Monday, January 23, 2017

OWASP is once again participating in the Google Summer of Code Program


It is that time of year again!  OWASP will participate in the Google Summer of Code (GSoC).  We love that GSoC is a great vehicle to introduce students to both open source projects and application security through real, hands-on projects. Through GSoC, students apply to work with you on your project.  Once an OWASP Mentor has "hired" a student, the mentor guides them through coding tasks set to improve their OWASP Project.  Both the project and the student receive a small grant to compensate for their time, but Leaders tend to love spending time working with students who are able to focus on their project for three months.

The program is completed entirely online, and students and mentors from more than 100 countries have participated in past years. Students who have worked with OWASP often become long-term volunteers and Project Leaders in their own right!

How you can get involved:
If you are a project leader and would like your project to participate, add your idea to our GSOC 2017 Idea wiki page ASAP!  The deadline to be involved is Feb 6th.

Become a Mentor: 
Do you want to become a mentor for a student?
Choose a participating OWASP project from the wiki page, preferably the one you are most familiar with.

Touch base with the project leader and ask one of the OWASP Organizational Administrators (Konstantinos Papapanagiotou, Claudia Aviles Casanovas, & Fabio Cerullo) to send you an invitation to get started today.

Help OWASP Invite Students: 
Are you somehow affiliated with a university? Get in touch with students, inform them about the program and how they can participate with OWASP.  Please direct students to the wiki page for details: https://www.owasp.org/index.php/GSOC_2017_for_Students

If you need help or supporting material you can email one of the admins.

 Let's make this OWASP-GSoC event the best ever and a success!





Monday, January 16, 2017

OWASP 2017 Graduation Reviews - Volunteers Needed!

OWASP is reviewing projects that wish to graduate from Incubator to Lab.  The purpose of this assessment is to determine whether a project meets the minimum criteria to graduate as outlined in the Project Health Assessment Criteria Document.  The review process begins with an initial self-assessment done by the project leader and reviewed by Matt Tesauro.  Next, the assessment enters the peer review phase, where we ask volunteers in our OWASP Community to participate and finalize the results.


It is our goal to have at least two or three reviewers per project to provide their expertise and feedback for each OWASP Project listed below.  If you would like to help, sign up by February 15th.

I have included a Sample of a Project Assessment for your review and consideration.


 



Type of Project:  Tool
Project Leader: Bjoern Kimminich
Project Name: OWASP Juice Shop Project
Wiki Page:  https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
Github Link: https://github.com/bkimminich/juice-shop

Description:
OWASP Juice Shop is a professionally developed application using all sorts of quality assurance tools and automation processes to ensure it is working as intended. The project has been in development since October 2014 and just recently joined the OWASP project inventory. It would be unfortunate to leave it in "Incubator" state longer than absolutely necessary given the maturity the project gained over the last 2 years.





Type of Project:  Code
Project Name: OWASP DefectDojo Project
Project Leader:  Greg Anderson
Project Web Page:  https://www.owasp.org/index.php/OWASP_DefectDojo_Project
Project Github: https://github.com/OWASP/django-DefectDojo

Description:
An open source vulnerability management tool that streamlines the testing process by offering templating, report generation, metrics, and baseline self-service tools.  DefectDojo is a tracking tool written in Python / Django. DefectDojo was created in 2013 and open-sourced on March 13th, 2015. The project was started to make optimizing vulnerability tracking less painful. The top goal of DefectDojo is to reduce the amount of time security professionals spend logging vulnerabilities. DefectDojo accomplishes this by offering a templating system for vulnerabilities, imports for common vulnerability scanners, report generation, and metrics.




Type of Project: Tool 
Project Name: OWASP Benchmark Project
Project Leader:  Dave Wichers
Project Web Page:  https://www.owasp.org/index.php/Benchmark
Project Github: https://github.com/google/benchmark

Description:
An enormous amount of work has gone into this project already and we are planning to do a lot more. The ability to run the Benchmark in just a few minutes, and then score a large set of tools automatically once their results files have been produced is a significant capability that required a huge amount of work to produce. There is nothing else like it in the industry and the quality of the scorecard output is very high.






Project Type: Code
Project Name: OWASP Node.js Goat Project
Project Leader:  Chetan Karande
Project Web Page:  https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project
Project Github: https://github.com/OWASP/NodeGoat

Description:
Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.






Project Type: Documentation
Project Name: OWASP Automated Threats to Web Application
Project Leader(s):  Colin Watson & Tin Zaw
Project Web Page: https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
PDF Doc Link: https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf

Description:
Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.




January 2017 Corporate Members

We would like to thank the following companies for supporting the OWASP Foundation.  The companies listed below have contributed this month by either renewing their existing Corporate Membership or joining OWASP as a new Corporate Member.

Details about Corporate Membership can be found here.

Contributor Corporate Members


Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 394,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.


Organizations worldwide use Black Duck’s industry-leading products to automate the process of securing and managing open source software, eliminating the pain related to security vulnerabilities, compliance and operational risk. Black Duck is headquartered in Burlington, MA, and has offices in San Jose, CA, London, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information, visit www.blackducksoftware.com.



Cybozu is a Japanese cloud computing vendor founded in 1997.
Its services support effective team collaboration, and hence are widely used by teams ranging from large ones such as multinational enterprises to small ones such as volunteer groups, clubs, and even families. "kintone" is one of Cybozu's key products, released in 2011.
It is a "no-code application platform" that makes work more productive through business applications. It is recognized as one of the leading vendors in the "Gartner 2016 Enterprise Application Platform as a Service (aPaaS), Worldwide Magic Quadrant".

Cybozu has been focusing on security enhancement. It started a "bug bounty project" in 2013 to find any vulnerabilities that may exist in its products, in order to provide its customers with the most secure service possible.
For more information about Cybozu, please visit https://www.cybozu.com/jp/


Want your name here? Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia today!  Thank you to all of our Premier and Contributor Corporate Members for your support in 2016!


Monday, January 9, 2017

OWASP Project Graduation Update


Congratulations to the Project Leaders below on moving your projects forward to the next level!

New Flagship Project:
Lab to Flagship Status
Project Name: OWASP Security Shepherd
Project Leader:  Mark Denihan
Project Web Page:  https://www.owasp.org/index.php/OWASP_Security_Shepherd


New Lab Projects:

Project Name: OWASP Seraphimdroid
Project Leaders: Nikola Milosevic, Kartik Kholi


Incubator to Lab Status Project Review Report
Project Name: OWASP Security Logging Project

Project Leader:  Sytze van Koningsveld



Friday, January 6, 2017

OWASP Operations Update for January 2017

Welcome to the first operations update for 2017.  We started monthly blogs about what's happening at the OWASP Foundation back in December.

Here are our major efforts and the status of those in progress, starting with updates from last time:

The Website Reboot aka TWR - a major effort to update and modernize OWASP's web presence.  Since last month, we've

  • Made progress on Phase 1 - updating the wiki to 1.27.x
    • Got the wiki source and all extensions in Git repos
    • Started coding Ansible to automate our deploys and updates
    • Production roll-out - mid-January
  • Next up Phase 2 - Updating the look and feel of the OWASP Wiki
    • Blocked: waiting for the 2017 Budget to get approved by the OWASP Board
The OWASP Communications Plan - a staff-created plan to professionalize how OWASP interacts with its community and the world at large.  There's a ton of moving parts to this effort, but here's what we're focusing on currently:

  • Migration to Discourse
    • Evaluation of Discourse showed it would fit our needs
    • Worked with/reverse engineered the Discourse API to ensure we can automate:
      • Migration from Mailman
      • Future operational tasks
    • An empty production site is expected mid-January
  • Beta program for the Foundation's Global Meetup account is continuing.
Two new major, interlinked efforts

Two major efforts are starting this month - a significant upgrade to OWASP's Association Management System (AMS) and the proposed plan for updating our membership models.
  • Association Management System
    • Runs atop the OWASP Foundation's Salesforce account
    • Handles many operational aspects: membership, conference registrations, etc
    • New AMS allows us to re-think our past membership model
    • Beginning the first week of February, we'll start the migration to the new AMS
  • Updating Membership Models
    • New plans created by staff based on past community, board and staff discussions
    • Account for diverse membership 
    • Developed to optimize accessibility and growth
    • Request to the OWASP Community: Please provide feedback prior to the Jan 11th Board Meeting when staff is asking for approval of the new membership plans.  The links above allow for public comments.
Projects
  • New projects
    • 2 Documentation projects
    • 5 Tool projects
    • 2 New Code Projects
  • Project Reviews
    • Multiple projects under review - look for requests for feedback this month!
Updates on Events for 2017
  • AppSec EU 2017
    • CFP & CFT Final Review
  • AppSec USA 2017
    • CFP and CFT planned to open by the end of January - look for announcements soon!
  • AppSec California 2017 happens January 23 - 25 in lovely Santa Monica CA
Membership and Outreach
  • Member numbers for January
    • 2048 Individual members
    • 70 Corporate members
  • Membership drive planning begins - tentative June launch
Community
  • Claudia and Tiffany have started the planning for an updated OWASP Volunteer program
    • Planned enhancements include searchable descriptions of opportunities, details including expected time commitment and volunteer profiles
  • Women in AppSec (WIA) Committee has been formed - Congrats!
  • Chapter Leader Handbook updates continue - draft version tentatively available at Feb Board Meeting
  • Pending a board vote: Request for a committee to be invite only as an exception to the Committee 2.0 rules
As always, the OWASP staff are here to help make the OWASP community even stronger.  If you have any questions, concerns or needs, let us know by using the 'Contact Us' form here.

Your friendly neighborhood OWASP staff:
          Kate, Kelly, Alison, Laura, Claudia, Tiffany, Dawn and Matt


Thursday, January 5, 2017



Signal Sciences Supports the OWASP Foundation as a Premier Corporate Member


Bel Air, MD – January 5, 2017 – The Open Web Application Security Project (OWASP), a worldwide not-for-profit charitable organization focused on improving the security of software, is pleased to welcome Signal Sciences, a leading provider of security technologies for modern web applications as a Premier Corporate Member of OWASP.   


OWASP is an open community of over 46,000 participants dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.  OWASP does not endorse or recommend commercial products or services. Instead, we allow our community to remain vendor neutral with the collective wisdom of the best individual minds in application security worldwide.


“Signal Sciences’ Web Protection Platform provides protection for many of the Fortune 500 web properties throughout the world in addition to other top brands such as UnderArmour, Adobe, Dun & Bradstreet, and Etsy. It is with great enthusiasm that we choose to become a Premier Corporate Member with the OWASP Foundation. The OWASP community brings immense benefit to our customers as well as the web population at large. By being affiliated with OWASP, we continue to support and encourage a safer and more secure Internet.” -Tyler Shields, VP Marketing Signal Sciences


Signal Sciences has contributed to the OWASP Foundation since 2016.  Their continued support helps to fulfill the OWASP mission of making software security visible so individuals and organizations are able to make informed decisions. Just recently Signal Sciences supported the Global AppSec USA 2016 conference that took place in Washington, DC as a Gold sponsor.  AppSec USA 2016 conference talks are now available for free on the conference site.


“OWASP receives one-third of its funding from Corporate Members and we are thrilled to have Signal Sciences support as a Premier Corporate member,” stated Kelly Santalucia, Membership & Business Liaison of the OWASP Foundation. “In 2016 Signal Sciences sponsored our Global AppSec USA 2016 conference and our local LASCON event. Their participation demonstrates strong support for our global initiatives, and we are hopeful that others will follow their lead in giving back to the community.”


About OWASP
The Open Web Application Security Project (OWASP) is dedicated to making application security visible by empowering individuals and organizations to make informed decisions about true software security risks. As a 501(c)(3) not-for-profit worldwide charitable organization, OWASP does not endorse or recommend commercial products or services. Instead, we allow our community to remain vendor-neutral with the collective wisdom of the best individual minds in software security worldwide.  For more information, visit: www.owasp.org or follow us at @owasp on Twitter.


About Signal Sciences

Signal Sciences Web Protection Platform provides security visibility, protection, and scalability while breaking down the silos that divide security, operations, and development teams. We believe web application security should be a shared responsibility, so we’ve created a Web Protection Platform with collaboration firmly at its center. We allow teams to easily work together to secure the technology they build.



Signal Sciences is based in Venice, California. For more information please visit www.signalsciences.com or follow us at @signalsciences on Twitter.



Thursday, December 29, 2016

Combating the Vulnerability Chaos with OWASP DefectDojo

By: Greg Anderson

Four short years ago, I spent 35% of my time actually hacking on products and 65% of my time writing reports and recording metrics. Our team tried a multitude of tools to make our lives easier, but they seemed only to increase our turnover rates. The landscape of security has never been harder to manage, with the numerous hoops engineers and penetration testers have to jump through to actually do their job. To alleviate our frustration and lack of options, we created DefectDojo, a free and open-source vulnerability management tool.

Home Screen:  Here is what you will see when you first log in to DefectDojo. It provides a quick overview of the state of your security program.

DefectDojo is a tool that not only stores findings, but also helps to streamline your entire application security program. It simplifies vulnerability management by offering templating, report generation, metrics, finding deduplication, and baseline self-service tools to allow security engineers and penetration testers to spend their time on their actual expertise, hacking. Comprehensive details on all of DefectDojo’s features can be found on our official docs.


Templating: DefectDojo's templating system saves time on reporting by allowing users to recycle previous entries on similar issues.

Report Generation: DefectDojo includes a multitude of options to generate custom reports, including filtering for a specific engagement or test type. For an example report see the link below.

Self-Service Tools: DefectDojo includes self-service tools that allow teams to schedule their own scans and store the results back into DefectDojo.

Scanner Integration: DefectDojo allows you to import scan data from multiple commercial and open-source security tools.
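The two features above, scanner import and finding deduplication, come down to normalizing each tool's output into one schema and then merging records that describe the same defect. The following is an added illustration written for this post, not DefectDojo's own code or data model: the two scanner output formats (a JSON export and a CSV export), the field names, and the sample findings are all constructed for the example.

```python
"""Illustration of scanner-import normalization and finding deduplication.
This is not DefectDojo's code; the two scanner formats, the Finding fields
and the sample exports below are constructed for the example."""
import csv
import hashlib
import io
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Ordering used to keep the highest reported severity when findings merge.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    title: str
    severity: str
    cwe: int
    file_path: str
    line: int
    sources: List[str] = field(default_factory=list)

    def dedupe_key(self) -> str:
        # Hash the fields that identify one defect regardless of which scanner
        # reported it; title and path are normalized so casing does not split them.
        raw = (f"{self.title.strip().lower()}|{self.cwe}|"
               f"{self.file_path.strip().lower()}|{self.line}")
        return hashlib.sha256(raw.encode()).hexdigest()


def parse_scanner_a(text: str) -> List[Finding]:
    """Parse the constructed JSON format of 'scanner_a'."""
    data = json.loads(text)
    return [
        Finding(title=issue["name"],
                severity=issue["risk"].lower(),
                cwe=int(issue["cwe_id"]),
                file_path=issue["location"]["file"],
                line=int(issue["location"]["line"]),
                sources=["scanner_a"])
        for issue in data["issues"]
    ]


def parse_scanner_b(text: str) -> List[Finding]:
    """Parse the constructed CSV format of 'scanner_b' (header: Title,Severity,CWE,Path,Line)."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Finding(title=row["Title"], severity=row["Severity"].lower(), cwe=int(row["CWE"]),
                file_path=row["Path"], line=int(row["Line"]), sources=["scanner_b"])
        for row in reader
    ]


def deduplicate(findings: List[Finding]) -> List[Finding]:
    """Merge findings that share a dedupe key, keeping the highest severity
    and recording every scanner that reported the defect."""
    merged: Dict[str, Finding] = {}
    for f in findings:
        key = f.dedupe_key()
        existing = merged.get(key)
        if existing is None:
            merged[key] = f
            continue
        if SEVERITY_RANK.get(f.severity, 0) > SEVERITY_RANK.get(existing.severity, 0):
            existing.severity = f.severity
        for src in f.sources:
            if src not in existing.sources:
                existing.sources.append(src)
    return list(merged.values())


# Constructed sample exports: both scanners flag the same SQL injection.
SCANNER_A_OUTPUT = json.dumps({"issues": [
    {"name": "SQL Injection", "risk": "High", "cwe_id": 89,
     "location": {"file": "src/app/db.py", "line": 42}},
    {"name": "Reflected XSS", "risk": "Medium", "cwe_id": 79,
     "location": {"file": "src/app/views.py", "line": 17}},
]})
SCANNER_B_OUTPUT = """Title,Severity,CWE,Path,Line
sql injection,Critical,89,src/app/db.py,42
Hardcoded Password,High,798,src/app/settings.py,3
"""


def import_and_deduplicate() -> List[Finding]:
    """Run both parsers over the sample exports and merge the results."""
    return deduplicate(parse_scanner_a(SCANNER_A_OUTPUT) + parse_scanner_b(SCANNER_B_OUTPUT))


if __name__ == "__main__":
    for finding in import_and_deduplicate():
        print(finding.severity, finding.cwe, finding.file_path, finding.line, finding.sources)
```

Four raw findings collapse to three: the SQL injection reported by both tools is kept once, with its severity raised to the higher of the two reports and both scanners recorded as sources, which is the information an engineer needs when deciding which tool to trust on a disputed finding.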
Every code change is checked for quality and security with continuous testing using Travis CI.  We do this to ensure that future updates do not break the current build.  We also run the same series of tests against any contributed code.  Speaking of contributions, we’re happy to take your pull requests, feature requests or donations to keep DefectDojo moving forward.  We’ve had several pull requests from new contributors, including a recent one that added file uploads to the REST API.  
Continuous Integration: Every code change is run against a series of tests to ensure stable updates.


It is easy to make Dojo your own.  You can install DefectDojo using a single command on all Linux systems and OS X. There is also an option for Docker. The project is written with Python/Django. If you want to add or alter any features or displays to personalize your instance, only three files need to be changed (models.py, views.py, and templates).


DefectDojo is currently used by multiple large enterprises and has core contributors from five different organizations including Rackspace, Rapid7, Pearson, Cengage, and the OWASP Foundation.


DefectDojo works at scale. For example, Pearson uses DefectDojo to manage application security engagements for 2,000+ applications written by 5,000+ developers with operations on every continent.

If you’re curious about DefectDojo, there is a live demo.
You can log in as an administrator like so:
Admin
You can also log in as a product owner / non-staff user:
Product owner
Please direct all inquiries to greg.anderson@owasp.org