[Global_membership_committee] FW: [Owasp-leaders] Creating OWASP 4.0!

Kate Hartmann kate.hartmann at owasp.org
Fri Dec 10 13:00:33 EST 2010

John, I have your membership as having expired in February.  You would have
gotten a notice sometime in January.

Honorary membership was granted prior to 2009 for the Board Member Vote to
recognize active members of the community.  These have expired, but the
membership committee is working on redefining this membership type.

Kate Hartmann
Operations Director
Skype:  Kate.hartmann1

-----Original Message-----
From: Lorna Alamri [mailto:lorna.alamri at owasp.org] 
Sent: Friday, December 10, 2010 12:40 PM
To: John Steven
Cc: Kate Hartmann; dinis cruz; Eduardo Neves
Subject: Re: [Owasp-leaders] Creating OWASP 4.0!

The OWASP Board will be determining who will be sponsored. Please fill out
the form for Chapter sponsorship for the partial funds.  The Summit team
will then have the board determine what funds they are willing to allocate to
each individual.  Would your employer be willing to sponsor any of your

Sent from my iPhone

"If there is no struggle, there is no  progress."

On Dec 10, 2010, at 6:30 AM, John Steven <John.Steven at owasp.org> wrote:

> Lorna,
> I will absolutely add the idea to the Working Sessions and Schedule. I 
> am the NoVA (Northern Virginia) Chapter President but our current 
> kitty is only like $425. Does the conference itself have budget to 
> contribute to my trip for an idea such as I've suggested?
> Also: Kate... I noticed I'm not an OWASP Member any more (according to 
> the spreadsheet). Did my membership expire without a notification? I 
> feel like I was notified, I would have "re-upped". What is my status?
> Also: quick random question: what is an "Honorary Member"?
> -jOHN
> 703.727.4034
> On Thu, Dec 9, 2010 at 11:36 PM, Lorna Alamri <lorna.alamri at owasp.org>
>> John,
>> Make sure to add your ideas to the Summit working sessions page 
>> http://www.owasp.org/index.php/Summit_2011#tab=Working_Sessions and 
>> the schedule 
>> http://www.owasp.org/index.php/Summit_2011#tab=Schedule_and_Tracks
>> and that everyone is on the attendee list if they plan to attend 
>> http://www.owasp.org/index.php/Summit_2011_Attendee. Invite documents 
>> are located here:
>> http://www.owasp.org/index.php/Summit_2011#tab=Letters_and_Summit_Materials
>> We've also extended dates for applying for Chapter and Project 
>> sponsorship so follow the procedure outlined here:
>> http://www.owasp.org/index.php/Summit_2011#tab=Applying_for_Chapter_or_Project_Sponsorship
>> Let me know if you have questions.
>> Regards,
>> Lorna
>> On Thu, Dec 9, 2010 at 2:04 PM, John Steven <John.Steven at owasp.org>
>>> All,
>>> I agree with Rex. Chaos remains an important (constructively) 
>>> disruptive force. It can not provide coherent direction I hear 
>>> people craving ATM. The board seems to want the organization to 
>>> remain decentralized and with a bottom-up driven direction through 
>>> project leaders. This seems 'fine' to me because it's fundamental to 
>>> the OWASP organization and culture.
>>> Though, outside of the community itself, I perceive this having 
>>> resulted in two forces providing OWASP most of its external impact 
>>> and momentum beyond general Application Security Awareness recently:
>>> Conferences and ESAPI
>>> I'm concerned that as we look at '11, we don't see these two forces 
>>> providing us the progress we desire alone. The last few conferences 
>>> I attended suffered from confusion or division in promotion and the 
>>> majority of topic areas have already been presented (often in nearly 
>>> or exactly their current form). Momentum on conferences, from my 
>>> view, will wane unless something changes. ESAPI, by comparison, has 
>>> momentum but is less mature. There isn't a "The Solution" but I 
>>> think we can create some direction and bolster both of these key 
>>> aspects of the OWASP organization simultaneously. I've talked to 
>>> almost everyone explicitly listed as a CC regarding my idea. They 
>>> seemed at least superficially interested in participating.
>>> Create a "No Fluff just stuff"-like track for Portugal, pull out our 
>>> laptops (not for email/IM), and show people how to develop secure 
>>> code. Chris referred to this here:
>>> http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-for-bees.html
>>> I'd like to prototype this in Portugal and keep 
>>> it going in Minnesota.
>>> Pravir led something like this with SAMM (but regarding process) in 
>>> Portugal the first time around. This was incredibly valuable.
>>> I'd like to propose the following skeleton and get passionate 
>>> developers to sign up for it. I'm imagining 1/2 day sessions. (So, 
>>> over four days, we could have eight (8) facilitators). I suggest we 
>>> pick a single target (Java EE?), a single victim app, and a single 
>>> container as a 'base of operations' for the first one to keep things 
>>> simple.
>>> Track Mission: Building Security In: Using OWASP 
>>> tools/techniques/code to build secure applications.
>>> (the list is not in any particular order. In fact, that may be 
>>> something to talk about. I've tried to provide four (4) one-hour 
>>> seeds for each session, subject again to discussion)
>>> *     Topic                                   *   Facilitator   *    Proctors   *
>>> 1 Applying ESAPI input validation        Mr. Schmidt
>>>    * Serial Decomp: Decode, canonicalize, filter
>>>    * Structured data (SSN, CC, etc.)
>>>    * Unstructured data (comments, blogs,  blah)
>>>    * Other input examples (ws-, Database, etc.)
>>> 2  Defining AppSensor sensors for:      Mr. Coates
>>>     * Forced Browsing
>>>     * Request Velocity
>>>     * Unexpected encodings
>>>     * Impersonation (Sudden user switch)
>>> 3 Managing sessions                          ????????
>>>   * Across requests
>>>   * Across containers
>>>   * Invalidating sessions (Timeout, attack event, logout)
>>>   * Invalidating sessions (across containers, SSO token 
>>> invalidation, user termination)
>>> 4 Protecting information stored client-side  Mr. Steven
>>>    * Threat Modeling the problem
>>>    * Protecting theft and re-playability of application-specific info (on client & in flight)
>>>    * Protecting theft and re-playability of session-specific info (in flight)
>>>    * Protecting session-specific information from attack on the client
>>> 5 Protecting against CSRF                 ????????
>>>    * Hygiene
>>>       * Discuss/show Frames-busting, cross-domain policy,
>>>       * Discuss referrer and other red herrings
>>>    * Tokens (crafting, scoping, and checking)
>>>    * Discussions, techniques on scale
>>>    * Discussions, techniques on CAPTCHA, re-auth, etc.
>>> 6 Providing access to persisted data   ???????
>>>   * Controlling visibility of tables by role (Spring?)
>>>   * Providing access to safe SQL-like query through DAO layer
>>>   * Discussions, techniques for providing secure 'auto-wiring' / marshaling
>>>   * Encoding and canonicalization for storage (or alternatively:
>>>   * Security concerns with hierarchical caching & object pooling)
>>> 7 ...I have some other ideas for 7 and 8, but wanted to afford the 
>>> skeleton some flexibility.
>>> 8
>>> Rules:
>>> * Facilitator role replaces "speaker". They lead the session, but 
>>> the session is a working session, laptops open, whiteboards filling. 
>>> This is not a lecture.
>>> * Other facilitators adopt the present facilitator's goal as their 
>>> own and we drive the concept/design/code forward. Dissenting views 
>>> are for drinks later.
>>> * Sessions are open to all participants provided they have at least 
>>> the ability to read the chosen language, and have the following 
>>> things installed when they arrive:
>>>   * Our victim app
>>>   * All session dependencies
>>>   * Dev tools sufficient to build and run the app and our 
>>> dependencies
>>> * Facilitators must agree to attend six (6) out of eight (8) sessions.
>>> Failing that, they're booted from the next venue
>>> * The objective of each session is split between educating 
>>> participants and bringing the state of the practice forward.
>>> * Participants may bring whatever code they like, provided they 
>>> contribute it to OWASP.
>>> * Facilitators should seek to absorb any new developments into the 
>>> next conference session, i.e., each session should have some new and 
>>> unique content.
>>> * Facilitators don't 'own' topics; in fact, I'd like them to rotate 
>>> between cons if possible.
>>> Next Steps:
>>> * Define eight sessions, facilitators. Solicit proctoring help
>>> * Finalize (and verify) dependency list for participants
>>> * Ratchet up specificity in session topics (create, review, and 
>>> revise a track outline)
>>> * Establish a twice-monthly call for facilitators to take our 
>>> skeleton plan to reality.
>>> I would be happy to help organize this track, direct it, and provide 
>>> air-support to the other facilitators in their sessions. Chris, Mike:
>>> want to participate? Mr. Cornell--we discussed this out west. You 
>>> game? Others?
>>> This track idea, in no way, replaces the need for continued 
>>> awareness, novice training, and other popular OWASP tools/projects 
>>> (LiveCD, Top10, ... etc.)  The track is designed to engage 
>>> passionate and more advanced participants, as well as entice more 
>>> developer participation.
>>> Let's build something interactive, tangible and immediately useful 
>>> for our conference participants.
>>> -jOHN
>>> On Wed, Dec 8, 2010 at 5:36 PM, Rex Booth <rex.booth at owasp.org> wrote:
>>>> I hate to be so contrarian with you today James, but chaos doesn't 
>>>> work on a strategic level.  Your positive experience at your 
>>>> chapter doesn't translate to the organization as a whole.
>>>> Whether we are a non-profit or not, we need to recognize that we 
>>>> are in a competitive marketplace where we need to struggle for 
>>>> relevancy in order to achieve our mission.  We can't treat this 
>>>> like some sort of free-for-all.
>>>> We have numerous dedicated individuals, but I think as an 
>>>> organization we try to be everything to everyone.  In the pursuit 
>>>> of allowing owasp to be anything somebody wants it to be (new 
>>>> conference?  Sure!  New project?  Why 
>>>> not?) we've sacrificed our ability to focus and really make an 
>>>> impact (with some notable exceptions).
>>>> I think better coordination of efforts, some culling of the less 
>>>> useful projects and undertakings, and more strategic leadership 
>>>> from the board level would go a long way.
>>>> Imagine how much we could accomplish if we eliminated the noise and 
>>>> were able to double our efforts on the truly impactful and 
>>>> high-profile efforts!
>>>> Rex
>>>> On Dec 8, 2010, at 4:02 PM, "James McGovern" <JMcGovern at virtusa.com> wrote:
>>>> I too have noticed the chaos and believe it is a good thing! When 
>>>> the Hartford chapter did a joint meeting with ISACA, they had a lot 
>>>> more formality in organizing things. Generally speaking, when I 
>>>> organize Hartford chapter meetings I tend to start with finding two 
>>>> speakers who are of interest, figuring out what they are going to 
>>>> talk about, creating an agenda and then blasting it to the world. 
>>>> The ISACA model required multiple levels of approval and dozens of 
>>>> phone calls.
>>>> We get things done without requiring audits and checklists :-)
>>>> James McGovern
>>>> Insurance SBU
>>>> Virtusa Corporation
>>>> 100 Northfield Drive, Suite 305 | Windsor, CT | 06095
>>>> Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890
>>>> -----Original Message-----
>>>> From: owasp-leaders-bounces at lists.owasp.org
>>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Yiannis 
>>>> Pavlosoglou
>>>> Sent: Wednesday, December 08, 2010 12:47 PM
>>>> To: owasp-leaders at lists.owasp.org
>>>> Subject: Re: [Owasp-leaders] Creating OWASP 4.0!
>>>> Examples:
>>>> 2. We have real issues on establishing individual efforts and commits
>>>> to a particular task. Other organisations are also open and
>>>> transparent, why all the chaos with us?
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> --
>> Lorna Alamri
>> OWASP MSP: Host to OWASP AppSec USA 2011 September 20-23 Training, 
>> Talks, CTF, and Vendor Show www.appsecusa.org (2011 site coming soon) 
>> @appsecusa, @owaspmsp
>> Dir: 651-338-0243
>> skype: lorna.alamri
>> lorna.alamri at owasp.org