Copyright 2008 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP Denver Chapter Meeting, February 2008
David Campbell, OWASP Denver Chapter, +1 (415)
Denver, Colorado, USA

Denver Chapter Business
- Leadership change
  - Much thanks to David Byrne and Andy Lewis for their leadership over the past two years
  - Transitioning to David Campbell and Eric Duprey
- Goals for 2008
  - Meetings at least bi-monthly
  - Planning the Front Range OWASP Conference (10 June 2008) along with the Boulder OWASP chapter

OWASP Mission
- Open source, non-profit charitable foundation dedicated to enabling organizations to develop, maintain, and acquire software they can trust
- Making security visible through:
  - Documentation: Top Ten, Development Guide, Design Guide, Testing Guide, ...
  - Tools: WebGoat, WebScarab, Site Generator, Report Generator, ESAPI, CSRF Guard, CSRF Tester, Stinger, Pantera, ...
  - Working groups: Browser Security, Industry Sectors, Access Control (XACML), Education, Mobile Phone Security, Preventive Security, OWASP SDL, OWASP Governance, RIA
  - Security community and awareness: local chapters, conferences, tutorials, mailing lists

Some OWASP Growth Stats
- One year ago (Oct 2006), we had:
  - about 75 local chapters
  - about 15 corporate sponsors
  - about 180K page views / month at OWASP.org
  - and finally a little bit of money: about $88K
- Now (Nov 2007), we have:
  - over 100 local chapters
  - over 30 corporate sponsors
  - about 360K page views / month at OWASP.org
  - prior to this conference, about $298K, of which $80K is pledged to the completion of the 2007 Spring of Code projects

OWASP Chapters

How Does OWASP Make Money?
- Corporate sponsorships
- Individual memberships

OWASP Corporate Members

Where Does the Money Go?
- Conferences: much more affordable than SANS / Black Hat / CanSec
- Books: created from the wiki materials (e.g. Top 10, Testing Guide); distributed to corporate sponsors and individual members
- Projects (Spring of Code, Winter of Code)
- Subsidies to fly in top-notch speakers for chapter meetings!

OWASP Spring of Code 2007 (SpoC)
- 26 projects, $125,000 USD
- 15 projects made strong to amazing deliveries:
  - OWASP Education Project (PPTs for community use)
  - Code Review Guide
  - OWASP Top 10 - Ruby on Rails version
  - Attacks refresh (wiki data consolidation)
  - OWASP Evaluation and Certification Criteria
  - OWASP Scholastic Project (using OWASP in academia)
  - SpoC project management (we now know how to do it :) )
- 5 projects are in the final stages
- 6 projects were canceled
- Final amount sponsored: $103,500 USD

OWASP Working Groups
- Browser Security: Robert "RSnake" Hansen, Petko "pdp" Petkov
- Industry Sectors: Tom Brennan
- Access Control (XACML): Gunnar Peterson
- Education: Sebastien Deleersnyder
- Mobile Phone Security: Corey Benninger
- Preventive Security: Dinis Cruz
- OWASP SDL: Pravir Chandra
- OWASP Governance: Tom Brennan
- Some ideas for other OWASP working groups: RIA frameworks, open source solutions, commercial vendor solutions, evaluation & certification, privacy

Some OWASP Conference Stats
- 1st OWASP AppSec Conference (2004, New York): ~100 people on a weekend
- 2nd OWASP AppSec Conference (2005, London): ~100 on a weekend
- 3rd OWASP AppSec Conference (2005, D.C.): about 175 attendees plus 40 people in the first tutorial
- 4th OWASP AppSec Conference (2006, Brussels): about 125, with 40 people in two tutorials, plus a refereed papers track
- 5th OWASP AppSec Conference (2006, Seattle): about 180 attendees, with 115 in three tutorials!
- 6th OWASP AppSec Conference (2007, Milan): about 140 attendees, 40 people in 3 tutorials, plus a refereed papers track
- OWASP Taiwan Conference (2007, Taiwan): about 600 attendees for a half-day free conference!!
- 2007 OWASP & WASC AppSec Conference (2007, San Jose): about 260 attendees, with 80 people in six 2-day tutorials; first Tech Expo sold out, with 10 vendors participating

Conference Plans for 2008
- 2008 OWASP Australia AppSec Conference: Gold Coast, March; 1-day tutorials, 2-day conference
- 2008 OWASP AppSec Europe Conference: Brussels, May 19-22, 2008; refereed papers track, vendor expo, two-day tutorials, two-day conference
- 2008 Front Range OWASP Conference: one day, multi-track (tech & mgmt); CFP imminent! Some top-notch speakers already committed
- 2008 OWASP AppSec Taiwan Conference: ??
- 2008 OWASP AppSec U.S. Conference: New York City, October; refereed papers track, vendor expo, lots of tutorials; capture-the-flag event?

What Does All This Mean?
- OWASP is gaining industry traction
- PCI DSS requirement 6.5 (mirrored in the Self-Assessment Questionnaire, SAQ) requires that web applications be developed based on secure coding guidelines, naming the OWASP guidelines as the example and listing the OWASP Top 10 vulnerability classes that development processes must prevent

What Can You Do?
- Just getting started with application security?
  - Managers: familiarize yourself with the OWASP Top 10 most common vulnerabilities in web applications
  - Developers: get your hands on the OWASP Guide to Building Secure Web Applications
  - Penetration testers: start working through the OWASP Testing Guide, and also tools like WebScarab

What Can You Do?
- Already past that stage? Get involved! We need the following:
  - Presenters for future meetings
  - OWASP project leaders and participants
  - Season of Code participants (paid projects!)
  - Wiki contributions

Questions / Comments