OWASP Developer Guide Reboot

Post on 08-Jul-2015


My slides from #AppSecUSA 2013. If you want to help, please join the Developer Guide mail list (https://lists.owasp.org/mailman/listinfo/owasp-guide) and say hi. We have a Git Hub Repo which you can find from our project page.

Transcript of OWASP Developer Guide Reboot

OWASP Developer Guide Reboot

Andrew van der Stock @vanderaj | vanderaj@owasp.org

ABOUT ME

Associate director, KPMG

Security Technical Assessments and Architecture


Project Lead, OWASP Developer Guide

Co-Lead, OWASP Proactive Controls

Lead author, OWASP Application Security Verification Standard

Lead author, OWASP Top 10 2007

Project Lead, OWASP ESAPI for PHP


ISC2 CSSLP

Help set SANS GIAC GSSP (Java) exam (2007)

“Think Evil.”

AUDITING SOFTWARE FOR FUN AND PROFIT

linux.conf.au 2002

How did that work out for you?

Mea culpa

[Chart: number of published vulnerabilities per year, 2000 to 2012; vertical axis 0 to 7,000]

http://nvd.nist.gov

Your threat model did not include me!

ENABLE SECURE BUSINESS

Think outside the box - don’t be a speed bump

VALUE

• What is “valuable” to your organization is almost certainly not valuable to someone else

• There is no “<client>” profile in any automated tool

• Embed the notion of “value” into the Developer Guide

OWASP DEVELOPER GUIDE 2013

• A comprehensive dictionary of all the things

• Designed to be a tertiary level text book for application architects and developers

• SMART - Specific, measurable (testable), attainable, relevant, time effective

• Need help!

OWASP APPLICATION SECURITY VERIFICATION STANDARD 2.0

• A comprehensive standard with three levels of verification

• Designed to be a standard(!)

• SMART - Specific, measurable (testable), attainable, relevant, time effective

• GA - November 2013

OWASP PROACTIVE CONTROLS 2013

• The things every development team should be doing to be secure

• Designed to be a standard(!)

• SMART - Specific, measurable (testable), attainable, relevant, time effective

• GA - November 2013

WHAT HASN’T WORKED

• Converting to XML. Failed x1 time so far (1.1.1)

• Minor updates. Failed x1 time so far (2.1)

• Starting from scratch. Failed x3 times so far (3.0, 2010, 2012)

• No project manager, roadmap or deadlines.

• Community. Help!

• Succession.

WHO

• We need a project manager

• We need lots of help writing material

• We need lots of help with UML diagrams

• We need lots of help with code snippets

• Eventually, we will need technical and normal reviewers

• Eventually, we would like translators

WRITING PROCESS

WHAT NEEDS TO BE WRITTEN

• Everything

• Large table of contents

• Don’t freak out - contributions great and small gratefully accepted!

• Need to decide on refactor or re-write

EDITING

RESEARCH


• Need better research methods

• Need better quality results

• Need to support our views by performing basic research

EVIDENCE BASED RESULTS

• Controls must be

• In place

• In use

• Effective

• foreach ($thing in $all_the_things) { $thing()->test(); }

SNIPPETS

TRANSLATION

HOW YOU CAN HELP

• Be part of the community

• Join the Dev Guide mail list https://lists.owasp.org/mailman/listinfo/owasp-guide

• Tell us what you want to work on

• Write! Contribute! Review! Translate!

DECISIONS, DECISIONS

• How best to build community?

• How best to fund the project?

• Refactor or re-write?

• Private Wiki or dog food?

THANK YOU

• Questions?


• @vanderaj

• vanderaj@owasp.org

• 0451 057 580