[Owasp-leaders] OWASP Secure Coding Track: Actions from 01//24/11 at 8:30EST

John Steven John.Steven at owasp.org
Tue Jan 25 08:19:19 EST 2011


All,

[Sum]
Last night we honed in on our track sub-section focuses. Two
sub-sections come to the summit with more content available and a
clearer picture: IV and AppSensor.

Jim suggested an "Attack and Defense" style offering where he'd bring
enough application and attack harness code to have participants in
roles either building defense against encoding-based attacks or
proving evasion of those protections built by others. He suggested
participants switch roles within his session so that they gain both
perspectives. He suggested building competition kit (bells/whistles
for when an evasion succeeds, etc.)  to raise interest / sex-appeal.

Mike has a cut-and-dried task in his mind: we have the AppSensor
framework and need more example sensors. He'd like to focus his
session on [that: building those].

I have, for my part, come up with a few goals in the context of
'protecting information client-side' and have documented on the
sub-track page (PI, App-specific info, etc.). I am concerned about
dragging participants through those goals in two or three contexts
(Classic n-tier, phone OS, and RIA). Currently, I'm trying to build
sub-section design to take these ideas into work-able chunks. My
principal concern remains [potential audience] familiarity with phone
OSes and RIA tech stacks.

Dan reports a similar difficulty in working his persisting data
section. He and Jim are going to  mine their existing code bases for
usable snippet material. Dan, particularly, is concerned about
representing properties of 'real world' data models that that solution
definition/implementation treats issues developers confront beyond,
"Flip this config setting and you're good."

[Decisions]
* Move from GITHUB --> Google Code (SVN)  - Completed; jOHN has
already exhausted his tears on the matter.

https://code.google.com/p/secure-coding-workshop/

* Focus each sub-section on 'getting something back' from the session
to share with the community in addition to raising awareness and
disseminating knowledge
* Decision to work with snippets rather than demand a full "sample app."
* Meet 'every other day' until summit in prep. Tentatively, this will
be on Tuesday, Thursday, and Saturday.

 [Actions]
* Each person held themselves to different prep-work activities but we
agreed that for the next call to come up with the specific goals for:

  * What we want participants to 'give back' to the sub-section in
analysis/code/test/docs
  * What we want participants to 'leave understanding' that they
didn't when they arrived.

I'll report status each week to cut down list traffic,
-jOHN


More information about the OWASP-Leaders mailing list