OWASP DENVER CHAPTER MEETING FEBRUARY 20 2007
-
Upload
leverett-reynaud -
Category
Documents
-
view
49 -
download
0
description
Transcript of OWASP DENVER CHAPTER MEETING FEBRUARY 20 2007
Copyright 2008 © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP DENVERCHAPTER MEETING FEBRUARY 20 2007
David CampbellOWASP Denver Chapter
[email protected]+1 (415) 377 7379
DENVER, COLORADOUSA
2OWASP
Denver Chapter Business
Leadership ChangeMuch thanks to David Byrne and Andy Lewis
for their leadership over the past two yearsTransitioning to David Campbell and Eric
Duprey
Goal for 2008Meetings at least bi-monthlyPlanning the Front Range OWASP Conference
( 10 June 2008) along with the BOULDER OWASP chapter
3OWASP 3
OWASP Mission
Open source non-profit charitable foundation dedicated to enabling organizations so they can develop, maintain, and acquire software they can trust
Making Security Visible
Through…
Documentation Top Ten, Dev. Guide, Design Guide, Testing Guide, …
Tools WebGoat, WebScarab, Site Generator, Report Generator, ESAPI, CSRF
Guard, CSRF Tester, Stinger, Pantera, … Working Groups
Browser Security, Industry Sectors, Access Control (XACML), Education, Mobile Phone Security, Preventive Security, OWASP SDL, OWASP Governance, RIA
SecurityCommunity and Awareness Local Chapters, Conferences, Tutorials, Mailing Lists
4OWASP
Some OWASP Growth Stats
One year ago (Oct 2006), we had about 75 local chapters about 15 corporate sponsors about 180K page views / month at OWASP.org and finally a little bit of money . About $88K
Now (Nov 2007), we have over 100 local chapters over 30 corporate sponsors about 360K page views / month at OWASP.org prior to this conference we had about $298K
Of which $80K is pledged to the completion of the 2007 Spring of Code projects
4
8OWASP
Where Does the Money Go?
ConferencesMuch more affordable than SANS / Blackhat /
Cansec
BooksCreated from the Wiki materials (i.e. Top 10,
Testing Guide)Distributed to corporate sponsors and
individual members
Projects (Spring of Code, Winter of Code) Subsidies to fly in top notch speakers for
chapter meetings!
9OWASP
SpoC 007 - OWASP Spring of Code 2007
26 projects sponsored @ $125,000 USD 15 projects made strong to amazing deliveries
OWASP Education Project (PPTs for community use) Code Review Guide OWASP Top 10 - Ruby on Rails version Attacks refresh (Wiki data consolidation) OWASP Evaluation and Certification criteria OWASP Scholastic Project (using OWASP at academia) SpoC project management (we now know how to do it :) )
5 projects are in the final stages 6 projects were canceled Final amount sponsored: $103,500 USD
9
10OWASP
OWASP Working Groups
Browser Security: Robert R'Snake, Petkov Pdb Industry Sectors: Tom Brennan Access Control (XACML): Gunner peterson Education: Sebastien Deleersnyder Mobile Phone Security: Corey Benninger Preventive Security: Dinis Cruz OWASP SDL: Pravir Chandra OWASP Governance: Tom Brennan
Some ideas for other OWASP working groups: RIA Frameworks, Open Source solutions, Commercial vendors
solutions, Evaluation & Certification, Privacy
10
11OWASP 11
Some OWASP Conference Stats 1st OWASP AppSec Conference (2004 NY) - ~100 people on a weekend 2nd OWASP AppSec Conference (2005 London) ~100 on a weekend 3rd OWASP AppSec Conference (2005 D.C.)
About 175 Attendees plus 40 people in first tutorial 4th OWASP AppSec Conference (2006 Brussels)
About 125 with 40 people in two tutorials plus refereed papers track 5th OWASP AppSec Conference (2006 Seattle)
About 180 attendees with 115 in three tutorials! 6th OWASP AppSec Conference (2007 Milan)
About 140 attendees, 40 people in 3 tutorials plus refereed papers track OWASP Taiwan Conference (2007 Taiwan)
About 600 attendees for half day free conference!! 2007 OWASP & WASC AppSec Conference (2007 San Jose)
About 260 attendees with 80 people in six 2-day tutorials First Tech Expo: Sold out with 10 vendors participating
12OWASP 12
Conference Plans for 2008
2008 OWASP Australia AppSec Conference Gold Coast – March 29-31 – 1-day tutorials, 2-day conference
2008 OWASP AppSec Europe Conference Brussels – May 19-22, 2008 Refereed papers track, Vendor Expo Two day Tutorials – two day conference
2008 Front Range OWASP Conference One day, multi-track (tech & mgt) CFP immiment! Some top notch speakers already
committed
2008 OWASP AppSec Taiwan Conference - ?? 2008 OWASP AppSec U.S. Conference
New York City, Oct. 2007 Refereed papers track, Vendor Expo, Lots of tutorials Capture the flag event?
13OWASP
What does all this mean?
OWASP is gaining industry traction
PCI-DSS Self Assessment Questionnaire (SAQ) requirement 6.5 specifically requires that OWASP guidelines be followed when developing web apps
14OWASP
What Can You Do?
Just getting started with application security?
Managers: Familiarize yourself with the Top 10 most common vulnerabilities in web applications
Developers: Get your hands on the OWASP Guide to Building Secure Web Applications
Penetration Testers: Start working through the OWASP Testing Guide, and also tools like Webscarab
15OWASP
What Can You Do?
Already past that stage?
Get involved! We need the following:Presenters for future meetingsOWASP Project Leaders and ParticipantsSeason of Code Participants (paid projects!)Wiki contributions