This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Summit 2011 Outcomes"

From OWASP
Jump to: navigation, search
Line 43: Line 43:
  
 
===XSS Eradication & Mitigation===
 
===XSS Eradication & Mitigation===
XSS and the Frameworks & XSS - Awareness, Resources, and Partnerships (Justin Clarke) - [https://docs.google.com/document/d/1Qxj9_mV3Ocl1klTH0PQivi9SQS0C9Mc6AYkxsAEidgM/edit?hl=en_US&authkey=CMPpvKkO Combined Working Session Notes]<br>
+
[[Summit_2011_Working_Sessions/Session009|XSS and the Frameworks]] & [[Working_Sessions_XSS_AwarnessResourcesPartnerships|XSS - Awareness, Resources, and Partnerships]] (Justin Clarke) - [https://docs.google.com/document/d/1Qxj9_mV3Ocl1klTH0PQivi9SQS0C9Mc6AYkxsAEidgM/edit?hl=en_US&authkey=CMPpvKkO Combined Working Session Notes]<br>
  
 
[https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet DOM based XSS Prevention Cheat Sheet] (Jim Manico & Abraham Kang)<br>
 
[https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet DOM based XSS Prevention Cheat Sheet] (Jim Manico & Abraham Kang)<br>
  
WAF Mitigation for XSS (Ryan Barnett)<br>
+
[[Summit_2011_Working_Sessions/Session043|WAF Mitigation for XSS]] (Ryan Barnett)<br>
 +
 
 +
[[Summit_2011_Working_Sessions/Session091|Virtual Patching Best Practices]] (Ryan Barnett) - [https://docs.google.com/document/d/1gx5LAFfU07IOR5BtgDRUBF3CetsABXsuCECoGGa4Xqo/edit?hl=en_US&authkey=CLvq7M0H Working Session Notes]<br>
  
Virtual Patching Best Practices (Ryan Barnett) - [https://docs.google.com/document/d/1gx5LAFfU07IOR5BtgDRUBF3CetsABXsuCECoGGa4Xqo/edit?hl=en_US&authkey=CLvq7M0H Working Session Notes]<br>
 
  
 
===Metrics===
 
===Metrics===
Risk Metrics (Chris Wysopal) & Metrics and Labeling (Chris Eng) - [https://docs.google.com/document/d/1OWKzMuqjabrXYaVhdMvcLbLbBtLjPRuq2iXxNZBqBHM/edit?hl=en_US&authkey=CNin8vsH Working Session Transcripts]<br>
+
[[Summit_2011_Working_Sessions/Session055|Risk Metrics]] (Chris Wysopal) & [[Summit_2011_Working_Sessions/Session057|Metrics and Labeling]] (Chris Eng) - [https://docs.google.com/document/d/1OWKzMuqjabrXYaVhdMvcLbLbBtLjPRuq2iXxNZBqBHM/edit?hl=en_US&authkey=CNin8vsH Working Session Transcripts]<br>
 
 
Counting and Scoring Application Security Defects (Chris Eng & Chris Wysopal) - [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzNmMTViZjgtZTZhNy00ZjQ3LTgxNzQtMDQ4YWM3Njc4NzFi&hl=en_US&authkey=CM_-3OQB Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey]<br>
 
  
Formal Risk Assessment Methods (Benjamin Tomhave) <br>
+
[[Summit_2011_Working_Sessions/Session058|Counting and Scoring Application Security Defects]] (Chris Eng & Chris Wysopal) - [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzNmMTViZjgtZTZhNy00ZjQ3LTgxNzQtMDQ4YWM3Njc4NzFi&hl=en_US&authkey=CM_-3OQB Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey]<br>
  
  
Line 112: Line 111:
 
[[ASVS|Application Security Verification Standard (ASVS) Project]] (Dave Wichers)<br>
 
[[ASVS|Application Security Verification Standard (ASVS) Project]] (Dave Wichers)<br>
  
[[OWASP Portuguese Language Project]] (Lucas Ferriera)<br>
+
[[OWASP Portuguese Language Project]] (Lucas Ferriera)- [[Summit_2011_Working_Sessions/Session048/Deliverable_1 Working Session Outcomes]]<br>
  
 
[[OWASP Hackademic Challenges Project]] (Kostas & Vasileros Vlachos)<br>
 
[[OWASP Hackademic Challenges Project]] (Kostas & Vasileros Vlachos)<br>
  
[[OWASP Java Project]] (Lucas Ferriera)<br>
+
[[OWASP Java Project]] (Lucas Ferriera) - [[Summit_2011_Working_Sessions/Session053/Deliverable_1|Action Plan for the Java Project]], [[Summit_2011_Working_Sessions/Session053/Deliverable_2|New Project Leader]]<br>
  
 
[http://www.opensamm.org/ OpenSAMM] (Pravir Chandra) - [http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/ Pravir Chandra - BSIMM activities mapped to SAMM]<br>
 
[http://www.opensamm.org/ OpenSAMM] (Pravir Chandra) - [http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/ Pravir Chandra - BSIMM activities mapped to SAMM]<br>

Revision as of 21:39, 23 June 2011

Global Summit 2011 Outcomes - please note that this is a work in progress. If you have any comments, corrections, or questions please contact Sarah Baso

Acknowledgements

Press Release & Media Mentions

Interview with Jeff Williams - http://www.vimeo.com/25335824
Interview with Tom Brennan - http://www.vimeo.com/23889097

Summit Background

2011 Summit Finances & Budget

  • Breakdown of 2011 Summit Budget, Operational and Travel

Summit 2011 Financials Summary of Expenses and Income and Summit Travel and Accommodations Costs

  • Comparison to 2008 Summit Budget
  • Projection of costs needed for future Summit


2011 Summit Lessons Learned

Appendix: Working Session Details and Documentation

Browser Security

Here are the notes from all the four browser security sessions. John Wilander is working on a Browser Security Report building on these sessions.

Site Security Policy notes (pdf)

DOM Sandboxing notes (pdf)

HTML5 Security notes (pdf)

EcmaScript 5 Security notes (pdf)

Enduser Warnings notes (pdf)


XSS Eradication & Mitigation

XSS and the Frameworks & XSS - Awareness, Resources, and Partnerships (Justin Clarke) - Combined Working Session Notes

DOM based XSS Prevention Cheat Sheet (Jim Manico & Abraham Kang)

WAF Mitigation for XSS (Ryan Barnett)

Virtual Patching Best Practices (Ryan Barnett) - Working Session Notes


Metrics

Risk Metrics (Chris Wysopal) & Metrics and Labeling (Chris Eng) - Working Session Transcripts

Counting and Scoring Application Security Defects (Chris Eng & Chris Wysopal) - Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey


University, Education, and Training

OWASP Education Project (Martin Knobloch)

OWASP Training (Sandra Paiva) - Working Session Notes

University Outreach - OWASP Academies (Sandra Paiva) - Working Session Notes, OWASP Academy Portal Project

OWASP Top 10 Online Training in Hacking-Lab (Ivan Buetler)

University Outreach - OWASP College Chapter Program (Martin Knobloch) (renamed "OWASP Student Chapters Program")

OWASP Exams Project (Jason Taylor)

OWASP Certification (Jason Taylor & Jason Li) - Certification Code of Conduct Draft


Secure Coding Workshop

Protecting Information Stored Client-Side (John Steven)

Providing Access to Persisted Data (Dan Cornell) - Working Session Notes]

Contextual Ourput Encoding (Chris Schmidt)

ESAPI-CORE (Jim Manico)

Applying ESAPI input Validation (Chris Schmidt)

Defining AppSensor Detection Points (Michael Coates)

Secure Development Guidelines for Smartphone Developers (Giles Hogben)


Individual OWASP Projects

OWASP Secure Coding Practices (Keith Turpin) - Working Session Notes

Enterprise Web Defense Roundtable (Michael Coates & Chris Lyon) - Etherpad Notes Page with Agenda, Slides & Background Reading

Threat Modeling (Anurag Agarwal) - Working Session discussion points and notes

OWASP Common Vulnerability List (Meucci/Keary/Agarwal) - CVL ppt presentation created by Matteo Meucci

Common Structure and Numbering for All Guides (Keith Turpin/Matteo Meucci/Vishal Garg)

OWASP Testing Guide (Matteo Meucci) - Working Session Notes, Planning the OWASP Testing Guide 4.0 ppt presentation

OWASP Mobile Security Project (Mike Zusman) - Working Session Notes

Development Guide (Vishal Garg)

Application Security Verification Standard (ASVS) Project (Dave Wichers)

OWASP Portuguese Language Project (Lucas Ferriera)- Summit_2011_Working_Sessions/Session048/Deliverable_1 Working Session Outcomes

OWASP Hackademic Challenges Project (Kostas & Vasileros Vlachos)

OWASP Java Project (Lucas Ferriera) - Action Plan for the Java Project, New Project Leader

OpenSAMM (Pravir Chandra) - Pravir Chandra - BSIMM activities mapped to SAMM

The Future of OpenSAMM (Pravir Chandra)

OWASP Project Disclosure Policies (Chris Schmidt) - OWASP Project Disclosure Policy, OWASP Security Bulletin Template, Project Adherence Rules

OWASP O2 Platform (Dinis Cruz)


OWASP Governance and Committees

Global Education Committee (Martin Knobloch)

Global Industry Committee (Eoin Keary & Colin Watson) - Working Session Notes

Global Projects Committee (Jason Li & Brad Causey)

Global Membership Committee (Dan Cornell) - Working Session Notes

Global Chapters Committee (Seba Deleersnyder) - Working Session Meeting Minutes

Global Conferences Committee (Mark Bristow)

Government Outreach (Doug Wilson) - Working Session Outcome

OWASP Funding and CEO Discussion (Keith Turpin) Working Session Notes

OWASP Board/Committee Governance (Mark Bristow)

OWASP Points - Tracking OWASP Participation (Mark Bristow)

OWASP Licensing (Abraham Kang) - Working Session Notes, OWASP Licensing PowerPoint, Licensing - Questions for follow up

OWASP Codes of Conduct (Dinis Cruz & Jeff Williams) - Draft Document]
Building the OWASP Brazilian Leaders Group (Lucas Ferriera)

OWASP Asia/Pacific Working Group (Helen Gao)

Building the OWASP Brazilian Leaders Group (Lucas Ferreira) - Objectives and action plan to improve OWASP presence in Brazil

Industry - Healthcare (Joe Bernik & Lorna Alamri)

Industry - Banking/Finance (Joe Bernik & Lorna Alamri)


Miscellaneous

Privacy - Personal Data/PII, Legislation and OWASP (Colin Watson) - Working Session Notes

Overhauling the OWASP Website (Jason Li)

Should OWASP work directly with PCI-DSS? (Matthew Chalmers) - Working Session Notes

How can OWASP reach/talk/engage with auditors? (Matthew Chalmers) - Working Session Notes

Developer Outreach (Mark Bristow & Jason Li)


Summit Team & Attendee Bios

Support Staff Bios


Attendee Bios


Summit-Related Blog Posts

Colin Watson - 3 part Recap/Reflections on OWASP Summit 2011, February 8-10, 2011

Carlos Serrão - OWASP Summit 2011, February 9, 2011

Ben Tomhave - Evolving OWASP: Reflections on the 2011 Summit, February 11, 2011

John Wilander - Fears & Hopes for OWASP, February 13, 2011

Dinis Cruz - OWASP Summit 2011 Results, February 15, 2011

Chris Schmidt - Dear OWASP Summit, Obrigado, February 16, 2011

Mark Curphey - OWASP - Has it reached a tipping point?, February 19, 2011

Michael Coates - A Vision for OWASP, February 21, 2011

Pravir Chandra - BSIMM activities mapped to SAMM, March 3, 2011