Difference between revisions of "OWASP Working Session Enterprise Security API Project"

From OWASP
(New page: {| style="width:100%" border="0" align="center" ! colspan="7" align="center" style="background:#b3b3b3; color:white"|<font color="black">'''Working Sessions Operational Rules''' - [[:Work...)
 
 
(12 intermediate revisions by 9 users not shown)
Line 6: Line 6:
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''
  | colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Education Project '''
+
  | colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Enterprise Security API Project '''
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description'''  
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description'''  
  | colspan="6" style="width:85%; background:#cccccc" align="left"|TBD
+
  | colspan="6" style="width:85%; background:#cccccc" align="left"|In this working session we will consider all aspects of the Enterprise Security API project. The goal of the project is to simplify security for developers to make secure code more likely. To achieve this goal we define clean intuitive APIs for standard security functionality. Ideally, these APIs will cover common security controls across web applications, web services, and even rich client applications. This working session will review the state of the project, discuss technical issues, discuss "marketing" of the project, prioritize project work items, and browbeat attendees into joining the project and making the world a safer place.
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)'''  
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)'''  
 
  | colspan="6" style="width:85%; background:#cccccc" align="left"|
 
  | colspan="6" style="width:85%; background:#cccccc" align="left"|
[[:Category:OWASP Education Project|OWASP Education Project]]
+
[[:Category:OWASP Enterprise Security API|OWASP Enterprise Security API (ESAPI) Project]]
 
  |-
 
  |-
 
  | style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
 
  | style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
  | style="width:25%; background:#cccccc" align="center"|'''Chair'''<br>[mailto:seba(at)owasp.org '''Sebastien Deleersnyder''']  
+
  | style="width:25%; background:#cccccc" align="center"|'''Chair'''<br>[mailto:jeff.williams(at)owasp.org '''Jeff Williams''']  
  | style="width:25%; background:#cccccc" align="center"|'''Secretary'''<br>[mailto:martin.knobloch(at)sogeti.nl '''Martin Knobloch''']
+
  | style="width:25%; background:#cccccc" align="center"|'''Secretary'''<br>[mailto:arshan.dabirsiaghi(at)aspectsecurity.com '''Arshan Dabirsiaghi''']
  | style="width:25%; background:#cccccc" align="center"|'''Mailing list'''<br>[https://lists.owasp.org/mailman/listinfo/owasp-education '''Subscription Page''']
+
  | style="width:25%; background:#cccccc" align="center"|'''Mailing list'''<br>[https://lists.owasp.org/mailman/listinfo/owasp-esapi '''Subscription Page''']
 
  |}
 
  |}
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
Line 25: Line 25:
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''
 
  | colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">
 
  | colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">
* How to improve knowledge transfer from OWASP projects towards the community,
+
Introduce everyone to the idea and cost-benefits of an ESAPI.  
* How to create training material (lessons, classes, courses) from OWASP project material?
+
* How to set up an OWASP education baseline,
+
* How to setup an OWASP Boot Camp,
+
* How to connect to organisation to promote OWASP education content: e.g. universities, other non-profit (or profit?) education organisations,
+
* How to organize the OWASP / Conference trainings to make them the best in the world?
+
* Can we integrate this into OWASP certification projects?
+
* How to setup an OWASP Boot Camp?
+
* How to create lessons, classes, courses from OWASP project material?
+
 
  |-
 
  |-
 
  | style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
 
  | style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
 
  | style="width:25%; background:#cccccc" align="center"|'''Venue'''<br>[[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]  
 
  | style="width:25%; background:#cccccc" align="center"|'''Venue'''<br>[[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]  
  | style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>November 5, 2008 <br>Time TBD
+
  | style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>November 5, 2008 <br>1:00 PM
  | style="width:25%; background:#cccccc" align="center"|'''Discussion Model'''<br>"Everybody is a Participant"
+
  | style="width:25%; background:#cccccc" align="center"|'''Discussion Model'''<br>"Participants + Attendees"  
 
  |}
 
  |}
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
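Review bot: the new first line of the Objectives cell, `Introduce everyone to the idea and cost-benefits of an ESAPI.`, drops the `*` list marker that every removed `* How to ...` item carried, so it renders as a bare sentence instead of a list item; prefix it with `*` if the cell is meant to stay a bullet list as further objectives are added. The added empty line just above the `|-` row separator can also be dropped.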
Line 55: Line 47:
 
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION ADDITIONAL DETAILS'''  
 
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION ADDITIONAL DETAILS'''  
 
  |-
 
  |-
  | style="width:100%; background:#cccccc" align="left"|There is plenty of knowledge available inside the OWASP community. This is spread via the OWASP AppSec Conferences and the local chapter meetings, not to forget the books available now. Another, very important way to distribute the available knowledge is to teach! In plenty presentations knowledge is put into slides to share it. The next step is to reuse the information of those presentations and create training material. In a Boot Camp for example, it's not only about telling how to break stuff, but let the attendees break it themselves. Also let them fix the problems, with guidance of the experienced!
+
  | style="width:100%; background:#cccccc" align="left"|Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution.
 
  |}
 
  |}
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
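Review bot: the replacement ADDITIONAL DETAILS cell reinstates the session template's placeholder (`Please add here, any additional notes, links, ideas, guidelines, etc...`) instead of ESAPI-specific preparation notes, so attendees get no pointer to what to read before the session; link the ESAPI project page or the material the session will review, or at least mark the cell as still to be filled in.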
Line 65: Line 57:
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|
 
  | style="width:7%; background:#7B8ABD" align="center"|
  | style="width:46%; background:#C2C2C2" align="center"|Educational Support on Winter of Code 2008.  
+
  | style="width:46%; background:#C2C2C2" align="center"|A volunteer to lead the 'marketing' campaign for ESAPI.
 
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
 
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|
 
  | style="width:7%; background:#7B8ABD" align="center"|
  | style="width:46%; background:#C2C2C2" align="center"|Guildeline about creating training material.  
+
  | style="width:46%; background:#C2C2C2" align="center"|Prioritized list of marketing ideas for the ESAPI concept.  
 
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
 
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|
 
  | style="width:7%; background:#7B8ABD" align="center"|
  | style="width:46%; background:#C2C2C2" align="center"|Fill in here.
+
  | style="width:46%; background:#C2C2C2" align="center"|Prioritized list of ideas for improving the API.  
 
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
 
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
  |}
+
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|
 +
| style="width:46%; background:#C2C2C2" align="center"|[http://uk.youtube.com/watch?v=-D_bymZ-8vI Video]
 +
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
 +
|}
 
== Working Session Participants ==
 
== Working Session Participants ==
 
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)
 
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)
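Review bot: the added `Video` row is appended directly after the existing `|}` table close; confirm that `|}` was moved rather than kept, since a `|-` placed after the table close falls outside the table and only the new closing `|}` would apply. The link label `Video` also says nothing about what the video covers; a label such as `Working session video` would be clearer.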
Line 87: Line 83:
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|1
 
  | style="width:7%; background:#7B8ABD" align="center"|1
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Matt Tesauro
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|OWASP Live CD Project Lead
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"|Curious about how various "ports" should be handled (lang != Java) <br> Run them as separate projects or sub-projects.  How are they synchronized, if at all?  What state are they in?  How bad will the browbeating be?
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|2
 
  | style="width:7%; background:#7B8ABD" align="center"|2
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Andrea Cogliati
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|OWASP Rochester, NY
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"|Interested in porting to other platforms (Ruby&Rails) and in integration issues with existing framework (Struts, Spring, ...)
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|3
 
  | style="width:7%; background:#7B8ABD" align="center"|3
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Alex Smolen
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Foundstone
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"|Author and Project Leader for .NET ESAPI
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|4
 
  | style="width:7%; background:#7B8ABD" align="center"|4
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Kuai Hinojosa
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|New York University
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"|Interesting in ESAPI for PHP and How to best implement the ESAPI.
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|5
 
  | style="width:7%; background:#7B8ABD" align="center"|5
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Fred Donovan
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Donovan Networks
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"|Interested in the structure and integrating this as a solution for Fortune 200 web development processes
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|6
 
  | style="width:7%; background:#7B8ABD" align="center"|6
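Review bot: row 4's note reads `Interesting in ESAPI for PHP and How to best implement the ESAPI.`; it should read `Interested in ESAPI for PHP and how to best implement the ESAPI.` The `|-` separators before rows 4, 5 and 6 are also unindented, unlike the other rows' separators; indent them to match.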
Line 137: Line 133:
 
  |}
 
  |}
 
If needed add here more lines.
 
If needed add here more lines.
 +
 +
[[Category:OWASP_Working_Session]]

Latest revision as of 12:33, 28 November 2008

Working Sessions Operational Rules - Please see here the general frame of rules.
WORKING SESSION IDENTIFICATION
Work Session Name: OWASP Enterprise Security API Project
Short Work Session Description: In this working session we will consider all aspects of the Enterprise Security API project. The goal of the project is to simplify security for developers to make secure code more likely. To achieve this goal we define clean intuitive APIs for standard security functionality. Ideally, these APIs will cover common security controls across web applications, web services, and even rich client applications. This working session will review the state of the project, discuss technical issues, discuss "marketing" of the project, prioritize project work items, and browbeat attendees into joining the project and making the world a safer place.
Related Projects (if any): OWASP Enterprise Security API (ESAPI) Project
Email Contacts & Roles:
Chair: Jeff Williams
Secretary: Arshan Dabirsiaghi
Mailing list: Subscription Page (https://lists.owasp.org/mailman/listinfo/owasp-esapi)
WORKING SESSION SPECIFICS
Objectives: Introduce everyone to the idea and cost-benefits of an ESAPI.
Venue/Date&Time/Model:
Venue: OWASP EU Summit Portugal 2008
Date&Time: November 5, 2008, 1:00 PM
Discussion Model: "Participants + Attendees"
WORKING SESSION OPERATIONAL RESOURCES
Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.
WORKING SESSION ADDITIONAL DETAILS
Please add here any additional notes, links, ideas, guidelines, etc. The objective is to help the working session participants and attendees prepare their participation/contribution.
WORKING SESSION OUTCOMES
Statements, Initiatives or Decisions Proposed by Working Group | Approved by OWASP Board
A volunteer to lead the 'marketing' campaign for ESAPI. | After the Board Meeting - fill in here.
Prioritized list of marketing ideas for the ESAPI concept. | After the Board Meeting - fill in here.
Prioritized list of ideas for improving the API. | After the Board Meeting - fill in here.
Video (http://uk.youtube.com/watch?v=-D_bymZ-8vI) | After the Board Meeting - fill in here.

Working Session Participants

(Add your name by editing this table. On the right, just above this frame, you have the option to edit.)

WORKING SESSION PARTICIPANTS
# | Name | Company | Notes & reason for participating, issues to be discussed/addressed
1 | Matt Tesauro | OWASP Live CD Project Lead | Curious about how various "ports" should be handled (lang != Java). Run them as separate projects or sub-projects. How are they synchronized, if at all? What state are they in? How bad will the browbeating be?
2 | Andrea Cogliati | OWASP Rochester, NY | Interested in porting to other platforms (Ruby&Rails) and in integration issues with existing frameworks (Struts, Spring, ...)
3 | Alex Smolen | Foundstone | Author and Project Leader for .NET ESAPI
4 | Kuai Hinojosa | New York University | Interested in ESAPI for PHP and how to best implement the ESAPI.
5 | Fred Donovan | Donovan Networks | Interested in the structure and integrating this as a solution for Fortune 200 web development processes
6 | | |
7 | | |
8 | | |
9 | | |
10 | | |

If needed, add more lines here.