[Owasp-leaders] Secure Coding Workshop: Status Update

John Steven John.Steven at owasp.org
Mon Feb 28 03:28:30 EST 2011


At the OWASP Summit, we made some progress towards setting up a secure
programming track but I think we all fell prey to wanting to involve
ourselves in other important topics (governance, ESAPI, projects,
broader developer outreach) at the expense of more concrete progress.
This disappoints me, but it's OK as well. In Dan's session,
especially, we made decent progress in spec'ing out what a finished
session would look like. I made progress in-between sessions on a code
base that would be valuable the next time around.

If individuals remain interested, I'd like to set up weekly calls
(again) and march towards a full-fledged track for the AppSec 2011
conference planned for  September 22-23, concurrent with training.

This week, I'm going to roll-up an agenda for the march towards
September but I'd ask those interested to reconsider material on the
WIki ( www.owasp.org/.../Category:Summit_2011_OWASP_Secure_Coding_Workshop_Track
I think, the site is down) and "re-up" their ownership of a particular


On Wed, Feb 2, 2011 at 6:10 PM, John Steven <John.Steven at owasp.org> wrote:
> All,
> I've updated the "Protecting Client-Side Information" subsection of
> the Secure Coding Workshop Wiki page. It now includes:
> * Development contexts/environments used;
> * Scenarios over which we'll consider them; and
> * Specific work stream we'll go through to 'consider' each and produce code.
> I also added deliverable items and objectives.
> I'd anxiously like to draw more interested attendees to this difficult
> topic, and make some progress. Feel free to look at the wiki:
> http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session028
> Feel free to send me suggestions, feedback, or rants... or just throw
> things you've pondered but for which you don't have solutions out
> there.
> -jOHN
> On Tue, Jan 25, 2011 at 8:17 AM, John Steven <jsteven at maladjustment.org> wrote:
>> All,
>> [Sum]
>> Last night we honed in on our track sub-section focuses. Two
>> sub-sections come to the summit with more content available and a
>> clearer picture: IV and AppSensor.
>> Jim suggested an "Attack and Defense" style offering where he'd bring
>> enough application and attack harness code to have participants in
>> roles either building defense against encoding-based attacks or
>> proving evasion of those protections built by others. He suggested
>> participants switch roles within his session so that they gain both
>> perspectives. He suggested building competition kit (bells/whistles
>> for when an evasion succeeds, etc.)  to raise interest / sex-appeal.
>> Mike has a cut-and-dried task in his mind: we have the AppSensor
>> framework and need more example sensors. He'd like to focus his
>> session on [that: building those].
>> I have, for my part, come up with a few goals in the context of
>> 'protecting information client-side' and have documented on the
>> sub-track page (PI, App-specific info, etc.). I am concerned about
>> dragging participants through those goals in two or three contexts
>> (Classic n-tier, phone OS, and RIA). Currently, I'm trying to build
>> sub-section design to take these ideas into work-able chunks. My
>> principal concern remains [potential audience] familiarity with phone
>> OSes and RIA tech stacks.
>> Dan reports a similar difficulty in working his persisting data
>> section. He and Jim are going to  mine their existing code bases for
>> usable snippet material. Dan, particularly, is concerned about
>> representing properties of 'real world' data models that that solution
>> definition/implementation treats issues developers confront beyond,
>> "Flip this config setting and you're good."
>> [Decisions]
>> * Move from GITHUB --> Google Code (SVN)  - Completed; jOHN has
>> already exhausted his tears on the matter.
>> https://code.google.com/p/secure-coding-workshop/
>> * Focus each sub-section on 'getting something back' from the session
>> to share with the community in addition to raising awareness and
>> disseminating knowledge
>> * Decision to work with snippets rather than demand a full "sample app."
>> * Meet 'every other day' until summit in prep. Tentatively, this will
>> be on Tuesday, Thursday, and Saturday.
>>  [Actions]
>> * Each person held themselves to different prep-work activities but we
>> agreed that for the next call to come up with the specific goals for:
>>   * What we want participants to 'give back' to the sub-section in
>> analysis/code/test/docs
>>   * What we want participants to 'leave understanding' that they
>> didn't when they arrived.
>> I'll report status each week to cut down list traffic,

More information about the OWASP-Leaders mailing list