[ { "id" : "162e143d81bc6a99c8bb388e3a31243e", "file_path" : "tracks/DevSecOps/_index.md", "last_modified" : "2019-05-29T07:46:47+01:00", "link" : "/tracks/devsecops/", "content_plain" : "This track is focused on the DevSecOps tools and techniques to embed security as part of CI/CD pipelines.\n", "summary" : "This track is focused on the DevSecOps tools and techniques to embed security as part of CI/CD pipelines.", "title" : "DevSecOps", "track" : null, "type" : "track", "word_count" : 18, "params" : {"description":"Sessions focusing on the DevSecOps tools and techniques to embed security as part of CI/CD pipelines","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-29T07:46:47+01:00","organizers":["Dominik de Smit"],"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAVDNF1NE","title":"DevSecOps","type":"track","when_day":"Wed,Thu","when_time":null} } , { "id" : "bf605faa6f0765dd6302d0f57dc8ed50", "file_path" : "tracks/DevSecOps/working-sessions/agile-practices-for-security-teams.md", "last_modified" : "2019-06-03T15:52:50+01:00", "link" : "/tracks/devsecops/working-sessions/agile-practices-for-security-teams/", "content_plain" : " Until recently, cyber security was often considered as “nice to have” in the software development lifecycle. However, due to several data breaches that hit the headlines, more and more dev teams are now starting to incorporate security practices in their processes. Considering how agile methodologies benefit the development lifecycle, security should be approached in the same, or a similar, way.\nWhy Agile practices have been around for quite some time now and a lot of organisations incorporate Agile practices into their daily operations. This working session will discuss how security teams can utilise these Agile practices to improve their position and make their operational side more productive. 
Early delivery, a synonym of Agile, is one of the biggest challenges for info-sec, but using some Agile practices could enable security teams to integrate more effectively within their organisations.\nWhat Agile and its practices Security adoption of Agile Architecting security for early delivery Situational awareness in Agile environments Optimising Agile SDLC security Outcomes A Draft List of Agile Security Practices\nSynopsis and Takeaways The following categories highlight some of the key activities of an agile security team:\nEducation - Define and deliver security training programmes\nCommunication - Security team to be visible, present at standups, available - Connect dev to production - Empower security champions\nStandardisation and Compliance - Own strong guidelines, e.g. data classification, regulatory, compliance - Two tier security standards? mandatory, depend on risk/sensitivity etc - Library of standard stories\nSupport - Technical support - Help create security user stories, personas, anti-personas, patterns - Culture of \u0026ldquo;security is not to say no, but to help\u0026rdquo; - Testing - Automation is needed for CI/CD e.g. 
tool to track 3rd party licenses - \u0026ldquo;Development enablement tribe\u0026rdquo;\nGovernance/Control - Project initiation touch point to define \u0026ldquo;gates\u0026rdquo; - Prioritisation of involvement based on risk assessment, lifecycle stage - Define \u0026ldquo;done\u0026rdquo; - 3rd party maturity assessment - Internal compliance checks - Centralised tracking in primary colours - Security team KPIs - Security organisation has to be separate from development - Monetary value on risks helps prioritisation - Risk acceptance/escalation process\nEngineering - Bring in shared security solutions such as WAF- engineering effort\nPractices - Perhaps agile not applicable, more lean/kanban - View security as functions, not people - resourcing can change but functions don\u0026rsquo;t - Don\u0026rsquo;t be a blocker to agile, e.g. in operational approvals - \u0026ldquo;Security team as a service\u0026rdquo; - Struggle to manage BAU and hence forecasting: separate functions - Need visibility of project portfolio - Separation of duty can be a constraint\nWho The target audience for this Working Session is:\n Developers Security professionals DevSecOps Security champions Working materials Here are the current \u0026lsquo;work in progress\u0026rsquo; materials for this session (please add as much information as possible before the sessions):\nOWASP Proactive Controls\nPrevious Summit Working Session https://owaspsummit.org/Working-Sessions/Agile-AppSec/Agile-Practices-for-Security-Teams.html\n", "summary" : "Until recently, cyber security was often considered as “nice to have” in the software development lifecycle. However, due to several data breaches that hit the headlines, more and more dev teams are now starting to incorporate security practices in their processes. 
Considering how agile methodologies benefit the development lifecycle, security should be approached in the same, or a similar, way.\nWhy Agile practices have been around for quite some time now and a lot of organisations incorporate Agile practices into their daily operations.", "title" : "Agile Practices for Security Teams", "track" : "DevSecOps", "type" : "working-session", "word_count" : 466, "params" : {"description":"Agile Practices for Security Teams","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T15:52:50+01:00","organizers":["(one of participants)"],"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAU62737S","status":"done","title":"Agile Practices for Security Teams","topics":["Agile"],"track":"DevSecOps","type":"working-session","when_day":"Tue","when_time":"AM-1"} } , { "id" : "55a464e249b7a2bfbe4fb7e3a3b8b72a", "file_path" : "tracks/DevSecOps/user-sessions/creating-appsec-metrics-and-visualisation.md", "last_modified" : "2019-06-03T15:23:31+01:00", "link" : "/tracks/devsecops/user-sessions/creating-appsec-metrics-and-visualisation/", "content_plain" : " Why You can\u0026rsquo;t improve what you don\u0026rsquo;t measure. It's important to measure the activities as part of SDL and drive future improvements to the application security program. Metrics show business value to stakeholders and help drive further investments in the program. Metrics also help in figuring out what's working and what's not.\nMetrics used should be meaningful and not there for the sake of just metrics (metric fatigue?).\nWhat The goal of this User Session is to find ways to create meaningful metrics and dashboards for AppSec Professionals like Mean Time To Remediate, Mean Time To Find, etc.\nThis session also works out which metrics are effective and meaningful, what you can do to get started, and the different challenges you might come across.\nContent What is the difference between metrics and measurement? 
How to get started and different challenges. What are the best practices for using tools like ELK or Prometheus? How to visualise the data collected in actionable/meaningful graphs. Learning curve of tools like Graphviz, dot format, etc. Outcomes This Working Session will publish:\n A list of meaningful metrics to measure application security program A guide on how to calculate them using open source tools. Who The target audience for this Working Session is: - Developers - Security professionals - DevSecOps - Security champions\nReferences https://medium.com/@smnbss/how-we-use-activity-oriented-metrics-6d85c6f9d400 https://www.owasp.org/index.php/CISO_AppSec_Guide:_Metrics_For_Managing_Risks_%26_Application_Security_Investments https://www.owasp.org/images/7/77/Magic_Numbers_-_5_KPIs_for_Measuring_WebAppSec_Program_Success_v3.2.pdf https://www.veracode.com/sites/default/files/Resources/Whitepapers/using-metrics-to-manage-your-application-security-program-sans-veracode.pdf https://www.csoonline.com/article/2123361/metrics-budgets/security-metrics--critical-issues.html ", "summary" : "Why You can\u0026rsquo;t improve what you don\u0026rsquo;t measure. It's important to measure the activities as part of SDL and drive future improvements to the application security program. Metrics show business value to stakeholders and help drive further investments in the program. 
Metrics also help in figuring out what's working and what's not.\nMetrics used should be meaningful and not there for the sake of just metrics (metric fatigue?).\nWhat The goal of this User Session is to find ways to create meaningful metrics and dashboards for AppSec Professionals like Mean Time To Remediate, Mean Time To Find etc.", "title" : "Creating Appsec metrics and visualisation", "track" : "DevSecOps", "type" : "user-session", "word_count" : 220, "params" : {"categories":null,"description":"AppSec Metrics and Visualisation","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-03T15:23:31+01:00","organizers":["Dinis Cruz"],"room_id":"room-5","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVDU1W4S","status":"done","technology":null,"title":"Creating Appsec metrics and visualisation","topics":["Visualisation"],"track":"DevSecOps","type":"user-session","when_day":"Tue","when_time":"PM-1"} } , { "id" : "088dd30177d090205fb4e7d4a382e04d", "file_path" : "tracks/DevSecOps/working-sessions/security-champions.md", "last_modified" : "2019-06-04T09:54:19+01:00", "link" : "/tracks/devsecops/working-sessions/security-champions/", "content_plain" : " Security Champions are a key element of any AppSec team, since they create a cross-functional team focused on Application Security.\nWhat is a Security Champion?\n Security Champions are active members of a team that may help to make decisions about when to engage the Security Team Security Champions act as the \u0026ldquo;voice\u0026rdquo; of security for the given product or team Security Champions assist in the triage of security bugs for their team or area (see definition here)\nWhy The main purpose of this working session is to discuss the role of Security Champions within organizations, and how Security Champions\u0026rsquo; skills can best be utilized across organizations. 
The session will also discuss the need for a better definition of the role of Security Champion.\nWhat How to define Security Champions\u0026rsquo; roles, responsibilities, and OKR How to create a network of Security Champions Forum for Security Champions to share their experiences The importance of being supported by the corporate Security Policy How to \u0026lsquo;create\u0026rsquo; Security Champions? How to reward Security Champions? Do Security Champions have a path into Application Security profession? Is being a Security Champion worth including in your LinkedIn profile? What is the Security Champion\u0026rsquo;s role in Threat Modelling? Outcomes Agreed definition of security champions\u0026rsquo; roles, responsibilities, and OKR Agreed structure to help companies create networks of security champions Creation of a forum for security champions Who The target audience for this Working Session is:\n Security Champions CISOs Developers References https://www.owasp.org/index.php/Security_Champions https://www.linkedin.com/pulse/do-you-have-security-champions-your-company-robert-hurlbut https://www.brighttalk.com/webcast/5418/165801/creating-a-network-of-security-champions-at-diageo https://securingthehuman.sans.org/blog/2015/01/19/creating-a-security-champions-network http://blog.diniscruz.com/2016/10/if-you-dont-have-security-champion-get.html http://blog.diniscruz.com/2015/01/does-your-team-has-security-champion-if.html Previous Summit Working Session https://owaspsummit.org/Working-Sessions/Agile-AppSec/Security-Champions.html\n", "summary" : "Security Champions are a key element of any AppSec team, since they create a cross-functional team focused on Application Security.\nWhat is a Security Champion?\n Security Champions are active members of a team that may help to make decisions about when to engage the Security Team Security Champions act as the \u0026ldquo;voice\u0026rdquo; of security for the given product or team Security Champions assist in the 
triage of security bugs for their team or area (see definition here)", "title" : "Creating a Security Champions network", "track" : "DevSecOps", "type" : "working-session", "word_count" : 251, "params" : {"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-04T09:54:19+01:00","organizers":"Claudio Camerino, Dinis Cruz","participants":null,"room_id":"Dinner Villa","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWE8J5JB","status":"review-content","title":"Creating a Security Champions network","topics":["Security Champions"],"track":"DevSecOps","type":"working-session","when_day":"Wed","when_time":"Eve-1"} } , { "id" : "5fee020c8d696f92031a2f928293863f", "file_path" : "tracks/DevSecOps/working-sessions/dealing-with-security-findings.md", "last_modified" : "2019-06-04T13:44:54+01:00", "link" : "/tracks/devsecops/working-sessions/dealing-with-security-findings/", "content_plain" : " Security testing is vital to validate the correct implementation of controls and that security requirements. To scale security testing to often hundreds of different software products, many organisations now implement automated tools to scale security testing practices. In this hands-on working session we\u0026rsquo;ll learn how to build a working DevSecOps POC and, more importantly, how to deal with the myriad of security findings it generates.\nSchedule: - Slot 1 (AM1) - Architecture and Setup - Slot 2 (PM2) - Objectives and Challenges - Slot 3 (PM3) - Outcomes\nWhy Thanks to the proliferation of automated security scanning tools we are generating a phenomenal amount of security findings. As part of this session we tackle the following goals.\n Increase Visibility - Can\u0026rsquo;t secure what you don\u0026rsquo;t see. Why it is important to test early in the SDL and map tests to QA business flows. Define Accountability - Creating a feedback loop with your Devs. 
Why it is important to flag findings to their respective owners and incorporate Devs' feedback into testing policies. Improve Noise Removal - Accuracy drives credibility. Devs are more likely to triage and action reputable findings, starting with tighter scan policies. Achieve Scalability - Running tools and managing processes manually is not an option when dealing with hundreds of products. How to scale generation, collection and triaging of security findings. What Explore the automated testing workflow; participants will be encouraged to take part and share their experience. What selection of tools and test types should be used to generate security findings as part of a DevSecOps program. Recommended security testing approaches for: \u0026ndash; Frontend vs backend applications \u0026ndash; Static vs runtime Why it is important to have a single source of truth for multiple testing tools AppSec testing integration with QA - user stories vs abuse cases and how to leverage QA processes to drive ZAP. Integration with Jira - how to raise and populate SEC type tickets and track their lifecycle. Continuous improvement - how to tune security policies as a result of the triage process Outcomes Build and run a working DevSecOps POC lab from open source tools Define ruleset for programmatic removal of noise (e.g. duplicates, fixes in progress and easy to spot false positives) Learn how to adapt/hack OSS tools like ZAP and Defect Dojo for enterprise level automation. Define roles and responsibilities for an appsec pipeline based on common industry roles (QA, Del Svcs, Engineering etc.) Create CD scripts to automate generation, collection and allocation of findings. 
Generation of: \u0026ndash; ZAP scan policies, contexts and ZEST scripts \u0026ndash; SAST SonarQube quality profiles \u0026ndash; Dependency Check Configuration \u0026ndash; Defect Dojo/Jira integration Scripts \u0026ndash; Jenkins groovy scripts to tie it all together Long-term Outcomes Publish Repo with Automation scripts Pull Request for Defect Dojo Document process to handle findings Who The target audience for this Working Session is:\n Developers Security professionals DevOps / DevSecOps Security champions AppSec leaders Working materials Here are the current materials for this session:\n The Security Development Lifecycle SDL in Practice Defect Dojo OWASP ZAP Dependency Check Selenium Previous Summit Working Session ", "summary" : "Security testing is vital to validate the correct implementation of controls and that security requirements. To scale security testing to often hundreds of different software products, many organisations now implement automated tools to scale security testing practices. 
In this hands-on working session we\u0026rsquo;ll learn how to build a working DevSecOps POC and, more importantly, how to deal with the myriad of security findings it generates.\nSchedule: - Slot 1 (AM1) - Architecture and Setup - Slot 2 (PM2) - Objectives and Challenges - Slot 3 (PM3) - Outcomes", "title" : "Dealing with DevSecOps Findings", "track" : "DevSecOps", "type" : "working-session", "word_count" : 507, "params" : {"categories":null,"description":"How to deal with the security findings in an appsec pipeline and drive continuous improvement of the testing policies","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-04T13:44:54+01:00","organizers":["Claudio Camerino","Francisco Novo","Rafael Jimenez"],"participants":null,"room_id":"room-5","room_layout":null,"session_slack":null,"status":"review-content","technology":"Dependency Check, FindSecBugs, ZAP, Jenkins, Defect Dojo, Selenium, Jira, Juice Shop","title":"Dealing with DevSecOps Findings","topics":["SDL"],"track":"DevSecOps","type":"working-session","when_day":"Wed","when_time":"AM-1,PM-2,PM-3"} } , { "id" : "17aea82629fdfe6925493b209b33c675", "file_path" : "tracks/DevSecOps/working-sessions/devsecops-maturity-model.md", "last_modified" : "2019-06-03T22:21:35+01:00", "link" : "/tracks/devsecops/working-sessions/devsecops-maturity-model/", "content_plain" : "Start with this http://gdosmm-translation.timo-pagel.de/\n", "summary" : "Start with this http://gdosmm-translation.timo-pagel.de/", "title" : "DevSecOps Maturity Model (DSOMM)", "track" : "DevSecOps", "type" : "working-session", "word_count" : 4, "params" : {"categories":null,"description":"DevSecOps Maturity Model (DSOMM)","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T22:21:35+01:00","organizers":["(one of participants)"],"room_id":"room-5","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUS9V0CR","status":"review-content","technology":null,"title":"DevSecOps Maturity Model 
(DSOMM)","topics":["DevSecOps"],"track":"DevSecOps","type":"working-session","when_day":"Tue","when_time":"PM-2,PM-3"} } , { "id" : "97b207a5c5ae99879dae3034d9f0f510", "file_path" : "tracks/DevSecOps/working-sessions/threat-modeling-to-devsecops.md", "last_modified" : "2019-06-06T06:59:38+02:00", "link" : "/tracks/devsecops/working-sessions/threat-modeling-to-devsecops/", "content_plain" : " Why What Content Outcomes Who The target audience for this Working Session is: - Developers - Security professionals - DevSecOps - Security champions\nReferences ", "summary" : " Why What Content Outcomes Who The target audience for this Working Session is: - Developers - Security professionals - DevSecOps - Security champions\nReferences ", "title" : "From Threat Modeling to DevSecOps metrics", "track" : "DevSecOps", "type" : "working-session", "word_count" : 24, "params" : {"categories":null,"draft":false,"iscjklanguage":false,"lastmod":"2019-06-06T06:59:38+02:00","organizers":["(one of participants)"],"room_id":"room-4","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVDU1W4S","status":"done","technology":null,"title":"From Threat Modeling to DevSecOps metrics","topics":["Visualisation"],"track":"DevSecOps","type":"working-session","when_day":"Thu","when_time":"PM-1"} } , { "id" : "b84daf88a3f64377a171f907499e0f24", "file_path" : "tracks/DevSecOps/working-sessions/integrating-security-tools-in-the-sdl.md", "last_modified" : "2019-06-03T01:50:29+01:00", "link" : "/tracks/devsecops/working-sessions/integrating-security-tools-in-the-sdl/", "content_plain" : " Most of today's application security problems can be traced to flaws in the code. 
It does not matter whether security issues affect operating system components, client applications, web applications, or other systems; most well-known vulnerabilities are caused by coding errors and implementation issues.\nThe question here is why so many bugs and coding errors continue to cause major security issues when we have had years to deal with these and other common vulnerabilities that are still found in applications today.\nWhy The best way to make security ‘just happen’ is to integrate it within the normal SDL (Software Development Lifecycle) practices. Security teams can focus on confidentiality and integrity of data which often requires development teams to slow down and assess code differently. Similarly, businesses want developers to write and revise code faster than ever, which often results in the developers focusing on what works best instead of on what is secure.\nWhat How Microsoft adapted its SDLC after a large number of vulnerabilities was found between 1999 and 2003? SDLC in Agile? Policies and Procedures (SANSA by SANS) Bringing it all together Outcomes The goal of this Working Session is to\n Identify common areas where security and development can work together to make improvements. Document identified areas like culture, automation, measurement and sharing in an OWASP wiki page. Who The target audience for this Working Session is:\n Developers Security professionals DevSecOps Security champions Working materials Here are the current \u0026lsquo;work in progress\u0026rsquo; materials for this session (please add as much information as possible before the sessions):\n The Security Development Lifecycle SDL in Practice Previous Summit Working Session https://owaspsummit.org/Working-Sessions/DevSecOps/Integrating-Security-Tools-in-SDL.html\n", "summary" : "Most of today's application security problems can be traced to flaws in the code. 
It does not matter whether security issues affect operating system components, client applications, web applications, or other systems; most well-known vulnerabilities are caused by coding errors and implementation issues.\nThe question here is why so many bugs and coding errors continue to cause major security issues when we have had years to deal with these and other common vulnerabilities that are still found in applications today.", "title" : "Integrating Security Tools in the SDL", "track" : "DevSecOps", "type" : "working-session", "word_count" : 268, "params" : {"categories":null,"description":"Integrate security tools as part of CI/CD pipeline to find/fix issues early in SDL","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T01:50:29+01:00","organizers":["(one of participants)"],"room_id":"room-5","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUSF58HF","status":"review-content","technology":null,"title":"Integrating Security Tools in the SDL","topics":["SDL"],"track":"DevSecOps","type":"working-session","when_day":"Thu","when_time":"AM-1,PM-1"} } , { "id" : "ff85752550b33d35a55d15a24d75f0fd", "file_path" : "tracks/DevSecOps/working-sessions/secrets-management.md", "last_modified" : "2019-06-03T15:23:06+01:00", "link" : "/tracks/devsecops/working-sessions/secrets-management/", "content_plain" : " Why This Working Session will focus on secrets management - a key element of DevSecOps.\nSecrets are being used everywhere nowadays with the DevOps movement. API keys, database credentials, IAM permissions, SSH keys, certificates, etc. Many organizations have them hard coded in source code, littered throughout configuration files and configuration management tools, and stored in plaintext in version control.\nThere is a big need for the centralization of secrets to improve the security posture and prevent secrets from leaking and compromising the organization. 
Most of the time, services share the same secrets, which makes identifying the source of a compromise or leak very challenging.\nBecause technologies like Containers, Kubernetes, Cloud Native are in full swing, the need for guidance around proper secrets management is at hand. This session aims at starting a new OWASP Cheat Sheet around secrets management.\nWhat Identify best practices for Secrets Management (containers, cloud (AWS, Azure, GCP), applications, etc) Provide guidance on how to do proper secrets management across different environments Agree what to include in an OWASP Cheat Sheet Outcomes This Working Session will publish:\n A set of best practices for DevSecOps engineers The start of an OWASP Cheat Sheet for secrets management Who DevSecOps engineers Security professionals CISOs Developers Operators References HashiCorp Vault Open Source Secrets Management Secrets Management Solutions and Architecture ", "summary" : "Why This Working Session will focus on secrets management - a key element of DevSecOps.\nSecrets are being used everywhere nowadays with the DevOps movement. API keys, database credentials, IAM permissions, SSH keys, certificates, etc. 
Many organizations have them hard coded in source code, littered throughout configuration files and configuration management tools, and stored in plaintext in version control.\nThere is a big need for the centralization of secrets to improve the security posture and prevent secrets from leaking and compromising the organization.", "title" : "Secrets Management", "track" : "DevSecOps", "type" : "working-session", "word_count" : 218, "params" : {"categories":null,"description":"Secrets Management in a DevSecOps world","draft":false,"featured":null,"fixed":true,"iscjklanguage":false,"lastmod":"2019-06-03T15:23:06+01:00","organizers":["Dominik de Smit"],"participants":null,"room_id":"room-5","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Secrets Management","topics":null,"track":"DevSecOps","type":"working-session","when_day":"Wed","when_time":"PM-1"} } , { "id" : "2b3a104846d0021ba689ffe267cf5960", "file_path" : "tracks/DevSecOps/working-sessions/securing-the-ci-pipeline.md", "last_modified" : "2019-05-31T09:19:53+02:00", "link" : "/tracks/devsecops/working-sessions/securing-the-ci-pipeline/", "content_plain" : " Why This Working Session will consider the securing of the CI Pipeline - A key element of DevOps.\nDoing CI builds, testing, and deployments has many advantages when done correctly. Libraries from 3rd parties used in your build can be hosted on compromised servers. 
Even signing your packages or artifacts automatically could result in you delivering compromised software to others.\nWhat Identify best practice for DevOps and Developers Agree what to include in a cheat sheet for developers who use third party services Agree recommendations for 3rd party service providers (for example, provide warning messages of possible insecurities) Outcomes This Working Session will publish:\n A set of practices for DevOps and Developers Cheat sheet for developers who use third party services Recommendations for 3rd party service providers Who DevSecOps 3rd party service providers: Travis, SNYK, Codiscope, Gitlab, Node Security, \u0026hellip;. Security professionals Developers References How to Secure a Continuous Integration Process DEF CON 22 - Kyle Kelley and Greg Anderson - Is This Your Pipe? Hijacking the Build Pipeline Devops Pro Europe 2019 - Jeroen Willemsen - Securing your CI/CD Pipeline Previous Summit Working Session https://owaspsummit.org/Working-Sessions/DevSecOps/Securing-the-CI-Pipeline.html\n", "summary" : "Why This Working Session will consider the securing of the CI Pipeline - A key element of DevOps.\nDoing CI builds, testing, and deployments has many advantages when done correctly. Libraries from 3rd parties used in your build can be hosted on compromised servers. 
Even signing your packages or artifacts automatically could result in you delivering compromised software to others.\nWhat Identify best practice for DevOps and Developers Agree what to include in a cheat sheet for developers who use third party services Agree recommendations for 3rd party service providers (for example, provide warning messages of possible insecurities) Outcomes This Working Session will publish:", "title" : "Securing the CI Pipeline", "track" : "DevSecOps", "type" : "working-session", "word_count" : 185, "params" : {"categories":null,"description":"Secure the CI/CD pipeline","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T09:19:53+02:00","organizers":["(one of participants)"],"participants":null,"room_id":"room-5","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUNFBMAL","status":"review-content","technology":null,"title":"Securing the CI Pipeline","topics":["CI Pipeline"],"track":"DevSecOps","type":"working-session","when_day":"Thu","when_time":"PM-2,PM-3"} } , { "id" : "bdd2fdbdb804702debbab2596d419ef9", "file_path" : "tracks/DevSecOps/user-sessions/wafs-understanding-and-meauring-how-they-behave.md", "last_modified" : "2019-05-29T13:37:24+01:00", "link" : "/tracks/devsecops/user-sessions/wafs-understanding-and-meauring-how-they-behave/", "content_plain" : "", "summary" : "", "title" : "WAFs - Understanding and measuring how they behave", "track" : "DevSecOps", "type" : "user-session", "word_count" : 0, "params" : {"categories":null,"description":"","draft":false,"featured":null,"host_link":null,"host_text":null,"iscjklanguage":false,"lastmod":"2019-05-29T13:37:24+01:00","organizers":["George Glass"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"session_type":"public","status":"draft","technology":null,"title":"WAFs - Understanding and measuring how they behave","track":"DevSecOps","type":"user-session","when_day":"Eve-2","when_time":null} } , { "id" : 
"f790432df99915a7e849cbad8c7698ab", "file_path" : "tracks/DevSecOps/user-sessions/writing-security-tests-to-confirm-vulnerabilities-and-fixes.md", "last_modified" : "2019-05-29T10:23:40+01:00", "link" : "/tracks/devsecops/user-sessions/writing-security-tests-to-confirm-vulnerabilities-and-fixes/", "content_plain" : "Hands on session writing security tests\nSee previous summit session on this topic\n", "summary" : "Hands on session writing security tests\nSee previous summit session on this topic", "title" : "Writing security tests to confirm vulnerabilities and fixes", "track" : "DevSecOps", "type" : "user-session", "word_count" : 13, "params" : {"description":"Hands on session writing security tests","draft":false,"iscjklanguage":false,"lastmod":"2019-05-29T10:23:40+01:00","organizers":["Dinis Cruz"],"participants":null,"room_id":"room-6","session_slack":"https://os-summit.slack.com/messages/CAVHKD1TP","status":"draft","technology":null,"title":"Writing security tests to confirm vulnerabilities and fixes","topics":null,"track":"DevSecOps","type":"user-session","when_day":"Thu","when_time":"PM-1"} } , { "id" : "bdef93e43c9e16c55c4de084b3eefe89", "file_path" : "tracks/Misc/_index.md", "last_modified" : "2019-05-29T13:24:47+01:00", "link" : "/tracks/misc/", "content_plain" : "Sessions on multiple topics\n", "summary" : "Sessions on multiple topics", "title" : "Misc", "track" : null, "type" : "track", "word_count" : 4, "params" : {"description":"Sessions on multiple topics","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-29T13:24:47+01:00","organizers":null,"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAULHPHU2","title":"Misc","type":"track","when_day":"Mon,Wed,Fri"} } , { "id" : "6213edb7cd6c49d6bd5318f543c18970", "file_path" : "tracks/Misc/using-graphs-for-gdpr-mappings.md", "last_modified" : "2019-06-05T20:50:18+01:00", "link" : "/tracks/misc/using-graphs-for-gdpr-mappings/", "content_plain" : "Create graphs as 
shows in the https://github.com/pbx-gs/gdpr-patterns project\n", "summary" : "Create graphs as shows in the https://github.com/pbx-gs/gdpr-patterns project", "title" : "", "track" : null, "type" : "tracks", "word_count" : 8, "params" : {"draft":false,"iscjklanguage":false,"lastmod":"2019-06-05T20:50:18+01:00"} } , { "id" : "7d5d520ecaac745919dc54df6623db6a", "file_path" : "tracks/Misc/ask-me-anything-on-gdpr.md", "last_modified" : "2019-06-03T23:35:28+01:00", "link" : "/tracks/misc/ask-me-anything-on-gdpr/", "content_plain" : "\u0026lsquo;Ask Me Anything\u0026rsquo; session where tech and non-tech people can ask anything someone who is from the industry relating to GDPR\n", "summary" : "\u0026lsquo;Ask Me Anything\u0026rsquo; session where tech and non-tech people can ask anything someone who is from the industry relating to GDPR", "title" : "Ask me anything (AMA) on GDPR", "track" : "Misc", "type" : "user-session", "word_count" : 21, "params" : {"categories":["GDPR"],"description":"Ask all the burning questions you have on GDPR","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T23:35:28+01:00","organizers":["Tony Richards"],"participants":null,"room_id":"room-5","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAXGQ98RK","status":"review-content","technology":null,"title":"Ask me anything (AMA) on GDPR","track":"Misc","type":"user-session","when_day":"Tue","when_time":"AM-1"} } , { "id" : "31bd64d632566592a45f80ebb34e9b27", "file_path" : "tracks/Misc/improving-chaos-toolkit.md", "last_modified" : "2019-06-07T09:30:28+01:00", "link" : "/tracks/misc/improving-chaos-toolkit/", "content_plain" : " The Chaos Toolkit provides a Universal API for Chaos Engineering experiments that is then used to drive various implementations of chaos-causing and system-state-probing functions.\nThis session will focus on how the Chaos Toolkit, and the project\u0026rsquo;s open source ecosystem, can be practically used and extended for 
DevSecOps concerns to deliver on the needs of automation and collaboration.\nWHY Chaos is about introducing learning loops so that trust and confidence in systems can be maintained in the face of constant change.\nThe Chaos Toolkit provides a free and open source tool and community that can be extended to explore security weaknesses through the chaos engineering discipline.\nTo implement the necessary chaos-driving and system-probing functions for DevSecOps, the Chaos Toolkit will need to be extended using it\u0026rsquo;s \u0026ldquo;driver\u0026rdquo; extension point. This session will focus on how to so that.\nWhat This session will explore, using real code, the ways of extending the Chaos Toolkit to meet DevSecOps concerns.\nOutcomes Attendees will have an excellent grasp of the architecture of the Chaos Toolkit and the various ways in which it can be extended. They will have built one real-world \u0026ldquo;driver\u0026rdquo; from scratch themselves and know how to do the same for general-purpose, or even private and specific, real-world DevSecOps concerns.\nReferences The Chaos Toolkit: http://chaostoolkit.org/ The Chaos Toolkit Universal Open API for Chaos Engineering: http://chaostoolkit.org/reference/api/experiment/ Contributing to and Extending The Chaos Toolkit: http://chaostoolkit.org/reference/contributing/ Extension approaches in the Chaos Toolkit: http://chaostoolkit.org/reference/extending/approaches/ The Chaos Toolkit incubator for current, real-world \u0026ldquo;drivers\u0026rdquo;: https://github.com/chaostoolkit-incubator\n", "summary" : "The Chaos Toolkit provides a Universal API for Chaos Engineering experiments that is then used to drive various implementations of chaos-causing and system-state-probing functions.\nThis session will focus on how the Chaos Toolkit, and the project\u0026rsquo;s open source ecosystem, can be practically used and extended for DevSecOps concerns to deliver on the needs of automation and collaboration.\nWHY Chaos is 
about introducing learning loops so that trust and confidence in systems can be maintained in the face of constant change.", "title" : "Customising the Chaos Engineering Toolkit", "track" : "Misc", "type" : "working-session", "word_count" : 246, "params" : {"categories":["API Security"],"description":"Practical Guide to Extending the Chaos Toolkit for DevSecOps concerns.","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-07T09:30:28+01:00","locked":false,"organizers":["(one of participants)"],"participants":null,"room_id":"room-5","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUS7SZEV","status":"review-content","technology":null,"title":"Customising the Chaos Engineering Toolkit","track":"Misc","type":"working-session","when_day":"Fri","when_time":"PM-1"} } , { "id" : "de6d3848541c301c4f947a266be9d8e0", "file_path" : "tracks/Misc/cyber-risk-modeling.md", "last_modified" : "2019-06-06T17:13:11+01:00", "link" : "/tracks/misc/cyber-risk-modeling/", "content_plain" : " Why Phil brings his extensive experience to a discussion on modelling (general) risk and comparing security risk modelling maturity to other markets (finance, insurance, medical..). This also involves attribution of $ value to risk and how security teams can talk the language of the business\nWhat Current Security Risk Management is Broken There is a lot of complexity and uncertainty in cyber risk. Current practice tends to hide uncertainty and present certainty.\nWe use Ordinal Scales (Red, Amber, Green / High, Medium, Low / 1,2,3,4,5 etc) rather than Cardinal measures (£ or %). Is a red x red risk a really red risk? Twice as bad? Three times as bad? We then assign numerical values to support ‘risk arithmetic’ (5 x 5 = 25 /2.5 = risk score) OWASP Risk Rating Methodology (Risk Factors / Ordinal Scales)\nWe then use risk matrices that arbitrarily identify an ordinal boundary as the ‘risk appetite’. 
(Amber =Good, red = Bad).\nBy assigning a single value to probability and impact we are communicating a level of certainty about the outcome we don’t really have.\nPeople are individually poor at prediction Hedgehogs / Foxes / Superpredictors\nWe are awash with data about cyber events but few documented robust statistical methods deployed.\nThe solutions are well known by other risk professions\nQuantitative Risk Approaches\nProbability of event Range of outcomes (lognormal distribution) Monte Carlo Simulation Loss Exceedance Curves \u0026lt;- Business understands these FAIR / OpenFAIR\nPrediction Approaches Risk Panels Averaged predictions Feedback !!!!!!!!! Brier Scores Base Rate Data Calibration\nReferences: Dan Geer Doug Hubbard Philip Tetlock Jack Jones Ryan Huber\nOutcomes Who References ", "summary" : "Why Phil brings his extensive experience to a discussion on modelling (general) risk and comparing security risk modelling maturity to other markets (finance, insurance, medical..). This also involves attribution of $ value to risk and how security teams can talk the language of the business\nWhat Current Security Risk Management is Broken There is a lot of complexity and uncertainty in cyber risk. 
Current practice tends to hide uncertainty and present certainty.", "title" : "Cyber Risk Modeling", "track" : "Misc", "type" : "working-session", "word_count" : 267, "params" : {"categories":["CISO","RISK"],"description":"Session on Risk Modeling","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-06T17:13:11+01:00","organizers":"Phil Huggins, Ben Schofield","room_id":"room-4","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVGVTQ85","status":"review-content","title":"Cyber Risk Modeling","track":"Misc","type":"working-session","when_day":"Thu","when_time":"PM-3"} } , { "id" : "9f96ce00f5115348286b0af33e4f6aee", "file_path" : "tracks/Misc/intel.md", "last_modified" : "2019-06-06T19:54:55+01:00", "link" : "/tracks/misc/intel/", "content_plain" : " We all bring value to a diverse team, are you aware of the intelligences your colleagues bring and how to best communicate with them?\nOutcomes TBD\nReferences TBD\nPrevious\u0026ndash;\u0026gt; ", "summary" : " We all bring value to a diverse team, are you aware of the intelligences your colleagues bring and how to best communicate with them?\nOutcomes TBD\nReferences TBD\nPrevious\u0026ndash;\u0026gt; ", "title" : "Emotional/Multiple Intelligence", "track" : "Misc", "type" : "working-session", "word_count" : 29, "params" : {"categories":["Emotional Intelligence","Multiple Intelligence","Inclusivity"],"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-06T19:54:55+01:00","organizers":"Jemma Davis","participants":"Robert Grace","room_id":"room-2","room_layout":null,"session_slack":null,"status":"done","technology":null,"title":"Emotional/Multiple Intelligence","track":"Misc","type":"working-session","when_day":"Fri","when_time":"AM-1"} } , { "id" : "ffb189444d14db7f08cea7a866cd9741", "file_path" : "tracks/Misc/how-do-cyber-professionals-protect-themselves.md", "last_modified" : "2019-06-06T16:13:42+01:00", "link" : 
"/tracks/misc/how-do-cyber-professionals-protect-themselves/", "content_plain" : " WHY How do we get the business people interested in (and putting a value on) security. They need to understand how exposed they are, high profile celebrities and major company execs will have active cyber protection programmes. How can we share basic good cyber hygiene good practice to help those outside the cyber community\nWhat (\u0026hellip;)\nOutcomes In the oss_bot channel on Open Security Summit (os-summit.slack.com)\nList running servers \u0026ldquo;jp servers\u0026rdquo;\noss_bot APP [1:53 PM] :point_right: Here are the running servers: jp-tests: open (id: 955c6, user: @Lauren Chiesa, started: 10:27, timeout: 240) jp-monday: open (id: a1e40, user: @Ben Schofield, started: 10:20, timeout: 240) jp-samm: open (id: ec33c, user: @Robert Grace, started: 08:53, timeout: 240)\nOpen the server link https://XXXXXXXXXX.ngrok.io/notebooks/users/BenSchofield/How%20do%20Cyber%20Professionals%20protect%20themselves.ipynb\nRun the notebook References (\u0026hellip;)\n", "summary" : "WHY How do we get the business people interested in (and putting a value on) security. They need to understand how exposed they are, high profile celebrities and major company execs will have active cyber protection programmes. 
How can we share basic good cyber hygiene good practice to help those outside the cyber community\nWhat (\u0026hellip;)\nOutcomes In the oss_bot channel on Open Security Summit (os-summit.slack.com)\nList running servers \u0026ldquo;jp servers\u0026rdquo;", "title" : "How do Cyber Professionals protect themselves", "track" : null, "type" : "working-session", "word_count" : 124, "params" : {"description":"","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-06T16:13:42+01:00","organizers":["Ben Schofield"],"participants":null,"room_id":"villa-4","room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"How do Cyber Professionals protect themselves","topics":null,"type":"working-session","when_day":"Tue","when_time":"Eve-1"} } , { "id" : "a214de81ce39f59a44ceb3458a10010e", "file_path" : "tracks/Misc/introduction-to-cynefin-framework.md", "last_modified" : "2019-06-04T22:29:01+01:00", "link" : "/tracks/misc/introduction-to-cynefin-framework/", "content_plain" : "", "summary" : "", "title" : "Introduction to Cynefin Framework", "track" : "Misc", "type" : "user-session", "word_count" : 0, "params" : {"description":"New to Cynefin Framework? 
This session is for you","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-04T22:29:01+01:00","organizers":["Dave Snowden"],"room_id":"room-2","room_layout":null,"session_slack":null,"status":null,"technology":null,"title":"Introduction to Cynefin Framework","topics":["Cynefin Framework"],"track":"Misc","type":"user-session","when_day":"Wed","when_time":"PM-1"} } , { "id" : "cdf11877f6f7afa702b3fb74da4cda71", "file_path" : "tracks/Misc/oss-bot-and-argumentation-models.md", "last_modified" : "2019-06-07T09:40:47+01:00", "link" : "/tracks/misc/oss-bot-and-argumentation-models/", "content_plain" : "", "summary" : "", "title" : "OSS BOT and Argumentation Models", "track" : null, "type" : "working-session", "word_count" : 0, "params" : {"description":"","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-07T09:40:47+01:00","organizers":null,"participants":null,"room_id":"room-3","room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"OSS BOT and Argumentation Models","topics":null,"type":"working-session","when_day":"Fri","when_time":"PM-1"} } , { "id" : "1b66f35576bea7bdde5a3319c74f8b3e", "file_path" : "tracks/Misc/community-docs.md", "last_modified" : "2019-06-03T22:21:35+01:00", "link" : "/tracks/misc/community-docs/", "content_plain" : "We\u0026rsquo;ll work on creating new content for the repo https://github.com/OWASP/community-docs.\nWill also contribute to https://github.com/OWASP/owasp-swag.\nCome and create content for others to promote your own project!\nBacked by the OWASP Orange County Chapter\n", "summary" : "We\u0026rsquo;ll work on creating new content for the repo https://github.com/OWASP/community-docs.\nWill also contribute to https://github.com/OWASP/owasp-swag.\nCome and create content for others to promote your own project!\nBacked by the OWASP Orange County Chapter", "title" : "OWASP community-docs", "track" : "Misc", "type" : "working-session", "word_count" : 33, "params" : 
{"categories":null,"description":"Documents related to community outreach promoting OWASP content","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T22:21:35+01:00","organizers":["Jonathan Marcil"],"participants":null,"room_id":"virtual-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CK7JX129W","status":"done","technology":null,"title":"OWASP community-docs","track":"Misc","type":"working-session","when_day":"Tue","when_time":"Eve-1"} } , { "id" : "81bfa392fbe2fe40fce27469b5988da3", "file_path" : "tracks/Misc/real-world-chaos-engineering.md", "last_modified" : "2019-06-08T12:12:13+01:00", "link" : "/tracks/misc/real-world-chaos-engineering/", "content_plain" : " In this session a collection of real-world security cases will be explored through the lens of the chaos engineering discipline.\nWHY In the face of increased speed of system evolution and complexity, systems are becoming harder to trust and have confidence in expecially from a security perspective.\nChaos engineering provides a specific mindset that augments the existing security mindset to provide a basis for automated exploring and discovering of weaknesses before your customers experience them.\nThis session will show how that mindset can be applied to common, real-world security cases and how, using the Deliberate Practice of Chaos Engineering, improve the entire sociotechnical system to mitigate and respond, and even preempt, these types of weaknesses coming to light.\nWhat Through real-world examples of chaos engineering, the attendees will explore recent and organisation-specific security weaknesses and how chaos engineering can be brought to bear on those weaknesses.\nOutcomes Attendees will have explored a wealth of their own, and real-world, use cases and know, through real-world chaos engineering examples, how the chaos engineering mindset and process can provide a new tool for exploring and defeating sociotechnical system weaknesses proactively.\nReferences 
The Principles of Chaos:http://principlesofchaos.org/\n", "summary" : "In this session a collection of real-world security cases will be explored through the lens of the chaos engineering discipline.\nWHY In the face of increased speed of system evolution and complexity, systems are becoming harder to trust and have confidence in expecially from a security perspective.\nChaos engineering provides a specific mindset that augments the existing security mindset to provide a basis for automated exploring and discovering of weaknesses before your customers experience them.", "title" : "Real world Chaos Engineering", "track" : "Misc", "type" : "working-session", "word_count" : 192, "params" : {"categories":["API Security"],"description":"An exploration and working session to characterise, explore and implement real-world DevSecOps chaos experiments.","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-08T12:12:13+01:00","organizers":["Jean-Jacques MOIROUX"],"participants":null,"room_id":"room-4","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUN7NXFS","status":"review-content","technology":null,"title":"Real world Chaos Engineering","track":"Misc","type":"working-session","when_day":"Fri","when_time":"AM-1"} } , { "id" : "ccad9b0249d5b39a9ca8fef6761bf4b2", "file_path" : "tracks/Misc/scaling-api-security.md", "last_modified" : "2019-06-06T10:30:35+01:00", "link" : "/tracks/misc/scaling-api-security/", "content_plain" : "", "summary" : "", "title" : "Scaling API Security", "track" : "Misc", "type" : "working-session", "word_count" : 0, "params" : {"categories":["API Security"],"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-06T10:30:35+01:00","organizers":["(one of participants)"],"participants":null,"room_id":"room-3","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Scaling API 
Security","track":"Misc","type":"working-session","when_day":"Thu","when_time":"DS-3"} } , { "id" : "af45ebc2d98e3af8b7d98700464c26a9", "file_path" : "tracks/Misc/securing-kubernetes-hosted-apis.md", "last_modified" : "2019-06-06T10:30:35+01:00", "link" : "/tracks/misc/securing-kubernetes-hosted-apis/", "content_plain" : "", "summary" : "", "title" : "Securing Kubernete's hosted APIs", "track" : "Misc", "type" : "working-session", "word_count" : 0, "params" : {"categories":["API Security"],"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-06T10:30:35+01:00","organizers":["(one of participants)"],"participants":null,"room_id":"room-5","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Securing Kubernete's hosted APIs","track":"Misc","type":"working-session","when_day":"Thu","when_time":"DS-3"} } , { "id" : "db85c7f95975ea586572686a6753cc4f", "file_path" : "tracks/Misc/security-challenges-what-challenges.md", "last_modified" : "2019-06-03T00:04:23+01:00", "link" : "/tracks/misc/security-challenges-what-challenges/", "content_plain" : " If we\u0026rsquo;re all so smart, and are working so hard, why does everything seem so awful?\nWHY Considering how intelligent security practioners are, how well funded they are, and how hard they work, it feels as though the industry should be obtaining better results than it is currently receiving.\nTherefore there must be something systematically wrong with the way that cyber security is being run, and must be a way to achieve better results with the same resources.\nWhat The current plan is that there will be some kind of introduction by the track organiser, followed by a round table discussion of the issues raised.\nOutcomes Introduction to the general hypothesis that, for the intelligence of the people involved, and the resources dedicated to the task, that cyber security is less effective than it should be, and therefore that the overall strategy 
determine how resources are used is flawed. Determine who interested parties are, or if there is sufficient interest, as this is a more wide-ranging subject area than most for the summit. References Nick Drage\u0026rsquo;s presentation can be found here: https://www.youtube.com/watch?v=516Z420BgkE\nThe most recent blog post on the subject can be found here: http://blog.sonofsuntzu.org.uk/post/2018/12/11/Lessons-From-The-Legion-ISSA-UK-Christmas-Meeting-2018\nPrevious\u0026ndash;\u0026gt; ", "summary" : "If we\u0026rsquo;re all so smart, and are working so hard, why does everything seem so awful?\nWHY Considering how intelligent security practioners are, how well funded they are, and how hard they work, it feels as though the industry should be obtaining better results than it is currently receiving.\nTherefore there must be something systematically wrong with the way that cyber security is being run, and must be a way to achieve better results with the same resources.", "title" : "Security Challenges - An Introduction", "track" : "Misc", "type" : "working-session", "word_count" : 196, "params" : {"categories":["Strategic Challenges","Strategy overview"],"description":"Introduction and overview","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-03T00:04:23+01:00","organizers":"Nick Drage","outcome_items":null,"outcome_next_steps":null,"outcome_summary":null,"outcomes_slide":"https://docs.google.com/presentation/d/1-oIbl9U_CKx3kua9YI9wutK6ZCa3_OHd7JhrtIkZbsE/edit","participants":null,"room_id":"room-2","room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Security Challenges - An Introduction","track":"Misc","type":"working-session","when_day":"Mon","when_time":"PM-2"} } , { "id" : "5177c8043fe24f2a09bcede3a5c0328a", "file_path" : "tracks/Misc/security-challenges-others.md", "last_modified" : "2019-06-05T10:12:28+01:00", "link" : "/tracks/misc/security-challenges-others/", "content_plain" : " Wednesday is a busy day 
for the summit, and some participants may have commitments elsewhere, such as at InfoSec Europe and BSides London. Therefore, wherever you are today, spend your time looking at what strategies and assumptons are already in use:\nWHY By looking at the challenges we face abstractly, away from the day to day docket of tasks that must simply be dealt with as quickly as possible, we can find better ways of preventing fires rather than always putting them out.\nExamples The track organiser\u0026rsquo;s examples of the understated assumptions and strategies already in play:\n Bug bounty companies: that sufficient coverage of security vulnerabilities exploited by teams of motivated attackers can be achieved using a horde of enthusiasts working largely without co-ordination. Conference organisers and training vendors: that individual technical excellence is the most important factor when determining the success or failure of a cyber security endeavour, such as attacking or defending an organisation. DevSecOps: that sufficient staff can be found to cover the combined intellectual requirements of at least three traditionally distinct disciplines. Firewall vendors: that is possible, and optimal, to prevent most compromises before they achieve any intrusion on to any part of an estate rather than using initial intrusions as high fidelity information on attacks. Penetration testing: that it is possible to find a sufficient number of issues with a system by looking at externally, that an adversarial mindset is best employed in relatively small and time-boxed activities. Threat Intelligence: that attackers change their methods so infrequently that IOCs are of value. And that that intelligence is best shared among relatively small groups of trusted peers rather than more widely. User education services: that internal networks cannot be secured, and that users - as the perimeter for an organisation at the application layer - must be hardened against attack. 
More examples to follow\u0026hellip;\nOutcomes Participants generate their own list of strategies which they see in play, and submit them to an agreed location on thie Github, or present them on the Thursday.\nReferences TBD\nPrevious\u0026ndash;\u0026gt; ", "summary" : "Wednesday is a busy day for the summit, and some participants may have commitments elsewhere, such as at InfoSec Europe and BSides London. Therefore, wherever you are today, spend your time looking at what strategies and assumptons are already in use:\nWHY By looking at the challenges we face abstractly, away from the day to day docket of tasks that must simply be dealt with as quickly as possible, we can find better ways of preventing fires rather than always putting them out.", "title" : "Security Challenges - Analyse others", "track" : "Misc", "type" : "working-session", "word_count" : 340, "params" : {"categories":["Strategic Challenges"],"description":"What strategies are already in use?","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-05T10:12:28+01:00","organizers":"Nick Drage","participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"ok","technology":null,"title":"Security Challenges - Analyse others","track":"Misc","type":"working-session","when_day":"Wed","when_time":"AM-1"} } , { "id" : "46a8e2671df49cbb70b398e1afde5e81", "file_path" : "tracks/Misc/security-challenges-analysis-analogies.md", "last_modified" : "2019-06-04T12:17:53+01:00", "link" : "/tracks/misc/security-challenges-analysis-analogies/", "content_plain" : " Having looked at some of the characteristics of the cyber security industry, we will now brainstorm on other industries or busineses or organisations or systems or situations that exhibit similar characteristics. 
What do specific charactertistics remind you of, what are the factors that determine whether you succeed or fail?\nWHY By looking at the challenges we face abstractly, away from the day to day docket of tasks that must simply be dealt with as quickly as possible, we can find better ways of preventing fires rather than always putting them out.\nThe emphasis for this session will be on simply identifying other situations worthy of further investigation.\nWhat The track organiser will have picked some of the outcomes from the session as a starting point, those that seem most promising for further investigation.\nIf there\u0026rsquo;s time the track organiser will describe what he means by an \u0026ldquo;underlying assumption\u0026rdquo;, to give participants something to think about over Wednesday, and possibly Thursday.\nOutcomes A list of other industries or contexts that are worthy of further investigation. References TBD\nPrevious\u0026ndash;\u0026gt; ", "summary" : "Having looked at some of the characteristics of the cyber security industry, we will now brainstorm on other industries or busineses or organisations or systems or situations that exhibit similar characteristics. 
What do specific charactertistics remind you of, what are the factors that determine whether you succeed or fail?\nWHY By looking at the challenges we face abstractly, away from the day to day docket of tasks that must simply be dealt with as quickly as possible, we can find better ways of preventing fires rather than always putting them out.", "title" : "Security Challenges - Analysis, Analogies", "track" : "Misc", "type" : "working-session", "word_count" : 177, "params" : {"categories":["Analogies","Analysis of cyber security","Strategic Challenges"],"description":"Next step, analyse cyber security in very general terms","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-04T12:17:53+01:00","organizers":"Nick Drage","participants":null,"room_id":"room-2","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Security Challenges - Analysis, Analogies","track":"Misc","type":"working-session","when_day":"Tue","when_time":"PM-3"} } , { "id" : "fcb6ec175ec11392af0745c7f9293ad3", "file_path" : "tracks/Misc/security-challenges-review.md", "last_modified" : "2019-06-05T22:09:51+01:00", "link" : "/tracks/misc/security-challenges-review/", "content_plain" : " The \u0026ldquo;underlying assumptions\u0026rdquo; idea wasn\u0026rsquo;t put forward on Tuesday, and is still half-formed; and I under-estimated how many people would be here for the entire week. 
Also my idea wasn\u0026rsquo;t relevant to the participants of the Summit, as almost everyone is here for the entire week.\nAlso I think everyone interested in the higher strategic issues we face should attend the available Wardley Mapping sessions.\nI\u0026rsquo;m available to discuss this at any point during the day during the breaks.\nPrevious\u0026ndash;\u0026gt; ", "summary" : "The \u0026ldquo;underlying assumptions\u0026rdquo; idea wasn\u0026rsquo;t put forward on Tuesday, and is still half-formed; and I under-estimated how many people would be here for the entire week. Also my idea wasn\u0026rsquo;t relevant to the participants of the Summit, as almost everyone is here for the entire week.\nAlso I think everyone interested in the higher strategic issues we face should attend the available Wardley Mapping sessions.\nI\u0026rsquo;m available to discuss this at any point during the day during the breaks.", "title" : "Security Challenges - Collate others' strategies and assumptions", "track" : "Misc", "type" : "working-session", "word_count" : 80, "params" : {"categories":["Strategic Challenges"],"description":"Collate results from Wednesday.","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-05T22:09:51+01:00","organizers":"Nick Drage","participants":"Jim Newman","room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Security Challenges - Collate others' strategies and assumptions","track":"Misc","type":"working-session","when_day":null,"when_time":null} } , { "id" : "2f93cf18e3e6ee96a24535c5b121a3d8", "file_path" : "tracks/Misc/security-challenges-next-step.md", "last_modified" : "2019-06-07T09:30:28+01:00", "link" : "/tracks/misc/security-challenges-next-step/", "content_plain" : " This is the latest version of this idea, partly inspired by a quick conversation with Dinis on Thursday evening.\nOutcomes Answers to the following questions, raised during the week:\n Is the approach of finding 
similar industries or situations valid? Does Dave Snowden\u0026rsquo;s experience support following or abandoning this methodology? If it\u0026rsquo;s not valid, what methodologies should be used to create or find, and test, the correct strategies? Can we learn from other practitioners in related areas as a useable \u0026ldquo;hack\u0026rdquo; to choose effective new strategies rapidly?\n What are the underlying assumptions of the current strategies? Are those underlying assumptions valid?\n Is this area of study financially or practically viable?\n References TBD\nPrevious\u0026ndash;\u0026gt; ", "summary" : "This is the latest version of this idea, partly inspired by a quick conversation with Dinis on Thursday evening.\nOutcomes Answers to the following questions, raised during the week:\n Is the approach of finding similar industries or situations valid? Does Dave Snowden\u0026rsquo;s experience support following or abandoning this methodology? If it\u0026rsquo;s not valid, what methodologies should be used to create or find, and test, the correct strategies? Can we learn from other practitioners in related areas as a useable \u0026ldquo;hack\u0026rdquo; to choose effective new strategies rapidly?", "title" : "Security Challenges - Next step", "track" : "Misc", "type" : "working-session", "word_count" : 112, "params" : {"categories":["Where do we go from here?","Strategic Challenges"],"description":"Is this viable? 
Where do we go?","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-07T09:30:28+01:00","organizers":"Nick Drage","participants":"Jim Newman","room_id":"room-3","room_layout":null,"session_slack":null,"status":null,"technology":null,"title":"Security Challenges - Next step","track":"Misc","type":"working-session","when_day":"Fri","when_time":"AM-1"} } , { "id" : "c67bc3d9daa297903169b9651f201260", "file_path" : "tracks/Misc/third-party-due-diligence.md", "last_modified" : "2019-06-06T10:30:35+01:00", "link" : "/tracks/misc/third-party-due-diligence/", "content_plain" : " Why Every company has their own third party due diligence methods. Mostly a mix of questionnaires, open source investigations, sometimes onsite assessments. This is not efficient in today\u0026rsquo;s world as poor vendors are forced to spend 100s of hours each year filling in questionnaires with the same or similar questions over and over again.\nWhat I believe we should have a restricted opensource platform where the members would agree on a framework and scoring system for third party due diligence from a cyber perspective. (later may be expanded in other compliance areas too) This should perform the evaluation, follow-up assessments annually (or at major changes like M\u0026amp;As), tracking for resolutions of the findings. Things to consider: Are we assessing the corporate controls of the vendor or their solution\u0026rsquo;s security, or both? What framework or frameworks are best suited for this? MITRE, NIST, ISO?? Scores on maturity, flags on category of information classification that is recommended to be shared with the vendor (i.e. do not share non-public information with this vendor until they remediate findings A, B, C) Funding for the activities - should we form a consortium like what FS-ISAC does for threat intelligence? 
If the third party is a critical outsourcing partner, would the standard evaluation be sufficient, or should there be additional things to consider?\nOutcomes Hard to tell, this session will be a good start on shaping the future of this activity.\nWho In the last ten years, every job I had included third party assurance work and I kept sending similar questionnaires to the same vendors over and over. This needs to be improved and in this era of open sourcing everything, I believe we can do better if we came up with a shared model for third party due diligence.\nReferences ", "summary" : "Why Every company has their own third party due diligence methods. Mostly a mix of questionnaires, open source investigations, sometimes onsite assessments. This is not efficient in today\u0026rsquo;s world as poor vendors are forced to spend 100s of hours each year filling in questionnaires with the same or similar questions over and over again.\nWhat I believe we should have a restricted opensource platform where the members would agree on a framework and scoring system for third party due diligence from a cyber perspective.", "title" : "Third Party Due Diligence", "track" : "Misc", "type" : "user-session", "word_count" : 290, "params" : {"category":null,"description":"Session on problem and solution discussion","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-06T10:30:35+01:00","organizers":"Didar Gelici","participants":null,"room_id":"room-6","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAURV0D09","status":"draft","title":"Third Party Due Diligence","track":"Misc","type":"user-session","when_day":"Thu","when_time":"DS-3"} } , { "id" : "00667d89af83db9edba17072fe1ae53b", "file_path" : "tracks/OWASP-Juice-Shop/_index.md", "last_modified" : "2019-05-29T12:58:41+02:00", "link" : "/tracks/owasp-juice-shop/", "content_plain" : "This track is focused on OWASP Juice Shop\n", "summary" : "This track is focused on OWASP Juice Shop", "title" : "OWASP Juice 
Shop", "track" : null, "type" : "track", "word_count" : 8, "params" : {"description":"Sessions focusing on OWASP Juice Shop","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-29T12:58:41+02:00","organizers":["Bjoern Kimminich"],"owasp-project":true,"session_slack":"https://os-summit.slack.com/messages/CJZJ487G8","title":"OWASP Juice Shop","type":"track","when_day":"Mon,Tue,Wed,Thu"} } , { "id" : "1f66573baae0718e5eb8a759b2375161", "file_path" : "tracks/OWASP-Juice-Shop/user-sessions/juice-shop-101.md", "last_modified" : "2019-06-03T23:35:28+01:00", "link" : "/tracks/owasp-juice-shop/user-sessions/juice-shop-101/", "content_plain" : " Why Pick up session for all participants who are interested in the OWASP Juice Shop project but have no experience with it yet.\nWhat Target audience are all interested users from Breaker, Builder and Defender communities alike!\n Demo of the project Installation walk-through Advanced features (CTF mode, custom themes etc.) This is not an introduction into the code base or underlying technology! For this we recommend to participate in the Juice Shop Contributor Onboarding session and join any of the evening Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code evening session series!\nReferences Part I - Hacking preparations of the online-readable companion guide eBook Pwning OWASP Juice Shop Online-viewable introduction slide deck ", "summary" : "Why Pick up session for all participants who are interested in the OWASP Juice Shop project but have no experience with it yet.\nWhat Target audience are all interested users from Breaker, Builder and Defender communities alike!\n Demo of the project Installation walk-through Advanced features (CTF mode, custom themes etc.) This is not an introduction into the code base or underlying technology! 
For this we recommend to participate in the Juice Shop Contributor Onboarding session and join any of the evening Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code evening session series!", "title" : "Juice Shop 101", "track" : "OWASP Juice Shop", "type" : "user-session", "word_count" : 107, "params" : {"description":"OWASP Juice Shop introduction for newbies","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T23:35:28+01:00","organizers":"Bjoern Kimminich","participants":null,"room_id":"room-4","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CK1P3HBU6","status":"review-content","technology":null,"title":"Juice Shop 101","topics":null,"track":"OWASP Juice Shop","type":"user-session","when_day":"Tue","when_time":"AM-1"} } , { "id" : "9c94cc81decd911b66c5149d33382808", "file_path" : "tracks/OWASP-Juice-Shop/working-sessions/juice-shop-challenge-refactoring.md", "last_modified" : "2019-06-03T22:29:47+02:00", "link" : "/tracks/owasp-juice-shop/working-sessions/juice-shop-challenge-refactoring/", "content_plain" : " Why The Juice Shop offers 85+ hacking challenges spread across 6 difficulty levels. It is time to review their categories and difficulty ratings for overall consistency and possible improvements.\nWhat Discuss the need for more (or less?) challenge categories Map to additional existing vulnerability catalogs Discuss the need for more (or less?) difficulty levels Define criteria to map challenges to difficulties more easily (e.g. 
\u0026ldquo;Scripting needed?\u0026rdquo; or \u0026ldquo;Multi-step attack required?\u0026rdquo;) Map the existing challenge to the aligned difficulty levels Outcomes This working session can result in e.g.\n pros and cons of the current categorization and difficulty rating schemes recommendation for new categories (or ones to be removed/merged) recommendation for changes in the difficulty levels mapping to get from the current state to the proposed new state The documentation of all the above will be put into (or referred to by) a GitHub issue in the Juice Shop repository.\nReferences Current categories with OWASP/CWE mapping Current difficulty mapping of all challenges ", "summary" : "Why The Juice Shop offers 85+ hacking challenges spread across 6 difficulty levels. It is time to review their categories and difficulty ratings for overall consistency and possible improvements.\nWhat Discuss the need for more (or less?) challenge categories Map to additional existing vulnerability catalogs Discuss the need for more (or less?) difficulty levels Define criteria to map challenges to difficulties more easily (e.g. 
\u0026ldquo;Scripting needed?", "title" : "Juice Shop Challenge Refactoring", "track" : "OWASP Juice Shop", "type" : "working-session", "word_count" : 160, "params" : {"description":"Refactoring the categories and difficulty ratings of the OWASP Juice Shop challenges","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T22:29:47+02:00","organizers":"Bjoern Kimminich","participants":null,"room_id":"room-4","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CK1D4FCSK","status":"review-content","technology":null,"title":"Juice Shop Challenge Refactoring","topics":null,"track":"OWASP Juice Shop","type":"working-session","when_day":"Thu","when_time":"AM-1"} } , { "id" : "bd3848bb7db2cc364df4f617ff29ff0b", "file_path" : "tracks/OWASP-Juice-Shop/user-sessions/juice-shop-contributor-onboarding.md", "last_modified" : "2019-06-03T22:29:47+02:00", "link" : "/tracks/owasp-juice-shop/user-sessions/juice-shop-contributor-onboarding/", "content_plain" : " Why Pick up session for all participants who are interested in contributing to the OWASP Juice Shop project but have no experience with its code base yet.\nWhat Architecture overview Contribution guidelines How a hacking challenge is implemented and tested CI/CD pipeline This is not a basic introduction into the project itself! For this we recommend to participate in the Juice Shop 101 session!\nReferences Chapters Codebase 101 and Contribute to development of the online-readable companion guide eBook Pwning OWASP Juice Shop ", "summary" : " Why Pick up session for all participants who are interested in contributing to the OWASP Juice Shop project but have no experience with its code base yet.\nWhat Architecture overview Contribution guidelines How a hacking challenge is implemented and tested CI/CD pipeline This is not a basic introduction into the project itself! 
For this we recommend to participate in the Juice Shop 101 session!\nReferences Chapters Codebase 101 and Contribute to development of the online-readable companion guide eBook Pwning OWASP Juice Shop ", "title" : "Juice Shop Contributor Onboarding", "track" : "OWASP Juice Shop", "type" : "user-session", "word_count" : 82, "params" : {"description":"OWASP Juice Shop introduction for new contributors","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T22:29:47+02:00","organizers":"Bjoern Kimminich","participants":null,"room_id":"room-4","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CJZH5V1QV","status":"review-content","technology":null,"title":"Juice Shop Contributor Onboarding","topics":null,"track":"OWASP Juice Shop","type":"user-session","when_day":"Tue","when_time":"PM-1"} } , { "id" : "ca17761d785c1c105d77c64449c79ab4", "file_path" : "tracks/OWASP-Juice-Shop/working-sessions/juice-shop-hackathon-mon.md", "last_modified" : "2019-06-03T02:06:48+01:00", "link" : "/tracks/owasp-juice-shop/working-sessions/juice-shop-hackathon-mon/", "content_plain" : " Why Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. 
Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.g.\n PRs being merged into the project\u0026rsquo;s repositories on GitHub translations being improved on CrowdIn the companion guide eBook being extended and improved The results of each day will be accumulated into the Release Notes for the release to be published at the Juice Shop Release Night.\nReferences Chapters Codebase 101 and Contribute to development of the online-readable companion guide eBook Pwning OWASP Juice Shop OWASP Juice Shop\u0026rsquo;s CrowdIn project for i18n and the associated Help with translation chapter in the eBook Previous Juice Shop Contributor Onboarding user session ", "summary" : "Why Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. 
Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.", "title" : "Juice Shop Hack'n'Code (Mon)", "track" : "OWASP Juice Shop", "type" : "working-session", "word_count" : 164, "params" : {"description":"Coding for and hacking of the OWASP Juice Shop","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T02:06:48+01:00","organizers":"Bjoern Kimminich","participants":null,"room_id":"villa-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CJN571RB5","status":"review-content","technology":null,"title":"Juice Shop Hack'n'Code (Mon)","topics":null,"track":"OWASP Juice Shop","type":"working-session","when_day":"Mon","when_time":"Eve-1,Eve-2"} } , { "id" : "ec1e8b2f07ec95e1553ad68f93110405", "file_path" : "tracks/OWASP-Juice-Shop/working-sessions/juice-shop-hackathon-tue.md", "last_modified" : "2019-06-03T02:06:48+01:00", "link" : "/tracks/owasp-juice-shop/working-sessions/juice-shop-hackathon-tue/", "content_plain" : " Why Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. 
Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.g.\n PRs being merged into the project\u0026rsquo;s repositories on GitHub translations being improved on CrowdIn the companion guide eBook being extended and improved The results of each day will be accumulated into the Release Notes for the release to be published at the Juice Shop Release Night.\nReferences Chapters Codebase 101 and Contribute to development of the online-readable companion guide eBook Pwning OWASP Juice Shop OWASP Juice Shop\u0026rsquo;s CrowdIn project for i18n and the associated Help with translation chapter in the eBook Previous Juice Shop Contributor Onboarding user session ", "summary" : "Why Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. 
Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.", "title" : "Juice Shop Hack'n'Code (Tue)", "track" : "OWASP Juice Shop", "type" : "working-session", "word_count" : 164, "params" : {"description":"Coding for and hacking of the OWASP Juice Shop","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T02:06:48+01:00","organizers":"Bjoern Kimminich","participants":null,"room_id":"villa-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CJN571RB5","status":"review-content","technology":null,"title":"Juice Shop Hack'n'Code (Tue)","topics":null,"track":"OWASP Juice Shop","type":"working-session","when_day":"Tue","when_time":"Eve-1,Eve-2"} } , { "id" : "d06fb2744f36455ca4c9ebcd8ce38024", "file_path" : "tracks/OWASP-Juice-Shop/working-sessions/juice-shop-hackathon-wed.md", "last_modified" : "2019-06-03T02:06:48+01:00", "link" : "/tracks/owasp-juice-shop/working-sessions/juice-shop-hackathon-wed/", "content_plain" : " Why Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. 
Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.g.\n PRs being merged into the project\u0026rsquo;s repositories on GitHub translations being improved on CrowdIn the companion guide eBook being extended and improved The results of each day will be accumulated into the Release Notes for the release to be published at the Juice Shop Release Night.\nReferences Chapters Codebase 101 and Contribute to development of the online-readable companion guide eBook Pwning OWASP Juice Shop OWASP Juice Shop\u0026rsquo;s CrowdIn project for i18n and the associated Help with translation chapter in the eBook Previous Juice Shop Contributor Onboarding user session ", "summary" : "Why Develop new features and hacking challenges, beta-test those new challenges and improve the OWASP Juice Shop project across the board.\nWhat Builders work on functionality, bugfixes, new challenges, translations, documentation etc. 
Breakers try to solve challenges, help fine-tune them and might even write some hints/solutions Defenders use their own tools against the Juice Shop to see what they might miss and get ideas how to close gaps Outcomes This working session can result in e.", "title" : "Juice Shop Hack'n'Code (Wed)", "track" : "OWASP Juice Shop", "type" : "working-session", "word_count" : 164, "params" : {"description":"Coding for and hacking of the OWASP Juice Shop","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T02:06:48+01:00","organizers":"Bjoern Kimminich","participants":null,"room_id":"villa-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CJN571RB5","status":"review-content","technology":null,"title":"Juice Shop Hack'n'Code (Wed)","topics":null,"track":"OWASP Juice Shop","type":"working-session","when_day":"Wed","when_time":"Eve-1,Eve-2"} } , { "id" : "900e9ffad116f784086607fc40fc4fa1", "file_path" : "tracks/OWASP-Juice-Shop/working-sessions/juice-shop-release-night.md", "last_modified" : "2019-06-03T13:35:07+02:00", "link" : "/tracks/owasp-juice-shop/working-sessions/juice-shop-release-night/", "content_plain" : " Why Publish the results of the Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code sessions on Monday, Tuesday and Wednesday in a new Juice Shop release!\nWhat Wrap up all changes and perform final QA Update release notes and documentation Merge changes into master branch for final CI/CD run Tag new release and trigger automated deployment Outcomes This working session will result in the public release of v8.7.0 of OWASP Juice Shop. 
The results accumulated from each Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code session on Mon, Tue and Wed evening will be part of this release.\nReferences The main repository\u0026rsquo;s release notes page Juice Shop CI/CD server on Travis-CI Previous Juice Shop Contributor Onboarding user session Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code evening sessions on Mon, Tue and Wed ", "summary" : "Why Publish the results of the Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code sessions on Monday, Tuesday and Wednesday in a new Juice Shop release!\nWhat Wrap up all changes and perform final QA Update release notes and documentation Merge changes into master branch for final CI/CD run Tag new release and trigger automated deployment Outcomes This working session will result in the public release of v8.7.0 of OWASP Juice Shop. The results accumulated from each Juice Shop Hack\u0026rsquo;n\u0026rsquo;Code session on Mon, Tue and Wed evening will be part of this release.", "title" : "Juice Shop Release Night", "track" : "OWASP Juice Shop", "type" : "working-session", "word_count" : 118, "params" : {"description":"Go-live of new OWASP Juice Shop release","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-06-03T13:35:07+02:00","organizers":"Bjoern Kimminich","participants":null,"room_id":"villa-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CJZJ618LQ","status":"review-content","technology":null,"title":"Juice Shop Release Night","topics":null,"track":"OWASP Juice Shop","type":"working-session","when_day":"Thu","when_time":"Eve-1,Eve-2"} } , { "id" : "1862b45e7836f36395d8c8429d4e1f46", "file_path" : "tracks/OWASP-Juice-Shop/protecting-juice-shop-waf.md", "last_modified" : "2019-06-07T09:37:30+01:00", "link" : "/tracks/owasp-juice-shop/protecting-juice-shop-waf/", "content_plain" : "", "summary" : "", "title" : "Protecting JuiceShop with AWS WAF", "track" : null, "type" : "working-session", "word_count" : 0, "params" : 
{"description":"","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-07T09:37:30+01:00","organizers":["Dinis Cruz","Bjoern Kimminich"],"participants":null,"room_id":"room-5","room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Protecting JuiceShop with AWS WAF","topics":null,"type":"working-session","when_day":"Fri","when_time":"AM-1"} } , { "id" : "792b2b345e0d5a85b20c8d7a75ec32e9", "file_path" : "tracks/OWASP-MSTG/_index.md", "last_modified" : "2019-05-29T13:24:47+01:00", "link" : "/tracks/owasp-mstg/", "content_plain" : " Welcome to the Mobile Security track! This track is focusing mainly on the following two documents that were created as part of the OWASP Mobile Security Testing Guide (MSTG) project:\n The Mobile Application Security Verification Standard (MASVS) establishes a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android. The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the MASVS. Slack Please also join our slack channel (especially if you are a remote participant):\n Register an account on the Open Security Summit Slack Join our Slack Channel Why We, the OWASP Mobile Security team, love the OWASP Summit. That time of the year when we come together, all in one place, and forget about the rest of the world (literally as we\u0026rsquo;re in the middle of a forest). Forget about companies / business and concentrate on making the mobile security world a better place. 
To achieve this we tirelessly work on the MSTG to make it even more awesome than it already is.\nWhat Imagine being in the same room as these people who share your same passion:\n the main authors of the MSTG and MASVS security engineers experienced pentesters researchers \u0026hellip; All working together on mobile security topics:\n creating new content for the MSTG researching together on the latest cutting-edge iOS and Android security topics learning and sharing knowledge with other experts and beginners Our working sessions are ticket based, just take the one you like or you\u0026rsquo;ll get one assigned depending on your level of expertise. We want to start the summit with a focus on the following milestones:\n MASVS milestone 1.1.4: MSTG milestone 1.2: Once you start you\u0026rsquo;ll not only have the chance to do a great contribution but also to drive interesting discussions with the rest of the participants.\nThis year we want to focus on the values that made the first summit a great opportunity: learning through contributing!\nEveryone is welcome! If you\u0026rsquo;re already experienced you\u0026rsquo;re probably familiar with the issue that you cannot find any trainings/events on mobile security advanced topics that match your level. Here you\u0026rsquo;ll be able to work hand in hand with people sharing your passion, interest and close to your experience level. One can always learn so much from doing research and being guided by other people (experts or not). If you enjoy sharing your knowledge you\u0026rsquo;ll have the chance to do so at the best working atmosphere. If you\u0026rsquo;re a beginner this is THE PLACE to start!\nCannot come over? Join us remotely! You may want to attend the presentations about onboarding or a 101. Otherwise: contact us, grab a ticket, enjoy the ride! 
We would love to guide you in your contribution and will take on PRs from morning till early evening (21:00).\nCheck the scheduled sessions below.\n", "summary" : "Welcome to the Mobile Security track! This track is focusing mainly on the following two documents that were created as part of the OWASP Mobile Security Testing Guide (MSTG) project:\n The Mobile Application Security Verification Standard (MASVS) establishes a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android. The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security testing and reverse engineering.", "title" : "OWASP MSTG", "track" : null, "type" : "track", "word_count" : 486, "params" : {"description":"Sessions focusing on the OWASP MSTG project.","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-29T13:24:47+01:00","organizers":["Jeroen Willemsen","Carlos Holguera","Sven Schleier","Jeroen Beckers"],"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile","title":"OWASP MSTG","topics":"Mobile Security","type":"track","when_day":"Mon, Tue, Wed, Thu, Fri","when_time":null} } , { "id" : "5833f172d264457810a93fab085c2ba8", "file_path" : "tracks/OWASP-MSTG/working-sessions/android-ios-Security-enhancements-fri.md", "last_modified" : "2019-06-03T01:50:29+01:00", "link" : "/tracks/owasp-mstg/working-sessions/android-ios-security-enhancements-fri/", "content_plain" : " Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5 day-continuous sprint, we want to make the MSTG greater than ever! 
To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.\nWhat Get to share the latest Android and iOS security enhancements The first stream is all about making the guide up to date with the latest security updates on iOS 12, Android 9 and 10:\niOS 12:\n UIWebViews are officially deprecated new AuthenticationServices and Network Frameworks New Password AutoFill Framework for iOS and web apps \u0026hellip; Android 9\u0026frasl;10:\n Scoped Storage: an isolated storage sandbox right on external storage device! The READ_ and WRITE_EXTERNAL_STORAGE permissions are being replaced with more fine-grained media specific permissions. StrongBox Keymaster: an implementation of the Keymaster HAL that resides in a hardware security module. You can now import encrypted keys securely into the Keystore using an ASN.1‑encoded key format. \u0026hellip; This and much more that we or you might know about. Let\u0026rsquo;s make sure we extend the guide on best practices and what testers should look for in terms of bad practices.\nThe focus will be on issues identified for the 1.2 milestone of the MSTG, which you can find at Github.\nGet your hands dirty with the Android and iOS crackmes In the second stream, we want to focus on getting better crackmes and playground apps. In order to do this, there are a bunch of things we need to work on (in order of priority):\n Upgrade the existing crackmes \u0026amp; apps to be compatible with the latest version of iOS and Android. Ensure a proper build pipeline for the apps as part of the project so we can easily fix them. Have newer detection mechanisms in the crackmes, for instance: make sure we have a crackme that effectively refuses to run on a rooted Android device (e.g. running Magisk)? Or make the app Frida-resilient. Or\u0026hellip; whatever you like! Try to make cool challenging apps for other people. 
Just make sure it can be built and tested by the pipeline mentioned in 2. Are UnCrackable App for iOS Level 1 and UnCrackable App for iOS Level 2 too easy for you? Do you have some ideas for a Level 3? In this stream you get the chance to work hand in hand with the Mobile Security team on the MSTG crackme apps. The defenders will make them secure (or intentionally leave some holes) and the attackers will prove they can crack them using the latest techniques and available tools.\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n For creating a better pipeline: a MacBook is recommended, but not mandatory. For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However for many tasks you can use the emulator. 
The MSTG and crackmes are hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes Updated iOS and Android chapters in the MSTG covering the latest security changes in iOS and Android.\nReferences Workflow for MSTG contributions via Github Android Security Android Oreo iOS Security Whitepaper MSTG GitHub Issues MSTG GitHub Project Page MSTG Hacking Playground UnCrackable Mobile Apps UnCrackable App for Android Level 1 UnCrackable App for Android Level 2 UnCrackable App for Android Level 3 UnCrackable App for iOS Level 1 UnCrackable App for iOS Level 2 UnCrackable App repository ", "summary" : "Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5 day-continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.", "title" : "Android and iOS Security Enhancements and Crackme Apps (Fri)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 671, "params" : {"categories":"MSTG","description":"Updating the content of the MSTG","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T01:50:29+01:00","organizers":["Sven Schleier"],"participants":["Jeroen Willemsen","Jeroen Beckers","Carlos Holguera"],"room_id":"room-6","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Android and iOS Security Enhancements and Crackme Apps (Fri)","track":"OWASP MSTG","type":"working-session","when_day":"Fri","when_time":"AM-1,DS-2,PM-1,PM-2"} } , { "id" : "a6ec3460e293053104c052fb7f5d810d", "file_path" : "tracks/OWASP-MSTG/working-sessions/android-ios-Security-enhancements-mon-eve.md", "last_modified" : "2019-06-03T01:50:29+01:00", 
"link" : "/tracks/owasp-mstg/working-sessions/android-ios-security-enhancements-mon-eve/", "content_plain" : " Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5 day-continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.\nWhat Get to share the latest Android and iOS security enhancements The first stream is all about making the guide up to date with the latest security updates on iOS 12, Android 9 and 10:\niOS 12:\n UIWebViews are officially deprecated new AuthenticationServices and Network Frameworks New Password AutoFill Framework for iOS and web apps \u0026hellip; Android 9\u0026frasl;10:\n Scoped Storage: an isolated storage sandbox right on external storage device! The READ_ and WRITE_EXTERNAL_STORAGE permissions are being replaced with more fine-grained media specific permissions. StrongBox Keymaster: an implementation of the Keymaster HAL that resides in a hardware security module. You can now import encrypted keys securely into the Keystore using an ASN.1‑encoded key format. \u0026hellip; This and much more that we or you might know about. Let\u0026rsquo;s make sure we extend the guide on best practices and what testers should look for in terms of bad practices.\nThe focus will be on issues identified for the 1.2 milestone of the MSTG, which you can find at Github.\nGet your hands dirty with the Android and iOS crackmes In the second stream, we want to focus on getting better crackmes and playground apps. In order to do this, there are a bunch of things we need to work on (in order of priority):\n Upgrade the existing crackmes \u0026amp; apps to be compatible with the latest version of iOS and Android. 
Ensure a proper build pipeline for the apps as part of the project so we can easily fix them. Have newer detection mechanisms in the crackmes, for instance: make sure we have a crackme that effectively refuses to run on a rooted Android device (e.g. running Magisk)? Or make the app Frida-resilient. Or\u0026hellip; whatever you like! Try to make cool challenging apps for other people. Just make sure it can be built and tested by the pipeline mentioned in 2. Are UnCrackable App for iOS Level 1 and UnCrackable App for iOS Level 2 too easy for you? Do you have some ideas for a Level 3? In this stream you get the chance to work hand in hand with the Mobile Security team on the MSTG crackme apps. The defenders will make them secure (or intentionally leave some holes) and the attackers will prove they can crack them using the latest techniques and available tools.\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n For creating a better pipeline: a MacBook is recommended, but not mandatory. For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However for many tasks you can use the emulator. 
The MSTG and crackmes are hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes Updated iOS and Android chapters in the MSTG covering the latest security changes in iOS and Android.\nReferences Workflow for MSTG contributions via Github Android Security Android Oreo iOS Security Whitepaper MSTG GitHub Issues MSTG GitHub Project Page MSTG Hacking Playground UnCrackable Mobile Apps UnCrackable App for Android Level 1 UnCrackable App for Android Level 2 UnCrackable App for Android Level 3 UnCrackable App for iOS Level 1 UnCrackable App for iOS Level 2 UnCrackable App repository ", "summary" : "Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5 day-continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.", "title" : "Android and iOS Security Enhancements and Crackme Apps (Mon Eve)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 671, "params" : {"categories":"MSTG","description":"Updating the content of the MSTG","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T01:50:29+01:00","organizers":["Sven Schleier"],"participants":["Jeroen Willemsen","Jeroen Beckers","Carlos Holguera"],"room_id":"villa-6","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Android and iOS Security Enhancements and Crackme Apps (Mon Eve)","track":"OWASP MSTG","type":"working-session","when_day":"Mon","when_time":"Eve-1,Eve-2"} } , { "id" : "34f2b73b7aecea7d97ecae34b8d867be", "file_path" : "tracks/OWASP-MSTG/working-sessions/android-ios-Security-enhancements-mon.md", "last_modified" : "2019-06-03T09:50:01+01:00", "link" 
: "/tracks/owasp-mstg/working-sessions/android-ios-security-enhancements-mon/", "content_plain" : " Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5-day continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.\nWhat Get to share the latest Android and iOS security enhancements The first stream is all about making the guide up to date with the latest security updates in iOS 12, Android 9 and 10:\niOS 12:\n UIWebViews are officially deprecated New AuthenticationServices and Network frameworks New Password AutoFill framework for iOS and web apps … Android 9/10:\n Scoped Storage: an isolated storage sandbox right on the external storage device! The READ_ and WRITE_EXTERNAL_STORAGE permissions are being replaced with more fine-grained, media-specific permissions. StrongBox Keymaster: an implementation of the Keymaster HAL that resides in a hardware security module. You can now import encrypted keys securely into the Keystore using an ASN.1-encoded key format. … This and much more that we or you might know about. Let's make sure we extend the guide on best practices and what testers should look for in terms of bad practices.\nThe focus will be on issues identified for the 1.2 milestone of the MSTG, which you can find on GitHub.\nGet your hands dirty with the Android and iOS crackmes In the second stream, we want to focus on getting better crackmes and playground apps. In order to do this, there are a bunch of things we need to work on (in order of priority):\n Upgrade the existing crackmes & apps to be compatible with the latest versions of iOS and Android. 
Ensure a proper build pipeline for the apps as part of the project so we can easily fix them. Have newer detection mechanisms in the crackmes, for instance: make sure we have a crackme that effectively refuses to run on a rooted Android device (e.g. one running Magisk), or make the app Frida-resilient, or… whatever you like! Try to make cool, challenging apps for other people. Just make sure they can be built and tested by the pipeline mentioned in 2. Are UnCrackable App for iOS Level 1 and UnCrackable App for iOS Level 2 too easy for you? Do you have some ideas for a Level 3? In this stream you get the chance to work hand in hand with the Mobile Security team on the MSTG crackme apps. The defenders will make them secure (or intentionally leave some holes) and the attackers will prove they can crack them using the latest techniques and available tools.\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n For creating a better pipeline: a MacBook is recommended, but not mandatory. For iOS: an iOS device (preferably jailbroken). A MacBook is recommended, but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However, for many tasks you can use the emulator. 
The MSTG and crackmes are hosted on GitHub and can easily be edited by anyone; only a GitHub account and knowledge of how to create a pull request are needed.\nOutcomes Updated iOS and Android chapters in the MSTG covering the latest security changes in iOS and Android.\nReferences Workflow for MSTG contributions via GitHub Android Security Android Oreo iOS Security Whitepaper MSTG GitHub Issues MSTG GitHub Project Page MSTG Hacking Playground UnCrackable Mobile Apps UnCrackable App for Android Level 1 UnCrackable App for Android Level 2 UnCrackable App for Android Level 3 UnCrackable App for iOS Level 1 UnCrackable App for iOS Level 2 UnCrackable App repository ", "summary" : "Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5-day continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.", "title" : "Android and iOS Security Enhancements and Crackme Apps (Mon)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 671, "params" : {"categories":"MSTG","description":"Updating the content of the MSTG","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T09:50:01+01:00","organizers":["Sven Schleier"],"participants":["Jeroen Willemsen","Jeroen Beckers","Carlos Holguera"],"room_id":"room-5","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Android and iOS Security Enhancements and Crackme Apps (Mon)","track":"OWASP MSTG","type":"working-session","when_day":"Mon","when_time":"DS-2,PM-1,PM-2,PM-3"} } , { "id" : "660b383c316fe1fe546cb82dd0c4ce5e", "file_path" : "tracks/OWASP-MSTG/working-sessions/android-ios-Security-enhancements-eve-thu.md", "last_modified" : "2019-06-05T12:19:26+01:00", 
"link" : "/tracks/owasp-mstg/working-sessions/android-ios-security-enhancements-eve-thu/", "content_plain" : " Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5-day continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.\nWhat Get to share the latest Android and iOS security enhancements The first stream is all about making the guide up to date with the latest security updates in iOS 12, Android 9 and 10:\niOS 12:\n UIWebViews are officially deprecated New AuthenticationServices and Network frameworks New Password AutoFill framework for iOS and web apps … Android 9/10:\n Scoped Storage: an isolated storage sandbox right on the external storage device! The READ_ and WRITE_EXTERNAL_STORAGE permissions are being replaced with more fine-grained, media-specific permissions. StrongBox Keymaster: an implementation of the Keymaster HAL that resides in a hardware security module. You can now import encrypted keys securely into the Keystore using an ASN.1-encoded key format. … This and much more that we or you might know about. Let's make sure we extend the guide on best practices and what testers should look for in terms of bad practices.\nThe focus will be on issues identified for the 1.2 milestone of the MSTG, which you can find on GitHub.\nGet your hands dirty with the Android and iOS crackmes In the second stream, we want to focus on getting better crackmes and playground apps. In order to do this, there are a bunch of things we need to work on (in order of priority):\n Upgrade the existing crackmes & apps to be compatible with the latest versions of iOS and Android. 
Ensure a proper build pipeline for the apps as part of the project so we can easily fix them. Have newer detection mechanisms in the crackmes, for instance: make sure we have a crackme that effectively refuses to run on a rooted Android device (e.g. one running Magisk), or make the app Frida-resilient, or… whatever you like! Try to make cool, challenging apps for other people. Just make sure they can be built and tested by the pipeline mentioned in 2. Are UnCrackable App for iOS Level 1 and UnCrackable App for iOS Level 2 too easy for you? Do you have some ideas for a Level 3? In this stream you get the chance to work hand in hand with the Mobile Security team on the MSTG crackme apps. The defenders will make them secure (or intentionally leave some holes) and the attackers will prove they can crack them using the latest techniques and available tools.\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n For creating a better pipeline: a MacBook is recommended, but not mandatory. For iOS: an iOS device (preferably jailbroken). A MacBook is recommended, but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However, for many tasks you can use the emulator. 
The MSTG and crackmes are hosted on GitHub and can easily be edited by anyone; only a GitHub account and knowledge of how to create a pull request are needed.\nOutcomes Updated iOS and Android chapters in the MSTG covering the latest security changes in iOS and Android.\nReferences Workflow for MSTG contributions via GitHub Android Security Android Oreo iOS Security Whitepaper MSTG GitHub Issues MSTG GitHub Project Page MSTG Hacking Playground UnCrackable Mobile Apps UnCrackable App for Android Level 1 UnCrackable App for Android Level 2 UnCrackable App for Android Level 3 UnCrackable App for iOS Level 1 UnCrackable App for iOS Level 2 UnCrackable App repository ", "summary" : "Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5-day continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.", "title" : "Android and iOS Security Enhancements and Crackme Apps (Thu Eve)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 671, "params" : {"categories":"MSTG","description":"Updating the content of the MSTG","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-05T12:19:26+01:00","meet_url":"https://zoom.us/j/605888944","organizers":["Sven Schleier"],"participants":["Jeroen Willemsen","Jeroen Beckers","Carlos Holguera"],"room_id":"villa-6","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Android and iOS Security Enhancements and Crackme Apps (Thu Eve)","track":"OWASP MSTG","type":"working-session","when_day":"Thu","when_time":"Eve-1,Eve-2"} } , { "id" : "f490b72d9dba932e6787a00507e5f854", "file_path" : "tracks/OWASP-MSTG/working-sessions/android-ios-Security-enhancements-thu.md", 
"last_modified" : "2019-06-05T12:30:09+01:00", "link" : "/tracks/owasp-mstg/working-sessions/android-ios-security-enhancements-thu/", "content_plain" : " Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5-day continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.\nWhat Get to share the latest Android and iOS security enhancements The first stream is all about making the guide up to date with the latest security updates in iOS 12, Android 9 and 10:\niOS 12:\n UIWebViews are officially deprecated New AuthenticationServices and Network frameworks New Password AutoFill framework for iOS and web apps … Android 9/10:\n Scoped Storage: an isolated storage sandbox right on the external storage device! The READ_ and WRITE_EXTERNAL_STORAGE permissions are being replaced with more fine-grained, media-specific permissions. StrongBox Keymaster: an implementation of the Keymaster HAL that resides in a hardware security module. You can now import encrypted keys securely into the Keystore using an ASN.1-encoded key format. … This and much more that we or you might know about. Let's make sure we extend the guide on best practices and what testers should look for in terms of bad practices.\nThe focus will be on issues identified for the 1.2 milestone of the MSTG, which you can find on GitHub.\nGet your hands dirty with the Android and iOS crackmes In the second stream, we want to focus on getting better crackmes and playground apps. In order to do this, there are a bunch of things we need to work on (in order of priority):\n Upgrade the existing crackmes & apps to be compatible with the latest versions of iOS and Android. 
Ensure a proper build pipeline for the apps as part of the project so we can easily fix them. Have newer detection mechanisms in the crackmes, for instance: make sure we have a crackme that effectively refuses to run on a rooted Android device (e.g. one running Magisk), or make the app Frida-resilient, or… whatever you like! Try to make cool, challenging apps for other people. Just make sure they can be built and tested by the pipeline mentioned in 2. Are UnCrackable App for iOS Level 1 and UnCrackable App for iOS Level 2 too easy for you? Do you have some ideas for a Level 3? In this stream you get the chance to work hand in hand with the Mobile Security team on the MSTG crackme apps. The defenders will make them secure (or intentionally leave some holes) and the attackers will prove they can crack them using the latest techniques and available tools.\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n For creating a better pipeline: a MacBook is recommended, but not mandatory. For iOS: an iOS device (preferably jailbroken). A MacBook is recommended, but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However, for many tasks you can use the emulator. 
The MSTG and crackmes are hosted on GitHub and can easily be edited by anyone; only a GitHub account and knowledge of how to create a pull request are needed.\nOutcomes Updated iOS and Android chapters in the MSTG covering the latest security changes in iOS and Android.\nReferences Workflow for MSTG contributions via GitHub Android Security Android Oreo iOS Security Whitepaper MSTG GitHub Issues MSTG GitHub Project Page MSTG Hacking Playground UnCrackable Mobile Apps UnCrackable App for Android Level 1 UnCrackable App for Android Level 2 UnCrackable App for Android Level 3 UnCrackable App for iOS Level 1 UnCrackable App for iOS Level 2 UnCrackable App repository ", "summary" : "Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5-day continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.", "title" : "Android and iOS Security Enhancements and Crackme Apps (Thu)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 671, "params" : {"categories":"MSTG","description":"Updating the content of the MSTG","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-05T12:30:09+01:00","organizers":["Sven Schleier"],"participants":["Jeroen Willemsen","Jeroen Beckers","Carlos Holguera"],"room_id":"villa-6","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Android and iOS Security Enhancements and Crackme Apps (Thu)","track":"OWASP MSTG","type":"working-session","when_day":"Thu","when_time":"AM-1,DS-2,PM-1,PM-2,PM-3"} } , { "id" : "5d31a175970eb70c5cd66a139169a633", "file_path" : "tracks/OWASP-MSTG/working-sessions/android-ios-Security-enhancements-tue.md", "last_modified" : "2019-06-03T09:50:01+01:00", 
"link" : "/tracks/owasp-mstg/working-sessions/android-ios-security-enhancements-tue/", "content_plain" : " Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5-day continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.\nWhat Get to share the latest Android and iOS security enhancements The first stream is all about making the guide up to date with the latest security updates in iOS 12, Android 9 and 10:\niOS 12:\n UIWebViews are officially deprecated New AuthenticationServices and Network frameworks New Password AutoFill framework for iOS and web apps … Android 9/10:\n Scoped Storage: an isolated storage sandbox right on the external storage device! The READ_ and WRITE_EXTERNAL_STORAGE permissions are being replaced with more fine-grained, media-specific permissions. StrongBox Keymaster: an implementation of the Keymaster HAL that resides in a hardware security module. You can now import encrypted keys securely into the Keystore using an ASN.1-encoded key format. … This and much more that we or you might know about. Let's make sure we extend the guide on best practices and what testers should look for in terms of bad practices.\nThe focus will be on issues identified for the 1.2 milestone of the MSTG, which you can find on GitHub.\nGet your hands dirty with the Android and iOS crackmes In the second stream, we want to focus on getting better crackmes and playground apps. In order to do this, there are a bunch of things we need to work on (in order of priority):\n Upgrade the existing crackmes & apps to be compatible with the latest versions of iOS and Android. 
Ensure a proper build pipeline for the apps as part of the project so we can easily fix them. Have newer detection mechanisms in the crackmes, for instance: make sure we have a crackme that effectively refuses to run on a rooted Android device (e.g. one running Magisk), or make the app Frida-resilient, or… whatever you like! Try to make cool, challenging apps for other people. Just make sure they can be built and tested by the pipeline mentioned in 2. Are UnCrackable App for iOS Level 1 and UnCrackable App for iOS Level 2 too easy for you? Do you have some ideas for a Level 3? In this stream you get the chance to work hand in hand with the Mobile Security team on the MSTG crackme apps. The defenders will make them secure (or intentionally leave some holes) and the attackers will prove they can crack them using the latest techniques and available tools.\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n For creating a better pipeline: a MacBook is recommended, but not mandatory. For iOS: an iOS device (preferably jailbroken). A MacBook is recommended, but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However, for many tasks you can use the emulator. 
The MSTG and crackmes are hosted on GitHub and can easily be edited by anyone; only a GitHub account and knowledge of how to create a pull request are needed.\nOutcomes Updated iOS and Android chapters in the MSTG covering the latest security changes in iOS and Android.\nReferences Workflow for MSTG contributions via GitHub Android Security Android Oreo iOS Security Whitepaper MSTG GitHub Issues MSTG GitHub Project Page MSTG Hacking Playground UnCrackable Mobile Apps UnCrackable App for Android Level 1 UnCrackable App for Android Level 2 UnCrackable App for Android Level 3 UnCrackable App for iOS Level 1 UnCrackable App for iOS Level 2 UnCrackable App repository ", "summary" : "Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5-day continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.", "title" : "Android and iOS Security Enhancements and Crackme Apps (Tue)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 671, "params" : {"categories":"MSTG","description":"Updating the content of the MSTG","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T09:50:01+01:00","organizers":["Sven Schleier"],"participants":["Jeroen Willemsen","Jeroen Beckers","Carlos Holguera"],"room_id":"room-6","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Android and iOS Security Enhancements and Crackme Apps (Tue)","track":"OWASP MSTG","type":"working-session","when_day":"Tue","when_time":"AM-1,DS-2,PM-1,PM-2,PM-3"} } , { "id" : "682f5bbf7f9dbd333250889212260ae7", "file_path" : "tracks/OWASP-MSTG/working-sessions/android-ios-Security-enhancements-eve-wed.md", "last_modified" : "2019-06-05T12:19:26+01:00", 
"link" : "/tracks/owasp-mstg/working-sessions/android-ios-security-enhancements-eve-wed/", "content_plain" : " Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5-day continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.\nWhat Get to share the latest Android and iOS security enhancements The first stream is all about making the guide up to date with the latest security updates in iOS 12, Android 9 and 10:\niOS 12:\n UIWebViews are officially deprecated New AuthenticationServices and Network frameworks New Password AutoFill framework for iOS and web apps … Android 9/10:\n Scoped Storage: an isolated storage sandbox right on the external storage device! The READ_ and WRITE_EXTERNAL_STORAGE permissions are being replaced with more fine-grained, media-specific permissions. StrongBox Keymaster: an implementation of the Keymaster HAL that resides in a hardware security module. You can now import encrypted keys securely into the Keystore using an ASN.1-encoded key format. … This and much more that we or you might know about. Let's make sure we extend the guide on best practices and what testers should look for in terms of bad practices.\nThe focus will be on issues identified for the 1.2 milestone of the MSTG, which you can find on GitHub.\nGet your hands dirty with the Android and iOS crackmes In the second stream, we want to focus on getting better crackmes and playground apps. In order to do this, there are a bunch of things we need to work on (in order of priority):\n Upgrade the existing crackmes & apps to be compatible with the latest versions of iOS and Android. 
Ensure a proper build pipeline for the apps as part of the project so we can easily fix them. Have newer detection mechanisms in the crackmes, for instance: make sure we have a crackme that effectively refuses to run on a rooted Android device (e.g. one running Magisk), or make the app Frida-resilient, or… whatever you like! Try to make cool, challenging apps for other people. Just make sure they can be built and tested by the pipeline mentioned in 2. Are UnCrackable App for iOS Level 1 and UnCrackable App for iOS Level 2 too easy for you? Do you have some ideas for a Level 3? In this stream you get the chance to work hand in hand with the Mobile Security team on the MSTG crackme apps. The defenders will make them secure (or intentionally leave some holes) and the attackers will prove they can crack them using the latest techniques and available tools.\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n For creating a better pipeline: a MacBook is recommended, but not mandatory. For iOS: an iOS device (preferably jailbroken). A MacBook is recommended, but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However, for many tasks you can use the emulator. 
The MSTG and crackmes are hosted on GitHub and can easily be edited by anyone; only a GitHub account and knowledge of how to create a pull request are needed.\nOutcomes Updated iOS and Android chapters in the MSTG covering the latest security changes in iOS and Android.\nReferences Workflow for MSTG contributions via GitHub Android Security Android Oreo iOS Security Whitepaper MSTG GitHub Issues MSTG GitHub Project Page MSTG Hacking Playground UnCrackable Mobile Apps UnCrackable App for Android Level 1 UnCrackable App for Android Level 2 UnCrackable App for Android Level 3 UnCrackable App for iOS Level 1 UnCrackable App for iOS Level 2 UnCrackable App repository ", "summary" : "Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5-day continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.", "title" : "Android and iOS Security Enhancements and Crackme Apps (Wed Eve)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 671, "params" : {"categories":"MSTG","description":"Updating the content of the MSTG","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-05T12:19:26+01:00","meet_url":"https://zoom.us/j/605888944","organizers":["Sven Schleier"],"participants":["Jeroen Willemsen","Jeroen Beckers","Carlos Holguera"],"room_id":"villa-6","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Android and iOS Security Enhancements and Crackme Apps (Wed Eve)","track":"OWASP MSTG","type":"working-session","when_day":"Wed","when_time":"Eve-1,Eve-2"} } , { "id" : "f0f514f21b78ea30f197f93e09ed4230", "file_path" : "tracks/OWASP-MSTG/working-sessions/android-ios-Security-enhancements-wed.md", 
"last_modified" : "2019-06-05T12:30:09+01:00", "link" : "/tracks/owasp-mstg/working-sessions/android-ios-security-enhancements-wed/", "content_plain" : " Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5 day-continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.\nWhat Get to share the latest Android and iOS security enhancements The first stream is all about making the guide up to date with the latest security updates on iOS 12, Android 9 and 10:\niOS 12:\n UIWebViews are officially deprecated new AuthenticationServices and Network Frameworks New Password AutoFill Framework for iOS and web apps \u0026hellip; Android 9\u0026frasl;10:\n Scoped Storage: an isolated storage sandbox right on external storage device! The READ_ and WRITE_EXTERNAL_STORAGE permissions are being replaced with more fine-grained media specific permissions. StrongBox Keymaster: an implementation of the Keymaster HAL that resides in a hardware security module. You can now import encrypted keys securely into the Keystore using an ASN.1‑encoded key format. \u0026hellip; This and much more that we or you might know about. Let\u0026rsquo;s make sure we extend the guide on best practices and what testers should look for in terms of bad practices.\nThe focus will be on issues identified for the 1.2 milestone of the MSTG, which you can find at Github.\nGet your hands dirty with the Android and iOS crackmes In the second stream, we want to focus on getting better crackmes and playground apps. In order to do this, there are a bunch of things we need to work on (in order of priority):\n Upgrade the existing crackmes \u0026amp; apps to be compatible with the latest version of iOS and Android. 
Ensure a proper build pipeline for the apps as part of the project so we can easily fix them. Have newer detection mechanisms in the crackmes, for instance: make sure we have a crackme that effectively refuses to run on a rooted Android device (e.g. running Magisk)? Or make the app Frida-resilient. Or\u0026hellip; whatever you like! Try to make cool challenging apps for other people. Just make sure it can be built and tested by the pipeline mentioned in 2. Are UnCrackable App for iOS Level 1 and UnCrackable App for iOS Level 2 too easy for you? Do you have some ideas for a Level 3? In this stream you get the chance to work hand in hand with the Mobile Security team on the MSTG crackme apps. The defenders will make them secure (or intentionally leave some holes) and the attackers will prove they can crack them using the latest techniques and available tools.\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about app mobile security, haves fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n For creating a better pipeline: a MacBook is recommended, but not mandatory. For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However for many tasks you can use the emulator. 
The MSTG and crackmes are hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes Updated iOS and Android chapters in the MSTG covering the latest security changes in iOS and Android.\nReferences Workflow for MSTG contributions via Github Android Security Android Oreo iOS Security Whitepaper MSTG GitHub Issues MSTG GitHub Project Page MSTG Hacking Playground UnCrackable Mobile Apps UnCrackable App for Android Level 1 UnCrackable App for Android Level 2 UnCrackable App for Android Level 3 UnCrackable App for iOS Level 1 UnCrackable App for iOS Level 2 UnCrackable App repository ", "summary" : "Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!\nWhy Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place! In this 5-day continuous sprint, we want to make the MSTG greater than ever! To do this, there are streams that will require constant attention: the guide itself and the apps that we use for examples.", "title" : "Android and iOS Security Enhancements and Crackme Apps (Wed)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 671, "params" : {"categories":"MSTG","description":"Updating the content of the MSTG","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-05T12:30:09+01:00","organizers":["Sven Schleier"],"participants":["Jeroen Willemsen","Jeroen Beckers","Carlos Holguera"],"room_id":"villa-6","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Android and iOS Security Enhancements and Crackme Apps (Wed)","track":"OWASP MSTG","type":"working-session","when_day":"Wed","when_time":"AM-1,DS-2,PM-1,PM-2,PM-3"} } , { "id" : "f0c67f291583fe359332b1f4c74710c7", "file_path" : "tracks/OWASP-MSTG/working-sessions/ios_secure_pipeline.md", "last_modified" : "2019-06-05T20:50:18+01:00", "link" : 
"/tracks/owasp-mstg/working-sessions/ios_secure_pipeline/", "content_plain" : " This session is about creating a blueprint for an iOS build pipeline that includes security checks/tools.\nWhy Security tools for iOS are usually very limited at the moment or have no wide coverage. Let’s identify the tools that work at the moment and bring value for an iOS pipeline.\nWhat We want to make a summary of best practices and tools that should be part of an iOS pipeline and want to answer the following questions:\n Which approach, scripts or (Open Source) tools can be used for an iOS pipeline: To detect secrets To do secret management To scan source code (Objective-C and Swift) To test if SSL Pinning is activated To test if Root detection is activated To test the configuration of ATS To check 3rd party libraries (CocoaPods and Carthage) and their licences How to maintain the certificates for signing an app? The outcome of this session will be captured in the following public Github Repo: https://github.com/sushi2k/iOS_pipeline\nWho The target audience for this Working Session is:\n iOS developers Penetration Testers DevOps engineers Security engineers From experts to beginners. Anybody who is passionate about iOS mobile security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Ideally a laptop (a MacBook is recommended, but not mandatory) to do research for tools, build PoCs and contribute to the Github repo. 
Otherwise contributions can also be done verbally and the team will push to the repo.\nThe outcome is hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes A summary of best practices and tools on how to build an iOS pipeline.\nReferences TBD ", "summary" : "This session is about creating a blueprint for an iOS build pipeline that includes security checks/tools.\nWhy Security tools for iOS are usually very limited at the moment or have no wide coverage. Let’s identify the tools that work at the moment and bring value for an iOS pipeline.\nWhat We want to make a summary of best practices and tools that should be part of an iOS pipeline and want to answer the following questions:", "title" : "Creating an iOS build pipeline with security checks", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 296, "params" : {"categories":"MSTG","description":"Brainstorming for an iOS pipeline with security checks","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-05T20:50:18+01:00","organizers":"Sven Schleier","room_id":"room-6","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS","title":"Creating an iOS build pipeline with security checks","track":"OWASP MSTG","type":"working-session","when_day":"Thu","when_time":"AM-1"} } , { "id" : "2422681fc0c52df6146a50f87a13ccc8", "file_path" : "tracks/OWASP-MSTG/working-sessions/masvs-enhancements.md", "last_modified" : "2019-06-03T10:06:33+01:00", "link" : "/tracks/owasp-mstg/working-sessions/masvs-enhancements/", "content_plain" : " Welcome to the OWASP MASVS session!\nWhy The MASVS has served as a great basis for the MSTG in terms of providing the right requirements. It has been translated to multiple languages and has been embraced by many parties as a source for security requirements for mobile applications. 
In order to support the MASVS and allow for easier integration in the SDLC, we have a set of tasks left, which are summarized in milestone 1.1.4 of the project. Note: we do not want to come up with new requirements yet as we would rather first try to get the MSTG in sync.\nWhat In this working session, we want to focus on issues identified in the 1.1.4 milestone of the MASVS, which you can find at Github. Think of a variety of issues, such as:\n Fix the Markdown issues Make sure we have the same code of conduct and contribution guide as the MSTG If you are keen on doing some coding, you can help out with the following:\n Generate JSON/XML Ensure markdown validation automation Make sure the gitbooks site shows all languages The tickets for this working session will cover these topics and contribute to increasing the value, readability and extensibility of the MASVS, which in turn will make it easier to extend it across all languages.\nWho The target audience for this Working Session is:\n anyone who wants to help out improving the quality of an OWASP project and anybody interested in mobile security. From experts to beginners. Anybody who is passionate about mobile app security and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nThe MASVS is hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes Hopefully a better (en)coded MASVS! And milestone 1.1.4!\nReferences OWASP MASVS ", "summary" : "Welcome to the OWASP MASVS session!\nWhy The MASVS has served as a great basis for the MSTG in terms of providing the right requirements. It has been translated to multiple languages and has been embraced by many parties as a source for security requirements for mobile applications. 
In order to support the MASVS and allow for easier integration in the SDLC, we have a set of tasks left, which are summarized in milestone 1.", "title" : "Mobile AppSec Verification Standard (MASVS)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 318, "params" : {"categories":"MSTG","description":"Work on the open issues of the MASVS","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T10:06:33+01:00","organizers":["Jeroen Beckers"],"participants":["Sven Schleier","Jeroen Willemsen","Carlos Holguera"],"room_id":"room-5","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Mobile AppSec Verification Standard (MASVS)","track":"OWASP MSTG","type":"working-session","when_day":"Mon","when_time":"PM-1,PM-2,PM-3"} } , { "id" : "ecc40bdc7cfa8da5edd9633be7c9a8b1", "file_path" : "tracks/OWASP-MSTG/working-sessions/masvs-enhancements-eve.md", "last_modified" : "2019-06-03T02:11:24+01:00", "link" : "/tracks/owasp-mstg/working-sessions/masvs-enhancements-eve/", "content_plain" : " Welcome to the OWASP MASVS session!\nWhy The MASVS has served as a great basis for the MSTG in terms of providing the right requirements. It has been translated to multiple languages and has been embraced by many parties as a source for security requirements for mobile applications. In order to support the MASVS and allow for easier integration in the SDLC, we have a set of tasks left, which are summarized in milestone 1.1.4 of the project. Note: we do not want to come up with new requirements yet as we would rather first try to get the MSTG in sync.\nWhat In this working session, we want to focus on issues identified in the 1.1.4 milestone of the MASVS, which you can find at Github. 
Think of a variety of issues, such as:\n Fix the Markdown issues Make sure we have the same code of conduct and contribution guide as the MSTG If you are keen on doing some coding, you can help out with the following:\n Generate JSON/XML Ensure markdown validation automation Make sure the gitbooks site shows all languages The tickets for this working session will cover these topics and contribute to increasing the value, readability and extensibility of the MASVS, which in turn will make it easier to extend it across all languages.\nWho The target audience for this Working Session is:\n anyone who wants to help out improving the quality of an OWASP project and anybody interested in mobile security. From experts to beginners. Anybody who is passionate about mobile app security and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? Minimum required: a laptop :)\nThe MASVS is hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes Hopefully a better (en)coded MASVS! And milestone 1.1.4!\nReferences OWASP MASVS ", "summary" : "Welcome to the OWASP MASVS session!\nWhy The MASVS has served as a great basis for the MSTG in terms of providing the right requirements. It has been translated to multiple languages and has been embraced by many parties as a source for security requirements for mobile applications. 
In order to support the MASVS and allow for easier integration in the SDLC, we have a set of tasks left, which are summarized in milestone 1.", "title" : "Mobile AppSec Verification Standard (MASVS) (Evening)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 318, "params" : {"categories":"MSTG","description":"Work on the open issues of the MASVS","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T02:11:24+01:00","organizers":["Jeroen Beckers"],"participants":["Sven Schleier","Jeroen Willemsen","Carlos Holguera"],"room_id":"villa-3","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Mobile AppSec Verification Standard (MASVS) (Evening)","track":"OWASP MSTG","type":"working-session","when_day":"Mon","when_time":"Eve-1,Eve-2"} } , { "id" : "e837d8a3ca2ae10b6154eed10f8ed172", "file_path" : "tracks/OWASP-MSTG/working-sessions/mstg-restructuring-eve.md", "last_modified" : "2019-06-05T11:46:48+01:00", "link" : "/tracks/owasp-mstg/working-sessions/mstg-restructuring-eve/", "content_plain" : " Mobile Basic Security Testing and Reverse Engineering Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you’re familiar with mobile security testing you’ll probably know that the way we perform the testing on the different platforms is completely different but at the end, what we want to achieve is the same. We want to get this reflected in the guide. We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.\nAs a result, the current content will be restructured, which will help\n achieving a more organized testing approach and methodology. detecting potential missing tools or techniques. fixing missing links across chapters. The Android and iOS chapters will mirror each other, so the next time someone (e.g. 
a beginner) wants to get started on these topics it will be very clear what has to be done and how. If you’re already an expert on e.g. Android, this will help you quickly identify the things you need when starting testing on iOS, e.g. “Accessing the Device Shell”.\nWhat Join us in a 2-day sprint to restructure the basic-testing and reverse-engineering chapters in a way that they are easily mappable. We want to be able to restructure the MSTG and connect it to the MASVS in a better way during the first 2 days in order to make the chapters more accessible.\nThis session focuses on the following topics (and their corresponding chapters from the MSTG):\n Android and iOS Basic Security Testing (0x5b/0x6b) Android and iOS Reverse Engineering and Tampering (0x5c/0x6c) After the first restructuring and updated outline, you’ll have the chance to get your hands dirty and craft examples and new content for the MSTG to add next to existing tooling. For the new examples we will be introducing new tools like r2frida. Did you know you can reverse engineer an app straight from the process memory? That means, e.g. for iOS, that you may skip the decryption and extraction of the binary.\nThe tickets for this working session will cover these topics and contribute to the restructuring of the MSTG as described in this issue. This should simplify the chapters, improve their readability and make the project a lot easier to maintain!\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? 
Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n General rewriting tasks do not require any devices, however if you want to add new cases, then: For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However, for many tasks you can use the emulator. The MSTG is hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes A beautifully restructured MSTG.\nReferences “Basic Security Testing / Reverse Engineering and Tampering” Chapters Restructuring Issue Android Basic Security Testing Android Reverse Engineering and Tampering iOS Basic Security Testing iOS Reverse Engineering and Tampering ", "summary" : "Mobile Basic Security Testing and Reverse Engineering Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you’re familiar with mobile security testing you’ll probably know that the way we perform the testing on the different platforms is completely different but at the end, what we want to achieve is the same. We want to get this reflected in the guide. 
We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.", "title" : "Mobile Basic Security Testing and Reverse Engineering (Evening Session)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 555, "params" : {"categories":"MSTG","description":"Work on the Mobile Basic Security Testing and Reverse Engineering topics with focus on restructuring the contents of the MSTG","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-05T11:46:48+01:00","meet_url":"https://zoom.us/j/605888944","organizers":["Carlos Holguera"],"participants":["Jeroen Beckers","Sven Schleier","Jeroen Willemsen"],"room_id":"villa-6","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Mobile Basic Security Testing and Reverse Engineering (Evening Session)","track":"OWASP MSTG","type":"working-session","when_day":"Wed,Thu","when_time":"Eve-1,Eve-2"} } , { "id" : "3c4fb3c99a861efb9c2a89017aaff0c7", "file_path" : "tracks/OWASP-MSTG/working-sessions/mstg-restructuring-mon-eve.md", "last_modified" : "2019-06-03T02:11:24+01:00", "link" : "/tracks/owasp-mstg/working-sessions/mstg-restructuring-mon-eve/", "content_plain" : " Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you’re familiar with mobile security testing you’ll probably know that the way we perform the testing on the different platforms is completely different but at the end, what we want to achieve is the same. We want to get this reflected in the guide. We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.\nAs a result, the current content will be restructured, which will help\n achieving a more organized testing approach and methodology. detecting potential missing tools or techniques. fixing missing links across chapters. 
The Android and iOS chapters will mirror each other, so the next time someone (e.g. a beginner) wants to get started on these topics it will be very clear what has to be done and how. If you’re already an expert on e.g. Android, this will help you quickly identify the things you need when starting testing on iOS, e.g. “Accessing the Device Shell”.\nWhat Join us in a 2-day sprint to restructure the basic-testing and reverse-engineering chapters in a way that they are easily mappable. We want to be able to restructure the MSTG and connect it to the MASVS in a better way during the first 2 days in order to make the chapters more accessible.\nThis session focuses on the following topics (and their corresponding chapters from the MSTG):\n Android and iOS Basic Security Testing (0x5b/0x6b) Android and iOS Reverse Engineering and Tampering (0x5c/0x6c) After the first restructuring and updated outline, you’ll have the chance to get your hands dirty and craft examples and new content for the MSTG to add next to existing tooling. For the new examples we will be introducing new tools like r2frida. Did you know you can reverse engineer an app straight from the process memory? That means, e.g. for iOS, that you may skip the decryption and extraction of the binary.\nThe tickets for this working session will cover these topics and contribute to the restructuring of the MSTG as described in this issue. This should simplify the chapters, improve their readability and make the project a lot easier to maintain!\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? 
Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n General rewriting tasks do not require any devices, however if you want to add new cases, then: For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However, for many tasks you can use the emulator. The MSTG is hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes A beautifully restructured MSTG.\nReferences “Basic Security Testing / Reverse Engineering and Tampering” Chapters Restructuring Issue Android Basic Security Testing Android Reverse Engineering and Tampering iOS Basic Security Testing iOS Reverse Engineering and Tampering ", "summary" : "Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you’re familiar with mobile security testing you’ll probably know that the way we perform the testing on the different platforms is completely different but at the end, what we want to achieve is the same. We want to get this reflected in the guide. 
We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.", "title" : "Mobile Basic Security Testing and Reverse Engineering (Mon Evening)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 548, "params" : {"categories":"MSTG","description":"Work on the Mobile Basic Security Testing and Reverse Engineering topics with focus on restructuring the contents of the MSTG","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-03T02:11:24+01:00","organizers":["Carlos Holguera"],"participants":["Jeroen Beckers","Sven Schleier","Jeroen Willemsen"],"room_id":"villa-4","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Mobile Basic Security Testing and Reverse Engineering (Mon Evening)","track":"OWASP MSTG","type":"working-session","when_day":"Mon","when_time":"Eve-1,Eve-2"} } , { "id" : "2f382e6014e1e13f05a00423cf393b5c", "file_path" : "tracks/OWASP-MSTG/working-sessions/mstg-restructuring-mon.md", "last_modified" : "2019-06-03T09:50:01+01:00", "link" : "/tracks/owasp-mstg/working-sessions/mstg-restructuring-mon/", "content_plain" : " Mobile Basic Security Testing and Reverse Engineering Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you’re familiar with mobile security testing you’ll probably know that the way we perform the testing on the different platforms is completely different but at the end, what we want to achieve is the same. We want to get this reflected in the guide. We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.\nAs a result, the current content will be restructured, which will help\n achieving a more organized testing approach and methodology. detecting potential missing tools or techniques. fixing missing links across chapters. 
The Android and iOS chapters will mirror each other, so the next time someone (e.g. a beginner) wants to get started on these topics it will be very clear what has to be done and how. If you’re already an expert on e.g. Android, this will help you quickly identify the things you need when starting testing on iOS, e.g. “Accessing the Device Shell”.\nWhat Join us in a 2-day sprint to restructure the basic-testing and reverse-engineering chapters in a way that they are easily mappable. We want to be able to restructure the MSTG and connect it to the MASVS in a better way during the first 2 days in order to make the chapters more accessible.\nThis session focuses on the following topics (and their corresponding chapters from the MSTG):\n Android and iOS Basic Security Testing (0x5b/0x6b) Android and iOS Reverse Engineering and Tampering (0x5c/0x6c) After the first restructuring and updated outline, you’ll have the chance to get your hands dirty and craft examples and new content for the MSTG to add next to existing tooling. For the new examples we will be introducing new tools like r2frida. Did you know you can reverse engineer an app straight from the process memory? That means, e.g. for iOS, that you may skip the decryption and extraction of the binary.\nThe tickets for this working session will cover these topics and contribute to the restructuring of the MSTG as described in this issue. This should simplify the chapters, improve their readability and make the project a lot easier to maintain!\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? 
Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n General rewriting tasks do not require any devices, however if you want to add new cases, then: For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However, for many tasks you can use the emulator. The MSTG is hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes A beautifully restructured MSTG.\nReferences “Basic Security Testing / Reverse Engineering and Tampering” Chapters Restructuring Issue Android Basic Security Testing Android Reverse Engineering and Tampering iOS Basic Security Testing iOS Reverse Engineering and Tampering ", "summary" : "Mobile Basic Security Testing and Reverse Engineering Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you’re familiar with mobile security testing you’ll probably know that the way we perform the testing on the different platforms is completely different but at the end, what we want to achieve is the same. We want to get this reflected in the guide. 
We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.", "title" : "Mobile Basic Security Testing and Reverse Engineering (Mon)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 555, "params" : {"categories":"MSTG","description":"Work on the Mobile Basic Security Testing and Reverse Engineering topics with focus on restructuring the contents of the MSTG","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-03T09:50:01+01:00","organizers":["Carlos Holguera"],"participants":["Jeroen Beckers","Sven Schleier","Jeroen Willemsen"],"room_id":"room-5","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Mobile Basic Security Testing and Reverse Engineering (Mon)","track":"OWASP MSTG","type":"working-session","when_day":"Mon","when_time":"DS-2,PM-1,PM-2"} } , { "id" : "2d8d67d225b09d33834b9f356229cfb8", "file_path" : "tracks/OWASP-MSTG/working-sessions/mstg-restructuring-thu.md", "last_modified" : "2019-06-05T12:30:09+01:00", "link" : "/tracks/owasp-mstg/working-sessions/mstg-restructuring-thu/", "content_plain" : " Mobile Basic Security Testing and Reverse Engineering Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you’re familiar with mobile security testing you’ll probably know that the way we perform the testing on the different platforms is completely different but at the end, what we want to achieve is the same. We want to get this reflected in the guide. We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.\nAs a result, the current content will be restructured, which will help\n achieving a more organized testing approach and methodology. detecting potential missing tools or techniques. fixing missing links across chapters. 
The Android and iOS chapters will mirror each other, so the next time someone (e.g. a beginner) wants to get started on these topics it will be very clear what has to be done and how. If you’re already an expert on e.g. Android, this will help you quickly identify the things you need when starting testing on iOS, e.g. “Accessing the Device Shell”.\nWhat Join us in a 2-day sprint to restructure the basic-testing and reverse-engineering chapters in a way that they are easily mappable. We want to be able to restructure the MSTG and connect it to the MASVS in a better way during the first 2 days in order to make the chapters more accessible.\nThis session focuses on the following topics (and their corresponding chapters from the MSTG):\n Android and iOS Basic Security Testing (0x5b/0x6b) Android and iOS Reverse Engineering and Tampering (0x5c/0x6c) After the first restructuring and updated outline, you’ll have the chance to get your hands dirty and craft examples and new content for the MSTG to add next to existing tooling. For the new examples we will be introducing new tools like r2frida. Did you know you can reverse engineer an app straight from the process memory? That means, e.g. for iOS, that you may skip the decryption and extraction of the binary.\nThe tickets for this working session will cover these topics and contribute to the restructuring of the MSTG as described in this issue. This should simplify the chapters, improve their readability and make the project a lot easier to maintain!\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? 
Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n General rewriting tasks do not require any devices, however if you want to add new cases, then: For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However, for many tasks you can use the emulator. The MSTG is hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.\nOutcomes A beautifully restructured MSTG.\nReferences “Basic Security Testing / Reverse Engineering and Tampering” Chapters Restructuring Issue Android Basic Security Testing Android Reverse Engineering and Tampering iOS Basic Security Testing iOS Reverse Engineering and Tampering ", "summary" : "Mobile Basic Security Testing and Reverse Engineering Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you’re familiar with mobile security testing you’ll probably know that the way we perform the testing on the different platforms is completely different but at the end, what we want to achieve is the same. We want to get this reflected in the guide. 
We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.", "title" : "Mobile Basic Security Testing and Reverse Engineering (Thu)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 555, "params" : {"categories":"MSTG","description":"Work on the Mobile Basic Security Testing and Reverse Engineering topics with focus on restructuring the contents of the MSTG","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-05T12:30:09+01:00","organizers":["Carlos Holguera"],"participants":["Jeroen Beckers","Sven Schleier","Jeroen Willemsen"],"room_id":"villa-6","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Mobile Basic Security Testing and Reverse Engineering (Thu)","track":"OWASP MSTG","type":"working-session","when_day":"Thu","when_time":"AM-1,DS-2,PM-1,PM-2,PM-3"} } , { "id" : "509191a73fde3d3ff1d43259317803bc", "file_path" : "tracks/OWASP-MSTG/working-sessions/mstg-restructuring-tue-eve.md", "last_modified" : "2019-06-04T07:59:57+01:00", "link" : "/tracks/owasp-mstg/working-sessions/mstg-restructuring-tue-eve/", "content_plain" : " Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you’re familiar with mobile security testing you’ll probably know that the way we perform the testing on the different platforms is completely different but at the end, what we want to achieve is the same. We want to get this reflected in the guide. We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.\nAs a result, the current content will be restructured, which will help\n achieving a more organized testing approach and methodology. detecting potential missing tools or techniques. fixing missing links across chapters. 
The Android and iOS chapters will mirror each other, so the next time someone (e.g. a beginner) wants to get started on these topics, it will be very clear what has to be done and how. If you\u2019re already an expert on e.g. Android, this will help you quickly identify the things you need when starting testing on iOS, e.g. \u201cAccessing the Device Shell\u201d.\nWhat Join us in a 2-day sprint to restructure the basic-testing and reverse-engineering chapters in a way that they are easily mappable. We want to be able to restructure the MSTG and connect it to the MASVS in a better way during the first 2 days in order to make the chapters more accessible.\nThis session focuses on the following topics (and their corresponding chapters from the MSTG):\n Android and iOS Basic Security Testing (0x5b/0x6b) Android and iOS Reverse Engineering and Tampering (0x5c/0x6c) After the first restructuring and updated outline, you\u2019ll have the chance to get your hands dirty and craft examples and new content for the MSTG to add next to existing tooling. For the new examples we will be introducing new tools like r2frida. Did you know you can reverse engineer an app straight from the process memory? That means, e.g. for iOS, that you may skip the decryption and extraction of the binary.\nThe tickets for this working session will cover these topics and contribute to the restructuring of the MSTG as described in this issue. This should simplify the chapters, improve their readability and make the project a lot easier to maintain!\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps, loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? 
Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n General rewriting tasks do not require any devices; however, if you want to add new cases, then: For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However, for many tasks you can use the emulator. The MSTG is hosted on GitHub and can easily be edited by anyone; just a GitHub account is needed and knowledge of how to create a pull request.\nOutcomes A beautifully restructured MSTG.\nReferences \u201cBasic Security Testing / Reverse Engineering and Tampering\u201d Chapters Restructuring Issue Android Basic Security Testing Android Reverse Engineering and Tampering iOS Basic Security Testing iOS Reverse Engineering and Tampering ", "summary" : "Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you\u2019re familiar with mobile security testing, you\u2019ll probably know that the way we perform the testing on the different platforms is completely different, but at the end, what we want to achieve is the same. We want to get this reflected in the guide. 
We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.", "title" : "Mobile Basic Security Testing and Reverse Engineering (Tue Evening)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 548, "params" : {"categories":"MSTG","description":"Work on the Mobile Basic Security Testing and Reverse Engineering topics with focus on restructuring the contents of the MSTG","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-04T07:59:57+01:00","organizers":["Carlos Holguera"],"participants":["Jeroen Beckers","Sven Schleier","Jeroen Willemsen"],"room_id":"villa-5","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Mobile Basic Security Testing and Reverse Engineering (Tue Evening)","track":"OWASP MSTG","type":"working-session","when_day":"Tue","when_time":"Eve-1,Eve-2"} } , { "id" : "015de0eee67e4e1866faf3b6d5def025", "file_path" : "tracks/OWASP-MSTG/working-sessions/mstg-restructuring-tue.md", "last_modified" : "2019-06-03T09:50:01+01:00", "link" : "/tracks/owasp-mstg/working-sessions/mstg-restructuring-tue/", "content_plain" : " Mobile Basic Security Testing and Reverse Engineering Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you\u2019re familiar with mobile security testing, you\u2019ll probably know that the way we perform the testing on the different platforms is completely different, but at the end, what we want to achieve is the same. We want to get this reflected in the guide. We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.\nAs a result, the current content will be restructured, which will help with\n achieving a more organized testing approach and methodology. detecting potentially missing tools or techniques. fixing missing links across chapters. 
The Android and iOS chapters will mirror each other, so the next time someone (e.g. a beginner) wants to get started on these topics, it will be very clear what has to be done and how. If you\u2019re already an expert on e.g. Android, this will help you quickly identify the things you need when starting testing on iOS, e.g. \u201cAccessing the Device Shell\u201d.\nWhat Join us in a 2-day sprint to restructure the basic-testing and reverse-engineering chapters in a way that they are easily mappable. We want to be able to restructure the MSTG and connect it to the MASVS in a better way during the first 2 days in order to make the chapters more accessible.\nThis session focuses on the following topics (and their corresponding chapters from the MSTG):\n Android and iOS Basic Security Testing (0x5b/0x6b) Android and iOS Reverse Engineering and Tampering (0x5c/0x6c) After the first restructuring and updated outline, you\u2019ll have the chance to get your hands dirty and craft examples and new content for the MSTG to add next to existing tooling. For the new examples we will be introducing new tools like r2frida. Did you know you can reverse engineer an app straight from the process memory? That means, e.g. for iOS, that you may skip the decryption and extraction of the binary.\nThe tickets for this working session will cover these topics and contribute to the restructuring of the MSTG as described in this issue. This should simplify the chapters, improve their readability and make the project a lot easier to maintain!\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps, loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? 
Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n General rewriting tasks do not require any devices; however, if you want to add new cases, then: For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However, for many tasks you can use the emulator. The MSTG is hosted on GitHub and can easily be edited by anyone; just a GitHub account is needed and knowledge of how to create a pull request.\nOutcomes A beautifully restructured MSTG.\nReferences \u201cBasic Security Testing / Reverse Engineering and Tampering\u201d Chapters Restructuring Issue Android Basic Security Testing Android Reverse Engineering and Tampering iOS Basic Security Testing iOS Reverse Engineering and Tampering ", "summary" : "Mobile Basic Security Testing and Reverse Engineering Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you\u2019re familiar with mobile security testing, you\u2019ll probably know that the way we perform the testing on the different platforms is completely different, but at the end, what we want to achieve is the same. We want to get this reflected in the guide. 
We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.", "title" : "Mobile Basic Security Testing and Reverse Engineering (Tue)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 555, "params" : {"categories":"MSTG","description":"Work on the Mobile Basic Security Testing and Reverse Engineering topics with focus on restructuring the contents of the MSTG","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-03T09:50:01+01:00","organizers":["Carlos Holguera"],"participants":["Jeroen Beckers","Sven Schleier","Jeroen Willemsen"],"room_id":"room-6","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Mobile Basic Security Testing and Reverse Engineering (Tue)","track":"OWASP MSTG","type":"working-session","when_day":"Tue","when_time":"AM-1,DS-2,PM-1,PM-2,PM-3"} } , { "id" : "78a987f61cc8a484b30319e503feaff8", "file_path" : "tracks/OWASP-MSTG/working-sessions/mstg-restructuring-wed.md", "last_modified" : "2019-06-05T12:30:09+01:00", "link" : "/tracks/owasp-mstg/working-sessions/mstg-restructuring-wed/", "content_plain" : " Mobile Basic Security Testing and Reverse Engineering Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you\u2019re familiar with mobile security testing, you\u2019ll probably know that the way we perform the testing on the different platforms is completely different, but at the end, what we want to achieve is the same. We want to get this reflected in the guide. We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.\nAs a result, the current content will be restructured, which will help with\n achieving a more organized testing approach and methodology. detecting potentially missing tools or techniques. fixing missing links across chapters. 
The Android and iOS chapters will mirror each other, so the next time someone (e.g. a beginner) wants to get started on these topics, it will be very clear what has to be done and how. If you\u2019re already an expert on e.g. Android, this will help you quickly identify the things you need when starting testing on iOS, e.g. \u201cAccessing the Device Shell\u201d.\nWhat Join us in a 2-day sprint to restructure the basic-testing and reverse-engineering chapters in a way that they are easily mappable. We want to be able to restructure the MSTG and connect it to the MASVS in a better way during the first 2 days in order to make the chapters more accessible.\nThis session focuses on the following topics (and their corresponding chapters from the MSTG):\n Android and iOS Basic Security Testing (0x5b/0x6b) Android and iOS Reverse Engineering and Tampering (0x5c/0x6c) After the first restructuring and updated outline, you\u2019ll have the chance to get your hands dirty and craft examples and new content for the MSTG to add next to existing tooling. For the new examples we will be introducing new tools like r2frida. Did you know you can reverse engineer an app straight from the process memory? That means, e.g. for iOS, that you may skip the decryption and extraction of the binary.\nThe tickets for this working session will cover these topics and contribute to the restructuring of the MSTG as described in this issue. This should simplify the chapters, improve their readability and make the project a lot easier to maintain!\nWho The target audience for this Working Session is:\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners. Anybody who is passionate about mobile app security, has fun hacking, securing and/or developing mobile apps, loves to continuously learn and enjoys sharing knowledge.\nWhat do you need to bring with you? 
Minimum required: a laptop :)\nDepending on the tasks/challenges you choose:\n General rewriting tasks do not require any devices; however, if you want to add new cases, then: For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory. For Android: an Android device is highly recommended (preferably rooted). However, for many tasks you can use the emulator. The MSTG is hosted on GitHub and can easily be edited by anyone; just a GitHub account is needed and knowledge of how to create a pull request.\nOutcomes A beautifully restructured MSTG.\nReferences \u201cBasic Security Testing / Reverse Engineering and Tampering\u201d Chapters Restructuring Issue Android Basic Security Testing Android Reverse Engineering and Tampering iOS Basic Security Testing iOS Reverse Engineering and Tampering ", "summary" : "Mobile Basic Security Testing and Reverse Engineering Welcome to the ultimate OWASP Mobile Security Testing Guide content reshuffle session!\nWhy If you\u2019re familiar with mobile security testing, you\u2019ll probably know that the way we perform the testing on the different platforms is completely different, but at the end, what we want to achieve is the same. We want to get this reflected in the guide. 
We will be working on topics from basic to advanced Mobile App Security Testing, Reverse Engineering and Tampering on Android and iOS.", "title" : "Mobile Basic Security Testing and Reverse Engineering (Wed)", "track" : "OWASP MSTG", "type" : "working-session", "word_count" : 555, "params" : {"categories":"MSTG","description":"Work on the Mobile Basic Security Testing and Reverse Engineering topics with focus on restructuring the contents of the MSTG","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-05T12:30:09+01:00","organizers":["Carlos Holguera"],"participants":["Jeroen Beckers","Sven Schleier","Jeroen Willemsen"],"room_id":"villa-6","room_layout":null,"session_slack":null,"status":"review-content","technology":"Mobile, iOS, Android","title":"Mobile Basic Security Testing and Reverse Engineering (Wed)","track":"OWASP MSTG","type":"working-session","when_day":"Wed","when_time":"AM-1,DS-2,PM-1,PM-2,PM-3"} } , { "id" : "913353f1831a6f458634bbfedde118e1", "file_path" : "tracks/OWASP-MSTG/user-sessions/mstg-contributor-onboarding-Mon.md", "last_modified" : "2019-06-03T09:50:01+01:00", "link" : "/tracks/owasp-mstg/user-sessions/mstg-contributor-onboarding-mon/", "content_plain" : " Why A take-off session for all participants that want to contribute to the OWASP Mobile Security Testing Guide project, but are not sure what to do yet during this week or after.\nWhat Introduction into the current state of the MSTG. Issues Milestones Project Page Release process. Contribution guidelines. Outline of the activities planned for this week. This is not a basic introduction into the project itself! 
Note: the first hour will cover the Introduction into the MSTG session; in the second hour, we will have the contributor onboarding.\nWho Everyone that would like to start contributing to the OWASP Mobile Security Testing Guide project.\nReferences OWASP Mobile Application Verification Standard (MASVS) OWASP Mobile Security Testing Guide (MSTG) style_guide.md ", "summary" : "Why A take-off session for all participants that want to contribute to the OWASP Mobile Security Testing Guide project, but are not sure what to do yet during this week or after.\nWhat Introduction into the current state of the MSTG. Issues Milestones Project Page Release process. Contribution guidelines. Outline of the activities planned for this week. This is not a basic introduction into the project itself!", "title" : "Mobile Security Testing Guide onboarding", "track" : "OWASP MSTG", "type" : "user-session", "word_count" : 118, "params" : {"description":"MSTG introduction for new contributors (Two sessions available - PM-1 on Mon, AM-1 on Wed)","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T09:50:01+01:00","organizers":["Jeroen Willemsen"],"participants":["Sven Schleier","Jeroen Beckers","Carlos Holguera"],"room_id":"room-5","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Mobile Security Testing Guide onboarding","topics":null,"track":"OWASP MSTG","type":"user-session","when_day":"Mon","when_time":"PM-1"} } , { "id" : "59ce60a7a0948e30e8b31ca887391d4d", "file_path" : "tracks/OWASP-MSTG/user-sessions/mstg-contributor-onboarding-Wed.md", "last_modified" : "2019-06-03T09:50:01+01:00", "link" : "/tracks/owasp-mstg/user-sessions/mstg-contributor-onboarding-wed/", "content_plain" : " Why A take-off session for all participants that want to contribute to the OWASP Mobile Security Testing Guide project, but are not sure what to do yet during this week or after.\nWhat Introduction into the current state of the MSTG. 
Issues Milestones Project Page Release process. Contribution guidelines. Outline of the activities planned for this week. This is not a basic introduction into the project itself! Note: the first hour will cover the Introduction into the MSTG session; in the second hour, we will have the contributor onboarding.\nWho Everyone that would like to start contributing to the OWASP Mobile Security Testing Guide project.\nReferences OWASP Mobile Application Verification Standard (MASVS) OWASP Mobile Security Testing Guide (MSTG) style_guide.md ", "summary" : "Why A take-off session for all participants that want to contribute to the OWASP Mobile Security Testing Guide project, but are not sure what to do yet during this week or after.\nWhat Introduction into the current state of the MSTG. Issues Milestones Project Page Release process. Contribution guidelines. Outline of the activities planned for this week. This is not a basic introduction into the project itself!", "title" : "Mobile Security Testing Guide onboarding (Session 2)", "track" : "OWASP MSTG", "type" : "user-session", "word_count" : 118, "params" : {"description":"MSTG introduction for new contributors (Two sessions available - PM-1 on Mon, AM-1 on Wed)","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T09:50:01+01:00","organizers":["Jeroen Willemsen"],"participants":["Sven Schleier","Jeroen Beckers","Carlos Holguera"],"room_id":"room-6","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Mobile Security Testing Guide onboarding (Session 2)","topics":null,"track":"OWASP MSTG","type":"user-session","when_day":"Wed","when_time":"AM-1"} } , { "id" : "62032b13248499008fccf0bc5589c14b", "file_path" : "tracks/OWASP-MSTG/user-sessions/intro-mstg-Mon.md", "last_modified" : "2019-06-02T23:38:37+01:00", "link" : "/tracks/owasp-mstg/user-sessions/intro-mstg-mon/", "content_plain" : " Why Pick up session for all participants who are interested in the Mobile 
Security Testing Guide project but have no experience with it yet. This session is mostly an introduction into the guide and the MASVS. It is not to guide contributors specifically; for that, we have the contributor onboarding session.\nWhat Introduction into the Mobile Application Security Verification Standard (MASVS). Introduction into the Mobile Security Testing Guide (structure, what it is about). Some demos of what we teach through the guide. Note: the first hour will cover the introduction session; in the second hour, we will have the contributor onboarding session.\nWho The target audience is all interested users from the Breaker, Builder and Defender communities alike!\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners.\nReferences OWASP Mobile Application Verification Standard (MASVS) OWASP Mobile Security Testing Guide (MSTG) ", "summary" : "Why Pick up session for all participants who are interested in the Mobile Security Testing Guide project but have no experience with it yet. This session is mostly an introduction into the guide and the MASVS. It is not to guide contributors specifically; for that, we have the contributor onboarding session.\nWhat Introduction into the Mobile Application Security Verification Standard (MASVS). 
Introduction into the Mobile Security Testing Guide (structure, what it is about).", "title" : "OWASP Mobile Security Testing Guide 101", "track" : "OWASP MSTG", "type" : "user-session", "word_count" : 141, "params" : {"description":"MSTG introduction for newbies (Two sessions available - PM-1 on Mon, AM-1 on Wed)","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-02T23:38:37+01:00","organizers":["Jeroen Willemsen"],"participants":["Sven Schleier","Jeroen Beckers","Carlos Holguera"],"room_id":"room-5","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"OWASP Mobile Security Testing Guide 101","topics":null,"track":"OWASP MSTG","type":"user-session","when_day":"Mon","when_time":"PM-1"} } , { "id" : "60b2aa0248522c3b859411133ceb786f", "file_path" : "tracks/OWASP-MSTG/user-sessions/intro-mstg-Wed.md", "last_modified" : "2019-06-03T09:50:01+01:00", "link" : "/tracks/owasp-mstg/user-sessions/intro-mstg-wed/", "content_plain" : " Why Pick up session for all participants who are interested in the Mobile Security Testing Guide project but have no experience with it yet. This session is mostly an introduction into the guide and the MASVS. It is not to guide contributors specifically, for this, we have the contributor onboarding session.\nWhat Introduction into the Mobile Application Security Verification Standard (MASVS). Introduction into the Mobile Security Testing Guide (structure, what it is about). Some demos of what we teach through the guide. 
Note: the first hour will cover the introduction session; in the second hour, we will have the contributor onboarding session.\nWho The target audience is all interested users from the Breaker, Builder and Defender communities alike!\n iOS developers Android developers Penetration Testers Security engineers From experts to beginners.\nReferences OWASP Mobile Application Verification Standard (MASVS) OWASP Mobile Security Testing Guide (MSTG) ", "summary" : "Why Pick up session for all participants who are interested in the Mobile Security Testing Guide project but have no experience with it yet. This session is mostly an introduction into the guide and the MASVS. It is not to guide contributors specifically; for that, we have the contributor onboarding session.\nWhat Introduction into the Mobile Application Security Verification Standard (MASVS). Introduction into the Mobile Security Testing Guide (structure, what it is about).", "title" : "OWASP Mobile Security Testing Guide 101 (Session 2)", "track" : "OWASP MSTG", "type" : "user-session", "word_count" : 141, "params" : {"description":"MSTG introduction for newbies (Two sessions available - PM-1 on Mon, AM-1 on Wed)","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-03T09:50:01+01:00","organizers":["Jeroen Willemsen"],"participants":["Sven Schleier","Jeroen Beckers","Carlos Holguera"],"room_id":"room-6","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"OWASP Mobile Security Testing Guide 101 (Session 2)","topics":null,"track":"OWASP MSTG","type":"user-session","when_day":"Wed","when_time":"AM-1"} } , { "id" : "a36c1f4e4b49e1b28a52632b84e6fa63", "file_path" : "tracks/OWASP-Projects/_index.md", "last_modified" : "2019-05-29T13:24:47+01:00", "link" : "/tracks/owasp-projects/", "content_plain" : "Sessions on multiple OWASP Projects\n", "summary" : "Sessions on multiple OWASP Projects", "title" : "OWASP Projects", "track" : null, "type" : "track", "word_count" : 
5, "params" : {"description":"Sessions on multiple OWASP Projects","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-29T13:24:47+01:00","organizers":null,"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAULHPHU2","title":"OWASP Projects","type":"track","when_day":"Mon,Wed,Fri"} } , { "id" : "03cee6dd29801a2fdc055f7b6c590638", "file_path" : "tracks/OWASP-Projects/application-security-verification-standard.md", "last_modified" : "2019-06-05T10:51:48+03:00", "link" : "/tracks/owasp-projects/application-security-verification-standard/", "content_plain" : " The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and a list of requirements for secure development for developers.\nWhy The Application Security Verification Standard is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is.\nASVS has two main goals: - to help organizations develop and maintain secure applications - to allow security service, security tools vendors, and consumers to align their requirements and offerings\nWhat Risk analysis is always subjective and this is why we expect that there will most likely never be a 100% agreement on this standard. 
However, keeping the standard up-to-date is certainly a step in the right direction and it will enhance the overall concepts introduced in this important industry standard.\nOutcomes This Working Session will result in a short summary which will include the list of items that need to be updated, added, or changed in order to make the standard more applicable to modern applications.\nWho The target audiences for this Working Session are: - Security champions - Security architects - DevOps Roles - CISOs\nWorking materials Here are the current \u2018work in progress\u2019 materials for this session (please add as much information as possible before the sessions): - ASVS 4.1 in English (pdf) (note that the \u201cbleeding edge\u201d version is what is in the GitHub repository.) - ASVS GitHub\nPrevious Summit Working Session https://owaspsummit.org/Working-Sessions/Owasp-Projects/Application-Security-Verification-Standard.html\n", "summary" : "The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and a list of requirements for secure development for developers.\nWhy The Application Security Verification Standard is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is.\nASVS has two main goals: - to help organizations develop and maintain secure applications - to allow security service, security tools vendors, and consumers to align their requirements and offerings", "title" : "Application Security Verification Standard", "track" : "OWASP Projects", "type" : "working-session", "word_count" : 250, "params" : {"description":"Session on ASVS","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-05T10:51:48+03:00","organizers":["Jim 
Manico"],"participants":null,"room_id":"villa-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAU646WRE","status":"review-content","title":"Application Security Verification Standard","topics":["Owasp Project"],"track":"OWASP Projects","type":"working-session","when_day":"Wed","when_time":"PM-1"} } , { "id" : "a88f505aa4c854c1fb2e1fe2305671ae", "file_path" : "tracks/OWASP-Projects/Application-Security-Curriculum-Project.md", "last_modified" : "2019-06-04T10:33:55+01:00", "link" : "/tracks/owasp-projects/application-security-curriculum-project/", "content_plain" : " Why Part of OWASP’s main purpose is to “Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software”. A key part of that mission is to educate not just the current generation of developers or information security professionals, but also the next generation, particularly in the context of the acknowledged skills shortage in the security sector.\nA common problem with many security education programmes (whether cyber or InfoSec) or even traditional computer science programmes is that they do not address application security adequately, if at all. In some regions, attempts have been made to address this deficit.\nIn the UK for example, ISC2 and the BCS are working on an initiative to embed security firmly within the Computer Science curriculum, with an emphasis on secure coding techniques. OWASP, through my involvement, also champions this initiative.\nThere is an opportunity for OWASP to pull together its wide-ranging expertise, projects, and dedicated volunteers to engage in these types of education programmes and initiatives by developing an educational strategy for undergraduate and postgraduate students. This could take the form of an open “Standard” curriculum template which can be adopted and adapted by diverse educational partners and organisations. 
Such a template would also give a useful starting point or reference document for when we engage with other professional bodies.\nWhat The deliverables for this project would be:\n Identify and recommend a number of Application Security Learning Outcomes*1 Link the identified learning objectives to available or required resources Produce an open curriculum for industry Outcomes Deliverable #1\nWould be to undertake a gap analysis of existing and missing curricula requirements.\nThis will be achieved through literature reviews, surveys/interviews with industry, and information gathering and advice from professional bodies.\nThe anticipated generated deliverables would be a number of academic papers in the fields of a) security and/or b) learning and teaching.\nDeliverable #2\nWould be to undertake a gap analysis of existing and missing teaching resources.*2\nThis will be achieved through a discovery workshop and industry visits.\nThe anticipated generated deliverables would be a number of academic papers and a definitive list submitted to OWASP for new project requirements.\nExample of Available Opensource Resource/LO mapping (what is good, what is missing, what needs improving): RESOURCE LO#1 LO#2 LO#3 LO#4 etc…\nVersus\nCheatsheets Webgoat Hackademic Security Shepherd\nJuiceShop\netc\nDeliverable #3\nWould be to develop a learning skills framework suitable for industry, with the approval of OWASP.\nInformation gathering will be achieved via industry outreach and visits to confirm the framework meets industry requirements.\nThe anticipated generated deliverables would be an industry focused academic curriculum conference.\nWho Application Security Trainers CISO\u2019s Talent Acquisition Developer Leads Academics Working materials TBD\n", "summary" : "Why Part of OWASP’s main purpose is to “Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software”. 
A key part of that mission is to educate not just the current generation of developers or information security professionals, but also the next generation, particularly in the context of the acknowledged skills shortage in the security sector.\nA common problem with many security education programmes (whether cyber or InfoSec) or even traditional computer science programmes is that they do not address application security adequately, if at all.", "title" : "OWASP Application Security Curriculum Project", "track" : "OWASP Projects", "type" : "working-session", "word_count" : 448, "params" : {"categories":["Education"],"description":"Kick-off session for the new AppSec Curriculum Project, to discuss goals, deliverables, roadmap, etc.","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-04T10:33:55+01:00","organizers":["Adrian Winckles","John DiLeo"],"room_id":"room-4","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVABULJF","status":"review-content","technology":null,"title":"OWASP Application Security Curriculum Project","topics":["Owasp Project","OWASP Application Security Curriculum"],"track":"OWASP Projects","type":"working-session","when_day":"Tue","when_time":"PM-2"} } , { "id" : "9d4d1e7dfb8798d6c9b5e92262f29a5b", "file_path" : "tracks/OWASP-Projects/owasp-honeypot.md", "last_modified" : "2019-06-05T15:16:41+01:00", "link" : "/tracks/owasp-projects/owasp-honeypot/", "content_plain" : " The goal of the OWASP Honeypot Project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks.\nBased around the earlier OWASP/WASC Distributed Web Honeypots Project (https://github.com/SpiderLabs/owasp-distributed-web-honeypots) this project extends on sharing the findings, reproducibility, and simplifying the adoption for the community.\nWhy There is an ongoing GSoC project, proposed by Tulja Vamshi Kiran, to work on it. 
Both project leaders will be in the Summit so coordination is a must.\nWhat The session will focus on discussing the topics of the project.\nOutcomes Revised deliveries on the activities of the project:\n Review timeline and activities Additional needs for project participants Discussion How to share findings Who The target audience for this Working Session is:\n Developers Security professionals DevOps / DevSecOps AppSec leaders Working materials Here are the current \u0026lsquo;work in progress\u0026rsquo; materials for this session (please add as much information as possible before the sessions): - Honeypot GitHub - GSoC project proposal - Trello Board with Activities\n", "summary" : "The goal of the OWASP Honeypot Project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks.\nBased around the earlier OWASP/WASC Distributed Web Honeypots Project (https://github.com/SpiderLabs/owasp-distributed-web-honeypots) this project extends on sharing the findings, reproducibility, and simplifying the adoption for the community.\nWhy There is an ongoing GSoC project, proposed by Tulja Vamshi Kiran, to work on it.", "title" : "OWASP HoneyPot", "track" : "OWASP Projects", "type" : "working-session", "word_count" : 171, "params" : {"description":"Session on OWASP Honeypot","draft":false,"featured":false,"iscjklanguage":false,"lastmod":"2019-06-05T15:16:41+01:00","meet_url":"https://zoom.us/j/966416810","organizers":["Felipe Zipitria","Adrian Winckles"],"participants":null,"room_id":"villa-158","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAU646WRE","status":"review-content","title":"OWASP HoneyPot","topics":["Owasp Project"],"track":"OWASP Projects","type":"working-session","when_day":"Wed","when_time":"PM-2"} } , { "id" : "da408a16766bffe5ba653adab9aa9739", "file_path" : "tracks/OWASP-Projects/media-project.md", "last_modified" : 
"2019-06-03T15:09:53-07:00", "link" : "/tracks/owasp-projects/media-project/", "content_plain" : "We\u0026rsquo;ll update the project page, mission and documentation, reset contributors access (currently unmaintained since a while) and plan for a video portal for OWASP.\nhttps://www.owasp.org/index.php/OWASP_Media_Project\n", "summary" : "We\u0026rsquo;ll update the project page, mission and documentation, reset contributors access (currently unmaintained since a while) and plan for a video portal for OWASP.\nhttps://www.owasp.org/index.php/OWASP_Media_Project", "title" : "OWASP Media Project", "track" : "OWASP Projects", "type" : "working-session", "word_count" : 25, "params" : {"categories":null,"description":"Update project docs and plan the next phase of OWASP Media Project","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T15:09:53-07:00","organizers":["Jonathan Marcil"],"participants":null,"room_id":"virtual-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CK7J2M3TP","status":"done","technology":null,"title":"OWASP Media Project","track":"OWASP Projects","type":"working-session","when_day":"Wed","when_time":"Eve-1"} } , { "id" : "8f6cd3791f213bfd77548fe339dded38", "file_path" : "tracks/OWASP-Projects/ZAP-automation.md", "last_modified" : "2019-06-03T22:21:35+01:00", "link" : "/tracks/owasp-projects/zap-automation/", "content_plain" : "An interactive working session for people to discuss and learn how best to automate ZAP.\n", "summary" : "An interactive working session for people to discuss and learn how best to automate ZAP.", "title" : "ZAP working session - automation", "track" : "OWASP Projects", "type" : "working-session", "word_count" : 15, "params" : {"categories":["ZAP"],"description":"Working session on ZAP automation","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T22:21:35+01:00","locked":true,"organizers":["Simon 
Bennetts"],"participants":null,"room_id":"room-2","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"ZAP working session - automation","track":"OWASP Projects","type":"working-session","when_day":"Tue","when_time":"AM-1"} } , { "id" : "70ee3b0f78cf818091d093f19d87038e", "file_path" : "tracks/OWASP-Projects/ZAP-future plans.md", "last_modified" : "2019-06-03T22:21:35+01:00", "link" : "/tracks/owasp-projects/zap-future-plans/", "content_plain" : "An interactive working session for people to discuss and suggest where ZAP could go in the future.\n", "summary" : "An interactive working session for people to discuss and suggest where ZAP could go in the future.", "title" : "ZAP working session - future plans", "track" : "OWASP Projects", "type" : "working-session", "word_count" : 17, "params" : {"categories":["ZAP"],"description":"Working sessions on ZAP future plans","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T22:21:35+01:00","locked":true,"organizers":["Simon Bennetts"],"participants":null,"room_id":"room-2","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"ZAP working session - future plans","track":"OWASP Projects","type":"working-session","when_day":"Wed","when_time":"AM-1"} } , { "id" : "70cd5b99282ee0e5fb605c25970cc0ab", "file_path" : "tracks/OWASP-Projects/ZAP-the HUD.md", "last_modified" : "2019-06-03T22:21:35+01:00", "link" : "/tracks/owasp-projects/zap-the-hud/", "content_plain" : "An interactive working session for people to learn about the new ZAP Heads Up Display (HUD) including how it can be used and how it can be extended. It is recommended that attendees who would like to try extending the HUD should have the ZAP HUD repo cloned locally.\n", "summary" : "An interactive working session for people to learn about the new ZAP Heads Up Display (HUD) including how it can be used and how it can be extended. 
It is recommended that attendees who would like to try extending the HUD should have the ZAP HUD repo cloned locally.", "title" : "ZAP working session - the HUD", "track" : "OWASP Projects", "type" : "working-session", "word_count" : 49, "params" : {"categories":["ZAP"],"description":"Working session on the ZAP HUD","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T22:21:35+01:00","locked":true,"organizers":["Simon Bennetts"],"participants":null,"room_id":"room-2","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"ZAP working session - the HUD","track":"OWASP Projects","type":"working-session","when_day":"Tue","when_time":"PM-1"} } , { "id" : "3fbc6393f20797a4bbc25215f1241fb0", "file_path" : "tracks/OWASP-SAMM/_index.md", "last_modified" : "2019-06-06T07:43:33+01:00", "link" : "/tracks/owasp-samm/", "content_plain" : "In addition to specific Maturity Models sessions, a large number of OWASP SAMM Working-Sessions will occur at the Summit.\nThe SAMM Summit is not a regular conference with speaking slots, but a summit where the participants work together in a 5-day sprint on SAMMv2. If you are interested in contributing to this, you are most welcome (knowledge of SAMM or other secure development methodology experience is a prerequisite).\nThis is an excellent opportunity to influence the direction of SAMM and exchange experiences with your peers.\n Thank you to our supporting \u0026ldquo;Leader\u0026rdquo; sponsors that made this summit possible:\n* Micro Focus Fortify\n* NCC Group\n* Splunk\n* Concord\n", "summary" : "In addition to specific Maturity Models sessions, a large number of OWASP SAMM Working-Sessions will occur at the Summit.\nThe SAMM Summit is not a regular conference with speaking slots, but a summit where the participants work together in a 5-day sprint on SAMMv2. 
If you are interested in contributing to this, you are most welcome (knowledge of SAMM or other secure development methodology experience is a prerequisite).\nThis is an excellent opportunity to influence the direction of SAMM and exchange experiences with your peers.", "title" : "OWASP SAMM", "track" : null, "type" : "track", "word_count" : 108, "params" : {"categories":["OWASP SAMM"],"description":"SAMM team working together in a 5-day sprint on SAMMv2","draft":false,"iscjklanguage":false,"lastmod":"2019-06-06T07:43:33+01:00","organizers":["Sebastien Deleersnyder","Bart De Win"],"owasp-project":true,"session_slack":"https://os-summit.slack.com/messages/CAVHR0UN9","title":"OWASP SAMM","type":"track","when_day":"Tue,Wed,Thu"} } , { "id" : "e6409f3ac2cde98e5bcc2b63f004ff98", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-2-DevSecOps-Mapping.md", "last_modified" : "2019-05-31T13:12:22+02:00", "link" : "/tracks/owasp-samm/working-sessions/samm-2-devsecops-mapping/", "content_plain" : "OWASP DevSecOps Maturity Model activities reference, based on Timo Pagel's opinion, to OWASP SAMM activities.\nCheck out https://dsomm.timo-pagel.de/report-samm.php\nQuestions: * Is the current mapping valid? * Some DSOMM activities are not easy to map to SAMM, where should they belong? (Is it accepted/expected/questioned to have mappings for one DSOMM activity to multiple SAMM activities?) * Are the differences of having activities of maturity level 3 in SAMM and in OWASP DSOMM on maturity 1 accepted/expected/questioned?\nOutcome: * OWASP SAMM team verifies by mapping that no important activities are missing * OWASP SAMM might add references to OWASP DevSecOps Maturity Model * OWASP DevSecOps Maturity Model will have a more precise mapping\n", "summary" : "OWASP DevSecOps Maturity Model activities reference, based on Timo Pagel's opinion, to OWASP SAMM activities.\nCheck out https://dsomm.timo-pagel.de/report-samm.php\nQuestions: * Is the current mapping valid? 
* Some DSOMM activities are not easy to map to SAMM, where should they belong? (Is it accepted/expected/questioned to have mappings for one DSOMM activity to multiple SAMM activities?) * Are the differences of having activities of maturity level 3 in SAMM and in OWASP DSOMM on maturity 1 accepted/expected/questioned?", "title" : "Mapping OWASP DevSecOps Maturity Model to SAMMv2", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 112, "params" : {"categories":null,"description":"multiple working sessions on the new SAMMv2","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-31T13:12:22+02:00","locked":true,"organizers":["Timo Pagel","Sebastien Deleersnyder","Bart De Win"],"participants":["Yan Kravchenko"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWA9CQ14","status":"draft","technology":null,"title":"Mapping OWASP DevSecOps Maturity Model to SAMMv2","track":"OWASP SAMM","type":"working-session","when_day":"Wed","when_time":"PM-3"} } , { "id" : "1e2d7ebc5430957014624c917c3cb872", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-agile.md", "last_modified" : "2019-06-02T23:47:08+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-agile/", "content_plain" : "SAMM is conceived as a methodology agnostic model. The specificities for a particular methodology such as Agile are specified in a separate guidance document. In this session, we want to discuss the guidance document for Agile, which has already been developed. We want to discuss the mapping and suggestions with you to understand where this can further improve.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model\n", "summary" : "SAMM is conceived as a methodology agnostic model. The specificities for a particular methodology such as Agile are specified in a separate guidance document. In this session, we want to discuss the guidance document for Agile, which has already been developed. 
We want to discuss the mapping and suggestions with you to understand where this can further improve.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model", "title" : "SAMM - Agile guidance", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 68, "params" : {"categories":null,"description":"Discussing the support for Agile development based on SAMM v2","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-02T23:47:08+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["Yan Kravchenko"],"room_id":"villa-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Agile guidance","track":"OWASP SAMM","type":"working-session","when_day":"Thu","when_time":"Eve-1"} } , { "id" : "1192349bc6ec73a41dcaa3bca33e011c", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-TM-alignment.md", "last_modified" : "2019-06-02T06:15:41+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-tm-alignment/", "content_plain" : "OWASP SAMM is an overarching model that provides a framework to reason about application security in the broadest sense. To ensure the relevance and usefulness of activities, we will align the content thereof with subject matter experts from other OWASP projects. This will ensure that the objective, suggestions and measurement questions are supported by the OWASP community. In this session, we want to discuss the Threat Modeling stream in particular.\nSession Requirements: Familiarity with v2 of the OWASP SAMM project.\n", "summary" : "OWASP SAMM is an overarching model that provides a framework to reason about application security in the broadest sense. To ensure the relevance and usefulness of activities, we will align the content thereof with subject matter experts from other OWASP projects. 
This will ensure that the objective, suggestions and measurement questions are supported by the OWASP community. In this session, we want to discuss the Threat Modeling stream in particular.", "title" : "SAMM - Alignment with Threat Modeling", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 80, "params" : {"categories":null,"description":"Aligning the SAMM model with the Threat Modeling project.","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-02T06:15:41+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["Yan Kravchenko"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Alignment with Threat Modeling","track":"OWASP SAMM","type":"working-session","when_day":"Thu","when_time":"PM-2"} } , { "id" : "00a9adeb2caaabfe21fab25ef979d445", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-alignment-fri.md", "last_modified" : "2019-05-31T13:47:07+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-alignment-fri/", "content_plain" : "OWASP SAMM is an overarching model that provides a framework to reason about application security in the broadest sense. To ensure the relevance and usefulness of activities, we will align the content thereof with subject matter experts from other OWASP projects. This will ensure that the objective, suggestions and measurement questions are supported by the OWASP community. If you are involved in an OWASP project that links with OWASP SAMM, you\u0026rsquo;re more than welcome to join and give your feedback. We will also pro-actively reach out to particular OWASP members and projects to discuss this.\nSession Requirements: Familiarity with the OWASP SAMM project.\n", "summary" : "OWASP SAMM is an overarching model that provides a framework to reason about application security in the broadest sense. 
To ensure the relevance and usefulness of activities, we will align the content thereof with subject matter experts from other OWASP projects. This will ensure that the objective, suggestions and measurement questions are supported by the OWASP community. If you are involved in an OWASP project that links with OWASP SAMM, you\u0026rsquo;re more than welcome to join and give your feedback.", "title" : "SAMM - Alignment with other OWASP projects (Fri)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 103, "params" : {"categories":null,"description":"Aligning the model with other OWASP projects.","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T13:47:07+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Alignment with other OWASP projects (Fri)","track":"OWASP SAMM","type":"working-session","when_day":"Fri","when_time":"DS-2"} } , { "id" : "ccba055417d40f5234c5bdac4029ff31", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-alignment-thu.md", "last_modified" : "2019-05-31T13:47:07+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-alignment-thu/", "content_plain" : "OWASP SAMM is an overarching model that provides a framework to reason about application security in the broadest sense. To ensure the relevance and usefulness of activities, we will align the content thereof with subject matter experts from other OWASP projects. This will ensure that the objective, suggestions and measurement questions are supported by the OWASP community. If you are involved in an OWASP project that links with OWASP SAMM, you\u0026rsquo;re more than welcome to join and give your feedback. 
We will also pro-actively reach out to particular OWASP members and projects to discuss this.\nSession Requirements: Familiarity with the OWASP SAMM project.\n", "summary" : "OWASP SAMM is an overarching model that provides a framework to reason about application security in the broadest sense. To ensure the relevance and usefulness of activities, we will align the content thereof with subject matter experts from other OWASP projects. This will ensure that the objective, suggestions and measurement questions are supported by the OWASP community. If you are involved in an OWASP project that links with OWASP SAMM, you\u0026rsquo;re more than welcome to join and give your feedback.", "title" : "SAMM - Alignment with other OWASP projects (Thu)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 103, "params" : {"categories":null,"description":"Aligning the model with other OWASP projects.","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T13:47:07+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["Yan Kravchenko"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Alignment with other OWASP projects (Thu)","track":"OWASP SAMM","type":"working-session","when_day":"Thu","when_time":"DS-2"} } , { "id" : "3eea2a548de4561e25aff47e933b7dcc", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-alignment-we.md", "last_modified" : "2019-05-31T13:47:07+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-alignment-we/", "content_plain" : "OWASP SAMM is an overarching model that provides a framework to reason about application security in the broadest sense. To ensure the relevance and usefulness of activities, we will align the content thereof with subject matter experts from other OWASP projects. 
This will ensure that the objective, suggestions and measurement questions are supported by the OWASP community. If you are involved in an OWASP project that links with OWASP SAMM, you\u0026rsquo;re more than welcome to join and give your feedback. We will also pro-actively reach out to particular OWASP members and projects to discuss this.\nSession Requirements: Familiarity with the OWASP SAMM project.\n", "summary" : "OWASP SAMM is an overarching model that provides a framework to reason about application security in the broadest sense. To ensure the relevance and usefulness of activities, we will align the content thereof with subject matter experts from other OWASP projects. This will ensure that the objective, suggestions and measurement questions are supported by the OWASP community. If you are involved in an OWASP project that links with OWASP SAMM, you\u0026rsquo;re more than welcome to join and give your feedback.", "title" : "SAMM - Alignment with other OWASP projects (Wed)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 103, "params" : {"categories":null,"description":"Aligning the model with other OWASP projects.","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-31T13:47:07+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Alignment with other OWASP projects (Wed)","track":"OWASP SAMM","type":"working-session","when_day":"Wed","when_time":"DS-2"} } , { "id" : "b7e453f51c8cc44903df6e6b9b15bd86", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-AOB.md", "last_modified" : "2019-05-29T08:41:04+02:00", "link" : "/tracks/owasp-samm/working-sessions/samm-aob/", "content_plain" : "The session will provide room to discuss any remaining topics.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 
model\n", "summary" : "The session will provide room to discuss any remaining topics.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model", "title" : "SAMM - Any Other Business", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 20, "params" : {"categories":null,"description":"Spare session to cover any other topics","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-29T08:41:04+02:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Any Other Business","track":"OWASP SAMM","type":"working-session","when_day":"Fri","when_time":"PM-1"} } , { "id" : "1927453344f37d03b7872dc8e45b2225", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-devops.md", "last_modified" : "2019-05-29T08:45:18+02:00", "link" : "/tracks/owasp-samm/working-sessions/samm-devops/", "content_plain" : "SAMM is conceived as a methodology agnostic model. The specificities for a particular methodology such as DevOps are specified in a separate guidance document. In this session, we want to work on a guidance document for DevOps. If you\u0026rsquo;re familiar with DevOps-based development, we very much would like to hear from you on how to support this using SAMM v2 !\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model\n", "summary" : "SAMM is conceived as a methodology agnostic model. The specificities for a particular methodology such as DevOps are specified in a separate guidance document. In this session, we want to work on a guidance document for DevOps. 
If you\u0026rsquo;re familiar with DevOps-based development, we very much would like to hear from you on how to support this using SAMM v2 !\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model", "title" : "SAMM - DevOps guidance", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 71, "params" : {"categories":null,"description":"Discussing the support for DevOps development based on SAMM v2","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-29T08:45:18+02:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - DevOps guidance","track":"OWASP SAMM","type":"working-session","when_day":"Wed","when_time":"PM-3"} } , { "id" : "c3bfe655b8ac7e187bd8dba23e735ad0", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-editing.md", "last_modified" : "2019-05-29T08:47:28+02:00", "link" : "/tracks/owasp-samm/working-sessions/samm-editing/", "content_plain" : "In a first part, we want to reiterate over the editing guidelines for the model to ensure authoring consistency. Next, we will implement changes to the current v2 model based on previous discussions. This session will be used to advance the content of the new v2 model, and focus will be on actual editing (rather than discussing).\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model\n", "summary" : "In a first part, we want to reiterate over the editing guidelines for the model to ensure authoring consistency. Next, we will implement changes to the current v2 model based on previous discussions. 
This session will be used to advance the content of the new v2 model, and focus will be on actual editing (rather than discussing).\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model", "title" : "SAMM - Editing agreements and parallel editing", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 67, "params" : {"categories":null,"description":"Parallel editing session to improve the content of the current model","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-29T08:47:28+02:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Editing agreements and parallel editing","track":"OWASP SAMM","type":"working-session","when_day":"Tue","when_time":"AM-1"} } , { "id" : "e0c595517b93db2fb7fcd8f5531819e5", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-measurement1.md", "last_modified" : "2019-06-02T23:47:08+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-measurement1/", "content_plain" : "One of the core challenges for SAMM v2 is the new way of measuring maturity according to the core model. While in the past, measurements have been focussing on coverage, we\u0026rsquo;re also looking into measuring quality of implementation. In this (and the previous) session, we want to take a final decision on this topic.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model\n", "summary" : "One of the core challenges for SAMM v2 is the new way of measuring maturity according to the core model. While in the past, measurements have been focussing on coverage, we\u0026rsquo;re also looking into measuring quality of implementation. 
In this (and the previous) session, we want to take a final decision on this topic.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model", "title" : "SAMM - Measurement model (Mon EV)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 64, "params" : {"categories":null,"description":"Discussion on the new measurement model for the SAMM v2 project","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-02T23:47:08+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["Yan Kravchenko"],"room_id":"villa-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Measurement model (Mon EV)","track":"OWASP SAMM","type":"working-session","when_day":"Mon","when_time":"Eve-1"} } , { "id" : "5a55cdd45080044a9d87ea52c626782f", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-measurement2.md", "last_modified" : "2019-05-31T13:47:07+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-measurement2/", "content_plain" : "One of the core challenges for SAMM v2 is the new way of measuring maturity according to the core model. While in the past, measurements have been focussing on coverage, we\u0026rsquo;re also looking into measuring quality of implementation. In this (and the following) session, we want to take a final decision on this topic.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model\n", "summary" : "One of the core challenges for SAMM v2 is the new way of measuring maturity according to the core model. While in the past, measurements have been focussing on coverage, we\u0026rsquo;re also looking into measuring quality of implementation. 
In this (and the following) session, we want to take a final decision on this topic.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model", "title" : "SAMM - Measurement model (Mon PM)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 64, "params" : {"categories":null,"description":"Discussion on the new measurement model for the SAMM v2 project","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T13:47:07+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["Yan Kravchenko"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Measurement model (Mon PM)","track":"OWASP SAMM","type":"working-session","when_day":"Mon","when_time":"PM-3"} } , { "id" : "ae4152e008d62979a6c80645e6fa9c11", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-challenges-tu.md", "last_modified" : "2019-06-02T23:47:08+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-challenges-tu/", "content_plain" : "Based on the outstanding Github issues, the user feedback, and any challenges that have come up during editing, we will use this session to have in-depth discussions on how to resolve these. We know from experience that evening sessions are often the most productive ones, so we reserve the evening sessions for core discussions on the model, if any.\nSession Requirements: Familiarity with the OWASP SAMM v1.5 and v2 model\n", "summary" : "Based on the outstanding Github issues, the user feedback, and any challenges that have come up during editing, we will use this session to have in-depth discussions on how to resolve these. 
We know from experience that evening sessions are often the most productive ones, so we reserve the evening sessions for core discussions on the model, if any.\nSession Requirements: Familiarity with the OWASP SAMM v1.5 and v2 model", "title" : "SAMM - Model Challenges (Tue)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 70, "params" : {"categories":null,"description":"Discussing outstanding model challenges","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-02T23:47:08+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["Yan Kravchenko"],"room_id":"villa-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Model Challenges (Tue)","track":"OWASP SAMM","type":"working-session","when_day":"Tue","when_time":"Eve-1"} } , { "id" : "6be45cbdd6a129056a50361cfd54743b", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-challenges-we.md", "last_modified" : "2019-06-02T23:47:08+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-challenges-we/", "content_plain" : "Based on the outstanding Github issues, the user feedback, and any challenges that have come up during editing, we will use this session to have in-depth discussions on how to resolve these. We know from experience that evening sessions are often the most productive ones, so we reserve the evening sessions for core discussions on the model, if any.\nSession Requirements: Familiarity with the OWASP SAMM v1.5 and v2 model\n", "summary" : "Based on the outstanding Github issues, the user feedback, and any challenges that have come up during editing, we will use this session to have in-depth discussions on how to resolve these. 
We know from experience that evening sessions are often the most productive ones, so we reserve the evening sessions for core discussions on the model, if any.\nSession Requirements: Familiarity with the OWASP SAMM v1.5 and v2 model", "title" : "SAMM - Model Challenges (Wed)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 70, "params" : {"categories":null,"description":"Discussing outstanding model challenges","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-02T23:47:08+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"villa-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Model Challenges (Wed)","track":"OWASP SAMM","type":"working-session","when_day":"Wed","when_time":"Eve-1"} } , { "id" : "bef254da7fb428707a90621e7fe66bae", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-model-tu.md", "last_modified" : "2019-05-31T13:47:07+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-model-tu/", "content_plain" : "This session will be dedicated to discussing any topics that have come up during editing or based on user feedback, and that need to be discussed to prepare for further editing of the model.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model\n", "summary" : "This session will be dedicated to discussing any topics that have come up during editing or based on user feedback, and that need to be discussed to prepare for further editing of the model.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model", "title" : "SAMM - Model discussions (Tue)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 44, "params" : {"categories":null,"description":"Parallel editing session to improve the content of the current 
model","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T13:47:07+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Model discussions (Tue)","track":"OWASP SAMM","type":"working-session","when_day":"Tue","when_time":"PM-2"} } , { "id" : "9f6d4babb265a2ede2a14478397f1ae8", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-model-we.md", "last_modified" : "2019-05-31T13:47:07+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-model-we/", "content_plain" : "This session will be dedicated to discussing any topics that have come up during editing or based on user feedback, and that need to be discussed to prepare for further editing of the model.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model\n", "summary" : "This session will be dedicated to discussing any topics that have come up during editing or based on user feedback, and that need to be discussed to prepare for further editing of the model.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model", "title" : "SAMM - Model discussions (Wed)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 44, "params" : {"categories":null,"description":"Parallel editing session to improve the content of the current model","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T13:47:07+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["Yan Kravchenko"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Model discussions (Wed)","track":"OWASP SAMM","type":"working-session","when_day":"Wed","when_time":"PM-2"} } , { "id" : "28642dc9380f6502dbb264c13e7aaf49", "file_path" : 
"tracks/OWASP-SAMM/working-sessions/SAMM-outreach.md", "last_modified" : "2019-05-31T13:47:07+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-outreach/", "content_plain" : "Discuss how we want to organise and prepare outreach for the SAMM project, including the channels that we\u0026rsquo;re using to update the community, how to organise the upcoming release, what to do with the website and so forth.\nSession Requirements: being familiar with the OWASP SAMM project.\n", "summary" : "Discuss how we want to organise and prepare outreach for the SAMM project, including the channels that we\u0026rsquo;re using to update the community, how to organise the upcoming release, what to do with the website and so forth.\nSession Requirements: being familiar with the OWASP SAMM project.", "title" : "SAMM - Outreach program (Mon)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 47, "params" : {"categories":null,"description":"Discussing the outreach for the OWASP SAMM project","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T13:47:07+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Outreach program (Mon)","track":"OWASP SAMM","type":"working-session","when_day":"Mon","when_time":"DS-2"} } , { "id" : "f6564330dd31fce003a417726320d269", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-outreach-tu.md", "last_modified" : "2019-05-31T13:47:07+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-outreach-tu/", "content_plain" : "Discuss how we want to organise and prepare outreach for the SAMM project, including the channels that we\u0026rsquo;re using to update the community, how to organise the upcoming release, what to do with the website and so forth.\nSession Requirements: being familiar with the OWASP 
SAMM project.\n", "summary" : "Discuss how we want to organise and prepare outreach for the SAMM project, including the channels that we\u0026rsquo;re using to update the community, how to organise the upcoming release, what to do with the website and so forth.\nSession Requirements: being familiar with the OWASP SAMM project.", "title" : "SAMM - Outreach program (Tue)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 47, "params" : {"categories":null,"description":"Discussing the outreach for the OWASP SAMM project","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T13:47:07+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Outreach program (Tue)","track":"OWASP SAMM","type":"working-session","when_day":"Tue","when_time":"DS-2"} } , { "id" : "c58a660ff5c602b80588f18e505ff287", "file_path" : "tracks/OWASP-SAMM/working-sessions/samm-outreach-wu.md", "last_modified" : "2019-05-29T08:50:34+02:00", "link" : "/tracks/owasp-samm/working-sessions/samm-outreach-wu/", "content_plain" : "Finalise the discussions of how we want to organise and prepare outreach for the SAMM project, including the channels that we\u0026rsquo;re using to update the community, how to organise the upcoming release, what to do with the website and so forth.\nSession Requirements: being familiar with the OWASP SAMM project.\n", "summary" : "Finalise the discussions of how we want to organise and prepare outreach for the SAMM project, including the channels that we\u0026rsquo;re using to update the community, how to organise the upcoming release, what to do with the website and so forth.\nSession Requirements: being familiar with the OWASP SAMM project.", "title" : "SAMM - Outreach wrap-up", "track" : "OWASP SAMM", "type" : "working-session", 
"word_count" : 50, "params" : {"categories":null,"description":"Deciding on the objectives and plans for outreach for the OWASP SAMM project","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-29T08:50:34+02:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Outreach wrap-up","track":"OWASP SAMM","type":"working-session","when_day":"Tue","when_time":"PM-3"} } , { "id" : "c6eb8fa851986ea5d3351b482ce1611d", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-editing-thu.md", "last_modified" : "2019-05-31T13:47:07+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-editing-thu/", "content_plain" : "Discussing the current state of the different SAMM documents (quickstart guide, how-to guide, \u0026hellip;) to analyse the updates that are required to the documents. Furthermore, further editing of the core model as required.\nSession Requirements: Familiarity with the OWASP SAMM v1.5 and v2 models.\n", "summary" : "Discussing the current state of the different SAMM documents (quickstart guide, how-to guide, \u0026hellip;) to analyse the updates that are required to the documents. 
Furthermore, further editing of the core model as required.\nSession Requirements: Familiarity with the OWASP SAMM v1.5 and v2 models.", "title" : "SAMM - Parallel editing (Thu AM)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 44, "params" : {"categories":null,"description":"Discussion on the different SAMM documents and content editing.","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T13:47:07+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Parallel editing (Thu AM)","track":"OWASP SAMM","type":"working-session","when_day":"Thu","when_time":"AM-1"} } , { "id" : "ea329f0d374a9e55c83c383385957160", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-editing-thu2.md", "last_modified" : "2019-05-31T16:29:35+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-editing-thu2/", "content_plain" : "Discussing the current state of the different SAMM documents (quickstart guide, how-to guide, \u0026hellip;) to analyse the updates that are required to the documents. Furthermore, further editing of the core model as required.\nSession Requirements: Familiarity with the OWASP SAMM v1.5 and v2 models.\n", "summary" : "Discussing the current state of the different SAMM documents (quickstart guide, how-to guide, \u0026hellip;) to analyse the updates that are required to the documents. 
Furthermore, further editing of the core model as required.\nSession Requirements: Familiarity with the OWASP SAMM v1.5 and v2 models.", "title" : "SAMM - Parallel editing (Thu PM)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 44, "params" : {"categories":null,"description":"Discussion on the different SAMM documents and content editing.","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T16:29:35+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Parallel editing (Thu PM)","track":"OWASP SAMM","type":"working-session","when_day":"Thu","when_time":"PM-1"} } , { "id" : "3f7148ee90099f354232851799c675ef", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-editing-tu.md", "last_modified" : "2019-05-31T13:47:07+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-editing-tu/", "content_plain" : "We will implement changes to the current v2 model based on previous discussions. This session will be used to advance the content of the new v2 model, and focus will be on actual editing (rather than discussing).\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model\n", "summary" : "We will implement changes to the current v2 model based on previous discussions. 
This session will be used to advance the content of the new v2 model, and focus will be on actual editing (rather than discussing).\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model", "title" : "SAMM - Parallel editing (Tue)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 47, "params" : {"categories":null,"description":"Parallel editing session to improve the content of the current model","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T13:47:07+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Parallel editing (Tue)","track":"OWASP SAMM","type":"working-session","when_day":"Tue","when_time":"PM-1"} } , { "id" : "3462ad720a9c9c5334f68a7f85e861a1", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-editing-we2.md", "last_modified" : "2019-05-31T13:47:07+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-editing-we2/", "content_plain" : "We will implement changes to the current v2 model based on previous discussions. This session will be used to advance the content of the new v2 model, and focus will be on actual editing (rather than discussing).\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model\n", "summary" : "We will implement changes to the current v2 model based on previous discussions. 
This session will be used to advance the content of the new v2 model, and focus will be on actual editing (rather than discussing).\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model", "title" : "SAMM - Parallel editing (Wed PM)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 47, "params" : {"categories":null,"description":"Parallel editing session to improve the content of the current model","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T13:47:07+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Parallel editing (Wed PM)","track":"OWASP SAMM","type":"working-session","when_day":"Wed","when_time":"PM-1"} } , { "id" : "102f34383f5b78df92687ff5180fd55e", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-planning.md", "last_modified" : "2019-05-29T08:49:56+02:00", "link" : "/tracks/owasp-samm/working-sessions/samm-planning/", "content_plain" : "Based on the progress that we realised during the week, we will revise the current planning for v2 and the project roadmap for future versions.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model\n", "summary" : "Based on the progress that we realised during the week, we will revise the current planning for v2 and the project roadmap for future versions.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model", "title" : "SAMM - Planning and Roadmap", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 35, "params" : {"categories":null,"description":"Spare session to cover any other topics","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-29T08:49:56+02:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you 
?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Planning and Roadmap","track":"OWASP SAMM","type":"working-session","when_day":"Fri","when_time":"PM-2"} } , { "id" : "d1eb71498bfa21999ba8acc07a1af626", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-benchmark.md", "last_modified" : "2019-06-04T22:01:50+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-benchmark/", "content_plain" : "One of the key success factors for SAMM is the availability of comparative data for the organisations adopting it. One of the challenges is to have a sufficiently open data set that at the same time guarantees anonymity and sufficient quality of data. A potential solution to these challenges was designed in the past. In this session, we want to discuss how to move this forward.\nSession Requirements: Familiarity with the OWASP SAMM v1.5 and v2 models.\n", "summary" : "One of the key success factors for SAMM is the availability of comparative data for the organisations adopting it. One of the challenges is to have a sufficiently open data set that at the same time guarantees anonymity and sufficient quality of data. A potential solution to these challenges was designed in the past. 
In this session, we want to discuss how to move this forward.\nSession Requirements: Familiarity with the OWASP SAMM v1.", "title" : "SAMM - SAMM benchmarking and tooling", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 78, "params" : {"categories":null,"description":"Discussion on data collection and bench marking","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-04T22:01:50+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win","Bruce Jenkins (?)"],"participants":["Yan Kravchenko"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - SAMM benchmarking and tooling","track":"OWASP SAMM","type":"working-session","when_day":"Thu","when_time":"PM-3"} } , { "id" : "925ee93b7b3582b4b7d6caa761dfad77", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-editing-we.md", "last_modified" : "2019-05-31T13:47:07+01:00", "link" : "/tracks/owasp-samm/working-sessions/samm-editing-we/", "content_plain" : "Discussing the current state of the different SAMM documents (quickstart guide, how-to guide, \u0026hellip;) to analyse the updates that are required to the documents. Furthermore, further editing of the core model as required.\nSession Requirements: Familiarity with the OWASP SAMM v1.5 and v2 models.\n", "summary" : "Discussing the current state of the different SAMM documents (quickstart guide, how-to guide, \u0026hellip;) to analyse the updates that are required to the documents. 
Furthermore, further editing of the core model as required.\nSession Requirements: Familiarity with the OWASP SAMM v1.5 and v2 models.", "title" : "SAMM - SAMM documents and parallel editing (Wed AM)", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 44, "params" : {"categories":null,"description":"Discussion on the different SAMM documents and content editing.","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-05-31T13:47:07+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - SAMM documents and parallel editing (Wed AM)","track":"OWASP SAMM","type":"working-session","when_day":"Wed","when_time":"AM-1"} } , { "id" : "80ac82bfab3a5c6837b34987ce7ac7a9", "file_path" : "tracks/OWASP-SAMM/working-sessions/SAMM-tooling.md", "last_modified" : "2019-05-29T09:06:45+02:00", "link" : "/tracks/owasp-samm/working-sessions/samm-tooling/", "content_plain" : "We will discuss the tools that we want to provide (as a minimum) to the community. The SAMM toolbox, as the most important one, will be reviewed and updated where necessary.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model\n", "summary" : "We will discuss the tools that we want to provide (as a minimum) to the community. 
The SAMM toolbox, as the most important one, will be reviewed and updated where necessary.\nSession Requirements: Familiarity with the SAMM v1.5 and v2 model", "title" : "SAMM - Tooling", "track" : "OWASP SAMM", "type" : "working-session", "word_count" : 41, "params" : {"categories":null,"description":"Discussion on the tools that we're making available for SAMM","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-29T09:06:45+02:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["you ?"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM - Tooling","track":"OWASP SAMM","type":"working-session","when_day":"Fri","when_time":"AM-1"} } , { "id" : "afa6a57fccf06f67d6c0959867df18e0", "file_path" : "tracks/OWASP-SAMM/user-sessions/SAMM-introduction.md", "last_modified" : "2019-06-02T09:48:37+01:00", "link" : "/tracks/owasp-samm/user-sessions/samm-introduction/", "content_plain" : "A general introduction on the OWASP SAMM project. We will discuss the history of the project, give an overview of the current model and discuss some of the challenges leading to the new SAMM v2 model. If you\u0026rsquo;re not familiar with the SAMM project and want to join other SAMM sessions this week, then this session is for you !\nSession Requirements: None.\n", "summary" : "A general introduction on the OWASP SAMM project. We will discuss the history of the project, give an overview of the current model and discuss some of the challenges leading to the new SAMM v2 model. 
If you\u0026rsquo;re not familiar with the SAMM project and want to join other SAMM sessions this week, then this session is for you !\nSession Requirements: None.", "title" : "SAMM user session - Introduction", "track" : "OWASP SAMM", "type" : "user-session", "word_count" : 63, "params" : {"categories":null,"description":"one of the 2 user sessions on the SAMM project","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-02T09:48:37+01:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":[""],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM user session - Introduction","track":"OWASP SAMM","type":"user-session","when_day":"Mon","when_time":"PM-1"} } , { "id" : "eb257529bea922075a16eb9b1f427d4d", "file_path" : "tracks/OWASP-SAMM/user-sessions/SAMM-Roundtable.md", "last_modified" : "2019-05-29T22:36:34-05:00", "link" : "/tracks/owasp-samm/user-sessions/samm-roundtable/", "content_plain" : "A general discussion for users of the OWASP SAMM project. This session is meant to share experiences among users.\nSession Requirements: None.\n", "summary" : "A general discussion for users of the OWASP SAMM project. 
This session is meant to share experiences among users.\nSession Requirements: None.", "title" : "SAMM user session - Round-table", "track" : "OWASP SAMM", "type" : "user-session", "word_count" : 22, "params" : {"categories":null,"description":"one of the 2 user sessions on the SAMM project","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-29T22:36:34-05:00","locked":true,"organizers":["Sebastien Deleersnyder","Bart De Win"],"participants":["Yan Kravchenko"],"room_id":"room-1","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMM user session - Round-table","track":"OWASP SAMM","type":"user-session","when_day":"Mon","when_time":"PM-2"} } , { "id" : "5a2ef5e5e458f0c3b40b4c581abd5def", "file_path" : "tracks/Training/_index.md", "last_modified" : "2019-06-02T22:17:15+01:00", "link" : "/tracks/training/", "content_plain" : "", "summary" : "", "title" : "Onboarding and Training", "track" : null, "type" : "track", "word_count" : 0, "params" : {"description":"Onboarding and Training sessions","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-02T22:17:15+01:00","organizers":null,"title":"Onboarding and Training","type":"track","when_day":"Mon"} } , { "id" : "06b901803fd8c62a5c3633ea57527242", "file_path" : "tracks/Training/training/training-jupyter-1st.md", "last_modified" : "2019-06-03T08:46:59+01:00", "link" : "/tracks/training/training/training-jupyter-1st/", "content_plain" : "", "summary" : "", "title" : "Jupyter Training (#1)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"Training Jupyter (1st session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T08:46:59+01:00","organizers":["Dinis Cruz"],"participants":null,"room_id":"room-1","title":"Jupyter Training (#1)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-1"} } , { 
"id" : "bb414f0f5ea81219029219e3c7d74bd2", "file_path" : "tracks/Training/training/training-jupyter-2nd.md", "last_modified" : "2019-06-03T08:47:18+01:00", "link" : "/tracks/training/training/training-jupyter-2nd/", "content_plain" : "", "summary" : "", "title" : "Jupyter Training (#2)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"Training Jupyter (2nd session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T08:47:18+01:00","organizers":["Dinis Cruz"],"participants":null,"room_id":"room-1","title":"Jupyter Training (#2)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-3"} } , { "id" : "fa7a8eae2378b53846941f3fe7a47816", "file_path" : "tracks/Training/training/training-jupyter-3rd.md", "last_modified" : "2019-06-03T08:47:32+01:00", "link" : "/tracks/training/training/training-jupyter-3rd/", "content_plain" : "", "summary" : "", "title" : "Jupyter Training (#3)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"Training Jupyter (3rd session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T08:47:32+01:00","organizers":["Dinis Cruz"],"participants":null,"room_id":"room-1","title":"Jupyter Training (#3)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-5"} } , { "id" : "bff71aaaaec50f8989dfbf26c9373dc5", "file_path" : "tracks/Training/training/training-samm-1st.md", "last_modified" : "2019-06-03T03:25:02+01:00", "link" : "/tracks/training/training/training-samm-1st/", "content_plain" : "", "summary" : "", "title" : "OWASP SAMM Training (#1)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"Training OWASP SAMM (1st session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T03:25:02+01:00","organizers":["Sebastien 
Deleersnyder"],"participants":null,"room_id":"room-3","title":"OWASP SAMM Training (#1)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-2"} } , { "id" : "d461dea7f98a2b43011c0e06b2dbc852", "file_path" : "tracks/Training/training/training-samm-2nd.md", "last_modified" : "2019-06-03T03:25:02+01:00", "link" : "/tracks/training/training/training-samm-2nd/", "content_plain" : "", "summary" : "", "title" : "OWASP SAMM Training (#2)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"Training OWASP SAMM (2nd session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T03:25:02+01:00","organizers":["Sebastien Deleersnyder"],"participants":null,"room_id":"room-3","title":"OWASP SAMM Training (#2)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-4"} } , { "id" : "a35d640ad02dfeca4eab87cb57b8c6b7", "file_path" : "tracks/Training/training/training-samm-3rd.md", "last_modified" : "2019-06-03T03:25:02+01:00", "link" : "/tracks/training/training/training-samm-3rd/", "content_plain" : "", "summary" : "", "title" : "OWASP SAMM Training (#3)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"Training OWASP SAMM (3rd session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T03:25:02+01:00","organizers":["Sebastien Deleersnyder"],"participants":null,"room_id":"room-3","title":"OWASP SAMM Training (#3)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-6"} } , { "id" : "7defc9cb02f27780620f6bec64a4b04a", "file_path" : "tracks/Training/onboarding/oss-oboarding-schedule-outcomes-1st.md", "last_modified" : "2019-06-03T08:45:21+01:00", "link" : "/tracks/training/onboarding/oss-oboarding-schedule-outcomes-1st/", "content_plain" : "", "summary" : "", "title" : "Schedule \u0026 Outcomes (#1)", "track" : "Onboarding and 
Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"OSS Onboarding - Schedule Outcomes (1st session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T08:45:21+01:00","organizers":["Felipe Zipitria"],"participants":null,"room_id":"room-5","title":"Schedule \u0026 Outcomes (#1)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-2"} } , { "id" : "0bd03807fa387645bad3bb859e036175", "file_path" : "tracks/Training/onboarding/oss-oboarding-schedule-outcomes-2nd.md", "last_modified" : "2019-06-03T08:45:35+01:00", "link" : "/tracks/training/onboarding/oss-oboarding-schedule-outcomes-2nd/", "content_plain" : "", "summary" : "", "title" : "Schedule \u0026 Outcomes (#2)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"OSS Onboarding - Schedule Outcomes (2nd session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T08:45:35+01:00","organizers":["Felipe Zipitria"],"participants":null,"room_id":"room-5","title":"Schedule \u0026 Outcomes (#2)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-4"} } , { "id" : "ad23cddb538efa173427b6d889987c55", "file_path" : "tracks/Training/onboarding/oss-oboarding-schedule-outcomes-3rd.md", "last_modified" : "2019-06-03T08:46:10+01:00", "link" : "/tracks/training/onboarding/oss-oboarding-schedule-outcomes-3rd/", "content_plain" : "", "summary" : "", "title" : "Schedule \u0026 Outcomes (#3)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"OSS Onboarding - Schedule Outcomes (3rd session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T08:46:10+01:00","organizers":["Felipe Zipitria"],"participants":null,"room_id":"room-5","title":"Schedule \u0026 Outcomes (#3)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-6"} } , { "id" : 
"e86557c56ac18c4920cced559911734c", "file_path" : "tracks/Training/training/training-tm-1st.md", "last_modified" : "2019-06-03T03:25:02+01:00", "link" : "/tracks/training/training/training-tm-1st/", "content_plain" : "", "summary" : "", "title" : "Threat Modeling Training (#1)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"Training Threat Modeling (1st session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T03:25:02+01:00","organizers":["Steven Wierckx"],"participants":null,"room_id":"room-3","title":"Threat Modeling Training (#1)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-1"} } , { "id" : "299df2039ad586d622cd827f7498275e", "file_path" : "tracks/Training/training/training-tm-2nd.md", "last_modified" : "2019-06-03T03:25:02+01:00", "link" : "/tracks/training/training/training-tm-2nd/", "content_plain" : "", "summary" : "", "title" : "Threat Modeling Training (#2)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"Training Threat Modeling (2nd session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T03:25:02+01:00","organizers":["Steven Wierckx"],"participants":null,"room_id":"room-3","title":"Threat Modeling Training (#2)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-3"} } , { "id" : "5096821500be487dbc996f0d46d0f2e6", "file_path" : "tracks/Training/training/training-tm-3rd.md", "last_modified" : "2019-06-03T03:25:02+01:00", "link" : "/tracks/training/training/training-tm-3rd/", "content_plain" : "", "summary" : "", "title" : "Threat Modeling Training (#3)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"Training Threat Modeling (3rd session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T03:25:02+01:00","organizers":["Steven 
Wierckx"],"participants":null,"room_id":"room-3","title":"Threat Modeling Training (#3)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-5"} } , { "id" : "0e92a8b0821926dc7c793465383c8ca6", "file_path" : "tracks/Training/training/training-tm-thu.md", "last_modified" : "2019-06-06T06:36:43+01:00", "link" : "/tracks/training/training/training-tm-thu/", "content_plain" : "", "summary" : "", "title" : "Threat Modeling Training (Thu)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"Training Threat Modeling (1st session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-06T06:36:43+01:00","organizers":["Steven Wierckx"],"participants":null,"room_id":"room-3","title":"Threat Modeling Training (Thu)","track":"Onboarding and Training","type":"working-session","when_day":"Thu","when_time":"ST-2"} } , { "id" : "8422db87b9287ff9b1e1611b7eeaa858", "file_path" : "tracks/Training/training/training-wardley-maps-1st.md", "last_modified" : "2019-06-03T08:48:23+01:00", "link" : "/tracks/training/training/training-wardley-maps-1st/", "content_plain" : " This will be a practical introduction to Wardley Mapping, taking participants through creating their own basic Wardley Maps, from User Needs, to creating Value-chains and applying Evolution to those Value-chains.\nWHY Using Wardley Mapping to gain understanding and situational awareness of the \u0026ldquo;landscape\u0026rdquo; prior to looking at the effect of climatic patterns.\nWhat https://cdn-images-1.medium.com/max/800/1*aBw7WVHYdishIeMqUMlHBA.jpeg\nOutcomes The participants will understand how to create a Wardley Map of a basic function. The participants, working in groups, will have mapped a basic security function. 
Who The target audience for this Working Session is - CISO’s - Security professionals - DevSecOps - Security champions - Anyone interested in Wardley Mapping!\nReferences [Situation Normal, Everything Must Change - Simon Wardley Keynote] - (https://youtu.be/Ty6pOVEc3bA) Wardley Mapping - Chapter 1 - On Being Lost Wardley Mapping - Chapter 2 - Finding a Path ", "summary" : "This will be an practical introducton to Wardley Mapping, taking participants through creating their own basic Wardley Maps, from User Needs, to creating Value-chains and applying Evolution to those Value-chains.\nWHY Using Wardley Mapping to gain understanding and situational awareness of the \u0026ldquo;landscape\u0026rdquo; prior to looking at the effect of climatic patterns.\nWhat https://cdn-images-1.medium.com/max/800/1*aBw7WVHYdishIeMqUMlHBA.jpeg\nOutcomes The participants will understand how to create a Wardley Map of a basic function.", "title" : "Wardley Maps Training (#1)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 135, "params" : {"description":"New to Wardley maps? 
This session is for you","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T08:48:23+01:00","organizers":["Dinis Cruz","Tony Richards"],"participants":null,"room_id":"room-1","title":"Wardley Maps Training (#1)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-2"} } , { "id" : "334867bc8878334c7e6289685153d835", "file_path" : "tracks/Training/training/training-wardley-maps-2nd.md", "last_modified" : "2019-06-03T08:48:39+01:00", "link" : "/tracks/training/training/training-wardley-maps-2nd/", "content_plain" : " This will be a practical introduction to Wardley Mapping, taking participants through creating their own basic Wardley Maps, from User Needs, to creating Value-chains and applying Evolution to those Value-chains.\nWHY Using Wardley Mapping to gain understanding and situational awareness of the \u0026ldquo;landscape\u0026rdquo; prior to looking at the effect of climatic patterns.\nWhat https://cdn-images-1.medium.com/max/800/1*aBw7WVHYdishIeMqUMlHBA.jpeg\nOutcomes The participants will understand how to create a Wardley Map of a basic function. The participants, in groups, will have mapped a basic security function. 
Who The target audience for this Working Session is - CISOs - Security professionals - DevSecOps - Security champions - Anyone interested in Wardley Mapping!\nReferences Situation Normal, Everything Must Change - Simon Wardley Keynote (https://youtu.be/Ty6pOVEc3bA)\nWardley Mapping - Chapter 1 - On Being Lost\nWardley Mapping - Chapter 2 - Finding a Path ", "summary" : "This will be a practical introduction to Wardley Mapping, taking participants through creating their own basic Wardley Maps, from User Needs, to creating Value-chains and applying Evolution to those Value-chains.\nWHY Using Wardley Mapping to gain understanding and situational awareness of the \u0026ldquo;landscape\u0026rdquo; prior to looking at the effect of climatic patterns.\nWhat https://cdn-images-1.medium.com/max/800/1*aBw7WVHYdishIeMqUMlHBA.jpeg\nOutcomes The participants will understand how to create a Wardley Map of a basic function.", "title" : "Wardley Maps Training (#2)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 135, "params" : {"description":"New to Wardley maps? 
This session is for you","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T08:48:39+01:00","organizers":["Dinis Cruz","Tony Richards"],"participants":null,"room_id":"room-1","title":"Wardley Maps Training (#2)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-4"} } , { "id" : "4ba32113c484e2de5d32a2fa527eaf4b", "file_path" : "tracks/Training/training/training-wardley-maps-3rd.md", "last_modified" : "2019-06-03T08:48:57+01:00", "link" : "/tracks/training/training/training-wardley-maps-3rd/", "content_plain" : " This will be a practical introduction to Wardley Mapping, taking participants through creating their own basic Wardley Maps, from User Needs, to creating Value-chains and applying Evolution to those Value-chains.\nWHY Using Wardley Mapping to gain understanding and situational awareness of the \u0026ldquo;landscape\u0026rdquo; prior to looking at the effect of climatic patterns.\nWhat https://cdn-images-1.medium.com/max/800/1*aBw7WVHYdishIeMqUMlHBA.jpeg\nOutcomes The participants will understand how to create a Wardley Map of a basic function. The participants, in groups, will have mapped a basic security function. 
Who The target audience for this Working Session is - CISOs - Security professionals - DevSecOps - Security champions - Anyone interested in Wardley Mapping!\nReferences Situation Normal, Everything Must Change - Simon Wardley Keynote (https://youtu.be/Ty6pOVEc3bA)\nWardley Mapping - Chapter 1 - On Being Lost\nWardley Mapping - Chapter 2 - Finding a Path ", "summary" : "This will be a practical introduction to Wardley Mapping, taking participants through creating their own basic Wardley Maps, from User Needs, to creating Value-chains and applying Evolution to those Value-chains.\nWHY Using Wardley Mapping to gain understanding and situational awareness of the \u0026ldquo;landscape\u0026rdquo; prior to looking at the effect of climatic patterns.\nWhat https://cdn-images-1.medium.com/max/800/1*aBw7WVHYdishIeMqUMlHBA.jpeg\nOutcomes The participants will understand how to create a Wardley Map of a basic function.", "title" : "Wardley Maps Training (#3)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 135, "params" : {"description":"New to Wardley maps? 
This session is for you","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T08:48:57+01:00","organizers":["Dinis Cruz","Tony Richards"],"participants":null,"room_id":"room-1","title":"Wardley Maps Training (#3)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-6"} } , { "id" : "f4862d60bc4c0138faed400f776a5d2c", "file_path" : "tracks/Training/onboarding/oss-oboarding-welcome-content-1st.md", "last_modified" : "2019-06-03T08:44:34+01:00", "link" : "/tracks/training/onboarding/oss-oboarding-welcome-content-1st/", "content_plain" : "", "summary" : "", "title" : "Welcome \u0026 Content (#1)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"OSS Onboarding - Welcome and Content (1st session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T08:44:34+01:00","organizers":["Sebastien Deleersnyder"],"participants":null,"room_id":"room-5","title":"Welcome \u0026 Content (#1)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-1"} } , { "id" : "a8c9d0d3a84f421566607673a522f38a", "file_path" : "tracks/Training/onboarding/oss-oboarding-welcome-content-2nd.md", "last_modified" : "2019-06-03T08:44:48+01:00", "link" : "/tracks/training/onboarding/oss-oboarding-welcome-content-2nd/", "content_plain" : "", "summary" : "", "title" : "Welcome \u0026 Content (#2)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"OSS Onboarding - Welcome and Content (2nd session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T08:44:48+01:00","organizers":["Sebastien Deleersnyder"],"participants":null,"room_id":"room-5","title":"Welcome \u0026 Content (#2)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-3"} } , { "id" : "7b1e67dcda0bcf0eab5d690eba3fb5bb", "file_path" : 
"tracks/Training/onboarding/oss-oboarding-welcome-content-3rd.md", "last_modified" : "2019-06-03T21:43:09+01:00", "link" : "/tracks/training/onboarding/oss-oboarding-welcome-content-3rd/", "content_plain" : "", "summary" : "", "title" : "Welcome \u0026 Content (#3)", "track" : "Onboarding and Training", "type" : "working-session", "word_count" : 0, "params" : {"description":"OSS Onboarding - Welcome and Content (3rd session)","draft":false,"iscjklanguage":false,"lastmod":"2019-06-03T21:43:09+01:00","organizers":["Sebastien Deleersnyder"],"participants":null,"room_id":"room-5","title":"Welcome \u0026 Content (#3)","track":"Onboarding and Training","type":"working-session","when_day":"Mon","when_time":"TS-5"} } , { "id" : "bc099d8b73627d07f15c514b78bd4bd2", "file_path" : "tracks/Threat-modelling/_index.md", "last_modified" : "2019-05-31T16:29:35+01:00", "link" : "/tracks/threat-modelling/", "content_plain" : "This track is focused on Threat Modeling\n", "summary" : "This track is focused on Threat Modeling", "title" : "Threat Model", "track" : null, "type" : "track", "word_count" : 7, "params" : {"description":"Sessions focusing on Threat Modeling","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-31T16:29:35+01:00","organizers":null,"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAUNNK1S4","title":"Threat Model","type":"track","when_day":"Wed,Thu"} } , { "id" : "15890c36806b595d1b15c3540374cfab", "file_path" : "tracks/Threat-modelling/working-sessions/TM-Automated-theat-patterns.md", "last_modified" : "2019-06-05T17:20:29+01:00", "link" : "/tracks/threat-modelling/working-sessions/tm-automated-theat-patterns/", "content_plain" : " This session will be referencing the work done by Tin Zaw as part of the Automated Threat Hunting OWASP project. Info: https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications\nNotes Tin gives an overview on the project. 
The project has been running for 5 years.\nOutcomes\nClose collaboration between the projects: any change on either end triggers an (automated) notification to the other party\nKeep track of the data origin to notify the party of changes\nFuture\nCommunicate the data schema to the other parties we retrieve data from\nFigure out a way to have some kind of integration with other projects ", "summary" : " This session will be referencing the work done by Tin Zaw as part of the Automated Threat Hunting OWASP project. Info: https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications\nNotes Tin gives an overview on the project. The project has been running for 5 years.\nOutcomes\nClose collaboration between the projects: any change on either end triggers an (automated) notification to the other party\nKeep track of the data origin to notify the party of changes\nFuture\nCommunicate the data schema to the other parties we retrieve data from\nFigure out a way to have some kind of integration with other projects ", "title" : "Automated Threat Hunting Project Collaboration", "track" : "Threat Model", "type" : "outcome", "word_count" : 98, "params" : {"categories":null,"description":"Discuss the OWASP Automated Threat Hunting Project and potential cross-over / collaboration options.","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-05T17:20:29+01:00","locked":false,"organizers":["Steven Wierckx","Tash Norris"],"participants":["you ?"],"room_id":"room-3","room_layout":null,"session_slack":null,"status":"done","technology":null,"title":"Automated Threat Hunting Project Collaboration","track":"Threat Model","type":"outcome","when_day":"Wed","when_time":"PM-1"} } , { "id" : "fefcb9cae4753de9841797dc0f8daada", "file_path" : "tracks/Threat-modelling/working-sessions/TM-graph.md", "last_modified" : "2019-06-02T21:49:26-07:00", "link" : "/tracks/threat-modelling/working-sessions/tm-graph/", "content_plain" : " Why \u0026amp; What We 
want to create a model of a threat model. It needs to be generic so it fits all threat modeling methodologies. Later we can try to use this model to create graph based websites detailing the different techniques and methodologies as well as linking the examples we will have to these different elements of a threat model.\nOutcomes A diagram describing the elements of a threat model.\n", "summary" : "Why \u0026amp; What We want to create a model of a threat model. It needs to be generic so it fits all threat modeling methodologies. Later we can try to use this model to create graph based websites detailing the different techniques and methodologies as well as linking the examples we will have to these different elements of a threat model.\nOutcomes A diagram describing the elements of a threat model.", "title" : "Creating a generic diagram of a threat model", "track" : "Threat Model", "type" : "working-session", "word_count" : 71, "params" : {"categories":"graph","description":"Creating a generic diagram of a threat model","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-02T21:49:26-07:00","locked":true,"organizers":["Steven Wierckx"],"participants":null,"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"review-content","technology":null,"title":"Creating a generic diagram of a threat model","topics":null,"track":"Threat Model","type":"working-session","when_day":"Tue","when_time":"PM-1"} } , { "id" : "919393add1865824db6476df06991d33", "file_path" : "tracks/Threat-modelling/working-sessions/TM-FAQ.md", "last_modified" : "2019-06-03T22:21:35+01:00", "link" : "/tracks/threat-modelling/working-sessions/tm-faq/", "content_plain" : " Why We all love the threat model slack channel. There is a lot of useful information being presented. We need to somehow persist that in a more searchable format, preferably on the OWASP TM wiki pages.\nWhat How are we going to persist this data? 
Who is going to reduce the backlog? Outcomes A description of how the data from Slack can be persisted in the form of a series of FAQs.\n", "summary" : "Why We all love the threat model slack channel. There is a lot of useful information being presented. We need to somehow persist that in a more searchable format, preferably on the OWASP TM wiki pages.\nWhat How are we going to persist this data? Who is going to reduce the backlog? Outcomes A description of how the data from Slack can be persisted in the form of a series of FAQs.", "title" : "How do we persist the information from the TM Slack channel?", "track" : "Threat Model", "type" : "working-session", "word_count" : 72, "params" : {"categories":null,"description":"How do we persist the information from the TM Slack channel?","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-03T22:21:35+01:00","locked":true,"organizers":["Steven Wierckx"],"participants":null,"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"review-content","technology":null,"title":"How do we persist the information from the TM Slack channel?","topics":null,"track":"Threat Model","type":"working-session","when_day":"Tue","when_time":"PM-1"} } , { "id" : "98dbfd24f3b25c735e345ad2db28d133", "file_path" : "tracks/Threat-modelling/working-sessions/TM-incremental.md", "last_modified" : "2019-06-02T10:20:54+01:00", "link" : "/tracks/threat-modelling/working-sessions/tm-incremental/", "content_plain" : " Why Creating your first threat model can be a daunting task. A good way to start is with a simple threat model and then increment until the threat model is \u0026ldquo;good enough\u0026rdquo;.\nWhat Irene Michlin will introduce a proven method for incremental threat modeling. 
We will discuss any questions and remarks that might come up from the participants.\nOutcomes This Working Session will publish a document describing a generic way to implement incremental threat modeling.\n", "summary" : "Why Creating your first threat model can be a daunting task. A good way to start is with a simple threat model and then increment until the threat model is \u0026ldquo;good enough\u0026rdquo;.\nWhat Irene Michlin will introduce a proven method for incremental threat modeling. We will discuss any questions and remarks that might come up from the participants.\nOutcomes This Working Session will publish a document describing a generic way to implement incremental threat modeling.", "title" : "Incremental Threat Modeling", "track" : "Threat Model", "type" : "working-session", "word_count" : 75, "params" : {"categories":null,"description":"How to scale Threat Modeling","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-02T10:20:54+01:00","locked":true,"organizers":["Irene Michlin","Steven Wierckx"],"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAUMZ7NQY","status":"review-content","technology":null,"title":"Incremental Threat Modeling","track":"Threat Model","type":"working-session","when_day":"Thu","when_time":"PM-1"} } , { "id" : "c3304639ffab2470df7448d66851adc0", "file_path" : "tracks/Threat-modelling/working-sessions/TM-LINDUNN.md", "last_modified" : "2019-05-29T08:35:26+02:00", "link" : "/tracks/threat-modelling/working-sessions/tm-lindunn/", "content_plain" : " Why Privacy by design is important; it is even required by EU data protection legislation. It however goes beyond the quick fixes that are typically associated with it (e.g. consent for newsletters) and requires a thorough analysis upfront of potential privacy issues in the system. 
LINDDUN privacy threat modeling can aid the analyst in this process to systematically elicit and mitigate privacy threats in software architectures.\nWhat This session will be twofold. First, we will highlight the differences between privacy and security threat modeling, introduce privacy properties and provide an overview of the LINDDUN threat modeling framework. Second, we will dive into the ongoing LINDDUN privacy threat modeling research, including the lightweight application of LINDDUN.\nOutcomes Input for a lightweight application of privacy threat modeling\n", "summary" : "Why Privacy by design is important; it is even required by EU data protection legislation. It however goes beyond the quick fixes that are typically associated with it (e.g. consent for newsletters) and requires a thorough analysis upfront of potential privacy issues in the system. LINDDUN privacy threat modeling can aid the analyst in this process to systematically elicit and mitigate privacy threats in software architectures.\nWhat This session will be twofold.", "title" : "Lightweight privacy threat modeling using LINDDUN", "track" : "Threat Model", "type" : "working-session", "word_count" : 125, "params" : {"categories":null,"description":"Lightweight privacy threat modeling using LINDDUN","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-29T08:35:26+02:00","locked":true,"organizers":["Steven Wierckx","Kim Wuyts"],"participants":null,"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"review-content","technology":null,"title":"Lightweight privacy threat modeling using LINDDUN","topics":null,"track":"Threat Model","type":"working-session","when_day":"Mon","when_time":"PM-2"} } , { "id" : "6a1f4632e30088c31faf07b87ff7972d", "file_path" : "tracks/Threat-modelling/working-sessions/TM-LINDUNN2.md", "last_modified" : "2019-06-04T13:54:43+01:00", "link" : "/tracks/threat-modelling/working-sessions/tm-lindunn2/", 
"content_plain" : " Why \u0026amp; What Feedback from the industry is needed for the researchers in academia. In the previous sessions Kim explained the research that was performed at the University of Leuven. This session is where members from the industry can comment on the work done, say how usable it seems, and give pointers to where further research could be done.\nOutcomes Remarks and comments on the usability of the research presented. Input for the University of Leuven on future topics for research, including: - Specific (as opposed to abstract) examples from the TM project group to the LINDDUN researchers (Kim) - Low expertise / lightweight methodology examples\n", "summary" : "Why \u0026amp; What Feedback from the industry is needed for the researchers in academia. In the previous sessions Kim explained the research that was performed at the University of Leuven. This session is where members from the industry can comment on the work done, say how usable it seems, and give pointers to where further research could be done.\nOutcomes Remarks and comments on the usability of the research presented. 
Input for the University of Leuven on future topics for research, including: - Specific (as opposed to abstract) examples from the TM project group to the LINDDUN researchers (Kim) - Low expertise / lightweight methodology examples", "title" : "Lightweight privacy threat modeling using LINDDUN Part II", "track" : "Threat Model", "type" : "working-session", "word_count" : 104, "params" : {"categories":null,"description":"Lightweight privacy threat modeling using LINDDUN Part II","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-04T13:54:43+01:00","locked":true,"organizers":["Steven Wierckx","Kim Wuyts"],"participants":null,"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"review-content","technology":null,"title":"Lightweight privacy threat modeling using LINDDUN Part II","topics":null,"track":"Threat Model","type":"working-session","when_day":"Mon","when_time":"PM-3"} } , { "id" : "395e0eade86885da1c0d80a90ebf60ef", "file_path" : "tracks/Threat-modelling/working-sessions/TM-SAMM.md", "last_modified" : "2019-06-02T17:03:26+01:00", "link" : "/tracks/threat-modelling/working-sessions/tm-samm/", "content_plain" : "This session will be dedicated to aligning the SAMM threat modeling practice between the two tracks\nSession Requirements: Familiarity with the SAMM v1.5 and v2 models\n", "summary" : "This session will be dedicated to aligning the SAMM threat modeling practice between the two tracks\nSession Requirements: Familiarity with the SAMM v1.5 and v2 models", "title" : "SAMMv2 - Threat Modeling", "track" : "Threat Model", "type" : "working-session", "word_count" : 26, "params" : {"categories":null,"description":"Discuss the SAMM threat modeling practice together with the SAMM team","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-02T17:03:26+01:00","locked":true,"organizers":["Steven Wierckx","Sebastien Deleersnyder"],"participants":["Bart De 
Win"],"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAWEU9CRM","status":"review-content","technology":null,"title":"SAMMv2 - Threat Modeling","track":"Threat Model","type":"working-session","when_day":"Thu","when_time":"PM-2"} } , { "id" : "a0fa0720327fcf891270409dea23bcc2", "file_path" : "tracks/Threat-modelling/working-sessions/TM-state.md", "last_modified" : "2019-06-02T11:16:52+02:00", "link" : "/tracks/threat-modelling/working-sessions/tm-state/", "content_plain" : " Why What is the current state of threat modeling? Are there any new and exciting things happening? What is needed for the future?\nOutcomes A curated note of the content discussed.\n", "summary" : "Why What is the current state of threat modeling? Are there any new and exciting things happening? What is needed for the future?\nOutcomes A curated note of the content discussed.", "title" : "State and future of threat modeling", "track" : "Threat Model", "type" : "working-session", "word_count" : 31, "params" : {"categories":null,"description":"What is the current state of TM and where do we need to go?","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-02T11:16:52+02:00","locked":true,"organizers":["Steven Wierckx"],"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"review-content","technology":null,"title":"State and future of threat modeling","topics":null,"track":"Threat Model","type":"working-session","when_day":"Wed","when_time":"AM-1"} } , { "id" : "5219169c80531a177435a8e836853b80", "file_path" : "tracks/Threat-modelling/working-sessions/TM-maturity.md", "last_modified" : "2019-06-03T09:40:30+02:00", "link" : "/tracks/threat-modelling/working-sessions/tm-maturity/", "content_plain" : " Why How do we measure the maturity of a threat model? Of the threat model process? 
Can maturity frameworks be updated with our measurements?\nWhat How do we measure the maturity of a TM? Can we find common questions to be asked to validate the maturity? Is there a way to measure the maturity of a threat model process?\nOutcomes A list of points and information to measure the maturity of a TM and a TM process.\n", "summary" : "Why How do we measure the maturity of a threat model? Of the threat model process? Can maturity frameworks be updated with our measurements?\nWhat How do we measure the maturity of a TM? Can we find common questions to be asked to validate the maturity? Is there a way to measure the maturity of a threat model process?\nOutcomes A list of points and information to measure the maturity of a TM and a TM process.", "title" : "TM maturity", "track" : "Threat Model", "type" : "working-session", "word_count" : 77, "params" : {"categories":null,"description":"How do we measure the maturity of TM","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-03T09:40:30+02:00","locked":true,"organizers":["Steven Wierckx"],"participants":null,"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"review-content","technology":null,"title":"TM maturity","topics":null,"track":"Threat Model","type":"working-session","when_day":"Tue","when_time":"PM-2"} } , { "id" : "bea51caa136ed7563192160f56795fbf", "file_path" : "tracks/Threat-modelling/working-sessions/track-intro.md", "last_modified" : "2019-06-04T13:51:21+01:00", "link" : "/tracks/threat-modelling/working-sessions/track-intro/", "content_plain" : " Why In order to get the most from this summit and the threat model track we will give a short introduction on our way of working and discuss all planned sessions. Any new and refreshing ideas can then be added to the backlog, so we can choose topics that have broad support within the community. 
This session is meant for all participants who are new to threat modeling and/or new to the summit or threat model track.\nWhat\nWelcome\nOur way of working\nPublishing data\nTrack sessions\nOutcomes\nSet objectives for the Summit\nDiscussed project structure\nDiscussed any crossover with other OWASP projects\nIdentified list of sub-modules to create in OWASP project ", "summary" : "Why In order to get the most from this summit and the threat model track we will give a short introduction on our way of working and discuss all planned sessions. Any new and refreshing ideas can then be added to the backlog, so we can choose topics that have broad support within the community. This session is meant for all participants who are new to threat modeling and/or new to the summit or threat model track.", "title" : "TM track introduction", "track" : "Threat Model", "type" : "working-session", "word_count" : 113, "params" : {"categories":"Threat modeling","description":"Introduction of the TM track and way of working for this week","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-04T13:51:21+01:00","locked":true,"organizers":["Steven Wierckx"],"participants":null,"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"review-content","technology":null,"title":"TM track introduction","topics":null,"track":"Threat Model","type":"working-session","when_day":"Mon","when_time":"PM-1"} } , { "id" : "24a7cb8afb7050fa34411ac52f7d9c6b", "file_path" : "tracks/Threat-modelling/working-sessions/TM-examples.md", "last_modified" : "2019-06-03T11:01:03-07:00", "link" : "/tracks/threat-modelling/working-sessions/tm-examples/", "content_plain" : " WHY This working session will kick-start the OWASP Project!\nWhat We created that repository last year: https://github.com/OWASP/threat-model-cookbook.\nThis year another project code named \u0026ldquo;Threat Model Examples\u0026rdquo; was in the works, and now it will merge into 
the Cookbooks since it\u0026rsquo;s pretty much the same project idea.\nOutcomes\nExplanation of the way of working\nLeadership of the project defined\nNaming of the project decided (cookbooks or cookbook?)\nRestructuring of the repository (access rights, folders and files)\nTwitter access shared via TweetDeck\nRegistration of the project started ", "summary" : " WHY This working session will kick-start the OWASP Project!\nWhat We created that repository last year: https://github.com/OWASP/threat-model-cookbook.\nThis year another project code named \u0026ldquo;Threat Model Examples\u0026rdquo; was in the works, and now it will merge into the Cookbooks since it\u0026rsquo;s pretty much the same project idea.\nOutcomes\nExplanation of the way of working\nLeadership of the project defined\nNaming of the project decided (cookbooks or cookbook?)\nRestructuring of the repository (access rights, folders and files)\nTwitter access shared via TweetDeck\nRegistration of the project started ", "title" : "Threat Model Cookbook Project (Part 1)", "track" : "Threat Model", "type" : "working-session", "word_count" : 86, "params" : {"description":"Kick off of the OWASP Threat Model Cookbook Project","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-03T11:01:03-07:00","organizers":["Jonathan Marcil","Tash Norris"],"participants":["Steven Wierckx","Yan Kravchenko","Yasmin Martin","Zuhal Vargun"],"room_id":"room-3","room_layout":null,"session_slack":null,"status":"done","technology":"pytm,plantuml","title":"Threat Model Cookbook Project (Part 1)","topics":null,"track":"Threat Model","type":"working-session","when_day":"Tue","when_time":"PM-3"} } , { "id" : "7ee4c5bd595b10202da28a804dd87bcc", "file_path" : "tracks/Threat-modelling/working-sessions/TM-examples2.md", "last_modified" : "2019-06-05T00:10:04-07:00", "link" : "/tracks/threat-modelling/working-sessions/tm-examples2/", "content_plain" : " WHY This working session will collect threat models to add to our project.\nWhat 
We will look at existing examples and jam some threat models on the spot!\nDetails about content formats and some examples are already available on https://linktr.ee/threatmodel.\nOutcomes Have some threat models to add to the repository.\nThe official repository is not ready yet, but work will be on https://github.com/jmarcil/threat-model-cookbook at some point this week.\n", "summary" : "WHY This working session will collect threat models to add to our project.\nWhat We will look at existing examples and jam some threat models on the spot!\nDetails about content formats and some examples are already available on https://linktr.ee/threatmodel.\nOutcomes Have some threat models to add to the repository.\nThe official repository is not ready yet, but work will be on https://github.com/jmarcil/threat-model-cookbook at some point this week.", "title" : "Threat Model Cookbook Project (Part 2)", "track" : "Threat Model", "type" : "working-session", "word_count" : 68, "params" : {"description":"Let's add some threat models to the project!","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-05T00:10:04-07:00","organizers":["Jonathan Marcil","Tash Norris"],"participants":["Steven Wierckx","Yasmin Martin","Zuhal Vargun"],"room_id":"room-3","room_layout":null,"session_slack":null,"status":"done","technology":"pytm,plantuml","title":"Threat Model Cookbook Project (Part 2)","topics":null,"track":"Threat Model","type":"working-session","when_day":"Wed","when_time":"PM-3"} } , { "id" : "d740fc453e751f4759303ad28c6616c2", "file_path" : "tracks/Threat-modelling/working-sessions/TM-attack-pattern.md", "last_modified" : "2019-06-05T17:36:23+02:00", "link" : "/tracks/threat-modelling/working-sessions/tm-attack-pattern/", "content_plain" : "This session will be the start of a sub-project for threat modeling that will be lead by Steven and Steven that will create a database of attacks and mitigations that will be categorised in some kind of 
pattern.\nOutcomes\nThis is the data format in which we are going to record the data:\nThreat file\n1 ID (generated)\n2 Description: As an attacker I want to <cause an impact> By <how does an attacker do this?> Or by <how does an attacker do this?> (optional, multiple)\n3 References: List\n4 See also: Mapping, List of …, List of …\n5 Tags: List (limited list of tags)\n6 Origin: Project & Project ID\nMitigation file\n1 ID (generated)\n2 Description: As a defender I want to prevent <threat?> By <how does a defender do this?> Or by <how does a defender do this?> (optional, multiple; covers the mapping of threats)\n3 References: List\n4 See also: Mapping, List of …, List of …\n5 Tags: List (limited list of tags)\n6 Origin: Project & Project ID\nMappings\nThreat -> mitigation (residual risk)\nMitigation -> threat (recorded in the mitigation file under Description)\nThreat -> threat\nMitigation -> mitigation\nMitigation -> threat (a mitigation can cause a new threat to appear) -> causes chains of mitigations to be implemented\nThreat -> external reference (CAPEC, CVE, CWE)\nMitigation -> external reference? 
\nThreat -> examples\nMitigation -> examples\nThreat -> symptoms\nThreat -> threat -> kill chain\nAction points: check pytm to use a better/more efficient format\nAdditional references that might prove interesting: https://www.owasp.org/index.php/OWASP_Proactive_Controls\nTechnical mitigation: https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project\nhttps://cwe.mitre.org/top25/mitigations.html\n", "summary" : "This session will be the start of a sub-project for threat modeling, led by Steven Wierckx and Steven van der Baan, which will create a database of attacks and mitigations that will be categorised in some kind of pattern.\nOutcomes\nThis is the data format in which we are going to record the data:\nThreat file 1 ID (generated)\n2 Description As an attacker I want to … By … Or by … (optional multiple) As an attacker I want to .", "title" : "Threat pattern libraries", "track" : "Threat Model", "type" : "working-session", "word_count" : 295, "params" : {"categories":null,"description":"Starting the threat pattern library project","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-05T17:36:23+02:00","locked":false,"organizers":["Steven Wierckx","Steven van der Baan"],"participants":["Tash Norris"],"room_id":"room-3","room_layout":null,"session_slack":null,"status":"done","technology":null,"title":"Threat pattern libraries","track":"Threat Model","type":"working-session","when_day":"Wed","when_time":"PM-2"} } , { "id" : "14ed6bc4f0de60e847793f9cbd453907", "file_path" : "tracks/Threat-modelling/working-sessions/TM-SDL.md", "last_modified" : "2019-06-02T11:17:28+02:00", "link" : "/tracks/threat-modelling/working-sessions/tm-sdl/", "content_plain" : " Why We need a unified way to describe threat models so they can be compared, easy to understand and easy to keep up to date.\nWhat Presentation of an SDL to 
describe threat models What needs to be done? Discussion Call to action Outcomes A list of improvements for the SDL.\n", "summary" : "Why We need a unified way to describe threat models so they can be compared, easy to understand and easy to keep up to date.\nWhat Presentation of an SDL to describe threat models What needs to be done? Discussion Call to action Outcomes A list of improvements for the SDL.", "title" : "Towards a unified way of describing threat models", "track" : "Threat Model", "type" : "working-session", "word_count" : 51, "params" : {"categories":null,"description":"A presentation and discussion of a new language to describe a threat model","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-02T11:17:28+02:00","locked":true,"organizers":["Steven Wierckx"],"participants":null,"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"done","technology":null,"title":"Towards a unified way of describing threat models","topics":null,"track":"Threat Model","type":"working-session","when_day":"Thu","when_time":"AM-1"} } , { "id" : "a5053371677dcb5861faccf75cfda3b7", "file_path" : "tracks/Threat-modelling/working-sessions/TM-closure.md", "last_modified" : "2019-06-02T17:03:15+01:00", "link" : "/tracks/threat-modelling/working-sessions/tm-closure/", "content_plain" : " What Just a wrap-up of what we achieved this week, a call for volunteers to finish items, etc.\n", "summary" : "What Just a wrap-up of what we achieved this week, a call for volunteers to finish items, etc.", "title" : "Track closure", "track" : "Threat Model", "type" : "working-session", "word_count" : 19, "params" : {"categories":null,"description":"Track closure","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-02T17:03:15+01:00","locked":true,"organizers":["Steven 
Wierckx"],"participants":null,"room_id":"room-3","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVPAADAA","status":"done","technology":null,"title":"Track closure","topics":null,"track":"Threat Model","type":"working-session","when_day":"Thu","when_time":"PM-3"} } , { "id" : "3bacd17cc74e44ac76f1dd7c69306a55", "file_path" : "tracks/Wardley-Maps/_index.md", "last_modified" : "2019-05-30T22:30:46+01:00", "link" : "/tracks/wardley-maps/", "content_plain" : " Sessions focusing on the use of Wardley Maps in Security.\nFollowing his participation in the 2018 Summit, Simon Wardley will be back :)\nWardley maps videos from 2018 Summit Wardley maps - part 1 of 2 Wardley maps - part 2 of 2 Presentations from 2018 Summit 2018 Outcomes: Create Wardley Maps for multiple security scenarios How different groups mapped “Making Tea” and “AWS Attack” scenarios\nSee outcomes here\n Wardley Maps: Cell Based structures for Security Crossing the river by feeling the stones Wardley Maps: practical session - 2 hour Wardley Mapping Resources Atlas 2 - https://atlas2.wardleymaps.com/ You can log in with a Google account or create one, and start mapping right away. 
It’s not feature rich, but a great and quick way to start\nCreating Context-specific maturity models with Wardley Maps informed by Cynefin - https://medium.com/@chrisvmcd/mapping-maturity-create-context-specific-maturity-models-with-wardley-maps-informed-by-cynefin-37ffcd1d315 Lays out a process using “Building the right thing”, “Building the thing right” and “Building the thing fast enough”, and analyses options for investment using Cynefin to make sense of the available options\nWardley Mapping template for Google Slides - https://docs.google.com/presentation/d/11_7D5KAgEUY3FxKg0K2whpwnC4jZOrS_TO2bpD5PV5A/edit#slide=id.g2482372f53_0_0 Great set of maps, with the summary of Doctrine and icons you can use to build your own slides from Google Slides. You can create your own copy and use it freely\nCollection of maps - https://www.pinterest.co.uk/adrianrgcampbel/wardley-maps/ A collection of maps done for different purposes and industries that you can use as inspiration or as a template to develop your own.\nPlotting a path to a greener web - https://www.thegreenwebfoundation.org/news/plotting-a-path-to-a-greener-web-with-wardley-mapping/ A brilliant mapping exercise by the Green Web Foundation, which is also a great template for mapping a CI/CD environment, from its public-facing services to the systems required to build and run it.\nLearnWardleyMapping.com - https://learnwardleymapping.com/#introduction Brilliant summary of Wardley mapping and its different stages, in an easy-to-use UI. 
Probably one of the best resources to start the journey.\nEvolving a business process with Wardley mapping - http://www.abusedbits.com/2018/06/evolving-business-process-with-wardley.html Using Wardley mapping to map and improve a business process, by identifying the parts that are at initial stages of development and finding more efficient ways to address them\n", "summary" : "Sessions focusing on the use of Wardley Maps in Security.\nFollowing his participation in the 2018 Summit, Simon Wardley will be back :)\nWardley maps videos from 2018 Summit Wardley maps - part 1 of 2 Wardley maps - part 2 of 2 Presentations from 2018 Summit 2018 Outcomes: Create Wardley Maps for multiple security scenarios How different groups mapped “Making Tea” and “AWS Attack” scenarios", "title" : "Wardley Maps", "track" : null, "type" : "track", "word_count" : 346, "params" : {"description":"Sessions focusing on the use of Wardley Maps in Security","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-05-30T22:30:46+01:00","organizers":["Pending"],"owasp-project":false,"session_slack":"https://os-summit.slack.com/messages/CAULHPHU2","title":"Wardley Maps","type":"track","when_day":"Mon,Tue,Wed"} } , { "id" : "55cd830d271fcafbbad9fe651e1c3535", "file_path" : "tracks/Wardley-Maps/_template.md", "last_modified" : "2019-06-06T14:40:00+01:00", "link" : "/tracks/wardley-maps/_template/", "content_plain" : "", "summary" : "", "title" : "", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 0, "params" : {"description":"","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-06T14:40:00+01:00","organizers":null,"participants":null,"room_id":null,"room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"","topics":null,"track":"Wardley Maps","type":"working-session","when_day":null,"when_time":null} } , { "id" : "96e9b46b056feeef6420d948ecd52375", "file_path" : 
"tracks/Wardley-Maps/working-sessions/cell-based-structures-for-security.md", "last_modified" : "2019-06-05T20:50:18+01:00", "link" : "/tracks/wardley-maps/working-sessions/cell-based-structures-for-security/", "content_plain" : " With the widespread adoption of agile development and more organisations looking to organise themselves along the lines of the Spotify Model (Squads, Tribes, Chapters and Guilds), how can security functions within those organisations take advantage of Cell Based Structures to be more responsive to the business needs, while incorporating the aptitudes and attitudes of Pioneers, Settlers and Town Planners to better meet those needs?\nWHY Many of the issues that businesses suffer with, from business alignment to various forms of inertia, to one size fits all to the perils of outsourcing, are a consequence of how we organize ourselves. Most of the time we break companies down into silos grouped around type – i.e. type of activity, practice or data. Hence, we have Finance departments, IT departments and Security departments. Each of these silos consists of many activities, all at different stages of evolution. It is easy for a single department to adopt a one size fits all technique that invariably creates alignment issues with other groups. “We need Security to be more efficient” will be the chant of one group whilst another declares, “We need Security to be more innovative”. The more silos of this type, the more likely that alignment issues will occur. A more effective approach (used by the Next Generation companies) is to break the organization into cells connected by services. The cell-based approach based around grouping components in small teams resolves the problems of one-size fits all and many alignment issues. An example of this can be found with Amazon’s two-pizza model of working in which no team is bigger than can be fed by two pizzas (12 people). Such cell-based approaches are diffusing but are still infrequent in occurrence. 
A two-pizza approach takes advantage of componentization with each group not only providing components to others but also relying on components provided by others. The components continue to evolve and as they do so their characteristics change. Which leads to a question. Even if an organization is broken down into small cells, are the right people involved?\nWhat Cell Based Structures The rules of Cell Based Structures Fitness functions and co-ordination criteria Outcomes Define Security Chapters and the Aptitudes expected Define what is needed to co-ordinate Cell Based Security Organisations Define the Fitness Functions or criteria for security cells Identify the Attitudes of Security professionals across Pioneers, Settlers and Town Planners Who The target audience for this Working Session is: - CISOs - Security professionals - DevSecOps - Security champions\nReferences Squads, Chapters, Tribes and Guilds Simon Wardley – On Structure Notes on organisation - Aptitude and Attitude Pioneers, Settlers and Town Planners Designing for Constant Evolution ", "summary" : "With the widespread adoption of agile development and more organisations looking to organise themselves along the lines of the Spotify Model (Squads, Tribes, Chapters and Guilds), how can security functions within those organisations take advantage of Cell Based Structures to be more responsive to the business needs, while incorporating the aptitudes and attitudes of Pioneers, Settlers and Town Planners to better meet those needs?\nWHY Many of the issues that businesses suffer with, from business alignment to various forms of inertia, to one size fits all to the perils of outsourcing, are a consequence of how we organize ourselves.", "title" : "Cell based Structures for Security", "track" : "Wardley Maps", 
"type" : "working-session", "word_count" : 474, "params" : {"categories":["CISO"],"description":"Cell based Structures for Security - Small autonomous security teams and the use of Pioneers, Settlers and Town Planners (PST)","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-05T20:50:18+01:00","locked":true,"organizers":["Tony Richards","Simon Wardley"],"room_id":"room-2","room_layout":null,"session_slack":"https://os-summit.slack.com/messages/CAVCFHYG2","status":"done","title":"Cell based Structures for Security","topics":["Wardley Maps"],"track":"Wardley Maps","type":"working-session","when_day":"Thu","when_time":"PM-1"} } , { "id" : "a9b838aa0b249cedca31278d51887caa", "file_path" : "tracks/Wardley-Maps/training-session/hands-on-wardley-maps-creation.md", "last_modified" : "2019-06-03T00:04:23+01:00", "link" : "/tracks/wardley-maps/training-session/hands-on-wardley-maps-creation/", "content_plain" : " What Want to have a go at creating your own Wardley maps? This training session will give you hands-on experience in creating your maps for multiple scenarios, with experienced practitioners on hand to guide and help you.\nScenarios to Map - Security Testing - Security Awareness and Education - Security Operations - Security Champions - others\nOutcomes Participants will have experienced creating their own Wardley Maps.\nReferences Finding a Path - The First Map Exploring the Map ", "summary" : " What Want to have a go at creating your own Wardley maps? 
This training session will give you hands-on experience in creating your maps for multiple scenarios, with experienced practitioners on hand to guide and help you.\nScenarios to Map - Security Testing - Security Awareness and Education - Security Operations - Security Champions - others\nOutcomes Participants will have experienced creating their own Wardley Maps.\nReferences Finding a Path - The First Map Exploring the Map ", "title" : "Hands-on Wardley Maps creation", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 79, "params" : {"description":"Want to have a go at creating your own Wardley maps? This training session will give you hands-on experience in creating maps for multiple scenarios, with experienced practitioners on hand to guide and help you.","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-03T00:04:23+01:00","organizers":["Tony Richards"],"participants":null,"room_id":"room-2","room_layout":null,"session_slack":null,"status":"done","technology":null,"title":"Hands-on Wardley Maps creation","topics":null,"track":"Wardley Maps","type":"working-session","when_day":"Mon","when_time":"PM-3"} } , { "id" : "4c723bca712cfd805c44102d458753bf", "file_path" : "tracks/Wardley-Maps/training-session/introduction-to-wardley-maps.md", "last_modified" : "2019-06-03T00:04:23+01:00", "link" : "/tracks/wardley-maps/training-session/introduction-to-wardley-maps/", "content_plain" : " This will be a practical introduction to Wardley Mapping, taking participants through creating their own basic Wardley Maps, from User Needs, to creating Value-chains and applying Evolution to those Value-chains.\nWHY Using Wardley Mapping to gain understanding and situational awareness of the “landscape” prior to looking at the effect of climatic patterns.\nWhat https://cdn-images-1.medium.com/max/800/1*aBw7WVHYdishIeMqUMlHBA.jpeg\nOutcomes The participants will understand how to create a Wardley Map of a basic function. 
The participants, in groups, will have mapped a basic security function. Who The target audience for this Working Session is - CISOs - Security professionals - DevSecOps - Security champions - Anyone interested in Wardley Mapping!\nReferences Situation Normal, Everything Must Change - Simon Wardley Keynote - https://youtu.be/Ty6pOVEc3bA Wardley Mapping - Chapter 1 - On Being Lost Wardley Mapping - Chapter 2 - Finding a Path ", "summary" : "This will be a practical introduction to Wardley Mapping, taking participants through creating their own basic Wardley Maps, from User Needs, to creating Value-chains and applying Evolution to those Value-chains.\nWHY Using Wardley Mapping to gain understanding and situational awareness of the “landscape” prior to looking at the effect of climatic patterns.\nWhat https://cdn-images-1.medium.com/max/800/1*aBw7WVHYdishIeMqUMlHBA.jpeg\nOutcomes The participants will understand how to create a Wardley Map of a basic function.", "title" : "Introduction to Wardley Maps", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 135, "params" : {"description":"New to Wardley maps? 
This session is for you","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-03T00:04:23+01:00","organizers":["Tony Richards"],"participants":null,"room_id":"room-2","room_layout":null,"session_slack":null,"status":"done","technology":null,"title":"Introduction to Wardley Maps","topics":null,"track":"Wardley Maps","type":"working-session","when_day":"Mon","when_time":"PM-1"} } , { "id" : "48f4afc6f510e17b257cd229dcd227b7", "file_path" : "tracks/Wardley-Maps/working-sessions/mapping-boot camp-(with-simon).md", "last_modified" : "2019-06-05T20:50:18+01:00", "link" : "/tracks/wardley-maps/working-sessions/mapping-boot-camp-with-simon/", "content_plain" : " WHY A Wardley map is a map of the structure of a business or service, mapping the components needed to serve the customer or user. Maps help to communicate, challenge, plan, learn, and mitigate risk. Put into practice, this helps bring to life your future prospects, explore the most opportune reactions to change – or even pre-empt it – and highlight the supporting role played by technology for inspiring clear competitive advantage. At the same time, Mapping equips you with advanced techniques for gaming that competitive environment to your own advantage.\nOutcomes Understanding the basic principles of mapping and how to relate them to your business. What are Value Chains? Identifying your customers, their needs and their journeys. Understanding evolution in a map. Anticipate the future by looking at economic patterns. Identify where to outsource. 
Who The target audience for this Working Session is - CISOs - Security professionals - DevSecOps - Security champions - Anyone interested in Wardley Mapping!\nReferences Crossing the River by Feeling the Stones - Simon Wardley - DDD Europe 2018 - https://youtu.be/oZZKjxeg5W0 Wardley Mapping - Chapter 1 - On Being Lost Wardley Mapping - Chapter 2 - Finding a Path Open Security Summit 2018 - Wardley Mapping pt1 Open Security Summit 2018 - Wardley Mapping pt2 ", "summary" : "WHY A Wardley map is a map of the structure of a business or service, mapping the components needed to serve the customer or user. Maps help to communicate, challenge, plan, learn, and mitigate risk. Put into practice, this helps bring to life your future prospects, explore the most opportune reactions to change – or even pre-empt it – and highlight the supporting role played by technology for inspiring clear competitive advantage.", "title" : "Mapping boot camp", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 213, "params" : {"description":"Wardley Mapping boot camp - Zero to Mapping Hero - By Simon Wardley","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-05T20:50:18+01:00","locked":true,"organizers":["Simon Wardley"],"room_id":"room-2","room_layout":null,"session_slack":null,"status":"need-content","technology":null,"title":"Mapping boot camp","topics":null,"track":"Wardley Maps","type":"working-session","when_day":"Thu","when_time":"AM-1"} } , { "id" : "ab51bf015edbba42cdc2af48791425c7", "file_path" : "tracks/Wardley-Maps/user-sessions/talking-security-risk-to-business-practical-games.md", "last_modified" : "2019-06-06T14:43:15+01:00", "link" : "/tracks/wardley-maps/user-sessions/talking-security-risk-to-business-practical-games/", "content_plain" : " WHY How do security teams engage effectively with the business? 
Dave Snowden and Simon Wardley will draw on their extensive consulting experience to suggest some interesting thought exercises and practical games to help cross-functional teams learn through failure.\nWhat (…)\nOutcomes (…)\nReferences (…)\n", "summary" : "WHY How do security teams engage effectively with the business? Dave Snowden and Simon Wardley will draw on their extensive consulting experience to suggest some interesting thought exercises and practical games to help cross-functional teams learn through failure.\nWhat (…)\nOutcomes (…)\nReferences (…)", "title" : "Talking security risk to business - practical games to learn through failure", "track" : "Wardley Maps", "type" : "user-session", "word_count" : 43, "params" : {"description":"","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-06T14:43:15+01:00","organizers":"Ben Schofield","participants":["Dave Snowden","Simon Wardley"],"room_id":"room-2","room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Talking security risk to business - practical games to learn through failure","topics":null,"track":"Wardley Maps","type":"user-session","when_day":"Thu","when_time":"DS-3"} } , { "id" : "73cee012e8eb4f4442e2b262e00cf930", "file_path" : "tracks/Wardley-Maps/working-sessions/using-cynefin-framework-for-making-strategic-security-decisions.md", "last_modified" : "2019-06-04T22:29:01+01:00", "link" : "/tracks/wardley-maps/working-sessions/using-cynefin-framework-for-making-strategic-security-decisions/", "content_plain" : "", "summary" : "", "title" : "Using the Cynefin Framework for making strategic security decisions", "track" : "Misc", "type" : "working-session", "word_count" : 0, "params" : {"category":["Cynefin Framework"],"description":"Session on how to use the Cynefin Framework for making strategic security decisions","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-04T22:29:01+01:00","organizers":["Dave 
Snowden"],"room_id":"room-2","room_layout":null,"session_slack":null,"status":"draft","technology":null,"title":"Using the Cynefin Framework for making strategic security decisions","track":"Misc","type":"working-session","when_day":"Wed","when_time":"PM-3"} } , { "id" : "6980f68ad425ebd1c66250ef5b731006", "file_path" : "tracks/Wardley-Maps/user-sessions/using-wardley-maps-and-cynefin-for-security.md", "last_modified" : "2019-06-04T23:21:27+01:00", "link" : "/tracks/wardley-maps/user-sessions/using-wardley-maps-and-cynefin-for-security/", "content_plain" : "", "summary" : "", "title" : "Using Wardley Maps and Cynefin for Security", "track" : "Wardley Maps", "type" : "user-session", "word_count" : 0, "params" : {"description":"An introduction to the Cynefin Framework, and its intersection with Wardley Maps, for Security","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-04T23:21:27+01:00","locked":true,"organizers":["Simon Wardley","Dave Snowden"],"room_id":"room-2","room_layout":null,"session_slack":null,"status":"need content","technology":null,"title":"Using Wardley Maps and Cynefin for Security","topics":null,"track":"Wardley Maps","type":"user-session","when_day":"Wed","when_time":"PM-2"} } , { "id" : "a7d6adf97a1d42c81d33cf5f30684d48", "file_path" : "tracks/Wardley-Maps/user-sessions/using-wardley-maps-on-soc.md", "last_modified" : "2019-06-04T23:21:27+01:00", "link" : "/tracks/wardley-maps/user-sessions/using-wardley-maps-on-soc/", "content_plain" : "How to apply Wardley maps to a SOC (Security Operations Center).\nHere is an example of what this looks like: SOC Value Chain & Delivery Models\nSame example mapped to in-house vs outsourced:\n", "summary" : "How to apply Wardley maps to a SOC (Security Operations Center).\nHere is an example of what this looks like: SOC Value Chain & Delivery Models\nSame example mapped to in-house vs outsourced:", "title" : "Using Wardley Maps on SOC", "track" : "Wardley Maps", "type" : 
"user-session", "word_count" : 33, "params" : {"description":"","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-04T23:21:27+01:00","locked":true,"organizers":["Tony Richards"],"room_id":"room-4","room_layout":null,"session_slack":null,"status":"review-content","technology":null,"title":"Using Wardley Maps on SOC","topics":null,"track":"Wardley Maps","type":"user-session","when_day":"Wed","when_time":"PM-3"} } , { "id" : "dfc42946d7a1017be52d5f50324030f0", "file_path" : "tracks/Wardley-Maps/working-sessions/climatic-patterns-and-using-doctrine.md", "last_modified" : "2019-06-05T20:50:18+01:00", "link" : "/tracks/wardley-maps/working-sessions/climatic-patterns-and-using-doctrine/", "content_plain" : " Climatic patterns are those things which change the map regardless of your actions. This can include common economic patterns or competitor actions. Understanding climatic patterns is important when anticipating change. Doctrine is the set of basic universal principles that are applicable to all industries regardless of the landscape and its context. This doesn’t mean that the doctrine is right but instead that it appears to be consistently useful for the time being. There will always exist better doctrine in the future.\nWhat You cannot stop climatic patterns from happening, though, as you’ll discover, you can influence, use and exploit them.\nOutcomes (…)\nReferences Wardley Mapping - Chapter 3 - Exploring the Map Wardley Mapping - Chapter 4 - Doctrine ", "summary" : "Climatic patterns are those things which change the map regardless of your actions. This can include common economic patterns or competitor actions. Understanding climatic patterns is important when anticipating change. Doctrine is the set of basic universal principles that are applicable to all industries regardless of the landscape and its context. 
This doesn’t mean that the doctrine is right but instead that it appears to be consistently useful for the time being.", "title" : "Wardley Mapping - Climatic Patterns and Using Doctrine", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 117, "params" : {"description":"Wardley Mapping, Understanding Climatic Patterns and Using Doctrine","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-05T20:50:18+01:00","locked":true,"organizers":["Simon Wardley"],"room_id":"room-2","room_layout":null,"session_slack":null,"status":"need-content","technology":null,"title":"Wardley Mapping - Climatic Patterns and Using Doctrine","topics":null,"track":"Wardley Maps","type":"working-session","when_day":"Thu","when_time":"PM-2"} } , { "id" : "f537aae6d9c16f2bb0533459572ab701", "file_path" : "tracks/Wardley-Maps/working-sessions/coordinating-functions-within-a-pst-organisation.md", "last_modified" : "2019-06-05T20:50:18+01:00", "link" : "/tracks/wardley-maps/working-sessions/coordinating-functions-within-a-pst-organisation/", "content_plain" : " Most organisations have structures in place that can be used to embed mapping, whether it’s an architectural group or an office of the CEO or a business relationship function or some other home. The role of the co-ordination function is to encourage compliance with policy (doctrine), often via a spend control mechanism, and to enable sharing between the business units through the use of maps. This doesn’t require some big bang overhaul but usually the formalisation of an existing structure, e.g. the office of an executive function or an architectural board can be converted into this role. When spend control is used, a policy limit (e.g. £100K) should be set above which any project must be mapped and the map sent to the co-ordination function. The function can then analyse the map, make recommendations and introduce elements of transparency and challenge within the organisation. 
As more maps are gathered, the function can also identify patterns for common services.\nWHY It’s through such a function that other forms of doctrine, such as cell based structure and the use of Pioneer-Settler-Town Planner, along with more context-specific gameplay, can be introduced into the business units. With your shared services group, you should aim to populate it with small cells of town planners providing industrialised components. Your business units will tend to become dominated by cells of pioneers and settlers providing custom to product and rental services. Your co-ordination function will mainly become settlers focused on ensuring transparency and learning within the organisation itself. It’s really important, if this is your first co-ordination function (in UK Government this was called Spend Control), that it is staffed by people with experience of “future” ways of operating, i.e. you want them to challenge the organisation, and pioneers can be useful here.\nWhat (…)\nOutcomes (…)\nReferences Wardley Mapping - Chapter 6 - Getting Started Yourself ", "summary" : "Most organisations have structures in place that can be used to embed mapping, whether it’s an architectural group or an office of the CEO or a business relationship function or some other home. The role of the co-ordination function is to encourage compliance with policy (doctrine), often via a spend control mechanism, and to enable sharing between the business units through the use of maps. 
This doesn’t require some big bang overhaul but usually the formalisation of an existing structure e.", "title" : "Wardley Mapping - Coordinating functions within a PST organisation", "track" : "Wardley Maps", "type" : "working-session", "word_count" : 311, "params" : {"description":"Coordinating functions within a PST organisation","draft":false,"featured":true,"iscjklanguage":false,"lastmod":"2019-06-05T20:50:18+01:00","locked":true,"organizers":["Simon Wardley"],"room_id":"room-2","room_layout":null,"session_slack":null,"status":"need-content","technology":null,"title":"Wardley Mapping - Coordinating functions within a PST organisation","topics":null,"track":"Wardley Maps","type":"working-session","when_day":"Thu","when_time":"PM-3"} } , { "id" : "af6980dbe95d6977b396dc85d2a11038", "file_path" : "tracks/Wardley-Maps/user-sessions/create-wardley-mappings-for-multiple-security-scenarios.md", "last_modified" : "2019-06-06T08:49:14+01:00", "link" : "/tracks/wardley-maps/user-sessions/create-wardley-mappings-for-multiple-security-scenarios/", "content_plain" : " Wardley Maps are very useful for mapping out strategies along with terrain to advance security controls and efforts. 
For those not familiar with this concept, it was developed by Simon Wardley (@swardley) and has evolved into a very useful tool for prioritizing the right work at the right time to increase the odds of successfully completing a mission.\nIf you are interested in learning more about this tool and how to build a Wardley Map, there is great information here: Wardley Blog\nPractical session on creating Wardley Maps\nThe DevSecOps tribe is using this format to begin an effort that helps security teams to uplevel their security programs and share forward momentum without getting lost in minutiae.\nIn order to get the ball rolling, we have developed the following map to show the changing landscape for security with the emergence of DevOps, Mobile, and greater demands for security in software.\nWe’re completely open to feedback on this map and will continue to develop greater depth via add-on maps to further illustrate community efforts towards transforming security to meet the demands of DevOps.\n![](https://github.com/devsecops/wardley-maps/raw/master/wardley-devsecops-1.0.png)\nWardley Mapping resources Atlas 2 - https://atlas2.wardleymaps.com/ You can log in with a Google account or create one, and start mapping right away. 
It’s not feature-rich, but a great and quick way to start\nCreating Context-specific maturity models with Wardley Maps informed by Cynefin - https://medium.com/@chrisvmcd/mapping-maturity-create-context-specific-maturity-models-with-wardley-maps-informed-by-cynefin-37ffcd1d315 Lays out a process using “Building the right thing”, “Building the thing right” and “Building the thing fast enough”, and analyses options for investment using Cynefin to make sense of the available options\nWardley Mapping template for Google Slides - https://docs.google.com/presentation/d/11_7D5KAgEUY3FxKg0K2whpwnC4jZOrS_TO2bpD5PV5A/edit#slide=id.g2482372f53_0_0 Great set of maps, with a summary of Doctrine and icons you can use to build your own slides in Google Slides. You can create your own copy and use it freely\nCollection of maps - https://www.pinterest.co.uk/adrianrgcampbel/wardley-maps/ A collection of maps done for different purposes and industries that you can use as inspiration or as a template to develop your own.\nPlotting a path to a greener web - https://www.thegreenwebfoundation.org/news/plotting-a-path-to-a-greener-web-with-wardley-mapping/ A brilliant mapping exercise by the Green Web Foundation, which is also a great template for mapping a CI/CD environment, from its public-facing services to the systems required to build and run it.\nLearnWardleyMapping.com - https://learnwardleymapping.com/#introduction Brilliant summary of Wardley mapping and its different stages, in an easy-to-use UI. 
Probably one of the best resources to start the journey.\nEvolving a business process with Wardley mapping - http://www.abusedbits.com/2018/06/evolving-business-process-with-wardley.html Using Wardley mapping to map and improve a business process, by identifying the parts that are at initial stages of development and finding more efficient ways to address them\nMap of security practices (developed at previous Open Security Summits) - https://github.com/devsecops/wardley-maps\nFurther links to be provided once updates have been made to the material\n", "summary" : "Wardley Maps are very useful for mapping out strategies along with terrain to advance security controls and efforts. For those not familiar with this concept, it was developed by Simon Wardley (@swardley) and has evolved into a very useful tool for prioritizing the right work at the right time to increase the odds of successfully completing a mission.\nIf you are interested in learning more about this tool and how to build a Wardley Map, there is great information here: Wardley Blog", "title" : "Wardley Maps for Security", "track" : "Wardley Maps", "type" : "user-session", "word_count" : 463, "params" : {"categories":null,"description":"Practical session on using Wardley Maps for Security","draft":false,"featured":null,"iscjklanguage":false,"lastmod":"2019-06-06T08:49:14+01:00","locked":true,"organizers":["Mario Platt","Tony Richards"],"room_id":"room-4","session_slack":"https://os-summit.slack.com/messages/CB1HGSDHU","status":"review-content","technology":null,"title":"Wardley Maps for Security","track":"Wardley Maps","type":"user-session","when_day":"Wed","when_time":"PM-1"} } ]