OWASP Global Connector October 9, 2013

Global OWASP Connector - October 9, 2013
Featured OWASP Project OWASP CSRFGuard Project OWASP CSRFGurard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.  The OWASP CSRFGuard library is integrated through the use of JavaEE Filter, and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.  When a user interacts with this HTML, CSRF prevention tokens (i.e. cryptrgraphically random synchronizer tokens) are submitted with the corresponding HTTP request.  It is the responsibility of OWASP CSRFGuard to ensure the token is present and is valid for the current HTTP request.  For more information on the CSRFGuard project, please contact the project leander, Eric Sheridan. NEW OWASP Projects OWASP Node.js Goat Project Node.js is a widely adopted platform for developing web applications.  This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js, and how to effectively address them. For more information, please contact the project leader, Chetan Karande. OWASP Pygoat Project The Pygoat Project is similar to the WebGoat or RailsGoat projects in that it is an application specifically designed to be insecure in hopes of teaching others about code flaws in web applications.  In this specific context, it will focus mainly on Python and Django code libraries.  For more information, please contact the project leader, Kyle Rippee. OWASP Python Security Project Python Security is a free, open source project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations. The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:  Security in python:  white-box analysis, structural and functional analysis, Security in python:  black box analysis, identify and address security-related issues, Security with python:  develop security hardened python suitable for high-risk and high-security environments.  For more information, please contact the project leader, Enrico Branca. 3 New Project Releases! OWASP Broken Web Applications Version 1.1.1 Released From Chuck Willis, project leader:  I'm proud to announce the release of version 1.1.1 of the OWASP BWA VM.  This release is relatively minor, but there were a couple of items that I wanted to address: Fixed issue with Tomcat not starting in some circumstances.  Thanks to the individuals who reported this issue (that I did not experience) and confirmed the fix. Updated Mutillidae and transitioned to use its new Git repository. VM is now available for download in .ova format, which should make it easier to use in virtualization packages other than VMware products. OWASP Java HTML Sanitizer Project v209 Released The OWASP Java HTML Sanitizer project is a fast and easy to configure HTML Sanitizer written in Java.  This project is a secure coding library that lets you include HTML authored by third-parties in your web application while protecting against XSS.  The OWASP Java HTML Sanitizer was authored by and is actively maintained by Mike Samuel from the Google application security team. Version 209 was recently released.  Change-log information can be found here.  If you have questions about this project, please join the project mailing list. OWASP Zed Attack Proxy 2.2.0 Released Zap 2.2.0 is now available HERE. This includes support for scripts embedded in ZAP components like the active and passive scanners as well as support for Zest - a new security focused scripting language from the Mozilla security team.  It also supports Mozilla Plun-n-Hack, locailization in 20 languages, various minor enhancements and lots of bug fixes.  For more details see the release notes. Additionally, if you use ZAP, then please fill in the ZAP user questionnaire linked off the ZAP homepage.  This will help us prioritize features for future releases.  For more information, please contact the project leader, Simon Bennetts. Message from Project Leader, Shruti Kulkarni:  Seeking Contributors Legacy applications are a reality.  I would like to present vulnerabilities and threats of legacy web applications, and the countermeasures for the same, in my project.  I have listed down a few.  I would like contributions in these areas, and also pointers on anything else assiciated with legacy web applications.  The project is the OWASP Supporting Legacy Web Applications in the Current Environment Project.  For more information, please contact the project leader, Shruti Kulkarni. New Support email is now available.  To reach a staff member, email:  support@owasp.org	OWASP AppSec USA 2013 www.appsecusa.org/2013/ The *draft* schedule is now published OWASP Project and Leader Summit Press Releases Local and Regional Events OWASP China 2013 Forum - July 12 - Dec 31, Bejing, Shanghai, and Guangzhou LASCON 2013 - Oct 24-25, Austin, TX Houston November Mini-Con - Nov 15, Houston, TX OWASP BeNeLux - Nov 28-Nov 29, Netherlands BASC 2013 - Dec 14, Cambridge, MA AppSec California 2014 - Jan 27-Jan 28, Santa Monica, CA Partner and Promotional Events Hack in the Box - October 14-17;  Discount code for OWASP Members:  OWASP2013 Nullcon - India, Feb 12-15, 2014.  Call for papers is OPEN Thank you to our Newest Corporate Member Bank of NY Mellon Thank you to our Renewed Corporate Members ADP FICO OWASP Webinar Series Wednesday, October 9, 2013 Live - Global Board Candidate Question and Answers Interactive question and answer format for the Global Foundation Board Candidates.  Facilitated by Kelly Santalucia. 9pm EDT Wednesday, October 23, 2013 Live - Jason Johnson, Project leader - OWASP Hive Project:  Welcome to the Grid Jason will walk us through the OWASP Hive Project - the HIVE project started out as an idea for a learning platform created by using some small, capable pc to do our bidding - now look at the progress! 10 am EDT 9 pm EDT Wednesday November 6, 2013 Live - Kiran Karnan, Project Leader - OWASP Top Ten & BURP Kiran will demonstrate the Top Ten using BURP 10 am EDT 9 pm EDT Wednesday December 4, 2013 Live - Abbas Naderi, Project leader - OWASP PHP Security Project Abbas will demonstrate the existing and planned features of his project 10 am EDT 9 pm EDT The Global Webinar Series wants to feature your Project.  Please contact Kate Hartmann or Samantha Groves to schedule your project webinar. Women in AppSec Selection Finalized After careful consideration, the Women in AppSec selection team chose two winners this year for the Woman in AppSec fund.  They will each receive a free conference pass to AppSec USA 2013, a seat in the training class of their choice along with travel and accommodations to attend.  Please join in our congratulations to this year's winners, Nancy Lornston and Carrie Schaper.	THE ELECTION PAGE Be sure to review the available materials and become an informed voter. Upcoming Dates October 9 - Q&A Webinar October 14 - Voting Begins October 25 - Voting Ends October 29 - Election Result Announced The Web Application Security Persons of the Year (WASPY) award nominees are POSTED Show your support for the community by becoming a Sponsor of the awards. Corporate sponsors AND Chapter sponsors are encouraged to participate FULL SPONSORSHIP INFORMATION CAN BE FOUND HERE In case you missed it ... The Global CTF was an outstanding success.  Initiatlly the honeynet had capacity for 200 active players, however,  the potential to scale up was quicly recognized.  With the assistance of the Instutute of Technology Blanchardstown, who provided additional servers and bandwidth, we ere able to extend the CTF capacity by and additional 25% with active players from all over the world from a variety of time zones.  Although everyone who took part, including teh organizers, learned lots and had fun - there can only be one winner ... Top 10 Places & Scores aaaaaa [1665] reaver2121991 [1640 Orbiter [1539] y0y0Hon3ySinghJ1 [1524] ietians [1302] cybercruiser [1290] Mutantinmate [1284] bannedXD [1278] ntyeil [1277] cia403 [1274] Global Initiatives Metrics 504 unique volunteers Volunteer Sign ups over Time Leadership Status of New Volunteers OWASP Ghana recognized in the fight against cyber crime! Theo Sagoe and the OWASP Ghana team was recently recognized on national television news.  The spot highlights the need in the African Region for increased villigance and attention to cyber security.  Watch the youtube segment