Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.


Slide 1
Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
OWASP AppSec DC, October 2005, http://www.owasp.org
OWASP Membership Plan
Jeff Williams, Chair – The OWASP Foundation; CEO – Aspect Security
jeff.williams@owasp.org

Slide 2: Thank You

Slide 3: Mission
OWASP is dedicated to finding and fighting the causes of insecure software.
What causes?
- Immediate causes: the vulnerabilities themselves
- Developers and operators
- Organizational structure, development process, supporting technology
- Increasing connectivity and complexity
- Legal and regulatory environment
- Asymmetric information in the software market

Slide 4: Application Security Is Just Getting Started
- You can't improve what you can't measure
- We need to:
  - Experiment
  - Share what works
  - Combine our efforts
- Expect 10 years

Slide 5: Approach == "Open"
- Open means everything is $free
- Open means rough consensus and running code
- Open means free to use and modify
- Open means independent
- Open means open information sharing
- Open means wider audience and participation

Slide 6: Our Successes
- OWASP Tools and Documentation
  - ~15,000 downloads (per month)
  - ~30,000 unique visitors (per month)
  - ~2 million website hits (per month)
- OWASP Chapters are blossoming worldwide
  - 1674 members in 56 chapters (~4 new chapters per month)
- OWASP AppSec Conferences
  - New York, London, Washington D.C., more...
- Distributed content portal
  - 90 authors for tools, projects, and chapters

Slide 7: Some of What You'll Find at OWASP (all free and open source)
- Community: Local Chapters, Translations, Conferences, Mailing Lists, Papers, and more...
- Documentation: Guide, Top Ten, Testing, Legal, AppSec FAQ, and more...
- Tools: WebGoat, WebScarab, Stinger, DotNet, and more...

Slide 8: Our Failures
- OWASP currently isn't good at:
  - Managing projects
  - Establishing a great community infrastructure
  - Recruiting contributors
  - Setting a clear roadmap
- Direct result of part-time leadership
- We are correcting this with a three-part plan

Slide 9: Part 1 – Establish The OWASP Foundation
[Diagram: The OWASP Foundation, with Members and Contributors feeding into Project Mgmt, Technical Infrastructure, Tech. Editors, and Foundation Mgmt]

Slide 10: Part 2 – Create the Membership Plan
- Newly unveiled plan
- Dual license approach
- Membership fees
- Open! Not like SANS, CSI, OASIS, or anything else
- Membership drive soon
- A small number of companies have already joined, even before any membership drive, including VISA

Slide 11: Dual License Approach
- Open Source License: anyone can use OWASP Materials according to the terms of the open source license associated with each OWASP project.
- OR -
- Commercial License: members get a Commercial License that allows all employees to use the OWASP Materials without having to consider the open source license.

Slide 12: Plan Details (Membership Category / Description / Annual Membership Fee)
- Individual Members: individuals who support OWASP's mission and would like to provide financial support to our efforts. Fee: $100 USD
- Educational Members: approved educational institutions that would like to use OWASP materials in their courses, research, or other educational purposes. Fee: $250 USD
- End-User Organization Members: end-user organizations that use OWASP Materials within their organization. Organizations with 100 or more employees are considered large. Fee: Small (<100) $2,000 USD; Large (100+) $7,000 USD
- Consulting Organization Members: organizations with employees that provide information security consulting, training, or auditing services and use OWASP Materials in their services or marketing. Organizations with 10 or more consultants are considered large. Fee: Small (<10) $3,000 USD; Large (10+) $8,000 USD
- Vendor Organization Members: software vendors that market security products or other software and use OWASP Materials in their products or marketing. Fee: $9,000 USD

Slide 13: How to Become a Member
[Screenshots: Step 1, Step 2]
http://www.owasp.org/about/membership.html

Slide 14: Part 3 – Find a Full-Time Director
- OWASP is looking for a candidate for director
- Responsibilities will include:
  - Developing a relationship with OWASP users
  - Fund-raising and publicity
  - Coordinating projects and chapters
  - Overseeing and coordinating infrastructure
- Working with:
  - Security experts
  - Industry representatives
  - Press and media

Slide 15: Imagine...
- The OWASP Application Security Academy
  - Developers, AppSec Specialists, Management
- OWASP Certified Application Security Professional
- OWASP Independent Testing Labs
  - Applications, Products, Libraries, Evaluation Methodology
- OWASP Open Static Analysis Project
- OWASP Application Security Workbench
  - Tools, Findings, STRIDE/DREAD, Report Generation
- OWASP Standards
- OWASP Metrics
- OWASP Legal
  - Legislation, RFP Language, Defense Fund

Slide 16: "Software Facts" (mock nutrition-style label)
Ingredients: Sun Java 1.5 runtime, Sun J2EE 1.2.2, Jakarta log4j 1.5, Jakarta Commons 2.1, Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOMv1
Software Facts
- Modules: 155
- Modules from Libraries: 120
- Expected Number of Users: 15
- Typical Roles per Instance: 4
- Usage: Intranet / Internet
% Vulnerability*
- Cross Site Scripting: 22 (65%)
  - Reflected: 12
  - Stored: 10
- SQL Injection: 2
- Buffer Overflow: 5
- Total Security Mechanisms: 3
- Encryption: 3
- Authentication: 15 (95%)
- Access Control: 3
- Input Validation: 233
- Logging: 33
- Modularity: .035
- Cyclomatic Complexity: 323
Reference values on the label (as printed): Cross Site Scripting Less Than 10 / 5; Reflected Less Than 10 / 5; Stored Less Than 10 / 5; SQL Injection Less Than 20 / 2; Buffer Overflow Less Than 20 / 2; Security Mechanisms 10 / 14; Encryption 3 / 15
* % Vulnerability values are based on typical use scenarios for this product. Your Vulnerability Values may be higher or lower depending on your software security needs.

Slide 17: Questions & Answers
www.owasp.org

