OWASP Developer Guide Reboot

My slides from #AppSecUSA 2013. If you want to help, please join the Developer Guide mail list (https://lists.owasp.org/mailman/listinfo/owasp-guide) and say hi. We have a GitHub repo which you can find from our project page.



  1. OWASP Developer Guide Reboot
     +Andrew van der Stock
     @vanderaj | vanderaj@owasp.org
  2. ABOUT ME
     • Associate director, KPMG Security Technical Assessments and Architecture
     • Project Lead, OWASP Developer Guide
     • Co-Lead, OWASP Proactive Controls
     • Lead author, OWASP Application Security Verification Standard
     • Lead author, OWASP Top 10 2007
     • Project Lead, OWASP ESAPI for PHP
     • (ISC)² CSSLP
     • Helped set the SANS GIAC GSSP (Java) exam (2007)
  3. “Think Evil.”
  4. AUDITING SOFTWARE FOR FUN AND PROFIT (linux.conf.au 2002)
  5. How did that work out for you?
  6. Mea culpa
  7. [Chart: vulnerabilities per year from http://nvd.nist.gov, 2000 to 2012; y axis 0 to 7,000]
  8. Your threat model did not include me!
  9. ENABLE SECURE BUSINESS
     • Think outside the box: don’t be a speed bump
  10. VALUE
     • What is “valuable” to your organization is almost never valuable to someone else
     • There is no “<client>” profile in any automated tool
     • Embed the notion of “value” into the Developer Guide
  11. OWASP DEVELOPER GUIDE 2013
     • A comprehensive dictionary of all the things
     • Designed to be a tertiary-level text book for application architects and developers
     • SMART: Specific, Measurable (testable), Attainable, Relevant, Time effective
     • Need help!
  12. OWASP APPLICATION SECURITY VERIFICATION STANDARD 2.0
     • A comprehensive standard with three levels of verification
     • Designed to be a standard(!)
     • SMART: Specific, Measurable (testable), Attainable, Relevant, Time effective
     • GA: November 2013
  13. OWASP PROACTIVE CONTROLS 2013
     • The things every development team should be doing to be secure
     • Designed to be a standard(!)
     • SMART: Specific, Measurable (testable), Attainable, Relevant, Time effective
     • GA: November 2013
  14. WHAT HASN’T WORKED
     • Converting to XML: failed once so far (1.1.1)
     • Minor updates: failed once so far (2.1)
     • Starting from scratch: failed three times so far (3.0, 2010, 2012)
     • No project manager, roadmap or deadlines
     • Community. Help!
     • Succession
  15. WHO
     • We need a project manager
     • We need lots of help writing material
     • We need lots of help with UML diagrams
     • We need lots of help with code snippets
     • Eventually, we will need technical and normal reviewers
     • Eventually, we would like translators
  16. WRITING PROCESS
  17. WHAT NEEDS TO BE WRITTEN
     • Everything!
     • Large table of contents
     • Don’t freak out: contributions great and small gratefully accepted!
     • Need to decide on refactor or re-write
  18. EDITING
  19. RESEARCH
  20. RESEARCH
     • Need better research methods
     • Need better quality results
     • Need to support our views by performing basic research
  21. EVIDENCE BASED RESULTS
     • Controls must be:
       • In use
       • In place
       • Effective
     • In other words (PHP): foreach ($all_the_things as $thing) { $thing->test(); }
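The three kinds of evidence on slide 21 are separate questions, and a control can pass the first two and still fail the third. The script below is an added illustration of that point; it is not code from the OWASP Developer Guide. The two encoders, the XSS probes and the toy "code base" (a grep of output statements) are all constructed for the example, and the "effective" test is deliberately blunt: an HTML encoder is only counted as effective if no `<`, `>`, `"` or `'` survives in its output.

```python
"""Evidence-based verification of a security control: in place, in use, effective.

Added illustration for the 'evidence based results' slide; not code from the
OWASP Developer Guide. Encoders, probes and the toy code base are constructed.
"""
import html
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed XSS probes covering the element context and both attribute
# quoting contexts. An effective HTML encoder must neutralise all of them.
XSS_PROBES = [
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
    "' onfocus='alert(1)",
]


def weak_encode(s: str) -> str:
    """Hypothetical control that only handles the element context (misses quotes)."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def strong_encode(s: str) -> str:
    """Control that also escapes both quote characters, so attribute contexts are covered."""
    return html.escape(s, quote=True)


# Constructed code base: file name -> output statements a grep for 'echo' turned up.
CODE_BASE = {
    "profile.php": ["echo strong_encode($user['name']);"],
    "comments.php": ["echo weak_encode($comment['body']);"],
    "search.php": ["echo $_GET['q'];"],  # raw output, no control at all
}


@dataclass
class Control:
    name: str
    impl: Optional[Callable[[str], str]]  # None models a control that was never written


def in_place(control: Control) -> bool:
    """Evidence 1: the control exists at all."""
    return control.impl is not None


def in_use(control: Control, code_base: dict) -> list:
    """Evidence 2: files whose output statements actually call the control."""
    pattern = re.compile(r"\b" + re.escape(control.name) + r"\(")
    return sorted(
        f for f, stmts in code_base.items() if any(pattern.search(s) for s in stmts)
    )


def effective(control: Control) -> bool:
    """Evidence 3: push every probe through the control; no HTML metacharacter may survive."""
    if control.impl is None:
        return False
    return all(
        not any(c in control.impl(probe) for c in "<>\"'") for probe in XSS_PROBES
    )


def assess(control: Control, code_base: dict) -> dict:
    """All three pieces of evidence for one control, side by side."""
    return {
        "in_place": in_place(control),
        "in_use": in_use(control, code_base),
        "effective": effective(control),
    }


def uncovered_outputs(code_base: dict, controls: list) -> list:
    """Output statements that call none of the known controls: the $thing nobody tested."""
    names = [c.name + "(" for c in controls]
    return sorted(
        f
        for f, stmts in code_base.items()
        if any(not any(n in s for n in names) for s in stmts)
    )


if __name__ == "__main__":
    controls = [Control("weak_encode", weak_encode), Control("strong_encode", strong_encode)]
    for c in controls:  # the foreach over all the things
        print(c.name, assess(c, CODE_BASE))
    print("uncovered:", uncovered_outputs(CODE_BASE, controls))
```

Run stand-alone, the weak encoder reports as in place and in use in comments.php but not effective (the quoted-attribute probes pass through untouched), the strong encoder passes all three, and search.php shows up as output that no control covers at all. That is the shape of result the slide is asking for: a claim about each control backed by a test, not by the fact that a function with the right name exists.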
  22. SNIPPETS
  23. TRANSLATION
  24. HOW YOU CAN HELP
     • Be part of the community
     • Join the Dev Guide mail list: https://lists.owasp.org/mailman/listinfo/owasp-guide
     • Tell us what you want to work on
     • Write! Contribute! Review! Translate!
  25. DECISIONS, DECISIONS
     • How best to build community?
  26. DECISIONS, DECISIONS
     • How best to fund the project?
  27. DECISIONS, DECISIONS
     • Refactor or re-write?
  28. DECISIONS, DECISIONS
     • Private Wiki or dog food?
  29. THANK YOU
     • Questions?
     • @vanderaj
     • vanderaj@owasp.org
     • 0451 057 580
