[Owasp-leaders] Creating OWASP 4.0!

Chris Schmidt chris.schmidt at owasp.org
Mon Dec 13 23:17:19 EST 2010


FWIW - I think we want to stay away from actually calling it the "No Fluff,
Just Stuff" track as I am pretty sure Jay has that name protected - however,
that isn't to say that we couldn't petition Jay for involvement in
development of the track and cross promotional type stuff.


On 12/13/10 3:54 AM, "dinis cruz" <dinis.cruz at owasp.org> wrote:

> John, can you work with Sarah Baso (sarah.baso at owasp.org) on creating the "No
> Fluff just stuff" Track for the Summit? We talked about it last night and she
> is already fully briefed on the need to create this.
> 
> I love your idea and concept and I agree that the Summit is the perfect place
> to kick-start it.
> 
> Within the current Summit schedule I think we could run this on the Wed and
> Thu, with Tue having at least a planning session and Fri a wrap-up session.
> 
> For the Summit, I don't think you will be able to get all facilitators there
> all day (or in 6 of the 8 session) since they will probably be involved in
> other sessions that might be happening in parallel (this is a problem that you
> will only have at the Summit, since for the follow-up editions these 'No Fluff
> just Stuff' days would happen independently'). That said, we need to get a
> dedicated team just for this Track that will be running it and be around 90%
> of the time.
> 
> What I really like about this idea is that it is a great attraction for
> developers and architects to come to the Summit, since your 8x session list is
> answering the questions these guys have in the real world today (once we start
> having confirmed attendees to this track it might be a good idea to ask them
> what topics they are more interested in).
> 
> I also would like to have a 30m to 1h Working Session on: 
> * how to scale this idea, 
> * how to get sponsorship for it and 
> * schedule at least two following 'No Fluff just Stuff' days in 2010
> 
> Dinis Cruz
> 
> On 10 December 2010 04:36, Lorna Alamri <lorna.alamri at owasp.org> wrote:
>> John,
>> Make sure to add your ideas to the Summit working sessions page
>> http://www.owasp.org/index.php/Summit_2011#tab=Working_Sessions and the
>> schedule http://www.owasp.org/index.php/Summit_2011#tab=Schedule_and_Tracks
>> and that everyone is on the attendee list if they plan to attend
>> http://www.owasp.org/index.php/Summit_2011_Attendee. Invite documents are
>> located here: 
>> http://www.owasp.org/index.php/Summit_2011#tab=Letters_and_Summit_Materials
>> 
>> We've also extended dates for applying for Chapter and Project sponsorship so
>> follow the procedure outlined here: 
>> http://www.owasp.org/index.php/Summit_2011#tab=Applying_for_Chapter_or_Project_Sponsorship
>>  
>> Let me know if you have questions.
>> Regards,
>> Lorna
>> 
>> 
>> On Thu, Dec 9, 2010 at 2:04 PM, John Steven <John.Steven at owasp.org> wrote:
>>> All,
>>> 
>>> I agree with Rex. Chaos remains an important (constructively)
>>> disruptive force. It can not provide coherent direction I hear people
>>> craving ATM. The board seems to want the organization to remain
>>> decentralized and with a bottom-up driven direction through project
>>> leaders. This seems 'fine' to me because its fundamental to the OWASP
>>> organization and culture.
>>> 
>>> Though, outside of the community itself, I perceive this having
>>> resulted in two forces providing OWASP most of its external impact and
>>> momentum beyond general Application Security Awareness recently:
>>> Conferences and ESAPI
>>> 
>>> I'm concerned that as we look at '11, we don't see these two forces
>>> providing us the progress we desire alone. The last few conferences I
>>> attended suffered from confusion or division in promotion and the
>>> majority of topic areas have already been presented (often in nearly
>>> or exactly their current form). Momentum on conferences, from my view,
>>> will wane unless something changes. ESAPI, by comparison, has momentum
>>> but is less mature. There isn't a "The Solution" but I think we can
>>> create some direction and bolster both of these key aspects of the
>>> OWASP organization simultaneously. I've talked to almost everyone
>>> explicitly listed as a CC regarding my idea. They seemed at least
>>> superficially interested in participating.
>>> 
>>> Create a "No Fluff just stuff"-like track for Portugal, pull out our
>>> laptops (not for email/IM), and show people how to develop secure
>>> code. Chris referred to this here:
>>> http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-for-bees.html
>>> I'd like to prototype this in Portugal and keep it going in Minnesota.
>>> Pravir led something like this with SAMM (but regarding process) in
>>> Portugal the first time around. This was incredibly valuable.
>>> 
>>> I'd like to propose the following skeleton and get passionate
>>> developers to sign up for it. I'm imagining 1/2 day sessions. (So,
>>> over four days, we could have eight (8) facilitators). I suggest we
>>> pick a single target (Java EE?), a single victim app, and a single
>>> container as a 'base of operations' for the first one to keep things
>>> simple.
>>> 
>>> Track Mission: Building Security In: Using OWASP tools/techniques/code
>>> to build secure applications.
>>> (the list is not in any particular order. In fact, that may be
>>> something to talk about. I've tried to provide four (4) one-hour seeds
>>> for each session, subject again to discussion)
>>> 
>>> *     Topic                                   *   Facilitator   *    Proctors   *
>>> 
>>> 1 Applying ESAPI input validation        Mr. Schmidt
>>>     * Serial Decomp: Decode, canonicalize, filter
>>>     * Structured data (SSN, CC, etc.)
>>>     * Unstructured data (comments, blogs,  blah)
>>>     * Other input examples (ws-, Database, etc.)
>>> 
>>> 2  Defining AppSensor sensors for:      Mr. Coates
>>>      * Forced Browsing
>>>      * Request Velocity
>>>      * Unexpected encodings
>>>      * Impersonation (Sudden user switch)
>>> 
>>> 3 Managing sessions                          ????????
>>>    * Across requests
>>>    * Across containers
>>>    * Invalidating sessions (Timeout, attack event, logout)
>>>    * Invalidating sessions (across containers, SSO token invalidation,
>>> user termination)
>>> 
>>> 4 Protecting information stored client-side  Mr. Steven
>>>     * Threat Modeling the problem
>>>     * Protecting theft and re-playability of application-specific
>>> info (on client & in flight)
>>>     * Protecting theft and re-playability of session-specific info (in
>>> flight)
>>>     * Protecting session-specific information from attack on the client
>>> 
>>> 5 Protecting against CSRF                 ????????
>>>     * Hygiene
>>>        * Discuss/show Frames-busting, cross-domain policy,
>>>        * Discuss referrer and other red herrings
>>>     * Tokens (crafting, scoping, and checking)
>>>     * Discussions, techniques on scale
>>>     * Discussions, techniques on CAPTCHA, re-auth, etc.
>>> 
>>> 6 Providing access to persisted data   ???????
>>>    * Controlling visibility of tables by role (Spring?)
>>>    * Providing access to safe SQL-like query through DAO layer
>>>    * Discussions, techniques for providing secure 'auto-wiring' / marshaling
>>>    * Encoding and canonicalization for storage (or alternatively:
>>>    * Security concerns with hierarchical caching & object pooling)
>>> 
>>> 7 ...I have some other ideas for 7 and 8, but wanted to afford the
>>> skeleton some flexibility.
>>> 
>>> 8
>>> 
>>> 
>>> Rules:
>>> 
>>> * Facilitator role replaces "speaker". They lead the session, but the
>>> session is a working session, laptops open, whiteboards filling. This
>>> is not a lecture.
>>> * Other facilitators adopt the present facilitator's goal as their own
>>> and we drive the concept/design/code forward Dissenting views are for
>>> drinks later.
>>> * Sessions are open to all participants provided they have at least
>>> the ability to read the chosen language, and have the following things
>>> installed when they arrive:
>>>    * Our victim app
>>>    * All session dependencies
>>>    * Dev tools sufficient to build and run the app and our dependencies
>>> * Facilitators must agree to attend six (6) out of eight (8) sessions.
>>> Failing that, they're booted from the next venue
>>> * The objective of each session is split between educating
>>> participants and bringing the state of the practice forward.
>>> * Participants may bring whatever code they like, provided they
>>> contribute it to OWASP.
>>> * Facilitators should seek to absorb any new developments into the
>>> next conference session. IE: each session should have some new and
>>> unique content
>>> * Facilitators don't 'own' topics, in fact, I'd like them to rotate
>>> between cons. if possible.
>>> 
>>> Next Steps:
>>> 
>>> * Define eight sessions, facilitators. Solicit proctoring help
>>> * Finalize (and verify) dependency list for participants
>>> * Ratchet up specificity in session topics (create, review, and revise
>>> a track outline)
>>> * Establish a twice-monthly call for facilitators to take our skeleton
>>> plan to reality.
>>> 
>>> 
>>> I would be happy to help organize this track, direct it, and provide
>>> air-support to the other facilitators in their sessions. Chris, Mike:
>>> want to participate? Mr. Cornell--we discussed this out west. You
>>> game? Others?
>>> 
>>> This track idea, in no way, replaces the need for continued awareness,
>>> novice training, and other popular OWASP tools/projects (LiveCD,
>>> Top10, ... etc.)  The track is designed to engage passionate and more
>>> advanced participants, as well as entice more developer participation.
>>> Let's build something interactive, tangible and immediately useful for
>>> our conference participants.
>>> 
>>> -jOHN
>>> 
>>> 
>>> On Wed, Dec 8, 2010 at 5:36 PM, Rex Booth <rex.booth at owasp.org> wrote:
>>>> > I hate to be so contrarian with you today James, but chaos doesn't work on a
>>>> > strategic level.  Your positive experience at your chapter doesn't translate
>>>> > to the organization as a whole.
>>>> > Whether we are a non-profit or not, we need to recognize that we are in a
>>>> > competitive marketplace where we need to struggle for relevancy in order to
>>>> > achieve our mission.  We can't treat this like some sort of free-for-all.
>>>> > We have numerous dedicated individuals, but I think as an organization we
>>>> > try to be everything to everyone.  In the pursuit of allowing owasp to be
>>>> > anything somebody wants it to be (new conference?  Sure!  New project?  Why
>>>> > not?) we've sacrificed our ability to focus and really make an impact (with
>>>> > some notable exceptions).
>>>> > I think better coordination of efforts, some culling of the less useful
>>>> > projects and undertakings, and more strategic leadership from the board
>>>> > level would go a long way.
>>>> > Imagine how much we could accomplish if we eliminated the noise and were
>>>> > able to double our efforts on the truly impactful and high-profile efforts!
>>>> > Rex
>>>> >
>>>> > On Dec 8, 2010, at 4:02 PM, "James McGovern" <JMcGovern at virtusa.com> wrote:
>>>> >
>>>> > I too have noticed the chaos and believe it is a good thing! When the
>>>> > Hartford chapter did a joint meeting with ISACA, they had a lot more
>>>> > formality in organizing things. Generally speaking, when I organize Hartford
>>>> > chapter meetings I tend to start with finding two speakers who are of
>>>> > interest, figuring out what they are going to talk about, creating an agenda
>>>> > and then blasting it to the world. The ISACA model required multiple levels
>>>> > of approval and dozens of phone calls.
>>>> >
>>>> > We get things done without requiring audits and checklists :-)
>>>> >
>>>> > James McGovern
>>>> > Insurance SBU
>>>> > Virtusa Corporation
>>>> > 100 Northfield Drive, Suite 305 | Windsor, CT | 06095
>>>> > Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890
>>>> >
>>>> > -----Original Message-----
>>>> > From: owasp-leaders-bounces at lists.owasp.org
>>>> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Yiannis Pavlosoglou
>>>> > Sent: Wednesday, December 08, 2010 12:47 PM
>>>> > To: owasp-leaders at lists.owasp.org
>>>> > Subject: Re: [Owasp-leaders] Creating OWASP 4.0!
>>>> >
>>>> > Examples:
>>>> >
>>>> > 2. We have real issues on establishing individual efforts and commits
>>>> > to a particular task. Other organisations are also open and
>>>> > transparent, why all the chaos with us?
>>>> >
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 
>> 

Chris Schmidt
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
Blog: http://yet-another-dev.blogspot.com
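Sessions 1 and 2 of John Steven's track outline above name the "decode, canonicalize, filter" serial decomposition for input validation and an AppSensor sensor for "unexpected encodings" without spelling either out. The following is an added Python illustration of both, written for this page; it is not ESAPI or AppSensor code, and the function names, the three-pass decode limit, the whitelist patterns and the sample values are all assumptions.

```python
"""Serial decomposition of untrusted input: decode -> canonicalize -> filter.

Added illustration of sessions 1 and 2 of the track outline; not ESAPI or
AppSensor code.  Names, thresholds and sample values are assumptions.
"""
import html
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import unquote

MAX_DECODE_PASSES = 3  # assumption: input nested deeper than this is refused


@dataclass
class ValidationResult:
    value: Optional[str]                             # canonical value if accepted, else None
    events: List[str] = field(default_factory=list)  # sensor-style events for logging


def decode(raw: str) -> Tuple[str, int]:
    """Step 1: strip percent- and HTML-entity encoding until the text stops changing.

    Returns (decoded text, number of passes that changed it).  Raises ValueError
    if the input is still changing after MAX_DECODE_PASSES instead of looping on.
    """
    current, passes = raw, 0
    for _ in range(MAX_DECODE_PASSES + 1):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            return current, passes
        current, passes = decoded, passes + 1
    raise ValueError("still encoded after %d passes" % MAX_DECODE_PASSES)


def canonicalize(text: str) -> str:
    """Step 2: fold Unicode look-alikes (full-width digits, ligatures) to one
    form so the whitelist in step 3 sees a single representation."""
    return unicodedata.normalize("NFKC", text)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject mistyped or fabricated card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Step 3 whitelists for the structured data named in the outline (SSN, CC) and
# one unstructured kind (free-text comment).  Patterns are assumptions.
STRUCTURED = {
    "ssn": re.compile(r"\d{3}-\d{2}-\d{4}"),
    "cc": re.compile(r"\d{13,19}"),
}
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
MAX_COMMENT_LEN = 2000


def filter_value(kind: str, text: str) -> Optional[str]:
    """Step 3: return text only if it matches the positive pattern for `kind`."""
    if kind in STRUCTURED:
        if not STRUCTURED[kind].fullmatch(text):
            return None
        if kind == "cc" and not luhn_ok(text):
            return None
        return text
    if kind == "comment":
        # Unstructured data cannot be pattern-matched; bound its length and drop
        # control characters.  Output encoding for HTML/SQL is a separate step.
        if len(text) > MAX_COMMENT_LEN or CONTROL_CHARS.search(text):
            return None
        return text
    raise KeyError("unknown input kind: %s" % kind)


def validate(kind: str, raw: str) -> ValidationResult:
    """Run the three steps in order and record anything a sensor would want."""
    result = ValidationResult(value=None)
    try:
        decoded, passes = decode(raw)
    except ValueError:
        result.events.append("ENCODING_DEPTH_EXCEEDED")
        return result
    if passes > 1:
        # Strict posture: a value encoded more than once was not produced by a
        # browser form; refuse it rather than guess which layer was intended.
        result.events.append("MULTIPLE_ENCODING")
        return result
    canonical = canonicalize(decoded)
    if canonical != decoded:
        result.events.append("UNICODE_NORMALIZED")
    result.value = filter_value(kind, canonical)
    if result.value is None:
        result.events.append("INPUT_REJECTED")
    return result


if __name__ == "__main__":
    # Constructed sample inputs, not data from the thread.
    for kind, raw in [("ssn", "123-45-6789"),
                      ("ssn", "%2531%2532%2533-45-6789"),     # double percent-encoded
                      ("ssn", "\uff11\uff12\uff13-45-6789"),  # full-width digits
                      ("cc", "4111111111111111"),
                      ("comment", "hello\x00world")]:
        print(kind, repr(raw), validate(kind, raw))
```

The order matters: filtering before decoding lets an encoded payload slip past the whitelist, and canonicalizing after filtering lets a full-width digit string pass a check the ASCII form would also have passed, while the events list is what a detection layer such as AppSensor would consume to count repeated encoding anomalies per user.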

