[Owasp-leaders] Creating OWASP 4.0!

Jason Li jason.li at owasp.org
Wed Jan 12 22:14:56 EST 2011


Matt,

I can assure you that everyone on the Summit committee is aligned on the
goal*s* of the Summit. The community has had a lot of great energy and ideas
about what they would like to do with the Summit and that is extremely
encouraging. In fact, I think you'll find that we're creating a good balance
of flexibility in the schedule to allow sessions to develop organically,
while still being mindful to keep big ticket items static (discussions about
certifications, OWASP governance, browser day, etc).

I'd like to stress a different part of your quote (actually, it's my quote
since I wrote that page ;)):
"*where application security experts meet to discuss plans, projects and
solutions for the future of application security*"
One of the many goals of the Summit is to get our community in one place.
OWASP is providing the venue - we want our community to collaborate on ideas
and topics that wouldn't otherwise be practical in our distributed world.

"Actual work" can mean a lot of things --- maybe through John's session, the
group is able to prototype a model for furthering the OWASP Education
Project; or it becomes the basis for expanding the OWASP Academies, who
knows! :)

I can certainly imagine a working session to produce the materials for such
a session counting as "actual work". I believe we did exactly that a few
years ago - the day before, we had a few OWASPers run a training session at
a local university and then during the event, they used the working time to
capture the experience and refine what they had done for the next go around.

Let's not dismiss their efforts out of hand :)

-Jason

On Wed, Jan 12, 2011 at 9:26 PM, Matthew Chalmers <matthew.chalmers at owasp.org> wrote:

> Dinis,
>
> It seems like you understand this but I'm not sure if everyone does. Is
> there some way you can reiterate to people on the Summit committee and those
> interested like John that:
>
> *"The OWASP Global Summit is the place where application security experts
> meet to discuss plans, projects and solutions for the future of application
> security. The Summit is not a conference - there are no talks or training
> seminars - this is an opportunity to do actual work to further the field
> of application security."*
>
> That is directly from the Summit main page on the wiki.
>
> Matt
>
>
> On Mon, Dec 13, 2010 at 4:54 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> John, can you work with Sarah Baso (sarah.baso at owasp.org) on creating
>> the "No Fluff just stuff" Track for the Summit? We talked about it last
>> night and she is already fully briefed on the need to create this.
>>
>> I love your idea and concept and I agree that the Summit is the perfect
>> place to kick-start it.
>>
>> Within the current Summit schedule I think we could run this on the Wed
>> and Thu, with Tue having at least a planning session and Fri a wrap-up
>> session.
>>
>> For the Summit, I don't think you will be able to get
>> all facilitators there all day (or in 6 of the 8 session) since they will
>> probably be involved in other sessions that might be happening in parallel
>> (this is a problem that you will only have at the Summit, since for the
>> follow-up editions these 'No Fluff just Stuff' days would
>> happen independently). That said, we need to get a dedicated team just for
>> this Track that will be running it and be around 90% of the time.
>>
>> What I really like about this idea is that it is a great attraction for
>> developers and architects to come to the Summit, since your 8x session list
>> is answering the questions these guys have in the real world today (once we
>> start having confirmed attendees to this track it might be a good idea to
>> ask them what topics they are more interested in).
>>
>> I also would like to have a 30m to 1h Working Session on:
>>
>>    - how to scale this idea,
>>    - how to get sponsorship for it and
>>    - schedule at least two following 'No Fluff just Stuff' days in 2010
>>
>>
>> Dinis Cruz
>>
>>
>> On 10 December 2010 04:36, Lorna Alamri <lorna.alamri at owasp.org> wrote:
>>
>>> John,
>>> Make sure to add your ideas to the Summit working sessions page
>>> http://www.owasp.org/index.php/Summit_2011#tab=Working_Sessions and the
>>> schedule
>>> http://www.owasp.org/index.php/Summit_2011#tab=Schedule_and_Tracks and
>>> that everyone is on the attendee list if they plan to attend
>>> http://www.owasp.org/index.php/Summit_2011_Attendee. Invite documents
>>> are located here:
>>> http://www.owasp.org/index.php/Summit_2011#tab=Letters_and_Summit_Materials
>>>
>>> We've also extended dates for applying for Chapter and Project
>>> sponsorship so follow the procedure outlined here:
>>> http://www.owasp.org/index.php/Summit_2011#tab=Applying_for_Chapter_or_Project_Sponsorship
>>>
>>> Let me know if you have questions.
>>> Regards,
>>> Lorna
>>>
>>>
>>> On Thu, Dec 9, 2010 at 2:04 PM, John Steven <John.Steven at owasp.org> wrote:
>>>
>>>> All,
>>>>
>>>> I agree with Rex. Chaos remains an important (constructively)
>>>> disruptive force. It cannot provide coherent direction I hear people
>>>> craving ATM. The board seems to want the organization to remain
>>>> decentralized and with a bottom-up driven direction through project
>>>> leaders. This seems 'fine' to me because it's fundamental to the OWASP
>>>> organization and culture.
>>>>
>>>> Though, outside of the community itself, I perceive this having
>>>> resulted in two forces providing OWASP most of its external impact and
>>>> momentum beyond general Application Security Awareness recently:
>>>> Conferences and ESAPI
>>>>
>>>> I'm concerned that as we look at '11, we don't see these two forces
>>>> providing us the progress we desire alone. The last few conferences I
>>>> attended suffered from confusion or division in promotion and the
>>>> majority of topic areas have already been presented (often in nearly
>>>> or exactly their current form). Momentum on conferences, from my view,
>>>> will wane unless something changes. ESAPI, by comparison, has momentum
>>>> but is less mature. There isn't a "The Solution" but I think we can
>>>> create some direction and bolster both of these key aspects of the
>>>> OWASP organization simultaneously. I've talked to almost everyone
>>>> explicitly listed as a CC regarding my idea. They seemed at least
>>>> superficially interested in participating.
>>>>
>>>> Create a "No Fluff just stuff"-like track for Portugal, pull out our
>>>> laptops (not for email/IM), and show people how to develop secure
>>>> code. Chris referred to this here:
>>>>
>>>> http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-for-bees.html
>>>> I'd like to prototype this in Portugal and keep it going in Minnesota.
>>>> Pravir led something like this with SAMM (but regarding process) in
>>>> Portugal the first time around. This was incredibly valuable.
>>>>
>>>> I'd like to propose the following skeleton and get passionate
>>>> developers to sign up for it. I'm imagining 1/2 day sessions. (So,
>>>> over four days, we could have eight (8) facilitators). I suggest we
>>>> pick a single target (Java EE?), a single victim app, and a single
>>>> container as a 'base of operations' for the first one to keep things
>>>> simple.
>>>>
>>>> Track Mission: Building Security In: Using OWASP tools/techniques/code
>>>> to build secure applications.
>>>> (the list is not in any particular order. In fact, that may be
>>>> something to talk about. I've tried to provide four (4) one-hour seeds
>>>> for each session, subject again to discussion)
>>>>
>>>>    Topic                                       Facilitator    Proctors
>>>>
>>>> 1 Applying ESAPI input validation        Mr. Schmidt
>>>>    * Serial Decomp: Decode, canonicalize, filter
>>>>    * Structured data (SSN, CC, etc.)
>>>>    * Unstructured data (comments, blogs,  blah)
>>>>    * Other input examples (ws-, Database, etc.)
>>>>
>>>> 2  Defining AppSensor sensors for:      Mr. Coates
>>>>     * Forced Browsing
>>>>     * Request Velocity
>>>>     * Unexpected encodings
>>>>     * Impersonation (Sudden user switch)
>>>>
>>>> 3 Managing sessions                          ????????
>>>>   * Across requests
>>>>   * Across containers
>>>>   * Invalidating sessions (Timeout, attack event, logout)
>>>>   * Invalidating sessions (across containers, SSO token invalidation,
>>>> user termination)
>>>>
>>>> 4 Protecting information stored client-side  Mr. Steven
>>>>    * Threat Modeling the problem
>>>>    * Protecting theft and re-playability of application-specific
>>>> info (on client & in flight)
>>>>    * Protecting theft and re-playability of session-specific info (in
>>>> flight)
>>>>    * Protecting session-specific information from attack on the client
>>>>
>>>> 5 Protecting against CSRF                 ????????
>>>>    * Hygiene
>>>>       * Discuss/show Frames-busting, cross-domain policy,
>>>>       * Discuss referrer and other red herrings
>>>>    * Tokens (crafting, scoping, and checking)
>>>>    * Discussions, techniques on scale
>>>>    * Discussions, techniques on CAPTCHA, re-auth, etc.
>>>>
>>>> 6 Providing access to persisted data   ???????
>>>>   * Controlling visibility of tables by role (Spring?)
>>>>   * Providing access to safe SQL-like query through DAO layer
>>>>   * Discussions, techniques for providing secure 'auto-wiring' /
>>>> marshaling
>>>>   * Encoding and canonicalization for storage (or alternatively:
>>>>   * Security concerns with hierarchical caching & object pooling)
>>>>
>>>> 7 ...I have some other ideas for 7 and 8, but wanted to afford the
>>>> skeleton some flexibility.
>>>>
>>>> 8
>>>>
>>>>
>>>> Rules:
>>>>
>>>> * Facilitator role replaces "speaker". They lead the session, but the
>>>> session is a working session, laptops open, whiteboards filling. This
>>>> is not a lecture.
>>>> * Other facilitators adopt the present facilitator's goal as their own
>>>> and we drive the concept/design/code forward. Dissenting views are for
>>>> drinks later.
>>>> * Sessions are open to all participants provided they have at least
>>>> the ability to read the chosen language, and have the following things
>>>> installed when they arrive:
>>>>   * Our victim app
>>>>   * All session dependencies
>>>>   * Dev tools sufficient to build and run the app and our dependencies
>>>> * Facilitators must agree to attend six (6) out of eight (8) sessions.
>>>> Failing that, they're booted from the next venue
>>>> * The objective of each session is split between educating
>>>> participants and bringing the state of the practice forward.
>>>> * Participants may bring whatever code they like, provided they
>>>> contribute it to OWASP.
>>>> * Facilitators should seek to absorb any new developments into the
>>>> next conference session, i.e. each session should have some new and
>>>> unique content.
>>>> * Facilitators don't 'own' topics; in fact, I'd like them to rotate
>>>> between cons if possible.
>>>>
>>>> Next Steps:
>>>>
>>>> * Define eight sessions, facilitators. Solicit proctoring help
>>>> * Finalize (and verify) dependency list for participants
>>>> * Ratchet up specificity in session topics (create, review, and revise
>>>> a track outline)
>>>> * Establish a twice-monthly call for facilitators to take our skeleton
>>>> plan to reality.
>>>>
>>>>
>>>> I would be happy to help organize this track, direct it, and provide
>>>> air-support to the other facilitators in their sessions. Chris, Mike:
>>>> want to participate? Mr. Cornell--we discussed this out west. You
>>>> game? Others?
>>>>
>>>> This track idea, in no way, replaces the need for continued awareness,
>>>> novice training, and other popular OWASP tools/projects (LiveCD,
>>>> Top10, ... etc.)  The track is designed to engage passionate and more
>>>> advanced participants, as well as entice more developer participation.
>>>> Let's build something interactive, tangible and immediately useful for
>>>> our conference participants.
>>>>
>>>> -jOHN
>>>>
>>>>
>>>> On Wed, Dec 8, 2010 at 5:36 PM, Rex Booth <rex.booth at owasp.org> wrote:
>>>> > I hate to be so contrarian with you today James, but chaos doesn't work
>>>> > on a strategic level.  Your positive experience at your chapter doesn't
>>>> > translate to the organization as a whole.
>>>> > Whether we are a non-profit or not, we need to recognize that we are
>>>> > in a competitive marketplace where we need to struggle for relevancy in
>>>> > order to achieve our mission.  We can't treat this like some sort of
>>>> > free-for-all.
>>>> > We have numerous dedicated individuals, but I think as an organization
>>>> > we try to be everything to everyone.  In the pursuit of allowing OWASP to
>>>> > be anything somebody wants it to be (new conference?  Sure!  New project?
>>>> > Why not?) we've sacrificed our ability to focus and really make an impact
>>>> > (with some notable exceptions).
>>>> > I think better coordination of efforts, some culling of the less
>>>> > useful projects and undertakings, and more strategic leadership from the
>>>> > board level would go a long way.
>>>> > Imagine how much we could accomplish if we eliminated the noise and
>>>> > were able to double our efforts on the truly impactful and high-profile
>>>> > efforts!
>>>> > Rex
>>>> >
>>>> > On Dec 8, 2010, at 4:02 PM, "James McGovern" <JMcGovern at virtusa.com> wrote:
>>>> >
>>>> > I too have noticed the chaos and believe it is a good thing! When the
>>>> > Hartford chapter did a joint meeting with ISACA, they had a lot more
>>>> > formality in organizing things. Generally speaking, when I organize
>>>> > Hartford chapter meetings I tend to start with finding two speakers who
>>>> > are of interest, figuring out what they are going to talk about, creating
>>>> > an agenda and then blasting it to the world. The ISACA model required
>>>> > multiple levels of approval and dozens of phone calls.
>>>> >
>>>> > We get things done without requiring audits and checklists :-)
>>>> >
>>>> > James McGovern
>>>> > Insurance SBU
>>>> > Virtusa Corporation
>>>> > 100 Northfield Drive, Suite 305 | Windsor, CT | 06095
>>>> > Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890
>>>> >
>>>> > -----Original Message-----
>>>> > From: owasp-leaders-bounces at lists.owasp.org
>>>> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Yiannis
>>>> > Pavlosoglou
>>>> > Sent: Wednesday, December 08, 2010 12:47 PM
>>>> > To: owasp-leaders at lists.owasp.org
>>>> > Subject: Re: [Owasp-leaders] Creating OWASP 4.0!
>>>> >
>>>> > Examples:
>>>> >
>>>> > 2. We have real issues on establishing individual efforts and commits
>>>> > to a particular task. Other organisations are also open and
>>>> > transparent, why all the chaos with us?
>>>> >
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>
>>>
>>>
>>> --
>>> Lorna Alamri
>>> OWASP MSP: Host to OWASP AppSec USA 2011
>>> September 20-23 Training, Talks, CTF, and Vendor Show
>>> www.appsecusa.org (2011 site coming soon)
>>> @appsecusa, @owaspmsp
>>> Dir: 651-338-0243
>>> skype: lorna.alamri
>>> lorna.alamri at owasp.org
>>>
>>>
>>
>