OWASP - User contributions [en]

AppSecAsiaPac2012

2012-03-22T15:18:53Z

Pravir Chandra:

__NOTOC__
{| border="0" align="center" style="width: 100%;"
|-
| style="width: 75%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
[[File:Owasp appsecAsia2012ConfBanner.jpg]]
| style="width: 25%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
[[File:RegisterForAppsec.png|link=http://www.regonline.com/appsecapac2012]]
|}
=Welcome=
<font size=2pt>
{{Social Media Links}}



{| border="0" cellpadding="15" align="center" class="FCK__ShowTableBorders" style="width: 100%;"
|-
| style="width: 35%; background: none repeat scroll 0% 0% rgb(255, 255, 255); color: black;" |
<center>[[File:Owaspconf2012_small320w.jpg]]</center>

<br/>
<br/>
'''Welcome to the OWASP 2012 Appsec Asia Pacific Conference.'''

The event is being held in Sydney, Australia from the 11th to the 14th of April 2012 at the Four Points Sheraton Darling Harbour.

The conference consists of 2 days of world class training by OWASP instructor's followed by 2 days of quality presentations and keynotes from industry leaders, OWASP projects and industry consultants. In previous years the OWASP Asia Pacific conference has been rated as one of the "must attend" events of the year, with the conference always filling up quickly.
<br/>

'''Who should attend this conference:'''

* Application Developers, Testers, Quality Assurance Team Members
* Chief Information Officers, Security Officers, Technology Officers
* Security Managers and Staff
* Executives, Managers and staff responsible for IT Security Governance
* IT Professionals interested in Improving Information Security
<br/>

'''Conference Highlights:'''

* Alastair MacGibbon: Keynote Presentation (more information available on "Speakers" Tab)
* Jacob West (Fortify - HP): Keynote Presentation (more information available on "Speakers" Tab)
* Industry Leading training - Exploiting Web Applications with Samurai-WTF
* Industry Panel from Finance and Insurance Sectors
* Networking Opportunities to meet peers and other developers
* Gain access to resources within OWASP projects as well as leading vendors
<br/>
[[File:RegisterForAppsec.png|link=http://www.regonline.com/appsecapac2012]]

| style="width: 20%; background: none repeat scroll 0% 0% rgb(255, 255, 255);" |
<center>'''Thank you to all of our supporters!'''</center>
<br/>
<h2><center>Diamond & Platinum Sponsors</center></h2>

<center>[[File:Fortify HP logo.png|link=http://www.fortify.com]]</center>

<h2><center>Gold & Silver Sponsors</center></h2>

<center>[[File:AppsecureTransLogo.png|link=http://www.appsecure.com/]]</center><br/>

<center>[[File:CS-LogoWeb.png|link=http://www.contentsecurity.com.au/]]</center><br/>

<center>[[File:Imperva 312x54.jpg|link=http://www.imperva.com/]]</center><br/>

<center>[[File:Ionize75H.jpg‎|link=http://www.ionize.com.au/]]</center><br/>

<center>[[File:SPL-LOGO-LARGE.png|link=http://www.trustwave.com/]]</center><br/>

<h2><center> Associations & Supporters</center></h2>
We are proudly supported by the following Industry Associations and Media outlets.

<center>[[File:Auscert-Header-logo.gif|link=http://www.auscert.org.au/]]</center>

<center>[[File:AisaLogo.png|link=http://www.aisa.org.au/]]</center>

|}

=Registration Costs=

{{:AppSecAsiaPac2012/Register}}

=Training=

{{:AppSecAsiaPac2012/Training}}

= Conference Schedule=

NOTE: Conference is scheduled to change as required by the conference committee, check back for updates prior to the conference.

<font size=2pt>
{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 75%;"
|-
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font size=3pt>'''Conference Day 1 - Friday - April 13th''' </font>
<br>
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | ''(Time Allocated)''
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Track 1 - Detect''' <br> (Grand Ballroom 1 & 2)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | '''Track 2 - Protect''' <br> (Grand Ballroom 3)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | '''Track 3 - Leadership & OWASP''' <br> (Wharf & Bridge Rooms Level 1)
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''7:30 - 8:30 AM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Conference Registration Open - Coffee & Tea Available '''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:30-8:40 AM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Conference Opening - Appsec Asia 2012'''
Speakers: Conference Committee Chair - Mr Justin Derry
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:40-9:30 AM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Alastair MacGibbon
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:30-9:40 AM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:40-10:30 AM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker:Jacob West
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''10:30-11:00 AM''
<br>
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Morning Tea - Provided for attendees in main EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:00-11:50 AM''
<br>
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: You can't filter the stupid!'''
 Speakers: Charles Henderson & David Byrne
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Advanced Mobile Application Code Review Techniques'''
 Speaker: Prashant Vema & Dinesh Shetty
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Effective Software Development in a PCI-DSS Environment'''
 Speaker: Bruce Ashton
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:50-12:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:00-12:50 PM''
<br>
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Testing from the Cloud. Is the Sky Falling?'''
 Speaker: Matt Tesauro
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Rethinking Web Application Architecture for Cloud'''
 Speaker: Arshad Noor
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: OWASP Project - Secure Coding Practices Quick Reference Guide'''
 Speaker: Justin Clarke
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:50-1:30 PM''
<br>
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''1:30-2:20 PM''
<br>
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Overcoming the Quality vs Quantity Problem in Software Security Testing'''
 Speaker: Rafal Los
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Mobile Security on iOS and Andriod'''
 Speaker: Mike Park (Trustwave)
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: De-Anonymizing Anonymous'''
 Speaker: Wayne O'Young
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:20-2:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:30-3:20 PM''
<br>
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Pen Testing Mobile Applications'''
 Speaker: Frank Fan
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Application Security Logging & Monitoring, The Next Frontier'''
 Speaker: Peter Freiberg
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Modern Software Security Assurance with OpenSAMM'''
 Speaker: Pravir Chandra
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:30-4:00 PM''
<br>
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Afternoon Tea - Provided for attendees in EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:00-4:50 PM''
<br>
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Harder, Better, Faster, Stronger (SQLi)'''
 Speakers: Luke Jahnke<br> & Louis Nyffenegger
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Securing the SSL Channel against Man-in-the-middle Attacks'''
 Speaker: Tobias Gondrom
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: The risks that Pen Tests don't find'''
 Speaker: Gary Gaskell
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:50-5:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:00-5:30 PM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Panel Discussion - Application Security Trends in 2012'''
Panelists: TBA
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:30-6:30 PM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP - Afternoon Networking Event - TBA'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''6:30 - 10:00 PM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP - Evening Networking Event - TBA'''
|}

{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 75%;"
|-
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font size=3pt>'''Conference Day 2 - Saturday- April 14th''' </font>
<br>
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | ''(Time Allocated)''
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Track 1 - Detect''' <br> (Grand Ballroom 1 & 2)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | '''Track 2 - Protect''' <br> (Grand Ballroom 3)
| style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" | '''Track 3 - Leadership & OWASP''' <br> (Wharf & Bridge Rooms Level 1)
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''7:30 - 8:30 AM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Conference Registration Open - Coffee & Tea Available '''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:30-8:40 AM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''Conference Day 2 Update- Appsec Asia 2012'''
Speakers: Conference Committee Chair - Mr Justin Derry
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''8:40-9:30 AM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Jeremiah Grossman
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:30-9:40 AM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''9:40-10:30 AM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''KeyNote: Presentation'''
Speaker: Dr Jason Smith
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''10:30-11:00 AM''
<br>
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Morning Tea - Provided for attendees in main EXPO & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:00-11:50 AM''
<br>
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation:Pentesting iOS Applications:'''
 Speaker:Jason Haddix
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Password Less Authentication & Authorization & Payments'''
 Speaker: Srikar Sagi
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: OWASP Project - ZED Attack Proxy'''
 Speaker: Simon Bennetts
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''11:50-12:00 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:00-12:50 PM''
<br>
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: HTTP Fingerprinting - Next Generation'''
 Speaker: Eldar Marcussen
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Web Crypto for the Developer who has better things to do.'''
 Speaker: Adrian Hayes
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Static Code Analysis & Governance'''
 Speaker: Jonathan Carter
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''12:50-1:30 PM''
<br>
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level'''
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''1:30-2:20 PM''
<br>
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Shake Hooves with BeEF'''
 Speaker: Christian Frichot
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Software Security Goes Mobile'''
 Speakers: Jacob West
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: Data Breaches - When Application Security Goes Wrong'''
 Speaker: Mark Goudie
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:20-2:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''2:30-3:20 PM''
<br>
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Pentesting Smart Grid Web Apps'''
 Speaker: Justin Searle
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Breaking is Easy, Preventing is Hard'''
 Speakers: Matias Madou
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: How MITM Proxy has been slaying SSL Dragons'''
 Speaker: Jim Cheetham
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:20-3:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''3:30-4:20 PM''
<br>
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |  '''Presentation: Rise of the Planet of the Anonymous'''
 Speaker: Errazudin Ishak
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" |  '''Presentation: Anatomy of a Logic Flaw'''
 Speakers: Charles Henderson & David Byrne
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(204, 255, 122);" |  '''Presentation: OWASP Australia - Where, How, Why, When'''
 Speaker: Justin Derry & Andrew Vanderstock
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:20-4:30 PM''
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(246, 246, 246);" | Short Break - Conference Movement
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''4:30-5:00 PM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '''OWASP Appsec Asia 2012 - Conference Wrap Up'''
Speakers: OWASP Board, OWASP Appsec Asia Conference Committee
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" |  ''5:00-6:00 PM''
<br>
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | '''OWASP Sponsor - Afternoon Networking Event - TBA'''
|}

</font>

=Keynote Speakers=

'''In alphabetical order:'''

==Alastair MacGibbon==
Alastair MacGibbon is an internationally-respected authority on cybercrime, including Internet fraud, consumer victimisation and a range of Internet security and safety issues. He is the managing partner of Surete Group, a consultancy dealing with improved customer retention for Internet companies by increasing trust and reducing negative user experiences. Prior to this for almost 5 years Alastair headed Trust & Safety at eBay Australia and later eBay Asia Pacific. He was a Federal Agent with the Australian Federal Police for 15 years, his final assignment as the founding Director of the Australian High Tech Crime Centre.

==Jacob West==
Jacob West is Director, Software Security Research for the Enterprise Security Products division of Hewlett-Packard. West is a world-recognized expert on software security and brings a technical understanding of the languages and frameworks used to build software together with extensive knowledge about how real-world systems fail. In 2007, he co-authored the book "Secure Programming with Static Analysis" with colleague and Fortify founder Brian Chess. Today, the book remains the only comprehensive guide to static analysis and how developers can use it to avoid the most prevalent and dangerous vulnerabilities in code. West is a frequent speaker at industry events, including RSA Conference, Black Hat, Defcon, OWASP, and many others. A graduate of the University of California, Berkeley, West holds dual-degrees in Computer Science and French and resides in San Francisco, California.

==Dr. Jason Smith from CERT Australia==
Dr Jason Smith is an assistant director at the national CERT, CERT Australia, which is part of the Attorney-General's Department. He is an experienced cyber security researcher and consultant, having provided consultancy services over the last decade on information infrastructure protection to government and critical infrastructure utilities.

Since joining government Jason has been involved in the development and execution national scale cyber exercises and the advanced cyber security training for control systems conducted by the US Department of Homeland Security.

Jason holds a degree in software engineering and data communications, a PhD in information security and is an Adjunct Associate Professor at the Queensland University of Technology.

[http://www.cert.gov.au/ About CERT Australia]

==Jeremiah Grossman==
Jeremiah Grossman is the Founder and CTO of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, NY Times and many other mainstream media outlets. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on five continents at hundreds of events including BlackHat, RSA, ISSA, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, UCLA, and Carnegie Mellon. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and previously named one of InfoWorld's Top 25 CTOs. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!

Mr. Grossman was recently a speaker at TEDxMaui. [http://tedxmaui.com/2011/12/30/speaker-spotlight-jeremiah-grossman/ Learn more here.]

=Track Session Speakers=

{{:AppSecAsiaPac2012/Talks}}

=Sponsors=

The Conference Committee is excited to announce that the conference has been openly supported by the following vendors and associations. Without the great support of these companies and organisations the 2012 event would not be what it is today.

<h2>Diamond & Platinum Sponsors</h2>
The OWASP Conference 2012, welcomes our sponsors for Diamond and Platinum. There are still spaces available for sponsorship, but it's closing fast.

More information is available on our sponsorship packages by viewing the sponsor pack [[File:AppSec AsiaPac 2012 Sponsorship.pdf]]. Contact our Committee for more information.

[[File:Fortify HP logo.png|link=http://www.fortify.com]]

<h2>Gold & Silver Sponsors</h2>
The OWASP Conference 2012, welcomes our sponsors for Gold and Silver. The conference still has availability for other Gold and Silver sponsors.

[[File:AppsecureTransLogo.png|link=http://www.appsecure.com/]]
[[File:Imperva 312x54.jpg|link=http://www.imperva.com/]]
[[File:Ionize75H.jpg‎|link=http://www.ionize.com.au/]]
[[File:CS-LogoWeb.png|link=http://www.contentsecurity.com.au/]]
[[File:Trustwave small.png|link=http://www.trustwave.com/]]

<h2> Associations & Supporters</h2>
We are proudly supported by the following Industry Associations and Media outlets.

[[File:Auscert-Header-logo.gif|link=http://www.auscert.org.au/]]
[[File:AisaLogo.png|link=http://www.aisa.org.au/]]

=Chapters Workshop=

{{:AppSecAsiaPac2012/Chapters_Workshop}}

=Venue=

We're excited to announce that the location of the OWASP Conference for Appsec Asia 2012 will be held at:

'''Four Points Sheraton, Darling Harbour'''<br>
161 Sussex Street<br>
Sydney, New South Wales 2000<br>
Australia <br>
<br>

The facility provides hotel rooms and conference facilities, OWASP has secured cheap room rates directly in the hotel for the duration of the event.

If you don't know your way around Sydney, here's the Google Maps link to the Hotel.

http://maps.google.com.au/maps/place?q=Four+Points+by+Sheraton+Sydney,+Sussex+Street,+Sydney,+New+South+Wales&hl=en&cid=7369128618339939693

[[File:FourPointsSheratonDarlingHarbour.jpg]]
<br>

We are using both the Ground and upper levels. The majority of the event will be held on the ground level, including all breaks etc. Attendees will find the registration and conference desk located at the Ground level near Hotel Reception. (You're not going to get lost, as we take up most of the ground level for this event.)

Further details about venue locations will be posted when they become available.

=Travel and Accommodations=
For assistance with any of the items below, feel free to utilize OWASP's preferred travel agency:<br>
Segale Travel Service contact information is: +1-800-841-2276 <br>
Sr. Travel Consultants: <br>
[mailto:mariam@segaletravel.com Maria Martinez]...ext 524 <br>
[mailto:linnv@segaletravel.com Linn Vander Molen]...ext 520

Additionally, the [mailto:appsecasia2012@owasp.org Conference Planning Team] is available to answer any questions!

==Accommodation==

We've been able to arrange for accommodation within the Four Points Sheraton Hotel(where the training and conference will be held) for attendees. These rooms have been allocated at a special rate, and available strictly for a limited time. To book these rooms at the special rate, you need to use the booking link shown below. These rooms are available one night either side of the event ensuring that if you are travelling interstate or international it's easy to find a room at a good rate. The room rate allocated for the event is $200 AUD Inclusive per night.

'''Four Points Sheraton, Darling Harbour'''<br>
161 Sussex Street<br>
Sydney, New South Wales 2000<br>
Australia <br>
<br>

'''[http://www.starwoodmeeting.com/Book/OWASP http://www.starwoodmeeting.com/Book/OWASP]'''

==Travel Domestic==

The OWASP Conference is to be held in Sydney at the Darling Harbour precinct. Hotel Location, http://maps.google.com.au/maps/place?q=Four+Points+by+Sheraton+Sydney,+Sussex+Street,+Sydney,+New+South+Wales&hl=en&cid=7369128618339939693

==International Travel==

The Sydney International Airport is located adjacent to the Domestic terminal. Similar taxi fares to the city and hotel venue apply.
If you are travelling by train, you can ride the train from the International terminal all the way to the Town Hall station as above.

==Airport Transportation==

*Any major Airline carrier will fly you into Sydney Airport, from here, you can take a Taxi (Approx $35-40 AUD).
*[http://www.kst.com.au KST Sydney Airport Shuttle] -- $18AUD oneway/ $32AUD roundtrip
* Another option is the train from the Airport, which you can ride all the way into the closest station which is Town Hall. From this stop the hotel is a small downhill walk (no more then 5-10mins) from the station.

==Driving Instructions==

''From Sydney Airport (South)''

Travel along Southern Cross Drive and take the South Dowling Street exit.

Turn right onto Dacey Avenue.

At the second set of traffic lights turn left onto Anzac Parade.

Follow Anzac Parade past Moore Park on your right; Anzac Parade will become Flinders Street.

Turn left onto Oxford Street and follow to Liverpool Street; Hyde Park will be on your right.

Continue along Liverpool Street and turn right onto Kent Street.

Travel five blocks and turn left onto Erskine Street.

Immediately turn left again onto Sussex Street. The hotel will be on your right.

''From East''

Proceed along New South Head Road. Continue onto William Street and then onto Park Street; Hyde Park will be on your right.

Proceed along Park Street as it becomes Druitt Street and turn right onto Kent Street.

Travel approximately three blocks and turn left onto Erskine Street.

Immediately turn left again onto Sussex Street. The hotel will be on your right.

''From West''

Proceed along the Western Distributor towards the city taking the City North exit followed by the Sussex Street South Exit.

Turn right onto Sussex Street, the hotel will be on your right.

''From North''

Take the Pacific Highway/Warringah Highway and proceed over the Sydney Harbour Bridge.

Take the York street exit off the bridge and continue along before turning right into Erskine Street .

Proceed approximately three blocks before turning left into Sussex Street. The hotel will be on your right.

=Contact Us=

Justin Derry - Planning Committee Co-Chair<br>
Andrew van der Stock - Planning Committee Co-Chair<br>
Christian Frichot - Planning Committee Member<br>
Andrew Mueller - Planning Committee Member<br>
Mohd Fazli Azran - Global Conference Committee Liaison<br>
Sarah Baso - OWASP Operational Support<br>

If you are interested in helping out with this conference or have any questions, please contact us at: appsecasia2012@owasp.org

=Archives=

*[https://www.owasp.org/index.php/AppSecAsiaPac2012/CFP Call for Papers]
*[[Speaker Agreement]]
*[https://www.owasp.org/index.php/AppSecAsiaPac2012/CFT Call for Trainers]
*[https://www.owasp.org/images/8/80/APAC2012_Training_Instructor_Agreement.pdf Training Instructor Agreement]
*Information about the [https://www.owasp.org/index.php/AppSecAsiaPac2012/OWASP_Track OWASP Track]

</font>

<headertabs />

Global Industry Committee - Application 10

2011-03-23T03:23:46Z

Pravir Chandra:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----

{| style="width:100%" border="0" align="center"
|-
! colspan="2" align="center" style="background:#4058A0; color:white" | <font color="white">'''COMMITTEE APPLICATION FORM'''</font>
|-
| style="width:25%; background:#7B8ABD" align="center" | '''Applicant's Name'''
| colspan="1" style="width:85%; background:#cccccc" align="left" | <font color="black">Sherif Koussa</font>
|-
| style="width:25%; background:#7B8ABD" align="center" | '''Current and past OWASP Roles'''
| colspan="1" style="width:85%; background:#cccccc" align="left" | OWASP Ottawa Chapter Leader - WebGoat 5.0
|-
| style="width:25%; background:#7B8ABD" align="center" | '''Committee Applying for'''
| colspan="1" style="width:85%; background:#cccccc" align="left" | Global Industry Committee
|}

----

<br>

----

Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote.

----

<br>

----

{| style="width:100%" border="0" align="center"
|-
! colspan="8" align="center" style="background:#4058A0; color:white" | <font color="white">'''COMMITTEE RECOMMENDATIONS'''</font>
|-
! align="center" style="background:white; color:white" | <font color="black"></font>
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Who Recommends/Name'''</font>
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Role in OWASP'''</font>
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Recommendation Content'''</font>
|-
| style="width:3%; background:#cccccc" align="center" | '''1'''
| style="width:20%; background:#cccccc" align="center" | Dinis Cruz
| style="width:20%; background:#cccccc" align="center" | [[O2 Platform]] Project Leader
| style="width:57%; background:#cccccc" align="center" | Sherif is an active OWASP leader and in the past has already made a number of bridges and connections with the Industry. I think he will be a great addition to this Committee
|-
| style="width:3%; background:#cccccc" align="center" | '''2'''
| style="width:20%; background:#cccccc" align="center" | Bruce Mayhew
| style="width:20%; background:#cccccc" align="center" | [[WebGoat]] Project Leader
| style="width:57%; background:#cccccc" align="center" | Sherif is active in the security community, active in OWASP, and has made major contributions to WebGoat. Sherif will be an asset to this committee.
|-
| style="width:3%; background:#cccccc" align="center" | '''3'''
| style="width:20%; background:#cccccc" align="center" | Karim Nathoo
| style="width:20%; background:#cccccc" align="center" | OWASP Ottawa Chapter Co-Leader
| style="width:57%; background:#cccccc" align="center" | Sherif is the driving force behind the Ottawa Chapter.  He is both a very passionate and motivated volunteer and also a talented application security professional.  I am confident he will be an asset to the Global Industry Committee.
|-
| style="width:3%; background:#cccccc" align="center" | '''4'''
| style="width:20%; background:#cccccc" align="center" | Joe Bernik<span class="Apple-tab-span" style="white-space:pre"> </span>
| style="width:20%; background:#cccccc" align="center" | Committee member<span class="Apple-tab-span" style="white-space:pre"> </span>
| style="width:57%; background:#cccccc" align="center" | Sherif is a driven leader in Canada and will make a great contribution to the Committee.
|-
| style="width:3%; background:#cccccc" align="center" | '''5'''
| style="width:20%; background:#cccccc" align="center" | Abraham Kang
| style="width:20%; background:#cccccc" align="center" | DOM based XSS Cheatsheet Co-Leader
| style="width:57%; background:#cccccc" align="center" | Sherif is a talented application security engineer. He has worked in many industrusties and his experience would be a great asset to the committee.
|-
| style="width:3%; background:#cccccc" align="center" | '''--'''
| style="width:20%; background:#cccccc" align="center" | Pravir Chandra
| style="width:20%; background:#cccccc" align="center" | OWASP Project Leader
| style="width:57%; background:#cccccc" align="center" | Sherif is a very thoughtful and knowledgeable player in the application security space. Combining that with his diverse experience with various industry verticals, he'd be a great addition to help ensure the GIC is well represented.
|}

----

Global Industry Committee - Application 6

2011-03-16T21:54:29Z

Pravir Chandra:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----

{| border="0" align="center" style="width: 100%;"
|-
! align="center" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" colspan="2" | <font color="white">'''COMMITTEE APPLICATION FORM'''</font>
|-
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Applicant's Name'''
| align="left" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" colspan="1" | <font color="black">Nishi Kumar</font>
|-
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Current and past OWASP Roles'''
| align="left" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" colspan="1" | OWASP CBT Project lead and part of OWASP Global Education Committee
|-
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Committee Applying for'''
| align="left" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" colspan="1" | Global Industry Committee
|}

----

<br>

----

Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote.

----

<br>

----

{| border="0" align="center" style="width: 100%;"
|-
! align="center" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" colspan="8" | <font color="white">'''COMMITTEE RECOMMENDATIONS'''</font>
|-
! align="center" style="background: none repeat scroll 0% 0% white; color: white;" | <font color="black"></font>
! align="center" style="background: none repeat scroll 0% 0% rgb(123, 138, 189); color: white;" | <font color="black">'''Who Recommends/Name'''</font>
! align="center" style="background: none repeat scroll 0% 0% rgb(123, 138, 189); color: white;" | <font color="black">'''Role in OWASP'''</font>
! align="center" style="background: none repeat scroll 0% 0% rgb(123, 138, 189); color: white;" | <font color="black">'''Recommendation Content'''</font>
|-
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''1'''
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Giorgio Fedon
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Owasp Italy TD
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Nishi is a talented professional with specific knowledge about large corporates needs for Appsec
|-
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''2'''
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Keith Turpin
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Project Leader
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Nishi represents a large financial sector service and technology provider. She brings extensive industry knowledge and represents a customer set that can directly benefit from OWASP projects. As a industry partner she brings a user based view that will help provide a useful perspective to the committee. Combine this with her excellent technical knowledge as a system architect and she will be an asset as a committee member.
|-
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''3'''
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Dinis Cruz
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | [[O2 Platform]] project leader
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Nishi is going to add a lot of value to this committee. She is a good representative to the type of Industry contact OWASP needs to reach out, and the quality of her contributions to OWASP projects (like the CTB) speak for themselves
|-
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''4'''
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Anurag Agarwal
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Project Leader
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Nishi is very dynamic and hard working. She has practical experience in handling appsec in a big company. Her experience and knowledge is crucial in OWASP's mission
|-
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''5'''
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Greg Genung
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Austin OWASP Membership Director, LASCON Board Member, and OWASP Global Connections Committee Applicant
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Nishi's contributions to OWASP over the last 4 years that I have known her have been large and non-trivial. She jumps right in and supports any OWASP activity with energy for the organization and passion for her trade. Nishi was a contributor to the successful OWASP LASCON in Texas. Her professionalism, leadership, and knowledge in App-Sec makes her a shoe-in for education-related activies, especially community outreach & industry outreach.
|-
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''--'''
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Joe Bernik<span style="white-space: pre;" class="Apple-tab-span"> </span>
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Former Chapter lead and Commitee member<span style="white-space: pre;" class="Apple-tab-span"> </span>
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Nishi Welcome to the OWASP  Industry commitee and thank you for what I know will be a great contribution!
|-
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''--'''
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Alexander Fry
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | GIC Member
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | In addition to the other stellar recommendations for Nishi; she works hard, does good work, and completes projects. In the GIC, we have a large number of projects to complete and I know Nishi's contributions will be appreciated.
|-
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''--'''
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | James Wickett
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | OWASP Austin Chapter VP, LASCON Co-Founder
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Nishi was crucial to the success of LASCON and did a wonderful job on the board. She does a great job at whatever she puts her mind to. Also, she is pretty dang funny and outgoing and lets be honest, that is a rarity in the security community. I fully recommend her for this position.
|-
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''--'''
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Josh Sokol
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | OWASP Austin Chapter President, LASCON Co-Founder
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | It looks like Nishi is the single most recommended committee person in the history of OWASP and there is a reason for it. Nishi is awesome. She is smart, talented, and always willing to lend a hand. She has been a key element on our Austin board for a long time and was a crucial part of LASCON's success. She will be a valuable asset to the OWASP GIC.
|-
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''--'''
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Pravir Chandra
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | OpenSAMM Project Leader
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Nishi is a very motivated and frequent contributor to the OWASP community through her involvement in the Summits and several OWASP educational initiatives. Her perspective coming from the financial space is also a huge asset in knowing the right messaging to engage industry as a member of the GIC.
|}

----

Pravir Chandra

2009-11-18T23:25:26Z

Pravir Chandra: Redirected page to User:Pravir Chandra

#redirect [[User:Pravir_Chandra]]

User:Pravir Chandra

2009-11-18T23:24:28Z

Pravir Chandra:

<div style="display:inline;
width:200px; float:right; padding-left:40px; padding-right:50px; padding-bottom:40px;">
<div style="padding-bottom:10px;">
[http://www.owasp.org/index.php/Pravir_Chandra http://www.pravir.org/PravirChandra-picture.jpg]
</div>
</div>

<b> Please do contact me directly with any questions: <i> chandra <at> owasp <dot> org </i></b>
== My overall vision for OWASP ==

==== Enable contributors ====
The purpose of the Board is to ENABLE contributors
* Allow project leaders to focus on their projects and have the OWASP organization promote them
* Allow chapter leaders to focus on their communities and have the OWASP organization take care of back-end management

==== Professional face ====
OWASP needs a professional face to get more adoption in the software development industry
* There has to be a more user-friendly and efficient front-page for OWASP
** Needs to address people in different roles (CISOs thru geeks)
** Needs to show high-value to users consistently
* OWASP needs to promote projects in a unified voice
** Select and promote projects that are enterprise caliber
** Promote OWASP in non-OWASP circles such as software development conferences and industry-specific events (financial services, retail, etc.)
* Dev leaders need to be able to trust the quality of what they get from OWASP
** This is key to brand protection and needed by any organization of our size/diversity
* OWASP eventually needs to run like other open-source foundations (e.g. Apache)
** Officers and assigned roles/responsibilities

==== Industry feedback ====
OWASP needs more driving influence from our "customers", i.e. the development and appsec community
* Form an Industry Advisory Board
** Ask them directly what they want from OWASP, what their pain points are, & how we can help
** Ask non-members what it would take for them to join OWASP
** Offer Corporate Members a recurring seat on the advisory board for joining (increases membership)
* Organize "steering committees" for key projects that want them
** Useful for Corporate Members to provide feedback directly to projects that they rely upon
** Provides a forum for critical feedback and ideas for future directions

==My OWASP history==

==== Roles ====
* [http://www.owasp.org/index.php/CLASP CLASP Project Lead]
** Worked with my company (Secure Software) to donate the commercial CLASP methodology to OWASP
** Served as project lead since early 2006
* [http://www.owasp.org/index.php/SAMM OpenSAMM Project Lead]
** Worked with my company (Fortify Software) to contribute money to fund development with the purpose of donating it to OWASP
** Served as project lead since late 2008
* [http://www.owasp.org/index.php/Global_Projects_Committee Global Projects Committee Member]
** Worked with committee to develop updates to SoC planning, assessment criteria, project cataloging, etc.

==== Conferences ====
I've presented (or will present) at the following OWASP conferences
* AppSec Europe 2006 - Leuven, Belgium
** Donated CLASP to OWASP
** First time a commercial organization donated an existing commercial product
* AppSec Europe 2007 - Milan, Italy
* OWASP & WASC AppSec US 2007 - San Jose, CA
** Vendor Exhibition Chair
** First time OWASP allowed vendors to exhibit at a conference
* OWASP AppSec US 2008 - New York City, NY
** Unveiled the SAMM Beta
* OWASP Summit 2008 - Portugal
* OWASP AppSec Australia 2009 - Gold Coast, Australia
* OWASP AppSec Europe 2009 - Krakow, Poland
* OWASP Minneapolis Event 2009 - Minneapolis/St. Paul, MN
* OWASP AppSec Academia Symposium - Irvine, CA
* OWASP AppSec Brazil 2009 - Brasilia, Brazil
* OWASP AppSec US 2009 - Washington, DC

I stay active and present at as many local Chapter meetings as possible.
* In 2009, I've spoke at local chapters in 9 cities across the US & Canada

== Professional Experience ==

==== Bio ====

Pravir Chandra is Director of Strategic Services at Fortify where he works with clients to build and optimize software security assurance programs. Pravir is widely recognized in the industry for his expertise in software security and code analysis, and also for his ability to apply technical knowledge strategically from a business perspective. Prior to Fortify, he was affiliated with Cigital as a Principal Consultant where he led large software security programs at Fortune 500 companies. Pravir was also Co-Founder and Chief Security Architect at Secure Software, Inc. before the company was acquired by Fortify Software. His book, Network Security with OpenSSL is a popular reference on protecting software applications through cryptography and secure communications. His varied special project experience includes creating and leading the Open Software Assurance Maturity Model (OpenSAMM) project with the Open Web Application Security Project (OWASP) Foundation. Also, Pravir currently serves as a Member of the OWASP Global Projects Committee.

* Pravir Chandra's [http://www.linkedin.com/in/pravirchandra LinkedIn profile], and [[:Special:Contributions/Pravir Chandra|wiki contributions]].

Global Industry Committee - Application 2

2009-11-18T23:18:07Z

Pravir Chandra:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----
{| style="width:100%" border="0" align="center"
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM'''
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Alexander Fry
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|SoC 2008 Reviewer for Teachable Static Analysis Workbench and Source Code Review OWASP Projects

|-
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Global Industry Committee.
|}
----

----
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''.
An incomplete application will not be considered for vote.
----

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS'''
|-
! align="center" style="background:white; color:white"|<font color="black">
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name'''
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content'''
|-
| style="width:3%; background:#cccccc" align="center"|'''1'''
| style="width:20%; background:#cccccc" align="center"|'''Nishi Kumar'''
| style="width:20%; background:#cccccc" align="center"|'''Contributor of Live CD Project'''
| style="width:57%; background:#cccccc" align="center"|'''Alexander is bright and dedicated towards security. His involvement in Industry committe will be very valuable. '''
|-
| style="width:3%; background:#cccccc" align="center"|'''2'''
| style="width:20%; background:#cccccc" align="center"|'''James Walden'''
| style="width:20%; background:#cccccc" align="center"|'''Project leader for Source Code Review OWASP Projects'''
| style="width:57%; background:#cccccc" align="center"|'''Alexander has contacts that would let him reach out to industry areas OWASP hasn't impacted yet.'''
|-
| style="width:3%; background:#cccccc" align="center"|'''3'''
| style="width:20%; background:#cccccc" align="center"|'''William Gebhardt'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|'''Alex would be a valuable extension to our industry coverage'''
|-
| style="width:3%; background:#cccccc" align="center"|'''4'''
| style="width:20%; background:#cccccc" align="center"|'''Pravir Chandra'''
| style="width:20%; background:#cccccc" align="center"|'''OpenSAMM Project Lead, GPC Member'''
| style="width:57%; background:#cccccc" align="center"|'''Alex is a smart guy and passionate about security. He would provide great industry insight for the committee not just in the private sector, but also in the US Federal space.'''
|-
| style="width:3%; background:#cccccc" align="center"|'''5'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|}
----

Summit 2009

2009-11-12T13:46:47Z

Pravir Chandra: making the logo image fit better

__NOTOC__

[[Image:Summit09.JPG|700px]]

<br> 
====Welcome====
{| style="width: 100%;"
|-
| style="width: 100%; color: rgb(0, 0, 0);" |
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"
|-
| style="width: 95%; color: rgb(0, 0, 0);" |
'''OWASP Global Summit'''

On November 11th 2009 as part of the largest multi-day dedicated application security conference in the USA, [[OWASP AppSec DC 2009]] November 10-13th - OWASP chapter leaders, committee members, project leaders and OWASP members will gather in Washington DC to discuss the latest OWASP tools, documentation projects and set the application security agenda for 2010.

'''Who Should Attend Global Summit 2009:'''

* [http://www.owasp.org/index.php/Category:OWASP_Chapter#Local_Chapters OWASP Local Chapter Leaders]
* [http://www.owasp.org/index.php/Category:OWASP_Project OWASP Project Leaders]
* [http://www.owasp.org/index.php/Global_Committee_Pages OWASP Global Committee Leaders]
* [http://www.owasp.org/index.php/Membership OWASP Members]

* [http://www.owasp.org/index.php/About_OWASP About OWASP]

[http://www.owasp.org/index.php/Summit_2009#tab=Registration http://www.owasp.org/images/8/85/Screen_shot_2009-10-03_at_12.55.55_PM.png]



<br>

|}



| style="border: 0px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0);" | 
[[Image:Twitter-logo-300x300.gif]]

{|
|-
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |
Use '''#DcSummit09 hashtag''' for your tweets (What are [http://hashtags.org/ hashtags]?)

'''[http://search.twitter.com/search?q=%23DcSummit09 Realtime results]''' for #DcSummit09

'''OWASPSummit09 Twitter Feed ([http://www.twitter.com/OWASPSummit09 follow me!])'''

<twitter>16354283</twitter>

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}


====Agenda====

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style=background:#BCA57A"; color:white" | '''Room 156''' - November 11, 2009
|-
| style="width:15%; background:#7B8ABD" | 08:00-08:30 || colspan="2" style="width:75%; background:#C2C2C2" align="left" | Registration and Coffee
|-
| style="width:15%; background:#7B8ABD" | 08:30-9:00 || colspan="2" style="width:75%; background:#F2F2F2" align="center" | Opening Remarks: [http://www.owasp.org/index.php/User:Kate_Hartmann Kate Hartmann], OWASP Director of Operations what have we accomplished since [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 OWASP Summit 2009]
'''Don't miss this'''
|-
| style="width:15%; background:#7B8ABD" | 9:15-10:15 || colspan="2" style="width:75%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/Global_Membership_Committee Membership Committee], meet the next OWASP [[Board member]] pre-election town hall style Q&A
'''Moderator, Tom Brennan'''
|-
| style="width:15%; background:#7B8ABD" | 10:30-12:00 || colspan="2" style="width:80%;background:#F2F2F2" align="center" | [[:Category:Global Projects Committee|Project Committee Workshop]] ([[media:AppSec_DC_2009_OWASP_GPC.ppt|PPT]])
'''Moderator:Dinis Cruz'''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | WORKING LUNCH
|-
| style="width:10%; background:#7B8ABD" | 13:15-14:00|| colspan="2" style="width:80%; background:#F2F2F2" align="center" | [[Global Chapter Committee|Chapter Committee Workshop]] ([http://www.owasp.org/images/a/ae/Owasp-gcc-slides_Summit_2009.ppt PPT])
'''Moderator: Sebastien Deleersnyder'''
|-
| style="width:10%; background:#7B8ABD" | 14:15-15:00 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | [[Global Conferences Committee|Conferences Committee Workshop]]
'''Moderator: Dave Wichers'''
|-
| style="width:10%; background:#7B8ABD" | 15:15-16:00|| colspan="2" style="width:80%; background:#F2F2F2" align="center" | [[Global Education Committee|Education Committee Workshop]] ([http://www.owasp.org/images/4/4f/Owasp-gec-slides_Summit_2009.ppt PPT])
'''Moderator: Sebastien Deleersnyder'''
|-
| style="width:10%; background:#7B8ABD" | 16:15-17:00 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | [[:Category:Global Industry Committee|Industry Committee Workshop]]
'''Moderator:Tom Brennan'''
|-
| style="width:10%; background:#7B8ABD" | 17:15-18:00 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Buffer for extra discussion
|-
| style="width:10%; background:#7B8ABD" | 18:15-19:00 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | What has been accomplished today and what are the 2010 goals?
'''OWASP Board'''
|-
| style="width:10%; background:#7B8ABD" | 19:15-22:00 || colspan="2" style="width:80%; background:#C2C2C2" align="center" | OWASP Community Social Gathering
|-
|}

==== Registration ====
Participation is free for OWASP chapter leaders, committee members, project leaders and OWASP [[Membership|members]]

Hint: membership is only $50! Check out the [[Membership]] page to find out more.

Please [http://owaspsummit.eventbrite.com/ Register] upfront so we can size the venue appropriately.

==== Venue ====
The OWASP Global Summit 2009 will be hosted at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] in downtown Washington DC.

The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro], and only a few blocks from our convention hotel, the [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] (reserve rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=1401279&fromResdesk=true here]).

==== Organisation ====
The Summit 2009 Program Committee:
* Tom Brennan - tomb 'at' owasp.org
* Sebastien Deleersnyder - seba 'at' owasp.org
* Dinis Cruz - dinis.cruz 'at' owasp.org
* Paulo Coimbra - paulo.coimbra 'at' owasp.org
* Kate Hartmann - kate.hartmann 'at' owasp.org

For Summit related queries please contact Kate Hartmann (kate.hartmann@owasp.org)
<headertabs />

[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_09]]

Summit 2009

2009-11-12T13:45:03Z

Pravir Chandra: adding GPC slides link

__NOTOC__

[[Image:Summit09.JPG]]

<br> 
====Welcome====
{| style="width: 100%;"
|-
| style="width: 100%; color: rgb(0, 0, 0);" |
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"
|-
| style="width: 95%; color: rgb(0, 0, 0);" |
'''OWASP Global Summit'''

On November 11th 2009 as part of the largest multi-day dedicated application security conference in the USA, [[OWASP AppSec DC 2009]] November 10-13th - OWASP chapter leaders, committee members, project leaders and OWASP members will gather in Washington DC to discuss the latest OWASP tools, documentation projects and set the application security agenda for 2010.

'''Who Should Attend Global Summit 2009:'''

* [http://www.owasp.org/index.php/Category:OWASP_Chapter#Local_Chapters OWASP Local Chapter Leaders]
* [http://www.owasp.org/index.php/Category:OWASP_Project OWASP Project Leaders]
* [http://www.owasp.org/index.php/Global_Committee_Pages OWASP Global Committee Leaders]
* [http://www.owasp.org/index.php/Membership OWASP Members]

* [http://www.owasp.org/index.php/About_OWASP About OWASP]

[http://www.owasp.org/index.php/Summit_2009#tab=Registration http://www.owasp.org/images/8/85/Screen_shot_2009-10-03_at_12.55.55_PM.png]



<br>

|}



| style="border: 0px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0);" | 
[[Image:Twitter-logo-300x300.gif]]

{|
|-
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |
Use '''#DcSummit09 hashtag''' for your tweets (What are [http://hashtags.org/ hashtags]?)

'''[http://search.twitter.com/search?q=%23DcSummit09 Realtime results]''' for #DcSummit09

'''OWASPSummit09 Twitter Feed ([http://www.twitter.com/OWASPSummit09 follow me!])'''

<twitter>16354283</twitter>

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
|}


====Agenda====

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style=background:#BCA57A"; color:white" | '''Room 156''' - November 11, 2009
|-
| style="width:15%; background:#7B8ABD" | 08:00-08:30 || colspan="2" style="width:75%; background:#C2C2C2" align="left" | Registration and Coffee
|-
| style="width:15%; background:#7B8ABD" | 08:30-9:00 || colspan="2" style="width:75%; background:#F2F2F2" align="center" | Opening Remarks: [http://www.owasp.org/index.php/User:Kate_Hartmann Kate Hartmann], OWASP Director of Operations what have we accomplished since [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 OWASP Summit 2009]
'''Don't miss this'''
|-
| style="width:15%; background:#7B8ABD" | 9:15-10:15 || colspan="2" style="width:75%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/Global_Membership_Committee Membership Committee], meet the next OWASP [[Board member]] pre-election town hall style Q&A
'''Moderator, Tom Brennan'''
|-
| style="width:15%; background:#7B8ABD" | 10:30-12:00 || colspan="2" style="width:80%;background:#F2F2F2" align="center" | [[:Category:Global Projects Committee|Project Committee Workshop]] ([[media:AppSec_DC_2009_OWASP_GPC.ppt|PPT]])
'''Moderator:Dinis Cruz'''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | WORKING LUNCH
|-
| style="width:10%; background:#7B8ABD" | 13:15-14:00|| colspan="2" style="width:80%; background:#F2F2F2" align="center" | [[Global Chapter Committee|Chapter Committee Workshop]] ([http://www.owasp.org/images/a/ae/Owasp-gcc-slides_Summit_2009.ppt PPT])
'''Moderator: Sebastien Deleersnyder'''
|-
| style="width:10%; background:#7B8ABD" | 14:15-15:00 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | [[Global Conferences Committee|Conferences Committee Workshop]]
'''Moderator: Dave Wichers'''
|-
| style="width:10%; background:#7B8ABD" | 15:15-16:00|| colspan="2" style="width:80%; background:#F2F2F2" align="center" | [[Global Education Committee|Education Committee Workshop]] ([http://www.owasp.org/images/4/4f/Owasp-gec-slides_Summit_2009.ppt PPT])
'''Moderator: Sebastien Deleersnyder'''
|-
| style="width:10%; background:#7B8ABD" | 16:15-17:00 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | [[:Category:Global Industry Committee|Industry Committee Workshop]]
'''Moderator:Tom Brennan'''
|-
| style="width:10%; background:#7B8ABD" | 17:15-18:00 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Buffer for extra discussion
|-
| style="width:10%; background:#7B8ABD" | 18:15-19:00 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | What has been accomplished today and what are the 2010 goals?
'''OWASP Board'''
|-
| style="width:10%; background:#7B8ABD" | 19:15-22:00 || colspan="2" style="width:80%; background:#C2C2C2" align="center" | OWASP Community Social Gathering
|-
|}

==== Registration ====
Participation is free for OWASP chapter leaders, committee members, project leaders and OWASP [[Membership|members]]

Hint: membership is only $50! Check out the [[Membership]] page to find out more.

Please [http://owaspsummit.eventbrite.com/ Register] upfront so we can size the venue appropriately.

==== Venue ====
The OWASP Global Summit 2009 will be hosted at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] in downtown Washington DC.

The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro], and only a few blocks from our convention hotel, the [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] (reserve rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=1401279&fromResdesk=true here]).

==== Organisation ====
The Summit 2009 Program Committee:
* Tom Brennan - tomb 'at' owasp.org
* Sebastien Deleersnyder - seba 'at' owasp.org
* Dinis Cruz - dinis.cruz 'at' owasp.org
* Paulo Coimbra - paulo.coimbra 'at' owasp.org
* Kate Hartmann - kate.hartmann 'at' owasp.org

For Summit related queries please contact Kate Hartmann (kate.hartmann@owasp.org)
<headertabs />

[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_09]]

File:AppSec DC 2009 OWASP GPC.ppt

2009-11-12T13:42:27Z

Pravir Chandra: uploaded a new version of "File:AppSec DC 2009 OWASP GPC.ppt": This is the version presented at the Summit 2009

Pravir Chandra

2009-11-11T20:09:15Z

Pravir Chandra:

<div style="display:inline;
width:200px; float:right; padding-left:40px; padding-right:50px; padding-bottom:40px;">
<div style="padding-bottom:10px;">
[http://www.owasp.org/index.php/Pravir_Chandra http://www.pravir.org/PravirChandra-picture.jpg]
</div>
</div>

<b> Please do contact me directly with any questions: <i> chandra <at> owasp <dot> org </i></b>
== My overall vision for OWASP ==

==== Enable contributors ====
The purpose of the Board is to ENABLE contributors
* Allow project leaders to focus on their projects and have the OWASP organization promote them
* Allow chapter leaders to focus on their communities and have the OWASP organization take care of back-end management

==== Professional face ====
OWASP needs a professional face to get more adoption in the software development industry
* There has to be a more user-friendly and efficient front-page for OWASP
** Needs to address people in different roles (CISOs thru geeks)
** Needs to show high-value to users consistently
* OWASP needs to promote projects in a unified voice
** Select and promote projects that are enterprise caliber
** Promote OWASP in non-OWASP circles such as software development conferences and industry-specific events (financial services, retail, etc.)
* Dev leaders need to be able to trust the quality of what they get from OWASP
** This is key to brand protection and needed by any organization of our size/diversity
* OWASP eventually needs to run like other open-source foundations (e.g. Apache)
** Officers and assigned roles/responsibilities

==== Industry feedback ====
OWASP needs more driving influence from our "customers", i.e. the development and appsec community
* Form an Industry Advisory Board
** Ask them directly what they want from OWASP, what their pain points are, & how we can help
** Ask non-members what it would take for them to join OWASP
** Offer Corporate Members a recurring seat on the advisory board for joining (increases membership)
* Organize "steering committees" for key projects that want them
** Useful for Corporate Members to provide feedback directly to projects that they rely upon
** Provides a forum for critical feedback and ideas for future directions

==My OWASP history==

==== Roles ====
* [http://www.owasp.org/index.php/CLASP CLASP Project Lead]
** Worked with my company (Secure Software) to donate the commercial CLASP methodology to OWASP
** Served as project lead since early 2006
* [http://www.owasp.org/index.php/SAMM OpenSAMM Project Lead]
** Worked with my company (Fortify Software) to contribute money to fund development with the purpose of donating it to OWASP
** Served as project lead since late 2008
* [http://www.owasp.org/index.php/Global_Projects_Committee Global Projects Committee Member]
** Worked with committee to develop updates to SoC planning, assessment criteria, project cataloging, etc.

==== Conferences ====
I've presented (or will present) at the following OWASP conferences
* AppSec Europe 2006 - Leuven, Belgium
** Donated CLASP to OWASP
** First time a commercial organization donated an existing commercial product
* AppSec Europe 2007 - Milan, Italy
* OWASP & WASC AppSec US 2007 - San Jose, CA
** Vendor Exhibition Chair
** First time OWASP allowed vendors to exhibit at a conference
* OWASP AppSec US 2008 - New York City, NY
** Unveiled the SAMM Beta
* OWASP Summit 2008 - Portugal
* OWASP AppSec Australia 2009 - Gold Coast, Australia
* OWASP AppSec Europe 2009 - Krakow, Poland
* OWASP Minneapolis Event 2009 - Minneapolis/St. Paul, MN
* OWASP AppSec Academia Symposium - Irvine, CA
* OWASP AppSec Brazil 2009 - Brasilia, Brazil
* OWASP AppSec US 2009 - Washington, DC

I stay active and present at as many local Chapter meetings as possible.
* In 2009, I've spoke at local chapters in 9 cities across the US & Canada

== Professional Experience ==

==== Bio ====

Pravir Chandra is Director of Strategic Services at Fortify where he works with clients to build and optimize software security assurance programs. Pravir is widely recognized in the industry for his expertise in software security and code analysis, and also for his ability to apply technical knowledge strategically from a business perspective. Prior to Fortify, he was affiliated with Cigital as a Principal Consultant where he led large software security programs at Fortune 500 companies. Pravir was also Co-Founder and Chief Security Architect at Secure Software, Inc. before the company was acquired by Fortify Software. His book, Network Security with OpenSSL is a popular reference on protecting software applications through cryptography and secure communications. His varied special project experience includes creating and leading the Open Software Assurance Maturity Model (OpenSAMM) project with the Open Web Application Security Project (OWASP) Foundation. Also, Pravir currently serves as a Member of the OWASP Global Projects Committee.

What I have done on the OWASP Wiki [[:Special:Contributions/Pravir_Chandra|Click Here]]. To view LinkedIn profile [http://www.linkedin.com/in/pravirchandra Click Here]

Pravir Chandra

2009-11-11T20:08:52Z

Pravir Chandra:

<div style="display:inline;
width:200px; float:right; padding-left:40px; padding-right:50px; padding-bottom:40px;">
<div style="padding-bottom:10px;">
[http://www.owasp.org/index.php/Pravir_Chandra http://www.pravir.org/PravirChandra-picture.jpg]
</div>
</div>

<b> Please do contact me directly with any questions: <i> chandra <at> owasp <dot> org </i></b>

== My overall vision for OWASP ==

==== Enable contributors ====
The purpose of the Board is to ENABLE contributors
* Allow project leaders to focus on their projects and have the OWASP organization promote them
* Allow chapter leaders to focus on their communities and have the OWASP organization take care of back-end management

==== Professional face ====
OWASP needs a professional face to get more adoption in the software development industry
* There has to be a more user-friendly and efficient front-page for OWASP
** Needs to address people in different roles (CISOs thru geeks)
** Needs to show high-value to users consistently
* OWASP needs to promote projects in a unified voice
** Select and promote projects that are enterprise caliber
** Promote OWASP in non-OWASP circles such as software development conferences and industry-specific events (financial services, retail, etc.)
* Dev leaders need to be able to trust the quality of what they get from OWASP
** This is key to brand protection and needed by any organization of our size/diversity
* OWASP eventually needs to run like other open-source foundations (e.g. Apache)
** Officers and assigned roles/responsibilities

==== Industry feedback ====
OWASP needs more driving influence from our "customers", i.e. the development and appsec community
* Form an Industry Advisory Board
** Ask them directly what they want from OWASP, what their pain points are, & how we can help
** Ask non-members what it would take for them to join OWASP
** Offer Corporate Members a recurring seat on the advisory board for joining (increases membership)
* Organize "steering committees" for key projects that want them
** Useful for Corporate Members to provide feedback directly to projects that they rely upon
** Provides a forum for critical feedback and ideas for future directions

==My OWASP history==

==== Roles ====
* [http://www.owasp.org/index.php/CLASP CLASP Project Lead]
** Worked with my company (Secure Software) to donate the commercial CLASP methodology to OWASP
** Served as project lead since early 2006
* [http://www.owasp.org/index.php/SAMM OpenSAMM Project Lead]
** Worked with my company (Fortify Software) to contribute money to fund development with the purpose of donating it to OWASP
** Served as project lead since late 2008
* [http://www.owasp.org/index.php/Global_Projects_Committee Global Projects Committee Member]
** Worked with committee to develop updates to SoC planning, assessment criteria, project cataloging, etc.

==== Conferences ====
I've presented (or will present) at the following OWASP conferences
* AppSec Europe 2006 - Leuven, Belgium
** Donated CLASP to OWASP
** First time a commercial organization donated an existing commercial product
* AppSec Europe 2007 - Milan, Italy
* OWASP & WASC AppSec US 2007 - San Jose, CA
** Vendor Exhibition Chair
** First time OWASP allowed vendors to exhibit at a conference
* OWASP AppSec US 2008 - New York City, NY
** Unveiled the SAMM Beta
* OWASP Summit 2008 - Portugal
* OWASP AppSec Australia 2009 - Gold Coast, Australia
* OWASP AppSec Europe 2009 - Krakow, Poland
* OWASP Minneapolis Event 2009 - Minneapolis/St. Paul, MN
* OWASP AppSec Academia Symposium - Irvine, CA
* OWASP AppSec Brazil 2009 - Brasilia, Brazil
* OWASP AppSec US 2009 - Washington, DC

I stay active and present at as many local Chapter meetings as possible.
* In 2009, I've spoke at local chapters in 9 cities across the US & Canada

== Professional Experience ==

==== Bio ====

Pravir Chandra is Director of Strategic Services at Fortify where he works with clients to build and optimize software security assurance programs. Pravir is widely recognized in the industry for his expertise in software security and code analysis, and also for his ability to apply technical knowledge strategically from a business perspective. Prior to Fortify, he was affiliated with Cigital as a Principal Consultant where he led large software security programs at Fortune 500 companies. Pravir was also Co-Founder and Chief Security Architect at Secure Software, Inc. before the company was acquired by Fortify Software. His book, Network Security with OpenSSL is a popular reference on protecting software applications through cryptography and secure communications. His varied special project experience includes creating and leading the Open Software Assurance Maturity Model (OpenSAMM) project with the Open Web Application Security Project (OWASP) Foundation. Also, Pravir currently serves as a Member of the OWASP Global Projects Committee.

What I have done on the OWASP Wiki [[:Special:Contributions/Pravir_Chandra|Click Here]]. To view LinkedIn profile [http://www.linkedin.com/in/pravirchandra Click Here]

OWASP AppSec DC 2009 Schedule

2009-11-06T17:39:14Z

Pravir Chandra: Punching up SDLC Panel title

__NOTOC__

===[[OWASP AppSec DC 2009|Back to Conference Page]]===
Please note, speaking times are not final, check back regularly for updates.
====Training 11/10====
{| cellspacing="0" border="2"
|- valign="middle"
| height="60" align="center" colspan="6" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Day 1 - Nov 10th 2009'''</font>
|- valign="bottom"
| width="67" valign="middle" height="40" bgcolor="#7b8abd" |  
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Room 154A'''
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Room 149B'''
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''Room 149A'''
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Room 154B'''
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''Room 155'''
|- valign="bottom"
| width="67" valign="middle" bgcolor="#7b8abd" | 09:00-12:00
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework<br> Justin Searle
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>Java EE Secure Code Review<br>Sahba Kazerooni<br>[http://www.securitycompass.com Security Compass]
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Threat Modeling Express<br>Krishna Raja<br>[http://www.securitycompass.com Security Compass]
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | Foundations of Web Services and XML Security<br>Dave Wichers<br>[http://www.aspectsecurity.com Aspect Security]
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | Live CD<br>Matt Tesauro
|- valign="bottom"
| width="67" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="5" | Lunch
|- valign="bottom"
| width="67" valign="middle" bgcolor="#7b8abd" | 13:00-17:00
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework<br> Justin Searle
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Java EE Secure Code Review<br>Sahba Kazerooni<br>[http://www.securitycompass.com Security Compass]
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Threat Modeling Express<br>Krishna Raja<br>[http://www.securitycompass.com Security Compass]
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | Foundations of Web Services and XML Security<br>Dave Wichers<br>[http://www.aspectsecurity.com Aspect Security]
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | Live CD<br>Matt Tesauro 
|}
====Training 11/11====
{| cellspacing="0" border="2"
|- valign="middle"
| height="60" align="center" colspan="6" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Day 2 - Nov 11th 2009'''</font>
|- valign="bottom"
| width="67" valign="middle" height="40" bgcolor="#7b8abd" |  
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Room 154A'''
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Room 149B'''
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''Room 149A'''
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Room 154B'''
|- valign="bottom"
| width="67" valign="middle" bgcolor="#7b8abd" | 09:00-12:00
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 2:<br>Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework<br> Justin Searle
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 2:<br>Java EE Secure Code Review<br>Sahba Kazerooni<br>[http://www.securitycompass.com Security Compass]
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | WebAppSec.php: Developing Secure Web Applications<br>Robert Zakon
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | Leader and Manager Training - Leading the Development of Secure Applications<br>John Pavone<br>[http://www.aspectsecurity.com Aspect Security]
|- valign="bottom"
| width="67" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="4" | Lunch
|- valign="bottom"
| width="67" valign="middle" bgcolor="#7b8abd" | 13:00-17:00
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework<br> Justin Searle
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Java EE Secure Code Review<br>Sahba Kazerooni<br>[http://www.securitycompass.com Security Compass]
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | WebAppSec.php: Developing Secure Web Applications<br>Robert Zakon
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | Leader and Manager Training - Leading the Development of Secure Applications<br>John Pavone<br>[http://www.aspectsecurity.com Aspect Security]
|}
====Talks 11/12====
{| cellspacing="0" border="2"
|- valign="middle"
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Day 1 - Nov 12th 2009'''</font>
|- valign="bottom"
| width="67" valign="middle" height="40" bgcolor="#7b8abd" |  
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''OWASP (146A)'''
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Tools (146B)'''
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''Web 2.0 (146C)'''
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''SDLC (152A)'''
|- valign="bottom"
| width="67" valign="middle" bgcolor="#7b8abd" | 07:30-08:50
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration
|- valign="bottom"
| width="67" valign="middle" bgcolor="#7b8abd" | 08:50-09:00
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Welcome and Opening Remarks
|- valign="bottom"
| width="67" valign="middle" bgcolor="#7b8abd" | 09:00-10:00
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Keynote: [[AppSecDC Keynote Jarzomnek|Joe Jarzombek]]
|- valign="bottom"
| width="67" valign="middle" bgcolor="#7b8abd" | 10:00-10:30
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | All about OWASP [[OWASP:About#Global_Board_Members| OWASP Board]]
|- valign="bottom"
| width="67" valign="middle" bgcolor="#7b8abd" | 10:30-10:45
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:AppSecDC2009-Sponsor-denim.gif|link=http://www.denimgroup.com/]]
|- valign="bottom"
| width="67" valign="middle" bgcolor="#7b8abd" | 10:45-11:30
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[OWASP ESAPI AppSecDC|OWASP ESAPI]]<br>Jeff Williams
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Clubbing WebApps with a Botnet]]<br>Gunter Ollmann
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Understanding the Implications of Cloud Computing on Application Security]]<br>Dennis Hurst
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Enterprise Application Security - GE's approach to solving root cause and establishing a Center of Excellence|Enterprise Application Security - GE's approach to solving root cause]]<br>Darren Challey
|- valign="bottom"
| width="67" valign="middle" height="40" bgcolor="#7b8abd" | 11:30-12:30
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Hosted Lunch
|- valign="bottom"
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 12:30-1:15
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Software Assurance Maturity Model (SAMM)]]<br>Pravir Chandra
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[The Case of Promiscuous Parameters and Other Ongoing Capers in Web Security]]<br>Jacob West
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Transparent Proxy Abuse]]<br>Robert Auger
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Software Development The Next Security Frontier]]<br>Jim Molini
|- valign="bottom"
| width="67" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 1:15-1:20
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break
|- valign="bottom"
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:20-2:05
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[DISA's Application Security and Development STIG: How OWASP Can Help You]]<br>Jason Li
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[OWASP ModSecurity Core Rule Set Project]]<br>Ryan C. Barnett
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Development Issues Within AJAX Applications: How to Divert Threats]]<br>Lars Ewe
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3" | [[SDLC Panel AppSecDC|Secure SDLC Panel: Real answers from real experience]]<br><i>Panelists:</i><br>Dan Cornell<br>Michael Craigue<br>Dennis Hurst<br>Joey Peloquin<br>Keith Turpin<br> <br><i>Moderator:</i><br>Pravir Chandra
|- valign="bottom"
| width="67" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:05-2:10
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="3" | Break
|- valign="bottom"
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:10-2:55
| width="200" valign="middle" height="60" bgcolor="#c0a0a0" align="center" | [[Defend Yourself: Integrating Real Time Defenses into Online Applications]]<br>Michael Coates
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[Finding the Hotspots: Web-security testing with the Watcher tool]]<br>Chris Weber
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Social Zombies: Your Friends Want to Eat Your Brains]]<br>Tom Eston/Kevin Johnson
|- valign="bottom"
| width="67" valign="middle" height="15" bgcolor="#7b8abd" rowspan="1"| 2:55-3:10
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:AppSecDC2009-Sponsor-denim.gif|link=http://www.denimgroup.com/]]
|- valign="bottom"
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2" | 3:10-3:55
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="2" | [[The ESAPI Web Application Firewall (ESAPI WAF)|The ESAPI Web Application Firewall]]<br>Arshan Dabirsiaghi
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[One Click Ownage]]<br>Ferruh Mavituna
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" rowspan="2" | [[Cloudy with a chance of 0-day]]<br>Jon Rose/Tom Leavey
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[The essential role of infosec in secure software development]]<br>Kenneth R. van Wyk
|- valign="bottom"
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[Web Application Security Scanner Evaluation Criteria]]<br>Brian Shura

|- valign="bottom"
| width="67" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 3:55-4:00
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="5" | Break
|- valign="bottom"
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2" | 4:00-4:45
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="2" | [[OWASP Live CD: An open environment for Web Application Security]]<br>Matt Tesauro / Brad Causey
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[Learning by Breaking: A New Project Insecure Web Apps]]<br>Chuck Willis
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" rowspan="2" | [[Attacking WCF Web Services]]<br>Brian Holyfield
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[Vulnerability Management in an Application Security World]]<br>Dan Cornell
|- valign="bottom"
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[Synergy! A world where the tools communicate]]<br>
Josh Abraham
|- valign="bottom"
| width="67" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:45-4:50
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="5" | Break
|- valign="bottom"
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2" | 4:50-5:55
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="2" | [[The Entrepreneur's Guide to Career Management]]<br>Lee Kushner
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[Advanced SSL: The good, the bad, and the ugly]]<br>Michael Coates
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" rowspan="2" | [[When Web 2.0 Attacks - Understanding Security Implications of AJAX, Flash and |When Web 2.0 Attacks - Understanding Security Implications of AJAX, Flash and "Highly Interactive" Technologies]]<br>Rafal Los
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[Threat Modeling by John Steven|Threat Modeling]]<br>John Steven
|- valign="bottom"
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[User input piercing for Cross Site Scripting Attacks]]<br>Matias Blanco
|- valign="bottom"
| width="67" valign="middle" height="60" bgcolor="#7b8abd" | 6:00-8:00
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Cocktails and hors d'oeuvres in the EXPO Room (151)<br>Sponsored by [[Image:AppSecDC2009-Sponsor-cenzic.gif|link=http://www.cenzic.com/]]
|}
====Talks 11/13====
{| cellspacing="0" border="2"
|- valign="middle"
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Day 2 - Nov 13th 2009'''</font>
|- valign="bottom"
| width="67" valign="middle" height="40" bgcolor="#7b8abd" |  
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Process (146A)'''
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Attack & Defend (146B)'''
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''Metrics (146C)'''
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Compliance (152A)'''
|- valign="bottom"
| width="67" valign="middle" bgcolor="#7b8abd" | 8:00-9:00
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration & Coffee sponsored by [[Image:AppSecDC2009-Sponsor-fyrm.gif|link=http://www.fyrmassociates.com/]]
|- valign="bottom"
| width="67" valign="middle" bgcolor="#7b8abd" rowspan="1"| 9:00-9:45
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[The Big Picture: Web Risks and Assessments Beyond Scanning]]<br>Matt Fisher
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Securing the Core JEE Patterns]]<br>Rohit Sethi/Krishna Raja
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[The Web Hacking Incidents Database]]<br>Ryan C. Barnett
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Business Logic Automatons: Friend or Foe?]]<br>Ofer Shezaf
|- valign="bottom"
| width="67" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 9:45-9:50
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="5" | Break
|- valign="bottom"
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 9:50-10:35
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Scalable Application Assessments in the Enterprise]]<br>Tom Parker/Lars Ewe
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Unicode Transformations: Finding Elusive Vulnerabilities]]<br>Chris Weber
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Application security metrics from the organization on down to the vulnerabilities]]<br>Chris Wysopal
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[SCAP: Automating our way out of the Vulnerability Wheel of Pain]]<br>Ed Bellis
|- valign="bottom"
| width="67" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 10:35-10:40
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="5" | Break
|- valign="bottom"
| width="67" valign="middle" height="120" bgcolor="#7b8abd" | 10:40-11:25
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Secure Software Updates: Update Like Conficker]]<br>Jeremy Allen
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Malicious Developers and Enterprise Java Rootkits]]<br>Jeff Williams
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP Top 10 2010 AppSecDC|OWASP Top 10 - 2010]]<br>Dave Wichers
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Secure SDLC: The Good, The Bad, and The Ugly]]<br>Joey Peloquin
|- valign="bottom"
| width="67" valign="middle" height="40" bgcolor="#7b8abd" | 11:25-12:30
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Hosted Lunch
|- valign="bottom"
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 12:30-1:15
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Improving application security after an incident]]<br>Cory Scott
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[The 10 least-likely and most dangerous people on the Internet]]<br>Robert Hansen
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Hacking by Numbers]]<br>Tom Brennan
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3" | [[AppSecDC09 Federal CISO Panel|Federal CISO Panel]]
|- valign="bottom"
| width="67" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 1:15-1:20
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="3" | Break
|- valign="bottom"
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:20-2:05
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Custom Intrusion Detection Techniques for Monitoring Web Applications]]<br>Matthew Olney
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Automated vs. Manual Security: You can't filter The Stupid]]<br>David Byrne/Charles Henderson
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Building an in-house application security assessment team]]<br>Keith Turpin
|- valign="bottom"
| width="67" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:05-2:20
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="5" | Coffee break sponsored by [[Image:AppSecDC2009-Sponsor-fyrm.gif|link=http://www.fyrmassociates.com/]]
|- valign="bottom"
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:20-3:05
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[AppSecDC OWASP O2 PLATFORM|OWASP O2 Platform - Open Platform for automating application security knowledge and workflows]]<br>Dinis Cruz
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Injectable Exploits: Two New Tools for Pwning Web Apps and Browsers]]<br>Kevin Johnson, Justin Searle, Frank DiMaggio
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[The OWASP Security Spending Benchmarks Project]]<br>Dr. Boaz Gelbord
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Promoting Application Security within Federal Government]]<br>Sarbari Gupta
|- valign="bottom"
| width="67" valign="middle" height="15" bgcolor="#7b8abd" rowspan="1"| 3:05-3:10
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="5" | Break
|- valign="bottom"
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1" | 3:10-3:55
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="1" | [[Deploying Secure Web Applications with OWASP Resources]]<br>Kuai Hinojosa
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[Manipulating Web Application Interfaces, a new approach to input validation]]<br>Felipe Moreno-Strauch
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" rowspan="1" | [[SANS Dshield Webhoneypot Project]]<br>Jason Lam
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="1" | [[Techniques in Attacking and Defending XML/Web Services]]<br>Mamoon Yunus/Jason Macy
|- valign="bottom"
| width="67" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 3:55-4:00
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="5" | Break
|- valign="bottom"
| width="67" valign="middle" height="60" bgcolor="#7b8abd" | 4:00-4:15
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Closing Remarks (146B) <br> Mark Bristow, Rex Booth, Doug Wilson
|}
<headertabs />

===[[OWASP AppSec DC 2009|Back to Conference Page]]===

[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_09]]

Global Conferences Committee - Application 2

2009-11-04T14:10:15Z

Pravir Chandra:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----
{| style="width:100%" border="0" align="center"
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM'''
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Lucas C. Ferreira.
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Brazilian Chapter member, AppSec Brasil 2009 Chair.
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Global Conferences Committee.
|}
----

----
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''.
An incomplete application will not be considered for vote.
----

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS'''
|-
! align="center" style="background:white; color:white"|<font color="black">
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name'''
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content'''
|-
| style="width:3%; background:#cccccc" align="center"|'''1'''
| style="width:20%; background:#cccccc" align="center"| Eduardo Vianna de Camargo Neves
| style="width:20%; background:#cccccc" align="center"| GEC Member
| style="width:57%; background:#cccccc" align="center"| An outstanding OWASP Member that allocated heart and soul to make the OWASP AppSec Brasil 2009 happens and is already doing the same for the 2010 Edition. Moreover, Lucas is a high evangelist of OWASP resources within the Brazilian IT Community with a strong presence on the Government Sector and Academia.
|-
| style="width:3%; background:#cccccc" align="center"|'''2'''
| style="width:20%; background:#cccccc" align="center"| Pravir Chandra
| style="width:20%; background:#cccccc" align="center"| GPC Member
| style="width:57%; background:#cccccc" align="center"| Lucas is highly motivated and actually executes on his commitments very well. He did a great job in organizing AppSec Brasil 2009 and would be a great asset for the Global Conferences Committee.
|-
| style="width:3%; background:#cccccc" align="center"|'''3'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|-
| style="width:3%; background:#cccccc" align="center"|'''4'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|-
| style="width:3%; background:#cccccc" align="center"|'''5'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|}
----

OWASP Minneapolis St Paul 2009 Conference

2009-07-29T19:49:26Z

Pravir Chandra:

The [[Minneapolis St Paul | OWASP Minneapolis-St. Paul (MSP) chapter]] is pleased to announce an afternoon of information security presentations on August 24, 2009 at the [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center] [http://www.spsc.umn.edu/about/directory/lower.php Auditorium/Theater] on the [http://www1.umn.edu/twincities/index.php University of Minnesota - Twin Cities] campus.

Presentations will be posted shortly after the event. Links to the presentation material will be provided below at that time.

== Registration and Directions to Event ==

[http://owaspmn.eventbrite.com/ '''Register''']

[http://maps.google.com/maps?q=2017+Buford+Avenue+St.+Paul,+MN+55108&oe=utf-8&client=firefox-a&ie=UTF8&split=0&gl=us&ei=KahSStPfHJK4Ncr0mN8I&z=16&iwloc=A Google Maps directions to the St. Paul Student Center]

== Thank You to Our Sponsors ==

[http://www.go-integral.net/ http://www.go-integral.net/files/integral_logo.png] [http://www.symantec.com/ https://www.owasp.org/images/2/26/New_Symantec_Logo.jpg]

A big thank you goes out to the '''University of Minnesota Office of Enterprise Technology''' for sponsoring the event location.

Contact '''[mailto:lorna.alamri@owasp.org Lorna]''' at '''[mailto:lorna.alamri@owasp.org lorna.alamri@owasp.org]''' to sponsor this event.

== Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#AEB7D5; padding: 5px; width: 120px">12:30 PM - 1:30 PM</td>
<td style="border-width:1px; padding: 5px; border-style:solid; border-color: #AEB7D5">Check-In</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 5px;">1:30 PM - 1:45 PM</td>
<td style="border-width:1px; padding: 5px; border-style:solid; border-color: #AEB7D5">
'''Kuai Hinojosa'''

OWASP MSP President

'''Topic:''' Event Introduction

The OWASP MSP chapter has had a successful year, and will be looking ahead to even more participation in the global OWASP community.

'''Bio:''' Speaker provided bio.
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 5px;">1:45 PM - 2:30 PM</td>
<td style="border-width:1px; padding: 5px; border-style:solid; border-color: #AEB7D5">
'''Seth Peter'''

Chief Technology Officer, [http://www.netspi.com/ NetSPI]

'''Topic:''' Topic TBD.

Seth will be discussing OWASP and the PCI-DSS.

'''Bio:''' (From [http://www.nesspi.com/ netspi.com]) ''Seth Peter is a computer security expert with extensive experience with all aspects of information security. He was a founder of the computer forensics team at Kroll Ontrack where he provided expert witness testimony and depositions regarding high profile computer security cases. As the founder and CTO of NetSPI, he is a national leader in risk management and security program assessment. Seth has provided consulting to over 100 different organizations within financial services, government, health care, education, nuclear energy, and retail. Seth is a Payment Card Industry Qualified Security Assessor and Visa Qualified Payment Application Security Professional. Seth holds a B.A. degree in Mathematics from Kenyon College.''
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 5px;">2:30 PM - 2:45 PM</td>
<td style="border-width:1px; padding: 5px; border-style:solid; border-color: #AEB7D5">Break</td>
</tr>

<tr>
<td style="background-color: #AEB7D5; padding: 5px;">2:45 PM - 3:30 PM </td>
<td style="border-width:1px; padding: 5px; border-style:solid; border-color: #AEB7D5">
'''Pravir Chandra'''

Director of Strategic Services, [http://www.fortify.com/ Fortify]

'''Topic:''' Software Assurance Maturity Model (OpenSAMM)

The Software Assurance Maturity Model (SAMM) ([http://www.opensamm.org/ http://www.opensamm.org/]) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit [http://www.opensamm.org/ http://www.opensamm.org/].

'''Bio:''' (From [http://www.fortify.com/ fortify.com]) ''Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.''
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 5px;">3:30 PM - 3:45 PM</td>
<td style="border-width:1px; padding: 5px; border-style:solid"; border-color: #AEB7D5>Break</td>
</tr>

<tr>
<td style="background-color: #AEB7D5; padding: 5px;">3:45 PM - 4:45 PM</td>
<td style="border-width:1px; padding: 5px; border-style:solid; border-color: #AEB7D5">'''Bruce Schneier'''<br />[http://www.schneier.com/ schneier.com]

'''Topic:''' The Future of the Security Industry: IT is Rapidly Becoming a Commodity'''

More companies are outsourcing their IT infrastructure -- treating it as a service more like electricity, office cleaning, or tax preparation -- and this has profound implications for IT security. Organizational users care less about the technical details of security. Products and services change their focus from the end user to the outsourcer. Industry consolidation results, as non-security IT infrastructure companies seek to bolster their security credentials. Even the profession changes, as jobs move from individual organizations to the outsourcing companies, and in some cases overseas. This talk looks at the future of IT security in a mature IT infrastructure industry.

'''Bio''': (From [http://www.schneier.com/ schneier.com]) ''Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.''</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 5px;">4:45 PM</td>
<td style="border-width:1px; padding: 5px; border-style:solid; border-color: #AEB7D5">Event Closing</td>
</tr>
</table>

Template:Principle

2009-05-22T14:51:49Z

Pravir Chandra: Undo revision 61177 by AcelcAlcar (Talk)

__NOTOC__
This is a '''principle''' or a set of principles. To view all principles, please see the [[:Category:Principle|Principle Category]] page.

[[Category:OWASP ASDR Project]]

CLASP Security Principles

2009-05-22T14:48:37Z

Pravir Chandra: Undo revision 61167 by EloroRrelt (Talk)

{{Template:Principle}}
{{Template:SecureSoftware}}
[[Category:OWASP CLASP Project]]

==Overview==
This CLASP Resource is meant as a set of basic principles for all members of your application-security project.

==Ethics in Secure-Software Development==
Software development organizations should behave ethically as a whole, but should not expect that their individual components will.

In so far as security goes, it is ethical not to expose a user to security risks that are known and will not be obvious to the user, without clearly informing the user of those risks (and preferably, mitigation strategies).

It is also ethical to provide users with a specific privacy policy for use of their personal information in a timely manner so that they can act to avoid undesired use of that information, if they so desire. Additionally, if you change a privacy policy, the user should be given the explicit choice either to accept the change or to have his personal data expunged.

Additionally, if you have a system that is compromised on which user data resides, it is ethical to inform users of the breach in privacy. If the data resides in the state of California, this is required by law. Similar regulations may apply in other jurisdictions.

Do not expect that all other people on the development team will be ethical. Insiders play a significant factor in over 50% of corporate security breaches. Particularly at risks are those employees that are silently disgruntled or have recently left the company.

==Insider Threats as the Weak Link==
Most development organizations overlook “insider” risks — i.e., those users with inside access to the application, whether it be in deployment or development. For example, when planning for deployments it is easy to assume “a firewall will be there,” although, even when true, there are many techniques for circumventing a firewall.

Most development organizations completely ignore the risks from the guy in the next cube or on the next floor, the risks from the secretaries and the janitors, the risks from those who have recently quit or been fired. This, despite yearly numbers from the Computer Crime and Security Survey performed by the Computer Security Institute and the FBI, which shows that over half of all security incidents have an inside angle.

This suggests that trusting the people around you isn’t good enough. Not only might people be disgruntled or susceptible to bribe that you may not expect, but people are often susceptible to accidentally giving insider help by falling victim to social engineering attacks.

Social engineering is when an attacker uses his social skills (generally involving deception) to meet his security ends. For example, he may convince technical support that he is a particular user who has forgotten his password, and get the password changed over the phone. This is why many people have moved to systems where passwords can be reset automatically only using a “secret question” — although secret questions are a bit too repetitive... if someone is being targeted, it is often easy to figure out the mother’s maiden name, the person’s favorite color, and the name of his or her pets.

==Assume the Network is Compromised==
There are many categories of attack that can be launched by attackers with access to any network media that can see application traffic. Many people assume wrongly that such attacks are not feasible, assuming that it is “difficult to get in the middle of network communications,” especially when most communications are from ISP to ISP.

One misconception is that an attacker actually needs to “be in the middle” for a network attack to be successful. Ethernet is a shared medium, and it turns out that attacks can be launched if the bad guy is on one of the shared segments that will see the traffic. Generally, the greatest risk lies in the local networks that the endpoints use.

Many people think that plugging into a network via a switch will prevent against the threat on the local network. Unfortunately, that is not true, as switches can have their traffic intercepted and monitored using a technique called ARP spoofing. And even if this problem were easily addressed, there are always attacks on the physical media that tend to be easy to perform.

As for router infrastructure, remember that most routers run software. For example, Cisco’s routers run IOS, an operating system written in C that has had exploitable conditions found in it in the past. It may occasionally be reasonable for an attacker to truly be “in the middle.”

Another misconception is that network-level attacks are difficult to perform. There are tools that easily automate them. For example, “dsniff” will automate many attacks, including man-in-the-middle eavesdropping and ARP spoofing.

Well known network-level threats include the following:

* ''Eavesdropping'' — Even when using cryptography, eavesdropping may be possible when not performing proper authentication, using a man-in-the-middle attack.
* ''Tampering'' — An attacker can change data on the wire. Even if the data is encrypted, it may be possible to make significant changes to the data without being able to decrypt it. Tampering is best thwarted by performing ongoing message authentication (MACing), provided by most high-level protocols, such as SSL/TLS.
* ''Spoofing'' — Traffic can be forged so that it appears to come from a different source address than the one from which it actually comes. This will thwart authentication systems that rely exclusively on IP addresses and/or DNS names for authentication.
* ''Hijacking'' — An extension of spoofing, in which established connections can be taken over, allowing the attacker to enter an already established session without having to authenticate. This can be thwarted with ongoing message authentication, which is provided by most high-level protocols, such as SSL/TLS.
* ''Observing'' — It is possible to give away security-critical information even when a network connection is confidentiality-protected through encryption. For example, the mere fact that two particular hosts are talking may give away significant information, as can the timing of traffic. These are generally examples of covert channels (non-obvious communication paths), which tend to be the most difficult problem in the security space.

==Minimize Attack Surface==
For a large application, a rough yet reliable metric for determining overall risk is to measure the number of input points that the application has — i.e., attack surface. The notion is that more points of entry into the application provides more avenues for an attacker to find a weakness.

Of course, any such metric must consider the accessibility of the input point. For example, many applications are developed for a threat model where the local environment is trusted. In this case, having a large number of local input points such as configuration files, registry keys, user input, etc., should be considered far less worrisome than making several external network connections.

Collapsing functionality that previously was spread across several ports onto a single port does not always help reduce attack surface, particularly when the single port exports all the same functionality, with an infrastructure that performs basic switching. The effective attack surface is the same unless the actual functionality is somehow simplified. Since underlying complexity clearly plays a role, metrics based on attack surface should not be used as the only means access control should be mandatory of analyzing risks in a piece of software.

==Secure-by-Default==
A system’s default setting should not expose users to unnecessary risks and should be as secure as possible. This means that all security functionality should be enabled by default, and all optional features which entail any security risk should be disabled by default.

It also means that — if there is some sort of failure in the system — the behavior should not cause the system to behave in an insecure manner (the “fail-safe” principle). For example, if a connection cannot be established over SSL, it is not a good idea to try to establish a plaintext connection.

The “secure-by-default” philosophy does not interact well with usability since it is far simpler for the user to make immediate use of a system if all functionality is enabled. He can make use of functionality which is needed and ignore the functionality that is not.

However, attackers will not ignore this functionality. A system released with an insecure default configuration ensures that the vast majority of systems-in-the-wild are vulnerable. In many circumstances, it can even become difficult to patch a system before it is compromised.

Therefore, if there are significant security risks that the user is not already accepting, you should prefer a secure-by-default configuration. If not, at least alert the user to the risks ahead of time and point him to documentation on mitigation strategies.

Note that, in a secure-by-default system, the user will have to explicitly enable any functionality that increases his risk. Such operations should be relatively hidden (e.g., in an “advanced” preference pane) and should make the risks in disabling the functionality readily apparent.

==Defense-in-Depth==
The principle of defense-in-depth is that redundant security mechanisms increase security. If one mechanism fails, perhaps the other one will still provide the necessary security. For example, it is not a good idea to rely on a firewall to provide security for an internal-use-only application, as firewalls can usually be circumvented by a determined attacker (even if it requires a physical attack or a social engineering attack of some sort).

Implementing a defense-in-depth strategy can add to the complexity of an application, which runs counter to the “simplicity” principle often practiced in security. That is, one could argue that new protection functionality adds additional complexity that might bring new risks with it. The risks need to be weighed. For example, a second mechanism may make no sense when the first mechanism is believed to be 100% effective; therefore, there is not much reason for introducing the additional solution, which may pose new risks. But usually the risks in additional complexity are minimal compared to the risk the protection mechanism seeks to reduce.

==Principles for Reducing Exposure==
Submarines employ a trick that makes them far less risky to inhabit. Assume that you are underwater on a sub when the hull bursts right by you. You actually have a reasonable chance of survival, because the ship is broken up into separate airtight compartments. If one compartment takes on water, it can be sealed off from the rest of the compartments.

Compartmentalization is a good principle to keep in mind when designing software systems. The basic idea is to try to contain damage if something does goes wrong. Another principle is that of least privilege, which states that privileges granted to a user should be limited to only those privileges necessary to do what that user needs to do. For example, least privilege argues that you should not run your program with administrative privileges, if at all possible. Instead, you should run it as a lesser user with just enough privileges to do the job, and no more.

Another relevant principle is to minimize windows of vulnerability. This means that — when risks must be introduced — they should be introduced for as short a time as possible (a corollary of this is “insecure bootstrapping”). In the context of privilege, it is could to account for which privileges a user can obtain, but only grant them when the situation absolutely merits. That supports the least privilege principle by granting the user privileges only when necessary, and revoking them immediately after use.

When the resources you are mitigating access in order to live outside your application, these principles are usually easier to apply with operational controls than with controls you build into your own software. However, one highly effective technique for enforcing these principles is the notion of privilege separation. The idea is that an application is broken up into two portions, the privileged core and the main application. The privileged core has as little functionality as absolutely possible so that it can be well audited. Its only purposes are as follows:

* Authenticate new connections and spawn off unprivileged main processes to handle those connections.
* Mediate access to those resources which the unprivileged process might legitimately get to access. That is, the core listens to requests from the children, determines whether they are valid, and then executes them on behalf of the unprivileged process.

This technique compartmentalizes each user of the system into its own process and completely removes all access to privileges, except for those privileges absolutely necessary, and then grants those privileges indirectly, only at the point where it is necessary.

==The Insecure-Bootstrapping Principle==
Insecure bootstrapping is the principle that — if you need to use an insecure communication channel for anything — you should use it to bootstrap a secure communication channel so that you do not need to use an insecure channel again.

For example, SSH is a protocol that provides a secure channel after the client and server have authenticated each other. Since it does not use a public key infrastructure the first time the client connects, it generally will not have the server credentials. The server sends its credentials, and the client just blindly accepts that they’re the right ones. Clearly, if an attacker can send his own credentials, he can masquerade as the server or launch a man-in-the-middle attack.

But, the SSH client remembers the credentials. If the credentials remain the same, and the first connection was secure, then subsequent connections are secure. If the credentials change, then something is wrong — i.e., either an attack is being waged, or the server credentials have changed — and SSH clients will generally alert the user.

Of course, it is better not to use an insecure communication channel at all, if it can be avoided.

==Input Validation==
If a program is liberal in what it accepts, it often risks an attacker finding an input that has negative security implications. Several major categories of software security problems are ultimately input validation problems — including buffer overflows, SQL injection attacks, and command-injection attacks.

Data input to a program is either valid or invalid. What defines valid can be dependent on the semantics of the program. Good security practice is to definitively identify all invalid data before any action on the data is taken. And, if data is invalid, one should act appropriately.

====Where to perform input validation====
There are many levels at which one can perform input validation. Common places include:
* ''Use'' — all places in the code where data (particularly data of external origin) gets used.
* ''Unit boundaries'' — i.e., individual components, modules, or functions;
* ''Trust boundaries'' — i.e., on a per-executable basis.
* ''Protocol parsing'' — When the network protocol gets interpreted.
* ''Application entry points'' — e.g., just before or just after passing data to an application, such as a validation engine in a web server for a web service.
* ''Network'' — i.e., a traditional intrusion detection system (IDS).

Validating at use is generally quite error-prone because it is easy to forget to insert a check. This is still true, but less so when validating at unit boundaries. Going up the line, validation becomes less error prone. However, at higher levels, it gets harder and harder to make accurate checks because there is less and less context readily available to make a decision with.

At a bare minimum, input validation should be performed at unit boundaries, preferably using a structured technique such as design-by-contract. Validating at other levels provides defense-in-depth to help handle the case where a check is forgotten at a lower level.

====Ways in which data can be invalid====
At a high level, invalid data is anything that does not meet the strictest possible definition of valid. It does not just encompass malformed data, it encompasses missing data and out-of-order data (e.g., data used in a capture-replay attack).

There are four different contexts in which data can be invalid:
* ''Sender'' — Data is invalid if it did not originate from an authentic source.
* ''Tokens'' — Data in network protocols are generally broken up into atomic units called tokens, which often map to concrete data types (e.g., numbers, zip codes, and strings). An invalid token is one that is an invalid value for all token types known to a system.
* ''Syntax'' — Protocols accept messages as valid based on a protocol syntax, which is usually defined in terms of tokens. An invalid message is one that should not be accepted as part of the protocol.
* ''Semantics'' — Even when a message satisfies syntax requirements, it may be semantically invalid.

====How to determine input validity====
Data validity must be evaluated in each of the four contexts described above. For example, a valid sender can send bad tokens. Good tokens can be combined in syntactically invalid ways. And, otherwise valid messages can make no valid sense in terms of the program’s semantics.

At a high-level, there are three approaches to providing data validity:
* ''Black-listing'' — Widely considered bad practice in all cases, one validates based on a policy that explicitly defines bad values. All other data is assumed to be valid, but in practice, it often is not (or should not be).
* ''White-listing'' — One validates based on a precise description of what valid data entails (a policy). If the policy is correct, this prevents accidentally allowing maliciously invalid data. The risks are that the policy will not be correct, which may result not only in allowing bad data but also in disallowing some valid data.
* ''Cryptographic validation'' — One uses cryptography to demonstrate validity of the data.

Handling each input validation context involves a separate strategy:
* The sender can, in the general case, only be validated adequately using cryptographic message authentication.
* Tokens are generally validated using a simple state machine describing valid tokens (often implemented with regular expressions).
* Syntax is generally validated using a standard language parser, such as a recursive decent parser or a parser generated by a parser generator.
* Semantics are generally validated at the highest boundary at which all of the semantic data needed to make a decision is available. Message-ordering omission is best validated cryptographically along with sender authentication.

Protocol-specific semantics are often best validated in the context of a parser generated from a specification. In this case, semantics should be validated in the production associated with a single syntactic rule. When not enough semantic data is available at this level, semantic validation is best performed using a design-by-contract approach.

====Actions to perform when invalid data is found====
There are three classes of action one can take when invalid data is identified:
* ''Error'' — This includes fatal errors and non-fatal errors.
* ''Record'' — This includes logging errors and sending notifications of errors to interested parties.
* ''Modify'' — This includes filtering data or replacing data with default values.

These three classes are orthogonal, meaning that the decision to do any one is independent from the others. One can easily perform all three classes of action.

Category:Software Assurance Maturity Model

2009-05-05T05:48:41Z

Pravir Chandra:

{{OpenSAMM-NoCat}}

==== Main ====
<div style="display:inline;
width:220px; float:right; padding-left:40px; padding-bottom:40px;">
<div style="padding-bottom:10px;">
[http://www.opensamm.org/download/ http://www.opensamm.org/downloads/DownloadButton.png]
</div>
<div style="padding-top:10px;">
[http://www.opensamm.org/ Visit the SAMM Website]
[http://www.opensamm.org/ http://www.owasp.org/images/4/44/SAMM-1.0-Cover.png]
</div>
</div>

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:
* '''Evaluating an organization’s existing software security practices'''
* '''Building a balanced software security assurance program in well-defined iterations'''
* '''Demonstrating concrete improvements to a security assurance program'''
* '''Defining and measuring security-related activities throughout an organization'''

SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project. Beyond these traits, SAMM was built on the following principles:
* ''An organization’s behavior changes slowly over time'' - A successful software security program should be specified in small iterations that deliver tangible assurance gains while incrementally working toward long-term goals.
* ''There is no single recipe that works for all organizations'' - A software security framework must be flexible and allow organizations to tailor their choices based on their risk tolerance and the way in which they build and use software.
* ''Guidance related to security activities must be prescriptive'' - All the steps in building and assessing an assurance program should be simple, well-defined, and measurable. This model also provides roadmap templates for common types of organizations.

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

[[Image:SAMM-Overview.png|720px]]

==== Browse Online ====
===== Click on any badge to learn more =====

{| cellpadding="1"
|[http://www.owasp.org/index.php/SAMM_-_Governance http://www.opensamm.org/badges/small/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[http://www.owasp.org/index.php/SAMM_-_Construction http://www.opensamm.org/badges/small/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[http://www.owasp.org/index.php/SAMM_-_Verification http://www.opensamm.org/badges/small/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[http://www.owasp.org/index.php/SAMM_-_Deployment http://www.opensamm.org/badges/small/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

==== Project Identification ====
{{:Key Project Information:Software Assurance Maturity Model Project}}

[[Category:OWASP Project]]
[[Category:OWASP Document]]
[[Category:OWASP Alpha Quality Document]]

__NOTOC__
<headertabs/>
<br/>{{OWASP Book|6888083}}<br/>

File:SAMM-Overview.png

2009-05-05T05:46:36Z

Pravir Chandra:

Category:Software Assurance Maturity Model

2009-05-05T01:02:41Z

Pravir Chandra:

{{OpenSAMM-NoCat}}

==== Main ====
<div style="display:inline;
width:220px; float:right; padding-left:40px; padding-bottom:40px;">
<div style="padding-bottom:10px;">
[http://www.opensamm.org/download/ http://www.opensamm.org/downloads/DownloadButton.png]
</div>
<div style="padding-top:10px;">
[http://www.opensamm.org/ Visit the SAMM Website]
[http://www.opensamm.org/ http://www.owasp.org/images/4/44/SAMM-1.0-Cover.png]
</div>
</div>

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:
* '''Evaluating an organization’s existing software security practices'''
* '''Building a balanced software security assurance program in well-defined iterations'''
* '''Demonstrating concrete improvements to a security assurance program'''
* '''Defining and measuring security-related activities throughout an organization'''

SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project. Beyond these traits, SAMM was built on the following principles:
* ''An organization’s behavior changes slowly over time'' - A successful software security program should be specified in small iterations that deliver tangible assurance gains while incrementally working toward long-term goals.
* ''There is no single recipe that works for all organizations'' - A software security framework must be flexible and allow organizations to tailor their choices based on their risk tolerance and the way in which they build and use software.
* ''Guidance related to security activities must be prescriptive'' - All the steps in building and assessing an assurance program should be simple, well-defined, and measurable. This model also provides roadmap templates for common types of organizations.

The foundation of the model is built upon the core business functions of software development with security practices tied to each (see diagram below). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, estimate personnel and other costs.

==== Browse Online ====
===== Click on any badge to learn more =====

{| cellpadding="1"
|[http://www.owasp.org/index.php/SAMM_-_Governance http://www.opensamm.org/badges/small/G.png]
|-
|align="center"|'''Strategy & Metrics'''
|{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|padding=0}}
|-
|align="center"|'''Policy & Compliance'''
|{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|padding=0}}
|-
|align="center"|'''Education & Guidance'''
|{{SAMM-BadgeList|name=Education_&_Guidance|abbr=EG|padding=0}}
|-
|[http://www.owasp.org/index.php/SAMM_-_Construction http://www.opensamm.org/badges/small/C.png]
|-
|align="center"|'''Threat Assessment'''
|{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|padding=0}}
|-
|align="center"|'''Security Requirements'''
|{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|padding=0}}
|-
|align="center"|'''Secure Architecture'''
|{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|padding=0}}
|-
|[http://www.owasp.org/index.php/SAMM_-_Verification http://www.opensamm.org/badges/small/V.png]
|-
|align="center"|'''Design Review'''
|{{SAMM-BadgeList|name=Design_Review|abbr=DR|padding=0}}
|-
|align="center"|'''Code Review'''
|{{SAMM-BadgeList|name=Code_Review|abbr=CR|padding=0}}
|-
|align="center"|'''Security Testing'''
|{{SAMM-BadgeList|name=Security_Testing|abbr=ST|padding=0}}
|-
|[http://www.owasp.org/index.php/SAMM_-_Deployment http://www.opensamm.org/badges/small/D.png]
|-
|align="center"|'''Vulnerability Management'''
|{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|padding=0}}
|-
|align="center"|'''Environment Hardening'''
|{{SAMM-BadgeList|name=Environment_Hardening|abbr=EH|padding=0}}
|-
|align="center"|'''Operational Enablement'''
|{{SAMM-BadgeList|name=Operational_Enablement|abbr=OE|padding=0}}
|-
|}

==== Project Identification ====
{{:Key Project Information:Software Assurance Maturity Model Project}}

[[Category:OWASP Project]]
[[Category:OWASP Document]]
[[Category:OWASP Alpha Quality Document]]

__NOTOC__
<headertabs/>
<br/>{{OWASP Book|6888083}}<br/>

Template:OpenSAMM-NoCat

2009-05-05T01:02:24Z

Pravir Chandra: New page: {| style="width: 80%; margin: 0 auto; border-collapse: collapse; color: #bbb; background: #505050; border: 1px solid #000;" |- | style="padding: 0.25em 0.25em;" valign="center" | [http://...

{| style="width: 80%; margin: 0 auto; border-collapse: collapse; color: #bbb; background: #505050; border: 1px solid #000;"
|-
| style="padding: 0.25em 0.25em;" valign="center" | [http://www.opensamm.org http://www.owasp.org/images/thumb/7/70/OpenSAMM_logo.png/250px-OpenSAMM_logo.png]
| style="padding: 0.25em 0.25em;" align="center" | For the latest project news and information,<br/>join the [http://lists.owasp.org/mailman/listinfo/samm <span style="color: #98D3F9;">mailing list</span>] and visit the [http://www.opensamm.org <span style="color: #98D3F9;">OpenSAMM website</span>].
|}
<br/>

Software Assurance Maturity Model

2009-05-05T01:01:04Z

Pravir Chandra: Redirecting to Category:Software Assurance Maturity Model

#redirect [[:Category:Software Assurance Maturity Model]]

Category:OWASP Project

2009-05-05T01:00:16Z

Pravir Chandra:

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. Tools and documents are organized into the following categories:

* '''PROTECT''' - These are tools and documents that can be used to guard against security-related design and implementation flaws.
* '''DETECT''' - These are tools and documents that can be used to find security-related design and implementation flaws.
* '''LIFE CYCLE''' - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

If you would like to start a new project please review the <b>[[How to Start an OWASP Project]]</b> guide. Please contact the [https://www.owasp.org/index.php/Global_Projects_and_Tools_Committee Global Project Committee] members to discuss project ideas and how they might fit into OWASP. All OWASP projects must be free and open and have their homepage on the OWASP portal. You can read all the guidelines in the [[:Category:OWASP_Project_Assessment | Project Assessment Criteria]].

Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any of them on the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page.
<BR><BR>
==== Release Quality Projects ====
* Release quality projects are generally the level of quality of professional tools or documents.
* Projects are listed below.
<table width="100%" valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>
'''PROTECT:<br><br>

; [[:Category:OWASP AntiSamy Project|OWASP AntiSamy Java Project]]
: an API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks (Assessment Criteria v1.0)

; [[:Category:OWASP AntiSamy Project .NET|OWASP AntiSamy .NET Project]]
: an API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks. (Assessment Criteria v1.0)

; [[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API (ESAPI) Project]]
: a free and open collection of all the security methods that a developer needs to build a secure web application. (Assessment Criteria v1.0)

'''DETECT:<br><br>

; [[:Category:OWASP Live CD Project|OWASP Live CD Project]]
: this CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. (Assessment Criteria v1.0)

; [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]]
: a tool for performing all types of security testing on web applications and web services (Assessment Criteria v1.0)

'''LIFE CYCLE:<br><br>

; [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]]
: an online training environment for hands-on learning about application security (Assessment Criteria v1.0)

</td><td>

'''PROTECT:<br><br>

; [[:Category:OWASP Guide Project|OWASP Development Guide]]
: a massive document covering all aspects of web application and web service security (Assessment Criteria v1.0)

; [[:Category:OWASP Ruby on Rails Security Guide V2 | OWASP Ruby on Rails Security Guide V2]]
: this Project is the one and only source of information about Rails security topics. (Assessment Criteria v1.0)

'''DETECT:<br><br>

; [[:Category:OWASP Code Review Project|OWASP Code Review Guide]]
: a project to capture best practices for reviewing code. (Assessment Criteria v1.0)

; [[:Category:OWASP Testing Project|OWASP Testing Guide]]
: a project focused on application security testing procedures and checklists (Assessment Criteria v1.0)

; [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]]
: an awareness document that describes the top ten web application security vulnerabilities (Assessment Criteria v1.0)

'''LIFE CYCLE:<br><br>

; [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]]
: FAQ covering many application security topics (Assessment Criteria v1.0)

; [[:Category:OWASP Legal Project|OWASP Legal Project]]
: a project focused on providing contract language for acquiring secure software (Assessment Criteria v1.0)

; [[:Category:OWASP Source Code Review OWASP Projects Project|OWASP Source Code Review for OWASP-Projects]]
: a workflow for OWASP projects to incorporate static analysis into the Software Development Life Cycle (SDLC). (Assessment Criteria v1.0)

</td></tr></table>

==== Beta Status Projects ====
* Beta quality projects are complete and ready to use with documentation.
* Projects are listed below.
<table width="100%" valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>
'''PROTECT:<br><br>

; [[:Category:OWASP CSRFGuard Project|OWASP CSRFGuard Project]]
: a J2EE filter that implements a unique request token to mitigate CSRF attacks (Assessment Criteria v1.0)

; [[:Category:OWASP Encoding Project|OWASP Encoding Project]]
: a project focused on the development of encoding best practices for web applications. (Assessment Criteria v1.0)

; [[:Category:OWASP .NET Project|OWASP .NET Research]]
: a project focused on helping .NET developers build secure applications (Assessment Criteria v1.0)

; [[:Category:OWASP OpenSign Server Project|OWASP OpenSign Server Project]]
: the purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. (Assessment Criteria v1.0)

; [[:Category:OWASP OpenPGP Extensions for HTTP - Enigform and mod openpgp|OWASP OpenPGP Extensions for HTTP - Enigform and mod openpgp]]
: focus on mod_openpgp and Secure Session Management, presenting a working web-site using this new authentication methodology in such a way that it will attract security professionals and web-developers to this new mix of two good'ol protocols: HTTP and OpenPGP. (Assessment Criteria v1.0)

'''DETECT:<br><br>

; [[:Category:OWASP Access Control Rules Tester Project|OWASP Access Control Rules Tester Project]]
: this project is intended to have two deliverables: research technical report (publication ready article) and an Access Control Rules Tester tool. (Assessment Criteria v1.0)

; [[:Category:OWASP Code Crawler|OWASP Code Crawler]]
: this tool is aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code. (Assessment Criteria v1.0)

; [[:Category:OWASP DirBuster Project|OWASP DirBuster Project]]
:DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. (Assessment Criteria v1.0)

; [[:Category:OWASP LAPSE Project|OWASP LAPSE Project]]
: an Eclipse-based source-code static analysis tool for Java (Assessment Criteria v1.0)

; [[:Category:OWASP Orizon Project|OWASP Orizon Project]]
: the goal of this project is to develop an extensible code review engine to be used from source code assessment tools. (Assessment Criteria v1.0)

; [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]
: a project focused on combining automated capabilities with complete manual testing to get the best results (Assessment Criteria v1.0)

; [[ORG_%28Owasp_Report_Generator%29|OWASP Report Generator]]
: a project giving security professionals a way to report and keep track of their projects (Assessment Criteria v1.0)

; [[Owasp_SiteGenerator|OWASP Site Generator]]
: a project allowing users to create dynamic sites for use in training, web application scanner testing, etc... (Assessment Criteria v1.0)

; [[:Category:OWASP Skavenger Project|OWASP Skavenger Project]]
: is a web application security assessment tool kit that passively analyses traffic logged by various MITM proxies as well as other sources and helps to identify various kinds of possible vulnerabilities. (Assessment Criteria v1.0)

; [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]]
: a project focused on the development of SQLiX, a full perl-based SQL scanner (Assessment Criteria v1.0)

; [[:Category:OWASP Sqlibench Project|OWASP Sqlibench Project]]
: this is a benchmarking project of automatic sql injectors related to dumping databases. (Assessment Criteria v1.0)

; [[OWASP_Tiger|OWASP Tiger]]
: OWASP Tiger is a Windows application originally intended to be used for automating the process of testing various known ASP.NET security issues in hosted environments. However, it is much more versatile than that: it can help you construct and send a HTTP requests, receive and analyze the responses, match them against a set of conditions to produce alerts, notifications that something is wrong with the application(s) or service(s) being tested. (Assessment Criteria v1.0)

; [[:Category:OWASP WeBekci Project|OWASP WeBekci Project]]
: OWASP WeBekci is a web based ModSecurity 2.x management tool. WeBekci is written in PHP, Its backend is powered by MySQL and the frontend by XAJAX framework. (Assessment Criteria v1.0)

; [[:Category:OWASP WSFuzzer Project|OWASP WSFuzzer Project]]
: a project focused on the development of WSFuzzer, a full python-based Web Services SOAP fuzzer (Assessment Criteria v1.0)

'''LIFE CYCLE:<br><br>

; [[:Category:OWASP LiveCD Education Project|OWASP Live CD Education Project]]
: an educational supplement project containing tutorials, challenges and videos detailing the use of tools contained within the OWASP LiveCD - LabRat. This project was sponsored by [[OWASP Spring Of Code 2007|OWASP Spring Of Code 2007]] and [http://www.securitydistro.com/ Security Distro] (Assessment Criteria v1.0)

; [[:Category:OWASP Teachable Static Analysis Workbench Project|OWASP Teachable Static Analysis Workbench Project]]
: this project is intended to have two deliverables: research technical report (publication ready article) and a workbench prototype. (Assessment Criteria v1.0)
</td><td>

'''PROTECT:<br><br>
; [[:Category:OWASP AppSensor Project|OWASP AppSensor Project]]
: a framework for detecting and responding to attacks from within the application. (Assessment Criteria v1.0)

; [[:Category:OWASP Backend Security Project|OWASP Backend Security Project]]
: this is a new project created to improve and to collect the existant information about the backend security. (Assessment Criteria v1.0)

; [[:Category:OWASP .NET Project|OWASP .NET Project]]
: the purpose of the this project is to provide a central repository of information and tools for software professionals that use the Microsoft .NET Framework for web applications and services. (Assessment Criteria v1.0)

; [[:Category:OWASP Securing WebGoat using ModSecurity Project |OWASP Securing WebGoat using ModSecurity Project]]
: the purpose of this project is to create custom Modsecurity rulesets that will protect WebGoat 5.2 from as many of its vulnerabilities as possible (the goal is 90%) without changing one line of source code. (Assessment Criteria v1.0)

'''DETECT:<br><br>

; [[:Category:OWASP Application Security Verification Standard Project | OWASP Application Security Verification Standard Project]]
: The ASVS defines a standard for conducting application security verifications. It covers both automated and manual approaches for assessing applications using both external testing and code review techniques. (Assessment Criteria v1.0)

; [[:Category:OWASP Tools Project|OWASP Tools Project]]
: the OWASP Tools Project's goal is to provide unbiased, practical information and guidance about application security tools. (Assessment Criteria v1.0)

'''LIFE CYCLE:<br><br>

; [[:Category:OWASP CLASP Project|OWASP CLASP Project]]
: a project focused on defining process elements that reinforce application security (Assessment Criteria v1.0)

; [[:Category:OWASP Education Project|OWASP Education Project]]
: a project to build educational tracks and modules for different audiences. (Assessment Criteria v1.0)

; [[OWASP_Internationalization | OWASP Internationalization Project]]
: general guidelines to start a new translation project for OWASP site and projects. (Assessment Criteria v1.0)

; [[OWASP_Spanish | OWASP Spanish Project]]
: first translation effort to make OWASP site and project completely available in Spanish language. (Assessment Criteria v1.0)

</td></tr></table>

==== Alpha Status Projects ====
* Alpha quality projects are generally usable but may lack documentation or quality review.
* Projects are listed below.
<table width="100%" valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project|OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project]]
: The idea is to split destination web application technology from the three reusable libraries: library of navigational elements, library of vulnerabilities and library of language constructs. (Assessment Criteria v1.0)

; [[Classic_ASP_Security_Project |OWASP Classic ASP Security Project]]
: it aims in creating a secure framework for Classic ASP application by complementing existing OWASP projects with documentation for this particular technology and the creation of security libraries. (Assessment Criteria v1.0)

; [[:Category:OWASP CRM Project|OWASP CRM Project]]
: provides a management system for membership, projects, industry and chapters and users of OWASP projects (Assessment Criteria v1.0)

; [[:Category:OWASP CSRFTester Project|OWASP CSRFTester Project]]
: gives developers the ability to test their applications for CSRF flaws (Assessment Criteria v1.0)

; [[:Category:OWASP EnDe|OWASP EnDe Project]]
: This tool is an encoder, decoder, converter, transformer, calculator, for various codings used in the wild wide web. (Assessment Criteria v1.0)

; [[:Category:OWASP Google Hacking Project|OWASP Google Hacking Project]]
: Google SOAP Search API with Perl (Assessment Criteria v1.0)

; [[:Category:OWASP Insecure Web App Project|OWASP Insecure Web App Project]]
: a web application that includes common web application vulnerabilities (Assessment Criteria v1.0)

; [[:Category:OWASP JBroFuzz|OWASP JBroFuzz Project]]
: a web application fuzzer for requests being made over HTTP and/or HTTPS. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities. This project was sponsored by [[OWASP Spring Of Code 2007|OWASP Spring Of Code 2007]] (Assessment Criteria v1.0)

; [[:Category:OWASP Joomla Vulnerability Scanner Project|OWASP Joomla Vulnerability Scanner Project]]
: a regularly-updated signature-based scanner that can detect file inclusion, sql injection, command execution,XSS, DOS,directory traversal vulnerabilities of a target Joomla! web site

; [[:Category:OWASP JSP Testing Tool Project|OWASP JSP Testing Tool Project]]
: the goal of this project is to create an easy to use, freely available tool that can be used to quickly ascertain the level of protection that each component of a JSP tag library offers. (Assessment Criteria v1.0)

; [[:Category:OWASP Learn About Encoding Project|OWASP Learn About Encoding Project]]
: this project has as its ultimate goal of demystifying the problems related to the study of character encoding (charset encoding). (Assessment Criteria v1.0)

; [[:Category:OWASP Mutillidae|OWASP Mutillidae Project]]
: a deliberately vulnerable set of PHP scripts that implement the OWASP Top 10

; [[:Category:OWASP NetBouncer Project|OWASP NetBouncer Project]]
: is secure by default centralised input/output validation library which combines security rules and business rules as well as escaping in the output level. (Assessment Criteria v1.0)

; [[:Category:OWASP Open Review Project|OWASP Open Review Project (ORPRO)]]
: a project to openly check open source libraries and software that are vital to most commercial and non-commercial apps around. (Assessment Criteria v1.0)

; [[:Category:OWASP PHP AntiXSS Library Project|OWASP PHP AntiXSS Library Project]]
: reduce cross-site scripting vulnerabilities by encoding your output (Assessment Criteria v1.0)

; [[:Category:OWASP Python Static Analysis Project|OWASP Python Static Analysis Project]]
: the aim of this project is to provide full language support,other Python frameworks support, analysis improvement, reporting capability, documentation, promotion materials: publication-ready article and presentation (Assessment Criteria v1.0)

; [[:Category:OWASP Proxy|OWASP Proxy Project]]
: aims to provide a high quality intercepting proxy library which can be used by developers who require this functionality in their own programs, rather than having to develop it all from scratch. (Assessment Criteria v1.0)

; [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]
: an open source black box security scanner used to assess the security of AJAX-enabled applications (Assessment Criteria v1.0)

; [[:Category:OWASP Stinger Project|OWASP Stinger Project]]
: a project focus on the development of a centralized input validation mechanism which can be easily applied to existing or developmental applications (Assessment Criteria v1.0)

; [[:Category:OWASP Vicnum Project|OWASP Vicnum Project]]
: a lightweight vulnerable web application based on a game played to kill time which demonstrates common web application vulnerabilities such as cross site scripting (Assessment Criteria v1.0)

; [[:Category:OWASP Wapiti Project|OWASP Wapiti Project]]
: the project allows to audit the security by performing "black-box" scans acting like a fuzzer, injecting payloads to see if an application is vulnerable (Assessment Criteria v1.0)

; [[:Category:OWASP Web Application Security Metric using Attack Patterns Project|OWASP Web Application Security Metric using Attack Patterns Project]]
: the project provides attack pattern database along with prototype model (Assessment Criteria v1.0)

; [[:Category:OWASP_Web_2.0_Project|OWASP Web 2.0 Project]]
: a place for advanced research of security in the Web 2.0 world (Assessment Criteria v1.0)

; [[:Category:OWASP WeBekci Project|OWASP WeBekci Project]]
: this is web based ModSecurity 2.x management tool. WeBekci is written in PHP, Its backend is powered by MySQL and the frontend by XAJAX framework. (Assessment Criteria v1.0)

; [[:Category:OWASP Webslayer Project|OWASP Webslayer Project]]
: a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (Assessment Criteria v1.0)

; [[:Category:OWASP Yasca Project|OWASP Yasca Project]]
: Yasca is a new static analysis tool designed to scan Java, C/C++, JavaScript, .NET, and other source code for security and code-quality issues. Yasca is easily extensible via a plugin-based architecture, so scanning PHP, Ruby, or other languages is as simple as coming up with rules or integrating external tools. (Assessment Criteria v1.0)

</td><td>

; [[:Category:OWASP ASDR Project | OWASP ASDR Project]]
: is a reference volume that contains basic information about all the foundational topics in application security (Assessment Criteria v1.0)

; [[:Category:OWASP AIR Security Project|OWASP AIR Security Project]]
: investigating the security of AIR applications (Assessment Criteria v1.0)

; [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]]
: investigating the security of AJAX enabled applications (Assessment Criteria v1.0)

; [[:Category:OWASP Anti-Malware Project|OWASP Anti-Malware Project]]
: describing common flaws in security designs (Assessment Criteria v1.0)

; [[:Category:OWASP Application Security Requirements Project|OWASP Application Security Requirements]] (Assessment Criteria v1.0)

; [[:Category:OWASP Best Practices: Use of Web Application Firewalls|OWASP Best Practices: Use of Web Application Firewalls]]
: the document is aimed primarily at technical decision-makers, especially those responsible for operations and security (Assessment Criteria v1.0)

; [[:Category:OWASP Book Cover & Sleeve Design|OWASP Book Cover & Sleeve Design]]
: this is a project of corporate design to develop a scalable book cover series strategy and a Book Sleeve. (Assessment Criteria v1.0)

; [[:Category:OWASP Career Development Project|OWASP Career Development Project]]
: The OWASP Career Development project is focused on helping application security professionals understand the job market, roles, career paths, and skills to work in the field. (Assessment Criteria v1.0)

; [[:Category:OWASP Certification Criteria Project|OWASP Certification Criteria Project]] (Assessment Criteria v1.0)

; [[:Category:OWASP Certification Project|OWASP Certification Project]]
: our challenge is to create a plan for certification: a set of OWASP Certification for Developers and Testers. (Assessment Criteria v1.0)

; [[:Category:OWASP Communications Project|OWASP Communications Project]] (Assessment Criteria v1.0)

; [[:Category:OWASP Flash Security Project|OWASP Flash Security Project]]
: investigating the security of Flash applications (Assessment Criteria v1.0)

; [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Project]]
: a comprehensive and integrated guide to the fundamental building blocks of application security (Assessment Criteria v1.0)

; [[:Category:OWASP Individual and Corporate Member Packs plus Conference Attendee Packs Brief|OWASP Member Packs/Conference Attendee Packs]]
: this is a project of corporate design to develop an Individual/Member Pack. (Assessment Criteria v1.0)

; [[:Category:OWASP Java Project|OWASP Java Project]]
: a project focused on helping Java and J2EE developers build secure applications (Assessment Criteria v1.0)

; [[:Category:OWASP Logging Project|OWASP Logging Guide]]
: a project to define best practices for logging and log management (Assessment Criteria v1.0)

; [[:Category:OWASP ModSecurity Core Rule Set Project|OWASP ModSecurity Core Rule Set Project]]
: a project to document and develop the ModSecurity Core Rule Set (Assessment Criteria v1.0)

; [[:Category:OWASP PHP Project|OWASP PHP Project]]
: a project focused on helping PHP developers build secure applications (Assessment Criteria v1.0)

; [[:Category:OWASP Positive Security Project | OWASP Positive Security Project]]
: a project to learn how companies are working to create a positive security approach on their own resources and use this knowledge to create a set of control, marketing and awareness tools that will be available to promote and construct a positive approach to security worldwide. (Assessment Criteria v1.0)

; [[:Category:OWASP SASAP Project|OWASP Scholastic Application Security Assessment Project]]
: a project that is intended to be the first step towards integrating security requirements in academic course curriculum (Assessment Criteria v1.0)

; [[:Category:OWASP_Security_Spending_Benchmarks|OWASP Security Spending Benchmarks]]
: provides insight to reduce operational appsec costs (Assessment Criteria v1.0)

; [[:Category:Software Assurance Maturity Model|Software Assurance Maturity Model (SAMM)]]
: this project is committed to building a usable framework to help organizations formulate and implement a strategy for application security that's tailored to the specific business risks facing the organization.

; [[:Category:OWASP Source Code Flaws Top 10 Project|OWASP Source Code Flaws Top 10 Project]]
: a project that is a sort of Top 10 of flaw categories that can be used to match vulnerabilities found during a code review (Assessment Criteria v1.0)

; [[:Category:OWASP Validation Project|OWASP Validation Project]]
: a project that provides guidance and tools related to validation (Assessment Criteria v1.0)

; [[:Category:OWASP WASS Project|OWASP WASS Guide]]
: a standards project to develop more concrete criteria for secure applications (Assessment Criteria v1.0)

; [[:Category:OWASP Web Application Scanner Specification Project|OWASP Web Application Scanner Specification Project]]
: there will always be a "gap" between the types of attacks that can be performed and those which can be found by an automated scanner. This project will attempt to outline some of those shortcomings and offer a plan for comparing and/or building web application vulnerability scanners. (Assessment Criteria v1.0)

; [[:Category:OWASP Web Application Security Put Into Practice|OWASP Web Application Security Put Into Practice]]
: real-world web application security for Ruby on Rails, Apache and MySQL (Assessment Criteria v1.0)

; [[:Category:OWASP XML Security Gateway Evaluation Criteria Project|OWASP XML Security Gateway Evaluation Criteria]]
: a project to define evaluation criteria for XML Security Gateways (Assessment Criteria v1.0)

; [[:Category:OWASP on the Move Project|OWASP on The Move Project]]
: a project offering OWASP sponsorship for OWASP (related) speakers on web application security events or chapter meetings. (Assessment Criteria v1.0)

; [[:Category:OWASP Speakers Project|OWASP Speakers Project]]
: a project to match offer and demand regarding OWASP (related) presentations by speakers on web application security events or chapter meetings. (Assessment Criteria v1.0)

; [[:Category:OWASP Fuzzing Code Database|OWASP Fuzzing Code Database]]
: a project to collect, share and compose statements used as code injections like SQL, SSI, XSS, Formatstring and as well directory traversal statements. (Assessment Criteria v1.0)

</td></tr></table>

==== Inactive Projects ====
* Inactive projects are unrated projects (projects that have not reached any one of Alpha, Beta, or Release status) which may have been abandoned. Efforts are being made to contact project leads to determine status and plans for future work.
* Projects are listed below.
<table width="100%" valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]]
: a JavaScript based web application security testing suite

; [[:Category:OWASP Interceptor Project|OWASP Interceptor Project]]
: A testing tool for XML web service and Ajax interfaces.

</td><td>

; [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]]
: establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment (Assessment Criteria v1.0)

; [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]]
: identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security (Assessment Criteria v1.0)

; [[:OWASP Corporate Application Security Rating Guide|OWASP Corporate Application Security Rating Guide]]
: This project will organize and structure publicly available data that large companies will share of the lessons learned about how to organize an application security initiative, best practices for training and testing, and more.

</td></tr></table>
__NOTOC__
<headertabs/>

{{PutInCategory}}

SAMM

2009-05-05T00:58:05Z

Pravir Chandra: Redirecting to Category:Software Assurance Maturity Model

#redirect [[:Category:Software_Assurance_Maturity_Model]]

Template:OpenSAMM

2009-05-05T00:57:42Z

Pravir Chandra:

SAMM - Vulnerability Management - 3

2009-05-05T00:56:05Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|border3=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Deployment http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveD3|name=Vulnerability Management|obj=Improve analysis and data gathering within response process for feedback into proactive planning}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Detailed feedback for organizational improvement after each incident
* Rough cost estimation from vulnerabilities and compromises
* Stakeholders better able to make tradeoff decisions based on historic incident trends

====Add’l Success Metrics====
* >80% of incidents documented with root causes and further recommendations in past 6 months
* >80% of incidents collated for metrics in the past 6 months

====Add’l Costs====
* Ongoing organization overhead from conducting deeper research and analysis of incidents
* Ongoing organization overhead from collection and review of incident metrics

====Add’l Personnel====
* Security Auditors (3 days/yr)
* Managers (2 days/yr)
* Business Owners (2 days/yr)

====Related Levels====
* Strategy & Metrics - 3

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Conduct root cause analysis for incidents===
Though potentially time consuming, the incident response process should be augmented to include additional analysis to identify the key, underlying security failures. These root causes can be technical problems such as code-level vulnerabilities, configuration errors, etc. or they can be people/process problems such as social engineering, failure to follow procedures, etc.

Once a root cause is identified for an incident, it should be used as a tool to find other potential weaknesses in the organization where an analogous incident could have occurred. For each identified weakness additional recommendations for proactive mitigations should be communicated as part of closing out the original incident response effort.

Any recommendations based on root cause analysis should be reviewed by management and relevant business stakeholders in order to either schedule mitigation activities or note the accepted risks.

===B. Collect per-incident metrics===
By having a centralized process to handle all compromise and high-priority vulnerability reports, an organization is enabled to take measurements of trends over time to determine impact and efficiency of initiatives for security assurance.

Records of past incidents should be stored and reviewed at least every 6 months. Group similar incidents and simply tally the overall count for each type of problem. Additional measurements to take from the incidents include frequency of software projects affected by incidents, system downtime and cost from loss of use, human resources taken in handling and cleanup of the incident, estimates of long-term costs such as regulatory fines or brand damage, etc. For root causes that were technical problems in nature, it is also helpful to identify what kind of proactive, review, or operational practice might have detected it earlier or lessened the damage.

This information is concrete feedback into the program planning process since it represents the real security impact that the organization has felt over time.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Vulnerability Management - 2

2009-05-05T00:55:57Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|border2=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Deployment http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveD2|name=Vulnerability Management|obj=Elaborate expectations for response process to improve consistency and communications}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Communications plan for dealing with vulnerability reports from third-parties
* Clear process for releasing security patches to software operators
* Formal process for tracking, handling, and internally communicating about incidents

====Add’l Success Metrics====
* >80% of project teams briefed on incident response process in past 6 months
* >80% of stakeholders briefed on security issue disclosures in past 6 months

====Add’l Costs====
* Ongoing organization overhead from incident response process

====Add’l Personnel====
* Security Auditors (3-5 days/yr)
* Managers (1-2 days/yr)
* Business Owners (1-2 days/yr)
* Support/Operators (1-2 days/yr)

====Related Levels====

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Establish consistent incident response process===
Extending from the informal security response team, explicitly document the organization’s incident response process as well as the procedures that team members are expected to follow. Additionally, each member of the security response team must be trained on this material at least annually.

There are several tenets to sound incident response process and they include initial triage to prevent additional damage, change management and patch application, managing project personnel and others involved in the incident, forensic evidence collection and preservation, limiting communication about the incident to stakeholders, well-defined reporting to stakeholders and/or communications trees, etc.

With development teams, the security responders should work together to conduct the technical analysis to verify facts and assumptions about each incident or vulnerability report. Likewise, when project teams detect an incident or high-risk vulnerability, they should follow an internal process that puts them in contact with a member of the security response team.

===B. Adopt a security issue disclosure process===
For most organizations, it is undesirable to let news of a security problem become public, but there are several important ways in which internal-to-external communications on security issues should be fulfilled.

The first and most common is through creation and deployment of security patches for the software produced by the organization. Generally, if all software projects are only used internally, then this becomes less critical, but for all contexts where the software is being operated by parties external to the organization, a patch release process must exist. It should provide for several factors including change management and regression testing prior to patch release, announcement to operators/users with assigned criticality category for the patch, sparse technical details so that an exploit cannot be directly derived, etc.

Another avenue for external communications is with third parties that report security vulnerabilities in an organization’s software. By adopting and externally posting the expected process with timeframes for response, vulnerability reporters are encouraged to follow responsible disclosure practices.

Lastly, many states and countries legally require external communications for incidents involving data theft of personally identifiable information and other sensitive data type. Should this type of incident occur, the security response team should work with managers and business stakeholders to determine appropriate next-steps.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Vulnerability Management - 1

2009-05-05T00:55:49Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Vulnerability_Management|abbr=VM|border1=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Deployment http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveD1|name=Vulnerability Management|obj=Understand high-level plan for responding to vulnerability reports or incidents}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Lightweight process in place to handle high-priority vulnerabilities or incidents
* Framework for stakeholder notification and reporting of events with security impact
* High-level due diligence for handling security issues

====Success Metrics====
* >50% of the organization briefed on closest security point of contact in past 6 months
* >1 meeting of security response team and points of contact in past 12 months

====Costs====
* Ongoing variable project overhead from staff filling the security point of contact roles
* Identification of appropriate security response team

====Personnel====
* Security Auditors (1 day/yr)
* Architects (1 day/yr)
* Managers (1 day/yr)
* Business Owners (1 day/yr)

====Related Levels====
* Education & Guidance - 2
* Strategy & Metrics - 3

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Identify point of contact for security issues===
For each division within the organization or for each project team, establish a point of contact to serve as a communications hub for security information. While generally this responsibility will not claim much time from the individuals, the purpose of having a predetermined point of contact is to add structure and governance for vulnerability management.

Examples of incidents that might cause the utilization include receipt of a vulnerability report from an external entity, compromise or other security failure of software in the field, internal discovery of high-risk vulnerabilities, etc. In case of an event, the closest contact would step in as an extra resource and advisor to the affected project team(s) to provide technical guidance and brief other stakeholders on progress of mitigation efforts.

The point of contact should be chosen from security-savvy technical or management staff with a breadth of knowledge over the software projects in the organization. A list of these assigned security points of contact should be centrally maintained and updated at least every six months. Additionally, publishing and advertising this list allows staff within the organization to request help and work directly with one another on security problems.

===B. Create informal security response team(s)===
From the list of individuals assigned responsibility as a security point of contact or from dedicated security personnel, select a small group to serve as a centralized technical security response team. The responsibilities of the team will include directly taking ownership of security incidents or vulnerability reports and being responsible for triage, mitigation, and reporting to stakeholders.

Given their responsibility when tapped, members of the security response team are also responsible for executive briefings and upward communication during an incident. It is likely that most of the time, the security response team would not be operating in this capacity, though they must be flexible enough to be able to respond quickly or a smooth process must exist for deferring and incident to another team member.

The response team should hold a meeting at least annually to brief security points of contact on the response process and high-level expectations for security-related reporting from project teams.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Verification

2009-05-05T00:55:41Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
http://www.opensamm.org/badges/small/V.png
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM#tab=Browse_Online http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;"><br/><br/>
===Design Review===
The Design Review (DR) Practice is focused on assessment of software design and architecture for security-related problems. This allows an organization to detect architecture-level issues early in software development and thereby avoid potentially large costs from refactoring later due to security concerns.

Beginning with lightweight activities to build understanding of the security-relevant details about an architecture, an organization evolves toward more formal inspection methods that verify completeness in provision of security mechanisms. At the organization level, design review services are built and offered to stakeholders.

In a sophisticated form, provision of this Practice involves detailed, data-level inspection of designs and enforcement of baseline expectations for conducting design assessments and reviewing findings before releases are accepted.
{{SAMM-BadgeList|name=Design_Review|abbr=DR}}

===Code Review===
The Code Review (CR) Practice is focused on inspection of software at the source code level in order to find security vulnerabilities. Code-level vulnerabilities are generally simple to understand conceptually, but even informed developers can easily make mistakes that leave software open to potential compromise.

To begin, an organization uses lightweight checklists and for efficiency, only inspects the most critical software modules. However, as an organization evolves it uses automation technology to dramatically improve coverage and efficacy of code review activities.

Sophisticated provision of this Practice involves deeper integration of code review into the development process to enable project teams to find problems earlier. This also enables organizations to better audit and set expectations for code review findings before releases can be made.
{{SAMM-BadgeList|name=Code_Review|abbr=CR}}

===Security Testing===
The Security Testing (ST) Practice is focused on inspection of software in the runtime environment in order to find security problems. These testing activities bolster the assurance case for software by checking it in the same context in which it is expected to run, thus making visible operational misconfigurations or errors in business logic that are difficult to otherwise find.

Starting with penetration testing and high-level test cases based on the functionality of software, an organization evolves toward usage of security testing automation to cover the wide variety of test cases that might demonstrate a vulnerability in the system.

In an advanced form, provision of this Practice involves customization of testing automation to build a battery of security tests covering application-specific concerns in detail. With additional visibility at the organization level, security testing enables organizations to set minimum expectations for security testing results before a project release is accepted.
{{SAMM-BadgeList|name=Security_Testing|abbr=ST}}

</div>

SAMM - Threat Assessment - 3

2009-05-05T00:55:34Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|border3=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Construction http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveC3|name=Threat Assessment|obj=Concretely tie compensating controls to each threat against internal and third-party software}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Deeper consideration of full threat profile for each software project
* Detailed mapping of assurance features to established threats against each software project
* Artifacts to document due diligence based on business function of each software project

====Add’l Success Metrics====
* >80% of project teams with updated threat models prior to every implementation cycle
* >80% of project teams with updated inventory of third-party components prior to every release
* >50% of all security incidents identified a priori by threat models in past 12 months

====Add’l Costs====
* Project overhead from maintenance of detailed threat models and expanded attacker profiles
* Discovery of all third-party dependencies

====Add’l Personnel====
* Business Owners (1 day/yr)
* Developers (1 day/yr)
* Architects (1 day/yr)
* Security Auditors (2 day/yr)
* Managers (1 day/yr)

====Related Levels====
* Security Requirements - 2 & 3

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Explicitly evaluate risk from third-party components===
Conduct an assessment of your software code-base and identify any components that are of external origin. Typically, these will include open-source projects, purchased COTS software, and online services which your software uses.

For each identified component, elaborate attacker profiles for the software project based upon potential compromise of third-party components. Based upon the newly identified attacker profiles, update software threat models to incorporate any likely risks based upon new attacker goals or capabilities.

In addition to threat scenarios, also consider ways in which vulnerabilities or design flaws in the third-party software might affect your code and design. Elaborate your threat models accordingly with the potential risks from vulnerabilities and knowledge of the updated attacker profile.

After initially conducted for a project, this must be updated and reviewed during the design phase or every development cycle. This activity should be conducted by a security auditor with relevant technical and business stakeholders.

===B. Elaborate threat models with compensating controls===
Conduct an assessment to formally identify factors that directly prevent preconditions for compromise represented by the threat models. These mitigating factors are the compensating controls that formally address the direct risks from software. Factors can be technical features in the software itself, but can also be process elements in the development life-cycle, infrastructure features, etc.

If using attack trees, the logical relationship represented by each branch will be either an AND or an OR. Therefore, by mitigating against just one precondition on an AND branch, the parent and all connected leaf nodes can be marked as mitigated. However, all child nodes on an OR node must be prevented before the parent can be marked as mitigated.

Regardless of threat modeling technique, identify compensating controls and annotate the threat models directly. The goal is to maximize coverage in terms of controls that mark parts of the threat model as mitigated. For any viable paths remaining, identify potential compensating controls for feedback into organizational strategy.

After initially conducted for a project, this must be updated and reviewed during the design phase or every development cycle. This activity should be conducted by a security auditor with relevant technical and business stakeholders.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Threat Assessment - 2

2009-05-05T00:55:26Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|border2=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Construction http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveC2|name=Threat Assessment|obj=Increase accuracy of threat assessment and improve granularity of per-project understanding}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Granular understanding of likely threats to individual projects
* Framework for better tradeoff decisions within project teams
* Ability to prioritize development efforts within a project team based on risk weighting

====Add’l Success Metrics====
* >75% of project teams with identified and rated threats
* >75% of project stakeholders briefed on threat and abuse models of relevant projects within past 6 months

====Add’l Costs====
* Project overhead from maintenance of threat models and attacker profiles

====Add’l Personnel====
* Security Auditor (1 day/yr)
* Business Owner (1 day/yr)
* Managers (1 day/yr)

====Related Levels====
* Strategy & Metrics - 2
* Secure Architecture - 2

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Build and maintain abuse-case models per project===
Further considering the threats to the organization, conduct a more formal analysis to determine potential misuse or abuse of functionality. Typically, this process begins with identification of normal usage scenarios, e.g. use-case diagrams if available.

If a formal abuse-case technique isn’t used, generate a set of abuse-cases for each scenario by starting with a statement of normal usage and brainstorming ways in which the statement might be negated, in whole or in part. The simplest way to get started is to insert the word “no” or “not” into the usage statement in as many ways as possible, typically around nouns and verbs. Each usage scenario should generate several possible abuse-case statements.

Further elaborate the abuse-case statements to include any application-specific concerns based on the business function of the software. The ultimate goal is for the completed set of abuse statements to form a model for usage patterns that should be disallowed by the software. If desired, these abuse cases can be combined with existing threat models.

After initial creation, abuse-case models should be updated for active projects during the design phase. For existing projects, new requirements should be analyzed for potential abuse, and existing projects should opportunistically build abuse-cases for established functionality where practical.

===B. Adopt a weighting system for measurement of threats===
Based on the established attacker profiles, identify a rating system to allow relative comparison between the threats. Initially, this can be a simple high-medium-low rating based upon business risk, but any scale can be used provided that there are no more than 5 categories.

After identification of a rating system, build evaluation criteria that allow each threat to be assigned a rating. In order to do this properly, additional factors about each threat must be considered beyond motivation. Important factors include capital and human resources, inherent access privilege, technical ability, relevant goals on the threat model(s), likelihood of successful attack, etc.

After assigning each threat to a rating, use this information to prioritize risk mitigation activities within the development life-cycle. Once built for a project team, it should be updated during design of new features or refactoring efforts.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Threat Assessment - 1

2009-05-05T00:55:14Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Threat_Assessment|abbr=TA|border1=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Construction http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveC1|name=Threat Assessment|obj=Identify and understand high-level threats to the organization and individual projects}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* High-level understanding of factors that may lead to negative outcomes
* Increased awareness of threats amongst project teams
* Inventory of threats for your organization

====Success Metrics====
* >50% of project stakeholders briefed on the threat models of relevant projects within past 12 months
* >75% of project stakeholders briefed on attacker profiles for relevant architectures

====Costs====
* Buildout and maintenance of project artifacts for threat models

====Personnel====
* Business Owners (1 day/yr)
* Developers (1 day/yr)
* Architects (1 day/yr)
* Security Auditors (2 day/yr)
* Managers (1 day/yr)

==== Related Levels====
* Strategy & Metrics - 1
* Security Requirements - 2

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Build and maintain application-specific threat models===
Based purely on the business purpose of each software project and the business risk profile (if available) identify likely worst-case scenarios for the software under development in each project team. This can be conducted using simple attack trees or through a more formal threat modeling process such as Microsoft’s STRIDE, Trike, etc.

To build attack trees, identify each worst-case scenario in one sentence and label these as the high-level goals of an attacker. From each attacker goal identified, identify preconditions that must hold in order for each goal to be realized. This information should be captured in branches underneath each goal where each branch is either a logical AND or a logical OR of the statements contained underneath. An AND branch indicates that each directly attached child nodes must be true in order to realize the parent node. An OR branch indicates that any one of the directly attached child nodes must be true in order to achieve the parent node.

Regardless of the threat modeling approach, review each current and historic functional requirement to augment the attack tree to indicate security failures relevant to each. Brainstorm by iteratively dissecting each failure scenario into all the possible ways in which an attacker might be able to reach one of the goals. After initial creation, the threat model for an application should be updated when significant changes to the software are made. This assessment should be conducted with senior developers and architects as well as one or more security auditors.

===B. Develop attacker profile from software architecture===
Initially, conduct an assessment to identify all likely threats to the organization based on software projects. For this assessment, consider threats to be limited to agents of malicious intent and omit other risks such as known vulnerabilities, potential weaknesses, etc.

Begin by generally considering external agents and their corresponding motivations for attack. To this list, add internal roles that could cause damage and their motivations for insider attack. Based on the architecture of the software project(s) under consideration, it can be more efficient to conduct this analysis once per architecture type instead of for each project individually since applications of architecture and business purpose will generally be susceptible to similar threats.

This assessment should be conducted with business owners and other stakeholders but also include one or more security auditors for additional perspective on threats. In the end, the goal is to have a concise list of threat agents and their corresponding motivations for attack.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Strategy & Metrics - 3

2009-05-05T00:55:05Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|border3=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Governance http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveG3|name=Strategy & Metrics|obj=Align security expenditure with relevant business indicators and asset value}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Information to make informed case-by-case decisions on security expenditures
* Estimates of past loss due to security issues
* Per-project consideration of security expense versus loss potential
* Industry-wide due diligence with regard to security

====Add’l Success Metrics====
* >80% of projects reporting security costs in past 3 months
* >1 industry-wide cost comparison in past 1 year
* >1 historic security spend evaluation in past 1 year

====Add’l Costs====
* Buildout or license industry intelligence on security programs
* Program overhead from cost estimation, tracking, and evaluation

====Add’l Personnel====
* Architects (1 days/yr)
* Managers (1 days/yr)
* Business Owners (1 days/yr)
* Security Auditor (1 days/yr)

====Related Levels====
* Vulnerability Management - 1

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Conduct periodic industry-wide cost comparisons===
Research and gather information about security costs from intra-industry communication forums, business analyst and consulting firms, or other external sources. In particular, there are a few key factors that need to be identified.

First, use collected information to identify the average amount of security effort being applied by similar types of organizations in your industry. This can be done either top-down from estimates of total percentage of budget, revenue, etc. or it can be done bottom-up by identifying security-related activities that are considered normal for your type of organization. Overall, this can be hard to gauge for certain industries, so collect information from as many relevant sources as are accessible.

The next goal of researching security costs is to determine if there are potential cost savings on third-party security products and services that your organization currently uses. When weighing the decision of switching vendors, account for hidden costs such as retraining staff or other program overhead.

Overall, these cost-comparison exercises should be conducted at least annually prior to the subsequent assurance program strategy session. Comparison information should be presented to stakeholders in order to better align the assurance program with the business.

===B. Collect metrics for historic security spend===
Collect project-specific information on the cost of past security incidents. For instance, time and money spent in cleaning up a breach, monetary loss from system outages, fines and fees to regulatory agencies, project-specific one-off security expenditures for tools or services, etc.

Using the application risk categories and the respective prescribed assurance program roadmaps for each, a baseline security cost for each application can be initially estimated from the costs associated with the corresponding risk category.

Combine the application-specific cost information with the general cost model based on risk category, and then evaluate projects for outliers, i.e. sums disproportionate to the risk rating. These indicate either an error in risk evaluation/classification or the necessity to tune the organization’s assurance program to address root causes for security cost more effectively.

The tracking of security spend per project should be done quarterly at the assurance program strategy session, and the information should be reviewed and evaluated by stakeholders at least annually. Outliers and other unforeseen costs should be discussed for potential affect on assurance program roadmap.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Strategy & Metrics - 2

2009-05-05T00:54:57Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|border2=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Governance http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveG2|name=Strategy & Metrics|obj=Measure relative value of data and software assets and choose risk tolerance}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Customized assurance plans per project based on core value to the business
* Organization-wide understanding of security-relevance of data and application assets
* Better informed stakeholders with respect to understanding and accepting risks

====Add’l Success Metrics====
* >90% applications and data assets evaluated for risk classification in past 12 months
* >80% of staff briefed on relevant application and data risk ratings in past 6 months
* >80% of staff briefed on relevant assurance program roadmap in past 3 months

====Add’l Costs====
* Buildout or license of application and data risk categorization scheme
* Program overhead from more granular roadmap planning

====Add’l Personnel====
* Architects (2 days/yr)
* Managers (2 days/yr)
* Business Owners (2 days/yr)
* Security Auditor (2 days/yr)

====Related Levels====
* Policy & Compliance - 2
* Threat Assessment - 2
* Design Review - 2

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Classify data and applications based on business risk===
Establish a simple classification system to represent risk-tiers for applications. In its simplest form, this can be a High/Medium/Low categorization. More sophisticated classifications can be used, but there should be no more than seven categories and they should roughly represent a gradient from high to low impact against business risks.

Working from the organization’s business risk profile, create project evaluation criteria that maps each project to one of the risk categories. A similar but separate classification scheme should be created for data assets and each item should be weighted and categorized based on potential impact to business risks.

Evaluate collected information about each application and assign each a risk category based upon overall evaluation criteria and the risk categories of data assets in use. This can be done centrally by a security group or by individual project teams through a customized questionnaire to gather the requisite information.

An ongoing process for application and data asset risk categorization should be established to assign categories to new assets and keep the existing information updated at least biannually.

===B. Establish and measure per-classification security goals===
With a classification scheme for the organization’s application portfolio in place, direct security goals and assurance program roadmap choices can be made more granular.

The assurance program’s roadmap should be modified to account for each application risk category by specifying emphasis on particular Practices for each category. For each iteration of the assurance program, this would typically take the form of prioritizing more higher-level Objectives on the highest risk application tier and progressively less stringent Objectives for lower/other categories.

This process establishes the organization’s risk tolerance since active decisions must be made as to what specific Objectives are expected of applications in each risk category. By choosing to keep lower risk applications at lower levels of performance with respect to the Security Practices, resources are saved in exchange for acceptance of a weighted risk. However, it is not necessary to arbitrarily build a separate roadmap for each risk category since that can leads to inefficiency in management of the assurance program itself.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Strategy & Metrics - 1

2009-05-05T00:54:48Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Strategy_&_Metrics|abbr=SM|border1=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Governance http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveG1|name=Strategy & Metrics|obj=Establish unified strategic roadmap for software security within the organization}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Concrete list of the most critical business-level risks caused by software
* Tailored roadmap that addresses the security needs for your organization with minimal overhead
* Organization-wide understanding of how the assurance program will grow over time

====Success Metrics====
* >80% of stakeholders briefed on business risk profile in past 6 months
* >80% of staff briefed on assurance program roadmap in past 3 months
* >1 assurance program strategy session in past 3 months

====Costs====
* Buildout and maintenance of business risk profile
* Quarterly evaluation of assurance program

====Personnel====
* Developers (1 day/yr)
* Architects (4 days/yr)
* Managers (4 days/yr)
* Business Owners (4 days/yr)
* QA Testers (1 day/yr)
* Security Auditor (4 days/yr)

==== Related Levels ====
* Policy & Compliance - 1
* Threat Assessment - 1
* Security Requirements - 2

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Estimate overall business risk profile===
Interview business owners and stakeholders and create a list of worst-case scenarios across the organization’s various application and data assets. Based on the way in which your organization builds, uses, or sells software, the list of worst-case scenarios can vary widely, but common issues include data theft or corruption, service outages, monetary loss, reverse engineering, account compromise, etc.

After broadly capturing worst-case scenario ideas, collate and select the most important based on collected information and knowledge about the core business. Any number can be selected, but aim for at least 3 and no more than 7 to make efficient use of time and keep the exercise focused.

Elaborate a description of each of the selected items and document details of contributing worst-case scenarios, potential contributing factors, and potential mitigating factors for the organization.
The final business risk profile should be reviewed with business owners and other stakeholders for understanding.

===B. Build and maintain assurance program roadmap===
Understanding the main business risks to the organization, evaluate the current performance of the organization against each the twelve Practices. Assign a score for each Practice from 1, 2, or 3 based on the corresponding Objective if the organization passes all the cumulative success metrics. If no success metrics are being met, assign a score of 0 to the Practice.

Once a good understanding of current status is obtained, the next goal is to identify the Practices that will be improved in the next iteration. Select them based on business risk profile, other business drivers, compliance requirements, budget tolerance, etc. Once Practices are selected, the goals of the iteration are to achieve the next Objective under each.

Iterations of improvement on the assurance program should be approximately 3-6 months, but an assurance strategy session should take place at least every 3 months to review progress on activities, performance against success metrics and other business drivers that may require program changes.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Security Testing - 3

2009-05-05T00:54:39Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Security_Testing|abbr=ST|border3=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Verification http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveV3|name=Security Testing|obj=Require application-specific security testing to ensure baseline security before deployment}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Organization-wide baseline for expected application performance against attacks
* Customized security test suites to improve accuracy of automated analysis
* Project teams aware of objective goals for attack resistance

====Add’l Success Metrics====
* >50% of projects using security testing customizations
* >75% of projects passing all security tests in past 6 months

====Add’l Costs====
* Buildout and maintenance of customizations to security testing automation
* Ongoing project overhead from security testing audit process
* Organization overhead from project delays caused by failed security testing audits

====Add’l Personnel====
* Architects (1 day/yr)
* Developers (1 day/yr)
* Security Auditors (1-2 days/yr)
* QA Testers (1-2 days/yr)
* Business Owners (1 day/yr)
* Managers (1 day/yr)

====Related Levels====
* Policy & Compliance - 2
* Secure Architecture - 3

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Employ application-specific security testing automation===
Through either customization of security testing tools, enhancements to generic test case execution tools, or buildout of custom test harnesses, project teams should formally iterate through security requirements and build a set of automated checkers to test the security of the implemented business logic.

Additionally, many automated security testing tools can be greatly improved in accuracy and depth of coverage if they are customized to understand more detail about the specific software interfaces in the project under test. Further, organization-specific concerns from compliance or technical standards can be codified as a reusable, central test battery to make audit data collection and per-project management visibility simpler.

Project teams should focus on buildout of granular security test cases based on the business functionality of their software, and an organization-level team led by a security auditor should focus on specification of automated tests for compliance and internal standards.

===B. Establish release gates for security testing===
To prevent software from being released with easily found security bugs, a particular point in the software development life-cycle should be identified as a checkpoint where an established set of security test cases must pass in order to make a release from the project. This establishes a baseline for the kinds of security tests all projects are expected to pass.

Since adding too many test cases initially can result in an overhead cost bubble, begin by choosing one
or two security issues and include a wide variety of test cases for each with the expectation that no project may pass if any test fails. Over time, this baseline should be improved by selecting additional security issues and adding a variety of corresponding test cases.

Generally, this security testing checkpoint should occur toward the end of the implementation or testing, but must occur before release.

For legacy systems or inactive projects, an exception process should be created to allow those projects to continue operations, but with an explicitly assigned timeframe for mitigation of findings. Exceptions should be limited to no more that 20% of all projects.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Security Testing - 2

2009-05-05T00:54:31Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Security_Testing|abbr=ST|border2=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Verification http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveV2|name=Security Testing|obj=Make security testing during development more complete and efficient through automation}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Deeper and more consistent verification of software functionality for security
* Development teams enabled to self-check and correct problems before release
* Stakeholders better aware of open vulnerabilities when making risk acceptance decisions

====Add’l Success Metrics====
* >50% of projects with security testing and stakeholder sign-off in past 6 months
* >80% of projects with access to automated security testing results in past 1 month

====Add’l Costs====
* Research and selection of automated security testing solution
* Initial cost and maintenance of automation integration
* Ongoing project overhead from automated security testing and mitigation

====Add’l Personnel====
* Developers (1 days/yr)
* Architects (1 day/yr)
* Managers (1-2 days/yr)
* Security Auditors (2 days/yr)
* QA Testers (3-4 days/yr)

====Related Levels====

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Utilize automated security testing tools===
In order to test for security issues, a potentially large number of input cases must be checked against each software interface, which can make effective security testing using manual test case implementation and execution unwieldy. Thus, automated security test tools should be used to automatically test software, resulting in more efficient security testing and higher quality results.

Both commercial and open-source products are available and should be reviewed for appropriateness for the organization. Selecting a a suitable tool is based on several factors including robustness and accuracy of built-in security test cases, efficacy at testing architecture types important to organization, customization to change or add test cases, quality and usability of findings to the development organization, etc..

Utilize input from security-savvy technical staff as well as development and quality assurance staff in the selection process, and review overall results with stakeholders.

===B. Integrate security testing into development process===
With tools to run automated security tests, projects within the organization should routinely run security tests and review results during development. In order to make this scalable with low overhead, security testing tools should be configured to automatically run on a routine basis, e.g. nightly or weekly, and findings should be inspected as they occur.

Conducting security tests as early as the requirements or design phases can be beneficial. While traditionally, used for functional test cases, this type of test-driven development approach involves identifying and running relevant security test cases early in the development cycle, usually during design. With the automatic execution of security test cases, projects enter the implementation phase with a number of failing tests for the non-existent functionality. Implementation is complete when all the tests pass. This provides a clear, upfront goal for developers early in the development cycle, thus lowering risk of release delays due to security concerns or forced acceptance of risk in order to meet project deadlines.

For each project release, results from automated and manual security tests should be presented to management and business stakeholders for review. If there are unaddressed findings that remain as accepted risks for the release, stakeholders and development managers should work together to establish a concrete timeframe for addressing them.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Security Testing - 1

2009-05-05T00:54:24Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Security_Testing|abbr=ST|border1=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Verification http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveV1|name=Security Testing|obj=Establish process to perform basic security tests based on implementation and software requirements}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Independent verification of expected security mechanisms surrounding critical business functions
* High-level due diligence toward security testing
* Ad hoc growth of a security test suite for each software project

====Success Metrics====
* >50% of projects specifying security test cases in past 12 months
* >50% of stakeholders briefed on project status against security tests in past 6 months

====Costs====
* Buildout or license of security test cases
* Ongoing project overhead from maintenance and evaluation of security test cases

====Personnel====
* QA Testers (1-2 days/yr)
* Security Auditor (1-2 days/yr)
* Developers (1 day/yr)
* Architects (1 day/yr)
* Business Owners (1 day/yr)

====Related Levels====
* Security Requirements - 1

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Derive test cases from known security requirements===
From the known security requirements for a project, identify a set of test cases to check the software for correct functionality. Typically, these test cases are derived from security concerns surrounding the functional requirements and business logic of the system, but should also include generic tests for common vulnerabilities based on the implementation language or technology stack.

Often, it is most effective to use the project team’s time to build application-specific test cases and utilize publicly available resources or purchased knowledge bases to select applicable general test cases for security. Although not required, automated security testing tools can also be utilized to cover the general security test cases.

This test case planning should occur during the requirements and/or design phases, but must occur before final testing prior to release. Candidate test cases should be reviewed for applicability, efficacy, and feasibility by relevant development, security, and quality assurance staff.

===B. Conduct penetration testing on software releases===
Using the set of security test cases identified for each project, penetration testing should be conducted to evaluate the system’s performance against each case. It is common for this to occur during the testing phase prior to release.

Penetration testing cases should include both application-specific tests to check soundness of business logic as well as common vulnerability tests to check the design and implementation. Once specified, security test cases can be executed by security-savvy quality assurance or development staff, but first-time execution of security test cases for a project team should be monitored by a security auditor to assist and coach team members.

Prior to release or deployment, stakeholders must review results of security tests and accept the risks indicated by failing security tests at release time. In the latter case, a concrete timeline should be established to address the gaps over time.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Security Requirements - 3

2009-05-05T00:54:17Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|border3=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Construction http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveC3|name=Security Requirements|obj=Mandate security requirements process for all software projects and third-party dependencies}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Formally set baseline for security expectations from external code
* Centralized information on security effort undertaken by each project team
* Ability to align resources to projects based on application risk and desired security requirements

====Add’l Success Metrics====
* >80% of projects passing security requirements audit in past 6 months
* >80% of vendor agreements analyzed for contractual security requirements in past 12 months

====Add’l Costs====
* Increased cost from outsourced development from additional security requirements
* Ongoing project overhead from release gates for security requirements

====Add’l Personnel====
* Security Auditor (2 days/yr)
* Managers (2 days/yr)
* Business Owners (1 day/yr)

====Related Levels====
* Threat Assessment - 3
* Policy & Compliance - 2

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Build security requirements into supplier agreements===
Beyond the kinds of security requirements already identified by previous analysis, additional security benefits can be derived from third-party agreements. Typically, requirements and perhaps high-level design will be developed internally while detailed design and implementation is often left up to suppliers.

Based on the specific division of labor for each externally developed component, identify specific security activities and technical assessment criteria to add to the vendor contracts. Commonly, this is a set of activities from the Design Review, Code Review, and Security Testing Practices.

Modifications of agreement language should be handled on a case-by-case basis with each supplier since adding additional requirements will generally mean an increase in cost. The cost of each potential security activity should be balanced against the benefit of the activity as per the usage of the component or system being considered.

===B. Expand audit program for security requirements===
Incorporate checks for completeness of security requirements into routine project audits. Since this can be difficult to gauge without project-specific knowledge, the audit should focus on checking project artifacts such as requirements or design documentation for evidence that the proper types of analysis were conducted.

Particularly, each functional requirement should be annotated with security requirements based on business drivers as well as expected abuse scenarios. The overall project requirements should contain a list of requirements generated from best-practices in guidelines and standards. Additionally, there should be a clear list of unfulfilled security requirements and an estimated timeline for their provision in future releases.

This audit should be performed during every development iteration, ideally toward the end of the requirements process, but it must be performed before a release can be made.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Security Requirements - 2

2009-05-05T00:54:10Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|border2=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Construction http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveC2|name=Security Requirements|obj=Increase granularity of security requirements derived from business logic and known risks}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Detailed understanding of attack scenarios against business logic
* Prioritized development effort for security features based on likely attacks
* More educated decision-making for tradeoffs between features and security efforts
* Stakeholders that can better avoid functional requirements that inherently have security flaws

====Add’l Success Metrics====
* >75% of all projects with updated abuse-case models within past 6 months

====Add’l Costs====
* Project overhead from buildout and maintenance of abuse-case models

====Add’l Personnel====
* Security Auditor (2 days/yr)
* Managers (1 day/yr)
* Architects (2 days/yr)
* Business Owners (1 day/yr)

====Related Levels====
* Threat Assessment - 1 & 3
* Strategy & Metrics - 1

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Build an access control matrix for resources and capabilities===
Based upon the business purpose of the application, identify user and operator roles. Additionally, build a list of resources and capabilities by gathering all relevant data assets and application-specific features that are guarded by any form of access control.

In a simple matrix with roles on one axis and resources on the other, consider the relationships between each role and each resource and note in each intersection the correct behavior of the system in terms of access control according to stakeholders.

For data resources, it is important to note access rights in terms of creation, read access, update, and deletion. For resources that are features, gradation of access rights will likely be application-specific, but at a minimum note if the role should be permitted access to the feature.

This permission matrix will serve as an artifact to document the correct access control rights for the business logic of the overall system. As such, it should be created by the project teams with input from business stakeholders. After initial creation, it should be updated by business stakeholders before every release, but usually toward the beginning of the design phase.

===B. Specify security requirements based on known risks===
Explicitly review existing artifacts that indicate organization or project-specific security risk in order to better understand the overall risk profile for the software. When available, draw on resources such as the high-level business risk profile, individual application threat models, findings from design review, code review, security testing, etc.

In addition to review of existing artifacts, use abuse-case models for an application to serve as fuel for identification of concrete security requirements that directly or indirectly mitigate the abuse scenarios.

This process should be conducted by business owners and security auditors as needed. Ultimately, the notion of risks leading to new security requirements should become a built-in step in the planning phase whereby newly discovered risks are specifically assessed by project teams.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Security Requirements - 1

2009-05-05T00:54:03Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|border1=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Construction http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveC1|name=Security Requirements|obj=Consider security explicitly during the software requirements process}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* High-level alignment of development effort with business risks
* Ad hoc capturing of industry best-practices for security as explicit requirements
* Awareness amongst stakeholders of measures being taken to mitigate risk from software

====Success Metrics====
* >50% of project teams with explicitly defined security requirements

====Costs====
* Project overhead from addition of security requirements to each development cycle

====Personnel====
* Security Auditor (2 days/yr)
* Business Owner (1 days/yr)
* Managers (1 day/yr)
* Architects (1 day/yr)

====Related Levels====
* Education & Guidance - 1
* Policy & Compliance - 2
* Design Review - 1
* Code Review - 1
* Security Testing - 1

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Derive security requirements from business functionality===
Conduct a review of functional requirements that specify the business logic and overall behavior for each software project. After gathering requirements for a project, conduct an assessment to derive relevant security requirements. Even if software is being built by a third-party, these requirements, once identified, should be included with functional requirements delivered to vendors.

For each functional requirement, a security auditor should lead stakeholders through the process of explicitly noting any expectations with regard to security. Typically, questions to clarify for each requirement include expectations for data security, access control, transaction integrity, criticality of business function, separation of duties, uptime, etc.

It is important to ensure that all security requirements follow the same principles for writing good requirements in general. Specifically, they should be specific, measurable, and reasonable.

Conduct this process for all new requirements on active projects. For existing features, it is recommended to conduct the same process as a gap analysis to fuel future refactoring for security.

===B. Evaluate security and compliance guidance for requirements===
Determine industry best-practices that project teams should treat as requirements. These can be chosen from publicly available guidelines, internal or external guidelines/standards/policies, or established compliance requirements.

It is important to not attempt to bring in too many best-practice requirements into each development iteration since there is a time trade-off with design and implementation. The recommended approach is to slowly add best-practices over successive development cycles to bolster the software’s overall assurance profile over time.

For existing systems, refactoring for security best practices can be a complex undertaking. Where possible, add security requirements opportunistically when adding new features. At a minimum, conducting the analysis to identify applicable best practices should be done to help fuel future planning efforts.

This review should be performed by a security auditor with input from business stakeholders. Senior developers, architects, and other technical stakeholders should also be involved to bring design and implementation-specific knowledge into the decision process.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Secure Architecture - 3

2009-05-05T00:53:55Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|border3=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Construction http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveC3|name=Secure Architecture|obj=Formally control the software design process and validate utilization of secure components}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Customized application development platforms that provide built-in security protections
* Organization-wide expectations for proactive security effort in development
* Stakeholders better able to make tradeoff decisions based on business need for secure design

====Add’l Success Metrics====
* >50% of active projects using reference platforms
* >80% of projects reporting framework, pattern, and platform usage feedback in past 6 months
* >3.0 Likert on usefulness of guidance/platforms reported by project teams

====Add’l Costs====
* Buildout or license of reference platform(s)
* Ongoing maintenance and support of reference platforms
* Ongoing project overhead from usage validation during audit

====Add’l Personnel====
* Managers (1 day/yr)
* Business Owners (1 day/yr)
* Architects (3-4 days/yr)
* Developers (2-3 days/yr)
* Security Auditors (2 days/yr)

====Related Levels====
* Policy & Compliance - 2
* Design Review - 3
* Code Review - 3
* Security Testing - 3

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Establish formal reference architectures and platforms===
After promoting integration with shared security services and working with security patterns specific to each type of architecture, a collection of code implementing these pieces of functionality should be selected from project teams and used as the basis for a shared code-base. This shared code-base can initially start as a collection of commonly recommended libraries that each project needs to use and it can grow over time into one or more software frameworks representing reference platforms upon which project teams build their software. Examples of reference platforms include frameworks for model-view-controller web applications, libraries supporting transactional back-end systems, frameworks for web services platforms, scaffolding for client-server applications, frameworks for middle-ware with pluggable business logic, etc.

Another method of building initial reference platforms is to select a particular project early in the life-cycle and have security-savvy staff work with them to build the security functionality in a generic way so that it could be extracted from the project and utilized elsewhere in the organization.

Regardless of approach to creation, reference platforms have advantages in terms of speeding audit and security-related reviews, increasing efficiency in development, and lowering maintenance overhead.

Architects, senior developers and other technical stakeholders should participate in design and creation of reference platforms. After creation, a team must maintain ongoing support and updates.

===B. Validate usage of frameworks, patterns, and platforms===
During routine audits of projects conduct additional analysis of project artifacts to measure usage of recommended frameworks, design patterns, shared security services, and reference platforms. Though conducted during routine audits, the goal of this activity is to collect feedback from project teams as much as to measure their individual proactive security effort.

Overall, it is important to verify several factors with project teams. Identify use of non-recommended frameworks to determine if there may be a gap in recommendations versus the organization’s functionality needs. Examine unused or incorrectly used design patterns and reference platform modules to determine if updates are needed. Additionally, there may be more or different functionality that project teams would like to see implemented in the reference platforms as the organization evolves.

This analysis can be conducted by any security-savvy technical staff. Metrics collected from each project should be collated for analysis by managers and stakeholders.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Secure Architecture - 2

2009-05-05T00:53:47Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|border2=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Construction http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveC2|name=Secure Architecture|obj=Direct the software design process toward known-secure services and secure-by-default designs}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Detailed mapping of assets to user roles to encourage better compartmentalization in design
* Reusable design building blocks for provision of security protections and functionality
* Increased confidence for software projects from use of established design techniques for security

====Add’l Success Metrics====
* >80% of projects with updated permission matrix in past 6 months
* >80% of project teams briefed on applicable security patterns in past 6 months

====Add’l Costs====
* Buildout or license of applicable security patterns
* Ongoing project overhead from maintenance of permission matrix

====Add’l Personnel====
* Architects (2-4 days/yr)
* Developers (1-2 days/yr)
* Managers (1-2 days/yr)
* Business Owners (1 day/yr)
* Security Auditors (1-2 days/yr)

====Related Levels====
* Education & Guidance - 1

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Identify and promote security services and infrastructure===
Organizations should identify shared infrastructure or services with security functionality. These will typically include single-sign-on services, corporate directory systems, access control or entitlements services, and authentication systems. By collecting and evaluating reusable systems, assemble a list of such resources and categorize them by the security mechanism they fulfill. It is also helpful to consider each resource in terms of why a development team would want to integrate with it, i.e. the benefits of using the shared resource.

If multiple resources exist in each category, an organization should select and standardize on one or more shared service per category. Because future software development will rely on these selected services, each should be thoroughly audited to ensure the baseline security posture is understood. For each selected service, design guidance should be created for development teams to understand how to integrate with the system. After such guidance is assembled, it should be made available to development teams through training, mentorship, guidelines, and standards.

The benefits of doing this include promotion of known-secure systems, simplified security guidance for project design teams, and clearer paths to building assurance around the applications utilizing the shared security services.

===B. Identify security design patterns from architecture===
Across software projects at an organization, each should be categorized in terms of the generic architecture type. Common categories include client-server applications, embedded systems, desktop applications, web-facing applications, web services platforms, transactional middleware systems, mainframe applications, etc. Depending on your organizations specialty, more detailed categories may need to be developed based upon language, or processor architecture, or even era of deployment.

For the generic software architecture type, a set of general design patterns representing sound methods of implementing security functionality can be derived and applied to the individual designs of an organization’s software projects. These security design patterns represent general definitions of generic design elements they can be researched or purchased, and it is often even more effective if these patterns are customized to be made more specific to your organization. Example patterns include a single-sign-on subsystem, a cross-tier delegation model, a hardened interface design, separation-of-duties authorization model, a centralized logging pattern, etc.

The process of identification of applicable and appropriate patterns should be carried out by architects, senior developers, and other technical stakeholders during the design phase.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Secure Architecture - 1

2009-05-05T00:53:35Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Secure_Architecture|abbr=SA|border1=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Construction http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveC1|name=Secure Architecture|obj=Insert consideration of proactive security guidance into the software design process}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Ad hoc prevention of unexpected dependencies and one-off implementation choices
* Stakeholders aware of increased project risk due to libraries and frameworks chosen
* Established protocol within development for proactively applying security mechanisms to a design

====Success Metrics====
* >80% of development staff briefed on software framework recommendations in past 1 year
* >50% of projects self-reporting application of security principles to design

====Costs====
* Buildout, maintenance, and awareness of software framework recommendations
* Ongoing project overhead from analysis and application of security principles

====Personnel====
* Architects (2-4 days/yr)
* Developers (2-4 days/yr)
* Security Auditors (2-4 days/yr)
* Managers (2 days/yr)

====Related Levels====
* Education & Guidance - 1

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Maintain list of recommended software frameworks===
Across software projects within the organization identify commonly used third-party software libraries and frameworks in use. Generally, this need not be an exhaustive search for dependencies, but rather focus on capturing the high-level components that are most often used.

From the list of components, group them into functional categories based on the core features provided by the third-party component. Also, note the usage prevalence of each component across project teams to weight the reliance upon the third-party code. Using this weighted list as a guide, create a list of components to be advertised across the development organization as recommended components.

Several factors should contribute to decisions for inclusion on the recommended list. Although a list can be created without conducting research specifically, it is advisable to inspect each for incident history, track record for responding to vulnerabilities, appropriateness of functionality for the organization, excessive complexity in usage of the third-party component, etc.

This list should be created by senior developers and architects, but also include input from managers and security auditors. After creation, this list of recommended components matched against functional categories should be advertised to the development organization. Ultimately, the goal is to provide well-known defaults for project teams.

===B. Explicitly apply security principles to design===
During design, technical staff on the project team should use a short list of guiding security principles as a checklist against detailed system designs. Typically, security principles include defense in depth, securing the weakest link, use of secure defaults, simplicity in design of security functionality, secure failure, balance of security and usability, running with least privilege, avoidance of security by obscurity, etc.

In particular for perimeter interfaces, the design team should consider each principle in the context of the overall system and identify features that can be added to bolster security at each such interface. Generally, these should be limited such that they only take a small amount of extra effort beyond the normal implementation cost of functional requirements and anything larger should be noted and scheduled for future releases.

While this process should be conducted by each project team after being trained with security awareness, it is helpful to incorporate more security-savvy staff to aide in making design decisions.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Roadmap - Online Service Provider

2009-05-05T00:53:28Z

Pravir Chandra:

{{OpenSAMM}}

=Online Service Provider=
<div style="width:48%; float:right;">
[[Image:SAMM-Roadmap-OSP.png|370px]]
</div>
<div style="width:48%; float:left; padding-right:10px;">
==Rationale==
An Online Services Provider involves the core business function of building web applications and other network-accessible interfaces.

Initial drivers to validate the overall soundness of design without stifling innovation lead to early concentration on Design Review and Security Testing activities.

Since critical systems will be network-facing, Environment Hardening activities are also added early and ramped over time to account for risks from the hosted environment.

Though it can vary based on the core business of the organizations, Policy & Compliance activities should be started early and then advanced according to the criticality of external compliance drivers.

As the organization matures, activities from Threat Assessment, Security Requirements, and Secure Architecture are slowly added to help bolster proactive security after some baseline expectations for security have been established.

==Additional Considerations==
===Outsourced Development===
For organizations using external development resources, restrictions on code access typically leads to prioritization of Security Requirements activities instead of Code Review activities. Additionally, advancing Threat Assessment in earlier phases would allow the organization to better clarify security needs to the outsourced developers. Since expertise on software configuration will generally be strongest within the outsourced group, contracts should be constructed to account for the activities related to Operational Enablement.

===Online Payment Processing===
Organizations required to be in compliance with the Payment Card Industry Data Security Standard (PCI-DSS) or other online payment standards should place activities from Policy & Compliance in earlier phases of the roadmap. This allows the organization to opportunistically establish activities that ensure compliance and enable the future roadmap to be tailored accordingly.

===Web Services Platforms===
For organizations building web services platforms, design errors can carry additional risks and be more costly to mitigate. Therefore, activities from Threat Assessment, Security Requirements, and Secure Architecture should be placed in earlier phases of the roadmap.

===Organizations Grown by Acquisition===
In an organization grown by acquisition, there can often be several project teams following different development models with varying degrees of security-related activities incorporated. An organization such as this may require a separate roadmap for each division or project team to account for varying starting points as well as project-specific concerns if a variety of software types are being developed.

</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Roadmap - Independent Software Vendor

2009-05-05T00:53:20Z

Pravir Chandra:

{{OpenSAMM}}

=Independent Software Vendor=
<div style="width:48%; float:right;">
[[Image:SAMM-Roadmap-ISV.png|370px]]
</div>
<div style="width:48%; float:left; padding-right:10px;">
==Rationale==
An Independent Software Vendor involves the core business function of building and selling software components and applications.

Initial drivers to limit common vulnerabilities affecting customers and users leads to early concentration on Code Review and Security Testing activities.

Shifting toward more proactive prevention of security errors in product specification, an organization adds activities for Security Requirements over time.

Also, to minimize the impact from any discovered security issues, the organization ramps up Vulnerability Management activities over time.

As the organization matures, knowledge transfer activities from Operational Enablement are added to better inform customers and users about secure operation of the software.

==Additional Considerations==
===Outsourced Development===
For organizations using external development resources, restrictions on code access typically leads to prioritization of Security Requirements activities instead of Code Review activities. Additionally, advancing Threat Assessment in earlier phases would allow the organization to better clarify security needs to the outsourced developers. Since expertise on software configuration will generally be strongest within the outsourced group, contracts should be constructed to account for the activities related to Operational Enablement.

===Internet-Connected Applications===
Organizations building applications that use online resources have additional risks from the core internet-facing infrastructure that hosts the internet-facing systems. To account for this risk, organizations should add activities from Environment Hardening to their roadmaps.

===Drivers and Embedded Development===
For organizations building low-level drivers or software for embedded systems, security vulnerabilities in software design can be more damaging and costly to repair. Therefore, roadmaps should be modified to emphasize Secure Architecture and Design Review activities in earlier phases.

===Organizations Grown by Acquisition===
In an organization grown by acquisition, there can often be several project teams following different development models with varying degrees of security-related activities incorporated. An organization such as this may require a separate roadmap for each division or project team to account for varying starting points as well as project-specific concerns if a variety of software types are being developed.

</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Roadmap - Government Organization

2009-05-05T00:53:13Z

Pravir Chandra:

{{OpenSAMM}}

=Government Organization=
<div style="width:48%; float:right;">
[[Image:SAMM-Roadmap-GO.png|370px]]
</div>
<div style="width:48%; float:left; padding-right:10px;">
==Rationale==
A Government Organization involves the core business function of being a state-affiliated organization that builds software to support public sector projects.

Initially, Governance Practices are established, generally to get an idea of the overall compliance burden for the organization in context of the concrete roadmap for improvement.

Because of risks of public exposure and the quantity of legacy code generally in place, early emphasis is given to Security Testing within the Verification Practices and later the more involved Code Review or Design Review Practices are developed.

Similar emphasis is placed on the Construction and Deployment Practices. This helps establish the organization’s management of vulnerabilities and moves toward bolstering the security posture of the operating environment. At the same time, proactive security activities under Construction are built up to help prevent new issues in software under development.

==Additional Considerations==
===Outsourced Development===
For organizations using external development resources, restrictions on code access typically leads to prioritization of Security Requirements activities instead of Code Review activities. Additionally, advancing Threat Assessment in earlier phases would allow the organization to better clarify security needs to the outsourced developers. Since expertise on software configuration will generally be strongest within the outsourced group, contracts should be constructed to account for the activities related to Operational Enablement.

===Web Services Platforms===
For organizations building web services platforms, design errors can carry additional risks and be more costly to mitigate. Therefore, activities from Threat Assessment, Security Requirements, and Secure Architecture should be placed in earlier phases of the roadmap.

===Regulatory Compliance===
For organizations under heavy regulations that affect business processes, the build-out of the Policy & Compliance Practice should be adjusted to accommodate external drivers. Likewise, organizations under a lighter compliance load should take the opportunity to push back build-out of that Practice in favor of others.

</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Roadmap - Financial Services Organization

2009-05-05T00:53:05Z

Pravir Chandra:

{{OpenSAMM}}

=Financial Services Organization=
<div style="width:48%; float:right;">
[[Image:SAMM-Roadmap-FSO.png|370px]]
</div>
<div style="width:48%; float:left; padding-right:10px;">
==Rationale==
A Financial Services Organization involves the core business function of building systems to support financial transactions and processing. In general, this implies a greater concentration of internal and back-end systems that interface with disparate external data providers.

Initially, effort is focused on improving the Practices related to Governance since these are critical services that set the baseline for the assurance program and help meet compliance requirements for the organization.

Since building secure and reliable software proactively is an overall goal, Practices within Construction are started early on and ramped up sharply as the program matures.

Verification activities are also ramped up smoothly over the course of the roadmap to handle legacy systems without creating unrealistic expectations. Additionally, this helps ensure enough cycles are spent building out more proactive Practices.

Since a financial services organization often operates the software they build, focus is given to the Practices within Deployment during the middle of the roadmap after some initial Governance is in place but before heavy focus is given to the proactive Construction Practices.

==Additional Considerations==
===Outsourced Development===
For organizations using external development resources, restrictions on code access typically leads to prioritization of Security Requirements activities instead of Code Review activities. Additionally, advancing Threat Assessment in earlier phases would allow the organization to better clarify security needs to the outsourced developers. Since expertise on software configuration will generally be strongest within the outsourced group, contracts should be constructed to account for the activities related to Operational Enablement.

===Web Services Platforms===
For organizations building web services platforms, design errors can carry additional risks and be more costly to mitigate. Therefore, activities from Threat Assessment, Security Requirements, and Secure Architecture should be placed in earlier phases of the roadmap.

===Organizations Grown by Acquisition===
In an organization grown by acquisition, there can often be several project teams following different development models with varying degrees of security-related activities incorporated. An organization such as this may require a separate roadmap for each division or project team to account for varying starting points as well as project-specific concerns if a variety of software types are being developed.

</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Policy & Compliance - 3

2009-05-05T00:52:57Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|border3=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Governance http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveG3|name=Policy & Compliance|obj=Require compliance and measure projects against organization-wide policies and standards}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Organization-level visibility of accepted risks due to non-compliance
* Concrete assurance for compliance at the project level
* Accurate tracking of past project compliance history
* Efficient audit process leveraging tools to cut manual effort

====Add’l Success Metrics====
* >80% projects in compliance with policies and standards as seen by audit
* <50% time per audit as compared to manual

====Add’l Costs====
* Buildout or license tools to automate audit against internal standards
* Ongoing maintenance of audit gates and exception process

====Add’l Personnel====
* Developers (1 days/yr)
* Architects (1 days/yr)
* Managers (1 days/yr)

====Related Levels====
* Education & Guidance - 3
* Code Review - 2
* Security Testing - 2

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Create compliance gates for projects===
Once an organization has established internal standards for security, the next level of enforcement is to set particular points in the project life-cycle where a project cannot pass until it is audited against the internal standards and found to be in compliance.

Usually, the compliance gate is placed at the point of software release such that they are not allowed to publish a release until the compliance check is passed. It is important to provide enough time for the audit to take place and remediation to occur, so generally the audit should begin earlier, for instance when a release is given to QA.

Despite being a firm compliance gate, legacy or other specialized projects may not be able to comply, so an exception approval process must also be created. No more than about 20% of all projects should have exception approval.

===B. Adopt solution for audit data collection===
Organizations conducting regular audits of project teams generate a large amount of audit data over time. Automation should be utilized to assist in automated collection, manage collation for storage and retrieval, and to limit individual access to sensitive audit data.

For many concrete requirements from the internal standards, existing tools such as code analyzers, application penetration testing tools, monitoring software, etc. can be customized and leveraged to automate compliance checks against internal standards. The purpose of automating compliance checks is to both improve efficiency of audit as well as enable more staff to self-check for compliance before a formal audit takes place. Additionally, automated checks are less error-prone and allow for lower latency on discovery of problems.

Information storage features should allow centralized access to current and historic audit data per project. Automation solutions must also provide detailed access control features to limit access to approved individuals with valid business purpose for accessing the audit data.

All instructions and procedures related to accessing compliance data as well as requesting access privileges should be advertised to project teams. Additional time may be initially required from security auditors to bootstrap project teams.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Policy & Compliance - 2

2009-05-05T00:52:48Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|border2=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Governance http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveG2|name=Policy & Compliance|obj=Establish security and compliance baseline and understand per-project risks}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Awareness for project teams regarding expectations for both security and compliance
* Business owners that better understand specific compliance risks in their product lines
* Optimized approach for efficiently meeting compliance with opportunistic security improvement

====Add’l Success Metrics====
* >75% of staff briefed on policies and standards in past 6 months
* >80% stakeholders aware of compliance status against policies and standards

====Add’l Costs====
* Internal standards buildout or license
* Per-project overhead from compliance with internal standards and audit

====Add’l Personnel====
* Architects (1 days/yr)
* Managers (1 days/yr)
* Security Auditors (2 days/project/yr)

====Related Levels====
* Education & Guidance - 1 & 3
* Strategy & Metrics - 2
* Security Requirements - 1 & 3
* Secure Architecture - 3
* Code Review - 3
* Design Review - 3
* Environment Hardening - 3

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Build policies and standards for security and compliance===
Beginning with a current compliance guidelines, review regulatory standards and note any optional or recommended security requirements. Also, the organization should conduct a small amount of research to discover any potential future changes in compliance requirements that are relevant.

Augment the list with any additional requirements based on known business drivers for security. Often it is simplest to consult existing guidance being provided to development staff and gather a set of best practices.

Group common/similar requirements and rewrite each group as more generalized/simplified statements that meet all the compliance drivers as well as provide some additional security value. Work through this process for each grouping with the goal of building a set of internal policies and standards that can be directly mapped back to compliance drivers and best practices.

It is important for the set of policies and standards to not contain requirements that are too difficult or excessively costly for project teams to comply. A useful heuristic is that approximately 80% of projects should be able to comply with minimal disruption. This requires a good communications program being set up to advertise the new policies/standards and assist teams with compliance if needed.

===B. Establish project audit practice===
Create a simple audit process for project teams to request and receive an audit against internal standards. Audits are typically performed by security auditors but can also be conducted by security-savvy staff as long as they are knowledgeable about the internal standards.

Based upon any known business risk indicators, projects can be prioritized concurrently with audit queue triage such that high-risk software is assessed sooner or more frequently. Additionally, low-risk projects can have internal audit requirements loosened to make the audit practice more cost-effective.

Overall, each active project should undergo an audit at least biannually. Generally, subsequent audits after the initial will be simpler to perform if sufficient audit information about the application is retained.

Advertise this service to business owners and other stakeholders so that they may request an audit for their projects. Detailed pass/fail results per requirement from the internal standards should be delivered to project stakeholders for evaluation. Where practical, audit results should also contain explanations of impact and remediation recommendations.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__

SAMM - Policy & Compliance - 1

2009-05-05T00:52:40Z

Pravir Chandra:

{{OpenSAMM}}
<div style="float:left; width:65%;">
{{SAMM-BadgeList|name=Policy_&_Compliance|abbr=PC|border1=2}}
</div>
<div style="float:right; width:30%;">
[http://www.owasp.org/index.php/SAMM_-_Governance http://www.opensamm.org/downloads/BackButton.png]
</div>

<div style="width:100%; float:left;">
{{SAMM-ObjectiveG1|name=Policy & Compliance|obj=Understand relevant governance and compliance drivers to the organization}}
<div style="width:30%; float:right; padding-top:50px; padding-left:10px;">
====Results====
* Increased assurance for handling third-party audit with positive outcome
* Alignment of internal resources based on priority of compliance requirements
* Timely discovery of evolving regulatory requirements that affect your organization

====Success Metrics====
* >1 compliance discovery meeting in past 6 months
* Compliance checklist completed and updated within past 6 months
* >1 compliance review meeting with stakeholders in past 6 months

====Costs====
* Initial creation and ongoing maintenance of compliance checklist

====Personnel====
* Architects (1 day/yr)
* Managers (2 days/yr)
* Business Owners (1-2 days/yr)

====Related Levels====
* Strategy & Metrics - 1

</div>
<div style="float:left; width:65%;">
==Activities==
===A. Identify and monitor external compliance drivers===
While an organization might have a wide variety of compliance requirements, this activity is specifically oriented around those that either directly or indirectly affect the way in which the organization builds or uses software and/or data. Leverage internal staff focused on compliance if available.

Based on the organization’s core business, conduct research and identify third-party regulatory standards with which compliance is required or considered an industry norm. Possibilities include the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standards (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), etc. After reading and understanding each third-party standard, collect specific requirements related to software and data and build a consolidated list that maps each driver (third-party standard) to each of its specific requirements for security. At this stage, try to limit the amount of requirements by dropping anything considered optional or only recommended.

At a minimum, conduct research at least biannually to ensure the organization is keeping updated on changes to third-party standards. Depending upon the industry and the importance of compliance, this activity can vary in effort and personnel involvement, but should always be done explicitly.

===B. Build and maintain compliance guidelines===
Based upon the consolidated list of software and data-related requirements from compliance drivers, elaborate the list by creating a corresponding response statement to each requirement. Sometimes called control statements, each response should capture the concept of what the organization does to ensure the requirement is met (or to note why it does not apply).

Since typical audit practice often involves checking a control statement for sufficiency and then measuring the organization against the control statement itself, it is critical that they accurately represent actual organizational practices. Also, many requirements can be met by instituting simple, lightweight process elements to cover base-line compliance prior to evolving the organization for better assurance down the road.

Working from the consolidated list, identify major gaps to feed the future planning efforts with regard to building the assurance program. Communicate information about compliance gaps with stakeholders to ensure awareness of the risk from non-compliance.

At a minimum, update and review control statements with stakeholders at least biannually. Depending on the number of compliance drivers, it may make sense to perform updates more often.

</div>
</div>

<div style="float:left; width:100%;"><br/><br/><br/>
----
----
===Additional Resources===

</div>

__NOTOC__ __NOEDITSECTION__