Monday, 22 May 2017

Owasp Summit Working Session 'Definition of Done'

(email sent to all Summit Participants)
Hi Summit Participant. As you can see by the Summit Schedule, one of the nice problems that Participants will have is going to be: how to select which Working Sessions to attend.

The Summit will create a highly focused and energized environment where each Participant is donating their most valuable assets: Time and Knowledge.

The Working Sessions organizers have the privilege of the Participant's time, which is a massive gift. Their responsibility is to create the most effective and productive environments for them.

Owasp Summit 2017 - 20 days to go (summit presentation)

Hi, please see this presentation for a nice overview of where we are with 20 days to go to the Owasp Summit 2017 in London.
We now have a (draft) schedule and an amazing pool of talent participating onsite and remotely.

Please share this slide-deck with your network + blog + tweet, and if you have an Owasp chapter meeting coming up, please present it (it only takes 5 minutes).

Friday, 19 May 2017

Please help to Promote the Summit

(Email sent to all Owasp Summit Participants)

Summit Participants, the success of the Summit depends on the amount of talent that we are able to bring together.

Although the current list of Participants is already quite impressive, I'm sure we can do better, and bring even more talent to the Summit.

First Summit Schedule and Working Sessions Registration

(email sent to all Owasp Summit Participants)

Summit Participants, now that we have a first pass at the Summit Schedule, we really need you to update your Participant page with the Working Sessions that you want to be involved in.

Here are the individual Tracks' schedules

Here is the consolidated Summit Schedule

What is also really useful is that, after you add those Working Session mappings, you will be able to see your personalized schedule on your Participant page.

Sunday, 14 May 2017

Security message on recent Ransomware attacks (WannaCry worm)

(In case it helps, here is an email I sent today to all of the PhotoBox Group Technology team)

Hi all Tech (TL;DR: high risk of Ransomware, see list of recommendations below)

As you have probably seen in the news, there has been a widespread Ransomware attack which affected a large number of companies worldwide, and is bound to cause more damage next week.

The attack is called Ransomware (a play on Ransom + Software) and has the business model of encrypting all files the affected computer has access to, and then asking for a ransom (i.e. payment) to decrypt the files.

Owasp Top 10 2017 Track at Owasp Summit 2017

The Owasp Summit now has a full track dedicated to the Owasp Top 10 2017 with the following Working Sessions:

Security Playbooks Track and request for anonymised data

After a conversation with Ante Gulam about Security Playbooks, I had the real-world experience of needing them on multiple occasions this week.

Since I was not able to find good resources online that I could easily use, I realised that the Summit presented a great opportunity to create a set of Security Playbooks in standard formats that could be used by the Owasp/Security community.

After some research, I created the Security Playbooks Track with these Working Sessions:

At the moment none of these Working Sessions have an organiser, so for the ones that you are interested in, please become one (or at least register as an onsite or remote participant).

If you already have Security Playbooks at your company (or similar documents/diagrams/workflows), please submit them in an anonymised format with an OpenSource/CC license (so that they can be used by the Working Sessions).

Remember that significant work and collaboration should occur before the Summit (i.e. between now and the 12th of June). It would be amazing if some of the Working Sessions listed above had their tasks completed before the Summit!

For example, we can start working and collaborating asap on the Security Playbooks Diagrams.

Do you have Playbook Diagrams that you can share? (pictures of whiteboard-based diagrams will be a great place to start)

Thanks for your help

Dinis

Friday, 12 May 2017

30 days to go for the Owasp Summit 2017

In 30 days (12 June) Owasp will host its 2017 Global Summit in London where hundreds of participants will join forces in Working Sessions focused on solving hard Application and Cyber Security problems.

This is not a conference with unidirectional presentations. Using the same model as the past two OWASP Summits in Portugal, this 5-day event will be a high-energy experience, during which attendees get the chance to work and collaborate intensively. Every thoroughly prepared working session is geared towards a specific application security challenge and will be focused on actionable outcomes.

"The Best Real-Life InfoSec Problem Solving Event in the World" (and new Owasp Summit blog)

I just added a blog feature to the Owasp Summit site (which wasn't very hard since Jekyll is a blogging engine) which you can see at http://owaspsummit.org/website/blog.html

The first 3 posts are:

Monday, 8 May 2017

FAQ on attendees count, working session format and how to contribute (as a vendor)

(email sent to all Owasp Summit participants)

-----
Hi Summit Participants, please see below an email sent today in response to a couple of questions we received from one of the companies in the Security Crowdsourcing space. See if you can guess which one :)

I'm sure some of you have similar questions, especially around the participation by vendors of security products/services in the Summit's Working Sessions.

Btw, if you have questions that you think we have not provided good answers for, please reach out, and we will do our best to answer them.
-----

The Woodstock of AppSec and more Owasp Summit Working Sessions

(email sent to all onsite and remote Owasp Summit Participants)

Hi Summit Participants, I hope you had a great weekend. Here in London I met with Ante Gulam for a BBQ and we had a very productive Sunday (as you can see below).

Before I go into the details, I have a question for you: What do you think of this tag line for the Summit: "The Woodstock of AppSec"?

Seba came up with it when we met for lunch on Friday, when we were talking about the Summit's gravitational pull (as in 'the place to be', 'the place where the most interesting AppSec conversations will occur', 'the place where the best minds in XYZ topic will be together', 'the place where participants are trying to solve hard problems that I have today').

Sunday, 7 May 2017

Help with OWASP Summit 2017 Outreach

(email I just sent to the owasp-leaders list)

Hi Owasp Leaders, I would like to ask you for some help in promoting the Owasp Summit 2017.

We are now at the phase of the Summit's journey where we have reached critical mass, and really need your energy, collaboration and involvement.

About the Summit:

Owasp Summits are not a normal conference where attendees go to watch presentations. This is a highly collaborative environment made of Working Sessions, which are created by the participants around areas they are passionate about or real-world problems they need solutions for.

How the Summit's Working Sessions will work and Summit's Schedule

(email sent to all Summit registered participants)

Hi Summit Participants (BCCed). I have been receiving a number of questions about how the Working Sessions will be organised at the Summit, so here is an explanation of how they will be setup.

At the moment it might look a bit weird that we have more Working Sessions (106) than participants (81). This is actually quite normal (at this stage), since we still have a large number of participants that will be registering in the next month, and a significant number of Working Sessions that will not have enough energy, content, focus or registrations to justify their inclusion in the final schedule.

Saturday, 6 May 2017

19 new Owasp Summit 2017 Working Sessions

(email I just sent to all onsite and remote Owasp Summit 2017 participants)

Hi Summit Participant (BCCed)

I hope you are having a good weekend and have some energy for some Summit related GitHub Pull Request activities :)

Thursday, 4 May 2017

39 Working Sessions with no organizers, two new Gold Sponsors (CapitalOne and PhotoBox)

Thanks to the Owasp Summit Participants who added themselves as an organiser to 6 Working Sessions.

It's a great start, but we need more :)

In fact we now have 39 Working Sessions that need organisers (two more than yesterday), because we added the following 8 new Working Sessions (most with no organiser and very little content).

Wednesday, 3 May 2017

Summit Working Sessions with NO organizer (please help)

(here is the email I just sent to all registered Owasp Summit 2017 participants, which also applies to you (reader of my blog) :). Please take a good look at those 37 'Working Sessions with no organizer' and pick one to help)

Hi Owasp Summit Participants (onsite and remote)

As you can see from the latest list of 76 Working Sessions, we have quite a good number of very interesting/important topics to collaborate/work on at the Summit (with more sessions being added daily).

We have grouped them into the following tracks and technologies:

Wednesday, 26 April 2017

Owasp top 10 2017 Working Session at next OWASP Summit

Given the recent debates about the changes made on this new version of the OWASP Top 10 (which you can download from here), the next OWASP Summit 2017 will host a Working Session to allow for further collaboration and debate.

Please take a look at http://owaspsummit.org/Working-Sessions/Project-Summit/Owasp-Top-10-2017.html and add/change it accordingly (btw, you can now register as a participant, and, if you want to help organising it, please note that we need an organiser for this Working Session).

Here is a first pass at the topics to cover:

Monday, 10 April 2017

RfP for Owasp SAMM assessment (£10k budget)

Here is a project brief I have been asked to share by a company that operates across Europe, USA and Australia.

Seems to me like a great opportunity for an active member of the OWASP/SAMM community :)

Ping me if your company (or you) want to respond, and I'll put you in touch with them.

--------

Project brief:

Our e-commerce security maturity is of critical importance to us and our valued customers.

Through this RfP process, we are approaching the App/InfoSec community to invite responses from Europe-based AppSec consultants and businesses who are interested in engaging with our Group Security team to deliver an acute assessment of our individual teams' security maturity.

We welcome responses from those well versed in the OWASP SAMM methodology, who have full-stack technical experience of auditing complex e-commerce environments and practices. Experience in producing board-level written reports and visualisations of data collected is highly desired. The data is to be collected using the Owasp Maturity Model tool.

Presentation: Building AppSec Teams

Here is the presentation I delivered recently at an online SC Conference on Web Application Security.

This is the consolidation of my recent research (and practical experience) of creating AppSec teams.

I think this structure and focus would make a massive difference (if implemented) at a large number of companies (especially the AppSec Squad concept).

The video is available on demand here

Presentation: OWASP Summit 2017 (Jan and Feb updates)

Here are two presentations I delivered recently (at the OWASP London Chapter) about the forthcoming OWASP Summit 2017.

Presentation: Security champions

Here is a presentation I delivered recently to a newly created Security Champions team.

The objective was to present to them what Security Champions are, and to motivate them into wanting to become one.

Let me know what you think of it, and if there is anything missing from this initial 'motivational' slide deck.

Presentation: Legacy-SecDevOps (AppSec Management Debrief)

Here is a presentation I created last year as a debrief to C-Level execs.

It is quite strong, but they took it quite well and agreed with most of it :)

Let me know what you think of it (I'm sure you've seen many similar projects and organisations).

Thursday, 15 December 2016

The Authentication micro-service cache incident

A good example of why we need tests across the board, not just normal unit tests but integration tests, and tests that are spawned as widely as possible, is the story of an authentication module that was developed as a re-factoring into a separate micro-service.

When the module was developed, it had a high degree of code coverage; in fact it had 100% unit test coverage. The problems arose when it went live, and several issues occurred. One of the original issues occurred because the new system was designed to improve the way the database or the passwords were stored. This meant that once it was fully deployed, some of the existing dependent services stopped working.

Risk Dashboards and emails

It is critical that you create a suite of management dashboards that map the existing security metrics and the status of RISK tickets:

Jira Dashboard