OWASP 2010

From MozillaWiki
AppSec USA 2010 is the premier web application security conference of the year. From IT decision makers and managers to security conscious developers and engineers, AppSec USA will provide answers to a wide variety of questions on application security. The event takes place from September 7th to 10th, 2010 in Southern California.

This year Mozilla will be an organizational supporter of the AppSec USA 2010 conference, which is organized by OWASP.

Goals

  • Adoption and awareness of CSP
  • Feedback on implementation through bugs

Who Is Going?

  • Michael Coates
  • Sid Stamm
  • Brandon Sterne
  • Daniel Veditz

Speaking

  • Michael Coates - Day 2 (10:10-10:55) Real Time Application Defenses - The Reality of AppSensor & ESAPI

Booth

  • Flyer/postcard to distribute with information from the turbo talk (Brandon to lead with help of Sarah)
  • Will use booth to talk about CSP (and to encourage people to adopt it)
  • Need swag shipped to hotel/event
    • Hyatt Regency Hotel
    • Hold For Guest: Michael Coates (9/8-9/10)
    • 17900 Jamboree Road
    • Irvine, CA 92614 - US

Blog Posts

Miscellaneous

  • Brandon to record video with Rainer?

Results

Goal

Spread awareness of the new Content Security Policy feature within Firefox to the web security community and engage the attendees to garner feedback and opinions.

Present security research on application intrusion prevention techniques

Results - Summary

  • CSP demoed by Brandon Sterne to entire conference attendance
  • Extensive discussions at Mozilla booth regarding CSP and Firefox 4
  • CSP postcards were a success
  • OWASP organization will support and promote CSP to the world
  • Networking may result in several launch partners for CSP
  • AppSensor presentation given by Michael Coates was well attended and received good feedback
  • Networking may result in complimentary license for web scanning tool for Mozilla use
  • New OWASP Browser Security Working Group will increase exposure of Firefox security features and increase communication between OWASP security leaders and web browsers

Results - Detailed

CSP Presentation to entire conference attendance

- A CSP presentation was delivered to the entire conference at the end of the first day. This reached approximately 300 individuals.

- The CSP presentation was also tweeted by several attendees, which resulted in substantial additional exposure.

Mozilla Booth

- The Mozilla booth at the OWASP conference was visited by a large number of individuals who sought additional information on CSP.

- The printed CSP "take-away" flyers were very effective and many attendees took one of these flyers along with other Mozilla swag.

OWASP & Mozilla Lunch Roundtable

- Michael Coates of Mozilla and Dinis Cruz of OWASP coordinated a meeting between Mozilla representatives, OWASP leaders and key application security players. The meeting focused on how OWASP and Mozilla could work together to achieve the mutual goal of making the web a safer place. There were a variety of positive results from this meeting including the primary action item of OWASP helping to promote the benefits of Content Security Policy.

Attendees:

  • Jeff Williams, OWASP Chairman & CEO Aspect Security
  • Dinis Cruz, OWASP Board & O2 Developer
  • Dave Wichers, OWASP Board & COO Aspect Security
  • Robert Hansen "rsnake" - CEO SecTheory
  • Jeremiah Grossman - CTO WhiteHat Security
  • Jim Manico - Security Expert & ESAPI Lead Developer
  • Justin Clark - Director and Co-Founder of Gotham Digital Science
  • James Landis - Senior Manager Paypal Security
  • Michael Coates
  • Sid Stamm
  • Brandon Sterne
  • Dan Veditz

- This meeting also established the OWASP Browser Security Working Group, which will be used to increase communication between OWASP and all browser vendors for security-related discussions.

- A follow-up meeting is scheduled for the OWASP Summit that will take place in 2011 Q1.

Networking

- Hallway discussions and networking opportunities enabled Mozilla to build new relationships with other leaders including security representatives from Microsoft, Symantec, and multiple security vendors. One immediate benefit is the potential inclusion of Mozilla security representatives at the Microsoft Blue Hat event.

- At least one consulting company may be recommending CSP directly to their customers. These customers would work directly with Brandon Sterne as initial launch partners of CSP.

- Another new relationship resulted in a complimentary license for a web scanning tool.