Thursday, April 17, 2014

Open Source Showcase: Demo your Project at AppSec EU 2014!

OWASP is the foremost web application security non-profit organization in the world, with thousands of members globally, including some of the biggest names in the industry. The mission of OWASP is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. All OWASP materials are free and open under an open source software license.

The UK Cambridge chapter invites you to join top security architects, developers, technology thought leaders, and executives from Fortune 500 firms at the OWASP AppSec Europe global conference, taking place in Cambridge, UK from June 23-26, 2014. This conference is an opportunity to hear about the latest research on a myriad of topics related to web security, as well as to establish connections between developers, security experts, and business leaders, all of whom are stakeholders in ensuring applications are as secure as possible.

As part of AppSec EU, the conference organizers are looking for projects to participate in the Open Source Showcase. The Open Source Showcase is a unique event module that allows project leaders and/or project contributors to showcase their work in a demo setting and gain exposure for their projects without the need to conduct a full talk session. The showcase gives attendees a more personal view of each project.

The guidelines for submitting to the Open Source Showcase are simple: the Open Source Showcase is open to ANY project - not just OWASP projects. The only requirement for submission is that the project must be licensed under an approved Open Source License.
All open source projects are encouraged to apply to take part in the Open Source Showcase at AppSec EU 2014 in Cambridge, UK. The application form can be found here: Submission Form.

If you have additional questions, please contact the AppSec EU 2014 Planning Team.

Wednesday, April 16, 2014

Graphic Design Menu

As some of you may know, OWASP has recently hired a very talented graphic design contractor, Hugo Costa, to help our community with their design related needs. As there are many different marketing pieces Hugo is able to develop, the Ops Team went ahead and put together a Design Menu of services to better outline the types of options our community can choose from. 

The prices listed next to each item are the cost associated for the development of each piece. OWASP is encouraging projects, chapters, and outreach volunteers to use their funds to cover the cost of the designer’s time for development of each menu item. If your project or chapter does not have funds, then please let us know and we will attempt to find you resources for your design needs.

The price includes 3 rough sketches of the menu item, and 5 changes/edits to the chosen design. Then we will charge by the hour for additional changes. The current hourly rate is $15 USD/Hour. Please note that OWASP is not making any profit on the below prices or hourly rate, and passing along the rate and billing directly from the designer.

There are a good range of services that we are able to provide so we recommend having a read, and letting the staff know if you have questions about anything on the design menu. We are more than happy to help you with any design related question. Please submit your request or question via the Contact Us Form

Tuesday, April 15, 2014

OWASP iGoat Project: New release!

Some big news coming out of the OWASP iGoat Project! First, the OWASP iGoat Project has just released version 2.1, which adds support for iOS 7.1. The newest features in version 2.1 are:

  • The overall look and feel has been updated to comply with iOS 7.x requirements. The default target is now iOS 7.1, although 7.0 and other 7.x releases should work too.
  • The latest version of OpenSSL is used when building SQLCipher for the Local Data Storage lesson.
  • Several NSInteger fields have been updated so they work properly on both 64-bit and 32-bit builds.
  • A couple of deprecated methods have been updated to their iOS 7.x replacements.

OWASP iGoat app continues to only be distributed as a self-contained Xcode project in source code. To run iGoat, you will need Xcode, which is free from Apple. You can run it for free on the iPhone Simulator included with Xcode, or install it on your iOS device, but the latter requires you to register and pay (USD$99/year) to be an Apple iOS Developer.

To go along with the new release, OWASP iGoat has also announced its new lead developer, Jonathan Carter. With a new lead developer in place, new iGoat lessons are imminent. Volunteers are always encouraged to develop their own lessons and donate them to the iGoat Project.

The newest version of iGoat can be found here: and information about creating an iGoat lesson can be found here:

Thursday, April 10, 2014

As Chairman of the OWASP global board I've striven to bring a scalable structure to OWASP that allows us to continue growing and tackling application security. Over the past 3 years we've dramatically increased participation around the world, increased our funding, which allows greater opportunities, built a full-time operations team to support our events and appointed an executive director for the foundation. Behind the scenes we've also focused heavily on maturing OWASP's entity for legal and tax compliance, established annual budgeting and tracking, and created annual goals for the foundation that shape operational focus and growth. All of these efforts set OWASP up to continue rapid growth around the world.

Today we have over 42,000 participants around the world who collaborate with OWASP through local chapter meetings (we have over 200 chapters in over 100 countries), events, projects, free trainings and more. OWASP was even recognized with an SC Magazine editor’s choice award this year.

All of these efforts are the result of the hard work and dedication of our community, operations team and all volunteers. As chairman I’ve tried to build systems and relationships to foster our open community and allow it to grow to meet these challenges. 


Now it's time for OWASP to make another turn. The need for and importance of application security has never been greater. Every week there is a new breach announced impacting thousands of people. Every quarter we hear about a devastating flaw that has widespread security ramifications. OWASP needs to stand up to the challenge of tackling application security.

To rise to the growing challenges we face, OWASP must shift course and focus on what makes us successful.

(1) OWASP is a group of doers 

We must reward and recognize those that see a problem and tackle it.  A list of to-do’s is interesting, but we can all talk about what we want to accomplish. The real power is a list of “have-dones” or more specifically, a list of items we have accomplished. Two quotes I’ve recently heard capture this well: “ideas are cheap, implementation is what matters” and "You know what's easy? Yelling on the internet. You know what's hard? Working with people to build things that last." -Christie Koehler

We all must identify the doers and reward them. Also, the correct response to someone suggesting "hey, why don't you do x?" is to say "great idea, please come and help us get that started" or, of course, you could hear that idea, be the doer, and add yet another item to your completed-items list.

(2) OWASP must take the fight to the enemy

Sitting on a hill and watching a battle does not make you a victor. We must take the fight to the enemy. The application security enemy has many faces: lack of security knowledge or tools to enable fast and secure development, insufficient tools and techniques to defend against attackers, and also popular libraries and frameworks with lingering vulnerabilities that cripple trust in the Internet when they are uncovered.

Over the next weeks I will personally be reaching out to groups developing critical elements of the web to offer our assistance in securing their open source products. In addition I’ll be working directly with different industry verticals so OWASP can integrate into their communities and bring security to medical, manufacturing, critical infrastructure and more. This is not a one-person effort – we’ll figure out how OWASP can foster effective relationships that scale and last in this area. 

(3) The OWASP community is our driving force 

The power of OWASP is in our diverse and talented community that brings together a wealth of skills and expertise. We must break down any walls that prevent participation. We need discussion methods that can support thousands of active contributors. Our community should be so easy to engage with that an individual who attends their first OWASP chapter meeting can go home and join our online discussion area to engage in projects, the wiki, and interact with our amazing community.

Further, our community must be inclusive and supportive. We must recognize that there are different approaches and seek to first understand before judging. We must seek to help those that are struggling and recognize that the ends don’t necessarily justify the means. There are many approaches to tackling a problem and the way we choose to interact with others reflects on our leadership and the value we bring to the OWASP community.

(4) OWASP must put our best foot forward and also be able to experiment, fail quickly, learn and try again

OWASP supports experimentation and research - we always have and always will. Just like a research group or a nimble company, we must be prepared to experiment, fail quickly, learn and try a new approach. Those that do so should be celebrated even if they are in the stages of experimenting, failing and repeating.

However, companies and professionals around the world also look to OWASP for solid guidance on application security. We must ensure that we identify our ideas, projects, and tools that are top notch and ready to be used by others. These ideas will have stood the test of time and have been carefully analyzed by our community. These premier or flagship projects must be well polished, maintained and serve as a true testament that the OWASP community can be proud of.

We may not be in that position today, but I believe by leveraging the combined power of our community and effectively using our available resources we can quickly move into this scenario.

Getting to

OWASP is bigger than you or me, a single project or voice - OWASP represents the vision of a future where applications can provide amazing services and features to the world while also being secure. This security extends to protect the application's users, data, critical components for application functionality and more. It is time for OWASP to ask how we can grow to meet these challenges, build the next 100,000 contributors to OWASP and scale our efforts to meet the obstacles before us.

You’ll see more material coming over the weeks to support the above items. I encourage all of you to ask and discuss how we can make OWASP the organization that is needed to tackle the growing threats to application security.


Michael Coates
Chairman & Fellow OWASP'er


OWASP ZAP 2.3.0 is now available:

There are a large number of changes in this release, so this post will just give a high level overview of some of the most significant changes:

ZAP ‘lite’ version

For this release we are providing a ‘lite’ version of ZAP in addition to the ‘full’ version. This contains exactly the same core code, but it just includes fewer default add-ons. Of course, you can download all of the ‘missing’ add-ons from the ZAP marketplace to ‘upgrade’ the lite version to a full one.

The 'lite' version is aimed at people new to security who need less initial functionality and will hopefully find it easier to get started with. It will also suit people looking for a smaller download or those wishing to customize exactly which add-ons they install.

Support for client-side (browser) events

You can now view, intercept, manipulate, resend and fuzz client-side events. This includes postMessage calls, so ZAP can now detect DOM-based XSS vulnerabilities in postMessage handlers, i.e. listeners that accept messages from any origin and write the payload into the DOM as markup. This is the first phase in a series of planned changes to support the testing of AJAX and HTML5 applications even more effectively.
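To show the pattern this feature targets, here is an added example (not ZAP's code, and not from the ZAP project) of a vulnerable postMessage listener beside a hardened one. The handlers are written as plain functions that take a stand-in "sink" object in place of a DOM element so the logic can be exercised without a browser; the trusted origin, the message shape ({type, text}) and the two constructed messages are assumptions for the example.

```javascript
// Added example: vulnerable vs. hardened postMessage handling.
// TRUSTED_ORIGIN and the {type, text} message shape are assumptions.
const TRUSTED_ORIGIN = "https://app.example.com";

// Vulnerable: no origin check, and the raw payload is written as HTML.
// Any window that can reach this one (opener, parent frame, window.open)
// can deliver script-bearing markup straight into the DOM.
function vulnerableHandler(event, sink) {
  sink.innerHTML = event.data;
  return true;
}

// Hardened: reject other origins, insist on a structured payload,
// and write text rather than markup.
function hardenedHandler(event, sink) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return false; // message from an untrusted window: ignore it
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return false; // malformed payload
  }
  if (!msg || msg.type !== "status" || typeof msg.text !== "string") {
    return false; // unexpected message shape
  }
  sink.textContent = msg.text; // text node only, never parsed as HTML
  return true;
}

// Constructed messages standing in for MessageEvent objects.
const ATTACK = {
  origin: "https://evil.example",
  data: '<img src=x onerror="alert(document.domain)">',
};
const LEGIT = {
  origin: TRUSTED_ORIGIN,
  data: JSON.stringify({ type: "status", text: "Build #42 passed" }),
};

// Run both handlers against both messages and record what reached the sink.
function demo() {
  const results = {};
  const handlers = [["vulnerable", vulnerableHandler], ["hardened", hardenedHandler]];
  const events = [["attack", ATTACK], ["legit", LEGIT]];
  for (const [name, handler] of handlers) {
    for (const [label, event] of events) {
      const sink = { innerHTML: "", textContent: "" }; // stand-in for a DOM element
      const accepted = handler(event, sink);
      results[`${name}/${label}`] = {
        accepted,
        innerHTML: sink.innerHTML,
        textContent: sink.textContent,
      };
    }
  }
  return results;
}

// In a real page the hardened handler would be wired up as:
//   window.addEventListener("message",
//     (e) => hardenedHandler(e, document.getElementById("status")));
console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable handler is exactly what a fuzzed postMessage will light up: the attack markup lands in innerHTML unchanged. The hardened one drops the foreign-origin message before parsing it, and even a same-origin message that is not valid JSON of the expected shape is ignored rather than rendered.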

Enhanced authentication support

ZAP's support for authentication has been completely revamped to easily handle complex types of authentication methods and scenarios. Support has also been added for user-defined scripts which allow you to handle custom authentication schemes. In addition, now ZAP understands and allows you to configure web applications' Users so various actions throughout ZAP can be performed from the point of view of defined users. To get started, check out the new Authentication and Users panels in the Session Properties for each of the defined Contexts.

Support for non-standard apps

This release includes support for 'single page' applications and non-standard key-value separators. You can now control these settings via the new Structure panel in the Session Properties.

New Input Vectors including user-defined scripts

ZAP supports new options for defining the input vectors i.e. the elements of a request that ZAP will attack. The new options are available in the Active Scan Input Vectors panel of the Options. Support has also been added for defining custom scripts that define new input vectors.

Scan policy - fine grained control

The scan policy now has a fine grained control, allowing you to tweak individual scanner rules. You can also define, load and save scan policies, allowing you to maintain a set of policies that work well in different circumstances.

In addition, ZAP will now by default skip well-known framework parameters (e.g. __VIEWSTATE), speeding up the overall scan. This is completely user configurable, allowing you to specify exactly which parameters ZAP should ignore.

Advanced Active Scan dialog

A new 'Advanced Active Scan' dialog allows you to specify exactly how you want the active scanner to function. It allows you to specify 'custom vectors' that explicitly define which strings you want to attack. It also supports the option to scan as any of the Users you have defined for the application under test. Start an Advanced Active Scan via the Tools menu or via the Attack section of the right-click popup menu.

Extended command line options

You can now run ZAP ‘inline’ i.e. without starting the ZAP UI or a daemon. In this mode you can run simple attacks or run scripts which can access all of the ZAP functionality. You can also now override any of the options defined in the configuration file via command line parameters.

More API support

The API has been extended to support even more of the ZAP functionality.

Internationalized help file

The help file has been internationalized and is in the process of being translated into many other languages. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while falling back to English for phrases that have not yet been translated.

Languages with a significant amount of translated help pages include:
  • Bosnian
  • French
  • Japanese
  • Spanish

Keyboard shortcuts

All menu items can now be invoked via keyboard shortcuts. Defaults are defined for virtually all cases, but you can configure your own preferences in the Keyboard panel of the Options.

New UI options

There is a new option to change the display so that the selected tab takes up the full screen. This is useful when using ZAP on small screens. There is also an option to toggle the visibility of the tab names on and off to further conserve space.
Most of the UI lists have also been converted to tables, which allow you to change column widths and define exactly which columns are displayed, and how the tables are sorted.

More functionality moved to add-ons

More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
This includes the language packs, so translations made to the ZAP UI can be downloaded within ZAP or even installed automatically.

New and improved active and passive scanning rules

Many of the release quality active and passive scanning rules have been improved. There are new alpha and beta quality rules and many rules have been promoted from alpha to beta and from beta to release quality.

Other miscellaneous changes and additions

  • A new option to stop individual scan rules without stopping the whole scan
  • A new toolbar button that allows you to quickly and easily record Zest scripts.
  • A new group for sharing ZAP scripts has been created.
  • The ability to spider applications based on source control metadata (SVN and Git) exposed via a web server
  • The ability to force breaks from within Proxy scripts

To keep up to date with ZAP related news follow @zaproxy on twitter.

Wednesday, April 9, 2014

Open Source Showcase Project Demo Opportunity at AppSec EU 2014!

AppSec EU 2014 is just a few months off, and OWASP is looking for projects to participate in the Open Source Showcase. The Open Source Showcase is a unique event module that allows project leaders and/or project contributors to showcase their work in a demo setting and gain exposure for their projects. The Showcase affords a more personal view of projects between attendees and Leaders.

The guidelines for submitting to the Open Source Showcase are simple: the Open Source Showcase is open to ANY project - not just OWASP projects. The only requirement for submission is that the project must be licensed under an approved Open Source License. All open source projects are encouraged to apply to take part in the Open Source Showcase at AppSec EU 2014 in Cambridge, UK. If you are interested, please apply using our application form. If you require more information, please contact Samantha Groves. The application form can be found here:

See you in Cambridge!

Tuesday, April 8, 2014

April 8 Connector

OWASP Global Connector
April 7, 2014 | Contact Us | Brought to you by the OWASP Foundation
owasp projects

Featured OWASP Project

OWASP Reverse Engineering and Code Modification Project
This project educates security professionals about the risks of reverse engineering and how to ensure that code cannot be reverse engineered or modified. If you are placing sensitive code in an environment in which an attacker can get physical access to that environment (read: mobile, desktops, cloud, particular geographies), you should be concerned with the risks of reverse engineering or unauthorized code modification. This umbrella project will help you understand the risks and how to mitigate them.
For more information, please contact the Project Leader, Jonathan Carter

New OWASP Projects

OWASP Pyttacker Project
The OWASP Pyttacker Project is a portable web server that includes the features a pentester needs when writing reports. It helps build proofs of concept that raise awareness with the business in a more descriptive way, by demonstrating realistic but inoffensive "attacks" included as part of the tool.
For more information, please contact the Project Leader, Mario Robles.
OWASP XSecurity Project
The OWASP XSecurity Project aims to provide the best free security tool integrated with the IDE to help iOS developers build secure iOS apps. It currently provides a security plugin for Xcode plus clang static analyzer checkers for iOS application development. The plugin aims to reduce the number of vulnerabilities introduced during development by flagging each one as it is being written.
For more information, please contact the Project Leaders, Tokuji Akamine and Ramund Pedraita.
OWASP Incident Response Project
The OWASP Incident Response Project will provide users with a current set of tools and best practices for dealing with a hacked web application.
For more information, please contact the Project Leader, Tom Brennan.

Project Announcements

OWASP 24/7 Podcasts
The OWASP Cornucopia Project with Colin Watson
The OWASP Top Ten Proactive Controls Project with Jim Bird
The OWASP Hacky Easter Challenge with Ivan Butler
2014 AppSec APAC: Post Mortem (English)
owasp communication

Phase I of the OWASP Portal is live

Logging into the portal will allow you to renew your membership and register for upcoming events; taking advantage of any individual or corporate membership benefits available to you.
The membership sign up process has been simplified. New member signups will provide some basic demographic information, select their membership type, and complete the process. When you're logged into the portal, you can renew your membership in just a few clicks!
Once you have logged into the portal, you can register for upcoming events quickly and easily.
By clicking on the "My Account" tab, you can generate invoices and receipts, and view your payment and registration history.
A community feature is included in the portal.
Joining the community is not necessary to take advantage of the membership and event features. In the community, you can post new ideas, vote and comment on ideas, organize discussion groups, and connect with other OWASPers.

Additional Features like community resources, OWASP FAQ, awards and recognition, and a much improved donation process, are just some of the enhancements that will be released during 2014.
Current OWASP members should check their inbox for their login instructions. Unique login ID information has been sent to you.
Membership is NOT required to access the portal. If you do not have a current membership, and would like to access the portal, please CLICK HERE
To sign up for a new membership, please CLICK HERE
As always, if you have any problems or comments, please contact us at

Global AppSec Events in 2014

AppSec LATAM 2014 - LATAM Tour (April 22 - May 9)
Registration is now open! Please refer to the tour pages for the location you want to register for.
In 2014, instead of holding an AppSec LATAM Conference, we are organizing a LATAM Tour, which we hope will bring LATAM community members together to spread the OWASP mission. Here are the scheduled stops for the tour:

  • April 22-23, Santiago, Chile
  • April 23-24 Quito, Ecuador
  • April 25 Guayaquil, Ecuador
  • April 25-26 Lima, Peru
  • April 28-29 Guatemala, Guatemala
  • April 29-30 Montevideo, Uruguay
  • May 6-7 Bogota, Colombia
  • May 8-9 Buenos Aires, Argentina
Sponsorship Opportunities are available as well. Please find further information on the Tour Wiki Page.
AppSec EU 2014 (June 23 - 26, Cambridge, UK)
Registration is now OPEN

AppSec USA 2014 (September 16 - 19, Denver, CO)

Upcoming Regional Events

LASCON 2014 (October 21 - 24, Austin, TX)

Partner and Promotional Events

OWASP has partnered with these great events in beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement or will be attending and want to help out contact us
NCCDC - Please visit the NCCDC site for a complete list of upcoming competitions, including the National Championship!
THOTCON - Chicago's Hacking Conference, April 25, 2014, Chicago IL. Tickets
Information Security Media Group, Inc. Discount code for OWASP Members: OWASPFraud2014
Suits & Spooks, April 17-18, Monterey, CA
The IT Summit - April 22, Seattle, WA
The IT Summit - May 14, Houston, TX
ISSA - LA Information Security Summit - May 16, Universal City, CA - OWASP members receive a 25% discount by using the discount code: Ow@splssaLA25

New OWASP Chapters - Q1

social media

OWASP Foundation Social Media


Thank you to our renewed Corporate Members:

  • Qualys - Premier Corporate Member
  • Booz Allen Hamilton - Contributor Corporate Member
  • Cigital - Contributor Corporate Member
  • Veracode - Contributor Corporate Member

OWASP Member Spotlight - APAC 2014 Planning Team - Japan

As an organization driven by its membership community, it's high time we dedicate some space to recognizing YOU!

We would like to take this opportunity to congratulate and to sincerely thank the Japan team. This year's AppSec conference in Tokyo, Japan was immensely successful in promoting the OWASP mission in the Japan region.
The turnout this year was our largest to date, and we have received great feedback from attendees about speakers, session content and networking events.
The Organizing Committee is extremely proud to have been able to bring together more than 400 people from all over the world. Indeed this is a great milestone in the history of our Global AppSec Conferences in the Asia Pacific region and having your support and participation was priceless. THANK YOU!

OWASP Wins SC Magazine 2014 Editor's Choice Award

On Tuesday, February 25th OWASP was awarded the 2014 SC Magazine Editor's Choice award.
As a volunteer driven, non-profit organization our contributors donate their time and expertise for the betterment of all.
It is exciting and rewarding for the entire community to be recognized for our continued efforts to increase application security!
To read the complete announcement, please visit The OWASP blog post

Just for Fun

We would like to congratulate Roma Jain for submitting the first correct response to last issue's puzzle. Thank you to everyone who submitted your response. If you missed the question, you can find it on the OWASP Blog
  1) 2 and 1 cross the bridge together, then 1 comes back, leaving 2 on the other side: 2 + 1 = 3 min
  2) 5 and 10 cross together and both stay there, then 2 comes back: 10 + 2 = 12 min
  3) 1 and 2 cross together: 2 min
Total: 17 min
This issue's challenge
Midas has boxes in three sizes: large, medium, and small. He puts 11 large boxes on a table. He leaves some of these boxes empty, and in all the other boxes he puts 8 medium boxes. He leaves some of these medium boxes empty, and in all the other medium boxes he puts 8 (empty) small boxes. Now, 102 of all the boxes on the table are empty. How many boxes has Midas used in total?
Please submit your answers HERE

New OWASP Books

If you would like to purchase copies of OWASP titles, you can do so by accessing all available titles HERE
Some of the most recent books available are:

New Titles will be coming soon!