[Owasp-london] September 5 Meeting Notes

Ivan Ristic ivanr at webkreator.com
Sun Sep 9 17:27:02 EDT 2007


The meeting on September 5th was held in the Auriol Kensington Rowing
Club (http://www.akrowing.com/page.php?page=findus). Breach Security
(http://www.breach.com) covered the cost of the venue.

There were 13 people at the meeting. A few others wanted to come but
were prevented either by work or the tube strike.

The meeting kicked off with a video message from Jeff Williams. Well,
not really a video message because we didn't get to actually see
Jeff. We only got to hear his voice over some slides describing OWASP.

PDP spoke next. His talk was very interesting (you can find the
whitepaper here:
http://www.gnucitizen.org/blog/for-my-next-trick-hacking-web20); it
lasted longer than anticipated. This wasn't a problem for PDP or
the audience, but it did affect the activities scheduled for after
- some people had to leave.

After a short break, the mandatory discussion on privacy issues
followed. The overall impression is that the topic of privacy is
much larger than web application security. Even if we fixed all
issues we could (in this area) the issues of privacy would remain
largely unaffected.

An idea was floated to force all sites to declare what they are
going to do with personal information. And to have them inspected
(certified) by a third party on a regular basis. For example:

- Provide a list containing each piece of information kept.

- For each such piece declare how long it will be kept.

A third party could certify the site was developed in accordance
with best security development practices. (Note that it would
not certify that the site does not contain any problems.)

Ultimately, however, the problem is that the majority of people
simply do not care for the privacy and security issues. Until
that changes it is not likely for things to improve.

The plan, initially, was to also discuss the future of the OWASP
chapter but because it was already 22:30 most people wanted to
leave. However, the topic was brought up several times during the
meeting, in the breaks between the activities. The good news is there
is both will and interest. I will summarise in a separate email and
move discussion to the mailing list.

Some suggestions I got from people:

 - Meet more often.

 - Have shorter meetings (7pm - 9pm was suggested).

Bye,
Ivan

