“Security is a process, not a product” -- Bruce Schneier
What if the software world was only… 100 apps written by 100 developers at 100 companies?
Why?
“Don’t hate the playa, hate the game” -- Ice T
We Trust
We Blame
We Hide
Toxic?
AppSec Visibility Cycle (diagram)
Stakeholders: Audit, Developers, Infosec, Legal, Architects, Users, Research, Business
Activities: Monitor Threat, Create Security Architecture, Define Security Requirements, Implement Controls, Share Findings, Understand Laws, Verify Compliance, Understand Stakeholders
Our Mission: Visibility
Growing Ecosystems
OWASP Foundation (OWASP Board)
Projects, Membership, Education, Conferences, Industry, Chapters, Connections
OWASP Leaders (Chapters and Projects)
OWASP Meritocracy
OWASP Members
OWASP Users and Participants
OWASP conferences (map):
DC: Sep 2009, Nov 2010
Brussels: May 2008
Poland: May 2009
Taiwan: Oct
Portugal: Nov 2008
Israel: Sep
India: Aug 2008, Nov 2009
Australia: Feb
Minnesota: Oct
Denver: Spring
Sweden: June 2010
Ireland: Sept, June 2011
Greece: June 2012
New York: Nov 2008, Oct 2012
China: Oct 2010
New Zealand: July
Brazil: Oct
Germany: Oct 08-10
Today
- Getting Started with OWASP T10 and Guides
- Building a Software Assurance Program
- Using the OWASP Live CD
===== LUNCH =====
- OWASP Enterprise Security API (ESAPI)
- OWASP O2
- The DISA AppSec STIG and OWASP Tools
- Discussion