OWASP 2.

0
Enabling organizations to develop, maintain, and
acquire applications they can trust

Dinis Cruz
OWASP
dinis.cruz@owasp.net

OWAS
P
AppSe Copyright © 2006 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
c under the terms of the Creative Commons Attribution-ShareAlike 2.5
License. To view this license, visit http://creativecommons.org/licenses/by-

Seattl sa/2.5/

e The OWASP
October http://www.owasp.org/
2006 Foundation
 Mission

Enabling organizations to
develop, maintain, and
purchase applications that
they can trust

OWASP AppSec Seattle 2006 2

OWASP Foundation

 The OWASP Foundation is a 501c3 not-

for-profit charitable organization that
ensures the ongoing availability and
support for our work. Participation in
OWASP is free and open to all.

OWASP AppSec Seattle 2006 3

History

 2000: Mark Curphey and Microsoft Word

 2001: OWASP Guide 1.0
 Sep 2002: Many volunteers finish 1.1.1
 Oct 2002: owasp-leaders created
 Leaders from each project
 This meritocracy still leads us today
 2003: OWASP Foundation created
 -> 2006: tons of new projects (see
tomorrow)

OWASP AppSec Seattle 2006 4

It’s about community

 Built on great foundations built by our

contributors

 Greater peer to peer participation

 Emphasis on local community building
 More support for your projects

OWASP AppSec Seattle 2006 5

www.owasp.org

OWASP AppSec Seattle 2006 6

It’s about building a solid foundation

 Transparency
Annual Report, financial details
Annual report (with financial details) starting 2006
Move to more formal structure in 2007 timeframe
(à la Apache, NetBSD, Debian, etc)

 Improve membership experience

Membership packages
 Individual
 Corporate
 Sponsor
Starter chapter pack

OWASP AppSec Seattle 2006 7

Autumn of Code 2006

» The Open Web Application Security

Project (OWASP) has recently launched
a new project entitled "OWASP Autumn
of Code 2006” that is aimed at
financially sponsoring contributions to
OWASP Projects.
 On the 18th of September our call for entries
ended and on the 25th of September we released
our list of selected projects to be sponsored.
OWASP has made the decision to sponsor 9
projects (5 at $3,500 USD and 4 at $5,000 USD)
instead of our originally planned number of 8.

OWASP AppSec Seattle 2006 8

Autumn of Code 2006 - Projects

WebScarab NG – Rogan Dawes

Live CD – Joshua Perrymon
CAL9000 – Chris Loomis
SiteGenerator and ORG – Mike de Libero
Pantera – Simon Roses
Web Goat – Sherif Koussa
Testing Guide – Matteo Meucci
OWASP .NET Tools – Boris Maletic
OWASP Website and Branding – Aaron M.
Holmes
OWASP AppSec Seattle 2006 9
Current projects (see website)

Release Quality
Beta Status
Alpha Status
Technology, Research, and Guides

OWASP AppSec Seattle 2006 10

Funding model

 Need to increase OWASP individual and

corporate members

 Current funding model

 Conferences
 Corporate and Individual Memberships (to
be GNI adjusted)
 Advertising
 Sponsorships

OWASP AppSec Seattle 2006 11

OWASP Membership
 An active voice in the development of OWASP Materials that are becoming
widely accepted as an application security standard for all organizations.
 A OWASP Commercial License to use the materials within your organization
without the restrictions associated with the various open source licenses used
by the OWASP projects.
 Timely electronic notification of updates to the OWASP Materials.
 Visibility for your organization's tangible commitment to application security
through its inclusion in the members list on the OWASP website and promotional
materials.
 The right to use the OWASP name and membership mark to show that you are
an OWASP Member. Note that the mark must not be used in any way that might
indicate that OWASP supports a commercial product or service.
 Collaboration with other highly skilled people from organizations around the
world, both virtually and in person during periodic OWASP AppSec conferences
and chapter meetings.
 Discounted registration fees for OWASP AppSec conferences to all individual
members and all employees of member organizations.

OWASP AppSec Seattle 2006 12

OWASP Membership cost

OWASP AppSec Seattle 2006 13

Local Chapters
OWASP AppSec Seattle 2006 14
Chapters!

OWASP AppSec Seattle 2006 15

Local chapters

 Easily the most useful OWASP activity

 Lots of chapters all around the world

OWASP AppSec Seattle 2006 16

Local chapter support

 Use our Internet resources

 Announce meetings well in advance
 Have a schedule well in advance
 Be consistent
 Community: blogs, forum - in your local
language

 Present new stuff

... or borrow other chapter’s slides

OWASP AppSec Seattle 2006 17

Guidelines for chapters

 Encourage membership in OWASP

 Try to be easily found and a popular time

 Always try to meet, if only for drinkies
 Local sponsorship by vendors is fine
 Try not to be 0wned by the vendors (of any
type)

 Protect yourself - insurance, talk choices,

etc
OWASP AppSec Seattle 2006 18
Leadership Focus

 Developing OWASP Foundation and infrastructure

 Helping you deliver timely, useful projects
 Keeping today’s flagship products fresh and relevant
 Winter, Spring, and Summer of Code 2007

OWASP AppSec Seattle 2006 19

OWASP Brand

 Our brand is important to us

 Need something to help get rid of

freeloaders
 Many firms abusing OWASP Top 10 /
Guide brand
 Need a 'brand management' project

OWASP AppSec Seattle 2006 20

Project Incubators

 Initiate any project you like

 Each project will have its own space

 Community: Link to team member blogs
and forum
 Resources: Samples, downloads, private
workspace

OWASP AppSec Seattle 2006 21

Project Focus

Participate!

What do you want us to focus on?

OWASP AppSec Seattle 2006 22