[OCC] Last Summit (Fwd: Portugal Notes)

dinis cruz dinis.cruz at owasp.org
Wed Sep 8 09:27:28 EDT 2010


Just found this great debrief/ideas-dump from Darren's participation at the
last OWASP Summit in Portugal:
http://www.owasp.org/index.php/OWASP_EU_Summit_2008

Lots of good ideas, and it shows the type of debate and meetings we had there.

Dinis Cruz


---------- Forwarded message ----------
From: Challey, Darren (GE, Corporate) <Darren.Challey at ge.com>
Date: 12 November 2008 23:57
Subject: Portugal Notes
To: Eduardo Neves <eduardo.neves at owasp.org>, dinis cruz <dinis.cruz at owasp.org>,
jeff.williams at owasp.org, dave.wichers at owasp.org, Kate Hartmann
<kate.hartmann at owasp.org>, tomb at owasp.org


Here are my rough, personal notes for anyone that is interested ... no
warranty on accuracy or completeness is implied :)

Great meeting you all!

I have a small site where I posted some pics of our Saturday "adventure" to
Morocco: http://challey.com/2008_11_Portugal
Table Of Contents

1.       November 4

1.1.    Keynote Dinis Cruz
1.2.    OWASP Documentation Track - 15 minute overviews of important OWASP documents
1.3.    Eoin Keary - Code Review Guide
1.4.    Juan Carlos Calderon - Spanish Translation Project
1.5.    ESAPI - Alex Smolen (great images in presentation)
1.6.    ASDR - Leo Cavallari
1.7.    Dinis Cruz - Working Session Kick-off
1.8.    Dave Wichers - Quality bars for release levels
1.9.    Matteo Meucci
1.10.   Eoin Keary
1.11.   Eduardo Vianna de Camargo Neves
1.12.   Dave Wichers
1.13.   Manoranjan "Mano" Paul - Threat Modeling
1.14.   Threat modeling steps (not only a one-time activity - iterative)
1.15.   Critical Success Factors

2.       November 5

2.1.    Eduardo Vianna - Positive Security
2.2.    Martin Knobloch - OWASP Education
2.3.    Juan Carlos Calderon - OWASP Internationalization Guidelines
2.4.    Lucilla Mancini - Passwd Metrics and Vulnerabilities
2.5.    Dan Cornell - OWASP Open Review Project
2.6.    Tom Brennan - Global Committee Discussion
2.7.    Tom Brennan / Dinis Cruz - Censorship Discussion
2.8.    Sebastian Deleersnyder - Education Project
2.9.    Rogan Dawes - Secrets of Web Scarab
2.10.   Pravir Chandra - Software Assurance Maturity Model

3.       November 6

3.1.    Juan Carlos Calderon - Classic ASP
3.2.    Christian Martorella (Edge Security) - WebSlayer
3.3.    Heiko Webers (42 at bauland42.de) - Ruby on Rails
3.4.    Mathias Rohr (mro at securnet.de) - Skavenger Project
3.5.    Dave Wichers (dave.wichers at aspectsecurity.com) - OWASP Top 10 (2009 Update)
3.6.    Brad Causey - Ajax Security
3.7.    CLASP / SAMM references from Pravir Chandra
3.8.    OWASP Board - Summit Debate on Governance
3.9.    Matt Tesauro - Live CD

4.       November 7

4.1.    Final Project Presentations from Working Sessions
4.2.    Arshan Dabirsiaghi - Browser Security
4.3.    Arshan Dabirsiaghi - Framework Security
4.4.    Matt Tesauro - Tools working group
4.5.    Eoin Keary - Documentation
4.6.    Dave Wichers - Other guides
4.7.    Dave Wichers - Top 10
4.8.    Dinis Cruz - Certification
4.9.    George Hess - Best Practices for Chapter Leaders
4.10.   David - Intra-governmental Affairs
4.11.   Matt Tesauro - LiveCD
4.12.   Sebastian Deleersnyder - Education
4.13.   Jeff Williams - ESAPI Results
4.14.   Matteo Meucci - Testing Guide
4.15.   Pravir Chandra - Software Assurance Maturity Model (extension of CLASP)
4.16.   Fabio Cerullo - OWASP Website
4.17.   Leo Cavallari - ASDR
4.18.   Carlos Serrao - EU Funding
4.19.   Paulo Perego - Orizon Project
4.20.   Juan Carlos Calderon - Internationalization
4.21.   Giorgio Fedon - Malware
4.22.   Tom Brennan - Censorship
4.23.   Dinis Cruz - Close out comments and discussion
4.24.   3PM OWASP Open Board Meeting

 ------------------------------

November 4

9:00 - Keynote Dinis Cruz

   - Customer testimonials - Brad from Alabama Bank - value of OWASP to his
   team
   - "goodness" needs to become the focus - using and enforcing good
   practice rather than avoiding and detecting bad practice
   - "practicality" of OWASP deliverables - how will this work in practice
   - "proactivity" - determine what will be needed before it actually is

10:00 - OWASP Documentation Track - 15 minute overviews of important OWASP
documents

   - Matteo Meucci (matteo.meucci at owasp.org) - OWASP Testing Guide URL:
   owasp_testing_project
   - Project started in 2004, v2 in 2006 and v3 11/2008 - 350 pages
   - 66 Total controls
   - ASDR will serve as a foundation for the "trinity documents" (Build
   Guide, Code Review Guide, Testing Guide)

10:30 - Eoin Keary - Code Review Guide

   - 3 years old and the #3 most popular resource at OWASP
   - v1.1 in 2008 (214 pages now)
   - parallel of code to nature - if you have bad DNA you will eventually
   die out, same holds for poorly constructed code
   - The guide talks to prevention rather than treating the symptom
   - Orizon and Code Crawler tools are both great ones to look at


10:45 - Juan Carlos Calderon - Spanish Translation Project

   - 30 Reviewers participated
   - Automated redirection to Spanish pages from Spanish-speaking countries
   - Most of the major documents are done including the web site itself
   - automation can help with these efforts but often easiest to just start
   from scratch with translation

11:00 - ESAPI - Alex Smolen (great images in presentation)

   - Fully documented code ready for use
   - 85% Code Coverage - OWASP.ESAPI - compiled, ready to go
   - Based upon Java project
   - 120 Unit Tests
   - Direct Translation of the Java ESAPI
   - Common way to implement the security modules
   - Developers should not need to think hard about how to implement
   security
   - .Net implementations of things like cryptography are tough to understand
   - Certain implementations are haphazard about their security behaviors
   - Default ways of doing things are actually not always secure
   - Access Controller, Encoder, Encryptor, Http Utilities, Intrusion
   Detector, Logger, Randomization, Validation

11:15 - ASDR - Leo Cavallari

   - Started with the Honeycomb project in 2006, Spring of Code 2007,
   became ASDR in 2008
   - Basic reference for many Information Security Activities
   - Seeks to become the central repository for redundant information across
   the other guides (e.g. definitions)
   - 800 pages, 650 articles, 300 stubs that need content
   - Index: Principles, Threat Agents, Attacks, Vulnerabilities, Controls,
   Technical Impacts, Business Impacts (new)

11:45 - Dinis Cruz - Working Session Kick-off

   - Applying for European Grants for OWASP
   - Colin Watson - Moderator for the Documentation Session
   - Working Session Documentation Projects
   - Setting the 2009 Direction - what ideas do we want to consider?
   - Dinis Cruz says "Ideas are like little birds - must catch them before
   they are gone forever"

12:15 - Dave Wichers - Quality bars for release levels

   - Alpha / Beta release quality - on the main OWASP page you see about 8
   projects of release quality (small number)
   - Projects page - 200 or so, great ideas but not enough of them have
   gotten to release quality
   - Need to set the agenda for 2009, can't do it all … let's prioritize
   - OWASP now has a technical editor (Kerstin) part time (50%)
   - Interlinking of the documents is sometimes a challenge
   - Need to eliminate redundancy where possible - need to normalize the
   data
   - Dave has focused on how to integrate them and how to interlink them,
   naming conventions and templates for articles

Matteo Meucci

   - Need to understand what documents we have now
   - Shall we rationalize versions?
   - What languages should we adopt - Java & .Net?
   - ASDR will serve as the basis and the normalization point for common
   information across the other guides

Eoin Keary

   - Reduces the size for the other guides
   - Many folks contributed to these, each has a different understanding,
   need to create a common understanding
   - Appendix of the guides
   - Wikis are great but many folks also prefer to have pdf or printed and
   bound document
   - Need to focus on the most-common languages
   - Need to have a lifecycle between the three guides so that one will lead
   to the next from design to review to test
   - Printed form will have issues with the cross reference and active
   linking when in printed form
   - Business is driven by risk and money, we need to start addressing this
   stuff in addition to the technical solutions
   - Need some form of an outreach program
   - Standard appendix for all documents

Eduardo - OWASP

   - NIST has some good references that can be used as a starting point for
   new activities

Dave Wichers

   - Need synopsis documents, maybe in ppt, that outline what each
   document is all about
   - Do we need to pause new development to try and bring existing projects
   to fruition (release quality)
   - Consistency is mundane but important, standard format
   - Need to ensure coordination among the guides
   - Skill set to use the guide
   - Interlink the top 10 better with other documents

Juan Carlos

   - Can we create content specific to the user who is looking for
   information - are you an executive?  are you a developer?  are you a
   tester?
   - Much of what we are doing is highly technical, how can we

Idea sheets submitted by audience:

   - OWASP guidelines - drives the others and coordinate the others on how
   to structure and write
   - Perform a full review on all of the available docs, versions, produce
   an index with a summary
   - Setting the priorities - some projects need much more effort than
   others
   - Produce a document for each project in a summary document
   - Create an integration of the index from existing projects - streamline
   - Portuguese translation
   - Alignment on examples presented
   - ASDR Appendix
   - Consistent categories
   - Put the code examples into a language-specific appendix
   - Port them to pdf - pdf plug-in - make it easier to create into pdf -
   pdf generator
   - Agreed to hire a part-time Web Master from Johns Hopkins, 10 years
   prior experience
   - Statistics and Metrics about projects and chapters
   - Common use languages on the internet but not just for business
   - Can automate notifications from the Wiki
   - Best practices and training for optimal use of Wiki (e.g. category vs.
   column) - not everyone aware of optimal use
   - When culling projects be sure to keep a history - already done
   - Platform (language) specific
   - Leverage education projects better
   - Define a curriculum for university
   - Create a "pocket guide" in addition to the full guides
   - Develop talking points for technical folks to talk with management
   about utility and value
   - Simplify website and ensure usability is addressed
   - Why just a top 10 of worst - what about top 10 Best Practices
   - Documentation template and standardization across the guides
   - Training roadmap - what order should I read the available resources

2:15 Manoranjan "Mano" Paul - Threat Modeling

http://www.securitymasala.com - different flavors (masala) in information
security
Threat modeling is both an art and science
Threat modeling threats include - labor intensive how to justify, when do
you stop, common understanding and definitions

Threat Modeling is a systematic and structured approach to identify:

1) Security Objectives
2) Threats
3) Vulnerabilities

Why? Make decisions and determine where to prioritize efforts.
Threat modeling happens in life all the time

   - Assets (insurance jewelry, photos)
   - Architecture / Design (home design, security systems) - today we
   will focus here
   - Attack (Burglar) tree threat modeling thinks like an attacker
   - Acts of God (vacation planning)

Steps:
1) Do we have policies, standards and procedures in place?
2) Are you aware of compliance requirements?
3) Do you have a mature SDLC?
4) Do you plan to actually act upon it?
5) Not just security team, developers and business users must also be aware

Challenges:

   - Requires mature SDLC (but a young SDLC can also benefit)
   - Time consuming
   - Requires special skills and training
   - Tough to prove good ROI
   - People would rather act and code than wait and consider risks

CIA and Triple A (Confidentiality, Availability, Integrity, Authentication,
Authorization, Auditing)

Definitions:

   - Assets - anything of value
   - Threat - anything that can compromise the asset
   - Threat Agent - hacker or untrained person
   - Vulnerability - weakness in software
   - Attack - act of a malicious threat agent
   - Safeguard or countermeasure - address the vulnerability but not the
   threat
   - Probability
   - Impact

Threat Agents:

   - Stumbler - accident
   - Researcher - interest
   - Inexperienced wannabes - script kiddies
   - Insiders
   - Organized Crime
   - Malware - malicious software

Threat modeling steps (not only a one-time activity - iterative):

1) ID Security Objectives
2) Profile the application

   - application attributes (physical architecture, logical architecture,
   data flows)
   - protocols and ports
   - dependencies on external organizations, APIs or services (e.g. SOA)
   - actors / identities and where they are located (internet / Intranet)
   - data elements that are involved
   - technologies for authentication, authorization, processing and
   storage - coding languages as well

3) Decompose - context scenarios

   - determine trust boundaries
   - map entries and exits
   - data flows or (easier) use cases / abuse cases (negation or inverse
   of use case will generate abuse case from use case)

4) Identify threats - Attack trees (CIA+AAA) or Attackers (STRIDE, DREAD,
OCTAVE)

   - Where could XSS be used, where could session be hijacked, where could
   cookie be stolen?
   - How do we handle exceptions / information exposure?

5) Identify vulnerabilities - shape the design to minimize them, determine
needed controls, determine security test cases (should start in design
phase)

6) Rank and prioritize threats

   - Delphi model for Quantifying Risk:
      - Risk = Probability * Impact
      - Probability (High = 3, Medium = 2, Low = 1)
      - Impact (High = 3, Medium = 2, Low = 1)

STRIDE:

   - Spoofing - impersonating
   - Tampering - unauthorized alteration
   - Repudiation - denying actions
   - Info Disclosure - confidentiality
   - Denial of Service
   - Elevation of Privilege

DREAD: (sum / 5)

   - Damage Potential (High = 10, Medium = 5, Low = 0)
   - Reproducibility
   - Exploitability
   - Affected Users
   - Discoverability

SQL Server port 1433

SD Best Practice on-line from a 4 hour pitch that John ? gave

There are tools (Microsoft Threat Analysis Modeling TAM) but few are
effective

Search 2005 CSI Mano and will find a good presentation and a questionnaire
model to try and automate this slightly

Critical Success Factors:

   - Make it part of your SDLC
   - BAITS - Business Aware Information Technology Security - it’s a
   business decision, let them drive
   - Define procedures
   - Just do it
   - Educate personnel

November 5

10:10 - Presenter Eduardo Vianna - Positive Security

   - New approach to security
   - Determine audience (Manager, Technical, etc)
   - Speak to them on their terms and in language they understand
   - Make a business case and talk in terms of money for management
   - For technical folks, we use technical guides - we already have those
   - We need help, we are behind, there is much to do!
   - eduardo.neves at owasp.org
   - Jeff Williams - we are no longer only chasing vulnerabilities which is
   a no win proposition.  Need to instead look at what we should be doing
   (positive approach) rather than what we should not be doing (negative
   security)

10:20 - Presenter - Martin Knobloch - OWASP Education

   - Part of the summer of code
   - What is education?  How do we teach?
   - The collective knowledge for OWASP is enormous - presentations, videos,
   documents
   - Huge task trying to pull the content into education
   - The notes in the presentations are not complete or effective without
   the presenter
   - Use the notes section
   - Categorize them into subjects and then break them down into small units
   and then Martin will:
   - Describe, implement metrics
   - Goal is to take content and make it into education / knowledge to be
   shared
   - Question -> Documents -> Education || Presentation || Video -> Classes
   -> LiveCD || Boot Camp
   - One target is a boot camp - cram knowledge into the brain at high
   volume and speed
   - Summary: find good content, break it down into small, understandable
   nuggets of knowledge

10:35 - Presenter - Juan Carlos Calderon - OWASP Internationalization
Guidelines

   - Separate projects - one for Spanish translations (which is essentially
   done)
   - The Internationalization project was made independent from the
   translation
   - Idea: Create the guidelines to help other teams do effective
   translations into other languages
   - Make security visible to other non-English speaking people
   - The approach should work for many languages but possibly the approach
   will need to be modified for the Middle East and Asia. Must ensure that
   things like URLs do not get translated (or they will break)
   - New tagging schema identified to facilitate better translation
   capability
   - Rogan and Bruce (Web Scarab and Webgoat) they are looking to translate
   these at some point!
   - Summer of Code (SoC) Project for Spanish translation is 100% done
   - Looking for volunteers to help with getting this concept to work for
   other languages
   - We can double the # of people that we reach by offering other languages
   - We are proud of our own languages and we are also proud of OWASP
   - Let's make those two things meet!

10:55 - Presenter - Lucilla Mancini - Passwd Metrics and Vulnerabilities

   - Security in the SDLC is a key point
   - Business does not see the value of slowing down SDLC
   - Business talks in terms of ROI and money
   - This project seeks to help solve this
   - Goal is to change the way of looking at the involvement of security in
   SDLC
   - Check risk along various points in the SDLC
   - Look at existing security and quality metrics in Industry
   - Measure them within the tested applications
   - Should be able to show a statistical difference between those that were
   tested and those that were not
   - May show the risk reduction over the life cycle
   - Green light = move forward
   - Red Light = Move Back

11:00 - Presenter - Dan Cornell - OWASP Open Review Project

   - Open Source is everyone and is a fundamental building block for the IT
   economy
   - In practice, there are not as many qualified eyeballs looking at code to
   find and fix bugs as one might expect
   - Goal is to provide resources to the OpenSource community so that they
   can get the benefits that are available at enterprise organizations
   - Goal is to provide the Open Source Community with independent
   assessments using automated and manual techniques
   - Responsible disclosure will be used for anything discovered
   - Only for Java
   - Automated tools made available
   - Starting first reviews now
   - moodle will be one of the first

11:35 - Presenter - Tom Brennan - Global Committee Discussion

   - The committees are: Industry, Tools, Conference, Member, Industry,
   Education, Chapter

12:00 - Presenter - Tom Brennan / Dinis Cruz - Censorship Discussion

   - Discussion to determine what is appropriate for email communications
   - Should we need to moderate?
   - How can we talk freely (on one list) and maybe have another one for
   formal communications sanctioned by OWASP
   - Steve: Leaders list should be for leaders and should not be moderated,
   OWASP all should be moderated in his view

12:55 - Presenter - Sebastian Deleersnyder - Education Project

   - Discussion about the curriculum and testing for web application
   security knowledge
   - Raised the issue that we need to proactively specify for universities
   the requirements for students around AppSec.  What is the essential
   knowledge that they *must* know and what are some good topics that they
   *should* know.

2:00 - Presenter - Rogan Dawes - Secrets of Web Scarab

   - Looked at some of the new enhancements to the tool in management of
   certificates, fuzzer and regular expression and scripting
   - Discussed history on the tool in addition to the future enhancements
   - http://dawes.za.net/rogan/webscarab/docs/

4:30 - Presenter - Pravir Chandra - Software Assurance Maturity Model

   - Looked at the proposed maturity model for a secure development
   lifecycle
   - Discussed each individual aspect of this model which consists of 12
   building blocks
   - Gives organizations the ability to analyze where they are and what
   needs to be done next
   - Bithal, there is some good information in this guide about how to rate
   our current maturity and where we need to go next, p58 in the pitch
   "Dashboard" is particularly good.
   - http://www.owasp.org/index.php/Category:OWASP_CLASP_Project

November 6

9:50 - Presenter Juan Carlos Calderon - Classic ASP

   - Classic ASP applications are typically less secure
   - Created ESAPI for classic .ASP - about 80% complete
   - Stinger v1 implemented - http request validation engine - server side,
   rules written in XML

10:15 - Christian Martorella (Edge Security) - WebSlayer

   - WebSlayer is designed to do highly customized brute force attacks, based
   on wfuzz
   - Used for manual attacks and professional testers
   - Written in python and QT
   - Runs on multiple platforms, multithreaded, fast
   - Runs on Linux, Linux and OS X
   - Can also be used for fuzzing (header, get, post)
   - Resource location (directory and file discovery), recursive
   - Many dictionaries of file names are available (dirb, open-labs)
   - Cookie and session brute forcer
   - Payload generator (user names, credit card numbers, permutations,
   character blocks)
   - Based upon RegEx
   - 15 encodings available, more to come
   - https://www.owasp.org/index.php/Category:OWASP_WebSLayer_Project

10:45 - Heiko Webers (42 at bauland42.de) - Ruby on Rails

   - Ruby is a dynamic object-oriented programming language based (partly)
   on Perl, Smalltalk, Eiffel, Ada and Lisp.
   - The Guide version 2 covers Ruby on Rails, MySQL and (a bit) server
   security
   - Object oriented - all items in the language including strings are
   objects
   - Ruby on Rails is an open source web application framework based on
   Ruby.
   - Rails embraces "convention over configuration", Model-View-Controller
   (MVC), Don't-Repeat-Yourself (DRY) and testing
   - http://www.rorsecurity.info

*11:15 - Matthias Rohr (mro at securnet.de) - Skavenger Project*

   - Web Security Scanner for pen testing of web applications
   - It is a Passive analysis tool
   - Currently available apps (WebInspect) have two parts:
   - Scanner (sends the http requests)
   - Analyzer (inspects the http responses)
   - Problems with the accuracy, can be considered as hacking, price!
   - Finds the low hanging fruit
   - Phase 1 of Pen test is automated testing - run the scanner
   - Phase 2 of Pen testing is manual testing - Firefox, web scarab, but
   others needed
   - What is Passive Analysis? - looks at the traffic, sends no http request
   itself, can be executed on the fly
   - Pattern Matching, HTML comments, stack traces
   - Fingerprinting based upon cookies, headers etc
   - Parameter reflection - may be able to detect XSS, CRLF potential
   vulnerability if user input is reflected back to user
   - Decoding to see encoding weakness
   - Skavenger is written in Perl and was an improvement on previous tool
   - http://skavenger.sourceforge.net

*11:15 - Dave Wichers (dave.wichers at aspectsecurity.com) - OWASP Top 10 (2009 Update)*

   - List of priorities which helps you to figure out what to focus upon and
   what to work on first
   - Came out in 2002 from Jeff Williams discussion with industry that was
   using only the SANS Top 10
   - First published in 2003, update in 2004, 2007, planning for 2009
   - Looking to do a Web Services Security Top 10 List (Gunnar Peterson
   driving)
   - A3 Malicious File Execution for example is mostly a PHP problem and
   many large organizations don't use it, so it is challenged often but will stay
   - We organize now to be only vulnerabilities (and not attacks etc)
   - Pulled the data for Web Application vulnerabilities from Mitre and this
   is what is used to establish the OWASP top 10
   - Cross Site scripting was called many things (hostile linking etc) and
   it was tough to join together statistically, professional opinion and not
   statistical rigor to establish that one on the list.  It was actually #32 in
   the list but was placed at 5
   - Previously this has been decided by a small group, this year opening
   this up to the OWASP leadership for input.
   - Lots of effort after the Top 10 is established, writing the content
   - Application Security Verification Standard may have some details
   - Discussion on taxonomy and naming conventions (e.g. XSS or SQLInj below
   Input Validation)
   - They want our input now to factor into the top 10 … for example,
   configuration management is a large thing for us (#2) but is not on Top10!

*2:00 - Brad Causey - Ajax Security*

   - Security concerns - volume of JavaScript - 5 pages of JS sometimes
   - Each single request by the user can lead to tens of http requests from
   the application - web proxy can be quickly overloaded
   - Increased attack surface
   - server-side features exposed to client
   - Ajax implementations - JSON vs. XML - two different popular
   implementations, Raw JS - dynamic code building
   - XSRF is built-in to the technology! UI.js file provides all the
   functions for everyone - the attacker knows the functions, it's exposed
   - Toolkits - Net Ajax, Dojo Toolkit, SPRY, Yahoo UI
   - Danger of the toolkits - simple and fast to go lift all these
   prewritten JS files - can be highly vulnerable to club these together
   - What about the other features that are unused by your application but
   are still available for exploit
   - SAJA - php for Ajax - stack on top of another framework to add security

   - ACEGI - harder to implement but sits also on top of another toolkit to
   provide security
   - JSON vs. XML - only difference is that JSON sends back in plain text
   - JS does not support Cross domain requests but AJAX needed this to tie
   together two servers / domains so they broke this and built it into a bridge
   - bad idea from a security perspective - how does the browser identify you,
   how do you manage the session and state?
   - State management - particularly bad in AJAX because it is all client
   side.  Easy to manage the state data with the JS, should be using
   server-side management
   - AJAX is difficult to test:
      - Complex code traces
      - managing the cache and how to get to it in Firefox (easier to manage
      when testing in IE)
      - Network proxies can influence the ability to test
      - R/R Request and Response - if this is frequent, it can overwhelm
      tester with data
   - Tools - manual testing, web scarab, firebug, wget, text editor to
   clean-up the JS
   - http://attackvectors.com/EquipmentDB.tar.gz - great little Ajax
   application to hack against written in PHP on LAMP
   - Written by Andrew van der Stock
   - LAMP - Linux / Apache / MySQL with PHP or Perl or Python

*CLASP / SAMM references from Pravir Chandra:*

   - The main SAMM website: http://www.opensamm.org
   - Mailing list for SAMM-related discussion (
   https://lists.owasp.org/mailman/listinfo/owasp-cmm)
   - OWASP Working Session on SAMM (
   https://www.owasp.org/index.php/OWASP_Working_Session_-_Software_Assurance_Maturity_Model)

   - OWASP CLASP website for reference (
   https://www.owasp.org/index.php/Category:OWASP_CLASP_Project)

*3:00 - Overview of WebScarab NG (Next Generation) from author Rogan Dawes:*

   - The application has not been changed for about 3 years
   - New features that allow better drill-in style access to XML trees
   - Advanced Cookie manipulation
   - Advanced fuzzing on multiple parameters with each request
   - Advanced management of scripts (be sure to use different variable names
   in scripts or they will conflict in the interpreter)

*5:30 - OWASP Board - Summit Debate on Governance*

   - General discussions about evangelism
   - Training at universities
   - How to extend and better communicate the code of ethics
   - Types of licensing that OWASP
   - OWASP should not be used for Commercial Gain
   - Business models that will work for OWASP

*7:10 - Matt Tesauro - Live CD*

   - Self-contained disk with its own operating system
   - Currently on disk, may some day be on a USB stick
   - Documents are also on it including the web pages
   - http://mtesauro.com/livecd/index.php?title=Main_Page
   - http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project
   - CHECK THIS OUT Web Samurai (Not OWASP):
   http://sourceforge.net/project/showfiles.php?group_id=235785


*November 7*

*Notes from the final Day of the Conference:*

*10:00 - Final Project Presentations from Working Sessions*

*Arshan Dabirsiaghi - Browser Security*

   - If there were easy things to do on the browser, people would have done
   them already
   - Mashups in the future will have health records and banking widgets
   within your Yahoo or Google page
   - Exploits in those pages will be more damaging so must get security
   established for Mashups
   - 2 Issues are:
      - Force user to a page where UID/PWD already populated, IE only: if
      you iFrame it in, it will not prepopulate, which is good
      - Long-term solution for mashup security must have functional access
      control for JS, very difficult problem

*Arshan Dabirsiaghi - Framework Security*

   - All major frameworks ASP, PHP, Cold Fusion, Struts etc
   - Listed all the security features for those technologies
   - Idea is to let the framework folks know about the security areas

*Matt Tesauro - Tools working group*

   - Official OWASP repository for tools and docs
   - Ajax enabled web-crawler
   - Better metrics on projects
   - Standardize the output of tools so that they can be easier to consume
   or translate or import
   - Make available a GUI / Graphic designer
   - Make available a tech writer, we have one but engagement process is
   unclear
   - Re-categorize projects by audience
   - Standardize look, feel, font and color for tools for continuity

*Eoin Keary - Documentation*

   - Converge the guides
   - Testing guide is way out ahead - need to get code review and
   development guide up to that
   - Seasons of quality - to improve not just extend
   - Appendix of definitions - OWASP will agree to these and will be housed
   in the ASDR
   - Positive security - focus on the good as well, not just the bad
   - Cross-reference in the guides
   - Reference of the OWASP tools (Horizon etc) and provide some
   documentation
   - ESAPI implementations - how to effectively review and test them should
   be documented
   - XML all the guides - can integrate them in an IDE

*Dave Wichers - Other guides*

   - XML with good tagging will allow cool things in the future (IDE
   integration etc)
   - Guides are in various states of development
   - Need to try and coordinate everything - stop testing guide development
   to focus on pulling the others along
   - Development guide is older and needs to catch up to the code review and
   testing guide

*Dave Wichers - Top 10*

   - Who is the audience
   - What should go into the categories
   - Get more input from the OWASP community and corporate members
   - New top 10 on Web Services (authentication is far different)
   - Will issue a new Top 10 next year.

*Dinis Cruz - Certification*

   - In the short term OWASP will not provide certification
   - Everything will be open when / if this is done
   - Certification has mixed feelings in the group - what are the real
   values for this
   - Does it really help to make people better
   - Can't be commercially related with others like (ISC)2 or SANS

*George Hess - Best Practices for Chapter Leaders*

   - 20 to 30 people is what chapters grow to, and then they tend to stagnate
   - NYC chapter still grows
   - Speakers tend to repeat - "OWASP on the move" project provides ability
   to get speakers to travel between chapters
   - Tax issues can be challenging for some of the foreign chapters (e.g.
   Asia)
   - Local money - how can we accept?  Do we have them join or can they just
   donate?
   - Challenges are mostly common but a few are regional
   - Local boards, marketing expertise, industry contacts

*David - Intra-governmental Affairs*

   - Same credibility that PCI has provided for OWASP by inclusion in the
   standard
   - How to get similar endorsement from other bodies like NIST
   - Identified other key government docs that we would like to be included
   within
   - OWASP needs to review the drafts when they come out for comment and
   have a unified position
   - Each country will have a person appointed to deal with each government
   - Reach out to the implementers of the government guidance - Big 4,
   Government

*Matt Tesauro - LiveCD*

   - Distributing media at OWASP conferences - we agree that this should be
   something that we do at conference
   - All media needs to clearly state the date of release and version
   - Pointers to the OWASP website where most current information resides
   - Need better ways to archive and update - Google currently has highest
   hits to the 2007 (old) LiveCD
   - Webgoat is fully on LiveCD, can be used conveniently for training

*Sebastian Deleersnyder - Education*

   - How to make the material available so that people understand OWASP
   - Knowledge transfer
   - Outreach program
   - How to select what is there to make it usable
   - How to get on-line video, how to get on LiveCD?
   - Roles: architects, developers etc
   - Create material to get OWASP into universities
   - OWASP Bootcamp - Broad but not deep

*Jeff Williams - ESAPI Results*

   - Framework integration - .Net and PHP will be next
   - Internationalization
   - Guidelines for how to integrate ESAPI with frameworks

*Matteo Meucci - Testing Guide*

   - New web services testing project
   - Client side security
   - Standard set of vulnerability names across all guides
   - 66 Controls and checklist - need for other guides as well
   - Link to the OWASP tools (e.g. when talking about SQLInjection mention
   the tools that can help)
   - Kerstin is now reviewing the testing guide for technical writing content
   - Techniques for testing configuration for different languages
   - DB of test cases to be searchable
   - Flowchart to describe the testing methodology

*Pravir Chandra - Software Assurance Maturity Model (extension of CLASP)*

   - CLASP was 24 activities
   - SAMM extends that to about 72 items in 12 security functions
   - The SAMM Beta was reviewed in detail
   - The four areas are Governance, Construction, Verification and
   Deployment

*Fabio Cerullo - OWASP Website*

   - More usable and professional version of the Wiki
   - OWASP Website is one of the most visible parts of our brand
   - Need forums in addition to mailing lists
   - Voting will be incorporated into the site as well
   - RSS Feeds

*Leo Cavallari - ASDR*

   - New name OWASP Desk Reference or OWASP Reference Guide
   - Prioritization of the most important articles to be focused upon first
   - Many are only stubs and have much work to be done
   - Will postpone development on many of the articles
   - Winter of code will complete
   - How to keep it up to date (e.g. Clickjacking is brand new) - need to
   try and get something out in a timely manner

*Carlos Serrao - EU Funding*

   - What EU funding can we be eligible for if we base research in Europe
   - What are the basic requirements
   - Should OWASP be involved?  What grants are available?
   - What are the steps to create proposal, what are the approval criteria
   etc

*Paulo Perego - Orizon Project*

   - Open source static analysis engine
   - XML language schema needs to be reviewed for consistency
   - can all vulnerabilities be described with that schema?
   - all security checks in the testing guide should be available in the
   tool (not currently true)
   - need to develop simple user interface, focus has been on the engine
   initially

*Juan Carlos Calderon - Internationalization*

   - Most people here are from US or Europe
   - Wanted to focus on Russian, Asian, etc
   - The website is confusing on how the translation works
   - It's automatic if your browser language has been established
   - Tool translation (Web Scarab) will be tough but looking into it
   - Same for ESAPI
   - Define a structure and working model so that we can allow for easier
   future translation
   - Portuguese is a strong desire
   - Spanish - 3 pages  per week per person
   - 300 web pages
   - 300 pages for guide
   - 200 pages for testing
   - 10 pages for FAQ
   - 5 pages for legal
   - Use University students to possibly do the translations

*Giorgio Fedon - Malware*

   - Big problem for financial institutions
   - Can split into 2 parts: one for executives and one for technical
   - Need a checklist
   - Certain designs can be good countermeasure
   - Dynamic reference to support countermeasures
   - Need to get some empirical data on the effectiveness of countermeasures

   - To support, need to have reverse engineering skills and malware
   analysis

*Tom Brennan - Censorship*

   - Censorship and moderation seems to be counter to our charter
   - But we must all understand the rules of engagement and data
   classifications
   - Code of ethics
   - Some membership information can not all be for public consumption
   - Working with industry - how to allow the communication can be anonymous

   - OWASP needs to formalize the business relationships
   - OWASP Leader Announcement List information coming to you
   - OWASP Discussion list will also exist

*Dinis Cruz - Close out comments and discussion*

   - What about security within our own products and tools?  Amazingly no
   one raised a concern about having a worm introduced into Webgoat.
   - We need to incubate new ideas and need to encourage open source
   developers to come to us (security, hosting, developers, testers, etc)
   - We need to eat our own dog food and start testing our own applications
   with our own testing guide
   - Not just about maturity of projects but is also around the depth of the
   projects and the usability
   - Board members are not good candidates for review - they are busy and
   they are pushing hard to move forward
   - Reviewers need to be more academic and thoughtful about reviews
   - Reviewers and content creators need to have some level of independence
   to be effective
   - Reviewers concept made the number of participants more than double from
   30 to 70 people
   - A big problem is the lack of general feedback good and bad - not enough
   coming back into the content developers
   - Need a bug submission process - would be very useful (Jira is a
   possible option)
   - user needs to be one minute away from providing input (bug submission)
   - should ensure that we only apply the rigor to the release quality
   products
   - we don't want to stifle creativity and innovation for non release
   quality products and development
   - A season of quality will be next goal to stop new development and focus
   upon clean-up and consistency
   - A season of code will terminate at the next summit
   - Seasons of code solve the problems and the seasons of quality refine
   and operationalize

*3PM OWASP Open Board Meeting*

   - 2 new hires (50% time):
      - Rohan Singh (University) - Texas - coding
      - Alex Norman (University) - Maryland - WebSite Updates
   - 411 Individual Members
   - 36 Corporate Members
   - $150k we will be within budget
   - $350k remaining
   - Public Relations Package is being prepared for the press
   - Within 60 days there will be a full Summit proceedings published
   - New business:
   - Board approves 6 new committees: Industry, Membership, Chapters,
   Education, Conferences, Projects and Tools - Approved
   - 60 days action plans will be presented to the board - Approved
   - A summit will be held again in approximately 1 year - Approved
   - Next OWASP Grant will be the Season of Quality - Approved
   - Board and committee meetings will be open - Approved
   - Board to revoke the dual license - Approved
   - Announce Only list for committees etc - Approved
   - Revoke moderation of the leaders list - Approved
   - Resolution to publish code of ethics and principles - Approved
   - Election of new committee members
   - Governance plan - global committees approvals (see published list for
   names)
   - About 20 people were nominated across the 5 committees and were all
   unanimously approved by the board
   - Kate Hartmann will be the primary point of contact for all the committees
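The passive analysis that the Skavenger notes above describe (no requests sent; pattern matching for HTML comments and stack traces, fingerprinting from headers and cookies, parameter reflection as an XSS / CRLF indicator, decoding of encoded values) as a small worked example in Python. This is added illustration code, not Skavenger's own Perl code and not anything from the notes or the summit; the captured request/response pair, the detection patterns and the host name are constructed for the example.

```python
# Added example: a passive HTTP analyzer in the style the Skavenger notes
# describe. Nothing is sent; a captured request/response pair is inspected.
# Not Skavenger's code; sample traffic, patterns and host names are constructed.
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Body patterns that usually mean an error page is leaking internals.
STACK_TRACE_RE = re.compile(
    r"\bjava\.lang\.\w+Exception\b|Traceback \(most recent call last\)|"
    r"\bat [\w.$<>]+\(\w+\.java:\d+\)|ORA-\d{5}|"
    r"You have an error in your SQL syntax")
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
COOKIE_FINGERPRINTS = {"JSESSIONID": "Java servlet container", "PHPSESSID": "PHP",
                       "ASP.NET_SessionId": "ASP.NET", "CFID": "ColdFusion"}
MIN_REFLECT_LEN = 4  # shorter values reflect by coincidence too often


def parse_request(raw):
    """Split a raw HTTP request into method, path, parameters and cookies.
    Query-string and (for POST) form-body parameters are URL-decoded."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if method.upper() == "POST":
        params.update(parse_qsl(body, keep_blank_values=True))
    cookies = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                cookies[k] = v
    return {"method": method, "path": parts.path, "params": params, "cookies": cookies}


def parse_response(raw):
    """Return (status, [(header, value), ...], body); a list keeps repeated headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def decode_if_base64(value):
    """Decoded text if value is base64 of printable ASCII (a weak encoding), else None."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def analyze(raw_request, raw_response):
    """Passive checks over one captured exchange; returns a list of findings."""
    req = parse_request(raw_request)
    status, headers, body = parse_response(raw_response)
    header_blob = "\r\n".join(f"{n}: {v}" for n, v in headers)
    findings = []
    # 1. Parameter reflection: in the body it is an XSS candidate, in a
    #    header a CRLF-injection / response-splitting candidate.
    for name, value in req["params"].items():
        if len(value) < MIN_REFLECT_LEN:
            continue
        if value in body:
            raw_markup = any(c in value for c in "<>\"'")
            findings.append({"type": "reflection-body", "param": name, "detail":
                             "reflected unencoded; XSS candidate" if raw_markup
                             else "reflected; probe with markup"})
        if value in header_blob:
            findings.append({"type": "reflection-header", "param": name,
                             "detail": "reflected in a response header; CRLF candidate"})
    # 2. Information leakage: HTML comments, stack traces, server errors.
    for comment in HTML_COMMENT_RE.findall(body):
        findings.append({"type": "html-comment", "detail": comment.strip()})
    m = STACK_TRACE_RE.search(body)
    if m:
        findings.append({"type": "stack-trace", "detail": m.group(0)})
    if status >= 500:
        findings.append({"type": "server-error", "detail": f"status {status}"})
    # 3. Fingerprinting from headers and well-known session cookie names.
    for n, v in headers:
        if n in FINGERPRINT_HEADERS:
            findings.append({"type": "fingerprint", "detail": f"{n}: {v}"})
    for cname, cval in req["cookies"].items():
        if cname in COOKIE_FINGERPRINTS:
            findings.append({"type": "fingerprint",
                             "detail": f"cookie {cname}: {COOKIE_FINGERPRINTS[cname]}"})
        # 4. Decoding: cookie values that are only base64 of readable state.
        decoded = decode_if_base64(cval)
        if decoded:
            findings.append({"type": "weak-encoding",
                             "detail": f"cookie {cname} decodes to {decoded!r}"})
    return findings


# Constructed capture (not real traffic): a search page on a Java stack.
SAMPLE_REQUEST = ("GET /search?q=owasp%3Cb%3E&lang=en-GB&page=2 HTTP/1.1\r\n"
                  "Host: app.example.test\r\n"
                  "Cookie: JSESSIONID=4B2A; pref=cm9sZT11c2Vy\r\n\r\n")
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
                   "X-Powered-By: Servlet/2.5 JSP/2.1\r\nContent-Type: text/html\r\n"
                   "Content-Language: en-GB\r\nSet-Cookie: pref=cm9sZT11c2Vy; Path=/\r\n\r\n"
                   "<html><!-- TODO: remove ?debug=1 before go-live --><body>\n"
                   "Results for owasp<b>: none.\n"
                   "<pre>java.lang.NullPointerException\n"
                   "\tat com.example.Search.run(Search.java:42)</pre></body></html>\n")

if __name__ == "__main__":
    for finding in analyze(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(finding)
```

Running it on the constructed capture yields eight findings: the `q` value comes back in the body with its `<b>` intact (XSS candidate), the `lang` value appears in a response header (CRLF candidate), a TODO comment and a Java stack trace leak from the page, the Server, X-Powered-By and JSESSIONID values fingerprint the stack, and the `pref` cookie is only base64 of `role=user`. Everything here is a candidate for manual follow-up, which is the point the notes make: passive analysis finds the low-hanging fruit without sending a single request, and the tester then confirms each item by hand.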