Copyright © 2006 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation
OWASP AppSec Europe
http://www.owasp.org/
May 2006

Keynote Day 1: OWASP 2.0
Dinis Cruz
OWASP .Net Project Leader
[email protected]



Page 2

New Manifesto / Vision

“Enabling organizations to develop, maintain, and purchase applications that they can trust”

Consolidate all OWASP Projects in one strong vision

Focus OWASP efforts in one positive and focused target

Create a ‘package’ that companies will want to buy (i.e. join as members)

Build on past successes

Page 3

OWASP is about a community who cares

Built on great foundations built by our contributors

- Independent
- Focused on creating a better world
- Great peer to peer participation
- Emphasis on local community building

Page 4

Objectives

- Organize OWASP's world
- Deliver quality products, of highest standard, usable by small and large companies
- Professionalize OWASP delivery
- More support for projects (both local and global)
- Maintain and Improve OWASP's brand
- Improve the quality of the web applications that we use everyday

Page 5

Today

- The current software / web development process is a mess
- No standards or Metrics
- Little understanding of the threats
- Small number of attacks create 'comfort zone'
- Strong business model to reward Features and Performance
- Weak business model to reward security
- Server based code creates false sense of security due to very limited peer-review
- 'Shoot the messenger' practices (UK's Dan and US' xyz guy) make it even worse

Page 6

Today II

- Strong awareness that 'something is wrong'
- Weak awareness (and agreement) of 'what to do about it'
- Security Industry is part of the problem (Snake Oil sellers and wild marketing claims)
- Too much money is being made today by security vendors (with the current 'insecure world')
- Market-Leaders are only marginally better than everybody else (or even less when adjusted for their market-share)
- Clients don't know what to ask for and how to commercially reward good vendors

Page 7

Today III

Current Security Model is based on the:
- Lack of attackers (as in Quantity)
- Attacker's skills
- Unsophisticated Malicious business Model (i.e. difficulty to monetize Digital Assets)
- Plenty of Low Hanging Fruit still available (Phishing, Spam, sale of Botnets, Identity Theft)

Basically we are betting that the gradual security improvements that we are making everyday are bigger than the attacker's numbers, skills and business model

Page 8

Today IV

What organizations need, is to be able to:
- develop, or
- maintain, or
- purchase
applications that they can trust

We need Assurance that Applications will:
- do what they are designed for
- are securely coded
- can be executed in secure 'Sandboxed' environments
- will not dramatically increase the risk to our assets

Page 9

OWASP’s new Vision

“Enabling organizations to develop, maintain, and purchase applications that they can trust”
- Idea launched in OWASP AppSec Europe (May 2006)
- New wiki-based www.owasp.org website launched (May 2006)
  - tons of new content (CLASP, old owasp.org website)
  - much more to be added (Guide, etc..)
- Next steps will be to convert all OWASP Projects into this new vision
- Objective is to have all projects converted by next OWASP conference in the USA (Seattle-Oct 2006)
- Launch the 'OWASP member pack' which contains everything that owasp has created to date (including special licenses for members)

Page 10

OWASP’s world

- Documents / Guides: OWASP Top Ten, OWASP Metrics, ISO 17799 Project, WASS Project, OWASP Process Project
- Practical Advice: OWASP Guide, OWASP Testing Project
- Tools: OWASP .Net stuff (SiteGenerator, ReportGenerator, ANBS, SAMSHE, DefApp, Beretta), WebGoat, WebScarab, Stinger
- Tons of Chapters around the world .... more about this tomorrow

Page 11

the next level...

http://www.flickr.com/creativecommons/

Page 12

Dedicated Executive Director

Andrew van der Stock
- OWASP Guide Project Leader
- Started Melbourne and Sydney chapters
- Sponsored by the National Australia Bank
- Will spend 12h (1.5 days) a week on OWASP projects
- Now OWASP Executive Director

Page 13

Andrew’s Responsibilities

- Helping projects and chapters succeed
- Membership & Funding
- Assist with infrastructure (if required)
- Future directions

http://www.flickr.com/creativecommons/

Page 14

Andrew’s Key duties

- Implement decisions from owasp-leaders
- Help projects and chapters
- Continue to work on projects (Guide, etc)
- Defend OWASP Brand

Page 15

OWASP Infrastructure

http://www.flickr.com/creativecommons/

Page 16

MediaWiki - new www.owasp.org

- It's a Wiki
- Replaces current CMS
- Easier updates
- Scalable, relatively secure

Page 17

Blogs

- For all OWASP members
- WordPress 2.0

Page 18

Forums

- Existing forums dead
- UltimaBB
- Link from front page

Page 19

Downloads

- Finished products/versions move to owasp.org
- Development remains at Sourceforge (supports CVS)

Page 20

Mail lists

Two mail infrastructures:
- [email protected]
- *@lists.sourceforge.net

- Need to bring this in house... eventually
- Will happen during 2006 / 2007

Page 21

Questions