State of OWASP 2015

Page 1: State of OWASP 2015

OWASP & More

State of OWASP 2015

https://www.owasp.org

https://2015.appsecusa.org

Twitter: @owasp, @appsecusa

Tobias Gondrom – Board Chair

Paul Ritchie – OWASP Executive Director

Noreen Whysel – OWASP Community Manager

Claudia Casanova – OWASP Project Coordinator

Sept. 24, 2015

Page 2: State of OWASP 2015

State of OWASP

• Welcome: A “brief story” about OWASP

• Updates from our Executive Director, Community Manager and Projects Coordinator

• Q&A

Page 3: State of OWASP 2015

Who is OWASP?

• Free & Open

• Governed by rough consensus & running code

• Abide by a code of ethics (see ethics)

• Not-for-profit

• Not driven by commercial interests

• Risk based approach

Page 4: State of OWASP 2015

Our Purpose & Our Core Values

Our Purpose: The OWASP Foundation will be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.

Our Core Values

• OPEN: Everything at OWASP is radically transparent, from our finances to our code.

• INNOVATION: OWASP encourages and supports innovation and experiments for solutions to software security challenges.

• GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.

• INTEGRITY: OWASP is an honest and truthful, vendor agnostic, global community.

Page 5: State of OWASP 2015

Strategic Goals for 2015

• Strengthen OWASP chapters and increase chapters’ abilities to spread the message of OWASP through locally organized and run events.

• Mature the OWASP Projects Platform: Provide the OWASP projects community a mature project platform to encourage senior developers to participate in the various and many OWASP projects.

• Build a scalable OWASP training program that spreads security training around the world.

Page 6: State of OWASP 2015

130 Active Projects

Page 7: State of OWASP 2015

268 Active Chapters

Page 8: State of OWASP 2015

44,000+ participants on mailing lists

Page 9: State of OWASP 2015

88+ Government & Industry Citations!

Page 10: State of OWASP 2015

100+ Academic Supporters

Page 11: State of OWASP 2015

55 Paid Corporate Memberships

Page 12: State of OWASP 2015

2458 Members

Page 13: State of OWASP 2015

Our Strong OWASP Operations Team

• Executive Director: Paul Ritchie

• Operations Director: Kate Hartmann

• Membership and Business Liaison: Kelly Santalucia

• Event Manager: Laura Grau

• Projects: Claudia Casanovas

• Community Manager: Noreen Whysel

• Accounting: Alison Shrader

• IT Admin: Matt Tesauro (Contractor)

• Graphic Design: Hugo Costa (Contractor)


Page 14: State of OWASP 2015

OWASP – chapter meetings and conferences around the world

Page 15: State of OWASP 2015

Thanks to our sponsors and supporters:

Contributing Sponsors:

Premium Sponsors:

Page 16: State of OWASP 2015

OWASP is about you!

Free to use

Free to participate

Free to contribute

Join and help to make the Web, and the world, more secure!

… join a chapter

… join a project

… join the global community list

… share the security knowledge.

Page 17: State of OWASP 2015

Mission

• Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

• How’d we do in 2014? See Annual Report themed “Growing, Learning, Sharing, Leading”

Page 18: State of OWASP 2015

Strategic Goals & Metrics - 2015

• Chapter Development

• Volunteer Management

• Training

• Supporting & Maturing the Project Platform

• Finances

Page 19: State of OWASP 2015

Chapter Development - 2015

• Our Global Footprint

• 28 New Chapters

• 8 Chapters Restarted

• More Chapter & Project Leader Training on Friday

Note: Recent New Chapters in Africa

Page 20: State of OWASP 2015

Volunteer Management

• Project Review Task Force actively looking for volunteers

• Over 25 co-marketing agreements ‘signed’, with speaker slots or free booth space at outside events for OWASP volunteers

• Wiki Volunteer & Initiatives page updated with volunteer opportunities at universities and 25 chapter leader openings

Page 21: State of OWASP 2015

Training – Our Reach is Global

AppSec USA-SF 2015

– 1200 attendees

– 253 Training attendees

– 75+ Speakers

AppSecEU 2015

– 585 attendees

– 133 Training attendees

– 57 Speakers

LATAM 2015

– 724 attendees

– 42 Training attendees

– 70 Speakers

Page 22: State of OWASP 2015

Training – Chapters Gone Wild (w/Training)

• AppSec-California Training: 7 classes, 36 registrations

• NYC Hack Day Training: 1 class, 19 registrations

• OWASP New Zealand Day: 1 class, 12 registrations

• LATAM Tour: 6 classes, 42 training attendees

• AppSecEU: 13 classes, 133 registrations

• OWASP CONfidence (Krakow): 5 classes (6 trainers/classes on website)

• OWASP SAMM Summit (Dublin): ~30 registrations, 10 paid

• OWASP Dublin Training Day: 3 classes, 78 registrations

• ….. and so many more

Page 23: State of OWASP 2015

Project Innovation & Output

• New projects added

• Updates & outputs on 2015

• Project Maturity update

• Project Summit & Summer of Code

• Bossie Award for Open Source Tools – Highlighted: ZAP, Xenotix XSS, O-Saft, OWTF

Page 24: State of OWASP 2015

Project Highlights – 2015

• 2 Project Summits held during AppSec Conferences to maximize participation

• OWASP’s own Summer Code Sprint hosted to support Projects

• Project Coordinator – Claudia updating the New Project & Project Review process & docs

• CISO Guide translated into Spanish

• Dependency Check 1.2.9 released

• Dependency Track 1.0.0 released

• Vicnum Project updated

• OWASP SAMM Project Summit – Dublin, March 2015

• AppSensor – CISO Briefing released

• ZAP 2.4.0 released

• ZAP w/Docker introduction released

• ASVS version XX released

• OWASP KALP Mobile Project initiated

• OWASP Seraphimdroid project, version 2 released

Page 25: State of OWASP 2015

OWASP Finances – Overall Strong & Growing

See Annual Report for Details

Full Financial Transparency & Reports found on the OWASP Wiki

Page 26: State of OWASP 2015

Financial Snapshot: Growth 2013 - 2016

Conferences remain an excellent channel for Training & Community sharing

• 65% of Income & 50% of Expenses

Projects / Chapter Funding represented ~$255K in 2015 with potential growth to the $300-400K range in 2016.


Page 27: State of OWASP 2015

Project Funding & Chapter Funding – Where’s the Info?

• Need Project Funding?

• Need Chapter Funding?

• Got a Chapter Budget, need reimbursement?

• Submit here https://www.owasp.org/index.php/Funding

Page 28: State of OWASP 2015

The Big Reveal – AppSec US in 2016

• OWASP AppSec EU 2016: Rome in June

• OWASP AppSec USA 2016: Washington DC – September – Hosted by the Northern Virginia & Washington DC Chapters

OWASP Northern Virginia: @OWASPNoVA

OWASP DC: @OWASPDC

Page 29: State of OWASP 2015

Community Update

Noreen Whysel – Community Manager – September 24, 2015

Page 30: State of OWASP 2015

Chapter Development

• 28 new chapters started in 2015

• 8 chapters restarted

• 26 chapters inactivated (some in process of restarting)

• 1 merged chapter (Kenya/Nairobi)

• 3 chapter splits (Spain, Argentina, Sweden)

• 53 new leaders added, including restarts

• 120+ cases & conversations with chapter leaders worldwide

Page 31: State of OWASP 2015

Communications

• Community News Flash

• Social Media Announcements

• Mailing Lists

• SalesForce Messaging

• Personal Correspondence

Page 32: State of OWASP 2015

Community News Flash

• First issue April 2015

• Sent to owasp-leaders and owasp-community lists

• Switched to Vertical Response in August 2015

• August 2015

– Sent to: 1,282

– Opens (257): 20.05%

– Clicks (52): 4.06%

– Bounces (13): 1.01%

– Unsubscribes (0): 0.00%

• September 2015

– Sent to: 1,269

– Opens (255): 20.09%

– Clicks (26): 2.05%

– Bounces (3): 0.24%

– Unsubscribes (1): 0.08%

Page 33: State of OWASP 2015

Social Media

• Twitter (as of 8/31/2015)

– 4014 tweets

– 325 following

– 56,819 followers

• Facebook

– 9,062 Page Likes

– 8,839 Group Members

• LinkedIn

– 22,730 group members

– 12,800 followers

• Slack

– 399 members

– 76 channels

• Meetup

– 54 “OWASP” Meetup Groups

– 13,328 Members

– 1,416 Expressed Interest

– 50 Cities

– 17 Countries

Page 34: State of OWASP 2015

Chapter Leader Workshops

Room F, Pacific Concourse

• Thurs 10:30AM - People and Capital

• Thurs 11:30AM - I’m a Leader. Now What?

• Friday 10:30AM - What’s In Your Toolbox?

• Friday 11:30AM - OWASP Wiki Edit-a-thon

• Friday afternoon - Flex sessions, continue the conversation

Page 35: State of OWASP 2015

Projects & Initiative Update

Claudia Aviles Casanovas – Project Coordinator – September 20, 2015

Page 36: State of OWASP 2015

Project Task Force Recent Activity

Pending Graduation Review (Submitted Last Week):

• OWASP Security Shepherd

• OWASP Seraphimdroid Project

• OWASP Security Logging

New Incubator Projects Added:

• OWASP ZSC Tool Project

• OWASP Mth3l3m3nt Framework Project

Recent Project that Graduated to the next Level:

• Benchmark Tool Project

Review Results: Moved from Incubator Project to Lab Project

Projects Graduated from Incubator to Lab in June 2015

Category: Documentation

• OWASP Internet of Things Top Ten Project

• OWASP Proactive Controls

• OWASP Top 10 Privacy Risks Project

• OWASP Reverse Engineering and Code Modification Prevention Project

Category: Code

• Mobile Application Security Project

• OWASP Security Python Project

Page 37: State of OWASP 2015

Project Summit USA 2015 – Projects Participating:

• OWASP Code Review Guide – Gary Robinson & Larry Conklin

• OWASP ASVS & OWASP Proactive Controls – Jim Manico

• OWASP Python Security Project – Enrico Branca

• OWASP Security Shepherd – Mark Denihan

• OWASP Security Knowledge – Glenn Ten Cate

• OWASP PodCast – Mark Miller

• OWASP WAFEC (Starting up Activity) – Tony Turner

• OWASP O2 – Michael Hidalgo

Page 38: State of OWASP 2015

Project Summit USA 2015

Columns: Project Name | Project Leader | Did the Project Summit help your Project? | Did you Accomplish it? | Deliverable

Project Name: OWASP Security Shepherd

Project Leader: Mark Denihan, Pol Mac Cana

Deliverable: Updated the GitHub Wiki pages to a state where new users can easily add translation support to Shepherd components, add new language translations without difficulty, and create new Security Shepherd levels with the new specifications made in V3. Also created new Security Shepherd level templates. Eliminated issues that were blocking the progress of the Security Shepherd Docker File.

Page 39: State of OWASP 2015

Over the last two weeks, the OWASP Summer Code Sprint 2015 mentors and students have wrapped up activities.

We originally received 39 proposals and were able to select 8 students for the Summer Code Sprint 2015. The selection was difficult due to competitive proposals.

Results: All 8 students passed the Final Evaluations.

Feedback & Experience:

• Amazing performance!

• OWASP Seraphimdroid Project is now able to apply for a Project Review Graduation due to the work done with the student.

• Project’s quality and robustness increased like never before over the past 2 months!

• Excellent work, and worked beyond the original plan!

• Gained a contributor for the Hackademic Project.

• High level of dedication with excellent results.

• Students were happy to work with such great mentors and excited about the projects.

Results: Final Evaluations – Fabio Cerullo, Initiative Leader

Page 40: State of OWASP 2015

Summer Code Sprint 2015 Participation – Fabio Cerullo, Initiative Leader

Columns: Project Name | Mentors | Students

• OWASP OWTF – Mentors: Abraham Aranguren, Tao Sauvage, Bharadwaj Machiraju – Students: Arun Sori, Alexandra Sandulescu, Viyat Bhlalodia

• OWASP Seraphimdroid – Mentor: John Melton – Student: Kartik Kholic

• OWASP APPSensor – Mentor: Nikola Milosevic – Student: Sumanth Damaria

• OWASP Hackademic – Mentors: Spyros Gasteratos, Paul Chaignon – Students: Anirudh Anand, Minhaz AV, Tapasweni Pathak

Page 42: State of OWASP 2015

Community Q&A

https://www.owasp.org

https://2015.appsecusa.org

Twitter: @owasp, @appsecusa

Open OWASP Board Meeting: Friday, Sep-25, 18:00 – 20:00 PDT, Room A - Pacific Level.

Page 43: State of OWASP 2015

Learn, meet, share and ….

… have a great time!

https://2015.appsecusa.org

Twitter: @appsecusa