I was about to write up my notes from Wednesday’s OWASP meeting, but Tim did a pretty good job. He starts by pointing out something I hadn’t really thought about:

The speaker, Andrew van der Stock, threw out many terms and ideas that he expected the audience to be familiar with. I wrote down many of these for later lookup.

This is a danger of what is still a pretty insulated community. It’s easy to toss out terms like clickjacking and ESAPI and expect that an audience at an OWASP chapter meeting, a self-selected group interested in web application security, will know it all. That’s clearly not the case. Tim follows this stuff pretty closely, works in the area professionally, and still there were terms thrown about that weren’t clear.

I don’t mention this as a criticism of Andrew. I do it as a reminder to myself to know your audience. I did the same thing today, dropping a reference to where Google screwed up their SAML implementation in their single-sign-on service, and it didn’t occur to me until later that the guy I was talking to probably had no idea what I was talking about.

Anyway. It was an inspiring talk. Andrew was drumming up support and interest in contributing to a number of OWASP projects.

  • OWASP Top 10 security vulnerabilities in web applications. The 2009 update is in the works. It will again be data-driven, as the 2007 update was (mostly).
  • OWASP Developer’s Guide. A lot of the testing-focused content in the current edition can be removed, since there’s now a Testing Guide. There’s strong interest now in not spending time on what’s done wrong, and instead explaining how to do it right. For SQL injection, for instance, instead of explaining why dynamic queries are dangerous, it’s more valuable to show prepared statements with bound parameters.
  • Top 10 Coding Standard. Andrew introduces this in a recent blog post. The idea is to set a minimum standard for what needs to be done to develop secure software.
  • Application Security Desk Reference. This is pretty much what it sounds like, a reference. If I recall correctly, it should build on the Honeycomb project that was donated to OWASP several years ago, a thorough categorization and reference to web app sec.
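As an added illustration of the "show how to do it right" approach the Guide item above describes (not from the talk or any OWASP project), here is the prepared-statement-with-bound-parameter pattern in Python against an in-memory SQLite table of constructed rows; the same shape applies to PHP's PDO or Java's PreparedStatement:

```python
import sqlite3

# Constructed sample rows for the demo; not data from any real system.
SAMPLE_USERS = [
    ("alice", "admin"),
    ("o'brien", "user"),   # a perfectly legitimate value containing a quote
    ("bob", "user"),
]


def build_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_role_dynamic(conn, username):
    """The pattern the Guide wants to stop dwelling on: the value is spliced
    into the SQL text, so the database parses user input as part of the query.
    Even a benign apostrophe breaks it."""
    sql = "SELECT role FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_role_bound(conn, username):
    """Prepared statement with a bound parameter: the SQL text is fixed and the
    value is sent separately, so it is only ever compared as data, never parsed."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(find_role_bound(db, "o'brien"))       # user
    try:
        find_role_dynamic(db, "o'brien")        # the quote breaks the SQL text
    except sqlite3.OperationalError as exc:
        print("dynamic query failed:", exc)
```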

There were others — there are a lot of OWASP projects — but those are the ones that stuck with me, partly because I’ve been thinking about what it would take to create short, self-contained courses in web app security and how these docs would fit in.

What’s really cool is that there are lots of ways to contribute in small ways to these projects. Especially with the Top 10 and the Guide, just working on small bits — a paragraph or two — is entirely possible.

I was briefly tempted to throw my hat into the ring to work on PHP ESAPI, a port of the Java Enterprise Security API project at OWASP. But I know I won’t make the time for it, and it’s been a while since I’ve done serious PHP. Besides, it would probably mean that Andrew would make me the lead. :) If you have killer PHP skills, please consider it. We sure as hell need this.

On top of all this, the highlight of the evening was meeting Andrew van der Stock in person. That’s been a long time coming.