OWASP Project Summit 2015/Working Sessions

We are currently looking for more working session ideas for the summit. If you're interested in adding a Working Session for the 2015 Summit, please contact [mailto:johanna.curiel@owasp.org Johanna Curiel]. Please review the Working Session methodology for the Working Session rules.

Keep checking back, as we will be adding more working sessions every week.

Current Daily Schedule
OWASP PROJECT Summit Agenda 2015

Location: AMSTERDAM RAI - 19 & 20 May, Rooms E103 & E104 (see attached floor plan)

OWTF ==> E103
ZAP ==> E103
Hackademic Challenges ==> E104
ASVS ==> E104
Codes of Conduct - Document Review ==> E104
AppSensor - Guide Review ==> E103
Snakes and Ladders - Dutch Translation ==> E104
Cornucopia - Video ==> E104
AppSensor - Dashboard ==> E103
Automated Threats to Web Applications ==> E104
Code Review ==> E104
OpenSAMM ==> E103
Security Shepherd ==> E104

9:00-9:30 Welcome to Project Summit 2015
(Looking for sponsors for (easy breezy) breakfast with the Project leaders)

Project Review Task Force
Project Reviews 2014-2015 Results 9:30-10:30

Current situation of projects
A 20-minute presentation on the results of the last project review, together with the release of a report on the active and inactive projects per category. All attending project leaders and some members of the OWASP Board are expected to attend this presentation and participate.

Security Gaps Workshop
(25 min): Security issues that no project has explored so far, as a potential source of inspiration for new projects.

Projects as Operational objectives
(Kate Hartmann, Johanna, Paul, Timo, Jim) Deliverables: a report, an updated wiki and a clear infographic with the results; a plan for projects to become part of the operational objectives.

OWASP Knowledge Based Authentication Performance Metrics Project
09h00 – 10h15: Review of the general progress of the OWASP KBA-PMP project with the project leaders and project managers (Ann Racuya-Robbins, Noreen Whysel).

10h30 – 12h30: Review of the KBA testing tools (such as the KBA plugin).

15h00 – 19h00: Open discussion of the KBA-PMP project: Why does the industry need a KBA standard? How is KBA used by different service providers around the world? KBA pentest experiences. Is dynamic KBA more secure than static KBA? What are the legal and technical challenges of dynamic KBA? What are the legal and technical challenges of remote identity proofing and KBA? The new ground of identity, security, privacy and governance, and the role of KBA in each.

OWASP Codes of Conduct – Document Review
10:30 – 12:00 The current Codes of Conduct were developed primarily during the last major OWASP Summit in Portugal. They cover: Government Bodies, Educational Institutions, Standards Groups, Trade Organizations, Certifying Bodies, and Development Organizations. This 1.5-hour session will review, edit, update and release v1.2 of each document. Participants should be interested in how external entities can be encouraged to support OWASP's mission, read the existing Codes of Conduct in advance, and come with suggestions for changes. • Introduction • Joint review and edit (15 mins per document) • Publish updated documents to the wiki (PDF and Word). Project website: https://www.owasp.org/index.php/OWASP_Codes_of_Conduct

OWASP ASVS
10:20 - 11:50 & 14:30 - 17:30 OWASP ASVS • Discuss issues around practitioners consuming ASVS in their consultancies • Discuss how to improve adoption by development teams • Live resolution of outstanding issues in the ASVS GitHub • Live QA of 2.1 • Early planning of ASVS v3.0

Hackademics
9:30 - 11:30 Hackademics – Wiki page rewrite, documentation review. The current wiki page was written by the founders of the project back when the project started; it is missing a lot of new information, links to very old versions of the project, and overall needs rewriting. The current documentation covers less than half of the features and is wrong or unclear in other parts.

This session will review, edit, update and release documentation for version 2.0 of the project, coming at the beginning of April. We will also update the wiki listing of contributors, developer guidelines and supporters, and sync the documentation in the GitHub wiki with the OWASP wiki page. Participants should be familiar with Hackademic and come with suggestions on missing guidelines.

14:00 - 17:30 Hackademics – Greek, French translation. We are currently implementing an internationalization feature using I18n, which should be ready for our v2.0 release. Our goal is to translate the strings present in the platform into French and Greek (the platform is already in English, and French and Greek are the only other languages the core contributors, and most likely the participants, speak). There are approximately 300 strings in the platform. Participants who want to help are gladly welcome.

AppSensor
13:00 – 15:00 AppSensor (Documentation) – Guide Review. The AppSensor Guide v2 was published in May last year and has had two minor updates, the last one mainly due to the important release of the v2 code implementation. This session is to edit and improve the guide, since many of the chapters have not been fully reviewed. Participants should read a chapter or two in advance of the summit (chapter 5 onwards, but choose randomly or by interest) and bring their edits/comments to the session, where the guide will be updated. All participants will be acknowledged in the guide and on the project wiki page. • Briefing • Live editing • Publish updated PDF. The latest version of the guide is at: https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc

Snakes and Ladders
15:30 – 16:30 Snakes and Ladders – Dutch Translation. OWASP Snakes & Ladders (web applications) has already been translated into 5 other languages, and Portuguese is in progress, but so far not Dutch. This rapid session will ask participants to translate the 900 or so words into Dutch, so that a PDF and Adobe Illustrator version can be created. It will also be possible to help remotely, as it will be set up on Crowdin. • Meet • Translate • Create Illustrator and PDF output • Publish. Project website: https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders

OWASP OWTF
10h00 - 12h00: OWASP OWTF Introduction for GSoC Students. The OWTF project has seen more than 8 GSoC projects merged into the master branch over the past couple of years. We want to introduce the students to the program. • Quick presentation of OWASP OWTF and some of its GSoC projects • What did GSoC offer over the past 3 years? • Current ideas for GSoC 2015 • Brainstorm about new ideas for GSoC 2015. We expect to introduce students to OWTF and show how GSoC would be a valuable experience for them.

12h00 - 13h00: OWASP OWTF Open Forum. Two ex-GSoC students are available to speak about their experience with OWTF and GSoC. • How did they hear about GSoC? • Why did they choose OWTF? • How did they contact the project leader? • What is a proposal? How hard was it? How much time did it take? • What did GSoC give them back? We expect to share our experiences with possible future GSoC students and help them better understand what it can offer.

14h00 - 17h00: OWASP OWTF Wiki Review. Because OWTF has grown very fast over the past years, some parts of the wiki might be out of date even though we worked hard to update it. • Proof-read the wiki • Reproduce the steps described in the wiki • Find the out-of-date information • Remove or update it. We expect to have an up-to-date wiki by the end of this session, or at least a list of known out-of-date information.

OWASP Security Shepherd
10:30 - 12:00 - Challenge Brainstorm. The Security Shepherd project needs fresh challenge ideas. Security Shepherd currently sports ~60 challenges covering the topics listed in the OWASP Web and Mobile Top Ten. These challenges start simple and increase in difficulty as the bad fixes come closer to being good fixes. However, the bad-fix examples presented in Security Shepherd are a fraction of what is possible. So drop in and lay out any of the security gaps you can think of in applications, no matter how simple or complex: it could be an XSS blacklist filter, a session management flaw or even poor data storage on a mobile device. Participants who want to get their hands dirty and implement their idea as a challenge during the session are more than welcome.

14:00 - 16:00 - Mobile Application Challenges without Hard-Coded Keys. Implement a mechanism by which a user logs into a Security Shepherd server through a Mobile Challenge Application, so that user-specific keys can be presented instead of keys hard-coded into the mobile app. The mechanism must be designed so that it cannot be exploited to return the key for a security challenge without completing the level.

Project website: https://www.owasp.org/index.php/OWASP_Security_Shepherd
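One way to meet the "no hard-coded keys" requirement of the session above is to keep a master secret on the server, derive each challenge key from (user, level) with an HMAC, and hand it out only after the server itself has recorded that the user solved the level. The following is an added example written for this page in Python, not Security Shepherd's own (Java) code; the class, method and field names, the session-token login, and the sample solutions are assumptions. Because the key is derived rather than stored, nothing in the mobile app or its database contains a key, a key leaked by one user is useless to another, and a client that skips the solution step is refused.

```python
"""Added illustration: per-user challenge keys issued only after server-side
verified completion. Example code for this page; not Security Shepherd's
implementation. Names and the login/submit/key flow are assumptions."""
import hashlib
import hmac
import secrets


class ChallengeKeyServer:
    """Minimal server-side model. The mobile app only ever holds a session token."""

    def __init__(self, master_secret: bytes, solutions: dict):
        # master_secret never leaves the server; solutions maps level -> expected
        # answer (constructed for the example).
        self._master = master_secret
        self._solutions = solutions
        self._users = {}       # username -> password (plain text only for brevity)
        self._sessions = {}    # session token -> username
        self._completed = {}   # username -> set of completed levels

    def register(self, username: str, password: str) -> None:
        self._users[username] = password
        self._completed[username] = set()

    def login(self, username: str, password: str):
        """Return a random session token on success, None otherwise."""
        if not hmac.compare_digest(self._users.get(username, ""), password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def submit_solution(self, token: str, level: str, answer: str) -> bool:
        """Record the level as complete only when the submitted answer matches."""
        user = self._sessions.get(token)
        if user is None or level not in self._solutions:
            return False
        if hmac.compare_digest(self._solutions[level], answer):
            self._completed[user].add(level)
            return True
        return False

    def challenge_key(self, token: str, level: str) -> str:
        """Derive the key for (user, level); refuse unless completion is recorded."""
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("invalid session")
        if level not in self._completed[user]:
            raise PermissionError("level not completed")
        # Keyed derivation: no key is ever stored, and keys differ per user.
        message = f"{user}:{level}".encode()
        return hmac.new(self._master, message, hashlib.sha256).hexdigest()


def demo() -> dict:
    """Run the intended flow plus one misuse attempt; return what each step yielded."""
    server = ChallengeKeyServer(secrets.token_bytes(32), {"level1": "constructed-flag"})
    server.register("alice", "alice-pw")
    server.register("bob", "bob-pw")
    alice = server.login("alice", "alice-pw")
    bob = server.login("bob", "bob-pw")

    # Misuse: ask for the key before solving the level.
    try:
        server.challenge_key(alice, "level1")
        denied_before = False
    except PermissionError:
        denied_before = True

    wrong_accepted = server.submit_solution(alice, "level1", "wrong")
    alice_done = server.submit_solution(alice, "level1", "constructed-flag")
    bob_done = server.submit_solution(bob, "level1", "constructed-flag")

    return {
        "denied_before_completion": denied_before,
        "wrong_answer_accepted": wrong_accepted,
        "both_completed": alice_done and bob_done,
        "alice_key": server.challenge_key(alice, "level1"),
        "bob_key": server.challenge_key(bob, "level1"),
        "bad_login": server.login("alice", "not-her-password"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that completion state lives only on the server, so a modified client cannot fabricate it, and the answer check uses a constant-time comparison so that a wrong answer cannot be refined byte by byte from timing.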

OWASP ZAP
ZAP Summit (https://groups.google.com/d/msg/zaproxy-develop/OlKKKEc2Bxo/TF-f8_aKO94J): 10:00 - 16:30. The ZAP summit is aimed at existing and prospective ZAP developers and is an opportunity to discuss all aspects of ZAP development and future direction. It is not planned to include any training on how to use ZAP.

The exact topics discussed will be agreed between the attendees at the start of the day, but are expected to cover things like: • An introduction to ZAP and the attendees • A review of ZAP's perceived strengths and weaknesses • Discussions around the future direction of ZAP • Areas of ZAP that people find difficult to contribute to • Components of ZAP that attendees think need significant reworking • How to encourage more participation • Interworking with 3rd party tools • The opportunity to focus on specific areas of interest to the attendees

OWASP Knowledge Based Authentication Performance Metrics
09h30 – 12h30: Project review of the KBA standard contents with the project leaders and managers (Luis Enriquez, Ann Racuya-Robbins, Noreen Whysel). 15h00 – 18h00: Open discussion of the OWASP Security Labeling system project proposal (secure code, privacy, ingredients, and openness labels). • Should security become visible to normal users? • Should OWASP consider providing labels and certifications? • Expected audience: 20+ people.
 * Looking for interaction with other project leaders and the board

09:00 – 12:00 Cornucopia - Ecommerce Website Edition – Video
The objective is to create a short "how to play the Cornucopia card game" video during this half-day session. Cornucopia is a card game that helps identify security requirements, but people may not be familiar with how easy it is to get started. Participants are needed to be the players, to create a narrative, to video the game being played, and, if there is time and anyone has the skill, to edit the video and sound into a release version. It is preferable if participants are already a little familiar with the game and/or threat modelling. If there is time, we will also discuss alternative game strategies such as a Jeopardy format. • Storyboarding • Game play recording • Editing • Soundtrack • Publish video. Project website: https://www.owasp.org/index.php/OWASP_Cornucopia

9:30 - 11:30 Hackademics test coverage
Improve unit test coverage. Currently, unit tests cover ~20% of the platform; this session will focus on doubling that. Deliverables: 40% unit and functional test coverage.

13:30 – 17:00 AppSensor (Code) – Dashboard
The AppSensor v2.0.0 code implementation final release was undertaken in January. One of the tasks to continue with is the development of a reporting dashboard. This session is to brainstorm ideas and layouts for the dashboard, and identify what tools/libraries can assist in the creation of the dashboard. Bring ideas, energy, URLs, paper and pens! The outputs will be dashboard mockups. • Introductions and objectives • Information requirements • User stories • Information design • Code libraries and frameworks. Code roadmap: https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Road_Map_and_Getting_Involved Microsite http://www.appsensor.org/

14:00 - 17:30 Hackademics - Student performance metrics visualization
Currently, the platform gathers student performance metrics such as how long it took a student to solve each challenge, how many requests were made, and how much time was idle. However, the only way for a teacher to see these numbers is with database access. (The data is gathered for the advanced scoring functionality, but it is also very useful as performance analytics.) We plan to use graphing libraries to create interactive graphs that make student performance easy to understand. It is a simple front-end feature that will improve the usability of the platform.

17:00-18:00 OWASP Automated Threats to Web Applications Project - Website Owner Experiences
The OWASP Automated Threats to Web Applications Project is undertaking research and will publish its outputs immediately prior to AppSec EU 2015. This meeting seeks input from training and conference attendees on their own organisations' experiences of automated attacks: • What types of automated attacks occur and with what frequency? • What were the symptoms? • How are they detected? • What incident response measures were taken? • What steps were undertaken to prevent or mitigate such attacks? Participation/contribution can be anonymous or otherwise. The intention is to update the published documents during the session and if possible create additional sector-specific guidance.

10h00 - 13h00: OWASP OWTF Architecture Audit
During the past three years, OWTF has grown fast thanks to different GSoC projects, but the initial architecture is no longer suited to the project as it is today. • Identify the different elements of OWTF • Define the inter-dependencies • Assess whether those dependencies are justified • Remove unnecessary dependencies • Draw a better architecture for OWTF. We expect to have a draft of a new architecture better suited to the needs of OWTF by the end of this session.

14h00 - 15h00: OWASP OWTF CLI Assessment
Over the past year, development has mostly focused on improving the Web User Interface. A side effect is that the Command Line Interface (CLI) is currently broken and does not meet the objectives initially set. • Test the CLI • Report all commands/flags that are broken • Identify the best features the CLI should offer • Gather the findings and draw up a new standard for the CLI. We expect to have a new standard for the CLI that will be implemented this year to fix and enhance its behaviour. This could become a GSoC project, depending on the output of the session.

15h00 - 17h00: OWASP OWTF Hack It For Fun
The OWTF project is written in Python and we want to show how easy it is to hack on the code base. We propose a small workshop where students customize OWTF the way they want. • Presentation of small code snippets • Customize the console output • Customize the web interface • Competition on implementing small features. We expect to show how easy it is for students to get into the OWTF code base. As a reward, the winners of the competition will be offered nice goodies :)

Project Developments: The Good, The Bad and the Ugly
17:30 - 18:30 Open Forum with Project leaders. Forum discussion with project leaders and the Board ==> (1 hour session) • Why is my project not moving forward? • What can be done to help improve my project? • How to improve the current situation of projects • How to improve the review process. Deliverables: collect information and create a report; use the session results and see how they can be implemented; inform leaders about the current process.

18:30-19:30 HAPPY HOUR with Project leaders==>Looking for sponsors