Source: ossg.bcs.org/.../bcs...risk-owasp-talk-26-9-14.pdf (Adrian Winckles, Andres Baravalle)
TRANSCRIPT
Open Source Security Projects
– Success and Failure….
Adrian Winckles
About Me
• Adrian Winckles MSc CEng CITP AMIEEE
– OWASP Cambridge Chapter Leader
– OWASP AppSec Europe 2014 Conference Chair
– Day Job(s)
• Senior Lecturer – Anglia Ruskin University
• Course Leader – Information Security and Forensic Computing
• Independent IT Security Consultant
What is OWASP?
• Open Web Application Security Project
– worldwide free and open community focused on
improving the security of application software
– Promotes secure software development
– Oriented to the delivery of web oriented services
– An open forum for discussion
– A free resource for any development team
What is OWASP?
• Open Web Application Security Project
– Non-profit, volunteer driven organization
• All members are volunteers
• All work is donated by sponsors
– Provide free resources to the community
• Publications, Articles, Standards
• Testing and Training Software
• Local Chapters & Mailing Lists
– Supported through sponsorships
• Corporate support through financial or project sponsorship
• Personal sponsorships from members
OWASP Principles
• Free & Open
• Governed by rough consensus & running code
• Abide by a code of ethics (see ethics)
• Not-for-profit
• Not driven by commercial interests
• Risk based approach
OWASP Code of Ethics
• Perform all professional activities and duties in accordance with all
applicable laws and the highest ethical principles
• Promote the implementation of and promote compliance with standards,
procedures, controls for application security
• Maintain appropriate confidentiality of proprietary or otherwise sensitive
information encountered in the course of professional activities
• Discharge professional responsibilities with diligence and honesty
• Refrain from any activities which might constitute a conflict of interest or
otherwise damage the reputation of employers, the information security
profession, or the Association
• Not intentionally injure or impugn the professional reputation of practice
of colleagues, clients, or employers
What does OWASP produce?
• What do they provide via Projects?
– Publications
• OWASP Top 10
• CISO Guide
– Tools
• WebGoat
• WebSheperd
• WTE
– Code
• CSRFGuard
OWASP Publications
• Common Features
– All OWASP publications are available free for
download from http://www.owasp.org
– Publications are released under the GNU Lesser General Public
License (LGPL) or the GNU Free Documentation License (GFDL)
– Living Documents
• Updating as needed
• Ongoing Projects
– OWASP Publications feature collaborative work in
a competitive field
Project Flow
• Create something useful: a project or document made only for
your own enjoyment has no purpose for a wider audience
• A well thought out Roadmap
• A unique angle or approach to research, solve or test a
security issue: ZAP has some unique features, such as testing
WebSockets. Until recently, Burp Suite was not able to do this.
• Right now we have more than
different Broken Apps...doing more
or less the same...some written in the
same language (PHP/MySQL)
Documentation is King
• Documentation: a well documented code/tool project can reach
users much better.
• It is essential that project leaders work on
documenting their projects for first time users
and think about how to reach different
audiences, from beginners in Appsec up to
experts.
Project Flow
• Make use of videos or step by step screenshots to explain how
to use your tool/code
• An active and responsive project leader: the heart of the
project is the leader. If leaders do not have much time to give
to their projects and to respond to potential users (emails,
FAQs, etc.), the project won't build momentum
• A well thought out architecture: this is essential to attract
contributors.
OWASP Project Tips (cont)
• Regular releases and version control: obviously, if people see
your project hasn't been updated in more than 6 months, they
will probably not use it. For documents a period of 2 years
seems to me to be the limit, especially in AppSec.
• Marketing/promotion: probably the most underestimated part,
but the one with the largest impact of all. Projects need to be
promoted, and the person mainly responsible for that is the
leader.
• Feedback: successful projects have a process to gather
feedback and implement it in their future releases
New Project Model
• 3 New Project Lifecycle Stages
Ongoing refinement at the moment
–Incubator Projects
• Experimental playground & development is still under
way
–Lab Projects
• Have produced a deliverable of value and/or ready for
mainstream use
–Flagship Projects
• Strategic Value to OWASP & Application Security in
general
Flagship Projects
• Zed Attack Proxy (ZAP)
• Web Testing Environment
(WTE)
• CSRFGuard Project (code)
Lab Projects
• Many of the well known ones
– Top 10 Project
– WebGoat
– O2
– SAMM
– ASVS
– ESAPI
– Appsensor
– ………..
Incubator Projects
• A whole host of projects waiting to be taken to maturity …
– Cornucopia
– iOSForensic
– iGoat
– PassFault
– Bricks
– PHP Security
– ……
Archived & Inactive Projects
• As illustrated earlier, many projects lie dormant …..
Conclusion
• Finally, anyone willing to run or start an open source
project should read the following documentation:
– http://www2.econ.iastate.edu/tesfatsi/Producing
OSS.KarlFogel2005.pdf
• In many ways, starting and maintaining an open source project
is not much different from developing a product or a start-up