Difference between revisions of "Talk:Denver"

From OWASP
Revision as of 14:23, 18 November 2006

Minutes from the First Denver OWASP meeting, Wednesday November 15th, 2006

As promised, INS provided a conference room and projector for 12-15 people (THANKS INS!) This was much appreciated by the 35 or so folks who showed up (guess we'll be a little more diligent about RSVPing next time!).

Introductions took place around the room and it looks like about 20% of the folks are non-technical (sales, management, business, governance), 40% are in security operations (pen-testing, security ops consulting), 40% SDLC folks (developers, QA, testers), with one or two Project Managers thrown in for good measure.

David B. gave a fascinating slideshow on the OWASP Top 10, followed by a discussion about what we want to accomplish as a chapter and what the topic for the next meeting ought to be. The final decision was captured on Andy's iBook, which unfortunately turned to slag in the middle of the meeting. The consensus was to do the following:

1. Start at the beginning - with requirements and use-cases.

2. Leverage existing technologies and methodologies such as Active Directory and the security features of .Net.

3. Position our developers for success - figure out how to test effectively and correlate security testing failures with where developers ought to go to check their code.

4. Position our testers/QA for success - figure out how to test effectively without unnecessary delays.

5. Position our business for success - ensure that compliance is also addressed in the 3 areas above.

6. Build the case that ties the above activities to actual business value.

7. Figure out how to market this stuff so that it's not entirely about dollars and cents.

So... on January 17th there will be a talk about integrating security into the SDLC. In the meantime, we'll see if we can kick off a few use-cases via email collaboration.

After the meeting we hoisted a pint or two at some Irish pub around the corner from INS and a good time was had by all.

Many thanks to Scott and Rachael of INS for hosting the first meeting! Contact info for Scott:

Scott Scharf INS - International Network Services (303) 953-3401 scott.scharf AT ins.com

Thanks also to the participation of other vendors. Their contact info is below:

Jeff Paddock Application Security, Inc. (303) 274-0404 jpaddock AT appsecinc.com

Dan Wood Accuvant Inc. (303) 298-0600 x119 dwood AT accuvant.com

Steve Drown CA (303) 643-6122 Steven.Drown AT ca.com

Andy Hill Melillo Consulting (720) 480-9634 hill AT mjm.com

Jeff Kowalski South Seas Corporation (303) 649-1771 jkowalski AT southseascorp.com

Chris Bramhall South Seas Corporation (303) 649-1771 cbramhall AT southseascorp.com

Bill Croom III Verisign (719) 481-4991 bcroom AT verisign.com