Wednesday, May 24, 2017


Student application submission is now open: APPLY HERE!  Many students are already exploring ideas on our wiki page, which means your project still has a chance to join the Code Sprint!  Remember: we need your help in making this program a success, and the more mentors we have, the more slots there are for students!

The OWASP Code Sprint 2017 is a program that aims to provide incentives to students to contribute to OWASP projects. By participating in the OWASP Code Sprint 2017 a student can get real life experience while contributing to an open source project. A student who successfully completes the program will receive $1500.

Become a Mentor: 
Do you want to become a mentor for a student?
Choose a participating OWASP project from the OWASP Code Sprint 2017 wiki page--preferably the one you are most familiar with.

Touch base with the project leader and ask one of the org admins (Claudia, Kostas or Fabio) to send you an invitation to get started today.

Help OWASP Invite Students: 

Please let us know if you need help or supporting material.

Program Leaders:
Konstantinos Papapanagiotou
Fabio Cerullo
Spyros Gasteratos

Claudia Aviles Casanovas, Project Coordinator

2017 OWASP Global BoD Election Call for Candidates is Now Open!

OWASP is excited to announce that the 2017 Global Board of Directors Call for Candidates is Now Open!

You may submit your candidacy here. There are 4 seats available for this election. For the complete election timeline, board responsibilities, eligibility requirements, and other election details please visit our 2017 Election page.

Some key updates for this year's election process:

  • Similar to years past, we will announce all verified candidates once the Call for Candidates closes. This process generates more candidates and minimizes any "popularity contests".  More candidates = more choices for you!  Candidates that wish to announce their candidacy themselves may do so at any time. 
  • An email will be sent to the entire community prior to the paid membership deadline (Sept. 30, 2017) asking them to check the Membership Directory to be sure they are listed as a current individual member.  Individuals who believe they are a current paid individual member, but their name does not appear in the Membership Directory, will be asked to contact us immediately.  Please feel free to check the directory now and contact me if you believe you should be listed as an Individual Member and are not.  
  • Unsubscribed emails on the voting list: without an email address, Simply Voting, our voting system, is unable to identify who has chosen to unsubscribe from receiving the emails which contain a unique link to each individual's ballot. To be sure all registered voters receive their ballots, OWASP will send an email notifying individuals that the email with their unique link to their ballot has been sent. If they did not receive their ballot, they will be asked to contact us immediately.
  • An email will be released in addition to social media posts on August 7 that will include the candidates' names, "why me", profile picture, and bio.

Honorary Membership Update:
  • Honorary Membership is open YEAR ROUND!  Please refer to the Honorary Membership section on the election page for more detailed information.

We are looking forward to a successful election process. If you have any questions or if I can be of any assistance to you, please let me know.
Kindest Regards,  
Kelly Santalucia
Membership and Business Liaison

Tuesday, May 23, 2017

OWASP Leaders' Workshop Pt 1: 4 Major Changes and Leader Insight and Control

The Leaders' Workshop was held on Wednesday night before the AppSec Europe conference with about 30 project and chapter leaders in attendance. It covered some exciting new developments in the OWASP infrastructure as well as leaders' questions about ongoing concerns and upcoming events. If you have been a leader for at least six months, please remember that you can receive free access to any Global AppSec and that you can attend this pre-conference workshop even if you do not attend the conference.  In future conferences we plan to host the workshop on a GoToMeeting Webex as well to allow leaders from all over the world to join in.

There are four key changes coming to OWASP infrastructure as a result of the year-long listening activity that the staff has been engaged in as we assess how to tackle the organization's technical debt and growing pains.  The first four topics we are focusing on include the Website Reboot, the Association Management System (AMS), our mailing lists, and a volunteer program.  This meeting focused primarily on changes coming for our AMS and Lists.  

Website Reboot and Volunteer Systems

We started with a quick update to the Website Reboot and the Volunteer Program.  The Website Reboot had hit some snags in scheduling as we waited for the board to approve funding for the project and then had to address a sudden loss of our hosting provider.  During this time Phase 1: Updating wiki source to 1.27.x has been completed, Matt is writing the RFP for Phase 2: Wiki style updates, and Phase 3: Single sign-on is being integrated with the move to Amazon Web Services.

The Volunteer Program is on the horizon and you should see surveys coming out in the next month and the first results in Q4.  Currently, the goal of the Volunteer Program is to give members and potential volunteers an easy way to put together a “Volunteer Resume” and apply to volunteer positions written by leaders.  The end goal is to allow leaders to a) have an easy way to widely distribute calls for volunteers, b) interview and choose volunteers, and c) track, interact with, and reward volunteers.  This program is also closely tied to the AMS and the new abilities and insights it will give our leaders.

As always you can follow our monthly Operations Update posts on the OWASP Blog or in the OWASP Connector for detailed information on these projects as they progress.

Updated Association Management System

The Association Management System (AMS) is the platform that allows OWASP to effectively manage the needs of our community.  It is essentially a set of cross-referenced lists of every request, member, volunteer, project, chapter, and sponsor OWASP has interacted with.  Until recently the technology to allow our community leaders to interact with this system in a sustainable and scalable way did not exist.  Now we are glad to tell you that we are implementing a new system that will not only help things run more smoothly behind the scenes, but also give leaders significant insight into their project or chapter, as well as create a single source of truth for the community to work with.

We are now able to give visible and invisible badges to our leaders, who will in turn be able to identify project and chapter contributors for badging. Amongst other things, when fully rolled out, leaders will be able to log into their Force portal and see which OWASP members have allocated their membership to their chapter or project, currently and in the past, as well as who they have listed as official contributors to their project.

Through APIs we will be able to allow special permissions for protected aspects of the wiki.  For example, leader positions will be tied directly to Salesforce, so that even if someone changes them on the wiki they will revert to the official status. Additionally, project leaders can allow particular contributors to update protected project pages. When tied with the upcoming volunteer platform, leaders will have much more organized control, APIs will slowly be able to eliminate repetitive tasks, and key insights will be much more apparent.

Equally as important are the new conveniences that authenticating with the force portal will bring.  In your portal page, not only will leaders be able to have new insights into WHO they are working with and HOW they are dividing the work, but the labor they are doing and the support they have requested will be clearly presented.  

The new force portal will create a single location to request, track, and receive funding.  Leadership badges mean that when their membership is up for renewal leaders will be directed to honorary (and if they choose, paid) membership plans rather than having to locate them based on prior knowledge.  It also means that we will be able to severely limit event codes which can lead to annoying slowdowns and frustrating disorganization.  You will be able to register for events directly from your portal and therefore you will be authenticated as a leader and have the discounts automatically applied to your order.  

Mailman Transformed

OWASP’s lists system is very problematic: it is bloated, it is unsupported, and currently, it is insecure.  No matter how we choose to address lists, at this point it would require a migration.

We began our search for a replacement with a long list of requirements.  We needed a system that worked both in email and on a separate platform.  Our replacement needed to be mobile native and allow for restricted lists as well as for a searchable archive.  It also needed to do a more successful job of fostering community than our current solution, which has left us with crickets in the community list and many abandoned chapter and project lists.  Furthermore, it needs to allow people to easily choose what communications they wish to interact with and ignore those they do not wish to spend time on, without missing vital communications.

In the end, the answer to our search was Discourse.  Discourse will allow us to create a platform that lets users customize their experience: it is searchable, archivable, mobile native, and you can choose to interact with it through email or through the app/browser platform.  It also has features such as a daily digest that you can choose in place of up-to-the-minute notifications.

The most important difference that our change to Discourse will bring is a reorganization of our lists and how we use them. This is partially because our current system is incompatible with Discourse, and partially because over the past decade we have learned much about what our community wants and needs.  With Discourse we can create a system of communication that is both less siloed and more granular.  For instance, the most common complaint about the leaders’ list is that too many discussions of governance happen in it.  By changing the structure we can create a place for leaders who wish to communicate without these discussions to thrive, while also supporting our community members who deeply care about governance.  We can also make it easy for our community members to dip into different sections when the topic is vital to them.

In Discourse we will have 6 main categories with subcategories.  

The Community category is the “main” category for the average OWASP user.  Here there will be a Main uncategorized location to have general conversations.  You can expect recurring events such as puzzles, polls, or directed weekly questions, as well as a location to chat with other community members from around the globe.

There will also be a Governance sub-category for those who are interested in discussing, changing, or writing on specific points of governance for our community.  Separately, there is a Board List for reading and communicating directly with the board of directors in their official capacities.  

The two NEW parts of this category are requests from Leaders and community members respectively: Many leaders have asked for an Announce Only list that they can subscribe to so that they can get information from OWASP without automatically signing up for the discussions that usually come with those announcements.  

The second was a request from community members for a place where they can ask specific appsec questions from people they already trust. Answers can be voted on, rewarded, and discussed.  One large request from the Leaders' Workshop was to limit this topic to only paid and honorary members of OWASP.  

Projects, Chapters, and Committees

The Projects, Chapters, and Committees categories will each have individual sub-categories for each project, chapter, or committee (for example: AppSensor, Charlotte, or the Education Committee), as well as their respective FAQs and a location for general uncategorized conversations about projects or chapters.

Projects will specifically have the ability to badge their contributors and allow them to have write-rights in project specific sub categories.


The events category will have sub categories dedicated to local, regional, and global events.  Here you will be able to compare notes, get ideas and problem solve with other volunteers who are running events.  This is an excellent place for experienced event teams to mentor new event teams.  It will also serve as a great place for event teams to set up specific event topics for planning or to discuss making the events platform better.  


The Leaders’ category will remain much as it does now, with the addition of an announce only section for the leaders list.  

What makes this system easier to use across categories is that each user can choose to follow individual categories, sub-categories, or even topics.  No longer will someone be overwhelmed by the leaders list and therefore unwilling to engage with the wider community.  As members sign up, they will be able to sign up for their own Chapter or Project sub-category as well as join the community lists and other lists in just one step.  No more applying to join and hoping the moderator notices.  No more joining for one topic but having to slog through dozens of emails you are, frankly, uninterested in.

Furthermore, due to the trust and social badging systems on Discourse, members will be identified and the volunteer work done by each member will be clearly available, so that our top contributors can get the kudos they deserve. Best of all, the Discourse system is responsive.  Threads, topics, sub-categories, and categories can change as our community changes, helping OWASP to meet community needs quickly.

Timeline and Logistics  
Discourse is expected to start being rolled out in Q4 or Q1 of 2018.  In the meantime, we will be slowly beta testing features and you can respond to requests for testers as we roll them out and ramp up each test.  

Other Questions
Our leaders asked us three additional questions:
  • What is happening with the OWASP Code Sprint?
  • Discussion on move from 2 to 4 meetings per year
  • What does the foundation look at when judging if an event can be charged for or not?

We will be answering these questions in future blog posts.  Look for the Code Sprint post on Thursday May 25th and the other questions next week.  

If you have feedback on the Website Reboot, Volunteer program, our new AMS and the Force Portal, or the move to Discourse, please feel free to reach out on the lists, this comments section, or the talk page on the appropriate wiki page.  We will be monitoring all three.  

Which of these upgrades are you most excited about?  

Monday, May 22, 2017

May 2017 Corporate Members

We would like to thank the following companies for supporting the OWASP Foundation.  The companies listed below have contributed this month by either renewing their existing Corporate Membership or joining OWASP as a new Corporate Member.

Details about Corporate Membership can be found here.

Premier Corporate Member

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and compliance solutions with over 8,800 customers in more than 100 countries, including a majority of each of the Forbes Global 100 and Fortune 100. The Qualys Cloud Platform and integrated suite of solutions help organizations simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications. Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including Accenture, BT, Cognizant Technology Solutions, Dell SecureWorks, Fujitsu, HCL Comnet, Infosys, NTT, Optiv, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance (CSA). For more information, please visit Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies. For more information, please visit

Contributor Corporate Members

Oracle is shifting the complexity from IT, moving it out of the enterprise by engineering hardware and software to work together—in the cloud and in the data center. By eliminating complexity and simplifying IT, Oracle enables its customers—400,000 of them in more than 145 countries around the world—to accelerate innovation and create added value for their customers. By engineering out the complexity that stifles business innovation, Oracle is engineering in speed, reliability, security, and manageability. The result is best-in-class products throughout an integrated stack of hardware and software, with every layer designed and engineered to work together according to open industry standards. Oracle's complete, open, and integrated solutions offer extreme performance at the lowest cost—all from a single vendor. Encompassing every phase of the product development lifecycle, Oracle Software Security Assurance is Oracle's methodology for building security into the design, build, testing, and maintenance of its products. Oracle's goal is to ensure that Oracle's products, as well as the customer systems that leverage those products, remain as secure as possible. For more information, please visit

Rakuten, Inc. and its consolidated subsidiaries and affiliates ("Rakuten Group") are full-line Internet services companies. Since its founding in 1997, Rakuten, Inc. ("Rakuten") has spent a decade evolving its business model centered on e-commerce, to create a market completely new to Japan. The Rakuten Group is focusing on two approaches in particular to target growth in the decade to come. The first is to empower people and society through continuous innovation and business operation based on our five concepts of success. The second is to establish a "Rakuten eco-system" which enables us to maximize our customers' lifetime value and leverage synergies. Guided by the key phrase "more than Web", the Rakuten Group is taking on the challenge of creating new value by driving convergence between the Internet and traditional "bricks and mortar" businesses. For more information, please visit

Want your company name here? 
Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia, our Membership & Business Liaison today!  

Thank you to all of our Premier and Contributor Corporate Members for your support!

Tuesday, May 16, 2017

Owasp Summit 2017

On 12-16 June Owasp will host its 2017 Global Summit in London where hundreds of participants will join forces in Working Sessions focused on solving hard Application and Cyber Security problems.

This is not a conference with unidirectional presentations. Using the same model as the past two OWASP Summits in Portugal, this 5-day event will be a high-energy experience, during which attendees get the chance to work and collaborate intensively. Every thoroughly prepared working session is geared towards a specific application security challenge and will be focused on actionable outcomes.

With participants flying from all over the world and from major security/development teams, service/product providers and research organizations, this is the place to be to learn and collaborate with industry peers (and even competitors).

The event is split over the following tracks, each focusing on a specific set of challenges:
  • Threat Modeling - This is one of the strongest tracks, with most of the core Threat Modeling talent in the world joining forces and collaborating
  • OwaspSAMM - This is another track where we have the main contributors and users of this Owasp project participating at the Summit
  • DevSecOps - This track has been generating quite a buzz among participants, since it is addressing real pain points and problems that companies face today
  • Education - Always strong in OWASP, this track ranges from University master degree to how to create the next generation of AppSec professionals
  • Mobile Security - Another track where the key Owasp leaders of Mobile-related Owasp projects are participating
  • CISO - This track reaches a wide audience of CISOs and covers a wide range of CISO-related topics
  • Research - This track covers really important and interesting research topics (it's important to look at the future and work on the next generation of Application Security)
  • Agile AppSec - This is a track driven by a couple participants who really care about Agile and want to find better ways to integrate it with AppSec practices
  • Security Crowdsourcing - This is a track that is focused on scaling AppSec activities via internal and external crowdsourcing
  • Owasp Project's Summit - Last but not least, this track has 31x Working Sessions directly related to an Owasp Project (with most having the Project Leader participating)
Each track's Working Session will be expected to deliver something tangible and usable by the Owasp community (whitepaper, documentation, play-books, code, action-plans, books, decisions, etc.) and all Participants are expected to participate actively in Working Sessions (as an organizer or contributor).

Owasp Summit's Schedules are different from normal conferences, since they are focused on maximizing the Participant's time in the Working Sessions they want to be actively involved in. The current Schedule is under development and will be released in the next weeks.
Here are some of the Working Sessions that will be worked on at the Summit:
In order to attract as much talent as possible to the Summit, the Summit Tickets were kept at a low price. A 5x 8h daily ticket costs £400 (i.e. without accommodation) and a 5x 24h daily ticket costs £1,200 (i.e. with 4-night accommodation), with a 10% discount (for 5 to 9 tickets) and a 20% discount (for 10+ tickets). 1x daily 8h tickets are also available at £100 and 24h tickets at £300.

A key factor of the Owasp Summit's high level of productivity and collaboration is the Lodge/Villa accommodation model, where participants will stay and be literally involved in AppSec/Security conversations and debates from morning till dusk (a number of daily and evening Working Sessions will occur in the Lodges).

Some companies are bringing larger teams to the Summit (with a dedicated Lodge/Villa) where they can double-up as team-building, strategic planning and offsite events.

The Owasp Summit is going to be the largest concentration of AppSec and Security talent focused on solving problems in 2017.

The question is: Will you be there?

Monday, May 15, 2017

AppSecEu Conference Review

AppSecEU in Belfast started with a bang. The organising committee sponsored 500 school children from all over Northern Ireland to take part in Security awareness talks and demonstrations. It was great to see the level of engagement from the school children.

Also starting on Monday was the AppSecEu training. This included training from a number of world renowned security researchers and covered topics ranging from advanced exploitation techniques to Breaking Single Sign-On. Feedback from the students was extremely positive and is something we will be hoping to build on for future AppSec conferences.

On Monday evening, in combination with the Women who Code Belfast group, the OWASP Women in AppSec team invited those interested in mentoring or being mentored to the Waterfront venue for an evening of invigorating talks and fun.  This is the second time the WiA mentoring event has been held and participation was double that of the previous event in Washington D.C.

[Photo caption: The WiA Mentoring event had double the number of participants as in DC]

Wednesday evening saw a pre-conference drinks reception taking place where local businesses were invited to come speak to vendors and listen to local security professionals and entrepreneurs speaking about their experiences. The OWASP leader meeting also took place on Wednesday evening, with leaders from all over the world coming together to share experiences and learn about how their chapters and community engagement can be improved.  The information shared in this meeting will be shared in a blog post next week.  Stay tuned for more information.

Thursday morning saw over 700 attendees queue up for the start of the AppSecEu conference. The Women in AppSec team hosted an early morning breakfast where attendees were asked to speak about their experiences and also what they felt they needed to do to further their careers. With mentors from the OWASP leader community, burning questions were answered.

With four tracks (DevSecOps, Hacking, CISO and Development) the conference was full of inspirational and highly technical talks with speakers from over 30 different countries. Keynotes from Shannon Leitz, Brian Honan, Jeremiah Grossman and Jaya Baloo provided attendees with current and future trends and research within Application Security.

This was also the start of the Hackpra Allstars conference, a one-day conference within a conference. Security researchers from all over the world were in attendance to demonstrate security vulnerabilities that they found in some of the biggest and most widely used software in the world.

Thursday evening saw attendees make their way to the Titanic museum for a gala dinner. With harp music, drummers and Irish dancing the evening was filled with excitement and legendary conversations.

Friday saw a number of events including a Women in AppSec diversity panel and the close of a conference which was heavily praised for the sheer talent that was on show.  We would like to thank all of our Speakers, Sponsors, and Attendees for such a great event and welcome you to join us next year for AppSec Europe 2018 in Tel Aviv!

Friday, May 5, 2017

OWASP Operations Update for May 2017

Welcome to the operations update for May 2017, our ongoing series of updates on what's happening at the OWASP Foundation.  The previous post is available here.

Major efforts, status of those and important changes from last time:

OWASP IT Infrastructure hosting - Rackspace ended the donation of hosting for the OWASP Foundation, migration and updates continue.

  • 6 hosts remain at Rackspace
    • Migrations were paused to migrate AppSec EU conference hosts to the Foundation Infrastructure
    • Current efforts have concentrated on the preparation needed for migrating from Mailman to Discourse (more below)
  • POC install of the wiki infrastructure on AWS is scheduled to begin mid-May and was pushed to accommodate the AppSec EU conference, the EU server migrations and the work on Discourse.
    • Migration to AWS will include updating the wiki software to the 1.28.x branch of MediaWiki
The Website Reboot - aka TWR - A major effort to update and modernize OWASP's web presence
  • Phase 1: Updating wiki source to 1.27.x - COMPLETE
    • The wiki will continue to run 1.27.x source until after the AWS migration
    • New extensions compatible with 1.27.x have been added to streamline management of the community's wiki accounts
  • Phase 2: Wiki style updates
    • RFP for the wiki style phase will go out mid-May after being delayed by the AppSec EU server migrations
    • RFP will include a MediaWiki theme plus CSS and associated style guides for including the style in other Foundation web assets including:
      • New pages made available after the AMS migration (see below for details)
      • New Discourse installation
      • the OWASP blog
  • Phase 3: Single Sign-on - SSO will be tested and POC'ed during the AMS migration
  • Phase 4: Wiki content and organization
    • Research continued into the current 'organization' of the wiki and POC's for the category hierarchy have been conducted.
The OWASP Communication Plan
  • Migration from Mailman to Discourse
    • Sandbox / POC Discourse server setup to allow demos, functional experiments and familiarization by the OWASP staff
    • Dev instance of Discourse set up to assist in automation coding efforts against the Discourse REST API
  • Beta program for the Foundation's Global Meetup account continues
OWASP 2017 Strategic Training Goal
  • TLDR:  Host 4 trainings worldwide of ~500 attendees geared towards developers and entry-level security professionals - further details on the wiki.
  • Locations and targeted dates
    • Israel - mid-October
    • Tokyo - late September
    • Boston - October
    • Bangalore - November
  • Call for Trainers template is complete and CFT will begin mid-May
Association Management System (AMS) upgrade
  • Migration to a new AMS continues to make progress
  • Highly complex, multi-step process will take 8 to 12 weeks
    • Accounting module and associated workflows - COMPLETE
    • Membership module - in process
      • Note: Membership module will require custom development to fit our needs.  The effort has been scoped, contracted and work has begun.
    • Event module - in process
  • Goal and Outcome
    • An updated version of the AMS used with Salesforce allowing for greater interactions with the community, OWASP leaders engagement, improved event registration, multi-currency handling and a host of other improvements rolling out in 2017.
  • Individual membership: 2,676 individual members or 44% of the yearly goal
  • Corporate membership: 63 corporate members or 41% of the yearly goal
  • Updated membership flyer for the new membership model has been created and Hugo is sending the final copy to the Foundation
  • AppSec EU 2017 Sponsorships - €167,933
    • 2 Diamond, 1 Platinum, 11 Gold, 5 Silver, 1 Pre-Conf Reception, 1 CTF, 1 University Challenge, 1 Lanyard, 2 Sponsor Hall Banners, 2 Carpet Stickers
  • AppSec USA 2017 Sponsorships - $324,500
    • 7 Platinum, 10 Gold, 7 Silver, 1 Bag, 1 Lanyard
  • New Chapters:  OWASP would like to welcome the new chapters in Kyiv, Sukkur, Senegal and Da Nang.
  • Chapter Orientation
    • Since September all new chapters have been requested to have an Orientation meeting via GoToMeeting.  Since then these meetings have been refined into a series of standing one-on-one appointments for any Chapter Leaders starting a new chapter, any new chapter leaders who wish to join, and any current leaders who want a refresher.
    • So far reactions have been good.  Many experienced chapter leaders have expressed a wish for this when they got started and follow up emails with procedural questions have dropped from an average of 5 per new chapter to 10 total in the last 8 months.  We have also seen an uptick in new chapters using funds and getting multiple leaders on board.  All of these are indicators of early chapter health.  Board members, and staff, and community can read the draft of the orientation outline.  The document will be made public in the form of the Chapter FAQ in the next few weeks.
    • We are also using this outline to better our communication with parts of the world where English is not a viable business language.  At this time we have had our first Pan LATAM meeting and are planning our first Japanese meeting after AppSec Europe.
  • OWASP Leaders Meeting @ AppSec EU
    • The OWASP Leaders Meeting @ AppSec EU will unveil the sneak peeks of our new communication platform and the new AMS.  These will streamline chapter communications and allow Chapter Leaders to gain more insights and control of chapter activities.  Join us in Room One at 18.45 on May 10th in the waterfront center. 
Serving the Community

At the request of the OWASP board, we've included a chart of the staff's interaction with the broader OWASP community via cases submitted to the Foundation.  On April 11th, case number 10,001 was submitted - over 10,000 cases handled by the OWASP staff - impressive!

[Chart: Q1 2017 Cases]

[Chart: 2017 Year to Date Cases]

As always, the OWASP staff are here to make the OWASP community even stronger.  If you have a question, concern or need, please let us know using the 'Contact Us' form.  Also, feel free to attend, make suggestions at, or otherwise engage with the OWASP Foundation at the May 9th Board Meeting.

Your friendly neighborhood OWASP staff:
    Kate, Kelly, Alison, Laura, Claudia, Tiffany, Dawn and Matt

Editor's Note 5/12/17 1.23 BST: Previously this post identified Delhi as a target city.  The correct city is Bangalore.  

Tuesday, May 2, 2017

OWASP Top 10 2017 Release Candidate - Speak now.

It’s that time again - there’s a new OWASP Top 10 Release Candidate for 2017 currently in the ‘public comment’ phase of its path to being finalized.  As with all previous releases, this is a particularly vocal period in the lifecycle of an OWASP Top 10 release.  Various corners of the Internet have comments, suggestions, and other feedback on it - use the search engine of your choice if you want to read more about the reactions to the 2017 release candidate.

I’m taking a few moments to provide my position and thoughts on this release as the senior person hired to oversee OWASP Projects and a full-time member of the OWASP Foundation staff.  In addition, I have spent a long time in the AppSec field and have a long history as part of the OWASP community - project leader, Foundation board member, speaker, trainer, etc.

First some quick background:  The OWASP Top 10 is one of the most well known and most referenced OWASP projects. Its long history with OWASP and its use by the greater security community are well known.  Also, the original project leaders (Jeff Williams and Dave Wichers) not only started this project at OWASP but have a long and prolific history of contributions to OWASP and AppSec in general.  OWASP and the information security community are better off for the creation and continued maintenance of the OWASP Top 10, so thanks for your work to date.

Matt’s personal take on this release, after watching the project through every release since 2008:  This is the most open and visible release to date.  Why?

  • The release candidate was shared publicly with the stated goal of getting feedback from the community BEFORE the 2017 release is finalized. Yes, PDFs aren’t the most feedback-friendly format for an RC, but the project wants and is actively looking for feedback well before a final release. Not a new thing for this project, but very important.
  • The data call was open and public.  Announced back in May 2016, the call for data for this release was made publicly and without any significant restrictions.  The project leader accepted both emailed and Google Form submissions.  Additionally, the project accepted suggestions on the data being collected and possible omissions to consider, as seen in this thread.
  • The collected data used to create the RC is publicly available on GitHub.  Again, Excel isn't my preferred data format, but the data used to derive the RC is easily and publicly available.  This is also an improvement over past releases.
  • I have seen no violation of OWASP project policy or community norms by this project.  Yes, every release has perceived winners and losers depending on which problem vendors believe their secret sauce solves.  That’s the nature of narrowing the possible risks down to just 10.

It seems like most of the discussion is about the new bits - A7 and A10.  Much of this discussion has been great and has helped clarify where the language used in the Top 10 didn’t hit its intended target.  Dave Wichers (Project Leader) provided a detailed explanation of what A7 is and how hard it was to condense that into the space available.  This was further clarified by some good feedback from Colin Watson.  A reasonable overview of the pros and cons can be found at CSO Online. Particularly high praise should go to Brian Glas for his pair of excellent blog posts examining the data and different ways to view what was collected.  Those posts are stellar examples of what an open process can produce simply by making things visible.

This is where I feel obligated to make yet another request for more involvement from all the players in the AppSec community.  We have a mountain of work to get done in this field, and we’ll make more headway working together than tearing each other apart with infighting.

Inspired by the insights in the feedback already gathered, and wanting to get more, Dave Wichers has decided to attend the OWASP Summit in London in June and is organizing a set of working sessions on the OWASP Top 10.  There’s still time to register if this is how you’d like to participate.  Also, if you’re an OWASP leader, Community Engagement Funding or your project/chapter funds can help defray the cost of attending the summit.  If the summit doesn’t work for you, you can always join the Top 10 mailing list and comment there.  This project will only be as good as the contributions of the AppSec community, so get involved for this and future releases.

All this said, let me be direct with you:  If you feel there’s been a violation of the rules for OWASP projects, I would like to know the specifics of your complaint.  I haven’t seen any violations, but if you feel that you have, please submit a case via the “Contact Us” form so I can keep track of all submissions.

When you’re providing those specifics, please keep the following in mind:  The rules and norms of OWASP are documented in the Core Values, Core Purpose and Code of Ethics and Principles on the “About OWASP” wiki page.  Specifically for projects, there’s also the Project Handbook, whose content has been moved to GitHub for an update/review this year - issues and PRs gladly accepted to help make it better in this iteration.  Also note that there are a ton of cognitive biases out there - try to check those at the door.

Is the process around the creation and release of the OWASP Top 10 perfect?  Nope.

However, as a volunteer-driven effort that has been exceptionally valuable to OWASP and the greater software community, the process of producing a new release continues to improve iteratively with each release.  So, please, join the discussion on the Top 10 mailing list and help ensure this and future iterations stay on a trajectory of continuous improvement.

“Keep the stones you are about to throw in your pocket. Use those stones to build a bridge."
    -- Michael Coates on the Leaders List