Monday, June 26, 2017

OWASP Summit 2017: what's new?


Last week we attended the OWASP Summit 2017 in Woburn Forest Center Parcs near London.

The OWASP Summit 2017 was a five-day, participant-driven event dedicated to collaboration between development and security professionals, with a strong focus on DevSecOps.

Hundreds of OWASPers and AppSec experts took part in interactive working sessions. The idea was to promote new ideas, start new projects with a selected team, or restart existing OWASP projects with the aim of producing a new version.

It was great to meet young students and professionals genuinely interested in contributing to the projects.


Working sessions ran every day, 173 in total by the end of the summit.

The output of each session was a record of the discussion between participants, a list of actions and, in some cases, a first draft of a new project.

So what are the main outcomes that people passionate about AppSec will find interesting?
Let's group the most promising projects by the roles they serve in a company.

CISO:
- OWASP CISO Guide: its goal is to help CISOs manage application security programs according to the CISO's roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout the guide. You can download the current CISO Guide here.
- GDPR and DPO AppSec implications: the GDPR (General Data Protection Regulation) is a major EU regulation that affects every company doing business with the EU, which is just about every major company worldwide. This Working Session discussed several aspects of the GDPR, including the role of the DPO (Data Protection Officer), its broad definition of personal data (which covers identifiers such as IP addresses, not just classic PII), and the obligation to notify breaches within a short time frame (72 hours to the supervisory authority, where feasible).


Auditors, Testers:
- OWASP Mobile Testing Guide: one of the most active projects during the Summit, focused on testing iOS and Android applications.
- OWASP Testing Guide v5: the de facto standard for performing a web application penetration test. If you want to collaborate on this project, which we are leading together with Andrew Muller, please send us an email.


DevSecOps:
- Define Agile Security Practices: using Agile in security practices and activities makes a lot of sense, but what does it actually mean? This Working Session started defining those practices in easy-to-use, scalable formats and documentation.
- DevSecOps Track: many working sessions were dedicated to DevSecOps.
- Pwning OWASP Juice Shop: the OWASP Juice Shop is a web application with 42+ intentional security vulnerabilities. It is meant to be the opposite of a best-practice or template application for web developers: an awareness, training, demonstration and exercise tool for security risks in modern web applications.

OWASP is an open community that encourages new contributions. If you want to collaborate, you can start from here.

See you next year!