Thursday, December 1, 2011

November 2011 OWASP Newsletter

The November, 2011 issue of the OWASP newsletter is now available.  Many thanks to Deepak Subramanian for his efforts putting this together.



Table of Contents
  • Notes from the Editor – Deepak Subramanian    
  • Notes on Internal Projects    
  • OWASP Communities – Michael Coates    
  • Protecting against XSS – Gareth Heyes    
  • OWASP Podcast – hosted by Jim Manico   
  • OWASP Zed Attach Proxy (ZAP) – Simon Bennetts   
  • Global Board of Directors Announced    
  • Global Committees    
  • Upcoming Events    
  • OWASP Organizational Sponsors    
  • The OWASP Foundation    
  • OWASP Membership    
  • Newsletter Advertising




OWASP is a volunteer driven organization that provides free and open resources to advance the state of application security and make application security risks visible.  Please consider helping support our mission if these resources are useful to you or your organization.

Sunday, November 6, 2011

Lots of Great Things Happening At OWASP

You may be curious to know that OWASP has been doing quite a bit this past year.  With over 1500 members in 189 local chapters around the globe, it’s not hard to understand why so much is happening.  During 2011, major OWASP conferences were held in Asia, Europe, Latin America and North America. In addition to the traditional conferences, the 2nd OWASP world summit took place in Portugal with 180 security experts attending from 30 different countries. During this event attendees focused on working sessions to tackle security challenges facing the industry (read the full report and results here). OWASP was also present with talks or booths at 38 other events throughout 2011. 
In addition to security conferences, many OWASP leaders are speaking at developer conferences to spread security knowledge directly to those building the applications. We’ll be gathering better metrics in the future, but a quick and informal twitter question reveals many OWASP individuals are presenting security at non-security conferences such as JsFoo, PHP in the cloud, Jazoon, UberConf, JavaOne, SuperMondays, guest lecturing at Universities, DjangoCon, Pycon, PHPLondon, Cloud Camps, Bar Camps, #educause, #jasig and many more.
The OWASP community is also growing strong through a variety of OWASP projects. Some of these are mature tool sets and resources that are tackling challenging security problems; others are in experimentation and exploration phases to test out new areas of research.  To better aid project growth the OWASP Projects committee is continually working to provide a framework that encourages experimentation and new project ideas and also builds the process, quality and supporting resources needed to foster more mature projects.
While OWASP has a great number of excellent resources, we also realize that its not always the easiest to find the material you are looking for.  We’re busy figuring out ways to best match up individuals with the relevant and high quality OWASP materials.  New approaches may include building specific paths through the website based on developers, testers, architects, etc (builders, breakers, defenders, or more) or it could be through a meta data store of all project information, or even an approach where projects are categorized into maturity levels such as Incubator / Labs / Flagship. None-the-less, we’re aware this is an important area that needs attention to further grow the usability and accessibility of OWASP resources.
If you’re interested in helping out then please reach out to anyone within OWASP, join or propose a project, or even volunteer on an OWASP committee.  The battle to raise awareness around application security is a challenging task and we’re constantly looking for fresh ideas and talented individuals to volunteer their time and abilities towards furthering the OWASP mission. 
Lastily, I realize this doesn't scratch the surface of everything took place in 2011 with OWASP. Please comment below with items you'd like to recognize.

Michael Coates
OWASP

Wednesday, October 12, 2011

AppSec DC 2012

by mark.bristow@owasp.org

Colleagues,

Building on the success of AppSec DC 2010 and 2009, OWASP is pleased to announce the next OWASP AppSec DC conference. The theme for this year's conference is "OWASP - Not just webapps anymore" to reflect the new and revised scope of OWASP to include all application security issues instead of focusing just on web application security.

Owing to feedback from the past two years, and in alignment with the overall OWASP Conference mission, the AppSec DC Planners have decided to move the conference to April of 2012. This is in response to requests from a variety of our sponsors and vendors, and de-conflicts overlap in the OWASP conference schedule for North America. OWASP AppSec DC 2012 will be held at the Walter E. Washington Convention Center on April 2nd through April 5th. Plenary sessions will be on April 4th and 5th preceded by Application Security Training on April 2nd and 3rd.

In accordance with the broader OWASP mission stemming from the 2011 OWASP Global Summit, AppSec DC is working to reflect the move of OWASP towards embracing all facets of Application Security, and not restricting it's content to strictly to the realm of web applications.

Therefore we invite all practitioners of application security and those who work with or interact with all facets of application security to submit papers and participate in the conference.

The AppSec DC 2012 Content Committee is seeking presentations in the following subject areas:
  • OWASP Projects
  • Research in Application Security Defense (Defense & Countermeasures)
  • Research in Application Security Offense (Vulnerabilities & Exploits)
  • Web Application Security
  • Critical Infrastructure Security
  • Mobile Security
  • Government Initiatives & Government Case Studies
  • Effective Case studies in Policy, Governance, Architecture or Life Cycle
  • and other application security topics
Submit papers to http://cfp.appsecdc.org. Submission deadline is January 15th 2012. Inquires can be made to cfp@appsecdc.org. Additional information can be found in the FAQ. You will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.

Conference Website: http://www.appsecdc.org
FAQ: https://www.owasp.org/index.php/OWASP_AppSec_DC_2012_-_FAQ

Please forward to all interested practitioners and colleagues.

Regards,

The AppSec DC Program Committee

--
Mark Bristow
(703) 596-5175
mark.bristow@owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org

Saturday, October 8, 2011

Switzerland Application Security Forum 2011

The city of Yverdon-les-Bains will the 2011 edition of the Application Security Forum - Western Switzerland conference. This event will take place at end of October. For this second edition, an exceptional lineup consisting of 19 speakers and trainers, both locally and internationally recognized, will share their knowledge, best practices and experience on all sensitive topics related to application security: strong authentication, privacy, cryptography, critical systems, secure development, cyberthreats, etc.
Participation is free during the Conference day (Oct.27th), fees for trainings and workshops apply on the first day only (Oct. 26th.), online registration is required to attend the event.
http://event.appsec-forum.ch

The Event is co-organized by the OWASP Switzerland/Geneva Chapter and Openid Switzerland.

Thursday, September 29, 2011

OWASP AppSec USA 2011 – The Wrap up

Article by Lorna Alamri

While the planning team is still sending out documentation, requesting invoices and finishing up tasks for the event. It’s time to give a summary of the event from a numbers perspective.

The Conference:

OWASP AppSecs bring together people around application security. What better opportunity to get attendees excited and involved in OWASP projects. Outside of an OWASP Summit it’s the largest gathering of OWASP and application security leaders, so a great opportunity to work on solutions and keep momentum going from the OWASP Summit.

Our goals:
500 attendees. $100,000 in funds raised for the OWASP Foundation. Raise awareness around OWASP and application security among developers.

Registrations: 
639, Total registration revenue as of 9/15/11 (536 attendees) $251,476.15
Sponsors: 24 with a total of $130,600 in funds raised.
Expenses: Estimated at $210,000. (We’re still waiting for some invoices from vendors.) 

The Talks:

2 days/4 tracks
75 speakers, 48 talks, 3 keynotes and one board discussion.

The Training:
4 two-day training courses
4 one-day training courses
Training Course Students: 146, OWASP profit from training: $63,000

The CTFs:
One University CTF challenge - 3 teams
One CTF -2 days

Organizers/Volunteers: 48

Statistics on Attendance:





*Education included both students and employees who attended OWASP AppSecUSA 2011.
*OWASP Employees and non-industry volunteers are not included in numbers.
 

Overall Attendees by Country

US Attendance by State




The Events:
We took the opportunity to try out a lot of new events at AppSec USA which we hope will be included in future OWASP AppSecs.

  • 5K/10K Run for Charity – funds raised were donated to the Bakken Musuem.
  • University Challenge – A CTF aimed at University students to increase OWASP awareness at a University level.
  • Women in AppSec – A grant program to increase particpation at OWASP AppSec USA by women.
  • Open Source Showcase – An opportunity to demonstrate OWASP and other open source projects to attendees of OWASP AppSecs.
  • Project work groups: ESAPI, AppSensor, Chapters and Industry along with board and committee meetings.

Lorna Alamri
OWASP AppSec USA


OWASP ModSecurity CRS v2.2.2


(From ryan.barnett@owasp.org)
 
I am pleased to announce the release of OWASP ModSecurity CRS v2.2.2.  

===========
CHANGELOG
===========
--------------------------
Version 2.2.2 - 09/28/2011
--------------------------

Improvements:
- Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points 
- Added new Range header detection checks to prevent Apache DoS
- Added new Security Scanner User-Agent strings
- Added example script to the /util directory to convert Arachni DAST scanner XML data into ModSecurity virtual patching rules.
- Updated the SQLi Character Anomaly Detection Rules
- Added Host header info to the RESOURCE collection key for AppSensor profiling rules

Bug Fixes:
- Fixed action list for XSS rules (replaced pass,nolog,auditlog with block)
- Fixed Request Limit rules by removing & from variables
- Fixed Session Hijacking IP/UA hash captures 
- Updated the SQLi regex for rule ID 981242

 
--------------------------
DOWNLOADING
--------------------------
Manual Downloading:
You can always download the latest CRS version here -

Automated Downloading:
Use the rules-updater.pl script in the CRS /util directory

# Get a list of what the repository contains:


modsecurity-crs {
          2.0.0: modsecurity-crs_2.0.0.zip
          2.0.1: modsecurity-crs_2.0.1.zip
          2.0.2: modsecurity-crs_2.0.2.zip
          2.0.3: modsecurity-crs_2.0.3.zip
          2.0.4: modsecurity-crs_2.0.4.zip
          2.0.5: modsecurity-crs_2.0.5.zip
          2.0.6: modsecurity-crs_2.0.6.zip
          2.0.7: modsecurity-crs_2.0.7.zip
          2.0.8: modsecurity-crs_2.0.8.zip
          2.0.9: modsecurity-crs_2.0.9.zip
          2.0.9: modsecurity-crs_2.0.10.zip
          2.1.0: modsecurity-crs_2.1.0.zip
          2.1.1: modsecurity-crs_2.1.1.zip
          2.1.2: modsecurity-crs_2.1.2.zip
  2.2.0: modsecurity-crs_2.2.0.zip
          2.2.1: modsecurity-crs_2.2.1.zip
          2.2.2: modsecurity-crs_2.2.2.zip
}

# Get the latest stable version of "modsecurity-crs":
$ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -prules -Smodsecurity-crs
Fetching: modsecurity-crs/modsecurity-crs_2.2.2.zip ...
$ ls -R rules
modsecurity-crs

rules/modsecurity-crs:
modsecurity-crs_2.2.2.zip    modsecurity-crs_2.2.2.zip.sig

--
Ryan Barnett
OWASP ModSecurity Core Rule Set Project Lead


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders

OWASP Board 2012

I am very please to announce the results of the recent OWASP Board Election!

Turnout: 771 (46.2%) of 1670 electors voted in this ballot.
Top (3) have been elected.
  • Michael Coates - 524 (31.0%)
  • Dave Wichers - 460 (27.2%)
  • Sebastien Deleersnyder - 423 (25.0%)
  • Christian Heinrich - 286 (16.9%)
Your International Board of Directors term is effective 1-Jan-2012 for (24) months governed by the OWASP Bylaws: https://www.owasp.org/images/d/d6/2011-06-OWASP-BYLAWS.pdf

The Board also held elections at AppSec USA to decide new board roles and responsibilities.  The results are as follows:

Michael Coates - OWASP Chair
michael.coates(at)owasp.org

Eoin Keary - Vice Chair
eoin(at)owasp.org

Tom Brennan - Secretary
tom.brennan(at)owasp.org

Matt Tesauro - Treasurer
matt.tesauro(at)owasp.org

Sebastien Deleersnyder - Board Member
seba(at)owasp.org

Dave Wichers - Board Member
dave.wichers(at)owasp.org

Please join me in offering our new board congratulations and support.

Aloha,
Jim Manico
OWASP Connections Committee Chair
jim@owasp.org
 

Wednesday, September 7, 2011

AppSec USA 2011 Conference - Two Weeks Away

Hello OWASP Community,

The OWASP AppSec USA 2011 conference in Minneapolis is only two weeks away. Classes are filling up fast (the OWASP WTE class is full), and the conference talks lineup is impressive. Sign up today for the training on September 20-21 and the main conference talks, CTF, showroom, and Open Source Showcase on September 22-23!

http://www.appsecusa.org/

OWASP is in its tenth year, and application security is on everyone's radar. And this year we have some wonderful new initiatives as part of OWASP AppSec USA 2011. For the first time, we're:

* Funding the conference experience for two women in college through the OWASP Women in AppSec grant. Congratulations to Tara Wilson and Chandni Bhowmik on securing these grants! And thank you to The Wells Fargo Foundation for its generous seed funding.

* Raising funds for science education for inner city youth with the 5K/10K for Charity.

* Hosting a University Challenge offense/defense competition.

* Running an Open Source Showcase during the conference proceedings. Open source community members will demo their awesome work.

Additionally, the OWASP Chapters Committee and the ESAPI and AppSensor teams will be meeting September 21 to build upon their great work in OWASP.

Be a part of AppSec USA 2011, where OWASP propels itself into the next ten years. Lots of cool talks and training. And many opportunities to learn, grow, and give back.

http://www.appsecusa.org/attend.html


We would like to thank the OWASP AppSec USA 2011 donors and sponsors and the many conference contributors for helping us to build an awesome event for the application security and development community.

--

Adam Baso
OWASP AppSec USA 2011 Organizer

OWASP AppSec USA 2011: Your life is in the cloud.
September 20-23 Training, Talks, CTF, Showroom, and More
www.appsecusa.org
@appsecusa

To learn more about OWASP, visit https://www.owasp.org.

Wednesday, August 31, 2011

OWASP AppSensor Detection Points in the OWASP ModSecurity Core Rule Set

(from Ryan Barnett)

I have begun the process of implementing the OWASP AppSensor Detection Points (https://www.owasp.org/index.php/AppSensor_DetectionPoints) within the OWASP ModSecurity Core Rule Set (https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project).

I am pleased to announce that I have just made an update to the OWASP CRS SVN repository that fully implements the Request Exception (RE) category - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RequestException. See the following blog post for more details - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html

The major change in this version vs. the earlier one outlined in this blog post (http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-real-time-application-profiling.html) is that both the profiling and detection logic has been moved to Lua scripts. With the increased logic capabilities of Lua, we are now able to more accurately profile the application in real-time by analyzing traffic and automatically generating profiles for the following resource characteristics -
  • Enforcing the expected Request Method(s)
  • Enforce the number of expected parameters (min-max range)
  • Enforce parameter names
  • Enforce parameter lengths (min-max range)
  • Enforce Character Classes
    • Flag (e.g. - /path/to/foo.php?param)
    • Digits (e.g. - /path/to/foo.php?param=1234)
    • Alpha (e.g. - /path/to/foo.php?param=abcd)
    • AlphaNumeric (e.g. - /path/to/foo.php?param=abcd1234)
    • Email (e.g. - /path/to/foo.php?param=foo@bar.com)
    • Path (e.g. - /path/to/foo.php?param=/dir/somefile.txt)
    • URL (e.g. - /path/to/foo.php?param=http://somehost/dir/file.txt)
    • SafeText (e.g. - /path/to/foo.php?param=some_data-12)
The updated rules files are in the /experimental_rules directory - http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/experimental_rules/

I encourage people to test out these new rules and to report back their experiences – both good and bad.

FYI – I also wanted to thank Josh Zlatin for assisting with the initial Lua script creation.

Cheers.

--
Ryan Barnett
OWASP ModSecurity Core Rule Set Project Leader

Tuesday, August 23, 2011

OWASP AppSec Latin America 2011

On behalf of the OWASP AppSec Latin America 2011 organization team, I’m thrilled to announce registration is now officially open! The organization committee truly went out of its way to keep prices down and provide the best deals for people who really want to take full advantage of this event. One example is the full package deal: for R$1,000 (approximately US$625) you can attend two classes and the conference.

The deadline for early bird registration is August 31st so you do need to hurry! Conference details, sponsorship information, registration links, and some cool videos about Brazil and Porto Alegre are all available at the conference site: https://www.owasp.org/index.php/AppSecLatam2011#tab=Welcome.

Get your visa ready. We look forward to seeing everyone in Brazil!

Cassio

Friday, July 29, 2011

AppSec USA Open Source Support!

(from adam.baso@owasp.org)
OWASP is piloting a new initiative to promote open source ideals at our Global AppSec Conferences!  
For the first time, we are offering a limited number of free booth spaces to open source projects as part of the OWASP Open Source Showcase at OWASP AppSec USA 2011!  We invite ANY open source project - not just OWASP projects - to apply for a booth at this showcase to demo and promote their project. Showcase participants need to be ticketed attendees and will be responsible for manning their booth.  
Learn more about this opportunity, including how to submit projects for consideration, by visiting the following URL:  http://www.appsecusa.org/oss.html   Applications are due Friday, August 19, 2011, and are considered on a rolling basis - so get moving!  
Contact projects@owasp.org if you have any questions.  
OWASP MSP: Host to OWASP AppSec USA 2011
September 20-23
Training, Talks, CTF, Showroom and more
www.appsecusa.org @appsecusa

Application Security Tutorial Videos

The OWASP application video tutorial series, led by Jerry Hoff,  has produced three great security videos and has many more on the way. These videos are short and to the point. The 10 minute videos cover core application security risks such as cross site scripting or sql injection and future episodes will cover defense in depth security techniques such as Strict Transport Security or X-Frame-Options.

The following videos are currently available as part of the AppSec Tutorial Video Series.

    •    Episode 1 - Introduction
    •    Episode 2 - Injection Attacks
    •    Episode 3 - Cross Site Scripting
The following link will take you to the OWASP AppSec Video Series homepage on youtube.

http://www.youtube.com/user/AppsecTutorialSeries

You can also watch the three videos embedded below.





Wednesday, July 27, 2011

OWASP Codes of Conduct Project

By Colin Watson

At the summit in Portugal earlier this year, a working session on "Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies" created a document defining minimal requirements for three types of organization, specifying what are the most effective ways to support OWASP's mission. These are OWASP's objectives for other organizations and do not relate to members or other participants.

The three types of organization were:

- Government Bodies
- Educational Institutions
- Standards Groups

with Jeff Williams, Dave Wichers and Dinis Cruz as primary contributors.

Although I didn't attend that particular session, I was able to contribute to an early draft version of the document, and subsequently created a parallel document for:

- Trade Organizations

At another working session on Certification, the participants created another closely-related document on expectations for:

- Certifying Bodies

with Jason Li, Jason Taylor, Martin Knobloch, Matthew Chalmers and Justin Searle as
primary contributors.

Each document has been give a colour name to make it more identifiable, and to provide a shorter title. Thus the document "The OWASP Application Security Code of Conduct for Government Bodies: is also "The OWASP Green Book".

OWASP would like to formalize, complete and create release-quality documents, and therefore I have offered to start a project and become project leader for the OWASP Codes of Conduct Project. The project will nurture these initiatives and collect feedback on the draft documents with the aim of issuing and promoting the documents later this year. With Paulo Coimbra's welcome assistance, the project and
current draft versions can be found at:

https://www.owasp.org/index.php/OWASP_Codes_of_Conduct

The v1.1 draft documents were created from the summit outcomes, and to date I have:

1) standardized their formatting
2) removed reference to "free membership [of bodies, groups] " where
this does not match current policy
3) removed "free attendance at events" for liaison contacts since
this hasn't been more widely discussed
4) made liaison groups within OWASP less specific since we do not
have a "OWASP Educational Institution Executive Council" for example
5) changed the mandatory Code of Conduct items to a numbered list,
and the recommendations to an alphabetical list to distinguish between
them better
6) added hyperlinks to OWASP resources and a summary sheet on the last page

I would welcome feedback on these using the project's mailing list:

https://lists.owasp.org/mailman/listinfo/owasp-codes-of-conduct

Please contribute in the next 4 weeks, after which I will be seeking project formal reviewers. Some things to be discussed before then:

- have all the contributors been captured correctly?
- the documents do not have licensing or copyright stated
- the Green Book requires government organizations to adopt a
definition of "application security", but in the Yellow Book for
Standards Groups, this is an optional requirement, and perhaps they
should be the same
- some organizations might decide they do everything we suggest, and
we might want to state a form of words for any statement of adoption

PLUS ANYTHING ELSE you feel is important. You may have ideas for another similar document. Please join the mailing list.

Colin Watson

Thursday, July 21, 2011

OWASP LATAM Tour

Fabio Cerullo presented the OWASP training day in Argentina on 7/19/2011. There were over 40 attendees (58 registered) and 17 NEW members registered including 5 educational supporters. Outstanding!

The next stop on the tour is Uruguay on 7/26/2011. Mateo is estimating over 120 attendees (although they will need to sign up still J) of the 8 registered for the upcoming training day, 6 have signed up for membership!

Brazil and Peru are scheduled for August, so I will provide updates as we get closer.

https://picasaweb.google.com/fcerullo/OWASPLatamTour?authuser=0&feat=directlink

Wednesday, July 20, 2011

AppSec Asia 2011

AppSec Asia 2011

Building on its successes of the past two years, OWASP’s China chapter is again hosting a flagship OWASP outreach event in Beijing, China. The Global AppSec Asia 2011 will be held from November 8 to 11, 2011. This event offers expo, training and conferences and includes many opportunities to converse with the government, industry and education leaders from China and the entire Asia Pacific region.

If you are interested in speaking at the conference (November 8 to 9, 2011) or a training session (November 10 to 11, 2011) then please submit your proposal here.

If your company or other companies you know are interested in reaching out to the vast and growing Asia Pacific market then please contact Helen Gao (516-582-4943). The sponsorship document can be downloaded here. If you are interested in the product exhibit then please let Helen know by July 31, 2011.

Thank you very much for your support.

OWASP AppSec USA 2011

AppSec USA 2011 is a conference for information security and software development professionals who are challenged with solving tough application security problems. This year's format will be eight tracks spread across two days, with each talk running 50 minutes in length. Speakers are just being announced. For more details: www.appsecusa.org

The tracks are:

· Cloud Security

· Mobile Security

· Secure SDLC

· OWASP Projects

· New Attacks & Defenses

· Thought Leadership

· Software & Architecture Patterns for Security

· Software Assurance

AppSec USA’s early bird discount ends: 7/29/11 so register now: http://www.regonline.com/Register/Checkin.aspx?EventID=935213

Follow us on twitter @appsecusa, our linked in group, or on facebook and check the www.appsecusa.org site often for updates we’ll be announcing an Open Source Project demo area, a University CTF Challenge, Thursday evening networking event and more! We also have several events already listed: Women in AppSec | 5K/10K | CR0WD50URC3D

Kate Hartmann

Operations Director

301-275-9403

www.owasp.org

Skype: Kate.hartmann1



_______________________________________________ To unsubscribe from the Owasp-all mailing list, you will need to unsubscribe yourself from all OWASP mailing lists you belong too. This list is automatically generated to allow OWASP to contact all it’s members in one distribution.   Best regards, OWASP

Sunday, July 17, 2011

ESAPI for C++

(from Kevin Wall)

There's a new mailing list on the OWASP ESAPI block at: https://lists.owasp.org/mailman/listinfo/owasp-esapi-c++ 

Yes, that's right. ESAPI for C++. Well, spare me the oxymoron jokes (my resemblance to an ox and an moron is strictly coincidence)...and besides that was my first reaction as well.

ESAPI for C++ will be a *greatly* stripped down version of ESAPI for JavaEE. The intent will be more similar to ESAPI for C (yes, Virginia, there's one of those too; see http://code.google.com/p/owasp-esapi-c/).

So sign up for the OWASP ESAPI for C++ mailing list. Even though it's mostly intended for developers, we welcome hecklers and other nay sayers as well. (Keeps us from getting too many "yes men" that way.)

Or better yet, sign up, and then get involved. Yes sir (or ma'am). ESAPI for C++ is your chance to become rich and famous. OK, just famous. Hmm, maybe not. But it is a chance for all of you, who like me just sat out there for years using FOSS but without every contributing anything back. (No, those 3 patches that you submitted 7 years ago and that $10 donation to GNU's Free Software Foundation are not enough to make up for all the free software that you've used over the years. C'mon, you tip your barber more than that!)

Uncle OWASP wants you!
-kevin wall

Monday, July 11, 2011

OWASP New Zealand Day 2011 Wrap-up

(from Nick Freeman & Scott Bell)

Dear OWASP Leaders,

This email is a brief wrap-up of how the OWASP New Zealand Day 2011 conference went on Thursday July 7.

The conference was a great success, with a 33% increase in attendance from previous years. We had just over 200 people attend our single track, 10 talk conference and two training sessions.

This shows a growing interest in web application security in New Zealand, and we will be pushing the attendees to attend chapter meetings and spread the word about OWASP with their friends, colleagues and other industry groups. We have had a great response from a number of development groups who are interested in having OWASP content presented at their meetings, which we see as an excellent opportunity to expand the OWASP community and web application security awareness in New Zealand.

Feedback from conference attendees has been glowing, with very positive comments and some constructive suggestions. We are still dissecting it all, and will be combining the feedback with our own learnt lessons to ensure future chapter meetings and OWASP NZ Day conferences get better and better.

We'd like to give a very big thanks to Kate Hartmann, Sarah Baso, Mark Bristow, Alison Shrader and everyone else who has helped us organise the conference and make it the success that it was. Special thanks also go out to Roberto Suggi Liverani, previous OWASP NZ Chapter Leader, who organised the previous two OWASP day conferences and has helped OWASP New Zealand grow to its current size.

Final thanks go to our sponsors; The University of Auckland Business School, Security-Assessment.com, Lateral Security, F5 and Aura Information Security. Their generous donations allowed us to keep OWASP New Zealand Day a free conference in an excellent venue with quality catering.

Most content from the conference is already posted on the OWASP New Zealand Day 2011 conference wiki page (https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2011) - we will be uploading the remaining content in the next day or two. In the mean time, a celebratory whisky or two is in order :)

Kind Regards

Nick Freeman & Scott Bell
OWASP New Zealand Chapter Leaders

Sunday, July 10, 2011

OWASP Global AppSec Asia 2011

Dear OWASP Chapter leaders,

Greetings!

I am Rip , Chairman of OWASP China. OWASP China invites you to join OWASP Global AppSec Asia 2011 conference.

This AppSec Asia 2011 offers expo,conferences and trainings. Over 500 people attended the conference last year, representing organizations including: Huawei, Alibaba.com, Baidu, China Telecom, China Mobile, China Merchants Bank, Shenzhen Stock Exchange, Ping An Insurance Group, Chinese Ministry of Industry and Information Technology, Chinese Ministry of Commerce, Forrester Research,Inc., Chinese Academy of Sciences.

AppSec Asia 2011 is not just a conference for mainland China, it is also for Hong Kong, Taiwan, Singapore, India, Malaysia, Indonesia, Japan and all Asian countries.We plan to add a product exposition this year. Please introduce this opportunity to companies in your country. As a matter of fact, in order to encourage you to participate, the conference committee has decided to reimburse your travel expenses if your chapter brings in two qualified sponsors. Please see attached for sponsorship details. And English interpretation will be provided for the entire conference.

For more information, please see OWASP Website.

If you have any questions, please fee free to contact:


Thank you and Best Regards!

--
RIP OWASP中国

Thursday, July 7, 2011

US and Canadian Chapter Leader Workshop

(From tin.zaw@owasp.org)

Dear Fellow Chapter Leaders,

Global Chapter Committee invites you to US and Canadian Chapter Leader Workshop at AppSec USA 2011, in Minneapolis. The workshop will be on September 21, from noon to 3:00PM. Its format will be based on the successful chapter workshop at AppSec EU in Dublin, earlier this year.

While we are still working on the agenda, it will closely resemble the agenda at AppSec EU. It will include review of the chapter handbook, managing chapter finances, Top 10 advice, and how to cross-pollinate and cooperate among chapters. EU event's agenda can be seen below.

https://www.owasp.org/index.php/AppSecEU_2011_chapters_workshop_agenda

We strongly encourage you to participate in this opportunity. Chapter leaders are encouraged to use chapter funds for the travel. Chapter leaders will get a free admission to the conference. The committee has limited funds available for chapter leaders with limited chapter funds.

We would like to ask the following.

* Save the date, September 21, 2011, from noon to 3:00PM, for the workshop.
* Register for AppSec USA event. Ask Lorna Alamri for registration code.
* Start making travel arrangements -- hotel rooms are running out -- if your chapter has funds available.
* If needed, ask for funding by emailing me and Sarah Baso, administrator for the chapter committee.
* Start thinking what topics to discuss.
* Stay tuned to further emails and upcoming Wiki page.


A word about funding. While we wish we could fund every chapter leader, due to the limited amount of budget allocated for this event, we may not be able to fund 100% to all the requests. We will have a deadline for applying funding, and after that deadline, we will make funding decision in a fair and transparent manner. When you apply for funding, please highlight your past contributions to OWASP and your future plans for the local chapter and OWASP.

We will try to have an option to participate, via Skype, for those who cannot make it.

If any questions, please email us. tin.zaw@owasp.org

Best regards,
Tin

Tuesday, July 5, 2011

OWASP Gothenburg

(posted by Ulf Larson)

Dear Leaders!

It is my pleasure to announce the birth of OWASP Gothenburg!

OWASP Gothenburg is the second chapter to start in Sweden, some four years after the start of OWASP Sweden. Gothenburg is situated on the west coast of Sweden. Gothenburg has a large port and is also a well known player in the automotive area (Volvo, for example). Furthermore, Gothenburg is home to Chalmers University, a (hopefully) well known education facility with several strong research groups. We also have Liseberg (a large and pretty much awesome amusement park in the center of the city) which is well worth a visit if you happen to pass through.

We (board members, leaders, in total six persons) met for the first time in the beginning of May this year. Discussing, not if, but how, we would go about creating a chapter. We have since had lots of help from John Wilander, Kate Hartmann, and to our great pleasure, Jason Alexander, who heard our twitter call for assistance!

The board and leaders have mixed backgrounds from academia and industry but with the common denominator of application security. The leaders are Jonas Magazinius, Mattias Jidhage, and Ulf Larson. Jonas is a Ph.D. student at Chalmers University, researching on application security, most recently in the context of web mash-ups. Mattias has a master's degree from Chalmers University. He currently works at Omegapoint AB as security specialist/project manager focusing on application security. Ulf has a Ph.D. from Chalmers University. He currently works as a security specialist/systems developer at Adecco IT Konsult.

That's it. It is a pleasure for us to enter the OWASP community, and I hope we meet once or twice in the future!

Best regards

OWASP Gothenburg chapter through Ulf Larson

Friday, June 24, 2011

Board Election Update

Attention OWASP Community,

Daily we learn of malicious hackers in the news - software security has never been more important to consumers, businesses, governments or students.

We trust that you have found valuable resources at OWASP Foundation in forms of guides, tools, resources and a professional community of over 25,000 worldwide - thank you.

As we continue to evolve our professional association, OWASP is hosting it's second election of its International Board of Directors. This year, three (3) of six board seats are up for election for a twenty-four month term and details of the process and candidates can be found online at:

CLICK ON: https://www.owasp.org/index.php/Membership/2011Election

Who will you support?

Thank you in advance for your continued support.

On behalf of the OWASP Foundation.

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

Election of Officers @ OWASP

OWASP Community,

Daily we learn of malicious hackers in the news - software security has never been more important to consumers, businesses, governments or students.

We trust that you have found valuable resources at OWASP Foundation in forms of guides, tools, resources and a professional community of over 25,000 worldwide - thank you.

As we continue to evolve our professional association, OWASP is hosting its second election of its International Board of Directors. This year, three (3) of six board seats are up for election for a twenty-four month term and details of the process and candidates can be found online

CLICK ON: https://www.owasp.org/index.php/Membership/2011Election

Who will you support?

Thank you in advance for your continued support.

On behalf of the OWASP Foundation.

Tuesday, June 21, 2011

Attention Chapter Leaders

Attention Chapter Leaders!
https://www.owasp.org/index.php/OWASP_Chapter
The goal of the Chapter Leader mailing list is to:

  1. To exchange chapter leader experience
  2. To ask questions (and hopefully get responses) on chapter topics
  3. To announce chapter related topics

There already are a lot of resources available:

https://www.owasp.org/index.php/Category:Chapter_Resources

There is a chapter leader handbook:

https://www.owasp.org/index.php/Chapter_Leader_Handbook

But all of this material can and should be further improved to enable you - as chapter leader - in creating and maintaining our community.

If you need help: ask your question on the mailing list.

If you have some spare time: start building a chapter leaders FAQ as part of the chapter leaders handbook.

Regards,

Seba

Friday, June 17, 2011

CFP OWASP AppSec LATAM and Partner event, Rochester Security Summit

Colleagues,

OWASP is currently soliciting presentations for the OWASP AppSec Latam 2011 Conference that will take place at PUC-RS in Porto Alegre, RS, Brazil on October 4th through 7th, 2011. There will be training courses on October 4th and 5th followed by plenary sessions on the 6th and 7th with each day having one single track.

We are seeking people and organizations that want to present on any of the following topics (in no particular order), or any other topics related to application security:

  • Application Threat Modeling
  • Business Risks with Application Security
  • Hands-on Source Code Review
  • Metrics for Application Security
  • OWASP Tools and Projects
  • Privacy Concerns with Applications and Data Storage
  • Secure Coding Practices (J2EE/.NET)
  • Starting and Managing Secure Development Lifecycle Programs
  • Technology specific presentations on security such as AJAX, XML, etc
  • Web Application Security countermeasures
  • Web Application Security Testing
  • Web Services-, XML- and Application Security
  • Anything else relating to OWASP and Application Security

To make a submission you must fill out the form available at https://www.owasp.org/images/e/e4/OWASP_AppSec_Latam_2011_CFP.rtf.zip

and submit through the easychair conference interface at http://www.easychair.org/conferences/?conf=appseclatam2011

Each presenter will have 45 minutes for the presentation, followed by 10 minutes reserved for questions from the audience. The presentations must respect the restrictions of the OWASP Speaker Agreement.

Important Dates

· Submission deadline is July 18, 2011 at 11:59 PM (UTC/GMT -3).

· Notification of acceptance is August 5, 2011.

· Presentation slides are due September 19, 2011.

The conference organization team may be contacted by email at appsec2011 (at) appseclatam.org

For more information, please see the following web pages:

Conference Website: https://www.appseclatam.org or http://www.owasp.org/index.php/AppSecLatam2011

OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement

OWASP Website: http://www.owasp.org

Easychair conference site: http://www.easychair.org/conferences/?conf=appseclatam2011

Presentation proposal form: https://www.owasp.org/images/e/e4/OWASP_AppSec_Latam_2011_CFP.rtf.zip

*** CALL FOR PRESENTATIONS ***

Rochester Security Summit October 4th-5th, 2011 Rochester, NY http://RochesterSecurity.org

We are pleased to announce that the sixth annual Rochester Security Summit is being planned for October 4-5, 2011 in Rochester, NY at the beautiful and totally renovated Hyatt Regency Rochester. This year’s theme is “Security Sanity” with Marcus J. Ranum as our keynote speaker. The Rochester Security Summit is the premiere IT security event in Upstate/Western NY.

In 2010 the Rochester Security Summit gathered more than 200 attendees, including executives from Fortune 500 firms, information security professionals, auditors, developers and software architects. We had 26 outstanding presentations, a sold-out Capture the Flag (a.k.a. Ethical Hacking 101) event and an extremely well received end panel with representatives of the 3 sponsoring organizations, ISSA, ISACA and OWASP.

The Rochester Security Summit is currently soliciting presentations from researchers, academia and industry for the 3 main tracks: Business Professional, Technical Professional and Software Professional. If you believe you have a significant research or technical presentation that the security community would value and enjoy hearing, we invite you to submit your presentation topic for consideration.

All three tracks will consist of presentations in 50-minute blocks, including Q&A. Presentations may be allowed to span two blocks to accommodate topic exploration to different depths if the committee sees the merit in the longer time allotment.

  • Please submit your proposal before June 30th
  • We will respond to proposals by July 30th
  • Draft copy of the slides for the papers must be submitted by August 26th
  • Final submissions are due by September 23rd

Please review the speaker guidelines on the web site, http://rochestersecurity.org/speakers/speaker-guidelines.html before submitting a proposal.

Proposals may be submitted via e-mail to present2011@rochestersecurity.org

Summit attendees are a mix of technical security professionals, vendors, programmers, web application developers, security testers, students, network administrators and IT executives. Preference will be given to speakers who can present innovative technical content to a broad technical audience. Of course, all presentations are expected to challenge the brightest and quickest of attendees.

The Rochester Security Summit is not a vendor fest. There is zero tolerance for heavy commercial content in presentations. Presenters are expected to avoid any marketing that is not immediately backed up with rationale for its inclusion.

Proposals should consist of the following information:

1. Presenter and contact info (country of origin and residence-mail, postal address, phone, fax).

2. Employer and/or affiliations.

3. Brief biography, list of publications and papers.

4. Any significant presentation and educational experience/background.

5. Topic synopsis, proposed paper title, and a one paragraph description.

6. Reason why this material is innovative or significant or an important tutorial.

7. Optionally, any samples of prepared material or outlines ready.

8. Will you have full text available or only slides?

9. Please list any other publications or conferences where this material has been or will be published or submitted.

10. If you think a second 50-minute block will be required to do your topic justice, please let us know and give a rationale for the longer format.

Please include the plain text version of this information in your email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to present2011@rochestersecurity.org

For more event information, or to register, visit us online at http://rochestersecurity.org/.

Thank you,

Rochester Security Summit Organizing Committee

  • Kate Hartmann
  • Operations Director
  • 301-275-9403
  • www.owasp.org
  • Skype: Kate.hartmann1

Thursday, June 16, 2011

OWASP iGoat 1.0

(From Ken van Wyk)
Greetings all.
Yesterday, we put out the first public release of the OWASP iGoat project. This message is a brief description and call for participants in the project.  
Background  
The iGoat tool is a learning tool, primarily meant for iOS developers (but also useful to IT security practitioners, security architects, and others who simply want to learn about iOS security). It takes its name and inspiration from the venerable OWASP WebGoat tool. Like WebGoat, iGoat users explore a number of security weaknesses in iOS by exploiting  them first. Then, once each weakness has been explored, the iGoat user must implement a remediation to protect against each weakness and validate that the remediation was successful--similar to the WebGoat Developer Edition.  Hints and other background information are provided, right down to commented solutions in the source code, so that developers can use iGoat as a self-study learning tool to explore and understand iOS weaknesses and how to avoid them.  Further, the iGoat platform was specifically designed and built to be as easily extensible as possible, so that new exercises can be easily built and integrated over time.  iGoat was sponsored and initially developed by KRvW Associates, LLC (www.krvw.com), and is being released under GPLv3 licensing to the community.  
Status  
With the first public release, we've included several initial exercises and exercise  categories. These include such well known topics as SQL Injection, secure communications, etc. We plan to further integrate another handful of exercises in the short term, as well as make several improvements to the user interface. In the short term, we'll also be adding more documentation in the form of HOWTO documents that will cover how to install and use iGoat, as well as how to add new exercises to it.  No doubt, further improvements will quickly surface as the community starts using the   tool...  
Project Site  
iGoat can be found at: https://www.owasp.org/index.php/OWASP_iGoat_Project
All releases and source code are on Google Code. See the project home page above for   further details.  Call for Participation  The iGoat team would like to invite anyone interested to participate and contribute to iGoat's further development. Please contact the project leader, Ken van Wyk (ken@krvw.com) if you wish to contribute to the project.
Mailing List  
An open, unmoderated forum has been set up for the iGoat project. To subscribe, see https://lists.owasp.org/mailman/listinfo/owasp-igoat-project 
Cheers, Ken  

Wednesday, June 15, 2011

Question on 3rd party JS

Question: How do you best use external JavaScripts and comply with PCI-DSS (from @joffemannen)

(Great answer from @johnwilander)

I've had more than one consultation on this issue and we've always had to start by explaining the full access and full trust model of loading 3rd party code and content. To start with there's an important distinction between loading a 3rd party code library such as jQuery, and loading DOM content with or without JavaScript. If they want DOM content then traditional iframing works fine until they want to interact with the 3rd party content or vice versa. Since they will be loaded from different domains they will not be able to access each other.

If they want interaction they have four ways ahead:
  • Hosted + controlled releases. Establish a B2B release cycle with the vendor in which new versions of script files are released to them via file transfer and not directly into production. Then they do whatever auditing and analysis their process requires and deploy under their own domain. Note that this works for code-only cases too, i.e. no 3rd party content. This used to be an issue back when everyone was "hot linking" but nowadays you typically see requirements to download and host yourself since 3rd parties don't want to have to pay for the bandwidth or even have the tough SLAs in place.
  • Reverse proxy. Setup a reverse proxy to mimic that the 3rd party content is served by themselves. This makes it look like they're hosting everything themselves but really they're not. However, in this case they can potentially filter and detect code changes. If code changes happen daily it'll just become noise but detecting less frequent changes may prove useful for the cert team.
  • Normal loading + ajax proxy. Let the 3rd party have their own release cycle, load from 3rd party's domain and set up an ajax proxy if the code requires that. That means their own domain is still serving the client calls but they just reflect whatever source code the vendor serves up.
  • Point subdomain to 3rd party. If they point a subdomain of their own such as googlemaps.mybank.com pointing to Google Maps and host their own content on secure.mybank.com they can have both the iframe and the outer page set their docment.domain to a mybank.com and thus enable interaction.
In the three latter cases they're basically giving the 3rd party code the same privileges their own code has. So it has to be covered by the same processes (pentests and what not). This is typically when my customers have started considering the first option – "Hey, maybe we need to control what code runs on our page? And who writes that code. And how easy it is to hack into the hosting servers and replace that code. Damn!".

Regards, @johnwilander

Saturday, June 11, 2011

OWASP Zed Attack Proxy 1.3.0 released

(from psiinon@gmail.com)

Hi folks,

Version 1.3.0 of the OWASP Zed Attack Proxy (ZAP) has now been released.

ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

This release adds the following main features:
  • Fuzzing, using the JBroFuzz library
  • Dynamic SSL Certificates
  • Daemon mode and API
  • BeanShell integration
  • Full internationalization
  • Out of the box support for 10 languages

For more information and to download this release please visit the ZAP homepage: http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Many thanks to everyone who contributed code, language files, enhancement requests, bug reports and general feedback.

Psiinon