
Category:Summit 2011 Tracks

Revision as of 16:20, 21 January 2011 by Sandra Paiva (talk | contribs)


Introduction

Click on the working session name to see the home page for that particular session. During the Summit those working session home pages will be used to document discussions and outcomes.

If you're interested in adding a Working Session for the 2011 Summit, there still is time to start a session! Please review the Working Session methodology for Working Session rules.


Category: Summit 2011 Metrics Track

Each entry below gives the working session name, its objective(s), its outcome(s)/deliverable(s), and the owner/leader followed by members/attendees.

Risk Metrics
Objectives:
  1. Quantify business criticality of a deployed application
  2. Translate technical risks into business risks (speak the language of management)
  3. Translate technical risk into approximate financial risk
Outcomes / Deliverables:
  1. Paper describing definitions and formula for determining business criticality
  2. Paper translating technical language and risks into business language and monetary risk
Owner/Leader and Members/Attendees: Chris Wysopal, Tony UcedaVelez, Eoin Keary, Sherif Koussa, Konstantinos Papapanagiotou, Vishal Garg, Mateo Martinez, Mikko Saario, Ofer Maor, Nuno Loureiro, Wojciech Dworakowski, Tobias Gondrom, Juan Jose Rider, Alexandre Miguel Aniceto

Tools Interoperability (Data Instrumentation)
Objectives:
  1. Defining the data that tools consume and instrument
Outcomes / Deliverables:
  1. A standard schema for describing application security risks of all types, with a place for all relevant information, whether derived statically, dynamically, manually, or architecturally.
Owner/Leader and Members/Attendees: Dinis Cruz, Stefano Di Paola, Dan Cornell, Jeremy Long, Paolo Perego, Sherif Koussa

Metrics and Labeling
Objectives:
  1. Discuss positive security properties that should be tracked
  2. Discuss options for consumer-friendly labeling
  3. Discuss ways to encourage participation in risk labeling
Outcomes / Deliverables:
  1. White paper sketching out a standard for a software security label and a plan to finalize the standard.
Owner/Leader and Members/Attendees: Chris Eng, Vishal Garg, Doug Wilson, Alexandre Miguel Aniceto

Counting and scoring application security defects
Objectives:
  1. Discuss existing methods for counting and scoring defects, by vendors and practitioners willing to share their methodologies.
  2. Discuss advantages and disadvantages of a standardized approach.
  3. Discuss the CWSS 0.1 draft and how it might be incorporated into a standard.
Outcomes / Deliverables:
  1. White paper sketching out a standard for rating risks that accommodates individual minor defects all the way through architectural flaws (that may represent many individual defects)
Owner/Leader and Members/Attendees: Chris Eng, Chris Wysopal, Jason Taylor, Justin Clarke, Sherif Koussa, Vishal Garg, Matteo Meucci, Elke Roth-Mandutz, Mateo Martinez, Doug Wilson, Ofer Maor, Wojciech Dworakowski, Alexandre Miguel Aniceto

Measuring SDLC process performance
Objectives:
  1. Determine which SDLC activities correlate with more secure software
  2. Determine how to measure the performance of these activities
Outcomes / Deliverables:
  1. Paper describing the SDLC activities that matter and measurement techniques for their performance
Owner/Leader and Members/Attendees: Chris Wysopal, Chris Eng, Eoin Keary, Nishi Kumar, L. Gustavo C. Barbato, Jason Taylor, Matthew Chalmers, Justin Clarke, Seba Deleersnyder, Sherif Koussa, Vishal Garg, Giorgio Fedon, Ofer Maor, Nuno Loureiro, Tobias Gondrom

Common structure and numbering for all guides
Objectives:
  1. Discuss and review current document project structures and key elements.
  2. Review proposal to align to ASVS and discuss whether the current version of ASVS provides an adequate baseline.
  3. Review other options for structure and numbering.
  4. Develop a draft structure and numbering plan.
  5. Discuss any dependencies which may exist, such as common nomenclature and definitions.
Outcomes / Deliverables:
  1. A written recommendation for a unified category and numbering system for applicable document projects.
  2. Agreement from applicable document project leaders to adopt the finalized version of the system.
  3. An implementation plan discussing when projects will implement the new system.
Owner/Leader and Members/Attendees: Keith Turpin, Matteo Meucci, Vishal Garg, Lucas C. Ferreira, Vlatko Kosturjak

Creating a unified "finding"
Owner/Leader and Members/Attendees: Dinis Cruz, Abraham Kang

Global Conferences Committee Monthly Meeting
Objectives:
  1. Develop v1 of OWASP Global Sponsorship Model
  2. Develop 2012 Call for AppSec Conferences (and new management system)
  3. Develop messaging plan for new initiatives
Owner/Leader and Members/Attendees: Mark Bristow, Mark Bristow, Lucas C. Ferreira, Neil Matatall, Ralph Durkee

Category: Summit 2011 Browser Security Track

DOM Sandboxing
Objectives:
  1. Expose attenuated versions of existing APIs to sandboxed code.
  2. Client-side sandboxed apps maintaining state and authentication.
  3. Create a standard for modifying a sandboxed environment
  4. Deprecate and discourage standards which ambiently or undeniably pass credentials.
  5. Create a standard for authentication within a sandboxed environment (maybe interfacing with existing auth without passing credentials, as OAuth does)
Outcomes / Deliverables:
  1. Browser Security Report
  2. Browser Security Priority List
Owner/Leader and Members/Attendees: Jasvir Nagra, Gareth Heyes, Michael Coates, Eduardo Vela, Stefano Di Paola, Isaac Dawson, Chris Eng, Alexandre Miguel Aniceto
(Email John Wilander if you are unable to edit the Wiki and would like to sign up!)

HTML5 Security
Objectives:
  1. Handle autofocus in a unified and secure way.
  2. Discuss necessity and capability for the HTML5 form controls.
  3. Initiate and create documentation and references for developers that address security issues.
  4. Discuss and heavily restrict SVG capabilities, especially when deployed in CSS backgrounds and <img> tags.
  5. Long Term Goal(s): Provide working, easy-to-use, vendor-supported, HTML5-compliant filter software such as HTMLPurifier.
Outcomes / Deliverables:
  1. Browser Security Report
  2. Browser Security Priority Report
Owner/Leader and Members/Attendees: Mario Heiderich, Gareth Heyes, John Wilander, Michael Coates, Tony UcedaVelez, Stefano Di Paola, Isaac Dawson, Chris Eng, Nishi Kumar, Elke Roth-Mandutz, Giorgio Fedon, Paolo Perego, Eduardo Vela, Abraham Kang, Nuno Loureiro, Alexandre Miguel Aniceto

EcmaScript 5 Security
Objectives:
  1. Fix the problems with Object.defineProperty() and property unsealing / double-freezing.
  2. Raise awareness of the power of object freezing in a security context.
  3. Raise awareness of the DOM as the place where XSS attacks actually take place, and where they should be prevented.
  4. Long Term Goal: Discuss the possibility of vendor-supported client-side security mechanisms.
Outcomes / Deliverables:
  1. Browser Security Report
  2. Browser Security Priority List
Owner/Leader and Members/Attendees: Mario Heiderich, TBC, John Wilander, Michael Coates, Stefano Di Paola, Isaac Dawson, Abraham Kang, Gareth Heyes

Enduser Warnings
Objectives:
  1. Clearly there is a need for warnings that users understand and that convey the right information. Perhaps we can agree on some guidelines or at least exchange lessons learned.
Outcomes / Deliverables:
  1. Browser Security Report
  2. Browser Security Priority List
Owner/Leader and Members/Attendees: John Wilander, John Wilander, Michael Coates, Vishal Garg

Site Security Policy
Outcomes / Deliverables:
  1. Browser Security Report
  2. Browser Security Priority List
Owner/Leader and Members/Attendees: John Wilander, Michael Coates, John Wilander, Michael Coates, Stefano Di Paola, Tobias Gondrom, Alexandre Miguel Aniceto

Securing Plugins
Outcomes / Deliverables:
  1. Browser Security Report
  2. Browser Security Priority List
Members/Attendees: John Wilander, Michael Coates, Giorgio Fedon

Blacklisting
Outcomes / Deliverables:
  1. Browser Security Report
  2. Browser Security Priority List
Members/Attendees: John Wilander, Michael Coates

OS Integration
Outcomes / Deliverables:
  1. Browser Security Report
  2. Browser Security Priority List
Members/Attendees: John Wilander, Michael Coates

Sandboxed Tabs/Domains/Browser
Outcomes / Deliverables:
  1. Browser Security Report
  2. Browser Security Priority List
Members/Attendees: John Wilander, Michael Coates
Category: Summit 2011 XSS Eradication Track

XSS and the Frameworks
Objectives:
  1. Work on how OWASP can engage with the major web frameworks to move towards a "secure by default" stance
  2. Work on OWASP resources to provide patches/design approaches in conjunction with the frameworks
Outcomes / Deliverables:
  1. OWASP statement/press release to publicly ask the frameworks to build security in
  2. Engagement plan on how we'd work with (if at all) a framework to get ESAPI or similar functionality integrated
  3. White paper or standard for what we want the web frameworks to provide in terms of XSS defenses. Turning the XSS Prevention Cheat Sheet into a standard/metric for frameworks would be great.
  4. OWASP Standard defining an appraisal methodology for a framework's XSS prevention capability based on the other deliverable.
Owner/Leader and Members/Attendees: Justin Clarke, Chris Eng, Abraham Kang, Tony UcedaVelez, Fred Donovan, Juan Jose Rider

XSS - Awareness, Resources, and Partnerships
Objectives:
  1. Work on what partners we can reach, and what resources they can provide us access to
  2. Work on who we can work with to reach the maximum number of developers writing web applications
  3. Plan engagement with identified organizations
  4. Plan a call to action for OWASP chapters for identified XSS resources
Outcomes / Deliverables:
  1. A concrete, specific business plan for investing OWASP funds in a campaign designed to ensure that every developer knows about XSS and what to do to prevent it. The plan should have specific goals, measures, and targets over time so we know if it is on track.
Owner/Leader and Members/Attendees: Justin Clarke, Chris Eng, Abraham Kang, Sherif Koussa

WAF Mitigations for XSS
Objectives:
  1. Improve XSS attack payload detection techniques
  2. Identifying improper output handling flaws in web apps
  3. Feasibility of profile page scripts/iframes
  4. Testing injection of JS sandbox code in responses
Outcomes / Deliverables:
  1. White paper describing "Next Generation WAF Capabilities" such as the ones described above. Include areas requiring additional research and funding.
Owner/Leader and Members/Attendees: Ryan Barnett, Lucas C. Ferreira, Achim Hoffmann, Justin Clarke, Giorgio Fedon, Abraham Kang, Mario Heiderich, Gareth Heyes, Eduardo Vela, Stefano Di Paola, David Lindsay, Juan Jose Rider

Category: Summit 2011 Mitigation Track

Virtual Patching Best Practices
Objectives:
  1. Identify which attacks/vulnerabilities are best suited for virtual patching
  2. Identify which tools are best suited for virtual patching (appliance vs. embedded, WAFs vs. IPS, etc.)
  3. Identify who should be responsible for virtual patching
  4. How to develop/test virtual patches
Outcomes / Deliverables:
  1. White paper on "Effective Virtual Patching" that discusses the scenarios above.
Owner/Leader and Members/Attendees: Ryan Barnett, Achim Hoffmann, Dan Cornell, Martin Knobloch

Scaling Web Application Security Testing
Outcomes / Deliverables:
  1. A white paper describing strategies for scaling application security verification programs beyond a single application at a time. It should address achieving coverage of expected controls, depth of assurance, both automated and manual approaches, custom rules, rule management, and rule deployment.
Owner/Leader and Members/Attendees: Arian Evans, Dinis Cruz, Eoin Keary, Achim Hoffmann, Steven van der Baan, Cecil Su, Sherif Koussa, Matthias Rohr, Vishal Garg, Chris Eng, Nishi Kumar, Michael Coates, Giorgio Fedon, Keith Turpin, Ofer Maor, Nuno Loureiro, Mikko Saario, Wojciech Dworakowski, Martin Knobloch, Antonio Fontes

How to report known security vulnerabilities (for websites)
Objectives:
  1. Discuss the OWASP strategy and policy on responsible disclosure of known vulnerabilities in public web applications.
  2. Should OWASP provide an OT10-Leaks platform in a country with legal protection for anonymous sources?
Outcomes / Deliverables:
  1. A white paper evaluating the various options for handling discovered vulnerabilities, with possible standards and recommendations associated with the options.
Owner/Leader and Members/Attendees: Dinis Cruz, Seba Deleersnyder, Mateo Martinez, Michael Coates, Giorgio Fedon, Eduardo Vela, Martin Knobloch

Microsoft's SDL in 16 steps (and lessons learned)
Objectives:
  1. Discuss additional reference materials and identify publicly available tools targeting a variety of platforms (web, OS X, Unix, mobile platforms, etc.) in an effort to provide practical, platform-specific implementation guidance for each of the security practices in the 16 Steps of the Simplified SDL.
  2. Define the practical "crawl/walk/run" steps for adopting the 16 Practices of the Simplified SDL for development organizations of any size.
Outcomes / Deliverables:
  1. Identify 1-2 target platforms and potential locations for a library of platform-specific guidance and tools associated with each of the 16 practices of the Simplified SDL.
  2. Identify OWASP contributors who are willing to help build the content for #1.
  3. Define the practical "crawl/walk/run" steps for adopting the 16 Practices of the Simplified SDL for development organizations of any size.
Owner/Leader and Members/Attendees: Jeremy Dallman, Tony UcedaVelez, John Menerick, Daniel Brzozowski, Alexandre Miguel Aniceto
Category: Summit 2011 University Education Training Track

University Outreach
Objectives:
  1. Estimate how many security programs currently exist in university settings around the world
  2. How can OWASP participate in and influence the curricula of these educational programs?
  3. How can we foster relationships between OWASP and universities?
  4. How can the relationship between OWASP and universities be standardized?
  5. What can OWASP offer universities and what can they, in turn, expect from each other?
Outcomes / Deliverables:
  1. A study with facts, numbers, and other metrics about application security in academia: the OWASP Academic State of the World.
  2. A white paper with strategies for infiltrating academia with our priorities.
Owner/Leader and Members/Attendees: Martin Knobloch, Nishi Kumar, Cecil Su, Elke Roth-Mandutz, Heiko Richler, Lucas C. Ferreira, Jason Taylor, Carlos Serrão, Konstantinos Papapanagiotou, Mateo Martinez, L. Gustavo C. Barbato, Edward Bonver, Ricardo Melo, Alexandre Agustini

Computer Crime Laws
Objectives:
  1. Understand the current laws/frameworks in place in relation to computer crime and prevention
  2. Discuss ways these laws are currently failing consumers in protecting assets
  3. Discuss possible amendments to the laws/frameworks to better protect the public
Outcomes / Deliverables:
  1. A study evaluating the existing computer crime laws and how they might be applied to the current set of application security attacks, with recommendations for a new legal framework.
Owner/Leader and Members/Attendees: Daniel Cuthbert, Matthew Chalmers, Abraham Kang

OWASP Academies
Objectives:
  1. Presentation of the discussion held in January: what we were looking for, what conclusions were reached and why;
  2. The OWASP Academic Portal Project: what it is, advantages, contributors, roadmap;
  3. Alternative ways of working with universities when possible: Summer School proposal (ISCTE);
  4. OWASP AppSec Tutorial Series: how best to disseminate and use it.
Outcomes / Deliverables:
  1. Deliver the above as a fundable business plan complete with financial and resource requirements, timelines, metrics, etc.
Owner/Leader and Members/Attendees: Sandra Paiva, Martin Knobloch, Paulo Coimbra, Dinis Cruz, Nishi Kumar, Cecil Su, Heiko Richler, Lucas C. Ferreira, Jason Taylor, Mateo Martinez, Konstantinos Papapanagiotou, Carlos Serrão, Matteo Meucci, Elke Roth-Mandutz, Daniel Brzozowski, L. Gustavo C. Barbato, Ricardo Melo, Alexandre Agustini

OWASP Training
Objectives:
  1. Presentation of the OWASP Training Model;
  2. How to keep the initiative alive: people, methodologies, contents, materials;
  3. Trainers Database: assessment of quality;
  4. Connection with the Paid Training Model;
  5. Set up a strategy to apply for currently available state European funding.
Outcomes / Deliverables:
  1. Deliver the above as a fundable business plan complete with financial and resource requirements, timelines, metrics, etc.
  2. Team and model to apply for currently available state European funding.
Owner/Leader and Members/Attendees: Sandra Paiva, Martin Knobloch, Paulo Coimbra, Dinis Cruz, Nishi Kumar, Cecil Su, Heiko Richler, Lucas C. Ferreira, L. Gustavo C. Barbato, Jason Taylor, Achim Hoffmann, Mark Bristow, Mateo Martinez, Carlos Serrão, Konstantinos Papapanagiotou, Vishal Garg, Matteo Meucci, Jeremy Long, Seba Deleersnyder, Ralph Durkee, Ricardo Melo

Developer's Security Training Package
Objectives:
  1. Create an organized package that can be used by companies for the purpose of educating developers on securely coding web applications and web services
Outcomes / Deliverables:
  1. A curriculum for the above based on OWASP materials and a plan to build it out.
Owner/Leader and Members/Attendees: Brad Causey, Martin Knobloch, Nishi Kumar, Jason Taylor, Carlos Serrão, Konstantinos Papapanagiotou, Daniel Brzozowski, L. Gustavo C. Barbato, Keith Turpin, Ralph Durkee, Mikko Saario, Ricardo Melo, Mateo Martinez, Tobias Gondrom, Alexandre Agustini, Sherif Koussa

OWASP TOP 10 online training in Hacking-Lab
Objectives:
  1. Learn more about the OWASP TOP 10 cases in Hacking-Lab (vulnerable apps in HL)
  2. Experience the user's view of a training: lab descriptions, exercises, send-solution, ranking, global ranking, my profile
  3. Experience the teacher's view of a training: solution movies, accept or reject solutions from users
  4. Experience the Hacking-Lab LiveCD (accessing the lab), teaming, levels in HL, avatar, rankings
  5. Talk about a potential collaboration between OWASP and Hacking-Lab for the future: free OWASP TOP 10 training.
Outcomes / Deliverables:
  1. A plan to create free, high-quality OWASP T10 awareness training using HL and others. Integrate the various environments and create a prototype if possible.
Owner/Leader and Members/Attendees: Ivan Buetler, Nishi Kumar, Cecil Su, Jason Taylor, Achim Hoffmann, Carlos Serrão, Konstantinos Papapanagiotou, Vishal Garg, Mateo Martinez, Daniel Brzozowski, Tony UcedaVelez, Ralph Durkee, Ricardo Melo, Martin Knobloch, Juan Jose Rider Jimenez, Alexandre Miguel Aniceto

How to present worldwide David Rice's Pollution keynote
Outcomes / Deliverables:
  1. A plan for a marketing/awareness campaign that starts to promote the top- and bottom-line business advantages of application security. Prototype awareness concepts if possible.
Owner/Leader and Members/Attendees: Dinis Cruz, Seba Deleersnyder

OWASP Exams
Objectives:
  1. Establish a model for CC-licensed exam creation
  2. Establish a model for CC-licensed exam distribution and usage
  3. Establish a first CC-licensed exam to test the concept (an alpha will be brought to the working session)
  4. Try OWASP training and exam end-to-end to experience and improve training and exam usage scenarios
Outcomes / Deliverables:
  1. A business plan for evaluation by the community at large: what is the investment, schedule, metrics, benefit?
Owner/Leader and Members/Attendees: Jason Taylor, Dinis Cruz, Matthew Chalmers, Mateo Martinez, Jeremy Long, Matteo Meucci, Paolo Perego, Ralph Durkee, Martin Knobloch

OWASP Certification
Objectives:
  1. Determine whether certification would have value for OWASP's community
  2. Determine a model by which certification based on OWASP materials could succeed
  3. Determine a model for creation and distribution of a CC-licensed certification exam based on OWASP materials
  4. (If agreed) Determine a model for supporting the administration of certification based on OWASP materials
Outcomes / Deliverables:
  1. A business plan for evaluation by the community at large.
Members/Attendees: Dinis Cruz, Matthew Chalmers, Mateo Martinez, Jeremy Long, Matteo Meucci, Seba Deleersnyder, Daniel Brzozowski, Paolo Perego, Edward Bonver, Ralph Durkee, Nuno Loureiro, Ricardo Melo, Martin Knobloch, Alexandre Miguel Aniceto

Category: Summit 2011 OWASP Secure Coding Workshop Track

Applying ESAPI Input Validation
Objectives:
  1. Serial decomposition: decode, canonicalize, filter
  2. Structured data (SSN, CC, etc.)
  3. Unstructured data (comments, blogs, etc.)
  4. Other input examples (web services, database, etc.)
Outcomes / Deliverables:
  1. A clear and concise user guide for getting ESAPI input validation up and running.
Owner/Leader and Members/Attendees: Chris Schmidt, Nishi Kumar, Justin Clarke, John Steven

Defining AppSensor Detection Points
Objectives:
  1. Understand AppSensor fundamentals
  2. Define AppSensor detection points applicable to most applications
  3. Implement detection points in code
Outcomes / Deliverables:
  1. Status of the AppSensor whitepaper, including the AppSensor roadmap
  2. Updated AppSensor-Tutorial code with new lessons and lesson structure enhancements
  3. Updated Getting Started Guide for new adopters and developers, leveraging feedback from the session
Owner/Leader and Members/Attendees: Michael Coates, Ryan Barnett, Colin Watson, Chris Schmidt

Contextual Output Encoding
Objectives:
  1. Increase coverage and functionality of existing output encoding codecs
  2. Create new codecs to cover more output encoding contextual needs
  3. Introduce these codecs in a way that doesn't interfere with ESAPI modularization tasks
  4. Draft an implementation guide for application framework developers to implement ESAPI output encoding in their application frameworks
Outcomes / Deliverables:
  1. Increased coverage and functionality of existing output encoding codecs
  2. New drop-in set of codecs for the ESAPI Encoder to use for additional contexts
  3. Implementation guide for framework developers to integrate output encoding into their application framework. This should be a simple guide that can be distributed en masse to framework developers as a push to get them involved in making their frameworks more secure by eliminating XSS.
Owner/Leader and Members/Attendees: Chris Schmidt, Justin Clarke, Abraham Kang

Protecting Information Stored Client-Side
Objectives:
  1. Produce an informal threat model for each development scenario
  2. Impart a clear and simple shared understanding of the threats associated with each development scenario (and dispel common misunderstandings/idioms)
  3. Define a solution that resists the defined attacks
  4. Deliver solution implementation (snippets) to https://code.google.com/p/secure-coding-workshop/
Outcomes / Deliverables:
  1. (see objectives) Threat models
  2. (see objectives) Code snippets
  3. Plan and extra-summit work items for exercises in phone and RIA contexts during the next summit
Owner/Leader and Members/Attendees: John Steven, Elke Roth-Mandutz, Jim Manico, Chris Schmidt, Justin Clarke, Neil Matatall, Tony UcedaVelez, Fred Donovan, Alexandre Miguel Aniceto, Antonio Fontes

Protecting Against CSRF
Outcomes / Deliverables:
  1. A practical guideline for protecting against CSRF in the real world.
  2. A concise, clear standard for determining whether an application is vulnerable to CSRF.
Members/Attendees: Chris Schmidt, Achim Hoffmann, Ryan Barnett, Mark Thomas, Vishal Garg

Providing Access to Persisted Data
Objectives:
  1. Create design and code examples for protecting access to database tables and rows by role
  2. Create design and code examples for protecting access to data when 'auto-wiring' and marshalling
  3. Create design and code examples for protecting sensitive data at rest
Outcomes / Deliverables:
  1. A short reference-architecture/coding-examples guideline that clearly explains positive and negative examples of accessing persisted data.
Owner/Leader and Members/Attendees: Dan Cornell, Chris Schmidt, Justin Clarke, Dan Cornell, John Steven, Ralph Durkee, Alexandre Miguel Aniceto

The Future of the OWASP Secure Coding Workshop
Objectives:
  1. Determine how to scale the idea
  2. Determine how to get funding for it
  3. Schedule at least two further OWASP Secure Coding Workshop days in 2011
Outcomes / Deliverables:
  1. A business plan for OSCW to be evaluated by the community at large: what is the investment, schedule, metrics, benefit?
Owner/Leader and Members/Attendees: John Steven, Chris Schmidt, Justin Clarke, Jeremy Long

ESAPI for Ruby
Objectives:
  1. Define which APIs need to be implemented
  2. Define the module's namespace inside the gem
  3. Write Cucumber scenarios to define overall integration tests
  4. Write RSpec contexts for each API for fine-grained tests
  5. (Hopefully: implement at least 5% of the APIs starting from their RSpecs)
Outcomes / Deliverables:
  1. Cucumber scenarios
  2. RSpec context for each API chosen
  3. 5% of APIs implemented
Owner/Leader and Members/Attendees: Paolo Perego

ESAPI-CORE
Objectives:
  1. Build ESAPI-core version 1 for Java 1.5+
  2. Document the planning phase and design decisions around ESAPI-core
  3. Produce library usage documentation
Outcomes / Deliverables:
  1. Build a design plan for ESAPI core.
  2. Deploy the first version of the ESAPI-core Jar.
Owner/Leader and Members/Attendees: Jim Manico, Paolo Perego, Jim Manico

OWASP Security Refactorings
Objectives:
  1. Goals and scope of initial "Security Refactorings"
  2. High-level organization of code example smells
  3. Format to present Security Refactorings
  4. Solutions and segmenting of work.
Outcomes / Deliverables:
  1. Goals and scope of initial "Security Refactorings"
  2. High-level organization of code example smells
  3. Format to present Security Refactorings
  4. Solutions and segmenting of work.
Owner/Leader and Members/Attendees: Abraham Kang, Abraham Kang

Category: Summit 2011 Individual OWASP Projects Track

O2 Platform
Objectives:
  1. Define 'What is O2'
  2. Map out easy ways to start using O2
  3. Document success stories and 'real world' O2 usage
Outcomes / Deliverables:
  1. Simple user's guide that shows how to install, configure, and use O2 to do a few simple common things.
  2. Detailed workflows for the more complex features
  3. Roadmap for the next version of O2
Owner/Leader and Members/Attendees: Dinis Cruz, Nishi Kumar, Jason Taylor, Steven van der Baan, Sherif Koussa, Daniel Brzozowski, Anurag Agarwal, Giorgio Fedon, Achim Hoffmann, Paolo Perego, Neil Matatall, Abraham Kang, Tony UcedaVelez, L. Gustavo C. Barbato, Alexandre Agustini, Vlatko Kosturjak

Mobile Security
Objectives:
  1. Primary: Create a core knowledge base on the project wiki site
  2. Recruit volunteers to contribute to the project
  3. Establish relationships with key players (e.g. Apple, Google)
  4. Create the OWASP Mobile Top 10
Outcomes / Deliverables:
  1. Project wiki page
  2. A project home page, roadmap, and action plan. Look at the OWASP Ecosystem concept to see what all you should have in place.
  3. OWASP Mobile Top 10
Owner/Leader and Members/Attendees: Mike Zusman, David Campbell, Colin Watson, Tom Neaves, Mateo Martinez, Justin Clarke, Sherif Koussa, Vishal Garg, Dan Cornell, Chris Eng, Jim Manico, Jack Mannino, Nishi Kumar, Giorgio Fedon, Steve Jensen, Neil Matatall, Abraham Kang, Mikko Saario, Vlatko Kosturjak, Chris Wysopal, Antonio Fontes

Development Guide
Objectives:
  1. Discussion of major enhancements to the next version of the Development Guide
  2. Discussion of aligning the guide to the ASVS standard and the OWASP common numbering scheme
  3. Discussion of improving the usefulness of the guide to all stakeholders
  4. Collaboration with other OWASP guides: Top 10, ASDR, CRG and TG
Outcomes / Deliverables:
  1. An updated outline for the Development Guide that is tied into the OWASP common numbering scheme
  2. A short white paper with ideas for revisions to the Development Guide for evaluation and discussion by the community at large.
  3. A committed project manager who can reach out to experts to get the document completed.
Owner/Leader and Members/Attendees: Vishal Garg, Matthias Rohr, Eoin Keary, Steven van der Baan, Abraham Kang, Keith Turpin, Fred Donovan

ASVS Project
Objectives:
  1. Discuss experiences with using ASVS
  2. Discuss specific requirements and ideas for improvement
  3. Create a white paper with ideas for revisions to the ASVS
Outcomes / Deliverables:
  1. A short white paper with ideas for revisions to the ASVS, ready for evaluation by the community at large. Actual suggested revisions to the document are helpful, but not required if time does not allow.
Owner/Leader and Members/Attendees: Matthias Rohr, Nishi Kumar, Steven van der Baan, Wojciech Dworakowski, Jim Manico, Vishal Garg, Abraham Kang, Keith Turpin, Alexandre Miguel Aniceto

Enterprise Web Defense Roundtable
Objectives:
  1. What techniques are effective for scaling web security within a large company?
  2. Which strategies for developer education work?
  3. Automated defenses: what techniques are currently in use?
  4. Benefits/considerations of using security bounty programs and public hacking initiatives.
  5. What can OWASP build or develop to assist with enterprise-wide application security?
Outcomes / Deliverables:
  1. A white paper detailing specific recommendations for enterprise web security.
  2. A plan for building an ecosystem specifically targeting enterprise web security. What does it take to scientifically advance the state of the art?
Owner/Leader and Members/Attendees: Michael Coates, Chris Lyon, Eoin Keary, Dinis Cruz, Chris Schmidt, Justin Clarke, Matthias Rohr, Matteo Meucci, Mateo Martinez, Ofer Maor, Wojciech Dworakowski, Tobias Gondrom

OWASP Testing Guide
Objectives:
  1. Show v3 and debate what we need to create an excellent v4
Outcomes / Deliverables:
  1. An updated outline for the Testing Guide that is tied into the OWASP common numbering scheme
  2. A short white paper with ideas for revisions to the Testing Guide for evaluation and discussion by the community at large.
  3. A committed project manager who can reach out to experts to get the document completed.
Owner/Leader and Members/Attendees: Matteo Meucci, Nishi Kumar, Cecil Su, Lucas C. Ferreira, Keith Turpin, Achim Hoffmann, Tom Neaves, Vishal Garg, Giorgio Fedon, Stefano Di Paola, Pavol Luptak, Andre Gironda, Edward Bonver, Wojciech Dworakowski, Vlatko Kosturjak, Antonio Fontes, Christian Martorella

OWASP Java Project
Objectives:
  1. Restart the Java project
  2. Find new leadership
  3. Recruit volunteers
  4. Build a new roadmap for the project
Outcomes / Deliverables:
  1. Action plan for the project
  2. New project leader
Owner/Leader and Members/Attendees: Lucas C. Ferreira, Mateo Martinez, Daniel Brzozowski

OWASP Portuguese Language Project
Objectives:
  1. Kickstart the project
  2. Define leadership and roles
  3. Prioritize documents
  4. List all Portuguese materials available
Outcomes / Deliverables:
  1. A prioritized action plan for getting OWASP materials created in Portuguese
Owner/Leader and Members/Attendees: Lucas C. Ferreira, Paulo Coimbra, Sandra Paiva, L. Gustavo C. Barbato, Ricardo Melo, Alexandre Agustini

Threat Modeling
Objectives:
  1. Reviewing existing methodologies and their pros and cons
  2. Assigning business impacts to threats
  3. Assigning technical impacts to threats
  4. Threat rating system.
  5. Can we bring attack trees into mainstream threat modeling methodology?
Outcomes / Deliverables:
  1. A document with a public recommendation on the use of threat modeling
  2. An OWASP standard defining what a threat model is.
  3. An OWASP standard defining a workflow for creating and maintaining a threat model.
  4. A white paper providing recommendations on how organizations can use threat modeling to achieve better security earlier in the process. Including a business-case rationale for threat modeling would be excellent.
Owner/Leader and Members/Attendees: Anurag Agarwal, Matthew Chalmers, Colin Watson, Mateo Martinez, Dinis Cruz, Jim Manico, Neil Matatall, Christian Martorella, Steven van der Baan, Nishi Kumar, Cecil Su, Antonio Fontes, Sherif Koussa, Matthias Rohr, Vishal Garg, Matteo Meucci, Seba Deleersnyder, Tony UcedaVelez, L. Gustavo C. Barbato, Edward Bonver, Ofer Maor

T. global committees.jpg
Category: Summit 2011 OWASP Governance Track

Name of Working Session Objective(s) Outcome(s) / Deliverable(s) Owner/Leader Members/Attendees
OWASP Board/Committee Governance
  1. Universal Committee Governance Document/Policies
  2. Review Board Governance and By-Laws (Including Board composition/elections)
  3. Committee alignment to OWASP Goals/Mission including Authorities, Individual Missions and Areas of Responsibility (AoR).
  4. Providing budgets to committees for direct oversight and spending in their AoR
  5. Additional transparency in OWASP accounting (expenditures, expense reports for Officers/Committee Members, etc.)
  1. Universal Committee Governance Document and operating Policies
  2. Proposed updated OWASP By-Laws
  3. Committee mission clarifications and delineation of areas of responsibility
  4. New model for funding OWASP activities
  5. New policies to enhance transparency
Mark Bristow @
Jason Li @
Tom Brennan @
Jim Manico @

Nishi Kumar @

Joe Bernik

Matthew Chalmers @

Sarah Baso @

Doug Wilson @

Kate Hartmann @

John Steven @

Seba Deleersnyder @

OWASP Projects
  1. Review changes made in the last 2 years
  2. Discuss the high level steps of a project life-cycle
  3. Approve the OWASP GPC Governance Document
  4. Streamline project initialization process to make it easier for new projects
  5. Implement project governance change approved by the Board to limit use of "OWASP" brand name to projects of certain maturity
  1. Initial draft for an RFP for a centralized OWASP project hosting solution
  2. A project lifecycle flow chart to identify the necessary steps to improving the visibility of a project's health
  3. An envisioned structure for the future of OWASP Projects
Brad Causey @
Jason Li @
Seba Deleersnyder @

Nishi Kumar @

OWASP Industry Outreach
  1. The OWASP 2011 Industry Plan. To discuss plans for working with industry in a closer manner. The plan should contain specific activities, commitments, dates, and expected outcomes.
Eoin Keary @
Colin Watson
Lorna Alamri @

David Campbell

Eoin Keary

Matt Tesauro

Joe Bernik

Nishi Kumar @

Lucas C. Ferreira @

Tobias Gondrom @

Vehbi Tasar

Colin Watson

Jason Taylor @

Sarah Baso @

Mateo Martinez @

Konstantinos Papapanagiotou @

Membership
  1. Develop a plan for reaching out to other organizations in order to expand OWASP's exposure to the larger security and developer communities.
  2. Create a budget and funding plan for the Membership Committee
  3. Be ready to conduct a survey of new and existing OWASP Members and Supporters. Develop survey questions and specifics for the implementation.
  1. The OWASP 2011 Membership Plan – describing the membership program and recommendations, marketing plans. The plan should contain specific membership targets for all membership classes and detailed strategies for achieving the goals.
Dan Cornell @

Michael Coates @

Mateo Martinez @

Dan Cornell @

Tony UcedaVelez @

Ofer Maor @

Connections
  1. Define the mission of the Connections Committee
  2. Agree engagement/working patterns with the other global committees
  1. The OWASP 2011 Connection Plan – describing the current connections program and detailing the specifics for what will happen in 2011. The plan should contain specific goals and strategies for achieving the goals.
Jim Manico @
Justin Clarke @
Achim Hoffmann @

Doug Wilson @

Andre Gironda @

Chapters
  1. Challenges and solutions to run a successful OWASP chapter
  1. The OWASP 2011 Chapter Plan – describing the current state of OWASP chapters worldwide and identifying what will happen in 2011 to grow the number of chapters and improve their quality.
Seba @

Mandeep Khera

Matthew Chalmers @

Matteo Meucci @

Mateo Martinez @

Ferdinand Vroom @

Helen Gao @

L. Gustavo C. Barbato @

Ofer Maor @

Wojciech Dworakowski @

Martin Knobloch @

Vlatko Kosturjak @

Antonio Fontes @

Education
  1. Assess how past achievements support the current educational developments
  2. Evaluate how we can get the projects involved in developing (or at least reviewing) training material
  3. Define new goals for the upcoming period
  4. Define success factors for the upcoming period
  1. The OWASP 2011 Education Plan – describing the specific plans for education in 2011 with schedule, targets, action plans, etc…
Martin Knobloch @

Nishi Kumar @

Cecil Su @

Jason Taylor @

Conferences - Improving Conference Planner Support
  1. Discuss the GCC's current 2011 Plan of action and new initiatives
  2. Review comments provided in the Conference Planner Survey
  3. Discuss mechanisms to improve Planner/Operational Support
  4. Discuss mechanisms to improve event marketing/sponsorships
  5. Discuss Global Conference Sponsorship Plan
  1. The OWASP 2011 Conference Plan – describing the plan for continuing to make our conferences even better, specifically defining the various tiers of conferences, naming, partnering with other entities, and other challenges.
Mark Bristow @

Lorna Alamri @

Nishi Kumar @

Lucas C. Ferreira @

Ralph Durkee @

Matthew Chalmers @

Matteo Meucci @

Mateo Martinez @

Neil Matatall @

Seba Deleersnyder @

L. Gustavo C. Barbato @

Tracking OWASP Participation
  1. Identify the specific needs for a participation tracking system
  2. Develop a working framework that provides an open, distributed and accountable mechanism to track participation
  3. Discuss initial "points system" detail and point values
  4. Discuss normalization of system points
  1. Point Tracking System
  2. Initial set of point values
  3. A white paper recommending an approach for tracking/measuring OWASP participation to be used for prioritizing support whenever needed.
Mark Bristow @

Jason Li @

Martin Knobloch @

Professionalize OWASP
  1. Hold annual OWASP Foundation Board Member elections? During the annual OWASP Summit?
  2. Professionalize OWASP PR by hiring more OWASP employees, at least one for PR?
  3. Hire more OWASP professionals?
  4. Pay OWASP Board Members and OWASP Leaders?
  5. Create a European OWASP entity?
  1. A white paper recommending an approach for professionalizing OWASP without upsetting the progress we are making in the existing structure. Specifically consider the budget requirements for the plan and the effect that this would have on existing budgets.
Martin Knobloch @

Nishi Kumar @

Lorna Alamri @

Mark Bristow @

Matthew Chalmers @

Justin Clarke @

Building the OWASP Brazilian Leaders Group
  1. Define the members of the group
  2. Define the rules of engagement for the group
  3. Discuss how to fund Brazilian chapters
  4. Discuss the translation of OWASP materials to Portuguese
  5. Define the rules for hosting AppSec Brazil
  1. Objectives and working plan to improve OWASP presence in Brazil
Lucas C. Ferreira @

L. Gustavo C. Barbato @

Eduardo Jorge Feres Serrano Neves @

Government Outreach
  1. Determine realistic ways to promote OWASP offerings to governments around the world
  2. Determine what governments are looking for from OWASP
  3. Determine resources that governments could provide that would assist the OWASP mission
  4. Explore the practicality of liaison roles to/from government organizations
  1. A list of suggestions to pass along to the Global Connections Committee for the best ways of engaging government
  2. A high level outline of what OWASP has to offer governments at large
  3. A list of items that government agencies are looking for from OWASP
  4. An outline of strategy for pursuing interaction with different governments in depth
Doug Wilson @

Lucas C. Ferreira @

Mateo Martinez @

Colin Watson

Martin Knobloch @

Board Structure

John Steven @

Michael Coates @

Colin Watson

Martin Knobloch @

Seba Deleersnyder @

Jim Manico @

Mark Bristow @


Category: Summit 2011 OWASP Track

Columns: Name of Working Session | Objective(s) | Outcome(s) / Deliverable(s) | Owner/Leader | Members/Attendees
OWASP Around the World
  1. Internationalization
  2. Global Job Board
  3. New OWASP chapters in parts of the world where we have not spread much yet
  1. A white paper with specific recommendations on how we can ensure the greatest amount of access and involvement with OWASP for all people everywhere.


Matthew Chalmers @

Mateo Martinez @

Cecil Su @

What is an OWASP Leader?
  1. Define what it means to be an OWASP Leader
  1. Definition of criteria for OWASP Leaders
  2. A standard defining exactly what characterizes an OWASP Leader, for use in providing benefits and prioritizing support.
Dinis Cruz @

Matthew Chalmers @

Chris Schmidt @

Mark Bristow @

Daniel Brzozowski @

Martin Knobloch @

Vlatko Kosturjak @

Antonio Fontes @

Overhauling the OWASP Website
  1. Revisit goals from previous working session
  2. Identify available Google Apps (e.g. Code Review, Moderator, Short Links, Project Hosting, Groups, etc) that we can leverage to support OWASP Website Infrastructure.
  3. Review Website Overhaul Proposal for consideration
  4. Decide what elements should be outsourced/contracted to expedite implementation
  5. Resolve on schedule for achieving goals
  1. A project plan describing the future of web support for the OWASP ecosystem (think social) that covers all the various constituents, stakeholders, users, leaders, etc…. The plan will define all the steps necessary to get there and provide a rough estimate of the effort to get there. To the maximum extent possible, the plan will be designed to be parallelizable so that parts can be worked independently.
Jason Li @

Larry Casey

Achim Hoffmann @

Michael Coates @

Colin Watson

Nishi Kumar @

Dinis Cruz @

Matthew Chalmers @

Justin Clarke @

Mark Bristow @

Seba Deleersnyder @

Managing the OWASP Brand
  1. A white paper describing the OWASP brand and the challenges of getting people to use the brand without abusing it. The paper will update the OWASP Brand Guidelines and make recommendations about other ways to promote and protect the brand.


Jason Li @

Lucas C. Ferreira @

Matthew Chalmers @

Matteo Meucci @

Martin Knobloch @

Developer Outreach
  1. Determine strategic conferences/events OWASP can participate in to engage developers.
  2. Determine new/existing projects that can be leveraged to attract developers to OWASP
  3. Determine method for allowing developers to promote their activities in OWASP
  1. A white paper describing strategies for reaching developers with OWASP philosophy, materials, tools, etc…
Mark Bristow @
Jason Li @
Martin Knobloch @

Steven van der Baan @

L. Gustavo C. Barbato @

Antonio Fontes @

Privacy - Personal Data/PII, Legislation and OWASP
  1. Identify privacy enhancing & verification aspects of existing tools and documents
  2. Create a one-page OWASP projects-to-privacy cross reference factsheet
  1. Complete and approve OWASP's response to the FTC's staff report "Protecting Consumer Privacy in an Era of Rapid Change - A Framework for Businesses and Policymakers"
  2. A white paper discussing how the privacy ecosystem overlaps with the OWASP ecosystem and whether there should be more bridges built between them.
Colin Watson

Matthew Chalmers @

Lorna Alamri @

Achim Hoffmann @

Elke Roth-Mandutz @

David Campbell @

Abraham Kang

Replicating Samy's EU Tour across OWASP
  1. A white paper describing the outcomes from Samy’s EU tour and whether it is something that we can or should replicate.


S is for Safety (as well as Security)
  1. Create a whitepaper on application security for critical systems
  2. Create a whitepaper on how application security protects people
  1. A white paper describing how the safety ecosystem overlaps with the OWASP ecosystem and whether there should be more bridges built between them.
Colin Watson

Fred Donovan @
OWASP Quotes
  1. Open letter to governments
  2. Open letter to insurance companies
  3. Tools interoperability
  4. Tools customization by security consultants
  5. WikiLeaks & WebAppSec
  1. A white paper on how OWASP can use “quotes” effectively to drive awareness and action. The paper will suggest specific strategies for obtaining, vetting, and promoting quotes to achieve our aims.
Dinis Cruz @

Matthew Chalmers @
Did OWASP Fail to Achieve Its Full Potential? (and lessons learned)
  1. A white paper capturing possible missed opportunities during the 2000’s and suggesting strategies for doing better in the 2010’s.
Dinis Cruz @

OWASP funding and CEO discussion
  1. A process for gathering and addressing suggestions for new OWASP funding opportunities.
  2. A recommendation on whether or not the investment in a CEO would be cost-effective.
Keith Turpin @

Matthew Chalmers @

Dinis Cruz @

Mark Bristow @

Doug Wilson @

Martin Knobloch @

Less preaching to the choir, engage more with the outsiders
  Objectives and deliverables: TBD

Matthew Chalmers @

Doug Wilson @

Martin Knobloch @

Investment justification for Web Application Security
  Objectives and deliverables: TBD

Should OWASP work directly with PCI-DSS?
Matthew Chalmers @
Vlatko Kosturjak
Matthew Chalmers @

Vlatko Kosturjak @

Juan Jose Rider @

How can OWASP reach/talk/engage with auditors
  1. Educate security professionals and developers on, and dispel the myths about, audit and control
  2. Educate auditors on OWASP, software development and web & application security
  3. Discuss ways OWASP can help security pros, developers and auditors work together for mutual benefit and world domination
  1. A white paper describing specific strategies for interacting with auditors as described above.
Matthew Chalmers @

Matthew Chalmers @

Achim Hoffmann @

Justin Clarke @

Creating an Application Security Career - For the Average IT/Network Security Practitioner
  Objectives and deliverables: TBD

OWASP Licensing
  1. Discuss the goals of the OWASP Licensing model for OWASP documents and informative materials.
  2. Understand better the corporate use cases for OWASP documentation and artifacts.
  3. Identify possible options for licensing changes to spur growth in corporate sponsorships.
  1. Licensing Requirements for OWASP documentation
  2. List existing Licenses used by OWASP projects.
  3. Problem corporations face with adopting and utilizing OWASP materials and code
  4. Recommendations for changes in the OWASP License
  5. OWASP: Licensing FAQs
Abraham Kang @

Abraham Kang @

Alexandre Miguel Aniceto @

OWASP vs Government vs Universities
  1. First steps towards building partnerships involving European/American Government Agencies, European/American Universities and the OWASP Foundation to push forward web appsec education goals.
  2. To assess the potential of the European funding currently available and designed to support 'Transatlantic Education' - Call for proposals 2011
Dinis Cruz @
Jeff Williams @