State of OWASP 2015

  • OWASP & More: State of OWASP 2015
    • https://www.owasp.org
    • https://2015.appsecusa.org
    • Twitter: @owasp, @appsecusa
    • Tobias Gondrom, Board Chair
    • Paul Ritchie, OWASP Executive Director
    • Noreen Whysel, OWASP Community Manager
    • Claudia Casanova, OWASP Project Coordinator
    • Sept. 24, 2015
  • State of OWASP (agenda)
    • Welcome: a “brief story” about OWASP
    • Updates from our Executive Director, Community Manager and Projects Coordinator
    • Q&A
  • Who is OWASP?
    • Free & open
    • Governed by rough consensus & running code
    • Abides by a code of ethics (see ethics)
    • Not-for-profit
    • Not driven by commercial interests
    • Risk-based approach
  • Our Purpose & Our Core Values
    • Our Purpose: The OWASP Foundation will be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.
    • Our Core Values:
      – OPEN: Everything at OWASP is radically transparent, from our finances to our code.
      – INNOVATION: OWASP encourages and supports innovation and experiments for solutions to software security challenges.
      – GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.
      – INTEGRITY: OWASP is an honest and truthful, vendor-agnostic, global community.
  • Strategic Goals for 2015
    • Strengthen OWASP chapters and increase chapters’ ability to spread the message of OWASP through locally organized and run events.
    • Mature the OWASP Projects Platform: provide the OWASP projects community with a mature project platform to encourage senior developers to participate in the many OWASP projects.
    • Build a scalable OWASP training program that spreads security training around the world.
  • 130 Active Projects
  • 268 Active Chapters
  • 44,000+ mailing list participants
  • 88+ Government & Industry Citations!
  • 100+ Academic Supporters
  • 55 Paid Corporate Memberships
  • 2458 Members
  • Our Strong OWASP Operations Team
    • Executive Director: Paul Ritchie
    • Operations Director: Kate Hartmann
    • Membership and Business Liaison: Kelly Santalucia
    • Event Manager: Laura Grau
    • Projects: Claudia Casanovas
    • Community Manager: Noreen Whysel
    • Accounting: Alison Shrader
    • IT Admin: Matt Tesauro (Contractor)
    • Graphic Design: Hugo Costa (Contractor)
  • OWASP – chapter meetings and conferences around the world
  • Thanks to our sponsors and supporters (Premium Sponsors and Contributing Sponsors):
    • http://www.rapid7.com/
    • http://www1.contrastsecurity.com/
    • http://www.hpenterprisesecurity.com/
    • http://www.qualys.com/
    • https://www.salesforce.com/
    • http://www.adobe.com/
    • http://www.acunetix.com/
    • http://www.akamai.com/
    • http://www.aspectsecurity.com/
    • http://www.astechconsulting.com/
    • http://www.autodesk.com/
    • http://www.bestbuy.com/
    • http://www.blackducksoftware.com/
    • http://www.blackhat.com/
    • http://www.ca.com/us/default.aspx
    • http://www.cdnetworks.com/
    • http://www.checkmarx.com/
    • http://www.coverity.com/
    • http://www.denimgroup.com/
    • https://www.edgescan.com/
    • https://www.elearnsecurity.com/
    • http://www.fico.com/
    • http://www.gosecure.ca/
    • http://www.gdssecurity.com/
    • https://www.here.com/
    • https://www.isc2.org/
    • http://www.imperva.com/
    • http://www.intelligentenvironments.com/
    • http://www.monitorapp.com/
    • http://www.netspi.com/
    • http://www.netsuite.com/
    • http://www.oneconsult.com/
    • http://www.oracle.com/us/support/assurance/index.html
    • https://www.prevoty.com/
    • http://www.protiviti.com/
    • http://www.rackspace.com/
    • http://www.rakuten.com/
    • http://www.salesforce.com/
    • http://www.scs.co.jp/sys/
    • https://www.sig.eu/en/
    • http://www.sonatype.com/
    • https://continuousassurance.org/
    • http://www.symantec.com/
    • https://www.synack.com/
    • http://www.thoughtworks.com/
    • http://www.trendmicro.com/us/index.html
    • https://www.trustwave.com/application-security.php
    • https://www.twitter.com/
    • https://www.ups.com/
  • OWASP is about you!
    • Free to use
    • Free to participate
    • Free to contribute
    • Join and help make the Web, and the world, more secure!
      – … join a chapter
      – … join a project
      – … join the global community list
      – … share the security knowledge.
  • Mission
    • Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
    • How’d we do in 2014? See the Annual Report, themed “Growing, Learning, Sharing, Leading”.
  • Strategic Goals & Metrics – 2015
    • Chapter Development
    • Volunteer Management
    • Training
    • Supporting & Maturing the Project Platform
    • Finances
  • Chapter Development – 2015
    • Our Global Footprint
    • 28 new chapters
    • 8 chapters restarted
    • More Chapter & Project Leader Training on Friday
    • Note recent new chapters in Africa
  • Volunteer Management
    • Project Review Task Force actively looking for volunteers
    • Over 25 co-marketing agreements ‘signed’, with speaker slots or free booth space at outside events for OWASP volunteers
    • Wiki Volunteer & Initiatives page updated with volunteer opportunities at universities and 25 Chapter Leader openings
  • Training – Our Reach is Global
    • AppSec USA-SF 2015
      – 1200 attendees
      – 253 training attendees
      – 75+ speakers
    • AppSecEU 2015
      – 585 attendees
      – 133 training attendees
      – 57 speakers
    • LATAM 2015
      – 724 attendees
      – 42 training attendees
      – 70 speakers
  • Training – Chapters Gone Wild (with Training)
    • AppSec-California Training: 7 classes, 36 registrations
    • NYC Hack Day Training: 1 class, 19 registrations
    • OWASP New Zealand Day: 1 class, 12 registrations
    • LATAM Tour: 6 classes, 42 training attendees
    • AppSecEU: 13 classes, 133 registrations
    • OWASP CONfidence (Krakow): 5 classes (6 trainers/classes on website)
    • OWASP SAMM Summit (Dublin): ~30 registrations, 10 paid
    • OWASP Dublin Training Day: 3 classes, 78 registrations
    • … and so many more
  • Project Innovation & Output
    • New projects added
    • Updates & outputs in 2015
    • Project maturity update
    • Project Summit & Summer of Code
    • Bossie Award for Open Source Tools – highlighted: ZAP, Xenotix XSS, O-Saft, OWTF
  • Project Highlights – 2015
    • 2 Project Summits held during AppSec conferences to maximize participation
    • OWASP’s own Summer Code Sprint hosted to support projects
    • Project Coordinator Claudia is updating the New Project & Project Review process & docs
    • CISO Guide translated into Spanish
    • Dependency Check 1.2.9 released
    • Dependency Track 1.0.0 released
    • Vicnum Project updated
    • OWASP SAMM Project Summit – Dublin, March 2015
    • AppSensor – CISO Briefing released
    • ZAP 2.4.0 released
    • ZAP with Docker introduction released
    • ASVS version XX released
    • OWASP KALP Mobile Project initiated
    • OWASP Seraphimdroid project, version 2 released
  • OWASP Finances – Overall Strong & Growing
    • See the Annual Report for details
    • Full financial transparency & reports found on the OWASP Wiki
  • Financial Snapshot: GROWTH 2013 – 2016
    • Conferences remain an excellent channel for training & community sharing: 65% of income & 50% of expenses
    • Projects / Chapter Funding represented ~$255K in 2015, with potential growth to the $300–400K range in 2016.
  • Project Funding & Chapter Funding: Where’s the Info?
    • Need project funding?
    • Need chapter funding?
    • Got a chapter budget, need reimbursement?
    • Submit here: https://www.owasp.org/index.php/Funding
  • The Big Reveal – AppSec US in 2016
    • OWASP AppSec EU 2016: Rome in June
    • OWASP AppSec USA 2016: Washington DC, September, hosted by the Northern Virginia & Washington DC chapters
      – OWASP Northern Virginia: @OWASPNoVA
      – OWASP DC: @OWASPDC
  • Community Update – Noreen Whysel, Community Manager, September 24, 2015
  • Chapter Development
    • 28 new chapters started in 2015
    • 8 chapters restarted
    • 26 chapters inactivated (some in process of restarting)
    • 1 merged chapter (Kenya/Nairobi)
    • 3 chapter splits (Spain, Argentina, Sweden)
    • 53 new leaders added, including restarts
    • 120+ cases & conversations with chapter leaders worldwide
  • Communications
    • Community News Flash
    • Social media announcements
    • Mailing lists
    • SalesForce messaging
    • Personal correspondence
  • Community News Flash
    • First issue April 2015
    • Sent to the owasp-leaders and owasp-community lists
    • Switched to Vertical Response in August 2015
    • August 2015
      – Sent to: 1,282
      – Opens (257): 20.05%
      – Clicks (52): 4.06%
      – Bounces (13): 1.01%
      – Unsubscribes (0): 0.00%
    • September 2015
      – Sent to: 1,269
      – Opens (255): 20.09%
      – Clicks (26): 2.05%
      – Bounces (3): 0.24%
      – Unsubscribes (1): 0.08%
  • Social Media
    • Twitter (as of 8/31/2015)
      – 4014 tweets
      – 325 following
      – 56,819 followers
    • Facebook
      – 9,062 page likes
      – 8,839 group members
    • LinkedIn
      – 22,730 group members
      – 12,800 followers
    • Slack
      – 399 members
      – 76 channels
    • Meetup
      – 54 “OWASP” Meetup groups
      – 13,328 members
      – 1,416 expressed interest
      – 50 cities
      – 17 countries
  • Chapter Leader Workshops (Room F, Pacific Concourse)
    • Thurs 10:30AM – People and Capital
    • Thurs 11:30AM – I’m a Leader. Now What?
    • Friday 10:30AM – What’s In Your Toolbox?
    • Friday 11:30AM – OWASP Wiki Edit-a-thon
    • Friday afternoon – Flex sessions, continue the conversation
  • Projects & Initiative Update – Claudia Aviles Casanovas, Project Coordinator, September 20, 2015
  • Project Task Force Recent Activity
    • Pending Graduation Review (submitted last week):
      – OWASP Security Shepherd
      – OWASP Seraphimdroid Project
      – OWASP Security Logging
    • New Incubator Projects added:
      – OWASP ZSC Tool Project: https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
      – OWASP Mth3l3m3nt Framework Project: https://www.owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project
    • Recent project that graduated to the next level:
      – Benchmark Tool Project (review results: moved from Incubator Project to Lab Project): https://www.owasp.org/index.php/Benchmark
    • Projects graduated from Incubator to Lab in June 2015
      – Category: Documentation
        • OWASP Internet of Things Top Ten Project: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
        • OWASP Proactive Controls: https://www.owasp.org/index.php/OWASP_Proactive_Controls
        • OWASP Top 10 Privacy Risks Project: https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project
        • OWASP Reverse Engineering and Code Modification Prevention Project: https://www.owasp.org/index.php/OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project#tab=Overview
      – Category: Code
        • Mobile Application Security Project: https://www.owasp.org/index.php/OWASP_iMAS_iOS_Mobile_Application_Security_Project
        • OWASP Python Security Project: https://www.owasp.org/index.php/OWASP_Python_Security_Project
  • Project Summit USA 2015 – Projects Participating:
    • OWASP Code Review Guide – Gary Robinson & Larry Conklin
    • OWASP ASVS & OWASP Proactive Controls – Jim Manico
    • OWASP Python Security Project – Enrico Branca
    • OWASP Security Shepherd – Mark Denihan
    • OWASP Security Knowledge – Glenn Ten Cate
    • OWASP PodCast – Mark Miller
    • OWASP WAFEC (starting up activity) – Tony Turner
    • OWASP O2 – Michael Hidalgo
  • Project Summit USA 2015 – Results
    • Columns: Project Name | Project Leader | Did the Project Summit help your Project? | Did you Accomplish it? | Deliverable
    • OWASP Security Shepherd | Mark Denihan, Pol Mac Cana | | | Updated the GitHub Wiki pages to a state where new users can easily add translation support to Shepherd components, add new language translations without difficulty and create new Security Shepherd levels with the new specifications made in V3. Also created new Security Shepherd level templates. Eliminated issues that were blocking the progress of the Security Shepherd Docker File.
  • OWASP Summer Code Sprint 2015 – Results & Final Evaluations (Fabio Cerullo, Initiative Leader)
    • Over the last two weeks, Summer Code Sprint 2015 mentors and students have wrapped up activities.
    • Originally received 39 proposals and were able to select 8 students for the Summer Code Sprint 2015. Selection was difficult due to competitive proposals.
    • Results: all 8 students passed the final evaluations.
    • Feedback & Experience:
      – Amazing performance!
      – The OWASP Seraphimdroid Project is now able to apply for a Project Review graduation due to the work done with the student.
      – Project quality and robustness increased like never before over the past 2 months!
      – Excellent work, and worked beyond the original plan!
      – Gained a contributor for the Hackademic Project.
      – High level of dedication with excellent results.
      – Students were happy to work with such great mentors and excited about the projects.
  • Summer Code Sprint 2015 Participation (Fabio Cerullo, Initiative Leader)
    • Columns: Project Name | Mentors | Students
    • OWASP OWTF | Abraham Aranguren, Tao Sauvage, Bharadwaj Machiraju | Arun Sori, Alexandra Sandulescu, Viyat Bhlalodia
    • OWASP Seraphimdroid | John Melton | Kartik Kholic
    • OWASP AppSensor | Nikola Milosevic | Sumanth Damaria
    • OWASP Hackademic | Spyros Gasteratos, Paul Chaignon | Anirudh Anand, Minhaz AV, Tapasweni Pathak
  • Project Updates
    • OWASP Project Task Force: https://www.owasp.org/index.php/Category:OWASP_Project#tab=Welcome
    • Project Summit USA: https://2015.appsecusa.org/agenda/project-summit/
    • How to Start a New Project: https://www.owasp.org/index.php/Category:OWASP_Project#tab=Starting_a_New_Project
    • OWASP Project Dashboard: https://docs.google.com/spreadsheets/d/15NzgmnxKNtexRDs70rBUi1NHhjQiviBdYUa_kDvd3i4/edit?usp=sharing
    • OWASP 2014 Project Handbook: https://www.owasp.org/index.php/OWASP_2014_Project_Handbook
      – Project Funding Request Form: https://www.tfaforms.com/308703
      – Project Spending Policy: https://www.owasp.org/index.php/Project_Spending_Policy
  • Community Q&A
    • https://www.owasp.org
    • https://2015.appsecusa.org
    • Twitter: @owasp, @appsecusa
    • Open OWASP Board Meeting: Friday, Sep-25, 18:00 – 20:00 PDT, Room A – Pacific Level.
  • Learn, meet, share and … have a great time!
    • https://2015.appsecusa.org
    • Twitter: @appsecusa