[Owasp-leaders] [Owasp-community] Project summit AppSecUSA DC 2016

Andrew van der Stock vanderaj at owasp.org
Thu Oct 13 01:29:25 UTC 2016


Thank you Larry - I popped into the Project Summit today, and it was
buzzing. Projects are exactly the core reason I'm involved with OWASP, and
successful events like this make it all worthwhile.

For those of you running regional and local events, we are taking budget
requests for Project Summits for FY17. Please work with Claudia if you want
to run one in your local or regional event! :) If you have training days,
running a concurrent Project Summit is a great way of getting local chapter
members engaged in projects that matter to them, and moving the needle for
these projects.

Again, a big thanks to all those who helped organise and run the Project
Summit at AppSec USA. Well done! :)

thanks,
Andrew

On Wed, Oct 12, 2016 at 10:52 AM Larry Conklin <larry.conklin at owasp.org>
wrote:

> Ok, it was brought to my attention I did not put in the links to the
> WebGoat projects. It was not my intention to put these projects in a bad
> light by not including their web links. So here are the links.
>
> https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>
> https://www.owasp.org/index.php/WebGoatPHP
>
> Also, there are other projects here but I wasn't in the room for every
> project's presentation/summary. So I left them out not because of any
> reason other than I wasn't there.
>
> Podcast project. https://www.owasp.org/index.php/OWASP_Podcast
>
> Embedded Application Security
> https://www.owasp.org/index.php/OWASP_Embedded_Application_Security
>
>
> Larry Conklin
>
> On Wed, Oct 12, 2016 at 10:20 AM, Larry Conklin <larry.conklin at owasp.org>
> wrote:
>
> Day One OWASP Project Summit
>
> Opinions and observations are mine and mine only.
>
> OWASP Core Rule Set is here. They are having a release this Friday, the 2.2
> candidate, which will become release 3.0. Check out the new enhancement,
> the paranoia mode feature.
> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>
> WAFEC is looking for a co-leader and volunteers. A must requirement is that the
> person cannot be associated with a WAFEC vendor.
> https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project
>
> Automated Threats is here. I am not sure of the difference between this
> project and AVS.
> https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf &&
> https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf
>
> KBAPM is here. First draft just released.
> https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project
>
> WebGoats. Two WebGoat projects are here: original WebGoat and WebGoat PHP.
> This brings up the big question. Two separate WebGoat projects. I
> understand the need for different languages and the nuances that different
> languages and frameworks have their own security vulnerabilities. Hence,
> multiple WebGoat projects. But we also have WebGoat in Java, and Security
> Shepherd in Java. That is a lot of duplication of effort and it leaves the
> community asking which one they should use. Not an easy problem to solve.
> Here are a few suggestions.
>
> ·      Coordinate between projects. Each project must have a core set of
> functionality. I.e. XSS, SQL injection, etc. This should come from OWASP
> project management.
>
> ·      A core set of additional education material that is the same
> content. SQL injection is the same no matter what language.
>
> ·      Would be nice if we could get the leaders to have a semi-annual
> meeting. To discuss what is and what is not working. Maybe a Goat Herding
> project summit. Two days working project just for Goat projects.
>
>
>
> I want to thank the OWASP Foundation board and Andrew van der Stock for
> sponsoring my motion to the board. While it did not pass, it was still good
> that the board allowed me the time to present my motion.
>
> Have the board membership for OWASP Foundation increase by two members.
> Both of these would be directors at large with full voting rights. These
> members cannot be already associated with OWASP Foundation, chapters, or
> projects. OWASP Foundation board would pick six candidates, mark two as
> preferred by the board and allow the community to vote on all six
> candidates. These members would be in the open source community. This would
> allow OWASP Foundation to have better diversity outside of OWASP.
>
> My reason is that I think we as a community would benefit from vision from
> outside OWASP and increased diversity. Pushback centered on three points.
>
> 1. What are we trying to fix with this motion? Better diversity.
> Other ways of looking at problems other open source organizations have
> already fixed or not fixed.
>
> 2. Board directors are working members. Good point. I have friends on
> community organization boards. They are working board members, i.e.
> community foodbank, etc. No one said a director at large could not be a
> working board member.
>
> 3. OWASP is different. Not really sure if this is a valid point. In
> fact I think this is how some outside diversity could really help.
> Membership, vendor sponsorship, etc. are issues a lot of organizations face
> today.
>
> But I do wish to reiterate my motion was not because I think the board is
> NOT doing a great job. I do believe I can do better, the board can do
> better and OWASP is a great organization.
>
> Board did have an interesting discussion of membership. Should rates
> increase, what are the benefits of being a member?
>
> The project of redoing the OWASP web refresh project is moving forward to
> creating the RFQ.
>
> Again, the above are my opinions and observations, and mine only.
>
> Larry Conklin