OWASP Developer Guide Reboot

+Andrew van der Stock !@vanderaj | vanderaj@owasp.org

ABOUT MEAssociate director, KPMG

Security Technical Assessments and Architecture

!

Project Lead, OWASP Developer Guide

Co-Lead, OWASP Proactive Controls

Lead author, OWASP Application Security Verification Standard

Lead author, OWASP Top 10 2007

Project Lead, OWASP ESAPI for PHP

!

ISC2 CSSLP

Help set SANS GIAC GSSP (Java) exam (2007)

“Think Evil.”

AUDITING SOFTWARE FOR FUN AND PROFIT

linux.conf.au 2002

How did that work out for you?

Mea culpa

0"

1,000"

2,000"

3,000"

4,000"

5,000"

6,000"

7,000"

2000" 2001" 2002" 2003" 2004" 2005" 2006" 2007" 2008" 2009" 2010" 2011" 2012"

http://nvd.nist.gov

Your threat model did not include me!

ENABLE SECURE BUSINESSThink outside the box - don’t be a speed bump

VALUE

• What is “valuable” to your organization is almost not valuable to someone else

• There is no “<client>” profile in any automated tool

• Embed the notion of “value” into the Developer Guide

OWASP DEVELOPER GUIDE 2013• A comprehensive dictionary of all

the things

• Designed to be a tertiary level text book for application architects and developers

• SMART - Specific, measurable (testable), attainable, relevant, time effective

• Need help!

OWASP APPLICATION SECURITY VERIFICATION STANDARD 2.0

• A comprehensive standard with three levels of verification

• Designed to be a standard(!)

• SMART - Specific, measurable (testable), attainable, relevant, time effective

• GA - November 2013

OWASP PROACTIVE CONTROLS 2013

• The things every development team should be doing to be secure

• Designed to be a standard(!)

• SMART - Specific, measurable (testable), attainable, relevant, time effective

• GA - November 2013

WHAT HASN’T WORKED• Converting to XML. Failed x1 time so far (1.1.1)

• Minor updates. Failed x1 times so far (2.1)

• Starting from scratch. Failed x3 times so far (3.0, 2010, 2012)

• No project manager, roadmap or deadlines.

• Community. Help!

• Succession.

WHO• We need a project manager

• We need lots of help writing material

• We need lots of help with UML diagrams

• We need lots of help with code snippets

• Eventually, we will need technical and normal reviewers

• Eventually, we would like translators

WRITING PROCESS

WHAT NEEDS TO BE WRITTEN• Everything

!

• Large table of contents

• Don’t freak out - contributions great and small gratefully accepted!

• Need to decide on refactor or re-write

EDITING

RESEARCH

RESEARCH

• Need better research methods

• Need better quality results

• Need to support our views by performing basic research

EVIDENCE BASED RESULTS• Controls must be

• In place

• In use

• Effective

• foreach ($thing in $all_the_things) { $thing()->test(); }

SNIPPETS

TRANSLATION

HOW YOU CAN HELP• Be part of the community

• Join the Dev Guide mail list https://lists.owasp.org/mailman/listinfo/owasp-guide

• Tell us what you want to work on

• Write! Contribute! Review! Translate!

DECISIONS, DECISIONS

• How best to build community?

DECISIONS, DECISIONS

• How best to fund the project?

DECISIONS, DECISIONS

• Refactor or re-write?

DECISIONS, DECISIONS

• Private Wiki or dog food?

THANK YOU

• Questions?

!

• @vanderaj

• vanderaj@owasp.org

• 0451 057 580