
The Open Web Application Security Project

“Security is a process, not a product”

-- Bruce Schneier

What if the software world was only…

100 apps written by 100 developers at 100 companies

83 apps have a serious vulnerability

72 apps have Cross Site Scripting

40 apps have SQL injection

1 company has a responsible appsec program

1 developer has any security training

100 apps contain code of unknown origin

90 apps use unpatched libraries with known flaws

5 apps have had a scan or pentest

1 app has had a manual security code review

0 apps provide any visibility into security

Why?

“Don’t hate the playa

Hate the game”

-- Ice T

The first rule of security is…

…You do not talk about security

We Trust

We Blame

We Hide

Toxic?

AppSec Visibility Cycle

Stakeholders: Audit, Developers, Infosec, Legal, Architects, Users, Research, Business

Activities: Monitor Threat, Create Security Architecture, Define Security Requirements, Implement Controls, Share Findings, Understand Laws, Verify Compliance, Understand Stakeholders

Our Mission: Visibility

Growing Ecosystems

OWASP Foundation (OWASP Board)

Projects, Membership, Education, Conferences, Industry, Chapters, Connections

OWASP Leaders (Chapters and Projects)

OWASP Meritocracy

OWASP Members

OWASP Users and Participants

OWASP conferences (map slide):

DC: Sep 2009, Nov 2010

Brussels: May 2008

Poland: May 2009

Taiwan: Oct 07-08

Portugal: Nov 2008

Israel: Sep 07-08

India: Aug 2008, Nov 2009

Australia: Feb 08-09

Minnesota: Oct 08-11

Denver: Spring 08-10

Sweden: June 2010

Ireland: Sept 08-09, June 2011

Greece: June 2012

New York: Nov 2008, Oct 2012

China: Oct 2010

New Zealand: July 09-10

Brazil: Oct 09-10

Germany: Oct 08-10

Today

• Getting Started with OWASP T10 and Guides
• Building a Software Assurance Program
• Using the OWASP Live CD

=====LUNCH=====

• OWASP Enterprise Security API (ESAPI)
• OWASP O2
• The DISA AppSec STIG and OWASP Tools
• Discussion

Jeff Williams, Aspect Security CEO

OWASP Foundation

[email protected]

http://www.owasp.org

twitter @planetlevel

410-707-1487

Join Us