160 likes | 301 Views
OWASP DENVER CHAPTER MEETING FEBRUARY 20 2007. David Campbell OWASP Denver Chapter dcampbell@owasp.org +1 (415) 377 7379. DENVER, COLORADO USA. Denver Chapter Business. Leadership Change Much thanks to David Byrne and Andy Lewis for their leadership over the past two years
E N D
OWASP DENVERCHAPTER MEETING FEBRUARY 20 2007 David Campbell OWASP Denver Chapter dcampbell@owasp.org +1 (415) 377 7379 DENVER, COLORADO USA
Denver Chapter Business • Leadership Change • Much thanks to David Byrne and Andy Lewis for their leadership over the past two years • Transitioning to David Campbell and Eric Duprey • Goal for 2008 • Meetings at least bi-monthly • Planning the Front Range OWASP Conference ( 10 June 2008) along with the BOULDER OWASP chapter
OWASP Mission Open source non-profit charitable foundation dedicated to enabling organizations so they can develop, maintain, and acquire software they can trust Making Security Visible Through… Documentation Top Ten, Dev. Guide, Design Guide, Testing Guide, … Tools WebGoat, WebScarab, Site Generator, Report Generator, ESAPI, CSRF Guard, CSRF Tester, Stinger, Pantera, … Working Groups Browser Security, Industry Sectors, Access Control (XACML), Education, Mobile Phone Security, Preventive Security, OWASP SDL, OWASP Governance, RIA SecurityCommunity and Awareness Local Chapters, Conferences, Tutorials, Mailing Lists 3
Some OWASP Growth Stats • One year ago (Oct 2006), we had • about 75 local chapters • about 15 corporate sponsors • about 180K page views / month at OWASP.org • and finally a little bit of money . About $88K • Now (Nov 2007), we have • over 100 local chapters • over 30 corporate sponsors • about 360K page views / month at OWASP.org • prior to this conference we had about $298K • Of which $80K is pledged to the completion of the 2007 Spring of Code projects 4
How Does OWASP Make Money? • Corporate sponsorships • Individual memberships
Where Does the Money Go? • Conferences • Much more affordable than SANS / Blackhat / Cansec • Books • Created from the Wiki materials (i.e. Top 10, Testing Guide) • Distributed to corporate sponsors and individual members • Projects (Spring of Code, Winter of Code) • Subsidies to fly in top notch speakers for chapter meetings!
SpoC 007 - OWASP Spring of Code 2007 • 26 projects sponsored @ $125,000 USD • 15 projects made strong to amazing deliveries • OWASP Education Project (PPTs for community use) • Code Review Guide • OWASP Top 10 - Ruby on Rails version • Attacks refresh (Wiki data consolidation) • OWASP Evaluation and Certification criteria • OWASP Scholastic Project (using OWASP at academia) • SpoC project management (we now know how to do it :) ) • 5 projects are in the final stages • 6 projects were canceled • Final amount sponsored: $103,500 USD 9
OWASP Working Groups • Browser Security: Robert R'Snake, Petkov Pdb • Industry Sectors: Tom Brennan • Access Control (XACML): Gunner peterson • Education: Sebastien Deleersnyder • Mobile Phone Security: Corey Benninger • Preventive Security: Dinis Cruz • OWASP SDL: Pravir Chandra • OWASP Governance: Tom Brennan • Some ideas for other OWASP working groups: • RIA Frameworks, Open Source solutions, Commercial vendors solutions, Evaluation & Certification, Privacy 10
Some OWASP Conference Stats 1st OWASP AppSec Conference (2004 NY) - ~100 people on a weekend 2nd OWASP AppSec Conference (2005 London) ~100 on a weekend 3rd OWASP AppSec Conference (2005 D.C.) About 175 Attendees plus 40 people in first tutorial 4th OWASP AppSec Conference (2006 Brussels) About 125 with 40 people in two tutorials plus refereed papers track 5th OWASP AppSec Conference (2006 Seattle) About 180 attendees with 115 in three tutorials! 6th OWASP AppSec Conference (2007 Milan) About 140 attendees, 40 people in 3 tutorials plus refereed papers track OWASP Taiwan Conference (2007 Taiwan) About 600 attendees for half day free conference!! 2007 OWASP & WASC AppSec Conference (2007 San Jose) About 260 attendees with 80 people in six 2-day tutorials First Tech Expo: Sold out with 10 vendors participating 11
Conference Plans for 2008 2008 OWASP Australia AppSec Conference Gold Coast – March 29-31 – 1-day tutorials, 2-day conference 2008 OWASP AppSec Europe Conference Brussels – May 19-22, 2008 Refereed papers track, Vendor Expo Two day Tutorials – two day conference 2008 Front Range OWASP Conference One day, multi-track (tech & mgt) CFP immiment! Some top notch speakers already committed 2008 OWASP AppSec Taiwan Conference - ?? 2008 OWASP AppSec U.S. Conference New York City, Oct. 2007 Refereed papers track, Vendor Expo, Lots of tutorials Capture the flag event? 12
What does all this mean? • OWASP is gaining industry traction • PCI-DSS Self Assessment Questionnaire (SAQ) requirement 6.5 specifically requires that OWASP guidelines be followed when developing web apps
What Can You Do? • Just getting started with application security? • Managers: Familiarize yourself with the Top 10 most common vulnerabilities in web applications • Developers: Get your hands on the OWASP Guide to Building Secure Web Applications • Penetration Testers: Start working through the OWASP Testing Guide, and also tools like Webscarab
What Can You Do? • Already past that stage? • Get involved! We need the following: • Presenters for future meetings • OWASP Project Leaders and Participants • Season of Code Participants (paid projects!) • Wiki contributions