Difference between revisions of "Summit 2011 Outcomes"

From OWASP
Edit summary of the latest revision: m (Video & Pictures of Summit)
(9 intermediate revisions by one other user not shown)

Old line 1 / new line 1:

If you have any comments, corrections, or questions about the information contained in this page or related links, please contact [mailto:sarah.baso@owasp.org Sarah Baso]

− ==Acknowledgments==
+ ==Final Report==
− (Forthcoming)
+ [http://sl.owasp.org/summit2011_finalreport View OWASP Summit 2011: Post-Summit Report and Working Sessions Outcomes]
+ 
+ * [http://www.lulu.com/product/paperback/owasp-summit-2011-post-summit-report-and-working-session-outcomes/16364260 Purchase] black & white copy of report on Lulu.com or free PDF download
+ * [http://www.lulu.com/product/paperback/owasp-summit-2011-post-summit-report-and-working-session-outcomes/16364260 Purchase] full color copy of report on Lulu.com or free PDF download

Old line 14 / new line 17:

==Summit Background==
− (Forthcoming)
+ (included in final report)

Old line 25 / new line 28:

==2011 Summit Lessons Learned==
− (Forthcoming)
+ (included in final report)

Old line 31 / new line 34:

===Browser Security===
− Here are the notes from all the four browser security sessions. John Wilander is working on a Browser Security Report building on these sessions.
+ 
+ [https://docs.google.com/document/d/1KcdJKBG_ZMuqWoy6RQRS6HNsKgXkGbuayEjK-PXwD2U/edit?hl=en_US&authkey=CKy3gO8M Browser Security Report]
+ 
+ '''Notes from the 5 Browser Security Sessions'''<br>

[http://www.owasp.org/images/0/06/OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf DOM Sandboxing notes (pdf)]<br>
Old line 93 / new line 100:

[[Summit_2011_Working_Sessions/Session034|Contextual Output Encoding: ESAPI-CORE]] (Chris Schmidt & Jim Manico)<br>
− [[Summit_2011_Working_Sessions/Session026|Defining AppSensor Detection Points]] (Michael Coates)<br>
+ [[Summit_2011_Working_Sessions/Session026|Defining AppSensor Detection Points]] (Michael Coates) - [https://lists.owasp.org/pipermail/owasp-appsensor-project/2011-February/000208.html Working Session Notes], [http://code.google.com/p/appsensor/source/browse/#svn%2Ftrunk%2FAppSensor-Tutorial Updated AppSensor-Tutorial code with new lessons and lesson structure enhancements], [https://www.owasp.org/index.php/AppSensor_Developer_Guide AppSensor Updated Getting Started Guide for new adopters and developers leveraging feedback from session]<br>
[[Summit_2011_Working_Sessions/Session028|Protecting Information Stored Client-Side]] (John Steven)<br>
Old line 102 / new line 109:

===University, Education, and Training===
[[:Category:OWASP_Education_Project|OWASP Education Project]] (Martin Knobloch)<br>

[[OWASP_Working_Session_-_OWASP_Certification|OWASP Certification]] (Jason Taylor & Jason Li) - [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNMTlkMDUxNGEtZmM1MS00ODI2LWEwMDYtMjU1Nzc4ZWEwYmJk&hl=en_US&authkey=CNbHmJkP Certification Code of Conduct Draft]<br>
Old line 150 / new line 156:

[[OWASP Codes of Conduct|Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies]] (Dinis Cruz & Jeff Williams) - [https://docs.google.com/document/d/1F5HI3ddSxf-gF2qM_fNaEb2u73nsnrJXm3VmbsVVo28/edit?hl=en_US&authkey=CPy0gZwH Draft OWASP Codes of Conduct Document]<br>
− [[Summit_2011_Working_Sessions/Session072|Developer Outreach]] (Mark Bristow & Jason Li)<br>
[[Summit_2011_Working_Sessions/Session068|Enterprise Web Defense Roundtable]] (Michael Coates & Chris Lyon) - [http://etherpad.mozilla.org:9000/OWASP-EWDR Etherpad Notes Page with Agenda, Slides & Background Reading]<br>
Old line 195 / new line 199:

==Video & Pictures of Summit==
− Video clips of the Summit recorded by Zaki Akhmad, a Summit Attendee & OWASP Chapter Leader from Indonesia. Full video of the Summit Working Sessions is forthcoming.
+ Video clips of the Summit recorded by [[User:Zakiakhmad|Zaki Akhmad]], a Summit Attendee & OWASP Chapter Leader from [[Indonesia|Indonesia]]. Full video of the Summit Working Sessions is forthcoming.

*[http://www.youtube.com/watch?v=w6nuPCxCyC8 Summit 2011 - Governance Session, part 1]

Latest revision as of 06:19, 19 January 2012

If you have any comments, corrections, or questions about the information contained in this page or related links, please contact Sarah Baso

Final Report

View OWASP Summit 2011: Post-Summit Report and Working Sessions Outcomes

  • Purchase black & white copy of report on Lulu.com or free PDF download
  • Purchase full color copy of report on Lulu.com or free PDF download


Press Release & Media Mentions

Summit Background

(included in final report)


2011 Summit Finances & Budget

  • Comparison to 2008 Summit Budget
  • Projection of costs needed for future Summit


2011 Summit Lessons Learned

(included in final report)


Appendix: Working Session Details and Documentation

Browser Security

Browser Security Report


Notes from the 5 Browser Security Sessions

DOM Sandboxing notes (pdf)

HTML5 Security notes (pdf)

EcmaScript 5 Security notes (pdf)

Enduser Warnings notes (pdf)

Site Security Policy notes (pdf)


XSS Eradication

DOM based XSS Prevention Cheat Sheet (Jim Manico & Abraham Kang)

XSS and the Frameworks: XSS - Awareness, Resources, and Partnerships (Justin Clarke) - Working Session Notes

WAF Mitigation for XSS: Virtual Patching Best Practices (Ryan Barnett) - Working Session Notes


Metrics

Counting and Scoring Application Security Defects (Chris Eng & Chris Wysopal) - Brief Introduction to Common Weakness Scoring System ppt created by Steve Christey

Risk Metrics: Metrics and Labeling (Chris Eng & Chris Wysopal) - Working Session Transcripts

Individual OWASP Projects

Application Security Verification Standard (ASVS) Project (Dave Wichers)

Development Guide (Vishal Garg)

OpenSAMM (Pravir Chandra) - BSIMM activities mapped to SAMM

OWASP Common Structure and Numbering for All Guides (Keith Turpin/Matteo Meucci/Vishal Garg)

OWASP Common Vulnerability List (Meucci/Keary/Agarwal) - CVL ppt presentation created by Matteo Meucci

OWASP Java Project (Lucas Ferreira) - Action Plan for the Java Project, New Project Leader

OWASP Mobile Security Project (Mike Zusman) - Working Session Notes

OWASP O2 Platform (Dinis Cruz)

OWASP Portuguese Language Project (Lucas Ferreira) - Working Session Outcomes

OWASP Project Disclosure Policies (Chris Schmidt) - OWASP Project Disclosure Policy, OWASP Security Bulletin Template

OWASP Secure Coding Practices - Quick Reference Guide (Keith Turpin) - Working Session Notes

OWASP Testing Guide (Matteo Meucci) - Working Session Notes, Planning the OWASP Testing Guide 4.0 ppt presentation

Threat Modeling (Anurag Agarwal) - Working Session discussion points and notes


Secure Coding Workshop

General Information on the OWASP Secure Coding Track - Code Repository (Google)


Applying ESAPI Input Validation (Chris Schmidt)

Contextual Output Encoding: ESAPI-CORE (Chris Schmidt & Jim Manico)

Defining AppSensor Detection Points (Michael Coates) - Working Session Notes, Updated AppSensor-Tutorial code with new lessons and lesson structure enhancements, AppSensor Updated Getting Started Guide for new adopters and developers leveraging feedback from session

Protecting Information Stored Client-Side (John Steven)

Providing Access to Persisted Data (Dan Cornell) - Working Session Notes


University, Education, and Training

OWASP Education Project (Martin Knobloch)

OWASP Certification (Jason Taylor & Jason Li) - Certification Code of Conduct Draft

OWASP Exams Project (Jason Taylor)

OWASP Hackademic Challenges Project (Kostas Papapanagiotou & Vasileros Vlachos)

OWASP Top 10 Training in Hacking-Lab (Ivan Buetler) - Hacking Lab Website

OWASP Training (Sandra Paiva) - Working Session Notes

University Outreach - OWASP Academies (Sandra Paiva) - Working Session Notes, OWASP Academy Portal Project

University Outreach - OWASP College Chapter Program (Martin Knobloch) (renamed "OWASP Student Chapters Program")


OWASP Internal Governance and Global Committees

Global Chapters Committee (Seba Deleersnyder) - Working Session Meeting Minutes

Global Conferences Committee (Mark Bristow) - Working Session/Monthly Committee Meeting Minutes

Global Education Committee (Martin Knobloch)

Global Industry Committee (Eoin Keary & Colin Watson) - Working Session Notes, 2011 Industry Outreach Survey

Global Membership Committee (Dan Cornell) - Working Session Notes, Membership page with changes subsequent to 2011 Summit

Global Projects Committee (Jason Li & Brad Causey) - Summary of Outcomes and Post-Summit Progress, February GPC Meeting Minutes

OWASP Board & Global Committee Governance (Mark Bristow) - Working Session Rationale, 2011 Board of Directors Election Information, New Bylaws

OWASP Chapters:Asia/Pacific Working Group (Helen Gao) - Working Group Outcomes

OWASP Chapters: Building the OWASP Brazilian Leaders Group (Lucas Ferreira) - Objectives and action plan to improve OWASP presence in Brazil

OWASP Funding and CEO Discussion (Keith Turpin) - Working Session Notes, List of suggestions from Funding and CEO discussion, Arguments for hiring an OWASP CEO

OWASP Licensing (Abraham Kang) - Working Session Notes, OWASP Licensing PowerPoint, Licensing - Questions for follow up

Overhauling the OWASP Website (Jason Li) - Summary of Outcomes

OWASP Points - Tracking OWASP Participation (Mark Bristow)


Other OWASP Initiatives

Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies (Dinis Cruz & Jeff Williams) - Draft OWASP Codes of Conduct Document

Enterprise Web Defense Roundtable (Michael Coates & Chris Lyon) - Etherpad Notes Page with Agenda, Slides & Background Reading

Government Outreach (Doug Wilson) - Working Session Outcome

Healthcare Industry Outreach & Banking/Finance Industry Outreach (Lorna Alamri) - Vertical Outreach Notes, Industry Outreach Mapping

How can OWASP reach/talk/engage with auditors? (Matthew Chalmers) - Working Session Notes

Privacy - Personal Data/PII, Legislation and OWASP (Colin Watson) - Working Session Notes

Should OWASP work directly with PCI-DSS? (Matthew Chalmers) - Working Session Notes


Summit Team & Attendee Bios


Summit-Related Blog Posts

Colin Watson - 3 part Recap/Reflections on OWASP Summit 2011, 8-Feb-2011

Carlos Serrão - OWASP Summit 2011, 9-Feb-2011

Ben Tomhave - Evolving OWASP: Reflections on the 2011 Summit, 11-Feb-2011

John Wilander - Fears & Hopes for OWASP, 13-Feb-2011

Dinis Cruz - OWASP Summit 2011 Results, 15-Feb-2011

Chris Schmidt - Dear OWASP Summit, Obrigado, 16-Feb-2011

Supply Chain Technology - Notes from the OWASP 2011 Summit Published, 17-Feb-2011

Mark Curphey - OWASP - Has it reached a tipping point?, 19-Feb-2011

Michael Coates - A Vision for OWASP, 21-Feb-2011

Pravir Chandra - BSIMM activities mapped to SAMM, 3-Mar-2011


Video & Pictures of Summit

Video clips of the Summit recorded by Zaki Akhmad, a Summit Attendee & OWASP Chapter Leader from Indonesia. Full video of the Summit Working Sessions is forthcoming.


Pictures of the Summit: