OWASP Charlotte What, Why, Where and How January 19 2011 The OWASP Foundation http://www.owasp.org Customize with the information of the presenter and event. Any updates to this presentation, for example to address specific known questions for a group, could be posted to the web site – where this will be posted after peer review. <Presenter Information> <Name> <Organization> <OWASP role> <OWASP Committee> <Email> <Phone>
Agenda OWASP Worldwide OWASP Charlotte OWASP and You 2
OWASP Worldwide The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. (from the web) The OWASP Foundation came online on December 1st 2001 it was established as a not-for-profit charitable organization in the United States on April 21, 2004. International organization with chapters in countries around the world. Non-commercial in order to promote collaboration and openeness. Goals of approaching software security as a people and process issue, not just a technology one. Participation is covered by a Code of Ethics in order to insure a professional standard of behaviour. Will also provide an expectation to the security community and example to follow. As a 501c3 it is a tax exempt organization, accepting voluntary membership dues ($50/yr US) and donations. 3
OWASP Top 10 Projects Tools Presentations OWASP Worldwide 4 OWASP Top 10. Tied to visibility goal, the top 10 is an “awareness document”, which is explains the mix of vulnerabilities, attacks and recommendations in the list. Provides not only awareness but a foundation for organizations to use in prioritizing and decision making. Project: OWASP Chapters work together and individually on projects to be shared within the security community. Projects have a defined roadmap and set of tasks. Participation by anyone interested is welcome, not just developers. Programming skills are great – and greatly needed – however testing, documentation, translation, graphics and many other skill sets are needed too! Tools: OWASP hosts a significant collection of tools created from collaborative projects and individual contributors within the OWASP community. Some of the more well known include (provide overview, including goals/usage) WebGoat, WebScarab, AntiSamy and Reform. Presentations: Collected research and presentations on multiple topics from local chapters and professional presentations. In PowerPoint and PDF format, usable for company influence and public presentations to jump start your own efforts. 4
History Changes Restart OWASP Charlotte 5 Charlotte had an OWASP chapter in the 2000-2003 timeframe, however the I/T community in Charlotte had not yet focused on application security, as was reflected in the business climate and professional meetings. Eventually membership slowed and the chapter consolidated with the Raleigh chapter. All meetings then moved to Raleigh. The current OWASP Charlotte is a new formation, given the overall health of the security community within the Charlotte corporate entities as well as the educational organizations with UNCC leading the way. UNCC will be simultaneously starting a student chapter, affiliated with the professional chapter. Significant synergy and partnership is anticipated for the two groups. 5
Professional Contacts Technical Interactions Altruistic Contributions OWASP and You Professional Contacts Technical Interactions Altruistic Contributions CPEs! We are looking to build a membership base (state it right up front). You don’t have to be a programmer or in an application support role to join. We have network techs, managers and yes programmers in the current base membership. Anyone wanting to: Broaden their security experience Develop contacts with peers in similar roles and industries Participate in projects performing everything from coding, to testing, to documentation, to speaking, etc. Collect CPE’s! Those holding CISSPs can claim 1 hour for every hour spent at a chapter meeting Other certifications may allow credit as well, such as for CMUs. Add a differentiator to your resume. Participation in open source shows your professional dedication to security. 6
Summary & Conclusion
Attend quarterly meetings Participate Next Steps Join the mailing list Attend quarterly meetings Participate 8
http://www.owasp.org/index.php/Charlotte More Information 9 Visit this site to learn more about OWASP and OWASP Charlotte. If you can’t remember the URL, just go to OWASP.ORG and search on Charlotte. Feel free join the mailing list to keep up on events and post any questions you might have. [Thank everyone for their time. State availability for questions after the event.] 9