Monday, March 21, 2011

OWASP Board Election Update

I wanted to provide a status update to everyone on the OWASP-Leaders list to communicate to your respective chapters via fwd or repost to OWASP Blog/Twitter etc.

1. Currently there is a volunteer team assembled and working with Kate Hartmann on Version 3.0 of the OWASP Bylaws (current ones: ). The next milestone update from that team is due by the April board meeting. Ongoing, the board will need to review them each year, agree to them and vote in subsequent modifications as we continue to grow like any other business with bylaws.

You can track updates at: and the results.

2. In 2009 we ran elections, had (4) candidates, (2) were elected. We utilized a democratic process and documented it: <--- 2009 results format. We will be using the same process. In 2011, (3) seats are up for election: Jeff Williams, Dave Wichers and Sebastian Deleersnyder. (This was based on term length so far.) These individuals are encouraged to run for re-election by peers and/or endorse and support another candidate. The role will become effective in January 2012 after a transition and hand-off period.

3. In 2011 members will cast a ballot (you are on the OWASP Member list, aren't you?). Now is a good time to check. If you are not an individual member, now is a perfect time to renew it. If you work for a company that is a corporate supporter and you are the primary point of contact, this only equals (1) vote. Voting rights are assigned to individuals (yes, actual people..) as outlined at:

So this quick update means in summary that we are ALMOST ready to proceed, but there are a few moving parts:

- April we should be able to [commit] and then we can open an OWASP-ALL nomination process. It will be very similar to the process for joining a global committee, where if you are an OWASP member, contributor to projects/chapters and have endorsements of others you can draft your "WHY ME" and run for one of the 3 seats that will be up for election.

- Candidates will be announced at the kick-off of the Global AppSec Europe, June 9th conference and elections will follow three months later at the Global AppSec North America on September 22nd, and it also happens to be our 10 year anniversary at OWASP Foundation.

- If you are still reading this, have free time, and want to continue to help evolve a global community, consider supporting or running for election yourself. Now might be a good time to socialize your desire, get endorsements at your local chapter(s), ask the global committees for endorsement based on your accomplishments, consider releasing that next OWASP project to show folks what you are capable of in collaboration with others or as an individual, and be in sync with what is happening at the Global Committees - don't forget to have fun with ALL your volunteer efforts.

Hope this update was helpful?

Tom Brennan


BTW in case you missed the updates from the Summit see:

Wednesday, March 16, 2011

OWASP AppSec EU - Registration Open & CFP/CFT

Registration is OPEN!!! Follow the link for information on Early Bird Pricing!

OWASP is currently soliciting training & presentation proposals for the OWASP AppSec Europe 2011 Conference which will take place at Trinity College Dublin in Ireland, on June 6th through June 10th 2010. There will be training courses on June 6th, 7th and 8th followed by plenary sessions on the 9th and 10th with each day having at least three tracks.

Call for Training

We are seeking training proposals on the following topics (in no particular order):
  • Security in Web 2.0, Web Services/XML
  • Advanced penetration testing
  • Static analysis for security
  • Threat modeling of applications
  • Secure coding practices
  • Security in J2EE/.NET patterns and frameworks
  • Application security with ESAPI
  • OWASP tools in practice
We will look favorably on laboratory-based/hands-on training.

Call for Presentations

We are seeking people and organizations that want to present on any of the following topics (in no particular order):
  • Business Risks with Application Security.
  • Starting and Managing Secure Development Lifecycle Programs.
  • Web Services-, XML- and Application Security.
  • Metrics for Application Security.
  • Application Threat Modeling.
  • Hands-on Source Code Review.
  • Web Application Security Testing.
  • OWASP Tools and Projects.
  • Secure Coding Practices (J2EE/.NET).
  • Privacy Concerns with Applications and Data Storage
  • Web Application Security countermeasures
  • Technology specific presentations on security such as AJAX, XML, etc.
  • Anything else relating to OWASP and Application Security.

Submission Deadline and Instructions

Submission deadline is Sunday April 3 23:59 (GMT).

To submit your proposal please fill out the form here:

Please specify in the form whether you are submitting a Training or a Presentation proposal. E.g. Title: "Training - Introduction to Web Application Security"

Only for Training Proposals

To submit your training proposal please fill out the and attach it while filling out the online form.

Upon acceptance you'll be requested to fill out the Training Instructor Agreement where you'll find details on revenue split etc. The agreement will be reworked but the previous one is here:

Further Information




Twitter: #appseceu11

Kate Hartmann
Operations Director
Skype: Kate.hartmann1

Wednesday, March 9, 2011

OWASP ESAPI for Ruby v0.3

(from Paolo Perego)

I'd like to announce that the first public version (marked as 0.30.0) of the OWASP ESAPI for Ruby gem has been released.

We choose to release early, release often so we started pushing out to the real world even if we started no more than a month ago. We started porting validators, codecs and filters but the road towards 1.0 is far from being close.

Since a lot of work has to be done, we need a lot of talented people, so please go to and subscribe to the project mailing list. At the webpage you can find a link to the source repository, with all the information you need to contribute to the project.

Paolo Perego