OWASP Global Connector Sept 25, 2013

Global OWASP Connector - September 25, 2013

Featured OWASP Project OWASP CTF Project The OWASP CTF project is a web based hacking challenge application that can be implemented as an event activity during conferences and other events.  The project was created with a handfull of challenges with topics that include web, network, and other activities.  Users will need crativity, resourcefulness, and networking skills to solve the various challenges in the OWASP CTF.  Please visit the project wiki page or contact the project leader, Steven van der Baan for more information. NEW OWASP Projects OWASP Media Project The OWASP Media Project is an infrastructure project that aims to gather, consolidate, an dpromote OWASP content in video format on a central hub.  The first and main instance of the project will be a YouTube channel.  We have now successfully applied to Google for our Non-Profit YouTube account and are working on site branding.  For more information, contact the project leader, Jonathan Marcil OWASP Global Chapter Meetings Project The Global Chapter Meetings Project seeks to connect participants globally by placing a spotlight on local chapters.  This is intended to open the gates of participation and fostering communication and collaboration among chapters.  Additionally, this project plans to create materials that can connect OWASP on a global scale.  For more information, contact the project leader, Yvan Boily. OWASP This I Believe Security Project The OWASP This I Believe Security Project will be a short-term series of essays posted on the OWASP website about broad application security topics.  The project is based n loose adaptation of the basic concept of the "This I Believe" series.  The project aims to expand and elevate the conversation around security topics.  For more information, please contact the project leader, John Melton. Project Announcements Project talks at AppSec USA The OWASP Project Summit is a smaller version of the much larger OWASP Summits.  This event activity gives our project leaders the opportunity to showcase their project progress, and have attendees sit down and work on project tasks during the event.  It is an excellent opportunity to engage the event attendees, and it gives project leaders the chance to move forward on their project milestones while meeting new potential volunteers that can assist with future milestones.  The project talks have now been scheduled.  Visit the AppSec USA website for the schedule.  If you have any questions, please contact Samantha Groves. Global Webinar Series wants to feature your Project.  Please contact Kate Hartmann or Samantha Groves to schedule your project webinar. New Support email is now available.  To reach a staff member, email:  support@owasp.org	OWASP AppSec USA 2013 www.appsecusa.org/2013/ (from 9/12/2013 blog post - Tom Brennan) October is National Cyber Security Awareness Month and it is an opportunity to engage public and private secotor stakeholders - to create a safe, secure, and resilient cyber invironment.  For OWASP Foundation, this is a perfect time to RAISE AWARENESS... The *draft* schedule is now published OWASP Project and Leader Summit Press Releases Local and Regional Events OWASP China 2013 Forum - July 12 - Dec 31, Bejing, Shanghai, and Guangzhou AppSec Israel 2013 - Oct 1, Herzliya Israel LASCON 2013 - Oct 24-25, Austin, TX Houston November Mini-Con - Nov 15, Houston, TX OWASP BeNeLux - Nov 28-Nov 29, Netherlands BASC 2013 - Dec 14, Cambridge, MA AppSec California 2014 - Jan 27-Jan 28, Santa Monica, CA Partner and Promotional Events Information Security Summit Hack in the Box Council on CyberSecurity ISSA International Conference - Discount code for OWASP Members:  confOWASP62c Cloud Security Alliance Congress 2013 - 10% discount for OWASP members with code:  CSA13/OWASP Media Partnerships Information Security Buzz PenTest Magazine - OWASP Members can receive a 25% discount for a PenTest subscription by using discount code:  OWASP25 OWASP Webinar Series Wednesday September 25 LIVE - Josh Sokol TOPIC - SimpleRisk - SimpleRisk is an open source tool designed to help better manage and facilitate enterprise risk management 10am EDT (Live Webinar) 9pm EDT (Recorded Webinar) Wednesday, October 9, 2013 Live - Global Board Candidate Question and Answers Interactive question and answer format for the Global Foundation Board Candidates.  Facilitated by Kelly Santalucia. 10am EDT 9pm EDT	The Written Answers to the Community Questions for all the Board Candidates is now POSTED ON THE ELECTION PAGE The Audio recordings of the interviews conducted by all the Board Candidates is NOW POSTED ON THE ELECTION PAGE Be sure to review the available materials and become an informed voter. Upcoming Dates September 30 - Paid & Honorary membership application deadline October 9 - Q&A Webinar October 14 - Voting Begins October 25 - Voting Ends October 29 - Election Result Announced The Web Application Security Persons of the Year (WASPY) award nominees are POSTED Please review the nominee information and be prepared to vote your selection during the 2013 Election Show your support for the community by becoming a Sponsor of the awards. Corporate sponsors AND Chapter sponsors are encouraged to participate FULL SPONSORSHIP INFORMATION CAN BE FOUND HERE OWASP AppSec News Feed is BACK! The OWASP AppSec News feed is back online.  When google reader died, we went back to the drawing board to setup a new aggregation system.  It's now working and all the information has also been published on: the criteria for posts that are shared, how to submit a blog for consideration (we need to rebuild the sources), how to volunteer to curate Important:  The feed has changed.  You will need to subscribe HERE All other information is posted HERE Many thanks to Jeff Williams who operated the OWASP news feed for 8 years Industry Citations OWASP is often referenced in official, or otherwise important documents.  This does NOT include presentation or educational materials, sales literature, forum messages, blog postings, news stories, or press releases. Please refer to the page for the citations spotted by our community.  Should you come across content that should be listed here, please contact Colin Watson. New OWASP Chapters OWASP Coimbatore Region:  Middle East Chapter Leader:  Subramaniam Sankaran OWASP Charleston Region:  United States Chapter Leader:  Tony Cook

2013 Board Candidate Interviews Are NOW POSTED!

Your 2013 Board Candidate audio recordings and written responses are NOW POSTED!  Become an informed voter and take a listen.
https://www.owasp.org/index.php/2013_Board_Elections#Recorded_Interviews

Please refer to the Election Timeline for important upcoming deadline dates.  

 

Global OWASP Connector September 10, 2013

Global OWASP Connector September 10, 2013		Project Updates Global Board Elections Global CTF
Featured OWASP Project OWASP Hackademic Challenges Project The OWASP Hackademic Challenges Project is an open source project that helps you test your knowledge on web application security.  You can use it to actually attack web applications in a realistic but also controllable and safe environment.  The Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe, controllable environment.  Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.  Currently, there are 10 web application security scenarios available. You can choose to start from the one that you find most appealing, although we suggest to follow the order presented.  We intend to expand the available challenges with additional scenarios that involve cryptography, and even vulnerable systems implemented in download-able virtual machines.  Please contact Kostas for more information. New OWASP Projects OWASP JAWS Project The Purpose of the project is to have a work set with runnable java code that shows secure coding practices in a working way.  Too many times, developers end up at some developer forum where someone asks a question and the solutions (that may be working but not necessarily in a secure way) are copied, and end up in production code. The project will demonstrate how to implement existing solutions leveraging on existing material from the OWASP community.  For more information, please contact the project leader Maarten Mestdagh.  Project Announcements Meet our new Grants and Fundraising Intern! Recently, the OWASP Foundation has enjoyed an increase in grant and fundraising opportunities. The Grants and Fundraising Internship opportunity was created to not only assist with the increased workload, but to help the successful candidate gain more experience in grant research, writing, and planning for a global non-profit organization.   After interviewing several candidates, we have finally made our selection.  Please join me in welcoming our new Grants and Fundraising Intern, Kait Disney-Leugers.  Please contact Samantha Groves if you have any questions about our grant work.	Review the Candidates Review the Election Timeline September 30 is the last day to purchase/renew your membership or to apply for an honorary membership to be able to vote in this year's election Review the Nominees Global Capture The Flag Competition is LIVE!!!!!!! Are you ready for the First Global CTF?  The Irish Honeynet project:  @honeyn3t, in cooperation with OWASP have built a CTF designed to engage first time CTF players while also challenging the experienced.  Places for the games are limited - and you must register to play. The competition will run now until the end of September.  The winners will be announced and recognized during AppSec USA 2013 in New York, NY. The purpose of the games is to provide an environment for people to have fun and learn about security! Read more about the Global CTF Here Register for the Global CTF Here OWASP AppSec LATAM 2013 We are sorry to inform that, unfortunately, due to the low attendance, the AppSec LATAM 2013 has been cancelled.  Should you need any further information, do not hesitate to contact us at AppSecLatam2013@owasp.org. OWASP AppSec USA 2013 Potential Sponsors - take note - the deadline to take advantage of preferred both selection is this Friday - September 13, 2013 Secure your space here Click Here for the full schedule of Talks and Training Classes LOCAL AND REGIONAL EVENTS OWASP New Zealand Day 2013 - Sept 11-12; Auckland, New Zealand LASCON 2013 - Oct 24-25, Austin, TX	OWASP Webinar Series GET YOUR CREDITS! Register to participate in the OWASP Webinar Series.  This provides an opportunity to review some of the top security talks AND earn CPE credits!  Wednesday September 11, 2013.  LIVE - Ken Johnson Rails Goat Project Webinar RailsGoat project provides training for developers and security professionals - all specific to the Ruby on Rails framework 10am EDT (Live Webinar) and at 9pm EDT (replay of the Live Webinar) Wednesday September 25, 2013.  LIVE - Josh Sokol SimpleRisk Webinar SimpleRisk is an open source tool designed to help better manage and facilitate enterprise risk management. 10am EDT (Live Webinar) and 9pm EDT (replay of the Live Webinar) Wednesday October 9, 2013.  LIVE - Global Board Candidate Question and Answers Interactive question and answer format for the Global Foundation Board Candidates.  Facilitated by Kelly Santalucia at 10am EDT and 9pm EDT Wednesday November 6, 2013.  LIVE - Kiran Karnad OWASP Top Ten & Burp information and registration coming soon We want to highlight projects and research!  If you have a topic that you would like to present, please submit an abstract here:  Contact us

Meet our new Grants and Fundraising Intern!

The Grants and Fundraising Internship opportunity was created to help a successful candidate gain more experience in grant research, writing, and planning for a global non-profit organization. Recently, we realized that the organization needs some assistance with the grant/fundraising workload. We felt that providing this internship opportunity would be a great way to help someone gain more experience, while having him/her help us alleviate our OWASP grant/fundraising workload. 

After interviewing a handful of candidates, we have finally made our selection. Please help me in welcoming our new Grants and Fundraising Intern, Kait Disney-Leugers.

Grants and Fundraising Intern

Kait Disney-Leugers

I received my B.A. in history from Ohio University, and I now live in Silicon Valley. Along with my interest in OWASP, I am also a member of the American Historical Association. I applied to this internship because OWASP is already apart of my life. My honeymoon was attending last year's AppSec conference in Austin, and I am also interested in helping with the Women in Application Security Program.

Global OWASP Connector September 3, 2013

Global OWASP Connector September 3, 2013		Project Updates Membership Updates Global CTF Translation Efforts
Featured OWASP Project OWASP Periodic Table of Vulnerabilities There are many anthologies of vulnerabilities and weaknesses (including CWE - 25, TCv2, and OWASP Top 10), but there is no attempt to classify these issues based on how they should be best solved.  In the past, we have tried to teach developers how to avoid introducing these problems, but it appears, via the lesson of Buffer Overflow, that the only way we'll ever eliminate them is to make it impossible for developers to write vulnerable code.  The periodic table classifies issues based on the most scalable solution, whether that be in frameworks, perimeter technologies, custom code, or fixing the browsers and standards responsible.  If you would like to contribute, please visit the OWASP Periodic Table of Vulnerabilities page or contact the project leader, James Landis. New OWASP Projects OWASP Framework Security Project The OWASP Framework Security Project focuses on understanding missing security controls within popular frameworks, and coordinating with developers and the framework leaders to effectively integrate the missing security controls.  This project requires the collaboration between security experts, security minded developers, and framework developers and leaders.  The primary deliverable of this project is source code that is accepted into frameworks.  The OWASP Framework Security Project will maintain documentation to indicate with security controls have been accepted, and links to code and documentation at each framework.  For more information, please contact the Project leader, Michael Coates. OWASP SecLists Project SecLists is a collection of multiple types of lists used during security assessments.  List types include usernames, passwords, URLs, sensitive data group strings, fuzzing payloads, and many more.  The goal is to enable a security tester to pull this repo onto a new testing box, and have access to every type of list that may be needed.  For more information, please contact the project leader, Daniel Miessler. Project Announcements New "ESAPI for Java" release - 2.1.0 A new version of ESAPI, release 2.1.0, has been uploaded to both the Google Code downloads list as well as being made available via Maven Central.  The full release notes are available with the Google Code download here.  Most importantly, if fixes Google Issue #306 which is closed with this release.  If you want more information on the release, or the OWASP ESAPI Project, please visit the project wiki page.  Alternatively, you may contact Kevin Wall or Chris Schmidt directly. OWASP Top 10 2013:  Korean Version Released A big thank you to Yune Sung, Johnny Cho, and all those involved in the effort to translate the OWASP Top 10 2013 version into Korean.  The document can be downloaded here, and both the document and the contributors list can be found here.  Please reach out to Yune Sung or Johnny Cho if you have any questions about the translation. OWASP ByWaf Project The OWASP ByWaf Project is looking for Python developers to help with the final stages of the project.  The project is a tool that bypasses WAFs, and its main function is to detect, evade, and display vulnerabilities.  If you are interested in contributing to the project, please contact the project leader, Rafael Gil Larios. 2013 OWASP Mobile Top 10 Call for Data The project leaders for the OWASP Mobile Security Project are looking for data that represents the current state of mobile application security.  They are soliciting not just vulnerability data, but also incident and attack data that reflects the real-world prevalence and significance of these issues.  The goal in requiring both is to rank risks accordingly based on data as opposed to making assumptions.  They will use this data to flesh out and re-evaluate the currently incomplete Mobile Top Ten Project.  If you are interested in contributing data to the project, please contact Project leaders Jason Haddix, Jack Mannino, and Mike Zusman.	Global Capture The Flag Competition is LIVE!!!!!!! Are you ready for the First Global CTF?  The Irish Honeynet project:  @honeyn3t, in cooperation with OWASP have built a CTF designed to engage first time CTF players while also challenging the experienced.  Places for the games are limited - and you must register to play. The competition will run now until the end of September.  The winners will be announced and recognized during AppSec USA 2013 in New York, NY. The purpose of the games is to provide an environment for people to have fun and learn about security! Read more about the Global CTF Here Register for the Global CTF Here   Thank you to our newest Corporate Member: Lynx Technology Partners Thank you to Information Builders for their renewal Thank you to Information Security Buzz A New Media Supporter The Membership Deadline to participate in the 2013 Global Board Election AND the 2013 WASPY awards is September 30, 2013.  Please visit the Membership Page to get information on how to renew or how to join. OWASP AppSec LATAM 2013 Registration is now LIVE!  Click here to register and take advantage of early bird pricing. OWASP AppSec USA 2013 Click Here for the full schedule of Talks and Training Classes LOCAL AND REGIONAL EVENTS Ghana Cyber Security - Sept 5-6 OWASP New Zealand Day 2013 - Sept 11-12; Auckland, New Zealand LASCON 2013 - Oct 24-25, Austin, TX Meet our New Technical Project Advisors As the OWASP Projects Inventory continues to grow, we continue to work towards improving the operations side of OWASP Projects.  One of the major items on the agenda for 2013 is to review and update the current project assessment criteria and graduation process.  The update is needed as there are now over 100 OWASP Projects, and the assessment criteria and process must be able to meet the demand for quality reviews.  This is why the Technical Project Advisors were brought together.  Please help me in welcoming our new Technical Project Advisors.  Read our blog post for more information.	OWASP Webinar Series GET YOUR CREDITS! Register to participate in the OWASP Webinar Series.  This provides an opportunity to review some of the top security talks AND earn CPE credits!  Wednesday September 11, 2013.  LIVE - Ken Johnson Rails Goat Project Webinar RailsGoat project provides training for developers and security professionals - all specific to the Ruby on Rails framework 10am EDT (Live Webinar) and at 9pm EDT (replay of the Live Webinar) Wednesday September 25, 2013.  LIVE - Josh Sokol SimpleRisk Webinar SimpleRisk is an open source tool designed to help better manage and facilitate enterprise risk management. 10am EDT (Live Webinar) and 9pm EDT (replay of the Live Webinar) Wednesday October 9, 2013.  LIVE - Global Board Candidate Question and Answers Interactive question and answer format for the Global Foundation Board Candidates.  Facilitated by Kelly Santalucia at 10am EDT and 9pm EDT Wednesday November 6, 2013.  LIVE - Kiran Karnad OWASP Top Ten & Burp information and registration coming soon We want to highlight projects and research!  If you have a topic that you would like to present, please submit an abstract here:  Contact us Review the Candidates Review the Election Timeline Review the Nominees

Meet our new Technical Project Advisors!

As the OWASP Projects Inventory continues to grow, we continue to work towards improving the operations side of OWASP Projects. One of the major items on the agenda in 2013 is to review and update the current project assessment criteria and graduation process. The update is needed as there are now over 100 OWASP Projects, and the assessment criteria and process must be able to meet the demand for quality reviews. This is why the Technical Project Advisors were brought together. 

The Technical Project Advisors were recruited as volunteers to help the organization review and update the current assessment criteria and project graduation process. They each are responsible for six different areas that encompass the subject matter of our projects. Please help me in welcoming our new Technical Project Advisors.

Technical Project Advisors

Chuck Cooper

Secure Development Advisor

Chuck.Cooper@owasp.org

Chuck has been developing and/or managing several award winning software products for over 25 years including working on Great Plains Property Management, Borland Paradox, Acuity Projects, CA Clarity, and Paylocity Web Pay.  For the past 8 years he has been working as the CIO at Paylocity, and recently he earned his CISSP certification and became the CISO and Sr. VP of Enterprise Architecture. Now he can focus primarily on network and application security for Paylocity's Software-as-a-Service Payroll, HR, Time & Labor Management, and Online Benefits products.  

Given the importance of web security in our society today, Chuck hopes that price is never a deterring factor to individuals and companies adopting best security practices so he is very excited to be working with OWASP to help make important security applications and training available to everyone as open source at, no cost.
................................................................................................................................................................................................................................................

Joshua Clements

Governance Advisor

Joshua.Clements@owasp.org

Josh Clements is an application development manager at AAA Inc., where he has been since 2001. At AAA, Josh is responsible for teams that develop GPS-enabled applications for fleet telematics. He graduated from Florida Institute of Technology with a degree in Computer Information Systems while working full time and raising three young children.
................................................................................................................................................................................................................................................

Ly Vandy

Education Advisor

Ly.Vandy@owasp.org

Based on my experience of web application development for almost 7 years, I have now become a Web Project Manager for GreenICT Technology, Co.,LTD since 2011. Currently, beside my website development career, I am also a Web Application Security Consultant to many big companies in Cambodia in order to test their products, both finding vulnerabilities (security assessment), and protection configuration (on web application layer and web server). 

Beside my professional employment at a private company, I also volunteer as an Incident Analyst at CamCert (NiDA) by helping the head of the department on general security assessment, protection, and forensic work. With this work, I can help make penetration-testing or check hacked websites (victim) find the way an attacker hacked into their website by showing proof, a report, and giving recommendations.

Moreover, I have just become “Technical Project Advisor” for OWASP in the role of Education Advisor. I am very happy to become a part of this advisory group so that I can share and update my knowledge.
................................................................................................................................................................................................................................................

Chris Bush

Secure Lifecycle Activity Advisor

Christopher.Bush@owasp.org

Chris Bush is going into his third decade of combined experience in IT and information security consulting and solutions delivery. Chris specializes in application security, including application penetration testing, secure code review, and integrating security into the software development lifecycle.

Having been a contributing member of the information security community for many years, Chris currently serves as a volunteer for OWASP as a Technical Project Advisor, is an officer of the (ISC)2 Cleveland Chapter, and has a wide variety of public speaking credits, including:

•“Security ROI – Demonstrating The Value of Investing in Information Security”,

Information Security Summit 2012, Cleveland, OH

•“How Cross-Site Request Forgery Can Turn Your Employees Into Unwitting Internal Hackers”, North East Ohio InfoSec Form, November 2010, Information Security Summit 2011, Cleveland,OH

•“Threat Modeling With Abuse Cases”, Information Security Summit 2008, Cleveland, OH

•“Application Security: Who’s Job Is It?”, Cyber Security Summit 2006, Ponte Vedra, FL; Information Security Summit 2006, Cleveland, OH; Software Security Summit 2007, San Mateo, CA.

•“Secure Coding: Tips and Techniques”, Information Security Summit 2005, Cleveland, OH.

Chris is a Certified Information Systems Security Professional (CISSP) and holds a Masters Degree in Computer Science from Binghamton University, Binghamton, New York and a Bachelors Degree in Computer Science from University of Buffalo, Buffalo, New York.
................................................................................................................................................................................................................................................

Johanna Curiel 

Static Analysis Advisor

Johanna.Curiel@owasp.org

Johanna Curiel is a senior security information analyst with more than 10 years of extensive experience in programming and software development. She works, at the moment, in the Banking sector in the Dutch Caribbean, Curacao. She has extensive experience as a software developer in the .NET platform, but also open source tools and languages such as Java.

Johanna is married, has a kid of 11 years old and 2 cats. She loves sports like swimming and tennis, and tries to eat healthy most of the time. She enjoys programming even in her free time, and loves to read about the latest security breaches and hacks.

From June 2012, Johanna is an active chapter leader of the OWASP Curacao Chapter. Johanna also has an M.Sc. in Computer Security from the Liverpool University (2010).
................................................................................................................................................................................................................................................

John Krogulski

Dynamic Analysis Advisor

John.Krogulski@owasp.org

My current position is a Software Architect. In this role, I lead a team of developers designing and building .Net custom interfaces used to integrate disparate third party applications for a health insurance company. These systems must comply with all DIACAP regulations as the company does extensive work with Tricare.

I develop both Client server and Web based applications. I have been trained on the current FDA guidelines for medical devices and software systems. I worked as a software developer for the UW Hospital designing their new organ transplant system ensuring it met all HIPAA, HITECH Act and FDA requirements. I have designed and built active directory modules for use with web applications. I have extensive knowledge of SQL Server and Oracle database design and development, and I have been a windows server administrator.

Last year, I assisted a client in developing a module to allowed them to properly manage credit card information in their systems. This involved both database re-design as well as ensuring their web component did not leak any PCI data.

I hold a current Comptia Security + certification as well as a Certified Ethical Hacker certification, and I have designed enterprise systems that meet federal security requirements. I am trying to transition to a full-time security role.
................................................................................................................................................................................................................................................

Please feel free to reach out to me, or any of our advisors above, if you need more information on the work we are doing.