Tuesday, 22 February 2011
Wednesday, 16 February 2011
I 'soft' published this letter before the OWASP Summit 2011 and I think it is time it goes mainstream (note how there are already a number of signatures :) )
Note: The original can be found on the OWASP website: "Open letter to WebAppSec Tool and Services vendors: Release your schemas and allow automation"
To WebAppSec vendors
If you want to sign, please do it here (on the OWASP website)
Wednesday, 2 February 2011
O2 users, please participate remotely in the O2 Working Session that will happen at the Summit. The time-slot and location of this session will depend on how many people are registered (both online and remotely), so if you are going to the Summit or can participate remotely, please register now!
If you are going to be at the Summit, you can add your name here: http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session063 (see 'Working Session Participants' section at the bottom)
If you are going to participate remotely, you can register here: https://spreadsheets.google.com/viewform?formkey=dEptc1BoTVJSQkxBSDhhNHdSaEN1Y3c6MQ (make sure you select the O2 Platform Working Session :) )
For reference, here are the current details of this O2 Platform Working Session (from http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session063):
Description: This session will focus on exchanging experiences between O2 users and on how to make O2 easier to use and consume. There are a lot of areas where O2 can add value during security reviews; the problem most O2 users have is 'I know that it can be done, but how?'. Another key topic for discussion and debate is the 'No more security reports as PDFs' concept (where, after a security engagement, clients should be given Unit Tests, not PDFs).
Objectives:
- Define 'What is O2'
- Map out easy ways to start using O2
- Document success stories and 'real world' O2 usage
- Simple user’s guide that shows how to install, configure, and use O2 to do a few simple common things
- Detailed workflows for the more complex features
- Roadmap for the next version of O2
Feel free to edit the wiki and add your ideas (if you have an O2 feature wish-list, now is a good time to document it).
Thanks and see you at this session...
The OWASP Summit is gearing up to be an amazing event.
If you are not able to make it in person to Portugal, then please make the time to participate remotely.
We will have at least 1 professional video/audio feed (provided by Portuguese web company sapo.pt) and most working sessions will have video/audio coverage (technology still to be decided).
If you are going to participate, PLEASE register your interests so that we can (try to) take your needs into account! (important if you are not on a GMT time zone).
Here is the registration form: https://spreadsheets.google.com/viewform?formkey=dEptc1BoTVJSQkxBSDhhNHdSaEN1Y3c6MQ
For reference, here are the main links:
- Home page: http://www.owasp.org/index.php/Summit_2011
- List of planned working sessions: http://www.owasp.org/index.php/Summit_2011_Working_Sessions
- List of confirmed attendees (160 at last count): http://www.owasp.org/index.php/Summit_2011_Attendee
Tuesday, 1 February 2011
A client asked me to recommend a list of application security links. So here they are:
- http://www.owasp.org/index.php/Feed - OWASP AppSec Feed (if you only follow one XML feed, follow this one)
- http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project - OWASP Top 10 Document (should be mandatory reading for everybody)
- http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project - Vulnerable Web Application in J2EE (designed as a learning tool)
- http://code.google.com/p/owasp-hacmebank/downloads/list - Vulnerable Web Application in .NET (designed as a banking application)
- http://www.owasp.org/index.php/OWASP_Testing_Project - OWASP Testing Guide (provides good foundation for Security focused testing)
- http://www.owasp.org/index.php/Category:OWASP_Legal_Project - Great document that shows an example of what should exist (from a security point of view) in a software development contract
- http://www.opensamm.org/ - A Maturity Model based on what companies should be doing (this is a type of SDL)
- http://bsimm.com/ - A Maturity Model based on what a number of large companies are doing
- http://blogs.msdn.com/b/sdl/archive/2011/01/26/only-16-security-practices-implementation-guidance-included.aspx - Good '16 steps to have an SDL' guidance from Microsoft
- http://o2platform.com , http://o2platform.wordpress.com/ - Info about the O2 Platform
- http://jeremiahgrossman.blogspot.com/ - Great application Security Blog (from WhiteHat founder)
- http://1raindrop.typepad.com/1_raindrop/ - Great application security blog