08 February 2011

OWASP Summit 2011 - Part 1

The OWASP Summit began this morning with a launch introduction by Dinis Cruz, board member, and the rest of the summit team. Tuesday's schedule included ten primary workshops across two tracks, combined with a number of additional sessions in the more dynamic part of the programme which ran into the evening up to 23:00 hrs.

Organisers and participants at the opening of the OWASP Summit 2011 in Lisbon, Portugal

Justin Clarke ran one of the starting workshops about cross site scripting (XSS) awareness, resources, partnerships and the influence browser vendors and framework producers can have on combatting this vulnerability. The panel and audience came to the conclusion that a multi-layered approach was needed, using techniques like auto-escaping templates, server policies, browser sandboxing and the use of something like Content Security Policy (CSP)> There was a follow-up session at 21:00 hrs which I was unable to attend.

The second workshop I attended was led by Ryan Barnett on virtual patching best practive, and as part of this how Wweb application firewalls (WAFs) might contribute to the efforts to mitigate XSS. The group thought that more information needed to be made available about virtual patching and what vulnerabilities might be suitable for this technique. The discussion referenced an excellent document produced by the OWASP German chapter about best practices for WAFs, and thought thiinformation could be updated, extended and promoted more widely. After discussing some of the merits and problems of blocking vs. detection-only, the use of WAFs for mitigating XSS was discussed further. The problems of XSS sources, filtering and blacklisting were examined, and ideas proposed for alternative detection techniques.

After lunch, I attended the session on risk metrics and associated labelling, led by Chris Wysopal and Chris Eng. The US federal OMB M-04-04 risk classifications and pproaches in other sectors were discussed. But the appropriateness of using any form of risk determination in a cross-industry approach was debated, and examples of more factual labelling, perhaps aimed at the supply chain rather than end users was examined.

Keith Turpin introduced the secure coding practices project, and there was a lively debate about the purpose, audience and length of the document. The document's name may be changed in due course to better reflext its aims. The audience had different views on how best OWASP should enage with the development community, but there was very little dissent on the content of the project. Keith was at pains to point out that the document is a list of possible requirements for projects, and cannot be used"as is" without interpretation for particular application and organisation's context. Further input by the email list was welcomed.

The Enterprise Web Defense Round Table examined scaling web security, security training programmes, security bounty & hacking programmes and where can OWASP assist. The perspectives from the panel and audience gave plenty of insight into the different appraoches and what does, and doesn't work. The topic of automated defenses was postponed and will be included in a session about AppSensor at lunchtime on Wednesday.

Participant profiles at the OWASP Application Security Summit 2011 in Lisbon, Portugal

After dinner, I attended the preliminary discussions about OWASP governance, which will continue and be finalised in a session on Thursday morning.

Posted on: 08 February 2011 at 23:30 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

Comments

Comments are filtered automatically and should appear shortly after they been checked.

Post a comment
Confirm acceptance and understanding of the terms of use
New posts to this thread will be sent to your email address
OWASP Summit 2011 - Part 1
http://www.clerkendweller.com/2011/2/8/OWASP-Summit-2011-Part-1
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/2011/2/8/OWASP-Summit-2011-Part-1
Requested by 54.205.173.252 on Friday, 18 April 2014 at 07:03 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2011-2014 clerkendweller.com