Monday, March 27, 2017

March 2017 Connector

OWASP Connector

Tue. March 28, 2017
Communications

Operations Update

The March operations update includes vital information about OWASP's infrastructure initiatives, membership models, project activity, and the Project Leader handbook. Read it for an overview of what is happening in OWASP.


Project and Chapter Leader Handbooks

OWASP is updating our Project Leader and Chapter Leader Handbooks as part of periodic maintenance. We are interested in your feedback on the changes as well as hearing any changes you would like to see. The Handbooks are a mixture of core regulations and best practices meant to guide your project or chapter to success.

You can see the changes and suggestions to the Chapter Leader handbook in these shared Google Docs. You can make your own contributions by signing in with your OWASP email address. This is the final request for input into the Chapter Leader handbook.

The Project Handbook is beginning its public review this week. You can follow the previous link to make pull requests to include your suggested text and open conversations. The Project Handbook repository is held under the new Operational Github organization.


Strategic Objective

OWASP has announced our 2017 Strategic Objective. This year, instead of holding multiple strategic objectives, we will aim for a single ambitious goal meant to drive OWASP forward. This will help us bring all of our resources to bear in ways that competing strategic goals prevent.

This year OWASP will host four FREE 500-person training events worldwide targeted at developers and entry-level application security professionals. Each event will be delivered by professional security trainers and cover core application security topics. The purpose is to have the greatest impact and attract the largest number of attendees.

This year the target cities are: Boston, Delhi, Israel, and Tokyo.  

You can follow the progress on the OWASP blog through Staff Operations Updates and keep an eye out for the Call for Trainers coming very soon. 


Free Book to OWASP Members

Essential Node.js Security by Liran Tal is being gifted to OWASP members by the author.



Ads are not endorsements and reflect the messages of the advertiser only. They represent co-marketing arrangements with other organizations in
support of the OWASP Community.  CLICK HERE for more information on Advertising.

Projects

Project Review Session at AppSec Europe

OWASP is once again providing a platform for project leaders on the two full days prior to AppSec EU 2017. Project Summits are a place for project leaders and contributors to collaborate as well as provide feedback to OWASP.

This year we are also including a session dedicated to project reviews. The purpose of this assessment is to determine whether a project meets the minimum criteria to graduate from Incubator to Lab and from Lab to Flagship. You can help us review other projects or submit your project to be reviewed. To learn more, check out our blog post on the subject.


Attending the free Conference Project Summit is a great opportunity to have face-to-face work time. The Conference Project Summit is also a great place to give feedback to OWASP Staff.




Events

Get Training at AppSec Europe!

Are you looking to combine hands-on training with your conference experience? We have a whopping eleven training courses to choose from. Attendance for these two- or three-day classes is limited, and each class uses interactive activities to ensure you obtain a thorough understanding of the topic. You can choose from:
 


You can learn more about our amazing conference line-up at the AppSec EU website: https://2017.appsec.eu/

See you in Belfast!


Developer Summit is coming to AppSec Europe

Once again we are excited to bring the OWASP Developer Summit to AppSec Europe 2017. OWASP will provide two full days of training for developers prior to the AppSec EU 2017 conference.

The Developer Summit will start with a full-day, hands-on developer session followed by two half day sessions geared towards learning about security vulnerabilities.

Registration is required and spots are limited so share this opportunity with developers you know as soon as possible.



AppSec USA CFP and Sponsorships are open!

CFP

The OWASP AppSec conference in the USA is an established and premier venue for web application leaders, software engineers, researchers and visionaries from all over the world. OWASP AppSec USA gathers the application security community in a four-day event to share and discuss novel ideas, initiatives and advancements. The 2017 edition will take place in Orlando from September 19-22.

We are looking for "the next" cutting-edge research in the context of web applications, secure development, security management and privacy. Our goal is to give both academic researchers and industry practitioners the opportunity to share their latest findings with the rest of the community, including coverage via our media channels.

Please remember when you submit your proposal that the program committee will review your submission based on a descriptive abstract of your intended presentation. Feel free to attach a preliminary version of your presentation if available, or any other supporting materials. Keep in mind: the better your description is, the better our review will be. Please review your proposal thoroughly, as the accepted abstract and bio you submit will be published verbatim on our site. If your presentation is accepted for inclusion in the conference program, you are free to submit a white paper describing your work, which will be added to the website.

Sponsorships

The planning committee for AppSec USA 2017 is excited to present many changes to enhance sponsor value and improve ROI. With an expo floor plan designed for expo purposes and sponsor placement, and event activities structured to maximize foot traffic to YOUR booth, you can be assured that you will maximize lead generation activities.

Additionally, the planning team has several events planned to encourage a family-friendly atmosphere and drive attendance numbers up, and what better place than Walt Disney World?

The vendor booths are located in high-traffic areas so that you can be assured of getting the attention of more than 1,000 security decision makers, influencers, and practitioners in the community. This is the opportunity for your company to recruit, generate business, and share ideas.


 


Upcoming Events

Global AppSec Events

 

Regional and Local Events

 

Project Summits

 

Developer Summits

 

Partner and Promotional Events




Chapters

Chapter Handbook Updates

The Chapter Leader handbook updates are going to go live on April 2nd. Please add any pertinent comments to the documents by Friday March 31st.


Brag on Your Chapter!

Is your chapter hosting a cool series of talks or training? Are you running innovative meetings? I would like to feature your chapter on the blog and in the connector. Pitch your story for this ongoing series. Selected chapters will receive a donation from the foundation to their chapter as well as broader publicity.


Welcome New Chapters!

 

 




Membership

March 2017 Corporate Members

We would like to thank the following companies for supporting the OWASP Foundation. The companies listed below have contributed this month by either renewing their existing Corporate Membership or joining OWASP as a new Corporate Member.

Details about Corporate Membership can be found here.

 

Premier Corporate Members

Adobe

Adobe is the global leader in digital marketing and digital media solutions. Our tools and services allow our customers to create groundbreaking digital content, deploy it across media and devices, measure and optimize it over time, and achieve greater business success. We help our customers make, manage, measure, and monetize their content across every channel and screen. For more information, please visit: http://www.adobe.com/

 

Contributor Corporate Members

Aspect Security

Aspect Security, founded in 2002, is a consulting firm focused exclusively on application security products and services. We help ensure that the software that drives business is protected against hackers. Aspect’s Security Engineers analyze, test and validate approximately 5,000,000 lines of code a month, most of which are critical to the national infrastructure. Our work unearths over 10,000 vulnerabilities every year across a wide range of technologies and architectures. Our recommendations dramatically improve our clients’ security posture. We support a worldwide clientele with critical applications in the government, defense, financial, healthcare, services and retail sectors. Our educational division has taught tens of thousands of people around the world how to build, test, and deploy secure applications, making us a world leader in application security training. Flexible delivery options include instructor-led training either in-person or via webcast, or on-demand through our innovative eLearning curriculum. Aspect Security’s principals are pioneers in the field, having started one of the world’s first application security practices in 1998. They conceived of several industry-leading standards, such as the OWASP Top Ten, WebGoat, the Application Security Verification Standard (ASVS), Risk Rating Methodology and Enterprise Security API (ESAPI). These free and open materials are downloaded over 50,000 times a month. We are a founding member of the Open Web Application Security Project (OWASP) in support of educating organizations about the ever-changing threat landscape and how to properly build and secure applications. Headquartered in Columbia, MD, our personnel are located throughout the United States serving our worldwide clientele. For more information, please visit: https://www.aspectsecurity.com/

Contrast Security

Contrast Security delivers the world’s fastest application security software that eliminates the single greatest security risk to enterprises today. Industry research shows that application security flaws are the leading source of data breaches. Contrast can be deployed, automatically discover applications, and identify vulnerabilities within seven minutes. Relying on sensors instead of expensive security experts, Contrast runs continuously and is 10 times more accurate than the competition. Unlike tedious, painful and slow legacy approaches, Contrast analyzes a complete portfolio of running applications simultaneously in real time at any scale. As a result, organizations can act faster against threats and immediately reduce risk. More information on Contrast Security can be found at http://www.contrastsecurity.com/

Jscrambler

Jscrambler is the leader in JavaScript Application Integrity and the only one to offer RASP capabilities to your JS applications. As JavaScript becomes the standard for building websites, hybrid mobile applications, or other application types, most of the code is still completely exposed. With Jscrambler you can make your application self-defensive and resilient to both tampering and reverse-engineering attempts. Jscrambler is trusted by hundreds of companies (including Fortune 500) in more than 130 countries and is supported by a team of JS experts. For more information, please visit: https://jscrambler.com/en/


Want your name here?

Find out how by visiting our Corporate Member information page, or contact our Membership & Business Liaison, Kelly Santalucia today!

Thank you to all of our Premier and Contributor Corporate Members for your support!

 

The OWASP Foundation, 1200C Agora Drive #232, Bel Air, Maryland, 21014, USA

Monday, March 20, 2017

March 2017 Corporate Members




Thursday, March 9, 2017

OWASP is updating many of our Project Leader and Chapter Leader Handbooks as part of periodic maintenance.  We are interested in your feedback on the changes as well as hearing any changes you would like to see.  The Handbooks are a mixture of core regulations and best practices meant to guide your project or chapter to success.  

You can see the changes and suggestions to the Chapter Leader handbook in these shared Google Docs.  You can make your own contributions by signing in with your OWASP email address. This is the final request for input into the Chapter Leader handbook.  

Chapter 1 | Chapter 2 | Chapter 3 | Chapter 4 | Chapter 5 | Chapter 6 | Chapter 7

The Project Handbook is beginning its public review this week.  You can follow the previous link to make pull requests to include your suggested text and open conversations.  The Project Handbook repository is held under the new Operational Github organization.

Monday, March 6, 2017

OWASP Operations Update for March 2017

Welcome to the operations update for March 2017.  This is a continuation of the series of blog posts about what's happening at the OWASP Foundation.  The previous post is available here.

Major efforts, status of those efforts and important changes from last time:

OWASP IT infrastructure hosting.  Rackspace has ended the donation of hosting to the OWASP Foundation causing a rethink and reshuffle of IT resources.

  • Roughly 1/2 of the servers running at Rack have been relocated to other resources.
  • Additional workload / server migrations have been added to this effort as the hosting for the AppSec EU conferences is moving to the Foundation's infrastructure.
    • Thanks to Dirk for his many years of maintaining those hosts.
    • Migration of the AppSec EU hosting will be concluded by March 30th.
  • Still at Rackspace: Wiki web and db servers, Mailman, and a general purpose server used primarily for static content and http(s) forwards.
The Website Reboot aka TWR - a major effort to update and modernize OWASP's web presence.  Since last month, we've:
  • Continued progress on Phase 1 - updating the wiki to 1.27.x
    • Due to the unexpected end of the Rackspace donation, the Ansible deploy and update code had to be refactored to remove the Rackspace-specific portions.  That work is nearly complete.
    • The new deploy target for the OWASP wiki web and db servers is AWS, which will be reflected in the Ansible deploy code.
    • As soon as the Ansible refactoring work is complete and tested, the OWASP wiki and db will be updated to 1.27.x and migrated to the AWS infrastructure.
    • Target completion date March 20th
      • Allows two weekends aka low traffic periods to conduct the migration
  • Phase 2 - Wiki style updates
    • The RFP for the creation of a new look and feel for the OWASP wiki is starting the week of March 6th.  Look for a call for participation shortly.
    • RFP will include a MediaWiki theme and CSS and other styling guidelines to use across the OWASP web presence, including
      • The new web pages available post Assoc. Mgmt System (AMS) migration - more below
      • The new Discourse installation
      • The OWASP Blog
  • Phase 3 Single Sign-on & Phase 4 Wiki content and organization RFPs are scheduled to go out in the 3rd week of March

The OWASP Communications Plan - a staff-created plan to professionalize how OWASP interacts with its community and the world at large.

  • Migration from Mailman to Discourse
    • Temporarily paused during reshuffling of the OWASP IT Infrastructure - details above
    • Migration will be timed to coordinate with the retirement of the Mailman installation at Rackspace.  Mailman migration will occur after the Wiki has new hosting.
  • Beta program for the Foundation's Global Meetup account is continuing.
Other Major Efforts in progress
  • OWASP Staff Summit 
    • In person meeting of all OWASP staff to plan operations tasks for 2017
    • February 22 to March 2 - look for outcomes in future Ops blog posts
  • Association Management System (AMS)
    • Kate begins on the first step of this multi-step migration the week of March 6th
    • Migration will be tested in a sandbox installation then applied to production
    • Expected time frame: 8 to 12 weeks
    • Goal and outcome:
      • Updated version of the AMS software used with Salesforce allowing for greater interactions with the community, OWASP leaders engagement, improved event registration, multi-currency handling and a host of other improvements rolling out during 2017.
Projects
  • Google Summer of Code
    • Google selected the participating organizations on February 27 and unfortunately OWASP was not selected
    • Currently working with Project Leaders on alternate plans to handle the proposed GSOC activities
  • AppSec EU 2017's Project Summit
    • Gathering reviewers together to conduct a strong project review push during the AppSec EU 2017 conference
    • Reviewing the process of project graduation from Incubator to Labs and Labs to Flagship
    • Other topics covered include: Badges and gamification, project funding and more...
  • Project Handbook review and request for updates
    • The content of the Project Handbook has been converted to Markdown and moved to GitHub - check out its new repo!
    • Using GitHub allows the community to update the handbook content while the wiki is reorganized to remove the multiple templates used currently for the handbook.  
    • PRs accepted.  Fork the repo now or add an issue to the repo.
    • Once updates are complete, the version will be tagged, converted to MediaWiki markup and moved to the OWASP wiki.
    • Our own Claudia (Project Coordinator) will be conducting a session on the project handbook at the London Project Summit - more details as the plans solidify.
Events

  • AppSec EU 2017
    • Paper review finalized.  Conference program will be published this week
    • Conference dinner finalized
    • Photographer contract pending OWASP signature
    • OWASP room block accommodations need confirmation dates
  • AppSec USA 2017
    • Static web site published
    • Empty WordPress site provided to the conference team
    • Sponsorship packages are being sold

Membership and Outreach
  • Membership for 2017 is still going strong - 19% of yearly goal currently
    • Total individual members: 2,464
    • Total corporate members: 67
  • Membership video - continuing to progress
    • Met with video company, collected details necessary to start shooting the video
    • Started working with Hugo to create a new membership flyer to highlight the new membership model approved by the board during the February Board Meeting.
Community

Per the request of the OWASP board, we've included a chart of the staff's interaction with the broader OWASP community via submitted cases to staff:

Case Life Cycle Report Q1 2017


As always, the OWASP staff are here to make the OWASP community even stronger.  If you have a question, concern or need let us know using the 'Contact Us' form.  Also, feel free to attend, suggest or otherwise engage the OWASP Foundation further at the March 8th Board Meeting.

Your friendly neighborhood OWASP staff:
    Kate, Kelly, Alison, Laura, Claudia, Tiffany, Dawn and Matt

Friday, February 24, 2017

Project Review Session at OWASP Project Summit during Belfast APPSEC EU 2017

We have an open session for two days for Project Reviews during our OWASP Project Summit EU 2017 in Belfast. We are looking for volunteers to review projects and help OWASP Projects move to the next level with your expertise and feedback.

Please Sign Up and join us in APPSEC EU 2017 in Belfast!

We currently have these leaders attending and want to send a thank you for stepping up to the challenge, and to thank Johanna Curiel, our current Vice Chair on the Board, for helping us lead this effort.
  • Azzeddine Ramrami
  • Talal Albach
  • Kuai Hinojosa
  • Nabin Kc

Overview of Project Reviews:

OWASP is reviewing projects that wish to graduate from Incubator to Lab to Flagship. The purpose of this assessment is to determine whether a project meets the minimum criteria to graduate as outlined in the Project Health Assessment Criteria Document. The review process begins with an initial self-assessment done by the project leader and reviewed by Matt Tesauro. Next, the assessment enters the peer review phase, where we ask volunteers in our OWASP Community to participate and finalize the results. I have included a sample Project Assessment for your review and consideration.


Monday, February 20, 2017

February 2017 Corporate Members



We would like to thank the following companies for supporting the OWASP Foundation.  
The companies listed below have contributed this month by either renewing their existing 
Corporate Membership or joining OWASP as a new Corporate Member.  

Details about Corporate Membership can be found here.


Contributor Corporate Members
For more information please visit https://www.nccgroup.trust/us/



NetSPI is a privately held information-security consulting company founded in 2001. By using its consulting team's deep security knowledge and its Correlated VM vulnerability management & reporting solution, the company is a trusted advisor to large enterprises. NetSPI provides a range of assessment and advisory services designed to analyze and mitigate risks and ensure compliance with relevant regulations and industry standards. Clients include large financial services firms, retailers, healthcare organizations and technology companies. For more information, visit http://www.netspi.com


Oneconsult AG offers holistic cyber security consulting against external and internal cyber threats such as APT, hacker attacks, malware infection, digital fraud and data leakage. We specialize in information and IT security and are your trustworthy partner for identifying, assessing, preventing and addressing information and IT security threats. Our core services are penetration tests, ISO 27001 security audits and IT forensics. To protect your organization and mitigate specific information security risks, Oneconsult also offers practical security consulting, security training and virtual security officer services. Our technical tests for office IT and SCADA/ICS cover (mobile) application penetration tests, ethical hacking, client audits, configuration and code reviews as well as reverse engineering and targeted exploit development for APT audits. Oneconsult’s dedicated security research team detects dozens of zero-day vulnerabilities per year in standard software. We have already carried out 1000+ security projects since 2003 and have become a trusted provider to 250+ organizations worldwide covering a wide variety of industries. For more information, visit https://www.oneconsult.com/en/


For more information, visit https://www.ptsecurity.com/ww-en/


Twistlock provides the industry’s first enterprise suite for container security. We monitor container activities, manage vulnerabilities, detect and isolate threats targeting containerized applications. Our technologies enable enterprises to enforce consistent security policies from development to production, thus maximizing the benefits of container computing. For more information, please visit https://www.twistlock.com


Veracode delivers the application security solutions and services today’s software-driven world requires. Veracode’s unified platform assesses and improves application security from inception through production so that businesses can confidently innovate with the applications they build, buy and deploy as well as the components they integrate into their environments. For more information, visit http://www.veracode.com/


WhiteHat Security has been in the business of securing web applications for 15 years. Combining advanced technology with the expertise of its global Threat Research Center (TRC) team, WhiteHat delivers application security solutions that reduce risk, reduce cost and accelerate the deployment of secure applications and web sites. The company’s flagship product, WhiteHat Sentinel, is a software-as-a-service platform providing dynamic application security testing (DAST), static application security testing (SAST), and mobile application security assessments. The company is headquartered in Santa Clara, Calif., with regional offices across the U.S. and Europe. For more information, visit https://www.whitehatsec.com/


Want your name here? 
Find out how by visiting our Corporate Member information page, or contact our Membership & Business Liaison, Kelly Santalucia today!  

Thank you to all of our Premier and Contributor Corporate Members for your support!