Leveraging OWASP in Open Source Projects - CAS AppSec Working Group

Presented at AppSec USA 2013, Nov. 21, 2013, 10 a.m. (50 minutes)

Video of session: https://www.youtube.com/watch?v=Zf9xSsRHRNo&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=34

The CAS AppSec Working Group is a diverse volunteer team of builders, breakers, and defenders that is working to improve the security of Jasig CAS, an open source WebSSO project. This presentation will show how the team is leveraging OWASP resources to improve security, provide security artifacts for potential adopters, and implement policy and processes for vulnerability analysis and notification. The story is significant in that it directly addresses OWASP A9 "Using components with Known Vulnerabilities / Secure Coding", and points towards a model that other open source projects could adopt.

Presenters:

  • David Ohsie
    David came to EMC in 2005 in its acquisition of SMARTS. At SMARTS, he devised and implemented the latest version of its automated root cause analysis algorithm. David received his Ph.D. in Computer Sciences from Columbia University in 1997. He has 4 years of experience in product security assessment and architecture for EMC applications. David Ohsie works on authentication and security architecture for a number of software applications produced by the Advanced Storage Division of EMC Corporation. David has also worked on RESTful application architectures across a number of EMC products.
  • Aaron Weaver - Principal Security Analyst - Pearson Education
    Aaron Weaver is Principal Security Analyst at Pearson Education, the leading learning and publishing company. He has played various roles ranging from software developer, system engineer, and embedded developer to IT security. He also leads OWASP Philadelphia. His experience includes mobile security, web application security, penetration testing, and embedded development. Aaron has also worked on developer and QA awareness to increase security in the software development lifecycle and has held numerous training sessions. He has 7 years in software security and currently works as Principal Security Analyst for Pearson Learning Technologies. He is a frequent speaker at industry events, including regional chapter events for OWASP, Infragard, ISSA, Cloud Security Alliance, Philadelphia Secure World, and ISACA.
  • Bill Thompson - IAM Director - Unicon
    Bill is the Director of the IAM Practice at Unicon, and leads a team of professionals providing IT consulting services to the Higher Education community with a focus on Identity and Access Management, CAS, Shibboleth, and Grouper. Prior to joining Unicon, Bill served as the Senior Associate Director for the Office of Development at Princeton University, providing leadership and direction for web application development, systems integration, business intelligence, and information technology strategy. Prior to Princeton, Bill served as the Associate Director of Architecture and Engineering for Enterprise Systems and Services at Rutgers University, leading teams of IT professionals in identity management, data management, network services, and application development. Bill has served on the Jasig Board of Directors and in leadership roles for uPortal and Jasig CAS. He holds a B.S. in Electrical Engineering and an M.S. in Biomedical Engineering from Rutgers University.
