Projects Summit 2013

From OWASP

Part of AppSec USA 2013. Related pages: Project Summit Home; 2013 OWASP Project Summit Report.




Introduction

The OWASP Project Summit is a smaller version of the much larger OWASP Summits. It gives project leaders the opportunity to showcase their project's progress and lets attendees sit down and work on project tasks during the event. It is an excellent opportunity to engage event attendees, and it gives project leaders the chance to move forward on their milestones while meeting potential new volunteers who can help with future ones.

For more details, see also the Project Summit pages on the OWASP AppSecUSA website: http://appsecusa.org/2013/activities/owasp-project-summit/

Working Sessions

Click on the working session name to see the home page for that particular session. During the Summit those working session home pages will be used to document discussions and outcomes.

If you're interested in adding a Working Session to the 2013 Summit, there is still time to start one. Please review the Working Session methodology for the Working Session rules.

NOTE: The current banners below are placeholders. Track topics are subject to change.

Monday, November 18

[Track banner: Projects]

Project Reviews (Owner/Leader: Johanna Curiel)

Objectives:
  1. Introduction to the new assessment criteria used to conduct reviews.
  2. Form small teams (2 to 3 people at most), grouped by experience and background, to assess a set of projects (Code, Tool or Documentation).
  3. Fill in the questionnaire (Google Forms) to complete the assessment of each project and give the review a final score and result (project classified as Incubator, Lab or Flagship).
  4. Review the questionnaire results with your team.
  5. Present the results and conclusions of the assessment session.
Outcomes / Deliverables:
  1. Review of all the current Flagship projects and some Lab and Incubator projects.
  2. Assign each reviewed project an appropriate stage designation based on the review.
  3. Update the project inventory based on the reviews.
  4. Create banners showing the stage of each project, to be placed on the wiki.


[Track banner: ESAPI]

ESAPI Hackathon (Owner/Leader: Chris Schmidt; Members/Attendees: Chris Schmidt, Kevin Wall, Jeff Williams)

Objectives:
  1. Sponsor two "senior developers" to attend the hackathon and take the lead role in the development effort. They will be involved in the architecture and goal-setting for the project, and attendees will be able to choose a component from the architecture to work on.
  2. Purchase a prize for the developer or team that accomplishes the most quality work, scored on the complexity of the component(s) they work on. The judges will be Jeff Williams, Kevin Wall and Chris Schmidt.
  3. Publish a set of guidelines for entries: primarily backwards compatibility and/or a clear upgrade path from ESAPI 2.x, testability, and the distribution model of the component.
Outcomes / Deliverables:
  1. Identify the primary goals by which the hackathon will be deemed a success.
  2. Lay out the overall architecture vision for ESAPI 3.0.
  3. Lay down the infrastructure (Git, continuous integration, testing framework, etc.).
  4. Design the specification for the components that will be required.
  5. Close down all inactive ESAPI projects.


OWASP Media Project (Owner/Leader: Jonathan.Marcil@owasp.org)

Objectives:
  1. The first and main instance of the project will be a YouTube channel.
  2. Gather potential sources and existing videos in order to populate the OWASP channel.
  3. Give projects exposure through video content.
Outcomes / Deliverables:
  1. Presentation of Google Hangouts.
  2. Presentation of the official OWASP YouTube channel.
  3. Potential sources and existing videos gathered to populate the OWASP channel.


OWASP PHP Security and RBAC Project (Owner/Leader: Abbas Naderi)

Objectives:
  1. Demonstrate and introduce the OWASP PHP Security Project, have people contribute to it, and have people use it in their own projects.
  2. The project is already developed; we will show sample usages and have people try to hack them (which should be impossible). We will also introduce the libraries and discuss what future work is needed on the project.
  3. The project is really interesting and has a worthwhile aim, and this session will help bring many more people into its community.

RBAC Project

  1. OWASP RBAC is a new, cutting-edge technology that can revolutionize the authorization domain. Unfortunately, because it is rigorous and complex, we haven't been very successful in expanding its usage.
  2. Let people know how good this is, and get them to use it in their applications. This is a fairly mature project and one of those things you don't know exists but, once you do, can't get enough of. We would also like contributors to port it to other programming languages.
Outcomes / Deliverables:
  1. The RBAC project aims to port and promote standard NIST Level 2 RBAC implementations.
  2. The OWASP PHP Security project plans to gather secure PHP libraries and provide a full-featured framework of libraries for secure web applications in PHP, both as separate, de-coupled libraries and as a whole secure web application framework.
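As an added illustration (not code from the OWASP RBAC project or the PHP Security project), the following Python sketch shows what a NIST Level 2, i.e. hierarchical, RBAC check involves: a senior role inherits the permissions of its junior roles, so an access decision has to walk the role hierarchy rather than look only at the roles a user holds directly, and it must deny by default for anything unknown. The roles, permissions and users are constructed for the example; the cycle check on role inheritance is an assumption about what a sound implementation should enforce.

```python
from typing import Dict, Set


class HierarchicalRBAC:
    """Hierarchical RBAC (constructed example, not the OWASP RBAC project's code).

    users -> directly assigned roles, roles -> junior roles they inherit from,
    roles -> directly granted permissions ("resource:action" strings).
    Everything is deny-by-default: unknown users, roles or permissions fail the check.
    """

    def __init__(self) -> None:
        self._inherits: Dict[str, Set[str]] = {}    # role -> junior roles it directly inherits from
        self._perms: Dict[str, Set[str]] = {}       # role -> permissions granted directly
        self._user_roles: Dict[str, Set[str]] = {}  # user -> roles assigned directly

    def add_role(self, role: str) -> None:
        self._inherits.setdefault(role, set())
        self._perms.setdefault(role, set())

    def add_inheritance(self, senior: str, junior: str) -> None:
        """Make `senior` inherit everything `junior` has (refusing cycles)."""
        for r in (senior, junior):
            if r not in self._inherits:
                raise ValueError(f"unknown role: {r}")
        # A role must not transitively inherit from itself: every role in the
        # cycle would become equivalent and the hierarchy would be meaningless.
        if senior == junior or senior in self.role_closure(junior):
            raise ValueError(f"inheritance {senior} -> {junior} would create a cycle")
        self._inherits[senior].add(junior)

    def grant(self, role: str, permission: str) -> None:
        if role not in self._perms:
            raise ValueError(f"unknown role: {role}")
        self._perms[role].add(permission)

    def assign(self, user: str, role: str) -> None:
        if role not in self._inherits:
            raise ValueError(f"unknown role: {role}")
        self._user_roles.setdefault(user, set()).add(role)

    def role_closure(self, role: str) -> Set[str]:
        """The role itself plus every role it inherits from, transitively (iterative DFS)."""
        seen: Set[str] = set()
        stack = [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self._inherits.get(r, ()))
        return seen

    def effective_roles(self, user: str) -> Set[str]:
        roles: Set[str] = set()
        for r in self._user_roles.get(user, ()):
            roles |= self.role_closure(r)
        return roles

    def permissions(self, user: str) -> Set[str]:
        perms: Set[str] = set()
        for r in self.effective_roles(user):
            perms |= self._perms.get(r, set())
        return perms

    def check(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)


def build_example() -> HierarchicalRBAC:
    """Constructed hierarchy: lead > engineer > employee, plus an unrelated auditor role."""
    rbac = HierarchicalRBAC()
    for role in ("employee", "engineer", "lead", "auditor"):
        rbac.add_role(role)
    rbac.add_inheritance("engineer", "employee")
    rbac.add_inheritance("lead", "engineer")
    rbac.grant("employee", "timesheet:submit")
    rbac.grant("engineer", "repo:push")
    rbac.grant("lead", "repo:approve")
    rbac.grant("auditor", "audit_log:read")
    rbac.assign("alice", "lead")
    rbac.assign("bob", "engineer")
    rbac.assign("carol", "auditor")
    return rbac


if __name__ == "__main__":
    rbac = build_example()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(rbac.permissions(user)))
```

Running the module lists each user's effective permissions: alice gets timesheet:submit through two levels of inheritance, carol's auditor role shares nothing with the engineering chain, and dave, who was never assigned a role, gets nothing.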


Bug Bounty Session (Owner/Leader: Dinis Cruz)

Objectives:
  1. Collaboration, learning and sharing knowledge, by creating an environment where attendees can get together in a 'live hacking' event.
  2. To keep things focused, the 'targets' will be companies that have public bug bounty programs: companies that accept, and want to be, targets for such ethical hacking activities.
  3. Each participant will be asked to use common sense and to respect a couple of 'soft' rules of engagement, in addition to each program's own published scope and rules.
  4. All participants are encouraged to share their ideas, techniques and discoveries.
  5. In addition to the bug bounty targets, we will also add a couple of open source apps so that the 'builders' have the opportunity to fix the source code and the 'breakers' can do source-code analysis.
Outcomes / Deliverables:
  1. Authorization to attack/test the 'targets'.


AppSensor 2.0 Hackathon (Owner/Leader: John Melton)

Objectives:
  1. Build code for AppSensor 2.0.
  2. Move to a service model, exposing both REST and SOAP interfaces for event detection and response.
  3. Make it possible to identify and eliminate the threat from an attacker before they are able to identify an exploitable flaw.
Outcomes / Deliverables:
  1. Define detection points.
  2. Provide guidance on how to respond once a malicious attacker has been identified.
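The detection-point and response model the session refers to, as an added illustration in Python (not code from the AppSensor project; what it shows is language-agnostic): each detection point carries a threshold, events are counted per user inside a time window, reaching the threshold issues the configured response, and a user who keeps triggering responses is escalated to a stronger one. The detection point identifiers, thresholds, response names, window length and escalation rule are all assumptions made for this example, as is the constructed event stream.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import DefaultDict, Dict, List, Optional, Tuple

# Detection points -> (threshold, response). The identifiers loosely follow the
# AppSensor naming style (RE = request, IE = input, AE = authentication,
# SE = session), but these points, thresholds and responses are assumptions
# made for this example, not the project's catalogue.
DETECTION_POINTS: Dict[str, Tuple[int, str]] = {
    "RE1_unexpected_http_method": (1, "log"),
    "IE1_unexpected_parameter": (3, "warn_user"),
    "AE2_failed_login": (5, "lock_account"),
    "SE1_modified_cookie": (1, "terminate_session"),
}

WINDOW_SECONDS = 300.0            # events older than this no longer count (assumption)
ESCALATION_COUNT = 3              # responses in the window before escalating (assumption)
ESCALATED_RESPONSE = "disable_account"


@dataclass
class Event:
    user: str
    detection_point: str
    timestamp: float


class AppSensor:
    def __init__(self) -> None:
        # Per (user, detection point): timestamps of events not yet "spent" by a response.
        self._events: DefaultDict[Tuple[str, str], List[float]] = defaultdict(list)
        # Per user: timestamps of responses already issued, used for escalation.
        self._responses: DefaultDict[str, List[float]] = defaultdict(list)
        self.log: List[Tuple[str, str, str]] = []  # (user, detection point, response)

    def add_event(self, event: Event) -> Optional[str]:
        """Record one event; return the response issued, or None if below threshold."""
        if event.detection_point not in DETECTION_POINTS:
            raise ValueError(f"unknown detection point: {event.detection_point}")
        threshold, response = DETECTION_POINTS[event.detection_point]
        key = (event.user, event.detection_point)
        cutoff = event.timestamp - WINDOW_SECONDS
        bucket = [t for t in self._events[key] if t > cutoff]  # drop aged-out events
        bucket.append(event.timestamp)
        if len(bucket) < threshold:
            self._events[key] = bucket
            return None
        # Threshold reached: clear the bucket so the next response needs a fresh run.
        self._events[key] = []
        recent = [t for t in self._responses[event.user] if t > cutoff]
        recent.append(event.timestamp)
        self._responses[event.user] = recent
        if len(recent) >= ESCALATION_COUNT:
            response = ESCALATED_RESPONSE
        self.log.append((event.user, event.detection_point, response))
        return response


def simulate() -> List[Tuple[str, str, str]]:
    """Run a constructed event stream through the engine; return the responses issued."""
    sensor = AppSensor()
    stream = [
        # (seconds offset, user, detection point) - constructed sample traffic
        (0, "alice", "IE1_unexpected_parameter"),    # one stray parameter: no response
        (1, "mallory", "IE1_unexpected_parameter"),
        (2, "mallory", "IE1_unexpected_parameter"),
        (3, "mallory", "IE1_unexpected_parameter"),  # 3rd in window -> warn_user
        (4, "mallory", "SE1_modified_cookie"),       # threshold 1 -> terminate_session
        (5, "mallory", "AE2_failed_login"),
        (6, "mallory", "AE2_failed_login"),
        (7, "mallory", "AE2_failed_login"),
        (8, "mallory", "AE2_failed_login"),
        (9, "mallory", "AE2_failed_login"),          # 5th -> 3rd response -> escalated
        (400, "alice", "IE1_unexpected_parameter"),  # alice's first event has aged out
        (401, "alice", "IE1_unexpected_parameter"),  # only 2 in window: still no response
    ]
    for offset, user, detection_point in stream:
        sensor.add_event(Event(user, detection_point, 1000.0 + offset))
    return sensor.log


if __name__ == "__main__":
    for user, detection_point, response in simulate():
        print(f"{user:8} {detection_point:28} -> {response}")
```

Running the module prints the three responses issued to mallory, the last one escalated from the detection point's own lock_account to disable_account because it is her third response inside the window; alice never crosses a threshold because her events are spread across windows.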


Tuesday, November 19

[Track banner: Education]

OWASP Training Development Session (Owner/Leader: Konstantinos Papapanagiotou; Members/Attendees: Martin Knobloch, Konstantinos Papapanagiotou)

Objectives:
  1. OWASP Boot Camp development.
  2. OWASP Training events brainstorming session and planning.
Outcomes / Deliverables:
  1. Develop a roadmap for an OWASP Boot Camp Program.
  2. Develop a handful of ideas for an OWASP Training Program.


OWASP Academies Development Session (Owner/Leader: Martin Knobloch; Members/Attendees: Konstantinos Papapanagiotou, Martin Knobloch)

Objectives:
  1. OWASP Academies discussion.
  2. OWASP University Outreach.
  3. OWASP Student Chapters.
Outcomes / Deliverables:
  1. Develop a roadmap for the OWASP Academies Program for 2014.


ESAPI Hackathon (continued; objectives, deliverables and leaders as listed under Monday, November 18)


Mobile Security Project (Owner/Leader: Jack Mannino, Jason Haddix, Daniel Miessler)

Objectives:
  1. The primary focus is the application layer.
  2. Target the areas where the average developer can make a difference.
  3. Focus on the mobile applications deployed to end-user devices.
  4. Focus on the broader server-side infrastructure with which the mobile apps communicate.
  5. Place heavy emphasis on the integration between the mobile application, remote authentication services, and cloud platform-specific features.
Outcomes / Deliverables:
  1. Top Ten Mobile Risks
  2. Mobile Tools
  3. Mobile Security Testing
  4. Mobile Cheat Sheet Series
  5. Secure Mobile Development


Bug Bounty Session (continued; objectives, deliverables and leader as listed under Monday, November 18)


Wednesday, November 20

[Track banner: Writing]

Project Guide Review Session (Owner/Leader: Michael Hidalgo)

Objectives:
  1. Figure out what else needs to be done for each guide.
  2. Assign sections to each participant.
  3. Finish the sections assigned to you.
  4. Consolidate all finished sections.
Outcomes / Deliverables:
  1. Finished content for the AppSensor Book.
  2. Finished content for the Development Guide.
  3. Finished content for the Code Review Guide.
  4. Finished content for the Testing Guide.

ESAPI Hackathon (continued; objectives, deliverables and leaders as listed under Monday, November 18)


Bug Bounty Session (continued; objectives, deliverables and leader as listed under Monday, November 18)


PCI Toolkit Working Session

Objectives:
  1. Help determine whether the system components of your network fall within the PCI-DSS requirements.
  2. Create an assessment and a final report of your scope delimitation.
Outcomes / Deliverables:
  1. A beta version will be released in December 2013.



OWASP O2 Documentation Session

Objectives:
  1. Discuss the development of an O2 Handbook.
  2. Develop a documentation outline and assign sections to attendees.
Outcomes / Deliverables:
  1. An alpha version will be released in December 2013.


Thursday, November 21

[Track banner: ZAP]

ZAP Hackathon Session (Owner/Leader: Simon Bennetts; Members/Attendees: Johanna Curiel)

Objectives:
  1. Explain how people can contribute to ZAP.
  2. Demonstrate how to set up a ZAP development environment.
  3. Explain the ZAP code structure.
  4. Show people how to write scripts, active/passive scan rules, add-ons and core changes, and how to improve the docs and localization.
  5. Let people hack on the ZAP code and docs with full support and guidance.
Outcomes / Deliverables:
  1. A set of enhancements attendees can work on.
  2. Everyone with access to a ZAP dev environment.
  3. An understanding of the ZAP code structure.
  4. An understanding of how to develop ZAP code.
  5. A set of small enhancements that can be committed immediately.

ESAPI Hackathon (continued; objectives, deliverables and leaders as listed under Monday, November 18)



Bug Bounty Session (continued; objectives, deliverables and leader as listed under Monday, November 18)


Open SAMM (Owner/Leader: Sebastien Deleersnyder)

Objectives:
  1. Evaluate an organization's existing software security practices.
  2. Build a balanced software security program in well-defined iterations.
  3. Demonstrate concrete improvements to a security assurance program.
  4. Define and measure security-related activities within an organization.
Outcomes / Deliverables:
  1. Flexibility.
  2. A model that can be applied organization-wide.




Summit Organisation Pages

These are pages with organization details about this event

Reference Links: