Thursday, February 25, 2010

OWASP ESAPI4JS project status

The ESAPI4JS project is working on a new specification for an extended client-side validation framework and has a draft of the specification up for comment now. The draft can be found at

The implementation of this framework will function as an add-on component to the core ESAPI4JS library. Its purpose is to offer a comprehensive and easy-to-use validation engine that can be used as an initial validation of simple and complex forms, or in offline applications as a means of validating user-supplied information prior to storing it in persistent client-side storage. It will offer support for standard validations (required, length, range, pattern) as well as chained validators and Ajax validation.

This framework is not intended to *replace* server-side validation; rather, it is intended to complement it and offer comprehensive validation with the added performance benefit of not having to cycle the information to the server for initial validation, as well as adding some level of security to what is stored in offline applications.

Please take a second to look at the specification and comment on additional features, potential issues, and ideas for changes.

Chris Schmidt
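As an added illustration (this is not ESAPI4JS code and not taken from the draft specification), the block below shows what the "standard validations" the post lists (required, length, range, pattern) look like as a chain of per-field validators in plain JavaScript. The `Validator` class, `validateForm` helper and the sample form data are all constructed for this example.

```javascript
// Added example, not ESAPI4JS code: a minimal chainable client-side
// validator covering required, length, range and pattern checks.
// All names below are illustrative assumptions for this example.

class Validator {
  constructor(field) {
    this.field = field;
    this.rules = [];            // checks run in the order they were chained
  }

  required(msg = `${this.field} is required`) {
    this.rules.push(v =>
      (v === undefined || v === null || String(v).trim() === "") ? msg : null);
    return this;
  }

  length(min, max, msg = `${this.field} must be ${min}-${max} characters`) {
    this.rules.push(v => {
      if (v === undefined || v === null) return null;   // absence is required()'s job
      const n = String(v).length;
      return (n < min || n > max) ? msg : null;
    });
    return this;
  }

  range(min, max, msg = `${this.field} must be between ${min} and ${max}`) {
    this.rules.push(v => {
      if (v === undefined || v === null || v === "") return null;
      const n = Number(v);
      // Number("abc") is NaN and Number("1e400") is Infinity: both rejected.
      return (!Number.isFinite(n) || n < min || n > max) ? msg : null;
    });
    return this;
  }

  pattern(re, msg = `${this.field} has an invalid format`) {
    this.rules.push(v => {
      if (v === undefined || v === null || v === "") return null;
      return re.test(String(v)) ? null : msg;
    });
    return this;
  }

  // Run the chain and stop at the first failing rule, so the user gets
  // one actionable message per field. Returns null when the value passes.
  validate(value) {
    for (const rule of this.rules) {
      const err = rule(value);
      if (err) return err;
    }
    return null;
  }
}

// Validate a whole form object against a schema of chained validators.
// Returns { valid: boolean, errors: { field: message } }.
function validateForm(schema, data) {
  const errors = {};
  for (const [field, validator] of Object.entries(schema)) {
    const err = validator.validate(data[field]);
    if (err) errors[field] = err;
  }
  return { valid: Object.keys(errors).length === 0, errors };
}

// Allow-list patterns, anchored with ^ and $ so that a value such as
// "ok-text<script>" cannot pass on a partial match.
const schema = {
  username: new Validator("username").required().length(3, 20).pattern(/^[A-Za-z0-9_]+$/),
  age:      new Validator("age").required().range(13, 120),
  zip:      new Validator("zip").length(5, 5).pattern(/^[0-9]{5}$/),
};

// Constructed sample submissions (not real data).
const goodForm = { username: "alice_01", age: "34", zip: "21046" };
const badForm  = { username: "al<script>", age: "7", zip: "2104" };

console.log(validateForm(schema, goodForm));   // valid: true
console.log(validateForm(schema, badForm));    // one message per failing field
```

The chain is evaluated entirely in the browser, which is exactly why it is only a first pass: the same `badForm` object sent straight to the endpoint with curl never touches this code, so every rule here has to be enforced again on the server before the data is trusted.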

Wednesday, February 17, 2010

The OWASP Security Ecosystem Project

Authored By Jeff Williams

The time has come for us to do even more to lead technology companies towards getting their software secure! One key component of achieving secure software is to have a thriving community ecosystem focused on the security of the technology. A few organizations are starting to build these, like Microsoft’s BlueHat community and perhaps a few others. But there’s a huge opportunity for us to do better and OWASP is uniquely positioned to lead this important effort.

The OWASP Security Ecosystem Project

OWASP has recently been approached by several large SaaS vendors to help them improve their security. We’ll be announcing these vendors and launching their ecosystems as soon as we get permission. Now is the time for us to organize our “Security Ecosystem Project” so that we are ready to help get these programs off the ground quickly and successfully.

So what is a “security ecosystem”?

Nobody (and no company) can build secure software by themselves. We have seen that vulnerability research can help to drive security forward in companies, but it’s a painful process. We envision a partnership between technology platform vendors and a thriving ecosystem focused on the security of their technology. The ecosystem will include researchers (both builders and breakers), tools, libraries, guidelines, awareness materials, standards, education, conferences, forums, feeds, announcements, and probably more.

Why collaborate with vendors?

It might be possible for OWASP to try to start an ecosystem without the vendor’s involvement. In fact, the OWASP Java and .NET projects partially fit that description. But these efforts may seem like a threat to technology vendors. Vendors might start their own ecosystem, but it is much more likely to succeed with an independent partner like OWASP. The OWASP Ecosystem Project is intended to help create a collaborative open effort focused on improving the security of the technology by focusing on visibility, understanding, and informed decisions about risk. OWASP’s independence and positive approach make us the perfect environment for these ecosystems to grow.

How do we get started?

The first step is to create a framework for a healthy security ecosystem! Then we can choose a few key technologies and vendors that want to work with us to start. We need to pull together the materials we have and other materials out on the net into an OWASP Security Ecosystem Portal. To grow the ecosystem, we’ll solicit research, tools, and other materials and work with both end-users and the vendor to focus on eliminating the key risks associated with the technology.

The future!

This could mark the dawning of a new collaborative era of application security, where companies actively engage with security researchers in order to make their products better. Everyone benefits by creating an ecosystem focused on fostering transparency. The time has come for security experts and software developers to collaborate. The stakes are way too high to waste time and effort on obscurity and infighting.

If you’re interested in helping get this program off the ground, we’re collaborating on defining the security ecosystem on the OWASP wiki at Ecosystem Project. We're looking for energetic technical leaders who would like to build a thriving security ecosystem around a technology. If you have at least 10 hours a week to dedicate to this important effort, and you think you're the right person, contact us at

Friday, February 12, 2010

Global Connections Committee Message

OWASP Leaders,

The Global Connections Committee would like to share our goals with you around OWASP presentations at non-OWASP-sponsored events. OWASP as an organization needs to get out in front of a larger audience, and the only way to do that is to get out in front of a lot of people who have not been to an OWASP event, and maybe have not even heard of OWASP previously.

Our goal for 2010 for OWASP presentations is to facilitate:
  • 20 OWASP presentations to non-OWASP groups.
  • 10 OWASP presentations to student/university groups.
  • 10 OWASP presentations to companies with large internal development groups.
  • To make connections utilizing the foundation laid by the other Global Committees within the development, university and organizational communities.
  • To publish success stories from chapters where they have proactively lined up OWASP speakers not only for their OWASP chapter but had that speaker present to a developer group, university or large company about OWASP topics.

Leaders- GCC needs your help.

As chapter leaders, we'd like you to think about ways that you can get the OWASP story out to a wider audience.
  • What are the active developer groups in your area? Ask to do an overview presentation to them.
  • Which universities in your area offer Information Technology degrees? Get to know the professors and offer to come in and do a presentation to a class.
  • Who are the companies with large development teams? Offer to give an overview of application security trends to their developers.

Support - GCC is here for you.

We'll build the tools you need to implement the GCC strategy, whether that's PowerPoint presentations, meeting announcements, or fliers. Let us know what you need to be successful.

Global Connections Committee

CFP/CFT AppSec US 2010

OWASP is currently soliciting papers and training proposals for the OWASP AppSec USA, California 2010 conference, which will take place at the UC Irvine Conference Center in beautiful Orange County, CA on September 7th through 10th of 2010. There will be training courses on September 7th and 8th followed by plenary sessions on the 9th and 10th, with each day having at least three tracks. AppSec USA may also have BOF (informal ad hoc meetings), break-out, or speed talks in addition to the standard schedule, depending on the submissions we receive.

We are seeking people and organizations that want to present on any of the following topics (in no particular order):

- Business Risks with Application Security.
- Starting and Managing Secure Development Lifecycle Programs.
- Web Services-, XML- and Application Security.
- Metrics for Application Security.
- Application Threat Modeling.
- Hands-on Source Code Review.
- Web Application Security Testing.
- OWASP Tools and Projects.
- Secure Coding Practices (J2EE/.NET).
- Privacy Concerns with Applications and Data Storage
- Web Application Security countermeasures
- Technology specific presentations on security such as AJAX, XML, etc.
- Anything else relating to OWASP and Application Security.

To make a submission you must include:
- Presenter(s) name(s)
- Presenter(s) Email and/or Phone number(s)
- Presenter(s) bio(s)
- Title
- Abstract
- Any supporting research/tools (will not be released outside of CFP committee)

Submission deadline is June 6th at 12 PM PST (GMT-8).
Please forward to all interested practitioners and colleagues.

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046

Skype: kate.hartmann1

Wednesday, February 10, 2010

OWASP Development Guide Project

News Release/Call For Contributors
The Guide is a manual for designing, developing, and deploying secure web applications
OWASP Development Guide Project
February 10, 2010

MCLEAN, Feb. 10 OWASP Development Guide Project -- After many months of planning and preparation, the OWASP Development Guide project announced today that it is ready to begin work on the next revision of the Guide, and that the project is looking for volunteers to do the work, both individuals and organizations.

The OWASP Development Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications. The original OWASP Development Guide has become a staple for many web security professionals. Since 2002, the initial version has been downloaded over 2 million times. Today, the Development Guide is referenced by many leading government, financial, and corporate standards and is the gold standard for Web Application and Web Service security.

The next version of the OWASP Development Guide will in effect be the detailed design guide for the requirements of the OWASP Application Security Verification Standard (ASVS), which can be found here: Key features of the next Guide will include use of the new OWASP common numbering scheme. The new numbering scheme will be common across OWASP Guides and References; more information can be found here: Additional key features will be the inclusion of worksheets and checklists, such as the sample input validation worksheet, which can be found here:

For more information, including how to volunteer, please see: Please forward this email as you think appropriate. Got buddies and want to work on a section or two as a team? Professional project management will be a key feature of the next release of the Guide and can help to facilitate such arrangements. Here is what the work streams will look like: And the Guide project is always on the lookout for volunteers. If you think you might have availability in the future, please do reach out at that time.

For more information, email the OWASP Development Guide project manager Mike Boberski at

Wednesday, February 3, 2010

OWASP AppSec Latin America 2011

Dear Fellow OWASP Leaders and Members,

In 2009 we had the first AppSec in South America, which was organised by the Brazilian Chapter in Brasilia, with more than 200 participants from Brazil, Argentina and Peru. For 2010, we are already organising another AppSec Brasil, which will be in Campinas (90 km from the city of São Paulo). We will soon begin releasing the call for presentations for 2010 and hope to have even more submissions from Latin America than we had last year. We have set the goal of making the transition from AppSec Brasil to AppSec Latin America, and need your help in doing so.

As you may know, OWASP's Global Conferences Committee will soon issue a Call for Conferences for the year 2011. Before answering this call, we are planning to release a Call for Conference Locations, so that candidate teams around Latin America can propose local venues to host a big AppSec Latin America Conference for 2011.

We believe this will be the first big effort to bring together the Latin American OWASP Community in a big meeting, which would increase collaboration among our Chapter members and improve the presence of the community in OWASP.

We hope to have your support for this effort and are eager to hear your comments and suggestions. We also ask you to help us spread the word to other Chapters or groups we may have missed.

Best Regards,

Wagner Elias (
Eduardo Camargo Neves (
Lucas C. Ferreira (

Wagner Elias - OWASP Leader Project Brazil