[Owasp-leaders] Project summit AppSecUSA DC 2016

Larry Conklin larry.conklin at owasp.org
Wed Oct 12 14:20:56 UTC 2016


Day One OWASP Project Summit



Opinions and observations are mine and mine only.



OWASP Core Rule Set is here. They are having a release this Friday, the 2.2
candidate, which will become release 3.0. Check out the new paranoia mode
enhancement.
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project



WAFEC is looking for a co-leader and volunteers. A must requirement is that the
person cannot be associated with a WAFEC vendor.
https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project



Automated Threats is here. I am not sure of the difference between this
project and ASVS.
https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf &&
https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf



KBAPM is here. First draft just released.
https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project



WebGoats. Two WebGoat projects are here: the original WebGoat and WebGoat PHP.
This brings up the big question of two separate WebGoat projects. I
understand the need for different languages and the nuance that different
languages and frameworks have their own security vulnerabilities. Hence,
multiple WebGoat projects. But we also have WebGoat in Java, and Security
Shepherd in Java. That is a lot of duplication of effort and it leaves the
community asking which one they should use. Not an easy problem to solve.
Here are a few suggestions.

·      Coordinate between projects. Each project must have a core set of
functionality, i.e. XSS, SQL injection, etc. This should come from OWASP
project management.

·      A core set of additional education material that is the same
content. SQL injection is the same no matter what language.

·      It would be nice if we could get the leaders to have a semi-annual
meeting to discuss what is and what is not working. Maybe a Goat Herding
project summit: a two-day working project summit just for Goat projects.



I want to thank the OWASP Foundation board and Andrew van der Stock for
sponsoring my motion to the board. While it did not pass, it was still good
that the board allowed me the time to present my motion.



Have the board membership for OWASP Foundation increase by two members.
Both of these would be directors at large with full voting rights. These
members cannot already be associated with OWASP Foundation, chapters, or
projects. The OWASP Foundation board would pick six candidates, mark two as
preferred by the board, and allow the community to vote on all six
candidates. These members would be from the open source community. This would
allow OWASP Foundation to have better diversity from outside of OWASP.





My reason is I think we as a community would benefit from vision from outside
OWASP and increased diversity. Pushback centered on three points.

1.     What are we trying to fix with this motion? Better diversity. Other
ways of looking at problems that other open source organizations have already
fixed or not fixed.

2.     Board directors are working members. Good point. I have friends on
community organization boards. They are working board members, e.g. a
community food bank, etc. No one said a director at large could not be a
working board member.

3.     OWASP is different. Not really sure if this is a valid point. In
fact, I think this is how some outside diversity could really help.
Membership, vendor sponsorship, etc. are issues a lot of organizations face
today.



But I do wish to reiterate my motion was not because I think the board is
NOT doing a great job. I do believe I can do better, the board can do
better and OWASP is a great organization.



The board did have an interesting discussion of membership. Should rates
increase, and what are the benefits of being a member?



The OWASP web refresh project is moving forward to creating the RFQ.


Again, the above are my opinions and observations and mine only.


Larry Conklin