I am happy to be able to send out the December 2010 OWASP Newsletter! http://www.owasp.org/index.php/Category:OWASP_Newsletter#tab=Newsletters
Thank you to our editor, Lorna Alamri, MN Chapter co-leader, AppSec US 2011 organizer, Summit 2011 organizer, Industry Committee member, and global contributor.
Wednesday, December 29, 2010
I am happy to be able to send out the December 2010 OWASP Newsletter! http://www.owasp.org/index.php/Category:OWASP_Newsletter#tab=Newsletters
Wednesday, December 15, 2010
Can you believe the OWASP concept is approaching 10 years old?!!
It's those little things like volunteering your time, insight expertise and membership to a professional organization that make the bigger things possible and effect the mission. In growing a community, being taken seriously as a body, having citations from around the world, employees, administrative costs and even having the ability to allocate 50k in funds to put towards a global summit in 2011 is progress.
But no matter how many hours volunteered to it (OWASP), to be recognized as a "member" in 2011 starts with agreement to the principals and donation of $50usd as a member. While everything is free at OWASP this "designation" comes with a privilege that others don't get, that is the ability to support or effect change with a collective consensus of his/her peers and a vote.
Since 2002 I have personally experienced a variety of perspectives:
-Outsider looking for resources
-Active Committee Member
-Member of a Supporting Sponsor(s)
In each role the perception of the of OWASP is different at the 2011 summit I hope to unify this important membership topic and I hope you will join us for the discussion. It's worth my $50 bucks per year.
*For persons going to the summit as a example if they have not paid there $50 individual membership fee... Please complete this transaction as a prerequisite. This includes everyone from the board members to the newest member of this mailing list.
Not going to the summit but running a local chapter, do you lead by example with membership?
The current memberlist:
How/where do you join?
FAQ: If my company(5k) or university($0) is a supporter does this make me a member? Answer: No - however some have called it "associated member/lite member" as in associated with the supporting company however note, this has no voting right in the association.
Support the mission, change the world.
(from Eric Sheridan)
It is with great pride that I announce the release of OWASP CSRFGuard 184.108.40.2066 (ALPHA)! This is a development release of the v3 series that is in need of peer review, testing, and general feedback in preparation for BETA. There are several significant new features that are in need of testing in the enterprise development environments. Please contact me for support if you are interested in testing the latest release. Of course, I am always open to questions, comments, or feature requests!
Please check out the project home page (http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project) and User Manual (http://www.owasp.org/index.php/CSRFGuard_3_User_Manual) for more information about how to install, configure, and deploy the OWASP CSRFGuard library.
OWASP CSRFGuard has been completely rewritten to address the various feature requests and bug fixes submitted to me over the past couple years. No longer will CSRFGuard be referred to as just a "reference implementation". By addressing the performance and scalability issues plaguing older releases, OWASP CSRFGuard v3 is intended to serve as the de-facto standard prevention mechanism against CSRF attacks for JavaEE web applications. The following is a bulleted summary of the significant changes associated with the v3 release:
- OWASP CSRFGuard is now available under the much more liberal BSD license
- Owasp.CsrfGuard.properties file can be loaded from classpath, web context directory, or current directory
- Developers can implement a custom logger to be consumed by the library
- Experimental support for the rotation of CSRF tokens once the previous token is expired
- Experimental support for creating and verifying unique CSRF tokens per page
- Configurable actions including Log, Invalidate, Redirect, Forward, RequestAttribute, and SessionAttribute
- Unprotected pages can be captured using same syntax used by the JavaEE container in web.xml
- Library no longer intercepts HTTP responses produced by the web application
- Developers can manually inject CSRF prevention tokens using the JSP tag library
- Tokens are only injected into HTML elements that submit requests to the current origin (planned for XHR)
Please check out the following resources for more information regarding recent project updates:
User Manual - http://www.owasp.org/index.php/CSRFGuard_3_User_Manual
Code Repository - http://code.google.com/p/owaspcsrfguard/
Tuesday, December 7, 2010
(From Jeff Williams)
In my mind, OWASP 1.0 was pre-wiki with lots of great work and a less great infrastructure. OWASP 2.0 was establishing the 501c3, putting in the wiki, and getting lots of great projects started. OWASP 3.0 started with the Summit in Portugal when we created the new committees and has focused on creating thriving projects instead of standalone tools. Thank you for all of your efforts growing a fun, civil, productive community.
I reach out to you now to ask you to take some time and think about what OWASP should become. The time has come to measure our success not by the number of members, projects, and conferences, but by whether we are succeeding at making the world’s software more secure. It’s time to get our message and strategy to the next level.
HELP DESIGN OWASP 4.0 IN PORTUGAL AT THE SUMMIT!
If you consider yourself an OWASP Leader, won’t you take a few minutes of quiet time and propose a few ideas for how OWASP can retool, reorganize, refocus, and revamp itself to really achieve our mission? We will rip, mix, and burn these ideas into a new strategy for OWASP at the Portugal Summit. I encourage you to check out the resort and all the plans happening right now at http://www.owasp.org/index.php/Summit_2011.
Here are some ideas to get you started.
- We bootstrap several application security ecosystems around key technologies like mobile, cloud, REST
- We reach out to governments around the world to help them push for application security
- We raise money to fund real security enhancements to tools, browsers, protocols (e.g. OpenSSL)
- We make the OWASP materials more usable by providing a “user” site and keep the wiki for development
- We invest in marketing AppSec – How do we scale David Rice and the “greening” of AppSec
- We continue our education initiative – academies, college chapters, videos, curriculum
- We continue our browser initiative and do whatever it takes to get the browsers and frameworks talking
- We invest in getting in front of new technologies like HTML5
- We launch a no-holds barred XSS eradication campaign
- We create a set of objective AppSec *market* metrics that quantify the state of our art
- We continue to push on creating standards
We need your ideas NOW. Get yourself on the list!
In one week of thinking, arguing, coding, hacking, and writing we are going to accomplish more than the rest of the world’s appsec efforts combined. We’ll see you in Portugal ready to rock. Thanks!
Thursday, December 2, 2010
In the context of the effort we are making to stabilize and consolidate an OWASP Training model that can be used as a powerful tool to spread OWASP’s knowledge and message, OWASP is looking for trainers to deliver training under the flag “OWASP projects and resources you can use today”. This is a model of training which is free for OWASP members, delivered by OWASP Leaders (with only travel expenses paid) and covering OWASP modules and/or projects.
If you are an OWASP Leader and would like to be included in OWASP's pool of trainers, this is your chance - add your name and info to the OWASP Trainers Database and be counted!
We are looking forward to seeing your names online!
Monday, November 1, 2010
Here's a basic overview of the CSP process:
- Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use.
CSP Enabled Browsers
Content Security Policy is currently supported in Firefox 4. Although CSP is currently supported in only one browser, there are still many reasons to provide CSP support within a website. CSP will provide an added layer of protection to all web site users with a CSP enabled browser. In addition, CSP enabled browsers will also provide violation reporting feedback back to the web site owners in the event an XSS attack is somehow injected into the page. Finally, if CSP is well received then the intent is to formalize this into a standard and push for adoption within other browsers.
- Spec: https://wiki.mozilla.org/Security/CSP/Specification
- Developer CSP Link: https://developer.mozilla.org/en/Introducing_Content_Security_Policy
- W3C Web App Security Working Group - CSP Link: http://www.w3.org/2010/07/appsecwg-charter#deliverables
- Mozilla Blog Post on CSP: http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/
- Sample Policy Definitions : https://wiki.mozilla.org/Security/CSP/Specification#Sample_Policy_Definitions
- Notes from one of the CSP creators (Brandon Sterne) : http://people.mozilla.com/~bsterne/content-security-policy/
Michael Coates (@_mwc) & Brandon Sterne (@bsterne)
Monday, October 25, 2010
We have a great schedule (http://schedule.appsecdc.org) this year with 4 tracks of amazing talks and a selection of great training classes at rock bottom prices. Register now at http://reg.appsecdc.org Highlights will include keynotes from Neal Ziring of the Information Assurance Directorate of the National Security Agency (NSA) and Ron Ross of the National Institute of Standards and Technology (NIST), panel discussions of federal CISOs on their experiences with implementing application security, 50 plenary presentations by leading personalities in the field of web application security.
Also this year, AppSec DC has partnered with entities within the Department of Homeland Security, the Department of Defense, the National Institute of Standards and Technology, the National Security Agency, and other government agencies who will be contributing content focusing on Software Assurance and the role that that plays in areas such as protecting Critical Infrastructure or Supply Chain Risk Management.
In addition to two days of great speaking content, a track by the federal government, keynotes and panels, AppSec DC will also provide two days of world class training on applications security from a variety of vendors at a fraction of the cost found at other events. Training courses include:
- Assessing and Exploiting Web Applications with Samurai-WTF
- Leading the AppSec Initative
- Remote Testing for Common Web Application Security Threats
- Software Security Best Practices
Single Day Courses ($745)
- WebAppSec.php: Developing Secure Web Applications
- The Art of Exploiting SQL Injections
- Java Security Overview
- Software Security Remediation: How to Fix Application Vulnerabilities
- Threat Modeling Express
More information can be found at http://wiki.appsecdc.org. Come join us for what is shaping up to be another amazing conference this year!
The AppSec DC Team
Sunday, October 17, 2010
OWASP NYC Chapter Meeting
When: November 2nd 6:00pm - 9:00pm
Where: 345 Park Ave, NY, NY
Topics will include:
-Memory Corruption, Exploitation, and You, Dino Dai Zovi
-Escaping the Sandbox, Stephen Ridley
-Much Ado about Randomness, Aleksandr Yampolskiy
-Groundspeed: Manipulating Web Application Interfaces, Felipe Moreno
RSVP is required by building security, limited seats: http://www.owasp.org/index.php/NYNJMetro
OWASP NYC Metro Holiday Security Party
December 9th - 6:30 - 10:30pm
Where: STOUT 133 West 33rd Street, NY, NY 10001
When: Thursday, December 9th 2010 6:30pm - 10:30pm
Cost: $40.00 per person include food, drinks and fun!
Limited Capacity get your tickets early - 250 People
RSVP and for more information on these events events visit: http://www.owasp.org/index.php/NYNJMetro#tab=2010_Holiday_Party
Who attendees these events?
Application Testers and Quality Assurance
Application Project Management and Staff
Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
Security Managers and Staff
Executives, Managers, and Staff Responsible for IT Security Governance
IT Professionals Interesting in Improving IT Security
Anyone interested in learning about or promoting Web Application Security
More information about membership http://www.owasp.org/index.php/Membership
OWASP NYC Metro Chapter President
OWASP Foundation Board Member
Saturday, October 16, 2010
AppSec DC is back as the premier web application security conference on the east coast! AppSec DC will take place at the Walter E. Washington Convention Center in Washington DC on November 8-11. Training will be on the 8th and 9th, talks will be on the 10th and 11th. The partner hotel is the Grand Hyatt again this year but rooms are going fast!
AppSec DC brings some of the leading minds in web application security to Washington DC for two days of talks on a wide variety of topics, including cutting edge presentations and panel discussions with leaders in the Federal, finance, and security research arenas and a variety of world class training at a fraction of the cost of other providers. Highlights will include keynotes from Neal Ziring of the Information Assurance Directorate of the National Security Agency (NSA) and Ron Ross of the National Institute of Standards and Technology (NIST), panel discussions of federal CISOs on their experiences with implementing application security, invaluable interaction and networking with attendees and presenters, a custom-made capture the flag contest by members of OWASP DC, and many of the best talks available by leading personalities in the field of web application security. Oh, and rockets.
For more information visit the OWASP wiki at http://www.owasp.org/index.php/OWASP_AppSec_DC_2010or the AppSec DC website at http://appsecdc.org
Look forward to seeing you there!
OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
AppSec DC 2010 Organizer - https://www.appsecdc.org
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
Friday, October 8, 2010
Please follow the attached link to get the latest news from your OWASP Community: http://www.owasp.org/index.php/Category:OWASP_Newsletter#tab=Newsletters
Special thanks to Lorna Alamri – editor and creator of this newsletter, and to all our international translators who make this available in many languages.
Wednesday, September 29, 2010
- Secure application development
- Security of service oriented architectures
- Security of development frameworks
- Threat modelling of web applications
- Cloud computing security
- Web applications vulnerabilities and analysis (code review, pen-test, static analysis etc.)
- Metrics for application security
- Countermeasures for web application vulnerabilities
- Secure coding techniques
- Platform or language security features that help secure web applications
- Secure database usage in web applications • Access control in web applications
- Web services security
- Browser security
- Privacy in web applications
- Standards, certifications and security evaluation criteria for web applications • Application security awareness and education
- Security for the mobile web
- Attacks and Vulnerability Exploitation
Monday, September 20, 2010
We are looking for a venue for the Global Summit to be scheduled for four days sometime between January 15th, 2011 and February 15th, 2011. The Global Summit committee is requesting proposals from OWASP Leaders for venues. We will need your proposal by the October 4th. Proposal can be in rough draft format with estimated pricing, we just need to know who is interested in helping to put together the Global Summit to be held this coming January/or February and rough estimates of pricing for a particular location.
We are also looking for more volunteers to help with planning for the event so please respond if interested.
Key organizer in close contact with venue.
30- 100 people
$2000 USD/ per person to include facility, lodging, food, beer and transport to and from location. (This should be an all-inclusive cost per person, with the assumption that OWASP members will room together 2-4 depending on number of beds in room/apartment)
Will be scheduled between Jan 15th and Feb 15th
3-6 meeting rooms
1 large meeting room to hold all attendees (estimate for 75-100) e.g. auditorium.
Lodging should be part of conference facilities or within walking distance of venue.
Internet - what is bandwidth available?
Must be sufficient for a group used to high bandwidth.
To be shared by attendees - need to understand how many attendees to a room/suite/apartment. Apartments preferred. 4-5 star hotel acceptable.
Local Food supplier which has been pre-negotiated with hotel.
Venue must be within 50 km's max from International airport.
We'd love to bring the OWASP Summit to your city so please consider putting together a proposal.
OWASP Global Summit 2011 Planning Committee
Tuesday, August 31, 2010
Saturday, August 28, 2010
- Several fixes to SecurityWrapperRequest.
- Overhauled Singleton implementations to make the ObjFactory create instances or singletons rather than having ESAPI manage unreliably.
- Changes to get rid of deprecated Encryptor encrypt() / decrypt() methods and replace them with the new, stronger encrypt() / decrypt() methods.
- Several Validation fixes around returning consistent error states.
- Made changes t0 the Encryptor so that it is no longer vulnerable to "padding oracle attacks" (issue #120)
- Fixes to seal() so that it now properly works if the message being sealed contains a ":" (issue #28).
- Examples should now work (if you follow directions in README.txt)
whether ESAPI has been pulled from the SVN repository or downloaded
from the zip file. (Issue #114.)
I wanted to announce the availability of the OWASP ModSecurity CRS v2.0.8.
Download page - http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Download
You can also use the util/rules-updater.pl script to auto-download the latest ZIP archive (see the rules-updater-example.conf file for Repo data).
We have integrated the new CRS into the Demo page to help facilitate community testing -
Version 2.0.8 - 08/27/2010
- Updated the PHPIDS filters
- Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..)
- Updated the SQL Injection filters to account for different quotes
- Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file
- Added Rule ID 950109 to detect multiple URL encodings
- Added two experimental rules to detect anomalous use of special characters
- Fixed Encoding Detection RegEx (950107 and 950108)
- Fixed rules-updater.pl script to better handle whitespace
- Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf
- Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file
- Updated XSS rule id 958001 to improve the .cookie regex to reduce false postives
OWASP ModSecurity Core Rule Set Project Leader
Monday, August 23, 2010
We're proud to announce that the OWASP's AppSec Brazil 2010 Conference registrations' are officially open!
Early bird offers are available! Hurry up!
This year we'll have keynotes by Robert 'Rsnake' Hansen and Jeremiah Grossman and Samy Kamkar as a Special Speaker!
Registrations are available here: http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Registration
All info about the event can be found at: http://www.appsecbrasil.org
If you have any doubt please contact us at organizacao2010 (at) appsecbrasil.org
See you there!
Thursday, August 19, 2010
- Application Developers
- Application Testers and Quality Assurance
- Application Project Management and Staff
- Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
- Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
- Security Managers and Staff
- Executives, Managers, and Staff Responsible for IT Security Governance
- IT Professionals Interesting in Improving IT Security
As always, if you have any questions, please feel free to contact me. Kate.email@example.com
September 7-10 AppSec US - Irvine, CA (training available)
September 17th, AppSec Ireland - Dublin, Ireland (training available)
October 20th, AppSec Germany – Nurnberg, Germany
October 20-21, Rochester Security Summit – Rochester, NY
October 20-23, OWASP China Summit 2010 – Beijing, China
October 29th , LASCON – Austin, TX
November 8-11, AppSec DC 2010 – Washington, DC (training available)
November 16-19, AppSec Brazil – Campinas, SP, Brazil (training available)
November 25-26, IBWAS – Portugal (training available)
Tuesday, August 10, 2010
The agenda has been finalized for the OWASP Ireland event. We have the pleasure to announce a number of key figures from industry which should provide some unique insight into the latest trends, threats and methodologies in the world of application security.
John Viega: “Application Security in the Real World” - Considerations for AppSec in non-security companies.
Professor Fred Piper "The changing face of cryptography"
Damian Gordon Phd: “Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"
We also have some great international and local speakers covering topics from Smart phone application security to SDLC to Penetration testing techniques:
- Dan Cornell ("Smart Phones with Dumb Apps")
- Ryan Berg ("Path to a Secure Application")
- Dr Marian Ventunaec ("Testing the Enterprise E-mail Security - from Software to Cloud-based Services")
- Fred Donovan and (“Counter Intelligence as Defense……”)
- Nick Coblentz (“Microsoft's Security Development Lifecycle……”)
“Secure Application Development: Writing secure code (and testing it)”
AppSec DC: CFP Round Two:
AppSec DC 2010 is the East Coast's premiere Information Security Conference for 2010.
**AppSec DC has added a second round for CFP until August 31st, so there is still time to get submissions in for our CFP!**
Building on the success of last year's AppSec DC 2009, the AppSec DC team is working to further the OWASP conference mission of hosting the best minds in application security in a forum to share innovations and ideas. AppSec DC's unique location and relationship with federal entities in the Washington DC area also allows OWASP and affiliates to continue to reach out to and interact with the federal government in this time of ever-increasing National Security concerns.
This year, in addition to content from industry leaders in application security research, entities within the Department of Homeland Security, the Department of Defense, the National Institute of Standards and Technology and other government agencies will be contributing content focusing on Software Assurance and the role that that plays areas of extreme concern in the current climate, such as protecting Critical Infrastructure or Supply Chain Risk Management. If you work in or with the federal government, regardless of branch or service, this is likely a critical concern for some subset of your workplace, and the combination of content at this event will provide an incredible value to your and your employer.
In addition to two days of great speaking content, keynotes and panels, AppSec DC will also provide two days of world class training on applications security from a variety of vendors at a fraction of the cost found at other events. This year featured panels will not only include federal "what works" in application security, but several other areas of interest so that there will be engaging discussion for all types of attendees. The AppSec DC crew is also working a great vendor space and engaging contests, including a hacking competition built specifically for our event.
AppSec DC will take place at the Walter E. Washington Convention Center in Washington DC on November 8-11. Training will be on the 8th and 9th, talks will be on the 10th and 11th. Our partner hotel is the Grand Hyatt again this year, and a discounted rate will be available for attendees who register in Advance.
For more information visit the OWASP wiki at http://www.owasp.org/index.php/OWASP_AppSec_DC_2010
or the AppSec DC website (updates coming soon!) at http://appsecdc.org
CFP submissions should use the Easy Chair system, our URL is at http://www.easychair.org/conferences/?conf=appsecdc2010 -- Registration is required.
AppSec US 2010, CA
Register before August 15, 2010 and you may be eligible to win a free iPad! Details can be found here: http://www.owasp.org/index.php/AppSec_US_2010,_CA
Wednesday, July 21, 2010
The conference guide for OWASP AppSec Research 2010 featured an interview I did with Jeff Williams, volunteer chair of OWASP. Now it's online. Read his view on:
* Will OWASP ever reach out to developers?
* Application security and the word Trust
* Do developers care about rugged software?
* Java rootkits and trusted developers
Chapter leader OWASP Sweden, http://owaspsweden.blogspot.com
Conference chair OWASP AppSec Research 2010, http://owasp.se