Adrian Winckles - Andres Baravalle, ossg.bcs.org/.../BCS...Risk-OWASP-Talk-26-9-14.pdf


Open Source Security Projects – Success and Failure….

Adrian Winckles

About Me

• Adrian Winckles MSc CEng CITP AMIEEE
– OWASP Cambridge Chapter Leader
– OWASP AppSec Europe 2014 Conference Chair
– Day Job(s)
• Senior Lecturer – Anglia Ruskin University
• Course Leader – Information Security and Forensic Computing
• Independent IT Security Consultant


What is OWASP?

• Open Web Application Security Project
– Worldwide free and open community focused on improving the security of application software
– Promotes secure software development
– Oriented to the delivery of web oriented services
– An open forum for discussion
– A free resource for any development team


What is OWASP?

• Open Web Application Security Project

– Non-profit, volunteer driven organization

• All members are volunteers

• All work is donated by sponsors

– Provide free resources to the community

• Publications, Articles, Standards

• Testing and Training Software

• Local Chapters & Mailing Lists

– Supported through sponsorships

• Corporate support through financial or project sponsorship

• Personal sponsorships from members

OWASP Principles

• Free & Open

• Governed by rough consensus & running code

• Abide by a code of ethics (see ethics)

• Not-for-profit

• Not driven by commercial interests

• Risk based approach

OWASP Code of Ethics

• Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles
• Promote the implementation of and promote compliance with standards, procedures, controls for application security
• Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities
• Discharge professional responsibilities with diligence and honesty
• Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association
• Not intentionally injure or impugn the professional reputation of practice of colleagues, clients, or employers


What does OWASP produce?

• What do they provide via Projects?

– Publications

• OWASP Top 10

• CISO Guide

– Tools

• WebGoat
• WebShepherd
• WTE
– Code
• CSRFGuard


OWASP Publications

• Common Features

– All OWASP publications are available free for download from http://www.owasp.org
– Publications are released under the GNU Lesser General Public License (LGPL), or the GNU Free Documentation License (GFDL)
– Living Documents
• Updated as needed
• Ongoing Projects
– OWASP Publications feature collaborative work in a competitive field

A Sense of Community

Diverse Community

Defenders

Project Flow

• Create something useful: A project or document for your own enjoyment has absolutely no purpose to a wider audience
• A well thought out Roadmap
• A unique angle, or approach to research/solve/test a security issue: ZAP has some unique features such as testing Web sockets. Until recently, Burp Suite was not able to do this.
• Right now we have more than different Broken Apps... doing more or less the same... some written in the same language (PHP/MySQL)

Documentation is King

• Documentation: A well documented code/tool project can reach users much better.
• It is essential that project leaders work on documenting their projects for first time users and think about how to reach different audiences, from beginners in Appsec up to experts.

Documentation

Project Flow

• Make use of videos or step by step print screens to explain how to use your tool/code
• An active and responsive project leader: The heart of the project is the leader. If leaders do not have much time to give to their projects and respond to potential users (emails, FAQs, etc.) the project won't build momentum
• A well thought out architecture: this is essential to attract contributors.

OWASP Project Tips (cont)

• Regular releases and version control: obviously, if people see your project hasn't been updated in more than 6 months, they will probably not use it. For documents a period of 2 years seems to me to be the limit, especially in Appsec.
• Marketing/Promotion: probably the most underestimated part but the one with the biggest impact of all. Projects need to be promoted and the person mainly responsible for that is the leader.
• Feedback: successful projects have a process to gather feedback and implement it in their future releases

The Problem

Roadmaps

• Movement to new project status

New Project Model

• 3 New Project Lifecycle Stages (ongoing refinement at the moment)
– Incubator Projects
• Experimental playground; development is still under way
– Lab Projects
• Have produced a deliverable of value and/or are ready for mainstream use
– Flagship Projects
• Strategic value to OWASP and application security in general

Flagship Projects

• Zed Attack Proxy (ZAP)

• Web Testing Environment (WTE)
• CSRFGuard Project (code)

Lab Projects

• Many of the well known ones

– Top 10 Project

– WebGoat

– O2

– SAMM

– ASVS

– ESAPI

– Appsensor

– ………..

Incubator Projects

• A whole host of projects waiting to be taken to maturity …

– Cornucopia

– iOSForensic

– iGoat

– PassFault

– Bricks

– PHP Security

– ……

Archived & Inactive Projects

• As illustrated earlier, many projects lie dormant …..

Conclusion

• Finally, anyone willing to run or start an open source project should read the following documentation:
– http://www2.econ.iastate.edu/tesfatsi/ProducingOSS.KarlFogel2005.pdf
• In many ways, starting and keeping an open source project going is not much different from developing a product or a start-up

Any Questions?