Difference between revisions of "Summit 2011 Outcomes"

From OWASP
Jump to: navigation, search
m (Video & Pictures of Summit)
 
(39 intermediate revisions by one other user not shown)
Line 1: Line 1:
''Global Summit 2011 Outcomes - please note that this is a work in progress. If you have any comments, corrections, or questions please contact [mailto:sarah.baso@owasp.org Sarah Baso]''
+
If you have any comments, corrections, or questions about the information contained in this page or related links, please contact [mailto:sarah.baso@owasp.org Sarah Baso]
  
==Acknowledgements==
+
==Final Report==
 +
[http://sl.owasp.org/summit2011_finalreport View OWASP Summit 2011: Post-Summit Report and Working Sessions Outcomes]
 +
 
 +
* [http://www.lulu.com/product/paperback/owasp-summit-2011-post-summit-report-and-working-session-outcomes/16364260 Purchase] black & white copy of report on Lulu.com or free PDF download
 +
* [http://www.lulu.com/product/paperback/owasp-summit-2011-post-summit-report-and-working-session-outcomes/16364260 Purchase] full color copy of report on Lulu.com or free PDF download
  
  
Line 7: Line 11:
 
*[[Summit_2011/Summit_Results_Summary|Global Summit 2011 Press Release & Results Summary]] ([http://www.owasp.org/images/2/27/OWASP_Summit_2011_Results.pdf View PDF Format])([http://www.owasp.org/images/5/54/OWASP_Summit_2011_Results.docx View Word Format])
 
*[[Summit_2011/Summit_Results_Summary|Global Summit 2011 Press Release & Results Summary]] ([http://www.owasp.org/images/2/27/OWASP_Summit_2011_Results.pdf View PDF Format])([http://www.owasp.org/images/5/54/OWASP_Summit_2011_Results.docx View Word Format])
  
*'''[[Media:Summit_Outcomes.pptx|Summit Outcomes ppt]]<br/>
+
*[[Media:Summit_Outcomes.pptx|Summit Outcomes ppt]]<br/>
  
Interview with Jeff Williams - http://www.vimeo.com/25335824 <br>
+
*Interview with Jeff Williams - http://www.vimeo.com/25335824 <br>
Interview with Tom Brennan - http://www.vimeo.com/23889097
+
*Interview with Tom Brennan - http://www.vimeo.com/23889097
  
 
==Summit Background==
 
==Summit Background==
 +
(included in final report)
  
  
 
==2011 Summit Finances & Budget==
 
==2011 Summit Finances & Budget==
*Breakdown of 2011 Summit Budget, Operational and Travel <br/>
+
*Summit 2011 Financials: [https://spreadsheets.google.com/ccc?key=0ApZ9zE0hx0LNdFBXS3k3aGdSdTYwQ2dfbmhjaEdUTEE&hl=en Summary of Expenses and Income] and [https://spreadsheets.google.com/a/owasp.org/ccc?key=0ApZ9zE0hx0LNdGJuVDlCU2xaUm9sc2pGMFEydXhYVWc&hl=en#gid=0 Summit Travel and Accommodations Costs]
Summit 2011 Financials [https://spreadsheets.google.com/ccc?key=0ApZ9zE0hx0LNdFBXS3k3aGdSdTYwQ2dfbmhjaEdUTEE&hl=en Summary of Expenses and Income] and [https://spreadsheets.google.com/a/owasp.org/ccc?key=0ApZ9zE0hx0LNdGJuVDlCU2xaUm9sc2pGMFEydXhYVWc&hl=en#gid=0 Summit Travel and Accommodations Costs]
+
  
 
*Comparison to 2008 Summit Budget
 
*Comparison to 2008 Summit Budget
Line 24: Line 28:
  
 
==2011 Summit Lessons Learned==
 
==2011 Summit Lessons Learned==
 +
(included in final report)
  
  
Line 29: Line 34:
  
 
===Browser Security===
 
===Browser Security===
Here are the notes from all the four browser security sessions. John Wilander is working on a Browser Security Report building on these sessions.
 
  
[http://www.owasp.org/images/6/6d/OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf Site Security Policy notes (pdf)]<br>
+
[https://docs.google.com/document/d/1KcdJKBG_ZMuqWoy6RQRS6HNsKgXkGbuayEjK-PXwD2U/edit?hl=en_US&authkey=CKy3gO8M Browser Security Report]
 +
 
 +
 
 +
'''Notes from the 5 Browser Security Sessions'''<br>
  
 
[http://www.owasp.org/images/0/06/OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf DOM Sandboxing notes (pdf)]<br>
 
[http://www.owasp.org/images/0/06/OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf DOM Sandboxing notes (pdf)]<br>
Line 41: Line 48:
 
[http://www.owasp.org/images/f/f7/OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf Enduser Warnings notes (pdf)]
 
[http://www.owasp.org/images/f/f7/OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf Enduser Warnings notes (pdf)]
  
 +
[http://www.owasp.org/images/6/6d/OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf Site Security Policy notes (pdf)]<br>
  
===XSS Eradication & Mitigation===
 
XSS and the Frameworks &  XSS - Awareness, Resources, and Partnerships (Justin Clarke) - [https://docs.google.com/document/d/1Qxj9_mV3Ocl1klTH0PQivi9SQS0C9Mc6AYkxsAEidgM/edit?hl=en_US&authkey=CMPpvKkO Combined Working Session Notes]<br>
 
  
 +
===XSS Eradication===
 
[https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet DOM based XSS Prevention Cheat Sheet] (Jim Manico & Abraham Kang)<br>
 
[https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet DOM based XSS Prevention Cheat Sheet] (Jim Manico & Abraham Kang)<br>
  
WAF Mitigation for XSS (Ryan Barnett)<br>
+
[[Summit_2011_Working_Sessions/Session009|XSS and the Frameworks: XSS - Awareness, Resources, and Partnerships]] (Justin Clarke) - [https://docs.google.com/document/d/1Qxj9_mV3Ocl1klTH0PQivi9SQS0C9Mc6AYkxsAEidgM/edit?hl=en_US&authkey=CMPpvKkO Working Session Notes]<br>
 +
 
 +
[[Summit_2011_Working_Sessions/Session043|WAF Mitigation for XSS: Virtual Patching Best Practices]] (Ryan Barnett) - [https://docs.google.com/document/d/1gx5LAFfU07IOR5BtgDRUBF3CetsABXsuCECoGGa4Xqo/edit?hl=en_US&authkey=CLvq7M0H Working Session Notes]<br>
  
Virtual Patching Best Practices (Ryan Barnett) - [https://docs.google.com/document/d/1gx5LAFfU07IOR5BtgDRUBF3CetsABXsuCECoGGa4Xqo/edit?hl=en_US&authkey=CLvq7M0H Working Session Notes]<br>
 
  
 
===Metrics===
 
===Metrics===
Risk Metrics (Chris Wysopal) & Metrics and Labeling (Chris Eng) - [https://docs.google.com/document/d/1OWKzMuqjabrXYaVhdMvcLbLbBtLjPRuq2iXxNZBqBHM/edit?hl=en_US&authkey=CNin8vsH Working Session Transcripts]<br>
+
[[Summit_2011_Working_Sessions/Session058|Counting and Scoring Application Security Defects]] (Chris Eng & Chris Wysopal) - [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzNmMTViZjgtZTZhNy00ZjQ3LTgxNzQtMDQ4YWM3Njc4NzFi&hl=en_US&authkey=CM_-3OQB Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey]<br>
  
Counting and Scoring Application Security Defects (Chris Eng & Chris Wysopal) - [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzNmMTViZjgtZTZhNy00ZjQ3LTgxNzQtMDQ4YWM3Njc4NzFi&hl=en_US&authkey=CM_-3OQB Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey]<br>
+
[[Summit_2011_Working_Sessions/Session055|Risk Metrics: Metrics and Labeling]] (Chris Eng & Chris Wysopal) - [https://docs.google.com/document/d/1OWKzMuqjabrXYaVhdMvcLbLbBtLjPRuq2iXxNZBqBHM/edit?hl=en_US&authkey=CNin8vsH Working Session Transcripts]<br>
  
Formal Risk Assessment Methods (Benjamin Tomhave) <br>
+
===Individual OWASP Projects===
 +
[[ASVS|Application Security Verification Standard (ASVS) Project]] (Dave Wichers)<br>
  
 +
[[Projects/OWASP_Development_Guide|Development Guide]] (Vishal Garg)<br>
  
 +
[http://www.opensamm.org/ OpenSAMM] (Pravir Chandra) - [http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/ BSIMM activities mapped to SAMM]<br>
  
===University, Education, and Training===
+
[[OWASP_Common_Numbering_Project|OWASP Common Structure and Numbering for All Guides]] (Keith Turpin/Matteo Meucci/Vishal Garg)<br>
[[:Category:OWASP_Education_Project|OWASP Education Project]] (Martin Knobloch)<br>
+
  
[[OWASP Training]] (Sandra Paiva) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNY2I5M2YwMjMtMGJjNi00ZjZkLWJkYmUtZmU0YjhjNjc4NzYx&hl=en_US&authkey=COzlt4cC Working Session Notes]<br>
+
[[OWASP_Common_Numbering_Project|OWASP Common Vulnerability List]] (Meucci/Keary/Agarwal) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNOTkzNmYwN2YtNWZmZC00NjdhLTk1ZjMtMmU5NjQ5ZThhYmVl&hl=en_US&authkey=CNPQ4LkG CVL ppt presentation created by Matteo Meucci]<br>
  
[[OWASP Academies| University Outreach - OWASP Academies]] (Sandra Paiva) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNZGE2MmE4MjAtYmEwYS00M2NmLTk2ZjYtNmM3ODc2MDQyODBm&hl=en_US&authkey=CPHdmtIB Working Session Notes], [[OWASP Academy Portal Project]]<br>
+
[[OWASP Java Project]] (Lucas Ferreira) - [[Summit_2011_Working_Sessions/Session053/Deliverable_1|Action Plan for the Java Project]], [[Summit_2011_Working_Sessions/Session053/Deliverable_2|New Project Leader]]<br>
  
[[Summit_2011_Working_Sessions/Session069|OWASP Top 10 Online Training in Hacking-Lab]] (Ivan Buetler)<br>
+
[[OWASP Mobile Security Project]] (Mike Zusman) - [https://docs.google.com/document/d/1vDB6FMCFHLqpEfB-SPlG0hliKak8flnUvJ1fwZPa-qM/edit?hl=en_US&authkey=CI_Mj4wJ Working Session Notes]<br>
  
[[OWASP_Student_Chapters_Program|University Outreach - OWASP College Chapter Program]] (Martin Knobloch) (renamed "OWASP Student Chapters Program")<br>
+
[[OWASP O2 Platform]] (Dinis Cruz)<br>
  
[[OWASP Exams Project]] (Jason Taylor)<br>
+
[[OWASP Portuguese Language Project]] (Lucas Ferreira) - [[Summit_2011_Working_Sessions/Session048/Deliverable_1|Working Session Outcomes]]<br>
  
[[OWASP_Working_Session_-_OWASP_Certification|OWASP Certification]] (Jason Taylor & Jason Li) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMTlkMDUxNGEtZmM1MS00ODI2LWEwMDYtMjU1Nzc4ZWEwYmJk&hl=en_US&authkey=CNbHmJkP Certification Code of Conduct Draft]<br>
+
[[Summit_2011_Working_Sessions/Session203|OWASP Project Disclosure Policies]] (Chris Schmidt) - [[Summit_2011_Working_Sessions/Session203/Deliverable_1|OWASP Project Disclosure Policy]], [[Summit_2011_Working_Sessions/Session203/Deliverable_2|OWASP Security Bulletin Template]]<br>
  
 +
[[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]] (Keith Turpin) - [https://docs.google.com/document/d/12SMf5i0zRSYEeHfYrJtWHSqy-dnSZq72OkTaMa_UM3U/edit?hl=en_US&authkey=CNjU_5oP Working Session Notes]<br>
  
 +
[[OWASP Testing Project|OWASP Testing Guide]] (Matteo Meucci) - [https://docs.google.com/document/d/11vERv8lf0xrEgdi37iLbuJL2rqjAsgP8icoE4rMtL50/edit?hl=en_US&authkey=CPLqrfoJ Working Session Notes], [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMWVmZTE5ZTctOTZkYy00MGZiLWE1N2UtNDE1NjEwZDg2MGRi&hl=en_US&authkey=CJfF-KwL Planning the OWASP Testing Guide 4.0 ppt presentation]<br>
  
===Secure Coding Workshop===
+
[[Threat Modeling]] (Anurag Agarwal) - [https://docs.google.com/document/d/1QnCgW7Sr1cGx6cg3EKOqxhvNyx9G6xmFP5Mksebd3Ts/edit?hl=en_US&authkey=CLexzjE Working Session discussion points and notes]<br>
OWASP Secure Coding Practices (Keith Turpin)<br>
+
  
Protecting Information Stored Client-Side (John Steven)<br>
 
  
Providing Access to Persisted Data (Dan Cornell) - [https://docs.google.com/document/d/1bdmsNimmANJnRaVOpxYL1jVGutEMF84cK_iSjhSo40o/edit?hl=en_US&authkey=CIfD594I Working Session Notes]]<br>
+
===Secure Coding Workshop===
 +
[[:Category:Summit_2011_OWASP_Secure_Coding_Workshop_Track|General Information on the OWASP Secure Coding Track]] - [https://code.google.com/p/secure-coding-workshop/ Code Repository (Google)]<br>
  
Contextual Ourput Encoding (Chris Schmidt)<br>
 
  
ESAPI-CORE (Jim Manico)<br>
+
[[Summit_2011_Working_Sessions/Applying_ESAPI_Input_Validation|Applying ESAPI Input Validation]] (Chris Schmidt)<br>
  
Applying ESAPI input Validation (Chris Schmidt)<br>
+
[[Summit_2011_Working_Sessions/Session034|Contextual Output Encoding: ESAPI-CORE]] (Chris Schmidt & Jim Manico)<br>
  
Defining AppSensor Detection Points (Michael Coates)<br>
+
[[Summit_2011_Working_Sessions/Session026|Defining AppSensor Detection Points]] (Michael Coates) - [https://lists.owasp.org/pipermail/owasp-appsensor-project/2011-February/000208.html Working Session Notes], [http://code.google.com/p/appsensor/source/browse/#svn%2Ftrunk%2FAppSensor-Tutorial Updated AppSensor-Tutorial code with new lessons and lesson structure enhancements], [https://www.owasp.org/index.php/AppSensor_Developer_Guide AppSensor Updated Getting Started Guide for new adopters and developers leveraging feedback from session]<br>
  
Secure Development Guidelines for Smartphone Developers (Giles Hogben)<br>
+
[[Summit_2011_Working_Sessions/Session028|Protecting Information Stored Client-Side]] (John Steven)<br>
  
 +
[[Summit_2011_Working_Sessions/Session030|Providing Access to Persisted Data]] (Dan Cornell) - [https://docs.google.com/document/d/1bdmsNimmANJnRaVOpxYL1jVGutEMF84cK_iSjhSo40o/edit?hl=en_US&authkey=CIfD594I Working Session Notes]<br>
  
===Individual OWASP Projects===
 
[[Summit_2011_Working_Sessions/Session068|Enterprise Web Defense Roundtable]] (Michael Coates & Chris Lyon) - [http://etherpad.mozilla.org:9000/OWASP-EWDR Etherpad Notes Page with Agenda, Slides & Background Reading]<br>
 
  
[[Threat Modeling]] (Anurag Agarwal) - [https://docs.google.com/document/d/1QnCgW7Sr1cGx6cg3EKOqxhvNyx9G6xmFP5Mksebd3Ts/edit?hl=en_US&authkey=CLexzjE Working Session discussion points and notes]<br>
+
===University, Education, and Training===
 +
[[:Category:OWASP_Education_Project|OWASP Education Project]] (Martin Knobloch)<br>
  
[[OWASP_Common_Numbering_Project|OWASP Common Vulnerability List]] (Meucci/Keary/Agarwal) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNOTkzNmYwN2YtNWZmZC00NjdhLTk1ZjMtMmU5NjQ5ZThhYmVl&hl=en_US&authkey=CNPQ4LkG CVL ppt presentation created by Matteo Meucci]<br>
+
[[OWASP_Working_Session_-_OWASP_Certification|OWASP Certification]] (Jason Taylor & Jason Li) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMTlkMDUxNGEtZmM1MS00ODI2LWEwMDYtMjU1Nzc4ZWEwYmJk&hl=en_US&authkey=CNbHmJkP Certification Code of Conduct Draft]<br>
  
[[OWASP_Common_Numbering_Project|Common Structure and Numbering for All Guides]] (Keith Turpin/Matteo Meucci/Vishal Garg)<br>
+
[[OWASP Exams Project]] (Jason Taylor)<br>
  
[[OWASP Testing Project|OWASP Testing Guide]] (Matteo Meucci) - [https://docs.google.com/document/d/11vERv8lf0xrEgdi37iLbuJL2rqjAsgP8icoE4rMtL50/edit?hl=en_US&authkey=CPLqrfoJ Working Session Notes], [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMWVmZTE5ZTctOTZkYy00MGZiLWE1N2UtNDE1NjEwZDg2MGRi&hl=en_US&authkey=CJfF-KwL Planning the OWASP Testing Guide 4.0 ppt presentation]<br>
+
[[OWASP Hackademic Challenges Project]] (Kostas Papapanagiotou & Vasileros Vlachos)<br>
  
[[OWASP Mobile Security Project]] (Mike Zusman) - [https://docs.google.com/document/d/1vDB6FMCFHLqpEfB-SPlG0hliKak8flnUvJ1fwZPa-qM/edit?hl=en_US&authkey=CI_Mj4wJ Working Session Notes]<br>
+
[[Summit_2011_Working_Sessions/Session069|OWASP Top 10 Training in Hacking-Lab]] (Ivan Buetler) - [https://www.hacking-lab.com/ Hacking Lab Website]<br>
  
[[Projects/OWASP_Development_Guide|Development Guide]] (Vishal Garg)<br>
+
[[OWASP Training]] (Sandra Paiva) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNY2I5M2YwMjMtMGJjNi00ZjZkLWJkYmUtZmU0YjhjNjc4NzYx&hl=en_US&authkey=COzlt4cC Working Session Notes]<br>
  
[[ASVS|Application Security Verification Standard (ASVS) Project]] (Dave Wichers)<br>
+
[[OWASP Academies| University Outreach - OWASP Academies]] (Sandra Paiva) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNZGE2MmE4MjAtYmEwYS00M2NmLTk2ZjYtNmM3ODc2MDQyODBm&hl=en_US&authkey=CPHdmtIB Working Session Notes], [[OWASP Academy Portal Project]]<br>
  
[[OWASP Portuguese Language Project]] (Lucas Ferriera)<br>
+
[[OWASP_Student_Chapters_Program|University Outreach - OWASP College Chapter Program]] (Martin Knobloch) (renamed "OWASP Student Chapters Program")<br>
  
[[OWASP Hackademic Challenges Project]] (Kostas & Vasileros Vlachos)<br>
 
  
[[OWASP Java Project]] (Lucas Ferriera)<br>
+
===OWASP Internal Governance and Global Committees===
 +
[[Global Chapters Committee]] (Seba Deleersnyder) - [[Summit_2011_Working_Sessions/Session018/Deliverable_1|Working Session Meeting Minutes]]<br>
  
[http://www.opensamm.org/ OpenSAMM] (Pravir Chandra) - [http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/ Pravir Chandra - BSIMM activities mapped to SAMM]<br>
+
[[Global Conferences Committee]] (Mark Bristow) - [https://docs.google.com/a/owasp.org/document/d/1-dlyY97XAiDSphFA3rSedc_19rp3r7vfiH1L34wezpU/edit?hl=en_US Working Session/Monthly Committee Meeting Minutes]<br>
  
[http://www.opensamm.org/ The Future of OpenSAMM] (Pravir Chandra)<br>
+
[[Global Education Committee]] (Martin Knobloch)<br>
  
[[Summit_2011_Working_Sessions/Session203|OWASP Project Disclosure Policies]] (Chris Schmidt) - [[Summit_2011_Working_Sessions/Session203/Deliverable_1|OWASP Project Disclosure Policy]], [[Summit_2011_Working_Sessions/Session203/Deliverable_2|OWASP Security Bulletin Template]], [[Summit_2011_Working_Sessions/Session203/Deliverable_3|Project Adherence Rules]]<br>
+
[[Global Industry Committee]] (Eoin Keary & Colin Watson) - [https://docs.google.com/document/d/1XtFXZuyzCmRAxMTwmtSmz4zQ9m7yAdqOFO7c0PLYDLw/edit?hl=en_US&authkey=CPPl898J Working Session Notes], [https://www.surveymonkey.com/s/SCJBX7R 2011 Industry Outreach Survey]<br>
  
[[OWASP O2 Platform]] (Dinis Cruz)<br>
+
[[Global Membership Committee]] (Dan Cornell) - [https://docs.google.com/document/d/1lsoExx4UW-dpjRgRlZaJq0BQPf4lRxRQPI56McMfUBs/edit?hl=en_US&authkey=COO8kd4E Working Session Notes], [[Membership|Membership page with changes subsequent to 2011 Summit]]<br>
  
 +
[[Global Projects Committee]] (Jason Li & Brad Causey) - [[GPC_2011_Summit_Outcomes|Summary of Outcomes and Post-Summit Progress]], [https://lists.owasp.org/pipermail/global-projects-committee/2011-February/001777.html February GPC Meeting Minutes] <br>
  
===OWASP Governance and Committees===
+
[[Summit_2011_Working_Sessions/Session013|OWASP Board & Global Committee Governance]] (Mark Bristow) - [[Talk:Summit_2011_Working_Sessions/Session013|Working Session Rationale]], [[Membership/2011Election|2011 Board of Directors Election Information]], [https://docs.google.com/a/owasp.org/document/d/1r_hS2ioEBcNOKqmEjSJmlLUOdQEb5qPb_0GU_VU1Arw/edit?hl=en&authkey=CLe5nZwD New Bylaws]<br>
[[Global Education Committee]] (Martin Knobloch)<br>
+
  
[[Global Industry Committee]] (Eoin Keary & Colin Watson) - [https://docs.google.com/document/d/1XtFXZuyzCmRAxMTwmtSmz4zQ9m7yAdqOFO7c0PLYDLw/edit?hl=en_US&authkey=CPPl898J Working Session Notes]<br>
+
[[Summit_2011_Working_Sessions/Session251|OWASP Chapters:Asia/Pacific Working Group]] (Helen Gao) - [[Summit_2011_Working_Sessions/Session251|Working Group Outcomes]]<br>
  
[[Global Projects Committee]] (Jason Li & Brad Causey)<br>
+
[[Summit_2011_Working_Sessions/Session035|OWASP Chapters: Building the OWASP Brazilian Leaders Group]] (Lucas Ferreira) - [[Summit_2011_Working_Sessions/Session035/Deliverable_1|Objectives and action plan to improve OWASP presence in Brazil]]<br>
  
[[Global Membership Committee]] (Dan Cornell) - [https://docs.google.com/document/d/1lsoExx4UW-dpjRgRlZaJq0BQPf4lRxRQPI56McMfUBs/edit?hl=en_US&authkey=COO8kd4E Working Session Notes]<br>
+
[[Summit_2011_Working_Sessions/Session077|OWASP Funding and CEO Discussion]] (Keith Turpin) - [https://docs.google.com/document/d/1WghR2_ID1ZNUJqtjZhQHPcEpdbGt_RRR7snu7b8xTvU/edit?hl=en_US&authkey=CNClgtMN Working Session Notes], [https://docs.google.com/document/d/1eZPomybmFn1NIQjg-UquncYhrdfc86WIGMO6_5V84ls/edit?hl=en_US&authkey=CO3n74gG List of suggestions from Funding and CEO discussion], [[Talk:Summit_2011_Working_Sessions/Session077|Arguments for hiring an OWASP CEO]]<br>
  
[[Global Chapters Committee]] (Seba Deleersnyder) - [[Summit_2011_Working_Sessions/Session018/Deliverable_1|Working Session Meeting Minutes]]<br>
+
[[OWASP_Licenses|OWASP Licensing]] (Abraham Kang) - [https://docs.google.com/document/d/1zDR7ufDk4-lsjFptv2w2mJbyIrKW6NLAPeGuKrhbu-A/edit?hl=en_US&authkey=CLb5r4sK Working Session Notes], [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzI5NGQxMzItNDFiZS00ZWYyLThiYjQtZTY2ZDYyYmMxNWRh&hl=en_US&authkey=CJzZ3sQP OWASP Licensing PowerPoint], [https://docs.google.com/document/d/14dXwV8XbUqPZ4_b5wWJPxaTi8FJb1GWp98DjJQKbRek/edit?hl=en_US&authkey=CMvsidkO Licensing - Questions for follow up] <br>
  
[[Global Conferences Committee]] (Mark Bristow)<br>
+
[[Working_Sessions_OWASP_Website|Overhauling the OWASP Website]] (Jason Li) - [[Summit_2011_Working_Sessions/Session023/Deliverable_1|Summary of Outcomes]]<br>
  
[[Summit_2011_Working_Sessions/Session036|Government Outreach]] (Doug Wilson) - [[Summit_2011_Working_Sessions/Session036/Deliverable_1|Working Session Outcome]]<br>
+
[[OWASP Points|OWASP Points - Tracking OWASP Participation]] (Mark Bristow)<br>
  
OWASP Funding and CEO Discussion (Keith Turpin) [https://docs.google.com/document/d/1WghR2_ID1ZNUJqtjZhQHPcEpdbGt_RRR7snu7b8xTvU/edit?hl=en_US&authkey=CNClgtMN Working Session Notes]  <br>
 
  
OWASP Board/Committee Governance (Mark Bristow)<br>
+
===Other OWASP Initiatives===
  
[[OWASP Points]] - Tracking OWASP Participation (Mark Bristow)<br>
+
[[OWASP Codes of Conduct|Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies]] (Dinis Cruz & Jeff Williams) - [https://docs.google.com/document/d/1F5HI3ddSxf-gF2qM_fNaEb2u73nsnrJXm3VmbsVVo28/edit?hl=en_US&authkey=CPy0gZwH Draft OWASP Codes of Conduct Document]<br>
  
[[OWASP_Licenses|OWASP Licensing]] (Abraham Kang) - [https://docs.google.com/document/d/1zDR7ufDk4-lsjFptv2w2mJbyIrKW6NLAPeGuKrhbu-A/edit?hl=en_US&authkey=CLb5r4sK Working Session Notes], [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzI5NGQxMzItNDFiZS00ZWYyLThiYjQtZTY2ZDYyYmMxNWRh&hl=en_US&authkey=CJzZ3sQP OWASP Licensing PowerPoint], [https://docs.google.com/document/d/14dXwV8XbUqPZ4_b5wWJPxaTi8FJb1GWp98DjJQKbRek/edit?hl=en_US&authkey=CMvsidkO Licensing - Questions for follow up] <br>
+
[[Summit_2011_Working_Sessions/Session068|Enterprise Web Defense Roundtable]] (Michael Coates & Chris Lyon) - [http://etherpad.mozilla.org:9000/OWASP-EWDR Etherpad Notes Page with Agenda, Slides & Background Reading]<br>
  
[[OWASP Codes of Conduct]] (Dinis Cruz & Jeff Williams) - [https://docs.google.com/document/d/1F5HI3ddSxf-gF2qM_fNaEb2u73nsnrJXm3VmbsVVo28/edit?hl=en_US&authkey=CPy0gZwH Draft Document]]<br>
+
[[Summit_2011_Working_Sessions/Session036|Government Outreach]] (Doug Wilson) - [[Summit_2011_Working_Sessions/Session036/Deliverable_1|Working Session Outcome]]<br>
Building the OWASP Brazilian Leaders Group (Lucas Ferriera)<br>
+
  
OWASP Asia/Pacific Working Group (Helen Gao)<br>
+
[[Summit_2011_Working_Sessions/Session262|Healthcare Industry Outreach]] & [[Summit_2011_Working_Sessions/Session263|Banking/Finance Industry Outreach]] ( Lorna Alamri) - [https://docs.google.com/document/d/1YsQC2J6GIqvE69agde25xDE4LsZIZN-bKMrFbAatywU/edit?hl=en_US&authkey=CK35nnc Vertical Outreach Notes], [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNYmM4Y2Y3YWEtMTU5YS00NGU0LTk1NTgtYjk1MzdiOWZkMWQ5&hl=en_US&authkey=CP3ZsqMK Industry Outreach Mapping]<br>  
  
[[Summit_2011_Working_Sessions/Session035|Building the OWASP Brazilian Leaders Group]] (Lucas Ferreira) - [[Summit_2011_Working_Sessions/Session035/Deliverable_1|Objectives and action plan to improve OWASP presence in Brazil]]
+
[[Summit_2011_Working_Sessions/Session082|How can OWASP reach/talk/engage with auditors?]] (Matthew Chalmers) - [https://docs.google.com/document/d/1Kv5Qb9JeTaxBvCJMksSi3XlI0Sk77kdRVxj8-PY3jMI/edit?hl=en_US&authkey=COqF7e4M Working Session Notes]<br>
  
Industry - Healthcare (Joe Bernik & Lorna Alamri)<br>
+
[[Summit_2011_Working_Sessions/Session073|Privacy - Personal Data/PII, Legislation and OWASP]] (Colin Watson) - [https://docs.google.com/document/d/1iemUPPunBlWC7rBCALirPLN662rdYHQPPCerDzKIO6c/edit?hl=en_US&authkey=CLmG9nQ Working Session Notes]<br>
  
Industry - Banking/Finance (Joe Bernik & Lorna Alamri)<br>
+
[[Summit_2011_Working_Sessions/Session080|Should OWASP work directly with PCI-DSS?]] (Matthew Chalmers) - [https://docs.google.com/document/d/19s9oXr2-wvaGI7Wka44ii5amsUflfTEvCweTBMV7Dew/edit?hl=en_US&authkey=CKmbgLoI Working Session Notes]<br>
  
  
===Miscellaneous===
 
Privacy - Personal Data/PII, Legislation and OWASP (Colin Watson) - [https://docs.google.com/document/d/1iemUPPunBlWC7rBCALirPLN662rdYHQPPCerDzKIO6c/edit?hl=en_US&authkey=CLmG9nQ Working Session Notes]<br>
 
  
Overhauling the OWASP Website (Jason Li)<br>
+
==Summit Team & Attendee Bios==
  
Should OWASP work directly with PCI-DSS? (Matthew Chalmers) - [https://docs.google.com/document/d/19s9oXr2-wvaGI7Wka44ii5amsUflfTEvCweTBMV7Dew/edit?hl=en_US&authkey=CKmbgLoI Working Session Notes]<br>
+
* [[Media: Attendee_Bios_for_Outcomes_-_Participants.pdf|Summit Attendees and Staff Bios]]
  
How can OWASP reach/talk/engage with auditors? (Matthew Chalmers) - [https://docs.google.com/document/d/1Kv5Qb9JeTaxBvCJMksSi3XlI0Sk77kdRVxj8-PY3jMI/edit?hl=en_US&authkey=COqF7e4M Working Session Notes]<br>
 
  
Developer Outreach (Mark Bristow & Jason Li)<br>
+
==Summit-Related Blog Posts==
 +
[http://www.clerkendweller.com/2011/2/8/OWASP-Summit-2011-Part-1 Colin Watson - 3 part Recap/Reflections on OWASP Summit 2011, 8-Feb-2011]<br>
  
 +
[http://www.carlosserrao.net/2011/02/owasp-summit-2011/ Carlos Serrão - OWASP Summit 2011, 9-Feb-2011]<br>
  
==Summit Team & Attendee Bios==
+
[http://www.secureconsulting.net/2011/02/evolving_owasp_reflections_on.html Ben Tomhave - Evolving OWASP: Reflections on the 2011 Summit, 11-Feb-2011]<br>
  
===Support Staff Bios===
+
[http://appsandsecurity.blogspot.com/2011/02/fears-hopes-for-owasp.html John Wilander - Fears & Hopes for OWASP, 13-Febr-2011]<br>
* [[Media:Attendee_Bios_for_Outcomes_-_Staff.pdf|Summit Support Staff Bios]]
+
  
 +
[http://diniscruz.blogspot.com/2011/02/owasp-summit-2011-results.html Dinis Cruz - OWASP Summit 2011 Results, 15-Feb-2011]<br>
  
===Attendee Bios===
+
[http://yet-another-dev.blogspot.com/search/label/owasp%20summit Chris Schmidt - Dear OWASP Summit, Obrigado, 16-Feb-2011]<br>
* [[Media: Attendee_Bios_for_Outcomes_-_Participants.pdf|Summit Participant Bios]]
+
  
 +
[http://supplychaintechnology.wordpress.com/2011/02/17/notes-from-owasp-2011-summit-published/ Supply Chain Technology - Notes from the OWASP 2011 Summit Published, 17-Feb-2011]
  
==Summit-Related Blog Posts==
+
[http://www.curphey.com/2011/02/owasp-has-it-reached-a-tipping-point/ Mark Curphey - OWASP - Has it reached a tipping point?, 19-Feb-2011]<br>
[http://www.clerkendweller.com/2011/2/8/OWASP-Summit-2011-Part-1 Colin Watson - 3 part Recap/Reflections on OWASP Summit 2011, February 8-10, 2011]<br>
+
 
+
[http://www.carlosserrao.net/2011/02/owasp-summit-2011/ Carlos Serrão - OWASP Summit 2011, February 9, 2011]<br>
+
  
[http://www.secureconsulting.net/2011/02/evolving_owasp_reflections_on.html Ben Tomhave - Evolving OWASP: Reflections on the 2011 Summit, February 11, 2011]<br>
+
[http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html Michael Coates - A Vision for OWASP, 21-Feb-2011]<br>
  
[http://appsandsecurity.blogspot.com/2011/02/fears-hopes-for-owasp.html John Wilander - Fears & Hopes for OWASP, February 13, 2011]<br>
+
[http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/ Pravir Chandra - BSIMM activities mapped to SAMM, 3-Mar-2011]<br>
  
[http://diniscruz.blogspot.com/2011/02/owasp-summit-2011-results.html Dinis Cruz - OWASP Summit 2011 Results, February 15, 2011]<br>
 
  
[http://yet-another-dev.blogspot.com/search/label/owasp%20summit Chris Schmidt - Dear OWASP Summit, Obrigado, February 16, 2011]<br>
+
==Video & Pictures of Summit==
 +
Video clips of the Summit recorded by [[User:Zakiakhmad|Zaki Akhmad]], a Summit Attendee & OWASP Chapter Leader from [[Indonesia|Indonesia]].  Full video of the Summit Working Sessions is forthcoming.
  
[http://www.curphey.com/2011/02/owasp-has-it-reached-a-tipping-point/ Mark Curphey - OWASP - Has it reached a tipping point?, February 19, 2011]<br>
+
*[http://www.youtube.com/watch?v=w6nuPCxCyC8 Summit 2011 - Governance Session, part 1]
 +
*[http://youtu.be/6HnA3NY7gR0 Summit 2011 - Governance Session, part 2]
 +
*[http://youtu.be/RStrwZGgz0U Summit 2011 - Wrap Up Session #1]
 +
*[http://youtu.be/O0eD-CeQld4 Summit 2011 - Browser Security Wrap Up]
 +
*[http://youtu.be/ZB2JM4xgtBQ Summit 2011 - ESAPI Working Session]
 +
*[http://youtu.be/GRWCgbZF3_g Summit 2011 - Chapter Leader Working Session]
  
[http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html Michael Coates - A Vision for OWASP, February 21, 2011]<br>
 
  
[http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/ Pravir Chandra - BSIMM activities mapped to SAMM, March 3, 2011]<br>
+
Pictures of the Summit:
 +
*[https://picasaweb.google.com/owaspphotos/OWASPSummit# Pictures taken by Ofer Maor, a Summit Attendee & OWASP Chapter Leader from Israel]
 +
*[https://picasaweb.google.com/103488670506331805557/OWASPSummit2011Portugal?authkey=Gv1sRgCLSQr-TtgqrGEA&feat=directlink# Pictures taken by Vlatko Kosturjak, a Summit Attendee & OWASP Chapter Leader from Croatia]
 +
*[https://picasaweb.google.com/carlos.j.serrao/OWASPSummit2011?authkey=Gv1sRgCN3g-7qmu_i93QE# Pictures taken by Carlos Serrão, a Summit Attendee & OWASP Chapter Leader from Portugal]

Latest revision as of 06:19, 19 January 2012

If you have any comments, corrections, or questions about the information contained in this page or related links, please contact Sarah Baso

Final Report

View OWASP Summit 2011: Post-Summit Report and Working Sessions Outcomes

  • Purchase black & white copy of report on Lulu.com or free PDF download
  • Purchase full color copy of report on Lulu.com or free PDF download


Press Release & Media Mentions

Summit Background

(included in final report)


2011 Summit Finances & Budget

  • Comparison to 2008 Summit Budget
  • Projection of costs needed for future Summit


2011 Summit Lessons Learned

(included in final report)


Appendix: Working Session Details and Documentation

Browser Security

Browser Security Report


Notes from the 5 Browser Security Sessions

DOM Sandboxing notes (pdf)

HTML5 Security notes (pdf)

EcmaScript 5 Security notes (pdf)

Enduser Warnings notes (pdf)

Site Security Policy notes (pdf)


XSS Eradication

DOM based XSS Prevention Cheat Sheet (Jim Manico & Abraham Kang)

XSS and the Frameworks: XSS - Awareness, Resources, and Partnerships (Justin Clarke) - Working Session Notes

WAF Mitigation for XSS: Virtual Patching Best Practices (Ryan Barnett) - Working Session Notes


Metrics

Counting and Scoring Application Security Defects (Chris Eng & Chris Wysopal) - Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey

Risk Metrics: Metrics and Labeling (Chris Eng & Chris Wysopal) - Working Session Transcripts

Individual OWASP Projects

Application Security Verification Standard (ASVS) Project (Dave Wichers)

Development Guide (Vishal Garg)

OpenSAMM (Pravir Chandra) - BSIMM activities mapped to SAMM

OWASP Common Structure and Numbering for All Guides (Keith Turpin/Matteo Meucci/Vishal Garg)

OWASP Common Vulnerability List (Meucci/Keary/Agarwal) - CVL ppt presentation created by Matteo Meucci

OWASP Java Project (Lucas Ferreira) - Action Plan for the Java Project, New Project Leader

OWASP Mobile Security Project (Mike Zusman) - Working Session Notes

OWASP O2 Platform (Dinis Cruz)

OWASP Portuguese Language Project (Lucas Ferreira) - Working Session Outcomes

OWASP Project Disclosure Policies (Chris Schmidt) - OWASP Project Disclosure Policy, OWASP Security Bulletin Template

OWASP Secure Coding Practices - Quick Reference Guide (Keith Turpin) - Working Session Notes

OWASP Testing Guide (Matteo Meucci) - Working Session Notes, Planning the OWASP Testing Guide 4.0 ppt presentation

Threat Modeling (Anurag Agarwal) - Working Session discussion points and notes


Secure Coding Workshop

General Information on the OWASP Secure Coding Track - Code Repository (Google)


Applying ESAPI Input Validation (Chris Schmidt)

Contextual Output Encoding: ESAPI-CORE (Chris Schmidt & Jim Manico)

Defining AppSensor Detection Points (Michael Coates) - Working Session Notes, Updated AppSensor-Tutorial code with new lessons and lesson structure enhancements, AppSensor Updated Getting Started Guide for new adopters and developers leveraging feedback from session

Protecting Information Stored Client-Side (John Steven)

Providing Access to Persisted Data (Dan Cornell) - Working Session Notes


University, Education, and Training

OWASP Education Project (Martin Knobloch)

OWASP Certification (Jason Taylor & Jason Li) - Certification Code of Conduct Draft

OWASP Exams Project (Jason Taylor)

OWASP Hackademic Challenges Project (Kostas Papapanagiotou & Vasileios Vlachos)

OWASP Top 10 Training in Hacking-Lab (Ivan Buetler) - Hacking Lab Website

OWASP Training (Sandra Paiva) - Working Session Notes

University Outreach - OWASP Academies (Sandra Paiva) - Working Session Notes, OWASP Academy Portal Project

University Outreach - OWASP College Chapter Program (Martin Knobloch) (renamed "OWASP Student Chapters Program")


OWASP Internal Governance and Global Committees

Global Chapters Committee (Seba Deleersnyder) - Working Session Meeting Minutes

Global Conferences Committee (Mark Bristow) - Working Session/Monthly Committee Meeting Minutes

Global Education Committee (Martin Knobloch)

Global Industry Committee (Eoin Keary & Colin Watson) - Working Session Notes, 2011 Industry Outreach Survey

Global Membership Committee (Dan Cornell) - Working Session Notes, Membership page with changes subsequent to 2011 Summit

Global Projects Committee (Jason Li & Brad Causey) - Summary of Outcomes and Post-Summit Progress, February GPC Meeting Minutes

OWASP Board & Global Committee Governance (Mark Bristow) - Working Session Rationale, 2011 Board of Directors Election Information, New Bylaws

OWASP Chapters: Asia/Pacific Working Group (Helen Gao) - Working Group Outcomes

OWASP Chapters: Building the OWASP Brazilian Leaders Group (Lucas Ferreira) - Objectives and action plan to improve OWASP presence in Brazil

OWASP Funding and CEO Discussion (Keith Turpin) - Working Session Notes, List of suggestions from Funding and CEO discussion, Arguments for hiring an OWASP CEO

OWASP Licensing (Abraham Kang) - Working Session Notes, OWASP Licensing PowerPoint, Licensing - Questions for follow up

Overhauling the OWASP Website (Jason Li) - Summary of Outcomes

OWASP Points - Tracking OWASP Participation (Mark Bristow)


Other OWASP Initiatives

Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies (Dinis Cruz & Jeff Williams) - Draft OWASP Codes of Conduct Document

Enterprise Web Defense Roundtable (Michael Coates & Chris Lyon) - Etherpad Notes Page with Agenda, Slides & Background Reading

Government Outreach (Doug Wilson) - Working Session Outcome

Healthcare Industry Outreach & Banking/Finance Industry Outreach (Lorna Alamri) - Vertical Outreach Notes, Industry Outreach Mapping

How can OWASP reach/talk/engage with auditors? (Matthew Chalmers) - Working Session Notes

Privacy - Personal Data/PII, Legislation and OWASP (Colin Watson) - Working Session Notes

Should OWASP work directly with PCI-DSS? (Matthew Chalmers) - Working Session Notes


Summit Team & Attendee Bios


Summit-Related Blog Posts

Colin Watson - 3 part Recap/Reflections on OWASP Summit 2011, 8-Feb-2011

Carlos Serrão - OWASP Summit 2011, 9-Feb-2011

Ben Tomhave - Evolving OWASP: Reflections on the 2011 Summit, 11-Feb-2011

John Wilander - Fears & Hopes for OWASP, 13-Feb-2011

Dinis Cruz - OWASP Summit 2011 Results, 15-Feb-2011

Chris Schmidt - Dear OWASP Summit, Obrigado, 16-Feb-2011

Supply Chain Technology - Notes from the OWASP 2011 Summit Published, 17-Feb-2011

Mark Curphey - OWASP - Has it reached a tipping point?, 19-Feb-2011

Michael Coates - A Vision for OWASP, 21-Feb-2011

Pravir Chandra - BSIMM activities mapped to SAMM, 3-Mar-2011


Video & Pictures of Summit

Video clips of the Summit recorded by Zaki Akhmad, a Summit Attendee & OWASP Chapter Leader from Indonesia. Full video of the Summit Working Sessions is forthcoming.


Pictures of the Summit: