OWASP PodCast

Season 1, Episode · 9 months ago

0x03 - 2021-08-01 OWASP Top 10

ABOUT THIS EPISODE

Show notes 1-August - Top10 updates and more with Andrew van der Stock

TOP10 section notes:

We talked with former Board member, current Executive Director of OWASP and long-term, big-time contributor to the Top 10 project, Andrew van der Stock, about:

The past and the present of OWASP Top10.

What it is and what it isn't. 

How it is different from standards or other Top X lists.

The data and process behind it and the new Top10!

YOU HEAR IT HERE FIRST FOLKS!! Changes to the categories and ordering to Top10 - Andrew goes through the new categories and major changes!

Follow the project on twitter @ https://twitter.com/owasptop10

For the process: https://www.owasptopten.org/

For data submission:

https://github.com/OWASP/Top10/tree/master/2021/Data

3 new categories in 2021 version:

Insecure design (security design that is missing, ineffective, or present but not used)

Server side request forgery (SSRF)

Software and data integrity failures

The ordering has changed and multiple previous categories have been merged. The final order will be revealed at the OWASP 20th Anniversary event on 24th September 2021: https://20thanniversary.owasp.org/
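As a worked illustration of the SSRF category listed above (an added example written for these notes, not code from the podcast, from Andrew, or from the OWASP Top 10 project): a "fetch this URL for me" feature the way it is often written, beside a hardened check that resolves the host and refuses anything that would make the server talk to loopback, private, link-local (cloud metadata) or other non-public address space, including IPv4-mapped IPv6 forms. The function names, the FAKE_DNS table and the sample URLs are constructed assumptions for illustration; the offline resolver stands in for DNS so the block runs without a network.

```python
# Added example, not code from the podcast or the OWASP Top 10 project.
# A "fetch this URL for me" feature as it is often written (SSRF-prone),
# next to a hardened check that resolves the host and refuses internal targets.
# Function names, FAKE_DNS and the sample URLs are constructed for illustration.
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def naive_is_safe(url: str) -> bool:
    """The string-matching check that does NOT stop SSRF: an attacker just
    picks an internal address the blocklist never mentions."""
    return url.startswith("http") and "localhost" not in url and "127.0.0.1" not in url


def system_resolve(host: str) -> List[str]:
    """Resolve with the OS resolver; also accepts IP literals. The offline
    fake_resolve below is used instead of this when running without network."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_safe_target(url: str,
                   resolve: Callable[[str], List[str]] = system_resolve) -> Tuple[bool, str]:
    """Return (ok, reason). Allow only http(s) on 80/443 to hosts whose EVERY
    resolved address is publicly routable: loopback, RFC 1918, link-local
    (169.254.169.254 cloud metadata), IPv6 ULA, unspecified and reserved
    ranges are all rejected, including IPv4-mapped IPv6 forms."""
    try:
        parts = urlparse(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"   # http://trusted@169.254.169.254/ tricks
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, OSError):
        return False, "resolution failed"
    if not addrs:
        return False, "resolution failed"
    for text in addrs:
        ip = ipaddress.ip_address(text)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped      # ::ffff:10.0.0.1 is still 10.0.0.1
        if not ip.is_global:         # loopback, private, link-local, reserved, ...
            return False, "%s resolves to non-public %s" % (parts.hostname, ip)
    return True, "ok"


# Constructed, offline stand-in for DNS so the example runs without network.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.test": ["93.184.216.34", "10.0.0.5"],   # one public, one private record
}


def fake_resolve(host: str) -> List[str]:
    try:
        ipaddress.ip_address(host)
        return [host]                # an IP literal "resolves" to itself
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(host)


# Hypothetical fetch-by-URL endpoint: validate first, then (in real code)
# connect only to the address that was checked and follow no redirects,
# because a redirect to an internal address would otherwise bypass the check.
def fetch_for_user(url: str, resolve=fake_resolve) -> str:
    ok, reason = is_safe_target(url, resolve)
    if not ok:
        return "refused: " + reason
    return "would fetch %s" % url     # real code: pinned-IP GET, redirects off


if __name__ == "__main__":
    for u in ("http://example.com/logo.png",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/admin",
              "http://rebind.test/"):
        print(u, "naive:", naive_is_safe(u), "hardened:", fetch_for_user(u))
```

Two caveats worth keeping in mind with this pattern: the validation is only as good as the connection that follows it (pin the request to the address you checked and disable redirects, or a DNS rebind or a 302 to an internal host gets around it), and a short, uniform timeout on the outbound request blunts the "fast response versus 45-second timeout" probing described in the episode, though an allowlist of permitted hosts is still the stronger design.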

We want to thank all contributors to OWASP Top 10 for creating something which inspired many people to get into security.

Extras:

For getting involved in the Education Committee or the two new projects mentioned during the episode (the AppSec Curriculum project and the How to Get into AppSec project), the education-committee Slack channel is: https://owasp.slack.com/archives/C016H3FK3D5

Orange Tsai, world-renowned SSRF expert: https://twitter.com/orange_8361 and https://blog.orange.tw/

Non-Top10 updates:

In the spirit of its 20th birthday, we also talked about the story of OWASP.

Mark Curphey's post on the Veracode blog on the origin story of OWASP: https://www.veracode.com/blog/intro-appsec/start-owasp-true-story

New flagship project: Software Bill of Materials

(in partnership with CycloneDX) https://owasp.org/www-project-cyclonedx/

Vendor-neutral vs vendor-hostile approach

Elections for the Board are coming up! There will be a call for candidates for the Board in mid-August. Watch this space and apply.

If you are on the OWASP leaders list, please contribute to the revamp of the Mission Statement. Check your mailbox for instructions.

We are at Black Hat USA! Come visit our booth (search for OWASP in the vendor booth list).

The Corporate Membership structure has been reshaped and published: https://owasp.org/supporters/

Trademark licensing for training partners has become much easier, sponsorships are more easily recognised, and there is better affordability for startups and regions.

We passed 4600 members and the new individual Membership Portal is launched: https://owasp.org/membership/2021/07/05/MembershipPortal.html

... you news from inside OWASP. I agree. Thank you so much for joining us for the podcast. And Andrew, you've been an amazing contributor and a leader for all of us. Earlier you were on the Board and now you are Executive Director of OWASP. You've done so much for OWASP, but we are joined by you today and we would like to hear it from you.

Hi everyone, thank you for having me, and yes, I've been around OWASP for nearly twenty years. I wasn't there at the beginning, but close enough, and this is my dream job. So again, thank you for having me.

Thank you. So let's start. Today we're going to focus on OWASP Top Ten, and we will have some more updates at the end as well, but let me ask you about the history of OWASP Top Ten. What can you tell us?

Okay, yeah. Most people don't realize that there was an OWASP Top Ten as early as 2003. The OWASP Top Ten was initiated by Jeff Williams and Dave Wichers from Aspect Security. They both work for different companies now: Jeff is at Contrast Security and I believe Dave is at one of the big four. I'm not sure which one Aspect Security got acquired by. The reality is they used the information they had from their consultancy. They were a security boutique, and one of the most influential ones back in the early to mid 2000s, and I worked there, so just putting it out there that I do know Jeff and Dave very well. Jeff and Dave helped start the Foundation in 2004. We literally stand on the shoulders of giants here; Jeff is like 210 centimeters tall, so the reality is he is a giant. But what they got right was it was simple, it's only ten things, it was short and, more to the point, the things that they pointed out are in the OWASP Top Ten pretty much in the same order, which is one of the biggest criticisms of the OWASP Top Ten: it doesn't seem to change.

They got that right in 2003. They didn't call it anything in particular then; it was like OWASP Top Ten 1.0. The 2004 version is the one that really got traction; it came out the following year. I think the idea was to do it every year, but it ended up being every three. So the OWASP Top Ten 2004 was the one that got traction. It was very similar to the 2003 version because only a little bit had changed. In 2007, well, in 2006, I took over, and Jeff and Dave were still significant contributors. At this point I decided to change it from being just about one consultancy's data input to being about the CWE data, and so we were one of the first people to actually get the data from MITRE at a time when it wasn't publicly available as a data set, and we used that to drive the creation and ordering of the OWASP Top Ten, and I think that's the order that we sort of see today. That's both a plus and a minus and we can go into that later. For the 2010 and 2013 versions, I felt I was a little bit burnt out after doing the 2007 version and I took a bit of a break, but also I felt that maybe the design wasn't quite right, and in fact I'd probably like to delve into that a little bit later.

I know that we've got something coming up there. What would you change?

I would certainly say there is something that needs to be changed. The 2010 and 2013 versions just cemented the reputation of the OWASP Top Ten. People were using it as AppSec programs and a whole bunch of stuff. With the 2017 version there was a little bit of controversy, to put it mildly. I don't want to relitigate the controversy because it doesn't reflect well upon the AppSec community as a whole.

But the end result is that Jeff and Dave stepped away from the OWASP Top Ten and to a certain degree we are much poorer for their absence. I was appointed by Dave as the new lead and my first job was to find new co-leaders, people that I didn't necessarily know well, but people that I trusted. One of the people who was providing very, very good feedback and solid data on his opinions was Brian Glas, and so he was an easy appointment as far as I was concerned, and that's exactly the sort of feedback we need: constructive feedback on how to make this better using real information, and Brian was that person. Torsten had been our translator and web person since 2007 and how he wasn't already a leader of the OWASP Top Ten is beyond me. So Torsten was a very easy appointment here as well, and Neil Smithline had been involved ever since like 2004. So again, surprising that they weren't official co-leads. Appointing four co-leads made it a much stronger document and I think we had a lot of feedback during that time. We had...

...over 300 tickets which we closed. I think this shows the depth of concern that many people have for the OWASP Top Ten, and they want the right thing. Some people went around it the wrong way. Okay, move on. But I think the Top Ten 2017 was a much stronger document than the previous ones because we'd actually, you know, sat down for two days at the Open Security Summit and designed the process, which is now documented. I believe that's going to be in the show notes. We now collect survey data too, and I'm happy, I don't want to have a long answer here, but I'm happy to delve into how this process works later. The OWASP Top Ten has always had things that have been put in there by the people who write it. For example, in 2007, without any evidence, I put CSRF in because one hundred percent of every application had CSRF; it wasn't in the data, but I knew it needed to be in there. What we did is we are actually now taking the pulse of the community, and that was a change that was done. In 2017 we made it formal, so it's not just the co-leads, it's actually the community. And in 2021, well, obviously COVID hit and so delayed our data collection for 2020. We were supposed to release it last year. Didn't happen. We didn't get enough data last year, but I'm glad to say that we now have enough data. I'm very happy to talk about that data in a later question. We have data on 515,000 apps and we have seven hundred and something, nearly 800, survey responses. So I think we've got a really solid set of data to argue our point as to the new construction.

That's great, Andrew. Thank you so much for that.

And before we get into that process and all that, the fun stuff, let's take a quick pause. I want to ask you, and I've heard you speak about this on other podcasts and other events: are there misconceptions about OWASP Top Ten that you kind of want to put out there and say, here's what OWASP Top Ten is not?

Okay, yes. In the 2007 version, I asked in the foreword, please don't adopt this as a standard. It was promptly put into PCI DSS. I wish they'd actually talked to us. We could have made a much stronger PCI DSS from the get-go, but they chose to adopt a mixture of 2004 and 2007 and that's still in there today. I think we can do a lot better if we could work with them. I've actually informally reached out to them in the past. But it's an example of where the OWASP Top Ten is actually, if you look at the number of CWEs we cover, in 2017 it was 43. So it's actually the top ten, but 43. As a standard it's not a very good one. I would encourage people to use it as a bootstrap: this is the very minimum you need to do. And then that leads into the second part. It's not an AppSec program. It can be used as a starter AppSec program, but if you're just doing the OWASP Top Ten you're going to have whack-a-mole, you're going to have continual breaches, because it's not an AppSec program. And so in 2021 we are trying to address both of those things by being a bit crisper in our text and what we recommend. We are going to reference you off to proper standards to find out what you should be doing instead, and we're also going to be talking to the AppSec program project. Dita has a project for getting started in AppSec, and I would hope that at some point we can have a getting started with an AppSec program as part of that, and I think the OWASP Top Ten is a good entrée to that, but it's certainly not the endpoint.

Andrew, for those that are using the OWASP Top Ten incorrectly as an AppSec program, or maybe they use it to start off, are you saying that Dita's program that you just mentioned is a pathway off of OWASP Top Ten as your AppSec program?

I must admit it's at five am on Monday mornings and I can't really attend the meeting, so I don't know where it's up to. I'd love to hear Dita's explanation as to where the program's up to. But fundamentally I think we need an AppSec program project. Dita's got an AppSec, an Intro to AppSec program, I think. Dita, correct me if I'm wrong, and please talk about it. What is the focus of your programs?

So we have a new leader for the project, but there are two projects that are going hand in hand under the Education Committee: one that runs the curriculum, and the second one is How to Get into AppSec, and they're both taking ASVS as their base.

So, not the Top Ten. Okay, good, that's the correct pathway. So I just want to highlight the fact that getting started in AppSec is more about how developers or AppSec professionals get into the program, rather than how CISOs or AppSec leaders start a program, and I think that's an element that we can probably start to address in the Top Ten 2021, but we need a project to do it properly. I'm a big fan of the paved road concept. I think...

...that's a really good way of getting people to do the right thing in the easiest possible way, and I think it involves the least amount of work and the most amount of scalability for AppSec teams. But if you are looking for a standard, the ASVS is the correct answer. And if anybody wants to contribute to any of these projects, please come into the Education Committee Slack channel. We do need more people. We always like more volunteers. More volunteers means more work getting done there.

Thank you for that. Andrew, I want to get into the process, because you did mention you're making some changes to make it more comprehensible or complete. Can you tell us a bit about the process behind how we get to the Top Ten?

What I might do is just describe the overall process of how the OWASP Top Ten is built, how the sausage is made, if you like. Sometimes it's not pretty and people may not agree with us, but this is a process we came up with the community, and it's worked and it's working now. Fundamentally, the first part is we do a call for data. We ask people to give us their data, and in some cases it's surprising who does give us the data, and we're very, very thankful to them for doing so. This is one of the reasons why it's not currently public: we need to anonymize it. A number of contributors' tools find specific things, or the boutiques might give you an indication as to the size of the business, and that's not our intention. Our intention is to take those 515,000 apps from a large number of contributors, and we thank each and every one of them for their contribution. So once we've got that data, Brian spends a lot of time on it; he's a data scientist, he works at a university here in the United States. He spent a lot of time analyzing it and I think, you know, we've got a pretty solid basis for making decisions about where things need to be.

We spend a fair amount of time coalescing elements together, because if you've got 515,000 apps with 200-plus CWEs, some of them may be reported three or four times, some of them may be reported thousands, if not hundreds of thousands, of times. How do we stop the overwhelming percentage of low-value things from swamping the other important signal? So that's the work that we're doing. We've completed that work now and I think we're actually quite agreed on what's going to be in the OWASP Top Ten, and so we've started writing. So at this point we are in the process of basically starting to make things public. The first step will probably be the data release. I think a very important part of science is repeatability. You may not agree with our methodology, but here is the data; you go make your own. I think the data set is going to be very important for the ASVS and other people who are very interested in improving their tools or methodologies. What's actually important? I think the data set will help answer that question. It also helps the ASVS, for example; I'm a co-leader on that project as well. I think in a future version we need to make Level 1 the things that make the most impact and appear really frequently. At the moment ASVS Level 1 has like 120 things in it. Probably 50 is the right number, I don't know. But fundamentally, after we've done that, we write. Now we're currently writing privately because people aren't aware of what we're doing. I think it's a lot easier to edit than to create, but we're going to ask certain people in the community who are specialists in the area to help us create some of these things.

In the 2017 version we had Chris Frohoff and the other person, I've forgotten his name, it's actually terrible of me, who created ysoserial, help write the deserialization element, and almost all the words you see there came from them. We want to have specialists help us write the stuff, and then we put it out for peer review and we'll do some drafts and betas. That process will kick off very shortly. In the background, we've had the same graphic design for a long time, and so I've asked our graphics consultant to come up with a new look and feel for us. Also, I'm determined this time that the OWASP Top Ten is mobile friendly; basically it needs to be mobile first, but there are still people who like to have the PDF. It's always been a PDF. We need to make that look reasonably good and modern, and that's going to happen. But lastly, I want an infographic, something you can stick on the developers' walls. People can then refer to it: what is it that the OWASP Top Ten has, and what do you need to do about it, on a single piece of paper that's very well designed. So he's working on that for us as well. But I think the most complicated and most difficult thing is the ordering, and I'm very happy to take a further question on ordering.

Yeah, and one question I have.

Like, people are submitting data and we're trying to analyze it using data analytics, but how do people submit their data, and where do they submit and contribute to it? Maybe for the next time, because for this time we are almost done and the OWASP Top Ten is set to release really soon. So for the next time, this would probably help people, because this is one question I've heard from a lot of people, even students and professors; they are very keen to know this thing.

Okay, so about twelve months before we actually try to release the OWASP Top Ten, in this case a little bit longer because we tried early in the actual 2020 year to get data, we have a Top Ten Twitter handle and we ask the InfoSec community for it. We also get that retweeted by OWASP itself on the various OWASP platforms, so LinkedIn, Facebook and the main OWASP Twitter accounts. So we try to get as much publicity as possible for the data collection. Yet it is still reasonably opaque. We get asked this question: how do we do it? Well, if you go to the GitHub, and I hope that the actual link there is available to everyone, the GitHub itself actually has a data folder, and I think on the owasptopten.org website we actually tell you how you can contribute data there as well. I think this is one of the elements we can probably do a little bit better, because we probably don't ask often enough, and I don't think we've settled on how you give us data in a format we can analyze easily, early enough so people can get ready for it for the next three years. It's really hard for a small boutique to get a bunch of Word documents into a form that we can consume without exposing their business, and if they want to contribute in the future they need to do something now. So I think that's an element we might kick off almost as soon as we've released this.

That's awesome. And so, quick question, and I don't want to go too much on a tangent here.

So there's a lot of things like OWASP Top Ten out there. There's a Top Ten, there's a SANS 25, there are many like it. Can you maybe give me an example of how OWASP Top Ten is different and how it's similar? Is it good that we have such diversity in these kinds of top lists? Is it bad?

It's actually a good thing. So one of the comments that we commonly get from people who don't understand the methodology of the OWASP Top Ten is: why doesn't it actually have breach order? Why doesn't it have concordance with the CWE data? The reality is, the OWASP Top Ten has always been about risks. It's always had likelihood and impact being considered as part of it. Also, because it's an AppSec education piece, and that's what it's supposed to be, it's supposed to be awareness, we make judgments as to coalescing things together, which others don't like. The MITRE Top 25 is a simple concordance, and if you use that as your AppSec program you're still going to do quite well. But some of the things in it aren't actually important, and if I was a developer lead I would not be fixing some of the MITRE Top 25 just because it is in there, as there are much, much more important things to work on. But that said, there's validity in all of those. Like, if you can say that organizations between 2017 and 2021 lost close to a trillion dollars, you know, in business fines, cyber insurance payouts and whatnot, what were the ones that created the most amount of problems? And it comes down to access control, configuration and a few other ones. They need to be in the OWASP Top Ten, but they may not necessarily be the most prevalent issue because of the methodology. And so, long story short, I believe we need things like the Verizon Data Breach report. We need things like the SANS Top 25.

I think they're very important data points, but the OWASP Top Ten itself is an awareness piece and is slightly subjective, and as a result I think we've been highly successful in a way that probably shouldn't be.

What I'm most interested about: what type of changes have you seen in the data sets? Are there ordering changes, new category merges?

Yes, okay, I'm just going to bring up the actual data. We have three new categories. This isn't well known yet, but we're going to have to release this sooner or later, so it may as well be now. It's going to be Insecure Design, Server-Side Request Forgery, which is SSRF, and lastly Software and Data Integrity Failures, which is more or less the replacement for vulnerable...

...components, and a couple of other ones. It's slightly different, but we'll talk about that. The ordering is definitely different this time because we've actually had an impact. SQL injection and cross-site scripting are no longer so prevalent that they can stand alone anywhere towards the top of the OWASP Top Ten in any ordering that we could come up with, so we combined them together for the first time in twenty years, and that still wasn't enough to make it number one. What I can tell you now is that we have three candidates for the ordering, and ordering is by far the most difficult part of the OWASP Top Ten. It's not the writing, it's not the editing, it's not the design, it's the ordering. So a lot of work goes into actually understanding what the order might be, and I've spent more time with my co-leads working on the ordering this time than we did in 2017. In 2017 we had a four and a half hour meeting where we just simply discussed how we do injection and what its eventual position in the OWASP Top Ten 2017 would be, because it wasn't a given it was going to be number one in 2017 either. But this time injection, even with cross-site scripting tossed in, is not the top. So if you want to delve into those new elements, I'm happy to talk about them individually or collectively. The most important thing is that there is a new order, and that shows that we've actually had an impact.

Wow, well, I didn't guess that ordering was the hardest part. My guess was the data. But yeah, great to know. And you mentioned three candidates; what do you mean by three candidates?

So we know what the top ten is, and if you are a good program you're going to do all of them. But many people start at the top and work their way down to the bottom, and so ordering is actually quite vital, even though it's only ten items. So we actually have three different orders.

So the items in the OWASP Top Ten 2021 will be something along the lines of, and again this is not in order, I don't know what the order will be, we're still working on that. I'll talk about the new ones first: Insecure Design, Server-Side Request Forgery, Software and Data Integrity Failures, and then we've got a collection of things like Broken Access Control, Injection, Security Misconfiguration, Vulnerable Components, Identification and Authentication Failures, and the last one is Security Logging and Monitoring. So SSRF got in by itself based around data, but it was also the number one item from the community. So it's in. What's changed is XXE is pretty much combined into another issue, which is Security Misconfiguration, and insecure deserialization ends up in Software and Data Integrity Failures, but with a wider scope than before.

And if you don't mind, Andrew, I'll need to put you on the spot. But for the new categories, can you give an example of what it looks like to have that issue? So for Insecure Design, what does that look like? For Server-Side Request Forgery, what does that look like?

Sure. So insecure design is where the code is actually correct and functioning in the way you would expect, but it's wrong. For example, password resets. If you've got a questions and answers password reset flow, that design is wrong. It is prohibited by the Application Security Verification Standard. It is prohibited by NIST 800-63, and I have seen a reduction in its use. It's an insecure design. The problem with it is, just because you know something about someone doesn't mean you are them. So for evidence of identity, the design itself is flawed. So when we look at designs, we're looking at missing design. We're also looking at ineffective design, or design that's actually present but not used.

So, for example, if you are using a SQL connector of some description and you have access to parameterized queries or an ORM that's injection-proof, and then you choose to use something that's not safe, that is an insecure design. It's a design choice you've made. It's not necessarily a good choice, but it still works; it functions as long as you don't do anything naughty. But you had a better choice. So what we try to do in this insecure design area is talk about those three different categories. Essentially, you have missing design, or it's ineffective design, like that password reset flow, or alternatively it's there but you didn't use it. For example, if you're using Vue or React, it's practically impossible to have cross-site scripting. Yet you still have full access to the DOM, and so you can have cross-site scripting in apps that are written in Vue and React. So that's where I'm trying to get at. Just because you have...

...a great toolkit, a great library, if you're not using the features properly, then you still have vulnerabilities, and so that's what this is about.

Okay, so continuing on to server-side request forgery.

For those who aren't familiar with it, and many people aren't, it is literally an abuse of URL parsing and other techniques; it can be done via XML, it can be done by abusing URL parsers. What it does is it allows the interpretation of user-supplied input to cause server-side components to do things on the user's behalf. Now, the easiest one to think about is you have a URL that refers to an IP address that appears on the inside of your network or VPC or whatever the case may be, and probing it to see whether or not that actually exists. So if it exists, it returns really quickly. If it does not exist, it takes forty-five seconds, which is a sign of a timeout. So just by submitting an invalid IP address, you can find out what the IP address range of an internal network looks like and what access the server that runs that code has. That's actually the simplest possible explanation of server-side request forgery. There's a gentleman by the name of Orange Tsai, and I'll provide that link in the actual description of this show. I've asked him to help us write this particular thing because he's a world-renowned expert on it. One of my favorite talks of Black Hat 2017 was his talk. I went to it because it was like one of the last talks of the actual conference and I thought I might as well see this; I want to learn about SSRF. And he showed how he used SSRF to go from nothing to a complete takeover of GitHub, essentially. I think it's GitHub. It's maybe GitHub or GitLab, I'm not sure; you'll need to go back and look at the thing. But he's found so many other similar vulnerabilities, and it's a particular pattern.

So if you do URL parsing or, for example, you have XML processors that look at user-supplied documents, the reality is you could be vulnerable to server-side request forgery, and there's a design problem. Honestly, the best way of avoiding this is not to take URLs from users, and be very cautious of what you do with XML documents. You may want to have them sandboxed. The reality is URLs are very complicated. A regex for a URL parser can be over 2K in length and still not be correct. So the reality is that getting URL parsing right, and simply having every single piece of code in your application parsing URLs in exactly the same way, is very, very difficult. So the simplest way of avoiding SSRF is not to accept XML documents or URLs from the user. I'm probably explaining that a little wrong because, quite frankly, SSRF has moved on since I last looked at it, and I would love for Orange Tsai to write that section with us and make sure that we have the technical details correct, because it's complicated. The other thing that's interesting about SSRF is it's difficult to test for, and therefore many people don't test for it, but static code analysis tools can find it pretty easily. So that's how it ended up: both as data and also the community asking for it. The last one that's new, Software and Data Integrity Failures, is literally along the lines of, say for example, you send something to the client expecting it to be hidden. This is the old hidden forms issue, where you had hidden form fields that could be changed by the user. The modern version of that is JWT tokens that can be modified; it can be something along the lines of you sending a serialized blob to the user and expecting them not to change it. Or replay is a different one. Software and Data Integrity Failures can actually be a larger category than this, but I think I'll concentrate on the old insecure deserialization as being the entrée to this particular problem.

But there are other risks. For example, if we can force-load a different component, because we can tell the application that's the component that you should be using, that could end up with data integrity failures. So the easiest way to understand this, if you're a developer and you use use cases or user stories to actually design your application: as a user, I should be able to view and edit my user profile. The contrary version of that should be a test case. It's a functional test case: as...

...a user, I should not be able to see or edit any other users profile. So, although that could be considered broken access control, which is obviously towards the top, it's also a data integrity failure because you can modify data or someone else and that's not good. But we're probably going to concentrate this particular element primarily on how does a user or an attacker change the data about themselves or the data the application processes in a way that enables replay? Like how do I get a thousand cinema tickets? How do I get like abuse business logic flaws, because you've sent something to the user that they could then modify. That's what that wants about. That's really amazing to know, Undrell, and I'm sure there is so much of a change, reshuffling and what not happening with the west of then. But we also want to have the question, I am sure everyone in the industry wants to know, that when are we going to see or we stop then it is we're should any timeline? Yes, we're going to release it on the twenty anniversary of the host organization. Mark curfy stamp and a few others started it on September twenty four two thousand and one and we are having a global event on that day. So if you're interested, it's a free to return thing. Mark is actually talking as a keynote at this conference, so you want to hear about the other days or what he currently thinks about application security, please come along to that one. He's always a challenging discussion, so expect to be challenged, let's put it that way. I'm looking forward to it immensely. So September, twenty four, two thousand and one, so twenty twenty one back in time. That would have been cool, or maybe enough cool, I don't know. Thank you for that. Do we have any protoctop time questions from you, jibbing or wandernner? No, I think you're good. You can do you can move ahead. All the questions and swered. Yeah, I think maybe I'll just say a quick peace. Andrew. 
If it wasn't for the OWASP Top Ten, I personally would not have gotten into security. So it's the work of your team and everybody who has contributed to the OWASP Top Ten over the years that made entering into security go from this nebulous thing into this list, and of course security is much bigger than that, but that prepared the entryway for me and I'm sure many other people like me. So, appreciate all the work there.

That's actually not the first time I've heard that. This week we've been discussing with Troy Hunt; we want him to come and talk at the twentieth anniversary, and he actually mentioned that the OWASP Top Ten was influential in him getting into application security. He actually prepared the .NET version of the OWASP Top Ten 2005, and that's how he got into application security, and now he's like a superstar of our industry. So yeah, I'm really, really pleased we've had this impact.

That is so inspirational. It's such a huge impact for the industry. So thank you, Andrew, so much for being a guest and talking about the Top Ten. But we are not done with you yet. So we do have some more questions and updates from the community as well. I do want to ask you a bit, because it's the twentieth anniversary and it's quite a big milestone: would you like to tell us a bit about the history? How did OWASP start?

So yeah, absolutely, it's a very interesting history because it's had such a long and winding path. You know, successful projects have a lot of fathers, as the saying goes, and I think a lot of people claim to have been there at the beginning of those. Mark Curphey knows exactly who was there, and if you're interested, Mark did a blog post at Veracode that describes it. The way he puts it is essentially he knows who was in the flat with him at the time who created it. It was like three people. But whatever, we snowballed really quickly.
I joined in November of 2001, so I don't know what happened in the first couple of months, but I've been there ever since. OWASP has definitely had its ups and downs. I won't shy away from that. Like, for example, in 2006 there was a bit of a split, a major split, between people who are more vendor-focused and us. So the Web Application Security Consortium got going at that point, and that sort of petered out a little bit, and that's sort of unfortunate because they actually did create some really cool stuff, and it sort of got adopted a little bit later into OWASP again, about a decade later. But in those first few years we created the OWASP Developer Guide; that was the first thing that we were famous for. There was a taxonomy of, essentially, if you think about the way CWE is at the moment and it's got categories, the taxonomy is very similar, and we did that in 2001. It was one of the second, like the second or third, project I led, the OWASP Developer Guide project version two, in 2005. We've been holding conferences. The first one was, I believe, in 2003 or 2004 in New York City, and so we've been doing that for a while, and since 2004 we've had a European one, and we've held two conferences a year under that European/USA type of deal. From time to time we've tried to get a third conference going, but it hasn't always panned out. But some of the highlights are that we've got chapters all over the world. We started doing chapters very early on, and so we have over 225 chapters at the moment, and we've just finished a chapter reactivation program to get everyone busy again, and that's been highly successful. We've seen a very pleasing number of people not only doing chapter meetings virtually but attending them, which is amazing to me, because no one really wants to spend their day on Zoom and then come back later and do more Zoom. So I do thank everyone who puts in the time to both organize, speak at and also attend those virtual chapter meetings.

Some of our very influential projects: we've just recently got a new flagship project with CycloneDX, which is a software bill of materials standard, which is very, very key and important, and it actually helps address one of the new Top Ten. But we've had flagships more or less since day one, like the Developer Guide and the OWASP Top Ten. We had early ones like WebGoat, which was a training program which is still very awesome. You should still test that out if you're doing intro to AppSec; it teaches some very fundamental skills, and that's been around for many, many years. We've had testing tools like WebScarab, which then, you know, got supplanted by Paros, and then eventually Paros became ZAP. ZAP is one of our flagships. So we've had these projects going for a long time. ZAP actually got going in 2010, I believe. So it's been more than a decade of ZAP, which is amazing, and in my view the new paradigm is for developers to test their code programmatically, both in unit and in integration testing. ZAP is actually the best tool at any price, for any amount of money, and it's free for doing that. It is actually designed to be driven headless. It is designed to be driven via scripting, and for people who are a little bit unfamiliar with its user interface, it is a bit quirky, but the reality is its API is second to none. It is actually far better than any of the commercial tools that exist on the market at the moment, and they could learn something from ZAP, and I would encourage them. Competition is always good.

That dichotomy between vendor-neutral and anti-vendor sentiment has driven the community for many, many years. I think it's still an active topic of conversation. I tried to clarify what we should be doing last December, which is: vendor-neutral does not mean no vendors; it means everyone has the same opportunity. Vendors are not only a necessary part of our industry, they are absolutely fundamental to our success. It's really important that OWASP itself takes no sides, that we don't get into bed with any one person to the exclusion of all else, and I think that's something that some in our community truly don't understand, but I've been doing it ever since I became ED. It's really important that we don't have anti-vendor hostilities, because they support a lot of the work that we do here, but also they drive our industry, and if we drive them away, OWASP itself then becomes less influential in the direction of our community. So I ask those who are vendor-hostile to reconsider it and think about that concept: vendor-neutral does not mean no vendors. It means every vendor has exactly the same opportunity, and that's what it's about. But yeah, we've recently hit a high-water mark on members. We've got over 4,600 members as of right now, and that is amazing.

When I was on the board we were lucky to have 2,300, 2,700. So that growth is tremendous, and I think it shows the health and vibrancy of our community. And so, moving into the modern era, we've got a lot of projects. We've got over 200 projects. We've got 225 chapters. We've got a very active board. I think this board has been one of the most active and influential boards of all time. It has passed more in the last, you know, few months than any previous board. Many times, if you look at the voting history, the entire year might have three or four motions that pass. We do three or four every single meeting. So we've got people who are in the driving seat at the moment, and that's exactly what we need on the board. So we're about to come up for our elections. We've actually held elections for the board since 2008, so it's not a new thing. Everyone who's a financial member can vote, and that includes one vote per corporate member as well. So lots of stuff going on at the moment, and the election process kicks off in fifteen days when we do the call for candidates. So if you are interested in standing for the board, I highly recommend it. It's helped me in my professional career tremendously. I became treasurer, and that helped me understand financials way more than I used to and paved the way for me to have the position I have today.

That is amazing, Andrew, and thank you for that background and history. I think that segues greatly into the next topic that we have for you, which is the OWASP mission statement. So our mission statement hasn't changed a whole lot since we started. It's been twenty years in the making, and can you tell us maybe what the mission looks like today, where we're going tomorrow and what it's going to look like?
Yeah, so when I became ED last year, I noted that we'd had various versions of our mission statement, and the only place you could find it was on the IRS tax returns. That's it. It wasn't really on our website. I went back and I searched and I found the very first mission statement that Mark Curphey and team did in 2001, and at the time the mission statement met their needs very well, which is that we are a vibrant community that is here to change AppSec. The mission statement, as you can find it today, doesn't describe chapters, membership, events or really much to do with projects. It does not describe who we're trying to help, which is developers, and doesn't try to actually say anything about how we're going to achieve those things. And it's very wordy. It's over 600 words long, and so if you're trying to live by the mission statement, it's actually really hard. If you're trying to say, is this something OWASP should do, and you try to lens it through our current mission statement, we shouldn't be doing events, we shouldn't be doing chapters, we shouldn't be doing meetings. The reality is they are the core of OWASP, and we've been doing it for a very long time. So our mission statement is misaligned with what we're doing. So I kicked off the mission statement process, and it had a bit of a rocky start. One of the board members got very, very busy with a new job and recently some other things I won't go into, and Grant has taken the baton up, and he and I worked on a document. I actually drafted a proposed statement and Grant did the rest of it and polished the statement, and it's looking really good. So I've really got to say this is a draft statement. I'd like to see it on our 990 returns this year. So again, our mission statement first really appears officially on our tax returns. But what we're saying is we need a beneficiary, we need to actually say what we're trying to do, and we're truly really trying to say how we're going to do it. So the first part is the idea that there is this unattainable goal that we strive towards. So it says: no more application security vulnerabilities. That's the unattainable part, but it's a way that we can say how we get there. So OWASP also enables developers and security professionals to openly, freely and transparently build impactful projects, tools, modules, libraries and standards, hold events and chapter meetings worldwide, and publish educational resources and set the standard for certification against these standards. Improving the security of all applications protects everyone's privacy and the integrity of systems we all rely on and all of our data. This is for the common good of all. So, a lot to unpack there, but the reality is it's much shorter. It describes exactly what we currently do. It allows us to lens: should we do this activity? And then, lastly, who are we helping? So it's very easy for us to describe our programs to the IRS. The IRS has a compliance audit. It's not a financial audit: show us that your mission statement is upheld by your programs and you're funding those programs. We can now have a stated mission statement that clearly sets out what we should be funding, and therefore, if it doesn't fall under one of those major program areas, then it's a little bit tricky for us to say this is in our wheelhouse. We should never try to become a kitten shelter. We need to stick to AppSec, and so this mission statement helps us get there.

Thank you so much, Andrew. And team, do you have any questions about the mission statement? No, we're just looking forward to reading it and sharing our thoughts on it.

Yeah, well, it's on the leaders list right now, so if you're an OWASP leader, please contribute to that thread. We are trying to get active feedback from leaders right now. Once we've got general consensus from the leadership, we will go to our members, and honestly, if you're interested in mission statements, it's a very dry topic, please provide us some feedback. I'll do a quick plug for me Hell and Adrian, who have already replied and given us some feedback on the leaders list on the new statement.

I note that this year again we are virtual, and Black Hat is coming soon, so we have a booth at Black Hat. What are the things that we are planning? What are the things that we're doing at Black Hat, and how are we different from the previous years?

Okay, unfortunately we would all love to be able to go to hacker summer camp and enjoy ourselves tremendously with all of our friends. I think we all miss that. They are trying to hold a hybrid event this year, but the virtual booth is what we're doing. The virtual booth itself is fairly limited, so we're trying to provide some information on all parts of our mission.
We've got some PDFs and things like that for people to download, but I think the main element is we're trying to get people to be on the booth so that they can actually answer questions from the community. We didn't have many last year, but I'm hoping for more this year. But we're also using the Black Hat booth to launch our corporate membership drive. It's live now if you're interested, but we're starting the promotion, if you like, at Black Hat. So we've got this new corporate membership program coming up, and that'll be a prime focus of our Black Hat booth.

Oh, is that published already, the corporate membership? Where can we see it?

Go to owasp.org. The banner says corporate membership drive for companies; join or renew now, and it'll take you there.

Great. Thank you. I will add that to the show notes as well.

Yeah, so, I mean, we can talk about that now if you want. I mean, it's actually really quite exciting. We've been working on this for a while, believe me. Okay, so our previous package wasn't differentiated: no matter how much you paid, you got exactly the same thing, and what you paid us was primarily based around the income of your organization, which is really not a good conversation to have with people. It's like asking, you know, CISOs to pay more than people who are entry level. That's not really well directed, because you end up having arguments and getting them to disclose how much they're earning and where they earned it. That was just not a good place to be in, and we had plenty of people who were never asked to support us more, even if they wanted to, and there was no real point in actually spending more because you didn't get more. So what we've done is we've gone to a tiered membership program, and each tier actually has different levels of stuff that you get, and we've actually coalesced all the existing agreements. So we have, you know, sixty-odd corporate sponsors at this moment, and I didn't want to have to write contract variations for each of them, but I wanted to make it possible for them to adopt these new things without any additional cost to the end of their membership. So we're providing the existing sponsors exactly what they have now, but they have a way of accessing the new stuff. But if you're joining now, you will get all of these things. So, for example, we've opened up our trademark licensing program, so if you're a training company and you do OWASP Top Ten training and you've got the words OWASP Top Ten in your thing, please become a corporate member and you can actually get a trademark license to use that, and we will definitely not be hounding you to remove the name OWASP from your training, and you can do it with confidence. That's what this is about. So, you know, we've got different size packages, so platinum gets unlimited use of that, gold has five licensed services or products, and silver has one. That's just one of the examples of the new benefits. Also, we've decided to make it much easier for people to know who is actually sponsoring us and in what order. The previous one said that we'll just put your logo up onto the OWASP website, and that we did. But now if you're a diamond or a platinum, like a diamond event sponsor or a platinum corporate member, they are shown first, and so we would like to make sure that we provide the appropriate recognition. Lastly, the only other thing I'd like to talk about here is we've extended the benefits to regional and startups, and we've also created this regional startup. So what this means is, if you're in a regional area, as defined by emerging, or I think they call it developing, economy, and that's where your staff are and that's where you deliver your services, you can actually get two fifths off, like essentially a very steep discount, and we're doing that for mission purposes. We actually barely make any money compared to what we're actually providing here for that, but we're doing it for our mission. The idea is that we want to make sure that everybody all over the world has a package that's available to them at a price point they can afford. And lastly, the startup one. If your company is less than twenty-four months old, you can access startup pricing, and startup pricing is exactly the same as the other packages, platinum, gold, silver, but it fundamentally allows you to pay a lot less, because we know that many people in startups are literally living off their credit cards, and every dollar that goes out is one dollar they don't have to run the company for another month. So we are trying to make it possible for people to leverage their brand on owasp.org and support our mission whilst in that early phase of existence. So I do want to call out those things, and we're actually providing increased benefits for both regional and regional startups and startups.

And that's another great segue. It's like we've planned this, into our next topic, which is the new membership portal. So we just got finished talking about corporate membership, and the new membership portal targets the individual members. So maybe you can tell us a little bit about what's new there, why it needed to be renewed, and what's exciting about it?

Sure, so the new membership portal allows individual members to manage their contact details with us. One of the problems that we had was that a lot of people were making contact with us because they just couldn't renew, because their email address was different to the one they originally paid us from. What we tried to do over the last twelve months is to make it a lot easier for people to manage their membership, and the membership portal does that. You can actually add your address, your current title and where you work if you want. You don't have to. It's just, you know, one way for us to recognize you when you come to one of our events, on your name badge. But fundamentally it reduces a lot of work for both the individual and also our staff, and so we can actually concentrate on providing better services for those who are actually having very complicated issues, rather than "I want to renew, but I don't know what my email address is," which used to be the bread and butter of our ticketing system. The membership portal went live at the beginning of July and it's been heavily used, and we've got a number of tickets from people who really just have lost contact with us because it was too difficult before to find out, oh, I joined with this email address. That's surprising to me. Now we can actually just do that automatically, and because it's online all the time, you can do this anywhere around the world. It's fantastic.

Thank you so much, Andrew, for the wonderful insight. It was great having you on the podcast. So much information around the OWASP Top Ten and the membership portal, corporate membership, us being at Black Hat, and the vision for the upcoming events that we have, especially the OWASP 20th anniversary. Thank you.

Thank you for having me. I really appreciate the time.
