OWASP Project Summit 2015/Working Sessions

We are currently looking for more working session ideas for the summit. If you're interested in adding a Working Session for the 2014 Summit, please contact either Johanna Curiel Please review the Working Session methodology for Working Session rules.

Keep checking back, as we will be adding more working sessions every week.

Current Daily Schedule

OWASP PROJECT Summit Agenda 2015

Location: AMSTERDAM RAI - 19 & 20 May Rooms E103 & E104 (see attached floor plan): File:RAI PLAN 2013 LR AW.pdf

Tuesday 19th May

9:00-9:30 Welcome to Project Summit 2015

Project Review Task Force

Project Reviews 2014-2015 Results 9:30-10:30 Location room :E104

Actual situation of projects

20 min presentation about the results of the last Project review, and release report about the active/ inactive projects per category It is expected than all attending project leaders and some members of the owasp board can assist to this presentation and participate Location room :E104

Security Gaps Workshop

(25 min): Security issues that no project has explored so far. Potential source of inspiration for new projects

Location room :E104

Projects as Operational objectives

(Kate Hartmann, Johanna, Paul,Timo, Jim) Deliverables: Report, Wiki updated and a nice infographic with the results.Plan for projects to be part of the operational objectives Location room :E104

OWASP Knowledge Based Authentication Performance Metrics Project

09h00 – 10h15. Review of the OWASP KBA-PMP project general advances with the project leaders and project managers (Ann Racuya-Robbins, Noreen Whysel) 10h30 – 12h30. Location room :E104

Review of the KBA testing tools (such as the KBA plugin).

15h00 – 19h00 .Open discussion of the KBA-PMP project: Why does the industry need a KBA standard? How is KBA used by different service providers around the world? KBA pentest experiences. Is dynamic KBA more secure than static KBA? Legal and technical challenges of dynamic KBA? Legal and technical challenges of remote identity proofing and KBA? The new ground of identity, security, privacy and governance and the role of KBA in each. Location room :E104

OWASP Codes of Conduct – Document Review

10:30 – 12:00 The current Codes of Conduct were developed primarily during the last major OWASP Summit in Portugal. They cover: Government Bodies, Educational Institutions, Standards Groups, Trade Organizations, Certifying Bodies, and Development Organizations. This 1.5 hour session will review, edit, update and release v1.2 of each document. Participants should be interested in how external entities can be encouraged to support OWASP's mission, read the existing Codes of Conduct in advance, and come with suggestions for changes.

• Introduction
• Joint review and edit (15 mins each document)
• Publish updated documents to wiki (PDF and Word).

Project website: https://www.owasp.org/index.php/OWASP_Codes_of_Conduct Location room :E104

OWASP ASVS

10:20 -11:50 & 14:30-17:30 OWASP ASVS Discuss issues around practitioners consuming ASVS in their consultancies Discuss how to improve adoption by development teams Live resolution of outstanding issues in ASVS Github Live QA of 2.1 Early planning of ASVS v3.0 Location room :E104

Hackademics

9:30 - 11:30 Hackademics – Wiki page rewrite, documentation review The current wiki page was written by the founders of the project back when the project started and it is missing lots of new information, also it has links to very old versions of the project and overall it needs rewriting. The current documentation is covering less than half of the features and it's wrong or not very clear in other parts.

This session will review, edit, update and release documentation for the version 2.0 of the project coming at the beginning of April. Moreover, we'll update the wiki listing contributors, developer guidelines, supporters and synch the documentation in the github wiki with the owasp wiki page. Participants should be familiar with hackademic and come with suggestions on missing guidelines.

14:00 - 17:30 Hackademics – Greek, French translation We are currently implementing an internationalization feature using I18n which should be ready for our v2.0 release. Our goal is to translate the strings present in the platform in French and Greek. (Since it's already in English and French and Greek are the only other languages the core contributors(and most likely participants) speak. There are approximately 300 strings in the platform. Participants to help are gladly welcome.

Location room :E103

AppSensor

13:00 – 15:00 AppSensor (Documentation) – Guide Review The AppSensor Guide v2 was published in May last year, and has had two minor updates, the last one mainly due to the important release of the v2 code implementation. This session is to edit and improve the guide, since many of the chapters have not been fully reviewed. Participants should read a chapter or two in advance of the summit (chapter 5 onwards, but choose randomly/what is of interest) and bring their edits/comments to the session, where the guide will be updated. All participants will be acknowledged in the guide and on the project wiki page.

• Briefing
• Live editing
• Publication updated PDF.

The latest version of the guide is at: https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc

Location room :E103

Snakes and Ladders

15:30 – 16:30 Snakes and Ladders – Dutch Translation OWASP Snakes & Ladders (web applications) has been translated into 5 other languages already, and Portuguese is in progress. But so far not Dutch. This rapid session will ask participants to translate the 900 words or so into Dutch, so that a PDF and Adobe Illustrator version can be created. It will also be possible to help remotely, as it will be set up on Crowdin.

• Meet
• Translate
• Create Illustrator and PDF output 
• Publish.

Project website: https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders

Location room :E104

OWASP OWTF

10h - 12h00: OWASP OWTF Introduction for GSOC Students The OWTF project has seen more than 8 GSoC projects being merged into the master branch over the past couple of years. We want to introduce the students to the program. Quick presentation of OWASP OWTF and some of its GSoC projects What did GSoC offer over the past 3 years? Current ideas for GSoC 2015 Brainstorm about new ideas for GSoC 2015 We expect to introduce students to OWTF and how GSoC would be a valuable experience for them.

Location room :E103

12h00 - 13h00: OWASP OWTF Open Forum Two ex-GSoC students are available to speak about their experience with OWTF and GSoC. How did we hear about GSoC? Why did we choose OWTF? How did they contact the project leader? What is a proposal? How hard was it? How much time did it take? What did GSoC give them back? We expect to share our experiences with possible future-GSoC students and help them to better understand what it can offer.

Location room :E103

14h00 - 17h00: OWASP OWTF Wiki Review Because OWTF has grown really fast the past years, some part of the wiki might be out of date even though we worked hard to update it. Proof-read the Wiki Reproduce the steps described in the Wiki Find the out-dated information Remove/Update them We expect to have an up-to-date wiki by the end of this session or at least a list of known out-of-date information.

Location room :E103

OWASP Security Shepherd

10:30 - 12:00 - Challenge Brain Storm The Security Shepherd project needs fresh challenge idea.Security Shepherd currently sports ~60 challenges covering the topics listed by the OWASP Web and Mobile Top Ten. These challenges start simple and increment in difficulty as bad fixes become closer to being good fixes. However, the scope of bad fix examples that are presented in Security Shepherd are a fraction of what's possible. So drop in and lay out any of the security gaps you can think of in applications, no matter how simple or complex they are. It could be a XSS blacklist filter, session management flaw or even poor data storage on a mobile device. If participants want to get their hands dirty and implement their idea into a challenge, that would be more than welcome across the session.

14:00 - 16:00 - Mobile Application Challenges without Hard Coded keys Implement a mechanism where a user can log into a Security Shepherd server through a Mobile Challenge Application to facilitate user specific keys to be presentated. This mechanism would need to be crafted so it cannot be exploited to return keys for security challenges without completing the level.

Project website: https://www.owasp.org/index.php/OWASP_Security_Shepherd

Location room :E104

Wednesday 20th May

OWASP ZAP

Summit https://groups.google.com/d/msg/zaproxy-develop/OlKKKEc2Bxo/TF-f8_aKO94J :

10:00h - 16h30 The ZAP summit is aimed at existing and prospective ZAP developers and is an opportunity to discuss all aspects of ZAP development and future direction. It is not planned to include any training on how to use ZAP.

The exact topics discussed will be agreed between the attendees at the start of the day, but are expected to cover things like: An introduction to ZAP and the attendees A review of ZAPs perceived strengths and weaknesses Discussions around the future direction of ZAP Areas of ZAP that people find difficult to contribute to Components of ZAP that attendees think need significant reworking How to encourage more participation Interworking with 3rd party tools The opportunity to focus on specific areas of interest to the attendees

Location: Room E103

OWASP Knowledge Based Authentication Performance Metrics

09h30 – 12h30. Project Review of the KBA standard contents with the project leaders and managers (Luis Enriquez, Ann Racuya-Robbin, Noreen Whysel). 15h00 – 18h00. Open discussion of the OWASP Security Labeling system project proposal (secure code, privacy, ingredients, and openness labels) -Should security become visible for normal users? -Should Owasp consider providing labels and certifications? -Expected audience : +20 people.

• Searching for interaction with other project leaders, and the board

Location: Room E104

09:00 – 12:00 Cornucopia - Ecommerce Website Edition – Video

The objective is to create a short "how to play the Cornucopia card game" video during this half-day session. Cornucopia is a card game that helps identify security requirements, but people may not be familiar with how easy it is to get started. Participants for this session are needed to be players, to create a narrative, to video the game being played, and if there is time and anyone has the skill, to edit the video and sound into a release version. It is preferable if participants are already a little familiar with the game and/or threat modelling. If there is time, we will also discuss alternative game strategies like a Jeopardy format.

• Storyboarding
• Game play recording
• Editing
• Soundtrack
• Publish video.

Project website: https://www.owasp.org/index.php/OWASP_Cornucopia

Location: Room E104

9:30 - 11:30 Hackademics test coverage

Improve unit tests coverage. Currently, unit tests cover ~20% of the platform, this session will focus on doubling the test coverage. Deliverables: 40% unit and functional tests coverage.

Location: Room E104

13:30 – 17:00 AppSensor (Code) – Dashboard

The AppSensor v2.0.0 code implementation final release was undertaken in January. One of the tasks to continue with is the development of a reporting dashboard. This session is to brainstorm ideas and layouts for the dashboard, and identify what tools/libraries can assist in the creation of the dashboard. Bring ideas, energy, URLs, paper and pens! The outputs will be dashboard mockups.

• Introductions and objectives
• Information requirements
• User stories
• Information design
• Code libraries and frameworks.

Code roadmap: https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Road_Map_and_Getting_Involved Microsite http://www.appsensor.org/

Location: Room E104

14:00 - 17:00 Hackademics - Student performance metrics visualization

Currently, the platform gathers student performance metrics in the form of how long it took them to solve challenges, how many requests, how much time idle e.t.c. However, the only way for a teacher to see the numbers is with database access.(The data is gathered for the advanced scoring functionality but it is also very useful as performance analytics). We plan to use graphing libraries to create interactive graphs to visualize the comprehension of the student performance. It's a simple front-end feature which will improve the usability of the platform.

Location: Room E104

17:00-18:00 OWASP Automated Threats to Web Applications Project - Website Owner Experiences

The OWASP Automated Threats to Web Applications Project is undertaking research and will publish its outputs immediately prior to AppSec EU 2015. This meeting seeks input from training and conference attendees on their own organisations' experiences of automated attacks:

• What types of automated attacks occur and with what frequency?
• What were the symptoms?
• How are they detected?
• What incident response measures were taken?
• What steps were undertaken to prevent or mitigate such attacks?

Participation/contribution can be anonymous or otherwise. The intention is to update the published documents during the session and if possible create additional sector-specific guidance.

Location: Room E104

10h00 - 13h00: OWASP OWTF Architecture Audit

During the past three years, OWTF has know a fast growth thanks to different GSoC projects. But the initial architecture is no more suited for the project nowadays. Identify the different elements of OWTF Define the inter-dependencies Estimate the accuracy of such dependencies Remove unnecessary dependencies Draw a better architecture for OWTF We expect to have a draft of the next architecture better suited for the needs of OWTF by the end of this session.

Location: Room E104

14h00 - 15h00: OWASP OWTF CLI Assessment

Over the past year, the development has been mostly focused on the improvement of the Web User Interface. A side effect is that currently the Command Line Interface (CLI) is broken and does not meet the objectives initially set. Test the CLI Report all commands/flags that are broken Find out the best features that the CLI should offer Gather the findings and draw a new standard for the CLI We expect to have a new standard for the CLI that will be implemented this year in order to enhance and fix its behaviors. This could be part of a GSoC project depending of the output of the session.

Location: Room E104

15h00 - 17h00: OWASP OWTF Hack It For Fun

The OWTF project is written in Python and we want to show how easy it is to hack into the code base. We propose a small workshop where the students would customize OWTF the way the want. Presentation of small code snippets Customize the console output Customize the web interface Competition about Implementing small features We expect to show how easy it is for students to hack into the code base of OWTF. As a reward, the winners of the competition will be offered nice goodies :)

Location: Room E104

Project Developments: The Good , The Bad and the Ugly

17:00 - 17:30 Open Forum with Project leaders Forum discussion with project leaders and Board==>(1 hour session)

• Why my project is not moving forward?
• What can be done to help improve my project?
• How to improve the actual situation of projects
• How to improve the review process

Deliverables:

• Collect information and create a report
• Use the session results and see how can we implement them
• Inform leaders about the actual process

Location: Room E104