OWASP stands for informed security decisions based on a solid, comprehensive understanding of the business risk associated with an application. OWASP's philosophy is that achieving security involves all parts of an organization, including people, process, and technology. We support the use of our brand consistent with this philosophy. However, we cannot allow the use of our brand when it implies something inconsistent with OWASP's comprehensive and balanced approach to application security. Therefore, we have defined these brand usage rules to clarify appropriate and inappropriate uses of the OWASP brand, including our name, domain, logos, project names, and other trademarks.
The following rules make reference to the OWASP Materials, meaning any tools, documentation, or other content from OWASP. The rules also make reference to "OWASP Published Standards" which are currently in the process of being developed and released. Currently there are no OWASP Published Standards.
By Mike Boberski
Whether it's the OWASP Top 10 or the CWE/SANS Top 25, problems that the domain of Software Assurance (SwA) explores are perhaps “the” central security challenge confronting cyberspace for the foreseeable future. And, these problems are not “traditional” in the same sense that “traditional” warfare is distinct from “Irregular Warfare (IW)”.
IW tactics such as guerrilla warfare, subversion, and sabotage in cyberspace take the form of attacks on the design and construction of application and service interfaces, and on the design, construction and even the unexpected passing of messages (nefariously-crafted or otherwise) input to and output from application and service interfaces. Simply, traditional cyberspace security controls (firewalls, operating system controls, and so on) do not protect against attackers that call applications and services in unintended ways.
Senior leaders across both public and private sectors are asking relevant questions such as "What are the top vulnerabilities to my application?", but not crucial questions such as "What application-level security requirements does my application meet, and will meeting those requirements make my application secure enough for my purposes?"
While there’s a growing need for tools that provide repeatable solutions to these types of complex, enduring, and increasingly threatening cyberspace problems, there is a remarkable dearth of such tools. A notable exception is OWASP. OWASP is considered by many to be providing thought leadership and creative solutions to SwA problems. OWASP solutions include:
- OWASP Secure Software Development Contract Annex (Contract Annex) – provides a way to build security in before the building begins, whether it’s in a contract or a policy.
- OWASP Application Security Verification Standard (ASVS) – provides a way to figure out if your application is “this” secure or “T—H—I—S” secure, whether it’s by vulnerability scanning, code review, penetration testing, or architecture review.
- OWASP Enterprise Security API (ESAPI) – provides technical security controls that you can add into your solution stack to guard against attackers calling your applications and services in unintended ways (by providing, for example, user data input validation controls), whether it’s Java, .NET, PHP, or a laundry list of other languages.
Are you asking the right questions? :-)
OWASP is currently soliciting papers and training proposals for the OWASP AppSec USA, California 2010 Conference that will take place at the UC Irvine Conference Center in beautiful Orange County, CA on September 7th through 10th of 2010. There will be training courses on September 7th and 8th followed by plenary sessions on the 9th and 10th, with each day having at least three tracks.
AppSec USA may also have BOF (informal ad hoc meetings), break-out, or speed talks in addition to the standard schedule, depending on the submissions we receive.
We are seeking people and organizations that want to present on any of the following topics (in no particular order):
- Business Risks with Application Security
- Starting and Managing Secure Development Lifecycle Programs
- Web Services, XML and Application Security
- Metrics for Application Security
- Application Threat Modeling
- Hands-on Source Code Review
- Web Application Security Testing
- OWASP Tools and Projects
- Secure Coding Practices (J2EE/.NET)
- Privacy Concerns with Applications and Data Storage
- Web Application Security Countermeasures
- Technology-specific presentations on security such as AJAX, XML, etc.
- Anything else relating to OWASP and Application Security
To make a submission you must include:
- Presenter(s) name(s)
- Presenter(s) Email and/or Phone number(s)
- Presenter(s) bio(s)
- Any supporting research/tools (will not be released outside of the CFP committee)
Submission deadline is June 6th at 12PM PST (GMT -8).
Submit Proposals to:
Please forward to all interested practitioners.