Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

Presentation transcript:

OWASP AppSec DC, October
OWASP Membership Plan
Jeff Williams
Chair – The OWASP Foundation
CEO – Aspect Security

Thank You

Mission

OWASP is dedicated to finding and fighting the causes of insecure software.

- What causes?
  - Immediate causes – vulnerabilities themselves
  - Developers and operators
  - Organizational structure, development process, supporting technology
  - Increasing connectivity and complexity
  - Legal and regulatory environment
  - Asymmetric information in the software market

Application Security Is Just Getting Started

- You can’t improve what you can’t measure
- We need to…
  - Experiment
  - Share what works
  - Combine our efforts
- Expect 10 years

Approach == “Open”

- Open means everything is $free
- Open means rough consensus and running code
- Open means free to use and modify
- Open means independent
- Open means open information sharing
- Open means wider audience and participation

Our Successes

- OWASP Tools and Documentation
  - ~15,000 downloads (per month)
  - ~30,000 unique visitors (per month)
  - ~2 million website hits (per month)
- OWASP Chapters are blossoming worldwide
  - 1674 members in 56 chapters (~4 new chapters per month)
- OWASP AppSec Conferences
  - New York, London, Washington D.C., more…
- Distributed content portal
  - 90 authors for tools, projects, and chapters

Some of What You’ll Find at OWASP (all free and open source)

- Community: Local Chapters, Translations, Conferences, Mailing Lists, Papers, and more…
- Documentation: Guide, Top Ten, Testing, Legal, AppSec FAQ, and more…
- Tools: WebGoat, WebScarab, Stinger, DotNet, and more…

Our Failures

- OWASP currently isn’t good at…
  - Managing projects
  - Establishing a great community infrastructure
  - Recruiting contributors
  - Setting a clear roadmap
- Direct result of part-time leadership
- We are correcting this with a three-part plan

Part 1 – Establish The OWASP Foundation

[Organization diagram; labels recovered from the slide: Members, Contributors, The OWASP Foundation, Foundation Mgmt, Project Mgmt, Technical Infrastructure, Tech. Editors]

Part 2 – Create the Membership Plan

- Newly Unveiled Plan
- Dual License Approach
- Membership Fees
- Open!
  - Not like SANS, CSI, OASIS, or anything else
- Membership Drive Soon
  - Small number of companies have already joined, even before any membership drive, including VISA

Dual License Approach

- Open Source License: Anyone can use OWASP Materials according to the terms of the open source license associated with each OWASP project.

- OR -

- Commercial License: Members get a Commercial License that allows all employees to use the OWASP Materials without having to consider the open source license.

Plan Details

Membership Category / Description / Annual Membership Fee

Individual Members
  Individuals who support OWASP's mission and would like to provide financial support to our efforts.
  Fee: $100 USD

Educational Members
  Approved educational institutions that would like to use OWASP materials in their courses, research, or other educational purposes.
  Fee: $250 USD

End-User Organization Members
  End-user organizations that use OWASP Materials within their organization. Organizations with 100 or more employees are considered large.
  Fee: Small (<100) - $2,000 USD; Large (100+) - $7,000 USD

Consulting Organization Members
  Organizations with employees that provide information security consulting, training, or auditing services and use OWASP Materials in their services or marketing. Organizations with 10 or more consultants are considered large.
  Fee: Small (<10) - $3,000 USD; Large (10+) - $8,000 USD

Vendor Organization Members
  Software vendors that market security products or other software and use OWASP Materials in their products or marketing.
  Fee: $9,000 USD

How to Become a Member

[Slide graphic: Step 1, Step 2]

Part 3 – Find a Full-Time Director

- OWASP is looking for a candidate for director
- Responsibilities will include:
  - Developing a relationship with OWASP users
  - Fund-raising and publicity
  - Coordinating projects and chapters
  - Overseeing and coordinating infrastructure
- Working with:
  - Security experts
  - Industry representatives
  - Press and media

Imagine…

- The OWASP Application Security Academy
  - Developers, AppSec Specialists, Management
- OWASP Certified Application Security Professional
- OWASP Independent Testing Labs
  - Applications, Products, Libraries, Evaluation Methodology
- OWASP Open Static Analysis Project
- OWASP Application Security Workbench
  - Tools, Findings, STRIDE/DREAD, Report Generation
- OWASP Standards
- OWASP Metrics
- OWASP Legal
  - Legislation, RFP Language, Defense Fund

Software Facts (mock "nutrition label" slide)

Ingredients: Sun Java 1.5 runtime, Sun J2EE 1.2.2, Jakarta log4j 1.5, Jakarta Commons 2.1, Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOM v1

Expected Number of Users      15
Typical Roles per Instance     4
Modules                      155
Modules from Libraries       120

                               % Vulnerability*
Cross Site Scripting
  Reflected                    12
  Stored                       10
SQL Injection                   2
Buffer Overflow                 5
Total Security Mechanisms       3
Encryption                      3
Authentication
Access Control                  3
Input Validation              233
Logging                        33
Modularity                   .035
Cyclomatic Complexity         323

* % Vulnerability values are based on typical use scenarios for this product. Your Vulnerability Values may be higher or lower depending on your software security needs:

Usage                      Intranet       Internet
Cross Site Scripting       Less Than 10   5
  Reflected                Less Than 10   5
  Stored                   Less Than 10   5
SQL Injection              Less Than 20   2
Buffer Overflow            Less Than 20   2
Security Mechanisms
  Encryption               3              15

Q & A: Questions and Answers