AppSecUSA 2015: The Project Summit Interviews

Follow Mark Miller on twitter: @TSWAlliance

I am in San Francisco this week for AppSecUSA 2015. The first two days are a mini-project summit, giving OWASP project teams a chance to work together, face-to-face. I was able to sit down with several of the teams to get an update on their project, talk about what they expect to accomplish at the summit and what they could use from the OWASP Community to support their efforts. (More videos added as they become available.)

The Security Shepherd Project

The Security Shepherd Project is a training platform for web and mobile application penetration testing. The purpose of the project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status. I spoke with project contributors Mark Denihan and Paul McCann.


Application Security Verification Standard

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls. The primary aim of the ASVS Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. I spoke with project contributor Andrew van der Stock.


OWASP Code Review Guide w/ Larry Conklin, Gary Robinson, Chris Gilmore and Josh Stroschein

The Code Review Guide is currently at release version 1.1 and was the second best-selling OWASP book in 2008. Many positive comments have been received about this initial version, and we believe it is a key enabler in the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information.

The combination of a book on secure code review and tools to support such an activity is very powerful, as it gives the developer community a place to start regarding secure application development. Going forward, I hope that further integration with the ASVS and other guides, such as the Testing and ASDR guides, shall be performed for version 2.0.

I spoke with project lead Larry Conklin along with Gary Robinson, Chris Gilmore and Josh Stroschein at AppSecUSA 2015, San Francisco, during the Project Summit on September 22, 2015.


Security Knowledge Framework w/ Ben ten Cate

The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. I spoke with project lead Glenn ten Cate at AppSecUSA 2015, San Francisco, during the Project Summit on September 22, 2015.

You can see the project on the OWASP site:
https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework



Benchmark Project w/ Dave Wichers

The OWASP Benchmark for Security Automation (OWASP Benchmark) is a test suite designed to evaluate the speed, coverage, and accuracy of automated vulnerability detection tools and services (henceforth simply referred to as ‘tools’). Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other. The OWASP Benchmark contains over 20,000 test cases that are fully runnable and exploitable, each of which maps to the appropriate CWE number for that vulnerability.

I spoke with project lead Dave Wichers at AppSecUSA 2015, San Francisco, during the Project Summit on September 22, 2015.

You can see the project on the OWASP site:
https://www.owasp.org/index.php/Benchmark


Python Security Project w/ Enrico Branca

Python Security is a free, open-source OWASP project that aims to create a hardened version of Python, making it easier for security professionals and developers to write applications that are more resilient to attacks and manipulation. The project is designed to explore how web applications can be developed in Python by approaching the problem from three different angles:

I spoke with project lead Enrico Branca at AppSecUSA 2015, San Francisco, during the Project Summit on September 22, 2015.

You can see the project on the OWASP site:
https://www.owasp.org/index.php/OWASP_Python_Security_Project


OWASP Virtual Village w/ Evin Hernandez and Tom Brennan

Virtual Village is a virtual infrastructure provided for OWASP projects and chapters. It is a place where chapter members can develop and test applications as makers and breakers.

I spoke with project contributors Evin Hernandez and Tom Brennan at AppSecUSA 2015, San Francisco, during the Project Summit on September 22, 2015.



OWASP Cheatsheet Series w/ Jim Manico

Jim Manico is the project leader of the OWASP Cheatsheet Series, a set of one to three page guides on a variety of different application security topics meant for developers. I spoke with Jim at AppSecUSA 2015, San Francisco, during the Project Summit on September 22, 2015.

You can see the project on the OWASP site:
https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series


Web Application Firewall Evaluation Criteria w/ Tony Turner and Raphael Chileshe

I spoke with project contributors Tony Turner and Rafael Chileshe at AppSecUSA 2015, San Francisco, during the Project Summit on September 22, 2015.

You can see the project on the OWASP site:
https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project


Pipeline Project w/ Matt Konda

The OWASP AppSec Pipeline Project is the place to find the information you need to increase the speed and automation of your AppSec program. Using the documentation and references of this project will allow you to set up your own AppSec Pipeline.

I spoke with project contributor Matt Konda at AppSecUSA 2015, San Francisco, during the Project Summit on September 22, 2015.

You can see the project on the OWASP site:
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline



Mark Miller

Senior Storyteller and Community Advocate at Sonatype
Mark Miller is Senior Storyteller and DevOps Advocate for TheNEXUS. His expertise is in the creation and growth of online communities. Mark is Executive Producer of the OWASP 24/7 Podcast Series and is co-producer of the world's largest online DevOps conference, All Day DevOps. You can follow him on Twitter: @AllDayDevOps. You can also find him as the moderator of the LinkedIn DevOps Group.