OWASP Developer Guide Reboot
Andrew van der Stock
@vanderaj | vanderaj@owasp.org
ABOUT ME
• Associate director, KPMG, Security Technical Assessments and Architecture
• Project Lead, OWASP Developer Guide
• Co-Lead, OWASP Proactive Controls
• Lead author, OWASP Application Security Verification Standard
• Lead author, OWASP Top 10 2007
• Project Lead, OWASP ESAPI for PHP
• ISC CSSLP
• Helped set the SANS GIAC GSSP (Java) exam (2007)
“Think Evil.”
AUDITING SOFTWARE FOR FUN AND PROFIT
linux.conf.au 2002
How did that work out for you?
Mea culpa
[Chart: vulnerabilities reported per year, 2000 to 2012; y-axis 0 to 7,000; source: http://nvd.nist.gov]
Your threat model did not include me!
ENABLE SECURE BUSINESS
Think outside the box - don’t be a speed bump
VALUE
• What is “valuable” to your organization is almost never valuable to someone else
• There is no “<client>” profile in any automated tool
• Embed the notion of “value” into the Developer Guide
OWASP DEVELOPER GUIDE 2013
• A comprehensive dictionary of all the things
• Designed to be a tertiary-level textbook for application architects and developers
• SMART - Specific, measurable (testable), attainable, relevant, time effective
• Need help!
OWASP APPLICATION SECURITY VERIFICATION STANDARD 2.0
• A comprehensive standard with three levels of verification
• Designed to be a standard(!)
• SMART - Specific, measurable (testable), attainable, relevant, time effective
• GA - November 2013
OWASP PROACTIVE CONTROLS 2013
• The things every development team should be doing to be secure
• Designed to be a standard(!)
• SMART - Specific, measurable (testable), attainable, relevant, time effective
• GA - November 2013
WHAT HASN’T WORKED
• Converting to XML. Failed once so far (1.1.1)
• Minor updates. Failed once so far (2.1)
• Starting from scratch. Failed three times so far (3.0, 2010, 2012)
• No project manager, roadmap or deadlines.
• Community. Help!
• Succession.
WHO
• We need a project manager
• We need lots of help writing material
• We need lots of help with UML diagrams
• We need lots of help with code snippets
• Eventually, we will need technical and normal reviewers
• Eventually, we would like translators
WRITING PROCESS
WHAT NEEDS TO BE WRITTEN
• Everything
• Large table of contents
• Don’t freak out - contributions great and small gratefully accepted!
• Need to decide on refactor or re-write
EDITING
RESEARCH
• Need better research methods
• Need better quality results
• Need to support our views by performing basic research
EVIDENCE BASED RESULTS
• Controls must be
  • In use
  • In place
  • Effective
foreach ($thing in $all_the_things) { $thing()->test(); }
SNIPPETS
TRANSLATION
HOW YOU CAN HELP
• Be part of the community
• Join the Dev Guide mail list: https://lists.owasp.org/mailman/listinfo/owasp-guide
• Tell us what you want to work on
• Write! Contribute! Review! Translate!
DECISIONS, DECISIONS
• How best to build community?
• How best to fund the project?
• Refactor or re-write?
• Private Wiki or dog food?
THANK YOU
• Questions?
• @vanderaj
• vanderaj@owasp.org
• 0451 057 580
