Thursday, December 31, 2009

SQL Injection Resources

(from Robert Portvliet)

Here's a list of some (SQL Injection) resources I had put together; a good portion of it is probably covered in the Phoenix OWASP list, but here it is anyway:

Vulnerable WebApps:

GOAT - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

MOTH - http://www.bonsai-sec.com/en/research/moth.php

Damn Vulnerable Web App - http://www.dvwa.co.uk/

Mutillidae - http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

Hackme Bank - http://www.foundstone.com/us/resources/proddesc/hacmebank.htm

Hackme Travel - http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm

Hackme Shipping - http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm

Hackme Casino - http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm

Videos & webcasts:

OWASP Appsec NYC 2008 - http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference

Caught in the web series - http://www.coresecurity.com/content/ondemand-caught

Invasion of the browser snatchers series - http://www.coresecurity.com/content/on-demand-snatchers

Advanced SQL injection - http://www.irongeek.com/i.php?page=videos/joe-mccray-advanced-sql-injection

Websec 101 - http://www.foundstone.com/us/websec101.asp

Hackme Bank & Hackme Travel videos - http://www.foundstone.com/us/resources-videos.asp

Tools:

Samurai Web Testing Framework (Live CD which contains most tools needed to perform web assessment) - http://samurai.inguardians.com

Methodologies:

OWASP Testing Guide - http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

Cheat Sheets:

SQL Injection Cheat Sheet - http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

SQL Injection Cheat Sheet - http://michaeldaw.org/sql-injection-cheat-sheet

SQL Injection Cheat Sheet w/ filter evasion - http://ha.ckers.org/sqlinjection/

SQL Injection Cheat Sheets sorted by DB - http://pentestmonkey.net/index.php?option=com_content&task=category&sectionid=9&id=24&Itemid=1

XSS Cheat Sheet w/ filter evasion - http://ha.ckers.org/xss.html

Web App Assessment Cheat Sheet - http://www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf

Books:

Web Application Hackers Handbook - http://portswigger.net/wahh/

Whitepapers & slides:

OWASP article on Web application penetration testing - http://www.owasp.org/index.php/Web_Application_Penetration_Testing

Advanced SQL injection - http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

Best of web application penetration testing tools - http://pauldotcom.com/TriplePlay-WebAppPenTestingTools.pdf

(The next two papers are a little old, but still quite useful)

Advanced SQL Injection in SQL Server - http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

(More) Advanced SQL Injection in SQL Server - http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf

Sunday, December 13, 2009

OWASP APPSEC RESEARCH 2010, 2nd CALL FOR PAPERS

Submission is now open for the upcoming OWASP AppSec Research conference, June 21-24, 2010 in Stockholm, Sweden: http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden

* TOPICS OF INTEREST *
We encourage the publication and presentation of new tools, new methods, empirical data, novel ideas, and lessons learned in the following areas:
  • Web application security
  • Security aspects of new/emerging web technologies/paradigms (mashups, web 2.0, offline support, etc)
  • Security in web services, REST, and service oriented architectures
  • Security in cloud-based services
  • Security of frameworks (Struts, Spring, ASP.Net MVC etc)
  • New security features in platforms or languages
  • Next-generation browser security
  • Security for the mobile web
  • Secure application development (methods, processes etc)
  • Threat modeling of applications
  • Vulnerability analysis (code review, pentest, static analysis etc)
  • Countermeasures for application vulnerabilities
  • Metrics for application security
  • Application security awareness and education
* TYPES OF SUBMISSION *
  1. Publish or Perish. Peer-reviewed 12 page papers to be published in formal proceedings by Springer-Verlag (Lecture Notes in Computer Science, LNCS). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
  2. Demo or Die. A demo proposal should consist of a pdf with a 1 page abstract summarizing the matter proposed by the speaker(s) and 1 page containing demo screenshot(s). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
  3. Present or Repent. A presentation proposal should consist of a 2 page extended abstract representing the essential matter proposed by the speaker(s). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
Full instructions can be found on the conference webpage: http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden
If you have any questions regarding submissions etc., please email john.wilander@owasp.org.

* IMPORTANT DATES *

Submission deadline: February 7th 23:59 (Apia, Samoa time).
Decision notification: April 7th
Conference: June 21st - 24th

* PROGRAM COMMITTEE *

  • John Wilander, Omegapoint and Linköping University (chair)
  • Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)
  • Lieven Desmet, Katholieke Universiteit Leuven
  • Úlfar Erlingsson, Reykjavík University and Microsoft Research
  • Martin Johns, University of Passau
  • Christoph Kern, Google
  • Engin Kirda, Institute Eurecom
  • Ulf Lindqvist, SRI International
  • Benjamin Livshits, Microsoft Research
  • Sergio Maffeis, Imperial College London
  • John Mitchell, Stanford University
  • William Robertson, UC Berkeley
  • Andrei Sabelfeld, Chalmers UT
A warm welcome from the OWASP community!

Regards, John Wilander

Friday, December 4, 2009

OWASP Foundation monthly board meetings

The OWASP Foundation holds monthly board meetings to keep the foundation's principals on track and to address items that roll up from the Global Committees: http://www.owasp.org/index.php/Global_Committee_Pages

At the next board meeting, Dec 1st, we will WELCOME Eoin Keary and Matt Tesauro as new members of the board. As a reminder and for transparency ("O" in OWASP = Open), here is the current agenda: http://www.owasp.org/index.php/OWASP_Board_Meeting_December_1,_2009_Agenda
You are always welcome to listen in, as the meetings are OPEN to the public.

If you believe that there is a pressing issue in your chapter/project or collective region of the world that falls into one of the following "buckets" (Membership, Industry, Projects, Chapters, Conferences, Education), your conduit is the appropriate global committee (see the webpage for contact information for each of them); they are FOCUSED and EMPOWERED to resolve or address it. Monthly, the Global Committees roll up information as a verbal update/written proposal from the committee chair; some people may know this process as a cross-functional roll-up type of meeting. In addition to sometimes daily one-on-one calls, this monthly call is a 60 min "state of the union" update.

Hope this provides insight. There have been several questions about this since the 2009 Summit that took place in Washington, DC last month.

Tom Brennan

OWASP AppSec Research 2010 2nd Call for Papers

Submission is now open for the upcoming OWASP AppSec Research conference, June 21-24, 2010 in Stockholm, Sweden.

Types of Submission

  1. Publish or Perish. Peer-reviewed 12 page papers to be published in formal proceedings by Springer-Verlag (Lecture Notes in Computer Science, LNCS). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
  2. Demo or Die. A demo proposal should consist of a pdf with a 1 page abstract summarizing the matter proposed by the speaker(s) and 1 page containing demo screenshot(s). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
  3. Present or Repent. A presentation proposal should consist of a 2 page extended abstract representing the essential matter proposed by the speaker(s). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
Topics of Interest

We encourage the publication and presentation of new tools, new methods, empirical data, novel ideas, and lessons learned in the following areas:

• Web application security
• Security aspects of new/emerging web technologies/paradigms (mashups, web 2.0, offline support, etc)
• Security in web services, REST, and service oriented architectures
• Security in cloud-based services
• Security of frameworks (Struts, Spring, ASP.Net MVC etc)
• New security features in platforms or languages
• Next-generation browser security
• Security for the mobile web
• Secure application development (methods, processes etc)
• Threat modeling of applications
• Vulnerability analysis (code review, pentest, static analysis etc)
• Countermeasures for application vulnerabilities
• Metrics for application security
• Application security awareness and education

Full instructions can be found on the conference webpage http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#tab=CFP. If you have any questions regarding submissions etc., please email john.wilander@owasp.org.

Important Dates
Submission deadline: February 7th 23:59 (Apia, Samoa time).
Decision notification: April 7th
Conference: June 21st - 24th

Program Committee

• John Wilander, Omegapoint and Linköping University (chair)
• Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)
• Lieven Desmet, Katholieke Universiteit Leuven
• Úlfar Erlingsson, Reykjavík University and Microsoft Research
• Martin Johns, University of Passau
• Christoph Kern, Google
• Engin Kirda, Institute Eurecom
• Ulf Lindqvist, SRI International
• Benjamin Livshits, Microsoft Research
• Sergio Maffeis, Imperial College London
• John Mitchell, Stanford University
• William Robertson, UC Berkeley
• Andrei Sabelfeld, Chalmers UT

About OWASP

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas. We can be found at www.owasp.org.

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046

301-275-9403
kate.hartmann@owasp.org
Skype: kate.hartmann1

Thursday, November 19, 2009

ESAPI For PHP Project - call for help

The ESAPI for PHP project is always on the lookout for volunteers who are interested in contributing developer cycles. Right now, we’re looking for volunteers to help port ESAPI for Java EE version 1.4 to PHP version 5.2. Here’s what you’ll need to do, if you are interested.

Step 1: Subscribe to the ESAPI for PHP mail list

The first step is to subscribe to the ESAPI for PHP mail list. This is a separate mail list from the main ESAPI mail list. You can subscribe to the ESAPI for PHP mail list here.

Step 2: Ask Mike for an assignment
The next step is to email Mike to introduce yourself and to ask for an assignment. “Mike” is Mike Boberski, the project manager for ESAPI for PHP. You can email Mike here.

Step 3: Provide Mike with your Google Account ID
The next step is to email Mike with your Google Account name. If you don’t have a Google Account, you’ll need one. ESAPI for PHP source code and documentation are hosted on Google Code here.

Step 4: Check out the latest project source code
The next step is to obtain the SVN client of your choice (such as TortoiseSVN) and point it at the project repository here.

Step 5: Check out the ESAPI for Java source code
The next step is to obtain the ESAPI for Java EE version 1.4 baseline, again using SVN. The ESAPI for Java EE version 1.4 baseline is here.

Step 6: Start coding!
The next step is to get to work! Thank you again for contributing your valuable developer cycles; we recognize and appreciate the value of your time. More details about the approach that we’re using can be found on the other side of this datasheet.

Step 7: Email the list with any questions
If in doubt, email the list with any questions or concerns as you work on the code. Please be patient if you don’t get a response right away. The development team that is working on ESAPI for PHP literally spans the globe, so depending on your location and whomever may have insight into a particular item, there may be a delay.

Step 8: Email the list weekly with your status
Mike sends out a project status email once a week. An archive of weekly status emails can be found here. Please email the ESAPI for PHP mail list with a brief summary of what you worked on during the past week, what you plan on working on the next, and any issues or requests for assistance. Please try to email your status by COB Thursday Eastern time (Mike is located in the greater Washington DC area).

The ESAPI for Java EE is “the” design

Basically, we’re going interface by interface, class by class, line by line through the ESAPI for Java EE code and translating Java language constructs into PHP version 5.2 statements. The only differences between the code should be language‐specific differences. In certain instances however, a solution that is unique to PHP may be required. For example, the ESAPI for PHP configuration file is an XML file, compared to the Java version’s properties file.

In such instances, please email the list with your proposal BEFORE continuing on. Basically, you need to get Mike’s OK, after making sure to follow any guidance or technical direction provided by Andrew. Mike is, in addition to managing tasking, reviewing code and tests to ensure quality and consistency and to watch for the introduction of any new dependencies. “Andrew” is Andrew van der Stock, the technical lead and the overall project lead. You can email Andrew here.

Check this checklist, before you check in code
Please make sure to run through this checklist BEFORE you commit code:
  1. You have created tests for your new or updated code in /test
  2. You have run /test/AllTests.php and have verified that your tests all run successfully
  3. You have run /test/AllTests.php and have verified that your new code hasn’t broken any existing code
  4. You have updated the phpdoc to match the ESAPI for Java EE javadoc, and added yourself to the attributions

Please make sure to run through this checklist AFTER you commit code:
  1. You have emailed the ESAPI for PHP mail list to let them know what code has been checked in, and what the new or modified code is or does.

Wednesday, November 18, 2009

OWASP Top 10 - 2010 rc1 Released!!

Authored by Dave Wichers - 11/13/2009

Today, I gave my presentation on the new Top 10 at the OWASP AppSec DC Conference and officially released the 2010 release candidate.

I have uploaded both the presentation and the Top 10 itself to the OWASP wiki. The presentation is in .pptx format, and the Top 10 is a PDF document.

They can both be found at the top of the Top 10 project page: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Since this is a release candidate, it is up for open comment until the end of the year. So, please review and provide me with comments.

And the Top 10 for 2010 (rc1) is …

A1: Injection
A2: Cross Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Unvalidated Redirects and Forwards
A9: Insecure Cryptographic Storage
A10: Insufficient Transport Layer Protection

Thanks, Dave
Dave Wichers

OWASP Top 10 Lead

OWASP Orizon 2.0 update

As you probably know, next June (2010), during OWASP AppSec EU in Stockholm, we will release Orizon 2.0.

The main goal is to provide a tool usable by security experts (or by developers with hacking attitudes as well) that is as powerful as FindBugs is in the open-source marketplace.

To achieve this, we need to work hard and improve the tool.

To increase collaboration, I will publish a slideshow every month describing where we started, where we are going and what we have done since last month. So I think we will be quite motivated.

I will change the wiki pages on the owasp.org site and on the blog according to this resolution.

This is the first update:

http://www.slideshare.net/thesp0nge/road-towards-owasp-orizon-20-november-2009-update

I'm looking forward to hearing your voice.

Regards,
Paolo

OWASP Board - Election Results

On behalf of the membership committee and the OWASP community, I am pleased to announce that the results for the 2009 OWASP Board Election are in! The election was open to OWASP members and was conducted through an online voting system. Eligible voters were provided a 7 day window to cast their vote to elect 2 new members to the OWASP board. This election brings the total number of board members to 7.

The results are as follows:

OWASP 2009 New Board Members Election

Total 472 responses (236 responders x 2 candidates/responder)

  • Eoin Keary 31.99% - (151 votes)
  • Matt Tesauro 30.72% - (145 votes)
  • Pravir Chandra 24.79% - (117 votes)
  • Kuai Hinojosa 12.50% - (59 votes)

The new OWASP Board is:
  • Jeff Williams
  • Dinis Cruz
  • Dave Wichers
  • Tom Brennan
  • Sebastien Deleersnyder
  • Eoin Keary
  • Matt Tesauro

Complete information on the candidates and the election process can be found here: http://www.owasp.org/index.php/Board_member

Please join me in supporting our Board!

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046
301-275-9403
kate.hartmann@owasp.org
Skype: kate.hartmann1

Tuesday, October 13, 2009

AppSec DC and OWASP Global Summit 2009

OWASP Appsec 09
November 10-13
Walter E. Washington Convention Center, Washington DC

OWASP 2009 Summit
November 11
Walter E. Washington Convention Center, Washington DC

Come join the best in web application security in Washington DC, November 10-13!

Important reminders for those attending OWASP AppSec DC:

- The OWASP Summit for 2009 is happening in conjunction with AppSecDC, the day before the talks (November 11th). See http://www.owasp.org/index.php/Summit_2009 for details. This is a great opportunity for OWASP leaders and members to take advantage of both events, as well as things such as the discounted rate for conference accommodations.

- This week is the LAST week that we can guarantee the generously discounted room rate we have negotiated with the Grand Hyatt. If you book after 10/19/09, we can NOT guarantee that you will get the discounted rate. This applies to people attending both the summit and the conference.

You can make your reservations online here:

https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=1401279&fromResdesk=true

or by calling the Grand Hyatt and using the promo code "OWAS". (It is a 4-letter code, with no "P".)

- There are still openings in some of our Training Classes. The training options at AppSecDC are substantially cheaper than at other comparable industry events. Training options are detailed here:

http://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC#tab=Training

About AppSecDC:

AppSecDC 2009 ( http://appsecdc.org ) will provide two days of world class training on topics like Assessing Web Applications, Threat Modeling, and Secure Code Review, followed by two days of presentations.

Speakers will include subject matter experts and leaders from public and private sectors in eight tracks across two days, with keynotes from leading federal names in application security, an Industry SDLC panel, a Federal CISO panel, and more.

Admission for the presentations is only $395 for two days of talks. OWASP Chapter leaders may be subsidized by the OWASP foundation for the cost of their admission. All events qualify for CPEs if you have ISC2 certifications to maintain.

Visit our website: http://appsecdc.org

Visit the summit website: http://www.owasp.org/index.php/Summit_2009

Register now to guarantee your spot: http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c

Book your hotel: https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=1401279&fromResdesk=true

Find out more details: http://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC
Kate Hartmann

OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046

301-275-9403
kate.hartmann@owasp.org
Skype: kate.hartmann1

AppSec Brazil 2009 - Call for Participation

International Conference on Application Security, sponsored by TI-Control Community and the Brazilian Chamber of Deputies, in partnership with OWASP and support from the University of Brasília, UnB.

The Computing Centre of the Brazilian Chamber of Deputies and TI-Control invite all interested parties to attend AppSec Brazil 2009, which will happen in Brasília, Brazil, from October 27th to October 30th 2009.

The Conference comprises training sessions on October 27th and 28th, followed by plenary sessions on October 29th and 30th 2009.

Keynotes

Dr. Gary McGraw, CTO, Cigital Inc.

The Building Security In Maturity Model(BSIMM)

Jason Li, Aspect Security

Agile and Secure: Can we do both?

Dinis Cruz, OWASP Board

OWASP Project Overview

Kuai Hinojosa, NY University and OWASP

Implementing Secure Web Applications using OWASP Resources

Selected talks

The Conference will have several technical talks on several aspects of Application Security. Some of the subjects are:

  • Web Application Security
  • Security expenses optimization
  • SQL Ownage
  • Tools

Training Sessions

The Conference will also present 5 training sessions:

  • Gestão de Riscos de Segurança Aplicada a Web Services (Security Risk Management Applied to Web Services; in Portuguese)
  • Segurança Web: Técnicas para Programação Segura de Aplicações (Web Security: Techniques for Secure Application Programming; in Portuguese)
  • Segurança Computacional no Desenvolvimento de Web Services (Computer Security in Web Services Development; in Portuguese)
  • Tecnologias de Segurança em Web Services (Security Technologies in Web Services; in Portuguese)
  • Hands on Web Application Testing using the OWASP Testing Guide (in English)

Location

The conference will be at the Brazilian Chamber of Deputies, in Brasília. The plenary sessions will occur at Auditório Nereu Ramos, Anexo II. The training sessions will be at the Centro de Formação, Treinamento e Aperfeiçoamento.

Registration

Thanks to the sponsors, there will be no fee to attend the Conference, but registration will be required to avoid overcrowding the auditorium.

Registration will be open beginning September 29th, 2009, at the URL: http://www.camara.gov.br/appsecbrasil2009

More Information

For more information, please consult the web sites listed below or write to

appsec.brasil@camara.gov.br

Registration and general information: http://www.camara.gov.br/appsecbrasil2009

TI-Control Community: http://www.ticontrole.gov.br
Chamber of Deputies: http://www.camara.gov.br

Kate Hartmann

OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046

301-275-9403
kate.hartmann@owasp.org
Skype: kate.hartmann1

Monday, October 12, 2009

OWASP-Italy Day IV

Next 6th November we will have the next OWASP-Italy Day.

On this occasion CIOs, CTOs, CISOs, Auditors, IT managers, Security Managers and Security Governance managers will have the opportunity to get an update on the evolution of Application Security and on the new initiatives in Software Security.

The Agenda:

9:00 Registration
9:30 Introduction to the OWASP-Day
Matteo Meucci - OWASP-Italy Chair
9:50 How to Create Business Cases for Your Software Security Initiative
Marco Morana - CISO, Citigroup
10:30 OWASP SAMM / Open Software Assurance Maturity Model
Claudio Merloni - Software Security Consultant, Fortify Software
11:10 Coffee break
11:40 From Web Attacks to Malware. Can Secure Software Development Help Internet Banking Security?
Giorgio Fedon - COO, Minded Security
12:20 Usability versus security: securing Internet facing applications while keeping them highly attractive for everybody
Tobias Christen - CTO, DSwiss Ltd
13:00 Business Lunch
14:00 NoScript, CSP and ABE: When the Browser Is Not Your Enemy
Giorgio Maone - CTO, InformAction
14:40 Building Security In Maturity Model: A Review of Successful Software
Gabriele Giuseppini - Technical Manager, Cigital
15:20 The art of code reviewing
Paolo Perego - Senior Consultant, Spike Reply
16:00 Round Table: Why Software Security is not a priority in our digital world?
Marco Morana, Carlo Merloni, Gabriele Giuseppini, Stefano Di Paola - Keynote: Raoul Chiesa

References:

"Have you finished stuffing your networks with firewalls and other such gadgets? Then it is time to change perspective and realise that today, having secured the perimeter of our information systems, the most serious threats come from our own applications, which are sometimes not designed and implemented with the best practices of secure software development in mind. In this field OWASP is a constant point of reference and a treasure trove of information and tools, and at the Ministry of Education, Universities and Research we have learned to appreciate the materials and information available on its website, within our group that deals with information system security. To learn about OWASP's initiatives, get a preview of the main developments in software security and meet the leading experts in this sector, take part in OWASP DAY - ITALY IV on 6 November in Milan; it will be a very useful opportunity to deepen your knowledge."
Paolo De Santis - Director, Directorate-General for Studies, Statistics and Information Systems, MIUR

"OWASP Day is the place and the time to meet other professionals and enthusiasts in the field. It is an opportunity to learn directly from the protagonists about the methodologies, techniques and research areas in the world of application security, which has now become the main factor, together with the human one, in the field of Information Security."
Massimo Trevisani - CSO, IWBank

"The OWASP conferences in Italy are an important moment of awareness about application security. The event is a point of reference where IT professionals can evaluate new approaches to secure software development and to the defence of their own online applications."
Marco Bavazzano - CISO, Telecom Italia

Wednesday, September 23, 2009

Reminders/Announcements!

  1. Early Bird registration for OWASP AppSec DC 09 ends on Friday! Don’t miss out on the savings. Register today! http://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC#tab=Welcome
  2. OWASP will be hosting the 2009 OWASP Global Summit on November 11, 2009, the day prior to AppSec DC. Summit information can be found here: http://www.owasp.org/index.php/Summit_2009 Please make plans to extend your stay in DC to participate in this event.
  3. CFP for OWASP Italy Day IV has been extended to October 3, 2009. http://www.owasp.org/index.php/Italy_OWASP_Day_4

Please contact me with any questions! As always, thank you for your continued efforts and support of OWASP.

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046

301-275-9403
kate.hartmann@owasp.org
Skype: kate.hartmann1

Wednesday, September 16, 2009

OWASP-Italy Day IV

=================================================

OWASP-Italy Day IV: "Secure Software Initiatives"
Milan - 6th November 2009

=================================================

Introduction
=========

Following on from the great successes of the previous OWASP Days, the new conference will take place on 6th November 2009 in Milan.


Organization and goals:
===============
  • The event will cover several points of discussion: we will present the state of the art of Secure Software Initiatives, along with technical talks about new research in Application Security.
  • As the conclusion of the day, we will organise a round table discussing the most interesting subjects that came up during the event.
  • The conference goal is to create a debate on how research in Web Application Security will evolve, and on how to start a secure software initiative.
Call For Paper:
===========

OWASP solicits contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers at the conference can submit an abstract of the speech to the OWASP-Italy Board by email at: owasp-italy owasp.org

The email subject must be “OWASP Day 4: CFP” and the email body must contain the following information/sections:
  • Name and Surname
  • Email address
  • Telephone number
  • Company name and role
  • Short biography (max 100 words)
  • List of the author’s previous papers/articles/speeches on the same topics
  • Title of the contribution
  • Type of contribution: Technical or Informative
  • Abstract (max one A4 style page)
  • Why the contribution is relevant for OWASP-Italy Day 4
The submissions will be reviewed by the OWASP-Italy Board, and the 8-9 most interesting ones will be selected and invited for presentation.

Important dates:
============
  • Contributions submission deadline: 21st September 2009
  • Communication of acceptance for contributions: 10th October 2009
Additional information:
================

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046

301-275-9403
kate.hartmann@owasp.org
Skype: kate.hartmann1

Friday, August 21, 2009

AppSec DC 2009

OWASP Announces International Application Security Conference for 2009

Speaker Agenda Released and Registration Open for 2009's Largest Web Application Security Event

Washington DC August 20th, 2009 -- Following in the footsteps of the Open Web Application Security Project's (OWASP, http://www.owasp.org ) immensely successful and popular conferences earlier this year in Australia, Poland, Ireland, and Brazil, Washington DC will be hosting the 2009 OWASP Application Security Conference (AppSec DC, http://www.appsecdc.org ), North America's premier web application security conference, at the Walter E. Washington Convention Center on November 10-13th, 2009.

AppSec DC 2009 will provide a venue for hundreds of IT professionals interested in securing web technologies to learn, interact, network, and attend presentations and training given by some of the world's top practitioners of web application security, suitable for everyone from federal decision makers and management to application security engineers and developers. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next” in the world of application security. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

"AppSec DC is a unique opportunity for federal decision makers and key technologists to become familiar with OWASP and the resources it has to offer," said Doug Wilson, co-chair of the Washington DC OWASP Chapter and organizer of AppSecDC. "The federal government has already embraced the OWASP Top Ten and other OWASP guidelines. OWASP's mission and community align closely with the goals set forth by the US Chief Information Officer: transparency, engagement of staff, reduction of cost, and innovation in technology. OWASP can enable the government to attain these goals in the pursuit of securing critical technologies that depend on the web."

Highlights for AppSec DC 2009 include a keynote from Joe Jarzombek, Director for Software Assurance in the Department of Homeland Security's (DHS) National Cyber Security Division (NCSD), a panel discussion of US Federal Government Chief Information Security Officers on their experiences with application security, a panel of industry experts on implementing security in development cycles, and a wide variety of talks by leading personalities in the field of web
application security, including Robert "RSnake" Hansen, Robert Auger, Chris Wysopal, and others.

"For AppSec DC 2009, we're really trying to reach out to developers, testers and quality assurance staff because they are pivotal to solving the root causes of application security problems," said Mark Bristow, an organizer of AppSec DC and a founding member of the OWASP Global Conferences Committee. "To this end, we have a dedicated secure development track designed specifically for these folks to give them the skills they need to build secure software effectively."

AppSec DC 2009 will feature interactive, hands-on training courses led by some of the leaders in application security (Security Compass, Aspect Security, WhiteHat Security, Inguardians and others) on the 10th and 11th of November followed by four distinct speaking tracks on the 12th and 13th. Opportunities to interact with AppSec sponsors and vendors will also be available, as well as an OWASP-sponsored Capture the Flag competition and other events.

Who Should Attend AppSec DC 2009:

* Application Developers
* Application Testers and Quality Assurance
* Application Project Management and Staff
* Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
* Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
* Security Managers and Staff
* Executives, Managers, and Staff Responsible for IT Security Governance
* IT Professionals Interested in Improving IT Security


If you would like more information about AppSec DC 2009, please visit
the conference website at http://www.appsecdc.org/

About OWASP:

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true
application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501(c)(3) not-for-profit charitable organization that ensures the ongoing availability and support for our work from Individuals, Organization Supporters & Accredited University Supporters.

For more information, please visit http://www.owasp.org/

About the OWASP DC Chapter:

The OWASP DC Chapter is Washington DC's local OWASP presence with bi-monthly meetings and is taking the lead on organizing AppSec DC 2009.

For more information, please visit http://www.owasp.org/index.php/Washington_DC

Tuesday, August 11, 2009

August 2009 update

(authored by Tom Brennan)

The OWASP Aug 2009 meeting has completed.

** Driven by the interest of individuals in becoming board members, a proposal for the addition of a 6th board member was put to a vote. The process for filling the position is to be unveiled in November. Members would have voting privileges.

What was the agenda?
http://www.owasp.org/index.php/OWASP_Board_Meeting_August_4,_2009_Agenda

What was the outcome?
http://www.owasp.org/index.php/OWASP_Board_Meeting_August_09

Where are all the meetings located?
http://www.owasp.org/index.php/OWASP_Board_Meetings

What else is happening at OWASP Globally? See:
http://www.owasp.org/index.php/Global_Committee_Pages

Thursday, August 6, 2009

OWASP AppSec Germany 2009 Call for Presentations

OWASP AppSec Germany 2009 Call for Presentations

(For German version see below)

The OWASP German Chapter is delighted to invite you to the OWASP AppSec Germany 2009 conference on 13 October 2009. This year the conference will take place in parallel with the IT security trade fair it-sa in Nuremberg.

Call for Presentations

A presentation proposal should consist of a 2-page position paper representing the essential matter proposed by the speaker(s). Proposals must include sufficient material for the organizing committee to make an informed decision.

Topics of Interest

We encourage in particular presentations about the development, operations, and testing aspects of web-based applications. We aim to complement the well-established technical aspects of web application security with IT management, business, and user-oriented topics. The conference language is German, but talks are also welcome in English. Topics of interest are all topics related to web application security and OWASP, in particular (all with a focus on web application security):

  • Technical talks with particular relevance to practice
  • Secure development frameworks and best practices
  • Security awareness programs for developers, testers, architects and business people
  • Security management of web based applications
  • Security management in outsourcing and off-shoring projects and operations
  • Lessons learned talks about web application security, in particular about the introduction of internal web application security processes, internal and/or external auditing etc.
  • OWASP in your enterprise or university
  • Application security and metrics

Depending on the submissions the conference will be organized in one or two parallel tracks. Presentations are scheduled for 30 or 45 minutes. All presentations are held and published under the OWASP speakers agreement (see below).

The conference aims to provide a lab room available for demonstrations or hands on discussions (tbc).

  • Conference participants, and in particular all speakers, are invited to the pre-opening event on 12 October 2009. Details will be published shortly.

Dates

  • Submission deadline is 17 August 2009. Submissions go by email to germany@owasp.org ; your submission will be confirmed shortly. Please state the proposed duration of your talk (30 or 45 minutes) and whether you would like to use the lab.
  • Acceptance notification by 31 August 2009.
  • Submission deadline for presentation slides (prefinal): 1 October 2009
  • Conference: 13 October 2009 (pre-opening event on 12 October 2009)

Additional information:

Contact:

Email: germany@owasp.org . Thomas Schreiber and Georg Hess (OWASP German Chapter Leaders), Boris Hemkemeier (OWASP German Chapter Board Member)

___________________________________________________________________

OWASP AppSec Germany 2009 Call for Presentations (German version, translated)

The German chapter of the Open Web Application Security Project (OWASP) is organizing the second OWASP AppSec Germany 2009 conference on 13 October 2009. The conference takes place alongside the IT security trade fair it-sa in Nuremberg (exhibition grounds). The German OWASP Chapter is issuing a Call for Presentations (CfP) for this conference. The conference is aimed primarily at a German audience; the conference language is German, but talks in English are also welcome. OWASP AppSec Germany 2009 is intended to complement the well-known technology-oriented security conferences and also to offer subject-matter talks on the development, operation and testing of web-based applications.

Call for Presentations

For the submission of talks we ask for a summary of at most two pages or a preliminary version of the talk.

Desired Topic Areas

All topics related to web application security and OWASP, in particular (each with regard to web application security):

  • Practice-relevant technical talks
  • Secure development frameworks and best practices
  • Secure Development Lifecycle
  • Security awareness programmes for developers, testers, architects and clients
  • Security management of applications in the enterprise
  • Application security in outsourcing and offshoring projects
  • Experience reports from companies, in particular regarding the introduction of web application security processes, internal and external auditing, etc.
  • OWASP in your company, your university, etc.
  • Application security and metrics

Depending on the number of submissions received, one or two tracks will be offered.

Presentations may last 30 or 45 minutes. If a contribution is accepted, the length may be discussed where necessary.

All talks will be published on the conference website under the OWASP licence (OWASP Speaker Agreement, see below).

Please note that the OWASP Speaker Agreement must be accepted and signed without modification before the conference.

In addition to the conference talks, a small lab will probably be offered in which demos from the talks can be shown, or in which individual topics can be explored hands-on with interested participants after the talk.

Participants, and speakers in particular, are cordially invited to the pre-conference evening event on 12 October 2009.

Dates:

  • Submissions by 17 August 2009 by email to germany@owasp.org . Please attach a summary of the talk or a preliminary version of the slide deck and, if possible, a short biography. Please also state the desired duration (30 or 45 minutes). If you are interested in the lab, please note this.
  • Notification of speakers 31 August 2009.
  • Submission of slide decks (prefinal) 1 October 2009
  • Conference 13 October 2009 (with pre-conference evening event on 12 October 2009)

Further information

Contact:

germany@owasp.org . Thomas Schreiber and Georg Hess (OWASP German Chapter Leaders), Boris Hemkemeier (OWASP German Chapter Board Member)

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046

301-275-9403
kate.hartmann@owasp.org
Skype: kate.hartmann1

Friday, July 31, 2009

OWASP ModSecurity CoreRule Set (CRS) v2.0.0 Released

(posted by Ryan C. Barnett)

Greetings everyone,

We have some big news/changes with regards to the Core Rule Set (CRS). Please follow the information here to make sure that you understand the changes moving forward.


1) New Home for CRS
The Core Rule Set is now an official OWASP Project! Here is the new project site -
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project.


This is the new home of the CRS. The main goal of moving the CRS to OWASP is to better facilitate documentation and development of the rules. As you know, the OWASP pages are wiki-based so you all can go in there and help to document them :) I will add some example template pages soon to help get the ball rolling however my thinking is that we should emulate what Snort Sigs DB used to do and document the goal of each group of rules, what are they looking for, how are they looking for it and any false positive/exception fixes, etc...


Here is the new Download link page -
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Download


2) Changes to the CRS
The latest version of the CRS is v2.0.0 and there are significant changes. The most important ones are related to running in an anomaly scoring mode which allows the rules to collaborate to an overall anomaly score. This will allow users to set appropriate thresholds for their sites for logging/blocking. There are too many other changes to mention directly here so please review the CHANGELOG file -
http://voxel.dl.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/CHANGELOG
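The anomaly scoring mode described above, as an added model written for this page (not the CRS rules or the ModSecurity engine): a few constructed rules each add a severity weight to one per-request score, and the log/block decision is taken once against thresholds rather than by any single rule. The severity weights, thresholds, rule ids, regexes and sample requests are all constructed here.

```python
import re

# Severity weights and thresholds are constructed for this model (assumption);
# they are not copied from the CRS configuration files.
SEVERITY_SCORE = {"critical": 5, "error": 4, "warning": 3, "notice": 2}
LOG_THRESHOLD = 3    # score at which the request is logged as suspicious
BLOCK_THRESHOLD = 5  # score at which the request is denied

# Constructed rule set: (rule id, severity, request part inspected, regex).
# The ids are made up for this example and are not CRS rule ids.
RULES = [
    ("900001", "notice", "headers", r"(?si)^(?!.*user-agent:)"),  # no User-Agent header
    ("900002", "notice", "uri", r"%00"),                          # encoded NUL byte in path
    ("900003", "warning", "uri", r"\.\./"),                       # parent-directory marker
    ("900004", "critical", "args", r"(?i)union\s+select"),        # SQL keyword sequence
]


def evaluate(request: dict) -> dict:
    """Score one request: every matching rule adds its severity weight to a
    single anomaly score, and the log/block verdict is taken once at the end."""
    score, matched = 0, []
    for rule_id, severity, target, pattern in RULES:
        if re.search(pattern, request.get(target, "")):
            score += SEVERITY_SCORE[severity]
            matched.append(rule_id)
    if score >= BLOCK_THRESHOLD:
        action = "block"
    elif score >= LOG_THRESHOLD:
        action = "log"
    else:
        action = "pass"
    return {"score": score, "matched": matched, "action": action}


def request(uri: str, args: str = "", user_agent: str = "") -> dict:
    """Build a constructed request; headers are one text blob, as a WAF sees them."""
    headers = "Host: shop.example"
    if user_agent:
        headers += f"\nUser-Agent: {user_agent}"
    return {"uri": uri, "args": args, "headers": headers}


# Constructed sample traffic (not captured requests), one case per threshold effect.
SAMPLE_REQUESTS = {
    "benign": request("/index.php", "page=home", "Mozilla/5.0"),
    "no_user_agent": request("/index.php", "page=home"),      # one notice: below log threshold
    "two_weak_signals": request("/files/%00.txt"),            # notice + notice: logged
    "traversal_no_ua": request("/static/../config"),          # notice + warning: blocked
    "sql_keywords": request("/search", "q=1 UNION SELECT 1", "curl/7.19"),  # one critical: blocked
}


def verdicts() -> dict:
    """Map each sample request name to its (score, action) pair."""
    return {name: (r["score"], r["action"])
            for name, r in ((n, evaluate(q)) for n, q in SAMPLE_REQUESTS.items())}
```

Raising BLOCK_THRESHOLD to 7 would turn the notice-plus-warning case into a log-only event while the critical match still blocks, which is the per-site tuning the release text refers to.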


3) Rule Update Tracking for the CRS
While the new OWASP project site will mainly be used for documentation purposes, all CRS rule issues will be tracked by using our Jira app - https://www.modsecurity.org/tracker/. We want to track all bugs, false positives and false negatives (if there are any bypass evasion issues that you find), etc...


We are very excited about this new momentum for the CRS and we look forward to a more collaborative exchange with the community!


--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com/

Friday, July 24, 2009

AppSec Research 2010 Challenge

July's OWASP AppSec Research 2010 Challenge is posted. Let your chapter members know they can win a conference ticket by solving the first ever(?) OWASP crossword puzzle!

http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#AppSec_Research_Challenge_2:_OWASP_Crossword_Puzzle

Tuesday, July 21, 2009

How to start an OWASP Project

(posted by Matt Tesauro)

Starting an OWASP Project is easy. You don't have to be an application security expert. You just have to have the drive and desire to make a contribution to the application security community.

Here are some of the guidelines for running a successful OWASP project:

  • The best OWASP projects are strategic - they make it easier to produce secure applications by filling a gap in the application security knowledge-base or technology support.
  • You can run a single person project, but it's usually best to get the community involved. You should be prepared to support a mailing list, build a team, speak at conferences, and promote your project.
  • You can contribute existing documents or tools to OWASP! Assuming you have the intellectual property rights to a work, you can open it to the world as an OWASP Project. Please coordinate this with OWASP by contacting owasp(at)owasp.org.
  • You should promote your project through the OWASP channels as well as by outside means. Get people to blog about it!
Check out http://www.owasp.org/index.php/How_to_Start_an_OWASP_Project#Creating_a_new_project for more information!

Saturday, July 18, 2009

OWASP AppSec USA 2009 Conference

We are pleased to announce that the OWASP DC chapter will host the OWASP AppSec DC 2009 conference in Washington, DC.

The conference will take place at the Walter E. Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001) on November 10th through 13th of 2009. There will be training courses on November 10th and 11th followed by plenary sessions on the 12th and 13th with each day having three tracks.

Registration is now open!

Current pricing reflects an "Early Bird" discount of $50 off the at-the-door price of $395.

OWASP membership ($50 annual membership fee) gets you a discount of $50.

$345 General Public
$295 OWASP Members
$195 Student

For the student discount, attendees must present proof of enrollment when picking up their badge.

AppSec DC 2009 will be taking place at the Walter E. Washington Convention Center in downtown Washington DC.

The convention center is located over the Mount Vernon Square/Convention Center Metro stop on the Green and Yellow lines of the DC Metro, and only a few blocks from our convention hotel, the Grand Hyatt Washington (reserve rooms here).

Tuesday, July 14, 2009

OWASP 2009 Q3 Update

I would like to provide a 2009 Q3 update about the OWASP Foundation on a couple of high-level items.


#0 - OWASP @ Blackhat 2009 - If you will be making the trip to #Blackhat (that's Twitter speak), be sure to join us for the OWASP breakout briefing about Critical Infrastructures, July 29, 16:45 in the Genoa room; this is the OFFICIAL meet-up.


#1 - OWASP EU Poland videos are now online (thanks Seba), and people can quickly get to them by going to http://www.owasp.tv or http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland (see OWASP blip videos). Share any of them with your teams = free SDLC training.


#2 - OWASP board meetings have been happening every month for some time now. One of the most common questions I get personally is "what happened at the last meeting..." Well, it's not a secret ivory tower, actually - we keep agendas and results of each monthly meeting, ensuring that the OWASP ethics and principles are being adhered to. So you can find this information for both historic and future meetings online, see: http://www.owasp.org/index.php/OWASP_Board_Meetings - should you have a topic that you feel is critical for the OWASP Foundation, we request that you communicate first with the appropriate Global Committee, as the purpose of these groups is to be a VOICE for each region in the world and then focus on a defined mission with a team of energy-filled persons, see:

http://www.owasp.org/index.php/Global_Committee_Pages note each committee is led by a board member as well.


Questions about money, tax returns etc. are all answered online as well, see: http://www.owasp.org/index.php/OWASP_Foundation (managed by Alison). What other professional technology group do you belong to that is this transparent?


#3 - Global Committees bring out another point - if you would like to help OWASP continue to grow and have some cycles for selfless volunteerism, or simply a suggestion based on your experiences, join the mailing list and/or contact the Global Committee: http://www.owasp.org/index.php/Global_Committee_Pages . The best way to change the world is to start with your local chapter, then the region, then globally.


#4 - OWASP Podcasts http://www.owasp.org/index.php/OWASP_Podcast - got questions, comments or feedback for Jim Manico and team, who have been working very hard to bring you interviews with AppSec folks globally? Let them know: send an email to podcast@owasp.org with your comments and favorite episode and why.


#5 - OWASP Projects have been updated. Have a review of the existing ones as well as the detailed how-to on new projects, see:

http://www.owasp.org/index.php/Category:OWASP_Project


#6 - HELP WANTED - The OWASP Job Board has lots of active postings from firms looking for the best in the industry. If you are looking for employment, or if it is time to change gears and accelerate your career, visit http://www.owasp.org/index.php/OWASP_Jobs to have a look around.


#7 - OWASP Conferences -

http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference - the USA (DC) OWASP event is going to be a BIG event; plan now to attend it and lock in your hotels and travel early. If you would like to host a conference in 2010, be sure to contact Kate Hartmann with your proposal for consideration for 2010.


#8 - OWASP GRANTS/SoC - want to work on an OWASP project? Want to sponsor an OWASP project? Take the time to review the following:

http://www.owasp.org/index.php/OWASP_Season_of_Code_2009

There is so much energy and passion within the OWASP Foundation. Thank you for being a member of our mailing lists, and for being an Individual Member (a $50.00 annual donation) or an Organization Supporter (a $5000.00 annual donation); Accredited University Supporters are FREE, so talk to your university if they are not on the list already.


http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members


THANK YOU FOR YOUR SUPPORT TO ALLOW US TO CONTINUE ON THE MISSION of "to make application security visible, so that people and organizations can make informed decisions about true application security risks"


Tom Brennan

Volunteer Board Member

OWASP Foundation

Direct: 973-202-0122

http://www.linkedin.com/in/tombrennan