Wednesday, September 25, 2013

OWASP Global Connector Sept 25, 2013




Featured OWASP Project

OWASP CTF Project

The OWASP CTF project is a web-based hacking challenge application that can be run as an event activity during conferences and other events.  The project was created with a handful of challenges whose topics include web, network, and other activities.  Users will need creativity, resourcefulness, and networking skills to solve the various challenges in the OWASP CTF.  Please visit the project wiki page or contact the project leader, Steven van der Baan, for more information.

NEW OWASP Projects

OWASP Media Project

The OWASP Media Project is an infrastructure project that aims to gather, consolidate, and promote OWASP content in video format on a central hub.  The first and main instance of the project will be a YouTube channel.  We have now successfully applied to Google for our Non-Profit YouTube account and are working on site branding.  For more information, contact the project leader, Jonathan Marcil.

OWASP Global Chapter Meetings Project

The Global Chapter Meetings Project seeks to connect participants globally by placing a spotlight on local chapters.  This is intended to open the gates of participation and to foster communication and collaboration among chapters.  Additionally, this project plans to create materials that can connect OWASP on a global scale.  For more information, contact the project leader, Yvan Boily.

OWASP This I Believe Security Project

The OWASP This I Believe Security Project will be a short-term series of essays posted on the OWASP website about broad application security topics.  The project is a loose adaptation of the basic concept of the "This I Believe" series.  The project aims to expand and elevate the conversation around security topics.  For more information, please contact the project leader, John Melton.

Project Announcements

Project talks at AppSec USA

The OWASP Project Summit is a smaller version of the much larger OWASP Summits.  This event gives our project leaders the opportunity to showcase their project progress and have attendees sit down and work on project tasks during the event.  It is an excellent opportunity to engage the event attendees, and it gives project leaders the chance to move forward on their project milestones while meeting new potential volunteers who can assist with future milestones.  The project talks have now been scheduled.  Visit the AppSec USA website for the schedule.  If you have any questions, please contact Samantha Groves.



Global Webinar Series wants to feature your Project.  Please contact Kate Hartmann or Samantha Groves to schedule your project webinar.

New Support email is now available.  To reach a staff member, email:  support@owasp.org


OWASP AppSec USA 2013
www.appsecusa.org/2013/


(from 9/12/2013 blog post - Tom Brennan)

October is National Cyber Security Awareness Month, and it is an opportunity to engage public and private sector stakeholders to create a safe, secure, and resilient cyber environment.  For the OWASP Foundation, this is a perfect time to RAISE AWARENESS...

The *draft* schedule is now published
OWASP Project and Leader Summit
Press Releases

Local and Regional Events

OWASP China 2013 Forum - July 12 - Dec 31, Beijing, Shanghai, and Guangzhou
AppSec Israel 2013 - Oct 1, Herzliya Israel
LASCON 2013 - Oct 24-25, Austin, TX
Houston November Mini-Con - Nov 15, Houston, TX
OWASP BeNeLux - Nov 28-Nov 29, Netherlands
BASC 2013 - Dec 14, Cambridge, MA
AppSec California 2014 - Jan 27-Jan 28, Santa Monica, CA

Partner and Promotional Events

Information Security Summit
Hack in the Box
Council on CyberSecurity
ISSA International Conference - Discount code for OWASP Members:  confOWASP62c
Cloud Security Alliance Congress 2013 - 10% discount for OWASP members with code:  CSA13/OWASP


Media Partnerships

Information Security Buzz

PenTest Magazine - OWASP Members can receive a 25% discount for a PenTest subscription by using discount code:  OWASP25


OWASP Webinar Series

Wednesday, September 25
LIVE - Josh Sokol
TOPIC - SimpleRisk - SimpleRisk is an open source tool designed to help better manage and facilitate enterprise risk management.

10am EDT (Live Webinar)

9pm EDT (Recorded Webinar)

Wednesday, October 9, 2013
LIVE - Global Board Candidate Question and Answers

Interactive question and answer format for the Global Foundation Board Candidates.  Facilitated by Kelly Santalucia.

10am EDT

9pm EDT



The Written Answers to the Community Questions from all the Board Candidates are now POSTED ON THE ELECTION PAGE

The Audio recordings of the interviews conducted with all the Board Candidates are NOW POSTED ON THE ELECTION PAGE

Be sure to review the available materials and become an informed voter.


Upcoming Dates

September 30 - Paid & Honorary membership application deadline
October 9 - Q&A Webinar
October 14 - Voting Begins
October 25 - Voting Ends
October 29 - Election Result Announced


The Web Application Security Persons of the Year (WASPY) award nominees are POSTED

Please review the nominee information and be prepared to vote your selection during the 2013 Election

Show your support for the community by becoming a Sponsor of the awards.

Corporate sponsors AND Chapter sponsors are encouraged to participate

FULL SPONSORSHIP INFORMATION CAN BE FOUND HERE

OWASP AppSec News Feed is BACK!

The OWASP AppSec News feed is back online.  When Google Reader shut down, we went back to the drawing board to set up a new aggregation system.  It is now working, and we have also published the criteria for posts that are shared, how to submit a blog for consideration (we need to rebuild the sources), and how to volunteer to curate.

Important:  The feed has changed.  You will need to subscribe HERE

All other information is posted HERE

Many thanks to Jeff Williams, who operated the OWASP news feed for 8 years.

Industry Citations

OWASP is often referenced in official or otherwise important documents.  This does NOT include presentations or educational materials, sales literature, forum messages, blog postings, news stories, or press releases.  Please refer to the Industry Citations page for the citations spotted by our community.  Should you come across content that should be listed there, please contact Colin Watson.


New OWASP Chapters

OWASP Coimbatore
Region:  Asia
Chapter Leader:  Subramaniam Sankaran

OWASP Charleston
Region:  United States
Chapter Leader:  Tony Cook

Friday, September 13, 2013

2013 Board Candidate Interviews Are NOW POSTED!

Your 2013 Board Candidate audio recordings and written responses are NOW POSTED!  Become an informed voter and take a listen.
https://www.owasp.org/index.php/2013_Board_Elections#Recorded_Interviews

Please refer to the Election Timeline for important upcoming deadline dates.  
 

Tuesday, September 10, 2013

Global OWASP Connector September 10, 2013


Project Updates
Global Board Elections
Global CTF

Featured OWASP Project


OWASP Hackademic Challenges Project

The OWASP Hackademic Challenges Project is an open source project that helps you test your knowledge of web application security.  The Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe, controllable environment, so you can actually attack web applications without putting real systems at risk.  Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security from the attacker's perspective.  Currently, there are 10 web application security scenarios available.

You can choose to start from the one that you find most appealing, although we suggest following the order presented.  We intend to expand the available challenges with additional scenarios that involve cryptography, and even vulnerable systems implemented as downloadable virtual machines.  Please contact Kostas for more information.

New OWASP Projects

OWASP JAWS Project

The purpose of the project is to provide a working set of runnable Java code that demonstrates secure coding practices.  Too often, developers end up at a developer forum where someone has asked a question, and the proposed solutions (which may work, but not necessarily in a secure way) are copied and end up in production code.

The project will demonstrate how to implement existing solutions, leveraging existing material from the OWASP community.  For more information, please contact the project leader, Maarten Mestdagh.

Project Announcements

Meet our new Grants and Fundraising Intern!

Recently, the OWASP Foundation has enjoyed an increase in grant and fundraising opportunities.
The Grants and Fundraising Internship opportunity was created to not only assist with the increased workload, but to help the successful candidate gain more experience in grant research, writing, and planning for a global non-profit organization.   After interviewing several candidates, we have finally made our selection.  Please join me in welcoming our new Grants and Fundraising Intern, Kait Disney-Leugers.  Please contact Samantha Groves if you have any questions about our grant work.




Review the Candidates
Review the Election Timeline

September 30 is the last day to purchase/renew your membership or to apply for an honorary membership to be able to vote in this year's election


Review the Nominees


Global Capture The Flag Competition is LIVE!!!!!!!

Are you ready for the First Global CTF?  The Irish Honeynet Project (@honeyn3t), in cooperation with OWASP, has built a CTF designed to engage first-time CTF players while also challenging the experienced.  Places for the games are limited, and you must register to play.

The competition runs from now until the end of September.  The winners will be announced and recognized during AppSec USA 2013 in New York, NY.

The purpose of the games is to provide an environment for people to have fun and learn about security!

Read more about the Global CTF Here
Register for the Global CTF Here



OWASP AppSec LATAM 2013

We are sorry to inform you that, unfortunately, due to low attendance, AppSec LATAM 2013 has been cancelled.  Should you need any further information, do not hesitate to contact us at AppSecLatam2013@owasp.org.

OWASP AppSec USA 2013

Potential Sponsors, take note: the deadline to take advantage of preferred booth selection is this Friday, September 13, 2013
Secure your space here

Click Here for the full schedule of Talks and Training Classes

LOCAL AND REGIONAL EVENTS

OWASP New Zealand Day 2013 - Sept 11-12; Auckland, New Zealand
LASCON 2013 - Oct 24-25, Austin, TX






OWASP Webinar Series

GET YOUR CREDITS!

Register to participate in the OWASP Webinar Series.  This provides an opportunity to review some of the top security talks AND earn CPE credits!

Wednesday, September 11, 2013
LIVE - Ken Johnson
RailsGoat Project Webinar
The RailsGoat project provides training for developers and security professionals, all specific to the Ruby on Rails framework.

10am EDT (Live Webinar)
and
9pm EDT (replay of the Live Webinar)

Wednesday, September 25, 2013
LIVE - Josh Sokol
SimpleRisk Webinar
SimpleRisk is an open source tool designed to help better manage and facilitate enterprise risk management.

10am EDT (Live Webinar)
and
9pm EDT (replay of the Live Webinar)

Wednesday, October 9, 2013
LIVE - Global Board Candidate Question and Answers

Interactive question and answer format for the Global Foundation Board Candidates.  Facilitated by Kelly Santalucia.

10am EDT
and
9pm EDT

Wednesday, November 6, 2013
LIVE - Kiran Karnad
OWASP Top Ten & Burp
information and registration coming soon


We want to highlight projects and research!  If you have a topic that you would like to present, please submit an abstract here:  Contact us







Meet our new Grants and Fundraising Intern!



The Grants and Fundraising Internship was created to help a successful candidate gain more experience in grant research, writing, and planning for a global non-profit organization. Recently, we realized that the organization needs some assistance with the grant and fundraising workload. We felt that providing this internship would be a great way to help someone gain more experience while also helping us alleviate our OWASP grant and fundraising workload.

After interviewing a handful of candidates, we have finally made our selection. Please join me in welcoming our new Grants and Fundraising Intern, Kait Disney-Leugers.

Grants and Fundraising Intern
Kait Disney-Leugers

I received my B.A. in history from Ohio University, and I now live in Silicon Valley. Along with my interest in OWASP, I am also a member of the American Historical Association. I applied to this internship because OWASP is already a part of my life. My honeymoon was attending last year's AppSec conference in Austin, and I am also interested in helping with the Women in Application Security Program.


Tuesday, September 3, 2013

Global OWASP Connector September 3, 2013


Project Updates
Membership Updates
Global CTF
Translation Efforts

Featured OWASP Project


OWASP Periodic Table of Vulnerabilities

There are many anthologies of vulnerabilities and weaknesses (including the CWE Top 25, TCv2, and the OWASP Top 10), but none of them classifies these issues based on how they should best be solved.  In the past, we have tried to teach developers how to avoid introducing these problems, but the history of the buffer overflow suggests that the only way we will ever eliminate them is to make it impossible for developers to write vulnerable code.  The periodic table classifies issues based on the most scalable solution, whether that lies in frameworks, perimeter technologies, custom code, or fixing the browsers and standards responsible.  If you would like to contribute, please visit the OWASP Periodic Table of Vulnerabilities page or contact the project leader, James Landis.

New OWASP Projects

OWASP Framework Security Project

The OWASP Framework Security Project focuses on understanding missing security controls within popular frameworks, and coordinating with developers and the framework leaders to effectively integrate the missing security controls.  This project requires collaboration between security experts, security-minded developers, and framework developers and leaders.  The primary deliverable of this project is source code that is accepted into frameworks.  The OWASP Framework Security Project will maintain documentation indicating which security controls have been accepted, with links to code and documentation at each framework.  For more information, please contact the project leader, Michael Coates.

OWASP SecLists Project

SecLists is a collection of multiple types of lists used during security assessments.  List types include usernames, passwords, URLs, sensitive data group strings, fuzzing payloads, and many more.  The goal is to enable a security tester to pull this repo onto a new testing box, and have access to every type of list that may be needed.  For more information, please contact the project leader, Daniel Miessler.

Project Announcements

New "ESAPI for Java" release - 2.1.0

A new version of ESAPI for Java, release 2.1.0, has been uploaded to the Google Code downloads list and is also available via Maven Central.  The full release notes are available with the Google Code download here.  Most importantly, it fixes Google Issue #306, which is closed with this release.  If you want more information on the release or the OWASP ESAPI Project, please visit the project wiki page.  Alternatively, you may contact Kevin Wall or Chris Schmidt directly.

OWASP Top 10 2013:  Korean Version Released

A big thank you to Yune Sung, Johnny Cho, and all those involved in the effort to translate the OWASP Top 10 2013 version into Korean.  The document can be downloaded here, and both the document and the contributors list can be found here.  Please reach out to Yune Sung or Johnny Cho if you have any questions about the translation.

OWASP ByWaf Project

The OWASP ByWaf Project is looking for Python developers to help with the final stages of the project.  The project is a tool that bypasses WAFs, and its main function is to detect, evade, and display vulnerabilities.  If you are interested in contributing to the project, please contact the project leader, Rafael Gil Larios.

2013 OWASP Mobile Top 10 Call for Data

The project leaders for the OWASP Mobile Security Project are looking for data that represents the current state of mobile application security.  They are soliciting not just vulnerability data, but also incident and attack data that reflects the real-world prevalence and significance of these issues.  The goal in requiring both is to rank risks accordingly based on data as opposed to making assumptions.  They will use this data to flesh out and re-evaluate the currently incomplete Mobile Top Ten Project.  If you are interested in contributing data to the project, please contact Project leaders Jason Haddix, Jack Mannino, and Mike Zusman.






Global Capture The Flag Competition is LIVE!!!!!!!

Are you ready for the First Global CTF?  The Irish Honeynet Project (@honeyn3t), in cooperation with OWASP, has built a CTF designed to engage first-time CTF players while also challenging the experienced.  Places for the games are limited, and you must register to play.

The competition runs from now until the end of September.  The winners will be announced and recognized during AppSec USA 2013 in New York, NY.

The purpose of the games is to provide an environment for people to have fun and learn about security!

Read more about the Global CTF Here
Register for the Global CTF Here




Thank you to our newest Corporate Member:
Lynx Technology Partners

Thank you to
Information Builders
for their renewal

Thank you to
Information Security Buzz
A New Media Supporter

The Membership Deadline to participate in the 2013 Global Board Election AND the 2013 WASPY awards is September 30, 2013.  Please visit the Membership Page to get information on how to renew or how to join.

OWASP AppSec LATAM 2013

Registration is now LIVE!  Click here to register and take advantage of early bird pricing.

OWASP AppSec USA 2013

Click Here for the full schedule of Talks and Training Classes

LOCAL AND REGIONAL EVENTS

Ghana Cyber Security - Sept 5-6
OWASP New Zealand Day 2013 - Sept 11-12; Auckland, New Zealand
LASCON 2013 - Oct 24-25, Austin, TX


Meet our New Technical Project Advisors

As the OWASP Projects Inventory continues to grow, we continue to work towards improving the operations side of OWASP Projects.  One of the major items on the agenda for 2013 is to review and update the current project assessment criteria and graduation process.  The update is needed because there are now over 100 OWASP Projects, and the assessment criteria and process must be able to meet the demand for quality reviews.  This is why the Technical Project Advisors were brought together.  Please join me in welcoming our new Technical Project Advisors.  Read our blog post for more information.








Meet our new Technical Project Advisors!



As the OWASP Projects Inventory continues to grow, we continue to work towards improving the operations side of OWASP Projects. One of the major items on the agenda in 2013 is to review and update the current project assessment criteria and graduation process. The update is needed as there are now over 100 OWASP Projects, and the assessment criteria and process must be able to meet the demand for quality reviews. This is why the Technical Project Advisors were brought together. 

The Technical Project Advisors were recruited as volunteers to help the organization review and update the current assessment criteria and project graduation process. Each advisor is responsible for one of six areas that together encompass the subject matter of our projects. Please join me in welcoming our new Technical Project Advisors.

Technical Project Advisors

Chuck Cooper
Secure Development Advisor
Chuck.Cooper@owasp.org

Chuck has been developing and/or managing several award-winning software products for over 25 years, including Great Plains Property Management, Borland Paradox, Acuity Projects, CA Clarity, and Paylocity Web Pay.  For the past 8 years he has been the CIO at Paylocity; he recently earned his CISSP certification and became CISO and Sr. VP of Enterprise Architecture. He can now focus primarily on network and application security for Paylocity's Software-as-a-Service Payroll, HR, Time & Labor Management, and Online Benefits products.

Given the importance of web security in our society today, Chuck hopes that price is never a deterring factor for individuals and companies adopting best security practices, so he is very excited to be working with OWASP to help make important security applications and training available to everyone as open source, at no cost.

Joshua Clements
Governance Advisor
Joshua.Clements@owasp.org

Josh Clements is an application development manager at AAA Inc., where he has been since 2001. At AAA, Josh is responsible for teams that develop GPS-enabled applications for fleet telematics. He graduated from Florida Institute of Technology with a degree in Computer Information Systems while working full time and raising three young children.

Ly Vandy
Education Advisor
Ly.Vandy@owasp.org

With almost 7 years of experience in web application development, I have been a Web Project Manager at GreenICT Technology Co., Ltd. since 2011. Currently, besides my website development career, I am also a Web Application Security Consultant to many big companies in Cambodia, testing their products, both finding vulnerabilities (security assessment) and configuring protection (at the web application layer and the web server).
Besides my professional employment at a private company, I also volunteer as an Incident Analyst at CamCert (NiDA), helping the head of the department with general security assessment, protection, and forensic work. In this work, I perform penetration tests or examine hacked websites (victims) to find the way an attacker got into their website, showing proof, writing a report, and giving recommendations.
Moreover, I have just become a "Technical Project Advisor" for OWASP in the role of Education Advisor. I am very happy to be part of this advisory group so that I can share and update my knowledge.

Chris Bush
Secure Lifecycle Activity Advisor
Christopher.Bush@owasp.org

Chris Bush is going into his third decade of combined experience in IT and information security consulting and solutions delivery. Chris specializes in application security, including application penetration testing, secure code review, and integrating security into the software development lifecycle.

Having been a contributing member of the information security community for many years, Chris currently serves as a volunteer for OWASP as a Technical Project Advisor, is an officer of the (ISC)2 Cleveland Chapter, and has a wide variety of public speaking credits, including:

• "Security ROI – Demonstrating The Value of Investing in Information Security", Information Security Summit 2012, Cleveland, OH
• "How Cross-Site Request Forgery Can Turn Your Employees Into Unwitting Internal Hackers", North East Ohio InfoSec Forum, November 2010; Information Security Summit 2011, Cleveland, OH
• "Threat Modeling With Abuse Cases", Information Security Summit 2008, Cleveland, OH
• "Application Security: Whose Job Is It?", Cyber Security Summit 2006, Ponte Vedra, FL; Information Security Summit 2006, Cleveland, OH; Software Security Summit 2007, San Mateo, CA
• "Secure Coding: Tips and Techniques", Information Security Summit 2005, Cleveland, OH

Chris is a Certified Information Systems Security Professional (CISSP) and holds a master's degree in Computer Science from Binghamton University, Binghamton, New York, and a bachelor's degree in Computer Science from the University of Buffalo, Buffalo, New York.

Johanna Curiel 
Static Analysis Advisor
Johanna.Curiel@owasp.org

Johanna Curiel is a senior security information analyst with more than 10 years of extensive experience in programming and software development. She currently works in the banking sector in Curacao, in the Dutch Caribbean. She has extensive experience as a software developer on the .NET platform, and also with open source tools and languages such as Java.

Johanna is married, has an 11-year-old kid and 2 cats. She loves sports like swimming and tennis, and tries to eat healthy most of the time. She enjoys programming even in her free time, and loves to read about the latest security breaches and hacks.

Since June 2012, Johanna has been an active chapter leader of the OWASP Curacao Chapter. Johanna also has an M.Sc. in Computer Security from the University of Liverpool (2010).

John Krogulski
Dynamic Analysis Advisor
John.Krogulski@owasp.org

My current position is Software Architect. In this role, I lead a team of developers designing and building .NET custom interfaces used to integrate disparate third-party applications for a health insurance company. These systems must comply with all DIACAP regulations, as the company does extensive work with Tricare.

I develop both client-server and web-based applications. I have been trained on the current FDA guidelines for medical devices and software systems. I worked as a software developer for the UW Hospital designing their new organ transplant system, ensuring it met all HIPAA, HITECH Act, and FDA requirements. I have designed and built Active Directory modules for use with web applications. I have extensive knowledge of SQL Server and Oracle database design and development, and I have been a Windows Server administrator.

Last year, I assisted a client in developing a module that allowed them to properly manage credit card information in their systems. This involved both database redesign and ensuring their web component did not leak any PCI data.

I hold a current CompTIA Security+ certification as well as a Certified Ethical Hacker certification, and I have designed enterprise systems that meet federal security requirements. I am trying to transition to a full-time security role.

Please feel free to reach out to me, or any of our advisors above, if you need more information on the work we are doing.