Friday, February 13, 2009


Matteo Meucci was invited to talk about the new OWASP Testing Guide and Secure Software Development at FOSDEM 09.
Here you can download the video of the presentation:
Testing Guide video

The following is the interview that Christophe Vandeplas gives to Matteo and Paulo Coimbra (OWASP Project Manager):

Hi, thank you for the interview. I have been working in Information Security for some years, starting with a thesis in PKI and Attribute Certificates. I worked for many consultancy firms, then in 2007 with Stefano Di Paola and Giorgio Fedon we decided to create Minded Security, a company totally focused on Application Security Consultancy. I have been contributing to OWASP for many years and in 2005 I founded the Italian Chapter and from 2006 I lead the OWASP Testing Guide Project.

What will your talk be about, exactly?

The goal is to show the OWASP testing methodology and how you can implement a software development lifecycle that permits to develop more secure applications.
What do you hope to accomplish by giving this talk? What do you expect?

I’d like to promote the OWASP guidelines and find more people interested in OWASP and contributing to improve our projects.

What's the target audience for the OWASP Testing Guide?

We make this guide available in a completely free and open way because we believe sharing knowledge could contribute to develop more secure applications. The target audience here is not only the Application Tester, but everyone involved in the Software Development Life Cycle. So the Security Managers, the Internal Audit, the Developer Team, the Testers, are all interested to adopt a common and open source methodology to test the security of the application.

How would you describe the OWASP Testing Guide in a few sentences?

An open and standard methodology to perform Web Application Penetration Testing.

What are the biggest differences between v2 and v3 of the OWASP Testing Guide?

That's a good point. OWASP started in 2005 with the first testing guide version. We collected the set of test to perform and a short methodology. In 2006 we did a great job creating version 2 that collects 8 categories of tests for a total amount of 48 controls. The guide describes each single control to test.

Now v3 collects 10 categories of tests for a total amount of 66 controls and we have created a shared methodology in a 347 pages book.

How successful was the OWASP Summer of Code 2008? How many participants were there? What were the most important accomplishments during this period? What are the differences with the OWASP Spring of Code 2007 and OWASP Autumn of Code 2006?

Paulo Coimbra (OWASP Project Manager): OWASP Foundation is a voluntary, not-for-profit entity and open community. By responding so significantly to the Summer of Code’s challenge, this community has showed its vitality and true passion in improving application security.

We have invested roundly 275,000 dollars to fund the entire Summer of Code initiative. We have used slightly less than half of this amount to symbolically reward the work of one hundred project leaders, contributors and reviewers.

The remaining budget has been used to support the inter-linked OWASP Summit, a thrilling event set up to identify, coordinate, and prioritize OWASP efforts to create a more secure Internet in which the Summer of Code deliveries were publicly presented.

As it was said by OWASP Chair Jeff Williams, "Our community is growing and organizing into a powerful movement that will affect software development worldwide" and so the Summit, being the Summer of Code 2008 its central piece, has marked a major milestone in our efforts to improve application security.

Apart from launching more than two dozen of new or updated documents and tools, as for the most important accomplishments during this period, we would like to point out the reinforcement of an amazing knowledge sharing culture plenty of comradeship, curiosity and freedom.

Given OWASP´s worldwide scope characteristic, several of its contributors from all earth corners had been collaborating to develop application security for several years often without personally meeting each other. By gathering the majority of the most active of them in a friendly and productive environment, both events the OWASP Summer of Code 2008 and the OWASP Summit have created the conditions for enhanced future achievements. This circumstance and an improved organizational support should have been the major differences relatively to the past seasons of code.

What can we expect from the OWASP Winter of Code 2009?

Paulo Coimbra (OWASP Project Manager): Although the OWASP Winter of Code 2009 design is not finished yet and so its final frame can yet be modified by the expected OWASP community inputs, I believe the new season of code to be very similar to the previous one.

Likely by the next month the call for applications will be sent and we will be accepting proposals in three distinct spheres, namely, Innovation/Start-ups, Integration/Development and Quality Improvement.

The entire cycle from launching to completion should last nearly six months and we will be expecting all the approved proposals to be executed in time to be presented in our next Summit which will be probably held next November.

Even if we are expecting applications from the majority of the former season of code participants, we certainly welcome new ones. In addition, to review the approved projects, several positions will also be open.

We are counting on involving no less than hundred people in the OWASP Winter of Code 2009 and we hope you can be one of them. Please check our main page for updates.

You have more than 8 years of experience in information security. What have you seen changing in this period with respect to web application security? Are most types of vulnerabilities still the same or are there any genuinely new developments?

The research on Application Security is a very active field. We are finding new vulnerabilities and new types of attack every week. That's why we have to verify continuously the security of a web application also if the application is not changed during that time.

What do you consider the most underestimated risk for web applications in the near future?

Every application is completely different from the others. Web Application Security is dynamic, it changes every day. The risk for the Companies is to think statically: If you think statically to your application probably you will expose that to some security trouble in the future. That’s why keeping up-to-date is a key factor for the Companies: the OWASP Community could contribute giving state of the art open guidelines and tools.


  1. Hello, Testing Guide Video is broken.

    Joe Morris

  2. Hi Joe,
    thank you for the information.
    I've updated the link.