OWASP Developer Guide Reboot
My slides from #AppSecUSA 2013. If you want to help, please join the Developer Guide mail list (https://lists.owasp.org/mailman/listinfo/owasp-guide) and say hi. We have a GitHub repo which you can find from our project page.

Presentation Transcript

  • OWASP Developer Guide Reboot
    +Andrew van der Stock
    @vanderaj | vanderaj@owasp.org
  • ABOUT ME
    • Associate director, KPMG Security Technical Assessments and Architecture
    • Project Lead, OWASP Developer Guide
    • Co-Lead, OWASP Proactive Controls
    • Lead author, OWASP Application Security Verification Standard
    • Lead author, OWASP Top 10 2007
    • Project Lead, OWASP ESAPI for PHP
    • (ISC)² CSSLP
    • Helped set the SANS GIAC GSSP (Java) exam (2007)
  • “Think Evil.”
  • AUDITING SOFTWARE FOR FUN AND PROFIT
    linux.conf.au 2002
  • How did that work out for you?
  • Mea culpa
  • [Chart: vulnerabilities per year, 2000 to 2012, y-axis 0 to 7,000; source: http://nvd.nist.gov]
  • Your threat model did not include me!
  • ENABLE SECURE BUSINESS
    Think outside the box - don’t be a speed bump
  • VALUE
    • What is “valuable” to your organization is almost not valuable to someone else
    • There is no “<client>” profile in any automated tool
    • Embed the notion of “value” into the Developer Guide
  • OWASP DEVELOPER GUIDE 2013
    • A comprehensive dictionary of all the things
    • Designed to be a tertiary level text book for application architects and developers
    • SMART - Specific, measurable (testable), attainable, relevant, time effective
    • Need help!
  • OWASP APPLICATION SECURITY VERIFICATION STANDARD 2.0
    • A comprehensive standard with three levels of verification
    • Designed to be a standard(!)
    • SMART - Specific, measurable (testable), attainable, relevant, time effective
    • GA - November 2013
  • OWASP PROACTIVE CONTROLS 2013
    • The things every development team should be doing to be secure
    • Designed to be a standard(!)
    • SMART - Specific, measurable (testable), attainable, relevant, time effective
    • GA - November 2013
  • WHAT HASN’T WORKED
    • Converting to XML. Failed x1 time so far (1.1.1)
    • Minor updates. Failed x1 time so far (2.1)
    • Starting from scratch. Failed x3 times so far (3.0, 2010, 2012)
    • No project manager, roadmap or deadlines.
    • Community. Help!
    • Succession.
  • WHO
    • We need a project manager
    • We need lots of help writing material
    • We need lots of help with UML diagrams
    • We need lots of help with code snippets
    • Eventually, we will need technical and normal reviewers
    • Eventually, we would like translators
  • WRITING PROCESS
  • WHAT NEEDS TO BE WRITTEN
    • Everything!
    • Large table of contents
    • Don’t freak out - contributions great and small gratefully accepted!
    • Need to decide on refactor or re-write
  • EDITING
  • RESEARCH
  • RESEARCH
    • Need better research methods
    • Need better quality results
    • Need to support our views by performing basic research
  • EVIDENCE BASED RESULTS
    • Controls must be
      • In use
      • In place
      • Effective
    foreach ($thing in $all_the_things) { $thing()->test(); }
  • SNIPPETS
  • TRANSLATION
  • HOW YOU CAN HELP
    • Be part of the community
    • Join the Dev Guide mail list: https://lists.owasp.org/mailman/listinfo/owasp-guide
    • Tell us what you want to work on
    • Write! Contribute! Review! Translate!
  • DECISIONS, DECISIONS
    • How best to build community?
  • DECISIONS, DECISIONS
    • How best to fund the project?
  • DECISIONS, DECISIONS
    • Refactor or re-write?
  • DECISIONS, DECISIONS
    • Private Wiki or dog food?
  • THANK YOU
    • Questions?
    • @vanderaj
    • vanderaj@owasp.org
    • 0451 057 580