Monday, June 29, 2009

OWASP AppSec Europe Videos Posted

Videos from OWASP AppSec Europe 2009 are now available at

Labels: ,

Thursday, June 25, 2009

OWASP APPSEC BRASIL 2009 Call For Training



OWASP is currently soliciting training proposals for the OWASP AppSec Brazil 2009 Conference which will take place at Câmara dos Deputados (Deputy Chamber) in Brasília, DF, on October 27th through October 30th 2009. There will be training courses on October 27th and 28th followed by plenary sessions on the 29th and 30th with one single track per day. The conference will be organized and supported by the TI-Controle Community ( and the Deputy Chamber (

We are seeking training proposals on the following topics (in no
particular order):
- Application Threat Modeling
- Business Risks with Application Security
- Hands-on Source Code Review
- Metrics for Application Security
- OWASP Tools and Projects
- Privacy Concerns with Applications and Data Storage
- Secure Coding Practices (J2EE/.NET)
- Starting and Managing Secure Development Lifecycle Programs
- Technology specific presentations on security such as AJAX, XML, etc
- Web Application Security countermeasures
- Web Application Security Testing
- Web Services-, XML- and Application Security
- Anything else relating to OWASP and Application Security

Proposals on topics not listed above but related to the conference
(i.e. which are related to Application Security) may also be accepted.

There may be 1 or 2-day courses. The proposals must respect the
restrictions of the OWASP Speaker Agreement. The conference sponsors
will provide lodging and domestic (within Brazil) air travel for one
presenter per course, no other compensation is available. If you
require a different arrangement, please contact the conference
organization team at the email address bellow.

**Important Dates:**
Submission deadline is July 11th 2009 at 11:59 PM (UTC/GMT -3).
Notification of acceptance is August 7th 2009.
Final version is due September 5th 2009.

To make a proposal, please fill the form
( and
send it by email to appsec.brasil (at)

For more information, please see the following web pages:

Please forward to all interested practitioners and colleagues.

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046

Skype: kate.hartmann1

Monday, June 22, 2009

OWASP JBroFuzz Version 1.4 Release‎d

The OWASP JBroFuzz Project is a web application fuzzer for requests being made over HTTP and/or HTTPS. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities.

OWASP AppSec Research 2010

In exactly one year -- June 21-24, 2010 -- we'll all meet in beautiful Stockholm, Sweden. OWASP Sweden, Norway, and Denmark hereby invite you to OWASP AppSec Research 2010.

AppSec Research = AppSec Europe

This conference was formerly known as OWASP AppSec Europe. We have added 'Research' to highlight that we invite both industry and academia. All the regular AppSec Europe visitors and topics are welcome along with contributions from universities and research institutes.

This is the European conference for anyone interested in or working with application security. Co-host is the Department of Computer and Systems Science at Stockholm University, offering a great venue in the fabulous Aula Magna.

Countdown Challenges -- Free Tickets to Win!

There will be a challenge posted on the conference wiki page the 21st every month up until the event. The winner will get free entrance to the conference. What are you waiting for? The first challenge is posted. Go, go, go --

Call for Papers and Proposals

We offer two options:

1. Full papers. Peer-reviewed 12 page papers that will be published in formal proceedings by Springer-Verlag Lecture Notes in Computer Science (final approval pending).

2. Presentation proposals. A presentation proposal should consist of a 2-page position paper representing the essential matter proposed by the speaker(s). Proposals must include sufficient material for the reviewers to make an informed decision.

Topics of Interest

We encourage the publication and presentation of new tools, new methods, empirical data, novel ideas, and lessons learned in the following areas:

• Web application security

• Security aspects of new/emerging web technologies/paradigms (mashups, web 2.0, offline support, etc)

• Security in web services, REST, and service oriented architectures

• Security in cloud-based services

• Security of frameworks (Struts, Spring, ASP.Net MVC etc)

• New security features in platforms or languages

• Next-generation browser security

• Security for the mobile web

• Secure application development (methods, processes etc)

• Threat modeling of applications

• Vulnerability analysis (code review, pentest, static analysis etc)

• Countermeasures for application vulnerabilities

• Metrics for application security

• Application security awareness and education

Submission Deadline and Instructions

Submission deadline is Sunday February 7th 23:59 (Apia, Samoa time). Submissions should be at most 12 pages long in the Springer LNCS style for "Proceedings and Other Multiauthor Volumes". Templates for preparing papers in this style for LaTeX, Word, etc can be downloaded from: Full papers must be submitted in a form suitable for anonymous review: remove author names and affiliations from the title page, and avoid explicit self-referencing in the text.

Program Committee

• John Wilander, Omegapoint and Linköping University (chair)

• Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)

• Andrei Sabelfeld, Chalmers UT

• Engin Kirda, Institute Eurecom

• Lieven Desmet, Katholieke Universiteit Leuven

• Martin Johns, University of Passau

• Christoph Kern, Google

• Sergio Maffeis, Imperial College London

Organizing Committee

• John Wilander, chapter leader Sweden (chair)

• Mattias Bergling (vice chair)

• Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)

• Ulf Munkedal, chapter leader Denmark

• Kåre Presttun, chapter leader Norway

• Stefan Pettersson (sponsoring coordinator)

• Carl-Johan Bostorp (schedule and event coordinator)

• Martin Holst Swende (coffee/lunch/dinner)

• Kate Hartmann, OWASP

• Sebastien Deleersnyder, OWASP Board

Welcome to Stockholm next year!

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046
Skype: kate.hartmann1

Wednesday, June 17, 2009

OWASP Project Assessment Criteria v2.0

For more information, see


OWASP created the project assessment criteria to define the quality levels for OWASP Projects with the purpose of evaluating all OWASP projects. The overall goal was to ensure that consistent quality levels are maintained by OWASP projects. This benefits both the external audience and those working on projects. The criteria allows the external audience to determine the quality of any OWASP project they are considering. For project members, it provides a method to measure the quality of their project in relation to other OWASP projects. Additionally, the criteria allows for excellent contributions to be recognized and projects which need further work to be identified.

Currently, OWASP projects fall into three primary categories:

  • Tools
  • Documents
  • Activities and Research

The Tools and Documents categories are easily understood. The Activities and Research category is less obvious and is used for projects which either have multiple sub-projects or have project releases which fall into both the tools and documents category. Thus, Activities and Research can be used for parent projects that cover multiple smaller sub-projects. Some examples will make this clearer:

    • Java
    • .Net
    • PHP
    • ...
  • OWASP Guides
    • Testing Guide
    • Development Guide
    • Code Review Guide
    • ASDR (Application Security Desk Reference)
  • OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp

All existing projects and their current ratings are here. Any new OWASP project and its releases will be assessed based on the criteria below as well as any new Season of Code project. The goal is to eventually have all OWASP projects and releases, past and future, assessed under a version of this criteria. The initial set of assessment criteria was created for the OWASP Summer of Code 2008 and was designated version 1.0. The current version below was derived from version 1.0 and is version 2.0. Labelling any new criteria with a version number allows for graceful transitions to occur should any criteria change.

Assessing a project

Any OWASP project will consist of two critical pieces:

  • the project's health
  • one or more project releases

Each of these pieces will be have different methods with which they are reviewed.

People and Projects

Depending on the size and scope of a project, the roles below may be done by separate parties or a single individual may take on multiple roles. Roles vary in their level on involvement with the project, the areas of involvement, their lifespan with a project, etc.

  • Project Leader
  • Project Maintainer
  • Project Contributor
  • Project Reviewer
  • Project Mentor

Each role will be described in the next revision of this document --Mtesauro 16:09, 4 May 2009 (UTC)

OWASP Season of Code 2009

Please visit for more information.


    • Deadline for project release applications: TBD


OWASP is now launching its Season of Code 2009 (OWASP SoC 09) with a provisional budget US$90,000, following the previous OWASP Summer of Code 2008, in which 33 projects were approved and a budget of more than US$125,000 have been made available, the OWASP Spring of Code 2007 (SpoC 07), in which 21 projects were sponsored with a budget of US$117,500, and the OWASP Autumn of Code 2006 (AoC 06), in which 9 projects were sponsored with a budget of US$20,000. The OWASP SoC 2009 is an OWASP grant program to encourage participants/developers to work together on OWASP (and web security) related projects.

Strategic Focus

OWASP SoC 2009 introduces a shift in grant structure from previous Seasons of Code. Going forward, we would like to see Season of Code grants used towards operating expenses. The driving idea behind this shift is that OWASP, as an organization, has plenty of technical talent and knowledge. As a result, our money is best spent on things that we cannot already do right now as an organization. These expenses include things like marketing our best projects, printing promotional samples of our best OWASP documents, graphic design, travel expenses to hold mini-summits, etc.

With this goal in mind, all project proposals should include a budget detailing how much money the team is expecting (up to 20k) and how they plan on using those funds. While all projects will be reviewed by the SoC Jury, preference will be given to projects that use the funds for expenses incurred outside of the OWASP community. The SoC Jury will provide feedback on proposals whose allocations and costs are deemed to be too high.

Although we welcome any project proposals (from improving Quality of existing OWASP projects to new innovative research), the areas below will be preferred:

  1. OWASP Education Pack - (Education Committee)
  2. Enterprise usability of OWASP projects - (Projects Committee)
  3. Additional Sources of Funding - (Membership & Chapters Committee)
  4. Marketing & PR - (Industry & Conferences Committee)

In particular, any projects that wishes to participate in the current SoC with the goal of improving their project quality is welcome to submit an application. Several project leaders have already indicated that they would like to do this even without SoC grant funds. For proposals that do not request SoC grant funds, we will do our best to offer alternative rewards in the form of project promotion (recognition, featured placement on the OWASP website, speaking slots to highlight projects at OWASP conferences, etc).

  • On the allocated projects areas the respective committee, above pointed out, will be involved on the application selection and will act as the 2nd reviewer accordingly with the OWASP Assessment Criteria V2.
  • The OWASP SoC 2009 is also an opportunity for external individual or company sponsors to challenge the participants/developers to work in areas in which they are willing to invest additional funding - see OWASP Season of Code Sponsorship for further information.


  • The only requirement is that the candidate(s) show the potential to accomplish the project release's objectives/deliveries and the commitment to dedicate the time required to complete it within the SoC deadlines.
  • Current active OWASP Project Contributors (including Project leaders) are encouraged to apply.
  • No member of the OWASP board or OWASP Global Projects Committee is allowed to apply for a OWASP SoC 09 sponsorship.
  • There are no any other restrictions on who can apply for a OWASP SoC 09 sponsorship.


  • Ideas to work can be chosen from:
  • To submit an application to develop a project release you have to copy this this form and to publish it here.
    • Please see also OWASP SoC 08, OWASP SpoC 07 and OWASP AoC 06 for contents to be included in the Application.
    • Note that no sensitive personal details should be posted in that page, i.e., full name, postal address, email, and so on.
  • Once your application is published on the WIKI, send an email to Global Projects Committee with the following details:
    • Project and release names;
    • Contact details, i.e., full name, postal address and email.
  • The Global Projects Committee can be contacted for further discussion on issues related to OWASP SoC 09 applications, i.e., project ideas, review of draft applications, etc..


  • 13th May – OWASP SoC 09 is pre launched at OWASP AppSec Europe 2009 - Poland!
  • TBD - OWASP SoC 09 is officially launched. Start date for submitting applications.
  • TBD - Deadline for project release applications.
  • TBD – Publishing of selected applications and start of OWASP SoC 09 project releases.
  • TBD - Participants to report on project status - 50% mark.
  • TBD - Project completion. Participants should deliver final project release report.


The OWASP SoC 09 jury is constituted by the OWASP Board Members (Jeff Williams, Dave Wichers, Tom Brennan, Sebastien Deleersnyder and Dinis Cruz) plus respective Committee representative.


  • The participant must create a roadmap for the project release that includes technical requirements, functional requirements, and quality requirements. Preference will be given to proposals that use the existing OWASP Beta and Stable requirements for quality supplemented with their own technical and functional requirements.
  • If requesting SoC grant funds, the participant must include a budget of anticipated expenses.
  • There are two methods to select OWASP SoC 09 project releases:
    • By direct majority vote by the Jury;
    • By selection rating using the criteria defined below.
      • Each project release will receive a rating from 1 to 5 on the following categories by each Jury. The final result will be the total value.
        • On the Project Release:
          • Complete status - What will be the final Completeness State? (According with the OWASP Assessment Criteria v2.0)
          • Complexity - What is the project release Complexity and Size?
          • Member Value - How big is the potential added value to OWASP Members?
          • Brand Value - How big is the potential added value to the OWASP Brand?
        • On the Candidate:
          • Past Work - Value of past contributions to OWASP Projects;
          • Deliverability - Proven capability to deliver;
          • Quality of Proposal - Global quality of the proposal submitted.


  • Proposals are submitted using online form (with all details publicly posted).
  • The participant should propose one reviewer (for details on the proposed reviewer responsibilities, see TDB see {assessment criteria reviewer role link}).
  • Each and every project release should have its SoC Project Release page always completely updated with all information regarding the project release status.
  • The SoC Project Release's final deliveries will be evaluated by the assigned reviewers. However, the Jury will provide final oversight.
  • Invoicing of expenses can be done directly through Alison, our OWASP accountant. Grants amounts will be approved by the SoC Jury. Participants are expected to stay reasonably close to their line item budgets; significant deviations or re-allocations from individual line items will be approved by the respective Global Committee managing the project so long as the deviation does not result in the costs exceeding the original grant amount. Any costs above and beyond the original grant amount must be approved by the SoC Jury.


  • By taking part on OWASP SoC 09, the participant will authorize OWASP to host and advertise without any limitations his participation and all related contents including proposal and all deliveries.
  • All tools, documentation, or any other materials whatsoever, created by the participants within OWASP SoC 09 context must be released under an Open Source Initiative approved license. However, the participant may mirror development on her/his personal infrastructure at her/his option.
  • Participants and OWASP is free to use the results, including code, of the SoC's 09 code in any way they choose provided it is not in conflict with the license under which the code was developed.
  • Any situation arising not included in the above mentioned set of rules will be decided according to the discretionary judgement of OWASP Board.


  • The initial Budget for SoC 09 will be US$90,000, and it is funded by OWASP.
  • In parallel with the Request for Proposals, OWASP is also launching a sponsorship drive in which sponsors will have the option to choose which project releases they would like to support.
  • The funds available will be allocated to select project releases. However, strong proposals will be accepted by majority vote of the OWASP Board before the final application selection. Remaining budget will be allocated to remaining applications.
  • Note: The referred budget allocation is just a guideline and the final values will be adjusted based on the successful proposals.

OWASP New Zealand Day July 2009

Please visit for more information.


Welcome to the OWASP New Zealand for 2009, the first all day security conference dedicated to web application security in New Zealand.

Conference Venue

The University of Auckland Business School
Owen G Glenn Building
Room: OGGB 260-073 (OGGB4)
Address: 12 Grafton Road
New Zealand

Image:Auckland_business_school_small2.jpg Image:Room_hall.jpg


You are invited to attend to the OWASP Day conference at no charge (Free as in beer). However to ensure an orderly, well run event we require that all attendees register before the registration close off date (20th June 2009). At this time there will be no plan to allow "on the day registration", so register now to reserve your place.

To register at the conference, please click the registration button below:



The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:

  • OWASP Project Presentation (i.e Tool Updates/Project Status etc)
  • Threat modelling of web applications
  • Privacy Concerns with Applications and Data Storage
  • Vulnerability analysis of web applications (code review, pentest, static analysis, scanning)
  • Baseline or Metrics for Application Security
  • Countermeasures for web application vulnerabilities
  • Web application security
  • Platform or language (e.g. Java, .NET) security features that help secure web applications
  • Secure application development
  • How to use databases securely in web applications
  • Security of Service Oriented Architectures
  • Access control in web applications
  • Web services security
  • Browser security

Conference structure and schedule

OWASP New Zealand Day 2009 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes.

It will be structured in two parallel streams. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors.

The detailed agenda of the conference will be available on the web site before the event.