Difference between revisions of "Summit 2011 Outcomes"

From OWASP
m (Video & Pictures of Summit)
 
(44 intermediate revisions by 2 users not shown)
Line 1: Line 1:
''Global Summit 2011 Outcomes - please note that this is a work in progress. If you have any comments, corrections, or questions please contact [mailto:sarah.baso@owasp.org Sarah Baso]''
+
If you have any comments, corrections, or questions about the information contained in this page or related links, please contact [mailto:sarah.baso@owasp.org Sarah Baso]
  
==Acknowledgements==
+
==Final Report==
 +
[http://sl.owasp.org/summit2011_finalreport View OWASP Summit 2011: Post-Summit Report and Working Sessions Outcomes]
 +
 
 +
* [http://www.lulu.com/product/paperback/owasp-summit-2011-post-summit-report-and-working-session-outcomes/16364260 Purchase] black & white copy of report on Lulu.com or free PDF download
 +
* [http://www.lulu.com/product/paperback/owasp-summit-2011-post-summit-report-and-working-session-outcomes/16364260 Purchase] full color copy of report on Lulu.com or free PDF download
  
  
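Review bot: the two Lulu bullets added in this hunk point at the same product URL (product id 16364260) while one is labelled "black & white" and the other "full color"; either the full-color bullet needs its own product link or the two bullets should be merged into one, since as written a reader cannot reach a colour edition from this page.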
Line 7: Line 11:
 
*[[Summit_2011/Summit_Results_Summary|Global Summit 2011 Press Release & Results Summary]] ([http://www.owasp.org/images/2/27/OWASP_Summit_2011_Results.pdf View PDF Format])([http://www.owasp.org/images/5/54/OWASP_Summit_2011_Results.docx View Word Format])
 
*[[Summit_2011/Summit_Results_Summary|Global Summit 2011 Press Release & Results Summary]] ([http://www.owasp.org/images/2/27/OWASP_Summit_2011_Results.pdf View PDF Format])([http://www.owasp.org/images/5/54/OWASP_Summit_2011_Results.docx View Word Format])
  
*'''[[Media:Summit_Outcomes.pptx|Summit Outcomes ppt]]<br/>
+
*[[Media:Summit_Outcomes.pptx|Summit Outcomes ppt]]<br/>
  
 +
*Interview with Jeff Williams - http://www.vimeo.com/25335824 <br>
 +
*Interview with Tom Brennan - http://www.vimeo.com/23889097
  
 
==Summit Background==
 
==Summit Background==
 +
(included in final report)
  
  
 
==2011 Summit Finances & Budget==
 
==2011 Summit Finances & Budget==
*Breakdown of 2011 Summit Budget, Operational and Travel <br/>
+
*Summit 2011 Financials: [https://spreadsheets.google.com/ccc?key=0ApZ9zE0hx0LNdFBXS3k3aGdSdTYwQ2dfbmhjaEdUTEE&hl=en Summary of Expenses and Income] and [https://spreadsheets.google.com/a/owasp.org/ccc?key=0ApZ9zE0hx0LNdGJuVDlCU2xaUm9sc2pGMFEydXhYVWc&hl=en#gid=0 Summit Travel and Accommodations Costs]
Summit 2011 Financials [https://spreadsheets.google.com/ccc?key=0ApZ9zE0hx0LNdFBXS3k3aGdSdTYwQ2dfbmhjaEdUTEE&hl=en Summary of Expenses and Income] and [https://spreadsheets.google.com/a/owasp.org/ccc?key=0ApZ9zE0hx0LNdGJuVDlCU2xaUm9sc2pGMFEydXhYVWc&hl=en#gid=0 Summit Travel and Accommodations Costs]
+
  
 
*Comparison to 2008 Summit Budget
 
*Comparison to 2008 Summit Budget
Line 22: Line 28:
  
 
==2011 Summit Lessons Learned==
 
==2011 Summit Lessons Learned==
 +
(included in final report)
  
  
Line 27: Line 34:
  
 
===Browser Security===
 
===Browser Security===
Here are the notes from all the four browser security sessions. John Wilander is working on a Browser Security Report building on these sessions.
 
  
[http://www.owasp.org/images/6/6d/OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf Site Security Policy notes (pdf)]<br>
+
[https://docs.google.com/document/d/1KcdJKBG_ZMuqWoy6RQRS6HNsKgXkGbuayEjK-PXwD2U/edit?hl=en_US&authkey=CKy3gO8M Browser Security Report]
 +
 
 +
 
 +
'''Notes from the 5 Browser Security Sessions'''<br>
  
 
[http://www.owasp.org/images/0/06/OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf DOM Sandboxing notes (pdf)]<br>
 
[http://www.owasp.org/images/0/06/OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf DOM Sandboxing notes (pdf)]<br>
Line 39: Line 48:
 
[http://www.owasp.org/images/f/f7/OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf Enduser Warnings notes (pdf)]
 
[http://www.owasp.org/images/f/f7/OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf Enduser Warnings notes (pdf)]
  
 +
[http://www.owasp.org/images/6/6d/OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf Site Security Policy notes (pdf)]<br>
  
===XSS Eradication===
 
XSS and the Frameworks &  XSS - Awareness, Resources, and Partnerships (Justin Clarke) - [https://docs.google.com/document/d/1Qxj9_mV3Ocl1klTH0PQivi9SQS0C9Mc6AYkxsAEidgM/edit?hl=en_US&authkey=CMPpvKkO Combined Working Session Notes]<br>
 
  
 +
===XSS Eradication===
 
[https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet DOM based XSS Prevention Cheat Sheet] (Jim Manico & Abraham Kang)<br>
 
[https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet DOM based XSS Prevention Cheat Sheet] (Jim Manico & Abraham Kang)<br>
  
WAF Mitigation for XSS (Ryan Barnett)<br>
+
[[Summit_2011_Working_Sessions/Session009|XSS and the Frameworks: XSS - Awareness, Resources, and Partnerships]] (Justin Clarke) - [https://docs.google.com/document/d/1Qxj9_mV3Ocl1klTH0PQivi9SQS0C9Mc6AYkxsAEidgM/edit?hl=en_US&authkey=CMPpvKkO Working Session Notes]<br>
 +
 
 +
[[Summit_2011_Working_Sessions/Session043|WAF Mitigation for XSS: Virtual Patching Best Practices]] (Ryan Barnett) - [https://docs.google.com/document/d/1gx5LAFfU07IOR5BtgDRUBF3CetsABXsuCECoGGa4Xqo/edit?hl=en_US&authkey=CLvq7M0H Working Session Notes]<br>
  
  
 
===Metrics===
 
===Metrics===
Risk Metrics (Chris Wysopal) & Metrics and Labeling (Chris Eng) - [https://docs.google.com/document/d/1OWKzMuqjabrXYaVhdMvcLbLbBtLjPRuq2iXxNZBqBHM/edit?hl=en_US&authkey=CNin8vsH Working Session Transcripts]<br>
+
[[Summit_2011_Working_Sessions/Session058|Counting and Scoring Application Security Defects]] (Chris Eng & Chris Wysopal) - [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzNmMTViZjgtZTZhNy00ZjQ3LTgxNzQtMDQ4YWM3Njc4NzFi&hl=en_US&authkey=CM_-3OQB Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey]<br>
  
Counting and Scoring Application Security Defects (Chris Eng & Chris Wysopal) - [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzNmMTViZjgtZTZhNy00ZjQ3LTgxNzQtMDQ4YWM3Njc4NzFi&hl=en_US&authkey=CM_-3OQB Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey]<br>
+
[[Summit_2011_Working_Sessions/Session055|Risk Metrics: Metrics and Labeling]] (Chris Eng & Chris Wysopal) - [https://docs.google.com/document/d/1OWKzMuqjabrXYaVhdMvcLbLbBtLjPRuq2iXxNZBqBHM/edit?hl=en_US&authkey=CNin8vsH Working Session Transcripts]<br>
  
Formal Risk Assessment Methods (Benjamin Tomhave) <br>
+
===Individual OWASP Projects===
 +
[[ASVS|Application Security Verification Standard (ASVS) Project]] (Dave Wichers)<br>
  
 +
[[Projects/OWASP_Development_Guide|Development Guide]] (Vishal Garg)<br>
  
 +
[http://www.opensamm.org/ OpenSAMM] (Pravir Chandra) - [http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/ BSIMM activities mapped to SAMM]<br>
  
===Mitigation===
+
[[OWASP_Common_Numbering_Project|OWASP Common Structure and Numbering for All Guides]] (Keith Turpin/Matteo Meucci/Vishal Garg)<br>
Virtual Patching Best Practices (Ryan Barnett) - [https://docs.google.com/document/d/1gx5LAFfU07IOR5BtgDRUBF3CetsABXsuCECoGGa4Xqo/edit?hl=en_US&authkey=CLvq7M0H Working Session Notes]<br>
+
  
Scaling Web Application Security Testing (Arian Evans & Dinis Cruz)<br>
+
[[OWASP_Common_Numbering_Project|OWASP Common Vulnerability List]] (Meucci/Keary/Agarwal) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNOTkzNmYwN2YtNWZmZC00NjdhLTk1ZjMtMmU5NjQ5ZThhYmVl&hl=en_US&authkey=CNPQ4LkG CVL ppt presentation created by Matteo Meucci]<br>
  
Microsoft’s SDL in 16 Steps (and lessons learned) (Jeremy Dallman)<br>
+
[[OWASP Java Project]] (Lucas Ferreira) - [[Summit_2011_Working_Sessions/Session053/Deliverable_1|Action Plan for the Java Project]], [[Summit_2011_Working_Sessions/Session053/Deliverable_2|New Project Leader]]<br>
  
 +
[[OWASP Mobile Security Project]] (Mike Zusman) - [https://docs.google.com/document/d/1vDB6FMCFHLqpEfB-SPlG0hliKak8flnUvJ1fwZPa-qM/edit?hl=en_US&authkey=CI_Mj4wJ Working Session Notes]<br>
  
===University, Education, and Training===
+
[[OWASP O2 Platform]] (Dinis Cruz)<br>
[[:Category:OWASP_Education_Project|OWASP Education Project]] (Martin Knobloch)<br>
+
  
[[OWASP Training]] (Sandra Paiva) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNY2I5M2YwMjMtMGJjNi00ZjZkLWJkYmUtZmU0YjhjNjc4NzYx&hl=en_US&authkey=COzlt4cC Working Session Notes]<br>
+
[[OWASP Portuguese Language Project]] (Lucas Ferreira) - [[Summit_2011_Working_Sessions/Session048/Deliverable_1|Working Session Outcomes]]<br>
  
[[OWASP Academies| University Outreach - OWASP Academies]] (Sandra Paiva) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNZGE2MmE4MjAtYmEwYS00M2NmLTk2ZjYtNmM3ODc2MDQyODBm&hl=en_US&authkey=CPHdmtIB Working Session Notes], [[OWASP Academy Portal Project]]<br>
+
[[Summit_2011_Working_Sessions/Session203|OWASP Project Disclosure Policies]] (Chris Schmidt) - [[Summit_2011_Working_Sessions/Session203/Deliverable_1|OWASP Project Disclosure Policy]], [[Summit_2011_Working_Sessions/Session203/Deliverable_2|OWASP Security Bulletin Template]]<br>
  
[[Summit_2011_Working_Sessions/Session069|OWASP Top 10 Online Training in Hacking-Lab]] (Ivan Buetler)<br>
+
[[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]] (Keith Turpin) - [https://docs.google.com/document/d/12SMf5i0zRSYEeHfYrJtWHSqy-dnSZq72OkTaMa_UM3U/edit?hl=en_US&authkey=CNjU_5oP Working Session Notes]<br>
  
[[OWASP_Student_Chapters_Program|University Outreach - OWASP College Chapter Program]] (Martin Knobloch) (renamed "OWASP Student Chapters Program")<br>
+
[[OWASP Testing Project|OWASP Testing Guide]] (Matteo Meucci) - [https://docs.google.com/document/d/11vERv8lf0xrEgdi37iLbuJL2rqjAsgP8icoE4rMtL50/edit?hl=en_US&authkey=CPLqrfoJ Working Session Notes], [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMWVmZTE5ZTctOTZkYy00MGZiLWE1N2UtNDE1NjEwZDg2MGRi&hl=en_US&authkey=CJfF-KwL Planning the OWASP Testing Guide 4.0 ppt presentation]<br>
  
[[OWASP Exams Project]] (Jason Taylor)<br>
+
[[Threat Modeling]] (Anurag Agarwal) - [https://docs.google.com/document/d/1QnCgW7Sr1cGx6cg3EKOqxhvNyx9G6xmFP5Mksebd3Ts/edit?hl=en_US&authkey=CLexzjE Working Session discussion points and notes]<br>
  
[[OWASP_Working_Session_-_OWASP_Certification|OWASP Certification]] (Jason Taylor & Jason Li) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMTlkMDUxNGEtZmM1MS00ODI2LWEwMDYtMjU1Nzc4ZWEwYmJk&hl=en_US&authkey=CNbHmJkP Certification Code of Conduct Draft]<br>
 
  
 +
===Secure Coding Workshop===
 +
[[:Category:Summit_2011_OWASP_Secure_Coding_Workshop_Track|General Information on the OWASP Secure Coding Track]] - [https://code.google.com/p/secure-coding-workshop/ Code Repository (Google)]<br>
  
  
===Secure Coding Workshop===
+
[[Summit_2011_Working_Sessions/Applying_ESAPI_Input_Validation|Applying ESAPI Input Validation]] (Chris Schmidt)<br>
OWASP Secure Coding Practices (Keith Turpin)<br>
+
  
Protecting Information Stored Client-Side (John Steven)<br>
+
[[Summit_2011_Working_Sessions/Session034|Contextual Output Encoding: ESAPI-CORE]] (Chris Schmidt & Jim Manico)<br>
  
Providing Access to Persisted Data (Dan Cornell) - [https://docs.google.com/document/d/1bdmsNimmANJnRaVOpxYL1jVGutEMF84cK_iSjhSo40o/edit?hl=en_US&authkey=CIfD594I Working Session Notes]]<br>
+
[[Summit_2011_Working_Sessions/Session026|Defining AppSensor Detection Points]] (Michael Coates) - [https://lists.owasp.org/pipermail/owasp-appsensor-project/2011-February/000208.html Working Session Notes], [http://code.google.com/p/appsensor/source/browse/#svn%2Ftrunk%2FAppSensor-Tutorial Updated AppSensor-Tutorial code with new lessons and lesson structure enhancements], [https://www.owasp.org/index.php/AppSensor_Developer_Guide AppSensor Updated Getting Started Guide for new adopters and developers leveraging feedback from session]<br>
  
Contextual Ourput Encoding (Chris Schmidt)<br>
+
[[Summit_2011_Working_Sessions/Session028|Protecting Information Stored Client-Side]] (John Steven)<br>
  
ESAPI-CORE (Jim Manico)<br>
+
[[Summit_2011_Working_Sessions/Session030|Providing Access to Persisted Data]] (Dan Cornell) - [https://docs.google.com/document/d/1bdmsNimmANJnRaVOpxYL1jVGutEMF84cK_iSjhSo40o/edit?hl=en_US&authkey=CIfD594I Working Session Notes]<br>
  
Applying ESAPI input Validation (Chris Schmidt)<br>
 
  
Defining AppSensor Detection Points (Michael Coates)<br>
+
===University, Education, and Training===
 +
[[:Category:OWASP_Education_Project|OWASP Education Project]] (Martin Knobloch)<br>
  
Secure Development Guidelines for Smartphone Developers (Giles Hogben)<br>
+
[[OWASP_Working_Session_-_OWASP_Certification|OWASP Certification]] (Jason Taylor & Jason Li) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMTlkMDUxNGEtZmM1MS00ODI2LWEwMDYtMjU1Nzc4ZWEwYmJk&hl=en_US&authkey=CNbHmJkP Certification Code of Conduct Draft]<br>
  
 +
[[OWASP Exams Project]] (Jason Taylor)<br>
  
===Individual OWASP Projects===
+
[[OWASP Hackademic Challenges Project]] (Kostas Papapanagiotou & Vasileros Vlachos)<br>
[[Summit_2011_Working_Sessions/Session068|Enterprise Web Defense Roundtable]] (Michael Coates & Chris Lyon) - [http://etherpad.mozilla.org:9000/OWASP-EWDR Etherpad Notes Page with Agenda, Slides & Background Reading]<br>
+
  
[[Threat Modeling]] (Anurag Agarwal) - [https://docs.google.com/document/d/1QnCgW7Sr1cGx6cg3EKOqxhvNyx9G6xmFP5Mksebd3Ts/edit?hl=en_US&authkey=CLexzjE Working Session discussion points and notes]<br>
+
[[Summit_2011_Working_Sessions/Session069|OWASP Top 10 Training in Hacking-Lab]] (Ivan Buetler) - [https://www.hacking-lab.com/ Hacking Lab Website]<br>
  
[[OWASP_Common_Numbering_Project|OWASP Common Vulnerability List]] (Meucci/Keary/Agarwal) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNOTkzNmYwN2YtNWZmZC00NjdhLTk1ZjMtMmU5NjQ5ZThhYmVl&hl=en_US&authkey=CNPQ4LkG CVL ppt presentation created by Matteo Meucci]<br>
+
[[OWASP Training]] (Sandra Paiva) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNY2I5M2YwMjMtMGJjNi00ZjZkLWJkYmUtZmU0YjhjNjc4NzYx&hl=en_US&authkey=COzlt4cC Working Session Notes]<br>
  
[[OWASP_Common_Numbering_Project|Common Structure and Numbering for All Guides]] (Keith Turpin/Matteo Meucci/Vishal Garg)<br>
+
[[OWASP Academies| University Outreach - OWASP Academies]] (Sandra Paiva) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNZGE2MmE4MjAtYmEwYS00M2NmLTk2ZjYtNmM3ODc2MDQyODBm&hl=en_US&authkey=CPHdmtIB Working Session Notes], [[OWASP Academy Portal Project]]<br>
  
[[OWASP Testing Project|OWASP Testing Guide]] (Matteo Meucci) - [https://docs.google.com/document/d/11vERv8lf0xrEgdi37iLbuJL2rqjAsgP8icoE4rMtL50/edit?hl=en_US&authkey=CPLqrfoJ Working Session Notes], [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMWVmZTE5ZTctOTZkYy00MGZiLWE1N2UtNDE1NjEwZDg2MGRi&hl=en_US&authkey=CJfF-KwL Planning the OWASP Testing Guide 4.0 ppt presentation]<br>
+
[[OWASP_Student_Chapters_Program|University Outreach - OWASP College Chapter Program]] (Martin Knobloch) (renamed "OWASP Student Chapters Program")<br>
  
[[OWASP Mobile Security Project]] (Mike Zusman) - [https://docs.google.com/document/d/1vDB6FMCFHLqpEfB-SPlG0hliKak8flnUvJ1fwZPa-qM/edit?hl=en_US&authkey=CI_Mj4wJ Working Session Notes]<br>
 
  
[[Projects/OWASP_Development_Guide|Development Guide]] (Vishal Garg)<br>
+
===OWASP Internal Governance and Global Committees===
 +
[[Global Chapters Committee]] (Seba Deleersnyder) - [[Summit_2011_Working_Sessions/Session018/Deliverable_1|Working Session Meeting Minutes]]<br>
  
[[ASVS|Application Security Verification Standard (ASVS) Project]] (Dave Wichers)<br>
+
[[Global Conferences Committee]] (Mark Bristow) - [https://docs.google.com/a/owasp.org/document/d/1-dlyY97XAiDSphFA3rSedc_19rp3r7vfiH1L34wezpU/edit?hl=en_US Working Session/Monthly Committee Meeting Minutes]<br>
  
[[OWASP Portuguese Language Project]] (Lucas Ferriera)<br>
+
[[Global Education Committee]] (Martin Knobloch)<br>
  
[[OWASP Hackademic Challenges Project]] (Kostas & Vasileros Vlachos)<br>
+
[[Global Industry Committee]] (Eoin Keary & Colin Watson) - [https://docs.google.com/document/d/1XtFXZuyzCmRAxMTwmtSmz4zQ9m7yAdqOFO7c0PLYDLw/edit?hl=en_US&authkey=CPPl898J Working Session Notes], [https://www.surveymonkey.com/s/SCJBX7R 2011 Industry Outreach Survey]<br>
  
[[OWASP Java Project]] (Lucas Ferriera)<br>
+
[[Global Membership Committee]] (Dan Cornell) - [https://docs.google.com/document/d/1lsoExx4UW-dpjRgRlZaJq0BQPf4lRxRQPI56McMfUBs/edit?hl=en_US&authkey=COO8kd4E Working Session Notes], [[Membership|Membership page with changes subsequent to 2011 Summit]]<br>
  
[http://www.opensamm.org/ OpenSAMM] (Pravir Chandra)<br>
+
[[Global Projects Committee]] (Jason Li & Brad Causey) - [[GPC_2011_Summit_Outcomes|Summary of Outcomes and Post-Summit Progress]], [https://lists.owasp.org/pipermail/global-projects-committee/2011-February/001777.html February GPC Meeting Minutes] <br>
  
[http://www.opensamm.org/ The Future of OpenSAMM] (Pravir Chandra)<br>
+
[[Summit_2011_Working_Sessions/Session013|OWASP Board & Global Committee Governance]] (Mark Bristow) - [[Talk:Summit_2011_Working_Sessions/Session013|Working Session Rationale]], [[Membership/2011Election|2011 Board of Directors Election Information]], [https://docs.google.com/a/owasp.org/document/d/1r_hS2ioEBcNOKqmEjSJmlLUOdQEb5qPb_0GU_VU1Arw/edit?hl=en&authkey=CLe5nZwD New Bylaws]<br>
  
[[Summit_2011_Working_Sessions/Session203|OWASP Project Disclosure Policies]] (Chris Schmidt) - [[Summit_2011_Working_Sessions/Session203/Deliverable_1|OWASP Project Disclosure Policy]], [[Summit_2011_Working_Sessions/Session203/Deliverable_2|OWASP Security Bulletin Template]], [[Summit_2011_Working_Sessions/Session203/Deliverable_3|Project Adherence Rules]]<br>
+
[[Summit_2011_Working_Sessions/Session251|OWASP Chapters:Asia/Pacific Working Group]] (Helen Gao) - [[Summit_2011_Working_Sessions/Session251|Working Group Outcomes]]<br>
  
[[OWASP O2 Platform]] (Dinis Cruz)<br>
+
[[Summit_2011_Working_Sessions/Session035|OWASP Chapters: Building the OWASP Brazilian Leaders Group]] (Lucas Ferreira) - [[Summit_2011_Working_Sessions/Session035/Deliverable_1|Objectives and action plan to improve OWASP presence in Brazil]]<br>
  
 +
[[Summit_2011_Working_Sessions/Session077|OWASP Funding and CEO Discussion]] (Keith Turpin) - [https://docs.google.com/document/d/1WghR2_ID1ZNUJqtjZhQHPcEpdbGt_RRR7snu7b8xTvU/edit?hl=en_US&authkey=CNClgtMN Working Session Notes], [https://docs.google.com/document/d/1eZPomybmFn1NIQjg-UquncYhrdfc86WIGMO6_5V84ls/edit?hl=en_US&authkey=CO3n74gG List of suggestions from Funding and CEO discussion], [[Talk:Summit_2011_Working_Sessions/Session077|Arguments for hiring an OWASP CEO]]<br>
  
===OWASP Governance and Committees===
+
[[OWASP_Licenses|OWASP Licensing]] (Abraham Kang) - [https://docs.google.com/document/d/1zDR7ufDk4-lsjFptv2w2mJbyIrKW6NLAPeGuKrhbu-A/edit?hl=en_US&authkey=CLb5r4sK Working Session Notes], [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzI5NGQxMzItNDFiZS00ZWYyLThiYjQtZTY2ZDYyYmMxNWRh&hl=en_US&authkey=CJzZ3sQP OWASP Licensing PowerPoint], [https://docs.google.com/document/d/14dXwV8XbUqPZ4_b5wWJPxaTi8FJb1GWp98DjJQKbRek/edit?hl=en_US&authkey=CMvsidkO Licensing - Questions for follow up] <br>
[[Global Education Committee]] (Martin Knobloch)<br>
+
  
[[Global Industry Committee]] (Eoin Keary & Colin Watson) - [https://docs.google.com/document/d/1XtFXZuyzCmRAxMTwmtSmz4zQ9m7yAdqOFO7c0PLYDLw/edit?hl=en_US&authkey=CPPl898J Working Session Notes]<br>
+
[[Working_Sessions_OWASP_Website|Overhauling the OWASP Website]] (Jason Li) - [[Summit_2011_Working_Sessions/Session023/Deliverable_1|Summary of Outcomes]]<br>
  
[[Global Projects Committee]] (Jason Li & Brad Causey)<br>
+
[[OWASP Points|OWASP Points - Tracking OWASP Participation]] (Mark Bristow)<br>
  
[[Global Membership Committee]] (Dan Cornell) - [https://docs.google.com/document/d/1lsoExx4UW-dpjRgRlZaJq0BQPf4lRxRQPI56McMfUBs/edit?hl=en_US&authkey=COO8kd4E Working Session Notes]<br>
 
  
[[Global Chapters Committee]] (Seba Deleersnyder)<br>
+
===Other OWASP Initiatives===
  
[[Global Conferences Committee]] (Mark Bristow)<br>
+
[[OWASP Codes of Conduct|Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies]] (Dinis Cruz & Jeff Williams) - [https://docs.google.com/document/d/1F5HI3ddSxf-gF2qM_fNaEb2u73nsnrJXm3VmbsVVo28/edit?hl=en_US&authkey=CPy0gZwH Draft OWASP Codes of Conduct Document]<br>
 +
 
 +
[[Summit_2011_Working_Sessions/Session068|Enterprise Web Defense Roundtable]] (Michael Coates & Chris Lyon) - [http://etherpad.mozilla.org:9000/OWASP-EWDR Etherpad Notes Page with Agenda, Slides & Background Reading]<br>
  
 
[[Summit_2011_Working_Sessions/Session036|Government Outreach]] (Doug Wilson) - [[Summit_2011_Working_Sessions/Session036/Deliverable_1|Working Session Outcome]]<br>
 
[[Summit_2011_Working_Sessions/Session036|Government Outreach]] (Doug Wilson) - [[Summit_2011_Working_Sessions/Session036/Deliverable_1|Working Session Outcome]]<br>
  
OWASP Funding and CEO Discussion (Keith Turpin) [https://docs.google.com/document/d/1WghR2_ID1ZNUJqtjZhQHPcEpdbGt_RRR7snu7b8xTvU/edit?hl=en_US&authkey=CNClgtMN Working Session Notes] <br>
+
[[Summit_2011_Working_Sessions/Session262|Healthcare Industry Outreach]] & [[Summit_2011_Working_Sessions/Session263|Banking/Finance Industry Outreach]] ( Lorna Alamri) - [https://docs.google.com/document/d/1YsQC2J6GIqvE69agde25xDE4LsZIZN-bKMrFbAatywU/edit?hl=en_US&authkey=CK35nnc Vertical Outreach Notes], [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNYmM4Y2Y3YWEtMTU5YS00NGU0LTk1NTgtYjk1MzdiOWZkMWQ5&hl=en_US&authkey=CP3ZsqMK Industry Outreach Mapping]<br>  
  
OWASP Board/Committee Governance (Mark Bristow)<br>
+
[[Summit_2011_Working_Sessions/Session082|How can OWASP reach/talk/engage with auditors?]] (Matthew Chalmers) - [https://docs.google.com/document/d/1Kv5Qb9JeTaxBvCJMksSi3XlI0Sk77kdRVxj8-PY3jMI/edit?hl=en_US&authkey=COqF7e4M Working Session Notes]<br>
  
[[OWASP Points]] - Tracking OWASP Participation (Mark Bristow)<br>
+
[[Summit_2011_Working_Sessions/Session073|Privacy - Personal Data/PII, Legislation and OWASP]] (Colin Watson) - [https://docs.google.com/document/d/1iemUPPunBlWC7rBCALirPLN662rdYHQPPCerDzKIO6c/edit?hl=en_US&authkey=CLmG9nQ Working Session Notes]<br>
  
[[OWASP_Licenses|OWASP Licensing]] (Abraham Kang) - [https://docs.google.com/document/d/1zDR7ufDk4-lsjFptv2w2mJbyIrKW6NLAPeGuKrhbu-A/edit?hl=en_US&authkey=CLb5r4sK Working Session Notes], [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzI5NGQxMzItNDFiZS00ZWYyLThiYjQtZTY2ZDYyYmMxNWRh&hl=en_US&authkey=CJzZ3sQP OWASP Licensing PowerPoint], [https://docs.google.com/document/d/14dXwV8XbUqPZ4_b5wWJPxaTi8FJb1GWp98DjJQKbRek/edit?hl=en_US&authkey=CMvsidkO Licensing - Questions for follow up] <br>
+
[[Summit_2011_Working_Sessions/Session080|Should OWASP work directly with PCI-DSS?]] (Matthew Chalmers) - [https://docs.google.com/document/d/19s9oXr2-wvaGI7Wka44ii5amsUflfTEvCweTBMV7Dew/edit?hl=en_US&authkey=CKmbgLoI Working Session Notes]<br>
  
[[OWASP Codes of Conduct]] (Dinis Cruz & Jeff Williams) - [https://docs.google.com/document/d/1F5HI3ddSxf-gF2qM_fNaEb2u73nsnrJXm3VmbsVVo28/edit?hl=en_US&authkey=CPy0gZwH Draft Document]]<br>
 
Building the OWASP Brazilian Leaders Group (Lucas Ferriera)<br>
 
  
OWASP Asia/Pacific Working Group (Helen Gao)<br>
 
  
Industry - Healthcare (Joe Bernik & Lorna Alamri)<br>
+
==Summit Team & Attendee Bios==
  
Industry - Banking/Finance (Joe Bernik & Lorna Alamri)<br>
+
* [[Media: Attendee_Bios_for_Outcomes_-_Participants.pdf|Summit Attendees and Staff Bios]]
  
  
===Miscellaneous===
+
==Summit-Related Blog Posts==
Privacy - Personal Data/PII, Legislation and OWASP (Colin Watson) - [https://docs.google.com/document/d/1iemUPPunBlWC7rBCALirPLN662rdYHQPPCerDzKIO6c/edit?hl=en_US&authkey=CLmG9nQ Working Session Notes]<br>
+
[http://www.clerkendweller.com/2011/2/8/OWASP-Summit-2011-Part-1 Colin Watson - 3 part Recap/Reflections on OWASP Summit 2011, 8-Feb-2011]<br>
  
Overhauling the OWASP Website (Jason Li)<br>
+
[http://www.carlosserrao.net/2011/02/owasp-summit-2011/ Carlos Serrão - OWASP Summit 2011, 9-Feb-2011]<br>
  
Should OWASP work directly with PCI-DSS? (Matthew Chalmers) - [https://docs.google.com/document/d/19s9oXr2-wvaGI7Wka44ii5amsUflfTEvCweTBMV7Dew/edit?hl=en_US&authkey=CKmbgLoI Working Session Notes]<br>
+
[http://www.secureconsulting.net/2011/02/evolving_owasp_reflections_on.html Ben Tomhave - Evolving OWASP: Reflections on the 2011 Summit, 11-Feb-2011]<br>
  
How can OWASP reach/talk/engage with auditors? (Matthew Chalmers) - [https://docs.google.com/document/d/1Kv5Qb9JeTaxBvCJMksSi3XlI0Sk77kdRVxj8-PY3jMI/edit?hl=en_US&authkey=COqF7e4M Working Session Notes]<br>
+
[http://appsandsecurity.blogspot.com/2011/02/fears-hopes-for-owasp.html John Wilander - Fears & Hopes for OWASP, 13-Febr-2011]<br>
  
Developer Outreach (Mark Bristow & Jason Li)<br>
+
[http://diniscruz.blogspot.com/2011/02/owasp-summit-2011-results.html Dinis Cruz - OWASP Summit 2011 Results, 15-Feb-2011]<br>
  
 +
[http://yet-another-dev.blogspot.com/search/label/owasp%20summit Chris Schmidt - Dear OWASP Summit, Obrigado, 16-Feb-2011]<br>
  
==Summit Team & Attendee Bios==
+
[http://supplychaintechnology.wordpress.com/2011/02/17/notes-from-owasp-2011-summit-published/ Supply Chain Technology - Notes from the OWASP 2011 Summit Published, 17-Feb-2011]
  
===Support Staff Bios===
+
[http://www.curphey.com/2011/02/owasp-has-it-reached-a-tipping-point/ Mark Curphey - OWASP - Has it reached a tipping point?, 19-Feb-2011]<br>
* [[Media:Attendee_Bios_for_Outcomes_-_Staff.pdf|Summit Support Staff Bios]]
+
  
 +
[http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html Michael Coates - A Vision for OWASP, 21-Feb-2011]<br>
  
===Attendee Bios===
+
[http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/ Pravir Chandra - BSIMM activities mapped to SAMM, 3-Mar-2011]<br>
* [[Media: Attendee_Bios_for_Outcomes_-_Participants.pdf|Summit Participant Bios]]
+
  
  
==Summit-Related Blog Posts==
+
==Video & Pictures of Summit==
 +
Video clips of the Summit recorded by [[User:Zakiakhmad|Zaki Akhmad]], a Summit Attendee & OWASP Chapter Leader from [[Indonesia|Indonesia]].  Full video of the Summit Working Sessions is forthcoming.
 +
 
 +
*[http://www.youtube.com/watch?v=w6nuPCxCyC8 Summit 2011 - Governance Session, part 1]
 +
*[http://youtu.be/6HnA3NY7gR0 Summit 2011 - Governance Session, part 2]
 +
*[http://youtu.be/RStrwZGgz0U Summit 2011 - Wrap Up Session #1]
 +
*[http://youtu.be/O0eD-CeQld4 Summit 2011 - Browser Security Wrap Up]
 +
*[http://youtu.be/ZB2JM4xgtBQ Summit 2011 - ESAPI Working Session]
 +
*[http://youtu.be/GRWCgbZF3_g Summit 2011 - Chapter Leader Working Session]
 +
 
 +
 
 +
Pictures of the Summit:
 +
*[https://picasaweb.google.com/owaspphotos/OWASPSummit# Pictures taken by Ofer Maor, a Summit Attendee & OWASP Chapter Leader from Israel]
 +
*[https://picasaweb.google.com/103488670506331805557/OWASPSummit2011Portugal?authkey=Gv1sRgCLSQr-TtgqrGEA&feat=directlink# Pictures taken by Vlatko Kosturjak, a Summit Attendee & OWASP Chapter Leader from Croatia]
 +
*[https://picasaweb.google.com/carlos.j.serrao/OWASPSummit2011?authkey=Gv1sRgCN3g-7qmu_i93QE# Pictures taken by Carlos Serrão, a Summit Attendee & OWASP Chapter Leader from Portugal]
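Review bot: two small defects in the added lines of this hunk: the John Wilander blog entry is dated "13-Febr-2011" where every other entry in the list uses the "DD-Mon-YYYY" form (so "13-Feb-2011"), and the Healthcare/Banking outreach entry carries a stray space in "( Lorna Alamri)". Suggest fixing both so the blog-post dates and the session-leader attributions stay consistent across the list.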

Latest revision as of 06:19, 19 January 2012

If you have any comments, corrections, or questions about the information contained in this page or related links, please contact Sarah Baso


Final Report

View OWASP Summit 2011: Post-Summit Report and Working Sessions Outcomes

  • Purchase black & white copy of report on Lulu.com or free PDF download
  • Purchase full color copy of report on Lulu.com or free PDF download


Press Release & Media Mentions

Summit Background

(included in final report)


2011 Summit Finances & Budget

  • Comparison to 2008 Summit Budget
  • Projection of costs needed for future Summit


2011 Summit Lessons Learned

(included in final report)


Appendix: Working Session Details and Documentation

Browser Security

Browser Security Report


Notes from the 5 Browser Security Sessions

DOM Sandboxing notes (pdf)

HTML5 Security notes (pdf)

EcmaScript 5 Security notes (pdf)

Enduser Warnings notes (pdf)

Site Security Policy notes (pdf)


XSS Eradication

DOM based XSS Prevention Cheat Sheet (Jim Manico & Abraham Kang)

XSS and the Frameworks: XSS - Awareness, Resources, and Partnerships (Justin Clarke) - Working Session Notes

WAF Mitigation for XSS: Virtual Patching Best Practices (Ryan Barnett) - Working Session Notes


Metrics

Counting and Scoring Application Security Defects (Chris Eng & Chris Wysopal) - Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey

Risk Metrics: Metrics and Labeling (Chris Eng & Chris Wysopal) - Working Session Transcripts

Individual OWASP Projects

Application Security Verification Standard (ASVS) Project (Dave Wichers)

Development Guide (Vishal Garg)

OpenSAMM (Pravir Chandra) - BSIMM activities mapped to SAMM

OWASP Common Structure and Numbering for All Guides (Keith Turpin/Matteo Meucci/Vishal Garg)

OWASP Common Vulnerability List (Meucci/Keary/Agarwal) - CVL ppt presentation created by Matteo Meucci

OWASP Java Project (Lucas Ferreira) - Action Plan for the Java Project, New Project Leader

OWASP Mobile Security Project (Mike Zusman) - Working Session Notes

OWASP O2 Platform (Dinis Cruz)

OWASP Portuguese Language Project (Lucas Ferreira) - Working Session Outcomes

OWASP Project Disclosure Policies (Chris Schmidt) - OWASP Project Disclosure Policy, OWASP Security Bulletin Template

OWASP Secure Coding Practices - Quick Reference Guide (Keith Turpin) - Working Session Notes

OWASP Testing Guide (Matteo Meucci) - Working Session Notes, Planning the OWASP Testing Guide 4.0 ppt presentation

Threat Modeling (Anurag Agarwal) - Working Session discussion points and notes


Secure Coding Workshop

General Information on the OWASP Secure Coding Track - Code Repository (Google)


Applying ESAPI Input Validation (Chris Schmidt)

Contextual Output Encoding: ESAPI-CORE (Chris Schmidt & Jim Manico)

Defining AppSensor Detection Points (Michael Coates) - Working Session Notes, Updated AppSensor-Tutorial code with new lessons and lesson structure enhancements, AppSensor Updated Getting Started Guide for new adopters and developers leveraging feedback from session

Protecting Information Stored Client-Side (John Steven)

Providing Access to Persisted Data (Dan Cornell) - Working Session Notes


University, Education, and Training

OWASP Education Project (Martin Knobloch)

OWASP Certification (Jason Taylor & Jason Li) - Certification Code of Conduct Draft

OWASP Exams Project (Jason Taylor)

OWASP Hackademic Challenges Project (Kostas Papapanagiotou & Vasileros Vlachos)

OWASP Top 10 Training in Hacking-Lab (Ivan Buetler) - Hacking Lab Website

OWASP Training (Sandra Paiva) - Working Session Notes

University Outreach - OWASP Academies (Sandra Paiva) - Working Session Notes, OWASP Academy Portal Project

University Outreach - OWASP College Chapter Program (Martin Knobloch) (renamed "OWASP Student Chapters Program")


OWASP Internal Governance and Global Committees

Global Chapters Committee (Seba Deleersnyder) - Working Session Meeting Minutes

Global Conferences Committee (Mark Bristow) - Working Session/Monthly Committee Meeting Minutes

Global Education Committee (Martin Knobloch)

Global Industry Committee (Eoin Keary & Colin Watson) - Working Session Notes, 2011 Industry Outreach Survey

Global Membership Committee (Dan Cornell) - Working Session Notes, Membership page with changes subsequent to 2011 Summit

Global Projects Committee (Jason Li & Brad Causey) - Summary of Outcomes and Post-Summit Progress, February GPC Meeting Minutes

OWASP Board & Global Committee Governance (Mark Bristow) - Working Session Rationale, 2011 Board of Directors Election Information, New Bylaws

OWASP Chapters: Asia/Pacific Working Group (Helen Gao) - Working Group Outcomes

OWASP Chapters: Building the OWASP Brazilian Leaders Group (Lucas Ferreira) - Objectives and action plan to improve OWASP presence in Brazil

OWASP Funding and CEO Discussion (Keith Turpin) - Working Session Notes, List of suggestions from Funding and CEO discussion, Arguments for hiring an OWASP CEO

OWASP Licensing (Abraham Kang) - Working Session Notes, OWASP Licensing PowerPoint, Licensing - Questions for follow up

Overhauling the OWASP Website (Jason Li) - Summary of Outcomes

OWASP Points - Tracking OWASP Participation (Mark Bristow)


Other OWASP Initiatives

Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies (Dinis Cruz & Jeff Williams) - Draft OWASP Codes of Conduct Document

Enterprise Web Defense Roundtable (Michael Coates & Chris Lyon) - Etherpad Notes Page with Agenda, Slides & Background Reading

Government Outreach (Doug Wilson) - Working Session Outcome

Healthcare Industry Outreach & Banking/Finance Industry Outreach (Lorna Alamri) - Vertical Outreach Notes, Industry Outreach Mapping

How can OWASP reach/talk/engage with auditors? (Matthew Chalmers) - Working Session Notes

Privacy - Personal Data/PII, Legislation and OWASP (Colin Watson) - Working Session Notes

Should OWASP work directly with PCI-DSS? (Matthew Chalmers) - Working Session Notes


Summit Team & Attendee Bios


Summit-Related Blog Posts

Colin Watson - 3 part Recap/Reflections on OWASP Summit 2011, 8-Feb-2011

Carlos Serrão - OWASP Summit 2011, 9-Feb-2011

Ben Tomhave - Evolving OWASP: Reflections on the 2011 Summit, 11-Feb-2011

John Wilander - Fears & Hopes for OWASP, 13-Feb-2011

Dinis Cruz - OWASP Summit 2011 Results, 15-Feb-2011

Chris Schmidt - Dear OWASP Summit, Obrigado, 16-Feb-2011

Supply Chain Technology - Notes from the OWASP 2011 Summit Published, 17-Feb-2011

Mark Curphey - OWASP - Has it reached a tipping point?, 19-Feb-2011

Michael Coates - A Vision for OWASP, 21-Feb-2011

Pravir Chandra - BSIMM activities mapped to SAMM, 3-Mar-2011


Video & Pictures of Summit

Video clips of the Summit recorded by Zaki Akhmad, a Summit Attendee & OWASP Chapter Leader from Indonesia. Full video of the Summit Working Sessions is forthcoming.


Pictures of the Summit: