Finally I got some time to write about the open source community in Serbia that I am leading. I hope it will help a bit to make it more popular, and I also hope it will give some advice to new OWASP chapter leaders or people who want to create a technical community. Feel free to comment as well if you have some advice for us.
What is OWASP
This is a question that is often asked, especially in countries like Serbia, where web security is not a well-covered topic. So let’s start from the basics.
The Open Web Application Security Project (OWASP) is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure. It has also been a registered non-profit in Europe since June 2011.
OWASP is not affiliated with any technology company, although it supports the informed use of security technology. OWASP has avoided affiliation as it believes freedom from organizational pressures may make it easier for it to provide unbiased, practical, cost-effective information about application security. OWASP advocates approaching application security by considering the people, process, and technology dimensions.
OWASP’s most successful documents include the book-length OWASP Guide, the OWASP Code Review Guide and the widely adopted Top 10 awareness document. The most widely used OWASP tools include their training environment, their penetration testing proxy WebScarab, and their .NET tools. OWASP includes roughly 190 local chapters around the world and thousands of participants on the project mailing lists. OWASP has organized the AppSec series of conferences to further build the application security community.
OWASP is also an emerging standards body, with the publication of its first standard in December 2008, the OWASP Application Security Verification Standard (ASVS). The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially workable open standards that are tailored to specific web-based technologies. A Web Application Edition has been published. A Web Service Edition is under development.
Building from scratch (OWASP Serbia)
As I said before, about 2 years ago Serbia was a country in which no one really cared about the security of applications. There were a few small companies that were trying hard to find something to do in security, and they were hardly finding any jobs testing local banks and big institutions. I got interested in the topic, so I started learning. My main source of learning was, of course, Google, since I had no one who really knew something to show me, and there were no courses that I could afford. So, as it goes, I found many useful resources on the OWASP website. I also tried WebGoat and some other OWASP projects. I started to communicate with OWASPers and subscribed to the OWASP Mobile project and OWASP anti-malware project mailing lists. I started to talk with people involved in the OWASP anti-malware project, and they gave me great resources from which I learned a lot about malware and reverse engineering. Then I started to contribute a bit to the OWASP malware project and wrote descriptions of some malware.
Then I got the idea to start a local chapter in Serbia. I contacted people here I knew who were dealing a bit with security, and some friends, and asked OWASP what was needed and how to start. We had short negotiations, and we started it. Our first partner was the company Network Security Solutions, which gave us a place to hold the first presentation. In April 2012 we started with the first OWASP meeting, where I presented some basic things about OWASP. OWASP created a new mailing list for us, to which we asked people to subscribe. There were about 10 people at this meeting, but it announced the forming of a new open source community in Serbia – OWASP Serbia.
Then I started thinking about the branding of OWASP Serbia events. "OWASP meeting" was not appropriate, since a meeting suggests that people who know each other will come and meet. We were not in that situation, since few people knew each other. So we started it as an event, with one lecture session and a discussion. Since the events were in the evening, at about 7 or 8 pm, I branded it OWASP Evening. For this name I got quite good feedback on the OWASP leaders mailing list, and a few local chapters adopted my name and started using it.
Then we set one goal that we still have not reached. The local chapter guide book recommends 4 local chapter meetings a year. But look at it from the perspective of the people who come: when you have one meeting in 3 months, people will forget about you. So we set a goal to have one event each month. That goal is partially implemented: since I had some problems with space for presentations, or problems with potential speakers, we are having one event about every two months. But I think that is quite great. I also had to take a bit more care about who the speakers are, since we had a few boring ones, and after that it is hard to rebuild your name and motivate people to come again. So if you are creating a new community, choose speakers carefully.
So it flows; we now have about 20-60 people at events. It has its ups and downs. We have more than 200 people on the mailing lists, and we are trying to hold one event monthly. We would also like to try to organize some bigger event, like an OWASP day in Serbia, and to motivate people to join some of the OWASP projects. We covered the OWASP Top 10 in 4 lectures, we covered the history of malware and the OWASP legal project, and we are looking forward to covering other things. We are also part of a network of open source communities in Serbia that is under construction. We also started some kind of collaboration with some journalists, so we are gaining more and more people through marketing on their portals.
It is my great pleasure that I think we have improved security awareness in Serbia. Many people from state institutions and big local companies started coming to our events. My impression is also that fewer sites get defaced and attacked in Serbia nowadays. People started to recognize us as an organization and to ask for advice, and we share OWASP resources with them. I also have to say that I contributed to the OWASP business card design: since I did not have business cards and needed them for branding OWASP, and the existing template was not so nice and in low resolution, I took it as a starting point, recreated the business card design and sent it back to the OWASP leaders. Now my design is the official template for OWASP business cards on the OWASP web site.
Ideas from your side?
So I have said what OWASP is and how OWASP Serbia created a security community in Serbia. It is becoming more and more influential, but we are still not as visible as I would like us to be. We can still do more. If you have any idea or suggestion from your experience, please share it in a comment.