Monday, June 19, 2017

June 2017 Corporate Members


We would like to thank the following companies for supporting the OWASP Foundation.  
The companies listed below have contributed this month by either renewing their existing 
Corporate Membership or joining OWASP as a new Corporate Member.  

Details about Corporate Membership can be found here.


Contributor Corporate Members


Headquartered in downtown Manhattan, CipherTechs, Inc. is a privately held information security services provider. We focus on delivering security solutions for businesses harnessing the power of Internet communications. We audit, design and implement information security solutions in areas of IP networking, firewalls, application security, risk assessment, traffic management, encryption, redundancy and strong authentication. For more information, please visit http://www.ciphertechs.com.


Sonatype secures modern software development by fixing at-risk applications, automating policy throughout the lifecycle and identifying hidden risks in your applications. Sonatype's Component Lifecycle Management identifies and tracks OSS components, automates and enforces policy, and prevents the use of flawed components throughout the software lifecycle. Ask about free risk assessments. More information about Sonatype can be found here http://www.sonatype.com.

We are a software company and community of passionate, purpose-led individuals. We think disruptively to deliver technology that addresses our clients’ toughest challenges, all while seeking to revolutionize the IT industry and create positive social change. ThoughtWorks' 3,000 professionals serve clients from offices in Australia, Brazil, Canada, China, Ecuador, Germany, India, Italy, Singapore, South Africa, Turkey, Uganda, the United Kingdom and the United States. ThoughtWorks releases a regular technology radar, a study that looks at the key trends that impact the software development and business strategies. The Radar helps companies stay on top of topics that are constantly evolving, such as security, and offers insight and practical tools to build secure systems at every stage of the development process. For more information, please visit http://www.thoughtworks.com/




Want your company name here? 
Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia, our Membership & Business Liaison today!  


Thank you to all of our Premier and Contributor Corporate Members for your support!


Friday, June 16, 2017

AppSec USA 2017 Developer Summit Call for Session Volunteers



AppSec USA 2017 Developer Summit 

We are excited to announce that OWASP will once again be holding a two day Developer Summit at AppSecUSA 2017 on September 19 & 20, 2017. OWASP is providing a structured platform for Developers two days prior to the AppSec USA 2017 conference. The Developer Summit will consist of sessions geared toward learning about security vulnerabilities.

If you have an interesting topic and would like to volunteer to host a training session, please SUBMIT HERE. For topic ideas, you can reference the AppSec EU 2017 DevSummit agenda. Limited funds are available to help offset the selected presenters' travel and one night of hotel accommodation.

The Call for Presenters will close on July 14, 2017. Individuals will be notified on or before July 21, 2017 if their session was chosen. Please note: a conference ticket is NOT included, however you may purchase one separately. 

There is no charge to attend the Developer Summit, so come join us! If you plan on attending, please SIGN UP so we have an estimated headcount and can be sure we have enough space and food.

More details and the agenda are coming soon!
Questions? Please submit them here.

Thursday, June 15, 2017

OWASP Code Sprint 2017 - Applications Extended to June 18th!!




Student application submissions are now extended to JUNE 18th: APPLY HERE 

Goal:
The OWASP Code Sprint 2017 is a program that aims to provide incentives to students to contribute to OWASP projects. By participating in the OWASP Code Sprint 2017 a student can get real life experience while contributing to an open source project. A student who successfully completes the program will receive $1500.

Help OWASP Invite Students: 

Program Leaders:
Konstantinos Papapanagiotou
Fabio Cerullo
Spyros Gasteratos

Claudia Aviles Casanovas, Project Coordinator

Wednesday, June 7, 2017



Nominations are NOW being accepted for the 2017 WASPY Awards!

Every day, week, month and year OWASP volunteers contribute countless hours of their own personal time to OWASP to help make the cyber world a safer place.  Some of these volunteers are well known in the OWASP community, while many others fly under the radar with only their local community seeing the stunning work they are doing. WASPY awards strive to recognize our unsung contributors and make their contributions to the community visible.

The WASPY Awards offer 3 categories, so you can nominate 3 different "unsung heroes" who you feel best fit each category description, based on the individual's contributions to the OWASP Foundation.



To learn more about the awards, and to nominate your favorite WASPYs please visit: https://www.owasp.org/index.php/WASPY_Awards_2017

Friday, June 2, 2017

OWASP Operations Update for June 2017

Welcome to the operations update for June 2017, the ongoing series of updates on what's happening at the OWASP Foundation.  Last month's post is available here.

Major efforts, status of those and important changes from the last time:

OWASP IT Infrastructure Hosting - Modernizing and migrating the OWASP infrastructure after Rackspace ended their donation of hosting.

  • Remaining hosts at Rackspace
    • OWASP Wiki
      • Servers for the wiki will be migrating to AWS - held for AppSec EU and for hiring a new IT Contractor after the previous one left for a startup - wishing them success in their new gig.
      • New IT Contractor started on June 1
    • Mailman server
      • Will be decommissioned after a gradual, phased migration to Discourse of the existing, active lists.  More on Discourse below.
      • Mail archives will be moved to a new server with the same URL structure
    • Virtual-host server providing redirects and static website content
      • Ansible created to deploy virtual-hosts for either redirects or static sites by adding a few lines to a config file
      • Ansible tested on the *.appseccalifornia.org domains successfully
The Website Reboot - aka TWR - A major effort to update and modernize OWASP's web presence
  • Phase 1 - Complete
  • Phase 2 - Wiki style updates
    • RFP for the wiki style upgrade is currently being drafted
    • RFP will include a responsive MediaWiki theme plus CSS and associated style guide
    • Style guide will be used to style other OWASP web sites such as Discourse, the blog, etc.
  • Phase 3 - Single Sign-on
    • SSO using @owasp.org identities will be POC'ed during the AMS migration
  • Phase 4 - Wiki content and organization
    • Internal R&D completed. RFP will be drafted after Phase 2 (Style) RFP
The OWASP Communication Plan 
  • Discourse as a replacement for Mailman
    • Dev instance deployed to assist with REST API automation efforts
    • Test instance deployed to alpha test structure and organization of content
    • Leader Sandbox being deployed to allow leader experimentation and to test SSO with @owasp.org and other identity providers (Github, Twitter, Facebook, ...)
  • Beta program for the Foundation's Global Meetup account continues
OWASP 2017 Strategic Goal 
  • TLDR: Host 4 trainings worldwide of ~500 attendees geared toward developers and entry-level security professionals - further details on the wiki.
  • 4 locations finalized
    • Israel - mid-October
    • Tokyo - late September
    • Boston - October
    • Bangalore - November
  • Call for Trainers content has been created, call for trainers will launch in June
Association Management System (AMS) upgrade 
  • Highly complex, multi-step process taking 8 to 12 weeks
    • Accounting module - Complete
    • Membership module - in process, waiting for custom dev work to complete
    • Events Module - in process, will be used for AppSec USA 2017 registrations
  • Current and future benefits
    • Multi-currency support in a single registration system
    • Significant improvement for event registration and membership renewals especially for OWASP Leaders
    • Reduced use of discount codes for registrations e.g. no more leaders code
    • Ability to modify an existing registration e.g. add training to an existing conference registration
    • Membership renewals - new 2 click process
    • Membership renewals - optional auto-renewals
    • Better insight for Chapter/Project leaders on the status of their efforts
      • Simplified Chapter/Project leader merchandise requests
    • Unified and streamlined funding and reimbursement requests
Projects 
Events 
  • OWASP Summit in London - there's still time to register and attend
  • AppSec USA 2017 - Orlando
    • CFP Round 1 complete - speakers and trainers notified
    • CFP Round 2 has begun - ends June 15th
    • Project Summit in Orlando at AppSec USA 2017 - Sign-ups now open!
    • Sponsorships to date: $335,000 - info on opportunities 
  • AppSec EU 2017 in Belfast was a fantastic event
  • OWASP at Blackhat USA 2017
  • WASPY Awards are right around the corner - start thinking of our awesome unsung heroes you'd like to nominate
Community
  • Successful group orientations in Japanese and Spanish for Chapter leaders
    • Fast growing languages among OWASP Chapters
    • Native language chapter organizations were coordinated successfully
  • Leader Workshop at AppSec EU
    • Major upcoming changes were discussed with leaders at that conference
    • Couldn't attend? See the blog post for the details you missed.
Serving the Community 

Per the request of the OWASP Board, we've included a chart of the staff's interaction with the broader OWASP community via submitted cases to the Foundation. We continue to push beyond the 10,000 total case envelope.

Cases for 2017


As always, the OWASP staff are here to make the OWASP community even stronger.  If you have a question, concern or need something please let us know using the 'Contact Us' form. Also, feel free to attend, suggest or otherwise engage with the OWASP Foundation further at the June 7th Board Meeting.

Your friendly neighborhood OWASP staff:
    Kate, Kelly, Alison, Laura, Claudia, Tiffany, Dawn and Matt 

Thursday, June 1, 2017

OWASP iGoat Tool Project - Restart


Project Leader: Swaroop Yermalkar (@swaroopsy)

iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it. As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.
The lessons are laid out in the following steps:
  1. Brief introduction to the problem.
  2. Verify the problem by exploiting it.
  3. Brief description of available remediations to the problem.
  4. Fix the problem by correcting and rebuilding the iGoat program.
*Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.

iGoat Version 3.0 Release

  1. Updated SQLCipher to latest version
  2. Removed project specific compilation warnings
  3. Removed crashing code for server side exercises.
  4. Updated project details in project github page.
  5. Added multiple exercises including:
    • Broken Cryptography
    • Insecure Storage in Plist
    • Insecure Storage in NSUserDefaults
    • Side Channel Data Leaks via Device Logs
    • Cross Site Scripting

Requirements:
To build and run iGoat, you'll need a Mac running OS X (real or virtual machine) with Xcode installed. iGoat runs in the iOS Simulator as well as on a physical iPhone, iPad or iPod.

Call for contributors:
We invite the OWASP community to download and try iGoat, and we welcome your suggestions for improvements. We're always looking for willing participants to contribute to the project as well! To contribute to iGoat project, please contact Swaroop (swaroop.yermalkar@owasp.org or @swaroopsy )

How to contribute?

  • Add new exercises (OAuth attacks, crypto attacks, third-party library issues, etc.)
  • Test iGoat on iPhone and iPad and report any issues
  • Remove compilation warnings
  • Suggest new attacks
  • Write blogs / articles about iGoat
  • Spread the word about iGoat :)

Screenshots:

  1. Broken Cryptography


In this exercise, you identify an insecure mechanism for storing sensitive data locally. The encryption key is hard-coded in the application's source, so anyone who can inspect the app can recover the key and decrypt the stored data back to plain text. For more information, refer to: (https://www.owasp.org/index.php/Mobile_Top_10_2014-M6)

Please provide feedback to Swaroop Yermalkar or use the contact us form.
     

Wednesday, May 31, 2017

OWASP Threat Dragon Project Update



OWASP Threat Dragon Project
Project Leader: Mike Goodwin   GitHub Link

Threat modelling is a very powerful technique for finding and fixing design-level flaws in applications. It is especially good at promoting defence-in-depth. However, the free tooling that is currently available is limited. OWASP Threat Dragon aims to fix that by providing a free, open source threat modelling tool that
  • Is cross-platform
  • Is easy and enjoyable to use
  • Integrates well with other SDLC tools
  • Has a powerful threat generation rule engine
Although Threat Dragon is an Incubator project, it is progressing well and I hope it will be ready to be promoted to Labs soon. Some highlights of the project so far:
  • The original working prototype has been given a major architecture review. This was my first node.js project and my first significant Angular application so there were quite a few kinks to be straightened out. Also, I completely rethought the model storage approach - originally it was using browser local storage like Mozilla SeaSponge, but this turned out to be problematic in practice.
  • A web application variant that uses GitHub as a backend for storing model files. I have plans to add support for BitBucket and possibly other backends soon. This source control system integration is key to the success of the project IMO and I have lots of plans for deeper and better integration in the future.
  • An installable, cross-platform desktop variant based on Electron and using the local file system for model storage. This is important for people who use a source control system that is not supported by the web app variant, or for people who want to evaluate the tool without giving it access to their repos. The desktop variant shares >85% of its code with the web app variant - including most of its UI. This is critical to make it manageable by a small team (just me at the moment!). The desktop app is still a little rough around the edges compared to the web app (e.g. no auto-update on OSX yet) but it is getting there and most of my effort on the project is going into that at the moment.
  • Good unit test coverage (>90%). Quality is not just for Flagship projects - Incubator projects need it too!
  • A cute logo dragon called Cupcakes :o) (based on an original image by DreamsOfMine)
So what's next for Threat Dragon? Well, firstly, although I think it's progressing well on the first 3 of the key project aims, that's just my opinion. It needs feedback. Lots of feedback. All feedback is welcome - feature requests, bug reports or comments on any aspect of the project. Secondly, at the moment it can be used for basic threat modelling, but the threat generation engine is just a stub. You have to come up with all the threats yourself. Threat generation is the next major functional area that I plan to tackle - hopefully with some collaborators. Thirdly, did I say I was interested in feedback?


Please give it a try and let me know what you think!
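The update above says the threat generation engine is still a stub, so as an added example (not Threat Dragon's code, and not its model file format) here is a minimal STRIDE-per-element rule engine in JavaScript of the kind that could sit behind a "generate threats" button. The model is a constructed, simplified flat list of typed elements (actor, process, store, flow), and the element attributes the rules consult (encrypted, crossesTrustBoundary, storesCredentials, authenticates) and the rule set itself are assumptions made for this example. Hand-entered threats already on an element are left alone so re-running the engine never duplicates them.

```javascript
'use strict';

// Constructed sample model (not Threat Dragon's file format): a browser user
// talking to a web app that queries a customer database. Element attributes
// (encrypted, crossesTrustBoundary, storesCredentials, authenticates) are
// assumptions for this example. The 'web' process carries one threat the
// modeller already recorded by hand.
const SAMPLE_MODEL = {
  elements: [
    { id: 'user', type: 'actor', name: 'Browser user' },
    { id: 'web', type: 'process', name: 'Web app', authenticates: true,
      threats: [{ category: 'Spoofing', title: 'Spoofing against Web app' }] },
    { id: 'db', type: 'store', name: 'Customer DB', encrypted: false, storesCredentials: true },
    { id: 'f1', type: 'flow', name: 'HTTP request', source: 'user', target: 'web',
      encrypted: false, crossesTrustBoundary: true },
    { id: 'f2', type: 'flow', name: 'SQL query', source: 'web', target: 'db',
      encrypted: true, crossesTrustBoundary: false },
  ],
};

// STRIDE-per-element: the threat categories that can apply to each element type.
const STRIDE_BY_TYPE = {
  actor: ['Spoofing', 'Repudiation'],
  process: ['Spoofing', 'Tampering', 'Repudiation', 'Information disclosure',
    'Denial of service', 'Elevation of privilege'],
  store: ['Tampering', 'Repudiation', 'Information disclosure', 'Denial of service'],
  flow: ['Tampering', 'Information disclosure', 'Denial of service'],
};

// A rule is a predicate over one element (with the whole model available for
// context) that returns zero or more candidate threats.
const RULES = [
  {
    id: 'stride-per-element',
    match: (el) => (STRIDE_BY_TYPE[el.type] || []).map((category) => ({
      category, severity: 'Medium', title: `${category} against ${el.name}`,
    })),
  },
  {
    id: 'flow-cleartext-across-boundary',
    match: (el) => (el.type === 'flow' && el.crossesTrustBoundary && !el.encrypted)
      ? [{ category: 'Information disclosure', severity: 'High',
        title: `${el.name} crosses a trust boundary in cleartext` }]
      : [],
  },
  {
    id: 'store-credentials-cleartext',
    match: (el) => (el.type === 'store' && el.storesCredentials && !el.encrypted)
      ? [{ category: 'Information disclosure', severity: 'High',
        title: `${el.name} holds credentials without encryption at rest` }]
      : [],
  },
  {
    id: 'process-unauthenticated-entry',
    // A process that is reached across a trust boundary but does not
    // authenticate its callers is a spoofing target.
    match: (el, model) => {
      if (el.type !== 'process' || el.authenticates) return [];
      const exposed = model.elements.some((f) => f.type === 'flow'
        && f.target === el.id && f.crossesTrustBoundary);
      return exposed ? [{ category: 'Spoofing', severity: 'High',
        title: `${el.name} accepts requests across a trust boundary without authentication` }] : [];
    },
  },
];

// Run every rule over every element. A generated threat is dropped when the
// element already carries one with the same title (hand-entered or produced
// by an earlier rule), so the engine can be re-run without duplicating work.
function generateThreats(model, rules = RULES) {
  const generated = [];
  for (const el of model.elements) {
    const seen = new Set((el.threats || []).map((t) => t.title));
    for (const rule of rules) {
      for (const threat of rule.match(el, model)) {
        if (seen.has(threat.title)) continue;
        seen.add(threat.title);
        generated.push({ elementId: el.id, ruleId: rule.id, ...threat });
      }
    }
  }
  return generated;
}

// Tally generated threats per severity for a summary line in the UI.
function countBySeverity(threats) {
  return threats.reduce((acc, t) => ({ ...acc, [t.severity]: (acc[t.severity] || 0) + 1 }), {});
}

if (typeof require !== 'undefined' && require.main === module) {
  const threats = generateThreats(SAMPLE_MODEL);
  console.table(threats.map(({ elementId, ruleId, category, severity, title }) =>
    ({ elementId, ruleId, category, severity, title })));
  console.log(countBySeverity(threats));
}

if (typeof module !== 'undefined') {
  module.exports = { SAMPLE_MODEL, STRIDE_BY_TYPE, RULES, generateThreats, countBySeverity };
}
```

Running `node` on the file prints the generated threat table for the sample model. The generic STRIDE rule gives the modeller a starting checklist for every element; the attribute-driven rules are where a real engine earns its keep, because they only fire on the specific weak configuration (a cleartext flow across a trust boundary, credentials at rest without encryption) and can carry a higher severity and a concrete title. Keeping rules as plain predicate functions also means a project can ship its own rule set alongside the model without changing the engine.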