Keynote Day 1: OWASP 2.0 • Dinis Cruz • OWASP .Net Project Leader • dinis.cruz@owasp.net
New Manifesto / Vision • “Enabling organizations to develop, maintain, and purchase applications that they can trust” • Consolidate all OWASP Projects in one strong vision • Focus OWASP efforts on one positive and focused target • Create a ‘package’ that companies will want to buy (i.e. join as members) • Build on past successes
OWASP is about a community who cares • Built on great foundations laid by our contributors • Independent • Focused on creating a better world • Great peer-to-peer participation • Emphasis on local community building
Objectives • Organize OWASP’s world • Deliver quality products, of the highest standard, usable by small and large companies • Professionalize OWASP delivery • More support for projects (both local and global) • Maintain and improve OWASP’s brand • Improve the quality of the web applications that we use every day
Today • The current software / web development process is a mess • No standards or metrics • Little understanding of the threats • Small number of attacks creates a ‘comfort zone’ • Strong business model to reward features and performance • Weak business model to reward security • Server-based code creates a false sense of security due to very limited peer review • ‘Shoot the messenger’ practices (UK’s Dan and US’ xyz guy) make it even worse
Today II • Strong awareness that ‘something is wrong’ • Weak awareness (and agreement) of ‘what to do about it’ • Security Industry is part of the problem (Snake Oil sellers and wild marketing claims) • Too much money is being made today by security vendors (with the current ‘insecure world’) • Market-Leaders are only marginally better than everybody else (or even less when adjusted for their market-share) • Clients don’t know what to ask for and how to commercially reward good vendors
Today III • The current security model is based on: • Lack of attackers (as in quantity) • Attackers’ skills • Unsophisticated malicious business model (i.e. difficulty of monetizing digital assets) • Plenty of low-hanging fruit still available (phishing, spam, sale of botnets, identity theft) • Basically we are betting that the gradual security improvements that we are making every day outpace the attackers’ numbers, skills and business model
Today IV • What organizations need is to be able to: • develop, or • maintain, or • purchase • applications that they can trust • We need assurance that applications will: • do what they are designed for • be securely coded • be executable in secure ‘sandboxed’ environments • not dramatically increase the risk to our assets
OWASP’s new Vision • “Enabling organizations to develop, maintain, and purchase applications that they can trust” • Idea launched at OWASP AppSec Europe (May 2006) • New wiki-based www.owasp.org website launched (May 2006) • Tons of new content (CLASP, old owasp.org website) • Much more to be added (Guide, etc.) • Next step will be to convert all OWASP Projects to this new vision • Objective is to have all projects converted by the next OWASP conference in the USA (Seattle, Oct 2006) • Launch the ‘OWASP member pack’, which contains everything that OWASP has created to date (including special licenses for members)
OWASP’s world • Documents / Guides • OWASP Top Ten, OWASP Metrics, ISO 17799 Project, WASS Project, OWASP Process Project • Practical Advice • OWASP Guide, OWASP Testing Project • Tools • OWASP .Net stuff (SiteGenerator, ReportGenerator, ANBS, SAMSHE, DefApp, Beretta), WebGoat, WebScarab, Stinger • Tons of chapters around the world • ... more about this tomorrow
the next level... http://www.flickr.com/creativecommons/
Dedicated Executive Director • Andrew van der Stock • OWASP Guide Project Leader • Started the Melbourne and Sydney chapters • Sponsored by the National Australia Bank • Will spend 12 hours (1.5 days) a week on OWASP projects • Now OWASP Executive Director
Andrew’s Responsibilities • Helping projects and chapters succeed • Membership & Funding • Assist with infrastructure (if required) • Future directions http://www.flickr.com/creativecommons/
Andrew’s Key Duties • Implement decisions from owasp-leaders • Help projects and chapters • Continue to work on projects (Guide, etc.) • Defend the OWASP brand
OWASP Infrastructure http://www.flickr.com/creativecommons/
MediaWiki - new www.owasp.org • It’s a wiki • Replaces the current CMS • Easier updates • Scalable, relatively secure
Blogs • For all OWASP members • WordPress 2.0
Forums • Existing forums are dead • UltimaBB • Link from front page
Downloads • Finished products/versions move to owasp.org • Development remains at SourceForge (supports CVS)
Mail lists • Two mail infrastructures: • webappsec@securityfocus.com • owasp-*@lists.sourceforge.net • Need to bring this in house... eventually • Will happen during 2006 / 2007