Difference between revisions of "OWASP Working Session Top 10 2009"

From OWASP
Jump to: navigation, search
(Working Session Participants)
 
(24 intermediate revisions by 18 users not shown)
Line 25: Line 25:
 
  | colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">
 
  | colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">
 
* Discuss current Top10 structure and objectives,
 
* Discuss current Top10 structure and objectives,
 +
* Identify which information sources will be considered for analysis, Eg:
 +
** MITRE
 +
** Compromise DB's (Attrition, WASC etc) and bias due to reporting
 +
** Anonomised penetration test results and the difficulty in obtaining
 
* Define methodology to collect attacks statistics,
 
* Define methodology to collect attacks statistics,
 +
* Define prioritisation approach
 +
** Agree weighting between current or emerging threats
 
  |-
 
  |-
 
  | style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
 
  | style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
 
  | style="width:25%; background:#cccccc" align="center"|'''Venue'''<br>[[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]  
 
  | style="width:25%; background:#cccccc" align="center"|'''Venue'''<br>[[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]  
  | style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>Wednesday November 5, 2008<br>Time TBD
+
  | style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>November 5 & 7, 2008<br>Time TBD
 
  | style="width:25%; background:#cccccc" align="center"|'''Discussion Model'''<br>"Participants + Attendees"
 
  | style="width:25%; background:#cccccc" align="center"|'''Discussion Model'''<br>"Participants + Attendees"
 
  |}
 
  |}
Line 47: Line 53:
 
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION ADDITIONAL DETAILS'''  
 
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION ADDITIONAL DETAILS'''  
 
  |-
 
  |-
  | style="width:100%; background:#cccccc" align="center"|Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution
+
  | style="width:100%; background:#cccccc" align="left"|Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution.
 +
 
 +
Potential Resources:
 +
 
 +
* [http://cve.mitre.org/cve/ MITRE's Common Vulnerability Enumeration (CVE) Database]
 +
 
 +
* The [http://www.webappsec.org/projects/whid/whid.shtml WASC Web Hacking Incidents Database]
 +
 
 +
* The [http://www.webappsec.org/projects/statistics/ 2007 WASC Web Application Security Statistics Report]
 
  |}
 
  |}
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
Line 57: Line 71:
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|  
 
  | style="width:7%; background:#7B8ABD" align="center"|  
  | style="width:46%; background:#C2C2C2" align="center"|The revised OWASP Top 10 for 2009.
+
  | style="width:46%; background:#C2C2C2" align="center"|The sources of input for the 2009 Top 10 will be identified.
 
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
 
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|  
 
  | style="width:7%; background:#7B8ABD" align="center"|  
  | style="width:46%; background:#C2C2C2" align="center"|Fill in here.
+
  | style="width:46%; background:#C2C2C2" align="center"|The ordering scheme for the Top 10 will be determined.
 
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
 
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|
 
  | style="width:7%; background:#7B8ABD" align="center"|
  | style="width:46%; background:#C2C2C2" align="center"|Fill in here.
+
  | style="width:46%; background:#C2C2C2" align="center"|Discussion of whether the existing document structure should be maintained or adjusted.
 
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
 
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
  |}
+
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|
 +
| style="width:46%; background:#C2C2C2" align="center"|[http://uk.youtube.com/watch?v=GsRbpshqqII Video]
 +
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
 +
|}
 
== Working Session Participants ==
 
== Working Session Participants ==
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)
+
(Add your name by editing this table. On the right, just above this frame, you have the option to edit)
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
 
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION PARTICIPANTS'''  
 
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION PARTICIPANTS'''  
Line 79: Line 97:
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|1
 
  | style="width:7%; background:#7B8ABD" align="center"|1
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Paolo Perego
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Spike Reply
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"|As penetration tester it woud be great to me to participating in writing the new Top 10. As code reviewer and Orizon project leader it would be very interesting in scouting dynamic threats in order to add some dynamic feature to my tool.
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|2
 
  | style="width:7%; background:#7B8ABD" align="center"|2
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|David Campbell
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|OWASP Denver
 
  | style="width:63%; background:#cccccc" align="center"|
 
  | style="width:63%; background:#cccccc" align="center"|
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|3
 
  | style="width:7%; background:#7B8ABD" align="center"|3
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Robert Mann
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|RBS / ABN AMRO
 
  | style="width:63%; background:#cccccc" align="center"|
 
  | style="width:63%; background:#cccccc" align="center"|
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|4
 
  | style="width:7%; background:#7B8ABD" align="center"|4
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Troy Leach
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|[https://www.pcisecuritystandards.org/ PCI Security Standards Council]
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"|Technical Director
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|5
 
  | style="width:7%; background:#7B8ABD" align="center"|5
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Eoin Keary
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Ernst & Young. Long time OWASP member (Code and Testing guides)
 
  | style="width:63%; background:#cccccc" align="center"|
 
  | style="width:63%; background:#cccccc" align="center"|
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|6
 
  | style="width:7%; background:#7B8ABD" align="center"|6
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Matteo Meucci
  | style="width:15%; background:#cccccc" align="center"|  
+
  | style="width:15%; background:#cccccc" align="center"| Minded Security
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"| I'd like to discuss about a new way to create the Top10 from the OWASP Community
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|7
 
  | style="width:7%; background:#7B8ABD" align="center"|7
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Giorgio Fedon
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Minded Security
 
  | style="width:63%; background:#cccccc" align="center"|
 
  | style="width:63%; background:#cccccc" align="center"|
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|8
 
  | style="width:7%; background:#7B8ABD" align="center"|8
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Andrea Cogliati
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|OWASP Rochester, NY
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"|I volunteered as a technical writer
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|9
 
  | style="width:7%; background:#7B8ABD" align="center"|9
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Christian Martorella
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|S21sec
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"|Interested in participating on the creating the Top 10, share some ideas.
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|10
 
  | style="width:7%; background:#7B8ABD" align="center"|10
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Nishi Kumar
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"|Systems Architect (FIS) Global Web Development Group
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"|Interested in participating and sharing ideas
 +
 
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|11
 +
| style="width:15%; background:#cccccc" align="center"| Tom Brennan
 +
| style="width:15%; background:#cccccc" align="center"| OWASP/WhiteHat Security
 +
| style="width:63%; background:#cccccc" align="center"| Want to discuss some of the stats we can share with OWASP
 +
 
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|12
 +
| style="width:15%; background:#cccccc" align="center"| Georg Hess
 +
| style="width:15%; background:#cccccc" align="center"| OWASP Germany
 +
| style="width:63%; background:#cccccc" align="center"| mainly to get some insight into the process
 +
|
 +
 
 +
 
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|12
 +
| style="width:15%; background:#cccccc" align="center"| Arturo 'Buanzo' Busleiman
 +
| style="width:15%; background:#cccccc" align="center"| Independent
 +
| style="width:63%; background:#cccccc" align="center"| Expert Contributor for SANS TOP20 since 2005. want to contribute here.
 +
|
 +
 
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|12
 +
| style="width:15%; background:#cccccc" align="center"| Fabio Cerullo
 +
| style="width:15%; background:#cccccc" align="center"| AIB
 +
| style="width:63%; background:#cccccc" align="center"| Interested in participating on the creation of the Top 10, share some ideas.
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|12
 +
| style="width:15%; background:#cccccc" align="center"| Sébastien Gioria
 +
| style="width:15%; background:#cccccc" align="center"| OWASP France
 +
| style="width:63%; background:#cccccc" align="center"| Interested in reviewing and give some Point of View frome France ans some pentesting made here. Also interessted to translate it as soon as possible for our France Market.
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|13
 +
| style="width:15%; background:#cccccc" align="center"| Marco Mella
 +
| style="width:15%; background:#cccccc" align="center"| Independent
 +
| style="width:63%; background:#cccccc" align="center"|
 +
 
 
  |}
 
  |}
If needed add here more lines.
+
 
 +
 
 +
[[Category:OWASP_Working_Session]]

Latest revision as of 09:45, 18 December 2008

Working Sessions Operational Rules - Please see here the general frame of rules.
WORKING SESSION IDENTIFICATION
Work Session Name OWASP Top 10 2009
Short Work Session Description Aims to provide a key awareness document for web application security.
Related Projects (if any) OWASP Top Ten Project
Email Contacts & Roles Chair
Dave Wichers
Secretary
Jeff Williams
Mailing list
Subscription Page
WORKING SESSION SPECIFICS
Objectives
  • Discuss current Top10 structure and objectives,
  • Identify which information sources will be considered for analysis, Eg:
    • MITRE
    • Compromise DB's (Attrition, WASC etc) and bias due to reporting
    • Anonomised penetration test results and the difficulty in obtaining
  • Define methodology to collect attacks statistics,
  • Define prioritisation approach
    • Agree weighting between current or emerging threats
Venue/Date&Time/Model Venue
OWASP EU Summit Portugal 2008
Date&Time
November 5 & 7, 2008
Time TBD
Discussion Model
"Participants + Attendees"
WORKING SESSION OPERATIONAL RESOURCES
Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.
WORKING SESSION ADDITIONAL DETAILS
Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution.

Potential Resources:

WORKING SESSION OUTCOMES
Statements, Initiatives or Decisions Proposed by Working Group Approved by OWASP Board
The sources of input for the 2009 Top 10 will be identified. After the Board Meeting - fill in here.
The ordering scheme for the Top 10 will be determined. After the Board Meeting - fill in here.
Discussion of whether the existing document structure should be maintained or adjusted. After the Board Meeting - fill in here.
Video After the Board Meeting - fill in here.

Working Session Participants

(Add your name by editing this table. On the right, just above this frame, you have the option to edit)

WORKING SESSION PARTICIPANTS
Name Company Notes & reason for participating, issues to be discussed/addressed
1 Paolo Perego Spike Reply As penetration tester it woud be great to me to participating in writing the new Top 10. As code reviewer and Orizon project leader it would be very interesting in scouting dynamic threats in order to add some dynamic feature to my tool.
2 David Campbell OWASP Denver
3 Robert Mann RBS / ABN AMRO
4 Troy Leach PCI Security Standards Council Technical Director
5 Eoin Keary Ernst & Young. Long time OWASP member (Code and Testing guides)
6 Matteo Meucci Minded Security I'd like to discuss about a new way to create the Top10 from the OWASP Community
7 Giorgio Fedon Minded Security
8 Andrea Cogliati OWASP Rochester, NY I volunteered as a technical writer
9 Christian Martorella S21sec Interested in participating on the creating the Top 10, share some ideas.
10 Nishi Kumar Systems Architect (FIS) Global Web Development Group Interested in participating and sharing ideas
11 Tom Brennan OWASP/WhiteHat Security Want to discuss some of the stats we can share with OWASP
12 Georg Hess OWASP Germany mainly to get some insight into the process


12 Arturo 'Buanzo' Busleiman Independent Expert Contributor for SANS TOP20 since 2005. want to contribute here.
12 Fabio Cerullo AIB Interested in participating on the creation of the Top 10, share some ideas.
12 Sébastien Gioria OWASP France Interested in reviewing and give some Point of View frome France ans some pentesting made here. Also interessted to translate it as soon as possible for our France Market.
13 Marco Mella Independent