[Owasp-leaders] AppSec Monthly Themes
chris.schmidt at owasp.org
Thu Mar 22 06:00:54 UTC 2012
I think this is a good start, but to really make this successful I think
we need to:
1) Get buy-in from content creators, focus on owasp leaders who have
projects associated with the focus of the theme for each month
a) Talk at chapter meetings
b) Guest Blog Post on Owasp Blog
2) Develop a press release to send to all of the tech industry rags and
the key mainstream media outlets
3) Invite press to chapter meetings where talks on the theme of the
month are being presented - make it a big deal!
4) Push a message! Simply putting a page out on the web with a
downloadable badge or two ("I </3 SQLi", "No Concatenation!", etc) and a
message that people can connect with can go a very long way (A great
example of this, although in a totally different context is the
http://slutsunite.org/ site - Say the oath, grab a badge, and share it
on your social networks!)
So additionally, I think "Injection Attacks" by itself is far too vague
- we need to focus in on a specific vector to have the most impact - and
since both the Verizon DBIR and the Trustwave GSR just came out - both
having a big focus on SQL Injection, I think the timing is ripe to make
that the theme for April.
I will commit to doing a blog post about SQLi in April right now - how
about an article on leveraging AppSensor/ESAPI IDS to identify and react
to sqlmap crawls (an actionable post with demonstrated value, and
relevant to not only the DBIR/GSR b/c it is SQLi, but also b/c sqlmap is
the Hacktivist tool of choice for breaches). I think if we can get at
least 3 more content creators to commit to an article giving us one a
week we can move forward with it. Suggestions would be properly using
parameterized queries across different platforms, Blind SQLi and maybe
an article on identifying, testing for, and mitigating second-order
SQLi. All posts should have something actionable that the audience can
take away from it, whether that be a code snippet they can play with in
their environment - a howto on using a tool to identify risks, or
anything else - as long as there is something.
What it boils down to is keeping it relevant to current(ish) events and
keeping a constant flow of content so the press has something to report
on - setting up a Podcast with a couple of the writers each month would
be good as well.
The goal should be to break out of the echo chamber though - even if I
have something interesting to say, if I am just saying it to a bunch of
people that are already on board I haven't accomplished anything more
than stroking my ego a little bit. I think this is a fantastic way to do
that if we do it correctly and strategically.
On 3/21/2012 11:02 PM, Michael Coates wrote:
> I've been toying with the idea of a centralized security theme for each
> month. The idea is to flood the airwaves (or is it the pipes?) with a
> large amount of information on a particular application security topic.
>
> For example, April could be "Injection Flaws" and anyone interested
> could blog about this topic. I'm hoping to see articles from the
> perspective of builders, breakers and defenders. Also articles that dive
> into code examples, frameworks, lifecycle considerations, tools and
> more. We can have a push for video examples, podcasts, and project
> updates (if relevant to the monthly theme) and more.
>
> This "coordinated" assault on the issue is then magnified by retweets
> from the OWASP twitter account and syndication on the OWASP news feed.
> At the end of the month we then have an OWASP blog post that captures
> the definitive list to all articles, posts, tools, etc that were created
> during that month. We could also award the top contributions and feature
> them in the newsletter.
>
> Anyone interested in this idea? I'm thinking we work through a few of
> the OWASP top 10, then maybe jump around with a month for mobile
> security, cloud security, lifecycle, risk analysis, etc.
>
> April the month of Injection Flaws?
>
> Michael Coates | OWASP
> michael.coates at owasp.org | @_mwc
> OWASP Board
>
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org