Setting the Web Application Security Agenda for 2009: OWASP Invites You to Join Our Summit in Portugal

http://www.owasp.org/index.php/OWASP_EU_Summit_2008

With the theme ‘Setting the AppSec agenda for 2009′, the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends. Join us in Portugal in just a few short weeks! This venue hosts a diverse selection of training courses along with technical and business tracks, making it THE place to learn about web application security and the resources OWASP has available for use today.

OWASP is a not-for-profit organization with the purpose of supporting the Web Application Security community around the world, and has granted $250,000 USD for web application security research. In addition to over 40 presentations from the OWASP Leaders and grant recipients, the OWASP Summit will host multiple Working Sessions designed to improve collaboration, achieve specific objectives and identify roadmaps for OWASP projects, chapters, and the OWASP community itself.

To facilitate this event, OWASP is investing $150,000 USD which will be used to cover air travel and accommodation expenses for OWASP leaders, active contributors, and select key industry leaders. With their confirmed presence, the OWASP Summit will provide a relaxed but professional environment to meet, discuss, influence and contribute to OWASP projects.

There are still funds available! If you are interested in attending and you meet the profile of the current OWASP supported attendees (see list here: http://spreadsheets.google.com/pub?key=pAX6n7m2zaTVLrPtR07riBA) contact Paulo Coimbra (paulo.coimbra@owasp.org). Please note that you should do so only if you meet the paid attendance criteria (see herehttps://www.owasp.org/index.php/OWASP_EU_Summit_2008_paid_participation_rules) and are unable to get corporate support to attend this event (for other corporate sponsorship opportunities see http://www.owasp.org/index.php/OWASP_EU_Summit_2008_Sponsors).

The OWASP Summit will also host a large and diverse selection of training courses, covering multiple OWASP specific and Web Application Security Topics.

The remarkable impact of OWASP is made possible only by the collaboration of many dedicated people and organizations worldwide. In that spirit of cooperation, OWASP invites all its members (who have 20% discount + 1 VIP Ticket) and interested individuals and companies to attend this thrilling event. Please join us and help to set the Web Application Security Agenda for 2009!

Please see below for additional details about the OWASP Summit or visit the OWASP Summit website: http://www.owasp.org/index.php/OWASP_EU_Summit_2008.

Projects

OWASP projects selected for Summit presentation include new documentation and innovative tools to help developers, architects, and security specialists ensure that applications are secure:

• Application Security Verification Standard,
• Code review guide, V1.1,
• Ruby on Rails Security Guide v2,
• Securing WebGoat using ModSecurity,
• Testing Guide v3,
• GTK+ GUI for w3af project,
• Access Control Rules Tester,
• AntiSamy .NET,
• Live CD & DVD Project,
• OpenPGP Extensions for HTTP,
• Orizon Project,
• Python Static Analysis,
• WebScarab-NG,
• And many, many others.

Working Sessions

Expecting the presence of the application security industry key players, the Working Sessions will cover a wide range of issues such as:

• OWASP Top 10 2009,
• Browser Security,
• Web Application Framework Security,
• Enterprise Security API Project,
• Best Practices for OWASP Chapter Leaders,
• OWASP Documentation Projects,
• OWASP Tools Projects,
• OWASP Education Project,
• OWASP Strategic Planning for 2009,
• OWASP Certification,
• OWASP Winter of Code 2009
• Two-way Internationalization of OWASP Content
• And many more.

Training

These 2-day, 1-day or 1/2-day training courses cover a wide range of OWASP specific and Web Application Security Topics:

• OWASP Top 10 - What Developers Should Know on Web Application Security
• Uncovering WebScarab’s Secret Treasures
• Securing WebGoat with ModSecurity
• Secure Programming with Java
• Advanced Web Application Security Testing
• Building Secure Web 2.0 Applications
• Building Secure Web Services
• Building Secure Web Applications with OWASP’s Enterprise Security API (ESAPI)
• Classic ASP Security using OWASP tools
• Web Application Assessments
• Hacking Owasp Orizon Project v1.0
• Ajax Security
• Practical Penetration Testing: Think Like an Attacker to Stop Attacks
• Linux Software Exploitation
• Web server/services hardening using SELinux

Main Contact:

Kate Hartmann
OWASP Operations Director
9175 Guilford Road, Suite 300
Columbia, MD 21046, USA
Phone: +1-301-575-0189
Facsimile: +1-301-604-8033
Email: kate.hartmann@owasp.org

By all accounts the show did go on, and we have some very interesting results to share with you all.

Take the Top Challenges question. Once again, “Supporting New Technologies/Enabling Innovation” was most popular. But that’s a no-brainer and as one memorable respondent told me, “the definition of what I do”. What was more important was seeing the big jump that “Reducing Management Costs” made on the list, from #5 last year to #2 this year and only 1 percentage point behind #1. Tightening the belt is top of mind for everyone. (As I write, the Dow closed down today over 700 points)

Overall, IT professionals told us they were tackling the practical projects that should and could get done – from deploying Security Information Management solutions to getting Asset Management and Inventory Tools in place. For the first time, we saw a close correlation between what people said was important and what actually got done. Of low importance and even lower actual deployments – ITIL and CMDB, IPv6, Green IT and Cloud Computing.

And perhaps people “fessed” up about virtualization. Instead of the usual “high importance, not so many deployments now, but more deployments planned” theme we’ve been seeing around virtualization adoption, this year the very hot trend seemed to lose a bit of steam. Across the board, the numbers were down for virtualization management, with close to 50% of respondents telling us that their businesses were less than 10% virtualized (4% of that with no virtualization at all).

2008 Detailed Results – showing trends year over year

Comparison of Results from Interop NY 2008 vs FOSE 2008 (government IT)

1. Our brilliant field engineer Dimitri McKay talks about the eternal topic of converting Windows event logs to syslog. Yes, Eric, we ALL know it is ugly, but that is the only way that actually works well across all systems ...
2. More on Windows and syslog: "Syslog ... 20 Years Later."  BTW, this is really not about syslog, but about Vista/2k8 finally getting an ability to natively centralize the event logs via event subscriptions ("It's only about twenty years behind schedule, if you're counting.")
3. Two fun pieces on correlation: 1 and 2. What often kills "a log correlation project"? "Whoever had worked on it had not had much time available to learn the way to properly configure the software" (from this)  and "correlation only really works when backed up by real data about what is the biggest problem in your environment, and how that problem manifests itself in the event logs." (from this) None of this is new, but a useful reminder nonetheless
4. Fun LogLogic podcast is here. The topic of this high-level discussion (CEO) is related to operational use for logs. I did one with them too; on logs and virtualization (will be up soon)
5. A couple of good posts on logging from Nemertes Research: "Sharpening Stones and Walking on Coals",  "Search or Destroy"
6. Reminder about a few useful Windows Vista and 2k8 events: 4802 (screensaver engaged) and 4803 (screensaver dismissed)
7. One person is wondering about the usefulness of logging after "experiencing" Linux auditd logging (kernel audit): "Logs are like a warm blanket; verbose logging means you can know what's happening on your systems if you keep up with the logs.  At the same time, logs become a burden very very easily, and they are easy to ignore." This post is a must read for us logging afficionados; producing too much log data is a sure way to make people hate you...
8. This also follows the same theme: people doubting the god-like power of logs :-) "So for an administrator to not care about logs was a shock." But would I argue that "log management is NOT a pain?" Now, would I? :-)
9. A classic about logging for application developers: "Building Secure Applications: Consistent Logging."  I am noticing a lot more discussions about logging in a developer community, e.g. see this and this (the latter, BTW, contains a lot of info on "why log" for developers). Overall, "getting logging right" is important (and will get more important in the future) and people need something NOW and cannot wait for the standards.  BTW, I am planning a mini-crusade on how to train application developers to include useful logging in their applications...
10. Finally, the "Is SIEM dead?" theme is continued in this fun post "Life after SIEM. Situational Awareness is next." Indeed, context is key for logs. BTW, if somebody mentions that I have "vendor bias", I will kick your ass! :-)

Enjoy!

1. Sad, but VERY insightful story of Alan Shimmel getting 0wned (1,2,3,4, others on his blog)
2. A very good essay on security industry/market/community "Evolution is Punctuated Equilibria" ("Right now, Internet security is due for another period of rapid change.")
3. As I like to say, most everybody in out industry is confused about risk (myself included, in fact) - here is some nice reading about the subject: "Quant love", "What is Risk?" ("The probability of a threat overcoming security controls resistance to exploit a vulnerability that results in a loss.") While you are at it, check this blurb about risk and CVSS (BTW, CVSS is about "V" - vulnerability, not "R" for risk!)
4. Solid gold on "running IT as business" (and where it hits the wall) - Richard, the original CIO.com piece ("If you've tried managing an internal IT department as a bona fide business you already know that you can't take that very far, for the obvious reason that your IT department isn't a business.")
5. More fun stuff from Richard on insiders and why NOT look for them (sadly, same logic applies to not looking for owned boxes in your environment...).
6. Analyst firms shocking discovery: wireless MAY have security issues (I guess count it as humor...)
7. Fun read: "Challenges of Enterprise Cloud Computing" ("By moving the data into the cloud, enterprise, for now, will lose some capabilities to govern their own data set.")
8. Raffy on visualization. ("One of the dangerous things is if you don't understand the log file itself, don't assume you'll understand the visualization of it or even generate a visualization that makes sense") Amen to that! BTW, Raffy's book is finally out.
9. Compliance and checkbox mentality: fun pickup from my original "DLP and Compliance" post - Rich and TechTarget. Good stuff! ("Don’t Sell ‘Compliance’ If It Isn’t A Checkbox ")
10. RedHat is nicely 0wned (more info)
11. BGP hole to dwarf the DNS hole?
12. Chris continues the virtualization and PCI DSS theme here. The jury is still out on this one, even though the common sense approach (that virtualization is OK in regards to PCI) will probably win.
13. NEWS FLASH! Privacy dies. The date of death? 1967. While reading it, think just how visionary some folks are...
14. Finally, just for laughs: How to Spin Bad News

Enjoy!

BTW, I am saving some fun reading for dedicated posts soon :-)