER CHAPTER MEETING FEBRUARY 20 2007


Transcript of OWASP DENVER CHAPTER MEETING FEBRUARY 20 2007

Copyright 2008 © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OWASP DENVER CHAPTER MEETING FEBRUARY 20 2007

David Campbell, OWASP Denver Chapter

[email protected]
+1 (415) 377 7379

DENVER, COLORADO, USA


Denver Chapter Business

Leadership Change
Much thanks to David Byrne and Andy Lewis for their leadership over the past two years
Transitioning to David Campbell and Eric Duprey

Goal for 2008
Meetings at least bi-monthly
Planning the Front Range OWASP Conference (10 June 2008) along with the Boulder OWASP chapter


OWASP Mission

Open source non-profit charitable foundation dedicated to enabling organizations so they can develop, maintain, and acquire software they can trust

Making Security Visible Through…

Documentation: Top Ten, Dev. Guide, Design Guide, Testing Guide, …
Tools: WebGoat, WebScarab, Site Generator, Report Generator, ESAPI, CSRF Guard, CSRF Tester, Stinger, Pantera, …
Working Groups: Browser Security, Industry Sectors, Access Control (XACML), Education, Mobile Phone Security, Preventive Security, OWASP SDL, OWASP Governance, RIA Security
Community and Awareness: Local Chapters, Conferences, Tutorials, Mailing Lists


Some OWASP Growth Stats

One year ago (Oct 2006), we had:
about 75 local chapters
about 15 corporate sponsors
about 180K page views / month at OWASP.org
and finally a little bit of money, about $88K

Now (Nov 2007), we have:
over 100 local chapters
over 30 corporate sponsors
about 360K page views / month at OWASP.org
prior to this conference we had about $298K, of which $80K is pledged to the completion of the 2007 Spring of Code projects


OWASP Chapters


How Does OWASP Make Money?

Corporate sponsorships

Individual memberships


OWASP Corporate Members


Where Does the Money Go?

Conferences: much more affordable than SANS / Blackhat / CanSec
Books: created from the Wiki materials (i.e. Top 10, Testing Guide), distributed to corporate sponsors and individual members
Projects (Spring of Code, Winter of Code)
Subsidies to fly in top notch speakers for chapter meetings!


SpoC 007 - OWASP Spring of Code 2007

26 projects sponsored @ $125,000 USD
15 projects made strong to amazing deliveries:
OWASP Education Project (PPTs for community use)
Code Review Guide
OWASP Top 10 - Ruby on Rails version
Attacks refresh (Wiki data consolidation)
OWASP Evaluation and Certification criteria
OWASP Scholastic Project (using OWASP at academia)
SpoC project management (we now know how to do it :) )
5 projects are in the final stages
6 projects were canceled
Final amount sponsored: $103,500 USD


OWASP Working Groups

Browser Security: Robert 'RSnake' Hansen, Petko 'pdp' Petkov
Industry Sectors: Tom Brennan
Access Control (XACML): Gunnar Peterson
Education: Sebastien Deleersnyder
Mobile Phone Security: Corey Benninger
Preventive Security: Dinis Cruz
OWASP SDL: Pravir Chandra
OWASP Governance: Tom Brennan

Some ideas for other OWASP working groups: RIA Frameworks, Open Source solutions, Commercial vendor solutions, Evaluation & Certification, Privacy


Some OWASP Conference Stats

1st OWASP AppSec Conference (2004 NY): ~100 people on a weekend
2nd OWASP AppSec Conference (2005 London): ~100 on a weekend
3rd OWASP AppSec Conference (2005 D.C.): about 175 attendees plus 40 people in first tutorial
4th OWASP AppSec Conference (2006 Brussels): about 125 with 40 people in two tutorials plus refereed papers track
5th OWASP AppSec Conference (2006 Seattle): about 180 attendees with 115 in three tutorials!
6th OWASP AppSec Conference (2007 Milan): about 140 attendees, 40 people in 3 tutorials plus refereed papers track
OWASP Taiwan Conference (2007 Taiwan): about 600 attendees for half day free conference!!
2007 OWASP & WASC AppSec Conference (2007 San Jose): about 260 attendees with 80 people in six 2-day tutorials; first Tech Expo, sold out with 10 vendors participating


Conference Plans for 2008

2008 OWASP Australia AppSec Conference, Gold Coast – March 29-31 – 1-day tutorials, 2-day conference

2008 OWASP AppSec Europe Conference, Brussels – May 19-22, 2008 – refereed papers track, Vendor Expo, two-day tutorials, two-day conference

2008 Front Range OWASP Conference – one day, multi-track (tech & mgt); CFP imminent! Some top notch speakers already committed

2008 OWASP AppSec Taiwan Conference – ??

2008 OWASP AppSec U.S. Conference, New York City, Oct. 2007 – refereed papers track, Vendor Expo, lots of tutorials; capture the flag event?


What does all this mean?

OWASP is gaining industry traction

PCI-DSS requirement 6.5 (reflected in the Self Assessment Questionnaire, SAQ) requires web applications to be developed according to secure coding guidelines, and names the OWASP guidelines as the example to follow


What Can You Do?

Just getting started with application security?

Managers: Familiarize yourself with the Top 10 most common vulnerabilities in web applications

Developers: Get your hands on the OWASP Guide to Building Secure Web Applications

Penetration Testers: Start working through the OWASP Testing Guide, and also tools like WebScarab


What Can You Do?

Already past that stage?

Get involved! We need the following:
Presenters for future meetings
OWASP Project Leaders and Participants
Season of Code Participants (paid projects!)
Wiki contributions


Questions / Comments