OWASP DENVER CHAPTER MEETING FEBRUARY 20 2007 David Campbell OWASP Denver Chapter OWASP [email protected] +1 (415) 377 7379 DENVER, COLORADO USA Copyright 2008 © The OWASP Foundation Permission is granted to.
Download ReportTranscript OWASP DENVER CHAPTER MEETING FEBRUARY 20 2007 David Campbell OWASP Denver Chapter OWASP [email protected] +1 (415) 377 7379 DENVER, COLORADO USA Copyright 2008 © The OWASP Foundation Permission is granted to.
OWASP DENVER CHAPTER MEETING FEBRUARY 20 2007 David Campbell OWASP Denver Chapter OWASP [email protected] +1 (415) 377 7379 DENVER, COLORADO USA Copyright 2008 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Denver Chapter Business Leadership Change Much thanks to David Byrne and Andy Lewis for their leadership over the past two years Transitioning to David Campbell and Eric Duprey Goal for 2008 Meetings at least bi-monthly Planning the Front Range OWASP Conference ( 10 June 2008) along with the BOULDER OWASP chapter OWASP 2 OWASP Mission Open source non-profit charitable foundation dedicated to enabling organizations so they can develop, maintain, and acquire software they can trust Making Security Visible Through… Documentation Top Ten, Dev. Guide, Design Guide, Testing Guide, … Tools WebGoat, WebScarab, Site Generator, Report Generator, ESAPI, CSRF Guard, CSRF Tester, Stinger, Pantera, … Working Groups Browser Security, Industry Sectors, Access Control (XACML), Education, Mobile Phone Security, Preventive Security, OWASP SDL, OWASP Governance, RIA SecurityCommunity and Awareness Local Chapters, Conferences, Tutorials, Mailing Lists OWASP 3 Some OWASP Growth Stats One year ago (Oct 2006), we had about 75 local chapters about 15 corporate sponsors about 180K page views / month at OWASP.org and finally a little bit of money . About $88K Now (Nov 2007), we have over 100 local chapters over 30 corporate sponsors about 360K page views / month at OWASP.org prior to this conference we had about $298K Of which $80K is pledged to the completion of the 2007 Spring of Code projects OWASP 4 OWASP Chapters OWASP 5 How Does OWASP Make Money? Corporate sponsorships Individual memberships OWASP 6 OWASP Corporate Members OWASP 7 Where Does the Money Go? Conferences Much more affordable than SANS / Blackhat / Cansec Books Created from the Wiki materials (i.e. Top 10, Testing Guide) Distributed to corporate sponsors and individual members Projects (Spring of Code, Winter of Code) Subsidies to fly in top notch speakers for chapter meetings! OWASP 8 SpoC 007 - OWASP Spring of Code 2007 26 projects sponsored @ $125,000 USD 15 projects made strong to amazing deliveries OWASP Education Project (PPTs for community use) Code Review Guide OWASP Top 10 - Ruby on Rails version Attacks refresh (Wiki data consolidation) OWASP Evaluation and Certification criteria OWASP Scholastic Project (using OWASP at academia) SpoC project management (we now know how to do it :) ) 5 projects are in the final stages 6 projects were canceled Final amount sponsored: $103,500 USD OWASP 9 OWASP Working Groups Browser Security: Robert R'Snake, Petkov Pdb Industry Sectors: Tom Brennan Access Control (XACML): Gunner peterson Education: Sebastien Deleersnyder Mobile Phone Security: Corey Benninger Preventive Security: Dinis Cruz OWASP SDL: Pravir Chandra OWASP Governance: Tom Brennan Some ideas for other OWASP working groups: RIA Frameworks, Open Source solutions, Commercial vendors solutions, Evaluation & Certification, Privacy OWASP 10 Some OWASP Conference Stats 1st OWASP AppSec Conference (2004 NY) - ~100 people on a weekend 2nd OWASP AppSec Conference (2005 London) ~100 on a weekend 3rd OWASP AppSec Conference (2005 D.C.) About 175 Attendees plus 40 people in first tutorial 4th OWASP AppSec Conference (2006 Brussels) About 125 with 40 people in two tutorials plus refereed papers track 5th OWASP AppSec Conference (2006 Seattle) About 180 attendees with 115 in three tutorials! 6th OWASP AppSec Conference (2007 Milan) About 140 attendees, 40 people in 3 tutorials plus refereed papers track OWASP Taiwan Conference (2007 Taiwan) About 600 attendees for half day free conference!! 2007 OWASP & WASC AppSec Conference (2007 San Jose) About 260 attendees with 80 people in six 2-day tutorials First Tech Expo: Sold out with 10 vendors participating OWASP 11 Conference Plans for 2008 2008 OWASP Australia AppSec Conference Gold Coast – March 29-31 – 1-day tutorials, 2-day conference 2008 OWASP AppSec Europe Conference Brussels – May 19-22, 2008 Refereed papers track, Vendor Expo Two day Tutorials – two day conference 2008 Front Range OWASP Conference One day, multi-track (tech & mgt) CFP immiment! Some top notch speakers already committed 2008 OWASP AppSec Taiwan Conference - ?? 2008 OWASP AppSec U.S. Conference New York City, Oct. 2007 Refereed papers track, Vendor Expo, Lots of tutorials Capture the flag event? OWASP 12 What does all this mean? OWASP is gaining industry traction PCI-DSS Self Assessment Questionnaire (SAQ) requirement 6.5 specifically requires that OWASP guidelines be followed when developing web apps OWASP 13 What Can You Do? Just getting started with application security? Managers: Familiarize yourself with the Top 10 most common vulnerabilities in web applications Developers: Get your hands on the OWASP Guide to Building Secure Web Applications Penetration Testers: Start working through the OWASP Testing Guide, and also tools like Webscarab OWASP 14 What Can You Do? Already past that stage? Get involved! We need the following: Presenters for future meetings OWASP Project Leaders and Participants Season of Code Participants (paid projects!) Wiki contributions OWASP 15 Questions / Comments OWASP 16