I’m currently at the OWASP AppSec 2008 Conference in New York City and am listening to the keynote presentation shared by the board of OWASP.  Starting off is Jeff Williams, Chair of OWASP.  He talked about OWASP’s mission, what we’re currently working on, and offered the following suggestions on how to take OWASP into the future:

1) Prioritize

  • You can’t “hack” code secure.
  • Use risk metrics.

2) Set a useful research agenda

  • Don’t spend time searching for obscure vulnerabilities
  • Create tools that verify that software does the RIGHT thing instead of just looking for problems.

3) Turn application security from a black art to a science

  • OWASP in School program
  • Translating OWASP Top 10 and various books and projects into other languages.
  • Printing guides, books, and manuals for the cost of printing.  Free downloads online.

4) We can enable secure coding

  • Breaking things is easy, try creating something secure and tell people how you did it.
  • Check out the OWASP Enterprise Security API Project
  • Increased visibility (software should provide info on who built it, what libraries they used, etc)

5) Make application security into a movement

  • Evangelize application security
  • Show people what an application security program looks like

Next up was Dave Wichers.  He talked about the OWASP goals of improving quality and support.  OWASP is publishing a “desk reference” guide on application security.  Community outreach is a huge focus of OWASP, with over 100 chapters around the world.  Dave is the Conference Chair and helps to organize these conferences.  Let him know if you’re interested in putting one on.

Tom Brennan, head of the NY/NJ chapter and an OWASP Board Member, talks about the over 10,000 members on the mailing list and the over 120 chapters involved in the OWASP effort.  Says you should get involved in OWASP!

Next up is Dinis Cruz, another board member, who says he comes up with all sorts of crazy ideas for OWASP.  He helped come up with the OWASP Grants idea when the Belgium chapter had extra money in the bank.  OWASP Spring of Code 2007 sponsored 26 projects at $125,000.  Summer of Code 2008 has 31 grants, and they are focusing on quality with reviewers, project managers, etc.  OWASP has given out over $250,000 in grants since the Seasons of Code project started.  Then he started talking about the OWASP EU Summit happening in Portugal in November 2008.  Nice hotel by the seafront.  Go to meet all of the guys who are influential in OWASP.  They are coming up with a bunch of training courses that are completely OWASP related and mostly taught by our leaders.  Lots of working sessions to start discussing projects and set the AppSec agenda for 2009.  Five nights at a 5 star hotel for 300 euros if you share a room or 600 euros if you want a single.  It’s a deal!  If you’re at the conference, they’re giving out free books.

Last up is Sebastian Deleersnyder who compares OWASP to Second Life.  A lot of people doing this as a second job, but it’s also a virtual community.  Asks chapter leaders to stand up and everyone gives them a hand.  *pats self on the back*  End of keynote.