Monday, May 30, 2011

AppSec Latin America 2011

We are pleased to announce that the OWASP Porto Alegre Local Chapter will organize the Global AppSec Latin America 2011 Conference in Porto Alegre-RS, Brazil.

The Global AppSec Latin America 2011 Conference will be a reunion of Information Security latin american leaders, and will present cutting-edge ideas. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 200-250 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

A OWASP Global AppSec Latin América 2011 will be happens in Brazil at Porto Alegre city, Rio Grande do Sul state map in October 4th to 7th 2011. The trainings will be in October 04 and 05, and the presentations will be in October 06 and 07.

If you have any questions, please email the conference chair: AppSec2011@AppSecLatam.org

Who Should Attend Global AppSec Latin América 2011:
  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interested in Improving IT Security

Sunday, May 29, 2011

AppSec EU Registration Alert

(From Kate Hartmaan)


I would like to encourage anyone who will be attending AppSec EU to register as soon as possible. The training seats are close to capacity!

Please join us at historic Trinity College in Dublin Ireland for the 2011 Global AppSec European event. Training will be held on June 7th and 8th followed by two days of cutting edge presentations given by university and industry experts on June 9th and 10th. Breakout sessions will be hosted by the OWASP Global Industry Committee and the Global Chapters Committee.

There will be opportunities for networking at our social events including the first ever KartCon EU!

Please visit www.appseceu.org for complete information on speakers, presentations, networking events, and, of course, KartCon EU!

If you are all set to register, you can do that directly by clicking here: http://www.regonline.com/owasp_appsec_eu_2011

I am looking forward to seeing everyone in Dublin!

Kate Hartmann

Operations Director

301-275-9403

www.owasp.org

Skype: Kate.hartmann1

ModSecurity Core Rule Set v2.2.0

(From Ryan Barnett)

I am pleased to announce the release of the OWASP ModSecurity Core Rule Set (CRS) v2.2.0. This is a significant update as we have added a number of very important capabilities.

CHANGE LOG -
-------------------------- Version 2.2.0 - 05/26/2011 --------------------------
Improvements: 
--------------------------
DOWNLOADING
--------------------------
Manual Downloading:
You can always download the latest CRS version here -

Automated Downloading:
Use the rules-updater.pl script in the CRS /util directory

# Get a list of what the repository contains:


modsecurity-crs {
2.0.0: modsecurity-crs_2.0.0.zip
2.0.1: modsecurity-crs_2.0.1.zip
2.0.2: modsecurity-crs_2.0.2.zip
2.0.3: modsecurity-crs_2.0.3.zip
2.0.4: modsecurity-crs_2.0.4.zip
2.0.5: modsecurity-crs_2.0.5.zip
2.0.6: modsecurity-crs_2.0.6.zip
2.0.7: modsecurity-crs_2.0.7.zip
2.0.8: modsecurity-crs_2.0.8.zip
2.0.9: modsecurity-crs_2.0.9.zip
2.0.9: modsecurity-crs_2.0.10.zip
2.1.0: modsecurity-crs_2.1.0.zip
2.1.1: modsecurity-crs_2.1.1.zip
2.1.2: modsecurity-crs_2.1.2.zip
2.2.0: modsecurity-crs_2.2.0.zip
}

# Get the latest stable version of "modsecurity-crs":
$ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -prules -Smodsecurity-crs
Fetching: modsecurity-crs/modsecurity-crs_2.2.0.zip ...
$ ls -R rules
modsecurity-crs

rules/modsecurity-crs:
modsecurity-crs_2.2.0.zip modsecurity-crs_2.2.0.zip.sig

--
Ryan Barnett
OWASP ModSecurity CRS Project Leader

Friday, May 27, 2011

London OWASP chapter meeting June 3rd

London OWASP chapter & ISG, Royal Holloway Joint Seminar
Date: Friday, June 3rd 2011 6:30pm - 8:00pm  
Tea & Coffee will be served from 6pm, with a sandwich buffet after the seminar.  
Speaker/Topic: Steve Lord on Wordpress Security
Abstract: Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.
Location: Bourne Lecture Theatre 2 Royal Holloway University of London Egham TW20 0EX  Directions to Royal Holloway and a Campus Plan are available from the following website (Bourne LT 2 is in building 31 on the Campus Plan):
http://www.rhul.ac.uk/aboutus/locationmap/home.aspx

Friday, May 13, 2011

OWASP 2.0 Released!

(From Chris Schmidt)

Friends, Romans, Countrymen - Lend me your ears!

It is my pleasure to announce the official release of ESAPI 2.0GA!

This release features some key enhancements over ESAPI 1.4.x including, but not limited to:
  • Upgrade baseline to use Java5
  • Completely redesigned and rewrote Encryptor
  • New and Improved Validation and Encoding Methods
  • Complete redesign of the ESAPI Locator and ObjectFactory
  • More unit tests
  • ESAPI Jar is now Signed with an OWASP Code Signing Certificate
  • ESAPI Jar is Sealed
  • And much, much more
We understand that a lot of you have been waiting a very long time for this, and so have we! It was important that we take our time with this release to make sure we had addressed everything possible prior to it going out. Included in that process was:
  • Peer review of the ESAPI Codebase
  • Code and Architecture Review of new Encryption
  • Adding and fixing unit tests
  • Tons of discussion and interaction with the OWASP Community and ESAPI Users
Without the feedback from our users, we could have never accomplished some of the awesome enhancements that have been made to the library since the last major release, so we owe you all a debt of gratitude for helping us design and implement controls that will ultimately help you write more secure applications.

We are currently in the process of getting a whole new suite of documentation, with a focus on integration tasks and actually using ESAPI in real applications - look for those documents over the next couple monthes, as well as a whole new contribs section in our repository aimed at providing turnkey components and solutions to some of the more commonly encountered integration points for ESAPI.

You can download the full distribution of ESAPI 2.0GA from our home on Google Code at: http://code.google.com/p/owasp-esapi-java/downloads/list

The latest API Docs can always be found at:
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/index.html

Within the next 24-48 hours the distribution to Maven Central should be updated as well and you should be able to start using 2.0GA in your Maven projects as soon as that happens. Maven dependency will be:

<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.0GA</version>
</dependency>

As always, we would love to hear your feedback on the release and if you have any questions at all, you can join the ESAPI-User Mailing List here: https://lists.owasp.org/mailman/listinfo/esapi-user

Thanks again to the OWASP and ESAPI Community for helping us build and release the tools that help make the internet just a little bit more sane!

Sincerely,
The ESAPI Development and Management Teams

P.S. Please forward this along to any colleagues or distribution lists that may be interested.

Monday, May 9, 2011

AppSec USA 2011: Training, Marlinspike & Winkler & Curphey, CFP, Community

The OWASP AppSec USA 2011 team has exciting updates for the September 20-23, 2011 event commemorating OWASP's tenth anniversary in the invigorating city of Minneapolis, Minnesota!

TRAINING
Ready to learn the art of SQL injection? Got it. Securing iOS or Android apps? You're covered. Taking OWASP WTE (OWASP Live CD) to the next level? Learn from its maintainer! Hardening your Web 2.0, .NET, and PHP code? Be instructed by masters of the craft Dave Wichers and Robert H'obbes' Zakon, and respected infosec authors Shreeraj Shah (author of "Hacking Web Services") and Erez Metula (author of "Managed Code Rootkits"). And if you want to set up the next generation of application layer defenses, build your intrusion detection and protection platform with Colin Watson.

http://www.appsecusa.org/training.html

MORE KEYNOTES
We've got Moxie! Moxie Marlinspike, creator of sslsniff and sslstrip, joins OWASP founder Mark Curphey and "Spies Among Us" author Ira Winkler as a conference keynote.

http://www.appsecusa.org/moxie_marlinspike.html
http://www.appsecusa.org/ira_winkler.html
http://www.appsecusa.org/mark_curphey_community_the_killer_app.html

CALL FOR PAPERS OPEN UNTIL JUNE 14, 2011
Give back to the field and show your peers the way forward. The CFP is open. As OWASP reflects on its first ten years, share your vision for the next ten years. Submit today and you could be leading a track as a featured speaker.

http://www.appsecusa.org/talks.html

5K/10K FOR CHARITY
See Dinis Cruz, Dan Cornell, and Mark Curphey sprint to the finish line in fashion as OWASP helps the Bakken Museum (http://www.thebakken.org/) teach youth about the wonderful world of electromagnetism. Let's strengthen the bond with community and improve our health. Place your donations and get signed up to race in the late afternoon Wednesday (September 21, 2011) the day before the conference talks.

http://www.appsecusa.org/strengthen.html

WOMEN IN APPSEC
Enable more women to enter the application security field. We're off to a great start with the Wells Fargo Foundation's generous seed funding of $5,000 for grants to women interested in attending OWASP AppSec USA 2011 to launch their career in this growing field. OWASP transformed the way information security works once already, and it's time again to propel positive progress.

http://www.appsecusa.org/womeninappsec.html

CAPTURE THE FLAG (AND GET A FREE TICKET)
The first monthly CTF challenge for OWASP AppSec USA 2011 is posted, and it's a great way to start preparing for the full CTF in September! Solve the May challenge before anyone else and get a free ticket to the conference plus props on www.appsecusa.org.

http://www.appsecusa.org/ctf.html

DISCOUNTS
Register early and save money. Register a large group and save even more. And if you're a student, the savings are huge. So sign up today for a great deal, and please spread the word to students in computation, information protection, forensics, and law. We need more people to secure the world's systems. Registration is open!

http://www.appsecusa.org/attend.html

CR0WD50URC3D
If you have a bumping track, let it be heard. Upload your original music, submit the link, and it may get played at OWASP AppSec USA 2011 or on the www.appsecusa.org website.

http://www.appsecusa.org/deepcuts.html

THANK YOU TO OUR SPONSORS! We couldn't pull this off without your generous support!

Thanks all.

OWASP AppSec USA 2011: Your life is in the cloud.
September 20-23 Training, Talks, CTF, Showroom, and More
www.appsecusa.org
@appsecusa