Monday, June 19, 2017
June 2017 Corporate Members
We would like to thank the following companies for supporting the OWASP Foundation.
The companies listed below have contributed this month by either renewing their existing
Corporate Membership or joining OWASP as a new Corporate Member.
Details about Corporate Membership can be found here.
Contributor Corporate Members
Headquartered in downtown Manhattan, CipherTechs, Inc. is a privately held information security services provider. We focus on delivering security solutions for businesses harnessing the power of Internet communications. We audit, design and implement information security solutions in areas of IP networking, firewalls, application security, risk assessment, traffic management, encryption, redundancy and strong authentication. For more information, please visit http://www.ciphertechs.com.
Sonatype secures modern software development by fixing at-risk applications, automating policy throughout the lifecycle and identifying hidden risks in your applications. Sonatype's Component Lifecycle Management identifies and tracks OSS components, automates and enforces policy, and prevents the use of flawed components throughout the software lifecycle. Ask about free risk assessments. More information about Sonatype can be found here http://www.sonatype.com.
We are a software company and community of passionate, purpose-led individuals. We think disruptively to deliver technology that addresses our clients’ toughest challenges, all while seeking to revolutionize the IT industry and create positive social change. ThoughtWorks' 3,000 professionals serve clients from offices in Australia, Brazil, Canada, China, Ecuador, Germany, India, Italy, Singapore, South Africa, Turkey, Uganda, the United Kingdom and the United States. ThoughtWorks releases a regular technology radar, a study that looks at the key trends that impact the software development and business strategies. The Radar helps companies stay on top of topics that are constantly evolving, such as security, and offers insight and practical tools to build secure systems at every stage of the development process. For more information, please visit http://www.thoughtworks.com/
Want your company name here?
Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia, our Membership & Business Liaison today!
Thank you to all of our Premier and Contributor Corporate Members for your support!
Friday, June 16, 2017
AppSec USA 2017 Developer Summit Call for Session Volunteers
AppSec USA 2017 Developer Summit
We are excited to announce that OWASP will once again be holding a two day Developer Summit at AppSecUSA 2017 on September 19 & 20, 2017. OWASP is providing a structured platform for Developers two days prior to the AppSec USA 2017 conference. The Developer Summit will consist of sessions geared toward learning about security vulnerabilities.
If you have an interesting topic and would like to volunteer to host a training session, please SUBMIT HERE. For topic ideas, you can reference the AppSec EU 2017 DevSummit agenda. There are limited funds available to help offset the selected presenters' travel and one night of hotel accommodation.
There is no charge to attend the Developer Summit, so come join us! We do ask that if you plan on attending that you do SIGN UP so we have an estimated headcount to be sure we have enough space and food.
The Call for Presenters will close on July 14, 2017. Individuals will be notified on or before July 21, 2017 if their session was chosen. Please note: a conference ticket is NOT included, however you may purchase one separately.
More details and the agenda are coming soon!
Questions? Please submit them here.
Thursday, June 15, 2017
OWASP Code Sprint 2017 - Applications Extended to June 18th!!
Student application submissions are now extended to JUNE 18th: APPLY HERE
Goal:
The OWASP Code Sprint 2017 is a program that aims to provide incentives to students to contribute to OWASP projects. By participating in the OWASP Code Sprint 2017 a student can get real life experience while contributing to an open source project. A student who successfully completes the program will receive $1500.
Help OWASP Invite Students:
- Are you somehow affiliated with a university? Bring the OWASP Code Sprint to your CS Department!
- Reach out to the students you know, inform them about the program and how they can participate with OWASP Code Sprint 2017
- Student Application Form here.
Program Leaders:
Konstantinos Papapanagiotou
Fabio Cerullo
Spyros Gasteratos
Claudia Aviles Casanovas, Project Coordinator
Wednesday, June 7, 2017
Nominations are NOW being accepted for the 2017 WASPY Awards!
Every day, week, month and year OWASP volunteers contribute countless hours of their own personal time to OWASP to help make the cyber world a safer place. Some of these volunteers are well known in the OWASP community, while many others fly under the radar with only their local community seeing the stunning work they are doing. WASPY awards strive to recognize our unsung contributors and make their contributions to the community visible.
The WASPY Awards offer 3 categories, so you can nominate 3 different "unsung heroes" who you feel best fit each category description based on the individual's contributions to the OWASP Foundation.
To learn more about the awards, and to nominate your favorite WASPYs please visit: https://www.owasp.org/index.php/WASPY_Awards_2017
Friday, June 2, 2017
OWASP Operations Update for June 2017
Welcome to the operations update for June 2017, the ongoing series of updates on what's happening at the OWASP Foundation. Last month's post is available here.
Major efforts, status of those and important changes from the last time:
OWASP IT Infrastructure Hosting - Modernizing and migrating the OWASP infrastructure after Rackspace ended their donation of hosting.
- Remaining hosts at Rackspace
- OWASP Wiki
- Servers for the wiki will be migrating to AWS - the move was on hold during AppSec EU and while hiring a new IT contractor after the previous one left for a startup - wishing them success in their new gig.
- New IT Contractor started on June 1
- Mailman server
- Will be decommissioned after a gradual, phased migration to Discourse of the existing, active lists. More on Discourse below.
- Mail archives will be moved to a new server with the same URL structure
- Virtual-host server providing redirects and static website content
- Ansible automation created to deploy virtual hosts for either redirects or static sites by adding a few lines to a config file
- Ansible tested on the *.appseccalifornia.org domains successfully
The Website Reboot - aka TWR - A major effort to update and modernize OWASP's web presence
- Phase 1 - Complete
- Phase 2 - Wiki style updates
- RFP for the wiki style upgrade is currently being drafted
- RFP will include a responsive MediaWiki theme plus CSS and associated style guide
- Style guide will be used to style other OWASP web site such as Discourse, the blog, etc.
- Phase 3 - Single Sign-on
- SSO using @owasp.org identities will be proof-of-concept tested during the AMS migration
- Phase 4 - Wiki content and organization
- Internal R&D completed. RFP will be drafted after Phase 2 (Style) RFP
- Discourse as a replacement for Mailman
- Dev instance deployed to assist with REST API automation efforts
- Test instance deployed to alpha test structure and organization of content
- Leader Sandbox being deployed to allow leader experimentation and to test SSO with @owasp.org and other identity providers (Github, Twitter, Facebook, ...)
- Beta program for the Foundation's Global Meetup account continues
OWASP 2017 Strategic Goal
- TLDR: Host 4 trainings worldwide of ~500 attendees geared toward developers and entry-level security professionals - further details on the wiki.
- 4 locations finalized
- Israel - mid-October
- Tokyo - late September
- Boston - October
- Bangalore - November
- Call for Trainers content has been created, call for trainers will launch in June
Association Management System (AMS) upgrade
- Highly complex, multi-step process taking 8 to 12 weeks
- Accounting module - Complete
- Membership module - in process, waiting for custom dev work to complete
- Events Module - in process, will be used for AppSec USA 2017 registrations
- Current and future benefits
- Multi-currency support in a single registration system
- Significant improvement for event registration and membership renewals especially for OWASP Leaders
- Reduced use of discount codes for registrations e.g. no more leaders code
- Ability to modify an existing registration e.g. add training to an existing conference registration
- Membership renewals - new 2 click process
- Membership renewals - optional auto-renewals
- Better insight for Chapter/Project leaders on the status of their efforts
- Simplified Chapter/Project leader merchandise requests
- Unified and streamlined funding and reimbursement requests
Projects
- OWASP Code Sprint - program to fund contributions to OWASP Projects by students
- Students get real-life experience working on open source software and a $1500 stipend upon successful completion - full details on the wiki.
- Project Summit in Belfast at AppSec EU 2017 - full recap is here.
- 7 Project Leaders participated in the summit
- Project Reviews at AppSec Summits
- 7 Project Reviews were completed during the summit in Belfast
- Thanks to our reviewers Johanna Curiel, Talal Albacha, Enrico Branca and Nabin Kc
- New Incubator Projects
- Blog posts from OWASP Project Leaders
- OWASP Threat Dragon Project Update - more on the project page
- OWASP iGoat Tool Project - Restart - more on the project page
Events
- OWASP Summit in London - there's still time to register and attend
- AppSec USA 2017 - Orlando
- CFP Round 1 complete - speakers and trainers notified
- CFP Round 2 has begun - ends June 15th
- Project Summit in Orlando at AppSec USA 2017 - Sign-ups now open!
- Sponsorships to date: $335,000 - info on opportunities
- AppSec EU 2017 in Belfast was a fantastic event
- Developer Summit recap: 57 attendees across 3 sessions - the biggest turnout to date!
- Members Lounge: 22 new member sign-ups; 33% of those using the lounge were new members signed up at the event.
- Sponsors recap: €171,933.00 in sponsorships
- OWASP at Blackhat USA 2017
- Call for volunteers is open
- WASPY Awards are right around the corner - start thinking of our awesome unsung heroes you'd like to nominate
Community
- Successful group orientations in Japanese and Spanish for Chapter leaders
- Fast growing languages among OWASP Chapters
- Native language chapter organizations were coordinated successfully
- Leader Workshop at AppSec EU
- Major upcoming changes were discussed with leaders at that conference
- Couldn't attend? See the blog post for the details you missed.
Serving the Community
Per the request of the OWASP Board, we've included a chart of the staff's interaction with the broader OWASP community via submitted cases to the Foundation. We continue to push beyond the 10,000 total case envelope.
Cases for 2017
As always, the OWASP staff are here to make the OWASP community even stronger. If you have a question, concern or need something please let us know using the 'Contact Us' form. Also, feel free to attend, suggest or otherwise engage with the OWASP Foundation further at the June 7th Board Meeting.
Your friendly neighborhood OWASP staff:
Kate, Kelly, Alison, Laura, Claudia, Tiffany, Dawn and Matt
Thursday, June 1, 2017
OWASP iGoat Tool Project - Restart
Project Leader: Swaroop Yermalkar (@swaroopsy)
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it. As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.
The lessons are laid out in the following steps:
- Brief introduction to the problem.
- Verify the problem by exploiting it.
- Brief description of available remediations to the problem.
- Fix the problem by correcting and rebuilding the iGoat program.
*Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.
iGoat Version 3.0 Release
- Updated SQLCipher to latest version
- Removed project specific compilation warnings
- Removed crashing code for server-side exercises.
- Updated project details in project github page.
- Added multiple exercises including:
- Broken Cryptography
- Insecure Storage in Plist
- Insecure Storage in NSUserDefaults
- Side Channel Data Leaks via Device Logs
- Cross Site Scripting
Requirements:
To build and run iGoat, you'll need a Mac running OS X (real or virtual machine) with Xcode installed. iGoat runs in the iOS Simulator as well as on a physical iPhone, iPad or iPod touch.
Call for contributors:
We invite the OWASP community to download and try iGoat, and we welcome your suggestions for improvements. We're always looking for willing participants to contribute to the project as well! To contribute to the iGoat project, please contact Swaroop (swaroop.yermalkar@owasp.org or @swaroopsy).
How to contribute?
- Add new exercises (OAuth attacks, crypto attacks, third-party library issues, etc.)
- Test iGoat on iPhone and iPad and report any issues
- Remove compilation warnings
- Suggest new attacks
- Write blog posts or articles about iGoat
- Spread the word about iGoat :)
Screenshots:
Broken Cryptography
In this exercise, you identify an insecure mechanism for storing sensitive data locally. You will find the encryption key hard-coded in the app's source, and with it you can decrypt the stored sensitive data back to plaintext. For more information, refer to: https://www.owasp.org/index.php/Mobile_Top_10_2014-M6
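The exercise turns on one fact: a key compiled into the app ships inside the binary, so anyone holding the .ipa can pull it out (a `strings` pass or a class dump is enough) and the "encryption" only hides data from people who do not have the app. As an added example, not iGoat's own code, the Swift below puts the hard-coded-key pattern the exercise has you exploit beside the fix iOS developers are expected to apply: generate the key on the device and keep it only in the Keychain with a device-bound accessibility class. It assumes CryptoKit (iOS 13 or later); the service and account identifiers and the sample record are made up for illustration.

```swift
import Foundation
import Security
import CryptoKit

// Added example, not part of iGoat. Needs CryptoKit (iOS 13+ / macOS 10.15+).
// The service/account strings and the sample record below are made up.

// VULNERABLE: the AES key is a literal in source, therefore also in the shipped binary.
// Whoever extracts it can decrypt every record the app ever wrote to disk.
enum BrokenCrypto {
    // 32 ASCII bytes -> AES-256 key, recoverable with `strings` against the binary
    static let hardcodedKey = SymmetricKey(data: Data("0123456789abcdef0123456789abcdef".utf8))

    static func encrypt(_ plaintext: Data) throws -> Data {
        // combined = nonce || ciphertext || tag; non-nil for the default 12-byte nonce
        try AES.GCM.seal(plaintext, using: hardcodedKey).combined!
    }
    static func decrypt(_ blob: Data) throws -> Data {
        try AES.GCM.open(AES.GCM.SealedBox(combined: blob), using: hardcodedKey)
    }
}

// HARDENED: create the key at first use and keep it only in the Keychain, bound to this
// device and readable only while it is unlocked. The ciphertext on disk is then useless
// without the Keychain item, and the item never leaves the device in backups.
enum KeychainCrypto {
    enum KeychainError: Error { case unexpectedStatus(OSStatus) }

    private static let service = "com.example.igoat-demo"   // assumed identifier
    private static let account = "records-aes-key"          // assumed identifier

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Returns the stored key, generating and persisting a random one on first use.
    static func loadOrCreateKey() throws -> SymmetricKey {
        var readQuery = baseQuery
        readQuery[kSecReturnData as String] = true
        readQuery[kSecMatchLimit as String] = kSecMatchLimitOne

        var item: CFTypeRef?
        let status = SecItemCopyMatching(readQuery as CFDictionary, &item)
        if status == errSecSuccess, let keyData = item as? Data {
            return SymmetricKey(data: keyData)
        }
        guard status == errSecItemNotFound else { throw KeychainError.unexpectedStatus(status) }

        // First run: CryptoKit draws a fresh 256-bit key from the system CSPRNG.
        let key = SymmetricKey(size: .bits256)
        var addQuery = baseQuery
        addQuery[kSecValueData as String] = key.withUnsafeBytes { Data($0) }
        addQuery[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let addStatus = SecItemAdd(addQuery as CFDictionary, nil)
        guard addStatus == errSecSuccess else { throw KeychainError.unexpectedStatus(addStatus) }
        return key
    }

    static func encrypt(_ plaintext: Data) throws -> Data {
        try AES.GCM.seal(plaintext, using: loadOrCreateKey()).combined!
    }
    static func decrypt(_ blob: Data) throws -> Data {
        try AES.GCM.open(AES.GCM.SealedBox(combined: blob), using: loadOrCreateKey())
    }
}

/// Same call shape on both sides; only the key's exposure differs. Returns true on round trip.
func demo() throws -> Bool {
    let secret = Data("4111 1111 1111 1111".utf8)        // constructed sample record
    let broken = try BrokenCrypto.encrypt(secret)        // decryptable by anyone with the binary
    let safe   = try KeychainCrypto.encrypt(secret)      // needs the Keychain item on this device
    let roundTrip = try KeychainCrypto.decrypt(safe)
    return roundTrip == secret && broken != safe
}
```

Run `demo()` from a test target or playground on a device or the Simulator. The point to take from the pair is that AES itself is identical in both halves; what iGoat's exercise exposes is key management, not the cipher, and the fix is to make the key something the attacker cannot obtain from the artifact they have.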
Please provide feedback to Swaroop Yermalkar or use the contact us form.