Tuesday, June 29, 2010

OWASP NY/NJ Chapter Update

The purpose of this email is to inform the (1381) mailing list members of recent changes with OWASP NY/NJ Chapter.

It is with great pleasure that I announce your 100% Volunteer Chapter Leaders:

Chapter Vice President(s)
1st Vice President
- Dan Guido

2nd Vice President
- Douglas Shin

Chapter Leaders
- Marcin Wielgoszewski
- Peter Dean
- Mahi Dontamsetti
- Blake Cornell
- Tom Ryan
- Vlad Gostomelsky
- Arkadiy Goykhberg
- Kuai Hinojosa
- Brian Peister

By a vote of the above peers I was nominated and supported to continue, in addition to my global role with OWASP Foundation, in the role of President of the local chapter. For those that have heard the chapter founding story of 5 guys, pizza and SQL injection when we first started... boy have we grown together since I got involved in 2004.

The selfless mission of OWASP Foundation is to make application security visible, so that people and organizations can make informed decisions about true application security risks. As we embark on another cycle, I would like to remind everyone to review ABOUT OWASP at: http://www.owasp.org/index.php/About_OWASP with a special focus on Ethics and Principles, as I believe it's core to our association. Locally, at a high level, our plans are to continue to work with regional universities, like-minded associations, regional industry leaders with focus groups and continue to have regional meetings, training events and social meet-ups to help our community continue to grow.

In addition, please find (2) important items below:

#1 - To manage the flux of individuals requesting to speak at an OWASP event we now utilize a CFP (Call for papers) system. To be selected your submission should highlight a NEW or existing OWASP Project. Submissions are voted on by ALL chapter leaders to ensure we adhere to vendor agnostic content. Access it by visiting URL: http://www.owasp.org/index.php/NYNJMetro and find the information under the HOW-TO #1 to get submitted.

If you are unclear about how to start an OWASP project, no worries... see: http://www.owasp.org/index.php/How_to_Start_an_OWASP_Project or just ask.

#2 - Our association needs places to hold meetings, trainings, events in New York City and Northern, Central and Southern New Jersey. If you would like to help simply visit our chapter website at http://www.owasp.org/index.php/NYNJMetro to contact one of our many chapter leaders to get started. With a team of (12) we scale to share the work load as volunteers so if you want to help out just ask and we would like to schedule venues as far in advance as possible.

On behalf of the entire team, thank you for your continued support of our local chapter and OWASP Foundation. If you have found value with our (118) projects, events, conferences or educational seminars we hope that you will become a voting member of our professional association with a tax-deductible individual donation of $50.00; see: http://www.owasp.org/index.php/Membership for full details.

Finally, members of the OWASP association will be at the following events coming soon, we hope to see you too!

The Next HOPE in NYC


Security BSides Las Vegas


Defcon 18

International Conference on Cyber Security

and many more... check in on http://www.owasp.org/index.php/NYNJMetro often as this email list is used for announcements only.

Tom Brennan
Global Board & NY/NJ Chapter Leader
OWASP Foundation

Thursday, June 24, 2010

OWASP Spain Day


On Friday, June 18, we held the sixth edition of our conferences in Spain, at the "Universitat de Barcelona". We were pleased to have Richard Stallman and other great speakers, with whom we spent a nice and very interesting day.

We were able to disseminate several OWASP projects (Top 10, Wapiti and Webslayer) and we made contact with personnel from other universities. Several national media will reflect this event.

The presentations (in Spanish) of the day and some photos are available here:

Best regards,
Vicente Aguilera Diaz
OWASP Spain chapter leader
CEH Instructor, ECSP Instructor, OPSA, OPST
Homepage: http://www.owasp.org/index.php/Spain
Mailing list: http://lists.owasp.org/mailman/listinfo/owasp-spain
PGP: 0xD21C1EF8 - D1F0 E0B5 2ACC B4B5 57CD C427 58B7 CF0D D21C 1EF8

OWASP Sweden announcements


We just made these 3 announcements at the Conference here in Sweden:
  • new attempt at figuring out the OWASP Commercial Services model
  • new model for creating a Source of Financial Funding for OWASP Projects and
  • the launch of the OWASP O2 Platform project (with a v1.0 Beta version available)

You can read more details on this pdf: http://www.owasp.org/index.php/File:Dinis_Cruz_-_APPSECEU_-_3_ANNOUNCEMENTS.pdf

This is just a heads up and we will follow this up with individual emails on each of the 3 topics.

Note that both Commercial Services and Source of Financial Funding for OWASP Projects are experiments, where we are trying to figure out a model that works for OWASP and its community.

Dinis Cruz

Wednesday, June 23, 2010

OWASP AppSensor ESAPI Integration


The AppSensor team has been working hard over the last several months to create an AppSensor jar that is ready for ESAPI integration.

AppSensor is a project to enable detailed attack intrusion and response within an application by integrating "detection points" into the application itself (think detecting all access control failures, malicious input, unexpected commands and more and then correlating that against the logged in user and logging out/locking the attacker). That's just the basics, more info on AppSensor here: http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project

Here are the instructions for easily updating an existing ESAPI application to use AppSensor. I encourage those interested to take a quick read and respond with any comments.

What's next:
1. We'd like to use the Getting Started guide as an initial strategy for users to begin leveraging AppSensor in their ESAPI apps. We're looking for interested parties to begin using AppSensor within ESAPI and provide their feedback.
2. It would also be great for the ESAPI config to contain the configuration line for AppSensor and a link to the getting started page.

#Use OWASP AppSensor for enhanced application intrusion detection and response
#See http://www.owasp.org/index.php/AppSensor_GettingStarted for necessary JAR and configuration

Thoughts and feedback please.

Michael Coates

OWASP AppSec US 2010

I am thrilled to formally announce that registration is OPEN for this year’s OWASP United States conference.

AppSec US 2010 will be held September 7th through September 10th, 2010 and will be hosted by the Orange County and Los Angeles Chapters at the University of California, Irvine, the only school in the University of California system with a dedicated school of Information and Computer Science.

The keynote speakers have been confirmed! The tremendous response to the call for papers is now being transformed into a jam packed two day, multi track agenda! Additionally, training providers are being locked in for an outstanding selection of one and two day classes.

The event information as well as links to registration can be found here: http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=Welcome

Registration can be completed here: https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=3c8f8c26-a4b3-40d6-9daa-1f541ea0ccc2

Now is the time to make your plans to attend this year’s premier application security event hosted by the world’s foremost community of security professionals, the OWASP Foundation!

If you have any questions, or need additional information, please do not hesitate to contact me. I look forward to seeing everyone in California this fall!

Kate Hartmann
OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD 21046

Skype: kate.hartmann1

Sunday, June 20, 2010

Malaysia Open Source Conference

OWASP Malaysia : Contribution In MSC Malaysia Open Source Conference MOSC2010


OWASP Malaysia is actively contributing to MOSC2010 by arranging speakers for the conference, and OWASP Malaysia Chapter Leader - Mohd Fazli Azran is one of the committee members for MOSC2010.

Speakers from OWASP

OWASP Joomla CMS Vulnerability Scanner - Aung Khan, YGN Ethical Hacker Group, Myanmar.


OWASP and What It Can Do For You - Cecil Su, OWASP Global, Singapore.


MOSC2010 includes security topics like

Joomla! 1.6 Security

Easy DNSSEC Deployment with OPENDNSSEC

Internet Malicious Miscreant

For OWASP Malaysia, this will create awareness about security and OWASP.

For more information about MOSC2010


Thank you

Harisfazillah Jamel

Wednesday, June 16, 2010

AppSec US 2010

Dear OWASP Leaders,

AppSec US 2010 is live at http://www.appsecUSA.org

Registration is open. Early registration prices are valid till July 15.

Call for presentations deadline has also been extended till June 30.

As it is the premier OWASP conference of 2010 for US/North America, I would like to ask your help to promote it. Please spread the word everywhere you can -- at local chapter meetings, local meetings of other security or IT organizations, your colleagues at work, at your school, etc.

We are also looking for the volunteers to help with the conference. If you are interested in volunteering, please let me know.

Many thanks in advance!

-- Tin Zaw, CISSP, CSSLP
Chapter Leader and President
OWASP Los Angeles Chapter Co-Chair
AppSec USA 2010 Program Committee
Google Voice: (213) 973-9295
LinkedIn: http://www.linkedin.com/in/tinzaw

OWASP New Zealand Day 2010


I am glad to announce the first round of speakers that have been selected for the OWASP New Zealand Day 2010 conference.

* Scott Bell - Security-Assessment.com - Web Application Vulnerabilities: How far does the rabbit hole go?
* Dean Carter - The Ramblings of an ex-QSA
* Paul Craig - Security-Assessment.com - "Oh F#!K" : What To Do When You Get Pwned
* Graeme Neilson - Aura Software Security & Kirk Jackson - Xero - Tales from the Crypt0

The conference web site has been updated with a speakers section and talk abstracts:


Please note that CFP (Call for Paper) is still open and it will close on the 30th June. There are still available slots for talks.

For more information about the CFP and submission, please refer to my previous post:


I am delighted to announce that 160 people registered so far to attend the event.

This is an excellent result for OWASP in New Zealand and thanks for spreading the voice.

If you are reading this post and you haven't registered yet, please do it by visiting:


Please feel free to invite other people who might be interested to join us.

The event registration will end on the 30th June 2010.

For those of you using LinkedIn, please feel free to join the group "OWASP New Zealand Chapter" at:


Again thanks to everyone for helping the OWASP NZ chapter. Special thanks to
the University of Auckland for providing the venue.

The final list of speakers and the conference agenda will be published on
the 1st July.


Roberto Suggi Liverani


OWASP New Zealand Day 2010 is kindly offered and supported by the
following sponsors:

- University of Auckland (Department of Computer Science) - www.auckland.ac.nz
- NZISF (New Zealand Information Security Forum) -
- Security-Assessment.com - www.security-assessment.com
- Lateral Security - www.lateralsecurity.com

Monday, June 7, 2010




OWASP is currently soliciting training proposals for the OWASP
AppSec Brazil 2010 Conference which will take place at Fundação CPqD
in Campinas, SP, Brazil, on November 16 through November 19, 2010.
There will be training courses on November 16 and 17 followed by
plenary sessions on the 18 and 19 with one single track per day.

We are seeking training proposals on the following topics (in no
particular order):
- Application Threat Modeling
- Business Risks with Application Security
- Hands-on Source Code Review
- Metrics for Application Security
- OWASP Tools and Projects
- Privacy Concerns with Applications and Data Storage
- Secure Coding Practices (J2EE/.NET)
- Starting and Managing Secure Development Lifecycle Programs
- Technology specific presentations on security such as AJAX, XML, etc
- Web Application Security countermeasures
- Web Application Security Testing
- Web Services, XML- and Application Security
- Anything else relating to OWASP and Application Security

Proposals on topics not listed above but related to the conference
(i.e. which are related to Application Security) may also be accepted.

To make a submission you must fill out the form available at
and submit by email to organizacao2010@appsecbrasil.org

There may be 1 or 2-day courses. The proposals must respect the
restrictions of the OWASP Speaker Agreement. The conference will
reward trainers with at least 30% of the total revenue of their
courses, based on a minimum attendance. Courses that attract more
students may be granted higher percentages. No other compensation
(such as tickets or lodging) will be provided. If you require a
different arrangement, please contact the conference chair at the
email address below.

Instructors and authors will be paid based on the number of students
in their training sessions. If the training gathers only the minimum
number of students, the compensation will be 30% of the revenue. For
each group of 10 extra students enrolled, the compensation will be
increased by 5% of the revenue, up to a maximum of 45% of the training
revenue. For example, a 1-day training with 10 to 19 students will
generate a compensation of 30% of the revenue. For classes of 20 to 29
students, the compensation rises to 35% of the revenue.

In exceptional cases, different compensation schemes may be accepted.
Please contact the conference organization team by email
(organizacao2010@appsecbrasil.org) for details.

**Training cost**
1-day training: R$ 450 per student
2-day training: R$ 900 per student
All prices in Brazilian Reais (BRL)

**Minimum number of students**
1-day trainings: 10 students
2-day trainings: 20 students

**Important Dates:**
Submission deadline is July 26, 2010, at 11:59 PM (UTC/GMT-3).
Notification of acceptance will be August 16, 2010.
Final version is due September 15, 2010.

The conference organization team may be contacted by email at
organizacao2010 (at) appsecbrasil.org

For more information, please see the following web pages:
Conference Website: https://www.owasp.org/index.php/AppSec_Brasil_2010
OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement
OWASP Website: http://www.owasp.org
Easychair conference site:
Presentation proposal form:

********** WARNING: Submissions without all the information requested
in the proposal form will not be considered ************

Please forward to all interested practitioners and colleagues.

Friday, June 4, 2010

OWASP ModSecurity Core Rule Set

Hello OWASP Leaders. I wanted to let you all know that a new version of the OWASP ModSecurity Core Rule Set (CRS) is now available (v2.0.7).

There are some interesting updates, most notably -

1) The new CSRF protection ruleset.

The ruleset uses ModSecurity's Content Injection capabilities to append an updated version of the csrf.js file from the OWASP CSRFGuard Project (http://code.google.com/p/owaspcsrfguard/source/browse/trunk/main/OWASP-CSRFGuard/src/org/owasp/csrfguard/handlers/csrf.js) to the end of the response data. ModSecurity generates the CSRF token and inserts it into the JS data and then validates it on subsequent requests.

The advantage of using ModSecurity for this is if you are running it on an Apache reverse proxy, then you add in CSRF tokens to any back-end web app regardless of the language.

A call for assistance - the csrf.js code works well; however, it should probably be extended to handle AJAX calls, etc... If there are any JS ninjas who want to tackle updating the JS code to perhaps add the csrf tokens using OnSubmit or something, let me know.

2) App Defect Rule - Missing HTTPOnly flags

One ruleset will identify if the HTTPOnly flag is missing when the app hands out Set-Cookie SessionIDs. It can optionally fix the issue by passing ENV data to Apache which will append the HTTPOnly flag through a ResponseHeader directive.

3) App Defect Rule - Missing Output Escaping of User-Supplied Data

This is an interesting concept where we are attempting to do some crude Dynamic Taint Propagation tracking related to XSS/Missing Output Escaping. As opposed to trying to identify and block potential XSS payloads on the inbound, we are instead focusing in on the underlying vuln - resources that don't properly track user-supplied data and encode/escape it when given back to clients.

The ruleset basically looks for inbound data that contains meta-characters that are often used in XSS attacks (<,>,/, etc...) and then it stores the entire parameter data in a temporary variable and then inspects the response body to see if the same exact payload is present. If it is, then the app is not properly escaping it. This ruleset works in limited testing but I am interested to see how it fares once the ModSecurity community starts testing it out :)

Please let me know if anyone has any questions, comments or would like to help out with future CRS efforts.



Ryan C. Barnett

WASC Web Hacking Incident Database Project Leader

WASC Distributed Open Proxy Honeypot Project Leader

OWASP ModSecurity Core Rule Set Project Leader
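
The two app-defect checks described in the post above (session cookies issued without HTTPOnly, and user-supplied data echoed back unescaped), sketched in Python as an added example; this is not code from the Core Rule Set. The cookie-name list, the quote characters in the meta-character set, the minimum-length cutoff and all sample data are assumptions made here.

```python
import html
import re
from urllib.parse import parse_qsl

# "<", ">" and "/" are the meta-characters the post names; the quote
# characters are an assumption added for this example.
META_CHARS = re.compile(r"[<>/\"']")

# Cookie names treated as session identifiers (assumed list, not from the CRS).
SESSION_COOKIE = re.compile(
    r"^(jsessionid|phpsessid|asp\.net_sessionid|sessionid|sid)$", re.I
)


def cookies_missing_httponly(set_cookie_headers):
    """Return names of session cookies issued without the HttpOnly attribute."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; attribute values are ignored.
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if SESSION_COOKIE.match(name) and "httponly" not in attrs:
            missing.append(name)
    return missing


def unescaped_reflections(query_string, response_body, min_len=4):
    """Return names of parameters whose raw value reappears verbatim in the body.

    Only values containing a meta-character are tracked. Values shorter than
    min_len are skipped: a lone "/" occurs in every HTML page and would flag
    every response.
    """
    findings = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if len(value) < min_len or not META_CHARS.search(value):
            continue
        if value in response_body:  # exact match: no escaping was applied
            findings.append(name)
    return findings


# --- Constructed sample data (not captured traffic) ---
SAMPLE_QUERY = "q=%3Ci%3Eprobe%3C%2Fi%3E&ref=%3Cb%3Ehi%3C%2Fb%3E&page=2&path=%2F"
SAMPLE_BODY = (
    "<html><body><p>Results for <i>probe</i></p>"          # q echoed raw
    "<p>Referred by " + html.escape("<b>hi</b>") + "</p>"  # ref escaped
    "</body></html>"
)
SAMPLE_COOKIES = [
    "JSESSIONID=abc123; Path=/; Secure",
    "PHPSESSID=xyz789; path=/; HTTPOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    print("unescaped parameters:", unescaped_reflections(SAMPLE_QUERY, SAMPLE_BODY))
    print("cookies missing HttpOnly:", cookies_missing_httponly(SAMPLE_COOKIES))
```

An exact-match test like this misses output that the application transforms without escaping (case changes, truncation), so a clean result does not prove the parameter is safely encoded.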


OWASP Ireland 2010

Hello everyone,

The OWASP Ireland 2010 agenda is shaping up well and registration is to open soon.
We are still happy to accept presentation proposals until early August.

The sponsorship deck for OWASP Ireland is available here http://www.owasp.org/images/c/c8/OWASP_sponsorship_Master.pdf and is limited in places.
Training shall be announced very soon also, consisting of one day's training on the 16th of September.

Our Key Note speakers are legendary again this year:

Professor Fred Piper (Royal Holloway University)

Keynote: "The changing face of cryptography"

Fred Piper was appointed Professor of Mathematics at the University of London in 1975 and has worked in information security since 1979. In 1985, he formed a company, Codes & Ciphers Ltd, which offers consultancy advice in all aspects of information security. He has acted as a consultant to over 80 companies including a number of financial institutions and major industrial companies in the UK, Europe, Asia, Australia, South Africa and the USA. The consultancy work has been varied and has included algorithm design and analysis, work on EFTPOS and ATM networks, data systems, security audits, risk analysis and the formulation of security policies. He has lectured worldwide on information security, both academically and commercially, has published more than 100 papers and is joint author of Cipher Systems (1982), one of the first books to be published on the subject of protection of communications, Secure Speech Communications (1985), Digital Signatures - Security & Controls (1999) and Cryptography: A Very Short Introduction (2002).

Damian Gordon PhD (Dublin Institute of Technology)

Keynote: "Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"

Damian Gordon is a lecturer with the School of Computing at the Dublin Institute of Technology and is Programme Co-ordinator for the School's Masters in Computing (Assistive Technology). He was primary researcher on two EU funded projects whose particular focus was looking at issues associated with technoacceptance - the ILT and the E4 projects - and was Educational Advisor for the Ireland-China EMERSION project. His research interests include Differentiated Instruction, Computer Security, Technostress, ICT and Special Needs, Virtual Learning Environments, Image reconstruction from specular reflections, and Lateral Thinking Techniques.

Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

AppSec DC


Building on the success of AppSec DC 2009, OWASP is pleased to announce the OWASP AppSecDC 2010 conference held at the Walter E. Washington Convention Center on November 8th through 11th 2010. Plenary sessions will be on November 10th and 11th preceded by Web Application Security Training on November 8th and 9th.

We are seeking presentations on the following topics:
- OWASP Tools and Projects
- Cloud Application Security
- Government Approaches to Application Security
- Application Security Case Studies
- Application Security and Business Risks
- Metrics for Application Security
- Web Services Security
- Source Code Review
- Web Application Security Testing
- Secure Coding Practices
- Privacy Concerns
- Vulnerabilities/Exploits in the Web App World
- Defense & Countermeasures in the Web App World
- Other web application security topics

Submit papers to http://www.easychair.org/conferences/?conf=appsecdc2010. Submission deadline is July 31st 2010. Inquiries can be made to cfp@appsecdc.org.
Additional information can be found in the FAQ. You will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.

Conference Website: https://www.owasp.org/index.php/OWASP_AppSec_DC_2010
FAQ: https://www.owasp.org/index.php/OWASP_AppSec_DC_2010_-_FAQ

Please forward to all interested practitioners and colleagues.

The AppSec DC Program Committee

Tuesday, June 1, 2010

OWASP Annual Report


The OWASP Annual Report 2009 is online!

You’ll find details on our strategy, our finances, and the activities of all of our global committees. We’ve made some decent progress in 2009, but nothing compared to what the world needs right now.

OWASP is a remarkable organization that I’m proud to serve. Thank you all for your contributions, participation, and energy! Please help us by blogging, tweeting, facebooking, speaking at conferences, writing papers, and whatever else you can do to reach developers wherever they are.

We need a whole lot of innovative thinking to make a real change in the software market. But the era of blindly trusting software has got to end! What can you do in 2010 to make things better? Got an idea that’s too big for you to achieve alone? Share it with OWASP and together maybe we can change the world.


Jeff Williams, Chair
The OWASP Foundation