Interview Sebastien Deleersnyder (OWASP BE)

Theme : Security

Hello Sebastien :) The projects you will talk about at LSM2013 all come from OWASP. Can you tell us a word about OWASP and its goals?

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. You’ll find everything about OWASP here on or linked from our wiki and current information on our Blog. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.

You are the founder and leader of the Belgium chapter. What does that mean? What are the activities of a national chapter?

Chapters are local OWASP organisations that engage the local community to think and act on insecure software. In Belgium we have been doing this since 2005 by organizing regular chapter meetings where people can learn about and discuss these subjects. We also regularly present about OWASP in schools or at other events.

Web applications are at the core of the OWASP acronym. Does this restriction of scope still hold, or is it now part of history?

Web applications are indeed part of the acronym, but OWASP covers insecure software in the broadest sense of its definition. In the past years, OWASP has also focused on e.g. Mobile Security.

So OpenSAMM is relevant for any kind of software development?

Yes, it is!

Who is actively using OpenSAMM? Do you have any big names to share? I heard about Dell...

Dell is indeed one of the early adopters of SAMM, but many other organisations have adopted SAMM since then. We will be building a list of public SAMM adopters in the coming months as part of the project activities. I personally know of quite a lot of financial, healthcare and government organisations that have adopted SAMM in some form.

Gary McGraw has strong links with OWASP. Could you compare his BSIMM with OpenSAMM? Are there bridges, influences?

BSIMM is now on version 4, and has a lot of overlap with SAMM. Pravir Chandra contributed to both models and you can see that there are a lot of similarities. There is even a BSIMM to SAMM mapping available on http://www.opensamm.org/2011/03/bsimm-activities-mapped-to-samm/

What will be the next flagship coming out of the OWASP projects incubator?

Hard to predict; it really depends on how much traction a certain project gets and how the project leader can activate and engage a community around it. Look at e.g. OWASP Zed Attack Proxy (ZAP), which Simon started only 2 years ago and which is now one of the flagship projects.

How to get involved in OWASP activities?

It’s easy: come to our chapter meetings, get involved in your projects of interest or start your own OWASP project. We try to make it as easy as possible to get involved. A great starting point is the OWASP Initiatives, where you can volunteer or contribute to key areas covering Membership, Education, Chapters, Conferences, Projects, Social Media and Industry Relationships.

What’s the personal contribution to OWASP you’re the most proud of? Why is it so important in your eyes?

Besides starting the Belgian chapter, where we now have a great team, I am especially proud of having started the OWASP Education project, which is currently run by Martin Knobloch. Awareness and education are the most important cornerstone of any secure development initiative. Understanding the problem and the challenge is the first but most important step to solving the security problems we currently face with software.

Thank you Sebastien and see you in Brussels!

Interview done by email by Philippe Teuwen, Security topic co-chairman.