[Owasp-leaders] Recap: Charlotte DUG/AppSensor

William Stranathan will at thestranathans.com
Sat Nov 5 19:03:29 EDT 2011


John Melton and I did a presentation at the UNC-Charlotte Cyber Security Symposium a couple of weeks ago, and one of the sidebars of the presentation was getting out of the "security echo chamber".  We've been complaining about the most obvious of flaws for 10 years, and developers (largely) aren't making many fewer mistakes.  A large part of the problem (we estimate) is that the people who go to RSA are mostly cryptologists and security experts.  The people who go to Black Hat and Def Con are largely security people.  The people who go to jQueryCon are jQuery people.  The people who go to EclipseCon are programmers.  I.e., not only do people who are just developers usually not enter our gates, but we're very bad about entering the gates of programming circles.

This week, I had the pleasure of presenting OWASP AppSensor to the Charlotte Drupal User's Group.  It was only a handful of people, but they were VERY interested in taking part in upcoming work on AppSensor.  They're mostly interested in providing a security-hardened (and harden-able) distribution of Drupal - with AppSensor/ESAPI already wired in and detection points written and set for the "easy to find" things in Drupal, and configured so that plugin developers can easily trigger detection points for more logical type findings.

Not only are they interested in providing that hardened Drupal package, but they want to help in writing the code that needs to be done for PHP ESAPI and AppSensor.  This is *really* promising.

We largely have one local chapter member, Jon Molesa, to thank for this.  He has been part of the Drupal Users Group for some time, was introduced to OWASP, and personally made all the arrangements for us to present AppSensor to the Charlotte DUG.

On an additional note, the Charlotte DUG meetings are held at a great location (part of Classic Graphics in Charlotte) which might be a great facility for future meetings.  We're not currently looking to move away from UNC-Charlotte, but the parking there is $6, so for normal meetings it takes some arranging of schedules so people can ride share.

More to follow - I have to find a good time for writing some "quick win" detection points for PHP and Drupal.

Will Stranathan

