
OWASP 2013 Project Summit Working Session Outcomes Leader Reports

Revision as of 00:05, 22 February 2014 by Kait Disney-Leugers (talk | contribs)


Working Session Outcomes: Leader Reports

The working session outcomes below are the direct reports sent to the OWASP Projects Manager by the participating Project Leaders. They outline, in greater detail, what their session deliverables were, and list their roadmaps for future work to be completed. Please note that some sentence structure and spelling was corrected before each report was added to this document.

OWASP Projects Review Session

SESSION DESCRIPTION: During the OWASP Projects Review working session, attendees will be able to participate in the review of the entire inventory of OWASP Projects using the new assessment criteria developed by our team of Technical Project Advisors. The aim of this session is to establish a more accurate representation of OWASP project health and product quality. The session outline is as follows:

  • Overview of new assessment criteria to conduct reviews.
  • Team up in small groups (2 to 3 max) based on experience and background to assess a set of Projects (Code, Tool or Documentation)
  • Fill in the Questionnaire (Google Forms) to complete assessment of Projects and provide the review with a final score and results (Project defined as Incubator, Lab or Flagship)
  • Review results of questionnaire with your team.
  • Present results and conclusions of assessment session.

OUTCOMES

  1. We are able to present quality and health assessments that the team had worked on over the prior few months, get some good feedback from OWASP leaders, and have a number of OWASP members use the assessment to rate some of the existing projects so we could see what worked well and what didn't work.
  2. Yes, we were able to take everyone's input to further improve both assessments. We removed a couple of questions that were well-intentioned, but problematic for reviewers. Since it wasn't clear if a project passed a health assessment and should be promoted or not, we made sure all of the overall project health questions were knock-out questions, meaning that if they did not satisfy the criteria they weren't ready to be promoted, since these are all key principles fundamental to the goals of all OWASP projects. To accomplish this, more subjective questions were moved to the quality assessment, which uses a numeric scale to rank the project rather than 'Yes' or 'No' questions. We also created a standard scoring scale for all project types, which works with a single rating range if users assign full credit when a question is not applicable. There were also some cosmetic changes made to the instructions to make it easier to focus on the question, and yet still easily get guidance on how to answer each question. The bottom line is that I believe that the time spent talking with OWASP Leaders and Members directly resulted in the biggest improvement to the project assessments, which exceeded my expectations of what we wanted to accomplish at the summit.
  3. The follow-up items were to create an online form that reviewers could use to rate projects, ask project leaders to rate their own project (partly as a process to weed out inactive projects, so we don't spend time reviewing dormant projects), get 10 quality reviews for each project from OWASP members who use the projects (especially the tool and library code projects, since good health assessments are predicated on having reviews from those most familiar with those projects, who have an environment to use them in and projects to apply them to), and perform health assessments on all of the projects (focusing first on projects that have requested a review or to be promoted and on flagship projects, then lab projects, and finally incubator projects).

OWASP Media Project Session

SESSION DESCRIPTION: The OWASP Media Project is an infrastructure project that gathers, consolidates, and promotes OWASP content in video format on a central, appealing hub. The first and main instance of the project will be a YouTube channel.

The session will be used to bring project leaders up to speed on how video sharing and live streaming can help promote their projects and reach people. We will do that by presenting Google Hangouts and the official OWASP YouTube channel.

Then, we will gather potential sources and existing videos in order to populate the OWASP channel. This summit experience will not just be about promoting the Media Project itself, but also about the exposure of any other projects with video content.

OUTCOMES

  1. What were the outcomes of the Sessions? I can't speak for the other project leaders really, but on my part I did meet a lot of them and briefly exchanged contacts. I'd say the session brought us together, not only to see the people within one project, but to also see other project leaders and volunteers and this should be encouraged regularly.
  2. Did you accomplish what you set out to accomplish before the summit? In our case we just presented the project to one interested person, so it was not that good on this part. I think it's hard for a project that isn't flagship level to motivate people to go one day only for that. However, we wanted to accomplish something else with the Media Project: record other people from other projects, and in that regard we succeeded.
  3. What is there left to do? Do more to promote the project leaders' presentations online and do working sessions.
  4. Roadmap for accomplishing what is left to do. That would be added to the roadmap of Media Project; however, we have many more priorities and this would be down on the list. That could change if we get more volunteers.

OWASP Mobile Security Session

SUMMIT DESCRIPTION: Just as the mobile security landscape has changed, so has the OWASP Mobile Project. Join us as we discuss the major milestones of 2013 and what is in store for the project's future. We will also go deeper into the Mobile Top Ten project, where we will discuss the decisions made on categories and vulnerability information, and look at some surprising vulnerability trends in mobile applications.

During this session we will cover:

  • OWASP Top 10 Mobile Risks, 2014 Refresh
  • Mobile project 2013 achievements and the 2014 roadmap.
  • Increasing industry collaboration within the mobile security space.

OUTCOMES

  1. What are the outcomes of this session?
    1. Our small group spent time trying to identify classes of mobile vulnerabilities, the mobile top ten specifically. We went over a lot of ideas but ended up deciding on minimal changes to the current categories. This was for a few reasons. Some places have already instated a standard for one. We did identify some new issues arising and new potential projects to add to the overall mobile security project, such as criteria for MDM type solutions, since they are not covered in the mobile project but companies want some security guidance when they test or evaluate them.
  2. Did you accomplish what you set out to accomplish before the summit?
    1. We did. We decided on a few category changes. We talked to users of the mobile top ten and addressed some pain points (mostly project incompletion).
  3. What is there left to do?
    1. We are finishing the wiki content this month and "unveiling" it at AppSec California. We are also aiming to re-categorize for 2014, but we are unsure if we can make the next week deadline.
  4. Roadmap for accomplishing what is left to do.
    1. Wiki content is our top priority at the moment.
    2. Followed by restructuring the categories and evaluating data from 2013.
    3. A PDF guide would be awesome after that.

OWASP PCI Toolkit Session

SUMMIT DESCRIPTION: Join us and learn how to help organizations achieve PCI-DSS compliance with OWASP tools and documentation by creating an interactive scope toolkit app.

OUTCOMES

  1. What were the outcomes of the Session?
    1. At AppSec we had one session with a group of approx. 20 persons, ranging from recent graduates in security engineering to experienced PCI-QSA auditors. The session focused on explaining the purpose of the project and getting their feedback before embarking on fully programming the toolkit. All agreed that such a tool will be very beneficial to companies looking to understand the PCI-DSS requirements and how OWASP guides fit into all of that.
  2. Did you accomplish what you set out to accomplish before the summit?
    1. Yes. The idea was to get feedback from the sector to understand and adapt the toolkit requirements to their needs and what kind of information they are looking for to comprehend. Before the summit I had a defined idea, but after speaking to the assistants, it was clearer and better to focus on certain areas, which helped to define a better plan that fits their needs.
  3. What is there left to do?
    1. Right now, I'm programming the different sectors. At the end of December I had a PCI training and I was able to become a PCI professional, which took time from my development, but I think this all adds to better understanding and the credibility of the project. I'm happy now that people can verify my credentials as a PCI professional through the PCI council website. This achievement was also part of my project.
  4. Roadmap for accomplishing what is left to do.
    1. Right now, I'm focusing on deploying the first beta version with 2 modules (APPS and NETWORKO) by mid February. I need to adapt the Wiki, and the idea is to have the other modules completed by May. A simple draft is already available as a google app on [1]. This app will be updated and later made available through GitHub. I have 2 potential contributors but again, after I'm back from the Netherlands I'll check with them to get some work done on this part.

OpenSAMM Session

SESSION DESCRIPTION: OWASP Software Assurance Maturity Model (SAMM) is an open framework to help organizations start and implement a secure software development lifecycle that is tailored to the specific risks facing the organization. During the AppSec USA conference, the SAMM project team organizes this workshop for you to influence the direction in which SAMM evolves. The workshop is also an excellent opportunity to exchange experiences with your peers.

We will cover the following agenda:

  • Introduction/getting to know each other
  • Project status and goals
  • OpenSAMM inventory of tools and templates
  • Case studies/ sharing experiences
  • What do we need (thinking about improvements, can be anything ranging from translations over tools to model improvements)
  • What do we need next (prioritization)
  • Call for involvement (responsibilities), identify teams for specific topics
  • Rough planning for the future
  • Extra topic: source/build control

OUTCOMES

Thursday November 21, 2013 1:00pm - 5:00pm

Location: Sky Lounge (16th Floor)(NY Mariott Marquis)

During the AppSec conferences, the SAMM project team organizes workshops for you to influence the direction in which SAMM evolves. This is an excellent opportunity to exchange experiences with your peers. Understanding of SAMM is a prerequisite for participation in this OWASP summit session.

Present:

  1. Stephanie Tan
  2. David Felio
  3. Aaron Estes
  4. Adam Langford
  5. Martin Knobloch
  6. Seba Deleersnyder
  7. Yan Kravchenko
  8. Qinglin Jiang
  9. Colin Watson
  10. Matteo Meucci
  11. Jonathan Carter

Agenda:

  1. Introduction / getting to know each other - 10 mins.
  2. Project status and goals
  3. OpenSAMM inventory of tools and templates
  4. Case studies / sharing experiences
  5. What do we need (thinking about improvements, can be anything ranging from translations over tools to model improvements)
  6. What do we need next (prioritization)
  7. Call for involvement (responsibilities), identify owners / teams for specific topics
  8. Rough planning for the future
  9. Source/build control

Meeting Notes: Latest OpenSAMM presentation done as project talk: https://www.owasp.org/images/4/47/OpenSAMM_-_OWASP_USA_2014_-_Seba-Pravir.pptx

Resources from the wiki/opensamm.org website / mailing list will all be consolidated online in https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model#tab=Tools__26_Templates

The Quick Start draft is created and can be commented on online: https://docs.google.com/document/d/1WNCcoYg1-PYli5DNQZKLxwzibmwpNawacloH-8ZAlUc/edit?usp=sharing

Metrics: Some overall SAMM score calculation options were discussed, with weighing of the 4 business functions (possibly slider based). With the latest SAMM-BSIMMv5 mapping it should be possible to produce statistics on implemented SAMM activities in different verticals.

The latest mapping by Lius Service is uploaded to the mailing list at http://lists.owasp.org/pipermail/samm/2013-November/000528.html

Operational Enablement: Request to update the name for security practice "operational enablement" as this title is too "fuzzy" and interpreted in different ways.

Suggestions during the meeting were: "DevOps", Operations, Production Support.

Action decided: start a thread on the mailing list to gather input on a new name, with a timeline towards selection of a new name (or keeping the existing one) (Seba)

Improvement for the next SAMM version: add more guidance on how to manage/prioritize fixing found vulnerabilities during verification/production phases.

Yan - Experiences and examples were shared on how to implement SAMM on a portfolio of applications, measuring "static/dynamic" risk for applications.

Yan will share a template on this.

Matteo showed how they guide prioritization of SAMM security activities based on estimated effort and expected impact. This nicely complements the prior portfolio view.

Matteo will share the template.

Action: combine the demonstrated templates to one SAMM application portfolio dashboard to guide people on implementation priorities and reporting.

Aaron showed a secure development implementation guideline as used by Lockheed Martin, based on SAMM with extra metrics, resources, tips and tricks. The final document (with a how-to) will be donated to the SAMM project.

Action: Aaron to share final document

David has mapped SAMM on PCI (v2) and Microsoft SDL and will share these mappings with the SAMM project. Kuai to coordinate the PCI mapping (also started with this).

Jonathan proposed to put focus on how to handle code modification / reverse engineering in hosting environments and mobile apps. During the meeting it was suggested to first create a paper to discuss whether this specific topic should be integrated in the SAMM model.

SAMM Version 1.1 priorities are confirmed to be:

  1. Add quick start guide
  2. Add tools and OWASP resources
  3. Add use cases, experience.
  4. Revamp SAMM wiki

All SAMM model related changes are to be implemented in SAMM v2.

A full day SAMM summit will be organized in Cambridge (AppSec Europe 2014).

Action Points:

  1. Use the BSIMM Mapping to create an overview of SAMM activities that are done by organizations? (Seba?)
  2. Start a thread on the mailing list to gather input on a new name to replace "Operational Enablement", with a timeline towards selection of a new name (or keeping the existing one). (Seba)
  3. Share SAMM portfolio view of applications, measuring "static/dynamic" risk for applications. (Yan)
  4. Share how to prioritize SAMM security activities based on estimated effort and expected impact. (Matteo)
  5. Create a unified SAMM application portfolio dashboard (owner : TBD)
  6. Share the secure development implementation guideline as used by Lockheed Martin, based on SAMM with extra metrics, resources, tips and tricks (Aaron)
  7. Create / share a PCI v3 mapping on SAMM activities (Kuai / David)
  8. Create / share separate paper on how to handle code modification / reverse engineering in hosting environments and mobile apps and propose how this could be integrated in SAMM. (Jonathan)