Framework Security Summit


Rohit Sethi

Sep 27, 2011, 9:50:25 AM
to owasp-dev-out...@googlegroups.com
Hi all,

At Appsec USA I had a chance to sit down individually with Dinis Cruz and John Steven. All of us agree that something needs to be done about framework security. I asked Dinis his thoughts about how we could get framework developers to feel they are part of the OWASP community. Dinis suggested we do a summit for frameworks, which I thought is a great idea if we can get the logistics to work out.

After posting the thought, John Wilander also suggested we invite client-side framework developers (e.g. JQuery, Sencha, Dojo) which I think is another excellent idea.

Can we do this? I know we are all busy people, and I don't want to over-commit. I suggest we plan something like this for about a year from now so that we give ourselves adequate time to prepare. I imagine it'd be a very small summit, ideally so that we could use some company's space for a period of time. I'm happy to volunteer space for < 40 people at the Security Compass office in Toronto, although I suspect a location in the US may be more accessible to the majority of North American developers.


--
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi

Rohit Sethi

Sep 27, 2011, 12:51:20 PM
to owasp-dev-out...@googlegroups.com
BTW, I just got the following message from Jacob @ Django:

On Tue, Sep 27, 2011 at 11:46 AM, Sethi, Rohit <ro...@sdelements.com> wrote:

> BTW, I've proposed to a few more OWASP people that we come up with
> better ways to engage the web app framework development community.
> Dinis Cruz, one of the core members of OWASP, has suggested we have an
> in-person summit sometime next year and invite various framework
> developers down. Do you think this is something you'd be interested
> in? Ideally we'd all work together to figure out how to improve web
> app security through frameworks and ways that OWASP can better support
> those frameworks

I'd be very interested, yes. We're embarking on some security-related stuff ourselves and would love to talk things over with other like-minded folk.

Jacob


--------------------

Erlend Oftedal

Sep 27, 2011, 5:46:30 PM
to owasp-dev-out...@googlegroups.com

Hi

I really like this idea. Sounds like a very interesting and useful summit.

Best regards
Erlend

dinis cruz

Sep 27, 2011, 8:25:34 PM
to owasp-dev-out...@googlegroups.com
To do this we need to find 150k USD (to cover the cost of the attendees and venue)

I spoke with a couple of people/companies at the AppSec conference last week which would be interested in chipping in with part of that cost (25k to 50k).

What we need is a plan.

Sorry to be so direct, but my experience in creating these types of events (i.e. the last 2 global OWASP summits) is that we need a decent budget to kick start it.

Dinis Cruz

Rohit Sethi

Sep 27, 2011, 8:43:57 PM
to owasp-dev-out...@googlegroups.com
Hey Dinis, it's better to be direct. How much of that cost is the venue? Also, how many people do you expect will attend? I would think this would be much smaller than previous summits and may need less organization / logistics.

Frank Kim suggested we may be able to co-locate with the SANS appsec conference next year. Frank, would SANS be willing to absorb or partially cover the facilities cost?

Jim Manico

Sep 27, 2011, 9:19:01 PM
to owasp-dev-out...@googlegroups.com
I think this is an excellent idea, I'm in!

--
Jim Manico

Rohit Sethi

Sep 27, 2011, 9:44:45 PM
to owasp-dev-out...@googlegroups.com
Hey Kevin, you've brought up a good point which I thought I'd share with the list: we can absolutely extend this to other, non-web frameworks.

I suspect our challenge will be to motivate the framework developers to come, rather than having too many people attend. We should cast our net wide.

On Tue, Sep 27, 2011 at 9:17 PM, Kevin W. Wall <kevin....@gmail.com> wrote:
On Tue, Sep 27, 2011 at 12:51 PM, Rohit Sethi <rkl...@gmail.com> wrote:
> BTW, I just got the following message from Jacob @ Django:
>
> On Tue, Sep 27, 2011 at 11:46 AM, Sethi, Rohit <ro...@sdelements.com> wrote:
>
>> BTW, I've proposed to a few more OWASP people that we come up with
>> better ways to engage the web app framework development community
>> Dinis Cruz, one of the core members of OWASP, has suggested we have an
>> in-person summit sometime next year and invite various framework
>> developers down. Do you think this is something you'd be interested
>> in? Ideally we'd all work together to figure out how to improve web
>> app security through frameworks and ways that OWASP can better support
>> those framework.

>
> I'd be very interested, yes. We're embarking on some security-related stuff
> ourselves and would love to talk things over with other like-minded folk.

Rohit,

I think this is a great idea, and as someone who has a major stake in
ESAPI, I'm all for it, but I think it would be foolish to restrict it to
frameworks that are only (or mostly) concerned with web-based applications.
Certainly developer frameworks involved with mobile should at least be
involved as well.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein

Glenn Leifheit

Sep 28, 2011, 1:40:14 PM
to owasp-dev-out...@googlegroups.com, owasp-dev-out...@googlegroups.com
I'm happy to help out.

dinis cruz

Sep 28, 2011, 3:33:05 PM
to owasp-dev-out...@googlegroups.com, John Wilander
Couple more comments:
  • The reason why we need to start with a fixed budget (ideally 150k) is to be able to
    • Secure a good venue
    • Be confident that the Summit will happen
    • (probably the most important) be able to directly invite the talent that needs to be there with a 'here is an all-expenses-paid (travel + accommodation) ticket', or in other words: 'we want YOU there and are prepared to cover your costs' (ironically, after the first invite a number of attendees WILL get their companies to cover the costs, but it is critical that the first invite has no strings attached)
  • From past experience the full cost per person is about 2000 USD (which includes an average of the travel + accommodation + food + venue costs). So 150k would get at least 75 people, which is a good number (the first OWASP Summit had 90x and the 2nd 170x)
  • This type of event doesn't work if connected to another event or conference
  • The choice of venue/hotel is critical for the success of the event (and to create a 16h to 20h a day productive environment). We will need to be isolated and everybody needs to be staying in the same physical location (the best option is villas with hotel rooms used as backup/special-cases)
  • The key concept of the Summit is to attract as much talent as possible and to have a super efficient and powerful Summit-Team (who is focused on making that talent as productive as they can be)
  • Apart from a couple of early adopters (and the Summit team) MOST participants will NOT focus on the summit until
    • A) a month before
    • B) when they get there
  • The schedule needs to be flexible (and only completed in the last days before the Summit (with enough flexibility for 'new sessions only defined during the summit'))
  • We need at least 3 full days if not 4 to be productive
I'm CCing John Wilander, who in the last Summit showed how to create an environment where the best talent in one sector (in his case the Browsers) can be invited, attracted and connected into the same physical location (where they were able to work together in a highly productive environment)

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2

David Rook

Sep 28, 2011, 3:40:13 PM
to owasp-dev-out...@googlegroups.com, John Wilander
I can't argue with any of those points Dinis!

I believe I said this when the mailing list was first set up but I
think it's very important to make sure we approach this in the right
way. What I mean by that is we need to speak to the frameworks first,
find out what they want help with and find a way to use the awesome
OWASP brains and connections to help them out. Let's not do it the
other way round, you know the <fanfare> we are the security dudes and
we are here to fix YOUR insecure code.

Dave (@securityninja)

Rohit Sethi

Sep 28, 2011, 4:02:07 PM
to owasp-dev-out...@googlegroups.com, John Wilander
David, I couldn't agree with you more. The focus should be on how we can work with the frameworks, improve OWASP to cater to their needs, and make sure we build strong connections with them. I don't think anyone sees this as a way for us to lecture to developers about security - it's about how we can all work together.

We can facilitate this by asking the framework developers to help build the agenda.

Dinis - these are all valid points about costs, however I think we should focus on paying the way for framework developers rather than OWASP members. One fundraising angle is to ask companies to help pay for the core contributors to the frameworks that they use.

Rohit Sethi

Sep 28, 2011, 3:33:56 PM
to owasp-dev-out...@googlegroups.com
Sorry, I misunderstood about the SANS stuff. We'll probably still need to field the costs, but maybe we can get an estimate of the size of the team coming onsite and figure out a good venue.

Dinis, how many people do you think will attend? Is it fair to ask people to pay their own way rather than having OWASP pay for project / chapter leaders to come? What if we make this a 2 or even 1 day event? Maybe if we have an idea of what the 250k was used for at the other summits we can see if there are ways to cut down on costs. We can then start figuring out how to drive funding.

John Wilander

Sep 28, 2011, 4:30:00 PM
to Rohit Sethi, owasp-dev-out...@googlegroups.com
Hi guys!

As said, this is a good initiative. I'll be speaking at SenchaCon in TX next month and would love to have something like this to promote there. Sencha is the company behind ExtJS (rich web widgets) and Sencha Touch (popular mobile framework).

150k is a lot of money but let's not fall into the Big Number Fear. Chop it up, identify what value we can create for sponsors, and build a list of probable/desirable supporters.

For instance Microsoft ships jQuery with Visual Studio so I'd propose they sponsor by sending 5 of their own web framework guys and pay for 3-5 jQuery guys. Peanuts in terms of money but great goodwill and some additional polish to the MS security armor.

IBM loves and supports Dojo so we could probably find a similar deal there.

Oracle could be the guys who support Apache (Struts ...).

By that time Spring, Sencha etc will sponsor their own, i.e. the enterprise-owned frameworks.

That's how I'd start. Except we need tentative dates and a probable geographic location.

Regards, John

Rohit Sethi

Sep 28, 2011, 4:52:42 PM
to John Wilander, owasp-dev-out...@googlegroups.com
Good points John. If we tentatively said next August/September time frame and somewhere in the US East Coast (e.g. DC) or Mid-West (e.g. Chicago), maybe that's enough to get started?


dinis cruz

Sep 29, 2011, 11:10:37 AM
to owasp-dev-out...@googlegroups.com, Rohit Sethi
John, the mode you mention below is very similar to what I'm thinking (I just want to make it more explicit and centralized)

For example you say that Microsoft should bring/sponsor 10 participants.

I agree, and at 2000 USD a person that is a 20k USD sponsorship. Which is what I was thinking that we should get the interested companies to commit.

So 150k is about 6 to 10 companies with a sponsorship amount of 15k to 25k. That is not too much to ask is it?

Part of the reason why there should be an explicit amount between support provided and people sponsored is because the real cost is the one to bring people there (and sleep and feed them).

Btw, most of the 'paid/sponsor' attendees by this fund should NOT be from the OWASP leaders group (i.e. the effort should be in bringing in the players we keep trying to reach: from framework/API developers to development houses, to security consultants). The OWASP leaders should be funded by OWASP funds (for example the chapters and committees now have budgets that they could use). Of course the sponsors can choose to sponsor OWASP leaders (we can sort out these details when the time comes)

Dinis Cruz

dinis cruz

Sep 29, 2011, 11:12:43 AM
to owasp-dev-out...@googlegroups.com, John Wilander
We need to look at the OWASP Conference's schedule to make sure it fits without major conflicts.

The location needs to be at a major US international airport (with the venue being a max 50k distance). We have good data on the flight costs and possible travel locations of participants which we should use to pick the airport and venue.

Dinis Cruz

dinis cruz

Sep 29, 2011, 11:19:15 AM
to owasp-dev-out...@googlegroups.com, John Wilander
Absolutely, and in my view the only real way to do that is to get all that talent and energy in the same physical location (as with the last Summit, my focus/strategy is on getting as much talent there as possible).

Having such event has two main benefits:
 - there is SOME work that will be done before we get there (and this will depend a lot on how much energy the Summit team can put into preparing the Working Sessions (which is what Paulo and Sandra did before the last Summit))
 - there will be an ENORMOUS amount of work and energy created at the Summit (the practical/actionable results will also depend on how much energy and focus the Summit Team is able to do (during and after the Summit)).

The hard part is in making the participants BELIEVE that the Summit will exist and that it will be worth their efforts and energy (namely to start working on it before they get there).

Since we now have some track record in pulling off these events, it should be easier this time around.

dinis cruz

Sep 29, 2011, 11:23:01 AM
to owasp-dev-out...@googlegroups.com, John Wilander
I agree that the main recipients of the 'Summit Ticket' should be those framework developers (and other key players we will identify).

My experience is that the sequence of events is:

 a) identify who we would like to go
 b) find somebody who personally knows them (or can get a direct contact)
 c) invite them to the summit with a 'no-strings-attached-Summit-Ticket' (i.e. all expenses paid: travel, accommodation, food, drinks)
 d) mention to them that the cost is about 2000 USD and if they can get their company to pay that, it would be great (since that would mean that we would be able to invite another developer)

Rohit Sethi

Sep 29, 2011, 8:02:26 PM
to owasp-dev-out...@googlegroups.com, John Wilander
Well, I think we've got some ideas around a) already. Clearly we should really try our best to engage the biggest players: .Net and Java. Does anyone have relationships with key contacts for these two? What about Rails?

What other frameworks do we already have some kind of personal contact with? 

Rohit Sethi

Oct 12, 2011, 11:37:50 AM
to owasp-dev-out...@googlegroups.com, John Wilander
Brief update on a few fronts:

I've reached out to Mark Curphey about getting the .Net people involved. We'll be talking a bit more about it but at least the ball is rolling.

Jim Manico provided me with some good Java EE and Spring Source contacts whom I'll be reaching out to over the next week. Jeff Williams has also said the idea has his full support and he'll be helping to reach out to some of the JSR teams.

We still need some kind of link into Apache Struts, Rails, JQuery and Dojo. Any other framework contacts would also be appreciated.

dinis cruz

Oct 12, 2011, 1:20:25 PM
to owasp-dev-out...@googlegroups.com, John Wilander
I think that if we create the right environment they will come (especially since we seem to have enough frameworks and developers to create momentum) and we now have a track record of creating such high-performance-collaborative environments (case study 'browser group at last Summit in PT')

What we need next is to figure out the action plan, namely what we want to do and what we want to achieve.

Once we have this, we can go out and get the funding for it.

Rohit Sethi

Oct 13, 2011, 10:29:14 AM
to owasp-dev-out...@googlegroups.com, John Wilander
Conference call? Dinis, I presume you have a lot of experience figuring out times that work well for people in both Europe and North America. Let me know what times work for you and I can schedule a call for the first week of November.

Rohit Sethi

Oct 19, 2011, 1:49:48 PM
to owasp-dev-out...@googlegroups.com, John Wilander, Mark Curphey, Jeff Williams, John Steven
What are your thoughts on this proposed outline?

High level goals:

  • Align OWASP efforts with frameworks development efforts in order to improve the security of applications built on top of frameworks
  • Have framework developers take a more active role at OWASP to help drive priorities

Specific areas to cover:

  • How can OWASP better serve application framework developers? What can OWASP be doing a better job at?
  • How can developers from different frameworks collaborate to discuss issues relating to security?
  • How can OWASP volunteers work together with framework teams to deliver a consistent message about building secure apps on top of a specific framework?
  • What practical ways can we increase participation from your core development team and your user community in OWASP?

John Wilander

Oct 19, 2011, 3:11:39 PM
to Rohit Sethi, owasp-dev-out...@googlegroups.com, Mark Curphey, Jeff Williams, John Steven
As we all know, the framework developers we're talking about have a hefty backlog and will reply "Pull the source and please start coding" if we ask "How can OWASP help ..." :). I think we need to have a thought out tactic there.

Given that the OWASP community comprises a bunch of really skilled pentesters I think a good offer would be to have a full-day hackathon at the summit where OWASPers pentest and patch together with the framework guys. I could not think of a more fun activity either.

With such a proactive offer we would bring a mix of actions and questions to the table. We also show that we mean business, not paperwork or slideware.

We also need to check our competence inventory to see which frameworks we're actually proficient in. We're much more likely to be able to attract the frameworks we know. As always, developers can smell a mile away if we don't know their specific technology and they'll be reluctant to cooperate with us if they suspect they'll have to educate us first.

--
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com

Rohit Sethi

Dec 6, 2011, 12:18:50 PM
to owasp-dev-out...@googlegroups.com
Hi all, a brief update on this:

 * Oracle has confirmed that they'd be interested in attending, which would bring Java to the table
 * Started a conversation with Microsoft, who may also be interested in attending. They'd like to know more about benefits & sponsorship costs, etc.
 * As I already stated, Django is interested
 * Still trying to get ahold of Apache & Spring

I'll probably have more time to focus on this early in January.