Adrian Winckles - British Computer Society
Open Source Security Projects
– Success and Failure…
Adrian Winckles
About Me
• Adrian Winckles MSc CEng CITP AMIEEE
– OWASP Cambridge Chapter Leader
– OWASP AppSec Europe 2014 Conference Chair
– Day Job(s)
• Senior Lecturer – Anglia Ruskin University
• Course Leader – Information Security and Forensic Computing
• Independent IT Security Consultant
What is OWASP?
• Open Web Application Security Project
– Worldwide free and open community focused on improving the security of application software
– Promotes secure software development
– Oriented to the delivery of web oriented services
– An open forum for discussion
– A free resource for any development team
What is OWASP?
• Open Web Application Security Project
– Non-profit, volunteer driven organization
• All members are volunteers
• All work is donated by sponsors
– Provide free resources to the community
• Publications, Articles, Standards
• Testing and Training Software
• Local Chapters & Mailing Lists
– Supported through sponsorships
• Corporate support through financial or project sponsorship
• Personal sponsorships from members
OWASP Principles
• Free & Open
• Governed by rough consensus & running code
• Abide by a code of ethics (see ethics)
• Not-for-profit
• Not driven by commercial interests
• Risk based approach
OWASP Code of Ethics
• Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles
• Promote the implementation of, and promote compliance with, standards, procedures and controls for application security
• Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities
• Discharge professional responsibilities with diligence and honesty
• Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association
• Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers
What does OWASP produce?
• What do they provide via Projects?
– Publications
• OWASP Top 10
• CISO Guide
– Tools
• WebGoat
• WebSheperd
• WTE
– Code
• CSRFGuard
OWASP Publications
• Common Features
– All OWASP publications are available free for download from http://www.owasp.org
– Publications are released under the GNU Lesser General Public License (LGPL), or the GNU Free Documentation License (GFDL)
– Living Documents
• Updated as needed
• Ongoing Projects
– OWASP publications feature collaborative work in a competitive field
A Sense of Community
Diverse Community
Defenders
Project Flow
• Create something useful: a project or document for your own enjoyment has absolutely no purpose to a wider audience
• A well thought out Roadmap
• A unique angle, or approach to research/solve/test a security issue: ZAP has some unique features such as testing Web sockets. Until recently, Burp Suite was not able to do this.
• Right now we have more than different Broken Apps... doing more or less the same... some written in the same language (PHP/MySQL)
Documentation is King
• Documentation: a well documented code/tool project can reach users much better.
• It is essential that project leaders work on documenting their projects for first time users and think about how to reach different audiences, from beginners in Appsec up to experts.
Documentation
Project Flow
• Make use of videos or step by step print screens to explain how to use your tool/code
• An active and responsive project leader: the heart of the project is the leader. If leaders do not have much time to give to their projects and respond to potential users (emails, FAQs, etc.) the project won't build momentum
• A well thought out architecture: this is essential to attract contributors.
OWASP Project Tips (cont)
• Regular releases and version control: obviously, if people see your project hasn't been updated in more than 6 months, they will probably not use it. For documents a period of 2 years seems to me to be the limit, especially in Appsec.
• Marketing/Promotion: probably the most underestimated part but the one with the biggest impact of all. Projects need to be promoted and the person mainly responsible for that is the leader.
• Feedback: successful projects have a process to gather feedback and implement it in their future releases
The Problem
Roadmaps
• Movement to new project status
New Project Model
• 3 New Project Lifecycle Stages
Ongoing refinement at the moment
– Incubator Projects
• Experimental playground; development is still under way
– Lab Projects
• Have produced a deliverable of value and/or are ready for mainstream use
– Flagship Projects
• Strategic value to OWASP and application security in general
Flagship Projects
• Zed Attack Proxy (ZAP)
• Web Testing Environment (WTE)
• CSRFGuard Project (code)
Lab Projects
• Many of the well known ones
– Top 10 Project
– WebGoat
– O2
– SAMM
– ASVS
– ESAPI
– Appsensor
– …
Incubator Projects
• A whole host of projects waiting to be taken to maturity…
– Cornucopia
– iOSForensic
– iGoat
– PassFault
– Bricks
– PHP Security
– …
Archived & Inactive Projects
• As illustrated earlier, many projects lie dormant…
Conclusion
• Finally, anyone willing to run or start an open source project should read the following documentation:
– http://www2.econ.iastate.edu/tesfatsi/ProducingOSS.KarlFogel2005.pdf
• In many ways, starting and keeping an open source project going is not much different from developing a product or a start-up
Any Questions?