Thursday, November 19, 2009

ESAPI For PHP Project - call for help

The ESAPI for PHP project is always on the lookout for volunteers who are interested in contributing developer cycles. Right now, we’re looking for volunteers to help port ESAPI for Java EE version 1.4 to PHP version 5.2. Here’s what you’ll need to do, if you are interested.

Step 1: Subscribe to the ESAPI for PHP mail list

The first step is to subscribe to the ESAPI for PHP mail list. This is a separate mail list from the main ESAPI mail list. You can subscribe to the ESAPI for PHP mail list here.

Step 2: Ask Mike for an assignment
The next step is to email Mike to introduce yourself and to ask for an assignment. “Mike” is Mike Boberski, the project manager for ESAPI for PHP. You can email Mike here.

Step 3: Provide Mike with your Google Account ID
The next step is to email Mike with your Google Account name. If you don’t have a Google Account, you’ll need one. ESAPI for PHP source code and documentation is hosted on Google Code here.

Step 4: Check out the latest project source code
The next step is to obtain the SVN client of your choice (such as TortoiseSVN) and point it at the project repository here.

Step 5: Check out the ESAPI for Java source code
The next step is to obtain the ESAPI for Java EE version 1.4 baseline, again using SVN. The ESAPI for Java EE version 1.4 baseline is here.

Step 6: Start coding!
The next step is to get to work! Thank you again for contributing your valuable developer cycles; we recognize and appreciate the value of your time. More details about the approach that we’re using can be found on the other side of this datasheet.

Step 7: Email the list with any questions
If in doubt, email the list with any questions or concerns as you work on the code. Please be patient if you don’t get a response right away. The development team that is working on ESAPI for PHP literally spans the globe, so depending on your location and on whoever may have insight into a particular item, there may be a delay.

Step 8: Email the list weekly with your status
Mike sends out a project status email once a week. An archive of weekly status emails can be found here. Please email the ESAPI for PHP mail list with a brief summary of what you worked on during the past week, what you plan to work on next, and any issues or requests for assistance. Please try to email your status by COB Thursday Eastern time (Mike is located in the greater Washington DC area).

The ESAPI for Java EE is “the” design

Basically, we’re going interface by interface, class by class, line by line through the ESAPI for Java EE code and translating Java language constructs into PHP version 5.2 statements. The only differences between the two code bases should be language-specific differences. In certain instances, however, a solution that is unique to PHP may be required. For example, the ESAPI for PHP configuration file is an XML file, compared to the Java version’s properties file.

In such instances, please email the list with your proposal BEFORE continuing on. Basically, you need to get Mike’s OK, after making sure to follow any guidance or technical direction provided by Andrew. In addition to managing tasking, Mike reviews code and tests to ensure quality and consistency, and watches for the introduction of any new dependencies. “Andrew” is Andrew van der Stock, the technical lead and the overall project lead. You can email Andrew here.

Check this checklist, before you check in code
Please make sure to run through this checklist BEFORE you commit code:
  1. You have created tests for your new or updated code in /test
  2. You have run /test/AllTests.php and have verified that your tests all run successfully
  3. You have run /test/AllTests.php and have verified that your new code hasn’t broken any existing code
  4. You have updated the phpdoc to match the ESAPI for Java EE javadoc, and added yourself to the attributions

Please make sure to run through this checklist AFTER you commit code:
  1. You have emailed the ESAPI for PHP mail list to let them know what code has been checked in, and what the new or modified code is or does.

Wednesday, November 18, 2009

OWASP Top 10 - 2010 rc1 Released!!

Authored by Dave Wichers - 11/13/2009

Today, I gave my presentation on the new Top 10 at the OWASP AppSec DC Conference and officially released the 2010 release candidate.

I have uploaded both the presentation and the Top 10 itself to the OWASP wiki. The presentation is in .pptx format, and the Top 10 is a PDF document.

They can both be found at the top of the Top 10 project page:

Since this is a release candidate, it is up for open comment until the end of the year. So, please review and provide me with comments.

And the Top 10 for 2010 (rc1) is …

A1: Injection
A2: Cross Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Unvalidated Redirects and Forwards
A9: Insecure Cryptographic Storage
A10: Insufficient Transport Layer Protection

Thanks, Dave
Dave Wichers

OWASP Top 10 Lead


OWASP Orizon 2.0 update

As you may know, next June 2010, during the OWASP AppSec EU in Stockholm, we will release Orizon 2.0.

The main goal is to provide a tool usable by security experts (or developers with hacking attitudes as well) and as powerful as findbugs is in the open-source marketplace.

To achieve this, we need to work hard and improve the tool.

To increase collaboration, I will publish a slideshow every month describing where we started, where we are going and what we have done since last month. So I think we will be quite motivated.

I will update the wiki pages on the site and on the blog according to this resolution.

This is the first update:

I'm looking forward to hearing from you.



OWASP Board - Election Results

On behalf of the membership committee and the OWASP community, I am pleased to announce that the results for the 2009 OWASP Board Election are in! The election was open to OWASP members and was conducted through an online voting system. Eligible voters were provided a 7-day window to cast their vote to elect 2 new members to the OWASP board. This election brings the total number of board members to 7.

The results are as follows:

OWASP 2009 New Board Members Election

Total 472 responses (236 responders x 2 candidates/responder)

  • Eoin Keary 31.99% - (151 votes)
  • Matt Tesauro 30.72% - (145 votes)
  • Pravir Chandra 24.79% - (117 votes)
  • Kuai Hinojosa 12.50% - (59 votes)

The new OWASP Board is:
  • Jeff Williams
  • Dinis Cruz
  • Dave Wichers
  • Tom Brennan
  • Sebastien Deleersnyder
  • Eoin Keary
  • Matt Tesauro

Complete information on the candidates and the election process can be found here:

Please join me in supporting our Board!

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046
Skype: kate.hartmann1