Difference between revisions of "Builders"

From OWASP
(Added John Wilander, initiator of the OWASP Builders)
(4 intermediate revisions by one user not shown)
Line 10: Line 10:
 
<br> '''What Are OWASP Communities?'''
 
<br> '''What Are OWASP Communities?'''
  
Builders, Breakers and [http://www.owasp.org/index.php/Defenders Defenders]; the idea of OWASP Communities is to bring together experts in the area that they are best at with the common goal of advancing the state of application security.  This approach allows similar groups of professionals and experts to tackle security problems with the involvement of the most relevant stakeholders.  The intent is to drive high quality output that is immediately usable by the target audience.  More information about this vision can be found [http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html here].
+
Builders, [http://www.owasp.org/index.php/Breakers Breakers] and [http://www.owasp.org/index.php/Defenders Defenders]; the idea of OWASP Communities is to bring together experts in the area that they are best at with the common goal of advancing the state of application security.  This approach allows similar groups of professionals and experts to tackle security problems with the involvement of the most relevant stakeholders.  The intent is to drive high quality output that is immediately usable by the target audience.  More information about this vision can be found [http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html here].
  
 
|  
 
|  
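Review bot: the new Breakers link (and the existing Defenders link beside it) uses external-link syntax with a hard-coded http://www.owasp.org URL for a page on this same wiki; the table added further down links the Zed Attack Proxy page with internal syntax ([[:OWASP Zed Attack Proxy Project|...]]). Using [[Breakers]] and [[Defenders]] here keeps the links tracked as internal links and avoids the plain-http scheme.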
Line 23: Line 23:
 
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br>  
 
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br>  
  
Want to contribute to the OWASP Builders Community? <br>Add your info and send an email to [mailto:john.wilander@owasp.org john.wilander@owasp.org]
+
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br>  
<br>  
+
  
 +
{| cellspacing="1" cellpadding="1" style="width: 404px; height: 413px;"
 +
|-
 +
| [[Image:John_Wilander_090626-346_(for_web).jpg‎|100px]]<br>
 +
| '''John Wilander''' <br> [https://www.owasp.org/index.php/Global_Conferences_Committee/ Member of the Global Conferences Committee]<br> [https://www.owasp.org/index.php/Sweden OWASP Sweden Chapter Co-Leader] <br> john.wilander@owasp.org <br> http://appsandsecurity.blogspot.com/ <br> [https://twitter.com/johnwilander @johnwilander]
 +
|
 +
|
 +
|-
 +
| [[Image:SimonBennetts-OWASP.jpg]]<br>
 +
| '''Simon Bennetts''' <br> [[:OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy Project]] Lead <br> psiinon@owasp.org <br> http://pentest4devs.blogspot.com/ <br> @psiinon
 +
|
 +
|
 +
|-
 +
| Your pic; <br>
 +
| '''Your name'''<br> ''Your company/project'' <br> ''Your email'' <br> ''Your website'' <br> ''Your twitter''
 +
|
 +
|
 +
|-
 +
| Your pic; <br>
 +
| '''Your name'''<br> ''Your company/project'' <br> ''Your email'' <br> ''Your website'' <br> ''Your twitter''
 +
|
 +
|}
 +
 +
 +
 +
Want to contribute to the OWASP Builders Community? <br>Add your info and send an email to [mailto:john.wilander@owasp.org john.wilander@owasp.org]
 +
<br>
  
 
==== Developer Outreach  ====
 
==== Developer Outreach  ====
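Review bot: the table added in this hunk has an inconsistent cell count: the first three rows end with two empty cells (`|` twice after the profile cell) while the last row has only one before `|}`, so the final row renders short. The two profile cells are also marked up differently (the Twitter handle for John Wilander is a link, `[https://twitter.com/johnwilander @johnwilander]`, while Simon Bennetts's `@psiinon` is plain text), the placeholder rows read `Your pic;` with a stray semicolon, and the fixed `height: 413px` in the table style will not grow as members are added. The `&nbsp;` spacer and `<br>` lines kept above the table now only produce blank space once the "Want to contribute" line moves below it.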
Line 72: Line 97:
 
* ''Information is hard to find.'' [C# developer, 4 years experience]
 
* ''Information is hard to find.'' [C# developer, 4 years experience]
  
==== Official Defender Projects  ====
+
==== Official Builder Projects  ====
  
 
To be determined  
 
To be determined  
  
==== All Breaker Related Projects ====
+
==== All Builder Related Projects ====
All projects that are related to the OWASP Builders community can be found at the following link: [[:Category:OWASP_Builders]]
+
All projects that are related to the OWASP Builders community can be found at the following link: [[:Category:OWASP Builders]]
  
  
  
 
__NOTOC__ <headertabs /> <br>
 
__NOTOC__ <headertabs /> <br>
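Review bot: renaming "Official Defender Projects" and "All Breaker Related Projects" to the Builder variants fixes headings copied from the sibling community pages, but the "Official Builder Projects" body still reads "To be determined" in both revisions; either list the projects or drop the heading until there is content. The change from [[:Category:OWASP_Builders]] to [[:Category:OWASP Builders]] is cosmetic only, since MediaWiki treats underscores and spaces in titles as the same link target.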

Revision as of 07:09, 10 March 2012

OWASP Builders

Builders Community

A community of security professionals and stakeholders with the common goal of advancing the state of security in the area of application development.


What Are OWASP Communities?

Builders, Breakers and Defenders; the idea of OWASP Communities is to bring together experts in the area that they are best at with the common goal of advancing the state of application security. This approach allows similar groups of professionals and experts to tackle security problems with the involvement of the most relevant stakeholders. The intent is to drive high quality output that is immediately usable by the target audience. More information about this vision can be found here.

[Image: OWASP-vision.jpg]


The Community

John Wilander [Image: John Wilander 090626-346 (for web).jpg]
Member of the Global Conferences Committee
OWASP Sweden Chapter Co-Leader
john.wilander@owasp.org
http://appsandsecurity.blogspot.com/
@johnwilander

Simon Bennetts [Image: SimonBennetts-OWASP.jpg]
OWASP Zed Attack Proxy Project Lead
psiinon@owasp.org
http://pentest4devs.blogspot.com/
@psiinon

Your pic;
Your name
Your company/project
Your email
Your website
Your twitter


Want to contribute to the OWASP Builders Community?
Add your info and send an email to john.wilander@owasp.org

Developer Outreach

Get involved in the Developer Outreach by subscribing to the ...

The first priority of the Builders Community is to reach out to developers and ask what application security is lacking today. An initial lightweight outreach was performed in early March 2011.

Developers' Security Itches March 2011

The overall results of the initial outreach can be seen in the diagram below (categorization by John Wilander; the full text of the responses is available via the links below). This is a first glimpse at what developers think the problems and challenges for application security are.

[Image: Developer outreach iteration 1.png]

The full data is searchable via the online database https://www.grubba.net (account 'owasp'/'owasp') or available as a .csv file here.

"Lack of Security in Frameworks"

Here's what the developers said in the number one category "Lack of Security in Frameworks":

Question: What are your security itches?

  • NMP (not my problem), aka should be handled by the used frameworks (spring, struts, etc). [Java and C# developer, 5 years of experience]
  • The idea that you can tackle all security problems with spring security. [Java and C# developer, 5 years of experience]
  • I want more/most/all implementation-level security issues taken care of at the language and framework level. There are far too many security problems that are left to developers to understand and take care of. [Java and JavaScript developer, 15 years experience]
  • Libraries and frameworks have insecure defaults (example: JSP's c:out). Webapp frameworks don't keep up with the security landscape, and there are no quick fixes to add security to these. No central place for developers for different languages and frameworks, making it hard to find the good solutions (making people solve the same problems over and over, with different success rate). [Java and JavaScript developer, 6 years of experience]
  • Things I don't have control over. 3rd party DB drivers, image libraries, all kind of framework. [C# and Java developer, 10 years of experience]
  • Frameworks missing mechanisms for solving common security problems (CSRF, http-only etc.) [Java and Ruby developer, 3 years experience]
  • Lack of security support in frameworks. [Java developer, 15 years of experience]
  • Picking secure components. [Java and Scala developer, 8 years of experience]
  • Missing a lot of functionality in frameworks for handling common security issues. [Java and JavaScript developer, 10 years of experience]
  • Secure by default, i.e. default settings in frameworks would be nice. [Java and JavaScript developer, 10 years of experience]

"Security Info Hard to Find"

Here's what the developers said in the runner-up category "Security Info Hard to Find":

Question: What are your security itches?

  • Security is very seldom covered in the channels developers listen to, e.g. developer conferences. [Java and JavaScript developer, 10 years experience]
  • Which tools are good enough? Which frameworks are good enough? Can I trust Google when searching for security solutions? How else to ask? [Java developer, 12 years experience]
  • There are resources for that? [C# developer, 10 years experience]
  • The security info channels you listen to are too noisy. Hard to know what's a real problem. [Java and JavaScript developer, 10 years experience]
  • Would like to see a matrix with various frameworks on one axis and security issues such as OWASP Top 10 on the other. Cells contain links to solutions. [Java and JavaScript developer, 10 years experience]
  • Would like a comparison of what is supported and not in the different web frameworks with regard to security (escaping & encoding, sql-injection, etc). [C# and Ruby developer, 3 years experience]
  • Can't find resources. [PHP developer, 15 years experience]
  • Information is hard to find. [C# developer, 4 years experience]

Official Builder Projects

To be determined

All Builder Related Projects

All projects that are related to the OWASP Builders community can be found at the following link: Category:OWASP Builders