Open Web Application Security Project

AppSec DC 2012 CFP EXTENDED!

2012-01-06T12:51:00.001-08:00

Many of you have written to us asking about the requirement for a paper in our CFP hosted on EasyChair.  Due to an unforeseen change in the way EasyChair works, you are no longer able to configure a submission to require only an abstract as we thought we had done, and done in the past.  To be clear, we are ***NOT*** requiring papers with our CFP submissions.  As we have already started the CFP and can not move the platform we ask that anyone who does not have a paper simply submit their abstract as a .txt file to satisfy the systems requirement to upload a paper.

We apologize for this inconvenience and the confusion it has caused and as a result of the confusion, we are extending the AppSec DC CFP deadline to Feburary 17th 2012 at 11:59 EST to allow all to submit their topics.

Regards,
The AppSec DC Program Committee

2012 The Year of Software Security

2012-01-05T08:50:00.001-08:00

Committee Chairs,

Now that budgets have been passed, please take the time this week to review and EDIT the page to update your respective committee members: https://www.owasp.org/index.php/Global_Committee_Pages

As we kick off 2012 everyone has resolutions now is a good time to reconfirm active individual participation and to allow those that wish to pass the torch or transfer to other committees to do so.

OWASP Project/Chapter leaders:

To join a global committee, the process is VERY EASY simply self-nominate, then ask your peers in your region (example Latin America, North America, APAC, etc..) to support your efforts as a regional voice in the continued evolution of OWASP Foundation: https://www.owasp.org/index.php/How_to_Join_a_Committee

The committees purpose should be looked at as focused task forces establishing a framework with for all community members to utilize focused on global missions around things such as:

- Quality Offerings (Projects/Education)

- Marketing / Public Relations OWASP (Connections)

- Gathering Industry Requirements and Collaboration (Industry)

- Continued Regional Growth (Chapters)

- Global Events and Training (Conferences)

- Setting Value and Governance (Membership)

So we need people from different parts of the world to bring perspectives and contribute the most precious resource professional time.

2012 is the year of Software Security -- there is no doubt from headline news to start-up companies around the world that software and its security is a important part of the global fabric.

Join Us!

2012 Kick Off - Call to Action

2012-01-04T18:40:00.000-08:00

Calling Chapter Leaders in key markets such as: Atlanta, Austin, Boston, Chicago, Denver, Los Angeles, New York, Philadelphia, Portland, San Francisco, Seattle, Washington DC, London, Toronto, and Vancouver. Post your next chapter meeting at Gary's Guide and you might find some new faces that understand software and want to learn about security:

http://www.garysguide.com/cities

Project/chapter leaders worldwide, perform "outside the echo chamber" outreach to other groups in 2012. Offer up your favorite OWASP Project presentation to help evangelize the OWASP mission, community.

Start here: http://www.meetup.com/find (keyword: mobile, programming, .net, java, internet, computer, developer, find local groups)

Got something new to share?? Be sure to submit the CFP for the OWASP Global AppSec Conferences. 2012 has a lot of exciting things happening that rely on software, let's not forget the core of "fight club" -- have fun sharing technical knowledge, open-source code and the social collaboration with people as together we build a vibrant global professional association that has exploded all over the world:

https://www.owasp.org/index.php/OWASP_Chapter#Local_Chapters_by_Geographic_Region

If you have other tips or suggestions please share what you will do to advance the OWASP mission.

Semper Fi,

Tom Brennan

OWASP Foundation

The 12 Days of Christmas

2011-12-12T06:55:00.000-08:00

Ok kids, gather around and sing with me;

On the 1st day of Christmas a hacker faxed to me poof via fax of SQLi in my website database using SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'

On the 2nd of Christmas the hackers gave to me a < IMG SRC="jav ascript:alert('XSS');" > #OWASP and a link to cheat other sheets to at: https://www.owasp.org/index.php/Cheat_Sheets

On the 3rd of Christmas the hackers gave to me Direct Object Reference on a critical system http://yourwebsite.com/secret/adminconsole:8050

On the 4th day of Christmas the hackers gave to me.... "a .PDF file and he said test your sh$t!" this is to easy... http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

On the 5th day of Christmas the hackers guessed my lame ass Wifi WEP password and changed my SSID to "Hacked"and left it as a Open AP

On the 6th day of Christmas the hackers came back after it was updated and guessed my lame ass WPA password after being upgraded from WEP on day 5 and changed it to "Hacked Again" and made it Open AP

On the 7th day of Christmas a hacker picked my physical lock using a 9999 cut bump key on door #1, a shim on door #2 and and placed a "boom" sign inside the safe to prove a point about my lame physical security

On the 8th day of Christmas the hackers gave to me a bag of dumpster diving treasure to point out lack of shredding that included (bills fro trusted vendors with account info, credit card carbons, internal printed emails and more...

On the 9th day of Christmas the hackers gave to me, an email aimed at my wife concerning a refund of a holiday purchase with targeted malware using a custom packer that bypassed my installed and updated corporate AV investment.. then after getting a remote shell he popped my work laptop that was also connected to my personal LAN, exported the cert on the VPN client installed a keystroke logger on the computer that I use for business to capture the password.... damn

On the 10th day of Christmas the hackers gave to me code snips of critical system code on the new project that he picked up from PasteBin thanks -- 3rd party

On the 11th day of Christmas the hackers knocked down my commerce website during the busy season with a Denial of Service https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool -- and suggested I look at the OWASP CRS Mod_Security project https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

On the 12th day of Christmas the hackers emailed me a complied P0C 0day on the shiny new public facing appliance we installed just to say "whaaat'ssss up"

After getting my A$$ handed to me in 201x..... I started to read the OWASP Foundation website @ http://www.owasp.org and found things like a new Enterprise Security API (EASPI), Free Videos, Guidance on Mobile Security, Jobs Postings from around the world and over 140 other projects: https://www.owasp.org/index.php/Category:OWASP_Project that helped, planned to attend both Global and Local AppSec events value and I became a member

Happy Holidays from the OWASP Foundation

Suggestion: post your comments below of alternative days of Christmas then you can copy and paste to make your own for a company newsletter for a internal awareness campaign)

November 2011 OWASP Newsletter

2011-12-01T10:47:00.001-08:00

The November, 2011 issue of the OWASP newsletter is now available. Many thanks to Deepak Subramanian for his efforts putting this together.

Table of Contents

Notes from the Editor – Deepak Subramanian
Notes on Internal Projects
OWASP Communities – Michael Coates
Protecting against XSS – Gareth Heyes
OWASP Podcast – hosted by Jim Manico
OWASP Zed Attach Proxy (ZAP) – Simon Bennetts
Global Board of Directors Announced
Global Committees
Upcoming Events
OWASP Organizational Sponsors
The OWASP Foundation
OWASP Membership
Newsletter Advertising

OWASP is a volunteer driven organization that provides free and open resources to advance the state of application security and make application security risks visible. Please consider helping support our mission if these resources are useful to you or your organization.

Lots of Great Things Happening At OWASP

2011-11-06T22:11:00.000-08:00

You may be curious to know that OWASP has been doing quite a bitthis past year. With over 1500 members in 189 local chapters around the globe, it’s not hard to understandwhy so much is happening. During 2011, majorOWASP conferences were held in Asia, Europe, Latin America and North America.In addition to the traditional conferences, the 2nd OWASP world summit took place in Portugal with 180 security experts attending from 30 different countries. During this event attendees focused on working sessions to tackle securitychallenges facing the industry (read the full report and results here). OWASP was also present with talks or booths at 38 other events throughout 2011.

In addition to security conferences, many OWASP leaders are speakingat developer conferences to spread security knowledge directly to thosebuilding the applications. We’ll be gathering better metrics in the future, buta quick and informal twitter question reveals many OWASP individuals arepresenting security at non-security conferences such as JsFoo,PHP in the cloud, Jazoon,UberConf, JavaOne, SuperMondays,guest lecturing at Universities, DjangoCon, Pycon, PHPLondon, Cloud Camps, BarCamps, #educause, #jasig and many more.

The OWASP community is also growing strong through a variety ofOWASP projects. Some of these are mature tool sets and resources that are tacklingchallenging security problems; others are in experimentation and explorationphases to test out new areas of research. To better aid project growth the OWASP Projects committee iscontinually working to provide a framework that encourages experimentation andnew project ideas and also builds the process, quality and supporting resourcesneeded to foster more mature projects.

While OWASP has a great number of excellent resources, we alsorealize that its not always the easiest to find the material you are lookingfor. We’re busy figuring out ways tobest match up individuals with the relevant and high quality OWASP materials. New approaches may include building specific paths through the website based ondevelopers, testers, architects, etc (builders, breakers, defenders, or more) orit could be through a meta data store of all project information, or even anapproach where projects are categorized into maturity levels such as Incubator/ Labs / Flagship. None-the-less, we’re aware this is an important area thatneeds attention to further grow the usability and accessibility of OWASPresources.

Ifyou’re interested in helping out then please reach out to anyone within OWASP,join or propose a project, or even volunteer on an OWASP committee. The battle to raise awareness aroundapplication security is a challenging task and we’re constantly looking forfresh ideas and talented individuals to volunteer their time and abilitiestowards furthering the OWASP mission.

Lastily, I realize this doesn't scratch the surface of everything took place in 2011 with OWASP. Please comment below with items you'd like to recognize.

Michael Coates
OWASP

AppSec DC 2012

2011-10-12T14:01:00.000-07:00

by mark.bristow@owasp.org

Colleagues,

Building on the success of AppSec DC 2010 and 2009, OWASP is pleased to announce the next OWASP AppSec DC conference. The theme for this year's conference is "OWASP - Not just webapps anymore" to reflect the new and revised scope of OWASP to include all application security issues instead of focusing just on web application security.

Owing to feedback from the past two years, and in alignment with the overall OWASP Conference mission, the AppSec DC Planners have decided to move the conference to April of 2012. This is in response to requests from a variety of our sponsors and vendors, and de-conflicts overlap in the OWASP conference schedule for North America. OWASP AppSec DC 2012 will be held at the Walter E. Washington Convention Center on April 2nd through April 5th. Plenary sessions will be on April 4th and 5th preceded by Application Security Training on April 2nd and 3rd.

In accordance with the broader OWASP mission stemming from the 2011 OWASP Global Summit, AppSec DC is working to reflect the move of OWASP towards embracing all facets of Application Security, and not restricting it's content to strictly to the realm of web applications.

Therefore we invite all practitioners of application security and those who work with or interact with all facets of application security to submit papers and participate in the conference.

The AppSec DC 2012 Content Committee is seeking presentations in the following subject areas:

OWASP Projects
Research in Application Security Defense (Defense & Countermeasures)
Research in Application Security Offense (Vulnerabilities & Exploits)
Web Application Security
Critical Infrastructure Security
Mobile Security
Government Initiatives & Government Case Studies
Effective Case studies in Policy, Governance, Architecture or Life Cycle
and other application security topics

Submit papers to http://cfp.appsecdc.org. Submission deadline is January 15th 2012. Inquires can be made to cfp@appsecdc.org. Additional information can be found in the FAQ. You will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.

Conference Website: http://www.appsecdc.org
FAQ: https://www.owasp.org/index.php/OWASP_AppSec_DC_2012_-_FAQ

Please forward to all interested practitioners and colleagues.

Regards,

The AppSec DC Program Committee

--
Mark Bristow
(703) 596-5175
mark.bristow@owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org

Switzerland Application Security Forum 2011

2011-10-08T09:34:00.000-07:00

The  city of Yverdon-les-Bains will the 2011 edition  of the Application Security Forum - Western Switzerland conference. This event will take place at end of October.  For  this second edition, an exceptional lineup consisting of 19  speakers and trainers, both locally and internationally recognized,  will share their knowledge, best practices and experience on all  sensitive topics related to application security: strong authentication,  privacy, cryptography, critical systems, secure development,  cyberthreats, etc.

Participation  is free during the Conference day (Oct.27th), fees for trainings and  workshops apply on the first day only (Oct. 26th.), online registration  is required to attend the event.

http://event.appsec-forum.ch

The Event is co-organized by the OWASP Switzerland/Geneva Chapter and Openid Switzerland.

OWASP AppSec USA 2011 – The Wrap up

2011-09-29T11:44:00.000-07:00

Article by Lorna Alamri 

While the planning team is still sending out documentation, requesting invoices and finishing up tasks for the event. It’s time to give a summary of the event from a numbers perspective.

The Conference:

OWASP AppSecs bring together people around application security. What better opportunity to get attendees excited and involved in OWASP projects. Outside of an OWASP Summit it’s the largest gathering of OWASP and application security leaders, so a great opportunity to work on solutions and keep momentum going from the OWASP Summit.

Our goals:
500 attendees. $100,000 in funds raised for the OWASP Foundation. Raise awareness around OWASP and application security among developers.

Registrations:
639, Total registration revenue as of 9/15/11 (536attendees) $251,476.15
Sponsors: 24 with a total of $130,600 in funds raised.
Expenses: Estimated at $210,000. (We’re still waiting for someinvoices from vendors.)

The Talks:
2 days/4 tracks
75 speakers, 48 talks, 3 keynotes and one board discussion.

The Training:
4 two-day training courses
4 one-day training courses
Training Course Students: 146, OWASP profit from training: $63,000

The CTFs:
One University CTF challenge - 3 teams
One CTF -2 days

Organizers/Volunteers: 48

Statistics on Attendance:

*Education included both students and employees who attended OWASP AppSecUSA 2011.
*OWASP Employees and non-industry volunteers are not included in numbers.

Overall Attendees by Country

US Attendance by State

The Events:
We took the opportunity to try out a lot of new events at AppSec USA which we hope will be included in future OWASP AppSecs.

5K/10K Run for Charity – funds raised were donated to the Bakken Musuem.
University Challenge – A CTF aimed at University students to increase OWASP awareness at a University level.
Women in AppSec – A grant program to increase particpation at OWASP AppSec USA by women.
Open Source Showcase – An opportunity to demonstrate OWASP and other open source projects to attendees of OWASP AppSecs.
Project work groups: ESAPI, AppSensor, Chapters and Industry along with board and committee meetings.

Lorna Alamri
OWASP AppSec USA

OWASP ModSecurity CRS v2.2.2

2011-09-29T11:34:00.000-07:00

(From ryan.barnett@owasp.org)

I am pleased to announce the release of OWASP ModSecurity CRS v2.2.2.

===========

CHANGELOG

===========

--------------------------

Version 2.2.2 - 09/28/2011

--------------------------

Improvements:

- Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points

http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html

- Added new Range header detection checks to prevent Apache DoS

http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html

- Added new Security Scanner User-Agent strings

- Added example script to the /util directory to convert Arachni DAST scanner XML data into ModSecurity virtual patching rules.

http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-automated-virtual-patching-script.html

- Updated the SQLi Character Anomaly Detection Rules

- Added Host header info to the RESOURCE collection key for AppSensor profiling rules

Bug Fixes:

- Fixed action list for XSS rules (replaced pass,nolog,auditlog with block)

- Fixed Request Limit rules by removing & from variables

- Fixed Session Hijacking IP/UA hash captures

- Updated the SQLi regex for rule ID 981242

--------------------------

DOWNLOADING

--------------------------

Manual Downloading:

You can always download the latest CRS version here -

https://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/

Automated Downloading:

Use the rules-updater.pl script in the CRS /util directory

# Get a list of what the repository contains:

$ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -l

Repository: http://www.modsecurity.org/autoupdate/repository

modsecurity-crs {

          2.0.0: modsecurity-crs_2.0.0.zip

          2.0.1: modsecurity-crs_2.0.1.zip

          2.0.2: modsecurity-crs_2.0.2.zip

          2.0.3: modsecurity-crs_2.0.3.zip

          2.0.4: modsecurity-crs_2.0.4.zip

          2.0.5: modsecurity-crs_2.0.5.zip

          2.0.6: modsecurity-crs_2.0.6.zip

          2.0.7: modsecurity-crs_2.0.7.zip

          2.0.8: modsecurity-crs_2.0.8.zip

          2.0.9: modsecurity-crs_2.0.9.zip

          2.0.9: modsecurity-crs_2.0.10.zip

          2.1.0: modsecurity-crs_2.1.0.zip

          2.1.1: modsecurity-crs_2.1.1.zip

          2.1.2: modsecurity-crs_2.1.2.zip

	  2.2.0: modsecurity-crs_2.2.0.zip

          2.2.1: modsecurity-crs_2.2.1.zip

          2.2.2: modsecurity-crs_2.2.2.zip

}

# Get the latest stable version of "modsecurity-crs":

$ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -prules -Smodsecurity-crs

Fetching: modsecurity-crs/modsecurity-crs_2.2.2.zip ...

$ ls -R rules

modsecurity-crs

rules/modsecurity-crs:

modsecurity-crs_2.2.2.zip    modsecurity-crs_2.2.2.zip.sig

Ryan Barnett

OWASP ModSecurity Core Rule Set Project Lead

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders

OWASP Board 2012

2011-09-29T11:25:00.000-07:00

I am very please to announce the results of the recent OWASP Board Election!

Turnout: 771 (46.2%) of 1670 electors voted in this ballot.
Top (3) have been elected.

Michael Coates - 524 (31.0%)
Dave Wichers - 460 (27.2%)
Sebastien Deleersnyder - 423 (25.0%)
Christian Heinrich - 286 (16.9%)

Your International Board of Directors term is effective 1-Jan-2012 for (24) months governed by the OWASP Bylaws: https://www.owasp.org/images/d/d6/2011-06-OWASP-BYLAWS.pdf

The Board also held elections at AppSec USA to decide new board roles and responsibilities. The results are as follows:

Michael Coates - OWASP Chair
michael.coates(at)owasp.org

Eoin Keary - Vice Chair
eoin(at)owasp.org

Tom Brennan - Secretary
tom.brennan(at)owasp.org

Matt Tesauro - Treasurer
matt.tesauro(at)owasp.org

Sebastien Deleersnyder - Board Member
seba(at)owasp.org

Dave Wichers - Board Member
dave.wichers(at)owasp.org

Please join me in offering our new board congratulations and support.

Aloha,
Jim Manico
OWASP Connections Committee Chair
jim@owasp.org

AppSec USA 2011 Conference - Two Weeks Away

2011-09-07T00:51:00.000-07:00

Hello OWASP Community,

The OWASP AppSec USA 2011 conference in Minneapolis is only two weeks away. Classes are filling up fast (the OWASP WTE class is full), and the conference talks lineup is impressive. Sign up today for the training on September 20-21 and the main conference talks, CTF, showroom, and Open Source Showcase on September 22-23!

http://www.appsecusa.org/

OWASP is in its tenth year, and application security is on everyone's radar. And this year we have some wonderful new initiatives as part of OWASP AppSec USA 2011. For the first time, we're:

* Funding the conference experience for two women in college through the OWASP Women in AppSec grant. Congratulations to Tara Wilson and Chandni Bhowmik on securing these grants! And thank you to The Wells Fargo Foundation for its generous seed funding.

* Raising funds for science education for inner city youth with the 5K/10K for Charity.

* Hosting a University Challenge offense/defense competition.

* Running an Open Source Showcase during the conference proceedings. Open source community members will demo their awesome work.

Additionally, the OWASP Chapters Committee and the ESAPI and AppSensor teams will be meeting September 21 to build upon their great work in OWASP.

Be a part of AppSec USA 2011, where OWASP propels itself into the next ten years. Lots of cool talks and training. And many opportunities to learn, grow, and give back.

http://www.appsecusa.org/attend.html

We would like to thank the OWASP AppSec USA 2011 donors and sponsors and the many conference contributors for helping us to build an awesome event for the application security and development community.

--

Adam Baso
OWASP AppSec USA 2011 Organizer

OWASP AppSec USA 2011: Your life is in the cloud.
September 20-23 Training, Talks, CTF, Showroom, and More
www.appsecusa.org
@appsecusa

To learn more about OWASP, visit https://www.owasp.org.

OWASP AppSensor Detection Points in the OWASP ModSecurity Core Rule Set

2011-08-31T17:49:00.000-07:00

(from Ryan Barnett)

I have begun the process of implementing the OWASP AppSensor Detection Points (https://www.owasp.org/index.php/AppSensor_DetectionPoints) within the OWASP ModSecurity Core Rule Set (https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project).

I am pleased to announce that I have just made an update to the OWASP CRS SVN repository that fully implements the Request Exception (RE) category - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RequestException. See the following blog post for more details - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html

The major change in this version vs. the earlier one outlined in this blog post (http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-real-time-application-profiling.html) is that both the profiling and detection logic has been moved to Lua scripts. With the increased logic capabilities of Lua, we are now able to more accurately profile the application in real-time by analyzing traffic and automatically generating profiles for the following resource characteristics -

Enforcing the expected Request Method(s)
Enforce the number of expected parameters (min-max range)
Enforce parameter names
Enforce parameter lengths (min-max range)
Enforce Character Classes

Flag (e.g. - /path/to/foo.php?param)
Digits (e.g. - /path/to/foo.php?param=1234)
Alpha (e.g. - /path/to/foo.php?param=abcd)
AlphaNumeric (e.g. - /path/to/foo.php?param=abcd1234)
Email (e.g. - /path/to/foo.php?param=foo@bar.com)
Path (e.g. - /path/to/foo.php?param=/dir/somefile.txt)
URL (e.g. - /path/to/foo.php?param=http://somehost/dir/file.txt)
SafeText (e.g. - /path/to/foo.php?param=some_data-12)

The updated rules files are in the /experimental_rules directory - http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/experimental_rules/

Look in the /lua folder to find the 2 scripts - http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/lua/

I encourage people to test out these new rules and to report back their experiences – both good and bad.

FYI – I also wanted to thank Josh Zlatin for assisting with the initial Lua script creation.

Cheers.

--
Ryan Barnett
OWASP ModSecurity Core Rule Set Project Leader

OWASP AppSec Latin America 2011

2011-08-23T20:53:00.001-07:00

On behalf of the OWASP AppSec Latin America 2011 organization team, I’m thrilled to announce registration is now officially open! The organization committee truly went out of its way to keep prices down and provide the best deals for people who really want to take full advantage of this event. One example is the full package deal: for R$1,000 (approximately US$625) you can attend two classes and the conference.

The deadline for early bird registration is August 31^st so you do need to hurry! Conference details, sponsorship information, registration links, and some cool videos about Brazil and Porto Alegre are all available at the conference site: https://www.owasp.org/index.php/AppSecLatam2011#tab=Welcome.

Get your visa ready. We look forward to seeing everyone in Brazil!

Cassio

AppSec USA Open Source Support!

2011-07-29T10:37:00.000-07:00

(from adam.baso@owasp.org)

OWASP is piloting a new initiative to promote open source ideals at our Global AppSec Conferences!

For the first time, we are offering a limited number of free booth spaces to open source projects as part of the OWASP Open Source Showcase at OWASP AppSec USA 2011!  We invite ANY open source project - not just OWASP projects - to apply for a booth at this showcase to demo and promote their project. Showcase participants need to be ticketed attendees and will be responsible for manning their booth.

Learn more about this opportunity, including how to submit projects for consideration, by visiting the following URL:  http://www.appsecusa.org/oss.html   Applications are due Friday, August 19, 2011, and are considered on a rolling basis - so get moving!

Contact projects@owasp.org if you have any questions.

OWASP MSP: Host to OWASP AppSec USA 2011
September 20-23
Training, Talks, CTF, Showroom and more
www.appsecusa.org @appsecusa

Application Security Tutorial Videos

2011-07-29T09:36:00.000-07:00

The OWASP application video tutorial series, led by Jerry Hoff, has produced three great security videos and has many more on the way. These videos are short and to the point. The 10 minute videos cover core application security risks such as cross site scripting or sql injection and future episodes will cover defense in depth security techniques such as Strict Transport Security or X-Frame-Options.

The following videos are currently available as part of the AppSec Tutorial Video Series.

    •   Episode 1 - Introduction
   •   Episode 2 - Injection Attacks
   •   Episode 3 - Cross Site Scripting
The following link will take you to the OWASP AppSec Video Series homepage on youtube.

http://www.youtube.com/user/AppsecTutorialSeries

You can also watch the three videos embedded below.

OWASP Codes of Conduct Project

2011-07-27T08:36:00.000-07:00

By Colin Watson

At the summit in Portugal earlier this year, a working session on "Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies" created a document defining minimal requirements for three types of organization, specifying what are the most effective ways to support OWASP's mission. These are OWASP's objectives for other organizations and do not relate to members or other participants.

The three types of organization were:

- Government Bodies
- Educational Institutions
- Standards Groups

with Jeff Williams, Dave Wichers and Dinis Cruz as primary contributors.

Although I didn't attend that particular session, I was able to contribute to an early draft version of the document, and subsequently created a parallel document for:

- Trade Organizations

At another working session on Certification, the participants created another closely-related document on expectations for:

- Certifying Bodies

with Jason Li, Jason Taylor, Martin Knobloch, Matthew Chalmers and Justin Searle as
primary contributors.

Each document has been give a colour name to make it more identifiable, and to provide a shorter title. Thus the document "The OWASP Application Security Code of Conduct for Government Bodies: is also "The OWASP Green Book".

OWASP would like to formalize, complete and create release-quality documents, and therefore I have offered to start a project and become project leader for the OWASP Codes of Conduct Project. The project will nurture these initiatives and collect feedback on the draft documents with the aim of issuing and promoting the documents later this year. With Paulo Coimbra's welcome assistance, the project and
current draft versions can be found at:

https://www.owasp.org/index.php/OWASP_Codes_of_Conduct

The v1.1 draft documents were created from the summit outcomes, and to date I have:

1) standardized their formatting
2) removed reference to "free membership [of bodies, groups] " where
this does not match current policy
3) removed "free attendance at events" for liaison contacts since
this hasn't been more widely discussed
4) made liaison groups within OWASP less specific since we do not
have a "OWASP Educational Institution Executive Council" for example
5) changed the mandatory Code of Conduct items to a numbered list,
and the recommendations to an alphabetical list to distinguish between
them better
6) added hyperlinks to OWASP resources and a summary sheet on the last page

I would welcome feedback on these using the project's mailing list:

https://lists.owasp.org/mailman/listinfo/owasp-codes-of-conduct

Please contribute in the next 4 weeks, after which I will be seeking project formal reviewers. Some things to be discussed before then:

- have all the contributors been captured correctly?
- the documents do not have licensing or copyright stated
- the Green Book requires government organizations to adopt a
definition of "application security", but in the Yellow Book for
Standards Groups, this is an optional requirement, and perhaps they
should be the same
- some organizations might decide they do everything we suggest, and
we might want to state a form of words for any statement of adoption

PLUS ANYTHING ELSE you feel is important. You may have ideas for another similar document. Please join the mailing list.

Colin Watson

OWASP LATAM Tour

2011-07-21T17:13:00.000-07:00

Fabio Cerullo presented the OWASP training day in Argentina on 7/19/2011. There were over 40 attendees (58 registered) and 17 NEW members registered including 5 educational supporters. Outstanding!

The next stop on the tour is Uruguay on 7/26/2011. Mateo is estimating over 120 attendees (although they will need to sign up still J) of the 8 registered for the upcoming training day, 6 have signed up for membership!

Brazil and Peru are scheduled for August, so I will provide updates as we get closer.

https://picasaweb.google.com/fcerullo/OWASPLatamTour?authuser=0&feat=directlink

AppSec Asia 2011

2011-07-20T23:49:00.001-07:00

AppSec Asia 2011

Building on its successes of the past two years, OWASP’s China chapter is again hosting a flagship OWASP outreach event in Beijing, China. The Global AppSec Asia 2011 will be held from November 8 to 11, 2011. This event offers expo, training and conferences and includes many opportunities to converse with the government, industry and education leaders from China and the entire Asia Pacific region.

If you are interested in speaking at the conference (November 8 to 9, 2011) or a training session (November 10 to 11, 2011) then please submit your proposal here.

If your company or other companies you know are interested in reaching out to the vast and growing Asia Pacific market then please contact Helen Gao (516-582-4943). The sponsorship document can be downloaded here. If you are interested in the product exhibit then please let Helen know by July 31, 2011.

Thank you very much for your support.

OWASP AppSec USA 2011

AppSec USA 2011 is a conference for information security and software development professionals who are challenged with solving tough application security problems. This year's format will be eight tracks spread across two days, with each talk running 50 minutes in length. Speakers are just being announced. For more details: www.appsecusa.org

The tracks are:

· Cloud Security

· Mobile Security

· Secure SDLC

· OWASP Projects

· New Attacks & Defenses

· Thought Leadership

· Software & Architecture Patterns for Security

· Software Assurance

AppSec USA’s early bird discount ends: 7/29/11 so register now: http://www.regonline.com/Register/Checkin.aspx?EventID=935213

Follow us on twitter @appsecusa, our linked in group, or on facebook and check the www.appsecusa.org site often for updates we’ll be announcing an Open Source Project demo area, a University CTF Challenge, Thursday evening networking event and more! We also have several events already listed: Women in AppSec | 5K/10K | CR0WD50URC3D

Kate Hartmann

Operations Director

301-275-9403

www.owasp.org

Skype: Kate.hartmann1

_______________________________________________ To unsubscribe from the Owasp-all mailing list, you will need to unsubscribe yourself from all OWASP mailing lists you belong too. This list is automatically generated to allow OWASP to contact all it’s members in one distribution.   Best regards, OWASP

ESAPI for C++

2011-07-17T16:01:00.000-07:00

(from Kevin Wall)

There's a new mailing list on the OWASP ESAPI block at: https://lists.owasp.org/mailman/listinfo/owasp-esapi-c++ 

Yes, that's right. ESAPI for C++. Well, spare me the oxymoron jokes (my resemblance to an ox and an moron is strictly coincidence)...and besides that was my first reaction as well. 

ESAPI for C++ will be a *greatly* stripped down version of ESAPI for JavaEE. The intent will be more similar to ESAPI for C (yes, Virginia, there's one of those too; see http://code.google.com/p/owasp-esapi-c/). 

So sign up for the OWASP ESAPI for C++ mailing list. Even though it's mostly intended for developers, we welcome hecklers and other nay sayers as well. (Keeps us from getting too many "yes men" that way.) 

Or better yet, sign up, and then get involved. Yes sir (or ma'am). ESAPI for C++ is your chance to become rich and famous. OK, just famous. Hmm, maybe not. But it is a chance for all of you, who like me just sat out there for years using FOSS but without every contributing anything back. (No, those 3 patches that you submitted 7 years ago and that $10 donation to GNU's Free Software Foundation are not enough to make up for all the free software that you've used over the years. C'mon, you tip your barber more than that!) 

Uncle OWASP wants you! 
-kevin wall

OWASP New Zealand Day 2011 Wrap-up

2011-07-11T15:10:00.000-07:00

(from Nick Freeman & Scott Bell)

Dear OWASP Leaders,

This email is a brief wrap-up of how the OWASP New Zealand Day 2011 conference went on Thursday July 7.

The conference was a great success, with a 33% increase in attendance from previous years. We had just over 200 people attend our single track, 10 talk conference and two training sessions.

This shows a growing interest in web application security in New Zealand, and we will be pushing the attendees to attend chapter meetings and spread the word about OWASP with their friends, colleagues and other industry groups. We have had a great response from a number of development groups who are interested in having OWASP content presented at their meetings, which we see as an excellent opportunity to expand the OWASP community and web application security awareness in New Zealand.

Feedback from conference attendees has been glowing, with very positive comments and some constructive suggestions. We are still dissecting it all, and will be combining the feedback with our own learnt lessons to ensure future chapter meetings and OWASP NZ Day conferences get better and better.

We'd like to give a very big thanks to Kate Hartmann, Sarah Baso, Mark Bristow, Alison Shrader and everyone else who has helped us organise the conference and make it the success that it was. Special thanks also go out to Roberto Suggi Liverani, previous OWASP NZ Chapter Leader, who organised the previous two OWASP day conferences and has helped OWASP New Zealand grow to its current size.

Final thanks go to our sponsors; The University of Auckland Business School, Security-Assessment.com, Lateral Security, F5 and Aura Information Security. Their generous donations allowed us to keep OWASP New Zealand Day a free conference in an excellent venue with quality catering.

Most content from the conference is already posted on the OWASP New Zealand Day 2011 conference wiki page (https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011) - we will be uploading the remaining content in the next day or two. In the mean time, a celebratory whisky or two is in order :)

Kind Regards

Nick Freeman & Scott Bell

OWASP New Zealand Chapter Leaders

OWASP Global AppSec Asia 2011

2011-07-10T13:52:00.000-07:00

Dear OWASP Chapter leaders,

Greetings!

I am Rip , Chairman of OWASP China. OWASP China invites you to join OWASP Global AppSec Asia 2011 conference.

This AppSec Asia 2011 offers expo,conferences and trainings. Over 500 people attended the conference last year, representing organizations including: Huawei, Alibaba.com, Baidu, China Telecom, China Mobile, China Merchants Bank, Shenzhen Stock Exchange, Ping An Insurance Group, Chinese Ministry of Industry and Information Technology, Chinese Ministry of Commerce, Forrester Research,Inc., Chinese Academy of Sciences.

AppSec Asia 2011 is not just a conference for mainland China, it is also for Hong Kong, Taiwan, Singapore, India, Malaysia, Indonesia, Japan and all Asian countries.We plan to add a product exposition this year. Please introduce this opportunity to companies in your country. As a matter of fact, in order to encourage you to participate, the conference committee has decided to reimburse your travel expenses if your chapter brings in two qualified sponsors. Please see attached for sponsorship details. And English interpretation will be provided for the entire conference.

For more information, please see OWASP Website.

If you have any questions, please fee free to contact:

Rip: Rip@owasp.org

Helen: helen.gao@owasp.org

Thank you and Best Regards!

--

RIP OWASP中国

US and Canadian Chapter Leader Workshop

2011-07-07T19:06:00.000-07:00

(From tin.zaw@owasp.org)

Dear Fellow Chapter Leaders,

Global Chapter Committee invites you to US and Canadian Chapter Leader Workshop at AppSec USA 2011, in Minneapolis. The workshop will be on September 21, from noon to 3:00PM. Its format will be based on the successful chapter workshop at AppSec EU in Dublin, earlier this year.

While we are still working on the agenda, it will closely resemble the agenda at AppSec EU. It will include review of the chapter handbook, managing chapter finances, Top 10 advice, and how to cross-pollinate and cooperate among chapters. EU event's agenda can be seen below.

https://www.owasp.org/index.php/AppSecEU_2011_chapters_workshop_agenda

We strongly encourage you to participate in this opportunity. Chapter leaders are encouraged to use chapter funds for the travel. Chapter leaders will get a free admission to the conference. The committee has limited funds available for chapter leaders with limited chapter funds.

We would like to ask the following.

* Save the date, September 21, 2011, from noon to 3:00PM, for the workshop.
* Register for AppSec USA event. Ask Lorna Alamri for registration code.
* Start making travel arrangements -- hotel rooms are running out -- if your chapter has funds available.
* If needed, ask for funding by emailing me and Sarah Baso, administrator for the chapter committee.
* Start thinking what topics to discuss.
* Stay tuned to further emails and upcoming Wiki page.

A word about funding. While we wish we could fund every chapter leader, due to the limited amount of budget allocated for this event, we may not be able to fund 100% to all the requests. We will have a deadline for applying funding, and after that deadline, we will make funding decision in a fair and transparent manner. When you apply for funding, please highlight your past contributions to OWASP and your future plans for the local chapter and OWASP.

We will try to have an option to participate, via Skype, for those who cannot make it.

If any questions, please email us. tin.zaw@owasp.org

Best regards,
Tin

OWASP Gothenburg

2011-07-05T14:27:00.001-07:00

(posted by Ulf Larson)

Dear Leaders!

It is my pleasure to announce the birth of OWASP Gothenburg!

OWASP Gothenburg is the second chapter to start in Sweden, some four years after the start of OWASP Sweden. Gothenburg is situated on the west coast of Sweden. Gothenburg has a large port and is also a well known player in the automotive area (Volvo, for example). Furthermore, Gothenburg is home to Chalmers University, a (hopefully) well known education facility with several strong research groups. We also have Liseberg (a large and pretty much awesome amusement park in the center of the city) which is well worth a visit if you happen to pass through.

We (board members, leaders, in total six persons) met for the first time in the beginning of May this year. Discussing, not if, but how, we would go about creating a chapter. We have since had lots of help from John Wilander, Kate Hartmann, and to our great pleasure, Jason Alexander, who heard our twitter call for assistance!

The board and leaders have mixed backgrounds from academia and industry but with the common denominator of application security. The leaders are Jonas Magazinius, Mattias Jidhage, and Ulf Larson. Jonas is a Ph.D. student at Chalmers University, researching on application security, most recently in the context of web mash-ups. Mattias has a master's degree from Chalmers University. He currently works at Omegapoint AB as security specialist/project manager focusing on application security. Ulf has a Ph.D. from Chalmers University. He currently works as a security specialist/systems developer at Adecco IT Konsult.

That's it. It is a pleasure for us to enter the OWASP community, and I hope we meet once or twice in the future!

Best regards

OWASP Gothenburg chapter through Ulf Larson

Board Election Update

2011-06-24T12:47:00.000-07:00

Attention OWASP Community,

Daily we learn of malicious hackers in the news - software security has never been more important to consumers, businesses, governments or students.

We trust that you have found valuable resources at OWASP Foundation in forms of guides, tools, resources and a professional community of over 25,000 worldwide - thank you.

As we continue to evolve our professional association, OWASP is hosting it's second election of its International Board of Directors. This year, three (3) of six board seats are up for election for a twenty-four month term and details of the process and candidates can be found online at:

CLICK ON: https://www.owasp.org/index.php/Membership/2011Election

Who will you support?

Thank you in advance for your continued support.

On behalf of the OWASP Foundation.

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

Election of Officers @ OWASP

2011-06-24T07:03:00.000-07:00

OWASP Community,

Daily we learn of malicious hackers in the news - software security has never been more important to consumers, businesses, governments or students.

We trust that you have found valuable resources at OWASP Foundation in forms of guides, tools, resources and a professional community of over 25,000 worldwide - thank you.

As we continue to evolve our professional association, OWASP is hosting its second election of its International Board of Directors. This year, three (3) of six board seats are up for election for a twenty-four month term and details of the process and candidates can be found online

CLICK ON: https://www.owasp.org/index.php/Membership/2011Election

Who will you support?

Thank you in advance for your continued support.

On behalf of the OWASP Foundation.

Attention Chapter Leaders

2011-06-21T16:55:00.000-07:00

Attention Chapter Leaders!

https://www.owasp.org/index.php/OWASP_Chapter

The goal of the Chapter Leader mailing list is to:

To exchange chapter leader experience
To ask questions (and hopefully get responses) on chapter topics
To announce chapter related topics

There already are a lot of resources available:

https://www.owasp.org/index.php/Category:Chapter_Resources

There is a chapter leader handbook:

https://www.owasp.org/index.php/Chapter_Leader_Handbook

But all of this material can and should be further improved to enable you - as chapter leader - in creating and maintaining our community.

If you need help: ask your question on the mailing list.

If you have some spare time: start building a chapter leaders FAQ as part of the chapter leaders handbook.

Regards,

Seba

CFP OWASP AppSec LATAM and Partner event, Rochester Security Summit

2011-06-17T00:21:00.000-07:00

Colleagues,

OWASP is currently soliciting presentations for the OWASP AppSec Latam 2011 Conference that will take place at PUC-RS in Porto Alegre, RS, Brazil on October 4th through 7th, 2011. There will be training courses on October 4th and 5th followed by plenary sessions on the 6th and 7th with each day having one single track.

We are seeking people and organizations that want to present on any of the following topics (in no particular order), or any other topics related to application security:

Application Threat Modeling
Business Risks with Application Security
Hands-on Source Code Review
Metrics for Application Security
OWASP Tools and Projects
Privacy Concerns with Applications and Data Storage
Secure Coding Practices (J2EE/.NET)
Starting and Managing Secure Development Lifecycle Programs
Technology specific presentations on security such as AJAX, XML, etc
Web Application Security countermeasures
Web Application Security Testing
Web Services-, XML- and Application Security
Anything else relating to OWASP and Application Security

To make a submission you must fill out the form available at https://www.owasp.org/images/e/e4/OWASP_AppSec_Latam_2011_CFP.rtf.zip

and submit through the easychair conference interface at http://www.easychair.org/conferences/?conf=appseclatam2011

Each presenter will have 45 minutes for the presentation, followed by 10 minutes reserved for questions from the audience. The presentations must respect the restrictions of the OWASP Speaker Agreement.

Important Dates

· Submission deadline is July 18, 2011 at 11:59 PM (UTC/GMT -3).

· Notification of acceptance is August 5, 2011.

· Presentation slides are due September 19, 2011.

The conference organization team may be contacted by email at appsec2011 (at) appseclatam.org

For more information, please see the following web pages:

Conference Website: https://www.appseclatam.org or http://www.owasp.org/index.php/AppSecLatam2011

OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement

OWASP Website: http://www.owasp.org

Easychair conference site: http://www.easychair.org/conferences/?conf=appseclatam2011

Presentation proposal form: https://www.owasp.org/images/e/e4/OWASP_AppSec_Latam_2011_CFP.rtf.zip

*** CALL FOR PRESENTATIONS ***

Rochester Security Summit October 4th-5th, 2011 Rochester, NY http://RochesterSecurity.org

We are pleased to announce that the sixth annual Rochester Security Summit is being planned for October 4-5, 2011 in Rochester, NY at the beautiful and totally renovated Hyatt Regency Rochester. This year’s theme is “Security Sanity” with Marcus J. Ranum as our keynote speaker. The Rochester Security Summit is the premiere IT security event in Upstate/Western NY.

In 2010 the Rochester Security Summit gathered more than 200 attendees, including executives from Fortune 500 firms, information security professionals, auditors, developers and software architects. We had 26 outstanding presentations, a sold-out Capture the Flag (a.k.a. Ethical Hacking 101) event and an extremely well received end panel with representatives of the 3 sponsoring organizations, ISSA, ISACA and OWASP.

The Rochester Security Summit is currently soliciting presentations from researchers, academia and industry for the 3 main tracks: Business Professional, Technical Professional and Software Professional. If you believe you have a significant research or technical presentation that the security community would value and enjoy hearing, we invite you to submit your presentation topic for consideration.

All three tracks will consist of presentations in 50-minute blocks, including Q&A. Presentations may be allowed to span two blocks to accommodate topic exploration to different depths if the committee sees the merit in the longer time allotment.

Please submit your proposal before June 30th
We will respond to proposals by July 30th
Draft copy of the slides for the papers must be submitted by August 26th
Final submissions are due by September 23rd

Please review the speaker guidelines on the web site, http://rochestersecurity.org/speakers/speaker-guidelines.html before submitting a proposal.

Proposals may be submitted via e-mail to present2011@rochestersecurity.org

Summit attendees are a mix of technical security professionals, vendors, programmers, web application developers, security testers, students, network administrators and IT executives. Preference will be given to speakers who can present innovative technical content to a broad technical audience. Of course, all presentations are expected to challenge the brightest and quickest of attendees.

The Rochester Security Summit is not a vendor fest. There is zero tolerance for heavy commercial content in presentations. Presenters are expected to avoid any marketing that is not immediately backed up with rationale for its inclusion.

Proposals should consist of the following information:

1. Presenter and contact info (country of origin and residence-mail, postal address, phone, fax).

2. Employer and/or affiliations.

3. Brief biography, list of publications and papers.

4. Any significant presentation and educational experience/background.

5. Topic synopsis, proposed paper title, and a one paragraph description.

6. Reason why this material is innovative or significant or an important tutorial.

7. Optionally, any samples of prepared material or outlines ready.

8. Will you have full text available or only slides?

9. Please list any other publications or conferences where this material has been or will be published or submitted.

10. If you think a second 50-minute block will be required to do your topic justice, please let us know and give a rationale for the longer format.

Please include the plain text version of this information in your email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to present2011@rochestersecurity.org

For more event information, or to register, visit us online at http://rochestersecurity.org/.

Thank you,

Rochester Security Summit Organizing Committee

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

OWASP iGoat 1.0

2011-06-16T20:15:00.000-07:00

(From Ken van Wyk)

Greetings all.

Yesterday, we put out the first public release of the OWASP iGoat project. This message is a brief description and call for participants in the project.

Background

The iGoat tool is a learning tool, primarily meant for iOS developers (but also useful to IT security practitioners, security architects, and others who simply want to learn about iOS security). It takes its name and inspiration from the venerable OWASP WebGoat tool. Like WebGoat, iGoat users explore a number of security weaknesses in iOS by exploiting  them first. Then, once each weakness has been explored, the iGoat user must implement a remediation to protect against each weakness and validate that the remediation was successful--similar to the WebGoat Developer Edition.  Hints and other background information are provided, right down to commented solutions in the source code, so that developers can use iGoat as a self-study learning tool to explore and understand iOS weaknesses and how to avoid them.  Further, the iGoat platform was specifically designed and built to be as easily extensible as possible, so that new exercises can be easily built and integrated over time.  iGoat was sponsored and initially developed by KRvW Associates, LLC (www.krvw.com), and is being released under GPLv3 licensing to the community.

Status

With the first public release, we've included several initial exercises and exercise  categories. These include such well known topics as SQL Injection, secure communications, etc. We plan to further integrate another handful of exercises in the short term, as well as make several improvements to the user interface. In the short term, we'll also be adding more documentation in the form of HOWTO documents that will cover how to install and use iGoat, as well as how to add new exercises to it.  No doubt, further improvements will quickly surface as the community starts using the   tool...

Project Site

iGoat can be found at: https://www.owasp.org/index.php/OWASP_iGoat_Project

All releases and source code are on Google Code. See the project home page above for   further details.  Call for Participation  The iGoat team would like to invite anyone interested to participate and contribute to iGoat's further development. Please contact the project leader, Ken van Wyk (ken@krvw.com) if you wish to contribute to the project.

Mailing List

An open, unmoderated forum has been set up for the iGoat project. To subscribe, see https://lists.owasp.org/mailman/listinfo/owasp-igoat-project

Cheers, Ken

Question on 3rd party JS

2011-06-15T09:44:00.000-07:00

Question: How do you best use external JavaScripts and comply with PCI-DSS (from @joffemannen)

(Great answer from @johnwilander)

I've had more than one consultation on this issue and we've always had to start by explaining the full access and full trust model of loading 3rd party code and content. To start with there's an important distinction between loading a 3rd party code library such as jQuery, and loading DOM content with or without JavaScript. If they want DOM content then traditional iframing works fine until they want to interact with the 3rd party content or vice versa. Since they will be loaded from different domains they will not be able to access each other.

If they want interaction they have four ways ahead:

Hosted + controlled releases. Establish a B2B release cycle with the vendor in which new versions of script files are released to them via file transfer and not directly into production. Then they do whatever auditing and analysis their process requires and deploy under their own domain. Note that this works for code-only cases too, i.e. no 3rd party content. This used to be an issue back when everyone was "hot linking" but nowadays you typically see requirements to download and host yourself since 3rd parties don't want to have to pay for the bandwidth or even have the tough SLAs in place.
Reverse proxy. Setup a reverse proxy to mimic that the 3rd party content is served by themselves. This makes it look like they're hosting everything themselves but really they're not. However, in this case they can potentially filter and detect code changes. If code changes happen daily it'll just become noise but detecting less frequent changes may prove useful for the cert team.
Normal loading + ajax proxy. Let the 3rd party have their own release cycle, load from 3rd party's domain and set up an ajax proxy if the code requires that. That means their own domain is still serving the client calls but they just reflect whatever source code the vendor serves up.
Point subdomain to 3rd party. If they point a subdomain of their own such as googlemaps.mybank.com pointing to Google Maps and host their own content on secure.mybank.com they can have both the iframe and the outer page set their docment.domain to a mybank.com and thus enable interaction.

In the three latter cases they're basically giving the 3rd party code the same privileges their own code has. So it has to be covered by the same processes (pentests and what not). This is typically when my customers have started considering the first option – "Hey, maybe we need to control what code runs on our page? And who writes that code. And how easy it is to hack into the hosting servers and replace that code. Damn!".

Regards, @johnwilander

OWASP Zed Attack Proxy 1.3.0 released

2011-06-11T20:58:00.000-07:00

(from psiinon@gmail.com)

Hi folks,

Version 1.3.0 of the OWASP Zed Attack Proxy (ZAP) has now been released.

ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

This release adds the following main features:

Fuzzing, using the JBroFuzz library
Dynamic SSL Certificates
Daemon mode and API
BeanShell integration
Full internationalization
Out of the box support for 10 languages

For more information and to download this release please visit the ZAP homepage: http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Many thanks to everyone who contributed code, language files, enhancement requests, bug reports and general feedback.

Psiinon

AppSecEU Was Awesome

2011-06-11T20:48:00.000-07:00

(from Seba)

I am just back from AppSecEU, held in Dublin this week.

I want to congratulate the whole team for a great and inspiring event!

https://www.owasp.org/index.php/AppSecEU2011#tab=Team

AppSec EU Conference Team:

Eoin Keary
Fabio Cerullo
Fiona Walsh
Kate Hartmann
Lorna Alamri
Sarah Baso
Ana Loza
Ralph Durkee
Owen Pendlebury
Niall Jordan
Ronan O'Mullane
Federico Feraboli

And probably a whole lot of people working behind the scenes.

Having co-organized conferences before, I know it has taken them several months of sweat, blood and energy.

A big THANK YOU!

Kind regards,
Seba

AppSec USA 2011 CFP Reminder, CTF Pre-Conference Challenge #2

2011-06-03T19:22:00.000-07:00

Hello OWASP Community!

This is an update about the OWASP AppSec USA 2011 software security conference in Minneapolis this September I just sent to several other mailing lists. Maybe on your way to AppSec EU you can work on a paper and get it submitted! I would be most thankful if you would share the CFP link, as well as the CTF pre-con challenge #2 (free ticket opportunity) and Training links with your friends and local chapters.

*** CALL FOR PAPERS ***

Have something important to say about software security? The OWASP AppSec USA 2011 Call for Papers is still open. We're looking for hardcore talks in cloud security, mobile security, new attacks & defenses, and straight up software development platforms. Get your submission in before time runs out. And have your developer friends submit a talk!

http://www.appsecusa.org/talks.html

The AppSec USA 2011 talks will be delivered September 22-23, 2011 in Minneapolis, Minnesota. In addition to the talks, we'll have excellent keynotes like Moxie Marlinspike.

Leaders: The CFP system for the OWASP-specific track is https://www.easychair.org/conferences/?conf=ot11. Contact Mark Bristow or Jason Li for more information.

*** CAPTURE THE FLAG PRE-CONFERENCE CHALLENGE #2 ***

Last month ChrisKarel won pre-conference challenge #1 for a pass to the OWASP AppSec USA 2011 talks. Congratulations, ChrisKarel!

For June, we're back with another chance for you to score a free conference pass and get a feel for the AppSec USA 2011 CTF challenges coming this September. Good luck.

http://www.appsecusa.org/ctf.html

*** TRAINING ***

We have awesome training at a fair price. Register for mobile security, penetration testing, secure coding, and attack detection and response courses being held September 20-21. Hurry before classes fill up.

http://www.appsecusa.org/training.html

*** MORE APPSEC USA 2011 ***

Check out www.appsecusa.org for other events including a 5K / 10K charity run, the first ever Women in AppSec grant, and a chance to have your own original music played at the conference.

Thanks to our wonderful supporters - check them out at www.appsecusa.org!

--

Adam Baso
OWASP AppSec USA 2011: Your life is in the cloud.

September 20-23 Training, Talks, CTF, Showroom, and More
www.appsecusa.org
@appsecusa

OWASP Project Update

2011-06-03T17:21:00.000-07:00

Reposted from http://globalprojectscommittee.wordpress.com/2011/06/03/owasp-projects-overview-last-6-months/ by Paulo Coimbra

A. NEW PROJECTS

* OWASP Common Numbering Project, led by Dave Wichers, this project is a new numbering scheme that will be common across OWASP Guides and References is being developed.

* OWASP HTTP Post Tool, led by Tom Brenann, this project is a tool for the purpose of performing web application security assessment around the availability concerns.

* OWASP Forward Exploit Tool Project, led by Marcos Mateos Garcia, this aims to develop a tool to exploit Top 10 2010 – A10 – Unvalidated Forward vulnerability to bypass access control to protected Java application files.

* OWASP Java XML Templates Project, led by Jeff Ichnowski, this is a fast and secure XHTML-compliant template language that runs on a model similar to JSP.

* OWASP ASIDE Project, led by Jing Xie, Bill Chu and John Melton, ASIDE is an abbreviation for Assured Software Integrated Development Environment. It is an Eclipse Plugin which is a software tool primarily designed to help students write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.

* OWASP Secure Password Project, led by Josh Sokol, this project will have a two pronged approach designed to put more nails in the single-factor method of authentication: an interactive portal where penetration testers are able to enter known information about the target and the results of all data collected into a large database.

* OWASP Secure the Flag Competition Project, led by Mark Bristow, this project aims to create a different type of competition that encourages secure coding rather than hacking skills.

* OWASP Security Baseline Project, led by Marian Ventuneac, this projects aims to benchmark the security of various enterprise security products/services against OWASP Top 10 risks.

* OWASP ESAPI Objective – C Project, led by Deepak Subramanian, this project is the Objective-C (Cocoa) implementation of ESAPI.

* OWASP Academy Portal Project, led by Martin Knobloch, Ricardo Melo and Konstantinos Papapanagiotou, this project envisages the creation of a Portal to offer academic material in usable blocks, lab’s, video’s and forum.

* OWASP Exams Project, led by Jason Taylor, this project will establish the model by which the OWASP community can create and distribute CC-licensed exams for use by educators.

* OWASP Portuguese Language Project, led by Lucas Ferreira and Carlos Serrão, this project aims to coordinate and push foward the iniciatives developed to translate OWASP materials to Portuguese.

* OWASP Browser Security ACID Tests Project, led by Dave Wichers, John Wilander and David Lindsay, this project was started in order to help people get a better understanding of what these issues are while also providing browser vendors a forum to compare strategies, vulnerabilities, and new features.

* OWASP Web Browser Testing System Project, led by Isaac Dawson, this project was built to quickly automate and test various browser and user-agents for security issues. It contains all the necessary services required for testing a browser.

* OWASP Java Project, led by Matthias Rohr, this project’s goal is to enable Java and J2EE developers to build secure applications efficiently.

* OWASP Myth Breakers Project, led by Stefano Di Paola and Dinis Cruz,this project similar to http://dsc.discovery.com/tv/mythbusters but for appsec, urban legends and assumptions regarding appsec will be tested and there’ll be a set of examples that will prove the correctness/incorrectness of a statement related to the question.

* OWA SP LAPSE Project, led by Pablo Martín Pérez and José María Sierra Cámara, LAPSE is designed to help with the task of auditing Java EE Applications for common types of security vulnerabilities found in Web Applications.

* OWASP Software Security Assurance Process, led by Mateo Martínez, this project envisages to outline mandatory and recommended processes and practices to manage risks associated with applications.

* OWASP Enhancing Security Options Framework (ESOP Framework, led by Amber Marfatia, the purpose of the framework is to provide a security layer to a given web application / web site via web service which can use the functions / modules to protect the site from several specified vulnerabilities.

* OWASP German Language Project, led by Matthias Rohr, this project will provide a foundation, guideance and common terminology for German translations (as well as other German language specific activities) of OWASP documents and parts of the OWASP web site. Furthermore, it will organize, plan and priorize new language projects such as translations.

* OWASP Mantra – Security Framework, led by Abhi M BalaKrishnan, this project is a security framework which can be very helpful in performing all the five phases of attacks including reconnaissance, scanning and enumeration, gaining access, escalation of privileges,maintaining access, and covering tracks.

* OWASP Java HTML Sanitizer, led by by Mike Samuel and Jim Manico, this this is a fast Java-based HTML Sanitizer which provides XSS protection.

* OWASP Java Encoder Project, led by Jeff Ichnowski, this project is a simple-to-use drop-in encoder class with little baggage.

* OWASP WebScarab NG Project, led by Daniel Brzozowsk, this project is a robust tool that assists the user in penetration test. This is a complete rewrite of the old WebScarab application, with a special focus on making the application more user-friendly.

* OWASP Threat Modelling Project, led by Anurag Agarwal, this project envisages to establish a single and inclusive software-centric OWASP Threat modeling Methodology, addressing vulnerability in client and web application-level services over the Internet.

* OWASP Application Security Assessment Standards Project, led by Matteo Michelini, the Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed and what level of assessment is appropriate based on business requirement.

* OWASP Hackademic Challenges Project, led by Anastasios Stasinopoulos and Konstantinos Papapanagiotou, this is an open source project that can be used to test and improve one’s knowledge of web application security.

* OWASP Hatkit Proxy Project, led by Martin Holst Swende, this is an intercepting http/tcp proxy based on the Owasp Proxy, but with several additions.

* OWASP Hatkit Datafiddler Project, led by Martin Holst Swende, this is a tool for performing advanced analysis of http traffic.

* OWASP ESAPI Swingset Interactive Project, led by Cathal Courtney and Fabio Cerullo, this a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI library.

* OWASP ESAPI Swingset Demo Project, led by Craig Younkins, this is a web application which demonstrates the many uses of the Enterprise Security API (ESAPI).

* OWASP Web Application Security Accessibility Project, led by Petr Závodský, this project will focus extensively on the issue of web application security accessibility.

* OWASP Cloud ‐ 10 Project, led by Vinay Bansal, Shankar Babu Chebrolu, Pankaj Telang, Ken Huang, and Ove Hansen, the goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

* OWASP Web Testing Environment Project,l ed by Matt Tesauro, this project was thought o receive all contents OWASP Live CD related.

* OWASP iGoat Project, led by Kenneth R. van Wyk, this project aims to be a developer learning environment for iOS app developers. It was inspired by the OWASP WebGoat project in particular the developer edition of WebGoat.

* Opa, led by David Rajchenbach-Teller, usher in a new generation of web development tools and methodologies.

* OWASP Mobile Security Project – Mobile Threat Model, led by Jack Mannino this sub-project is a component of the OWASP Mobile Security Project.

* OWASP Codes of Conduct, led by Colin Watson, this project envisages to create and maintain OWASP Codes of Conduct. In order to achieve our mission, OWASP needs to take advantage of every opportunity to affect software development everywhere. At the OWASP Summit 2011 in Portugal, the idea was created to try to influence educational institutions, government bodies, standards groups, and trade organizations.

B. PROJECTS/UNDER WORK

* OWASP Cross-Site Request Forgery Research Pool

AppSec Latin America 2011

2011-05-30T21:53:00.000-07:00

We are pleased to announce that the OWASP Porto Alegre Local Chapter will organize the Global AppSec Latin America 2011 Conference in Porto Alegre-RS, Brazil.

The Global AppSec Latin America 2011 Conference will be a reunion of Information Security latin american leaders, and will present cutting-edge ideas. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 200-250 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

A OWASP Global AppSec Latin América 2011 will be happens in Brazil at Porto Alegre city, Rio Grande do Sul state map in October 4th to 7th 2011. The trainings will be in October 04 and 05, and the presentations will be in October 06 and 07.

If you have any questions, please email the conference chair: AppSec2011@AppSecLatam.org

Who Should Attend Global AppSec Latin América 2011:

Application Developers
Application Testers and Quality Assurance
Application Project Management and Staff
Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
Security Managers and Staff
Executives, Managers, and Staff Responsible for IT Security Governance
IT Professionals Interested in Improving IT Security

AppSec EU Registration Alert

2011-05-29T22:37:00.003-07:00

(From Kate Hartmaan)

I would like to encourage anyone who will be attending AppSec EU to register as soon as possible. The training seats are close to capacity!

Please join us at historic Trinity College in Dublin Ireland for the 2011 Global AppSec European event. Training will be held on June 7^th and 8^th followed by two days of cutting edge presentations given by university and industry experts on June 9^th and 10^th. Breakout sessions will be hosted by the OWASP Global Industry Committee and the Global Chapters Committee.

There will be opportunities for networking at our social events including the first ever KartCon EU!

Please visit www.appseceu.org for complete information on speakers, presentations, networking events, and, of course, KartCon EU!

If you are all set to register, you can do that directly by clicking here: http://www.regonline.com/owasp_appsec_eu_2011

I am looking forward to seeing everyone in Dublin!

Kate Hartmann

Operations Director

301-275-9403

www.owasp.org

Skype: Kate.hartmann1

ModSecurity Core Rule Set v2.2.0

2011-05-29T22:27:00.000-07:00

(From Ryan Barnett)

I am  pleased to announce the release of the OWASP ModSecurity Core Rule Set  (CRS) v2.2.0.  This is a significant update as we have added a number of  very important capabilities.

CHANGE LOG -

-------------------------- Version 2.2.0 - 05/26/2011 --------------------------Improvements: Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2)   http://www.apache.org/licenses/LICENSE-2.0.txt  
Created new INSTALL file outlining quick config setup - Added a new rule regression testing framework to the /util directory 
Added new activated_rules directory which will allow users to place symlinks pointing   to files they want to run.  This allows for easier Apache Include wild-carding 
Adding in new RULE_MATURITY and RULE_ACCURACY tags 
Adding in a check for X-Forwarded-For source IP when creating IP collection - Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset)    http://websecuritytool.codeplex.com/wikipage?title=Checks#charset  
Added new AppSensor rules to experimental_dir   https://www.owasp.org/index.php/AppSensor_DetectionPoints 
Added new Generic Malicious JS checks in outbound content - Added experimental IP Forensic rules to gather Client hostname/whois info  http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html  
Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules   http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html    
Global collection in the 10 file now uses the Host Request Header as the collection key.   This allows for per-site global collections. 
Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilties.   This includes both converted web rules from Emerging Threats (ET) and from SLR Team. 
Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB 
- Added experimental rules for detecting Open Proxy Abuse   http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html  
Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API   http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-passive-vulnerability-scanning-part-1-osvdb-checks.html  
Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227) 
Added new SQLi detection rules (959070, 959071 and 959072) 
Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data   https://www.modsecurity.org/tracker/browse/CORERULES-64  Bug Fixes: - Assigned IDs to all active SecRules/SecActions 
Removed rule inversion (!) from rule ID 960902 
Fixed false negative issue in Response Splitting Rule 
Fixed false negative issue with @validateByteRange check 
Updated the TARGETS lising for rule ID 950908 
Updated TX data for REQBODY processing 
Changed the pass action to block in the RFI rules in the 40 generic file 
Updated RFI regex to catch IP address usage in hostname   https://www.modsecurity.org/tracker/browse/CORERULES-68 
Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods. 
Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions.   They will now inherit the settings from the SecDefaultAction

--------------------------

DOWNLOADING

--------------------------

Manual Downloading:

You can always download the latest CRS version here -

https://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/

Automated Downloading:

Use the rules-updater.pl script in the CRS /util directory

# Get a list of what the repository contains:

$ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -l

Repository: http://www.modsecurity.org/autoupdate/repository

modsecurity-crs {

          2.0.0: modsecurity-crs_2.0.0.zip

          2.0.1: modsecurity-crs_2.0.1.zip

          2.0.2: modsecurity-crs_2.0.2.zip

          2.0.3: modsecurity-crs_2.0.3.zip

          2.0.4: modsecurity-crs_2.0.4.zip

          2.0.5: modsecurity-crs_2.0.5.zip

          2.0.6: modsecurity-crs_2.0.6.zip

          2.0.7: modsecurity-crs_2.0.7.zip

          2.0.8: modsecurity-crs_2.0.8.zip

          2.0.9: modsecurity-crs_2.0.9.zip

          2.0.9: modsecurity-crs_2.0.10.zip

          2.1.0: modsecurity-crs_2.1.0.zip

          2.1.1: modsecurity-crs_2.1.1.zip

          2.1.2: modsecurity-crs_2.1.2.zip

   2.2.0: modsecurity-crs_2.2.0.zip

}

# Get the latest stable version of "modsecurity-crs":

$ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -prules -Smodsecurity-crs

Fetching: modsecurity-crs/modsecurity-crs_2.2.0.zip ...

$ ls -R rules

modsecurity-crs

rules/modsecurity-crs:

modsecurity-crs_2.2.0.zip    modsecurity-crs_2.2.0.zip.sig

--

Ryan Barnett

OWASP ModSecurity CRS Project Leader

London OWASP chapter meeting June 3rd

2011-05-27T22:01:00.000-07:00

London OWASP chapter & ISG, Royal Holloway Joint Seminar

Date: Friday, June 3rd 2011 6:30pm - 8:00pm

Tea & Coffee will be served from 6pm, with a sandwich buffet after the seminar.

Speaker/Topic: Steve Lord on Wordpress Security

Abstract: Wordpress is one if the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog shaped box, often because of it's flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.

Location: Bourne Lecture Theatre 2 Royal Holloway University of London Egham TW20 0EX  Directions to Royal Holloway and a Campus Plan are available from the following website (Bourne LT 2 is in building 31 on the Campus Plan):

http://www.rhul.ac.uk/aboutus/locationmap/home.aspx

OWASP 2.0 Released!

2011-05-13T18:39:00.000-07:00

(From Chris Schmidt)

Friends, Romans, Countrymen - Lend me your ears!

It is my pleasure to announce the official release of ESAPI 2.0GA!

This release features some key enhancements over ESAPI 1.4.x including, but not limited to:

Upgrade baseline to use Java5
Completely redesigned and rewrote Encryptor
New and Improved Validation and Encoding Methods
Complete redesign of the ESAPI Locator and ObjectFactory
More unit tests
ESAPI Jar is now Signed with an OWASP Code Signing Certificate
ESAPI Jar is Sealed
And much, much more

We understand that a lot of you have been waiting a very long time for this, and so have we! It was important that we take our time with this release to make sure we had addressed everything possible prior to it going out. Included in that process was:

Peer review of the ESAPI Codebase
Code and Architecture Review of new Encryption
Adding and fixing unit tests
Tons of discussion and interaction with the OWASP Community and ESAPI Users

Without the feedback from our users, we could have never accomplished some of the awesome enhancements that have been made to the library since the last major release, so we owe you all a debt of gratitude for helping us design and implement controls that will ultimately help you write more secure applications.

We are currently in the process of getting a whole new suite of documentation, with a focus on integration tasks and actually using ESAPI in real applications - look for those documents over the next couple monthes, as well as a whole new contribs section in our repository aimed at providing turnkey components and solutions to some of the more commonly encountered integration points for ESAPI.

You can download the full distribution of ESAPI 2.0GA from our home on Google Code at: http://code.google.com/p/owasp-esapi-java/downloads/list

The latest API Docs can always be found at:
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/index.html

Within the next 24-48 hours the distribution to Maven Central should be updated as well and you should be able to start using 2.0GA in your Maven projects as soon as that happens. Maven dependency will be:

<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.0GA</version>
</dependency>

As always, we would love to hear your feedback on the release and if you have any questions at all, you can join the ESAPI-User Mailing List here: https://lists.owasp.org/mailman/listinfo/esapi-user

Thanks again to the OWASP and ESAPI Community for helping us build and release the tools that help make the internet just a little bit more sane!

Sincerely,
The ESAPI Development and Management Teams

P.S. Please forward this along to any colleagues or distribution lists that may be interested.

AppSec USA 2011: Training, Marlinspike & Winkler & Curphey, CFP, Community

2011-05-09T18:42:00.001-07:00

The OWASP AppSec USA 2011 team has exciting updates for the September 20-23, 2011 event commemorating OWASP's tenth anniversary in the invigorating city of Minneapolis, Minnesota!

TRAINING
Ready to learn the art of SQL injection? Got it. Securing iOS or Android apps? You're covered. Taking OWASP WTE (OWASP Live CD) to the next level? Learn from its maintainer! Hardening your Web 2.0, .NET, and PHP code? Be instructed by masters of the craft Dave Wichers and Robert H'obbes' Zakon, and respected infosec authors Shreeraj Shah (author of "Hacking Web Services") and Erez Metula (author of "Managed Code Rootkits"). And if you want to set up the next generation of application layer defenses, build your intrusion detection and protection platform with Colin Watson.

http://www.appsecusa.org/training.html

MORE KEYNOTES
We've got Moxie! Moxie Marlinspike, creator of sslsniff and sslstrip, joins OWASP founder Mark Curphey and "Spies Among Us" author Ira Winkler as a conference keynote.

http://www.appsecusa.org/moxie_marlinspike.html
http://www.appsecusa.org/ira_winkler.html
http://www.appsecusa.org/mark_curphey_community_the_killer_app.html

CALL FOR PAPERS OPEN UNTIL JUNE 14, 2011
Give back to the field and show your peers the way forward. The CFP is open. As OWASP reflects on its first ten years, share your vision for the next ten years. Submit today and you could be leading a track as a featured speaker.

http://www.appsecusa.org/talks.html

5K/10K FOR CHARITY
See Dinis Cruz, Dan Cornell, and Mark Curphey sprint to the finish line in fashion as OWASP helps the Bakken Museum (http://www.thebakken.org/) teach youth about the wonderful world of electromagnetism. Let's strengthen the bond with community and improve our health. Place your donations and get signed up to race in the late afternoon Wednesday (September 21, 2011) the day before the conference talks.

http://www.appsecusa.org/strengthen.html

WOMEN IN APPSEC
Enable more women to enter the application security field. We're off to a great start with the Wells Fargo Foundation's generous seed funding of $5,000 for grants to women interested in attending OWASP AppSec USA 2011 to launch their career in this growing field. OWASP transformed the way information security works once already, and it's time again to propel positive progress.

http://www.appsecusa.org/womeninappsec.html

CAPTURE THE FLAG (AND GET A FREE TICKET)
The first monthly CTF challenge for OWASP AppSec USA 2011 is posted, and it's a great way to start preparing for the full CTF in September! Solve the May challenge before anyone else and get a free ticket to the conference plus props on www.appsecusa.org.

http://www.appsecusa.org/ctf.html

DISCOUNTS
Register early and save money. Register a large group and save even more. And if you're a student, the savings are huge. So sign up today for a great deal, and please spread the word to students in computation, information protection, forensics, and law. We need more people to secure the world's systems. Registration is open!

http://www.appsecusa.org/attend.html

CR0WD50URC3D
If you have a bumping track, let it be heard. Upload your original music, submit the link, and it may get played at OWASP AppSec USA 2011 or on the www.appsecusa.org website.

http://www.appsecusa.org/deepcuts.html

THANK YOU TO OUR SPONSORS! We couldn't pull this off without your generous support!

Thanks all.

OWASP AppSec USA 2011: Your life is in the cloud.
September 20-23 Training, Talks, CTF, Showroom, and More
www.appsecusa.org
@appsecusa

ESAPI 2.0 Update

2011-04-28T13:05:00.000-07:00

(from Chris Schmidt)

Just a couple of quick updates and some announcements.

1. We are currently awaiting the verification to complete for our code signing cert - as soon as I receive the cert I will be pushing 2.0GA out the door!

2. There was an excellent paper done on the ESAPI4JS project and I have blogged about it (and linked to the paper hosted at OWASP) - blog is at http://yet-another-dev.blogspot.com

3. I have made a run at some initial contrib modules for esapi and will be creating a contrib branch to host the source and binaries (as well as making the binaries available via maven) sometime this week. Contrive include authn/authz integration with Spring-security, contextual encoding integration with freemarker, and hopefully validation integration using jsr303, spring and hibernate-validator. These have been hands-down the most asked about integrations that I have been asked about and I wrote then for use in an app that I am currently writing.

Regards,
Chris Schmidt
chris.schmidt@owasp.org

OWASP AppSec EU Hacademic Challenges - Win a FREE Admission

2011-04-25T15:51:00.001-07:00

The OWASP Hackademic Challenges Project is an open source project that helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controlled, environment. This is a customized version of the OWASP Hackademic Challenges only for OWASP Appsec Europe 2011.

The competition starts on 21st April and will run for 4 weeks until 15th May.

Once the competition is over, the winner will get a FREE ticket to the conference.

You could find more info here: http://www.appseceu.org/?p=542

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

AppSec EU Agenda and Training

2011-04-25T08:07:00.000-07:00

We are very excited to announce that the Agenda and Training Courses for this year's AppSec EU conference have been finalized. We hope you will join us June 7-10 at beautiful Trinity College in Dublin, Ireland.

Training Courses include: Threat Modeling, Assessing and Exploiting Web Apps with Samurai-WTF, Tactical Defense with ModSecurity, Secure Application Development, and Designing, Building and Testing Secure Applications on Mobile Devices

The plenary sessions include three different tracks that will focus on defense, prevention, and attacks.

There will be ample time for networking, including KartCon EU 2011!

Complete information on the training, agenda, Trinity College, KartCon, and links for registration can be found here: http://www.appseceu.org/

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

OWASP Common Numbering Progress

2011-04-10T08:57:00.000-07:00

(From Dave Wichers)

I took a first stab at the Common Authentication requirements based on Keith's SCP Guide and the ASVS. Keith and I spent a couple hours going through these changes and have together produced the following:

The numbering scheme I have proposed is here, if you haven't looked at it yet: https://www.owasp.org/index.php/OWASP_Common_Numbering_Project#tab=OWASP_Common_Requirements_Numbering_Scheme

The requirements are here:

https://www.owasp.org/index.php/OWASP_Common_Numbering_Project#tab=OWASP_Common_Requirements_-_DRAFT

An updated version of Keith's Secure Coding Best Practices is attached where just the Authentication section has been updated to match these requirements. Keith has decided to have his guide use exactly the same requirements numbers as the common numbering project. But for ASVS, and the Dev/Test/Code review guides I would imagine we would just cross reference to the Common Numbers rather than adopt them.

· Please ignore the rest of my comments on his document. Focus only on the Authentication section.

Also attached is my working notes for these common requirements and a mapping of them to the old Secure Coding Best Practices Guide and the current ASVS.

I plan to update the Authentication section of ASVS to match these new common requirements, but haven't done that yet, as I didn’t want to hold up your review.

I wanted to get your feedback before we follow this model/approach for all the other sections, which is a lot of work. So if you have any major comments on the approach, now is the time to raise them and reach some consensus so we can avoid major rework later.

Here are my major questions:

1. Any comments on the numbering scheme proposed?

a. I have developed suggested areas for requirements based on the various OWASP docs but they can easily change. If you have any suggested changes, let me know.

2. Any comments on our overall approach for developing a full requirements area and mapping that to the Secure Coding Best Practices?

3. Any specific comments on the requirements we have identified so far?

After getting Authentication worked out, I plan to work with Keith to crank out either all the rest all at once or maybe in 2-3 rounds to get all the rest done.

Any and all feedback welcome.

Thanks,

Dave Wichers

April 10-16 is National Volunteer Week!

2011-04-06T13:12:00.000-07:00

The OWASP Foundation is a 99.9% volunteer driven organization! Let’s take this time to recognize those volunteers who have dedicated their time and talent to making the universe safer for the rest of us.

How about a contest to nominate volunteers? What about a blog page? Twitter? How can we raise awareness of the great things we are doing globally?

Mailing list of 25,000, 135 active projects, 70 active chapters globally, volunteer organized conferences on every continent, committees, influencing education and government

This is big…let wave our flag!

OWASP Board Election Update

2011-03-21T22:23:00.001-07:00

I wanted to provide a status update to everyone on the OWASP-Leaders list to communicate to your respective chapters via fwd or repost to OWASP Blog/Twitter etc..

1. Currently there is a volunteer team assembled and working with Kate Hartmann on Version 3.0 of the OWASP Bylaws (current ones: http://www.owasp.org/images/0/0d/OWASP_ByLaws.pdf ) The next milestone update from that team is due by April board meeting. Ongoing the board will need to review them each year, agree to them and vote in subsequent modifications as we continue to grow like any other business with bylaws.

You can track updates at: http://www.owasp.org/index.php/OWASP_Board_Meetings and the results.

2. In 2009 we ran elections, had (4) candidates, (2) were elected. We utilized a democratic process and documented it: http://www.owasp.org/index.php/Board_member <--- 2009 results format. We will be using the same process. In 2011, (3) seats are up for election: Jeff Williams, Dave Wichers and Sebastian Deleersnyder. (This was based on term length so far) These individuals are encouraged to run for re-election by peers and/or endorse and support another candidate. The role will be come effective in January 2012 after a transition and hand-off period.

3. In 2011 members will cast a ballot (you are on the OWASP Member list aren't you?) now is a good time to check. http://www.owasp.org/index.php/Membership/members if you are not a individual member now is a perfect time to renew it. If you work for a company that is a corporate supporter and you are the primary point of contact this only equals = (1) vote. Voting rights are assigned to individuals (yes actual people..) as outlined at: http://www.owasp.org/index.php/Membership

So this quick updates means in summary that we are ALMOST ready to proceed, but there are a few moving parts;

- April we should be able to [commit] and then we can open a OWASP-ALL nomination process. It will be very similar to the process to the joining a global committee, where if you you are a OWASP member, contributor to projects/chapters and have endorsements of others you can draft your "WHY ME" and run for one of the 3 seats that will be up for election.

- Candidates will be announced from at the kick-off of the Global AppSec Europe, June 9th conference and elections will follow three months later at the Global AppSec North America on September 22nd

http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference and it also happens to be our 10 year anniversary at OWASP Foundation.

- If you are still reading this have free time, want to continue to help evolve a global community consider supporting or running for election yourself. Now might be a good time to socialize your desire, get endorsements at your local chapter(s), asking the global committees for endorsement based on your accomplishments, consider releasing that next owasp project to show folks what you are capable of in collaboration with others or as a individual and be in sync with what is happening at the Global Committee's http://www.owasp.org/index.php/Global_Committee_Pages - don't forget to have fun with ALL your volunteer efforts.

Hope this update was helpful?

Tom Brennan

973-202-0122

BTW in case you missed the updates from the Summit see: http://www.owasp.org/images/2/27/OWASP_Summit_2011_Results.pdf

OWASP AppSec EU - Registration Open & CFP/CFT

2011-03-16T09:52:00.001-07:00

Registration is OPEN!!! Follow the link for information on Early Bird Pricing!

http://www.owasp.org/index.php/AppSecEU2011#tab=Registration

OWASP is currently soliciting training & presentation proposals for the OWASP AppSec Europe 2011 Conference which will take place at Trinity College Dublin in Ireland, on June 6th through June 10th 2010. There will be training courses on June 6th, 7th and 8th followed by plenary sessions on the 9th and 10th with each day having at least three tracks.

Call for Training

We are seeking training proposals on the following topics (in no particular order):

Security in Web 2.0, Web Services/XML
Advanced penetration testing
Static analysis for security
Threat modeling of applications
Secure coding practices
Security in J2EE/.NET patterns and frameworks
Application security with ESAPI
OWASP tools in practice

We will look favorably on laboratory-based/hands-on training.

Call for Presentations

We are seeking people and organizations that want to present on any of the following topics (in no particular order):

Business Risks with Application Security.
Starting and Managing Secure Development Lifecycle Programs.
Web Services-, XML- and Application Security.
Metrics for Application Security.
Application Threat Modeling.
Hands-on Source Code Review.
Web Application Security Testing.
OWASP Tools and Projects.
Secure Coding Practices (J2EE/.NET).
Privacy Concerns with Applications and Data Storage
Web Application Security countermeasures
Technology specific presentations on security such as AJAX, XML, etc.
Anything else relating to OWASP and Application Security.

Submission Deadline and Instructions

Submission deadline is Sunday April 3 23:59 (GMT).

To submit your proposal please fill out the form here:
http://www.easychair.org/conferences/submission_new.cgi?a=c0b760808bfd

Please specify in the form whether you are submitting a Training or a Presentation proposal. Eg. Title: "Training - Introduction to Web Application Security"

Only for Training Proposals
To submit your training proposal please fill out the
http://www.owasp.org/index.php/File:OWASP_AppSec_Europe_2011_Call_for_Training.docx and attach it while filling out the online form.

Upon acceptance you'll be requested to fill out the Training Instructor Agreement where you'll find details on revenue split etc. The agreement will be reworked but the previous one is here: http://www.owasp.org/index.php/File:Training_Instructor_Agreement.doc

Further Information

Mail: ireland@owasp.org

Website: http://www.owasp.org/index.php/AppSecEU2011

Linkedin: http://events.linkedin.com/OWASP-AppSec-Europe-2011/pub/522459

Twitter: #appseceu11

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

OWASP ESAPI for Ruby v0.3

2011-03-09T09:43:00.000-08:00

(from Paolo Perego)

I'd like to announce that the first public version (marked as 0.30.0) of the OWASP ESAPI for Ruby gem has been released.

We choose to release early, release often so we started pushing out to the real world even if we started no more than a month ago. We started porting validators, codecs and filters but the road towards 1.0 is far from being close.

Since a lot of work has to be done, we need a lot of talented people, so please go to http://www.owasp.org/index.php/Projects/Owasp_Esapi_Ruby and subscribe to the project mailing list. At the owasp.org webpage you can find link to source repository, with all the information you need to contribute to the project.

https://rubygems.org/gems/owasp-esapi-ruby

Cheers
Paolo Perego

OWASP Summit and AppSensor

2011-02-27T14:23:00.001-08:00

The AppSensor session at the OWASP World Summit was a great success. The focus of the discussion was where should AppSensor go next. We covered all of the available items within the AppSensor project (AppSensor.jar w/ESAPI plugin, detection points guidance, extensive documentation, live running demos defendtheapp.com, etc) and posed the question "What do we need for your company to adopt AppSensor within your applications". There was lots of energy in the room and all 50+ seats were filled. AppSensor is really starting to take off and I'm excited at these results. These ideas represent the next areas for the project to tackle in order to obtain wide adoption.

Here are the outputs of that discussion as action items for the project. Consider this an invitation for anyone to jump into the AppSensor project and lead one of these areas to success (email me and I can give you more info and support your efforts)

* Concern over False Positives
** Article to discuss why AppSensor false positives won't result in negative system performance or adversely impact non-malicious users. Target Audience: Product Managers, CSOs

* Where is AppSensor integrated into development
** Slides or article to demonstrate process of selecting AppSensor detection points during the threat modeling phase. Notes on how to communicate these requirements to developers. How to test proper deployment

* Is there an AppSensor-like implementation that could be handled by operations?
** This is not the traditional AppSensor approach (e.g. within the code), but we could do further research on aspect oriented implementations or real time log analysis for attack monitoring

* Integration with libraries and frameworks
** Sub project to submit patches for common frameworks to log obvious attack types. The goal is to at least get the logging of attack scenarios in place by default. This makes it easier to adopt an AppSensor approach onto these libraries or frameworks
** Possible first target : Sonar (sonarsource.org) - May need to get more info on this idea

* Testimonials from companies using AppSensor or AppSensor-like capabilities
** This wil help raise confidence in the project for potential new adopters

* Software - Code versioning, patching, support ?
** This is a common concern for open source software and OWASP code. What can we do to help make our code more digestible by a company looking for these more stringent development patterns?

* Link in with Fraud systems
** The AppSensor project has been contacted by a large bank to help develop a strategy for detection of fraud through session hijacking and phishing.

Michael Coates

AppSec EU 2011 - First Challenge Released!

2011-02-23T12:19:00.000-08:00

Hi there,

For all those application security professionals and enthusiasts out there here is the first challenge to win a free entrance ticket for AppSec EU 2011.

*Introduction*

As some of you might know, Vicnum is an OWASP project which consists of a flexible web app showing vulnerabilities such as cross site scripting, sql injections, and session management issues. The tool could also be used by those setting up 'capture the flag' exercises or by those who just want to have some fun with web assessments. The Vicnum project was developed for educational purposes by Mordecai Kraushar from Ciphertechs.

For today, we have prepared a customised version of Vicnum The Game that contains several exercises for your enjoyment.

*The Game*

The computer will think of a three digit number with unique digits. After you attempt to guess the number, the computer will tell you how many of your digits match and how many are in the right position. Keeping on submitting three digit numbers until you have guessed the computer's number.

In order to win an free ticket to AppSec EU 2011 you need to solve the following exercises of Vicnum The Game.

- Hack the game: Have a guess count of zero and a guess value > 999

- Hack the database: Find the Vicnum player with the worst possible score (if there is a tie find the older record). Place another record in the database with that player's name concatenated to your name and with a positive score.

Once you solve the exercises, please send us an email to ireland@owasp.org with your full name and details on how you accomplished this goal.

The first one who solves these exercises gets a free ticket to OWASP AppSec

EU 2011!

Please visit http://www.appseceu.org/?page_id=175 to find out further details about the challenge.

A big THANKS goes to Mordecai for setting up and customizing the challenge.

Thank you and best of luck everyone!

Fabio Cerullo

Application Security Track at Uber Conf 2011 - July 12-15

2011-02-22T22:13:00.000-08:00

OWASP is currently soliciting papers for the Application Security Track at Uber Conf, Denver, CO.

OWASP is partnering with Uber Conf to have an Application Security track at this prestigious conference. Brought to you by the No Fluff Just Stuff Software Symposium Series, Über Conf will explore the ever evolving ecosystem of Java the Platform.

The Ü will offer over 120 technically focused sessions including hands on workshops centered around Architecture, Cloud, Security, Enterprise Java, Languages on the JVM, Build/Test, Mobility and Agility. The goal of Über Conf is a simple one: totally blow the minds of our attendees.

We are seeking people and organizations that want to present about how security relates to the following Java topics (in no particular order):

  * Architecture
  * Enterprise Java
  * Java Internals
  * Security - Enterprise & JVM
  * Cloud Computing
  * Languages on the JVM - Groovy, JRuby, Scala & Clojure
  * Java Web Frameworks - Wicket, Tapestry & SpringMVC
  * Build Systems - Maven & Gradle
  * Testing
  * Agility
  * Tools


How to make a submission:
  * Fill the form available at
http://www.owasp.org/images/4/42/UberConf.AppSec.CFP.rtf.zip
  * Submit the filled form at
https://www.easychair.org/conferences/?conf=appsecatuberconf2011

Submission deadline is Feb 28th at 12PM EST (GMT-5)

Submit Proposals to:
https://www.easychair.org/conferences/?conf=appsecatuberconf2011

Conference Website:
http://uberconf.com/conference/denver/2011/07/home

OWASP Website:
http://www.owasp.org 

Please forward to all interested practitioners and colleagues.

AppSec USA 2011 Minneapolis

2011-02-22T02:02:00.001-08:00

OWASP is proud to announce AppSec USA 2011. We're celebrating our first ten years and looking ahead to the next ten years!

Training will be held September 20-21. Talks, CTF, and showroom will be September 22-23. AppSec USA 2011 will be hosted in Minneapolis, Minnesota at the Minneapolis Convention Center.

http://www.appsecusa.org/

CALL FOR TRAINERS NOW OPEN
Think you have a great idea for a one- or two-day class? Submit your idea to Kuai Hinojosa at kuai.hinojosa@owasp.org. Trainers get a 40% cut of the training revenue. Price for trainees will be $1,500 for a 2-day training course and $750 for a 1-day training course (see http://www.appsecusa.org/training.html for additional information on group registration discounts). Please e-mail lorna.alamri@owasp.org if you would like to reserve trainee space for your organization today.

CALL FOR PAPERS OPENS MARCH 15
The call for papers will open March 15. We are excited for high quality submissions from application security professionals, software developers, and thought leaders. This year's format will be four tracks spread across two days covering Cloud Security, Mobile Security, Secure SDLC, OWASP Projects (turbo talks), Software & Architecture Patterns for Security, Software Development Platform Tutorials, New Attacks & Defenses, and Thought Leadership (executive panels, interviews, and speeches). Please e-mail lorna.alamri@owasp.org if you would like to reserve conference passes for your organization today at heavily discounted rates. And stay tuned for the call for papers announcement...

SPONSORSHIP OPPORTUNITIES
AppSec USA 2011 will be a great opportunity to let the community know about your products and services, and also a great time to recruit new talent. See http://www.appsecusa.org/sponsors.html for sponsorship opportunities. We would like to thank IBM for being our first AppSec USA 2011 sponsor!

CAPTURE THE FLAG (CTF)
This year's AppSec USA CTF promises to be the best one yet. If you'd like to volunteer or get prepared for the CTF, visit http://www.appsecusa.org/ctf.html and send an e-mail to the CTF team.

Thank you!

OWASP AppSec USA 2011: Your life is in the cloud.
Web: http://www.appsecusa.org/
Twitter: @appsecusa

ESAPI and the Padding Oracle Attack

2011-02-15T21:21:00.000-08:00

From Kevin Wall.

I originally noticed that the ESAPI symmetric encryption provided no authenticity way back in August 2009 and argued for a very long time with Jim Manico that what was present in ESAPI 1.4 and 2.0rc3 (or maybe it was rc2?) needed to be burned to the ground and replaced, and he agreed. All I remembered was some type of an attack against cipher padding that caused by one tweaking IVs in a certain way and then looking for errors. I remembered that IPSec at one time had been vulnerable to this same vulnerability, but I just couldn't remember the name of the attack or who or when he wrote about it (S. Vaudenay in 2002) so unfortunately couldn't easily search for it. Fortunately, I knew that I had to use a MAC or an authenticated cipher mode to fix it.

After a few months of arguing on the ESAPI developer list that this was something that needed to be addressed, I finally was able to convince people convince the ESAPI community and I volunteered to make the code changes. Had I been able to find Vaudenay's paper and site it, I probably would have been able to convince folks that changing ESAPI's encryption was necessary...especially that Jim Manico guy. ;-) [Aside: Ironically it was this weakness in ESAPI's crypto that caused me to get involved with ESAPI development. I really liked what it presented and wanted to introduce it at Qwest once it was GA, but I was concerned that Qwest developers that would use the broken ESAPI crypto rather then the encryption library we had developed in-house.]

Anyway, subsequent to the the Rizzo / Duong paper appearing, there was probably at least 4-6 sman months of re-design and recoding effort that had taken place.

In fact, at one point I had things just right (apart from using a timing side-channel as padding oracle), but then *in a moment of clear stupidity*, I went in and changed a few of the exception messages intended for end users "to clarify things a bit". My (faulty) reasoning was that if a user got an encryption error and called a help desk, s/he could only report what s/he could see as he error message. But since the error message could be caused by two very different things I decided to make them slightly different so help desk personnel could distinguish between the two cases and act accordingly. (I know, the *logged* error messages were different, but I figured very few tier 1 help desk people ever have access to log files.)

Anyway, this was a *BIG* mistake and reintroduced the padding oracle attack, although not in the same way that earlier versions of ESAPI had, as they did not support authenticity at all.

So the bottom line is the *reason* that "we fixed padding oracle in ESAPI *very* quickly after the paper came out" is all I really had to do to fix it was to go back and change it so that the user intended exception messages were identical in each case. (I also put in some protection against using timing as a side-channel attack as the padding oracle, but that was pretty straightforward.)

Had the NSA completed their crypto review and mentioned this (they didn't and it's not entirely clear that they ever would have!), then this would have been have been fixed without drawing so much attention. But in a way, I consider it serendipitous that it came out in the Duong & Rizzo paper that ESAPI was somewhat vulnerable. By comparison, ESAPI faired well against the others described their paper. I think had ESAPI not been vulnerable, it likely would not have been mentioned at all in their paper and the conclusion of Rizzo's and Duong's readers would have been that they had not evaluated ESAPI's symmetric encryption at all. As it was, it allowed us a platform to be transparent to the OWASP community, tell them how we were addressing the problem, and (IMO) most importantly brought home the seriousness of what I had been saying all along about ESAPI 1.4 encryption being badly broken which motivated getting people off of it.

The reason we were so quick to get it fixed is because we had it 95% right in the first place. (Unfortunately, 95% right is 5% wrong and with vulnerabilities, that's all it takes.)

Thanks for your time,
-kevin

OWASP Summit 2011 Results

2011-02-15T16:34:00.000-08:00

I'm very proud to announce the Summit 2011 Results, which you can download from here:

As you can see by the Summit's highlights, we achieved an amazing amount of work during the 3 days we were together in Portugal!

Amazingly, we also had a great time, and created/consolidated an enormous amount of friendships/relationships. Just look at the the number of similes (and focused faces) that exist on the Summit's official photo album: https://picasaweb.google.com/owaspphotos/OWASPSummit

I would like to take this opportunity to thank the Summit organization team, the Working Session chairs, the 180 on-site participants and the 1000s remote participants, for working so hard and achieving so much.

Note that this is the first version of this document. There is work already underway to create a much more detailed and comprehensive version of this document, which will be released as a number of books (Summit 2011 Final Report, Browser Security Report 2011, etc...).

Please distribute this document/Press-Release as widely as possible.

OWASP Summit Press Release

2011-02-01T17:45:00.000-08:00

FOR IMMEDIATE RELEASE - PLEASE DISTRIBUTE

Top security experts meet in Portugal to discuss the future of application security Portugal, Lisbon, January 28, 2011 - The OWASP (Open Web Application Security Project) Global Summit, held in February 8th-11th in Lisbon, will bring together the most prominent experts in the area of web application security, with the purpose to further the development of the ongoing efforts in application security and to promote solutions that will help reduce the risks and the mistakes incurred by everyone who uses the Web as a workplace and as an information sharing tool – personal, corporate and governmental alike.

The Summit will consist of intensive and collaborative four-day working sessions across a variety of important topics to our industry such as metrics, browser security, cross-site scripting eradication, mitigation and secure coding.

What’s at stake is tackling the threats of cybercrime, either by making clear that security breaches have high costs to organizations, either by explaining the heavy impact that privacy violation has on users.

More than 175 attendees are expected, from more than 20 countries, including top OWASP leaders and security gurus from Google, Mozilla, Microsoft, Paypal, Dell, Apache, Verizon, and many more.

These topics are of the utmost importance, due to the recent development of information systems and of the emergence of web 2.0 technologies, along with the corresponding increase in web applications and services, bringing forth so many implications regarding security and privacy. Never in our lives have we had so much critical personal information being so dependent and simultaneously so threatened by software and web applications (example: Facebook)

Despite the growing investments in security processes and techniques, the truth is we are in a critical situation. AppSecs still have massive vulnerabilities caused by the multiplicity of tasks and/or tools while vendors and clients lack the awareness to address the issue. These are two weaknesses that are obviously leading to increasingly malicious attackers
Given the general lack of awareness we can question what scenario would ultimately drive people or governments to take action. Widespread identity theft? Financial collapse? Mass logistic failure? Loss of critical information? Medical Systems Exploitation? Fraud? Paralyzed public institutions?

OWASP challenges application security leaders and industry players to share their expertise, experience and point of views to help reinforce web application security.

###

About OWASP

The Open Web Application Security Project (OWASP) is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works voluntarily to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a charitable organization that supports and manages OWASP projects and infrastructure.

Contact Information: Abigail Vistas
avistas@generator.pt
217800828 – 916406948

OWASP Summit JS Challenge

2011-01-24T06:29:00.001-08:00

Hi OWASPers, WebAppSecers and Secure Coders!

The official OWASP Summit Challenge is out – a JavaScript fighting arena where your script should show its name more prominently than its competitors.

Check it out: http://makeXORbreak.com

By this we start the countdown to one of the most important meetings in application security history. February 8-11 we invite you all to join round-table discussions with industry and research leaders on how to solve XSS and enhance browser security, which appsec metrics work, security of HTML5 and EcmaScript 5 and more. We truly believe that crucial things can happen in a social, productivity-oriented environment. That's why OWASP is going all-in on the Summit.

Google will be there. Mozilla will be there. Microsoft will be there. Facebook will be there. PayPal will be there. Apache will be there. The world's top appsec companies will be there. The authors of (my) favorite appsec books will be there. Best thing of all?

You are most welcome to join!  http://www.owasp.org/index.php/OWASP_Summit_2011

Get going with the Challenge – http://makeXORbreak.com

Best regards, John Wilander

Got Hosting?

2011-01-13T07:17:00.000-08:00

The Open Web Application Security Project (OWASP) is seeking competitive quotations for a dedicated web hosting environment hereafter described. Contractors qualified to fulfill these requirements are invited to submit quotations

DETAILS: http://www.owasp.org/index.php/RFO_and_hosting_information

If you are willing to take on the hosting, administration in whole or in part we want to hear from you.

In addition to current project of website redesign, our timeline is to announce the award of the project is OWASP Summit 2011:  http://www.owasp.org/index.php/Summit_2011

Great opportunity to help the community and and support the mission of our professional association!

Please support the OWASP Global Summit

2011-01-12T07:31:00.000-08:00

The OWASP Global Summit Feb 8th - 11th, is where industry and application security practitioners from around the world will assemble, collaborate and set the agenda for the forthcoming advancements of the OWASP mission.

What option will you choose to show the world your support?

* Sponsored Villa 10
* Meeting Room Sponsorship(s) 6k
* Projector Sponsorship(s) 2k
* Lunch Sponsorship(s) 2k
* Happy Hour/ Social Session Sponsorship(s) 2k
* Dinner Sponsorship(s) 4k

* You will be in attendance

Full Details: http://www.owasp.org/index.php/Summit_2011_Corporate_Sponsorship

For more information about the Summit see: FAQ http://www.owasp.org/index.php/Summit_2011_FAQ or contact Tom Brennan directly at 973-202-0122 to discuss how you would like to be involved.

More information about the Summit: http://www.owasp.org/index.php/Summit_2011

OWASP Global Summit Sponsorship

2011-01-10T23:23:00.000-08:00

The OWASP Global Summit is the place where application security experts from around the world will meet to discuss progress, plans, projects and new solutions for the future of the application security.

What option will you choose to show your support at the Global Summit?

Full details: http://sl.owasp.org/summitsupport

* Sponsored Villa 10k
* Meeting Room Sponsorship 6k
* Projector Sponsorship 2k
* Lunch Sponsorship 2k
* Happy Hour/ Social Session Sponsorship 2k
* Dinner Sponsorship 4k

ACT NOW Space is limited - Contact Tom Brennan 973-202-0122 for more information about opportunities or click here: http://www.owasp.org/index.php/Summit_2011_FAQ for other FAQ

OWASP Chapter Leaders - Chapter Status Update Needed!

2011-01-06T14:07:00.000-08:00

Chapter Leaders,

The January 15 deadline is approaching for chapter leaders to provide the chapter status information requested here:

http://www.owasp.org/index.php/Donation_Scoreboard

This important update is required as part of the OWASP planning process and also indicates that the local chapter is alive and well. You have probably noticed this request on several mailing lists.

Below is a link showing active OWASP chapters that have responded so far.
https://spreadsheets.google.com/a/owasp.org/ccc?key=0AhtB029bdcxGdDZmS0JkeXZXQ245c0IyVnBfZ0FhNXc&hl=en&authkey=CLLgpuYD

** Important: Chapters that fail to respond before the deadline will be marked as inactive and any funds in the chapter bucket see: https://spreadsheets.google.com/pub?key=p6IFyntQTi7t-yH-peiD8Aw will be transferred to the OWASP Summit Fund to help offset costs for travel for those that want to attend the 2011 Summit of OWASP 4.0 http://www.owasp.org/index.php/Summit_2011

** Note: To view the shared OSTF document, you must use your @OWASP.ORG email address

December 2010 OWASP Newsletter

2010-12-29T16:35:00.001-08:00

I am happy to be able to send out the December 2010 OWASP Newsletter! http://www.owasp.org/index.php/Category:OWASP_Newsletter#tab=Newsletters

Thank you to our editor, Lorna Alamri, MN Chapter co-leader, AppSec US 2011 organizer, Summit 2011 organizer, Industry Committee member, and global contributor.

Happy Holidays!

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

OWASP 2011 Membership

2010-12-15T23:27:00.000-08:00

(by Tom Brennan)

Can you believe the OWASP concept is approaching 10 years old?!!

It's those little things like volunteering your time, insight expertise and membership to a professional organization that make the bigger things possible and effect the mission. In growing a community, being taken seriously as a body, having citations from around the world, employees, administrative costs and even having the ability to allocate 50k in funds to put towards a global summit in 2011 is progress.

But no matter how many hours volunteered to it (OWASP), to be recognized as a "member" in 2011 starts with agreement to the principals and donation of $50usd as a member. While everything is free at OWASP this "designation" comes with a privilege that others don't get, that is the ability to support or effect change with a collective consensus of his/her peers and a vote.

Since 2002 I have personally experienced a variety of perspectives:

-Outsider looking for resources

-Individual Member

-Chapter Leader

-Board Member

-Project Leader

-Project Contributor

-Project Reviewer

-Trainer

-Evangelist

-Active Committee Member

-Member of a Supporting Sponsor(s)

In each role the perception of the of OWASP is different at the 2011 summit I hope to unify this important membership topic and I hope you will join us for the discussion. It's worth my $50 bucks per year.

Example

*For persons going to the summit as a example if they have not paid there $50 individual membership fee... Please complete this transaction as a prerequisite. This includes everyone from the board members to the newest member of this mailing list.

Not going to the summit but running a local chapter, do you lead by example with membership?

The current memberlist:

http://spreadsheets.google.com/pub?key=p6IFyntQTi7sxa2Xjx191BA

How/where do you join?

http://www.owasp.org/index.php/Membership

FAQ: If my company(5k) or university($0) is a supporter does this make me a member? Answer: No - however some have called it "associated member/lite member" as in associated with the supporting company however note, this has no voting right in the association.

Support the mission, change the world.

OWASP CSRFGuard 3.0.0.336

2010-12-15T23:10:00.000-08:00

(from Eric Sheridan)

It is with great pride that I announce the release of OWASP CSRFGuard 3.0.0.336 (ALPHA)! This is a development release of the v3 series that is in need of peer review, testing, and general feedback in preparation for BETA. There are several significant new features that are in need of testing in the enterprise development environments. Please contact me for support if you are interested in testing the latest release. Of course, I am always open to questions, comments, or feature requests!

Please check out the project home page (http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project) and User Manual (http://www.owasp.org/index.php/CSRFGuard_3_User_Manual) for more information about how to install, configure, and deploy the OWASP CSRFGuard library.

OWASP CSRFGuard has been completely rewritten to address the various feature requests and bug fixes submitted to me over the past couple years. No longer will CSRFGuard be referred to as just a "reference implementation". By addressing the performance and scalability issues plaguing older releases, OWASP CSRFGuard v3 is intended to serve as the de-facto standard prevention mechanism against CSRF attacks for JavaEE web applications. The following is a bulleted summary of the significant changes associated with the v3 release:

OWASP CSRFGuard is now available under the much more liberal BSD license
Owasp.CsrfGuard.properties file can be loaded from classpath, web context directory, or current directory
Developers can implement a custom logger to be consumed by the library
Experimental support for the rotation of CSRF tokens once the previous token is expired
Experimental support for creating and verifying unique CSRF tokens per page
Experimental support for Ajax through the verification of headers dynamically injected by CSRFGuard JavaScript
Configurable actions including Log, Invalidate, Redirect, Forward, RequestAttribute, and SessionAttribute
Unprotected pages can be captured using same syntax used by the JavaEE container in web.xml
Library no longer intercepts HTTP responses produced by the web application
Developers can manually inject CSRF prevention tokens using the JSP tag library
Developers can automate injection of CSRF prevention tokens using dynamic JavaScript DOM Manipulation
Tokens are only injected into HTML elements that submit requests to the current origin (planned for XHR)
JavaScript token injection can be configured to inject into links, forms, and XMLHttpRequests

Please check out the following resources for more information regarding recent project updates:

Project Page - http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project

User Manual - http://www.owasp.org/index.php/CSRFGuard_3_User_Manual

Code Repository - http://code.google.com/p/owaspcsrfguard/

Blog - http://ericsheridan.blogspot.com/

-Eric

OWASP 4.0

2010-12-07T21:54:00.000-08:00

(From Jeff Williams)

Hi everyone,

In my mind, OWASP 1.0 was pre-wiki with lots of great work and a less great infrastructure. OWASP 2.0 was establishing the 501c3, putting in the wiki, and getting lots of great projects started. OWASP 3.0 started with the Summit in Portugal when we created the new committees and has focused on creating thriving projects instead of standalone tools. Thank you for all of your efforts growing a fun, civil, productive community.

I reach out to you now to ask you to take some time and think about what OWASP should become. The time has come to measure our success not by the number of members, projects, and conferences, but by whether we are succeeding at making the world’s software more secure. It’s time to get our message and strategy to the next level.

HELP DESIGN OWASP 4.0 IN PORTUGAL AT THE SUMMIT!

If you consider yourself an OWASP Leader, won’t you take a few minutes of quiet time and propose a few ideas for how OWASP can retool, reorganize, refocus, and revamp itself to really achieve our mission? We will rip, mix, and burn these ideas into a new strategy for OWASP at the Portugal Summit. I encourage you to check out the resort and all the plans happening right now at http://www.owasp.org/index.php/Summit_2011.

Here are some ideas to get you started.

We bootstrap several application security ecosystems around key technologies like mobile, cloud, REST
We reach out to governments around the world to help them push for application security
We raise money to fund real security enhancements to tools, browsers, protocols (e.g. OpenSSL)
We make the OWASP materials more usable by providing a “user” site and keep the wiki for development
We invest in marketing AppSec – How do we scale David Rice and the “greening” of AppSec
We continue our education initiative – academies, college chapters, videos, curriculum
We continue our browser initiative and do whatever it takes to get the browsers and frameworks talking
We invest in getting in front of new technologies like HTML5
We launch a no-holds barred XSS eradication campaign
We create a set of objective AppSec *market* metrics that quantify the state of our art
We continue to push on creating standards

We need your ideas NOW. Get yourself on the list!

http://www.owasp.org/index.php/Summit_2011#tab=Summit_Attendees

In one week of thinking, arguing, coding, hacking, and writing we are going to accomplish more than the rest of the world’s appsec efforts combined. We’ll see you in Portugal ready to rock. Thanks!

--Jeff Williams

OWASP Call for Trainers!

2010-12-02T08:34:00.000-08:00

To all OWASP Leaders

In the context of the effort we are making to stabilize and consolidate an OWASP Training model that can be used as a powerful tool to spread OWASP’s knowledge and message, OWASP is looking for trainers to deliver training under the flag “OWASP projects and resources you can use today”. This is a model of training which is free for OWASP members, delivered by OWASP Leaders (with only travel expenses paid) and covering OWASP modules and/or projects.

If you are an OWASP Leader and would like to be included in OWASP's pool of trainers, this is your chance - add your name and info to the OWASP Trainers Database and be counted!

Check out the Database and do it now!

Follow all the developments on the OWASP Training here.

We are looking forward to seeing your names online!

Preventing XSS with Content Security Policy

2010-11-01T06:00:00.000-07:00

An individual XSS can be easily remediated with contextual output encoding per the OWASP XSS Prevention Cheat Sheet. Although an individual XSS can easily be addressed, the overall cat and mouse game of effectively ridding an application of XSS can be very difficult. To combat this problem a new security feature, Content Security Policy, has been introduced into the Mozilla Firefox browser.

Content Security Policy (CSP) is an opt-in white list approach for defining what external scripts sources are allowed to execute JavaScript or other content loading code (e.g. iframes) within the page. By eliminating inline scripts and defining a white list of allowed external scripts it is possible to strictly control what JavaScript is executed within the page. In the event that a user injected script into the page via an improperly encoded piece of user controlled data, then Content Security Policy would identify that the JavaScript is not part of the white-listed data and the browser will disregard this unauthorized script.

Here's a basic overview of the CSP process:

Externalize all JavaScript within the pages (e.g no inline script
tag, no inline JavaScript for onclick or other handling events )
Define the policy for your site and whitelist the allowed domains where the externalized JavaScript is located.
Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use.

Violation Reporting

The violation reporting component is another huge benefit of using CSP that can be enabled by providing a value for the policy-uri field within the site's specific Content Security Policy. In the event content (JavaScript, injected iframe, etc) is not allowed to execute due to CSP, the user's browser will issue a violation report back to the URL specified by the site's CSP. This means that a website owner can receive real time notifications of CSP violations that could be potential XSS attacks.

CSP Enabled Browsers

Content Security Policy is currently supported in Firefox 4. Although CSP is currently supported in only one browser, there are still many reasons to provide CSP support within a website. CSP will provide an added layer of protection to all web site users with a CSP enabled browser. In addition, CSP enabled browsers will also provide violation reporting feedback back to the web site owners in the event an XSS attack is somehow injected into the page. Finally, if CSP is well received then the intent is to formalize this into a standard and push for adoption within other browsers.

More Information

Spec: https://wiki.mozilla.org/Security/CSP/Specification
Developer CSP Link: https://developer.mozilla.org/en/Introducing_Content_Security_Policy
W3C Web App Security Working Group - CSP Link: http://www.w3.org/2010/07/appsecwg-charter#deliverables
Mozilla Blog Post on CSP: http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/
Sample Policy Definitions : https://wiki.mozilla.org/Security/CSP/Specification#Sample_Policy_Definitions
Notes from one of the CSP creators (Brandon Sterne) : http://people.mozilla.com/~bsterne/content-security-policy/

Michael Coates (@_mwc) & Brandon Sterne (@bsterne)

AppSec DC is just 2 weeks away!

2010-10-25T08:57:00.000-07:00

We have a great schedule (http://schedule.appsecdc.org) this year with 4 tracks of amazing talks and a selection of great training classes at rock bottom prices. Register now at http://reg.appsecdc.org Highlights will include keynotes from Neal Ziring of the Information Assurance Directorate of the National Security Agency (NSA) and Ron Ross of the National Institute of Standards and Technology (NIST), panel discussions of federal CISOs on their experiences with implementing application security, 50 plenary presentations by leading personalities in the field of web application security.

Also this year, AppSec DC has partnered with entities within the Department of Homeland Security, the Department of Defense, the National Institute of Standards and Technology, the National Security Agency, and other government agencies who will be contributing content focusing on Software Assurance and the role that that plays in areas such as protecting Critical Infrastructure or Supply Chain Risk Management.

In addition to two days of great speaking content, a track by the federal government, keynotes and panels, AppSec DC will also provide two days of world class training on applications security from a variety of vendors at a fraction of the cost found at other events. Training courses include:

2-Day Courses ($1495)
- Assessing and Exploiting Web Applications with Samurai-WTF
- Leading the AppSec Initative
- Remote Testing for Common Web Application Security Threats
- Software Security Best Practices

Single Day Courses ($745)
- WebAppSec.php: Developing Secure Web Applications
- The Art of Exploiting SQL Injections
- Java Security Overview
- Software Security Remediation: How to Fix Application Vulnerabilities
- Threat Modeling Express

More information can be found at http://wiki.appsecdc.org. Come join us for what is shaping up to be another amazing conference this year!

The AppSec DC Team
http://www.appsecdc.org

OWASP NYC Chapter Meetings

2010-10-17T09:26:00.001-07:00

OWASP NYC Chapter Meeting

When: November 2nd 6:00pm - 9:00pm

Where: 345 Park Ave, NY, NY

Topics will include:
-Memory Corruption, Exploitation, and You, Dino Dai Zovi
-Escaping the Sandbox, Stephen Ridley
-Much Ado about Randomness, Aleksandr Yampolskiy
-Groundspeed: Manipulating Web Application Interfaces, Felipe Moreno

Food/Beer/Wine/Drinks Included

Cost: FREE

RSVP is required by building security, limited seats: http://www.owasp.org/index.php/NYNJMetro

OWASP NYC Metro Holiday Security Party
December 9th - 6:30 - 10:30pm

Where: STOUT 133 West 33rd Street, NY, NY 10001
When: Thursday, December 9th 2010 6:30pm - 10:30pm
Cost: $40.00 per person include food, drinks and fun!
Limited Capacity get your tickets early - 250 People

RSVP and for more information on these events events visit: http://www.owasp.org/index.php/NYNJMetro#tab=2010_Holiday_Party

Who attendees these events?

NYC Metro

Application Developers
Application Testers and Quality Assurance
Application Project Management and Staff
Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
Security Managers and Staff
Executives, Managers, and Staff Responsible for IT Security Governance
IT Professionals Interesting in Improving IT Security
Anyone interested in learning about or promoting Web Application Security

More information about membership http://www.owasp.org/index.php/Membership

Semper Fi,

Tom Brennan

OWASP NYC Metro Chapter President
OWASP Foundation Board Member
http://www.owasp.org/index.php/About_OWASP

AppSec DC is back!

2010-10-16T22:56:00.001-07:00

OWASP Leaders,

AppSec DC is back as the premier web application security conference on the east coast! AppSec DC will take place at the Walter E. Washington Convention Center in Washington DC on November 8-11. Training will be on the 8th and 9th, talks will be on the 10th and 11th. The partner hotel is the Grand Hyatt again this year but rooms are going fast!

AppSec DC brings some of the leading minds in web application security to Washington DC for two days of talks on a wide variety of topics, including cutting edge presentations and panel discussions with leaders in the Federal, finance, and security research arenas and a variety of world class training at a fraction of the cost of other providers. Highlights will include keynotes from Neal Ziring of the Information Assurance Directorate of the National Security Agency (NSA) and Ron Ross of the National Institute of Standards and Technology (NIST), panel discussions of federal CISOs on their experiences with implementing application security, invaluable interaction and networking with attendees and presenters, a custom-made capture the flag contest by members of OWASP DC, and many of the best talks available by leading personalities in the field of web application security. Oh, and rockets.

Register: https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a
Hotel: https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908
Schedule: http://www.owasp.org/index.php/OWASP_AppSec_DC_2010_Schedule

For more information visit the OWASP wiki at http://www.owasp.org/index.php/OWASP_AppSec_DC_2010or the AppSec DC website at http://appsecdc.org

Look forward to seeing you there!

--
Mark Bristow

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
AppSec DC 2010 Organizer - https://www.appsecdc.org
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu

OWASP Newsletter

2010-10-08T21:43:00.000-07:00

Please follow the attached link to get the latest news from your OWASP Community: http://www.owasp.org/index.php/Category:OWASP_Newsletter#tab=Newsletters

Special thanks to Lorna Alamri – editor and creator of this newsletter, and to all our international translators who make this available in many languages.

If you are interested/available to contribute a few hours/quarter to the newsletter, please contact either Lorna lorna.alamri@owasp.org or me kate.hartmann@owasp.org.

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

IBWAS'10 Call for Papers

2010-09-29T11:02:00.000-07:00

2nd. OWASP Ibero-American Web-Applications Security conference 2010 (IBWAS’10) ISCTE – Lisbon University Institute 25th – 26th November 2010 Lisboa, Portugal http://www.ibwas.com

Call for Papers

Introduction

There is a change in the information systems development paradigm. The emergence of Web 2.0 technologies led to the extensive deployment and use of web-based applications and web services as a way to developed new and flexible information systems. Such systems are easy to develop, deploy and maintain and demonstrate impressive features for users, resulting in their current wide use.

As a result of this paradigm shift, the security requirements have also changed. These web-based information systems have different security requirements, when compared to traditional systems. Important security issues have been found and privacy concerns have also been raised recently. In addition, the emerging Cloud Computing paradigm promises even greater flexibility; however corresponding security and privacy issues still need to be examined. The security environment should involve not only the surrounding environment but also the application core.

This conference aims to bring together application security experts, researchers, educators and practitioners from the industry, academia and international communities such as OWASP, in order to discuss open problems and new solutions in application security. In the context of this track academic researchers will be able to combine interesting results with the experience of practitioners and software engineers.

Conference Topics

Suggested topics for papers submission include (but are not limited to):

Secure application development
Security of service oriented architectures
Security of development frameworks
Threat modelling of web applications
Cloud computing security
Web applications vulnerabilities and analysis (code review, pen-test, static analysis etc.)
Metrics for application security
Countermeasures for web application vulnerabilities
Secure coding techniques
Platform or language security features that help secure web applications
Secure database usage in web applications • Access control in web applications
Web services security
Browser security
Privacy in web applications
Standards, certifications and security evaluation criteria for web applications • Application security awareness and education
Security for the mobile web
Attacks and Vulnerability Exploitation

Global Summit 2011 Venue Proposal

2010-09-20T21:38:00.001-07:00

OWASP Leaders,

We are looking for a venue for the Global Summit to be scheduled for four days sometime between January 15th, 2011 and February 15th, 2011. The Global Summit committee is requesting proposals from OWASP Leaders for venues. We will need your proposal by the October 4th. Proposal can be in rough draft format with estimated pricing, we just need to know who is interested in helping to put together the Global Summit to be held this coming January/or February and rough estimates of pricing for a particular location.

We are also looking for more volunteers to help with planning for the event so please respond if interested.

Venue Requirements:
Key organizer in close contact with venue.

Hosting:
30- 100 people

Cost:
$2000 USD/ per person to include facility, lodging, food, beer and transport to and from location. (This should be an all-inclusive cost per person, with the assumption that OWASP members will room together 2-4 depending on number of beds in room/apartment)

Duration:
4 days

Dates:
Will be scheduled between Jan 15th and Feb 15th

Facility requirements:
3-6 meeting rooms
1 large meeting room to hold all attendees (estimate for 75-100) e.g. auditorium.
Lodging should be part of conference facilities or within walking distance of venue.

Internet - what is bandwidth available?
Must be sufficient for a group used to high bandwidth.

Rooms:
To be shared by attendees - need to understand how many attendees to a room/suite/apartment. Apartments preferred. 4-5 star hotel acceptable.

Food:
Local Food supplier which has been pre-negotiated with hotel.

Airport:
Venue must be within 50 km's max from International airport.

We'd love to bring the OWASP Summit to your city so please consider putting together a proposal.

Thanks
OWASP Global Summit 2011 Planning Committee
martin.Knobloch@owasp.org

OWASP Secure Coding Practices - Quick Reference Guide

2010-08-31T12:49:00.001-07:00

Leaders,

I am glad to announce I’ve just set a new project up – the OWASP Secure Coding Practices - Quick Reference Guide, led by Keith Turpin. Please welcome him!

http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide#tab=Project_About

http://www.owasp.org/index.php/User:Keith_Turpin

As always, your suggestions and contributions would be greatly appreciated.

In addition, this project already has a very mature release, OWASP Secure Coding Practices - Quick Reference Guide/Version 1.0, which is under formal assessment and seeking Stable Release status.

http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/Current

http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment

What’s more, Matt Tesauro already volunteered to act as Second Reviewer in his quality of Board Member but we are still in need of a First Reviewer. Please do let us know if you are up to take the challenge. To do so, please fill in the following link using one of the available positions aka volunteers[1-10].

http://www.owasp.org/index.php/OWASP_Project_Reviewers_Database#tab=Project_Reviewers.2FVolunteers

Many thanks, regards,

Paulo Coimbra,

OWASP Project Manager

ESAPI 2.0 rc7 (for Java 1.5+) is now live!

2010-08-28T23:44:00.000-07:00

ESAPI 2.0 rc7 for Java 1.5 and above is now live!

You can download the complete zip file here:

http://owasp-esapi-java.googlecode.com/files/ESAPI-2.0-rc7.zip

You can browse the ESAPI 2.0 rc7 Javadocs here:

http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc7/apidocs/index.html

Additional online project documentation can be found here:

http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc7/project-reports.html

Major enhancements include:

Several fixes to SecurityWrapperRequest.
Overhauled Singleton implementations to make the ObjFactory create instances or singletons rather than having ESAPI manage unreliably.
Changes to get rid of deprecated Encryptor encrypt() / decrypt() methods and replace them with the new, stronger encrypt() / decrypt() methods.
Several Validation fixes around returning consistent error states.
Made changes t0 the Encryptor so that it is no longer vulnerable to "padding oracle attacks" (issue #120)
Fixes to seal() so that it now properly works if the message being sealed contains a ":" (issue #28).
Examples should now work (if you follow directions in README.txt)
whether ESAPI has been pulled from the SVN repository or downloaded
from the zip file. (Issue #114.)

Please see changelog.txt at the root of the zip file for more information.

Thanks to Kevin Wall, Chris “Beef” Schmidt, Jonathon Ruckwood and Ed Schaller for their contributions in this release.

Malama Pono Aloha,

Jim Manico

OWASP Podcast Host/Producer

OWASP ESAPI Project Manager

http://www.manico.net

OWASP ModSecurity CRS v2.0.8

2010-08-28T18:32:00.001-07:00

Greetings everyone,
I wanted to announce the availability of the OWASP ModSecurity CRS v2.0.8.

DOWNLOADING -
Download page - http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Download
You can also use the util/rules-updater.pl script to auto-download the latest ZIP archive (see the rules-updater-example.conf file for Repo data).

TESTING -
We have integrated the new CRS into the Demo page to help facilitate community testing -
http://www.modsecurity.org/demo/

CHANGES -
--------------------------
Version 2.0.8 - 08/27/2010
--------------------------

Improvements:
- Updated the PHPIDS filters
- Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..)
- Updated the SQL Injection filters to account for different quotes
- Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file
- Added Rule ID 950109 to detect multiple URL encodings
- Added two experimental rules to detect anomalous use of special characters

Bug Fixes:
- Fixed Encoding Detection RegEx (950107 and 950108)
- Fixed rules-updater.pl script to better handle whitespace
https://www.modsecurity.org/tracker/browse/MODSEC-167
- Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf
https://www.modsecurity.org/tracker/browse/CORERULES-55
- Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file
https://www.modsecurity.org/tracker/browse/CORERULES-54
- Updated XSS rule id 958001 to improve the .cookie regex to reduce false postives
https://www.modsecurity.org/tracker/browse/CORERULES-29

--
Ryan Barnett
OWASP ModSecurity Core Rule Set Project Leader

APPSEC BRAZIL 2010 - REGISTRATIONS OPEN!

2010-08-23T20:25:00.001-07:00

Greetings everyone!

We're proud to announce that the OWASP's AppSec Brazil 2010 Conference registrations' are officially open!

Early bird offers are available! Hurry up!

This year we'll have keynotes by Robert 'Rsnake' Hansen and Jeremiah Grossman and Samy Kamkar as a Special Speaker!

Registrations are available here: http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Registration

All info about the event can be found at: http://www.appsecbrasil.org

If you have any doubt please contact us at organizacao2010 (at) appsecbrasil.org

See you there!

--
Leonardo Buonsanti

OWASP SPECIAL ANNOUNCEMENT

2010-08-19T13:32:00.000-07:00

This is a special announcement in an attempt to reach out to our community’s

Application Developers
Application Testers and Quality Assurance
Application Project Management and Staff
Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
Security Managers and Staff
Executives, Managers, and Staff Responsible for IT Security Governance
IT Professionals Interesting in Improving IT Security

If you have not done so already, please take a minute to register for one of our upcoming events. We have something happening in almost every part of the world! This is the time to learn the latest in Application Security from the global industry experts. Thanks to our many sponsors, we are able to continue to keep our registration and training costs low while raising the standards in the AppSec industry. Don’t miss out on this opportunity to sharpen your skills, learn new techniques, network with leaders, and advance your career. CPE credits are available for most programs.

As always, if you have any questions, please feel free to contact me. Kate.hartmann@owasp.org

September

September 7-10 AppSec US - Irvine, CA (training available)
http://www.owasp.org/index.php/AppSec_US_2010,_CA

September 17th, AppSec Ireland - Dublin, Ireland (training available)
http://www.owasp.org/index.php/OWASP_IRELAND_2010

October

October 20th, AppSec Germany – Nurnberg, Germany
http://www.owasp.org/index.php/OWASP_AppSec_Germany_2010_Conference

October 20-21, Rochester Security Summit – Rochester, NY
http://www.rochestersecurity.org/

October 20-23, OWASP China Summit 2010 – Beijing, China
http://www.owasp.org/index.php/OWASP_China_Summit_2010

October 29th , LASCON – Austin, TX
http://www.owasp.org/index.php/Lonestar_Application_Security_Conference_2010

November

November 8-11, AppSec DC 2010 – Washington, DC (training available)
http://www.owasp.org/index.php/OWASP_AppSec_DC_2010

November 16-19, AppSec Brazil – Campinas, SP, Brazil (training available)
http://www.owasp.org/index.php/AppSec_Brasil_2010

November 25-26, IBWAS – Portugal (training available)
http://www.owasp.org/index.php/IBWAS10

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

AppSec Ireland, AppSec DC, and AppSec US updates

2010-08-10T11:45:00.000-07:00

OWASP Ireland September 17th 2010
The agenda has been finalized for the OWASP Ireland event. We have the pleasure to announce a number of key figures from industry which should provide some unique insight into the latest trends, threats and methodologies in the world of application security.
http://www.owasp.org/index.php/OWASP_IRELAND_2010

Keynotes:
John Viega: “Application Security in the Real World” - Considerations for AppSec in non-security companies.
http://www.owasp.org/index.php/John_Viega
Professor Fred Piper "The changing face of cryptography"
http://www.owasp.org/index.php/User:Professor_Fred_Piper
Damian Gordon Phd: “Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"
http://www.owasp.org/index.php/User:Damian_Gordon

We also have some great international and local speakers covering topics from Smart phone application security to SDLC to Penetration testing techniques:

Dan Cornell ("Smart Phones with Dumb Apps")
Ryan Berg ("Path to a Secure Application")
Dr Marian Ventunaec ("Testing the Enterprise E-mail Security - from Software to Cloud-based Services")
Fred Donovan and (“Counter Intelligence as Defense……”)
Nick Coblentz (“Microsoft's Security Development Lifecycle……”)

.. but to name a few http://www.owasp.org/index.php/OWASP_IRELAND_2010#Agenda_and_Presentations_-_September_17

Training:

http://www.owasp.org/index.php/OWASP_IRELAND_2010#Training
“Secure Application Development: Writing secure code (and testing it)”
AppSec DC: CFP Round Two:
AppSec DC 2010 is the East Coast's premiere Information Security Conference for 2010.

**AppSec DC has added a second round for CFP until August 31st, so there is still time to get submissions in for our CFP!**

Building on the success of last year's AppSec DC 2009, the AppSec DC team is working to further the OWASP conference mission of hosting the best minds in application security in a forum to share innovations and ideas. AppSec DC's unique location and relationship with federal entities in the Washington DC area also allows OWASP and affiliates to continue to reach out to and interact with the federal government in this time of ever-increasing National Security concerns.
This year, in addition to content from industry leaders in application security research, entities within the Department of Homeland Security, the Department of Defense, the National Institute of Standards and Technology and other government agencies will be contributing content focusing on Software Assurance and the role that that plays areas of extreme concern in the current climate, such as protecting Critical Infrastructure or Supply Chain Risk Management. If you work in or with the federal government, regardless of branch or service, this is likely a critical concern for some subset of your workplace, and the combination of content at this event will provide an incredible value to your and your employer.

In addition to two days of great speaking content, keynotes and panels, AppSec DC will also provide two days of world class training on applications security from a variety of vendors at a fraction of the cost found at other events. This year featured panels will not only include federal "what works" in application security, but several other areas of interest so that there will be engaging discussion for all types of attendees. The AppSec DC crew is also working a great vendor space and engaging contests, including a hacking competition built specifically for our event.

AppSec DC will take place at the Walter E. Washington Convention Center in Washington DC on November 8-11. Training will be on the 8th and 9th, talks will be on the 10th and 11th. Our partner hotel is the Grand Hyatt again this year, and a discounted rate will be available for attendees who register in Advance.

For more information visit the OWASP wiki at http://www.owasp.org/index.php/OWASP_AppSec_DC_2010
or the AppSec DC website (updates coming soon!) at http://appsecdc.org
CFP submissions should use the Easy Chair system, our URL is at http://www.easychair.org/conferences/?conf=appsecdc2010 -- Registration is required.

AppSec US 2010, CA
Register before August 15, 2010 and you may be eligible to win a free iPad! Details can be found here: http://www.owasp.org/index.php/AppSec_US_2010,_CA

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

Interview with Jeff Williams

2010-07-21T20:47:00.000-07:00

OWASP,

The conference guide for OWASP AppSec Research 2010 featured an interview I did with Jeff Williams, volunteer chair of OWASP. Now it's online. Read his view on:

* Will OWASP ever reach out to developers?
* Application security and the word Trust
* Do developers care about rugged software?
* Java rootkits and trusted developers

http://owaspsweden.blogspot.com/2010/07/interview-with-jeff-williams.html

Regards, John

--
John Wilander
Chapter leader OWASP Sweden, http://owaspsweden.blogspot.com
Conference chair OWASP AppSec Research 2010, http://owasp.se

OWASP July Newsletter

2010-07-21T20:44:00.001-07:00

I am pleased to forward the link to the July edition of the OWASP Newsletter: http://www.owasp.org/index.php/Category:OWASP_Newsletter#tab=Newsletters

As you can see from the front page, our global community is going to be very busy this fall, beginning with our US AppSec event in Irvine, California. If you have not done so already, please visit http://www.owasp.org/index.php/AppSec_US_2010,_CA for the training courses being offered as well as the updated agenda! You can also find information on travel, special room discounts, sponsorship, and registration.

As always, if you need any assistance, do not hesitate to send me an email or give me a call!

I hope to see everyone in California in September!

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046

301-275-9403
kate.hartmann@owasp.org
Skype: kate.hartmann1

OWASP New Zealand Day 2010

2010-07-21T20:26:00.000-07:00

Hi everyone,

The OWASP New Zealand Day 2010 conference was great and it was cool to see 160 delegates gathering for the event! At the end, we had 7 presentations including an impromptu one ;-).

Feedback forms returned indicate audience was satisfied with the overall quality of the event and I believe this feedback recognized all the efforts to make this conference happen. In fact, I must thank again all the speakers for the time spent and their contribution to the OWASP community. Without them, there won't be a conference.

I would also like to remember that entry to the conference was free and sponsors Security-Assessment.com and Lateral Security offered coffee, lunch and snack breaks to all the attendees.

Some of the presentations have been published and can be downloaded from:
http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010#tab=Presentations

Remaining presentations will be probably published later next month.

OWASP NZ Day 2010 had also some blog coverage:

- Kirk Jackson wrote an excellent article covering all the key points raised during the conference:
http://pageofwords.com/blog/CategoryView,category,OWASP.aspx

If anyone is planning to write or wrote articles/stories on the conference/talks, please let me know.

Feel free to check upcoming OWASP NZ chapter activities at the following page:

http://www.owasp.org/index.php/New_Zealand

or if you haven't yet, subscribe to the OWASP NZ Chapter mailing-list for future announcements:

https://lists.owasp.org/mailman/listinfo/owasp-newzealand

Thanks again,

Roberto Suggi Liverani
OWASP NZ Leader

----
OWASP New Zealand Day 2010 was kindly offered and supported by the following sponsors:

- University of Auckland (ICT and Department of Information Systems and Operations Management) - www.auckland.ac.nz
- NZISF (New Zealand Information Security Forum) - www.security.org.nz/NZISF_NZISForumContent.php
- Security-Assessment.com - www.security-assessment.com
- Lateral Security - www.lateralsecurity.com

SECOND CALL FOR TRAINING SESSIONS (brazil)

2010-07-11T18:42:00.001-07:00

**OWASP APPSEC BRASIL 2010**
**SECOND CALL FOR TRAINING SESSIONS**

Colleagues,

OWASP is currently soliciting training proposals for the OWASP AppSec Brazil 2010 Conference which will take place at Fundação CPqD in Campinas, SP, Brazil, on November 16 through November 19, 2010. There will be training courses on November 16 and 17 followed by plenary sessions on the 18 and 19 with one single track per day.

We are seeking training proposals on the following topics (in no particular order):
- Application Threat Modeling - Business Risks with Application Security
- Hands-on Source Code Review
- Metrics for Application Security
- OWASP Tools and Projects
- Privacy Concerns with Applications and Data Storage
- Secure Coding Practices (J2EE/.NET)
- Starting and Managing Secure Development Lifecycle Programs
- Technology specific presentations on security such as AJAX, XML, etc
- Web Application Security countermeasures
- Web Application Security Testing
- Web Services, XML- and Application Security
- Anything else relating to OWASP and Application Security

Proposals on topics not listed above but related to the conference (i.e. which are related to Application Security) may also be accepted.

To make a submission you must fill out the form available at http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip and submit by email to organizacao2010@appsecbrasil.org

There may be 1 or 2-day courses. The proposals must respect the restrictions of the OWASP Speaker Agreement. The conference will reward trainers with at least 30% of the total revenue of their courses, based on a minimum attendance. Courses that attract more students may be granted higher percentages. No other compensation (such as tickets or lodging) will be provided. If you require a different arrangement, please contact the conference chair at the email address below.

**Compensation**
Instructors and authors will be paid based on the number of students in their training sessions. If the training gathers only the minimum number of students, the compensation will be 30% of the revenue. For each group of 10 extra students enrolled, the compensation will be increased by 5% of the revenue, up to a maximum of 45% of the training revenue. For example, a 1-day training with 10 to 19 students will generate a compensation of 30% of the revenue. For classes of 20 to 29
students, the compensation raises to 35% percent of the revenue.

In exceptional cases, different compensation schemes may be accepted. Please contact the conference organization team by email (organizacao2010@appsecbrasil.org) for details.

**Training cost**
1-day training: R$ 450 per student
2-day training: R$ 900 per student
All prices in Brazilian Reais (BRL)

**Minimum number of students**
1-day trainings: 10 students
2-day trainings: 20 students

**Important Dates:**
Submission deadline is July 26, 2010, at 11:59 PM (UTC/GMT-3).
Notification of acceptance will be August 16, 2010.
Final version is due September 15, 2010.

The conference organization team may be contacted by email at organizacao2010 (at) appsecbrasil.org

For more information, please see the following web pages:
Conference Website: https://www.owasp.org/index.php/AppSec_Brasil_2010
OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement
OWASP Website: http://www.owasp.org
Easychair conference site: http://www.easychair.org/conferences/?conf=appsecbr2010
Presentation proposal form: http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip

********** WARNING: Submissions without all the information requested in the proposal form will not be considered ************

Please forward to all interested practitioners and colleagues.

OWASP NY/NJ Chapter Update

2010-06-29T23:20:00.001-07:00

The purpose of this email is to inform the (1381) mailing list members of recent changes with OWASP NY/NJ Chapter.

It is with great pleasure that I announce your 100% Volunteer Chapter Leaders:

Chapter Vice President(s)

1^st Vice President

- Dan Guido

2^nd Vice President

- Douglas Shin

Chapter Leaders
-Marcin Wielgoszewski
-Peter Dean
-Mahi Dontamsetti
-Blake Cornell
-Tom Ryan
-Vlad Gostomelsky
-Arkadiy Goykhberg

- Kuai Hinojosa
- Brian Peister

By a vote of the above peers I was nominated and supported to continue to in addition to my global role with OWASP Foundation to retain the role of President of the local chapter. For those that have heard the chapter founding story of 5 guys, pizza and sql injection when we first started... boy have we grown together since I got involved in 2004.

The selfless mission of OWASP Foundation is to make application security visible, so that people and organizations can make informed decisions about true application security risks. As we embark on another cycle, I would like to remind everyone to review ABOUT OWASP at: http://www.owasp.org/index.php/About_OWASP with a special focus on Ethics and Principals as I believe its core to our association. Locally, at a high level, our plans are to continue to work with regional universities, like minded associations, regional industry leaders with focus groups and continue to have regional meetings, training events and social meet-ups to help our community continue to grow.

In addition please find to follow (2) important items:

#1 - To manage the flux of individuals requesting to speak at a OWASP event we now utilize a CFP (Call for papers) system. To be selected your submission should highlight a NEW or existing OWASP Project. Submissions are voted on by ALL chapter leaders to ensure we adhere to vendor agnostic content. Access it by visiting URL: http://www.owasp.org/index.php/NYNJMetro and find the information under the HOW-TO #1 to get submitted.

If you are unclear about how to start a OWASP project no worries.. see: http://www.owasp.org/index.php/How_to_Start_an_OWASP_Project or just ask.

#2 - Our association needs needs places to hold meetings, trainings, events in New York City and Northern, Central and Southern New Jersey. If you would like to help simply visit our chapter website at http://www.owasp.org/index.php/NYNJMetro to contact one of our many chapter leaders to get started. With a team of (12) we scale to share the work load as volunteers so if you want to help out just ask and we would like to schedule venue's as far in advance as possible.

On behalf of the entire team, thank you for your continued support of our local chapter and OWASP Foundation. If you have found value with our (118) projects, events conferences or educational seminars we hope that you will become a voting member of our professional association with tax deductible individual a donation of $50.00 see: http://www.owasp.org/index.php/Membership for full details.

Finally, members of the OWASP association will be at the following events coming soon, we hope to see you too!

The Next HOPE in NYC

http://thenexthope.net/

Blackhat

http://www.blackhat.com/html/bh-us-10/bh-us-10-speaker_bios.html

Security BSides Las Vegas

http://www.securitybsides.com/BSidesLasVegas

KartCon

http://www.owasp.org/index.php/KartCon2010

Defcon 18

http://www.defcon.org

International Conference on Cyber Security

http://www.iccs.fordham.edu/

and many more... check in on http://www.owasp.org/index.php/NYNJMetro often as this email list is used for announcements only.

Tom Brennan

Global Board & NY/NJ Chapter Leader

OWASP Foundation

973-506-9303

tomb@owasp.org

OWASP Spain Day

2010-06-24T17:04:00.001-07:00

Hi,

On Friday June 18, held the sixth edition of our conferences in Spain, at the "Universitat de Barcelona". We were pleased to have Richard Stallman and other great speakers with whom we spend a nice and very interesting day.

We were able to disseminate several OWASP projects (Top 10, Wapiti and Webslayer) and we contact with personal from other universities. Several national media will reflect this event.

The presentations (in Spanish) of the day and some photos are available here:
http://www.owasp.org/index.php/Spain/Meetings#Local_Meetings

Best regards,
--
_________________________________
Vicente Aguilera Diaz
OWASP Spain chapter leader
CISA, CISSP, CSSLP, ITIL
CEH Instructor, ECSP Instructor, OPSA, OPST
vicente.aguilera@owasp.org
Homepage: http://www.owasp.org/index.php/Spain
Mailing list: http://lists.owasp.org/mailman/listinfo/owasp-spain
PGP: 0xD21C1EF8 - D1F0 E0B5 2ACC B4B5 57CD C427 58B7 CF0D D21C 1EF8
_________________________________

OWASP Sweden announcements

2010-06-24T07:13:00.001-07:00

We just made these 3 announcements at the Conference here in Sweden:

new attempt at figuring out the OWASP Commercial Services model
new model for creating a Source of Financial Funding for OWASP Projects and
the launch of the OWASP O2 Platform project (with a v1.0 Beta version available)

You can read more details on this pdf: http://www.owasp.org/index.php/File:Dinis_Cruz_-_APPSECEU_-_3_ANNOUNCEMENTS.pdf

This is just a heads up and we will follow this up with individual emails on each of the 3 topics.

Note, that both Commercial Services and Source of Financial Funding for OWASP Projects are experiments, where we are trying to figure a model that works for OWASP and its community

Dinis Cruz

OWASP AppSensor ESAPI Integration

2010-06-23T03:22:00.000-07:00

ESAPI Team,

The AppSensor team has been working hard over the last several months to create an AppSensor jar that is ready for ESAPI integration.

AppSensor is a project to enable detailed attack intrusion and response within application by integrating "detection points" into the application itself (think detecting all access control failures, malicious input, unexpected commands and more and then correlating that against the logged in user and logging out/locking the attacker). That's just the basics, more info on AppSensor here: http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project

Here are the instructions for easily updating an existing ESAPI application to use AppSensor. I encourage those interested to take a quick read and respond with any comments.

http://www.owasp.org/index.php/AppSensor_GettingStarted

What's next:

1. We'd like to use the Getting Started guide as an initial strategy for users to begin leveraging AppSensor in their ESAPI apps. We're looking for interested parties to begin using AppSensor within ESAPI and provide their feedback.

2. It would also be great for the ESAPI config to contain the configuration line for AppSensor and a link to the getting started page.

#Use OWASP AppSensor for enhanced application intrusion detection and response

#See http://www.owasp.org/index.php/AppSensor_GettingStarted for necessary JAR and configuration

#ESAPI.IntrusionDetector=org.owasp.appsensor.intrusiondetection.AppSensorIntrusionDetector

Thoughts and feedback please.

Michael Coates

OWASP

OWASP AppSec US 2010

2010-06-23T01:51:00.001-07:00

I am thrilled to formally announce that registration is OPEN for this year’s OWASP United States conference.

AppSec US 2010 will be held September 7th through September 10th, 2010 and will be hosted by the Orange County and Los Angeles Chapters at the University of California, Irvine, the only school in the University of California system with a dedicated school of Information and Computer Science.

The keynote speakers have been confirmed! The tremendous response to the call for papers is now being transformed into a jam packed two day, multi track agenda! Additionally, training providers are being locked in for an outstanding selection of one and two day classes.

The event information as well as links to registration can be found here: http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=Welcome

Registration can be completed here: https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=3c8f8c26-a4b3-40d6-9daa-1f541ea0ccc2

Now is the time to make your plans to attend this year’s premier application security event hosted by the world’s foremost community of security professionals, the OWASP Foundation!

If you have any questions, or need additional information, please do not hesitate to contact me. I look forward to seeing everyone in California this fall!

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046

301-275-9403
kate.hartmann@owasp.org
Skype: kate.hartmann1

Malaysia Open Source Conference

2010-06-20T06:17:00.000-07:00

OWASP Malaysia : Contribution In MSC Malaysia Open Source Conference MOSC2010

Hi,

OWASP Malaysia is actively contribute to MOSC2010 by arangging speakers for the conference and OWASP Malaysia Chapter Leader - Mohd Fazli Azran is one of the committe member for MOSC2010.

Speakers from OWASP

OWASP Joomla CMS Vulnerability Scanner - Aung Khan, YGN Ethical Hacker
Group, Myanmar.

http://conf.oss.my/component/content/article/3-newsflash/72-aung-khant-joomla-owasp.html

OWASP and What It Can Do For You - Cecil Su, OWASP Global, Singapore.

http://conf.oss.my/component/content/article/3-newsflash/91-cecil-owasp-and-you.html

MOSC2010 include security topics like

Joomla! 1.6 Security
http://conf.oss.my/news/3-newsflash/73-sam-moffatt-joomla.html

Easy DNSSEC Deployment with OPENDNSSEC
http://conf.oss.my/news/1-latest-news/64-amir-haris-dnssec.html

Internet Malicious Miscreant
http://conf.oss.my/news/3-newsflash/69-najmi-internet-malicious.html

For OWASP Malaysia, this will create awareness about security and OWASP.

For more information about MOSC2010

http://conf.oss.my/

Thank you

Harisfazillah Jamel

AppSec US 2010

2010-06-16T22:41:00.000-07:00

Dear OWASP Leaders,

AppSec US 2010 is live at http://www.appsecUSA.org

Registration is open. Early registration prices are valid till July 15.

Call for presentations deadline has also been extended till June 30.

As it is the premier OWASP conference of 2010 for US/North America, I would like to ask your help to promote it. Please spread the word everywhere you can -- at local chapter meetings, local meetings of other security or IT organizations, your colleagues at work, at your school, etc.

We are also looking for the volunteers to help with the conference. If you are interested in volunteering, please let me know.

Many thanks in advance!

-- Tin Zaw, CISSP, CSSLP

Chapter Leader and President

OWASP Los Angeles Chapter Co-Chair

AppSec USA 2010 Program Committee

www.appsecUSA.org

Google Voice: (213) 973-9295

LinkedIn: http://www.linkedin.com/in/tinzaw