OWASP Developer Guide Reboot
My slides from #AppSecUSA 2013. If you want to help, please join the Developer Guide mail list (https://lists.owasp.org/mailman/listinfo/owasp-guide) and say hi. We have a Git Hub Repo which you can find from our project page.

OWASP Developer Guide Reboot Presentation Transcript

  • 1. OWASP DEVELOPER GUIDE REBOOT. Andrew van der Stock | @vanderaj | vanderaj@owasp.org
  • 2. ABOUT ME • Associate Director, KPMG Security Technical Assessments and Architecture • Project Lead, OWASP Developer Guide • Co-Lead, OWASP Proactive Controls • Lead author, OWASP Application Security Verification Standard • Lead author, OWASP Top 10 2007 • Project Lead, OWASP ESAPI for PHP • (ISC)² CSSLP • Helped set the SANS GIAC GSSP (Java) exam (2007)
  • 3. “Think Evil.”
  • 4. AUDITING SOFTWARE FOR FUN AND PROFIT linux.conf.au 2002
  • 5. How did that work out for you?
  • 6. Mea culpa
  • 7. [Chart: year-by-year counts from http://nvd.nist.gov, 2000 to 2012, y-axis 0 to 7,000]
  • 8. Your threat model did not include me!
  • 9. ENABLE SECURE BUSINESS Think outside the box - don’t be a speed bump
  • 10. VALUE • What is “valuable” to your organization is almost never what is valuable to someone else • There is no “<client>” profile in any automated tool • Embed the notion of “value” into the Developer Guide
  • 11. OWASP DEVELOPER GUIDE 2013 • A comprehensive dictionary of all the things • Designed to be a tertiary level text book for application architects and developers • SMART - Specific, measurable (testable), attainable, relevant, time effective • Need help!
  • 12. OWASP APPLICATION SECURITY VERIFICATION STANDARD 2.0 • A comprehensive standard with three levels of verification • Designed to be a standard(!) • SMART - Specific, measurable (testable), attainable, relevant, time effective • GA - November 2013
  • 13. OWASP PROACTIVE CONTROLS 2013 • The things every development team should be doing to be secure • Designed to be a standard(!) • SMART - Specific, measurable (testable), attainable, relevant, time effective • GA - November 2013
  • 14. WHAT HASN’T WORKED • Converting to XML. Failed x1 time so far (1.1.1) • Minor updates. Failed x1 time so far (2.1) • Starting from scratch. Failed x3 times so far (3.0, 2010, 2012) • No project manager, roadmap or deadlines • Community. Help! • Succession
  • 15. WHO • We need a project manager • We need lots of help writing material • We need lots of help with UML diagrams • We need lots of help with code snippets • Eventually, we will need technical and normal reviewers • Eventually, we would like translators
  • 16. WRITING PROCESS
  • 17. WHAT NEEDS TO BE WRITTEN • Everything ! • Large table of contents • Don’t freak out - contributions great and small gratefully accepted! • Need to decide on refactor or re-write
  • 18. EDITING
  • 19. RESEARCH
  • 20. RESEARCH • Need better research methods • Need better quality results • Need to support our views by performing basic research
  • 21. EVIDENCE BASED RESULTS • Controls must be: in use, in place, effective • foreach ($all_the_things as $thing) { $thing->test(); }
  • 22. SNIPPETS
  • 23. TRANSLATION
  • 24. HOW YOU CAN HELP • Be part of the community • Join the Dev Guide mail list: https://lists.owasp.org/mailman/listinfo/owasp-guide • Tell us what you want to work on • Write! Contribute! Review! Translate!
  • 25. DECISIONS, DECISIONS • How best to build community?
  • 26. DECISIONS, DECISIONS • How best to fund the project?
  • 27. DECISIONS, DECISIONS • Refactor or re-write?
  • 28. DECISIONS, DECISIONS • Private Wiki or dog food?
  • 29. THANK YOU • Questions? • @vanderaj • vanderaj@owasp.org • 0451 057 580