Thursday, March 15, 2012

AppSecDC 2012

WASHINGTON, D.C. March 16, 2012—AppSec DC 2012 (http://www.AppSecDC.org), the East Coast's premier information security conference, has added a full roster of training seminars to its four-day schedule of discussions and events. The seminars will be a mixture of one- and two-day sessions organized by OWASP in order to serve both its membership and the broader technology community. As a special offering, OWASP has aligned with (ISC)², the world’s largest information security professional body and administrators of the CSSLP®, on a free seminar for all AppSec DC attendees.

"OWASP seeks to be proactive, rather than reactive," said Mark Bristow, AppSec DC Organizer. "With these training sessions, we hope to empower everyone in the enterprise and in the public sector with the most current best practices in web and information security."  

AppSec DC's training seminars will be held on April 2-3, before the plenary sessions. Information on OWASP's free seminar with (ISC)² for all AppSec DC attendees is as follows:

Certified Secure Software Lifecycle Professional (CSSLP) Clinic (*)
 - Tuesday, April 3, 1-5 PM

WHY YOU SHOULD REGISTER: Educate yourself in Secure Software Design and Development, two of the seven domains found in the CSSLP certification, held by over 1,000 secure software professionals worldwide and recently labeled the “Holy Grail” of secure software development certifications by analyst David Foote. This session will provide an in-depth education in these two tough domains of the CSSLP and will cover the skills and knowledge needed to design and develop secure code. In the Secure Software Design domain, attendees will learn the fundamentals of design principles that, when applied, will save costly rework. The Secure Software Development domain will discuss the OWASP Top 10 threats and how to mitigate them effectively.

The CSSLP contains seven domains focusing on the fundamental topics needed to develop secure software. CSSLPs are professionals who have validated their competency in incorporating security into each phase of the software lifecycle.

(*) Please note that all attendees of the free seminar must pre-register at the AppSec site: http://appsecdc.org/training/

Other training sessions include:

•   Building Secure Android Apps
•   The Art of Exploiting Injection Flaws
•   Assessing and Exploiting Web Applications with Samurai-WTF
•   Secure Web Application Development Training
•   Source Code Analysis – Discovering Vulnerabilities in Web 2.0, HTML5, RIA
•   Practical Threat Modeling
•   Mobile Hacking and Securing
•   WebAppSec: Developing Secure Web Applications
•   Virtual Patching Workshop
•   Complete list of seminars and additional information at http://appsecdc.org/training/

OWASP strives to provide world-class training for a variety of skill levels and interests at its conferences. From the novice to the expert, developers to managers, there is a training course for you. Classes will begin at 9 AM each day and run until 5 PM. Please check each course for required materials and whether a course is one or two days.

OWASP AppSec DC attracts a worldwide audience. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent.

Along with training seminars, AppSec DC 2012 has also lined up a robust list of speakers, including representatives from Homeland Security, LivingSocial.com and thought-leaders such as Dan Geer, Creator of the Index of Cyber Security (2011) and the Cyber Security Decision Market (2011), among other accomplishments. Past conferences have drawn more than 700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals. A full schedule can be found at http://appsecdc.org/2012schedule/

Sponsored by Aspect Security, Securicon, MANDIANT, Trustwave SpiderLabs, Secure Ideas, and nVisium Security, AppSec DC is hosted by the Washington, D.C. chapter of the Open Web & Application Security Project (OWASP). OWASP, a 501c3 not-for-profit, is an open-source application security project made up of corporations, educational organizations, and individuals from around the world. Providing free, vendor-neutral, practical, cost-effective application security guidelines, the organization has become the de facto standards body for application security over the past decade.

To attend OWASP AppSec DC 2012, visit: www.AppSecDC.org or register at http://reg.appsecdc.org. To become a member of OWASP or a sponsor of AppSec DC 2012, kindly drop us a note at: sponsors@appsecdc.org.  

About OWASP:
The Open Web & Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work from Individuals, Organization Supporters & Accredited University Supporters. For more information, please visit: http://www.owasp.org/

MEDIA CONTACT:

Bill Lessard
PRwithBrains
914.476.6089 - office
914.330.3501 - cell

Wednesday, March 14, 2012

OWASP Hacking-Lab

Dear OWASP leaders,

As you might know, Hacking-Lab is providing free OWASP TOP 10 hands-on challenges to the OWASP community. This is an inner service of GEC (Global Education Committee) as part of the Academy Portal project.

Vulnerabilities within used frameworks and libraries, like the Apache Struts vulnerability, do not have a prominent place in the OWASP TOP 10 list, but are very important because of their remote code execution characteristic. Hacking-Lab has written a vulnerable Apache Struts service and a tutorial video. Check it out.

I think it is important to discuss library and dependency risks.

Please watch the tutorial here:
* http://media.hacking-lab.com/movies/struts2/

Please read more about the Apache vulnerability here:
* http://struts.apache.org/2.x/docs/s2-009.html

Please try it out and mess around in Hacking-Lab (if you like, it's free!)
* https://www.hacking-lab.com/events/registerform.html?eventid=199

Looking forward to hearing from you
Ivan Buetler, Switzerland

OWASP Security-101 List


(from michael.coates@owasp.org )
Leaders,

A few weeks back I started a thread about a security 101 list. The idea is that this is a place we can direct people new to OWASP with any intro security questions. Here we can respond with answers to their questions or provide links to OWASP projects, presentations, tools, etc. We may even find out that there are common questions we don't have material available to address (i.e. future wiki doc or project ideas).

If you like this idea you can help out in the following ways:
1. Subscribe to the mailing list in order to help answer the questions
2. Add the mailing list at the end of your slide decks or presentations as a place where the audience can go with any sort of security or OWASP question

security101@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/security101


http://michael-coates.blogspot.com/2012/03/security-101-owasp-community.html


Thanks!

-------
Michael Coates | OWASP
michael.coates@owasp.org | @_mwc

Friday, March 9, 2012

OWASP Mission and Principles

Recent events in the media have mentioned the OWASP organization, and I'd like to use this opportunity to provide background on OWASP and also highlight our mission and guiding principles.

First and foremost, OWASP is a worldwide non-profit organization with the mission of increasing application security by providing free and open tools, knowledge, and a thriving global community. With the exception of our talented four-person operations team, we are driven entirely by volunteers from project contributors, chapter leaders, and even the board.

Since OWASP is an open source, grass roots movement, any individual is able to contribute resources or participate in the community. Like other open source projects, individuals from all over the world donate code, documentation or expertise. Similarly, this organization does not perform background checks or submit participants to invasive reviews in order to participate in the community. This is standard practice for open organizations.

OWASP is driven by, and aligns all of our activities around, our mission, core values, code of ethics, and core principles.

The OWASP community consists of over ten thousand individuals on our mailing lists, 1500 members organized into 200+ volunteer led chapters around the world, volunteer chapter leaders, multiple global committees and an elected board. OWASP fosters a thriving community of open source projects and coordinates annual security conferences on nearly every major continent and a variety of regional outreach and university events.

OWASP is a force for good and believes strongly in our mission and values. We do not support projects or activities that are counter to these views, goals or ethics.



Michael Coates
Chair of OWASP Board
michael.coates@owasp.org

Thursday, March 8, 2012

OWASP India Call For Papers (August 24-25 2012)


Greetings!

OWASP India is pleased to announce the CFP (Call for Papers) for its 3rd upcoming conference to be held on 24th - 25th August 2012 at Hotel Crowne Plaza Today, Gurgaon, New Delhi (NCR), India.

The OWASP conference in India is the largest and premier platform in the region, bringing together information security leaders, policy makers, regulators, investigators, defense, government departments and decision makers from over 200 organizations from across the world.

Our last event in India was attended by over 500 participants and we anticipate much larger participation this year.

Quick Links:

Quick Contacts:
 1. CFPs: cfp@owasp.in
 2. Sponsors: sponsors@owasp.in
 3. General: info@owasp.in

With Regards,
Organizing Committee
OWASP InfoSec India Conference 2012

======
OWASP India Archives:
 1. OWASP India's 2nd Conference, New Delhi:
 2. OWASP India's 1st Conference, New Delhi:

Friday, March 2, 2012

PRESS RELEASE: OWASP AppSec DC 2012


FOR IMMEDIATE RELEASE:

East Coast's Premier Information Security Conference Returns with OWASP AppSec DC 2012

Popular Event to Attract Leading Experts for Four Days of Discussion and Training, April 2 - 5

WASHINGTON, D.C. March 5, 2012—AppSec DC, the East Coast's premier information security conference, returns with AppSec DC 2012 (http://www.AppSecDC.org). Now in its third year, AppSec DC is the Open Web & Application Security Project's (OWASP's) annual gathering of leading experts in the field of application security. The event will be held at the Walter E. Washington Convention Center, April 2-5.

AppSec DC features two days of training April 2-3, followed by two days of talks, April 4-5. The event will provide a forum for hundreds of IT professionals interested in securing web technologies to learn, interact, network, and attend presentations and training given by some of the world's top practitioners of application security.

"With the ever growing number of intrusions that have taken place over the past year, we feel that the business and federal communities could greatly benefit from what we offer now more than ever," said Mark Bristow, AppSec DC Organizer. "We encourage security professionals, technology executives, students, and anyone who realizes the importance that application security plays in all of our lives to attend."

Highlights of AppSec DC 2012 will include:
  • Keynote by Daniel Earl Geer, Jr., Sc.D., Creator of the Index of Cyber Security (2011) and the Cyber Security Decision Market (2011), among his numerous other accomplishments
  • Presentation by Joe Jarzombek, Director for Software Assurance, National Cyber Security Division of the Department of Homeland Security
  • Presentation by Ken Johnson, Senior Security Architect for LivingSocial.com, responsible for securing mobile applications, web services and web applications
  • Panel topics to include Critical Infrastructure, Pentesting Smart Grid Web Apps, How to Get Every IT Architect to Become a Security Ambassador, Adapting and Managing IT Security Solutions for Industrial Control Systems
  • Training classes to include Assessing and Exploiting Web Applications with Samurai-WTF, Building Secure Android Apps, Secure Web Application Development Training
  • Full schedule at https://schedule.appsecdc.org

Bristow added, "In accordance with the broadening of OWASP's mission after the 2011 OWASP Global Summit, AppSec DC is not restricting its content strictly to the realm of web applications. We invite all practitioners of application security and those who work with or interact with all facets of application security to submit papers and participate in the conference."

OWASP AppSec DC attracts a worldwide audience. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. Past conferences have drawn more than 700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

Sponsored by Aspect Security, Securicon, MANDIANT, Trustwave, Secure Ideas, and nVisium Security, AppSec DC is hosted by the Washington, D.C. chapter of the Open Web & Application Security Project (OWASP). OWASP, a 501c3 not-for-profit, is an open-source application security project made up of corporations, educational organizations, and individuals from around the world. Providing free, vendor-neutral, practical, cost-effective application security guidelines, the organization has become the de facto standards body for application security over the past decade.

To attend OWASP AppSec DC 2012, visit: www.AppSecDC.org or register at http://reg.appsecdc.org. To become a member of OWASP or a sponsor of AppSec DC 2012, kindly drop us a note at: sponsors@appsecdc.org.   

About OWASP:
The Open Web & Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work from Individuals, Organization Supporters & Accredited University Supporters. For more information, please visit: http://www.owasp.org/


MEDIA CONTACT:

Bill Lessard
PRwithBrains
914.476.6089 - office
914.330.3501 - cell



Wednesday, February 22, 2012

Approval of LASCON Exception


From The OWASP Board (Michael Coates michael.coates@owasp.org)

We wanted to thank everyone for the open, honest, and respectful discussion of the Lascon exception issue.  The board has considered the information provided by all parties as well as the principles and mission of OWASP.  After discussion and deliberation we've reached the following decision:

The OWASP Board has voted to approve the following:

Approve LASCON Exception per current chapter & committee rules with the recommendation that LASCON considers the objectives provided by the Board for the new policy. Further, this is the second and final exception for LASCON.

The updated chapter/conference policy must be approved within 45 days or the LASCON exception is revoked.

Recommendations for the New Policy

The OWASP board would like the conferences and chapters committees to work together to jointly draft and approve an update to the policies governing chapters and conference events. We appreciate all the hard work that the committees have put forth to grow our chapters and conferences to its current state.  We've accomplished some great things and this is another situation where we have to review and adjust as a result of our continued growth and success as an organization (a good problem to have).

As global committee members you are in the best place to determine the specifics of this policy; however, we would like to set an overall direction that will be worked towards and we’ve outlined the following objectives that should be considered for the updated chapter and conference policies.  

We encourage the committees to review these guiding objectives and work to build a structure that will encourage the growth of OWASP and our mission.  
  • Guiding Objectives
    • We would like to see chapter empowerment through a profit sharing model that is in line with our core value of Innovation
    • We have concerns over the use of profit caps on gains from specific events
    • We would like some sort of annual review, requirements, or rules to address the issue of stale chapter funds in excessive amounts
    • We would like some periodic recap on funds spent by chapters to help ensure funds are appointed to items aligned with the “OWASP Mission”
    • We recognize there could be concerns over conflicting large chapter events and our core global conferences. Controls should be added to prevent this conflict (perhaps CFP blackout periods in regions within X months of a global event)
    • We would like a dedicated committee with continual and significant control over the core OWASP global events (i.e. conference committee)
    • The Foundation has resources that can be or are being provided to local chapter events, but we need these costs to be accounted for in the chapter's event planning
    • Controls are needed to prevent chapters from over-committing on financial costs
    • Final policy and structure created by the committees should ensure, as much as is possible, that there is no incentive for chapters to form legal entities in their own countries. Any such activity has significant implications for the Foundation and must be discussed and coordinated with the Foundation Board.
  • Infrastructure
    • Chapters must use established technology methods (such as regonline) any time money is handled
    • CFPs need to use established OWASP procedures
    • A single “source of truth” is needed for all events so that OWASP employees can best assist all events. These include events under either committee’s purview.
  • Branding
    • Naming standard enforced for all events (e.g. OWASP X)
    • Logo standards that include OWASP on all logos, event sites, collateral, etc.
Thanks for the significant efforts that have been made thus far and we look forward to the updated policy/policies that can take OWASP and our growing member and chapter base to the next level.
Lastly, Kate will update the official vote record to reflect our vote and capture the above guiding objectives on the wiki.

-The OWASP Board

Michael Coates
michael.coates@owasp.org