OWASP & More
State of OWASP 2015
https://www.owasp.org
https://2015.appsecusa.org
Twitter: @owasp, @appsecusa
Tobias Gondrom – Board Chair
Paul Ritchie – OWASP Executive Director
Noreen Whysel – OWASP Community Manager
Claudia Casanova – OWASP Project Coordinator
Sept. 24, 2015
State of OWASP
• Welcome: A “brief story” about OWASP
• Updates from our Executive Director, Community Manager and Projects Coordinator
• Q&A
Who is OWASP?
• Free & Open
• Governed by rough consensus & running code
• Abide by a code of ethics (see ethics)
• Not-for-profit
• Not driven by commercial interests
• Risk based approach
Our Purpose & Our Core Values
OPEN: Everything at OWASP is radically transparent from our finances to our code.
INNOVATION: OWASP encourages and supports innovation/experiments for solutions to software security challenges.
GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.
INTEGRITY: OWASP is an honest and truthful, vendor agnostic, global community.
Our Core Values
Our Purpose: The OWASP Foundation will be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.
Strategic Goals for 2015
• Strengthen OWASP chapters and increase chapters' abilities to spread the message of OWASP through locally organized and run events.
• Mature the OWASP Projects Platform: provide the OWASP projects community a mature project platform to encourage senior developers to participate in the various and many OWASP projects.
• Build a scalable OWASP training program that spreads security training around the world.
• 130 Active Projects
• 268 Active Chapters
• 44,000+ participants on mailing lists
• 88+ Government & Industry Citations!
• 100+ Academic Supporters
• 55 Paid Corporate Memberships
• 2,458 Members
Our Strong OWASP Operations Team
• Executive Director: Paul Ritchie
• Operations Director: Kate Hartmann
• Membership and Business Liaison: Kelly Santalucia
• Event Manager: Laura Grau
• Projects: Claudia Casanovas
• Community Manager: Noreen Whysel
• Accounting: Alison Shrader
• IT Admin: Matt Tesauro (Contractor)
• Graphic Design: Hugo Costa (Contractor)
OWASP – chapter meetings and conferences around the world
Thanks to our sponsors and supporters:
Contributing Sponsors:
Premium Sponsors:
OWASP is about you!
Free to use
Free to participate
Free to contribute
Join and help to make the Web, make the world more secure!
… join a chapter
… join a project
… join the global community list
… share the security knowledge.
Mission
• Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks
• How’d we do in 2014? See Annual Report themed “Growing, Learning, Sharing, Leading”
Strategic Goals & Metrics - 2015
• Chapter Development
• Volunteer Management
• Training
• Supporting & Maturing the Project Platform
• Finances
Chapter Development - 2015
• Our Global Footprint
• 28 New Chapters
• 8 Chapters Restarted
• More Chapter & Project Leader Training on Friday
Note recent new chapters in Africa
Volunteer Management
• Project Review Task Force actively looking for volunteers
• Over 25 co-marketing agreements "signed" with speaker slots or free booth space at outside events for OWASP volunteers
• Wiki Volunteer & Initiatives page updated with volunteer opportunities at universities and 25 chapter leader openings
Training – Our Reach is Global
AppSec USA-SF 2015
• 1200 attendees
• 253 Training attendees
• 75+ Speakers
AppSecEU 2015
• 585 attendees
• 133 Training attendees
• 57 Speakers
LATAM 2015
• 724 attendees
• 42 Training attendees
• 70 Speakers
Training – Chapters Gone Wild (w/Training)
• AppSec-California Training: 7 classes, 36 registrations
• NYC Hack Day Training: 1 class, 19 registrations
• OWASP New Zealand Day: 1 class, 12 registrations
• LATAM Tour: 6 classes, 42 training attendees
• AppSecEU: 13 classes, 133 registrations
• OWASP CONfidence (Krakow): 5 classes (6 trainers/classes on website)
• OWASP SAMM Summit (Dublin): ~30 registrations, 10 paid
• OWASP Dublin Training Day: 3 classes, 78 registrations
• ….. And so many more
Project Innovation & Output
• New projects added
• Updates & outputs on 2015
• Project Maturity update
• Project Summit & Summer of Code
• Bossie Award for Open Source Tools – Highlighted: ZAP, Xenotix XSS, O-Saft, OWTF
Project Highlights – 2015
• 2 Project Summits held during AppSec Conferences to maximize participation
• OWASP's own Summer Code Sprint hosted to support Projects
• Project Coordinator – Claudia updating the New Project & Project Review process & docs
• CISO Guide translated into Spanish
• Dependency Check 1.2.9 released
• Dependency Track 1.0.0 released
• Vicnum Project updated
• OWASP SAMM Project Summit – Dublin March 2015
• AppSensor – CISO Briefing released
• ZAP 2.4.0 released
• ZAP w/Docker introduction released
• ASVS version XX released
• OWASP KALP Mobile Project initiated
• OWASP Seraphimdroid project, version 2 released
OWASP Finances – Overall Strong & Growing
See Annual Report for Details
Full Financial Transparency & Reports found on the OWASP Wiki
Financial Snapshot: Growth 2013 - 2016
Conferences remain an excellent channel for Training & Community sharing
• 65% of Income & 50% of Expenses
Projects / Chapter Funding represented ~$255K in 2015 with potential growth to the $300-400K range in 2016.
Project Funding & Chapter Funding – Where's the Info?
• Need Project Funding?
• Need Chapter Funding?
• Got a Chapter Budget, need reimbursement?
• Submit here https://www.owasp.org/index.php/Funding
OWASP Northern Virginia
@OWASPNoVA
OWASP DC
@OWASPDC
The Big Reveal – AppSec US in 2016
• OWASP AppSec EU 2016: Rome in June
• OWASP AppSec USA 2016: Washington DC – September – Hosted by No. Virginia & Wash DC Chapters
Community Update
Noreen Whysel, Community Manager
September 24, 2015
Chapter Development
• 28 new chapters started in 2015
• 8 chapters restarted
• 26 chapters inactivated (some in process of restarting)
• 1 merged chapter (Kenya/Nairobi)
• 3 chapter splits (Spain, Argentina, Sweden)
• 53 new leaders added, including restarts
• 120+ cases & conversations with chapter leaders worldwide
Communications
• Community News Flash
• Social Media Announcements
• Mailing Lists
• SalesForce Messaging
• Personal Correspondence
Community News Flash
• First issue April 2015
• Sent to owasp-leaders and owasp-community lists
• Switched to Vertical Response in August 2015
• August 2015
– Sent to: 1,282
– Opens (257): 20.05%
– Clicks (52): 4.06%
– Bounces (13): 1.01%
– Unsubscribes (0): 0.00%
• September 2015
– Sent to: 1,269
– Opens (255): 20.09%
– Clicks (26): 2.05%
– Bounces (3): 0.24%
– Unsubscribes (1): 0.08%
Social Media
• Twitter (as of 8/31/2015)
– 4014 tweets
– 325 following
– 56,819 followers
• Facebook
– 9,062 Page Likes
– 8,839 Group Members
• LinkedIn
– 22,730 group members
– 12,800 followers
• Slack
– 399 members
– 76 channels
• Meetup
– 54 "OWASP" Meetup Groups
– 13,328 Members
– 1,416 Expressed Interest
– 50 Cities
– 17 Countries
Chapter Leader Workshops
Room F, Pacific Concourse
• Thurs 10:30AM - People and Capital
• Thurs 11:30AM - I'm a Leader. Now What?
• Friday 10:30AM - What's In Your Toolbox?
• Friday 11:30AM - OWASP Wiki Edit-a-thon
• Friday afternoon - Flex sessions, continue the conversation
Projects & Initiative Update
Claudia Aviles Casanovas, Project Coordinator
September 20, 2015
Project Task Force Recent Activity
Pending Graduation Review (submitted last week):
• OWASP Security Shepherd
• OWASP Seraphimdroid Project
• OWASP Security Logging
New Incubator Projects Added:
• OWASP ZSC Tool Project
• OWASP Mth3l3m3nt Framework Project
Recent Project that graduated to the next level:
• Benchmark Tool Project
Review Results: moved from Incubator Project to Lab Project
Projects Graduated from Incubator to Lab in June 2015
Category: Documentation
• OWASP Internet of Things Top Ten Project
• OWASP Proactive Controls
• OWASP Top 10 Privacy Risks Project
• OWASP Reverse Engineering and Code Modification Prevention Project
Category: Code
• Mobile Application Security Project
• OWASP Security Python Project
Project Summit USA 2015
Projects Participating:
• OWASP Code Review Guide – Gary Robinson & Larry Conklin
• OWASP ASVS & OWASP Proactive Controls – Jim Manico
• OWASP Python Security Project – Enrico Branca
• OWASP Security Shepherd – Mark Denihan
• OWASP Security Knowledge – Glenn Ten Cate
• OWASP PodCast – Mark Miller
• OWASP WAFEC (starting up activity) – Tony Turner
• OWASP O2 – Michael Hidalgo
Project Summit USA 2015
Project Name / Project Leader / Did the Project Summit help your Project? / Did you Accomplish it? / Deliverable
OWASP Security Shepherd – Mark Denihan, Pol Mac Cana
Deliverable: Updated the GitHub Wiki pages to a state where new users can easily add translation support to Shepherd components, add new language translations without difficulty and create new Security Shepherd levels with the new specifications made in V3. Also created new Security Shepherd level templates. Eliminated issues that were blocking the progress of the Security Shepherd Docker File.
Over the last two weeks, OWASP Summer Code Sprint 2015 mentors and students have wrapped up activities.
Originally received 39 proposals and were able to select 8 students for the Summer Code Sprint 2015. The selection was difficult due to competitive proposals.
Results: All 8 students passed the Final Evaluations.
Feedback & Experience:
• Amazing performance!
• OWASP Seraphimdroid Project is now able to apply for a Project Review Graduation due to the work done with the student.
• Project quality and robustness increased like never before over the past 2 months!
• Excellent work, and worked beyond the original plan!
• Gained a contributor for the Hackademic Project.
• High level of dedication with excellent results.
• Students were happy to work with such great mentors and excited about the projects.
Results Final Evaluations – Fabio Cerullo, Initiative Leader
Summer Code Sprint 2015 Participation – Fabio Cerullo, Initiative Leader
Project Name / Mentors / Students
• OWASP OWTF – Mentors: Abraham Aranguren, Tao Sauvage, Bharadwaj Machiraju – Students: Arun Sori, Alexandra Sandulescu, Viyat Bhalodia
• OWASP Seraphimdroid – Mentor: John Melton – Student: Kartik Kholic
• OWASP AppSensor – Mentor: Nikola Milosevic – Student: Sumanth Damaria
• OWASP Hackademic – Mentors: Spyros Gasteratos, Paul Chaignon – Students: Anirudh Anand, Minhaz AV, Tapasweni Pathak
Project Updates
• OWASP Project Task Force
• Project Summit USA
• How to Start A New Project
• OWASP Project Dashboard
• OWASP 2014 Project Handbook
– Project Funding Request Form
– Project Spending Policy
Community Q&A
https://www.owasp.org
https://2015.appsecusa.org
Twitter: @owasp, @appsecusa
Open OWASP Board Meeting Friday, Sep-25, 18:00 – 20:00 PDT
Room A - Pacific Level.
Learn, meet, share and ….
… have a great time!
https://2015.appsecusa.org
Twitter: @appsecusa