Friday, March 19, 2010

March 2010 OWASP newsletter

The March 2010 OWASP newsletter is now available! This quarter’s newsletter has been translated into Spanish, Hungarian, Chinese, Thai, and Greek. All versions as well as previous newsletters can be found here:

Lorna Alamri
OWASP Connections
Dir: 651-338-0243
skype: lorna.alamri

Tuesday, March 16, 2010

OWASP JBroFuzz 2.0 Fuzzer Released!

Well it wasn't timed with Bernando (nor Tom) but after a lot of commits and code re-writes, we are pleased to announce the second major release of JBroFuzz:

From the 2.0 release notes:
  • Basic authentication supported; headers updated to show the 2.0 release
  • Fixed preferences bug.
  • Added Authorization header option in UI, under URL Encoding
  • Created a Verifier for .jbrf files
  • Fixed a small mistake in
  • Implemented a Cross Product Fuzzer within core/
  • Introduced, and fixed the directory location preferences.
  • Fixed Graphing Tab, right click menu
  • Arrayedified preferences, fixed maximum frame size, extracted all icons in a /icons folder.
  • Key bindings changed to Alt+Enter to encode and Alt+Backspace to decode
  • Split org.owasp.jbrofuzz.encode to core and UI
  • Added more documentation within the help topics about fuzzing
  • Added print functionality to keyboard shortcuts
  • Added keyboard shortcuts
  • Fixed the category of SQL Injection
  • Updated INSTALL, README files, converted to unix format

Hope you find it of use.

Many thanks to all those involved (more than the names suggest) in the development of this version,


Tuesday, March 2, 2010

OWASP brand usage rules

OWASP stands for informed security decisions based on a solid, comprehensive understanding of the business risk associated with an application. OWASP's philosophy is that achieving security involves all parts of an organization, including people, process, and technology. We support the use of our brand consistent with this philosophy. However, we cannot allow the use of our brand when it implies something inconsistent with OWASP's comprehensive and balanced approach to application security. Therefore, we have defined these brand usage rules to clarify appropriate and inappropriate uses of the OWASP brand, including our name, domain, logos, project names, and other trademarks.


The following rules make reference to the OWASP Materials, meaning any tools, documentation, or other content from OWASP. The rules also make reference to "OWASP Published Standards" which are currently in the process of being developed and released. Currently there are no OWASP Published Standards.

  1. The OWASP Brand may be used to direct people to the OWASP website for information about application security.
  2. The OWASP Brand may be used in commentary about the materials found on the OWASP website.
  3. The OWASP Brand may be used by OWASP Members in good standing to promote a person or company's involvement in OWASP.
  4. The OWASP Brand may be used in association with an application security assessment only if a complete and detailed methodology, sufficient to reproduce the results, is disclosed.
  5. The OWASP Brand must not be used in a manner that suggests that The OWASP Foundation supports, advocates, or recommends any particular product or technology.
  6. The OWASP Brand must not be used in a manner that suggests that a product or technology is compliant with any OWASP Materials other than an OWASP Published Standard.
  7. The OWASP Brand must not be used in a manner that suggests that a product or technology can enable compliance with any OWASP Materials other than an OWASP Published Standard.
  8. The OWASP Brand must not be used in any materials that could mislead readers by narrowly interpreting a broad application security category. For example, a vendor product that can find or protect against forced browsing must not claim that they address all of the access control category.
  9. The OWASP Brand may be used by special arrangement with The OWASP Foundation.

Parallels Between Software Assurance and Irregular Warfare

By Mike Boberski

Whether it's the OWASP Top 10 or the CWE/SANS Top 25, the problems that the domain of Software Assurance (SwA) explores are perhaps “the” central security challenge confronting cyberspace for the foreseeable future. And these problems are not “traditional”, in the same sense that “traditional” warfare is distinct from Irregular Warfare (IW).

IW tactics such as guerrilla warfare, subversion, and sabotage take the form, in cyberspace, of attacks on the design and construction of application and service interfaces, and on the design, construction, and even the unexpected passing of messages (nefariously crafted or otherwise) input to and output from those interfaces. Put simply, traditional cyberspace security controls (firewalls, operating system controls, and so on) do not protect against attackers who call applications and services in unintended ways.

Senior leaders across both public and private sectors are asking relevant questions such as “What are the top vulnerabilities in my application?”, but not crucial questions such as “What application-level security requirements does my application meet, and will meeting those requirements make my application secure enough for my purposes?”

While there’s a growing need for tools that provide repeatable solutions to these types of complex, enduring, and increasingly threatening cyberspace problems, there is a remarkable dearth of such tools. A notable exception is OWASP. OWASP is considered by many to be providing thought leadership and creative solutions to SwA problems. OWASP solutions include:

· OWASP Secure Software Development Contract Annex (Contract Annex) – provides a way to build security in before the building begins, whether it’s in a contract or a policy.

· OWASP Application Security Verification Standard (ASVS) – provides a way to figure out if your application is “this” secure or “T—H—I—S” secure, whether it’s by vulnerability scanning, code review, penetration testing, or architecture review.

· OWASP Enterprise Security API (ESAPI) – provides technical security controls that you can add into your solution stack to guard against attackers calling your applications and services in unintended ways (by providing, for example, input validation controls for user data), whether it’s Java, .NET, PHP, or a laundry list of other languages.

Are you asking the right questions? :-)

Monday, March 1, 2010

Call for papers: OWASP AppSec USA 2010 CA Sept 7-10

OWASP is currently soliciting papers and training proposals for
the OWASP AppSec USA, California 2010 conference, which will
take place at the UC Irvine Conference Center in beautiful
Orange County, CA on September 7th through 10th of 2010.
There will be training courses on September 7th and 8th,
followed by plenary sessions on the 9th and 10th, with each
day having at least three tracks.

AppSec USA may also have BOF (informal ad hoc meetings),
break out, or speed talks in addition to the standard
schedule depending on the submissions we receive.

We are seeking people and organizations that want to present
on any of the following topics (in no particular order):

- Business Risks with Application Security.
- Starting and Managing Secure Development Lifecycle Programs.
- Web Services, XML, and Application Security.
- Metrics for Application Security.

- Application Threat Modeling.
- Hands-on Source Code Review.
- Web Application Security Testing.
- OWASP Tools and Projects.
- Secure Coding Practices (J2EE/.NET).
- Privacy Concerns with Applications and Data Storage.

- Web Application Security Countermeasures.
- Technology-specific presentations on security such as AJAX, XML, etc.
- Anything else relating to OWASP and Application Security.

To make a submission you must include:

- Presenter(s) name(s)
- Presenter(s) Email and/or Phone number(s)
- Presenter(s) bio(s)
- Title
- Abstract
- Any supporting research/tools (will not be released
outside of CFP committee)

Submission deadline is June 6th at 12PM PST (GMT -8)
Submit Proposals to:

Conference Website:

Please forward to all interested practitioners
and colleagues.