OWASP Membership Plan
Jeff Williams
Chair – The OWASP Foundation
CEO – Aspect Security
jeff.williams@owasp.org

Thank You
Mission
OWASP is dedicated to finding and fighting the causes of insecure software
• What causes?
  • Immediate causes – vulnerabilities themselves
  • Developers and operators
  • Organizational structure, development process, supporting technology
  • Increasing connectivity and complexity
  • Legal and regulatory environment
  • Asymmetric information in the software market
Application Security Is Just Getting Started
• You can’t improve what you can’t measure
• We need to…
  • Experiment
  • Share what works
  • Combine our efforts
• Expect 10 years
Approach == “Open”
• Open means everything is $free
• Open means rough consensus and running code
• Open means free to use and modify
• Open means independent
• Open means open information sharing
• Open means wider audience and participation
Our Successes
• OWASP Tools and Documentation
  • ~15,000 downloads (per month)
  • ~30,000 unique visitors (per month)
  • ~2 million website hits (per month)
• OWASP Chapters are blossoming worldwide
  • 1674 members in 56 chapters (~4 new chapters per month)
• OWASP AppSec Conferences
  • New York, London, Washington D.C., more…
• Distributed content portal
  • 90 authors for tools, projects, and chapters
Some of What You’ll Find at OWASP
• Community: Local Chapters, Translations, Conferences, Mailing Lists, Papers and more…
• Documentation: Guide, Top Ten, Testing, Legal, AppSec FAQ and more…
• Tools: WebGoat, WebScarab, Stinger, DotNet and more…
All free and open source
Our Failures
• OWASP currently isn’t good at…
  • Managing projects
  • Establishing a great community infrastructure
  • Recruiting contributors
  • Setting a clear roadmap
• Direct result of part-time leadership
• We are correcting this with a three part plan
Part 1 – Establish The OWASP Foundation
[Diagram: The OWASP Foundation, comprising Technical Infrastructure, Foundation Mgmt, Project Mgmt and Tech. Editors, supported by Members and Contributors]
Part 2 – Create the Membership Plan
• Newly Unveiled Plan
  • Dual License Approach
  • Membership Fees
• Open!
  • Not like SANS, CSI, OASIS, or anything else
• Membership Drive Soon
  • Small number of companies have already joined, even before any membership drive, including VISA
Dual License Approach
• Open Source License
  • Anyone can use OWASP Materials according to the terms of the open source license associated with each OWASP project.
- OR -
• Commercial License
  • Members get a Commercial License that allows all employees to use the OWASP Materials without having to consider the open source license.
How to Become a Member
[Figure: Step 1, Step 2]
http://www.owasp.org/about/membership.html
Part 3 – Find a Full-Time Director
• OWASP is looking for a candidate for director
• Responsibilities will include:
  • Developing a relationship with OWASP users
  • Fund-raising and publicity
  • Coordinating projects and chapters
  • Overseeing and coordinating infrastructure
• Working with:
  • Security experts
  • Industry representatives
  • Press and media
Imagine…
• The OWASP Application Security Academy
  • Developers, AppSec Specialists, Management
• OWASP Certified Application Security Professional
• OWASP Independent Testing Labs
  • Applications, Products, Libraries, Evaluation Methodology
• OWASP Open Static Analysis Project
• OWASP Application Security Workbench
  • Tools, Findings, STRIDE/DREAD, Report Generation
• OWASP Standards
• OWASP Metrics
• OWASP Legal
  • Legislation, RFP Language, Defense Fund
Software Facts
Expected Number of Users: 15
Typical Roles per Instance: 4
Modules: 155
Modules from Libraries: 120

                                 % Vulnerability*
Cross Site Scripting      22     65%
  Reflected               12
  Stored                  10
SQL Injection              2
Buffer Overflow            5     95%

Ingredients: Sun Java 1.5 runtime, Sun J2EE 1.2.2, Jakarta log4j 1.5, Jakarta Commons 2.1, Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOMv1

Total Security Mechanisms   3
Modularity                 .035
Cyclomatic Complexity     323
Encryption                  3
Authentication             15
Access Control              3
Input Validation          233
Logging                    33

* % Vulnerability values are based on typical use scenarios for this product. Your Vulnerability Values may be higher or lower depending on your software security needs:

Usage                      Intranet        Internet
Cross Site Scripting       Less Than 10    5
  Reflected                Less Than 10    5
  Stored                   Less Than 10    5
SQL Injection              Less Than 20    2
Buffer Overflow            Less Than 20    2
Security Mechanisms        10              14
Encryption                 3               15
Questions & Answers
www.owasp.org