Difference between revisions of "Summit 2011 Outcomes"
Revision as of 15:07, 23 June 2011
Global Summit 2011 Outcomes - please note that this is a work in progress. If you have any comments, corrections, or questions please contact Sarah Baso
Table of Contents
Press Release
Appendix: Working Session Details and Documentation
Browser Security
Here are the notes from all the four browser security sessions. John Wilander is working on a Browser Security Report building on these sessions.
Site Security Policy notes (pdf)
DOM Sandboxing notes (pdf)
HTML5 Security notes (pdf)
EcmaScript 5 Security notes (pdf)
Enduser Warnings notes (pdf)
XSS Eradication
XSS and the Frameworks (Justin Clarke)
XSS - Awareness, Resources, and Partnerships (Justin Clarke)
WAF Mitigation for XSS (Ryan Barnett)
Metrics
Risk Metrics (Chris Wysopal) & Metrics and Labeling (Chris Eng) - Working Session Transcripts
Counting and Scoring Application Security Defects (Chris Eng & Chris Wysopal)
Formal Risk Assessment Methods (Benjamin Tomhave)
Common Structure and Guide for All Guides (Keith Turpin, Matteo Meucci, Vishal Garg)
Mitigation
Virtual Patching Best Practices (Ryan Barnett)
Scaling Web Application Security Testing (Arian Evans & Dinis Cruz)
Microsoft’s SDL in 16 Steps (and lessons learned) (Jeremy Dallman)
University, Education, and Training
OWASP Education Project (Martin Knobloch)
OWASP Training (Sandra Paiva) - Working Session Notes
University Outreach - OWASP Academies (Sandra Paiva) - Working Session Notes, OWASP Academy Portal Project
OWASP Top 10 Online Training in Hacking-Lab (Ivan Buetler)
University Outreach - OWASP College Chapter Program (Martin Knobloch) (renamed "OWASP Student Chapters Program")
OWASP Exams (Jason Taylor)
OWASP Certification (Jason Taylor & Jason Li) - Certification Code of Conduct Draft
Secure Coding Workshop
OWASP Secure Coding Practices (Keith Turpin)
Protecting Information Stored Client-Side (John Steven)
Providing Access to Persisted Data (Dan Cornell)
Contextual Output Encoding (Chris Schmidt)
ESAPI-CORE (Jim Manico)
Applying ESAPI input Validation (Chris Schmidt)
Defining AppSensor Detection Points (Michael Coates)
Secure Development Guidelines for Smartphone Developers (Giles Hogben)
Individual OWASP Projects
Enterprise Web Defense Roundtable (Michael Coates & Chris Lyon)
Threat Modeling (Anurag Agarwal)
OWASP Common Vulnerability List (Meucci/Keary/Agarwal) - CVL ppt presentation created by Matteo Meucci
Common Structure and Numbering for All Guides (Keith Turpin/Matteo Meucci/Vishal Garg)
OWASP Testing Guide (Matteo Meucci) - Working Session Notes, Planning the OWASP Testing Guide 4.0 ppt presentation
OWASP Mobile Security Project (Mike Zusman) - Working Session Notes
Development Guide (Vishal Garg)
Application Security Verification Standard (ASVS) Project (Dave Wichers)
OWASP Portuguese Language Project (Lucas Ferriera)
OWASP Hackademic Challenges Project (Kostas & Vasileros Vlachos)
OWASP Java Project (Lucas Ferriera)
OpenSAMM (Pravir Chandra)
The Future of OpenSAMM (Pravir Chandra)
Vulnerability Disclosure Policies (Chris Schmidt)
O2 Platform (Dinis Cruz)
OWASP Governance and Committees
Global Education Committee (Martin Knobloch)
Global Industry Committee - Industry Outreach (Eoin Keary & Colin Watson)
Global Projects Committee (Jason Li & Brad Causey)
Global Membership Committee (Dan Cornell)
Global Chapters Committee (Seba Deleersnyder)
Global Conferences Committee (Mark Bristow)
Government Outreach (Doug Wilson)
OWASP Funding and CEO Discussion (Keith Turpin) Working Session Notes
OWASP Board/Committee Governance (Mark Bristow)
OWASP Points - Tracking OWASP Participation (Mark Bristow)
OWASP Licensing (Abraham Kang) - Working Session Notes, OWASP Licensing PowerPoint, Licensing - Questions for follow up
OWASP Codes of Conduct (Dinis Cruz & Jeff Williams) - Draft Document
Building the OWASP Brazilian Leaders Group (Lucas Ferriera)
OWASP Asia/Pacific Working Group (Helen Gao)
Industry - Healthcare (Joe Bernik & Lorna Alamri)
Industry - Banking/Finance (Joe Bernik & Lorna Alamri)
Miscellaneous
Privacy - Personal Data/PII, Legislation and OWASP (Colin Watson)
Overhauling the OWASP Website (Jason Li)
Should OWASP work directly with PCI-DSS? (Matthew Chalmers)
How can OWASP reach/talk/engage with auditors (Matthew Chalmers)
Developer Outreach (Mark Bristow & Jason Li)
Summit "Behind the Scenes"
Summit Budget
- Breakdown of 2011 Summit Budget, Operational and Travel
Summit 2011 Financials Summary of Expenses and Income and Summit Travel and Accommodations Costs
- Comparison to 2008 Summit Budget
- Projection of costs needed for future Summit
Roles and Responsibilities
Fixes and Dynamic Working Sessions
Lessons Learned
Appendix
Support Staff Bios