Summit 2011 Working Sessions

From OWASP
Revision as of 18:06, 2 December 2010 by Sarah Baso (Created page)

Columns: Name of Working Session | Objective(s) | Outcome(s) / Deliverable(s) | Owner/Leader | Members/Attendees

Working Session: DOM Sandboxing
Objective(s):
  1. Attenuated versions of existing APIs exposed to sandboxed code.
  2. Client-side sandboxed apps that maintain state and authentication.
  3. Create a standard for modifying a sandboxed environment.
  4. Deprecate and discourage standards that pass credentials ambiently or unconditionally.
  5. Create a standard for authentication within a sandboxed environment (possibly interfacing with existing authentication without passing credentials, the way OAuth works).
Outcome(s) / Deliverable(s):
  1. Browser Security Report
  2. Browser Security Priority List
Owner/Leader, Members/Attendees:
  Jasvir Nagra
  Gareth Heyes @
  (Email John Wilander if you are unable to edit the wiki and would like to sign up.)
  Michael Coates
  Eduardo Vela @
  Stefano Di Paola
  Isaac Dawson
  Chris Eng @
  Alexandre Miguel Aniceto @

Working Session: HTML5 Security
Objective(s):
  1. Handle autofocus in a unified and secure way.
  2. Discuss the necessity of, and the capabilities needed for, the HTML5 form controls.
  3. Initiate and create documentation and references for developers that address security issues.
  4. Discuss and heavily restrict SVG capabilities, especially when deployed in CSS backgrounds and <img> tags.
  5. Long-term goal: provide a working, easy-to-use and vendor-supported HTML5-compliant filter, such as HTMLPurifier.
Outcome(s) / Deliverable(s):
  1. Browser Security Report
  2. Browser Security Priority Report
Owner/Leader, Members/Attendees:
  Mario Heiderich
  Gareth Heyes @
  John Wilander @
  Michael Coates @
  Tony UcedaVelez @
  Stefano Di Paola
  Isaac Dawson
  Chris Eng @
  Nishi Kumar @
  Elke Roth-Mandutz @
  Giorgio Fedon
  Paolo Perego @
  Eduardo Vela @
  Abraham Kang @
  Nuno Loureiro @
  Alexandre Miguel Aniceto @

Working Session: EcmaScript 5 Security
Objective(s):
  1. Fix the problems with Object.defineProperty() and property unsealing / double-freezing.
  2. Raise awareness of the power of object freezing in a security context.
  3. Raise awareness that the DOM is where XSS attacks actually take place, and therefore where they should be prevented.
  4. Long-term goal: discuss the possibility of vendor-supported client-side security mechanisms.
Outcome(s) / Deliverable(s):
  1. Browser Security Report
  2. Browser Security Priority List
Owner/Leader, Members/Attendees:
  Mario Heiderich
  TBC
  John Wilander @
  Michael Coates @
  Stefano Di Paola
  Isaac Dawson
  Abraham Kang
  Gareth Heyes

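As an added illustration of the first DOM Sandboxing objective (attenuated APIs for sandboxed code) and the second EcmaScript 5 Security objective (object freezing as a security mechanism), the following JavaScript is example code written for this page, not code from the wiki or from any OWASP project. It hands a guest an attenuated, frozen storage wrapper and records what the guest's tampering achieves. The hostStorage map, the "widget:" prefix grant and every function name are this example's own assumptions.

```javascript
// Added example, not code from the OWASP wiki page or from any OWASP project.
// It illustrates two points from the DOM Sandboxing and EcmaScript 5 Security
// sessions: handing sandboxed code an *attenuated* API (a narrow wrapper rather
// than the powerful original) and using Object.freeze / Object.defineProperty so
// the guest cannot tamper with that wrapper. hostStorage is a constructed
// stand-in for a host capability such as localStorage; all names are this
// example's own.

const hostStorage = new Map([
  ['session', 'host-only-secret'],   // must never reach the guest
  ['widget:theme', 'dark'],          // the guest may read this
]);

// Attenuation: read-only access, and only to keys under a granted prefix. The
// wrapper closes over the store, so no property on it references hostStorage.
// Object.create(null) leaves no prototype for the guest to poison; Object.freeze
// makes every property non-writable and non-configurable and the object itself
// non-extensible.
function makeAttenuatedStorage(store, allowedPrefix) {
  const api = Object.create(null);
  api.get = (key) =>
    (typeof key === 'string' && key.startsWith(allowedPrefix)) ? store.get(key) : undefined;
  return Object.freeze(api);
}

// ES5 sandboxes run guest code in strict mode, where writes to a frozen object
// throw instead of failing silently, so a guest cannot even appear to have
// patched the API. Each attempt records 'ok' if it took effect, otherwise the
// name of the error thrown.
function guestTamperAttempts(api) {
  'use strict';
  const out = {};
  const attempt = (name, fn) => {
    try { fn(); out[name] = 'ok'; } catch (e) { out[name] = e.constructor.name; }
  };
  attempt('assign', () => { api.get = () => 'pwned'; });
  attempt('define', () => { Object.defineProperty(api, 'get', { value: () => 'pwned' }); });
  attempt('extend', () => { api.dump = () => [...hostStorage.keys()]; });
  attempt('delete', () => { delete api.get; });
  return out;
}

// Object.freeze is shallow: a frozen object holding a mutable nested object still
// lets the guest change the nested one. Freeze recursively before handing
// anything across the sandbox boundary.
function deepFreeze(obj) {
  for (const key of Reflect.ownKeys(obj)) {
    const value = obj[key];
    if (value !== null && typeof value === 'object' && !Object.isFrozen(value)) {
      deepFreeze(value);
    }
  }
  return Object.freeze(obj);
}

// Outside strict mode a rejected write is silently ignored, so the only reliable
// check is to read the property back. Works in either mode.
function writeTookEffect(obj, key, value) {
  try { obj[key] = value; } catch (e) { /* strict mode: the write threw */ }
  return obj[key] === value;
}

function freezeDepthDemo() {
  const shallow = Object.freeze({ limits: { maxKeys: 10 } });
  const deep = deepFreeze({ limits: { maxKeys: 10 } });
  return {
    shallowNestedChanged: writeTookEffect(shallow.limits, 'maxKeys', 1e9), // true
    deepNestedChanged: writeTookEffect(deep.limits, 'maxKeys', 1e9),       // false
    topLevelChanged: writeTookEffect(shallow, 'limits', {}),               // false
  };
}

// Usage: what the guest receives and what its tampering achieves.
const guestApi = makeAttenuatedStorage(hostStorage, 'widget:');
console.log(guestApi.get('widget:theme'));   // 'dark'
console.log(guestApi.get('session'));        // undefined
console.log(guestTamperAttempts(guestApi));  // every attempt: 'TypeError'
console.log(freezeDepthDemo());
```

The design point is that the guest never holds a reference to hostStorage, only to a frozen closure over it, so the only thing it can attack is the wrapper, and freezing makes the wrapper inert. The deepFreeze helper exists because Object.freeze stops at the first level; a configuration object passed into a sandbox with an unfrozen nested object is a common way to lose that guarantee.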
Working Session: Enduser Warnings
Objective(s):
  1. Clearly there is a need for warnings that users understand and that convey the right information. Perhaps we can agree on some guidelines, or at least exchange lessons learned.
Outcome(s) / Deliverable(s):
  1. Browser Security Report
  2. Browser Security Priority List
Owner/Leader, Members/Attendees:
  John Wilander @
  John Wilander @
  Michael Coates @
  Vishal Garg @

Working Session: Site Security Policy
Outcome(s) / Deliverable(s):
  1. Browser Security Report
  2. Browser Security Priority List
Owner/Leader, Members/Attendees:
  John Wilander @
  Michael Coates @
  John Wilander @
  Michael Coates @
  Stefano Di Paola
  Tobias Gondrom @
  Alexandre Miguel Aniceto @

Working Session: Securing Plugins
Outcome(s) / Deliverable(s):
  1. Browser Security Report
  2. Browser Security Priority List
Owner/Leader, Members/Attendees:
  John Wilander @
  Michael Coates @
  Giorgio Fedon

Working Session: Blacklisting
Outcome(s) / Deliverable(s):
  1. Browser Security Report
  2. Browser Security Priority List
Owner/Leader, Members/Attendees:
  John Wilander @
  Michael Coates @

Working Session: OS Integration
Outcome(s) / Deliverable(s):
  1. Browser Security Report
  2. Browser Security Priority List
Owner/Leader, Members/Attendees:
  John Wilander @
  Michael Coates @

Working Session: XSS and the Frameworks
Objective(s):
  1. Work on how OWASP can engage with the major web frameworks to move them towards a "secure by default" stance.
  2. Work on OWASP resources that provide patches/design approaches in conjunction with the frameworks.
Outcome(s) / Deliverable(s):
  1. OWASP statement/press release publicly asking the frameworks to build security in.
  2. Engagement plan for how we would work (if at all) with a framework to get ESAPI or similar functionality integrated.
  3. White paper or standard for what we want the web frameworks to provide in terms of XSS defenses. Turning the XSS Prevention Cheat Sheet into a standard/metric for frameworks would be great.
  4. OWASP standard defining an appraisal methodology for a framework's XSS prevention capability, based on the other deliverables.
Owner/Leader, Members/Attendees:
  Justin Clarke @
  Chris Eng @
  Abraham Kang
  Tony UcedaVelez @
  Fred Donovan @
  Juan Jose Rider @

Working Session: XSS - Awareness, Resources, and Partnerships
Objective(s):
  1. Work on which partners we can reach and what resources they can give us access to.
  2. Work on who we can work with to reach the largest number of developers writing web applications.
  3. Plan engagement with the identified organizations.
  4. Plan a call to action for OWASP chapters around the identified XSS resources.
Outcome(s) / Deliverable(s):
  1. A concrete, specific business plan for investing OWASP funds in a campaign designed to ensure that every developer knows about XSS and what to do to prevent it. The plan should have specific goals, measures and targets over time so we know whether it is on track.
Owner/Leader, Members/Attendees:
  Justin Clarke @
  Chris Eng @
  Abraham Kang
  Sherif Koussa @

Working Session: University Outreach
Objective(s):
  1. Estimate how many security programs currently exist in university settings around the world.
  2. How can OWASP participate in and influence the curricula of these educational programs?
  3. How can we foster relationships between OWASP and universities?
  4. How can the relationship between OWASP and universities be standardized?
  5. What can OWASP offer universities, and what can each expect from the other?
Outcome(s) / Deliverable(s):
  1. A study with facts, numbers and other metrics about application security in academia: the OWASP Academic State of the World.
  2. A white paper with strategies for infiltrating academia with our priorities.
Owner/Leader, Members/Attendees:
  Martin Knobloch @
  Nishi Kumar @
  Cecil Su @
  Elke Roth-Mandutz @
  Heiko Richler @
  Lucas C. Ferreira @
  Jason Taylor @
  Carlos Serrão @
  Konstantinos Papapanagiotou @
  Mateo Martinez @
  L. Gustavo C. Barbato @
  Edward Bonver @
  Ricardo Melo @
  Alexandre Agustini @

Working Session: OWASP Board/Committee Governance
Objective(s):
  1. Universal committee governance document/policies.
  2. Review Board governance and by-laws (including Board composition/elections).
  3. Committee alignment to OWASP goals/mission, including authorities, individual missions and areas of responsibility (AoR).
  4. Providing budgets to committees for direct oversight and spending in their AoR.
  5. Additional transparency in OWASP accounting (expenditures, expense reports for officers/committee members, etc.).
Outcome(s) / Deliverable(s):
  1. Universal committee governance document and operating policies.
  2. Proposed updated OWASP by-laws.
  3. Committee mission clarifications and delineation of areas of responsibility.
  4. New model for funding OWASP activities.
  5. New policies to enhance transparency.
Owner/Leader, Members/Attendees:
  Mark Bristow @
  Jason Li @
  Tom Brennan @
  Jim Manico @
  Nishi Kumar @
  Joe Bernik
  Matthew Chalmers @
  Sarah Baso @
  Doug Wilson @
  Kate Hartmann @
  John Steven @
  Seba Deleersnyder @

Working Session: OWASP Projects
Objective(s):
  1. Review changes made in the last 2 years.
  2. Discuss the high-level steps of a project life-cycle.
  3. Approve the OWASP GPC Governance Document.
  4. Streamline the project initialization process to make it easier for new projects.
  5. Implement the project governance change approved by the Board to limit use of the "OWASP" brand name to projects of a certain maturity.
Outcome(s) / Deliverable(s):
  1. Initial draft of an RFP for a centralized OWASP project hosting solution.
  2. A project life-cycle flow chart identifying the steps necessary to improve the visibility of a project's health.
  3. An envisioned structure for the future of OWASP Projects.
Owner/Leader, Members/Attendees:
  Brad Causey @
  Jason Li @
  Seba Deleersnyder @
  Nishi Kumar @

Working Session: OWASP Industry Outreach
Objective(s) / Deliverable(s):
  1. The OWASP 2011 Industry Plan: discuss plans for working with industry more closely. The plan should contain specific activities, commitments, dates and expected outcomes.
Owner/Leader, Members/Attendees:
  Eoin Keary @
  Colin Watson
  Lorna Alamri @
  David Campbell
  Eoin Keary
  Matt Tesauro
  Joe Bernik
  Nishi Kumar @
  Lucas C. Ferreira @
  Tobias Gondrom @
  Vehbi Tasar
  Colin Watson
  Jason Taylor @
  Sarah Baso @
  Mateo Martinez @
  Konstantinos Papapanagiotou @

Working Session: Membership
Objective(s):
  1. Develop a plan for reaching out to other organizations in order to expand OWASP's exposure to the larger security and developer communities.
  2. Create a budget and funding plan for the Membership Committee.
  3. Be ready to conduct a survey of new and existing OWASP members and supporters: develop the survey questions and the specifics of its implementation.
Outcome(s) / Deliverable(s):
  1. The OWASP 2011 Membership Plan – describing the membership program, recommendations and marketing plans. The plan should contain specific membership targets for all membership classes and detailed strategies for achieving those goals.
Owner/Leader, Members/Attendees:
  Dan Cornell @
  Michael Coates @
  Mateo Martinez @
  Dan Cornell @
  Tony UcedaVelez @
  Ofer Maor @

Working Session: Connections
Objective(s):
  1. Define the mission of the Connections Committee.
  2. Agree on engagement/working patterns with the other global committees.
Outcome(s) / Deliverable(s):
  1. The OWASP 2011 Connections Plan – describing the current connections program and detailing the specifics of what will happen in 2011. The plan should contain specific goals and strategies for achieving them.
Owner/Leader, Members/Attendees:
  Jim Manico @
  Justin Clarke @
  Achim Hoffmann @
  Doug Wilson @
  Andre Gironda @

Working Session: Chapters
Objective(s):
  1. Challenges and solutions to running a successful OWASP chapter.
Outcome(s) / Deliverable(s):
  1. The OWASP 2011 Chapter Plan – describing the current state of OWASP chapters worldwide and identifying what will happen in 2011 to grow the number of chapters and improve their quality.
Owner/Leader, Members/Attendees:
  Seba @
  Mandeep Khera
  Matthew Chalmers @
  Matteo Meucci @
  Mateo Martinez @
  Ferdinand Vroom @
  Helen Gao @
  L. Gustavo C. Barbato @
  Ofer Maor @
  Wojciech Dworakowski @
  Martin Knobloch @
  Vlatko Kosturjak @
  Antonio Fontes @

Working Session: Education
Objective(s):
  1. Assess how past achievements support the current educational developments.
  2. Evaluate how we can get the projects involved in developing (or at least reviewing) training material.
  3. Define new goals for the upcoming period.
  4. Define success factors for the upcoming period.
Outcome(s) / Deliverable(s):
  1. The OWASP 2011 Education Plan – describing the specific plans for education in 2011 with schedule, targets, action plans, etc.
Owner/Leader, Members/Attendees:
  Martin Knobloch @
  Nishi Kumar @
  Cecil Su @
  Jason Taylor @

Working Session: Conferences - Improving Conference Planner Support
Objective(s):
  1. Discuss the GCC's current 2011 plan of action and new initiatives.
  2. Review comments provided in the Conference Planner Survey.
  3. Discuss mechanisms to improve planner/operational support.
  4. Discuss mechanisms to improve event marketing/sponsorships.
  5. Discuss the Global Conference Sponsorship Plan.
Outcome(s) / Deliverable(s):
  1. The OWASP 2011 Conference Plan – describing the plan for continuing to make our conferences even better, specifically defining the various tiers of conferences, naming, partnering with other entities, and other challenges.
Owner/Leader, Members/Attendees:
  Mark Bristow @
  Lorna Alamri @
  Nishi Kumar @
  Lucas C. Ferreira @
  Ralph Durkee @
  Matthew Chalmers @
  Matteo Meucci @
  Mateo Martinez @
  Neil Matatall @
  Seba Deleersnyder @
  L. Gustavo C. Barbato @

Working Session: OWASP Around the World
Objective(s):
  1. Internationalization.
  2. Global job board.
  3. New OWASP chapters in parts of the world where we have not yet spread much.
Outcome(s) / Deliverable(s):
  1. A white paper with specific recommendations on how we can ensure the greatest possible access to, and involvement with, OWASP for all people everywhere.
Owner/Leader, Members/Attendees:
  Matthew Chalmers @
  Mateo Martinez @
  Cecil Su @

Working Session: What is an OWASP Leader?
Objective(s):
  1. Define what it means to be an OWASP Leader.
Outcome(s) / Deliverable(s):
  1. Definition of criteria for OWASP Leaders.
  2. A standard defining exactly what characterizes an OWASP Leader, for use in providing benefits and prioritizing support.
Owner/Leader, Members/Attendees:
  Dinis Cruz @
  Matthew Chalmers @
  Chris Schmidt @
  Mark Bristow @
  Daniel Brzozowski @
  Martin Knobloch @
  Vlatko Kosturjak @
  Antonio Fontes @

Working Session: Overhauling the OWASP Website
Objective(s):
  1. Revisit goals from the previous working session.
  2. Identify available Google Apps (e.g. Code Review, Moderator, Short Links, Project Hosting, Groups, etc.) that we can leverage to support the OWASP website infrastructure.
  3. Review the Website Overhaul Proposal for consideration.
  4. Decide which elements should be outsourced/contracted to expedite implementation.
  5. Resolve on a schedule for achieving the goals.
Outcome(s) / Deliverable(s):
  1. A project plan describing the future of web support for the OWASP ecosystem (think social) that covers all the various constituents, stakeholders, users, leaders, etc. The plan will define all the steps necessary to get there and provide a rough estimate of the effort required. To the maximum extent possible, the plan will be designed to be parallelizable so that parts can be worked on independently.
Owner/Leader, Members/Attendees:
  Jason Li @
  Larry Casey
  Achim Hoffmann @
  Michael Coates @
  Colin Watson
  Nishi Kumar @
  Dinis Cruz @
  Matthew Chalmers @
  Justin Clarke @
  Mark Bristow @
  Seba Deleersnyder @

Working Session: Computer Crime Laws
Objective(s):
  1. Understand the current laws/frameworks in place in relation to computer crime and its prevention.
  2. Discuss the ways these laws currently fail consumers in protecting their assets.
  3. Discuss possible amendments to the laws/frameworks to better protect the public.
Outcome(s) / Deliverable(s):
  1. A study evaluating the existing computer crime laws and how they might be applied to the current set of application security attacks, with recommendations for a new legal framework.
Owner/Leader, Members/Attendees:
  Daniel Cuthbert @
  Matthew Chalmers @
  Abraham Kang

Working Session: Applying ESAPI Input Validation
Objective(s):
  1. Serial decomposition: decode, canonicalize, filter.
  2. Structured data (SSN, credit card numbers, etc.).
  3. Unstructured data (comments, blogs, etc.).
  4. Other input examples (web services, database, etc.).
Outcome(s) / Deliverable(s):
  1. A clear and concise user guide for getting ESAPI input validation up and running.
Owner/Leader, Members/Attendees:
  Chris Schmidt @
  Nishi Kumar @
  Justin Clarke @
  John Steven @

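As an added walk-through of the first three objectives of the Applying ESAPI Input Validation session (decode, canonicalize, then filter, applied to structured and unstructured data), the following JavaScript is example code written for this page, not code from the wiki or from ESAPI itself. It keeps ESAPI's strict stance of rejecting multiply-encoded input rather than decoding it all the way down. The sample inputs are constructed, and the decoder set, the validators and their names are this example's own assumptions.

```javascript
// Added example, not code from the OWASP wiki page or from ESAPI. It walks the
// "serial decomposition" order from the Applying ESAPI Input Validation session:
// decode, canonicalize, then filter/validate, for a structured field with a
// fixed format (a US SSN), a structured field with a checksum (a card number,
// Luhn) and an unstructured comment. Inputs are constructed; function names are
// this example's own.

// --- Step 1: decoders, one encoding each -------------------------------------

// Percent-decoding. A run that is not valid UTF-8 (e.g. the overlong %C0%AF) is
// left as literal text rather than guessed at; it then has to pass the
// allowlist like any other text.
function percentDecode(s) {
  return s.replace(/(?:%[0-9A-Fa-f]{2})+/g, (run) => {
    try { return decodeURIComponent(run); } catch (e) { return run; }
  });
}

const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// HTML entity decoding (numeric and the named entities attackers lean on).
function entityDecode(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : m;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? m : named;
  });
}

// --- Step 2: canonicalize ------------------------------------------------------

// Apply every decoder until nothing changes. Each change is one encoding layer.
// Legitimate input needs at most one layer, so, like ESAPI's strict
// canonicalization, anything double- or mixed-encoded is rejected rather than
// decoded all the way down and then validated.
function canonicalize(input, { maxLayers = 1 } = {}) {
  let current = input;
  let layers = 0;
  let changed = true;
  while (changed) {
    changed = false;
    for (const decode of [percentDecode, entityDecode]) {
      const next = decode(current);
      if (next !== current) {
        layers += 1;
        if (layers > maxLayers) throw new Error(`multiple encoding detected (${layers} layers)`);
        current = next;
        changed = true;
      }
    }
  }
  return current;
}

// --- Step 3: filter / validate the canonical form ------------------------------

function validateSSN(raw) {
  const value = canonicalize(raw);
  if (!/^\d{3}-\d{2}-\d{4}$/.test(value)) throw new Error('SSN: format');
  return value;
}

function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function validateCardNumber(raw) {
  const value = canonicalize(raw).replace(/[ -]/g, '');   // tolerate grouping separators
  if (!/^\d{13,19}$/.test(value)) throw new Error('card: format');
  if (!luhnValid(value)) throw new Error('card: checksum');
  return value;
}

// Unstructured data has no single pattern, so allowlist character classes and
// bound the length. Markup and control characters are rejected, not "cleaned".
function validateComment(raw, maxLen = 200) {
  const value = canonicalize(raw);
  if (value.length > maxLen) throw new Error('comment: too long');
  if (!/^[\p{L}\p{N}\s.,;:!?'()%-]*$/u.test(value)) throw new Error('comment: disallowed characters');
  return value;
}

// Run each validator on constructed inputs and collect the outcome.
function check(validate, input) {
  try { return { ok: true, value: validate(input) }; }
  catch (e) { return { ok: false, reason: e.message }; }
}

function runSamples() {
  return {
    ssnPlain:      check(validateSSN, '078-05-1120'),
    ssnEncoded:    check(validateSSN, '078%2D05%2D1120'),            // one layer: decoded, accepted
    ssnDouble:     check(validateSSN, '078%252D05%252D1120'),        // two layers: rejected
    cardLuhnOk:    check(validateCardNumber, '4111 1111 1111 1111'),
    cardLuhnBad:   check(validateCardNumber, '4111 1111 1111 1112'),
    commentPlain:  check(validateComment, "100% sure, it's fine!"),
    commentScript: check(validateComment, '%3Cscript%3E'),           // decoded once, then filtered out
    commentMixed:  check(validateComment, '%26lt%3Bscript%26gt%3B'), // percent over entities: rejected
  };
}

console.log(runSamples());
```

Two choices are worth noting. Validation runs on the canonical form, never on the raw input, because a pattern such as the SSN regex would otherwise accept "078%2D05%2D1120" or reject it depending on what the caller happened to decode first. And the layer count is a detection signal in its own right: a second layer means someone encoded the value twice, which legitimate clients do not do, so the validator refuses instead of helping the attacker decode.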
Working Session: Defining AppSensor Detection Points
Objective(s):
  1. Understand AppSensor fundamentals.
  2. Define AppSensor detection points applicable to most applications.
  3. Implement detection points in code.
Outcome(s) / Deliverable(s):
  1. Status of the AppSensor whitepaper, including the AppSensor roadmap.
  2. Updated AppSensor-Tutorial code with new lessons and lesson-structure enhancements.
  3. Updated Getting Started Guide for new adopters and developers, leveraging feedback from the session.
Owner/Leader, Members/Attendees:
  Michael Coates @
  Ryan Barnett @
  Colin Watson
  Chris Schmidt @

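As an added illustration of the second and third objectives above (detection points applicable to most applications, implemented in code), the following JavaScript is example code written for this page, not code from the wiki or from the AppSensor project. It runs two detection points over a constructed request log and turns accumulated events into responses. The detection point names, thresholds, responses and log lines are this example's own assumptions, not AppSensor's published catalogue; in a real deployment the events would be raised from the application's own code paths rather than parsed from a log.

```javascript
// Added example, not code from the OWASP wiki page or from the AppSensor project.
// It shows the shape of what the "Defining AppSensor Detection Points" session
// aims at: detection points inside the application that report suspicious
// events to a central store, and thresholds that turn accumulated events into
// responses. Detection point names, thresholds and log lines are this example's
// own constructions, not AppSensor's catalogue.

// Constructed application log, one request per line:
// "timestamp user action outcome [query]".
const SAMPLE_LOG = `
1000 alice   login      fail
1005 alice   login      fail
1010 bob     login      ok
1020 alice   login      fail
1030 mallory view_order ok   order_id=77&admin=true
1040 alice   login      fail
1045 alice   login      fail
1050 alice   login      ok
1060 mallory view_order ok   order_id=78&debug=1
`.trim().split('\n');

function parseLine(line) {
  const [ts, user, action, outcome, query = ''] = line.trim().split(/\s+/);
  const params = Object.fromEntries(query ? query.split('&').map((kv) => kv.split('=')) : []);
  return { ts: Number(ts), user, action, outcome, params };
}

// Which parameters each action legitimately receives. Anything else is a sign
// that a client is probing rather than using the UI.
const EXPECTED_PARAMS = { view_order: new Set(['order_id']) };

// Detection points: each looks at one request and returns an event type or null.
const detectionPoints = [
  (req) => (req.action === 'login' && req.outcome === 'fail') ? 'auth:failed_password' : null,
  (req) => {
    const expected = EXPECTED_PARAMS[req.action];
    if (!expected) return null;
    return Object.keys(req.params).some((p) => !expected.has(p)) ? 'request:unexpected_parameter' : null;
  },
];

// Policy: how many events of a type from one user, within what window, trigger
// which response. A probing client gets a lower threshold than a typo-prone one.
const POLICY = {
  'auth:failed_password':         { threshold: 4, windowSec: 60,   response: 'lock_account' },
  'request:unexpected_parameter': { threshold: 2, windowSec: 3600, response: 'terminate_session' },
};

// Central event store plus threshold evaluation.
class AppSensorEngine {
  constructor(policy) {
    this.policy = policy;
    this.events = new Map();   // "user|type" -> timestamps inside the window
    this.responses = [];
  }

  report(type, user, ts) {
    const key = `${user}|${type}`;
    const { threshold, windowSec, response } = this.policy[type];
    const recent = (this.events.get(key) || []).filter((t) => ts - t <= windowSec);
    recent.push(ts);
    this.events.set(key, recent);
    if (recent.length >= threshold) {
      this.responses.push({ ts, user, type, response });
      this.events.set(key, []);   // one burst triggers one response
    }
  }
}

// Feed every request through every detection point; return the responses taken.
function runDetection(lines, policy = POLICY) {
  const engine = new AppSensorEngine(policy);
  for (const line of lines) {
    const req = parseLine(line);
    for (const detect of detectionPoints) {
      const type = detect(req);
      if (type) engine.report(type, req.user, req.ts);
    }
  }
  return engine.responses;
}

console.log(runDetection(SAMPLE_LOG));
// alice is locked at t=1040 after her fourth failure inside 60 s;
// mallory's session is terminated at t=1060 after a second unexpected parameter.
```

The point the session is after is visible in the two detection points: neither needs a signature for a known attack. A failed login and an extra query parameter are both things the application already knows how to recognise, and the policy layer, not the detection point, decides when the pattern is hostile enough to act on.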
Working Session: Contextual Output Encoding
Objective(s):
  1. Increase coverage and functionality of the existing output encoding codecs.
  2. Create new codecs to cover more output encoding contexts.
  3. Introduce these codecs in a way that does not interfere with the ESAPI modularization tasks.
  4. Draft an implementation guide for application framework developers on integrating ESAPI output encoding into their frameworks.
Outcome(s) / Deliverable(s):
  1. Increased coverage and functionality of the existing output encoding codecs.
  2. A new drop-in set of codecs for the ESAPI Encoder to use for additional contexts.
  3. Implementation guide for framework developers to integrate output encoding into their application framework. This should be a simple guide that can be distributed en masse to framework developers as a push to get them involved in making their frameworks more secure by eliminating XSS.
Owner/Leader, Members/Attendees:
  Chris Schmidt @
  Justin Clarke @
  Abraham Kang

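As an added illustration of why the session above speaks of separate codecs per output context, the following JavaScript is example code written for this page, not code from the wiki or from the ESAPI Encoder. It implements allowlist-based encoders for four contexts and then shows the case that a single encoder gets wrong: a value placed inside an inline event handler, which the browser parses first as an HTML attribute and only then as JavaScript. The encoder names and the sample payloads are this example's own assumptions.

```javascript
// Added example, not code from the OWASP wiki page or from the ESAPI Encoder.
// It shows why the Contextual Output Encoding session wants a separate codec per
// context: the same untrusted string needs a different encoder depending on
// where in the page it lands, and a value that crosses two contexts needs both
// encoders, innermost first. Encoder names are this example's own; the inputs
// are constructed.

const hex = (n, width) => n.toString(16).padStart(width, '0');

// Each encoder allowlists a small set of characters and encodes everything else.
// Allowlisting is the design choice that matters: an encoder that only escapes
// the characters it knows about misses the ones it does not.

// HTML body text (between tags). Space is safe here.
function encodeHtml(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/gu, (ch) => `&#x${hex(ch.codePointAt(0), 2)};`);
}

// HTML attribute value. Space is encoded too, so the result is safe even in an
// unquoted attribute.
function encodeHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (ch) => `&#x${hex(ch.codePointAt(0), 2)};`);
}

// Inside a quoted JavaScript string literal. \xHH for Latin-1, \uHHHH above
// (two of them for astral characters), never a bare quote or backslash.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    if (cp <= 0xff) return `\\x${hex(cp, 2)}`;
    if (ch.length === 1) return `\\u${hex(cp, 4)}`;
    return `\\u${hex(ch.charCodeAt(0), 4)}\\u${hex(ch.charCodeAt(1), 4)}`;
  });
}

// A single query-string value. encodeURIComponent leaves !'()* alone, which is
// fine for URL syntax but not for what may be parsed out of the URL later, so
// those are encoded as well.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s))
    .replace(/[!'()*]/g, (ch) => `%${hex(ch.charCodeAt(0), 2).toUpperCase()}`);
}

// The same payload rendered for each context.
function encodeForAllContexts(untrusted) {
  return {
    html: encodeHtml(untrusted),
    attribute: encodeHtmlAttribute(untrusted),
    jsString: encodeJsString(untrusted),
    urlParam: encodeUrlParam(untrusted),
  };
}

// Stand-in for the HTML parser decoding an attribute value. The browser does
// this *before* the JavaScript engine ever sees an inline handler such as
// onclick="show('...')", so the value passes through two contexts.
function decodeNumericEntities(s) {
  return s.replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)));
}

function inlineHandlerDemo(untrusted) {
  const attributeOnly = encodeHtmlAttribute(untrusted);                 // wrong: one context
  const layered = encodeHtmlAttribute(encodeJsString(untrusted));        // right: JS first, then attribute
  return {
    attributeOnlySeenByJs: decodeNumericEntities(attributeOnly),  // the quote is back: breakout
    layeredSeenByJs: decodeNumericEntities(layered),              // still \x27: stays a string
  };
}

console.log(encodeForAllContexts('<img src=x onerror=alert(1)>'));
console.log(inlineHandlerDemo("'); alert(1); //"));
```

The inlineHandlerDemo result is the one to keep in mind when writing the framework guide the session proposes: HTML-attribute encoding alone looks safe in the page source, but once the parser has decoded the entities the JavaScript engine receives the original quote and the handler is broken out of. Encoding for the innermost context first (JavaScript string) and then for the outer one (attribute) survives the parser's decoding step.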
Working Session: Protecting Information Stored Client-Side
Objective(s):
  1. Produce an informal threat model for each development scenario.
  2. Impart a clear and simple shared understanding of the threats associated with each development scenario (and dispel common misunderstandings/idioms).
  3. Define a solution that resists the defined attacks.
  4. Deliver solution implementations (snippets) to https://code.google.com/p/secure-coding-workshop/
Outcome(s) / Deliverable(s):
  1. (see objectives) Threat models.
  2. (see objectives) Code snippets.
  3. Plan and extra-summit work items for exercises in phone and RIA contexts at the next summit.
Owner/Leader, Members/Attendees:
  John Steven @
  Elke Roth-Mandutz @
  Jim Manico @
  Chris Schmidt @
  Justin Clarke @
  Neil Matatall @
  Tony UcedaVelez @
  Fred Donovan @
  Alexandre Miguel Aniceto @
  Antonio Fontes @

Working Session: Protecting Against CSRF
Objective(s) / Deliverable(s):
  1. A practical guideline for protecting against CSRF in the real world.
  2. A concise, clear standard for determining whether an application is vulnerable to CSRF.
Owner/Leader, Members/Attendees:
  Chris Schmidt @
  Achim Hoffmann @
  Ryan Barnett @
  Mark Thomas @
  Vishal Garg @

Working Session: Providing Access to Persisted Data
Objective(s):
  1. Create design and code examples for protecting access to database tables and rows by role.
  2. Create design and code examples for protecting access to data when 'auto-wiring' and marshalling.
  3. Create design and code examples for protecting sensitive data at rest.
Outcome(s) / Deliverable(s):
  1. A short reference-architecture/coding-examples style guideline that clearly explains positive and negative examples of accessing persisted data.
Owner/Leader, Members/Attendees:
  Dan Cornell @
  Chris Schmidt @
  Justin Clarke @
  Dan Cornell @
  John Steven @
  Ralph Durkee @
  Alexandre Miguel Aniceto @