OWASP DENVER
CHAPTER MEETING
FEBRUARY 20 2007
David Campbell
OWASP Denver Chapter
OWASP
[email protected]
+1 (415) 377 7379
DENVER, COLORADO
USA
Copyright 2008 © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Denver Chapter Business
- Leadership Change
  - Much thanks to David Byrne and Andy Lewis for their leadership over the past two years
  - Transitioning to David Campbell and Eric Duprey
- Goal for 2008
  - Meetings at least bi-monthly
  - Planning the Front Range OWASP Conference (10 June 2008) along with the Boulder OWASP chapter
OWASP
2
OWASP Mission
- Open source non-profit charitable foundation dedicated to enabling organizations so they can develop, maintain, and acquire software they can trust
- Making Security Visible
- Through…
  - Documentation
    - Top Ten, Dev. Guide, Design Guide, Testing Guide, …
  - Tools
    - WebGoat, WebScarab, Site Generator, Report Generator, ESAPI, CSRF Guard, CSRF Tester, Stinger, Pantera, …
  - Working Groups
    - Browser Security, Industry Sectors, Access Control (XACML), Education, Mobile Phone Security, Preventive Security, OWASP SDL, OWASP Governance, RIA Security
  - Community and Awareness
    - Local Chapters, Conferences, Tutorials, Mailing Lists
Some OWASP Growth Stats
- One year ago (Oct 2006), we had
  - about 75 local chapters
  - about 15 corporate sponsors
  - about 180K page views / month at OWASP.org
  - and finally a little bit of money: about $88K
- Now (Nov 2007), we have
  - over 100 local chapters
  - over 30 corporate sponsors
  - about 360K page views / month at OWASP.org
  - prior to this conference we had about $298K
    - Of which $80K is pledged to the completion of the 2007 Spring of Code projects
OWASP Chapters
How Does OWASP Make Money?
- Corporate sponsorships
- Individual memberships
OWASP Corporate Members
Where Does the Money Go?
- Conferences
  - Much more affordable than SANS / Blackhat / Cansec
- Books
  - Created from the Wiki materials (i.e. Top 10, Testing Guide)
  - Distributed to corporate sponsors and individual members
- Projects (Spring of Code, Winter of Code)
- Subsidies to fly in top notch speakers for chapter meetings!
SpoC 007 - OWASP Spring of Code 2007
- 26 projects sponsored @ $125,000 USD
- 15 projects made strong to amazing deliveries
  - OWASP Education Project (PPTs for community use)
  - Code Review Guide
  - OWASP Top 10 - Ruby on Rails version
  - Attacks refresh (Wiki data consolidation)
  - OWASP Evaluation and Certification criteria
  - OWASP Scholastic Project (using OWASP at academia)
  - SpoC project management (we now know how to do it :) )
- 5 projects are in the final stages
- 6 projects were canceled
- Final amount sponsored: $103,500 USD
OWASP Working Groups
- Browser Security: Robert (RSnake) Hansen, Petko (pdp) Petkov
- Industry Sectors: Tom Brennan
- Access Control (XACML): Gunnar Peterson
- Education: Sebastien Deleersnyder
- Mobile Phone Security: Corey Benninger
- Preventive Security: Dinis Cruz
- OWASP SDL: Pravir Chandra
- OWASP Governance: Tom Brennan
- Some ideas for other OWASP working groups:
  - RIA Frameworks, Open Source solutions, Commercial vendor solutions, Evaluation & Certification, Privacy
Some OWASP Conference Stats
- 1st OWASP AppSec Conference (2004 NY) - ~100 people on a weekend
- 2nd OWASP AppSec Conference (2005 London) - ~100 on a weekend
- 3rd OWASP AppSec Conference (2005 D.C.)
  - About 175 attendees plus 40 people in first tutorial
- 4th OWASP AppSec Conference (2006 Brussels)
  - About 125 with 40 people in two tutorials plus refereed papers track
- 5th OWASP AppSec Conference (2006 Seattle)
  - About 180 attendees with 115 in three tutorials!
- 6th OWASP AppSec Conference (2007 Milan)
  - About 140 attendees, 40 people in 3 tutorials plus refereed papers track
- OWASP Taiwan Conference (2007 Taiwan)
  - About 600 attendees for half day free conference!!
- 2007 OWASP & WASC AppSec Conference (2007 San Jose)
  - About 260 attendees with 80 people in six 2-day tutorials
  - First Tech Expo: Sold out with 10 vendors participating
Conference Plans for 2008
- 2008 OWASP Australia AppSec Conference
  - Gold Coast – March 29-31 – 1-day tutorials, 2-day conference
- 2008 OWASP AppSec Europe Conference
  - Brussels – May 19-22, 2008
  - Refereed papers track, Vendor Expo
  - Two day tutorials – two day conference
- 2008 Front Range OWASP Conference
  - One day, multi-track (tech & mgt)
  - CFP imminent! Some top notch speakers already committed
- 2008 OWASP AppSec Taiwan Conference - ??
- 2008 OWASP AppSec U.S. Conference
  - New York City, Oct. 2007
  - Refereed papers track, Vendor Expo, Lots of tutorials
  - Capture the flag event?
What does all this mean?
- OWASP is gaining industry traction
- PCI-DSS Self Assessment Questionnaire (SAQ) requirement 6.5 specifically requires that OWASP guidelines be followed when developing web apps
What Can You Do?
- Just getting started with application security?
  - Managers: Familiarize yourself with the Top 10 most common vulnerabilities in web applications
  - Developers: Get your hands on the OWASP Guide to Building Secure Web Applications
  - Penetration Testers: Start working through the OWASP Testing Guide, and also tools like WebScarab
What Can You Do?
- Already past that stage?
  - Get involved! We need the following:
    - Presenters for future meetings
    - OWASP Project Leaders and Participants
    - Season of Code Participants (paid projects!)
    - Wiki contributions
Questions / Comments