Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP AppSec June 2004 NYC Welcome to AppSec2004 Mark Curphey, OWASP Founder Director of Software Security Foundstone

OWASP AppSec House Rules and Logistics  Be Interactive, Ask Questions  Absolutely No Cell Phones, No Loud Talking  Be Courteous  Fire Exits  Restrooms  Catering  Enjoy, Socialize and Learn!

OWASP AppSec Agenda  House Rules and Logistics  OWASP Yesterday, Today and Tomorrow  Mission Impossible?  The Way We Work  The Good, the Bad and The Ugly  Future Highlights  Thanks  Speaker Introductions  Beer Tonight

OWASP AppSec OWASP Yesterday, Today and Tomorrow  Yesterday  Market Maturity, FUD, Lack of Information  Concept and Initial Project  No Formal Mission, No Resources, No Funding  Volunteer Best Efforts  Today  40 Active Participants  Global Participation  Increasing Respect and Interest  OWASP Board of Advisors  OWASP Foundation, New Chair, Organization  Tomorrow  Increased Corporate and Community Participation  oPortal  Conferences  Outreach  Chapters  Quality not Quantity  Holistic and Synergistic Projects  Funding?

OWASP AppSec Mission Impossible?  Balancing Corporate Security & The Open Source Community  Balancing Accessibility & Capability  Balancing Employers Needs & OWASP Needs

OWASP AppSec The Way We Work  Licensing, Copyright and Ownership  GPL and the Future  Copyright (FSF)  Meritocracy  OWASP Leaders  Board of Advisors  Volunteer Best Efforts  Community  Collaboration  Project Structure  Project Leads  OWASP Foundation  Not for Profit

OWASP AppSec The Good the Bad and the Ugly  Running an Open Source Project  Utopian Dream?  Great People (come and go)  Priorities Differ  Motivation Differ and Change  People Want Free Stuff But Free Stuff Costs Money and Takes Time  The CSO Who Was Running OWASP  Vendor Sales Story  Top Ten and the FTC  Tech TV, CNN.com etc  The Man Who Stole Our Servers  OWASP Itself  The Projects  The Community  Respect  The Enthusiasm

OWASP AppSec  Metrics and Measurement  oPortal  CMS  Personalization  Blogs  Surveys  ISO  Guide Version 2.0  Testing Project  Berretta  Open Source Commercial Quality Web App Scanner  C# ASP.NET  New Development Model Future Highlights

OWASP AppSec High Level Architecture design Developer, Website administrator or PenTester Beretta administrator Discovery Engine Platform Vulnerabilities Dynamic Vulnerabilities Beretta Configuration GUI Session GUI Reporting Beretta_Kernel.DLL XML file access and Parsing Configuration Settings Timer and Scheduling..Task Assignment.Session Management RAW TCP/IP packet creation and management Exposed Classes Bereta_Execution Web Service INTERNET Web Application to test XML Database OASIS WAS

OWASP AppSec Thanks  Attendees  Those that Can’t Make It  Adrian Wiessmann  Ingo Struck  David Endler  Dennis Groves  Steve Taylor  Bill Hau  OWASP Contributors  Those That Are Here  OWASP Leaders and Participants  MVCO - Stan Guzik  MVSE – Carric Dooley  Sponsors  Fidelity  Teros  NetScaler  Imperva  Yuval Ben-Itzak  Stevens Institute

OWASP AppSec Speaker Introductions  Denis Verdon - Fidelity National Financial  Mark Curphey – Foundstone  Jeff Williams – CEO, Aspect Security  Jack Danahy – Ounce Labs  Stan Guzik – Immediatech  Bruce Mayhew – Aspect Security  Dave Aitel – Immunity Security  Dinis Cruz – DDPlus  David Raphael / Ben Poweski – Citadel  George Capehart – Capehart Associates  Kartik Trivedi – Foundstone  Andreas Fuchsberger – Royal Holloway, University of London

OWASP AppSec Beer Tonight  Location  Luna Park North end of Union Square Park (Flatiron/Gramercy/Union Square) 17th St. between Broadway and Park Ave. So  Time  8pm Onwards  URL  9.htm 9.htm