
2022 OWASP AppSec USA Keynote


  1. Simon Bennetts (Jit): OWASP: What's the Point?
  2. Agenda: What is OWASP? What is Wrong with OWASP? What is Right with OWASP? Do we Still Need OWASP? Can we Make OWASP Better?
  3. 01 What is OWASP? We cannot judge something that we cannot define.
  4. What is OWASP?
  5. What is OWASP?
     ● Chapters
     ● Events
     ● Projects
     ● Websites
     ● People
  6. Chapters: 448 chapters around the world
  7. Events
     ● Global Events
     ● Regional Events
     ● Online Events / Webinars
  8. Projects: 276 projects
  9. Websites
     ● owasp.org
     ● OWASP Slack
     ● Project websites
     ● zaproxy.org
     ● owaspsamm.org
     ● dependencytrack.org
     ● ...
  10. People
     ● Board (7)
     ● Staff (8)
     ● Committees (6)
     ● Members (6.1k)
     ● Corporate Members
     ● Slack community (21k)
     ● Volunteers
     ● Consumers
  11. 03 What is Wrong with OWASP? If we do not know what is wrong then we cannot fix it. ✘
  12. Chapters - Problems
     ● Too many inactive chapters – 178
     ● Post COVID – do people want in-person events?
     ● Some run like independent social clubs
     ● Talks too basic
     ● Talks too advanced!
     ● Hijacked by vendors
  13. Events - Problems
     ● Numbers significantly down
     ● Post COVID – do people want in-person events?
     ● Too much reliance on conference income
  14. Projects - Problems
     ● Too many inactive projects – 123
     ● Too much overlap
     ● Too many gaps (e.g. SAST)
     ● Some too close to vendors
     ● Lack of support from OWASP
     ● No real funding
     ● Own GitHub orgs
  15. Websites - Problems
     ● owasp.org
     ● Badly organised
     ● Broken links
     ● Outdated content
     ● Not focused on target audience
     ● Projects with non .owasp.org websites
  16. People - Problems
     ● Few, overloaded staff
     ● Very limited number of “doers”
     ● Very few people focused on “OWASP”
     ● We are the “awkward squad”
     ● Less “soft skills” in evidence
     ● Not inclusive enough
  17. Miscellaneous - Problems
     ● No clear / achievable vision: “No more insecure software”
     ● No clear plan
     ● No clear strategy
     ● No measure of our impact / value
     ● Brand abuse by vendors
  18. 04 What is Right with OWASP? It is not all bad! ✔
  19. Chapters - Successes
     ● Lots of chapters are still very active
     ● New chapters are still being formed
     ● Local focus scales really well
     ● Some are adopting remote access
     ● Great way to build local connections
  20. Events - Successes
     ● Lots of high quality talks and training
     ● Meeting people face-to-face works!
     ● Great way to build global connections
     ● Pretty good at avoiding vendor pitches
  21. Projects - Successes
     ● The Top Ten – an industry “standard”
     ● Some world class tools
     ● OWASP tools are driving down costs
     ● Low bar to start a project
     ● GSoC – huge benefit to projects
  22. Websites - Successes
     ● Source on GitHub – anyone can PR
     ● More data driven
     ● Non-OWASP sites allow projects to establish their own identity
  23. People - Successes
     ● Anyone can volunteer
     ● Not pay-to-play
     ● Community generally very welcoming
     ● The toxicity of the Leaders list is no more??
     ● It's a great way to get into the industry
  24. 05 Do We Still Need OWASP? OWASP in the balance. Or a face, which do you see?
  25. Do We Still Need OWASP?
     ● Have we solved AppSec yet?
     ● Have vendors solved AppSec yet?
     ● Are some vendors still selling overpriced products?
     ● Have we made it easy for developers to create secure systems?
     ● Is it easy for newcomers to enter the industry?
  26. Do We Still Need OWASP?
     ● Can OWASP continue to give high quality guidance?
     ● Can OWASP continue to develop industry leading tools?
     ● Can OWASP continue to help people enter this industry?
     ● Do we still need OWASP?
  27. 06 How Can We Make OWASP Better? After all, everything can be improved. This will not be an exhaustive list!
  28. Can we make OWASP Better?
     ● Who are we trying to help?
     ● Developers?
     ● Businesses?
     ● Security people?
     ● How are we going to do it?
  29. Can we make OWASP Better?
     ● Volunteering
     ● Sell the benefits of volunteering
     ● Better volunteer support
     ● Promote OWASP leaders
     ● More initiatives like GSoC
  30. Can we make OWASP Better?
     ● Proposal: new “Community Leader” title
     ● People focused on improving OWASP
     ● Not focused on one chapter or project
     ● Helping and encouraging volunteers
     ● Focusing on solving problems for our target audience
  31. Can we make OWASP Better?
     ● Balance between OWASP, chapters and projects
     ● Larger chapters and projects should be allowed to have their own identity
     ● But still be focused on supporting OWASP’s goals
  32. Can we make OWASP Better?
     ● Outside engagement
     ● Encourage positive vendor involvement
     ● Encourage more involvement from companies that benefit from OWASP
     ● Work more closely with other OSS orgs
     ● Raise much more funding
  33. Can we make OWASP Better?
     ● Projects
     ● Proper funding, especially for flagships
     ● More focus on significant projects
     ● Stricter on abandoned projects
     ● Stricter on vendor control
     ● Keep encouraging new projects
     ● Projects should work together better
  34. Can we make OWASP Better?
     ● Projects and Chapters
     ● More support
     ● Especially from successful ones
     ● We need to help each other
     ● More focus on OWASP’s mission
  35. Can we make OWASP Better?
     ● Website
     ● Redesign!
     ● Focus on
     ● Newcomers
     ● Target market
     ● Volunteering
  36. Can we make OWASP Better? What have I missed?
  37. 07 Do We Still Need OWASP? Let’s go back to this question...
  38. 05 Needs You!
