OWASP Day

OWASP Day : Worldwide OWASP chapter meetings on the topic "Privacy in the 21st Century" (5th till 12th September 2007)
OWASP Day is the title given to the 17 chapter meetings (hosted by 19 OWASP Chapters) staged during the Global Security Week. Since these meetings occurred between 5th and 12th of September 2007, we ended up calling this event the OWASP Week.

Before you start looking at the presentations below, take a moment to see this presentation from Jeff (audio + powerpoint presentation)


 * "Welcome to OWASP Day 2007, Quick tour of OWASP, Jeff Williams, video played at all chapter meetings

Organizers
In addition to the local chapter leaders, Dinis Cruz and Mike de Libero are the main points of contact (but of course much more help is needed :)  )

Global Security Week (GWS)
For more details on the (GWS) see:
 * http://www.globalsecurityweek.com/
 * http://www.globalsecurityweek.com/html/national_activities.html
 * http://www.globalsecurityweek.com/html/gsw_06.html (Resources)

And here is a description from one the organizers:

''The aim of Global Security Week is to raise security awareness amongst the public and organizations about issues relating to security, primarily information security. This year's theme is on the subject of privacy and we hope that a number of events will be held worldwide to promote people's awareness as to how to protect their privacy when online and also educate companies on their responsibilities, both legal and morally, when it comes to protecting the privacy of their customers.  Global Security Week is a totally voluntary initiative and we have no commercial funding or agenda. The initiative is funded entirely from the committee's own funds and time. We have people involved in Global Security Week throughout the world and during the week we have events planned in different regions. For example here in Ireland I plan to run a free seminar on the above topic open to anyone who wished to attend''

''We ask that those who wish to become involved, help promote Global Security Week in their region either by running specific events dedicated to Global Security Week, taking part in events already planned or simply making people aware that the week is on and the topic is "Privacy in the 21st Century". Even simply making people aware of Global Security Week and directing them to the website is a great help. Not having commercial funding we depend on word of mouth and like minded individuals to make people aware of the week.''

(original) Proposed Event layout
Each chapter is free to organize its mini conference and to define how long it should last.

But within the spirit of the event the following ideas are proposed:


 * The topic of the event should be on "Privacy in the 21st Century", so all talks should be related to it (we should be addressing the Web Application side of Privacy (for example what happens to Privacy with SQL Injection, XSS and issues like pdp's Snoop onto Them as they Snoop onto us)
 * The event should have 4 to 5 speaking slots (can be 30m if required)
 * If possible, invite a presenter from the local government to talk about their views on the subject
 * Presentation from a local OWASP Project leader about his/hers project (i.e. for the cases where a leader of an OWASP Project lives locally (or will be in that city during the event)
 * All events are recommended to have the same panel discussion on the subject "What is the current state of Privacy on Web Application Security? and what should we be focusing on?"). After the panel discussion, each local chapters is invited to create a summary of its conclusions for publishing on the OWASP website
 * "Talk 'Lets get rid of 3 major sources of vulnerabilities:
 * CROSS-SITE SCRIPTING: 70-90% of web applications have Cross-Site Scripting (XSS) holes. You must *both* carefully validate input and use HTML entity encoding on all data output.
 * SQL INJECTION: If your queries are a bunch of strings and user input concatenated together, your database could be attacked with SQL Injection. Stamp out this attack by using "parameterized" queries, such as Java's PreparedStatement instead.
 * SESSION EXPOSURE: Your SESSIONIDs are *just* as valuable as usernames and passwords, so make sure you never expose them. Don't ever allow authenticated SESSIONIDs to be sent without SSL or exposed in the URL."

Other Ideas

 * Create a Security Manifest that will be 'signed' by all attendees
 * Distributed capture the flag (where each local chapter plays has a team (against the other chapters))
 * Short intro/welcome movie at the beginning of each mini-conference by OWASP board