[Owasp-germany] minutes for German chapter meeting - September 7th, 2007

Tobias Gondrom tgondrom at opentext.com
Mon Sep 17 11:18:30 EDT 2007

Hello OWASP Germany,
as scheduled at the last OWASP Germany meeting, below are the meeting minutes. 
Kind regards, Tobias

OWASP German Chapter Meeting

Location: Frankfurt, Commerzbank
Date: September 7th, 2007, 15:00-18:30
Participants: 16

Meeting topic: Restart of the German OWASP Chapter. 

0. published Agenda for the meeting: 
1. (15:00 - 15:10) Administrativia 
2. (15:10 - 16:30) Introduction (each participant 5-10 minutes): introduce, what you expect from OWASP, what you want to bring in to OWASP, what do you want to use or already use from OWASP and personal special skill areas 
3. (16:30 - 16:40) Short introduction to OWASP organisation and chapter structures
4. (16:40 - 17:00) What are other OWASP chapters doing (to later discuss where we fit in)
5. (17:00 - 17:45) The future of the German Chapter: Open discussion which items to work on for the next 3-6 months (fusion of the expectations and areas of interests from 2.) (one goal would be to form work teams of 2-4 for specific targets/projects) 
6. (17:45 - 18:00) Short discussion about handling/org of chapter lead 
7. optional presentation "Evaluation Criteria der OWASP in Bezug auf den europäischen bzw. D-A-CH Markt beisteuern."

1. Organizational:
1.1 general disclaimer: inspired by usage of first names in other OWASP chapters, it is encouraged to use the more simple informal German "Du" and first name at meetings and on mailing-list. (There is a consent that this rule does not necessarily hold on occasions outside of OWASP) 

1.2 Organization and lead of the German chapter 
The participants have agreed on a structure of one chapter lead working together with a board and elected the following candidates: 
Chapter lead: Tobias Gondrom
Board: Thomas Schreiber, Holger Heimann and Boris Hemkemeier

The German Chapter plans on meeting two to maximum four times per year. Currently there is no need to avoid typical working hours for meetings.
The German Chapter page at https://www.owasp.org/index.php/Germany will be the main WIKI page of the Chapter. 

2. Results and ideas
2.1 Results: 
Concluding an open discussion about a number of ideas and work items the German chapter agreed on the next work items it should pick up. (to coordinate work, and provide contact points names of volunteers are added to the specific items in Wiki Germany chapter area, two classifications "work" for full participation and "interested" for partial participation and interest in results of work)

1. Web Application Security Best Practice Quickguide (German) 
2. Best Practice guideline (how to decide between Perimeter/Application) 
3. Chapter meeting with technical presentations, exchange of experiences and best practices, live hacking
4. Public presentations and conferences / Web Security conference of OWASP Germany (focus on technical security experts)
5. We establish working environment for cooperation between meetings (German work place area in OWASP Wiki),
6. Public relations for OWASP Germany (bring in more people, raise awareness of existence and role of OWASP Germany
7. Methodology (from Pen Test point of view (e.g. input from Certification Criteria Project)
8. Translation work (mainly translate English -> German, potentially interesting mini projects for students)
9. Secure Coding Guideline (Golden Rules) - CLASP
9. PHP Security Guide??? How much is already there?
10. Bring "Scavenger" as a tool to OWASP (helps to analyse and consolidate web proxy logs)?

2.2. Generally discussed ideas: 
This is an excerpt of the broad discussion of ideas that lead to the resulting work item in section 2.1: All participants presented their expectations and visions for the future work of German OWASP chapter. And it has also been discussed which already existing work could be integrated and further developed by OWASP. The participants at the meeting represented a good mixture of all three different orientations: security providers, consultants and users. 

Main focus points of the discussion have been around: 
- best practices, guide, awareness, specific for Germany, content for Techies but better understandable, 
- target audience: should focus on technical experts (not only on security subject matter experts) and SME
- use Quick-Win's: use existing work and develop and enhance this further
- provide guidelines, e.g. decision guidelines for project leaders

The following ideas have been discussed at the meeting:
A) conferences and meetings
- create awareness about web application security and OWASP in Germany
- stronger participation at security meetings
- Martin from the Netherlands chapter also informed about OWASP initiatives "on-the-move", which allows the exchange of speakers and certain travel allowances to speak at other chapter meetings and present OWASP at conferences. 
- enhance external presentation of OWASP in Germany 
- strengthen the footprint of the German security knowledge in the global community (e.g. in relation to BS-7799)

B) What special value can the German OWASP chapter bring in?
- focus on Germany specific web application security aspects and German context (e.g. regulations, laws, auditing procedures), also considering the structures of the German economy with its very strong SME part. 
- encourage translation projects in Universities (where English guides or content could be translated by students to German)

C) Guides
- Testing Guide for Flash and Adobe Runtime
- provide best practices guides, decision guidelines with specific advice (e.g. when to apply security at the perimeter level and when on the application level)
- join the work at the CLASP project, e.g. Secure Coding Guidelines
- a medium-level guide in the area of the OWASP Guide has been discussed, to bridge between the normal users and decision makers and the extensive and very detailed and technical OWASP Top-10 guide. (individual members told about certain existing work that might be interesting to pick up, which has been greatly agreed by the others), It would be proposed that such a "Quickguide" should be available in German and English. In particular such a guide could be helpfully for SMEs.
- guides in the form of "10 golden rules for..." (Project leads, managers, testers,...) have also been proposed, where potentially also already existing work might be further enhanced.
- we should emphasize the notion "How do I build a secure Web Application" and not only how to test to break it, viewing this also from the more defensive view point. 
- a current secure programming guide with PHP (e.g. like with Java, and including new security features from PHP-5)
- guides "how do I harden certain applications, environments and configurations" (discussion about that applications and frameworks evolve quickly and such a guide might get outdated quite fast and might require significant continuous effort to keep current)

D) position and role of German OWASP chapter
- the general role of OWASP in relationship between technical experts and political influence has been discussed, with focus on technical expertise and work to achieve credibility first.
- proposal that the chapter could state its opinion about standards, regulations and political decisions: A major part has agreed that the German Chapter should focus at technology related tasks. Currently OWASP Germany is not in a well accepted position for notable political or social statements. 
- discussion about whether the chapter could state its opinion about §202c and resulting potential problems for the work of security experts in Germany. This topic has received a quite controversial discussion, with the result that OWASP Germany will at the moment not strive to make an official statement in this discussion, but at first try to facilitate a better understanding of the real implications of this paragraph for the German IT web application security industry. Again: Rough consensus is that the German Chapter will at first focus on technology related tasks and further actions in this regard would require further group discussion and consensus.

Tobias Gondrom
Head of Open Text Security Team
Director, Product Security

Open Text
Technopark 2
Werner-von-Siemens-Ring 20
D-85630 Grasbrunn

Phone: +49 (0) 89 4629-1816
Mobile: +49 (0) 173 5942987
Telefax: +49 (0) 89 4629-33-1816
eMail: mailto:tobias.gondrom at opentext.com 
Internet: http://www.opentext.com/  

Place of Incorporation / Sitz der Gesellschaft: Open Text GmbH, Werner-von-Siemens-Ring 20, 85630 Grasbrunn, Germany | Phone: +49 (0) 89 4629 0 | Fax: +49 (0) 89 4629 1199 | Register Court / Registergericht: München, Germany | Trade Register Number / HRB: 168364 | VAT ID Number /USt-ID: DE 114 169 819 | Managing Director / Geschäftsführer: John Shackleton, Walter Köhler

This email is protected by domestic and international copyright laws and treaties and is the property of Open Text Corporation, it may contain confidential and/or trade secret information of the Open Text Corporation and/or its subsidiaries (OTC), and may be subject to legal privilege in favor of OTC. This email may only be lawfully received, accessed, displayed on a computer screen, printed, copied, and/or used by the specific addressee(s) named above ("Authorized Recipient") for the purpose for which it was sent by OTC. All other rights and licenses to this email are fully reserved to OTC. If you are not an Authorized Recipient, you are required to immediately delete this email in its entirety without printing, copying, using, and/or re-transmitting this email, either in whole or in part. The transmission of this email by OTC is not to be construed as a waiver by OTC and/or the individual sending this email on behalf of OTC of any of their respective rights or privileges at law or otherwise, howsoever arising.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-germany/attachments/20070917/61c0757b/attachment-0001.html 

More information about the Owasp-germany mailing list