- Application Developers
- Application Testers and Quality Assurance
- Application Project Management and Staff
- Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
- Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
- Security Managers and Staff
- Executives, Managers, and Staff Responsible for IT Security Governance
- IT Professionals Interested in Improving IT Security
Monday, May 30, 2011
Sunday, May 29, 2011
(From Kate Hartmaan)
I would like to encourage anyone who will be attending AppSec EU to register as soon as possible. The training seats are close to capacity!
Please join us at historic Trinity College in Dublin Ireland for the 2011 Global AppSec European event. Training will be held on June 7th and 8th followed by two days of cutting edge presentations given by university and industry experts on June 9th and 10th. Breakout sessions will be hosted by the OWASP Global Industry Committee and the Global Chapters Committee.
There will be opportunities for networking at our social events including the first ever KartCon EU!
Please visit www.appseceu.org for complete information on speakers, presentations, networking events, and, of course, KartCon EU!
If you are all set to register, you can do that directly by clicking here: http://www.regonline.com/owasp_appsec_eu_2011
I am looking forward to seeing everyone in Dublin!
-------------------------- Version 2.2.0 - 05/26/2011 --------------------------
- Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2) http://www.apache.org/licenses/LICENSE-2.0.txt
- Created new INSTALL file outlining quick config setup - Added a new rule regression testing framework to the /util directory
- Added new activated_rules directory which will allow users to place symlinks pointing to files they want to run. This allows for easier Apache Include wild-carding
- Adding in new RULE_MATURITY and RULE_ACCURACY tags
- Adding in a check for X-Forwarded-For source IP when creating IP collection - Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset) http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
- Added new AppSensor rules to experimental_dir https://www.owasp.org/index.php/AppSensor_DetectionPoints
- Added new Generic Malicious JS checks in outbound content - Added experimental IP Forensic rules to gather Client hostname/whois info http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
- Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
- Global collection in the 10 file now uses the Host Request Header as the collection key. This allows for per-site global collections.
- Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilties. This includes both converted web rules from Emerging Threats (ET) and from SLR Team.
- Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB
- - Added experimental rules for detecting Open Proxy Abuse http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html
- Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-passive-vulnerability-scanning-part-1-osvdb-checks.html
- Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227)
- Added new SQLi detection rules (959070, 959071 and 959072)
- Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data https://www.modsecurity.org/tracker/browse/CORERULES-64 Bug Fixes: - Assigned IDs to all active SecRules/SecActions
- Removed rule inversion (!) from rule ID 960902
- Fixed false negative issue in Response Splitting Rule
- Fixed false negative issue with @validateByteRange check
- Updated the TARGETS lising for rule ID 950908
- Updated TX data for REQBODY processing
- Changed the pass action to block in the RFI rules in the 40 generic file
- Updated RFI regex to catch IP address usage in hostname https://www.modsecurity.org/tracker/browse/CORERULES-68
- Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods.
- Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions. They will now inherit the settings from the SecDefaultAction
Friday, May 13, 2011
Friends, Romans, Countrymen - Lend me your ears!
It is my pleasure to announce the official release of ESAPI 2.0GA!
This release features some key enhancements over ESAPI 1.4.x including, but not limited to:
- Upgrade baseline to use Java5
- Completely redesigned and rewrote Encryptor
- New and Improved Validation and Encoding Methods
- Complete redesign of the ESAPI Locator and ObjectFactory
- More unit tests
- ESAPI Jar is now Signed with an OWASP Code Signing Certificate
- ESAPI Jar is Sealed
- And much, much more
- Peer review of the ESAPI Codebase
- Code and Architecture Review of new Encryption
- Adding and fixing unit tests
- Tons of discussion and interaction with the OWASP Community and ESAPI Users
We are currently in the process of getting a whole new suite of documentation, with a focus on integration tasks and actually using ESAPI in real applications - look for those documents over the next couple monthes, as well as a whole new contribs section in our repository aimed at providing turnkey components and solutions to some of the more commonly encountered integration points for ESAPI.
You can download the full distribution of ESAPI 2.0GA from our home on Google Code at: http://code.google.com/p/owasp-esapi-java/downloads/list
The latest API Docs can always be found at:
Within the next 24-48 hours the distribution to Maven Central should be updated as well and you should be able to start using 2.0GA in your Maven projects as soon as that happens. Maven dependency will be:
As always, we would love to hear your feedback on the release and if you have any questions at all, you can join the ESAPI-User Mailing List here: https://lists.owasp.org/mailman/listinfo/esapi-user
Thanks again to the OWASP and ESAPI Community for helping us build and release the tools that help make the internet just a little bit more sane!
The ESAPI Development and Management Teams
P.S. Please forward this along to any colleagues or distribution lists that may be interested.
Monday, May 9, 2011
Ready to learn the art of SQL injection? Got it. Securing iOS or Android apps? You're covered. Taking OWASP WTE (OWASP Live CD) to the next level? Learn from its maintainer! Hardening your Web 2.0, .NET, and PHP code? Be instructed by masters of the craft Dave Wichers and Robert H'obbes' Zakon, and respected infosec authors Shreeraj Shah (author of "Hacking Web Services") and Erez Metula (author of "Managed Code Rootkits"). And if you want to set up the next generation of application layer defenses, build your intrusion detection and protection platform with Colin Watson.
We've got Moxie! Moxie Marlinspike, creator of sslsniff and sslstrip, joins OWASP founder Mark Curphey and "Spies Among Us" author Ira Winkler as a conference keynote.
CALL FOR PAPERS OPEN UNTIL JUNE 14, 2011
Give back to the field and show your peers the way forward. The CFP is open. As OWASP reflects on its first ten years, share your vision for the next ten years. Submit today and you could be leading a track as a featured speaker.
5K/10K FOR CHARITY
See Dinis Cruz, Dan Cornell, and Mark Curphey sprint to the finish line in fashion as OWASP helps the Bakken Museum (http://www.thebakken.org/) teach youth about the wonderful world of electromagnetism. Let's strengthen the bond with community and improve our health. Place your donations and get signed up to race in the late afternoon Wednesday (September 21, 2011) the day before the conference talks.
WOMEN IN APPSEC
Enable more women to enter the application security field. We're off to a great start with the Wells Fargo Foundation's generous seed funding of $5,000 for grants to women interested in attending OWASP AppSec USA 2011 to launch their career in this growing field. OWASP transformed the way information security works once already, and it's time again to propel positive progress.
CAPTURE THE FLAG (AND GET A FREE TICKET)
The first monthly CTF challenge for OWASP AppSec USA 2011 is posted, and it's a great way to start preparing for the full CTF in September! Solve the May challenge before anyone else and get a free ticket to the conference plus props on www.appsecusa.org.
Register early and save money. Register a large group and save even more. And if you're a student, the savings are huge. So sign up today for a great deal, and please spread the word to students in computation, information protection, forensics, and law. We need more people to secure the world's systems. Registration is open!
If you have a bumping track, let it be heard. Upload your original music, submit the link, and it may get played at OWASP AppSec USA 2011 or on the www.appsecusa.org website.
THANK YOU TO OUR SPONSORS! We couldn't pull this off without your generous support!
OWASP AppSec USA 2011: Your life is in the cloud.
September 20-23 Training, Talks, CTF, Showroom, and More