Difference between revisions of "Summit 2011 Outcomes"

From OWASP
m (Video & Pictures of Summit)
 
(30 intermediate revisions by one user not shown)
Line 1: Line 1:
''Global Summit 2011 Outcomes - please note that this is a work in progress. If you have any comments, corrections, or questions please contact [mailto:sarah.baso@owasp.org Sarah Baso]''
+
If you have any comments, corrections, or questions about the information contained in this page or related links, please contact [mailto:sarah.baso@owasp.org Sarah Baso]
  
==Acknowledgements==
+
==Final Report==
 +
[http://sl.owasp.org/summit2011_finalreport View OWASP Summit 2011: Post-Summit Report and Working Sessions Outcomes]
 +
 
 +
* [http://www.lulu.com/product/paperback/owasp-summit-2011-post-summit-report-and-working-session-outcomes/16364260 Purchase] black & white copy of report on Lulu.com or free PDF download
 +
* [http://www.lulu.com/product/paperback/owasp-summit-2011-post-summit-report-and-working-session-outcomes/16364260 Purchase] full color copy of report on Lulu.com or free PDF download
  
  
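Review bot: both Lulu list items in this hunk point at the same product URL (…/16364260), so the "black & white" and "full color" entries cannot both be right; one of them needs the other edition's product link, or the two should be collapsed into a single entry. The hunk also drops the "work in progress" notice from the old first line; if the outcomes are still being compiled, the new contact sentence should say so.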
Line 7: Line 11:
 
*[[Summit_2011/Summit_Results_Summary|Global Summit 2011 Press Release & Results Summary]] ([http://www.owasp.org/images/2/27/OWASP_Summit_2011_Results.pdf View PDF Format])([http://www.owasp.org/images/5/54/OWASP_Summit_2011_Results.docx View Word Format])
 
*[[Summit_2011/Summit_Results_Summary|Global Summit 2011 Press Release & Results Summary]] ([http://www.owasp.org/images/2/27/OWASP_Summit_2011_Results.pdf View PDF Format])([http://www.owasp.org/images/5/54/OWASP_Summit_2011_Results.docx View Word Format])
  
*'''[[Media:Summit_Outcomes.pptx|Summit Outcomes ppt]]<br/>
+
*[[Media:Summit_Outcomes.pptx|Summit Outcomes ppt]]<br/>
  
Interview with Jeff Williams - http://www.vimeo.com/25335824 <br>
+
*Interview with Jeff Williams - http://www.vimeo.com/25335824 <br>
Interview with Tom Brennan - http://www.vimeo.com/23889097
+
*Interview with Tom Brennan - http://www.vimeo.com/23889097
  
 
==Summit Background==
 
==Summit Background==
 +
(included in final report)
  
  
 
==2011 Summit Finances & Budget==
 
==2011 Summit Finances & Budget==
*Breakdown of 2011 Summit Budget, Operational and Travel <br/>
+
*Summit 2011 Financials: [https://spreadsheets.google.com/ccc?key=0ApZ9zE0hx0LNdFBXS3k3aGdSdTYwQ2dfbmhjaEdUTEE&hl=en Summary of Expenses and Income] and [https://spreadsheets.google.com/a/owasp.org/ccc?key=0ApZ9zE0hx0LNdGJuVDlCU2xaUm9sc2pGMFEydXhYVWc&hl=en#gid=0 Summit Travel and Accommodations Costs]
Summit 2011 Financials [https://spreadsheets.google.com/ccc?key=0ApZ9zE0hx0LNdFBXS3k3aGdSdTYwQ2dfbmhjaEdUTEE&hl=en Summary of Expenses and Income] and [https://spreadsheets.google.com/a/owasp.org/ccc?key=0ApZ9zE0hx0LNdGJuVDlCU2xaUm9sc2pGMFEydXhYVWc&hl=en#gid=0 Summit Travel and Accommodations Costs]
+
  
 
*Comparison to 2008 Summit Budget
 
*Comparison to 2008 Summit Budget
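Review bot: the second spreadsheet link in the new "Summit 2011 Financials" line lives under spreadsheets.google.com/a/owasp.org/, the owasp.org Google Apps domain, so readers without an owasp.org account may be asked to sign in; consider publishing it the same way as the first (public) spreadsheet link. Note also that the hunk removes the "Breakdown of 2011 Summit Budget, Operational and Travel" bullet that introduced the budget list, leaving "Comparison to 2008 Summit Budget" as the only labelled item.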
Line 24: Line 28:
  
 
==2011 Summit Lessons Learned==
 
==2011 Summit Lessons Learned==
 +
(included in final report)
  
  
Line 29: Line 34:
  
 
===Browser Security===
 
===Browser Security===
Here are the notes from all the four browser security sessions. John Wilander is working on a Browser Security Report building on these sessions.
 
  
[http://www.owasp.org/images/6/6d/OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf Site Security Policy notes (pdf)]<br>
+
[https://docs.google.com/document/d/1KcdJKBG_ZMuqWoy6RQRS6HNsKgXkGbuayEjK-PXwD2U/edit?hl=en_US&authkey=CKy3gO8M Browser Security Report]
 +
 
 +
 
 +
'''Notes from the 5 Browser Security Sessions'''<br>
  
 
[http://www.owasp.org/images/0/06/OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf DOM Sandboxing notes (pdf)]<br>
 
[http://www.owasp.org/images/0/06/OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf DOM Sandboxing notes (pdf)]<br>
Line 41: Line 48:
 
[http://www.owasp.org/images/f/f7/OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf Enduser Warnings notes (pdf)]
 
[http://www.owasp.org/images/f/f7/OWASPSummit2011EnduserWarningsBrowserSecurityTrack.pdf Enduser Warnings notes (pdf)]
  
 +
[http://www.owasp.org/images/6/6d/OWASPSummit2011SiteSecurityPolicyBrowserSecurityTrack.pdf Site Security Policy notes (pdf)]<br>
  
===XSS Eradication & Mitigation===
 
[[Summit_2011_Working_Sessions/Session009|XSS and the Frameworks]] & [[Working_Sessions_XSS_AwarnessResourcesPartnerships|XSS - Awareness, Resources, and Partnerships]] (Justin Clarke) - [https://docs.google.com/document/d/1Qxj9_mV3Ocl1klTH0PQivi9SQS0C9Mc6AYkxsAEidgM/edit?hl=en_US&authkey=CMPpvKkO Combined Working Session Notes]<br>
 
  
 +
===XSS Eradication===
 
[https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet DOM based XSS Prevention Cheat Sheet] (Jim Manico & Abraham Kang)<br>
 
[https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet DOM based XSS Prevention Cheat Sheet] (Jim Manico & Abraham Kang)<br>
  
[[Summit_2011_Working_Sessions/Session043|WAF Mitigation for XSS]] (Ryan Barnett)<br>
+
[[Summit_2011_Working_Sessions/Session009|XSS and the Frameworks: XSS - Awareness, Resources, and Partnerships]] (Justin Clarke) - [https://docs.google.com/document/d/1Qxj9_mV3Ocl1klTH0PQivi9SQS0C9Mc6AYkxsAEidgM/edit?hl=en_US&authkey=CMPpvKkO Working Session Notes]<br>
  
[[Summit_2011_Working_Sessions/Session091|Virtual Patching Best Practices]] (Ryan Barnett) - [https://docs.google.com/document/d/1gx5LAFfU07IOR5BtgDRUBF3CetsABXsuCECoGGa4Xqo/edit?hl=en_US&authkey=CLvq7M0H Working Session Notes]<br>
+
[[Summit_2011_Working_Sessions/Session043|WAF Mitigation for XSS: Virtual Patching Best Practices]] (Ryan Barnett) - [https://docs.google.com/document/d/1gx5LAFfU07IOR5BtgDRUBF3CetsABXsuCECoGGa4Xqo/edit?hl=en_US&authkey=CLvq7M0H Working Session Notes]<br>
  
  
 
===Metrics===
 
===Metrics===
[[Summit_2011_Working_Sessions/Session055|Risk Metrics]] (Chris Wysopal) & [[Summit_2011_Working_Sessions/Session057|Metrics and Labeling]] (Chris Eng) - [https://docs.google.com/document/d/1OWKzMuqjabrXYaVhdMvcLbLbBtLjPRuq2iXxNZBqBHM/edit?hl=en_US&authkey=CNin8vsH Working Session Transcripts]<br>
 
 
 
[[Summit_2011_Working_Sessions/Session058|Counting and Scoring Application Security Defects]] (Chris Eng & Chris Wysopal) - [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzNmMTViZjgtZTZhNy00ZjQ3LTgxNzQtMDQ4YWM3Njc4NzFi&hl=en_US&authkey=CM_-3OQB Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey]<br>
 
[[Summit_2011_Working_Sessions/Session058|Counting and Scoring Application Security Defects]] (Chris Eng & Chris Wysopal) - [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzNmMTViZjgtZTZhNy00ZjQ3LTgxNzQtMDQ4YWM3Njc4NzFi&hl=en_US&authkey=CM_-3OQB Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey]<br>
  
 +
[[Summit_2011_Working_Sessions/Session055|Risk Metrics: Metrics and Labeling]] (Chris Eng & Chris Wysopal) - [https://docs.google.com/document/d/1OWKzMuqjabrXYaVhdMvcLbLbBtLjPRuq2iXxNZBqBHM/edit?hl=en_US&authkey=CNin8vsH Working Session Transcripts]<br>
  
 +
===Individual OWASP Projects===
 +
[[ASVS|Application Security Verification Standard (ASVS) Project]] (Dave Wichers)<br>
  
===University, Education, and Training===
+
[[Projects/OWASP_Development_Guide|Development Guide]] (Vishal Garg)<br>
[[:Category:OWASP_Education_Project|OWASP Education Project]] (Martin Knobloch)<br>
+
  
[[OWASP Training]] (Sandra Paiva) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNY2I5M2YwMjMtMGJjNi00ZjZkLWJkYmUtZmU0YjhjNjc4NzYx&hl=en_US&authkey=COzlt4cC Working Session Notes]<br>
+
[http://www.opensamm.org/ OpenSAMM] (Pravir Chandra) - [http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/ BSIMM activities mapped to SAMM]<br>
  
[[OWASP Academies| University Outreach - OWASP Academies]] (Sandra Paiva) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNZGE2MmE4MjAtYmEwYS00M2NmLTk2ZjYtNmM3ODc2MDQyODBm&hl=en_US&authkey=CPHdmtIB Working Session Notes], [[OWASP Academy Portal Project]]<br>
+
[[OWASP_Common_Numbering_Project|OWASP Common Structure and Numbering for All Guides]] (Keith Turpin/Matteo Meucci/Vishal Garg)<br>
  
[[Summit_2011_Working_Sessions/Session069|OWASP Top 10 Online Training in Hacking-Lab]] (Ivan Buetler)<br>
+
[[OWASP_Common_Numbering_Project|OWASP Common Vulnerability List]] (Meucci/Keary/Agarwal) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNOTkzNmYwN2YtNWZmZC00NjdhLTk1ZjMtMmU5NjQ5ZThhYmVl&hl=en_US&authkey=CNPQ4LkG CVL ppt presentation created by Matteo Meucci]<br>
  
[[OWASP_Student_Chapters_Program|University Outreach - OWASP College Chapter Program]] (Martin Knobloch) (renamed "OWASP Student Chapters Program")<br>
+
[[OWASP Java Project]] (Lucas Ferreira) - [[Summit_2011_Working_Sessions/Session053/Deliverable_1|Action Plan for the Java Project]], [[Summit_2011_Working_Sessions/Session053/Deliverable_2|New Project Leader]]<br>
  
[[OWASP Exams Project]] (Jason Taylor)<br>
+
[[OWASP Mobile Security Project]] (Mike Zusman) - [https://docs.google.com/document/d/1vDB6FMCFHLqpEfB-SPlG0hliKak8flnUvJ1fwZPa-qM/edit?hl=en_US&authkey=CI_Mj4wJ Working Session Notes]<br>
  
[[OWASP_Working_Session_-_OWASP_Certification|OWASP Certification]] (Jason Taylor & Jason Li) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMTlkMDUxNGEtZmM1MS00ODI2LWEwMDYtMjU1Nzc4ZWEwYmJk&hl=en_US&authkey=CNbHmJkP Certification Code of Conduct Draft]<br>
+
[[OWASP O2 Platform]] (Dinis Cruz)<br>
  
 +
[[OWASP Portuguese Language Project]] (Lucas Ferreira) - [[Summit_2011_Working_Sessions/Session048/Deliverable_1|Working Session Outcomes]]<br>
  
 +
[[Summit_2011_Working_Sessions/Session203|OWASP Project Disclosure Policies]] (Chris Schmidt) - [[Summit_2011_Working_Sessions/Session203/Deliverable_1|OWASP Project Disclosure Policy]], [[Summit_2011_Working_Sessions/Session203/Deliverable_2|OWASP Security Bulletin Template]]<br>
  
===Secure Coding Workshop===
+
[[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]] (Keith Turpin) - [https://docs.google.com/document/d/12SMf5i0zRSYEeHfYrJtWHSqy-dnSZq72OkTaMa_UM3U/edit?hl=en_US&authkey=CNjU_5oP Working Session Notes]<br>
[[:Category:Summit_2011_OWASP_Secure_Coding_Workshop_Track|General Information on the OWASP Secure Coding Track]] - [https://code.google.com/p/secure-coding-workshop/ Code Repository (Google)]<br>
+
  
[[Summit_2011_Working_Sessions/Session028|Protecting Information Stored Client-Side]] (John Steven)<br>
+
[[OWASP Testing Project|OWASP Testing Guide]] (Matteo Meucci) - [https://docs.google.com/document/d/11vERv8lf0xrEgdi37iLbuJL2rqjAsgP8icoE4rMtL50/edit?hl=en_US&authkey=CPLqrfoJ Working Session Notes], [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMWVmZTE5ZTctOTZkYy00MGZiLWE1N2UtNDE1NjEwZDg2MGRi&hl=en_US&authkey=CJfF-KwL Planning the OWASP Testing Guide 4.0 ppt presentation]<br>
  
[[Summit_2011_Working_Sessions/Session030|Providing Access to Persisted Data]] (Dan Cornell) - [https://docs.google.com/document/d/1bdmsNimmANJnRaVOpxYL1jVGutEMF84cK_iSjhSo40o/edit?hl=en_US&authkey=CIfD594I Working Session Notes]<br>
+
[[Threat Modeling]] (Anurag Agarwal) - [https://docs.google.com/document/d/1QnCgW7Sr1cGx6cg3EKOqxhvNyx9G6xmFP5Mksebd3Ts/edit?hl=en_US&authkey=CLexzjE Working Session discussion points and notes]<br>
  
[[Summit_2011_Working_Sessions/Session027|Contextual Ourput Encoding]] (Chris Schmidt)<br>
 
  
[[Summit_2011_Working_Sessions/Session034|ESAPI-CORE]] (Jim Manico)<br>
+
===Secure Coding Workshop===
 +
[[:Category:Summit_2011_OWASP_Secure_Coding_Workshop_Track|General Information on the OWASP Secure Coding Track]] - [https://code.google.com/p/secure-coding-workshop/ Code Repository (Google)]<br>
 +
 
  
 
[[Summit_2011_Working_Sessions/Applying_ESAPI_Input_Validation|Applying ESAPI Input Validation]] (Chris Schmidt)<br>
 
[[Summit_2011_Working_Sessions/Applying_ESAPI_Input_Validation|Applying ESAPI Input Validation]] (Chris Schmidt)<br>
  
[[Summit_2011_Working_Sessions/Session026|Defining AppSensor Detection Points]] (Michael Coates)<br>
+
[[Summit_2011_Working_Sessions/Session034|Contextual Output Encoding: ESAPI-CORE]] (Chris Schmidt & Jim Manico)<br>
  
 +
[[Summit_2011_Working_Sessions/Session026|Defining AppSensor Detection Points]] (Michael Coates) - [https://lists.owasp.org/pipermail/owasp-appsensor-project/2011-February/000208.html Working Session Notes], [http://code.google.com/p/appsensor/source/browse/#svn%2Ftrunk%2FAppSensor-Tutorial Updated AppSensor-Tutorial code with new lessons and lesson structure enhancements], [https://www.owasp.org/index.php/AppSensor_Developer_Guide AppSensor Updated Getting Started Guide for new adopters and developers leveraging feedback from session]<br>
  
===Individual OWASP Projects===
+
[[Summit_2011_Working_Sessions/Session028|Protecting Information Stored Client-Side]] (John Steven)<br>
[[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices]] (Keith Turpin) - [https://docs.google.com/document/d/12SMf5i0zRSYEeHfYrJtWHSqy-dnSZq72OkTaMa_UM3U/edit?hl=en_US&authkey=CNjU_5oP Working Session Notes]<br>
+
  
[[Summit_2011_Working_Sessions/Session068|Enterprise Web Defense Roundtable]] (Michael Coates & Chris Lyon) - [http://etherpad.mozilla.org:9000/OWASP-EWDR Etherpad Notes Page with Agenda, Slides & Background Reading]<br>
+
[[Summit_2011_Working_Sessions/Session030|Providing Access to Persisted Data]] (Dan Cornell) - [https://docs.google.com/document/d/1bdmsNimmANJnRaVOpxYL1jVGutEMF84cK_iSjhSo40o/edit?hl=en_US&authkey=CIfD594I Working Session Notes]<br>
  
[[Threat Modeling]] (Anurag Agarwal) - [https://docs.google.com/document/d/1QnCgW7Sr1cGx6cg3EKOqxhvNyx9G6xmFP5Mksebd3Ts/edit?hl=en_US&authkey=CLexzjE Working Session discussion points and notes]<br>
 
  
[[OWASP_Common_Numbering_Project|OWASP Common Vulnerability List]] (Meucci/Keary/Agarwal) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNOTkzNmYwN2YtNWZmZC00NjdhLTk1ZjMtMmU5NjQ5ZThhYmVl&hl=en_US&authkey=CNPQ4LkG CVL ppt presentation created by Matteo Meucci]<br>
+
===University, Education, and Training===
 +
[[:Category:OWASP_Education_Project|OWASP Education Project]] (Martin Knobloch)<br>
  
[[OWASP_Common_Numbering_Project|Common Structure and Numbering for All Guides]] (Keith Turpin/Matteo Meucci/Vishal Garg)<br>
+
[[OWASP_Working_Session_-_OWASP_Certification|OWASP Certification]] (Jason Taylor & Jason Li) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMTlkMDUxNGEtZmM1MS00ODI2LWEwMDYtMjU1Nzc4ZWEwYmJk&hl=en_US&authkey=CNbHmJkP Certification Code of Conduct Draft]<br>
  
[[OWASP Testing Project|OWASP Testing Guide]] (Matteo Meucci) - [https://docs.google.com/document/d/11vERv8lf0xrEgdi37iLbuJL2rqjAsgP8icoE4rMtL50/edit?hl=en_US&authkey=CPLqrfoJ Working Session Notes], [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMWVmZTE5ZTctOTZkYy00MGZiLWE1N2UtNDE1NjEwZDg2MGRi&hl=en_US&authkey=CJfF-KwL Planning the OWASP Testing Guide 4.0 ppt presentation]<br>
+
[[OWASP Exams Project]] (Jason Taylor)<br>
  
[[OWASP Mobile Security Project]] (Mike Zusman) - [https://docs.google.com/document/d/1vDB6FMCFHLqpEfB-SPlG0hliKak8flnUvJ1fwZPa-qM/edit?hl=en_US&authkey=CI_Mj4wJ Working Session Notes]<br>
+
[[OWASP Hackademic Challenges Project]] (Kostas Papapanagiotou & Vasileros Vlachos)<br>
  
[[Projects/OWASP_Development_Guide|Development Guide]] (Vishal Garg)<br>
+
[[Summit_2011_Working_Sessions/Session069|OWASP Top 10 Training in Hacking-Lab]] (Ivan Buetler) - [https://www.hacking-lab.com/ Hacking Lab Website]<br>
  
[[ASVS|Application Security Verification Standard (ASVS) Project]] (Dave Wichers)<br>
+
[[OWASP Training]] (Sandra Paiva) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNY2I5M2YwMjMtMGJjNi00ZjZkLWJkYmUtZmU0YjhjNjc4NzYx&hl=en_US&authkey=COzlt4cC Working Session Notes]<br>
  
[[OWASP Portuguese Language Project]] (Lucas Ferriera) - [[Summit_2011_Working_Sessions/Session048/Deliverable_1|Working Session Outcomes]]<br>
+
[[OWASP Academies| University Outreach - OWASP Academies]] (Sandra Paiva) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNZGE2MmE4MjAtYmEwYS00M2NmLTk2ZjYtNmM3ODc2MDQyODBm&hl=en_US&authkey=CPHdmtIB Working Session Notes], [[OWASP Academy Portal Project]]<br>
  
[[OWASP Hackademic Challenges Project]] (Kostas & Vasileros Vlachos)<br>
+
[[OWASP_Student_Chapters_Program|University Outreach - OWASP College Chapter Program]] (Martin Knobloch) (renamed "OWASP Student Chapters Program")<br>
  
[[OWASP Java Project]] (Lucas Ferriera) - [[Summit_2011_Working_Sessions/Session053/Deliverable_1|Action Plan for the Java Project]], [[Summit_2011_Working_Sessions/Session053/Deliverable_2|New Project Leader]]<br>
 
  
[http://www.opensamm.org/ OpenSAMM] (Pravir Chandra) - [http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/ Pravir Chandra - BSIMM activities mapped to SAMM]<br>
+
===OWASP Internal Governance and Global Committees===
 +
[[Global Chapters Committee]] (Seba Deleersnyder) - [[Summit_2011_Working_Sessions/Session018/Deliverable_1|Working Session Meeting Minutes]]<br>
  
[http://www.opensamm.org/ The Future of OpenSAMM] (Pravir Chandra)<br>
+
[[Global Conferences Committee]] (Mark Bristow) - [https://docs.google.com/a/owasp.org/document/d/1-dlyY97XAiDSphFA3rSedc_19rp3r7vfiH1L34wezpU/edit?hl=en_US Working Session/Monthly Committee Meeting Minutes]<br>
  
[[Summit_2011_Working_Sessions/Session203|OWASP Project Disclosure Policies]] (Chris Schmidt) - [[Summit_2011_Working_Sessions/Session203/Deliverable_1|OWASP Project Disclosure Policy]], [[Summit_2011_Working_Sessions/Session203/Deliverable_2|OWASP Security Bulletin Template]], [[Summit_2011_Working_Sessions/Session203/Deliverable_3|Project Adherence Rules]]<br>
+
[[Global Education Committee]] (Martin Knobloch)<br>
  
[[OWASP O2 Platform]] (Dinis Cruz)<br>
+
[[Global Industry Committee]] (Eoin Keary & Colin Watson) - [https://docs.google.com/document/d/1XtFXZuyzCmRAxMTwmtSmz4zQ9m7yAdqOFO7c0PLYDLw/edit?hl=en_US&authkey=CPPl898J Working Session Notes], [https://www.surveymonkey.com/s/SCJBX7R 2011 Industry Outreach Survey]<br>
  
 +
[[Global Membership Committee]] (Dan Cornell) - [https://docs.google.com/document/d/1lsoExx4UW-dpjRgRlZaJq0BQPf4lRxRQPI56McMfUBs/edit?hl=en_US&authkey=COO8kd4E Working Session Notes], [[Membership|Membership page with changes subsequent to 2011 Summit]]<br>
  
===OWASP Governance and Committees===
+
[[Global Projects Committee]] (Jason Li & Brad Causey) - [[GPC_2011_Summit_Outcomes|Summary of Outcomes and Post-Summit Progress]], [https://lists.owasp.org/pipermail/global-projects-committee/2011-February/001777.html February GPC Meeting Minutes] <br>
[[Global Education Committee]] (Martin Knobloch)<br>
+
  
[[Global Industry Committee]] (Eoin Keary & Colin Watson) - [https://docs.google.com/document/d/1XtFXZuyzCmRAxMTwmtSmz4zQ9m7yAdqOFO7c0PLYDLw/edit?hl=en_US&authkey=CPPl898J Working Session Notes]<br>
+
[[Summit_2011_Working_Sessions/Session013|OWASP Board & Global Committee Governance]] (Mark Bristow) - [[Talk:Summit_2011_Working_Sessions/Session013|Working Session Rationale]], [[Membership/2011Election|2011 Board of Directors Election Information]], [https://docs.google.com/a/owasp.org/document/d/1r_hS2ioEBcNOKqmEjSJmlLUOdQEb5qPb_0GU_VU1Arw/edit?hl=en&authkey=CLe5nZwD New Bylaws]<br>
  
[[Global Projects Committee]] (Jason Li & Brad Causey)<br>
+
[[Summit_2011_Working_Sessions/Session251|OWASP Chapters:Asia/Pacific Working Group]] (Helen Gao) - [[Summit_2011_Working_Sessions/Session251|Working Group Outcomes]]<br>
  
[[Global Membership Committee]] (Dan Cornell) - [https://docs.google.com/document/d/1lsoExx4UW-dpjRgRlZaJq0BQPf4lRxRQPI56McMfUBs/edit?hl=en_US&authkey=COO8kd4E Working Session Notes]<br>
+
[[Summit_2011_Working_Sessions/Session035|OWASP Chapters: Building the OWASP Brazilian Leaders Group]] (Lucas Ferreira) - [[Summit_2011_Working_Sessions/Session035/Deliverable_1|Objectives and action plan to improve OWASP presence in Brazil]]<br>
  
[[Global Chapters Committee]] (Seba Deleersnyder) - [[Summit_2011_Working_Sessions/Session018/Deliverable_1|Working Session Meeting Minutes]]<br>
+
[[Summit_2011_Working_Sessions/Session077|OWASP Funding and CEO Discussion]] (Keith Turpin) - [https://docs.google.com/document/d/1WghR2_ID1ZNUJqtjZhQHPcEpdbGt_RRR7snu7b8xTvU/edit?hl=en_US&authkey=CNClgtMN Working Session Notes], [https://docs.google.com/document/d/1eZPomybmFn1NIQjg-UquncYhrdfc86WIGMO6_5V84ls/edit?hl=en_US&authkey=CO3n74gG List of suggestions from Funding and CEO discussion], [[Talk:Summit_2011_Working_Sessions/Session077|Arguments for hiring an OWASP CEO]]<br>
  
[[Global Conferences Committee]] (Mark Bristow)<br>
+
[[OWASP_Licenses|OWASP Licensing]] (Abraham Kang) - [https://docs.google.com/document/d/1zDR7ufDk4-lsjFptv2w2mJbyIrKW6NLAPeGuKrhbu-A/edit?hl=en_US&authkey=CLb5r4sK Working Session Notes], [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzI5NGQxMzItNDFiZS00ZWYyLThiYjQtZTY2ZDYyYmMxNWRh&hl=en_US&authkey=CJzZ3sQP OWASP Licensing PowerPoint], [https://docs.google.com/document/d/14dXwV8XbUqPZ4_b5wWJPxaTi8FJb1GWp98DjJQKbRek/edit?hl=en_US&authkey=CMvsidkO Licensing - Questions for follow up] <br>
  
[[Summit_2011_Working_Sessions/Session036|Government Outreach]] (Doug Wilson) - [[Summit_2011_Working_Sessions/Session036/Deliverable_1|Working Session Outcome]]<br>
+
[[Working_Sessions_OWASP_Website|Overhauling the OWASP Website]] (Jason Li) - [[Summit_2011_Working_Sessions/Session023/Deliverable_1|Summary of Outcomes]]<br>
  
[[Summit_2011_Working_Sessions/Session077|OWASP Funding and CEO Discussion]] (Keith Turpin) - [https://docs.google.com/document/d/1WghR2_ID1ZNUJqtjZhQHPcEpdbGt_RRR7snu7b8xTvU/edit?hl=en_US&authkey=CNClgtMN Working Session Notes], [https://docs.google.com/document/d/1eZPomybmFn1NIQjg-UquncYhrdfc86WIGMO6_5V84ls/edit?hl=en_US&authkey=CO3n74gG List of suggestions from Funding and CEO discussion], [[Talk:Summit_2011_Working_Sessions/Session077|Arguments for & against hiring a CEO for OWASP]]<br>
+
[[OWASP Points|OWASP Points - Tracking OWASP Participation]] (Mark Bristow)<br>
  
[[Summit_2011_Working_Sessions/Session013|OWASP Board/Committee Governance]] (Mark Bristow) - [[Talk:Summit_2011_Working_Sessions/Session013|Comments re: why this working session is/was necessary]]<br>
 
  
[[OWASP Points]] - Tracking OWASP Participation (Mark Bristow)<br>
+
===Other OWASP Initiatives===
  
[[OWASP_Licenses|OWASP Licensing]] (Abraham Kang) - [https://docs.google.com/document/d/1zDR7ufDk4-lsjFptv2w2mJbyIrKW6NLAPeGuKrhbu-A/edit?hl=en_US&authkey=CLb5r4sK Working Session Notes], [https://docs.google.com/leaf?id=0B5Z9zE0hx0LNMzI5NGQxMzItNDFiZS00ZWYyLThiYjQtZTY2ZDYyYmMxNWRh&hl=en_US&authkey=CJzZ3sQP OWASP Licensing PowerPoint], [https://docs.google.com/document/d/14dXwV8XbUqPZ4_b5wWJPxaTi8FJb1GWp98DjJQKbRek/edit?hl=en_US&authkey=CMvsidkO Licensing - Questions for follow up] <br>
+
[[OWASP Codes of Conduct|Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies]] (Dinis Cruz & Jeff Williams) - [https://docs.google.com/document/d/1F5HI3ddSxf-gF2qM_fNaEb2u73nsnrJXm3VmbsVVo28/edit?hl=en_US&authkey=CPy0gZwH Draft OWASP Codes of Conduct Document]<br>
  
[[OWASP Codes of Conduct]] (Dinis Cruz & Jeff Williams) - [https://docs.google.com/document/d/1F5HI3ddSxf-gF2qM_fNaEb2u73nsnrJXm3VmbsVVo28/edit?hl=en_US&authkey=CPy0gZwH Draft Document]<br>
+
[[Summit_2011_Working_Sessions/Session068|Enterprise Web Defense Roundtable]] (Michael Coates & Chris Lyon) - [http://etherpad.mozilla.org:9000/OWASP-EWDR Etherpad Notes Page with Agenda, Slides & Background Reading]<br>
  
[[Summit_2011_Working_Sessions/Session035|Building the OWASP Brazilian Leaders Group]] (Lucas Ferriera) - [[Summit_2011_Working_Sessions/Session035/Deliverable_1|Objectives and action plan to improve OWASP presence in Brazil]]<br>
+
[[Summit_2011_Working_Sessions/Session036|Government Outreach]] (Doug Wilson) - [[Summit_2011_Working_Sessions/Session036/Deliverable_1|Working Session Outcome]]<br>
  
[[Summit_2011_Working_Sessions/Session251|OWASP Asia/Pacific Working Group]] (Helen Gao) - [[Summit_2011_Working_Sessions/Session251|Working Group Outcomes]]<br>
+
[[Summit_2011_Working_Sessions/Session262|Healthcare Industry Outreach]] & [[Summit_2011_Working_Sessions/Session263|Banking/Finance Industry Outreach]] ( Lorna Alamri) - [https://docs.google.com/document/d/1YsQC2J6GIqvE69agde25xDE4LsZIZN-bKMrFbAatywU/edit?hl=en_US&authkey=CK35nnc Vertical Outreach Notes], [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNYmM4Y2Y3YWEtMTU5YS00NGU0LTk1NTgtYjk1MzdiOWZkMWQ5&hl=en_US&authkey=CP3ZsqMK Industry Outreach Mapping]<br>  
  
[[Summit_2011_Working_Sessions/Session262|Industry - Healthcare]] (Joe Bernik & Lorna Alamri)<br>
+
[[Summit_2011_Working_Sessions/Session082|How can OWASP reach/talk/engage with auditors?]] (Matthew Chalmers) - [https://docs.google.com/document/d/1Kv5Qb9JeTaxBvCJMksSi3XlI0Sk77kdRVxj8-PY3jMI/edit?hl=en_US&authkey=COqF7e4M Working Session Notes]<br>
  
[[Summit_2011_Working_Sessions/Session263|Industry - Banking/Finance]] (Joe Bernik & Lorna Alamri)<br>
+
[[Summit_2011_Working_Sessions/Session073|Privacy - Personal Data/PII, Legislation and OWASP]] (Colin Watson) - [https://docs.google.com/document/d/1iemUPPunBlWC7rBCALirPLN662rdYHQPPCerDzKIO6c/edit?hl=en_US&authkey=CLmG9nQ Working Session Notes]<br>
  
 +
[[Summit_2011_Working_Sessions/Session080|Should OWASP work directly with PCI-DSS?]] (Matthew Chalmers) - [https://docs.google.com/document/d/19s9oXr2-wvaGI7Wka44ii5amsUflfTEvCweTBMV7Dew/edit?hl=en_US&authkey=CKmbgLoI Working Session Notes]<br>
  
===Miscellaneous===
 
[[Summit_2011_Working_Sessions/Session073|Privacy - Personal Data/PII, Legislation and OWASP]] (Colin Watson) - [https://docs.google.com/document/d/1iemUPPunBlWC7rBCALirPLN662rdYHQPPCerDzKIO6c/edit?hl=en_US&authkey=CLmG9nQ Working Session Notes]<br>
 
  
[[Working_Sessions_OWASP_Website|Overhauling the OWASP Website]] (Jason Li)<br>[[Summit_2011_Working_Sessions/Session023/Deliverable_1|Summary of Outcomes]]
 
  
[[Summit_2011_Working_Sessions/Session080|Should OWASP work directly with PCI-DSS?]] (Matthew Chalmers) - [https://docs.google.com/document/d/19s9oXr2-wvaGI7Wka44ii5amsUflfTEvCweTBMV7Dew/edit?hl=en_US&authkey=CKmbgLoI Working Session Notes]<br>
+
==Summit Team & Attendee Bios==
  
[[Summit_2011_Working_Sessions/Session082|How can OWASP reach/talk/engage with auditors?]] (Matthew Chalmers) - [https://docs.google.com/document/d/1Kv5Qb9JeTaxBvCJMksSi3XlI0Sk77kdRVxj8-PY3jMI/edit?hl=en_US&authkey=COqF7e4M Working Session Notes]<br>
+
* [[Media: Attendee_Bios_for_Outcomes_-_Participants.pdf|Summit Attendees and Staff Bios]]
  
[[Summit_2011_Working_Sessions/Session072|Developer Outreach]] (Mark Bristow & Jason Li)<br>
 
  
 +
==Summit-Related Blog Posts==
 +
[http://www.clerkendweller.com/2011/2/8/OWASP-Summit-2011-Part-1 Colin Watson - 3 part Recap/Reflections on OWASP Summit 2011, 8-Feb-2011]<br>
  
==Summit Team & Attendee Bios==
+
[http://www.carlosserrao.net/2011/02/owasp-summit-2011/ Carlos Serrão - OWASP Summit 2011, 9-Feb-2011]<br>
  
===Support Staff Bios===
+
[http://www.secureconsulting.net/2011/02/evolving_owasp_reflections_on.html Ben Tomhave - Evolving OWASP: Reflections on the 2011 Summit, 11-Feb-2011]<br>
* [[Media:Attendee_Bios_for_Outcomes_-_Staff.pdf|Summit Support Staff Bios]]
+
  
 +
[http://appsandsecurity.blogspot.com/2011/02/fears-hopes-for-owasp.html John Wilander - Fears & Hopes for OWASP, 13-Febr-2011]<br>
  
===Attendee Bios===
+
[http://diniscruz.blogspot.com/2011/02/owasp-summit-2011-results.html Dinis Cruz - OWASP Summit 2011 Results, 15-Feb-2011]<br>
* [[Media: Attendee_Bios_for_Outcomes_-_Participants.pdf|Summit Participant Bios]]
+
  
 +
[http://yet-another-dev.blogspot.com/search/label/owasp%20summit Chris Schmidt - Dear OWASP Summit, Obrigado, 16-Feb-2011]<br>
  
==Summit-Related Blog Posts==
+
[http://supplychaintechnology.wordpress.com/2011/02/17/notes-from-owasp-2011-summit-published/ Supply Chain Technology - Notes from the OWASP 2011 Summit Published, 17-Feb-2011]
[http://www.clerkendweller.com/2011/2/8/OWASP-Summit-2011-Part-1 Colin Watson - 3 part Recap/Reflections on OWASP Summit 2011, February 8-10, 2011]<br>
+
  
[http://www.carlosserrao.net/2011/02/owasp-summit-2011/ Carlos Serrão - OWASP Summit 2011, February 9, 2011]<br>
+
[http://www.curphey.com/2011/02/owasp-has-it-reached-a-tipping-point/ Mark Curphey - OWASP - Has it reached a tipping point?, 19-Feb-2011]<br>
  
[http://www.secureconsulting.net/2011/02/evolving_owasp_reflections_on.html Ben Tomhave - Evolving OWASP: Reflections on the 2011 Summit, February 11, 2011]<br>
+
[http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html Michael Coates - A Vision for OWASP, 21-Feb-2011]<br>
  
[http://appsandsecurity.blogspot.com/2011/02/fears-hopes-for-owasp.html John Wilander - Fears & Hopes for OWASP, February 13, 2011]<br>
+
[http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/ Pravir Chandra - BSIMM activities mapped to SAMM, 3-Mar-2011]<br>
  
[http://diniscruz.blogspot.com/2011/02/owasp-summit-2011-results.html Dinis Cruz - OWASP Summit 2011 Results, February 15, 2011]<br>
 
  
[http://yet-another-dev.blogspot.com/search/label/owasp%20summit Chris Schmidt - Dear OWASP Summit, Obrigado, February 16, 2011]<br>
+
==Video & Pictures of Summit==
 +
Video clips of the Summit recorded by [[User:Zakiakhmad|Zaki Akhmad]], a Summit Attendee & OWASP Chapter Leader from [[Indonesia|Indonesia]].  Full video of the Summit Working Sessions is forthcoming.
  
[http://www.curphey.com/2011/02/owasp-has-it-reached-a-tipping-point/ Mark Curphey - OWASP - Has it reached a tipping point?, February 19, 2011]<br>
+
*[http://www.youtube.com/watch?v=w6nuPCxCyC8 Summit 2011 - Governance Session, part 1]
 +
*[http://youtu.be/6HnA3NY7gR0 Summit 2011 - Governance Session, part 2]
 +
*[http://youtu.be/RStrwZGgz0U Summit 2011 - Wrap Up Session #1]
 +
*[http://youtu.be/O0eD-CeQld4 Summit 2011 - Browser Security Wrap Up]
 +
*[http://youtu.be/ZB2JM4xgtBQ Summit 2011 - ESAPI Working Session]
 +
*[http://youtu.be/GRWCgbZF3_g Summit 2011 - Chapter Leader Working Session]
  
[http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html Michael Coates - A Vision for OWASP, February 21, 2011]<br>
 
  
[http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/ Pravir Chandra - BSIMM activities mapped to SAMM, March 3, 2011]<br>
+
Pictures of the Summit:
 +
*[https://picasaweb.google.com/owaspphotos/OWASPSummit# Pictures taken by Ofer Maor, a Summit Attendee & OWASP Chapter Leader from Israel]
 +
*[https://picasaweb.google.com/103488670506331805557/OWASPSummit2011Portugal?authkey=Gv1sRgCLSQr-TtgqrGEA&feat=directlink# Pictures taken by Vlatko Kosturjak, a Summit Attendee & OWASP Chapter Leader from Croatia]
 +
*[https://picasaweb.google.com/carlos.j.serrao/OWASPSummit2011?authkey=Gv1sRgCN3g-7qmu_i93QE# Pictures taken by Carlos Serrão, a Summit Attendee & OWASP Chapter Leader from Portugal]
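Review bot: the merged session titles in this hunk drop the second session's wiki link each time: "XSS and the Frameworks: XSS - Awareness, Resources, and Partnerships" keeps only the Session009 link and loses [[Working_Sessions_XSS_AwarnessResourcesPartnerships]]; "WAF Mitigation for XSS: Virtual Patching Best Practices" keeps Session043 and loses Session091; "Risk Metrics: Metrics and Labeling" keeps Session055 and loses Session057; "Contextual Output Encoding: ESAPI-CORE" keeps Session034 and loses Session027. Either restore the second link inside each merged title or keep the sessions as separate entries as before. Smaller points: "OWASP Project Disclosure Policies" loses the Deliverable_3 "Project Adherence Rules" link that the old line carried; the Healthcare/Banking line has a stray space in "( Lorna Alamri)" and drops Joe Bernik, who was credited on both old entries; and the John Wilander blog entry reads "13-Febr-2011".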

Latest revision as of 06:19, 19 January 2012

If you have any comments, corrections, or questions about the information contained in this page or related links, please contact Sarah Baso


Final Report

View OWASP Summit 2011: Post-Summit Report and Working Sessions Outcomes

  • Purchase black & white copy of report on Lulu.com or free PDF download
  • Purchase full color copy of report on Lulu.com or free PDF download


Press Release & Media Mentions

Summit Background

(included in final report)


2011 Summit Finances & Budget

  • Comparison to 2008 Summit Budget
  • Projection of costs needed for future Summit


2011 Summit Lessons Learned

(included in final report)


Appendix: Working Session Details and Documentation

Browser Security

Browser Security Report


Notes from the 5 Browser Security Sessions

DOM Sandboxing notes (pdf)

HTML5 Security notes (pdf)

EcmaScript 5 Security notes (pdf)

Enduser Warnings notes (pdf)

Site Security Policy notes (pdf)


XSS Eradication

DOM based XSS Prevention Cheat Sheet (Jim Manico & Abraham Kang)

XSS and the Frameworks: XSS - Awareness, Resources, and Partnerships (Justin Clarke) - Working Session Notes

WAF Mitigation for XSS: Virtual Patching Best Practices (Ryan Barnett) - Working Session Notes


Metrics

Counting and Scoring Application Security Defects (Chris Eng & Chris Wysopal) - Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey

Risk Metrics: Metrics and Labeling (Chris Eng & Chris Wysopal) - Working Session Transcripts

Individual OWASP Projects

Application Security Verification Standard (ASVS) Project (Dave Wichers)

Development Guide (Vishal Garg)

OpenSAMM (Pravir Chandra) - BSIMM activities mapped to SAMM

OWASP Common Structure and Numbering for All Guides (Keith Turpin/Matteo Meucci/Vishal Garg)

OWASP Common Vulnerability List (Meucci/Keary/Agarwal) - CVL ppt presentation created by Matteo Meucci

OWASP Java Project (Lucas Ferreira) - Action Plan for the Java Project, New Project Leader

OWASP Mobile Security Project (Mike Zusman) - Working Session Notes

OWASP O2 Platform (Dinis Cruz)

OWASP Portuguese Language Project (Lucas Ferreira) - Working Session Outcomes

OWASP Project Disclosure Policies (Chris Schmidt) - OWASP Project Disclosure Policy, OWASP Security Bulletin Template

OWASP Secure Coding Practices - Quick Reference Guide (Keith Turpin) - Working Session Notes

OWASP Testing Guide (Matteo Meucci) - Working Session Notes, Planning the OWASP Testing Guide 4.0 ppt presentation

Threat Modeling (Anurag Agarwal) - Working Session discussion points and notes


Secure Coding Workshop

General Information on the OWASP Secure Coding Track - Code Repository (Google)


Applying ESAPI Input Validation (Chris Schmidt)

Contextual Output Encoding: ESAPI-CORE (Chris Schmidt & Jim Manico)

Defining AppSensor Detection Points (Michael Coates) - Working Session Notes, Updated AppSensor-Tutorial code with new lessons and lesson structure enhancements, AppSensor Updated Getting Started Guide for new adopters and developers leveraging feedback from session

Protecting Information Stored Client-Side (John Steven)

Providing Access to Persisted Data (Dan Cornell) - Working Session Notes


University, Education, and Training

OWASP Education Project (Martin Knobloch)

OWASP Certification (Jason Taylor & Jason Li) - Certification Code of Conduct Draft

OWASP Exams Project (Jason Taylor)

OWASP Hackademic Challenges Project (Kostas Papapanagiotou & Vasileios Vlachos)

OWASP Top 10 Training in Hacking-Lab (Ivan Buetler) - Hacking Lab Website

OWASP Training (Sandra Paiva) - Working Session Notes

University Outreach - OWASP Academies (Sandra Paiva) - Working Session Notes, OWASP Academy Portal Project

University Outreach - OWASP College Chapter Program (Martin Knobloch) (renamed "OWASP Student Chapters Program")


OWASP Internal Governance and Global Committees

Global Chapters Committee (Seba Deleersnyder) - Working Session Meeting Minutes

Global Conferences Committee (Mark Bristow) - Working Session/Monthly Committee Meeting Minutes

Global Education Committee (Martin Knobloch)

Global Industry Committee (Eoin Keary & Colin Watson) - Working Session Notes, 2011 Industry Outreach Survey

Global Membership Committee (Dan Cornell) - Working Session Notes, Membership page with changes subsequent to 2011 Summit

Global Projects Committee (Jason Li & Brad Causey) - Summary of Outcomes and Post-Summit Progress, February GPC Meeting Minutes

OWASP Board & Global Committee Governance (Mark Bristow) - Working Session Rationale, 2011 Board of Directors Election Information, New Bylaws

OWASP Chapters: Asia/Pacific Working Group (Helen Gao) - Working Group Outcomes

OWASP Chapters: Building the OWASP Brazilian Leaders Group (Lucas Ferreira) - Objectives and action plan to improve OWASP presence in Brazil

OWASP Funding and CEO Discussion (Keith Turpin) - Working Session Notes, List of suggestions from Funding and CEO discussion, Arguments for hiring an OWASP CEO

OWASP Licensing (Abraham Kang) - Working Session Notes, OWASP Licensing PowerPoint, Licensing - Questions for follow up

Overhauling the OWASP Website (Jason Li) - Summary of Outcomes

OWASP Points - Tracking OWASP Participation (Mark Bristow)


Other OWASP Initiatives

Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies (Dinis Cruz & Jeff Williams) - Draft OWASP Codes of Conduct Document

Enterprise Web Defense Roundtable (Michael Coates & Chris Lyon) - Etherpad Notes Page with Agenda, Slides & Background Reading

Government Outreach (Doug Wilson) - Working Session Outcome

Healthcare Industry Outreach & Banking/Finance Industry Outreach (Lorna Alamri) - Vertical Outreach Notes, Industry Outreach Mapping

How can OWASP reach/talk/engage with auditors? (Matthew Chalmers) - Working Session Notes

Privacy - Personal Data/PII, Legislation and OWASP (Colin Watson) - Working Session Notes

Should OWASP work directly with PCI-DSS? (Matthew Chalmers) - Working Session Notes


Summit Team & Attendee Bios


Summit-Related Blog Posts

Colin Watson - 3 part Recap/Reflections on OWASP Summit 2011, 8-Feb-2011

Carlos Serrão - OWASP Summit 2011, 9-Feb-2011

Ben Tomhave - Evolving OWASP: Reflections on the 2011 Summit, 11-Feb-2011

John Wilander - Fears & Hopes for OWASP, 13-Feb-2011

Dinis Cruz - OWASP Summit 2011 Results, 15-Feb-2011

Chris Schmidt - Dear OWASP Summit, Obrigado, 16-Feb-2011

Supply Chain Technology - Notes from the OWASP 2011 Summit Published, 17-Feb-2011

Mark Curphey - OWASP - Has it reached a tipping point?, 19-Feb-2011

Michael Coates - A Vision for OWASP, 21-Feb-2011

Pravir Chandra - BSIMM activities mapped to SAMM, 3-Mar-2011


Video & Pictures of Summit

Video clips of the Summit recorded by Zaki Akhmad, a Summit Attendee & OWASP Chapter Leader from Indonesia. Full video of the Summit Working Sessions is forthcoming.


Pictures of the Summit: