The OWASP Summit began this morning with a launch introduction by Dinis Cruz, board member, and the rest of the summit team. Tuesday's schedule included ten primary workshops across two tracks, combined with a number of additional sessions in the more dynamic part of the programme which ran into the evening up to 23:00 hrs.
Justin Clarke ran one of the starting workshops about cross-site scripting (XSS) awareness, resources, partnerships and the influence browser vendors and framework producers can have on combatting this vulnerability. The panel and audience came to the conclusion that a multi-layered approach was needed, using techniques like auto-escaping templates, server policies, browser sandboxing and the use of something like Content Security Policy (CSP). There was a follow-up session at 21:00 hrs which I was unable to attend.
The second workshop I attended was led by Ryan Barnett on virtual patching best practice, and as part of this how web application firewalls (WAFs) might contribute to the efforts to mitigate XSS. The group thought that more information needed to be made available about virtual patching and what vulnerabilities might be suitable for this technique. The discussion referenced an excellent document produced by the OWASP German chapter about best practices for WAFs, and thought this information could be updated, extended and promoted more widely. After discussing some of the merits and problems of blocking vs. detection-only, the use of WAFs for mitigating XSS was discussed further. The problems of XSS sources, filtering and blacklisting were examined, and ideas proposed for alternative detection techniques.
After lunch, I attended the session on risk metrics and associated labelling, led by Chris Wysopal and Chris Eng. The US federal OMB M-04-04 risk classifications and approaches in other sectors were discussed. But the appropriateness of using any form of risk determination in a cross-industry approach was debated, and examples of more factual labelling, perhaps aimed at the supply chain rather than end users, were examined.
Keith Turpin introduced the secure coding practices project, and there was a lively debate about the purpose, audience and length of the document. The document's name may be changed in due course to better reflect its aims. The audience had different views on how best OWASP should engage with the development community, but there was very little dissent on the content of the project. Keith was at pains to point out that the document is a list of possible requirements for projects, and cannot be used "as is" without interpretation for a particular application's and organisation's context. Further input via the email list was welcomed.
The Enterprise Web Defense Round Table examined scaling web security, security training programmes, security bounty and hacking programmes, and where OWASP can assist. The perspectives from the panel and audience gave plenty of insight into the different approaches and what does and doesn't work. The topic of automated defences was postponed and will be included in a session about AppSensor at lunchtime on Wednesday.
After dinner, I attended the preliminary discussions about OWASP governance, which will continue and be finalised in a session on Thursday morning.
Posted on: 08 February 2011 at 23:30 hrs