[Owasp-leaders] Creating OWASP 4.0!
dinis.cruz at owasp.org
Mon Dec 13 05:54:30 EST 2010
John, can you work with Sarah Baso (sarah.baso at owasp.org) on creating
the "No Fluff just stuff" Track for the Summit? We talked about it last
night and she is already fully briefed on the need to create this.
I love your idea and concept and I agree that the Summit is the perfect
place to kick-start it.
Within the current Summit schedule I think we could run this on the Wed and
Thu, with Tue having at least a planning session and Fri a wrap-up session.
For the Summit, I don't think you will be able to get all facilitators there
all day (or in 6 of the 8 session) since they will probably be involved in
other sessions that might be happening in parallel (this is a problem that
you will only have at the Summit, since for the follow-up editions these 'No
Fluff just Stuff' days would happen independently'). That said, we need to
get a dedicated team just for this Track that will be running it and be
around 90% of the time.
What I really like about this idea is that it is a great attraction for
developers and architects to come to the Summit, since your 8x session list
is answering the questions these guys have in the real world today (once we
start having confirmed attendees to this track it might be a good idea to
ask them what topics they are more interested in).
I also would like to have a 30m to 1h Working Session on:
- how to scale this idea,
- how to get sponsorship for it and
- schedule at least two following 'No Fluff just Stuff' days in 2010
On 10 December 2010 04:36, Lorna Alamri <lorna.alamri at owasp.org> wrote:
> Make sure to add your ideas to the Summit working sessions page
> http://www.owasp.org/index.php/Summit_2011#tab=Working_Sessions and the
> http://www.owasp.org/index.php/Summit_2011#tab=Schedule_and_Tracks and
> that everyone is on the attendee list if they plan to attend
> http://www.owasp.org/index.php/Summit_2011_Attendee. Invite documents are
> located here:
> We've also extended dates for applying for Chapter and Project sponsorship
> so follow the procedure outlined here:
> Let me know if you have questions.
> On Thu, Dec 9, 2010 at 2:04 PM, John Steven <John.Steven at owasp.org> wrote:
>> I agree with Rex. Chaos remains an important (constructively)
>> disruptive force. It can not provide coherent direction I hear people
>> craving ATM. The board seems to want the organization to remain
>> decentralized and with a bottom-up driven direction through project
>> leaders. This seems 'fine' to me because its fundamental to the OWASP
>> organization and culture.
>> Though, outside of the community itself, I perceive this having
>> resulted in two forces providing OWASP most of its external impact and
>> momentum beyond general Application Security Awareness recently:
>> Conferences and ESAPI
>> I'm concerned that as we look at '11, we don't see these two forces
>> providing us the progress we desire alone. The last few conferences I
>> attended suffered from confusion or division in promotion and the
>> majority of topic areas have already been presented (often in nearly
>> or exactly their current form). Momentum on conferences, from my view,
>> will wane unless something changes. ESAPI, by comparison, has momentum
>> but is less mature. There isn't a "The Solution" but I think we can
>> create some direction and bolster both of these key aspects of the
>> OWASP organization simultaneously. I've talked to almost everyone
>> explicitly listed as a CC regarding my idea. They seemed at least
>> superficially interested in participating.
>> Create a "No Fluff just stuff"-like track for Portugal, pull out our
>> laptops (not for email/IM), and show people how to develop secure
>> code. Chris referred to this here:
>> I'd like to prototype this in Portugal and keep it going in Minnesota.
>> Pravir led something like this with SAMM (but regarding process) in
>> Portugal the first time around. This was incredibly valuable.
>> I'd like to propose the following skeleton and get passionate
>> developers to sign up for it. I'm imagining 1/2 day sessions. (So,
>> over four days, we could have eight (8) facilitators). I suggest we
>> pick a single target (Java EE?), a single victim app, and a single
>> container as a 'base of operations' for the first one to keep things
>> Track Mission: Building Security In: Using OWASP tools/techniques/code
>> to build secure applications.
>> (the list is not in any particular order. In fact, that may be
>> something to talk about. I've tried to provide four (4) one-hour seeds
>> for each session, subject again to discussion)
>> * Topic *
>> Facilitator * Proctors *
>> 1 Applying ESAPI input validation Mr. Schmidt
>> * Serial Decomp: Decode, canonicalize, filter
>> * Structured data (SSN, CC, etc.)
>> * Unstructured data (comments, blogs, blah)
>> * Other input examples (ws-, Database, etc.)
>> 2 Defining AppSensor sensors for: Mr. Coates
>> * Forced Browsing
>> * Request Velocity
>> * Unexpected encodings
>> * Impersonation (Sudden user switch)
>> 3 Managing sessions ????????
>> * Across requests
>> * Across containers
>> * Invaliding sessions (Timeout, attack event, logout)
>> * Invalidating sessions (across containers, SSO token invalidation,
>> user termination)
>> 4 Protecting information stored client-side Mr. Steven
>> * Threat Modeling the problem
>> * Protecting theft and re-playability of application-specific
>> info (on client & in flight)
>> * Protecting theft and re-playability of session-specific info (in
>> * Protecting session-specific information from attack on the client
>> 5 Protecting against CSRF ????????
>> * Hygiene
>> * Discuss/show Frames-busting, cross-domain policy,
>> * Discuss referrer and other red herrings
>> * Tokens (crafting, scoping, and checking)
>> * Discussions, techniques on scale
>> * Discussions, techniques on CAPTCHA, re-auth, etc.
>> 6 Providing access to persisted data ???????
>> * Controlling visibility of tables by role (Spring?)
>> * Providing access to safe SQL-like query through DAO layer
>> * Discussions, techniques for providing secure 'auto-wiring' /
>> * Encoding and canonicalization for storage (or alternatively:
>> * Security concerns with hierarchical caching & object pooling)
>> 7 ...I have some other ideas for 7 and 8, but wanted to afford the
>> skeleton some flexibility.
>> * Facilitator role replaces "speaker". They lead the session, but the
>> session is a working session, laptops open, whiteboards filling. This
>> is not a lecture.
>> * Other facilitators adopt the present facilitator's goal as their own
>> and we drive the concept/design/code forward Dissenting views are for
>> drinks later.
>> * Sessions are open to all participants provided they have at least
>> the ability to read the chosen language, and have the following things
>> installed when they arrive:
>> * Our victim app
>> * All session dependencies
>> * Dev tools sufficient to build and run the app and our dependencies
>> * Facilitators must agree to attend six (6) out of eight (8) sessions.
>> Failing that, they're booted from the next venue
>> * The objective of each session is split between educating
>> participants and bringing the state of the practice forward.
>> * Participants may bring whatever code they like, provided they
>> contribute it to OWASP.
>> * Facilitators should seek to absorb any new developments into the
>> next conference session. IE: each session should have some new and
>> unique content
>> * Facilitators don't 'own' topics, in fact, I'd like them to rotate
>> between cons. if possible.
>> Next Steps:
>> * Define eight sessions, facilitators. Solicit proctoring help
>> * Finalize (and verify) dependency list for participants
>> * Ratchet up specificity in session topics (create, review, and revise
>> a track outline)
>> * Establish a twice-monthly call for facilitators to take our skeleton
>> plan to reality.
>> I would be happy to help organize this track, direct it, and provide
>> air-support to the other facilitators in their sessions. Chris, Mike:
>> want to participate? Mr. Cornell--we discussed this out west. You
>> game? Others?
>> This track idea, in no way, replaces the need for continued awareness,
>> novice training, and other popular OWASP tools/projects (LiveCD,
>> Top10, ... etc.) The track is designed to engage passionate and more
>> advanced participants, as well as entice more developer participation.
>> Let's build something interactive, tangible and immediately useful for
>> our conference participants.
>> On Wed, Dec 8, 2010 at 5:36 PM, Rex Booth <rex.booth at owasp.org> wrote:
>> > I hate to so contrarian with you today James, but chaos doesn't work on
>> > strategic level. Your positive experience at your chapter doesn't
>> > to the organization as a whole.
>> > Whether we are a non-profit or not, we need to recognize that we are in
>> > competitive marketplace where we need to struggle for relevancy in order
>> > achieve our mission. We can't treat this like some sort of
>> > We have numerous dedicated individuals, but I think as an organization
>> > try to be everything to everyone. In the pursuit of allowing owasp to
>> > anything somebody wants it to be (new conference? Sure! New project?
>> > not?) we've sacrificed our ability to focus and really make an impact
>> > some notable exceptions).
>> > I think better coordination of efforts, some culling of the less useful
>> > projects and undertakings, and more strategic leadership from the board
>> > level would go a long way.
>> > Imagine how much we could accomplish if we eliminated the noise and were
>> > able to double our efforts on the truly impactful and high-profile
>> > Rex
>> > On Dec 8, 2010, at 4:02 PM, "James McGovern" <JMcGovern at virtusa.com>
>> > I too have noticed the chaos and believe it is a good thing! When the
>> > Hartford chapter did a joint meeting with ISACA, they had a lot more
>> > formality in organizing things. Generally speaking, when I organize
>> > chapter meetings I tend to start with finding two speakers who are of
>> > interest, figuring out what they are going to talk about, creating an
>> > and then blasting it to the world. The ISACA model required multiple
>> > of approval and dozens of phone calls.
>> > We get things done without requiring audits and checklists :-)
>> > James McGovern
>> > Insurance SBU
>> > Virtusa Corporation
>> > 100 Northfield Drive, Suite 305 | Windsor, CT | 06095
>> > Phone: 860 688 9900 Ext: 1037 | Facsimile: 860 688 2890
>> > -----Original Message-----
>> > From: owasp-leaders-bounces at lists.owasp.org
>> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Yiannis
>> > Pavlosoglou
>> > Sent: Wednesday, December 08, 2010 12:47 PM
>> > To: owasp-leaders at lists.owasp.org
>> > Subject: Re: [Owasp-leaders] Creating OWASP 4.0!
>> > Examples:
>> > 2. We have real issues on establishing individual efforts and commits
>> > to a particular task. Other organisations are also open and
>> > transparent, why all the chaos with us?
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
> Lorna Alamri
> OWASP MSP: Host to OWASP AppSec USA 2011
> September 20-23 Training, Talks, CTF, and Vendor Show
> www.appsecusa.org (2011 site coming soon)
> @appsecusa, @owaspmsp
> Dir: 651-338-0243
> skype: lorna.alamri
> lorna.alamri at owasp.org
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Leaders