OWASP Project Summit 2015/Home

Jump to: navigation, search



This event activity gives our project leaders the opportunity to showcase their project progress, and have attendees sit down, discuss and provide feedback regarding the project before the annual fundraiser ([1]) regional event. It is an excellent opportunity to engage the event attendees, and it gives project leaders the chance to move forward on their project milestones while meeting new potential volunteers that can provide their input for future milestones.

Call to Action

Hello OWASP Leaders,

The 2015 OWASP Summit is currently in the planning process. We have managed to acquire a great space at Hyatt Regency San Francisco to the AppSec US 2015 planning team. A big thank you to the team for helping us nail down this pace for our summit. There are still quite a few things to do before we are good to go with this year's summit activities. As I mentioned last year, we need to ensure that the culture of our OWASP Summits continues, and I am dedicated to making this a great success for our community so we may continue our efforts for years to come.

Help design the 2015 OWASP Summit in US!

As OWASP Leaders, I would like you to take some time to help us design this year's Summit. We are currently looking for summit track and session ideas. I would love to have your input on what you think we should focus on. Please have a think about the projects, topics, working sessions, and tracks you would like to see or participate in at this year's summit. The Summit team will take these ideas, and create a cohesive and comprehensive schedule of sessions based on your input so I encourage you to summit your ideas straight away. Please email Claudia Aviles Casanovas

We need your ideas, energy, and input! Please reach out to any of us if you would like to lead a session or attend the 2015 Project Summit!

We will see you at AppSec US in San Francisco , US!



How do I sign up for a session?

You can sign up using the following link http://www.eventbrite.com/e/project-summit-eu-2015-tickets-16029097462

Hurry up! places are limited!

We are currently looking for more working session ideas for the summit. If you're interested in adding a Working Session for the 2014 Summit, please contact either Johanna Curiel Please review the Working Session methodology for Working Session rules.

Keep checking back, as we will be adding more working sessions every week.

Current Daily Schedule

OWASP PROJECT Summit Agenda 2015

Location: AMSTERDAM RAI - 19 & 20 May Rooms E103 & E104 (see attached floor plan): File:RAI PLAN 2013 LR AW.pdf

Tuesday 19th May

9:00-9:30 Welcome to Project Summit 2015

Project Review Task Force

Project Reviews 2014-2015 Results 9:30-10:30 Location room :E104

Actual situation of projects

20 min presentation about the results of the last Project review, and release report about the active/ inactive projects per category It is expected than all attending project leaders and some members of the owasp board can assist to this presentation and participate Location room :E104

Security Gaps Workshop

(25 min): Security issues that no project has explored so far. Potential source of inspiration for new projects

Location room :E104

Projects as Operational objectives

(Kate Hartmann, Johanna, Paul,Timo, Jim) Deliverables: Report, Wiki updated and a nice infographic with the results.Plan for projects to be part of the operational objectives Location room :E104

OWASP Knowledge Based Authentication Performance Metrics Project

09h00 – 10h15. Review of the OWASP KBA-PMP project general advances with the project leaders and project managers (Ann Racuya-Robbins, Noreen Whysel) 10h30 – 12h30. Location room :E104

Review of the KBA testing tools (such as the KBA plugin).

15h00 – 19h00 .Open discussion of the KBA-PMP project: Why does the industry need a KBA standard? How is KBA used by different service providers around the world? KBA pentest experiences. Is dynamic KBA more secure than static KBA? Legal and technical challenges of dynamic KBA? Legal and technical challenges of remote identity proofing and KBA? The new ground of identity, security, privacy and governance and the role of KBA in each. Location room :E104

OWASP Codes of Conduct – Document Review

10:30 – 12:00 The current Codes of Conduct were developed primarily during the last major OWASP Summit in Portugal. They cover: Government Bodies, Educational Institutions, Standards Groups, Trade Organizations, Certifying Bodies, and Development Organizations. This 1.5 hour session will review, edit, update and release v1.2 of each document. Participants should be interested in how external entities can be encouraged to support OWASP's mission, read the existing Codes of Conduct in advance, and come with suggestions for changes.

• Introduction
• Joint review and edit (15 mins each document)
• Publish updated documents to wiki (PDF and Word).

Project website: https://www.owasp.org/index.php/OWASP_Codes_of_Conduct Location room :E104


10:20 -11:50 & 14:30-17:30 OWASP ASVS Discuss issues around practitioners consuming ASVS in their consultancies Discuss how to improve adoption by development teams Live resolution of outstanding issues in ASVS Github Live QA of 2.1 Early planning of ASVS v3.0 Location room :E104


9:30 - 11:30 Hackademics – Wiki page rewrite, documentation review The current wiki page was written by the founders of the project back when the project started and it is missing lots of new information, also it has links to very old versions of the project and overall it needs rewriting. The current documentation is covering less than half of the features and it's wrong or not very clear in other parts.

This session will review, edit, update and release documentation for the version 2.0 of the project coming at the beginning of April. Moreover, we'll update the wiki listing contributors, developer guidelines, supporters and synch the documentation in the github wiki with the owasp wiki page. Participants should be familiar with hackademic and come with suggestions on missing guidelines.

14:00 - 17:30 Hackademics – Greek, French translation We are currently implementing an internationalization feature using I18n which should be ready for our v2.0 release. Our goal is to translate the strings present in the platform in French and Greek. (Since it's already in English and French and Greek are the only other languages the core contributors(and most likely participants) speak. There are approximately 300 strings in the platform. Participants to help are gladly welcome.

Location room :E103


13:00 – 15:00 AppSensor (Documentation) – Guide Review The AppSensor Guide v2 was published in May last year, and has had two minor updates, the last one mainly due to the important release of the v2 code implementation. This session is to edit and improve the guide, since many of the chapters have not been fully reviewed. Participants should read a chapter or two in advance of the summit (chapter 5 onwards, but choose randomly/what is of interest) and bring their edits/comments to the session, where the guide will be updated. All participants will be acknowledged in the guide and on the project wiki page.

• Briefing
• Live editing
• Publication updated PDF.

The latest version of the guide is at: https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc

Location room :E103

Snakes and Ladders

15:30 – 16:30 Snakes and Ladders – Dutch Translation OWASP Snakes & Ladders (web applications) has been translated into 5 other languages already, and Portuguese is in progress. But so far not Dutch. This rapid session will ask participants to translate the 900 words or so into Dutch, so that a PDF and Adobe Illustrator version can be created. It will also be possible to help remotely, as it will be set up on Crowdin.

• Meet
• Translate
• Create Illustrator and PDF output 
• Publish.

Project website: https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders

Location room :E104


10h - 12h00: OWASP OWTF Introduction for GSOC Students The OWTF project has seen more than 8 GSoC projects being merged into the master branch over the past couple of years. We want to introduce the students to the program. Quick presentation of OWASP OWTF and some of its GSoC projects What did GSoC offer over the past 3 years? Current ideas for GSoC 2015 Brainstorm about new ideas for GSoC 2015 We expect to introduce students to OWTF and how GSoC would be a valuable experience for them.

Location room :E103

12h00 - 13h00: OWASP OWTF Open Forum Two ex-GSoC students are available to speak about their experience with OWTF and GSoC. How did we hear about GSoC? Why did we choose OWTF? How did they contact the project leader? What is a proposal? How hard was it? How much time did it take? What did GSoC give them back? We expect to share our experiences with possible future-GSoC students and help them to better understand what it can offer.

Location room :E103

14h00 - 17h00: OWASP OWTF Wiki Review Because OWTF has grown really fast the past years, some part of the wiki might be out of date even though we worked hard to update it. Proof-read the Wiki Reproduce the steps described in the Wiki Find the out-dated information Remove/Update them We expect to have an up-to-date wiki by the end of this session or at least a list of known out-of-date information.

Location room :E103

OWASP Security Shepherd

10:30 - 12:00 - Challenge Brain Storm The Security Shepherd project needs fresh challenge idea.Security Shepherd currently sports ~60 challenges covering the topics listed by the OWASP Web and Mobile Top Ten. These challenges start simple and increment in difficulty as bad fixes become closer to being good fixes. However, the scope of bad fix examples that are presented in Security Shepherd are a fraction of what's possible. So drop in and lay out any of the security gaps you can think of in applications, no matter how simple or complex they are. It could be a XSS blacklist filter, session management flaw or even poor data storage on a mobile device. If participants want to get their hands dirty and implement their idea into a challenge, that would be more than welcome across the session.

14:00 - 16:00 - Mobile Application Challenges without Hard Coded keys Implement a mechanism where a user can log into a Security Shepherd server through a Mobile Challenge Application to facilitate user specific keys to be presentated. This mechanism would need to be crafted so it cannot be exploited to return keys for security challenges without completing the level.

Project website: https://www.owasp.org/index.php/OWASP_Security_Shepherd

Location room :E104

Wednesday 20th May


Summit https://groups.google.com/d/msg/zaproxy-develop/OlKKKEc2Bxo/TF-f8_aKO94J :

10:00h - 16h30 The ZAP summit is aimed at existing and prospective ZAP developers and is an opportunity to discuss all aspects of ZAP development and future direction. It is not planned to include any training on how to use ZAP.

The exact topics discussed will be agreed between the attendees at the start of the day, but are expected to cover things like: An introduction to ZAP and the attendees A review of ZAPs perceived strengths and weaknesses Discussions around the future direction of ZAP Areas of ZAP that people find difficult to contribute to Components of ZAP that attendees think need significant reworking How to encourage more participation Interworking with 3rd party tools The opportunity to focus on specific areas of interest to the attendees

Location: Room E103

OWASP Knowledge Based Authentication Performance Metrics

09h30 – 12h30. Project Review of the KBA standard contents with the project leaders and managers (Luis Enriquez, Ann Racuya-Robbin, Noreen Whysel). 15h00 – 18h00. Open discussion of the OWASP Security Labeling system project proposal (secure code, privacy, ingredients, and openness labels) -Should security become visible for normal users? -Should Owasp consider providing labels and certifications? -Expected audience : +20 people.

  • Searching for interaction with other project leaders, and the board

Location: Room E104

09:00 – 12:00 Cornucopia - Ecommerce Website Edition – Video

The objective is to create a short "how to play the Cornucopia card game" video during this half-day session. Cornucopia is a card game that helps identify security requirements, but people may not be familiar with how easy it is to get started. Participants for this session are needed to be players, to create a narrative, to video the game being played, and if there is time and anyone has the skill, to edit the video and sound into a release version. It is preferable if participants are already a little familiar with the game and/or threat modelling. If there is time, we will also discuss alternative game strategies like a Jeopardy format.

• Storyboarding
• Game play recording
• Editing
• Soundtrack
• Publish video.

Project website: https://www.owasp.org/index.php/OWASP_Cornucopia

Location: Room E104

9:30 - 11:30 Hackademics test coverage

Improve unit tests coverage. Currently, unit tests cover ~20% of the platform, this session will focus on doubling the test coverage. Deliverables: 40% unit and functional tests coverage.

Location: Room E104

13:30 – 17:00 AppSensor (Code) – Dashboard

The AppSensor v2.0.0 code implementation final release was undertaken in January. One of the tasks to continue with is the development of a reporting dashboard. This session is to brainstorm ideas and layouts for the dashboard, and identify what tools/libraries can assist in the creation of the dashboard. Bring ideas, energy, URLs, paper and pens! The outputs will be dashboard mockups.

• Introductions and objectives
• Information requirements
• User stories
• Information design
• Code libraries and frameworks.

Code roadmap: https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Road_Map_and_Getting_Involved Microsite http://www.appsensor.org/

Location: Room E104

14:00 - 17:00 Hackademics - Student performance metrics visualization

Currently, the platform gathers student performance metrics in the form of how long it took them to solve challenges, how many requests, how much time idle e.t.c. However, the only way for a teacher to see the numbers is with database access.(The data is gathered for the advanced scoring functionality but it is also very useful as performance analytics). We plan to use graphing libraries to create interactive graphs to visualize the comprehension of the student performance. It's a simple front-end feature which will improve the usability of the platform.

Location: Room E104

17:00-18:00 OWASP Automated Threats to Web Applications Project - Website Owner Experiences

The OWASP Automated Threats to Web Applications Project is undertaking research and will publish its outputs immediately prior to AppSec EU 2015. This meeting seeks input from training and conference attendees on their own organisations' experiences of automated attacks:

• What types of automated attacks occur and with what frequency?
• What were the symptoms?
• How are they detected?
• What incident response measures were taken?
• What steps were undertaken to prevent or mitigate such attacks?

Participation/contribution can be anonymous or otherwise. The intention is to update the published documents during the session and if possible create additional sector-specific guidance.

Location: Room E104

10h00 - 13h00: OWASP OWTF Architecture Audit

During the past three years, OWTF has know a fast growth thanks to different GSoC projects. But the initial architecture is no more suited for the project nowadays. Identify the different elements of OWTF Define the inter-dependencies Estimate the accuracy of such dependencies Remove unnecessary dependencies Draw a better architecture for OWTF We expect to have a draft of the next architecture better suited for the needs of OWTF by the end of this session.

Location: Room E104

14h00 - 15h00: OWASP OWTF CLI Assessment

Over the past year, the development has been mostly focused on the improvement of the Web User Interface. A side effect is that currently the Command Line Interface (CLI) is broken and does not meet the objectives initially set. Test the CLI Report all commands/flags that are broken Find out the best features that the CLI should offer Gather the findings and draw a new standard for the CLI We expect to have a new standard for the CLI that will be implemented this year in order to enhance and fix its behaviors. This could be part of a GSoC project depending of the output of the session.

Location: Room E104

15h00 - 17h00: OWASP OWTF Hack It For Fun

The OWTF project is written in Python and we want to show how easy it is to hack into the code base. We propose a small workshop where the students would customize OWTF the way the want. Presentation of small code snippets Customize the console output Customize the web interface Competition about Implementing small features We expect to show how easy it is for students to hack into the code base of OWTF. As a reward, the winners of the competition will be offered nice goodies :)

Location: Room E104

Project Developments: The Good , The Bad and the Ugly

17:00 - 17:30 Open Forum with Project leaders Forum discussion with project leaders and Board==>(1 hour session)

  • Why my project is not moving forward?
  • What can be done to help improve my project?
  • How to improve the actual situation of projects
  • How to improve the review process


  • Collect information and create a report
  • Use the session results and see how can we implement them
  • Inform leaders about the actual process

Location: Room E104

What is the Global Summit? Is it like AppSec or other OWASP conferences?

The OWASP Global Summit is the place where application security experts meet to discuss plans, projects and solutions for the future of application security. The Summit is not a conference - there are no talks or training seminars - this is an opportunity to do actual work to further the field of application security. We are holding the summit as part of our AppSec EU 2014 conference, but it is a separate activity from the conference itself. Participants will stay in shared accommodations and collaborate to produce tangible progress towards influencing standards, establishing roadmaps, and setting the tone for OWASP and application security for the coming years.

The Summit will consist of Summit Working Sessions with a variety of topics set by our community. Participants are free to attend any working session, but we encourage everyone to select working sessions for topics where they have the most to contribute. Anyone can attend the Summit! OWASP community members, application security experts, industry players, and developers are all welcome at the Summit. If you would like to receive a personalized invitation for yourself or another person, see the contact either Johanna Curiel (johanna.curiel@owasp.org)

When is the Summit?

The Summit will be held May 19th and 20th, 2015.

Where is the Summit being held?

Amsterdam RAI is one of the largest exhibition and conference centers in the Netherlands, hosting most of international trade fairs, exhibitions, and congresses held in Amsterdam. The complex consists of 22 conference rooms and 11 halls and has a total floor space of 87,000 m². The largest hall can seat 12,900 people. The complex also includes a musical and concert theatre and underground parking space for over 3,000 cars.

Amsterdam RAI Europaplein 1078 AZ, Amsterdam The Netherlandshttps://2015.appsec.eu/about-rai/

Who do I contact for help?

For general assistance in all matters related to the Summit, contact Johanna Curiel

For help with travel and accommodations, contact Johanna Curiel (johanna.curiel@owasp.org).

Where do I stay?


So who is being funded?

The first round of sponsored attendees will be selected based on their contribution to AppSec EU. These sponsored leaders are our Project Talk Speakers and Summit Session Leaders. Leaders with funding in their projects have also decided to use those project funds to assist with the summit, and give project talks at AppSec EU. Key summit assistants were also funded as they will be key to the successful running of a 4 day summit.

What does it mean to be a “sponsored” Summit attendee?

A sponsored summit leader must prepare and chair their scheduled summit session, and a sponsored summit assistant must be available to help with on-site logistics throughout the entirety of the summit.

Why do they get funded and not me?

Some of the criteria used for selection are:

  • Location: Leaders traveling closer from the region location are given preference
  • The project must be up to date and active


My employer needs an invitation letter/documentation to sponsor me to go. Where do I get this?

Please contact Samantha Groves with your request, and she will work with you on creating some personalized material for your employer/sponsor.

I need help convincing my employer to fund my Summit attendance - what should I tell them?

You can use the following points in your discussion: This year's Summit will be a gathering of OWASP leaders and key industry players to focus on a variety of important application security topics including browser security and cross-site scripting eradication. Attending the Summit will provide <EMPLOYEE NAME> with opportunities to:

  • Participate in the latest developments in application security and influence its trajectory
  • Gain new skills and technical knowledge for current application security projects
  • Find out where other companies are focusing their energy and resource
  • Increase visibility for <COMPANY’S NAME>

We believe that <EMPLOYEE’S NAME>’s attendance at the Global Summit is an worthwhile investment for both <COMPANY NAME> and <EMPLOYEE NAME>. Therefore, we are asking you to consider supporting <EMPLOYEE’S NAME> participation at this important event by donating <HIS/HER> time to attend the Summit.


I want to plan/run a working session. What do I need to do?

  1. If you haven't done so already, please add your name to the Summit Attendee page.
  2. After we know you plan to attend the Summit, visit the Summit working sessions page and determine if there is a working session already listed that you are interested in running/planning/leading, or if you have a new idea.
  3. If there is a session already listed without a leader, feel free to add your name as the leader and send Samantha Groves an email letting her know your intent. She can set you up with a working session page and let you know about any next steps. If a leader already is listed for the session you are interested in, add you your name as session member/attendee and email the leader to see what you can do to help.
  4. If you have a new idea, add your information to one of the blank rows under the appropriate track name, or under Track: OWASP if you don't see a good fit. Send Johanna Curiel (johanna.curiel@owasp.org) an email letting her know your intent. She can set you up with a working session page and let you know about any next steps.