Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP AppSec India Aug About OWASP The story so far and beyond. Part 1 Jason Li & Dinis Cruz (remotely) August 16, 2008
OWASP Agenda OWASP’s World OWASP’s Seasons of Code Governance Membership Next Conferences Participate
OWASP’s World
OWASP
OWASP 6 OWASP – Open Web Application Security Project Open source non-profit charitable foundation dedicated to enabling organizations so they can develop, maintain, and acquire software they can trust Making Security Visible, through… Documentation Top Ten, Dev. Guide, Design Guide, Testing Guide, … Tools WebGoat, WebScarab, Site Generator, Report Generator, ESAPI, CSRF Guard, CSRF Tester, Stinger, Pantera, … Working Groups Browser Security, Industry Sectors, Access Control (XACML), Education, Mobile Phone Security, Preventive Security, OWASP SDL, OWASP Governance, RIA Security Community and Awareness Local Chapters, Conferences, Tutorials, Mailing Lists
OWASP What Is Unique about OWASP? Everything we do is free and open… OWASP Principles All OWASP products are free and open Application security knowledge should be freely available OWASP encourages awareness, discussion, and best practices Making security visible is key to changing the software market OWASP does not recommend any commercial products or services OWASP will not discuss/disclose 0-day exploits
OWASP OWASP Main Site Traffic 8 Worldwide UsersMost New Visitors /wk
OWASP OWASP Worldwide Community 9
OWASP OWASP Conferences 10
OWASP OWASP Books (
OWASP OWASP KnowledgeBase 3,913 total articles 427 presentations 200 updates per day 179 mailing lists 180 blogs monitored 31 doc projects 19 deface attempts 12 grants
OWASP OWASP Body of Knowledge Core Application Security Knowledge Base Acquiring and Building Secure Applications Verifying Application Security Managing Application Security Application Security Tools AppSec Education and CBT Research to Secure New Technologies Principles Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures Principles Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures OWASP Foundation 501c3 OWASP Community Platform (wiki, forums, mailing lists) Projects Chapters AppSec Conferences Guide to Building Secure Web Applications and Web Services Guide to Application Security Testing and Guide to Application Security Code Review Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues Web Based Learning Environment and Guide for Learning Application Security Guidance and Tools for Measuring and Managing Application Security Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
OWASP OWASP Tools and Technology 14
OWASP’s Seasons Of Code
OWASP OWASP’s grant / sponsorship model 100% of OWASP membership fees are used to sponsor innovative research projects. So far 3 “season of code” sponsored by OWASP. OWASP Autumn Of Code 2006 $20,000 budget OWASP Autumn Of Code 2006 OWASP Spring Of Code 2007 $117,500 budget OWASP Spring Of Code 2007 OWASP Summer of Code 2008 $126,000 budget OWASP Summer of Code 2008
OWASP SpoC OWASP Spring of Code 2007 26 projects $125,000 USD 15 projects made strong to amazing deliveries OWASP Education Project (PPTs for community use) Code Review Guide OWASP Top 10 - Ruby on Rails version Attacks refresh (Wiki data consolidation) OWASP Evaluation and Certification criteria OWASP Scholastic Project (using OWASP at academia) SpoC project management (we now know how to do it :) ) 5 projects are in the final stages 6 projects were canceled Final amount sponsored: $103,500 USD 17
OWASP OWASP Summer of Code 2008 31 grants to promising application security researchers as part of the OWASP Summer of Code 2008.OWASP Summer of Code
OWASP Selected SoC projects (cont)
OWASP OWASP SoC 2008 – AppSec Innovation AppSensor Teachable Static Analysis Workbench XML/WS Testing Tool AntiSamy.NET Positive Security Project JSP TagLib Tester Online Code Signing Service Access Control Rules Tester 20