[Owasp-leaders] Project summit AppSecUSA DC 2016

Larry Conklin larry.conklin at owasp.org
Wed Oct 12 14:52:19 UTC 2016


Ok, it was brought to my attention I did not put in the links to the
WebGoat projects. It was not my intention to put these projects in a bad
light by not including their web links. So here are the links.

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

https://www.owasp.org/index.php/WebGoatPHP

Also, there are other projects here but I wasn't in the room for every
project's presentation/summary. So I left them out for no reason
other than I wasn't there.

Podcast project. https://www.owasp.org/index.php/OWASP_Podcast

Embedded Application Security
https://www.owasp.org/index.php/OWASP_Embedded_Application_Security


Larry Conklin





On Wed, Oct 12, 2016 at 10:20 AM, Larry Conklin <larry.conklin at owasp.org>
wrote:

> Day One OWASP Project Summit
>
>
>
> Opinions and observations are mine and mine only.
>
>
>
> OWASP Core Rule Set is here. They are having a release this Friday, 2.2
> candidate, which will become release 3.0. Check out the new paranoia
> mode enhancement feature.
> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>
>
>
> WAFEC is looking for a co-leader and volunteers. A must requirement is that the
> person cannot be associated with a WAFEC vendor.
> https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project
>
>
>
> Automated Threats is here. I am not sure of the difference between this
> project and AVS.
> https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf and
> https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf
>
>
>
> KBAPM is here. First draft just released.
> https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project
>
>
>
> WebGoats. Two WebGoat projects are here: original WebGoat and WebGoat PHP.
> This brings up the big question: two separate WebGoat projects. I
> understand the need for different languages and the nuances that different
> languages and frameworks have their own security vulnerabilities. Hence,
> multiple WebGoat projects. But we also have WebGoat in Java, and Security
> Shepherd in Java. That is a lot of duplication of effort and it leaves the
> community asking which one they should use. Not an easy problem to solve.
> Here are a few suggestions.
>
> - Coordinate between projects. Each project must have a core set of
> functionality, i.e. XSS, SQL injection, etc. This should come from OWASP
> project management.
>
> - A core set of additional education material that is the same
> content. SQL injection is the same no matter what language.
>
> - Would be nice if we could get the leaders to have a semi-annual
> meeting to discuss what is and what is not working. Maybe a Goat Herding
> project summit: two days working just on Goat projects.
>
>
>
> I want to thank the OWASP Foundation board and Andrew van der Stock for
> sponsoring my motion to the board. While it did not pass, it was still good
> that the board allowed me the time to present my motion.
>
>
>
> Have the board membership for OWASP Foundation increase by two members.
> Both of these would be directors at large with full voting rights. These
> members cannot be already associated with OWASP Foundation, chapters, or
> projects. OWASP Foundation board would pick six candidates, mark two as
> preferred by the board and allow the community to vote on all six
> candidates. These members would be in the open source community. This would
> allow OWASP Foundation to have better diversity outside of OWASP.
>
>
>
>
>
> My reason is I think we as a community would benefit from vision from
> outside of OWASP and increased diversity. Push back centered on three points.
>
> 1. What are we trying to fix with this motion? Better diversity.
> Other ways of looking at problems other open source organizations have
> already fixed or not fixed.
>
> 2. Board directors are working members. Good point. I have friends on
> community organization boards. They are working board members, i.e.
> community food bank, etc. No one said a director at large could not be a
> working board member.
>
> 3. OWASP is different. Not really sure if this is a valid point. In
> fact I think this is how some outside diversity could really help.
> Membership, vendor sponsorship, etc. are issues a lot of organizations face
> today.
>
>
>
> But I do wish to reiterate my motion was not because I think the board is
> NOT doing a great job. I do believe I can do better, the board can do
> better and OWASP is a great organization.
>
>
>
> Board did have an interesting discussion of membership. Should rates
> increase, what are the benefits of being a member?
>
>
>
> The OWASP web refresh project is moving forward to creating the RFQ.
>
>
> Again, the above are my opinions and observations, and mine only.
>
>
> Larry Conklin
>