OWASP DENVER
CHAPTER MEETING
FEBRUARY 20 2007
David Campbell
OWASP Denver Chapter
OWASP
[email protected]
+1 (415) 377 7379
DENVER, COLORADO
USA
Copyright 2008 © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Denver Chapter Business
Leadership Change
Much thanks to David Byrne and Andy Lewis for their leadership over the past two years
Transitioning to David Campbell and Eric Duprey
Goal for 2008
Meetings at least bi-monthly
Planning the Front Range OWASP Conference (10 June 2008) along with the Boulder OWASP chapter
OWASP
2
OWASP Mission
Open source non-profit charitable foundation dedicated to enabling organizations so they can develop, maintain, and acquire software they can trust
Making Security Visible
Through…
Documentation
Top Ten, Dev. Guide, Design Guide, Testing Guide, …
Tools
WebGoat, WebScarab, Site Generator, Report Generator, ESAPI, CSRF Guard, CSRF Tester, Stinger, Pantera, …
Working Groups
Browser Security, Industry Sectors, Access Control (XACML), Education, Mobile Phone Security, Preventive Security, OWASP SDL, OWASP Governance, RIA Security
Community and Awareness
Local Chapters, Conferences, Tutorials, Mailing Lists
Some OWASP Growth Stats
One year ago (Oct 2006), we had
about 75 local chapters
about 15 corporate sponsors
about 180K page views / month at OWASP.org
and finally a little bit of money: about $88K
Now (Nov 2007), we have
over 100 local chapters
over 30 corporate sponsors
about 360K page views / month at OWASP.org
prior to this conference we had about $298K
Of which $80K is pledged to the completion of the 2007 Spring of Code projects
OWASP Chapters
How Does OWASP Make Money?
Corporate sponsorships
Individual memberships
OWASP Corporate Members
Where Does the Money Go?
Conferences
Much more affordable than SANS / Blackhat / Cansec
Books
Created from the Wiki materials (i.e. Top 10, Testing Guide)
Distributed to corporate sponsors and individual members
Projects (Spring of Code, Winter of Code)
Subsidies to fly in top notch speakers for chapter meetings!
SpoC 007 - OWASP Spring of Code 2007
26 projects sponsored @ $125,000 USD
15 projects made strong to amazing deliveries
OWASP Education Project (PPTs for community use)
Code Review Guide
OWASP Top 10 - Ruby on Rails version
Attacks refresh (Wiki data consolidation)
OWASP Evaluation and Certification criteria
OWASP Scholastic Project (using OWASP at academia)
SpoC project management (we now know how to do it :) )
5 projects are in the final stages
6 projects were canceled
Final amount sponsored: $103,500 USD
OWASP Working Groups
Browser Security: Robert "RSnake" Hansen, Petko "pdp" Petkov
Industry Sectors: Tom Brennan
Access Control (XACML): Gunnar Peterson
Education: Sebastien Deleersnyder
Mobile Phone Security: Corey Benninger
Preventive Security: Dinis Cruz
OWASP SDL: Pravir Chandra
OWASP Governance: Tom Brennan
Some ideas for other OWASP working groups:
RIA Frameworks, Open Source solutions, Commercial vendor solutions, Evaluation & Certification, Privacy
Some OWASP Conference Stats
1st OWASP AppSec Conference (2004 NY) - ~100 people on a weekend
2nd OWASP AppSec Conference (2005 London) ~100 on a weekend
3rd OWASP AppSec Conference (2005 D.C.)
About 175 Attendees plus 40 people in first tutorial
4th OWASP AppSec Conference (2006 Brussels)
About 125 with 40 people in two tutorials plus refereed papers track
5th OWASP AppSec Conference (2006 Seattle)
About 180 attendees with 115 in three tutorials!
6th OWASP AppSec Conference (2007 Milan)
About 140 attendees, 40 people in 3 tutorials plus refereed papers track
OWASP Taiwan Conference (2007 Taiwan)
About 600 attendees for half day free conference!!
2007 OWASP & WASC AppSec Conference (2007 San Jose)
About 260 attendees with 80 people in six 2-day tutorials
First Tech Expo: Sold out with 10 vendors participating
Conference Plans for 2008
2008 OWASP Australia AppSec Conference
Gold Coast – March 29-31 – 1-day tutorials, 2-day conference
2008 OWASP AppSec Europe Conference
Brussels – May 19-22, 2008
Refereed papers track, Vendor Expo
Two day Tutorials – two day conference
2008 Front Range OWASP Conference
One day, multi-track (tech & mgt)
CFP imminent! Some top notch speakers already committed
2008 OWASP AppSec Taiwan Conference - ??
2008 OWASP AppSec U.S. Conference
New York City, Oct. 2007
Refereed papers track, Vendor Expo, Lots of tutorials
Capture the flag event?
What does all this mean?
OWASP is gaining industry traction
PCI-DSS Self Assessment Questionnaire (SAQ) requirement 6.5 specifically requires that OWASP guidelines be followed when developing web apps
What Can You Do?
Just getting started with application security?
Managers: Familiarize yourself with the Top 10 most common vulnerabilities in web applications
Developers: Get your hands on the OWASP Guide to Building Secure Web Applications
Penetration Testers: Start working through the OWASP Testing Guide, and also tools like WebScarab
What Can You Do?
Already past that stage?
Get involved! We need the following:
Presenters for future meetings
OWASP Project Leaders and Participants
Season of Code Participants (paid projects!)
Wiki contributions
Questions / Comments