Wednesday, December 29, 2010

December 2010 OWASP Newsletter

I am happy to be able to send out the December 2010 OWASP Newsletter!

Thank you to our editor, Lorna Alamri, MN Chapter co-leader, AppSec US 2011 organizer, Summit 2011 organizer, Industry Committee member, and global contributor.

Happy Holidays!

Kate Hartmann
Operations Director
Skype: Kate.hartmann1

Wednesday, December 15, 2010

OWASP 2011 Membership

(by Tom Brennan)

Can you believe the OWASP concept is approaching 10 years old?!!

It's those little things like volunteering your time, insight, expertise and membership to a professional organization that make the bigger things possible and affect the mission. In growing a community, being taken seriously as a body, having citations from around the world, employees, administrative costs and even having the ability to allocate 50k in funds to put towards a global summit in 2011 is progress.

But no matter how many hours volunteered to it (OWASP), to be recognized as a "member" in 2011 starts with agreement to the principles and a donation of $50 USD as a member. While everything is free at OWASP, this "designation" comes with a privilege that others don't get: the ability to support or effect change with a collective consensus of his/her peers and a vote.

Since 2002 I have personally experienced a variety of perspectives:

- Outsider looking for resources
- Individual Member
- Chapter Leader
- Board Member
- Project Leader
- Project Contributor
- Project Reviewer
- Active Committee Member
- Member of a Supporting Sponsor(s)

In each role the perception of OWASP is different. At the 2011 summit I hope to unify this important membership topic and I hope you will join us for the discussion. It's worth my $50 bucks per year.

*For persons going to the summit, as an example, if they have not paid their $50 individual membership fee... Please complete this transaction as a prerequisite. This includes everyone from the board members to the newest member of this mailing list.

Not going to the summit but running a local chapter, do you lead by example with membership?

The current memberlist:

How/where do you join?

FAQ: If my company (5k) or university ($0) is a supporter, does this make me a member? Answer: No - however, some have called it "associated member/lite member" as in associated with the supporting company; however, note that this has no voting right in the association.

Support the mission, change the world.


(from Eric Sheridan)

It is with great pride that I announce the release of OWASP CSRFGuard (ALPHA)! This is a development release of the v3 series that is in need of peer review, testing, and general feedback in preparation for BETA. There are several significant new features that are in need of testing in the enterprise development environments. Please contact me for support if you are interested in testing the latest release. Of course, I am always open to questions, comments, or feature requests!

Please check out the project home page and User Manual for more information about how to install, configure, and deploy the OWASP CSRFGuard library.

OWASP CSRFGuard has been completely rewritten to address the various feature requests and bug fixes submitted to me over the past couple of years. No longer will CSRFGuard be referred to as just a "reference implementation". By addressing the performance and scalability issues plaguing older releases, OWASP CSRFGuard v3 is intended to serve as the de facto standard prevention mechanism against CSRF attacks for JavaEE web applications. The following is a bulleted summary of the significant changes associated with the v3 release:

  • OWASP CSRFGuard is now available under the much more liberal BSD license
  • file can be loaded from classpath, web context directory, or current directory
  • Developers can implement a custom logger to be consumed by the library
  • Experimental support for the rotation of CSRF tokens once the previous token is expired
  • Experimental support for creating and verifying unique CSRF tokens per page
  • Experimental support for Ajax through the verification of headers dynamically injected by CSRFGuard JavaScript
  • Configurable actions including Log, Invalidate, Redirect, Forward, RequestAttribute, and SessionAttribute
  • Unprotected pages can be captured using same syntax used by the JavaEE container in web.xml
  • Library no longer intercepts HTTP responses produced by the web application
  • Developers can manually inject CSRF prevention tokens using the JSP tag library
  • Developers can automate injection of CSRF prevention tokens using dynamic JavaScript DOM Manipulation
  • Tokens are only injected into HTML elements that submit requests to the current origin (planned for XHR)
  • JavaScript token injection can be configured to inject into links, forms, and XMLHttpRequests

Please check out the following resources for more information regarding recent project updates:

Project Page -

User Manual -

Code Repository -

Blog -


Tuesday, December 7, 2010


(From Jeff Williams)

Hi everyone,

In my mind, OWASP 1.0 was pre-wiki with lots of great work and a less great infrastructure. OWASP 2.0 was establishing the 501c3, putting in the wiki, and getting lots of great projects started. OWASP 3.0 started with the Summit in Portugal when we created the new committees and has focused on creating thriving projects instead of standalone tools. Thank you for all of your efforts growing a fun, civil, productive community.

I reach out to you now to ask you to take some time and think about what OWASP should become. The time has come to measure our success not by the number of members, projects, and conferences, but by whether we are succeeding at making the world’s software more secure. It’s time to get our message and strategy to the next level.


If you consider yourself an OWASP Leader, won’t you take a few minutes of quiet time and propose a few ideas for how OWASP can retool, reorganize, refocus, and revamp itself to really achieve our mission? We will rip, mix, and burn these ideas into a new strategy for OWASP at the Portugal Summit. I encourage you to check out the resort and all the plans happening right now at

Here are some ideas to get you started.

  1. We bootstrap several application security ecosystems around key technologies like mobile, cloud, REST
  2. We reach out to governments around the world to help them push for application security
  3. We raise money to fund real security enhancements to tools, browsers, protocols (e.g. OpenSSL)
  4. We make the OWASP materials more usable by providing a “user” site and keep the wiki for development
  5. We invest in marketing AppSec – How do we scale David Rice and the “greening” of AppSec
  6. We continue our education initiative – academies, college chapters, videos, curriculum
  7. We continue our browser initiative and do whatever it takes to get the browsers and frameworks talking
  8. We invest in getting in front of new technologies like HTML5
  9. We launch a no-holds-barred XSS eradication campaign
  10. We create a set of objective AppSec *market* metrics that quantify the state of our art
  11. We continue to push on creating standards

We need your ideas NOW. Get yourself on the list!

In one week of thinking, arguing, coding, hacking, and writing we are going to accomplish more than the rest of the world’s appsec efforts combined. We’ll see you in Portugal ready to rock. Thanks!

--Jeff Williams

Thursday, December 2, 2010

OWASP Call for Trainers!

To all OWASP Leaders

In the context of the effort we are making to stabilize and consolidate an OWASP Training model that can be used as a powerful tool to spread OWASP’s knowledge and message, OWASP is looking for trainers to deliver training under the flag “OWASP projects and resources you can use today”. This is a model of training which is free for OWASP members, delivered by OWASP Leaders (with only travel expenses paid) and covering OWASP modules and/or projects.

If you are an OWASP Leader and would like to be included in OWASP's pool of trainers, this is your chance - add your name and info to the OWASP Trainers Database and be counted!

Check out the Database and do it now!

Follow all the developments on the OWASP Training here.

We are looking forward to seeing your names online!