OWASP 2013 Project Summit Summary of 2013 Working Session Outcomes

Summary of 2013 Working Session Outcomes

OWASP Projects Review Session

The Projects Review Session was one of the most challenging and dynamic sessions of the entire summit. Johanna Curiel and Chuck Cooper organized and lead the session. Diniz Cruz, Dennis Groves, and Samantha Groves were key participants, as well. The original aim of the session was to review all of the current OWASP Flagship Projects based on the criteria the Technical Project Advisors put together over a period of a few months prior to the summit. As the Leaders began working on the reviews, they noticed that some of the assessment questions were redundant and did not make sense to ask for certain projects. Additionally, they realized that there was a gap in the reviews as the usability and project value were not being assessed by the criteria they currently had developed. As a result, the entire session’s focus was shifted from conducting reviews, to creating a well rounded review process and criteria that would encompass not only project health and product quality, but that would measure the usability and value of project product consumers. In the end, four sets of criteria were put together, and assessment forms were created based on the criteria. This allowed the reviews to be more streamlined, and easy to use. The project health and product quality assessments were based off of the criteria developed by the Technical Project Advisors, and the usability and value assessments were developed by the session participants during the summit. The criteria are based on the OWASP OpenSAMM Framework. There were many heated discussions during this session, but in the end, the Leaders developed the foundation for a more solid OWASP Project Assessment process that can be expanded upon in 2014.

OWASP Media Project

The OWASP Media Project was one of the last projects to be recruited for the summit, but it proved to be one of the most valuable. Project Leader, Jonathan, Marcil, set all of the equipment up in order to showcase his ideas to potential viewers during the summit. The aim of the session was to introduce participants to the project objective which is to facilitate the recording of OWASP Project presentations, and to facilitate the organization of video and audio based material into one consolidated, easy to find location. Jonathan only had one participant that he showcased his project too, but the more valuable outcome was the community and support he gathered from the attendees. He was able to capture forty three (43) videos online for a total of 34.5 hours of content. Due to his hard work, he was able to increase our OWASP YouTube Channel views from 245 to 11,289 views in one month alone. He was also able to capture that we were watched by 114 different countries across the globe. Overall, the success of the session was due to Jonathan’s keen organizational skills, the quick posting of our video and audio recordings, and his ability to adapt to the ever changing environment of an OWASP AppSec.

Mobile Security Session

The OWASP Mobile Security Session was one of our most popular working sessions at the conference. The group was small, but the attendees were very engaged. The majority were there to discuss the project’s progress with the attending Project Leaders. Jack Mannino and Jason Haddix were both leading the session. The working session group had a great discussion about identifying classes of mobile vulnerabilities specifically in the Mobile Top Ten. The working session group went over quite a few ideas, but they decided on minimal changes to the categories as some places have already established a standard. Additionally, the group were able to identify some new issues and potential new projects to add to the overall Mobile Security Project. Overall, Jason and Jack were able to accomplish what they set out to do with the working session. They were able to discuss category changes, and they were able to talk to actual users of the project and discuss some of their “pains”. The primary concern was project completion according to the Leader report. The next steps are to finish updating the project wiki content, create a PDF guide for the project, and update some of the categories. The Mobile Security Project team hoped to unveil the finished wiki at the AppSec Cali Conference in January 2014.

OWASP PCI Toolkit Session

Johanna Curiel lead the OWASP PCI Toolkit Session, and it was one of our most popular working session at the summit. There were about 20 attendees that all contributed to the working session in great detail. They ranged from recent graduates to experienced PCI-QSA auditors. The aim of the session was to gather feedback from the sector to gauge the need for the project, and to better formulate requirements and a roadmap to move forward in 2014. The working session focused on explaining the project purpose and gathering feedback before beginning the programming work on the toolkit. The session attendees all agreed that this tool will be very beneficial to organizations wishing to understand the PCI-DSS requirements; as a result, Johanna has decided to move the project forward. She has now completed her PCI training, and she was able to become a PCI professional late last year. She hopes to deploy the tool by mid February with the first beta version with 2 modules.

OpenSAMM Session

The OpenSAMM Session was another one of our popular working sessions during the summit. There were eleven attendees, and Seba Deleersnyder and Pravir Chandra lead the team. The session took on the form of a workshop where the focus was to establish the current state of the project and future action items in an effort to move the project forward. The team took an inventory of the current tools and templates, and this was followed by a discussion on shared experiences or case studies. Next, they talked about what currently needs improvement and they prioritized their set of goals for the coming year. This was followed by the collaborative development of a rough plan for future activities aimed at moving the project forward. Overall, it was a very successful working session as the team was able to discuss what items need improvement, and they were able to put together a plan of action for 2014.

OWASP O2 Documentation Session

The OWASP O2 Guide was one of the books created for the 2013 Project Summit. It was a very alpha stage version of the guide that nailed down the foundation for the more robust project book. Michael Hidalgo and Dinis Cruz lead the working session, and they had several attendees contribute to the discussion about the content’s direction. Everyone agreed that the O2 Platform is a very powerful tool, but the primary concern is that the user learning curve is quite high. “How To” documentation can be incredibly useful to potential consumers of the tool, and the team worked on developing a few key chapters. The solid outline still needs to be defined, but the primary outcome is the development of the roadmap goal to work on and complete the guide in 2014.

Writing and Documentation Review Session

The Writing and Documentation Review Session was lead my Michael Hidalgo. One of the challenging aspects of this session is that it only lasted four hours, and Michael reported that the time limit was simply not enough. Contributors really needed to come prepared to discuss each book having already read the materials beforehand. The contributors were only able to skim the sections of the majority of the books, and they gave feedback based on their assessment of the material. The only book that was able to get solid feedback from the contributors was the Code Review Guide as Larry Conklin was in attendance. Larry was able to sit down with Michael and the other contributors, and they were able to discuss the content in more detail. Larry was also able to provide a good roadmap for the content that still needed to be completed for the guide. Overall, this session had many learned lessons to be recorded. If we are to have another writing and documentation review working session at future summits, it is imperative that all contributors come prepared to discuss the content having already read the materials. Additionally, it is incredibly helpful to have the Project Leader on hand to discuss the documentation with the reviewing contributors as it helps to have in-person discussions about the content.

OWASP PHP Security and RBAC Project Sessions

Abbas Naderi and Rahul Chaudhary headed up both of these sessions. They are working together on these projects; however, Abbas focused more on presenting the PHP Security Project and Rahul focused on presenting the RBAC Project. The primary aim for both Leaders was to promote both projects, and to potentially get attendees to contribute to both projects. They each prepared a presentation to give to attendees, but unfortunately very few attendees came to their sessions. The projects are fairly new to the inventory so they were not surprised at the turnout, but both Leaders were able to use this to their advantage. They collaborated with Jonathan Marcil from the OWASP Media Project, and they both did a full recording of their presentation for the OWASP YouTube Channel. They were the first summit participants to record their presentations, and they were both happy to have the promotional opportunity. The primary outcome for these two sessions was an increase in outreach. Both Abbas and Rahul were able to promote their project, establish what they need from the community, and what they would like to accomplish going forward.

ESAPI Hackathon Session

Kevin Wall and Chris Schmidt lead the ESAPI Hackathon during the summit. The working session lasted all four days of the AppSec USA conference, and there were quite a few interested participants that sat down with both Leaders to discuss the Hackathon. It was the first time Chris and Kevin were able to meet in person, and this sparked a great debate on what aspects of ESAPI should be focused on for 2014. Overall, ESAPI received two bug fixes from the ESAPI Google Issues, and one contributor wrote implementations for the proposed interfaces. One of the biggest challenges the Hackathon faced was that the venue’s Wifi access kept dropping for hours on end. This created a huge barrier to contribution as all contributions required online access to the repositories. However, despite this set back, Chris and Kevin were able to make valuable connections and contacts with attendees. They were able to meet with DHS representatives who expressed interest in funding their initiatives, and they met with several organizations that were interested in volunteering some human resources to work on the project. Both Leaders were able to adapt to the unfortunate Wifi set backs, and create value from the connections made at the summit. Moreover, the Hackathon was extended to mid-January. The aim was to run the Hackathon remotely and award prizes to the individuals with the best contributions to the project.

OWASP ZAP Hackathon Session

The ZAP Hackathon had a very good attendee turnout. The session was lead by Project Leader, Simon Bennetts, and it was adapted based on attendee need. Simon had originally wanted to have contributions added to ZAP; however, the attendee discussion dynamically changed the nature of the session. In the end, Simon took over the back room of the summit hall, and gave more of a training session on ZAP. Overall, Simon was very happy with the result as the attendees were happy to be involved in the session. Additionally, Simon collaborated with Jonathan Marcil and the OWASP Media Project. He was able to record his OWASP ZAP presentation which has received a total of 4,490 views to date. Simon has no plans for a future Hackathon, but stresses that there are always things to do when it comes to the OWASP ZAP Project.

AppSensor 2.0 Hackathon Session

The AppSensor 2.0 Hackathon working session was lead by John Melton and Dennis Groves. The aim of the session was to review the current AppSensor Guide documentation for version 2 of the book and give initial feedback on the content to the team. The AppSensor team was able to meet in person for the very first time to discuss the goals and timeline for the second version of the book. They specifically focused on presenting the initial design and code, and they were able to get feedback from the rest of the team and other session attendees. The AppSensor team members were also able to meet with various other conference attendees and present AppSensor to them. They were also able to showcase other OWASP Projects that would meet their needs, during the summit. Overall, the team’s goals were met for the working session. They were able to meet in person, gain some potential new contributors, and discuss the current progress of the AppSensor book project. Additionally, John plans to complete V2 of the code and release it by Q1 of 2014. Current progress can be seen here: https:// github.com/jtmelton/appsensor.

Training and Academies Development Session

The OWASP Training and Academies sessions were one of the most successful working groups at the summit. A good number of Leaders and participants attended the sessions, and the meeting ended up lasting the full day. Attendees decided that since both sessions were very related, it would be best to merge them into one longer working session. Martin Knobloch and Dr. Kostas Papapanagiotou lead both sessions together. The primary outcome was the establishment of a new project type for all of the educational projects within the OWASP Project infrastructure. The attendees identified two primary issues the projects are currently facing: too many projects, and unreachable targets for each project. To solve these issues, the group decided to merge all education projects into one, much larger project, with all other projects treated as sub-projects of the much larger entity. The umbrella project will be called the OWASP Education Project, and participants hope it will eliminate one of the biggest issues with project development. Additionally, the team developed a roadmap on how to proceed with the educational projects in 2014. For a detailed roadmap, please see pg.41 of this report.